From 8a986ab044cfd06e0b58e2ac731a686a08aed6c1 Mon Sep 17 00:00:00 2001 From: des Date: Mon, 31 Mar 2014 14:39:56 +0000 Subject: [PATCH] MFH (r237568, r255422, r255460, r255766, r255767, r255774, r255829, r256126, r257954, r261320, r261499, r263691, r263712): upgrade to OpenSSH 6.6p1 via 6.3p1, 6.4p1 and 6.5p1. Differences relative to head: - No DNSSEC support since stable/9 does not have LDNS - Sandboxing off by default, and uses rlimit instead of Capsicum - ED25519 moved to the bottom of the order of preference to avoid "new public key" warnings git-svn-id: svn://svn.freebsd.org/base/stable/9@263970 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- Makefile.inc1 | 4 +- crypto/openssh/ChangeLog | 5657 +++-- crypto/openssh/FREEBSD-tricks | 14 - crypto/openssh/FREEBSD-upgrade | 108 +- crypto/openssh/Makefile.in | 476 + crypto/openssh/PROTOCOL | 27 +- crypto/openssh/PROTOCOL.chacha20poly1305 | 105 + crypto/openssh/PROTOCOL.key | 68 + crypto/openssh/README | 4 +- crypto/openssh/aclocal.m4 | 97 +- crypto/openssh/addrmatch.c | 10 +- crypto/openssh/atomicio.c | 4 + crypto/openssh/audit-linux.c | 2 +- crypto/openssh/auth-chall.c | 22 +- crypto/openssh/auth-krb5.c | 30 +- crypto/openssh/auth-options.c | 78 +- crypto/openssh/auth-pam.c | 48 +- crypto/openssh/auth-rsa.c | 43 +- crypto/openssh/auth.c | 49 +- crypto/openssh/auth.h | 20 +- crypto/openssh/auth1.c | 51 +- crypto/openssh/auth2-chall.c | 41 +- crypto/openssh/auth2-gss.c | 27 +- crypto/openssh/auth2-hostbased.c | 24 +- crypto/openssh/auth2-jpake.c | 563 - crypto/openssh/auth2-kbdint.c | 6 +- crypto/openssh/auth2-passwd.c | 10 +- crypto/openssh/auth2-pubkey.c | 91 +- crypto/openssh/auth2.c | 103 +- crypto/openssh/authfd.c | 75 +- crypto/openssh/authfile.c | 406 +- crypto/openssh/authfile.h | 5 +- crypto/openssh/blocks.c | 248 + crypto/openssh/bufaux.c | 88 +- crypto/openssh/bufbn.c | 28 +- crypto/openssh/bufec.c | 10 +- crypto/openssh/buffer.c | 8 +- crypto/openssh/buffer.h | 8 +- crypto/openssh/buildpkg.sh.in | 677 + crypto/openssh/canohost.c | 27 +- crypto/openssh/chacha.c | 219 + crypto/openssh/chacha.h | 35 + crypto/openssh/channels.c | 174 +- crypto/openssh/channels.h | 9 +- crypto/openssh/cipher-3des1.c | 12 +- crypto/openssh/cipher-aes.c | 2 +- crypto/openssh/cipher-chachapoly.c | 114 + crypto/openssh/cipher-chachapoly.h | 41 + crypto/openssh/cipher-ctr.c | 2 +- crypto/openssh/cipher.c | 155 +- crypto/openssh/cipher.h | 21 +- crypto/openssh/clientloop.c | 114 +- crypto/openssh/clientloop.h | 3 +- crypto/openssh/compat.c | 66 +- crypto/openssh/compat.h | 3 +- crypto/openssh/config.guess | 262 +- crypto/openssh/config.h | 158 +- crypto/openssh/config.h.in | 151 +- crypto/openssh/config.sub | 1793 ++ crypto/openssh/configure | 19741 ++++++++++++++++ crypto/openssh/configure.ac | 4901 ++++ crypto/openssh/contrib/Makefile | 17 + crypto/openssh/contrib/README | 70 + crypto/openssh/contrib/aix/README | 50 + crypto/openssh/contrib/aix/buildbff.sh | 381 + crypto/openssh/contrib/aix/inventory.sh | 63 + crypto/openssh/contrib/aix/pam.conf | 20 + crypto/openssh/contrib/caldera/openssh.spec | 366 + .../openssh/contrib/caldera/ssh-host-keygen | 36 + crypto/openssh/contrib/caldera/sshd.init | 125 + crypto/openssh/contrib/caldera/sshd.pam | 8 + crypto/openssh/contrib/cygwin/Makefile | 77 + crypto/openssh/contrib/cygwin/README | 91 + crypto/openssh/contrib/cygwin/ssh-host-config | 710 + crypto/openssh/contrib/cygwin/ssh-user-config | 266 + crypto/openssh/contrib/cygwin/sshd-inetd | 4 + crypto/openssh/contrib/findssl.sh | 186 + crypto/openssh/contrib/gnome-ssh-askpass1.c | 171 + crypto/openssh/contrib/gnome-ssh-askpass2.c | 223 + crypto/openssh/contrib/hpux/README | 45 + crypto/openssh/contrib/hpux/egd | 15 + crypto/openssh/contrib/hpux/egd.rc | 98 + crypto/openssh/contrib/hpux/sshd | 5 + crypto/openssh/contrib/hpux/sshd.rc | 90 + .../contrib/redhat/gnome-ssh-askpass.csh | 1 + .../contrib/redhat/gnome-ssh-askpass.sh | 2 + crypto/openssh/contrib/redhat/openssh.spec | 812 + crypto/openssh/contrib/redhat/sshd.init | 106 + crypto/openssh/contrib/redhat/sshd.init.old | 172 + crypto/openssh/contrib/redhat/sshd.pam | 6 + crypto/openssh/contrib/redhat/sshd.pam.old | 8 + crypto/openssh/contrib/solaris/README | 30 + crypto/openssh/contrib/ssh-copy-id | 300 + crypto/openssh/contrib/ssh-copy-id.1 | 186 + crypto/openssh/contrib/sshd.pam.freebsd | 5 + crypto/openssh/contrib/sshd.pam.generic | 8 + crypto/openssh/contrib/suse/openssh.spec | 246 + crypto/openssh/contrib/suse/rc.config.sshd | 5 + crypto/openssh/contrib/suse/rc.sshd | 121 + crypto/openssh/contrib/suse/sysconfig.ssh | 9 + crypto/openssh/crypto_api.h | 44 + crypto/openssh/defines.h | 48 +- crypto/openssh/dh.c | 125 +- crypto/openssh/dh.h | 3 +- crypto/openssh/digest-libc.c | 238 + crypto/openssh/digest-openssl.c | 166 + crypto/openssh/digest.h | 63 + crypto/openssh/dns.c | 10 +- crypto/openssh/ed25519.c | 144 + crypto/openssh/fe25519.c | 337 + crypto/openssh/fe25519.h | 70 + crypto/openssh/fixalgorithms | 26 + crypto/openssh/freebsd-configure.sh | 30 + crypto/openssh/freebsd-post-merge.sh | 14 + crypto/openssh/freebsd-pre-merge.sh | 19 + crypto/openssh/ge25519.c | 321 + crypto/openssh/ge25519.h | 43 + crypto/openssh/ge25519_base.data | 858 + crypto/openssh/groupaccess.c | 9 +- crypto/openssh/gss-genr.c | 18 +- crypto/openssh/gss-serv-krb5.c | 48 +- crypto/openssh/gss-serv.c | 26 +- crypto/openssh/hash.c | 76 + crypto/openssh/hmac.c | 197 + crypto/openssh/hmac.h | 37 + crypto/openssh/hostfile.c | 59 +- crypto/openssh/hostfile.h | 4 +- crypto/openssh/includes.h | 2 + crypto/openssh/install-sh | 251 + crypto/openssh/jpake.c | 456 - crypto/openssh/jpake.h | 114 - crypto/openssh/kex.c | 228 +- crypto/openssh/kex.h | 49 +- crypto/openssh/kexc25519.c | 122 + crypto/openssh/kexc25519c.c | 129 + crypto/openssh/kexc25519s.c | 126 + crypto/openssh/kexdh.c | 17 +- crypto/openssh/kexdhc.c | 12 +- crypto/openssh/kexdhs.c | 24 +- crypto/openssh/kexecdh.c | 36 +- crypto/openssh/kexecdhc.c | 19 +- crypto/openssh/kexecdhs.c | 32 +- crypto/openssh/kexgex.c | 24 +- crypto/openssh/kexgexc.c | 16 +- crypto/openssh/kexgexs.c | 23 +- crypto/openssh/key.c | 798 +- crypto/openssh/key.h | 22 +- crypto/openssh/krb5_config.h | 10 + crypto/openssh/krl.c | 45 +- crypto/openssh/log.c | 20 +- crypto/openssh/log.h | 3 +- crypto/openssh/loginrec.c | 13 +- crypto/openssh/mac.c | 165 +- crypto/openssh/mac.h | 3 +- crypto/openssh/match.c | 19 +- crypto/openssh/mdoc2man.awk | 370 + crypto/openssh/misc.c | 68 +- crypto/openssh/misc.h | 5 +- crypto/openssh/moduli.0 | 74 + crypto/openssh/moduli.5 | 1 + crypto/openssh/moduli.c | 114 +- crypto/openssh/monitor.c | 431 +- crypto/openssh/monitor.h | 7 +- crypto/openssh/monitor_mm.c | 45 +- crypto/openssh/monitor_mm.h | 4 +- crypto/openssh/monitor_wrap.c | 207 +- crypto/openssh/monitor_wrap.h | 22 +- crypto/openssh/mux.c | 156 +- crypto/openssh/myproposal.h | 51 +- crypto/openssh/nchan.ms | 99 + crypto/openssh/nchan2.ms | 88 + crypto/openssh/openbsd-compat/Makefile.in | 42 + crypto/openssh/openbsd-compat/arc4random.c | 294 + crypto/openssh/openbsd-compat/bcrypt_pbkdf.c | 170 + crypto/openssh/openbsd-compat/blf.h | 88 + crypto/openssh/openbsd-compat/blowfish.c | 698 + .../openssh/openbsd-compat/bsd-arc4random.c | 150 - .../openssh/openbsd-compat/bsd-cygwin_util.c | 2 +- .../openssh/openbsd-compat/bsd-cygwin_util.h | 8 +- crypto/openssh/openbsd-compat/bsd-misc.c | 1 + crypto/openssh/openbsd-compat/bsd-misc.h | 16 +- crypto/openssh/openbsd-compat/bsd-poll.c | 16 +- crypto/openssh/openbsd-compat/bsd-setres_id.c | 3 +- crypto/openssh/openbsd-compat/bsd-snprintf.c | 46 +- crypto/openssh/openbsd-compat/bsd-statvfs.c | 55 +- crypto/openssh/openbsd-compat/bsd-statvfs.h | 11 +- .../openssh/openbsd-compat/chacha_private.h | 222 + .../openssh/openbsd-compat/explicit_bzero.c | 20 + crypto/openssh/openbsd-compat/getopt.c | 123 - crypto/openssh/openbsd-compat/getopt.h | 74 + crypto/openssh/openbsd-compat/getopt_long.c | 532 + .../openbsd-compat/getrrsetbyname-ldns.c | 284 + .../openssh/openbsd-compat/openbsd-compat.h | 30 +- .../openssh/openbsd-compat/openssl-compat.c | 38 +- .../openssh/openbsd-compat/openssl-compat.h | 22 +- crypto/openssh/openbsd-compat/port-aix.c | 10 +- crypto/openssh/openbsd-compat/port-linux.c | 12 +- .../openbsd-compat/regress/Makefile.in | 38 + .../openbsd-compat/regress/closefromtest.c | 63 + .../openbsd-compat/regress/snprintftest.c | 73 + .../openbsd-compat/regress/strduptest.c | 45 + .../openbsd-compat/regress/strtonumtest.c | 80 + crypto/openssh/openbsd-compat/setproctitle.c | 9 +- crypto/openssh/openbsd-compat/strnlen.c | 37 + crypto/openssh/openbsd-compat/xcrypt.c | 7 +- crypto/openssh/openssh.xml.in | 90 + crypto/openssh/opensshd.init.in | 88 + crypto/openssh/packet.c | 130 +- crypto/openssh/packet.h | 7 +- crypto/openssh/pathnames.h | 25 +- crypto/openssh/pkcs11.h | 18 +- crypto/openssh/platform.c | 16 +- crypto/openssh/platform.h | 3 +- crypto/openssh/poly1305.c | 160 + crypto/openssh/poly1305.h | 22 + crypto/openssh/progressmeter.c | 12 +- crypto/openssh/readconf.c | 748 +- crypto/openssh/readconf.h | 41 +- crypto/openssh/readpass.c | 10 +- crypto/openssh/regress/Makefile | 182 + crypto/openssh/regress/README.regress | 104 + crypto/openssh/regress/addrmatch.sh | 56 + crypto/openssh/regress/agent-getpeereid.sh | 45 + crypto/openssh/regress/agent-pkcs11.sh | 69 + crypto/openssh/regress/agent-ptrace.sh | 61 + crypto/openssh/regress/agent-timeout.sh | 36 + crypto/openssh/regress/agent.sh | 81 + crypto/openssh/regress/banner.sh | 44 + crypto/openssh/regress/broken-pipe.sh | 15 + crypto/openssh/regress/brokenkeys.sh | 23 + crypto/openssh/regress/cert-hostkey.sh | 244 + crypto/openssh/regress/cert-userkey.sh | 358 + crypto/openssh/regress/cfgmatch.sh | 126 + crypto/openssh/regress/cipher-speed.sh | 47 + crypto/openssh/regress/conch-ciphers.sh | 28 + crypto/openssh/regress/connect-privsep.sh | 36 + crypto/openssh/regress/connect.sh | 13 + crypto/openssh/regress/dhgex.sh | 54 + crypto/openssh/regress/dsa_ssh2.prv | 14 + crypto/openssh/regress/dsa_ssh2.pub | 13 + crypto/openssh/regress/dynamic-forward.sh | 59 + crypto/openssh/regress/envpass.sh | 60 + crypto/openssh/regress/exit-status.sh | 24 + crypto/openssh/regress/forcecommand.sh | 42 + crypto/openssh/regress/forward-control.sh | 168 + crypto/openssh/regress/forwarding.sh | 121 + crypto/openssh/regress/host-expand.sh | 19 + crypto/openssh/regress/integrity.sh | 70 + crypto/openssh/regress/kextype.sh | 20 + crypto/openssh/regress/key-options.sh | 71 + crypto/openssh/regress/keygen-change.sh | 23 + crypto/openssh/regress/keygen-convert.sh | 33 + crypto/openssh/regress/keys-command.sh | 39 + crypto/openssh/regress/keyscan.sh | 19 + crypto/openssh/regress/keytype.sh | 61 + crypto/openssh/regress/krl.sh | 160 + crypto/openssh/regress/localcommand.sh | 15 + crypto/openssh/regress/login-timeout.sh | 31 + crypto/openssh/regress/modpipe.c | 175 + crypto/openssh/regress/multiplex.sh | 143 + crypto/openssh/regress/portnum.sh | 34 + crypto/openssh/regress/proto-mismatch.sh | 19 + crypto/openssh/regress/proto-version.sh | 34 + crypto/openssh/regress/proxy-connect.sh | 26 + crypto/openssh/regress/putty-ciphers.sh | 26 + crypto/openssh/regress/putty-kex.sh | 23 + crypto/openssh/regress/putty-transfer.sh | 41 + crypto/openssh/regress/reconfigure.sh | 36 + crypto/openssh/regress/reexec.sh | 73 + crypto/openssh/regress/rekey.sh | 142 + crypto/openssh/regress/rsa_openssh.prv | 15 + crypto/openssh/regress/rsa_openssh.pub | 1 + crypto/openssh/regress/rsa_ssh2.prv | 16 + crypto/openssh/regress/scp-ssh-wrapper.sh | 59 + crypto/openssh/regress/scp.sh | 126 + crypto/openssh/regress/setuid-allowed.c | 57 + crypto/openssh/regress/sftp-badcmds.sh | 65 + crypto/openssh/regress/sftp-batch.sh | 55 + crypto/openssh/regress/sftp-chroot.sh | 26 + crypto/openssh/regress/sftp-cmds.sh | 232 + crypto/openssh/regress/sftp-glob.sh | 75 + crypto/openssh/regress/sftp-perm.sh | 269 + crypto/openssh/regress/sftp.sh | 32 + crypto/openssh/regress/ssh-com-client.sh | 130 + crypto/openssh/regress/ssh-com-keygen.sh | 74 + crypto/openssh/regress/ssh-com-sftp.sh | 65 + crypto/openssh/regress/ssh-com.sh | 119 + crypto/openssh/regress/ssh2putty.sh | 34 + crypto/openssh/regress/sshd-log-wrapper.sh | 13 + crypto/openssh/regress/stderr-after-eof.sh | 24 + crypto/openssh/regress/stderr-data.sh | 29 + crypto/openssh/regress/t4.ok | 1 + crypto/openssh/regress/t5.ok | 1 + crypto/openssh/regress/test-exec.sh | 487 + crypto/openssh/regress/transfer.sh | 26 + crypto/openssh/regress/try-ciphers.sh | 33 + crypto/openssh/regress/yes-head.sh | 15 + crypto/openssh/roaming_client.c | 27 +- crypto/openssh/roaming_common.c | 18 +- crypto/openssh/rsa.c | 18 +- crypto/openssh/sandbox-capsicum.c | 123 + crypto/openssh/sandbox-darwin.c | 2 +- crypto/openssh/sandbox-null.c | 2 +- crypto/openssh/sandbox-rlimit.c | 4 +- crypto/openssh/sandbox-seccomp-filter.c | 240 + crypto/openssh/sandbox-systrace.c | 8 +- crypto/openssh/sc25519.c | 308 + crypto/openssh/sc25519.h | 80 + crypto/openssh/schnorr.c | 76 +- crypto/openssh/schnorr.h | 60 - crypto/openssh/scp.0 | 163 + crypto/openssh/scp.1 | 19 +- crypto/openssh/scp.c | 95 +- crypto/openssh/servconf.c | 174 +- crypto/openssh/servconf.h | 12 +- crypto/openssh/serverloop.c | 55 +- crypto/openssh/session.c | 186 +- crypto/openssh/session.h | 3 +- crypto/openssh/sftp-client.c | 312 +- crypto/openssh/sftp-client.h | 16 +- crypto/openssh/sftp-common.c | 16 +- crypto/openssh/sftp-glob.c | 9 +- crypto/openssh/sftp-server.0 | 95 + crypto/openssh/sftp-server.8 | 44 +- crypto/openssh/sftp-server.c | 510 +- crypto/openssh/sftp.0 | 370 + crypto/openssh/sftp.1 | 61 +- crypto/openssh/sftp.c | 413 +- crypto/openssh/smult_curve25519_ref.c | 265 + crypto/openssh/ssh-add.0 | 123 + crypto/openssh/ssh-add.1 | 10 +- crypto/openssh/ssh-add.c | 40 +- crypto/openssh/ssh-agent.0 | 128 + crypto/openssh/ssh-agent.1 | 11 +- crypto/openssh/ssh-agent.c | 235 +- crypto/openssh/ssh-dss.c | 74 +- crypto/openssh/ssh-ecdsa.c | 67 +- crypto/openssh/ssh-ed25519.c | 149 + crypto/openssh/ssh-gss.h | 11 +- crypto/openssh/ssh-keygen.0 | 562 + crypto/openssh/ssh-keygen.1 | 62 +- crypto/openssh/ssh-keygen.c | 241 +- crypto/openssh/ssh-keyscan.0 | 110 + crypto/openssh/ssh-keyscan.1 | 36 +- crypto/openssh/ssh-keyscan.c | 31 +- crypto/openssh/ssh-keysign.0 | 53 + crypto/openssh/ssh-keysign.8 | 9 +- crypto/openssh/ssh-keysign.c | 26 +- crypto/openssh/ssh-pkcs11-client.c | 10 +- crypto/openssh/ssh-pkcs11-helper.0 | 25 + crypto/openssh/ssh-pkcs11-helper.8 | 7 +- crypto/openssh/ssh-pkcs11-helper.c | 27 +- crypto/openssh/ssh-pkcs11.c | 171 +- crypto/openssh/ssh-rsa.c | 137 +- crypto/openssh/ssh-sandbox.h | 3 +- crypto/openssh/ssh.0 | 946 + crypto/openssh/ssh.1 | 65 +- crypto/openssh/ssh.c | 489 +- crypto/openssh/ssh2.h | 8 +- crypto/openssh/ssh_config | 5 +- crypto/openssh/ssh_config.0 | 889 + crypto/openssh/ssh_config.5 | 226 +- crypto/openssh/ssh_namespace.h | 105 +- crypto/openssh/sshconnect.c | 322 +- crypto/openssh/sshconnect.h | 8 +- crypto/openssh/sshconnect1.c | 56 +- crypto/openssh/sshconnect2.c | 491 +- crypto/openssh/sshd.0 | 643 + crypto/openssh/sshd.8 | 30 +- crypto/openssh/sshd.c | 230 +- crypto/openssh/sshd_config | 12 +- crypto/openssh/sshd_config.0 | 835 + crypto/openssh/sshd_config.5 | 159 +- crypto/openssh/sshlogin.c | 4 +- crypto/openssh/sshlogin.h | 2 +- crypto/openssh/survey.sh.in | 69 + crypto/openssh/uidswap.c | 13 +- crypto/openssh/umac.c | 78 +- crypto/openssh/umac.h | 14 +- crypto/openssh/umac128.c | 10 +- crypto/openssh/uuencode.c | 7 +- crypto/openssh/verify.c | 49 + crypto/openssh/version.h | 8 +- crypto/openssh/xmalloc.c | 20 +- crypto/openssh/xmalloc.h | 3 +- etc/rc.d/sshd | 107 +- secure/lib/libssh/Makefile | 30 +- secure/libexec/sftp-server/Makefile | 13 +- secure/libexec/ssh-keysign/Makefile | 11 +- secure/libexec/ssh-pkcs11-helper/Makefile | 15 +- secure/usr.bin/scp/Makefile | 11 +- secure/usr.bin/sftp/Makefile | 13 +- secure/usr.bin/ssh-add/Makefile | 13 +- secure/usr.bin/ssh-agent/Makefile | 13 +- secure/usr.bin/ssh-keygen/Makefile | 15 +- secure/usr.bin/ssh-keyscan/Makefile | 9 +- secure/usr.bin/ssh/Makefile | 14 +- secure/usr.sbin/sshd/Makefile | 27 +- 398 files changed, 63127 insertions(+), 9351 deletions(-) delete mode 100644 crypto/openssh/FREEBSD-tricks create mode 100644 crypto/openssh/Makefile.in create mode 100644 crypto/openssh/PROTOCOL.chacha20poly1305 create mode 100644 crypto/openssh/PROTOCOL.key delete mode 100644 crypto/openssh/auth2-jpake.c create mode 100644 crypto/openssh/blocks.c create mode 100644 crypto/openssh/buildpkg.sh.in create mode 100644 crypto/openssh/chacha.c create mode 100644 crypto/openssh/chacha.h create mode 100644 crypto/openssh/cipher-chachapoly.c create mode 100644 crypto/openssh/cipher-chachapoly.h create mode 100755 crypto/openssh/config.sub create mode 100755 crypto/openssh/configure create mode 100644 crypto/openssh/configure.ac create mode 100644 crypto/openssh/contrib/Makefile create mode 100644 crypto/openssh/contrib/README create mode 100644 crypto/openssh/contrib/aix/README create mode 100755 crypto/openssh/contrib/aix/buildbff.sh create mode 100755 crypto/openssh/contrib/aix/inventory.sh create mode 100644 crypto/openssh/contrib/aix/pam.conf create mode 100644 crypto/openssh/contrib/caldera/openssh.spec create mode 100755 crypto/openssh/contrib/caldera/ssh-host-keygen create mode 100755 crypto/openssh/contrib/caldera/sshd.init create mode 100644 crypto/openssh/contrib/caldera/sshd.pam create mode 100644 crypto/openssh/contrib/cygwin/Makefile create mode 100644 crypto/openssh/contrib/cygwin/README create mode 100644 crypto/openssh/contrib/cygwin/ssh-host-config create mode 100644 crypto/openssh/contrib/cygwin/ssh-user-config create mode 100644 crypto/openssh/contrib/cygwin/sshd-inetd create mode 100755 crypto/openssh/contrib/findssl.sh create mode 100644 crypto/openssh/contrib/gnome-ssh-askpass1.c create mode 100644 crypto/openssh/contrib/gnome-ssh-askpass2.c create mode 100644 crypto/openssh/contrib/hpux/README create mode 100644 crypto/openssh/contrib/hpux/egd create mode 100755 crypto/openssh/contrib/hpux/egd.rc create mode 100644 crypto/openssh/contrib/hpux/sshd create mode 100755 crypto/openssh/contrib/hpux/sshd.rc create mode 100644 crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh create mode 100755 crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh create mode 100644 crypto/openssh/contrib/redhat/openssh.spec create mode 100755 crypto/openssh/contrib/redhat/sshd.init create mode 100755 crypto/openssh/contrib/redhat/sshd.init.old create mode 100644 crypto/openssh/contrib/redhat/sshd.pam create mode 100644 crypto/openssh/contrib/redhat/sshd.pam.old create mode 100755 crypto/openssh/contrib/solaris/README create mode 100644 crypto/openssh/contrib/ssh-copy-id create mode 100644 crypto/openssh/contrib/ssh-copy-id.1 create mode 100644 crypto/openssh/contrib/sshd.pam.freebsd create mode 100644 crypto/openssh/contrib/sshd.pam.generic create mode 100644 crypto/openssh/contrib/suse/openssh.spec create mode 100644 crypto/openssh/contrib/suse/rc.config.sshd create mode 100644 crypto/openssh/contrib/suse/rc.sshd create mode 100644 crypto/openssh/contrib/suse/sysconfig.ssh create mode 100644 crypto/openssh/crypto_api.h create mode 100644 crypto/openssh/digest-libc.c create mode 100644 crypto/openssh/digest-openssl.c create mode 100644 crypto/openssh/digest.h create mode 100644 crypto/openssh/ed25519.c create mode 100644 crypto/openssh/fe25519.c create mode 100644 crypto/openssh/fe25519.h create mode 100755 crypto/openssh/fixalgorithms create mode 100755 crypto/openssh/freebsd-configure.sh create mode 100755 crypto/openssh/freebsd-post-merge.sh create mode 100755 crypto/openssh/freebsd-pre-merge.sh create mode 100644 crypto/openssh/ge25519.c create mode 100644 crypto/openssh/ge25519.h create mode 100644 crypto/openssh/ge25519_base.data create mode 100644 crypto/openssh/hash.c create mode 100644 crypto/openssh/hmac.c create mode 100644 crypto/openssh/hmac.h create mode 100755 crypto/openssh/install-sh delete mode 100644 crypto/openssh/jpake.c delete mode 100644 crypto/openssh/jpake.h create mode 100644 crypto/openssh/kexc25519.c create mode 100644 crypto/openssh/kexc25519c.c create mode 100644 crypto/openssh/kexc25519s.c create mode 100644 crypto/openssh/krb5_config.h create mode 100644 crypto/openssh/mdoc2man.awk create mode 100644 crypto/openssh/moduli.0 create mode 100644 crypto/openssh/nchan.ms create mode 100644 crypto/openssh/nchan2.ms create mode 100644 crypto/openssh/openbsd-compat/Makefile.in create mode 100644 crypto/openssh/openbsd-compat/arc4random.c create mode 100644 crypto/openssh/openbsd-compat/bcrypt_pbkdf.c create mode 100644 crypto/openssh/openbsd-compat/blf.h create mode 100644 crypto/openssh/openbsd-compat/blowfish.c delete mode 100644 crypto/openssh/openbsd-compat/bsd-arc4random.c create mode 100644 crypto/openssh/openbsd-compat/chacha_private.h create mode 100644 crypto/openssh/openbsd-compat/explicit_bzero.c delete mode 100644 crypto/openssh/openbsd-compat/getopt.c create mode 100644 crypto/openssh/openbsd-compat/getopt.h create mode 100644 crypto/openssh/openbsd-compat/getopt_long.c create mode 100644 crypto/openssh/openbsd-compat/getrrsetbyname-ldns.c create mode 100644 crypto/openssh/openbsd-compat/regress/Makefile.in create mode 100644 crypto/openssh/openbsd-compat/regress/closefromtest.c create mode 100644 crypto/openssh/openbsd-compat/regress/snprintftest.c create mode 100644 crypto/openssh/openbsd-compat/regress/strduptest.c create mode 100644 crypto/openssh/openbsd-compat/regress/strtonumtest.c create mode 100644 crypto/openssh/openbsd-compat/strnlen.c create mode 100644 crypto/openssh/openssh.xml.in create mode 100755 crypto/openssh/opensshd.init.in create mode 100644 crypto/openssh/poly1305.c create mode 100644 crypto/openssh/poly1305.h create mode 100644 crypto/openssh/regress/Makefile create mode 100644 crypto/openssh/regress/README.regress create mode 100755 crypto/openssh/regress/addrmatch.sh create mode 100644 crypto/openssh/regress/agent-getpeereid.sh create mode 100755 crypto/openssh/regress/agent-pkcs11.sh create mode 100644 crypto/openssh/regress/agent-ptrace.sh create mode 100644 crypto/openssh/regress/agent-timeout.sh create mode 100644 crypto/openssh/regress/agent.sh create mode 100644 crypto/openssh/regress/banner.sh create mode 100644 crypto/openssh/regress/broken-pipe.sh create mode 100644 crypto/openssh/regress/brokenkeys.sh create mode 100755 crypto/openssh/regress/cert-hostkey.sh create mode 100755 crypto/openssh/regress/cert-userkey.sh create mode 100644 crypto/openssh/regress/cfgmatch.sh create mode 100644 crypto/openssh/regress/cipher-speed.sh create mode 100755 crypto/openssh/regress/conch-ciphers.sh create mode 100644 crypto/openssh/regress/connect-privsep.sh create mode 100644 crypto/openssh/regress/connect.sh create mode 100755 crypto/openssh/regress/dhgex.sh create mode 100644 crypto/openssh/regress/dsa_ssh2.prv create mode 100644 crypto/openssh/regress/dsa_ssh2.pub create mode 100644 crypto/openssh/regress/dynamic-forward.sh create mode 100644 crypto/openssh/regress/envpass.sh create mode 100644 crypto/openssh/regress/exit-status.sh create mode 100644 crypto/openssh/regress/forcecommand.sh create mode 100755 crypto/openssh/regress/forward-control.sh create mode 100644 crypto/openssh/regress/forwarding.sh create mode 100755 crypto/openssh/regress/host-expand.sh create mode 100755 crypto/openssh/regress/integrity.sh create mode 100755 crypto/openssh/regress/kextype.sh create mode 100755 crypto/openssh/regress/key-options.sh create mode 100644 crypto/openssh/regress/keygen-change.sh create mode 100755 crypto/openssh/regress/keygen-convert.sh create mode 100755 crypto/openssh/regress/keys-command.sh create mode 100644 crypto/openssh/regress/keyscan.sh create mode 100755 crypto/openssh/regress/keytype.sh create mode 100755 crypto/openssh/regress/krl.sh create mode 100755 crypto/openssh/regress/localcommand.sh create mode 100644 crypto/openssh/regress/login-timeout.sh create mode 100755 crypto/openssh/regress/modpipe.c create mode 100644 crypto/openssh/regress/multiplex.sh create mode 100755 crypto/openssh/regress/portnum.sh create mode 100644 crypto/openssh/regress/proto-mismatch.sh create mode 100644 crypto/openssh/regress/proto-version.sh create mode 100644 crypto/openssh/regress/proxy-connect.sh create mode 100755 crypto/openssh/regress/putty-ciphers.sh create mode 100755 crypto/openssh/regress/putty-kex.sh create mode 100755 crypto/openssh/regress/putty-transfer.sh create mode 100644 crypto/openssh/regress/reconfigure.sh create mode 100644 crypto/openssh/regress/reexec.sh create mode 100644 crypto/openssh/regress/rekey.sh create mode 100644 crypto/openssh/regress/rsa_openssh.prv create mode 100644 crypto/openssh/regress/rsa_openssh.pub create mode 100644 crypto/openssh/regress/rsa_ssh2.prv create mode 100644 crypto/openssh/regress/scp-ssh-wrapper.sh create mode 100644 crypto/openssh/regress/scp.sh create mode 100644 crypto/openssh/regress/setuid-allowed.c create mode 100644 crypto/openssh/regress/sftp-badcmds.sh create mode 100644 crypto/openssh/regress/sftp-batch.sh create mode 100755 crypto/openssh/regress/sftp-chroot.sh create mode 100644 crypto/openssh/regress/sftp-cmds.sh create mode 100644 crypto/openssh/regress/sftp-glob.sh create mode 100644 crypto/openssh/regress/sftp-perm.sh create mode 100644 crypto/openssh/regress/sftp.sh create mode 100644 crypto/openssh/regress/ssh-com-client.sh create mode 100644 crypto/openssh/regress/ssh-com-keygen.sh create mode 100644 crypto/openssh/regress/ssh-com-sftp.sh create mode 100644 crypto/openssh/regress/ssh-com.sh create mode 100755 crypto/openssh/regress/ssh2putty.sh create mode 100644 crypto/openssh/regress/sshd-log-wrapper.sh create mode 100644 crypto/openssh/regress/stderr-after-eof.sh create mode 100644 crypto/openssh/regress/stderr-data.sh create mode 100644 crypto/openssh/regress/t4.ok create mode 100644 crypto/openssh/regress/t5.ok create mode 100644 crypto/openssh/regress/test-exec.sh create mode 100644 crypto/openssh/regress/transfer.sh create mode 100644 crypto/openssh/regress/try-ciphers.sh create mode 100644 crypto/openssh/regress/yes-head.sh create mode 100644 crypto/openssh/sandbox-capsicum.c create mode 100644 crypto/openssh/sandbox-seccomp-filter.c create mode 100644 crypto/openssh/sc25519.c create mode 100644 crypto/openssh/sc25519.h delete mode 100644 crypto/openssh/schnorr.h create mode 100644 crypto/openssh/scp.0 create mode 100644 crypto/openssh/sftp-server.0 create mode 100644 crypto/openssh/sftp.0 create mode 100644 crypto/openssh/smult_curve25519_ref.c create mode 100644 crypto/openssh/ssh-add.0 create mode 100644 crypto/openssh/ssh-agent.0 create mode 100644 crypto/openssh/ssh-ed25519.c create mode 100644 crypto/openssh/ssh-keygen.0 create mode 100644 crypto/openssh/ssh-keyscan.0 create mode 100644 crypto/openssh/ssh-keysign.0 create mode 100644 crypto/openssh/ssh-pkcs11-helper.0 create mode 100644 crypto/openssh/ssh.0 create mode 100644 crypto/openssh/ssh_config.0 create mode 100644 crypto/openssh/sshd.0 create mode 100644 crypto/openssh/sshd_config.0 create mode 100644 crypto/openssh/survey.sh.in create mode 100644 crypto/openssh/verify.c diff --git a/Makefile.inc1 b/Makefile.inc1 index 5fe5cc5dd..01ef3d516 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -1357,8 +1357,8 @@ _prebuild_libs= ${_kerberos5_lib_libasn1} ${_kerberos5_lib_libhdb} \ ${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \ ${_cddl_lib_libzfs_core} \ lib/libutil ${_lib_libypclnt} lib/libz lib/msun \ - ${_secure_lib_libcrypto} ${_secure_lib_libssh} \ - ${_secure_lib_libssl} + ${_secure_lib_libcrypto} ${_lib_libldns} \ + ${_secure_lib_libssh} ${_secure_lib_libssl} .if ${MK_LIBTHR} != "no" _lib_libthr= lib/libthr diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog index 826e8c337..38de846ff 100644 --- a/crypto/openssh/ChangeLog +++ b/crypto/openssh/ChangeLog @@ -1,3056 +1,2887 @@ -20130510 - - (djm) OpenBSD CVS Cherrypick - - djm@cvs.openbsd.org 2013/04/11 02:27:50 - [packet.c] - quiet disconnect notifications on the server from error() back to logit() - if it is a normal client closure; bz#2057 ok+feedback dtucker@ - - (djm) [version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Crank version numbers for release. - -20130404 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2013/02/17 23:16:57 - [readconf.c ssh.c readconf.h sshconnect2.c] - Keep track of which IndentityFile options were manually supplied and which - were default options, and don't warn if the latter are missing. - ok markus@ - - dtucker@cvs.openbsd.org 2013/02/19 02:12:47 - [krl.c] - Remove bogus include. ok djm - - dtucker@cvs.openbsd.org 2013/02/22 04:45:09 - [ssh.c readconf.c readconf.h] - Don't complain if IdentityFiles specified in system-wide configs are - missing. ok djm, deraadt. - - markus@cvs.openbsd.org 2013/02/22 19:13:56 - [sshconnect.c] - support ProxyCommand=- (stdin/out already point to the proxy); ok djm@ - - djm@cvs.openbsd.org 2013/02/22 22:09:01 - [ssh.c] - Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier - version) - -20130401 - - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h - to avoid conflicting definitions of __int64, adding the required bits. - Patch from Corinna Vinschen. - -20120322 - - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil - Hands' greatly revised version. - - (djm) Release 6.2p1 - -20120318 - - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] - [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's - so mark it as broken. Patch from des AT des.no - -20120317 - - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none - of the bits the configure test looks for. - -20120316 - - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform - is unable to successfully compile them. Based on patch from des AT - des.no - - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] - Add a usleep replacement for platforms that lack it; ok dtucker - - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to - occur after UID switch; patch from John Marshall via des AT des.no; - ok dtucker@ - -20120312 - - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] - Improve portability of cipher-speed test, based mostly on a patch from - Iain Morgan. - - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin") - in addition to root as an owner of system directories on AIX and HP-UX. - ok djm@ - -20130307 - - (dtucker) [INSTALL] Bump documented autoconf version to what we're - currently using. - - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it - was removed in configure.ac rev 1.481 as it was redundant. - - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days - ago. - - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a - chance to complete on broken systems; ok dtucker@ +20140313 + - (djm) Release OpenSSH 6.6 -20130306 - - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding - connection to start so that the test works on slower machines. - - (dtucker) [configure.ac] test that we can set number of file descriptors - to zero with setrlimit before enabling the rlimit sandbox. This affects - (at least) HPUX 11.11. +20140304 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/03/03 22:22:30 + [session.c] + ignore enviornment variables with embedded '=' or '\0' characters; + spotted by Jann Horn; ok deraadt@ -20130305 - - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for - HP/UX. Spotted by Kevin Brott - - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by - Amit Kulkarni and Kevin Brott. - - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure - build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin - Brott. - - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov. +20140301 + - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when + no moduli file exists at the expected location. -20130227 +20140228 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/02/27 00:41:49 + [bufbn.c] + fix unsigned overflow that could lead to reading a short ssh protocol + 1 bignum value; found by Ben Hawkes; ok deraadt@ + - djm@cvs.openbsd.org 2014/02/27 08:25:09 + [bufbn.c] + off by one in range check + - djm@cvs.openbsd.org 2014/02/27 22:47:07 + [sshd_config.5] + bz#2184 clarify behaviour of a keyword that appears in multiple + matching Match blocks; ok dtucker@ + - djm@cvs.openbsd.org 2014/02/27 22:57:40 + [version.h] + openssh-6.6 + - dtucker@cvs.openbsd.org 2014/01/19 23:43:02 + [regress/sftp-chroot.sh] + Don't use -q on sftp as it suppresses logging, instead redirect the + output to the regress logfile. + - dtucker@cvs.openbsd.org 2014/01/20 00:00:30 + [sregress/ftp-chroot.sh] + append to rather than truncating the log file + - dtucker@cvs.openbsd.org 2014/01/25 04:35:32 + [regress/Makefile regress/dhgex.sh] + Add a test for DH GEX sizes + - djm@cvs.openbsd.org 2014/01/26 10:22:10 + [regress/cert-hostkey.sh] + automatically generate revoked keys from listed keys rather than + manually specifying each type; from portable + (Id sync only) + - djm@cvs.openbsd.org 2014/01/26 10:49:17 + [scp-ssh-wrapper.sh scp.sh] + make sure $SCP is tested on the remote end rather than whichever one + happens to be in $PATH; from portable + (Id sync only) + - djm@cvs.openbsd.org 2014/02/27 20:04:16 + [login-timeout.sh] + remove any existing LoginGraceTime from sshd_config before adding + a specific one for the test back in + - djm@cvs.openbsd.org 2014/02/27 21:21:25 + [agent-ptrace.sh agent.sh] + keep return values that are printed in error messages; + from portable + (Id sync only) - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Crank version numbers - - (tim) [regress/forward-control.sh] use sh in case login shell is csh. - - (tim) [regress/integrity.sh] shell portability fix. - - (tim) [regress/integrity.sh] keep old solaris awk from hanging. - - (tim) [regress/krl.sh] keep old solaris awk from hanging. + - (djm) [regress/host-expand.sh] Add RCS Id -20130226 +20140227 - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/20 08:27:50 - [integrity.sh] - Add an option to modpipe that warns if the modification offset it not - reached in it's stream and turn it on for t-integrity. This should catch - cases where the session is not fuzzed for being too short (cf. my last - "oops" commit) - - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage - for UsePAM=yes configuration + - djm@cvs.openbsd.org 2014/02/26 20:18:37 + [ssh.c] + bz#2205: avoid early hostname lookups unless canonicalisation is enabled; + ok dtucker@ markus@ + - djm@cvs.openbsd.org 2014/02/26 20:28:44 + [auth2-gss.c gss-serv.c ssh-gss.h sshd.c] + bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep + sandboxing, as running this code in the sandbox can cause violations; + ok markus@ + - djm@cvs.openbsd.org 2014/02/26 20:29:29 + [channels.c] + don't assume that the socks4 username is \0 terminated; + spotted by Ben Hawkes; ok markus@ + - markus@cvs.openbsd.org 2014/02/26 21:53:37 + [sshd.c] + ssh_gssapi_prepare_supported_oids needs GSSAPI -20130225 - - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed - to use Solaris native GSS libs. Patch from Pierre Ossman. +20140224 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/02/07 06:55:54 + [cipher.c mac.c] + remove some logging that makes ssh debugging output very verbose; + ok markus + - djm@cvs.openbsd.org 2014/02/15 23:05:36 + [channels.c] + avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W; + bz#2200, debian#738692 via Colin Watson; ok dtucker@ + - djm@cvs.openbsd.org 2014/02/22 01:32:19 + [readconf.c] + when processing Match blocks, skip 'exec' clauses if previous predicates + failed to match; ok markus@ + - djm@cvs.openbsd.org 2014/02/23 20:03:42 + [ssh-ed25519.c] + check for unsigned overflow; not reachable in OpenSSH but others might + copy our code... + - djm@cvs.openbsd.org 2014/02/23 20:11:36 + [readconf.c readconf.h ssh.c ssh_config.5] + reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes + the hostname. This allows users to write configurations that always + refer to canonical hostnames, e.g. + + CanonicalizeHostname yes + CanonicalDomains int.example.org example.org + CanonicalizeFallbackLocal no + + Host *.int.example.org + Compression off + Host *.example.org + User djm + + ok markus@ -20130223 - - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer - bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu. - ok tim +20140213 + - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat + code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex. -20130222 - - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to - ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. - - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named - libgss too. Patch from Pierre Ossman, ok djm. - - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux - seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com; +20140207 + - OpenBSD CVS Sync + - naddy@cvs.openbsd.org 2014/02/05 20:13:25 + [ssh-keygen.1 ssh-keygen.c] + tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@ + while here, fix ordering in usage(); requested by jmc@ + - djm@cvs.openbsd.org 2014/02/06 22:21:01 + [sshconnect.c] + in ssh_create_socket(), only do the getaddrinfo for BindAddress when + BindAddress is actually specified. Fixes regression in 6.5 for + UsePrivilegedPort=yes; patch from Corinna Vinschen + +20140206 + - (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL + before freeing since free(NULL) is a no-op. ok djm. + - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define + __NR_shutdown; some go via the socketcall(2) multiplexer. + +20140205 + - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by + headers/libc but not supported by the kernel. Patch from Loganaden + Velvindron @ AfriNIC + +20140204 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2014/01/27 18:58:14 + [Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h] + replace openssl HMAC with an implementation based on our ssh_digest_* + ok and feedback djm@ + - markus@cvs.openbsd.org 2014/01/27 19:18:54 + [auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c] + replace openssl MD5 with our ssh_digest_*; ok djm@ + - markus@cvs.openbsd.org 2014/01/27 20:13:46 + [digest.c digest-openssl.c digest-libc.c Makefile.in] + rename digest.c to digest-openssl.c and add libc variant; ok djm@ + - jmc@cvs.openbsd.org 2014/01/28 14:13:39 + [ssh-keyscan.1] + kill some bad Pa; + From: Jan Stary + - djm@cvs.openbsd.org 2014/01/29 00:19:26 + [sshd.c] + use kill(0, ...) instead of killpg(0, ...); on most operating systems + they are equivalent, but SUSv2 describes the latter as having undefined + behaviour; from portable; ok dtucker + (Id sync only; change is already in portable) + - djm@cvs.openbsd.org 2014/01/29 06:18:35 + [Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c] + [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h] + [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c] + remove experimental, never-enabled JPAKE code; ok markus@ + - jmc@cvs.openbsd.org 2014/01/29 14:04:51 + [sshd_config.5] + document kbdinteractiveauthentication; + requested From: Ross L Richardson + + dtucker/markus helped explain its workings; + - djm@cvs.openbsd.org 2014/01/30 22:26:14 + [sandbox-systrace.c] + allow shutdown(2) syscall in sandbox - it may be called by packet_close() + from portable + (Id sync only; change is already in portable) + - tedu@cvs.openbsd.org 2014/01/31 16:39:19 + [auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c] + [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c] + [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c] + [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c] + [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h] + replace most bzero with explicit_bzero, except a few that cna be memset + ok djm dtucker + - djm@cvs.openbsd.org 2014/02/02 03:44:32 + [auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c] + [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c] + [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c] + [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c] + [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c] + [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c] + [sshd.c] + convert memset of potentially-private data to explicit_bzero() + - djm@cvs.openbsd.org 2014/02/03 23:28:00 + [ssh-ecdsa.c] + fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike + DSA_SIG_new. Reported by Batz Spear; ok markus@ + - djm@cvs.openbsd.org 2014/02/02 03:44:31 + [digest-libc.c digest-openssl.c] + convert memset of potentially-private data to explicit_bzero() + - djm@cvs.openbsd.org 2014/02/04 00:24:29 + [ssh.c] + delay lowercasing of hostname until right before hostname + canonicalisation to unbreak case-sensitive matching of ssh_config; + reported by Ike Devolder; ok markus@ + - (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o + - (djm) [regress/setuid-allowed.c] Missing string.h for strerror() + +20140131 + - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2) + syscall from sandboxes; it may be called by packet_close. + - (dtucker) [readconf.c] Include for the hton macros. Fixes + build with HP-UX's compiler. Patch from Kevin Brott. + - (tim) [Makefile.in] build regress/setuid-allow. + +20140130 + - (djm) [configure.ac] Only check for width-specified integer types + in headers that actually exist. patch from Tom G. Christensen; + ok dtucker@ + - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering + different symbols for 'read' when various compiler flags are + in use, causing atomicio.c comparisons against it to break and + read/write operations to hang; ok dtucker + - (djm) Release openssh-6.5p1 + +20140129 + - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from + Tom G. Christensen + +20140128 + - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl; ok dtucker + - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the + latter being specified to have undefined behaviour in SUSv3; + ok dtucker + - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable + when used as an error message inside an if statement so we display the + correct into. agent.sh patch from Petr Lautrbach. -20130221 - - (tim) [regress/forward-control.sh] shell portability fix. - -20130220 - - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix. - - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded - err.h include from krl.c. Additional portability fixes for modpipe. OK djm - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/20 08:27:50 - [regress/integrity.sh regress/modpipe.c] - Add an option to modpipe that warns if the modification offset it not - reached in it's stream and turn it on for t-integrity. This should catch - cases where the session is not fuzzed for being too short (cf. my last - "oops" commit) - - djm@cvs.openbsd.org 2013/02/20 08:29:27 - [regress/modpipe.c] - s/Id/OpenBSD/ in RCS tag +20140127 + - (dtucker) [Makefile.in] Remove trailing backslash which some make + implementations (eg older Solaris) do not cope with. -20130219 +20140126 - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/18 22:26:47 - [integrity.sh] - crank the offset yet again; it was still fuzzing KEX one of Darren's - portable test hosts at 2800 - - djm@cvs.openbsd.org 2013/02/19 02:14:09 - [integrity.sh] - oops, forgot to increase the output of the ssh command to ensure that - we actually reach $offset - - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that - lack support for SHA2. - - (djm) [regress/modpipe.c] Add local err, and errx functions for platforms - that do not have them. + - dtucker@cvs.openbsd.org 2014/01/25 10:12:50 + [cipher.c cipher.h kex.c kex.h kexgexc.c] + Add a special case for the DH group size for 3des-cbc, which has an + effective strength much lower than the key size. This causes problems + with some cryptlib implementations, which don't support group sizes larger + than 4k but also don't use the largest group size it does support as + specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, + reduced by me with input from Markus. ok djm@ markus@ + - markus@cvs.openbsd.org 2014/01/25 20:35:37 + [kex.c] + dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) + ok dtucker@, noted by mancha + - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable + RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations, + libc will attempt to open additional file descriptors for crypto + offload and crash if they cannot be opened. + - (djm) [configure.ac] correct AC_DEFINE for previous. + +20140125 + - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD + - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless + sys/capability.h exists and cap_rights_limit is in libc. Fixes + build on FreeBSD9x which provides the header but not the libc + support. + - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test + against the correct thing. + +20140124 + - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make + the scp regress test actually test the built scp rather than the one + in $PATH. ok dtucker@ + +20140123 + - (tim) [session.c] Improve error reporting on set_id(). + - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously + incompatible with OpenBSD's despite post-dating it by more than a decade. + Declare it as broken, and document FreeBSD's as the same. ok djm@ + +20140122 + - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a + platform that is expected to use the reuse-argv style setproctitle + hack surprises us by providing a setproctitle in libc; ok dtucker + - (djm) [configure.ac] Unless specifically requested, only attempt + to build Position Independent Executables on gcc >= 4.x; ok dtucker + - (djm) [configure.ac aclocal.m4] More tests to detect fallout from + platform hardening options: include some long long int arithmatic + to detect missing support functions for -ftrapv in libgcc and + equivalents, actually test linking when -ftrapv is supplied and + set either both -pie/-fPIE or neither. feedback and ok dtucker@ + +20140121 + - (dtucker) [configure.ac] Make PIE a configure-time option which defaults + to on platforms where it's known to be reliably detected and off elsewhere. + Works around platforms such as FreeBSD 9.1 where it does not interop with + -ftrapv (it seems to work but fails when trying to link ssh). ok djm@ + - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time + tests in the configure output. ok djm. + - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced + with sftp chroot support. Move set_id call after chroot. + - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE + and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of + detecting toolchain-related problems; ok dtucker + +20140120 + - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos + implementation does not have krb5_cc_new_unique, similar to what we do + in auth-krb5.c. + - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that + skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@ + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/20 00:08:48 + [digest.c] + memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@ -20130217 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/17 23:16:55 - [integrity.sh] - make the ssh command generates some output to ensure that there are at - least offset+tries bytes in the stream. +20140119 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2014/01/17 06:23:24 + [sftp-server.c] + fix log message statvfs. ok djm + - dtucker@cvs.openbsd.org 2014/01/18 09:36:26 + [session.c] + explicitly define USE_PIPES to 1 to prevent redefinition warnings in + portable on platforms that use pipes for everything. From vinschen at + redhat. + - dtucker@cvs.openbsd.org 2014/01/19 04:17:29 + [canohost.c addrmatch.c] + Cast socklen_t when comparing to size_t and use socklen_t to iterate over + the ip options, both to prevent signed/unsigned comparison warnings. + Patch from vinschen at redhat via portable openssh, begrudging ok deraadt. + - djm@cvs.openbsd.org 2014/01/19 04:48:08 + [ssh_config.5] + fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal + - dtucker@cvs.openbsd.org 2014/01/19 11:21:51 + [addrmatch.c] + Cast the sizeof to socklen_t so it'll work even if the supplied len is + negative. Suggested by and ok djm, ok deraadt. + +20140118 + - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch + from vinschen at redhat.com + - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function + declarations that stopped being included when we stopped including + from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at + redhat.com. + - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs, + optind) are defined in getopt.h already. Unfortunately they are defined as + "declspec(dllimport)" for historical reasons, because the GNU linker didn't + allow auto-import on PE/COFF targets way back when. The problem is the + dllexport attributes collide with the definitions in the various source + files in OpenSSH, which obviousy define the variables without + declspec(dllimport). The least intrusive way to get rid of these warnings + is to disable warnings for GCC compiler attributes when building on Cygwin. + Patch from vinschen at redhat.com. + - (dtucker) [sandbox-capsicum.c] Correct some error messages and make the + return value check for cap_enter() consistent with the other uses in + FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140. + +20140117 + - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain + hardening flags including -fstack-protector-strong. These default to on + if the toolchain supports them, but there is a configure-time knob + (--without-hardening) to disable them if necessary. ok djm@ + - (djm) [sftp-client.c] signed/unsigned comparison fix + - (dtucker) [loginrec.c] Cast to the types specfied in the format + specification to prevent warnings. + - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. + - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. + - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include + includes.h to pull in all of the compatibility stuff. + - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside + #ifdef HAVE_STDINT_H. + - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that + don't have them. + - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into + separate lines and alphabetize for easier diffing of changes. + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/17 00:21:06 + [sftp-client.c] + signed/unsigned comparison warning fix; from portable (Id sync only) + - dtucker@cvs.openbsd.org 2014/01/17 05:26:41 + [digest.c] + remove unused includes. ok djm@ + - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c] + [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] + [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing + using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling + Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@ + - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c + openbsd-compat/openssl-compat.h] Add compatibility layer for older + openssl versions. ok djm@ + - (dtucker) Fix typo in #ifndef. + - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c + openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs + to be useful (and for the regression tests to pass) on platforms that + have statfs and fstatfs. ok djm@ + - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we + need them to cut down on the name collisions. + - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types. + - (dtucker) [configure.ac] Have --without-hardening not turn off + stack-protector since that has a separate flag that's been around a while. + - (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building on + Solaris. + - (dtucker) [defines.h] Move our definitions of uintXX_t types down to after + they're defined if we have to define them ourselves. Fixes builds on old + AIX. + +20140118 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/16 07:31:09 + [sftp-client.c] + needless and incorrect cast to size_t can break resumption of + large download; patch from tobias@ + - djm@cvs.openbsd.org 2014/01/16 07:32:00 + [version.h] + openssh-6.5 + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Crank RPM spec version numbers. + - (djm) [README] update release notes URL. -20130216 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/16 06:08:45 - [integrity.sh] - make sure the fuzz offset is actually past the end of KEX for all KEX - types. diffie-hellman-group-exchange-sha256 requires an offset around - 2700. Noticed via test failures in portable OpenSSH on platforms that - lack ECC and this the more byte-frugal ECDH KEX algorithms. +20140112 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/10 05:59:19 + [sshd_config] + the /etc/ssh/ssh_host_ed25519_key is loaded by default too + - djm@cvs.openbsd.org 2014/01/12 08:13:13 + [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c] + [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c] + avoid use of OpenSSL BIGNUM type and functions for KEX with + Curve25519 by adding a buffer_put_bignum2_from_string() that stores + a string using the bignum encoding rules. Will make it easier to + build a reduced-feature OpenSSH without OpenSSL in the future; + ok markus@ -20130215 - - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from - Iain Morgan - - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] - Use getpgrp() if we don't have getpgid() (old BSDs, maybe others). - - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c - openbsd-compat/openbsd-compat.h] Add strtoull to compat library for - platforms that don't have it. - - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul, - group strto* function prototypes together. - - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes - an argument. Pointed out by djm. +20140110 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/14 21:35:59 - [auth2-pubkey.c] - Correct error message that had a typo and was logging the wrong thing; - patch from Petr Lautrbach - - dtucker@cvs.openbsd.org 2013/02/15 00:21:01 - [sshconnect2.c] - Warn more loudly if an IdentityFile provided by the user cannot be read. - bz #1981, ok djm@ + - tedu@cvs.openbsd.org 2014/01/04 17:50:55 + [mac.c monitor_mm.c monitor_mm.h xmalloc.c] + use standard types and formats for size_t like variables. ok dtucker + - guenther@cvs.openbsd.org 2014/01/09 03:26:00 + [sftp-common.c] + When formating the time for "ls -l"-style output, show dates in the future + with the year, and rearrange a comparison to avoid a potentional signed + arithmetic overflow that would give the wrong result. + ok djm@ + - djm@cvs.openbsd.org 2014/01/09 23:20:00 + [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c] + [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c] + [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c] + [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c] + Introduce digest API and use it to perform all hashing operations + rather than calling OpenSSL EVP_Digest* directly. Will make it easier + to build a reduced-feature OpenSSH without OpenSSL in future; + feedback, ok markus@ + - djm@cvs.openbsd.org 2014/01/09 23:26:48 + [sshconnect.c sshd.c] + ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, + deranged and might make some attacks on KEX easier; ok markus@ + +20140108 + - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ + +20131231 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/30 23:52:28 + [auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c] + [sshconnect.c sshconnect2.c sshd.c] + refuse RSA keys from old proprietary clients/servers that use the + obsolete RSA+MD5 signature scheme. it will still be possible to connect + with these clients/servers but only DSA keys will be accepted, and we'll + deprecate them entirely in a future release. ok markus@ + +20131229 + - (djm) [loginrec.c] Check for username truncation when looking up lastlog + entries + - (djm) [regress/Makefile] Add some generated files for cleaning + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/19 00:10:30 + [ssh-add.c] + skip requesting smartcard PIN when removing keys from agent; bz#2187 + patch from jay AT slushpupie.com; ok dtucker + - dtucker@cvs.openbsd.org 2013/12/19 00:19:12 + [serverloop.c] + Cast client_alive_interval to u_int64_t before assinging to + max_time_milliseconds to avoid potential integer overflow in the timeout. + bz#2170, patch from Loganaden Velvindron, ok djm@ + - djm@cvs.openbsd.org 2013/12/19 00:27:57 + [auth-options.c] + simplify freeing of source-address certificate restriction + - djm@cvs.openbsd.org 2013/12/19 01:04:36 + [channels.c] + bz#2147: fix multiple remote forwardings with dynamically assigned + listen ports. In the s->c message to open the channel we were sending + zero (the magic number to request a dynamic port) instead of the actual + listen port. The client therefore had no way of discriminating between + them. + + Diagnosis and fix by ronf AT timeheart.net + - djm@cvs.openbsd.org 2013/12/19 01:19:41 + [ssh-agent.c] + bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent + that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com; + ok dtucker + - djm@cvs.openbsd.org 2013/12/19 22:57:13 + [poly1305.c poly1305.h] + use full name for author, with his permission + - tedu@cvs.openbsd.org 2013/12/21 07:10:47 + [ssh-keygen.1] + small typo + - djm@cvs.openbsd.org 2013/12/27 22:30:17 + [ssh-dss.c ssh-ecdsa.c ssh-rsa.c] + make the original RSA and DSA signing/verification code look more like + the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type + rather than tediously listing all variants, use __func__ for debug/ + error messages + - djm@cvs.openbsd.org 2013/12/27 22:37:18 + [ssh-rsa.c] + correct comment + - djm@cvs.openbsd.org 2013/12/29 02:28:10 + [key.c] + allow ed25519 keys to appear as certificate authorities + - djm@cvs.openbsd.org 2013/12/29 02:37:04 + [key.c] + correct comment for key_to_certified() + - djm@cvs.openbsd.org 2013/12/29 02:49:52 + [key.c] + correct comment for key_drop_cert() + - djm@cvs.openbsd.org 2013/12/29 04:20:04 + [key.c] + to make sure we don't omit any key types as valid CA keys again, + factor the valid key type check into a key_type_is_valid_ca() + function + - djm@cvs.openbsd.org 2013/12/29 04:29:25 + [authfd.c] + allow deletion of ed25519 keys from the agent + - djm@cvs.openbsd.org 2013/12/29 04:35:50 + [authfile.c] + don't refuse to load Ed25519 certificates + - djm@cvs.openbsd.org 2013/12/29 05:42:16 + [ssh.c] + don't forget to load Ed25519 certs too + - djm@cvs.openbsd.org 2013/12/29 05:57:02 + [sshconnect.c] + when showing other hostkeys, don't forget Ed25519 keys -20130214 - - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. - - (djm) [regress/krl.sh] typo; found by Iain Morgan - - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead - of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by - Iain Morgan +20131221 + - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. -20130212 +20131219 + - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions + greater than 11 either rather than just 11. Patch from Tomas Kuthan. + - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item(). + Patch from Loganaden Velvindron. + +20131218 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/01/24 21:45:37 - [krl.c] - fix handling of (unused) KRL signatures; skip string in correct buffer - - djm@cvs.openbsd.org 2013/01/24 22:08:56 - [krl.c] - skip serial lookup when cert's serial number is zero - - krw@cvs.openbsd.org 2013/01/25 05:00:27 - [krl.c] - Revert last. Breaks due to likely typo. Let djm@ fix later. - ok djm@ via dlg@ - - djm@cvs.openbsd.org 2013/01/25 10:22:19 - [krl.c] - redo last commit without the vi-vomit that snuck in: - skip serial lookup when cert's serial number is zero - (now with 100% better comment) - - djm@cvs.openbsd.org 2013/01/26 06:11:05 - [Makefile.in acss.c acss.h cipher-acss.c cipher.c] - [openbsd-compat/openssl-compat.h] - remove ACSS, now that it is gone from libcrypto too - - djm@cvs.openbsd.org 2013/01/27 10:06:12 - [krl.c] - actually use the xrealloc() return value; spotted by xi.wang AT gmail.com - - dtucker@cvs.openbsd.org 2013/02/06 00:20:42 - [servconf.c sshd_config sshd_config.5] - Change default of MaxStartups to 10:30:100 to start doing random early - drop at 10 connections up to 100 connections. This will make it harder - to DoS as CPUs have come a long way since the original value was set - back in 2000. Prompted by nion at debian org, ok markus@ - - dtucker@cvs.openbsd.org 2013/02/06 00:22:21 - [auth.c] - Fix comment, from jfree.e1 at gmail - - djm@cvs.openbsd.org 2013/02/08 00:41:12 - [sftp.c] - fix NULL deref when built without libedit and control characters - entered as command; debugging and patch from Iain Morgan an - Loganaden Velvindron in bz#1956 - - markus@cvs.openbsd.org 2013/02/10 21:19:34 - [version.h] - openssh 6.2 - - djm@cvs.openbsd.org 2013/02/10 23:32:10 + - djm@cvs.openbsd.org 2013/12/07 08:08:26 + [ssh-keygen.1] + document -a and -o wrt new key format + - naddy@cvs.openbsd.org 2013/12/07 11:58:46 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1] + [ssh_config.5 sshd.8 sshd_config.5] + add missing mentions of ed25519; ok djm@ + - dtucker@cvs.openbsd.org 2013/12/08 09:53:27 + [sshd_config.5] + Use a literal for the default value of KEXAlgorithms. ok deraadt jmc + - markus@cvs.openbsd.org 2013/12/09 11:03:45 + [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] + [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] + Add Authors for the public domain ed25519/nacl code. + see also http://nacl.cr.yp.to/features.html + All of the NaCl software is in the public domain. + and http://ed25519.cr.yp.to/software.html + The Ed25519 software is in the public domain. + - markus@cvs.openbsd.org 2013/12/09 11:08:17 + [crypto_api.h] + remove unused defines + - pascal@cvs.openbsd.org 2013/12/15 18:17:26 + [ssh-add.c] + Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page. + ok markus@ + - djm@cvs.openbsd.org 2013/12/15 21:42:35 + [cipher-chachapoly.c] + add some comments and constify a constant + - markus@cvs.openbsd.org 2013/12/17 10:36:38 + [crypto_api.h] + I've assempled the header file by cut&pasting from generated headers + and the source files. + +20131208 + - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna + Vinschen + - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh] + [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid + filesystem before running agent-ptrace.sh; ok dtucker + +20131207 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/05 22:59:45 + [sftp-client.c] + fix memory leak in error path in do_readdir(); pointed out by + Loganaden Velvindron @ AfriNIC in bz#2163 + - djm@cvs.openbsd.org 2013/12/06 03:40:51 [ssh-keygen.c] - append to moduli file when screening candidates rather than overwriting. - allows resumption of interrupted screen; patch from Christophe Garault - in bz#1957; ok dtucker@ - - djm@cvs.openbsd.org 2013/02/10 23:35:24 - [packet.c] - record "Received disconnect" messages at ERROR rather than INFO priority, - since they are abnormal and result in a non-zero ssh exit status; patch - from Iain Morgan in bz#2057; ok dtucker@ - - dtucker@cvs.openbsd.org 2013/02/11 21:21:58 + remove duplicated character ('g') in getopt() string; + document the (few) remaining option characters so we don't have to + rummage next time. + - markus@cvs.openbsd.org 2013/12/06 13:30:08 + [authfd.c key.c key.h ssh-agent.c] + move private key (de)serialization to key.c; ok djm + - markus@cvs.openbsd.org 2013/12/06 13:34:54 + [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c] + [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by + default; details in PROTOCOL.key; feedback and lots help from djm; + ok djm@ + - markus@cvs.openbsd.org 2013/12/06 13:39:49 + [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] + [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] + [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] + [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] + [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] + support ed25519 keys (hostkeys and user identities) using the public + domain ed25519 reference code from SUPERCOP, see + http://ed25519.cr.yp.to/software.html + feedback, help & ok djm@ + - jmc@cvs.openbsd.org 2013/12/06 15:29:07 + [sshd.8] + missing comma; + - djm@cvs.openbsd.org 2013/12/07 00:19:15 + [key.c] + set k->cert = NULL after freeing it + - markus@cvs.openbsd.org 2013/12/06 13:52:46 + [regress/Makefile regress/agent.sh regress/cert-hostkey.sh] + [regress/cert-userkey.sh regress/keytype.sh] + test ed25519 support; from djm@ + - (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] + [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents + - (djm) [Makefile.in] Add ed25519 sources + - (djm) [authfile.c] Conditionalise inclusion of util.h + - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c] + [openbsd-compat/blf.h openbsd-compat/blowfish.c] + [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in + portable. + - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in] + [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on + Linux + - (djm) [regress/cert-hostkey.sh] Fix merge botch + - (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from + Loganaden Velvindron @ AfriNIC in bz#2179 + +20131205 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2013/11/21 08:05:09 + [ssh_config.5 sshd_config.5] + no need for .Pp before displays; + - deraadt@cvs.openbsd.org 2013/11/25 18:04:21 + [ssh.1 ssh.c] + improve -Q usage and such. One usage change is that the option is now + case-sensitive + ok dtucker markus djm + - jmc@cvs.openbsd.org 2013/11/26 12:14:54 + [ssh.1 ssh.c] + - put -Q in the right place + - Ar was a poor choice for the arguments to -Q. i've chosen an + admittedly equally poor Cm, at least consistent with the rest + of the docs. also no need for multiple instances + - zap a now redundant Nm + - usage() sync + - deraadt@cvs.openbsd.org 2013/11/26 19:15:09 + [pkcs11.h] + cleanup 1 << 31 idioms. Resurrection of this issue pointed out by + Eitan Adler ok markus for ssh, implies same change in kerberosV + - djm@cvs.openbsd.org 2013/12/01 23:19:05 + [PROTOCOL] + mention curve25519-sha256@libssh.org key exchange algorithm + - djm@cvs.openbsd.org 2013/12/02 02:50:27 + [PROTOCOL.chacha20poly1305] + typo; from Jon Cave + - djm@cvs.openbsd.org 2013/12/02 02:56:17 + [ssh-pkcs11-helper.c] + use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC + - djm@cvs.openbsd.org 2013/12/02 03:09:22 + [key.c] + make key_to_blob() return a NULL blob on failure; part of + bz#2175 from Loganaden Velvindron @ AfriNIC + - djm@cvs.openbsd.org 2013/12/02 03:13:14 + [cipher.c] + correct bzero of chacha20+poly1305 key context. bz#2177 from + Loganaden Velvindron @ AfriNIC + + Also make it a memset for consistency with the rest of cipher.c + - djm@cvs.openbsd.org 2013/12/04 04:20:01 + [sftp-client.c] + bz#2171: don't leak local_fd on error; from Loganaden Velvindron @ + AfriNIC + - djm@cvs.openbsd.org 2013/12/05 01:16:41 + [servconf.c servconf.h] + bz#2161 - fix AuthorizedKeysCommand inside a Match block and + rearrange things so the same error is harder to make next time; + with and ok dtucker@ + - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct + -L location for libedit. Patch from Serge van den Boom. + +20131121 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/08 11:15:19 + [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c] + [uidswap.c] Include stdlib.h for free() as per the man page. + - markus@cvs.openbsd.org 2013/11/13 13:48:20 + [ssh-pkcs11.c] + add missing braces found by pedro + - djm@cvs.openbsd.org 2013/11/20 02:19:01 [sshd.c] - Add openssl version to debug output similar to the client. ok markus@ - - djm@cvs.openbsd.org 2013/02/11 23:58:51 + delay closure of in/out fds until after "Bad protocol version + identification..." message, as get_remote_ipaddr/get_remote_port + require them open. + - deraadt@cvs.openbsd.org 2013/11/20 20:53:10 + [scp.c] + unsigned casts for ctype macros where neccessary + ok guenther millert markus + - deraadt@cvs.openbsd.org 2013/11/20 20:54:10 + [canohost.c clientloop.c match.c readconf.c sftp.c] + unsigned casts for ctype macros where neccessary + ok guenther millert markus + - djm@cvs.openbsd.org 2013/11/21 00:45:44 + [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] + [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] + [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] + [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport + cipher "chacha20-poly1305@openssh.com" that combines Daniel + Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an + authenticated encryption mode. + + Inspired by and similar to Adam Langley's proposal for TLS: + http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 + but differs in layout used for the MAC calculation and the use of a + second ChaCha20 instance to separately encrypt packet lengths. + Details are in the PROTOCOL.chacha20poly1305 file. + + Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC + ok markus@ naddy@ + - naddy@cvs.openbsd.org 2013/11/18 05:09:32 + [regress/forward-control.sh] + bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164) + to successfully run this; ok djm@ + - djm@cvs.openbsd.org 2013/11/21 03:15:46 + [regress/krl.sh] + add some reminders for additional tests that I'd like to implement + - djm@cvs.openbsd.org 2013/11/21 03:16:47 + [regress/modpipe.c] + use unsigned long long instead of u_int64_t here to avoid warnings + on some systems portable OpenSSH is built on. + - djm@cvs.openbsd.org 2013/11/21 03:18:51 + [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] [regress/try-ciphers.sh] - remove acss here too - - (djm) [regress/try-ciphers.sh] clean up CVS merge botch + use new "ssh -Q cipher-auth" query to obtain lists of authenticated + encryption ciphers instead of specifying them manually; ensures that + the new chacha20poly1305@openssh.com mode is tested; + + ok markus@ and naddy@ as part of the diff to add + chacha20poly1305@openssh.com -20130211 - - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old - libcrypto that lacks EVP_CIPHER_CTX_ctrl +20131110 + - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by + querying the ones that are compiled in. -20130208 - - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer; - patch from Iain Morgan in bz#2059 - - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows - __attribute__ on return values and work around if necessary. ok djm@ +20131109 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 + [regress/test-exec.sh regress/rekey.sh] + Use smaller test data files to speed up tests. Grow test datafiles + where necessary for a specific test. + - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of + NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the + latter actually works before using it. Fedora (at least) has NID_secp521r1 + that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897). + - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test. + - (dtucker) [configure.ac] Add missing "test". + - (dtucker) [key.c] Check for the correct defines for NID_secp521r1. + +20131108 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/08 01:06:14 + [regress/rekey.sh] + Rekey less frequently during tests to speed them up + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/07 11:58:27 + [cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c] + Output the effective values of Ciphers, MACs and KexAlgorithms when + the default has not been overridden. ok markus@ + - djm@cvs.openbsd.org 2013/11/08 00:39:15 + [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c] + [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c] + [sftp-client.c sftp-glob.c] + use calloc for all structure allocations; from markus@ + - djm@cvs.openbsd.org 2013/11/08 01:38:11 + [version.h] + openssh-6.4 + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update version numbers following release. + - (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of + arc4random_stir for platforms that have arc4random but don't have + arc4random_stir (right now this is only OpenBSD -current). + - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have + EVP_sha256. + - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256. + - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile + warnings. + - (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform + and pass in TEST_ENV. use stderr to get polluted + and the stderr-data test to fail. + - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation: + rather than testing and generating each key, call ssh-keygen -A. + Patch from vinschen at redhat.com. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 + [regress/test-exec.sh regress/rekey.sh] + Use smaller test data files to speed up tests. Grow test datafiles + where necessary for a specific test. + +20131107 + - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) + that got lost in recent merge. + - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff + - (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these + - (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms + that lack it but have arc4random_uniform() + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2013/11/04 11:51:16 + [monitor.c] + fix rekeying for KEX_C25519_SHA256; noted by dtucker@ + RCSID sync only; I thought this was a merge botch and fixed it already + - markus@cvs.openbsd.org 2013/11/06 16:52:11 + [monitor_wrap.c] + fix rekeying for AES-GCM modes; ok deraadt + - djm@cvs.openbsd.org 2013/11/06 23:05:59 + [ssh-pkcs11.c] + from portable: s/true/true_val/ to avoid name collisions on dump platforms + RCSID sync only + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/09 23:44:14 + [regress/Makefile] (ID sync only) + regression test for sftp request white/blacklisting and readonly mode. + - markus@cvs.openbsd.org 2013/11/02 22:39:53 + [regress/kextype.sh] + add curve25519-sha256@libssh.org + - dtucker@cvs.openbsd.org 2013/11/04 12:27:42 + [regress/rekey.sh] + Test rekeying with all KexAlgorithms. + - dtucker@cvs.openbsd.org 2013/11/07 00:12:05 + [regress/rekey.sh] + Test rekeying for every Cipher, MAC and KEX, plus test every KEX with + the GCM ciphers. + - dtucker@cvs.openbsd.org 2013/11/07 01:12:51 + [regress/rekey.sh] + Factor out the data transfer rekey tests + - dtucker@cvs.openbsd.org 2013/11/07 02:48:38 + [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh] + Use ssh -Q instead of hardcoding lists of ciphers or MACs. + - dtucker@cvs.openbsd.org 2013/11/07 03:55:41 + [regress/kextype.sh] + Use ssh -Q to get kex types instead of a static list. + - dtucker@cvs.openbsd.org 2013/11/07 04:26:56 + [regress/kextype.sh] + trailing space + - (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment + variable. It's no longer used now that we get the supported MACs from + ssh -Q. + +20131104 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2013/11/02 20:03:54 + [ssh-pkcs11.c] + support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys; + fixes bz#1908; based on patch from Laurent Barbe; ok djm + - markus@cvs.openbsd.org 2013/11/02 21:59:15 + [kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] + use curve25519 for default key exchange (curve25519-sha256@libssh.org); + initial patch from Aris Adamantiadis; ok djm@ + - markus@cvs.openbsd.org 2013/11/02 22:10:15 + [kexdhs.c kexecdhs.c] + no need to include monitor_wrap.h + - markus@cvs.openbsd.org 2013/11/02 22:24:24 + [kexdhs.c kexecdhs.c] + no need to include ssh-gss.h + - markus@cvs.openbsd.org 2013/11/02 22:34:01 + [auth-options.c] + no need to include monitor_wrap.h and ssh-gss.h + - markus@cvs.openbsd.org 2013/11/02 22:39:19 + [ssh_config.5 sshd_config.5] + the default kex is now curve25519-sha256@libssh.org + - djm@cvs.openbsd.org 2013/11/03 10:37:19 + [roaming_common.c] + fix a couple of function definitions foo() -> foo(void) + (-Wold-style-definition) + - (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from + KEX/curve25519 change + +20131103 + - (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep. + From OpenSMTPD where it prevents "implicit declaration" warnings (it's + a no-op in OpenSSH). From chl at openbsd. + - (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd + vsnprintf. From eric at openbsd via chl@. + - (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t + for platforms that don't have them. + +20131030 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/29 09:42:11 + [key.c key.h] + fix potential stack exhaustion caused by nested certificates; + report by Mateusz Kocielski; ok dtucker@ markus@ + - djm@cvs.openbsd.org 2013/10/29 09:48:02 + [servconf.c servconf.h session.c sshd_config sshd_config.5] + shd_config PermitTTY to disallow TTY allocation, mirroring the + longstanding no-pty authorized_keys option; + bz#2070, patch from Teran McKinney; ok markus@ + - jmc@cvs.openbsd.org 2013/10/29 18:49:32 + [sshd_config.5] + pty(4), not pty(7); -20130207 - - (djm) [configure.ac] Don't probe seccomp capability of running kernel - at configure time; the seccomp sandbox will fall back to rlimit at - runtime anyway. Patch from plautrba AT redhat.com in bz#2011 +20131026 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/25 23:04:51 + [ssh.c] + fix crash when using ProxyCommand caused by previous commit - was calling + freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@ + +20131025 + - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove + unnecessary arc4random_stir() calls. The only ones left are to ensure + that the PRNG gets a different state after fork() for platforms that + have broken the API. + +20131024 + - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check + rather than full client name which may be of form user@REALM; + patch from Miguel Sanders; ok dtucker@ + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/10/23 05:40:58 + [servconf.c] + fix comment + - djm@cvs.openbsd.org 2013/10/23 23:35:32 + [sshd.c] + include local address and port in "Connection from ..." message (only + shown at loglevel>=verbose) + - dtucker@cvs.openbsd.org 2013/10/24 00:49:49 + [moduli.c] + Periodically print progress and, if possible, expected time to completion + when screening moduli for DH groups. ok deraadt djm + - dtucker@cvs.openbsd.org 2013/10/24 00:51:48 + [readconf.c servconf.c ssh_config.5 sshd_config.5] + Disallow empty Match statements and add "Match all" which matches + everything. ok djm, man page help jmc@ + - djm@cvs.openbsd.org 2013/10/24 08:19:36 + [ssh.c] + fix bug introduced in hostname canonicalisation commit: don't try to + resolve hostnames when a ProxyCommand is set unless the user has forced + canonicalisation; spotted by Iain Morgan + - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd" -20130120 - - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h] - Move prototypes for replacement ciphers to openssl-compat.h; fix EVP - prototypes for openssl-1.0.0-fips. +20131023 - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2013/01/18 07:57:47 - [ssh-keygen.1] - tweak previous; - - jmc@cvs.openbsd.org 2013/01/18 07:59:46 + - djm@cvs.openbsd.org 2013/10/20 04:39:28 + [ssh_config.5] + document % expansions performed by "Match command ..." + - djm@cvs.openbsd.org 2013/10/20 06:19:28 + [readconf.c ssh_config.5] + rename "command" subclause of the recently-added "Match" keyword to + "exec"; it's shorter, clearer in intent and we might want to add the + ability to match against the command being executed at the remote end in + the future. + - djm@cvs.openbsd.org 2013/10/20 09:51:26 + [scp.1 sftp.1] + add canonicalisation options to -o lists + - jmc@cvs.openbsd.org 2013/10/20 18:00:13 + [ssh_config.5] + tweak the "exec" description, as worded by djm; + - djm@cvs.openbsd.org 2013/10/23 03:03:07 + [readconf.c] + Hostname may have %h sequences that should be expanded prior to Match + evaluation; spotted by Iain Morgan + - djm@cvs.openbsd.org 2013/10/23 03:05:19 + [readconf.c ssh.c] + comment + - djm@cvs.openbsd.org 2013/10/23 04:16:22 [ssh-keygen.c] - -u before -V in usage(); - - jmc@cvs.openbsd.org 2013/01/18 08:00:49 - [sshd_config.5] - tweak previous; - - jmc@cvs.openbsd.org 2013/01/18 08:39:04 - [ssh-keygen.1] - add -Q to the options list; ok djm - - jmc@cvs.openbsd.org 2013/01/18 21:48:43 - [ssh-keygen.1] - command-line (adj.) -> command line (n.); - - jmc@cvs.openbsd.org 2013/01/19 07:13:25 - [ssh-keygen.1] - fix some formatting; ok djm - - markus@cvs.openbsd.org 2013/01/19 12:34:55 - [krl.c] - RB_INSERT does not remove existing elments; ok djm@ - - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer - version. - - (djm) [regress/krl.sh] replacement for jot; most platforms lack it + Make code match documentation: relative-specified certificate expiry time + should be relative to current time and not the validity start time. + Reported by Petr Lautrbach; ok deraadt@ -20130118 +20131018 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/01/17 23:00:01 - [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] - [krl.c krl.h PROTOCOL.krl] - add support for Key Revocation Lists (KRLs). These are a compact way to - represent lists of revoked keys and certificates, taking as little as - a single bit of incremental cost to revoke a certificate by serial number. - KRLs are loaded via the existing RevokedKeys sshd_config option. - feedback and ok markus@ - - djm@cvs.openbsd.org 2013/01/18 00:45:29 - [regress/Makefile regress/cert-userkey.sh regress/krl.sh] - Tests for Key Revocation Lists (KRLs) - - djm@cvs.openbsd.org 2013/01/18 03:00:32 - [krl.c] - fix KRL generation bug for list sections - -20130117 - - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] - check for GCM support before testing GCM ciphers. + - djm@cvs.openbsd.org 2013/10/09 23:44:14 + [regress/Makefile regress/sftp-perm.sh] + regression test for sftp request white/blacklisting and readonly mode. + - jmc@cvs.openbsd.org 2013/10/17 07:35:48 + [sftp.1 sftp.c] + tweak previous; + - djm@cvs.openbsd.org 2013/10/17 22:08:04 + [sshd.c] + include remote port in bad banner message; bz#2162 -20130112 +20131017 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/01/12 11:22:04 - [cipher.c] - improve error message for integrity failure in AES-GCM modes; ok markus@ - - djm@cvs.openbsd.org 2013/01/12 11:23:53 - [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] - test AES-GCM modes; feedback markus@ - - (djm) [regress/integrity.sh] repair botched merge + - jmc@cvs.openbsd.org 2013/10/15 14:10:25 + [ssh.1 ssh_config.5] + tweak previous; + - djm@cvs.openbsd.org 2013/10/16 02:31:47 + [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] + [sshconnect.c sshconnect.h] + Implement client-side hostname canonicalisation to allow an explicit + search path of domain suffixes to use to convert unqualified host names + to fully-qualified ones for host key matching. + This is particularly useful for host certificates, which would otherwise + need to list unqualified names alongside fully-qualified ones (and this + causes a number of problems). + "looks fine" markus@ + - jmc@cvs.openbsd.org 2013/10/16 06:42:25 + [ssh_config.5] + tweak previous; + - djm@cvs.openbsd.org 2013/10/16 22:49:39 + [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] + s/canonicalise/canonicalize/ for consistency with existing spelling, + e.g. authorized_keys; pointed out by naddy@ + - djm@cvs.openbsd.org 2013/10/16 22:58:01 + [ssh.c ssh_config.5] + one I missed in previous: s/isation/ization/ + - djm@cvs.openbsd.org 2013/10/17 00:30:13 + [PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c] + fsync@openssh.com protocol extension for sftp-server + client support to allow calling fsync() faster successful transfer + patch mostly by imorgan AT nas.nasa.gov; bz#1798 + "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@ + - djm@cvs.openbsd.org 2013/10/17 00:46:49 + [ssh.c] + rearrange check to reduce diff against -portable + (Id sync only) -20130109 +20131015 - (djm) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2012/12/14 05:26:43 - [auth.c] - use correct string in error message; from rustybsd at gmx.fr - - djm@cvs.openbsd.org 2013/01/02 00:32:07 - [clientloop.c mux.c] - channel_setup_local_fwd_listener() returns 0 on failure, not -ve - bz#2055 reported by mathieu.lacage AT gmail.com - - djm@cvs.openbsd.org 2013/01/02 00:33:49 - [PROTOCOL.agent] - correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED - bz#2051 from david AT lechnology.com - - djm@cvs.openbsd.org 2013/01/03 05:49:36 - [servconf.h] - add a couple of ServerOptions members that should be copied to the privsep - child (for consistency, in this case they happen only to be accessed in - the monitor); ok dtucker@ - - djm@cvs.openbsd.org 2013/01/03 12:49:01 - [PROTOCOL] - fix description of MAC calculation for EtM modes; ok markus@ - - djm@cvs.openbsd.org 2013/01/03 12:54:49 + - djm@cvs.openbsd.org 2013/10/09 23:42:17 [sftp-server.8 sftp-server.c] - allow specification of an alternate start directory for sftp-server(8) - "I like this" markus@ - - djm@cvs.openbsd.org 2013/01/03 23:22:58 - [ssh-keygen.c] - allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ... - ok markus@ - - jmc@cvs.openbsd.org 2013/01/04 19:26:38 + Add ability to whitelist and/or blacklist sftp protocol requests by name. + Refactor dispatch loop and consolidate read-only mode checks. + Make global variables static, since sftp-server is linked into sshd(8). + ok dtucker@ + - djm@cvs.openbsd.org 2013/10/10 00:53:25 + [sftp-server.c] + add -Q, -P and -p to usage() before jmc@ catches me + - djm@cvs.openbsd.org 2013/10/10 01:43:03 + [sshd.c] + bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly + updated; ok dtucker@ + - djm@cvs.openbsd.org 2013/10/11 02:45:36 + [sftp-client.c] + rename flag arguments to be more clear and consistent. + reorder some internal function arguments to make adding additional flags + easier. + no functional change + - djm@cvs.openbsd.org 2013/10/11 02:52:23 + [sftp-client.c] + missed one arg reorder + - djm@cvs.openbsd.org 2013/10/11 02:53:45 + [sftp-client.h] + obsolete comment + - jmc@cvs.openbsd.org 2013/10/14 14:18:56 [sftp-server.8 sftp-server.c] - sftp-server.8: add argument name to -d - sftp-server.c: add -d to usage() + tweak previous; ok djm - - markus@cvs.openbsd.org 2013/01/08 18:49:04 - [PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c] - [myproposal.h packet.c ssh_config.5 sshd_config.5] - support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) - ok and feedback djm@ - - djm@cvs.openbsd.org 2013/01/09 05:40:17 - [ssh-keygen.c] - correctly initialise fingerprint type for fingerprinting PKCS#11 keys - - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h] - Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little - cipher compat code to openssl-compat.h - -20121217 - - (dtucker) [Makefile.in] Add some scaffolding so that the new regress - tests will work with VPATH directories. + - djm@cvs.openbsd.org 2013/10/14 21:20:52 + [session.c session.h] + Add logging of session starts in a useful format; ok markus@ feedback and + ok dtucker@ + - djm@cvs.openbsd.org 2013/10/14 22:22:05 + [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] + add a "Match" keyword to ssh_config that allows matching on hostname, + user and result of arbitrary commands. "nice work" markus@ + - djm@cvs.openbsd.org 2013/10/14 23:28:23 + [canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c] + refactor client config code a little: + add multistate option partsing to readconf.c, similar to servconf.c's + existing code. + move checking of options that accept "none" as an argument to readconf.c + add a lowercase() function and use it instead of explicit tolower() in + loops + part of a larger diff that was ok markus@ + - djm@cvs.openbsd.org 2013/10/14 23:31:01 + [ssh.c] + whitespace at EOL; pointed out by markus@ + - [ssh.c] g/c unused variable. -20121213 +20131010 + - (dtucker) OpenBSD CVS Sync + - sthen@cvs.openbsd.org 2013/09/16 11:35:43 + [ssh_config] + Remove gssapi config parts from ssh_config, as was already done for + sshd_config. Req by/ok ajacoutot@ + ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular + - djm@cvs.openbsd.org 2013/09/19 00:24:52 + [progressmeter.c] + store the initial file offset so the progress meter doesn't freak out + when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@` + - djm@cvs.openbsd.org 2013/09/19 00:49:12 + [sftp-client.c] + fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan + - djm@cvs.openbsd.org 2013/09/19 01:24:46 + [channels.c] + bz#1297 - tell the client (via packet_send_debug) when their preferred + listen address has been overridden by the server's GatewayPorts; + ok dtucker@ + - djm@cvs.openbsd.org 2013/09/19 01:26:29 + [sshconnect.c] + bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from + swp AT swp.pp.ru; ok dtucker@ + - dtucker@cvs.openbsd.org 2013/10/08 11:42:13 + [dh.c dh.h] + Increase the size of the Diffie-Hellman groups requested for a each + symmetric key size. New values from NIST Special Publication 800-57 with + the upper limit specified by RFC4419. Pointed out by Peter Backes, ok + djm@. + +20131009 + - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull + in OpenBSD implementation of arc4random, shortly to replace the existing + bsd-arc4random.c + - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c] + [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random + implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@, + tested tim@ + +20130922 + - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj + setting when handling SIGHUP to maintain behaviour over retart. Patch + from Matthew Ife. + +20130918 + - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu. + +20130914 - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2012/12/12 16:45:52 - [packet.c] - reset incoming_packet buffer for each new packet in EtM-case, too; - this happens if packets are parsed only parially (e.g. ignore - messages sent when su/sudo turn off echo); noted by sthen/millert - - naddy@cvs.openbsd.org 2012/12/12 16:46:10 - [cipher.c] - use OpenSSL's EVP_aes_{128,192,256}_ctr() API and remove our hand-rolled - counter mode code; ok djm@ - - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our - compat code for older OpenSSL - - (djm) [cipher.c] Fix missing prototype for compat code - -20121212 + - djm@cvs.openbsd.org 2013/08/22 19:02:21 + [sshd.c] + Stir PRNG after post-accept fork. The child gets a different PRNG state + anyway via rexec and explicit privsep reseeds, but it's good to be sure. + ok markus@ + - mikeb@cvs.openbsd.org 2013/08/28 12:34:27 + [ssh-keygen.c] + improve batch processing a bit by making use of the quite flag a bit + more often and exit with a non zero code if asked to find a hostname + in a known_hosts file and it wasn't there; + originally from reyk@, ok djm + - djm@cvs.openbsd.org 2013/08/31 00:13:54 + [sftp.c] + make ^w match ksh behaviour (delete previous word instead of entire line) + - deraadt@cvs.openbsd.org 2013/09/02 22:00:34 + [ssh-keygen.c sshconnect1.c sshd.c] + All the instances of arc4random_stir() are bogus, since arc4random() + does this itself, inside itself, and has for a very long time.. Actually, + this was probably reducing the entropy available. + ok djm + ID SYNC ONLY for portable; we don't trust other arc4random implementations + to do this right. + - sthen@cvs.openbsd.org 2013/09/07 13:53:11 + [sshd_config] + Remove commented-out kerberos/gssapi config options from sample config, + kerberos support is currently not enabled in ssh in OpenBSD. Discussed with + various people; ok deraadt@ + ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular + - djm@cvs.openbsd.org 2013/09/12 01:41:12 + [clientloop.c] + fix connection crash when sending break (~B) on ControlPersist'd session; + ok dtucker@ + - djm@cvs.openbsd.org 2013/09/13 06:54:34 + [channels.c] + avoid unaligned access in code that reused a buffer to send a + struct in_addr in a reply; simpler just use use buffer_put_int(); + from portable; spotted by and ok dtucker@ + +20130828 + - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the + 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we + start to use them in the future. + - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits + until we have configure support. + +20130821 - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2012/12/11 22:16:21 - [monitor.c] - drain the log messages after receiving the keystate from the unpriv - child. otherwise it might block while sending. ok djm@ - - markus@cvs.openbsd.org 2012/12/11 22:31:18 - [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] - [packet.c ssh_config.5 sshd_config.5] - add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms - that change the packet format and compute the MAC over the encrypted - message (including the packet size) instead of the plaintext data; - these EtM modes are considered more secure and used by default. - feedback and ok djm@ - - sthen@cvs.openbsd.org 2012/12/11 22:51:45 - [mac.c] - fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ - - markus@cvs.openbsd.org 2012/12/11 22:32:56 - [regress/try-ciphers.sh] - add etm modes - - markus@cvs.openbsd.org 2012/12/11 22:42:11 - [regress/Makefile regress/modpipe.c regress/integrity.sh] - test the integrity of the packets; with djm@ - - markus@cvs.openbsd.org 2012/12/11 23:12:13 - [try-ciphers.sh] - add hmac-ripemd160-etm@openssh.com - - (djm) [mac.c] fix merge botch - - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test - work on platforms without 'jot' - - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip - - (djm) [regress/Makefile] fix t-exec rule - -20121207 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2012/12/06 06:06:54 - [regress/keys-command.sh] - Fix some problems with the keys-command test: - - use string comparison rather than numeric comparison - - check for existing KEY_COMMAND file and don't clobber if it exists - - clean up KEY_COMMAND file if we do create it. - - check that KEY_COMMAND is executable (which it won't be if eg /var/run - is mounted noexec). - ok djm. - - jmc@cvs.openbsd.org 2012/12/03 08:33:03 - [ssh-add.1 sshd_config.5] - tweak previous; - - markus@cvs.openbsd.org 2012/12/05 15:42:52 - [ssh-add.c] - prevent double-free of comment; ok djm@ - - dtucker@cvs.openbsd.org 2012/12/07 01:51:35 - [serverloop.c] - Cast signal to int for logging. A no-op on openbsd (they're always ints) - but will prevent warnings in portable. ok djm@ - -20121205 - - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. - -20121203 - - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get - TAILQ_FOREACH_SAFE needed for upcoming changes. + - djm@cvs.openbsd.org 2013/08/06 23:03:49 + [sftp.c] + fix some whitespace at EOL + make list of commands an enum rather than a long list of defines + add -a to usage() + - djm@cvs.openbsd.org 2013/08/06 23:05:01 + [sftp.1] + document top-level -a option (the -a option to 'get' was already + documented) + - djm@cvs.openbsd.org 2013/08/06 23:06:01 + [servconf.c] + add cast to avoid format warning; from portable + - jmc@cvs.openbsd.org 2013/08/07 06:24:51 + [sftp.1 sftp.c] + sort -a; + - djm@cvs.openbsd.org 2013/08/08 04:52:04 + [sftp.c] + fix two year old regression: symlinking a file would incorrectly + canonicalise the target path. bz#2129 report from delphij AT freebsd.org + - djm@cvs.openbsd.org 2013/08/08 05:04:03 + [sftp-client.c sftp-client.h sftp.c] + add a "-l" flag for the rename command to force it to use the silly + standard SSH_FXP_RENAME command instead of the POSIX-rename- like + posix-rename@openssh.com extension. + + intended for use in regress tests, so no documentation. + - djm@cvs.openbsd.org 2013/08/09 03:37:25 + [sftp.c] + do getopt parsing for all sftp commands (with an empty optstring for + commands without arguments) to ensure consistent behaviour + - djm@cvs.openbsd.org 2013/08/09 03:39:13 + [sftp-client.c] + two problems found by a to-be-committed regress test: 1) msg_id was not + being initialised so was starting at a random value from the heap + (harmless, but confusing). 2) some error conditions were not being + propagated back to the caller + - djm@cvs.openbsd.org 2013/08/09 03:56:42 + [sftp.c] + enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; + matching ksh's relatively recent change. + - djm@cvs.openbsd.org 2013/08/13 18:32:08 + [ssh-keygen.c] + typo in error message; from Stephan Rickauer + - djm@cvs.openbsd.org 2013/08/13 18:33:08 + [ssh-keygen.c] + another of the same typo + - jmc@cvs.openbsd.org 2013/08/14 08:39:27 + [scp.1 ssh.1] + some Bx/Ox conversion; + From: Jan Stary + - djm@cvs.openbsd.org 2013/08/20 00:11:38 + [readconf.c readconf.h ssh_config.5 sshconnect.c] + Add a ssh_config ProxyUseFDPass option that supports the use of + ProxyCommands that establish a connection and then pass a connected + file descriptor back to ssh(1). This allows the ProxyCommand to exit + rather than have to shuffle data back and forth and enables ssh to use + getpeername, etc. to obtain address information just like it does with + regular directly-connected sockets. ok markus@ + - jmc@cvs.openbsd.org 2013/08/20 06:56:07 + [ssh.1 ssh_config.5] + some proxyusefdpass tweaks; + +20130808 + - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt + since some platforms (eg really old FreeBSD) don't have it. Instead, + run "make clean" before a complete regress run. ok djm. + - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime( + CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the + CLOCK_MONOTONIC define but don't actually support it. Found and tested + by Kevin Brott, ok djm. + - (dtucker) [misc.c] Remove define added for fallback testing that was + mistakenly included in the previous commit. + - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt + removal. The "make clean" removes modpipe which is built by the top-level + directory before running the tests. Spotted by tim@ + - (djm) Release 6.3p1 + +20130804 + - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support + for building with older Heimdal versions. ok djm. + +20130801 + - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non- + blocking connecting socket will clear any stored errno that might + otherwise have been retrievable via getsockopt(). A hack to limit writes + to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap + it in an #ifdef. Diagnosis and patch from Ivo Raisr. + - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134 + +20130725 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2012/12/02 20:26:11 - [ssh_config.5 sshconnect2.c] - Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. - This allows control of which keys are offered from tokens using - IdentityFile. ok markus@ - - djm@cvs.openbsd.org 2012/12/02 20:42:15 - [ssh-add.1 ssh-add.c] - make deleting explicit keys "ssh-add -d" symmetric with adding keys - - try to delete the corresponding certificate too and respect the -k option - to allow deleting of the key only; feedback and ok markus@ - - djm@cvs.openbsd.org 2012/12/02 20:46:11 - [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] - [sshd_config.5] - make AllowTcpForwarding accept "local" and "remote" in addition to its - current "yes"/"no" to allow the server to specify whether just local or - remote TCP forwarding is enabled. ok markus@ - - dtucker@cvs.openbsd.org 2012/10/05 02:20:48 - [regress/cipher-speed.sh regress/try-ciphers.sh] - Add umac-128@openssh.com to the list of MACs to be tested - - djm@cvs.openbsd.org 2012/10/19 05:10:42 - [regress/cert-userkey.sh] - include a serial number when generating certs - - djm@cvs.openbsd.org 2012/11/22 22:49:30 - [regress/Makefile regress/keys-command.sh] - regress for AuthorizedKeysCommand; hints from markus@ - - djm@cvs.openbsd.org 2012/12/02 20:47:48 - [Makefile regress/forward-control.sh] - regress for AllowTcpForwarding local/remote; ok markus@ - - djm@cvs.openbsd.org 2012/12/03 00:14:06 - [auth2-chall.c ssh-keygen.c] - Fix compilation with -Wall -Werror (trivial type fixes) - - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation - debugging. ok dtucker@ - - (djm) [configure.ac] Revert previous. configure.ac already does this - for us. - -20121114 + - djm@cvs.openbsd.org 2013/07/20 22:20:42 + [krl.c] + fix verification error in (as-yet usused) KRL signature checking path + - djm@cvs.openbsd.org 2013/07/22 05:00:17 + [umac.c] + make MAC key, data to be hashed and nonce for final hash const; + checked with -Wcast-qual + - djm@cvs.openbsd.org 2013/07/22 12:20:02 + [umac.h] + oops, forgot to commit corresponding header change; + spotted by jsg and jasper + - djm@cvs.openbsd.org 2013/07/25 00:29:10 + [ssh.c] + daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure + it is fully detached from its controlling terminal. based on debugging + - djm@cvs.openbsd.org 2013/07/25 00:56:52 + [sftp-client.c sftp-client.h sftp.1 sftp.c] + sftp support for resuming partial downloads; patch mostly by Loganaden + Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@ + "Just be careful" deraadt@ + - djm@cvs.openbsd.org 2013/07/25 00:57:37 + [version.h] + openssh-6.3 for release + - dtucker@cvs.openbsd.org 2013/05/30 20:12:32 + [regress/test-exec.sh] + use ssh and sshd as testdata since it needs to be >256k for the rekey test + - dtucker@cvs.openbsd.org 2013/06/10 21:56:43 + [regress/forwarding.sh] + Add test for forward config parsing + - djm@cvs.openbsd.org 2013/06/21 02:26:26 + [regress/sftp-cmds.sh regress/test-exec.sh] + unbreak sftp-cmds for renamed test data (s/ls/data/) + - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on + Solaris and UnixWare. Feedback and OK djm@ + - (tim) [regress/forwarding.sh] Fix for building outside source tree. + +20130720 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2012/11/14 02:24:27 - [auth2-pubkey.c] - fix username passed to helper program - prepare stdio fds before closefrom() - spotted by landry@ - - djm@cvs.openbsd.org 2012/11/14 02:32:15 - [ssh-keygen.c] - allow the full range of unsigned serial numbers; 'fine' deraadt@ - - djm@cvs.openbsd.org 2012/12/02 20:34:10 - [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] - [monitor.c monitor.h] - Fixes logging of partial authentication when privsep is enabled - Previously, we recorded "Failed xxx" since we reset authenticated before - calling auth_log() in auth2.c. This adds an explcit "Partial" state. - - Add a "submethod" to auth_log() to report which submethod is used - for keyboard-interactive. - - Fix multiple authentication when one of the methods is - keyboard-interactive. - - ok markus@ - - dtucker@cvs.openbsd.org 2012/10/05 02:05:30 - [regress/multiplex.sh] - Use 'kill -0' to test for the presence of a pid since it's more portable + - markus@cvs.openbsd.org 2013/07/19 07:37:48 + [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c] + [servconf.h session.c sshd.c sshd_config.5] + add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, + or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 + ok djm@ + - djm@cvs.openbsd.org 2013/07/20 01:43:46 + [umac.c] + use a union to ensure correct alignment; ok deraadt + - djm@cvs.openbsd.org 2013/07/20 01:44:37 + [ssh-keygen.c ssh.c] + More useful error message on missing current user in /etc/passwd + - djm@cvs.openbsd.org 2013/07/20 01:50:20 + [ssh-agent.c] + call cleanup_handler on SIGINT when in debug mode to ensure sockets + are cleaned up on manual exit; bz#2120 + - djm@cvs.openbsd.org 2013/07/20 01:55:13 + [auth-krb5.c gss-serv-krb5.c gss-serv.c] + fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@ -20121107 +20130718 - (djm) OpenBSD CVS Sync - - eric@cvs.openbsd.org 2011/11/28 08:46:27 - [moduli.5] - fix formula - ok djm@ - - jmc@cvs.openbsd.org 2012/09/26 17:34:38 - [moduli.5] - last stage of rfc changes, using consistent Rs/Re blocks, and moving the - references into a STANDARDS section; + - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 + [readconf.c] + revert 1.203 while we investigate crashes reported by okan@ + - guenther@cvs.openbsd.org 2013/06/17 04:48:42 + [scp.c] + Handle time_t values as long long's when formatting them and when + parsing them from remote servers. + Improve error checking in parsing of 'T' lines. + ok dtucker@ deraadt@ + - markus@cvs.openbsd.org 2013/06/20 19:15:06 + [krl.c] + don't leak the rdata blob on errors; ok djm@ + - djm@cvs.openbsd.org 2013/06/21 00:34:49 + [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] + for hostbased authentication, print the client host and user on + the auth success/failure line; bz#2064, ok dtucker@ + - djm@cvs.openbsd.org 2013/06/21 00:37:49 + [ssh_config.5] + explicitly mention that IdentitiesOnly can be used with IdentityFile + to control which keys are offered from an agent. + - djm@cvs.openbsd.org 2013/06/21 05:42:32 + [dh.c] + sprinkle in some error() to explain moduli(5) parse failures + - djm@cvs.openbsd.org 2013/06/21 05:43:10 + [scp.c] + make this -Wsign-compare clean after time_t conversion + - djm@cvs.openbsd.org 2013/06/22 06:31:57 + [scp.c] + improved time_t overflow check suggested by guenther@ + - jmc@cvs.openbsd.org 2013/06/27 14:05:37 + [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] + do not use Sx for sections outwith the man page - ingo informs me that + stuff like html will render with broken links; + issue reported by Eric S. Raymond, via djm + - markus@cvs.openbsd.org 2013/07/02 12:31:43 + [dh.c] + remove extra whitespace + - djm@cvs.openbsd.org 2013/07/12 00:19:59 + [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c] + [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c] + fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ + - djm@cvs.openbsd.org 2013/07/12 00:20:00 + [sftp.c ssh-keygen.c ssh-pkcs11.c] + fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ + - djm@cvs.openbsd.org 2013/07/12 00:43:50 + [misc.c] + in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when + errno == 0. Avoids confusing error message in some broken resolver + cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker + - djm@cvs.openbsd.org 2013/07/12 05:42:03 + [ssh-keygen.c] + do_print_resource_record() can never be called with a NULL filename, so + don't attempt (and bungle) asking for one if it has not been specified + bz#2127 ok dtucker@ + - djm@cvs.openbsd.org 2013/07/12 05:48:55 + [ssh.c] + set TCP nodelay for connections started with -N; bz#2124 ok dtucker@ + - schwarze@cvs.openbsd.org 2013/07/16 00:07:52 + [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8] + use .Mt for email addresses; from Jan Stary ; ok jmc@ + - djm@cvs.openbsd.org 2013/07/18 01:12:26 + [ssh.1] + be more exact wrt perms for ~/.ssh/config; bz#2078 -20121105 - - (dtucker) [uidswap.c openbsd-compat/Makefile.in - openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h - openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids - and gids from uidswap.c to the compat library, which allows it to work with - the new setresuid calls in auth2-pubkey. with tim@, ok djm@ - - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that - don't have it. Spotted by tim@. +20130702 + - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config + contrib/cygwin/ssh-user-config] Modernizes and improve readability of + the Cygwin README file (which hasn't been updated for ages), drop + unsupported OSes from the ssh-host-config help text, and drop an + unneeded option from ssh-user-config. Patch from vinschen at redhat com. -20121104 +20130610 - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2012/10/31 08:04:50 - [sshd_config.5] - tweak previous; - - djm@cvs.openbsd.org 2012/11/04 10:38:43 - [auth2-pubkey.c sshd.c sshd_config.5] - Remove default of AuthorizedCommandUser. Administrators are now expected - to explicitly specify a user. feedback and ok markus@ - - djm@cvs.openbsd.org 2012/11/04 11:09:15 - [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] + - dtucker@cvs.openbsd.org 2013/06/07 15:37:52 + [channels.c channels.h clientloop.c] + Add an "ABANDONED" channel state and use for mux sessions that are + disconnected via the ~. escape sequence. Channels in this state will + be able to close if the server responds, but do not count as active channels. + This means that if you ~. all of the mux clients when using ControlPersist + on a broken network, the backgrounded mux master will exit when the + Control Persist time expires rather than hanging around indefinitely. + bz#1917, also reported and tested by tedu@. ok djm@ markus@. + - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported + algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. + - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have + the required OpenSSL support. Patch from naddy at freebsd. + - (dtucker) [myproposal.h] Make the conditional algorithm support consistent + and add some comments so it's clear what goes where. + +20130605 + - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of + the necessary functions, not from the openssl version. + - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test. + Patch from cjwatson at debian. + - (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the + forwarding test is extremely slow copying data on some machines so switch + back to copying the much smaller ls binary until we can figure out why + this is. + - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building + modpipe in case there's anything in there we need. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/02 21:01:51 + [channels.h] + typo in comment + - dtucker@cvs.openbsd.org 2013/06/02 23:36:29 + [clientloop.h clientloop.c mux.c] + No need for the mux cleanup callback to be visible so restore it to static + and call it through the detach_user function pointer. ok djm@ + - dtucker@cvs.openbsd.org 2013/06/03 00:03:18 + [mac.c] + force the MAC output to be 64-bit aligned so umac won't see unaligned + accesses on strict-alignment architectures. bz#2101, patch from + tomas.kuthan at oracle.com, ok djm@ + - dtucker@cvs.openbsd.org 2013/06/04 19:12:23 + [scp.c] + use MAXPATHLEN for buffer size instead of fixed value. ok markus + - dtucker@cvs.openbsd.org 2013/06/04 20:42:36 + [sftp.c] + Make sftp's libedit interface marginally multibyte aware by building up + the quoted string by character instead of by byte. Prevents failures + when linked against a libedit built with wide character support (bz#1990). + "looks ok" djm + - dtucker@cvs.openbsd.org 2013/06/05 02:07:29 + [mux.c] + fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967, + ok djm + - dtucker@cvs.openbsd.org 2013/06/05 02:27:50 + [sshd.c] + When running sshd -D, close stderr unless we have explicitly requesting + logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch + so, err, ok dtucker. + - dtucker@cvs.openbsd.org 2013/06/05 12:52:38 + [sshconnect2.c] + Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm + - dtucker@cvs.openbsd.org 2013/06/05 22:00:28 + [readconf.c] + plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm + - (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for + platforms that don't have multibyte character support (specifically, + mblen). + +20130602 + - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy + linking regress/modpipe. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/02 13:33:05 + [progressmeter.c] + Add misc.h for monotime prototype. (ID sync only). + - dtucker@cvs.openbsd.org 2013/06/02 13:35:58 + [ssh-agent.c] + Make parent_alive_interval time_t to avoid signed/unsigned comparison + - (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms + to prevent noise from configure. Patch from Nathan Osman. (bz#2114). + - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android. + Patch from Nathan Osman. + - (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we + need a shell that can handle "[ file1 -nt file2 ]". Rather than keep + dealing with shell portability issues in regression tests, we let + configure find us a capable shell on those platforms with an old /bin/sh. + - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr. + feedback and ok dtucker + - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker + - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h. + - (dtucker) [configure.ac] Some other platforms need sys/types.h before + sys/socket.h. + +20130601 + - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to + using openssl's DES_crypt function on platorms that don't have a native + one, eg Android. Based on a patch from Nathan Osman. + - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS + rather than trying to enumerate the plaforms that don't have them. + Based on a patch from Nathan Osman, with help from tim@. + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/05/17 00:13:13 + [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c + ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c + gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c + auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c + servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c + auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c + sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c + kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c + kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c + monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c + ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c + sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c + ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c + dns.c packet.c readpass.c authfd.c moduli.c] + bye, bye xfree(); ok markus@ + - djm@cvs.openbsd.org 2013/05/19 02:38:28 + [auth2-pubkey.c] + fix failure to recognise cert-authority keys if a key of a different type + appeared in authorized_keys before it; ok markus@ + - djm@cvs.openbsd.org 2013/05/19 02:42:42 + [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h] + Standardise logging of supplemental information during userauth. Keys + and ruser is now logged in the auth success/failure message alongside + the local username, remote host/port and protocol in use. Certificates + contents and CA are logged too. + Pushing all logging onto a single line simplifies log analysis as it is + no longer necessary to relate information scattered across multiple log + entries. "I like it" markus@ + - dtucker@cvs.openbsd.org 2013/05/31 12:28:10 + [ssh-agent.c] + Use time_t where appropriate. ok djm + - dtucker@cvs.openbsd.org 2013/06/01 13:15:52 + [ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c + channels.c sandbox-systrace.c] + Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like + keepalives and rekeying will work properly over clock steps. Suggested by + markus@, "looks good" djm@. + - dtucker@cvs.openbsd.org 2013/06/01 20:59:25 + [scp.c sftp-client.c] + Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch + from Nathan Osman via bz#2085. ok deraadt. + - dtucker@cvs.openbsd.org 2013/06/01 22:34:50 + [sftp-client.c] + Update progressmeter when data is acked, not when it's sent. bz#2108, from + Debian via Colin Watson, ok djm@ + - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c + groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c + sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c + openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c + openbsd-compat/port-linux.c] Replace portable-specific instances of xfree + with the equivalent calls to free. + - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall + back to time(NULL) if we can't find it anywhere. + - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday. + +20130529 + - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null + implementation of endgrent for platforms that don't have it (eg Android). + Loosely based on a patch from Nathan Osman, ok djm + + 20130517 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/03/07 00:20:34 + [regress/proxy-connect.sh] + repeat test with a style appended to the username + - dtucker@cvs.openbsd.org 2013/03/23 11:09:43 + [regress/test-exec.sh] + Only regenerate host keys if they don't exist or if ssh-keygen has changed + since they were. Reduces test runtime by 5-30% depending on machine + speed. + - dtucker@cvs.openbsd.org 2013/04/06 06:00:22 + [regress/rekey.sh regress/test-exec.sh regress/integrity.sh + regress/multiplex.sh Makefile regress/cfgmatch.sh] + Split the regress log into 3 parts: the debug output from ssh, the debug + log from sshd and the output from the client command (ssh, scp or sftp). + Somewhat functional now, will become more useful when ssh/sshd -E is added. + - dtucker@cvs.openbsd.org 2013/04/07 02:16:03 + [regress/Makefile regress/rekey.sh regress/integrity.sh + regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh] + use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and + save the output from any failing tests. If a test fails the debug output + from ssh and sshd for the failing tests (and only the failing tests) should + be available in failed-ssh{,d}.log. + - djm@cvs.openbsd.org 2013/04/18 02:46:12 + [regress/Makefile regress/sftp-chroot.sh] + test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@ + - dtucker@cvs.openbsd.org 2013/04/22 07:23:08 + [regress/multiplex.sh] + Write mux master logs to regress.log instead of ssh.log to keep separate + - djm@cvs.openbsd.org 2013/05/10 03:46:14 + [regress/modpipe.c] + sync some portability changes from portable OpenSSH (id sync only) + - dtucker@cvs.openbsd.org 2013/05/16 02:10:35 + [regress/rekey.sh] + Add test for time-based rekeying + - dtucker@cvs.openbsd.org 2013/05/16 03:33:30 + [regress/rekey.sh] + test rekeying when there's no data being transferred + - dtucker@cvs.openbsd.org 2013/05/16 04:26:10 + [regress/rekey.sh] + add server-side rekey test + - dtucker@cvs.openbsd.org 2013/05/16 05:48:31 + [regress/rekey.sh] + add tests for RekeyLimit parsing + - dtucker@cvs.openbsd.org 2013/05/17 00:37:40 + [regress/agent.sh regress/keytype.sh regress/cfgmatch.sh + regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh + regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh + regress/ssh-com.sh] + replace 'echo -n' with 'printf' since it's more portable + also remove "echon" hack. + - dtucker@cvs.openbsd.org 2013/05/17 01:16:09 + [regress/agent-timeout.sh] + Pull back some portability changes from -portable: + - TIMEOUT is a read-only variable in some shells + - not all greps have -q so redirect to /dev/null instead. + (ID sync only) + - dtucker@cvs.openbsd.org 2013/05/17 01:32:11 + [regress/integrity.sh] + don't print output from ssh before getting it (it's available in ssh.log) + - dtucker@cvs.openbsd.org 2013/05/17 04:29:14 + [regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh + regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh + regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh + regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh + regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh + regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh + regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh + regress/multiplex.sh] + Move the setting of DATA and COPY into test-exec.sh + - dtucker@cvs.openbsd.org 2013/05/17 10:16:26 + [regress/try-ciphers.sh] + use expr for math to keep diffs vs portable down + (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:23:52 + [regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh] + Use SUDO when cat'ing pid files and running the sshd log wrapper so that + it works with a restrictive umask and the pid files are not world readable. + Changes from -portable. (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:24:48 + [regress/localcommand.sh] + use backticks for portability. (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:26:26 + [regress/sftp-badcmds.sh] + remove unused BATCH variable. (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:28:11 + [regress/sftp.sh] + only compare copied data if sftp succeeds. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:30:07 + [regress/test-exec.sh] + wait a bit longer for startup and use case for absolute path. + from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:33:09 + [regress/agent-getpeereid.sh] + don't redirect stdout from sudo. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:34:30 + [regress/portnum.sh] + use a more portable negated if structure. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:35:43 + [regress/scp.sh] + use a file extention that's not special on some platforms. from portable + (id sync only) + - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it + in portable and it's long gone in openbsd. + - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange + methods. When the openssl version doesn't support ECDH then next one on + the list is DH group exchange, but that causes a bit more traffic which can + mean that the tests flip bits in the initial exchange rather than the MACed + traffic and we get different errors to what the tests look for. + - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits. + - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd. + - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd. + - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh] + Move the jot helper function to portable-specific part of test-exec.sh. + - (dtucker) [regress/test-exec.sh] Move the portable-specific functions + together and add a couple of missing lines from openbsd. + - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5 + helper function to the portable part of test-exec.sh. + - (dtucker) [regress/runtests.sh] Remove obsolete test driver script. + - (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep renderd obsolete by + rev 1.6 which calls wait. + +20130516 + - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be + executed if mktemp failed; bz#2105 ok dtucker@ + - (dtucker) OpenBSD CVS Sync + - tedu@cvs.openbsd.org 2013/04/23 17:49:45 + [misc.c] + use xasprintf instead of a series of strlcats and strdup. ok djm + - tedu@cvs.openbsd.org 2013/04/24 16:01:46 + [misc.c] + remove extra parens noticed by nicm + - dtucker@cvs.openbsd.org 2013/05/06 07:35:12 + [sftp-server.8] + Reference the version of the sftp draft we actually implement. ok djm@ + - djm@cvs.openbsd.org 2013/05/10 03:40:07 + [sshconnect2.c] + fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from + Colin Watson + - djm@cvs.openbsd.org 2013/05/10 04:08:01 + [key.c] + memleak in cert_free(), wasn't actually freeing the struct; + bz#2096 from shm AT digitalsun.pl + - dtucker@cvs.openbsd.org 2013/05/10 10:13:50 + [ssh-pkcs11-helper.c] + remove unused extern optarg. ok markus@ + - dtucker@cvs.openbsd.org 2013/05/16 02:00:34 + [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c + ssh_config.5 packet.h] + Add an optional second argument to RekeyLimit in the client to allow + rekeying based on elapsed time in addition to amount of traffic. + with djm@ jmc@, ok djm + - dtucker@cvs.openbsd.org 2013/05/16 04:09:14 + [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config + sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing + rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man + page. + - djm@cvs.openbsd.org 2013/05/16 04:27:50 + [ssh_config.5 readconf.h readconf.c] + add the ability to ignore specific unrecognised ssh_config options; + bz#866; ok markus@ + - jmc@cvs.openbsd.org 2013/05/16 06:28:45 + [ssh_config.5] + put IgnoreUnknown in the right place; + - jmc@cvs.openbsd.org 2013/05/16 06:30:06 [sshd_config.5] - Support multiple required authentication via an AuthenticationMethods - option. This option lists one or more comma-separated lists of - authentication method names. Successful completion of all the methods in - any list is required for authentication to complete; - feedback and ok markus@ + oops! avoid Xr to self; + - dtucker@cvs.openbsd.org 2013/05/16 09:08:41 + [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c] + Fix some "unused result" warnings found via clang and -portable. + ok markus@ + - dtucker@cvs.openbsd.org 2013/05/16 09:12:31 + [readconf.c servconf.c] + switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@ + - dtucker@cvs.openbsd.org 2013/05/16 10:43:34 + [servconf.c readconf.c] + remove now-unused variables + - dtucker@cvs.openbsd.org 2013/05/16 10:44:06 + [servconf.c] + remove another now-unused variable + - (dtucker) [configure.ac readconf.c servconf.c + openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled. -20121030 +20130510 + - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler + supports it. Mentioned by Colin Watson in bz#2100, ok djm. + - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to + getopt.c. Preprocessed source is identical other than line numbers. + - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No + portability changes yet. + - (dtucker) [openbsd-compat/Makefile.in openbsd-compat/getopt.c + openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add + portability code to getopt_long.c and switch over Makefile and the ugly + hack in modpipe.c. Fixes bz#1448. + - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c + openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb + in to use it when we're using our own getopt. + - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the + underlying libraries support them. + - (dtucker) [configure.ac] Add -Werror to the -Qunused-arguments test so + we don't get a warning on compilers that *don't* support it. Add + -Wno-unknown-warning-option. Move both to the start of the list for + maximum noise suppression. Tested with gcc 4.6.3, gcc 2.95.4 and clang 2.9. + +20130423 + - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support + platforms, such as Android, that lack struct passwd.pw_gecos. Report + and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@ - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2012/10/05 12:34:39 + - markus@cvs.openbsd.org 2013/03/05 20:16:09 + [sshconnect2.c] + reset pubkey order on partial success; ok djm@ + - djm@cvs.openbsd.org 2013/03/06 23:35:23 + [session.c] + fatal() when ChrootDirectory specified by running without root privileges; + ok markus@ + - djm@cvs.openbsd.org 2013/03/06 23:36:53 + [readconf.c] + g/c unused variable (-Wunused) + - djm@cvs.openbsd.org 2013/03/07 00:19:59 + [auth2-pubkey.c monitor.c] + reconstruct the original username that was sent by the client, which may + have included a style (e.g. "root:skey") when checking public key + signatures. Fixes public key and hostbased auth when the client specified + a style; ok markus@ + - markus@cvs.openbsd.org 2013/03/07 19:27:25 + [auth.h auth2-chall.c auth2.c monitor.c sshd_config.5] + add submethod support to AuthenticationMethods; ok and freedback djm@ + - djm@cvs.openbsd.org 2013/03/08 06:32:58 + [ssh.c] + allow "ssh -f none ..." ok markus@ + - djm@cvs.openbsd.org 2013/04/05 00:14:00 + [auth2-gss.c krl.c sshconnect2.c] + hush some {unused, printf type} warnings + - djm@cvs.openbsd.org 2013/04/05 00:31:49 + [pathnames.h] + use the existing _PATH_SSH_USER_RC define to construct the other + pathnames; bz#2077, ok dtucker@ (no binary change) + - djm@cvs.openbsd.org 2013/04/05 00:58:51 + [mux.c] + cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too + (in addition to ones already in OPEN); bz#2079, ok dtucker@ + - markus@cvs.openbsd.org 2013/04/06 16:07:00 + [channels.c sshd.c] + handle ECONNABORTED for accept(); ok deraadt some time ago... + - dtucker@cvs.openbsd.org 2013/04/07 02:10:33 + [log.c log.h ssh.1 ssh.c sshd.8 sshd.c] + Add -E option to ssh and sshd to append debugging logs to a specified file + instead of stderr or syslog. ok markus@, man page help jmc@ + - dtucker@cvs.openbsd.org 2013/04/07 09:40:27 + [sshd.8] + clarify -e text. suggested by & ok jmc@ + - djm@cvs.openbsd.org 2013/04/11 02:27:50 + [packet.c] + quiet disconnect notifications on the server from error() back to logit() + if it is a normal client closure; bz#2057 ok+feedback dtucker@ + - dtucker@cvs.openbsd.org 2013/04/17 09:04:09 + [session.c] + revert rev 1.262; it fails because uid is already set here. ok djm@ + - djm@cvs.openbsd.org 2013/04/18 02:16:07 [sftp.c] - fix signed vs unsigned warning; feedback & ok: djm@ - - djm@cvs.openbsd.org 2012/10/30 21:29:55 - [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] - [sshd.c sshd_config sshd_config.5] - new sshd_config option AuthorizedKeysCommand to support fetching - authorized_keys from a command in addition to (or instead of) from - the filesystem. The command is run as the target server user unless - another specified via a new AuthorizedKeysCommandUser option. - - patch originally by jchadima AT redhat.com, reworked by me; feedback - and ok markus@ + make "sftp -q" do what it says on the sticker: hush everything but errors; + ok dtucker@ + - djm@cvs.openbsd.org 2013/04/19 01:00:10 + [sshd_config.5] + document the requirment that the AuthorizedKeysCommand be owned by root; + ok dtucker@ markus@ + - djm@cvs.openbsd.org 2013/04/19 01:01:00 + [ssh-keygen.c] + fix some memory leaks; bz#2088 ok dtucker@ + - djm@cvs.openbsd.org 2013/04/19 01:03:01 + [session.c] + reintroduce 1.262 without the connection-killing bug: + fatal() when ChrootDirectory specified by running without root privileges; + ok markus@ + - djm@cvs.openbsd.org 2013/04/19 01:06:50 + [authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c] + [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c] + add the ability to query supported ciphers, MACs, key type and KEX + algorithms to ssh. Includes some refactoring of KEX and key type handling + to be table-driven; ok markus@ + - djm@cvs.openbsd.org 2013/04/19 11:10:18 + [ssh.c] + add -Q to usage; reminded by jmc@ + - djm@cvs.openbsd.org 2013/04/19 12:07:08 + [kex.c] + remove duplicated list entry pointed out by naddy@ + - dtucker@cvs.openbsd.org 2013/04/22 01:17:18 + [mux.c] + typo in debug output: evitval->exitval -20121019 - - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in - the generated file as intended. +20130418 + - (djm) [config.guess config.sub] Update to last versions before they switch + to GPL3. ok dtucker@ + - (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from + unused argument warnings (in particular, -fno-builtin-memset) from clang. -20121005 +20130404 - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2012/09/17 09:54:44 - [sftp.c] - an XXX for later - - markus@cvs.openbsd.org 2012/09/17 13:04:11 - [packet.c] - clear old keys on rekeing; ok djm - - dtucker@cvs.openbsd.org 2012/09/18 10:36:12 - [sftp.c] - Add bounds check on sftp tab-completion. Part of a patch from from - Jean-Marc Robert via tech@, ok djm - - dtucker@cvs.openbsd.org 2012/09/21 10:53:07 - [sftp.c] - Fix improper handling of absolute paths when PWD is part of the completed - path. Patch from Jean-Marc Robert via tech@, ok djm. - - dtucker@cvs.openbsd.org 2012/09/21 10:55:04 - [sftp.c] - Fix handling of filenames containing escaped globbing characters and - escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm. - - jmc@cvs.openbsd.org 2012/09/26 16:12:13 - [ssh.1] - last stage of rfc changes, using consistent Rs/Re blocks, and moving the - references into a STANDARDS section; - - naddy@cvs.openbsd.org 2012/10/01 13:59:51 - [monitor_wrap.c] - pasto; ok djm@ - - djm@cvs.openbsd.org 2012/10/02 07:07:45 - [ssh-keygen.c] - fix -z option, broken in revision 1.215 - - markus@cvs.openbsd.org 2012/10/04 13:21:50 - [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] - add umac128 variant; ok djm@ at n2k12 - - dtucker@cvs.openbsd.org 2012/09/06 04:11:07 - [regress/try-ciphers.sh] - Restore missing space. (Id sync only). - - dtucker@cvs.openbsd.org 2012/09/09 11:51:25 - [regress/multiplex.sh] - Add test for ssh -Ostop - - dtucker@cvs.openbsd.org 2012/09/10 00:49:21 - [regress/multiplex.sh] - Log -O cmd output to the log file and make logging consistent with the - other tests. Test clean shutdown of an existing channel when testing - "stop". - - dtucker@cvs.openbsd.org 2012/09/10 01:51:19 - [regress/multiplex.sh] - use -Ocheck and waiting for completions by PID to make multiplexing test - less racy and (hopefully) more reliable on slow hardware. - - [Makefile umac.c] Add special-case target to build umac128.o. - - [umac.c] Enforce allowed umac output sizes. From djm@. - - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom". - -20120917 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2012/09/13 23:37:36 - [servconf.c] - Fix comment line length - - markus@cvs.openbsd.org 2012/09/14 16:51:34 + - dtucker@cvs.openbsd.org 2013/02/17 23:16:57 + [readconf.c ssh.c readconf.h sshconnect2.c] + Keep track of which IndentityFile options were manually supplied and which + were default options, and don't warn if the latter are missing. + ok markus@ + - dtucker@cvs.openbsd.org 2013/02/19 02:12:47 + [krl.c] + Remove bogus include. ok djm + - dtucker@cvs.openbsd.org 2013/02/22 04:45:09 + [ssh.c readconf.c readconf.h] + Don't complain if IdentityFiles specified in system-wide configs are + missing. ok djm, deraadt. + - markus@cvs.openbsd.org 2013/02/22 19:13:56 [sshconnect.c] - remove unused variable - -20120907 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2012/09/06 09:50:13 - [clientloop.c] - Make the escape command help (~?) context sensitive so that only commands - that will work in the current session are shown. ok markus@ - - jmc@cvs.openbsd.org 2012/09/06 13:57:42 - [ssh.1] - missing letter in previous; - - dtucker@cvs.openbsd.org 2012/09/07 00:30:19 - [clientloop.c] - Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@ - - dtucker@cvs.openbsd.org 2012/09/07 01:10:21 - [clientloop.c] - Merge escape help text for ~v and ~V; ok djm@ - - dtucker@cvs.openbsd.org 2012/09/07 06:34:21 - [clientloop.c] - when muxmaster is run with -N, make it shut down gracefully when a client - sends it "-O stop" rather than hanging around (bz#1985). ok djm@ + support ProxyCommand=- (stdin/out already point to the proxy); ok djm@ + - djm@cvs.openbsd.org 2013/02/22 22:09:01 + [ssh.c] + Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier + version) -20120906 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2012/08/15 18:25:50 - [ssh-keygen.1] - a little more info on certificate validity; - requested by Ross L Richardson, and provided by djm - - dtucker@cvs.openbsd.org 2012/08/17 00:45:45 - [clientloop.c clientloop.h mux.c] - Force a clean shutdown of ControlMaster client sessions when the ~. escape - sequence is used. This means that ~. should now work in mux clients even - if the server is no longer responding. Found by tedu, ok djm. - - djm@cvs.openbsd.org 2012/08/17 01:22:56 - [kex.c] - add some comments about better handling first-KEX-follows notifications - from the server. Nothing uses these right now. No binary change - - djm@cvs.openbsd.org 2012/08/17 01:25:58 - [ssh-keygen.c] - print details of which host lines were deleted when using - "ssh-keygen -R host"; ok markus@ - - djm@cvs.openbsd.org 2012/08/17 01:30:00 - [compat.c sshconnect.c] - Send client banner immediately, rather than waiting for the server to - move first for SSH protocol 2 connections (the default). Patch based on - one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@ - - dtucker@cvs.openbsd.org 2012/09/06 04:37:39 - [clientloop.c log.c ssh.1 log.h] - Add ~v and ~V escape sequences to raise and lower the logging level - respectively. Man page help from jmc, ok deraadt jmc +20130401 + - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h + to avoid conflicting definitions of __int64, adding the required bits. + Patch from Corinna Vinschen. -20120830 - - (dtucker) [moduli] Import new moduli file. +20130323 + - (tim) [Makefile.in] remove some duplication introduced in 20130220 commit. -20120828 - - (djm) Release openssh-6.1 +20130322 + - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil + Hands' greatly revised version. + - (djm) Release 6.2p1 + - (dtucker) [configure.ac] Add stdlib.h to zlib check for exit() prototype. + - (dtucker) [includes.h] Check if _GNU_SOURCE is already defined before + defining it again. Prevents warnings if someone, eg, sets it in CFLAGS. -20120828 - - (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN - for compatibility with future mingw-w64 headers. Patch from vinschen at - redhat com. +20130318 + - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] + [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's + so mark it as broken. Patch from des AT des.no -20120822 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update version numbers +20130317 + - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none + of the bits the configure test looks for. -20120731 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2012/07/06 06:38:03 - [ssh-keygen.c] - missing full stop in usage(); - - djm@cvs.openbsd.org 2012/07/10 02:19:15 - [servconf.c servconf.h sshd.c sshd_config] - Turn on systrace sandboxing of pre-auth sshd by default for new installs - by shipping a config that overrides the current UsePrivilegeSeparation=yes - default. Make it easier to flip the default in the future by adding too. - prodded markus@ feedback dtucker@ "get it in" deraadt@ - - dtucker@cvs.openbsd.org 2012/07/13 01:35:21 - [servconf.c] - handle long comments in config files better. bz#2025, ok markus - - markus@cvs.openbsd.org 2012/07/22 18:19:21 - [version.h] - openssh 6.1 +20130316 + - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform + is unable to successfully compile them. Based on patch from des AT + des.no + - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] + Add a usleep replacement for platforms that lack it; ok dtucker + - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to + occur after UID switch; patch from John Marshall via des AT des.no; + ok dtucker@ -20120720 - - (dtucker) Import regened moduli file. +20130312 + - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] + Improve portability of cipher-speed test, based mostly on a patch from + Iain Morgan. + - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin") + in addition to root as an owner of system directories on AIX and HP-UX. + ok djm@ -20120706 - - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is - not available. Allows use of sshd compiled on host with a filter-capable - kernel on hosts that lack the support. bz#2011 ok dtucker@ - - (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no - unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT - esperi.org.uk; ok dtucker@ -- (djm) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2012/07/06 00:41:59 - [moduli.c ssh-keygen.1 ssh-keygen.c] - Add options to specify starting line number and number of lines to process - when screening moduli candidates. This allows processing of different - parts of a candidate moduli file in parallel. man page help jmc@, ok djm@ - - djm@cvs.openbsd.org 2012/07/06 01:37:21 - [mux.c] - fix memory leak of passed-in environment variables and connection - context when new session message is malformed; bz#2003 from Bert.Wesarg - AT googlemail.com - - djm@cvs.openbsd.org 2012/07/06 01:47:38 - [ssh.c] - move setting of tty_flag to after config parsing so RequestTTY options - are correctly picked up. bz#1995 patch from przemoc AT gmail.com; - ok dtucker@ +20130307 + - (dtucker) [INSTALL] Bump documented autoconf version to what we're + currently using. + - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it + was removed in configure.ac rev 1.481 as it was redundant. + - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days + ago. + - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a + chance to complete on broken systems; ok dtucker@ -20120704 - - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for - platforms that don't have it. "looks good" tim@ +20130306 + - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding + connection to start so that the test works on slower machines. + - (dtucker) [configure.ac] test that we can set number of file descriptors + to zero with setrlimit before enabling the rlimit sandbox. This affects + (at least) HPUX 11.11. -20120703 - - (dtucker) [configure.ac] Detect platforms that can't use select(2) with - setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those. - - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not - setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its - benefit is minor, so it's not worth disabling the sandbox if it doesn't - work. +20130305 + - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for + HP/UX. Spotted by Kevin Brott + - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by + Amit Kulkarni and Kevin Brott. + - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure + build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin + Brott. + - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov. -20120702 -- (dtucker) OpenBSD CVS Sync - - naddy@cvs.openbsd.org 2012/06/29 13:57:25 - [ssh_config.5 sshd_config.5] - match the documented MAC order of preference to the actual one; - ok dtucker@ - - markus@cvs.openbsd.org 2012/06/30 14:35:09 - [sandbox-systrace.c sshd.c] - fix a during the load of the sandbox policies (child can still make - the read-syscall and wait forever for systrace-answers) by replacing - the read/write synchronisation with SIGSTOP/SIGCONT; - report and help hshoexer@; ok djm@, dtucker@ - - dtucker@cvs.openbsd.org 2012/07/02 08:50:03 - [ssh.c] - set interactive ToS for forwarded X11 sessions. ok djm@ - - dtucker@cvs.openbsd.org 2012/07/02 12:13:26 - [ssh-pkcs11-helper.c sftp-client.c] - fix a couple of "assigned but not used" warnings. ok markus@ - - dtucker@cvs.openbsd.org 2012/07/02 14:37:06 - [regress/connect-privsep.sh] - remove exit from end of test since it prevents reporting failure - - (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh] - Move cygwin detection to test-exec and use to skip reexec test on cygwin. - - (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k. +20130227 + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Crank version numbers + - (tim) [regress/forward-control.sh] use sh in case login shell is csh. + - (tim) [regress/integrity.sh] shell portability fix. + - (tim) [regress/integrity.sh] keep old solaris awk from hanging. + - (tim) [regress/krl.sh] keep old solaris awk from hanging. -20120629 +20130226 - OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2012/06/21 00:16:07 - [addrmatch.c] - fix strlcpy truncation check. from carsten at debian org, ok markus - - dtucker@cvs.openbsd.org 2012/06/22 12:30:26 - [monitor.c sshconnect2.c] - remove dead code following 'for (;;)' loops. - From Steve.McClellan at radisys com, ok markus@ - - dtucker@cvs.openbsd.org 2012/06/22 14:36:33 - [sftp.c] - Remove unused variable leftover from tab-completion changes. - From Steve.McClellan at radisys com, ok markus@ - - dtucker@cvs.openbsd.org 2012/06/26 11:02:30 - [sandbox-systrace.c] - Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation - sandbox" since malloc now uses it. From johnw.mail at gmail com. - - dtucker@cvs.openbsd.org 2012/06/28 05:07:45 - [mac.c myproposal.h ssh_config.5 sshd_config.5] - Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed - from draft6 of the spec and will not be in the RFC when published. Patch - from mdb at juniper net via bz#2023, ok markus. - - naddy@cvs.openbsd.org 2012/06/29 13:57:25 - [ssh_config.5 sshd_config.5] - match the documented MAC order of preference to the actual one; ok dtucker@ - - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 - [regress/addrmatch.sh] - Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests - to match. Feedback and ok djm@ markus@. - - djm@cvs.openbsd.org 2012/06/01 00:47:35 - [regress/multiplex.sh regress/forwarding.sh] - append to rather than truncate test log; bz#2013 from openssh AT - roumenpetrov.info - - djm@cvs.openbsd.org 2012/06/01 00:52:52 - [regress/sftp-cmds.sh] - don't delete .* on cleanup due to unintended env expansion; pointed out in - bz#2014 by openssh AT roumenpetrov.info - - dtucker@cvs.openbsd.org 2012/06/26 12:06:59 - [regress/connect-privsep.sh] - test sandbox with every malloc option - - dtucker@cvs.openbsd.org 2012/06/28 05:07:45 - [regress/try-ciphers.sh regress/cipher-speed.sh] - Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed - from draft6 of the spec and will not be in the RFC when published. Patch - from mdb at juniper net via bz#2023, ok markus. - - (dtucker) [myproposal.h] Remove trailing backslash to fix compile error. - - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have - the required functions in libcrypto. + - djm@cvs.openbsd.org 2013/02/20 08:27:50 + [integrity.sh] + Add an option to modpipe that warns if the modification offset it not + reached in it's stream and turn it on for t-integrity. This should catch + cases where the session is not fuzzed for being too short (cf. my last + "oops" commit) + - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage + for UsePAM=yes configuration -20120628 - - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null - pointer deref in the client when built with LDNS and using DNSSEC with a - CNAME. Patch from gregdlg+mr at hochet info. +20130225 + - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed + to use Solaris native GSS libs. Patch from Pierre Ossman. -20120622 - - (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as - can logon as a service. Patch from vinschen at redhat com. +20130223 + - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer + bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu. + ok tim -20120620 +20130222 + - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to + ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. + - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named + libgss too. Patch from Pierre Ossman, ok djm. + - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux + seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com; + ok dtucker + +20130221 + - (tim) [regress/forward-control.sh] shell portability fix. + +20130220 + - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix. + - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded + err.h include from krl.c. Additional portability fixes for modpipe. OK djm + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/20 08:27:50 + [regress/integrity.sh regress/modpipe.c] + Add an option to modpipe that warns if the modification offset it not + reached in it's stream and turn it on for t-integrity. This should catch + cases where the session is not fuzzed for being too short (cf. my last + "oops" commit) + - djm@cvs.openbsd.org 2013/02/20 08:29:27 + [regress/modpipe.c] + s/Id/OpenBSD/ in RCS tag + +20130219 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/18 22:26:47 + [integrity.sh] + crank the offset yet again; it was still fuzzing KEX one of Darren's + portable test hosts at 2800 + - djm@cvs.openbsd.org 2013/02/19 02:14:09 + [integrity.sh] + oops, forgot to increase the output of the ssh command to ensure that + we actually reach $offset + - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that + lack support for SHA2. + - (djm) [regress/modpipe.c] Add local err, and errx functions for platforms + that do not have them. + +20130217 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/17 23:16:55 + [integrity.sh] + make the ssh command generates some output to ensure that there are at + least offset+tries bytes in the stream. + +20130216 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/16 06:08:45 + [integrity.sh] + make sure the fuzz offset is actually past the end of KEX for all KEX + types. diffie-hellman-group-exchange-sha256 requires an offset around + 2700. Noticed via test failures in portable OpenSSH on platforms that + lack ECC and this the more byte-frugal ECDH KEX algorithms. + +20130215 + - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from + Iain Morgan + - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] + Use getpgrp() if we don't have getpgid() (old BSDs, maybe others). + - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c + openbsd-compat/openbsd-compat.h] Add strtoull to compat library for + platforms that don't have it. + - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul, + group strto* function prototypes together. + - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes + an argument. Pointed out by djm. - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/12/02 00:41:56 - [mux.c] - fix bz#1948: ssh -f doesn't fork for multiplexed connection. - ok dtucker@ - - djm@cvs.openbsd.org 2011/12/04 23:16:12 - [mux.c] - revert: - > revision 1.32 - > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1 - > fix bz#1948: ssh -f doesn't fork for multiplexed connection. - > ok dtucker@ - it interacts badly with ControlPersist - - djm@cvs.openbsd.org 2012/01/07 21:11:36 - [mux.c] - fix double-free in new session handler - NB. Id sync only - - djm@cvs.openbsd.org 2012/05/23 03:28:28 - [dns.c dns.h key.c key.h ssh-keygen.c] - add support for RFC6594 SSHFP DNS records for ECDSA key types. - patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ - (Original authors Ondřej Surý, Ondřej Caletka and Daniel Black) - - djm@cvs.openbsd.org 2012/06/01 00:49:35 - [PROTOCOL.mux] - correct types of port numbers (integers, not strings); bz#2004 from - bert.wesarg AT googlemail.com - - djm@cvs.openbsd.org 2012/06/01 01:01:22 - [mux.c] - fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg - AT googlemail.com - - dtucker@cvs.openbsd.org 2012/06/18 11:43:53 - [jpake.c] - correct sizeof usage. patch from saw at online.de, ok deraadt - - dtucker@cvs.openbsd.org 2012/06/18 11:49:58 - [ssh_config.5] - RSA instead of DSA twice. From Steve.McClellan at radisys com - - dtucker@cvs.openbsd.org 2012/06/18 12:07:07 - [ssh.1 sshd.8] - Remove mention of 'three' key files since there are now four. From - Steve.McClellan at radisys com. - - dtucker@cvs.openbsd.org 2012/06/18 12:17:18 - [ssh.1] - Clarify description of -W. Noted by Steve.McClellan at radisys com, - ok jmc - - markus@cvs.openbsd.org 2012/06/19 18:25:28 - [servconf.c servconf.h sshd_config.5] - sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} - this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' - ok djm@ (back in March) - - jmc@cvs.openbsd.org 2012/06/19 21:35:54 - [sshd_config.5] - tweak previous; ok markus - - djm@cvs.openbsd.org 2012/06/20 04:42:58 - [clientloop.c serverloop.c] - initialise accept() backoff timer to avoid EINVAL from select(2) in - rekeying + - djm@cvs.openbsd.org 2013/02/14 21:35:59 + [auth2-pubkey.c] + Correct error message that had a typo and was logging the wrong thing; + patch from Petr Lautrbach + - dtucker@cvs.openbsd.org 2013/02/15 00:21:01 + [sshconnect2.c] + Warn more loudly if an IdentityFile provided by the user cannot be read. + bz #1981, ok djm@ -20120519 - - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch - from cjwatson at debian org. - - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find - pkg-config so it does the right thing when cross-compiling. Patch from - cjwatson at debian org. -- (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 - [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5] - Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests - to match. Feedback and ok djm@ markus@. - - dtucker@cvs.openbsd.org 2012/05/19 06:30:30 - [sshd_config.5] - Document PermitOpen none. bz#2001, patch from Loganaden Velvindron +20130214 + - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. + - (djm) [regress/krl.sh] typo; found by Iain Morgan + - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead + of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by + Iain Morgan -20120504 - - (dtucker) [configure.ac] Include rather than - to fix building on some plaforms. Fom bowman at math utah edu and - des at des no. +20130212 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/01/24 21:45:37 + [krl.c] + fix handling of (unused) KRL signatures; skip string in correct buffer + - djm@cvs.openbsd.org 2013/01/24 22:08:56 + [krl.c] + skip serial lookup when cert's serial number is zero + - krw@cvs.openbsd.org 2013/01/25 05:00:27 + [krl.c] + Revert last. Breaks due to likely typo. Let djm@ fix later. + ok djm@ via dlg@ + - djm@cvs.openbsd.org 2013/01/25 10:22:19 + [krl.c] + redo last commit without the vi-vomit that snuck in: + skip serial lookup when cert's serial number is zero + (now with 100% better comment) + - djm@cvs.openbsd.org 2013/01/26 06:11:05 + [Makefile.in acss.c acss.h cipher-acss.c cipher.c] + [openbsd-compat/openssl-compat.h] + remove ACSS, now that it is gone from libcrypto too + - djm@cvs.openbsd.org 2013/01/27 10:06:12 + [krl.c] + actually use the xrealloc() return value; spotted by xi.wang AT gmail.com + - dtucker@cvs.openbsd.org 2013/02/06 00:20:42 + [servconf.c sshd_config sshd_config.5] + Change default of MaxStartups to 10:30:100 to start doing random early + drop at 10 connections up to 100 connections. This will make it harder + to DoS as CPUs have come a long way since the original value was set + back in 2000. Prompted by nion at debian org, ok markus@ + - dtucker@cvs.openbsd.org 2013/02/06 00:22:21 + [auth.c] + Fix comment, from jfree.e1 at gmail + - djm@cvs.openbsd.org 2013/02/08 00:41:12 + [sftp.c] + fix NULL deref when built without libedit and control characters + entered as command; debugging and patch from Iain Morgan an + Loganaden Velvindron in bz#1956 + - markus@cvs.openbsd.org 2013/02/10 21:19:34 + [version.h] + openssh 6.2 + - djm@cvs.openbsd.org 2013/02/10 23:32:10 + [ssh-keygen.c] + append to moduli file when screening candidates rather than overwriting. + allows resumption of interrupted screen; patch from Christophe Garault + in bz#1957; ok dtucker@ + - djm@cvs.openbsd.org 2013/02/10 23:35:24 + [packet.c] + record "Received disconnect" messages at ERROR rather than INFO priority, + since they are abnormal and result in a non-zero ssh exit status; patch + from Iain Morgan in bz#2057; ok dtucker@ + - dtucker@cvs.openbsd.org 2013/02/11 21:21:58 + [sshd.c] + Add openssl version to debug output similar to the client. ok markus@ + - djm@cvs.openbsd.org 2013/02/11 23:58:51 + [regress/try-ciphers.sh] + remove acss here too + - (djm) [regress/try-ciphers.sh] clean up CVS merge botch + +20130211 + - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old + libcrypto that lacks EVP_CIPHER_CTX_ctrl + +20130208 + - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer; + patch from Iain Morgan in bz#2059 + - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows + __attribute__ on return values and work around if necessary. ok djm@ + +20130207 + - (djm) [configure.ac] Don't probe seccomp capability of running kernel + at configure time; the seccomp sandbox will fall back to rlimit at + runtime anyway. Patch from plautrba AT redhat.com in bz#2011 + +20130120 + - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h] + Move prototypes for replacement ciphers to openssl-compat.h; fix EVP + prototypes for openssl-1.0.0-fips. + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2013/01/18 07:57:47 + [ssh-keygen.1] + tweak previous; + - jmc@cvs.openbsd.org 2013/01/18 07:59:46 + [ssh-keygen.c] + -u before -V in usage(); + - jmc@cvs.openbsd.org 2013/01/18 08:00:49 + [sshd_config.5] + tweak previous; + - jmc@cvs.openbsd.org 2013/01/18 08:39:04 + [ssh-keygen.1] + add -Q to the options list; ok djm + - jmc@cvs.openbsd.org 2013/01/18 21:48:43 + [ssh-keygen.1] + command-line (adj.) -> command line (n.); + - jmc@cvs.openbsd.org 2013/01/19 07:13:25 + [ssh-keygen.1] + fix some formatting; ok djm + - markus@cvs.openbsd.org 2013/01/19 12:34:55 + [krl.c] + RB_INSERT does not remove existing elments; ok djm@ + - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer + version. + - (djm) [regress/krl.sh] replacement for jot; most platforms lack it -20120427 - - (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6 - platform rather than exiting early, so that we still clean up and return - success or failure to test-exec.sh +20130118 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/01/17 23:00:01 + [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] + [krl.c krl.h PROTOCOL.krl] + add support for Key Revocation Lists (KRLs). These are a compact way to + represent lists of revoked keys and certificates, taking as little as + a single bit of incremental cost to revoke a certificate by serial number. + KRLs are loaded via the existing RevokedKeys sshd_config option. + feedback and ok markus@ + - djm@cvs.openbsd.org 2013/01/18 00:45:29 + [regress/Makefile regress/cert-userkey.sh regress/krl.sh] + Tests for Key Revocation Lists (KRLs) + - djm@cvs.openbsd.org 2013/01/18 03:00:32 + [krl.c] + fix KRL generation bug for list sections -20120426 - - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters - via Niels - - (djm) [auth-krb5.c] Save errno across calls that might modify it; - ok dtucker@ +20130117 + - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] + check for GCM support before testing GCM ciphers. -20120423 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2012/04/23 08:18:17 - [channels.c] - fix function proto/source mismatch +20130112 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/01/12 11:22:04 + [cipher.c] + improve error message for integrity failure in AES-GCM modes; ok markus@ + - djm@cvs.openbsd.org 2013/01/12 11:23:53 + [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] + test AES-GCM modes; feedback markus@ + - (djm) [regress/integrity.sh] repair botched merge -20120422 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2012/02/29 11:21:26 - [ssh-keygen.c] - allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@ - - guenther@cvs.openbsd.org 2012/03/15 03:10:27 - [session.c] - root should always be excluded from the test for /etc/nologin instead - of having it always enforced even when marked as ignorenologin. This - regressed when the logic was incompletely flipped around in rev 1.251 - ok halex@ millert@ - - djm@cvs.openbsd.org 2012/03/28 07:23:22 - [PROTOCOL.certkeys] - explain certificate extensions/crit split rationale. Mention requirement - that each appear at most once per cert. - - dtucker@cvs.openbsd.org 2012/03/29 23:54:36 - [channels.c channels.h servconf.c] - Add PermitOpen none option based on patch from Loganaden Velvindron - (bz #1949). ok djm@ - - djm@cvs.openbsd.org 2012/04/11 13:16:19 - [channels.c channels.h clientloop.c serverloop.c] - don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a - while; ok deraadt@ markus@ - - djm@cvs.openbsd.org 2012/04/11 13:17:54 +20130109 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/12/14 05:26:43 [auth.c] - Support "none" as an argument for AuthorizedPrincipalsFile to indicate - no file should be read. - - djm@cvs.openbsd.org 2012/04/11 13:26:40 - [sshd.c] - don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a - while; ok deraadt@ markus@ - - djm@cvs.openbsd.org 2012/04/11 13:34:17 - [ssh-keyscan.1 ssh-keyscan.c] - now that sshd defaults to offering ECDSA keys, ssh-keyscan should also - look for them by default; bz#1971 - - djm@cvs.openbsd.org 2012/04/12 02:42:32 - [servconf.c servconf.h sshd.c sshd_config sshd_config.5] - VersionAddendum option to allow server operators to append some arbitrary - text to the SSH-... banner; ok deraadt@ "don't care" markus@ - - djm@cvs.openbsd.org 2012/04/12 02:43:55 - [sshd_config sshd_config.5] - mention AuthorizedPrincipalsFile=none default - - djm@cvs.openbsd.org 2012/04/20 03:24:23 - [sftp.c] - setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...) - - jmc@cvs.openbsd.org 2012/04/20 16:26:22 - [ssh.1] - use "brackets" instead of "braces", for consistency; - -20120420 - - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update for release 6.0 - - (djm) [README] Update URL to release notes. - - (djm) Release openssh-6.0 - -20120419 - - (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil - contains openpty() but not login() - -20120404 - - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox - mode for Linux's new seccomp filter; patch from Will Drewry; feedback - and ok dtucker@ - -20120330 - - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING - file from spec file. From crighter at nuclioss com. - - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running - openssh binaries on a newer fix release than they were compiled on. - with and ok dtucker@ - - (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect - assumptions when building on Cygwin; patch from Corinna Vinschen - -20120309 - - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux - systems where sshd is run in te wrong context. Patch from Sven - Vermeulen; ok dtucker@ - - (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6 - addressed connections. ok dtucker@ - -20120224 - - (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM - audit breakage in Solaris 11. Patch from Magnus Johansson. - -20120215 - - (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for - unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c - ok dtucker@ - - (tim) [defines.h] move chunk introduced in 1.125 before MAXPATHLEN so - it actually works. - - (tim) [regress/keytype.sh] stderr redirection needs to be inside back quote - to work. Spotted by Angel Gonzalez + use correct string in error message; from rustybsd at gmx.fr + - djm@cvs.openbsd.org 2013/01/02 00:32:07 + [clientloop.c mux.c] + channel_setup_local_fwd_listener() returns 0 on failure, not -ve + bz#2055 reported by mathieu.lacage AT gmail.com + - djm@cvs.openbsd.org 2013/01/02 00:33:49 + [PROTOCOL.agent] + correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED + bz#2051 from david AT lechnology.com + - djm@cvs.openbsd.org 2013/01/03 05:49:36 + [servconf.h] + add a couple of ServerOptions members that should be copied to the privsep + child (for consistency, in this case they happen only to be accessed in + the monitor); ok dtucker@ + - djm@cvs.openbsd.org 2013/01/03 12:49:01 + [PROTOCOL] + fix description of MAC calculation for EtM modes; ok markus@ + - djm@cvs.openbsd.org 2013/01/03 12:54:49 + [sftp-server.8 sftp-server.c] + allow specification of an alternate start directory for sftp-server(8) + "I like this" markus@ + - djm@cvs.openbsd.org 2013/01/03 23:22:58 + [ssh-keygen.c] + allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ... + ok markus@ + - jmc@cvs.openbsd.org 2013/01/04 19:26:38 + [sftp-server.8 sftp-server.c] + sftp-server.8: add argument name to -d + sftp-server.c: add -d to usage() + ok djm + - markus@cvs.openbsd.org 2013/01/08 18:49:04 + [PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c] + [myproposal.h packet.c ssh_config.5 sshd_config.5] + support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) + ok and feedback djm@ + - djm@cvs.openbsd.org 2013/01/09 05:40:17 + [ssh-keygen.c] + correctly initialise fingerprint type for fingerprinting PKCS#11 keys + - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h] + Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little + cipher compat code to openssl-compat.h -20120214 - - (djm) [openbsd-compat/bsd-cygwin_util.c] Add PROGRAMFILES to list of - preserved Cygwin environment variables; from Corinna Vinschen +20121217 + - (dtucker) [Makefile.in] Add some scaffolding so that the new regress + tests will work with VPATH directories. -20120211 +20121213 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2012/01/05 00:16:56 - [monitor.c] - memleak on error path - - djm@cvs.openbsd.org 2012/01/07 21:11:36 - [mux.c] - fix double-free in new session handler - - miod@cvs.openbsd.org 2012/01/08 13:17:11 - [ssh-ecdsa.c] - Fix memory leak in ssh_ecdsa_verify(); from Loganaden Velvindron, - ok markus@ - - miod@cvs.openbsd.org 2012/01/16 20:34:09 - [ssh-pkcs11-client.c] - Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow. - While there, be sure to buffer_clear() between send_msg() and recv_msg(). - ok markus@ - - dtucker@cvs.openbsd.org 2012/01/18 21:46:43 - [clientloop.c] - Ensure that $DISPLAY contains only valid characters before using it to - extract xauth data so that it can't be used to play local shell - metacharacter games. Report from r00t_ati at ihteam.net, ok markus. - - markus@cvs.openbsd.org 2012/01/25 19:26:43 + - markus@cvs.openbsd.org 2012/12/12 16:45:52 [packet.c] - do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; - ok dtucker@, djm@ - - markus@cvs.openbsd.org 2012/01/25 19:36:31 - [authfile.c] - memleak in key_load_file(); from Jan Klemkow - - markus@cvs.openbsd.org 2012/01/25 19:40:09 - [packet.c packet.h] - packet_read_poll() is not used anymore. - - markus@cvs.openbsd.org 2012/02/09 20:00:18 - [version.h] - move from 6.0-beta to 6.0 - -20120206 - - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms - that don't support ECC. Patch from Phil Oleson + reset incoming_packet buffer for each new packet in EtM-case, too; + this happens if packets are parsed only parially (e.g. ignore + messages sent when su/sudo turn off echo); noted by sthen/millert + - naddy@cvs.openbsd.org 2012/12/12 16:46:10 + [cipher.c] + use OpenSSL's EVP_aes_{128,192,256}_ctr() API and remove our hand-rolled + counter mode code; ok djm@ + - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our + compat code for older OpenSSL + - (djm) [cipher.c] Fix missing prototype for compat code -20111219 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/12/02 00:41:56 - [mux.c] - fix bz#1948: ssh -f doesn't fork for multiplexed connection. - ok dtucker@ - - djm@cvs.openbsd.org 2011/12/02 00:43:57 +20121212 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2012/12/11 22:16:21 + [monitor.c] + drain the log messages after receiving the keystate from the unpriv + child. otherwise it might block while sending. ok djm@ + - markus@cvs.openbsd.org 2012/12/11 22:31:18 + [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] + [packet.c ssh_config.5 sshd_config.5] + add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms + that change the packet format and compute the MAC over the encrypted + message (including the packet size) instead of the plaintext data; + these EtM modes are considered more secure and used by default. + feedback and ok djm@ + - sthen@cvs.openbsd.org 2012/12/11 22:51:45 [mac.c] - fix bz#1934: newer OpenSSL versions will require HMAC_CTX_Init before - HMAC_init (this change in policy seems insane to me) - ok dtucker@ - - djm@cvs.openbsd.org 2011/12/04 23:16:12 - [mux.c] - revert: - > revision 1.32 - > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1 - > fix bz#1948: ssh -f doesn't fork for multiplexed connection. - > ok dtucker@ - it interacts badly with ControlPersist - - djm@cvs.openbsd.org 2011/12/07 05:44:38 - [auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c] - fix some harmless and/or unreachable int overflows; - reported Xi Wang, ok markus@ - -20111125 - - OpenBSD CVS Sync - - oga@cvs.openbsd.org 2011/11/16 12:24:28 - [sftp.c] - Don't leak list in complete_cmd_parse if there are no commands found. - Discovered when I was ``borrowing'' this code for something else. - ok djm@ - -20111121 - - (dtucker) [configure.ac] Set _FORTIFY_SOURCE. ok djm@ + fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ + - markus@cvs.openbsd.org 2012/12/11 22:32:56 + [regress/try-ciphers.sh] + add etm modes + - markus@cvs.openbsd.org 2012/12/11 22:42:11 + [regress/Makefile regress/modpipe.c regress/integrity.sh] + test the integrity of the packets; with djm@ + - markus@cvs.openbsd.org 2012/12/11 23:12:13 + [try-ciphers.sh] + add hmac-ripemd160-etm@openssh.com + - (djm) [mac.c] fix merge botch + - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test + work on platforms without 'jot' + - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip + - (djm) [regress/Makefile] fix t-exec rule -20111104 +20121207 - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/10/18 05:15:28 - [ssh.c] - ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@ - - djm@cvs.openbsd.org 2011/10/18 23:37:42 + - dtucker@cvs.openbsd.org 2012/12/06 06:06:54 + [regress/keys-command.sh] + Fix some problems with the keys-command test: + - use string comparison rather than numeric comparison + - check for existing KEY_COMMAND file and don't clobber if it exists + - clean up KEY_COMMAND file if we do create it. + - check that KEY_COMMAND is executable (which it won't be if eg /var/run + is mounted noexec). + ok djm. + - jmc@cvs.openbsd.org 2012/12/03 08:33:03 + [ssh-add.1 sshd_config.5] + tweak previous; + - markus@cvs.openbsd.org 2012/12/05 15:42:52 [ssh-add.c] - add -k to usage(); reminded by jmc@ - - djm@cvs.openbsd.org 2011/10/19 00:06:10 - [moduli.c] - s/tmpfile/tmp/ to make this -Wshadow clean - - djm@cvs.openbsd.org 2011/10/19 10:39:48 - [umac.c] - typo in comment; patch from Michael W. Bombardieri - - djm@cvs.openbsd.org 2011/10/24 02:10:46 - [ssh.c] - bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh - was incorrectly requesting the forward in both the control master and - slave. skip requesting it in the master to fix. ok markus@ - - djm@cvs.openbsd.org 2011/10/24 02:13:13 - [session.c] - bz#1859: send tty break to pty master instead of (probably already - closed) slave side; "looks good" markus@ - - dtucker@cvs.openbsd.org 011/11/04 00:09:39 - [moduli] - regenerated moduli file; ok deraadt - - (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in - openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c] - bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library - which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr) - with some rework from myself and djm. ok djm. - -20111025 - - (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file - fails. Patch from Corinna Vinschen. - -20111018 + prevent double-free of comment; ok djm@ + - dtucker@cvs.openbsd.org 2012/12/07 01:51:35 + [serverloop.c] + Cast signal to int for logging. A no-op on openbsd (they're always ints) + but will prevent warnings in portable. ok djm@ + +20121205 + - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. + +20121203 + - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get + TAILQ_FOREACH_SAFE needed for upcoming changes. - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/10/04 14:17:32 - [sftp-glob.c] - silence error spam for "ls */foo" in directory with files; bz#1683 - - dtucker@cvs.openbsd.org 2011/10/16 11:02:46 - [moduli.c ssh-keygen.1 ssh-keygen.c] - Add optional checkpoints for moduli screening. feedback & ok deraadt - - jmc@cvs.openbsd.org 2011/10/16 15:02:41 - [ssh-keygen.c] - put -K in the right place (usage()); - - stsp@cvs.openbsd.org 2011/10/16 15:51:39 - [moduli.c] - add missing includes to unbreak tree; fix from rpointel - - djm@cvs.openbsd.org 2011/10/18 04:58:26 - [auth-options.c key.c] - remove explict search for \0 in packet strings, this job is now done - implicitly by buffer_get_cstring; ok markus - - djm@cvs.openbsd.org 2011/10/18 05:00:48 + - djm@cvs.openbsd.org 2012/12/02 20:26:11 + [ssh_config.5 sshconnect2.c] + Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. + This allows control of which keys are offered from tokens using + IdentityFile. ok markus@ + - djm@cvs.openbsd.org 2012/12/02 20:42:15 [ssh-add.1 ssh-add.c] - new "ssh-add -k" option to load plain keys (skipping certificates); - "looks ok" markus@ + make deleting explicit keys "ssh-add -d" symmetric with adding keys - + try to delete the corresponding certificate too and respect the -k option + to allow deleting of the key only; feedback and ok markus@ + - djm@cvs.openbsd.org 2012/12/02 20:46:11 + [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] + [sshd_config.5] + make AllowTcpForwarding accept "local" and "remote" in addition to its + current "yes"/"no" to allow the server to specify whether just local or + remote TCP forwarding is enabled. ok markus@ + - dtucker@cvs.openbsd.org 2012/10/05 02:20:48 + [regress/cipher-speed.sh regress/try-ciphers.sh] + Add umac-128@openssh.com to the list of MACs to be tested + - djm@cvs.openbsd.org 2012/10/19 05:10:42 + [regress/cert-userkey.sh] + include a serial number when generating certs + - djm@cvs.openbsd.org 2012/11/22 22:49:30 + [regress/Makefile regress/keys-command.sh] + regress for AuthorizedKeysCommand; hints from markus@ + - djm@cvs.openbsd.org 2012/12/02 20:47:48 + [Makefile regress/forward-control.sh] + regress for AllowTcpForwarding local/remote; ok markus@ + - djm@cvs.openbsd.org 2012/12/03 00:14:06 + [auth2-chall.c ssh-keygen.c] + Fix compilation with -Wall -Werror (trivial type fixes) + - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation + debugging. ok dtucker@ + - (djm) [configure.ac] Revert previous. configure.ac already does this + for us. -20111001 - - (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2011/09/23 00:22:04 - [channels.c auth-options.c servconf.c channels.h sshd.8] - Add wildcard support to PermitOpen, allowing things like "PermitOpen - localhost:*". bz #1857, ok djm markus. - - markus@cvs.openbsd.org 2011/09/23 07:45:05 - [mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c - version.h] - unbreak remote portforwarding with dynamic allocated listen ports: - 1) send the actual listen port in the open message (instead of 0). - this allows multiple forwardings with a dynamic listen port - 2) update the matching permit-open entry, so we can identify where - to connect to - report: den at skbkontur.ru and P. Szczygielski - feedback and ok djm@ - - djm@cvs.openbsd.org 2011/09/25 05:44:47 +20121114 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2012/11/14 02:24:27 [auth2-pubkey.c] - improve the AuthorizedPrincipalsFile debug log message to include - file and line number - - dtucker@cvs.openbsd.org 2011/09/30 00:47:37 - [sshd.c] - don't attempt privsep cleanup when not using privsep; ok markus@ - - djm@cvs.openbsd.org 2011/09/30 21:22:49 - [sshd.c] - fix inverted test that caused logspam; spotted by henning@ - -20110929 - - (djm) [configure.ac defines.h] No need to detect sizeof(char); patch - from des AT des.no - - (dtucker) [configure.ac openbsd-compat/Makefile.in - openbsd-compat/strnlen.c] Add strnlen to the compat library. - -20110923 - - (djm) [openbsd-compat/getcwd.c] Remove OpenBSD rcsid marker since we no - longer want to sync this file (OpenBSD uses a __getcwd syscall now, we - want this longhand version) - - (djm) [openbsd-compat/getgrouplist.c] Remove OpenBSD rcsid marker: the - upstream version is YPified and we don't want this - - (djm) [openbsd-compat/mktemp.c] forklift upgrade to -current version. - The file was totally rewritten between what we had in tree and -current. - - (djm) [openbsd-compat/sha2.c openbsd-compat/sha2.h] Remove OpenBSD rcsid - marker. The upstream API has changed (function and structure names) - enough to put it out of sync with other providers of this interface. - - (djm) [openbsd-compat/setenv.c] Forklift upgrade, including inclusion - of static __findenv() function from upstream setenv.c - - OpenBSD CVS Sync - - millert@cvs.openbsd.org 2006/05/05 15:27:38 - [openbsd-compat/strlcpy.c] - Convert do {} while loop -> while {} for clarity. No binary change - on most architectures. From Oliver Smith. OK deraadt@ and henning@ - - tobias@cvs.openbsd.org 2007/10/21 11:09:30 - [openbsd-compat/mktemp.c] - Comment fix about time consumption of _gettemp. - FreeBSD did this in revision 1.20. - OK deraadt@, krw@ - - deraadt@cvs.openbsd.org 2008/07/22 21:47:45 - [openbsd-compat/mktemp.c] - use arc4random_uniform(); ok djm millert - - millert@cvs.openbsd.org 2008/08/21 16:54:44 - [openbsd-compat/mktemp.c] - Remove useless code, the kernel will set errno appropriately if an - element in the path does not exist. OK deraadt@ pvalchev@ - - otto@cvs.openbsd.org 2008/12/09 19:38:38 - [openbsd-compat/inet_ntop.c] - fix inet_ntop(3) prototype; ok millert@ libc to be bumbed very soon - -20110922 - - OpenBSD CVS Sync - - pyr@cvs.openbsd.org 2011/05/12 07:15:10 - [openbsd-compat/glob.c] - When the max number of items for a directory has reached GLOB_LIMIT_READDIR - an error is returned but closedir() is not called. - spotted and fix provided by Frank Denis obsd-tech@pureftpd.org - ok otto@, millert@ - - stsp@cvs.openbsd.org 2011/09/20 10:18:46 - [glob.c] - In glob(3), limit recursion during matching attempts. Similar to - fnmatch fix. Also collapse consecutive '*' (from NetBSD). - ok miod deraadt - - djm@cvs.openbsd.org 2011/09/22 06:27:29 - [glob.c] - fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being - applied only to the gl_pathv vector and not the corresponding gl_statv - array. reported in OpenSSH bz#1935; feedback and okay matthew@ - - djm@cvs.openbsd.org 2011/08/26 01:45:15 - [ssh.1] - Add some missing ssh_config(5) options that can be used in ssh(1)'s - -o argument. Patch from duclare AT guu.fi - - djm@cvs.openbsd.org 2011/09/05 05:56:13 - [scp.1 sftp.1] - mention ControlPersist and KbdInteractiveAuthentication in the -o - verbiage in these pages too (prompted by jmc@) - - djm@cvs.openbsd.org 2011/09/05 05:59:08 - [misc.c] - fix typo in IPQoS parsing: there is no "AF14" class, but there is - an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk - - jmc@cvs.openbsd.org 2011/09/05 07:01:44 - [scp.1] - knock out a useless Ns; - - deraadt@cvs.openbsd.org 2011/09/07 02:18:31 - [ssh-keygen.1] - typo (they vs the) found by Lawrence Teo - - djm@cvs.openbsd.org 2011/09/09 00:43:00 - [ssh_config.5 sshd_config.5] - fix typo in IPQoS parsing: there is no "AF14" class, but there is - an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk - - djm@cvs.openbsd.org 2011/09/09 00:44:07 - [PROTOCOL.mux] - MUX_C_CLOSE_FWD includes forward type in message (though it isn't - implemented anyway) - - djm@cvs.openbsd.org 2011/09/09 22:37:01 - [scp.c] - suppress adding '--' to remote commandlines when the first argument - does not start with '-'. saves breakage on some difficult-to-upgrade - embedded/router platforms; feedback & ok dtucker ok markus - - djm@cvs.openbsd.org 2011/09/09 22:38:21 - [sshd.c] - kill the preauth privsep child on fatal errors in the monitor; + fix username passed to helper program + prepare stdio fds before closefrom() + spotted by landry@ + - djm@cvs.openbsd.org 2012/11/14 02:32:15 + [ssh-keygen.c] + allow the full range of unsigned serial numbers; 'fine' deraadt@ + - djm@cvs.openbsd.org 2012/12/02 20:34:10 + [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] + [monitor.c monitor.h] + Fixes logging of partial authentication when privsep is enabled + Previously, we recorded "Failed xxx" since we reset authenticated before + calling auth_log() in auth2.c. This adds an explcit "Partial" state. + + Add a "submethod" to auth_log() to report which submethod is used + for keyboard-interactive. + + Fix multiple authentication when one of the methods is + keyboard-interactive. + ok markus@ - - djm@cvs.openbsd.org 2011/09/09 22:46:44 - [channels.c channels.h clientloop.h mux.c ssh.c] - support for cancelling local and remote port forwards via the multiplex - socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request - the cancellation of the specified forwardings; ok markus@ - - markus@cvs.openbsd.org 2011/09/10 22:26:34 - [channels.c channels.h clientloop.c ssh.1] - support cancellation of local/dynamic forwardings from ~C commandline; - ok & feedback djm@ - - okan@cvs.openbsd.org 2011/09/11 06:59:05 - [ssh.1] - document new -O cancel command; ok djm@ - - markus@cvs.openbsd.org 2011/09/11 16:07:26 - [sftp-client.c] - fix leaks in do_hardlink() and do_readlink(); bz#1921 - from Loganaden Velvindron - - markus@cvs.openbsd.org 2011/09/12 08:46:15 - [sftp-client.c] - fix leak in do_lsreaddir(); ok djm - - djm@cvs.openbsd.org 2011/09/22 06:29:03 - [sftp.c] - don't let remote_glob() implicitly sort its results in do_globbed_ls() - - in all likelihood, they will be resorted anyway - -20110909 - - (dtucker) [entropy.h] Bug #1932: remove old definition of init_rng. From - Colin Watson. - -20110906 - - (djm) [README version.h] Correct version - - (djm) [contrib/redhat/openssh.spec] Correct restorcon => restorecon - - (djm) Respin OpenSSH-5.9p1 release - -20110905 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update version numbers. - -20110904 - - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal - regress errors for the sandbox to warnings. ok tim dtucker - - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations - ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen - support. + - dtucker@cvs.openbsd.org 2012/10/05 02:05:30 + [regress/multiplex.sh] + Use 'kill -0' to test for the presence of a pid since it's more portable -20110829 - - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting - to switch SELinux context away from unconfined_t, based on patch from - Jan Chadima; bz#1919 ok dtucker@ - -20110827 - - (dtucker) [auth-skey.c] Add log.h to fix build --with-skey. - -20110818 - - (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze - -20110817 - - (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for - OpenSSL 0.9.7. ok djm - - (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h] - binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen - - (djm) [configure.ac] error out if the host lacks the necessary bits for - an explicitly requested sandbox type - - (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by - bisson AT archlinux.org +20121107 - (djm) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2011/06/03 05:35:10 - [regress/cfgmatch.sh] - use OBJ to find test configs, patch from Tim Rice - - markus@cvs.openbsd.org 2011/06/30 22:44:43 - [regress/connect-privsep.sh] - test with sandbox enabled; ok djm@ - - djm@cvs.openbsd.org 2011/08/02 01:23:41 - [regress/cipher-speed.sh regress/try-ciphers.sh] - add SHA256/SHA512 based HMAC modes - - (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2 - MAC tests for platforms that hack EVP_SHA2 support - -20110812 - - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context - change error by reporting old and new context names Patch from - jchadima at redhat. - - (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init] - [contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES - init scrips from imorgan AT nas.nasa.gov; bz#1920 - - (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the - identify file contained whitespace. bz#1828 patch from gwenael.lambrouin - AT gmail.com; ok dtucker@ - -20110807 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2008/06/26 06:59:39 - [moduli.5] - tweak previous; - - sobrado@cvs.openbsd.org 2009/10/28 08:56:54 + - eric@cvs.openbsd.org 2011/11/28 08:46:27 [moduli.5] - "Diffie-Hellman" is the usual spelling for the cryptographic protocol - first published by Whitfield Diffie and Martin Hellman in 1976. - ok jmc@ - - jmc@cvs.openbsd.org 2010/10/14 20:41:28 + fix formula + ok djm@ + - jmc@cvs.openbsd.org 2012/09/26 17:34:38 [moduli.5] - probabalistic -> probabilistic; from naddy - - dtucker@cvs.openbsd.org 2011/08/07 12:55:30 - [sftp.1] - typo, fix from Laurent Gautrot - -20110805 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/06/23 23:35:42 - [monitor.c] - ignore EINTR errors from poll() - - tedu@cvs.openbsd.org 2011/07/06 18:09:21 - [authfd.c] - bzero the agent address. the kernel was for a while very cranky about - these things. evne though that's fixed, always good to initialize - memory. ok deraadt djm - - djm@cvs.openbsd.org 2011/07/29 14:42:45 - [sandbox-systrace.c] - fail open(2) with EPERM rather than SIGKILLing the whole process. libc - will call open() to do strerror() when NLS is enabled; - feedback and ok markus@ - - markus@cvs.openbsd.org 2011/08/01 19:18:15 - [gss-serv.c] - prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); - report Adam Zabrock; ok djm@, deraadt@ - - djm@cvs.openbsd.org 2011/08/02 01:22:11 - [mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] - Add new SHA256 and SHA512 based HMAC modes from - http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt - Patch from mdb AT juniper.net; feedback and ok markus@ - - djm@cvs.openbsd.org 2011/08/02 23:13:01 - [version.h] - crank now, release later - - djm@cvs.openbsd.org 2011/08/02 23:15:03 - [ssh.c] - typo in comment + last stage of rfc changes, using consistent Rs/Re blocks, and moving the + references into a STANDARDS section; -20110624 - - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for - Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing - markus@ +20121105 + - (dtucker) [uidswap.c openbsd-compat/Makefile.in + openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h + openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids + and gids from uidswap.c to the compat library, which allows it to work with + the new setresuid calls in auth2-pubkey. with tim@, ok djm@ + - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that + don't have it. Spotted by tim@. -20110623 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/06/22 21:47:28 - [servconf.c] - reuse the multistate option arrays to pretty-print options for "sshd -T" - - djm@cvs.openbsd.org 2011/06/22 21:57:01 - [servconf.c servconf.h sshd.c sshd_config.5] - [configure.ac Makefile.in] - introduce sandboxing of the pre-auth privsep child using systrace(4). - - This introduces a new "UsePrivilegeSeparation=sandbox" option for - sshd_config that applies mandatory restrictions on the syscalls the - privsep child can perform. This prevents a compromised privsep child - from being used to attack other hosts (by opening sockets and proxying) - or probing local kernel attack surface. - - The sandbox is implemented using systrace(4) in unsupervised "fast-path" - mode, where a list of permitted syscalls is supplied. Any syscall not - on the list results in SIGKILL being sent to the privsep child. Note - that this requires a kernel with the new SYSTR_POLICY_KILL option. - - UsePrivilegeSeparation=sandbox will become the default in the future - so please start testing it now. - - feedback dtucker@; ok markus@ - - djm@cvs.openbsd.org 2011/06/22 22:08:42 - [channels.c channels.h clientloop.c clientloop.h mux.c ssh.c] - hook up a channel confirm callback to warn the user then requested X11 - forwarding was refused by the server; ok markus@ - - djm@cvs.openbsd.org 2011/06/23 09:34:13 - [sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c] - [sandbox-null.c] - rename sandbox.h => ssh-sandbox.h to make things easier for portable - - (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support - setrlimit(2) - -20110620 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/06/04 00:10:26 - [ssh_config.5] - explain IdentifyFile's semantics a little better, prompted by bz#1898 - ok dtucker jmc - - markus@cvs.openbsd.org 2011/06/14 22:49:18 - [authfile.c] - make sure key_parse_public/private_rsa1() no longer consumes its input - buffer. fixes ssh-add for passphrase-protected ssh1-keys; - noted by naddy@; ok djm@ - - djm@cvs.openbsd.org 2011/06/17 21:44:31 - [log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c] - make the pre-auth privsep slave log via a socketpair shared with the - monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@ - - djm@cvs.openbsd.org 2011/06/17 21:46:16 - [sftp-server.c] - the protocol version should be unsigned; bz#1913 reported by mb AT - smartftp.com - - djm@cvs.openbsd.org 2011/06/17 21:47:35 - [servconf.c] - factor out multi-choice option parsing into a parse_multistate label - and some support structures; ok dtucker@ - - djm@cvs.openbsd.org 2011/06/17 21:57:25 - [clientloop.c] - setproctitle for a mux master that has been gracefully stopped; - bz#1911 from Bert.Wesarg AT googlemail.com - -20110603 - - (dtucker) [README version.h contrib/caldera/openssh.spec - contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version - bumps from the 5.8p2 branch into HEAD. ok djm. - - (tim) [configure.ac defines.h] Run test program to detect system mail - directory. Add --with-maildir option to override. Fixed OpenServer 6 - getting it wrong. Fixed many systems having MAIL=/var/mail//username - ok dtucker - - (dtucker) [monitor.c] Remove the !HAVE_SOCKETPAIR case. We use socketpair - unconditionally in other places and the survey data we have does not show - any systems that use it. "nuke it" djm@ - - (djm) [configure.ac] enable setproctitle emulation for OS X - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/06/03 00:54:38 - [ssh.c] - bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg - AT googlemail.com; ok dtucker@ - NB. includes additional portability code to enable setproctitle emulation - on platforms that don't support it. - - dtucker@cvs.openbsd.org 2011/06/03 01:37:40 - [ssh-agent.c] - Check current parent process ID against saved one to determine if the parent - has exited, rather than attempting to send a zero signal, since the latter - won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn - Gillmor, ok djm@ - - dtucker@cvs.openbsd.org 2011/05/31 02:01:58 - [regress/dynamic-forward.sh] - back out revs 1.6 and 1.5 since it's not reliable - - dtucker@cvs.openbsd.org 2011/05/31 02:03:34 - [regress/dynamic-forward.sh] - work around startup and teardown races; caught by deraadt - - dtucker@cvs.openbsd.org 2011/06/03 00:29:52 - [regress/dynamic-forward.sh] - Retry establishing the port forwarding after a small delay, should make - the tests less flaky when the previous test is slow to shut down and free - up the port. - - (tim) [regress/cfgmatch.sh] Build/test out of tree fix. - -20110529 +20121104 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/05/23 03:30:07 - [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c] - [pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] - allow AuthorizedKeysFile to specify multiple files, separated by spaces. - Bring back authorized_keys2 as a default search path (to avoid breaking - existing users of this file), but override this in sshd_config so it will - be no longer used on fresh installs. Maybe in 2015 we can remove it - entierly :) - - feedback and ok markus@ dtucker@ - - djm@cvs.openbsd.org 2011/05/23 03:33:38 - [auth.c] - make secure_filename() spam debug logs less - - djm@cvs.openbsd.org 2011/05/23 03:52:55 - [sshconnect.c] - remove extra newline - - jmc@cvs.openbsd.org 2011/05/23 07:10:21 - [sshd.8 sshd_config.5] - tweak previous; ok djm - - djm@cvs.openbsd.org 2011/05/23 07:24:57 - [authfile.c] - read in key comments for v.2 keys (though note that these are not - passed over the agent protocol); bz#439, based on patch from binder - AT arago.de; ok markus@ - - djm@cvs.openbsd.org 2011/05/24 07:15:47 - [readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c] - Remove undocumented legacy options UserKnownHostsFile2 and - GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile - accept multiple paths per line and making their defaults include - known_hosts2; ok markus - - djm@cvs.openbsd.org 2011/05/23 03:31:31 - [regress/cfgmatch.sh] - include testing of multiple/overridden AuthorizedKeysFiles - refactor to simply daemon start/stop and get rid of racy constructs - -20110520 - - (djm) [session.c] call setexeccon() before executing passwd for pw - changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@ - - (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options - options, we should corresponding -W-option when trying to determine - whether it is accepted. Also includes a warning fix on the program - fragment uses (bad main() return type). - bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@ - - (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/05/15 08:09:01 - [authfd.c monitor.c serverloop.c] - use FD_CLOEXEC consistently; patch from zion AT x96.org - - djm@cvs.openbsd.org 2011/05/17 07:13:31 - [key.c] - fatal() if asked to generate a legacy ECDSA cert (these don't exist) - and fix the regress test that was trying to generate them :) - - djm@cvs.openbsd.org 2011/05/20 00:55:02 - [servconf.c] - the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile - and AuthorizedPrincipalsFile were not being correctly applied in - Match blocks, despite being overridable there; ok dtucker@ - - dtucker@cvs.openbsd.org 2011/05/20 02:00:19 - [servconf.c] - Add comment documenting what should be after the preauth check. ok djm - - djm@cvs.openbsd.org 2011/05/20 03:25:45 - [monitor.c monitor_wrap.c servconf.c servconf.h] - use a macro to define which string options to copy between configs - for Match. This avoids problems caused by forgetting to keep three - code locations in perfect sync and ordering - - "this is at once beautiful and horrible" + ok dtucker@ - - djm@cvs.openbsd.org 2011/05/17 07:13:31 - [regress/cert-userkey.sh] - fatal() if asked to generate a legacy ECDSA cert (these don't exist) - and fix the regress test that was trying to generate them :) - - djm@cvs.openbsd.org 2011/05/20 02:43:36 - [cert-hostkey.sh] - another attempt to generate a v00 ECDSA key that broke the test - ID sync only - portable already had this somehow - - dtucker@cvs.openbsd.org 2011/05/20 05:19:50 - [dynamic-forward.sh] - Prevent races in dynamic forwarding test; ok djm - - dtucker@cvs.openbsd.org 2011/05/20 06:32:30 - [dynamic-forward.sh] - fix dumb error in dynamic-forward test - -20110515 + - jmc@cvs.openbsd.org 2012/10/31 08:04:50 + [sshd_config.5] + tweak previous; + - djm@cvs.openbsd.org 2012/11/04 10:38:43 + [auth2-pubkey.c sshd.c sshd_config.5] + Remove default of AuthorizedCommandUser. Administrators are now expected + to explicitly specify a user. feedback and ok markus@ + - djm@cvs.openbsd.org 2012/11/04 11:09:15 + [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] + [sshd_config.5] + Support multiple required authentication via an AuthenticationMethods + option. This option lists one or more comma-separated lists of + authentication method names. Successful completion of all the methods in + any list is required for authentication to complete; + feedback and ok markus@ + +20121030 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/05/05 05:12:08 - [mux.c] - gracefully fall back when ControlPath is too large for a - sockaddr_un. ok markus@ as part of a larger diff - - dtucker@cvs.openbsd.org 2011/05/06 01:03:35 - [sshd_config] - clarify language about overriding defaults. bz#1892, from Petr Cerny - - djm@cvs.openbsd.org 2011/05/06 01:09:53 - [sftp.1] - mention that IPv6 addresses must be enclosed in square brackets; - bz#1845 - - djm@cvs.openbsd.org 2011/05/06 02:05:41 - [sshconnect2.c] - fix memory leak; bz#1849 ok dtucker@ - - djm@cvs.openbsd.org 2011/05/06 21:14:05 - [packet.c packet.h] - set traffic class for IPv6 traffic as we do for IPv4 TOS; - patch from lionel AT mamane.lu via Colin Watson in bz#1855; - ok markus@ - - djm@cvs.openbsd.org 2011/05/06 21:18:02 - [ssh.c ssh_config.5] - add a %L expansion (short-form of the local host name) for ControlPath; - sync some more expansions with LocalCommand; ok markus@ - - djm@cvs.openbsd.org 2011/05/06 21:31:38 - [readconf.c ssh_config.5] - support negated Host matching, e.g. - - Host *.example.org !c.example.org - User mekmitasdigoat + - markus@cvs.openbsd.org 2012/10/05 12:34:39 + [sftp.c] + fix signed vs unsigned warning; feedback & ok: djm@ + - djm@cvs.openbsd.org 2012/10/30 21:29:55 + [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] + [sshd.c sshd_config sshd_config.5] + new sshd_config option AuthorizedKeysCommand to support fetching + authorized_keys from a command in addition to (or instead of) from + the filesystem. The command is run as the target server user unless + another specified via a new AuthorizedKeysCommandUser option. - Will match "a.example.org", "b.example.org", but not "c.example.org" - ok markus@ - - djm@cvs.openbsd.org 2011/05/06 21:34:32 - [clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5] - Add a RequestTTY ssh_config option to allow configuration-based - control over tty allocation (like -t/-T); ok markus@ - - djm@cvs.openbsd.org 2011/05/06 21:38:58 - [ssh.c] - fix dropping from previous diff - - djm@cvs.openbsd.org 2011/05/06 22:20:10 - [PROTOCOL.mux] - fix numbering; from bert.wesarg AT googlemail.com - - jmc@cvs.openbsd.org 2011/05/07 23:19:39 - [ssh_config.5] - - tweak previous - - come consistency fixes - ok djm - - jmc@cvs.openbsd.org 2011/05/07 23:20:25 + patch originally by jchadima AT redhat.com, reworked by me; feedback + and ok markus@ + +20121019 + - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in + the generated file as intended. + +20121005 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2012/09/17 09:54:44 + [sftp.c] + an XXX for later + - markus@cvs.openbsd.org 2012/09/17 13:04:11 + [packet.c] + clear old keys on rekeing; ok djm + - dtucker@cvs.openbsd.org 2012/09/18 10:36:12 + [sftp.c] + Add bounds check on sftp tab-completion. Part of a patch from from + Jean-Marc Robert via tech@, ok djm + - dtucker@cvs.openbsd.org 2012/09/21 10:53:07 + [sftp.c] + Fix improper handling of absolute paths when PWD is part of the completed + path. Patch from Jean-Marc Robert via tech@, ok djm. + - dtucker@cvs.openbsd.org 2012/09/21 10:55:04 + [sftp.c] + Fix handling of filenames containing escaped globbing characters and + escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm. + - jmc@cvs.openbsd.org 2012/09/26 16:12:13 [ssh.1] - +.It RequestTTY - - djm@cvs.openbsd.org 2011/05/08 12:52:01 - [PROTOCOL.mux clientloop.c clientloop.h mux.c] - improve our behaviour when TTY allocation fails: if we are in - RequestTTY=auto mode (the default), then do not treat at TTY - allocation error as fatal but rather just restore the local TTY - to cooked mode and continue. This is more graceful on devices that - never allocate TTYs. - - If RequestTTY is set to "yes" or "force", then failure to allocate - a TTY is fatal. - - ok markus@ - - djm@cvs.openbsd.org 2011/05/10 05:46:46 - [authfile.c] - despam debug() logs by detecting that we are trying to load a private key - in key_try_load_public() and returning early; ok markus@ - - djm@cvs.openbsd.org 2011/05/11 04:47:06 - [auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h] - remove support for authorized_keys2; it is a relic from the early days - of protocol v.2 support and has been undocumented for many years; - ok markus@ - - djm@cvs.openbsd.org 2011/05/13 00:05:36 - [authfile.c] - warn on unexpected key type in key_parse_private_type() - - (djm) [packet.c] unbreak portability #endif - -20110510 - - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix - --with-ssl-engine which was broken with the change from deprecated - SSLeay_add_all_algorithms(). ok djm - -20110506 - - (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1875: add prototype - for closefrom() in test code. Report from Dan Wallis via Gentoo. - -20110505 - - (djm) [defines.h] Move up include of netinet/ip.h for IPTOS - definitions. From des AT des.no - - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac] - [entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] - [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] - [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] - [regress/README.regress] Remove ssh-rand-helper and all its - tentacles. PRNGd seeding has been rolled into entropy.c directly. - Thanks to tim@ for testing on affected platforms. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/03/10 02:52:57 - [auth2-gss.c auth2.c auth.h] - allow GSSAPI authentication to detect when a server-side failure causes - authentication failure and don't count such failures against MaxAuthTries; - bz#1244 from simon AT sxw.org.uk; ok markus@ before lock - - okan@cvs.openbsd.org 2011/03/15 10:36:02 - [ssh-keyscan.c] - use timerclear macro - ok djm@ - - stevesk@cvs.openbsd.org 2011/03/23 15:16:22 - [ssh-keygen.1 ssh-keygen.c] - Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) - for which host keys do not exist, generate the host keys with the - default key file path, an empty passphrase, default bits for the key - type, and default comment. This will be used by /etc/rc to generate - new host keys. Idea from deraadt. - ok deraadt - - stevesk@cvs.openbsd.org 2011/03/23 16:24:56 - [ssh-keygen.1] - -q not used in /etc/rc now so remove statement. - - stevesk@cvs.openbsd.org 2011/03/23 16:50:04 - [ssh-keygen.c] - remove -d, documentation removed >10 years ago; ok markus - - jmc@cvs.openbsd.org 2011/03/24 15:29:30 - [ssh-keygen.1] - zap trailing whitespace; - - stevesk@cvs.openbsd.org 2011/03/24 22:14:54 - [ssh-keygen.c] - use strcasecmp() for "clear" cert permission option also; ok djm - - stevesk@cvs.openbsd.org 2011/03/29 18:54:17 - [misc.c misc.h servconf.c] - print ipqos friendly string for sshd -T; ok markus - # sshd -Tf sshd_config|grep ipqos - ipqos lowdelay throughput - - djm@cvs.openbsd.org 2011/04/12 04:23:50 - [ssh-keygen.c] - fix -Wshadow - - djm@cvs.openbsd.org 2011/04/12 05:32:49 - [sshd.c] - exit with 0 status on SIGTERM; bz#1879 - - djm@cvs.openbsd.org 2011/04/13 04:02:48 - [ssh-keygen.1] - improve wording; bz#1861 - - djm@cvs.openbsd.org 2011/04/13 04:09:37 - [ssh-keygen.1] - mention valid -b sizes for ECDSA keys; bz#1862 - - djm@cvs.openbsd.org 2011/04/17 22:42:42 - [PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c] - allow graceful shutdown of multiplexing: request that a mux server - removes its listener socket and refuse future multiplexing requests; - ok markus@ - - djm@cvs.openbsd.org 2011/04/18 00:46:05 + last stage of rfc changes, using consistent Rs/Re blocks, and moving the + references into a STANDARDS section; + - naddy@cvs.openbsd.org 2012/10/01 13:59:51 + [monitor_wrap.c] + pasto; ok djm@ + - djm@cvs.openbsd.org 2012/10/02 07:07:45 [ssh-keygen.c] - certificate options are supposed to be packed in lexical order of - option name (though we don't actually enforce this at present). - Move one up that was out of sequence - - djm@cvs.openbsd.org 2011/05/04 21:15:29 - [authfile.c authfile.h ssh-add.c] - allow "ssh-add - < key"; feedback and ok markus@ - - (tim) [configure.ac] Add AC_LANG_SOURCE to OPENSSH_CHECK_CFLAG_COMPILE - so autoreconf 2.68 is happy. - - (tim) [defines.h] Deal with platforms that do not have S_IFSOCK ok djm@ - -20110221 - - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the - Cygwin-specific service installer script ssh-host-config. The actual - functionality is the same, the revisited version is just more - exact when it comes to check for problems which disallow to run - certain aspects of the script. So, part of this script and the also - rearranged service helper script library "csih" is to check if all - the tools required to run the script are available on the system. - The new script also is more thorough to inform the user why the - script failed. Patch from vinschen at redhat com. - -20110218 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/02/16 00:31:14 - [ssh-keysign.c] - make hostbased auth with ECDSA keys work correctly. Based on patch - by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock) - -20110206 - - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in - selinux code. Patch from Leonardo Chiquitto - - (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA key - generation and simplify. Patch from Corinna Vinschen. - -20110204 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/31 21:42:15 - [PROTOCOL.mux] - cut'n'pasto; from bert.wesarg AT googlemail.com - - djm@cvs.openbsd.org 2011/02/04 00:44:21 - [key.c] - fix uninitialised nonce variable; reported by Mateusz Kocielski - - djm@cvs.openbsd.org 2011/02/04 00:44:43 - [version.h] - openssh-5.8 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] update versions in docs and spec files. - - Release OpenSSH 5.8p1 - -20110128 - - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled - before attempting setfscreatecon(). Check whether matchpathcon() - succeeded before using its result. Patch from cjwatson AT debian.org; - bz#1851 - -20110127 - - (tim) [config.guess config.sub] Sync with upstream. - - (tim) [configure.ac] Consistent M4 quoting throughout, updated obsolete - AC_TRY_COMPILE with AC_COMPILE_IFELSE, updated obsolete AC_TRY_LINK with - AC_LINK_IFELSE, updated obsolete AC_TRY_RUN with AC_RUN_IFELSE, misc white - space changes for consistency/readability. Makes autoconf 2.68 happy. - "Nice work" djm - -20110125 - - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c - openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to - port-linux.c to avoid compilation errors. Add -lselinux to ssh when - building with SELinux support to avoid linking failure; report from - amk AT spamfence.net; ok dtucker - -20110122 - - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add - RSA_get_default_method() for the benefit of openssl versions that don't - have it (at least openssl-engine-0.9.6b). Found and tested by Kevin Brott, - ok djm@. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/22 09:18:53 - [version.h] - crank to OpenSSH-5.7 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] update versions in docs and spec files. - - (djm) Release 5.7p1 - -20110119 - - (tim) [contrib/caldera/openssh.spec] Use CFLAGS from Makefile instead - of RPM so build completes. Signatures were changed to .asc since 4.1p1. - - (djm) [configure.ac] Disable ECC on OpenSSL <0.9.8g. Releases prior to - 0.9.8 lacked it, and 0.9.8a through 0.9.8d have proven buggy in pre- - release testing (random crashes and failure to load ECC keys). - ok dtucker@ + fix -z option, broken in revision 1.215 + - markus@cvs.openbsd.org 2012/10/04 13:21:50 + [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] + add umac128 variant; ok djm@ at n2k12 + - dtucker@cvs.openbsd.org 2012/09/06 04:11:07 + [regress/try-ciphers.sh] + Restore missing space. (Id sync only). + - dtucker@cvs.openbsd.org 2012/09/09 11:51:25 + [regress/multiplex.sh] + Add test for ssh -Ostop + - dtucker@cvs.openbsd.org 2012/09/10 00:49:21 + [regress/multiplex.sh] + Log -O cmd output to the log file and make logging consistent with the + other tests. Test clean shutdown of an existing channel when testing + "stop". + - dtucker@cvs.openbsd.org 2012/09/10 01:51:19 + [regress/multiplex.sh] + use -Ocheck and waiting for completions by PID to make multiplexing test + less racy and (hopefully) more reliable on slow hardware. + - [Makefile umac.c] Add special-case target to build umac128.o. + - [umac.c] Enforce allowed umac output sizes. From djm@. + - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom". -20110117 - - (djm) [regress/Makefile] use $TEST_SSH_KEYGEN instead of the one in - $PATH, fix cleanup of droppings; reported by openssh AT - roumenpetrov.info; ok dtucker@ - - (djm) [regress/agent-ptrace.sh] Fix false failure on OS X by adding - its unique snowflake of a gdb error to the ones we look for. - - (djm) [regress/agent-getpeereid.sh] leave stdout attached when running - ssh-add to avoid $SUDO failures on Linux - - (dtucker) [openbsd-compat/port-linux.c] Bug #1838: Add support for the new - Linux OOM-killer magic values that changed in 2.6.36 kernels, with fallback - to the old values. Feedback from vapier at gentoo org and djm, ok djm. - - (djm) [configure.ac regress/agent-getpeereid.sh regress/multiplex.sh] - [regress/sftp-glob.sh regress/test-exec.sh] Rework how feature tests are - disabled on platforms that do not support them; add a "config_defined()" - shell function that greps for defines in config.h and use them to decide - on feature tests. - Convert a couple of existing grep's over config.h to use the new function - Add a define "FILESYSTEM_NO_BACKSLASH" for filesystem that can't represent - backslash characters in filenames, enable it for Cygwin and use it to turn - of tests for quotes backslashes in sftp-glob.sh. - based on discussion with vinschen AT redhat.com and dtucker@; ok dtucker@ - - (tim) [regress/agent-getpeereid.sh] shell portability fix. - - (dtucker) [openbsd-compat/port-linux.c] Fix minor bug caught by -Werror on - the tinderbox. - - (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h - configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem - support, based on patches from Tomas Mraz and jchadima at redhat. - -20110116 - - (dtucker) [Makefile.in configure.ac regress/kextype.sh] Skip sha256-based - on configurations that don't have it. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/16 11:50:05 - [clientloop.c] - Use atomicio when flushing protocol 1 std{out,err} buffers at - session close. This was a latent bug exposed by setting a SIGCHLD - handler and spotted by kevin.brott AT gmail.com; ok dtucker@ - - djm@cvs.openbsd.org 2011/01/16 11:50:36 +20120917 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/09/13 23:37:36 + [servconf.c] + Fix comment line length + - markus@cvs.openbsd.org 2012/09/14 16:51:34 [sshconnect.c] - reset the SIGPIPE handler when forking to execute child processes; - ok dtucker@ - - djm@cvs.openbsd.org 2011/01/16 12:05:59 - [clientloop.c] - a couple more tweaks to the post-close protocol 1 stderr/stdout flush: - now that we use atomicio(), convert them from while loops to if statements - add test and cast to compile cleanly with -Wsigned - -20110114 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/13 21:54:53 - [mux.c] - correct error messages; patch from bert.wesarg AT googlemail.com - - djm@cvs.openbsd.org 2011/01/13 21:55:25 - [PROTOCOL.mux] - correct protocol names and add a couple of missing protocol number - defines; patch from bert.wesarg AT googlemail.com - - (djm) [Makefile.in] Use shell test to disable ecdsa key generating in - host-key-force target rather than a substitution that is replaced with a - comment so that the Makefile.in is still a syntactically valid Makefile - (useful to run the distprep target) - - (tim) [regress/cert-hostkey.sh] Typo. Missing $ on variable name. - - (tim) [regress/cert-hostkey.sh] Add missing TEST_SSH_ECC guard around some - ecdsa bits. - -20110113 - - (djm) [misc.c] include time.h for nanosleep() prototype - - (tim) [Makefile.in] test the ECC bits if we have the capability. ok djm - - (tim) [Makefile.in configure.ac opensshd.init.in] Add support for generating - ecdsa keys. ok djm. - - (djm) [entropy.c] cast OPENSSL_VERSION_NUMBER to u_long to avoid - gcc warning on platforms where it defaults to int - - (djm) [regress/Makefile] add a few more generated files to the clean - target - - (djm) [myproposal.h] Fix reversed OPENSSL_VERSION_NUMBER test and bad - #define that was causing diffie-hellman-group-exchange-sha256 to be - incorrectly disabled - - (djm) [regress/kextype.sh] Testing diffie-hellman-group-exchange-sha256 - should not depend on ECC support - -20110112 - - OpenBSD CVS Sync - - nicm@cvs.openbsd.org 2010/10/08 21:48:42 - [openbsd-compat/glob.c] - Extend GLOB_LIMIT to cover readdir and stat and bump the malloc limit - from ARG_MAX to 64K. - Fixes glob-using programs (notably ftp) able to be triggered to hit - resource limits. - Idea from a similar NetBSD change, original problem reported by jasper@. - ok millert tedu jasper - - djm@cvs.openbsd.org 2011/01/12 01:53:14 - avoid some integer overflows mostly with GLOB_APPEND and GLOB_DOOFFS - and sanity check arguments (these will be unnecessary when we switch - struct glob members from being type into to size_t in the future); - "looks ok" tedu@ feedback guenther@ - - (djm) [configure.ac] Turn on -Wno-unused-result for gcc >= 4.4 to avoid - silly warnings on write() calls we don't care succeed or not. - - (djm) [configure.ac] Fix broken test for gcc >= 4.4 with per-compiler - flag tests that don't depend on gcc version at all; suggested by and - ok dtucker@ + remove unused variable -20110111 - - (tim) [regress/host-expand.sh] Fix for building outside of read only - source tree. - - (djm) [platform.c] Some missing includes that show up under -Werror - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/08 10:51:51 +20120907 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/09/06 09:50:13 [clientloop.c] - use host and not options.hostname, as the latter may have unescaped - substitution characters - - djm@cvs.openbsd.org 2011/01/11 06:06:09 - [sshlogin.c] - fd leak on error paths; from zinovik@ - NB. Id sync only; we use loginrec.c that was also audited and fixed - recently - - djm@cvs.openbsd.org 2011/01/11 06:13:10 - [clientloop.c ssh-keygen.c sshd.c] - some unsigned long long casts that make things a bit easier for - portable without resorting to dropping PRIu64 formats everywhere - -20110109 - - (djm) [Makefile.in] list ssh_host_ecdsa key in PATHSUBS; spotted by - openssh AT roumenpetrov.info - -20110108 - - (djm) [regress/keytype.sh] s/echo -n/echon/ to repair failing regress - test on OSX and others. Reported by imorgan AT nas.nasa.gov - -20110107 - - (djm) [regress/cert-hostkey.sh regress/cert-userkey.sh] fix shell test - for no-ECC case. Patch from cristian.ionescu-idbohrn AT axis.com - - djm@cvs.openbsd.org 2011/01/06 22:23:53 - [ssh.c] - unbreak %n expansion in LocalCommand; patch from bert.wesarg AT - googlemail.com; ok markus@ - - djm@cvs.openbsd.org 2011/01/06 22:23:02 + Make the escape command help (~?) context sensitive so that only commands + that will work in the current session are shown. ok markus@ + - jmc@cvs.openbsd.org 2012/09/06 13:57:42 + [ssh.1] + missing letter in previous; + - dtucker@cvs.openbsd.org 2012/09/07 00:30:19 [clientloop.c] - when exiting due to ServerAliveTimeout, mention the hostname that caused - it (useful with backgrounded controlmaster) - - djm@cvs.openbsd.org 2011/01/06 22:46:21 - [regress/Makefile regress/host-expand.sh] - regress test for LocalCommand %n expansion from bert.wesarg AT - googlemail.com; ok markus@ - - djm@cvs.openbsd.org 2011/01/06 23:01:35 - [sshconnect.c] - reset SIGCHLD handler to SIG_DFL when execuring LocalCommand; - ok markus@ + Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@ + - dtucker@cvs.openbsd.org 2012/09/07 01:10:21 + [clientloop.c] + Merge escape help text for ~v and ~V; ok djm@ + - dtucker@cvs.openbsd.org 2012/09/07 06:34:21 + [clientloop.c] + when muxmaster is run with -N, make it shut down gracefully when a client + sends it "-O stop" rather than hanging around (bz#1985). ok djm@ -20110106 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2010/12/08 22:46:03 - [scp.1 scp.c] - add a new -3 option to scp: Copies between two remote hosts are - transferred through the local host. Without this option the data - is copied directly between the two remote hosts. ok djm@ (bugzilla #1837) - - jmc@cvs.openbsd.org 2010/12/09 14:13:33 - [scp.1 scp.c] - scp.1: grammer fix - scp.c: add -3 to usage() - - markus@cvs.openbsd.org 2010/12/14 11:59:06 - [sshconnect.c] - don't mention key type in key-changed-warning, since we also print - this warning if a new key type appears. ok djm@ - - djm@cvs.openbsd.org 2010/12/15 00:49:27 - [readpass.c] - fix ControlMaster=ask regression - reset SIGCHLD handler before fork (and restore it after) so we don't miss - the the askpass child's exit status. Correct test for exit status/signal to - account for waitpid() failure; with claudio@ ok claudio@ markus@ - - djm@cvs.openbsd.org 2010/12/24 21:41:48 - [auth-options.c] - don't send the actual forced command in a debug message; ok markus deraadt - - otto@cvs.openbsd.org 2011/01/04 20:44:13 - [ssh-keyscan.c] - handle ecdsa-sha2 with various key lengths; hint and ok djm@ - -20110104 - - (djm) [configure.ac Makefile.in] Use mandoc as preferred manpage - formatter if it is present, followed by nroff and groff respectively. - Fixes distprep target on OpenBSD (which has bumped groff/nroff to ports - in favour of mandoc). feedback and ok tim - -20110103 - - (djm) [Makefile.in] revert local hack I didn't intend to commit - -20110102 - - (djm) [loginrec.c] Fix some fd leaks on error paths. ok dtucker - - (djm) [configure.ac] Check whether libdes is needed when building - with Heimdal krb5 support. On OpenBSD this library no longer exists, - so linking it unconditionally causes a build failure; ok dtucker - -20101226 +20120906 - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/12/08 04:02:47 - [ssh_config.5 sshd_config.5] - explain that IPQoS arguments are separated by whitespace; iirc requested - by jmc@ a while back + - jmc@cvs.openbsd.org 2012/08/15 18:25:50 + [ssh-keygen.1] + a little more info on certificate validity; + requested by Ross L Richardson, and provided by djm + - dtucker@cvs.openbsd.org 2012/08/17 00:45:45 + [clientloop.c clientloop.h mux.c] + Force a clean shutdown of ControlMaster client sessions when the ~. escape + sequence is used. This means that ~. should now work in mux clients even + if the server is no longer responding. Found by tedu, ok djm. + - djm@cvs.openbsd.org 2012/08/17 01:22:56 + [kex.c] + add some comments about better handling first-KEX-follows notifications + from the server. Nothing uses these right now. No binary change + - djm@cvs.openbsd.org 2012/08/17 01:25:58 + [ssh-keygen.c] + print details of which host lines were deleted when using + "ssh-keygen -R host"; ok markus@ + - djm@cvs.openbsd.org 2012/08/17 01:30:00 + [compat.c sshconnect.c] + Send client banner immediately, rather than waiting for the server to + move first for SSH protocol 2 connections (the default). Patch based on + one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@ + - dtucker@cvs.openbsd.org 2012/09/06 04:37:39 + [clientloop.c log.c ssh.1 log.h] + Add ~v and ~V escape sequences to raise and lower the logging level + respectively. Man page help from jmc, ok deraadt jmc -20101205 - - (dtucker) openbsd-compat/openssl-compat.c] remove sleep leftover from - debugging. Spotted by djm. - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/12/03 23:49:26 - [schnorr.c] - check that g^x^q === 1 mod p; recommended by JPAKE author Feng Hao - (this code is still disabled, but apprently people are treating it as - a reference implementation) - - djm@cvs.openbsd.org 2010/12/03 23:55:27 - [auth-rsa.c] - move check for revoked keys to run earlier (in auth_rsa_key_allowed) - bz#1829; patch from ldv AT altlinux.org; ok markus@ - - djm@cvs.openbsd.org 2010/12/04 00:18:01 - [sftp-server.c sftp.1 sftp-client.h sftp.c PROTOCOL sftp-client.c] - add a protocol extension to support a hard link operation. It is - available through the "ln" command in the client. The old "ln" - behaviour of creating a symlink is available using its "-s" option - or through the preexisting "symlink" command; based on a patch from - miklos AT szeredi.hu in bz#1555; ok markus@ - - djm@cvs.openbsd.org 2010/12/04 13:31:37 - [hostfile.c] - fix fd leak; spotted and ok dtucker - - djm@cvs.openbsd.org 2010/12/04 00:21:19 - [regress/sftp-cmds.sh] - adjust for hard-link support - - (dtucker) [regress/Makefile] Id sync. +20120830 + - (dtucker) [moduli] Import new moduli file. -20101204 - - (djm) [openbsd-compat/bindresvport.c] Use arc4random_uniform(range) - instead of (arc4random() % range) - - (dtucker) [configure.ac moduli.c openbsd-compat/openssl-compat.{c,h}] Add - shims for the new, non-deprecated OpenSSL key generation functions for - platforms that don't have the new interfaces. +20120828 + - (djm) Release openssh-6.1 -20101201 - - OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2010/11/20 05:12:38 - [auth2-pubkey.c] - clean up cases of ;; - - djm@cvs.openbsd.org 2010/11/21 01:01:13 - [clientloop.c misc.c misc.h ssh-agent.1 ssh-agent.c] - honour $TMPDIR for client xauth and ssh-agent temporary directories; - feedback and ok markus@ - - djm@cvs.openbsd.org 2010/11/21 10:57:07 - [authfile.c] - Refactor internals of private key loading and saving to work on memory - buffers rather than directly on files. This will make a few things - easier to do in the future; ok markus@ - - djm@cvs.openbsd.org 2010/11/23 02:35:50 - [auth.c] - use strict_modes already passed as function argument over referencing - global options.strict_modes - - djm@cvs.openbsd.org 2010/11/23 23:57:24 - [clientloop.c] - avoid NULL deref on receiving a channel request on an unknown or invalid - channel; report bz#1842 from jchadima AT redhat.com; ok dtucker@ - - djm@cvs.openbsd.org 2010/11/24 01:24:14 - [channels.c] - remove a debug() that pollutes stderr on client connecting to a server - in debug mode (channel_close_fds is called transitively from the session - code post-fork); bz#1719, ok dtucker - - djm@cvs.openbsd.org 2010/11/25 04:10:09 - [session.c] - replace close() loop for fds 3->64 with closefrom(); - ok markus deraadt dtucker - - djm@cvs.openbsd.org 2010/11/26 05:52:49 - [scp.c] - Pass through ssh command-line flags and options when doing remote-remote - transfers, e.g. to enable agent forwarding which is particularly useful - in this case; bz#1837 ok dtucker@ - - markus@cvs.openbsd.org 2010/11/29 18:57:04 - [authfile.c] - correctly load comment for encrypted rsa1 keys; - report/fix Joachim Schipper; ok djm@ - - djm@cvs.openbsd.org 2010/11/29 23:45:51 - [auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c] - [sshconnect.h sshconnect2.c] - automatically order the hostkeys requested by the client based on - which hostkeys are already recorded in known_hosts. This avoids - hostkey warnings when connecting to servers with new ECDSA keys - that are preferred by default; with markus@ - -20101124 - - (dtucker) [platform.c session.c] Move the getluid call out of session.c and - into the platform-specific code Only affects SCO, tested by and ok tim@. - - (djm) [loginrec.c] Relax permission requirement on btmp logs to allow - group read/write. ok dtucker@ - - (dtucker) [packet.c] Remove redundant local declaration of "int tos". - - (djm) [defines.h] Add IP DSCP defines - -20101122 - - (dtucker) Bug #1840: fix warning when configuring --with-ssl-engine, patch - from vapier at gentoo org. - -20101120 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/11/05 02:46:47 - [packet.c] - whitespace KNF - - djm@cvs.openbsd.org 2010/11/10 01:33:07 - [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c moduli.c] - use only libcrypto APIs that are retained with OPENSSL_NO_DEPRECATED. - these have been around for years by this time. ok markus - - djm@cvs.openbsd.org 2010/11/13 23:27:51 - [clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h] - [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5] - allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of - hardcoding lowdelay/throughput. - - bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@ - - jmc@cvs.openbsd.org 2010/11/15 07:40:14 - [ssh_config.5] - libary -> library; - - jmc@cvs.openbsd.org 2010/11/18 15:01:00 - [scp.1 sftp.1 ssh.1 sshd_config.5] - add IPQoS to the various -o lists, and zap some trailing whitespace; - -20101111 - - (djm) [servconf.c ssh-add.c ssh-keygen.c] don't look for ECDSA keys on - platforms that don't support ECC. Fixes some spurious warnings reported - by tim@ - -20101109 - - (tim) [regress/kextype.sh] Not all platforms have time in /usr/bin. - Feedback from dtucker@ - - (tim) [configure.ac openbsd-compat/bsd-misc.h openbsd-compat/bsd-misc.c] Add - support for platforms missing isblank(). ok djm@ - -20101108 - - (tim) [regress/Makefile] Fixes to allow building/testing outside source - tree. - - (tim) [regress/kextype.sh] Shell portability fix. - -20101107 - - (dtucker) [platform.c] includes.h instead of defines.h so that we get - the correct typedefs. - -20101105 - - (djm) [loginrec.c loginrec.h] Use correct uid_t/pid_t types instead of - int. Should fix bz#1817 cleanly; ok dtucker@ - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/09/22 12:26:05 - [regress/Makefile regress/kextype.sh] - regress test for each of the key exchange algorithms that we support - - djm@cvs.openbsd.org 2010/10/28 11:22:09 - [authfile.c key.c key.h ssh-keygen.c] - fix a possible NULL deref on loading a corrupt ECDH key - - store ECDH group information in private keys files as "named groups" - rather than as a set of explicit group parameters (by setting - the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and - retrieves the group's OpenSSL NID that we need for various things. - - jmc@cvs.openbsd.org 2010/10/28 18:33:28 - [scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] - knock out some "-*- nroff -*-" lines; - - djm@cvs.openbsd.org 2010/11/04 02:45:34 - [sftp-server.c] - umask should be parsed as octal. reported by candland AT xmission.com; - ok markus@ - - (dtucker) [configure.ac platform.{c,h} session.c - openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support. - Patch from cory.erickson at csu mnscu edu with a bit of rework from me. - ok djm@ - - (dtucker) [platform.c platform.h session.c] Add a platform hook to run - after the user's groups are established and move the selinux calls into it. - - (dtucker) [platform.c session.c] Move the AIX setpcred+chroot hack into - platform.c - - (dtucker) [platform.c session.c] Move the BSDI setpgrp into platform.c. - - (dtucker) [platform.c] Only call setpgrp on BSDI if running as root to - retain previous behavior. - - (dtucker) [platform.c session.c] Move the PAM credential establishment for - the LOGIN_CAP case into platform.c. - - (dtucker) platform.c session.c] Move the USE_LIBIAF fragment into - platform.c - - (dtucker) [platform.c session.c] Move aix_usrinfo frament into platform.c. - - (dtucker) [platform.c session.c] Move irix setusercontext fragment into - platform.c. - - (dtucker) [platform.c session.c] Move PAM credential establishment for the - non-LOGIN_CAP case into platform.c. - - (dtucker) [platform.c platform.h session.c] Move the Cygwin special-case - check into platform.c - - (dtucker) [regress/keytype.sh] Import new test. - - (dtucker) [Makefile configure.ac regress/Makefile regress/keytype.sh] - Import recent changes to regress/Makefile, pass a flag to enable ECC tests - from configure through to regress/Makefile and use it in the tests. - - (dtucker) [regress/kextype.sh] Add missing "test". - - (dtucker) [regress/kextype.sh] Make sha256 test depend on ECC. This is not - strictly correct since while ECC requires sha256 the reverse is not true - however it does prevent spurious test failures. - - (dtucker) [platform.c] Need servconf.h and extern options. - -20101025 - - (tim) [openbsd-compat/glob.h] Remove sys/cdefs.h include that came with - 1.12 to unbreak Solaris build. - ok djm@ - - (dtucker) [defines.h] Use SIZE_T_MAX for SIZE_MAX for platforms that have a - native one. - -20101024 - - (dtucker) [includes.h] Add missing ifdef GLOB_HAS_GL_STATV to fix build. - - (dtucker) [regress/cert-hostkey.sh] Disable ECC-based tests on platforms - which don't have ECC support in libcrypto. - - (dtucker) [regress/cert-userkey.sh] Disable ECC-based tests on platforms - which don't have ECC support in libcrypto. - - (dtucker) [defines.h] Add SIZE_MAX for the benefit of platforms that don't - have it. - - (dtucker) OpenBSD CVS Sync - - sthen@cvs.openbsd.org 2010/10/23 22:06:12 - [sftp.c] - escape '[' in filename tab-completion; fix a type while there. - ok djm@ +20120828 + - (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN + for compatibility with future mingw-w64 headers. Patch from vinschen at + redhat com. -20101021 - - OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2010/10/12 02:22:24 - [mux.c] - Typo in confirmation message. bz#1827, patch from imorgan at - nas nasa gov - - djm@cvs.openbsd.org 2010/08/31 12:24:09 - [regress/cert-hostkey.sh regress/cert-userkey.sh] - tests for ECDSA certificates - -20101011 - - (djm) [canohost.c] Zero a4 instead of addr to better match type. - bz#1825, reported by foo AT mailinator.com - - (djm) [sshconnect.c] Need signal.h for prototype for kill(2) - -20101011 - - (djm) [configure.ac] Use = instead of == in shell tests. Patch from - dr AT vasco.com - -20101007 - - (djm) [ssh-agent.c] Fix type for curve name. +20120822 + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update version numbers + +20120731 - (djm) OpenBSD CVS Sync - - matthew@cvs.openbsd.org 2010/09/24 13:33:00 - [misc.c misc.h configure.ac openbsd-compat/openbsd-compat.h] - [openbsd-compat/timingsafe_bcmp.c] - Add timingsafe_bcmp(3) to libc, mention that it's already in the - kernel in kern(9), and remove it from OpenSSH. - ok deraadt@, djm@ - NB. re-added under openbsd-compat/ for portable OpenSSH - - djm@cvs.openbsd.org 2010/09/25 09:30:16 - [sftp.c configure.ac openbsd-compat/glob.c openbsd-compat/glob.h] - make use of new glob(3) GLOB_KEEPSTAT extension to save extra server - rountrips to fetch per-file stat(2) information. - NB. update openbsd-compat/ glob(3) implementation from OpenBSD libc to - match. - - djm@cvs.openbsd.org 2010/09/26 22:26:33 - [sftp.c] - when performing an "ls" in columnated (short) mode, only call - ioctl(TIOCGWINSZ) once to get the window width instead of per- - filename - - djm@cvs.openbsd.org 2010/09/30 11:04:51 + - jmc@cvs.openbsd.org 2012/07/06 06:38:03 + [ssh-keygen.c] + missing full stop in usage(); + - djm@cvs.openbsd.org 2012/07/10 02:19:15 + [servconf.c servconf.h sshd.c sshd_config] + Turn on systrace sandboxing of pre-auth sshd by default for new installs + by shipping a config that overrides the current UsePrivilegeSeparation=yes + default. Make it easier to flip the default in the future by adding too. + prodded markus@ feedback dtucker@ "get it in" deraadt@ + - dtucker@cvs.openbsd.org 2012/07/13 01:35:21 [servconf.c] - prevent free() of string in .rodata when overriding AuthorizedKeys in - a Match block; patch from rein AT basefarm.no - - djm@cvs.openbsd.org 2010/10/01 23:05:32 - [cipher-3des1.c cipher-bf1.c cipher-ctr.c openbsd-compat/openssl-compat.h] - adapt to API changes in openssl-1.0.0a - NB. contains compat code to select correct API for older OpenSSL - - djm@cvs.openbsd.org 2010/10/05 05:13:18 - [sftp.c sshconnect.c] - use default shell /bin/sh if $SHELL is ""; ok markus@ - - djm@cvs.openbsd.org 2010/10/06 06:39:28 - [clientloop.c ssh.c sshconnect.c sshconnect.h] - kill proxy command on fatal() (we already kill it on clean exit); - ok markus@ - - djm@cvs.openbsd.org 2010/10/06 21:10:21 - [sshconnect.c] - swapped args to kill(2) - - (djm) [openbsd-compat/glob.c] restore ARG_MAX compat code. - - (djm) [cipher-acss.c] Add missing header. - - (djm) [openbsd-compat/Makefile.in] Actually link timingsafe_bcmp + handle long comments in config files better. bz#2025, ok markus + - markus@cvs.openbsd.org 2012/07/22 18:19:21 + [version.h] + openssh 6.1 -20100924 - - (djm) OpenBSD CVS Sync - - naddy@cvs.openbsd.org 2010/09/10 15:19:29 - [ssh-keygen.1] - * mention ECDSA in more places - * less repetition in FILES section - * SSHv1 keys are still encrypted with 3DES - help and ok jmc@ - - djm@cvs.openbsd.org 2010/09/11 21:44:20 - [ssh.1] - mention RFC 5656 for ECC stuff - - jmc@cvs.openbsd.org 2010/09/19 21:30:05 - [sftp.1] - more wacky macro fixing; - - djm@cvs.openbsd.org 2010/09/20 04:41:47 - [ssh.c] - install a SIGCHLD handler to reap expiried child process; ok markus@ - - djm@cvs.openbsd.org 2010/09/20 04:50:53 - [jpake.c schnorr.c] - check that received values are smaller than the group size in the - disabled and unfinished J-PAKE code. - avoids catastrophic security failure found by Sebastien Martini - - djm@cvs.openbsd.org 2010/09/20 04:54:07 - [jpake.c] - missing #include - - djm@cvs.openbsd.org 2010/09/20 07:19:27 +20120720 + - (dtucker) Import regened moduli file. + +20120706 + - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is + not available. Allows use of sshd compiled on host with a filter-capable + kernel on hosts that lack the support. bz#2011 ok dtucker@ + - (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no + unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT + esperi.org.uk; ok dtucker@ +- (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/07/06 00:41:59 + [moduli.c ssh-keygen.1 ssh-keygen.c] + Add options to specify starting line number and number of lines to process + when screening moduli candidates. This allows processing of different + parts of a candidate moduli file in parallel. man page help jmc@, ok djm@ + - djm@cvs.openbsd.org 2012/07/06 01:37:21 [mux.c] - "atomically" create the listening mux socket by binding it on a temorary - name and then linking it into position after listen() has succeeded. - this allows the mux clients to determine that the server socket is - either ready or stale without races. stale server sockets are now - automatically removed - ok deraadt - - djm@cvs.openbsd.org 2010/09/22 05:01:30 - [kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] - [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] - add a KexAlgorithms knob to the client and server configuration to allow - selection of which key exchange methods are used by ssh(1) and sshd(8) - and their order of preference. - ok markus@ - - jmc@cvs.openbsd.org 2010/09/22 08:30:08 - [ssh.1 ssh_config.5] - ssh.1: add kexalgorithms to the -o list - ssh_config.5: format the kexalgorithms in a more consistent - (prettier!) way - ok djm - - djm@cvs.openbsd.org 2010/09/22 22:58:51 - [atomicio.c atomicio.h misc.c misc.h scp.c sftp-client.c] - [sftp-client.h sftp.1 sftp.c] - add an option per-read/write callback to atomicio + fix memory leak of passed-in environment variables and connection + context when new session message is malformed; bz#2003 from Bert.Wesarg + AT googlemail.com + - djm@cvs.openbsd.org 2012/07/06 01:47:38 + [ssh.c] + move setting of tty_flag to after config parsing so RequestTTY options + are correctly picked up. bz#1995 patch from przemoc AT gmail.com; + ok dtucker@ - factor out bandwidth limiting code from scp(1) into a generic bandwidth - limiter that can be attached using the atomicio callback mechanism +20120704 + - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for + platforms that don't have it. "looks good" tim@ - add a bandwidth limit option to sftp(1) using the above - "very nice" markus@ - - jmc@cvs.openbsd.org 2010/09/23 13:34:43 - [sftp.c] - add [-l limit] to usage(); - - jmc@cvs.openbsd.org 2010/09/23 13:36:46 - [scp.1 sftp.1] - add KexAlgorithms to the -o list; +20120703 + - (dtucker) [configure.ac] Detect platforms that can't use select(2) with + setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those. + - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not + setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its + benefit is minor, so it's not worth disabling the sandbox if it doesn't + work. -20100910 - - (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exact - return code since it can apparently return -1 under some conditions. From - openssh bugs werbittewas de, ok djm@ - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/08/31 12:33:38 - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] - reintroduce commit from tedu@, which I pulled out for release - engineering: - OpenSSL_add_all_algorithms is the name of the function we have a - man page for, so use that. ok djm - - jmc@cvs.openbsd.org 2010/08/31 17:40:54 - [ssh-agent.1] - fix some macro abuse; - - jmc@cvs.openbsd.org 2010/08/31 21:14:58 - [ssh.1] - small text tweak to accommodate previous; - - naddy@cvs.openbsd.org 2010/09/01 15:21:35 - [servconf.c] - pick up ECDSA host key by default; ok djm@ - - markus@cvs.openbsd.org 2010/09/02 16:07:25 - [ssh-keygen.c] - permit -b 256, 384 or 521 as key size for ECDSA; ok djm@ - - markus@cvs.openbsd.org 2010/09/02 16:08:39 - [ssh.c] - unbreak ControlPersist=yes for ControlMaster=yes; ok djm@ - - naddy@cvs.openbsd.org 2010/09/02 17:21:50 - [ssh-keygen.c] - Switch ECDSA default key size to 256 bits, which according to RFC5656 - should still be better than our current RSA-2048 default. - ok djm@, markus@ - - jmc@cvs.openbsd.org 2010/09/03 11:09:29 - [scp.1] - add an EXIT STATUS section for /usr/bin; - - jmc@cvs.openbsd.org 2010/09/04 09:38:34 - [ssh-add.1 ssh.1] - two more EXIT STATUS sections; - - naddy@cvs.openbsd.org 2010/09/06 17:10:19 - [sshd_config] - add ssh_host_ecdsa_key to /etc; from Mattieu Baptiste - - ok deraadt@ - - djm@cvs.openbsd.org 2010/09/08 03:54:36 - [authfile.c] - typo - - deraadt@cvs.openbsd.org 2010/09/08 04:13:31 - [compress.c] - work around name-space collisions some buggy compilers (looking at you - gcc, at least in earlier versions, but this does not forgive your current - transgressions) seen between zlib and openssl - ok djm - - djm@cvs.openbsd.org 2010/09/09 10:45:45 - [kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c] - ECDH/ECDSA compliance fix: these methods vary the hash function they use - (SHA256/384/512) depending on the length of the curve in use. The previous - code incorrectly used SHA256 in all cases. - - This fix will cause authentication failure when using 384 or 521-bit curve - keys if one peer hasn't been upgraded and the other has. (256-bit curve - keys work ok). In particular you may need to specify HostkeyAlgorithms - when connecting to a server that has not been upgraded from an upgraded - client. - - ok naddy@ - - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c] - [kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c] - [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on - platforms that don't have the requisite OpenSSL support. ok dtucker@ - - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs - for missing headers and compiler warnings. - -20100831 - - OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/08/08 19:36:30 - [ssh-keysign.8 ssh.1 sshd.8] - use the same template for all FILES sections; i.e. -compact/.Pp where we - have multiple items, and .Pa for path names; - - tedu@cvs.openbsd.org 2010/08/12 23:34:39 - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] - OpenSSL_add_all_algorithms is the name of the function we have a man page - for, so use that. ok djm - - djm@cvs.openbsd.org 2010/08/16 04:06:06 - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] - backout previous temporarily; discussed with deraadt@ - - djm@cvs.openbsd.org 2010/08/31 09:58:37 - [auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c] - [packet.h ssh-dss.c ssh-rsa.c] - Add buffer_get_cstring() and related functions that verify that the - string extracted from the buffer contains no embedded \0 characters* - This prevents random (possibly malicious) crap from being appended to - strings where it would not be noticed if the string is used with - a string(3) function. - - Use the new API in a few sensitive places. - - * actually, we allow a single one at the end of the string for now because - we don't know how many deployed implementations get this wrong, but don't - count on this to remain indefinitely. - - djm@cvs.openbsd.org 2010/08/31 11:54:45 - [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] - [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] - [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] - [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] - [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] - [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] - [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] - Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and - host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer - better performance than plain DH and DSA at the same equivalent symmetric - key length, as well as much shorter keys. - - Only the mandatory sections of RFC5656 are implemented, specifically the - three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and - ECDSA. Point compression (optional in RFC5656 is NOT implemented). - - Certificate host and user keys using the new ECDSA key types are supported. - - Note that this code has not been tested for interoperability and may be - subject to change. - - feedback and ok markus@ - - (djm) [Makefile.in] Add new ECC files - - (djm) [bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] include - includes.h - -20100827 - - (dtucker) [contrib/redhat/sshd.init] Bug #1810: initlog is deprecated, - remove. Patch from martynas at venck us - -20100823 - - (djm) Release OpenSSH-5.6p1 - -20100816 - - (dtucker) [configure.ac openbsd-compat/Makefile.in - openbsd-compat/openbsd-compat.h openbsd-compat/strptime.c] Add strptime to - the compat library which helps on platforms like old IRIX. Based on work - by djm, tested by Tom Christensen. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/08/12 21:49:44 +20120702 +- (dtucker) OpenBSD CVS Sync + - naddy@cvs.openbsd.org 2012/06/29 13:57:25 + [ssh_config.5 sshd_config.5] + match the documented MAC order of preference to the actual one; + ok dtucker@ + - markus@cvs.openbsd.org 2012/06/30 14:35:09 + [sandbox-systrace.c sshd.c] + fix a during the load of the sandbox policies (child can still make + the read-syscall and wait forever for systrace-answers) by replacing + the read/write synchronisation with SIGSTOP/SIGCONT; + report and help hshoexer@; ok djm@, dtucker@ + - dtucker@cvs.openbsd.org 2012/07/02 08:50:03 [ssh.c] - close any extra file descriptors inherited from parent at start and - reopen stdin/stdout to /dev/null when forking for ControlPersist. - - prevents tools that fork and run a captive ssh for communication from - failing to exit when the ssh completes while they wait for these fds to - close. The inherited fds may persist arbitrarily long if a background - mux master has been started by ControlPersist. cvs and scp were effected - by this. - - "please commit" markus@ - - (djm) [regress/README.regress] typo - -20100812 - - (tim) [regress/login-timeout.sh regress/reconfigure.sh regress/reexec.sh - regress/test-exec.sh] Under certain conditions when testing with sudo - tests would fail because the pidfile could not be read by a regular user. - "cat: cannot open ...../regress/pidfile: Permission denied (error 13)" - Make sure cat is run by $SUDO. no objection from me. djm@ - - (tim) [auth.c] add cast to quiet compiler. Change only affects SVR5 systems. - -20100809 - - (djm) bz#1561: don't bother setting IFF_UP on tun(4) device if it is - already set. Makes FreeBSD user openable tunnels useful; patch from - richard.burakowski+ossh AT mrburak.net, ok dtucker@ - - (dtucker) bug #1530: strip trailing ":" from hostname in ssh-copy-id. - based in part on a patch from Colin Watson, ok djm@ - -20100809 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/08/08 16:26:42 - [version.h] - crank to 5.6 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Crank version numbers + set interactive ToS for forwarded X11 sessions. ok djm@ + - dtucker@cvs.openbsd.org 2012/07/02 12:13:26 + [ssh-pkcs11-helper.c sftp-client.c] + fix a couple of "assigned but not used" warnings. ok markus@ + - dtucker@cvs.openbsd.org 2012/07/02 14:37:06 + [regress/connect-privsep.sh] + remove exit from end of test since it prevents reporting failure + - (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh] + Move cygwin detection to test-exec and use to skip reexec test on cygwin. + - (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k. -20100805 +20120629 - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/08/04 05:37:01 - [ssh.1 ssh_config.5 sshd.8] - Remove mentions of weird "addr/port" alternate address format for IPv6 - addresses combinations. It hasn't worked for ages and we have supported - the more commen "[addr]:port" format for a long time. ok jmc@ markus@ - - djm@cvs.openbsd.org 2010/08/04 05:40:39 - [PROTOCOL.certkeys ssh-keygen.c] - tighten the rules for certificate encoding by requiring that options - appear in lexical order and make our ssh-keygen comply. ok markus@ - - djm@cvs.openbsd.org 2010/08/04 05:42:47 - [auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8] - [ssh-keysign.c ssh.c] - enable certificates for hostbased authentication, from Iain Morgan; - "looks ok" markus@ - - djm@cvs.openbsd.org 2010/08/04 05:49:22 - [authfile.c] - commited the wrong version of the hostbased certificate diff; this - version replaces some strlc{py,at} verbosity with xasprintf() at - the request of markus@ - - djm@cvs.openbsd.org 2010/08/04 06:07:11 - [ssh-keygen.1 ssh-keygen.c] - Support CA keys in PKCS#11 tokens; feedback and ok markus@ - - djm@cvs.openbsd.org 2010/08/04 06:08:40 - [ssh-keysign.c] - clean for -Wuninitialized (Id sync only; portable had this change) - - djm@cvs.openbsd.org 2010/08/05 13:08:42 - [channels.c] - Fix a trio of bugs in the local/remote window calculation for datagram - data channels (i.e. TunnelForward): - - Calculate local_consumed correctly in channel_handle_wfd() by measuring - the delta to buffer_len(c->output) from when we start to when we finish. - The proximal problem here is that the output_filter we use in portable - modified the length of the dequeued datagram (to futz with the headers - for !OpenBSD). - - In channel_output_poll(), don't enqueue datagrams that won't fit in the - peer's advertised packet size (highly unlikely to ever occur) or which - won't fit in the peer's remaining window (more likely). - - In channel_input_data(), account for the 4-byte string header in - datagram packets that we accept from the peer and enqueue in c->output. - - report, analysis and testing 2/3 cases from wierbows AT us.ibm.com; - "looks good" markus@ + - dtucker@cvs.openbsd.org 2012/06/21 00:16:07 + [addrmatch.c] + fix strlcpy truncation check. from carsten at debian org, ok markus + - dtucker@cvs.openbsd.org 2012/06/22 12:30:26 + [monitor.c sshconnect2.c] + remove dead code following 'for (;;)' loops. + From Steve.McClellan at radisys com, ok markus@ + - dtucker@cvs.openbsd.org 2012/06/22 14:36:33 + [sftp.c] + Remove unused variable leftover from tab-completion changes. + From Steve.McClellan at radisys com, ok markus@ + - dtucker@cvs.openbsd.org 2012/06/26 11:02:30 + [sandbox-systrace.c] + Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation + sandbox" since malloc now uses it. From johnw.mail at gmail com. + - dtucker@cvs.openbsd.org 2012/06/28 05:07:45 + [mac.c myproposal.h ssh_config.5 sshd_config.5] + Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed + from draft6 of the spec and will not be in the RFC when published. Patch + from mdb at juniper net via bz#2023, ok markus. + - naddy@cvs.openbsd.org 2012/06/29 13:57:25 + [ssh_config.5 sshd_config.5] + match the documented MAC order of preference to the actual one; ok dtucker@ + - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 + [regress/addrmatch.sh] + Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests + to match. Feedback and ok djm@ markus@. + - djm@cvs.openbsd.org 2012/06/01 00:47:35 + [regress/multiplex.sh regress/forwarding.sh] + append to rather than truncate test log; bz#2013 from openssh AT + roumenpetrov.info + - djm@cvs.openbsd.org 2012/06/01 00:52:52 + [regress/sftp-cmds.sh] + don't delete .* on cleanup due to unintended env expansion; pointed out in + bz#2014 by openssh AT roumenpetrov.info + - dtucker@cvs.openbsd.org 2012/06/26 12:06:59 + [regress/connect-privsep.sh] + test sandbox with every malloc option + - dtucker@cvs.openbsd.org 2012/06/28 05:07:45 + [regress/try-ciphers.sh regress/cipher-speed.sh] + Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed + from draft6 of the spec and will not be in the RFC when published. Patch + from mdb at juniper net via bz#2023, ok markus. + - (dtucker) [myproposal.h] Remove trailing backslash to fix compile error. + - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have + the required functions in libcrypto. -20100803 - - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from - PAM to sane values in case the PAM method doesn't write to them. Spotted by - Bitman Zhou, ok djm@. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/07/16 04:45:30 - [ssh-keygen.c] - avoid bogus compiler warning - - djm@cvs.openbsd.org 2010/07/16 14:07:35 - [ssh-rsa.c] - more timing paranoia - compare all parts of the expected decrypted - data before returning. AFAIK not exploitable in the SSH protocol. - "groovy" deraadt@ - - djm@cvs.openbsd.org 2010/07/19 03:16:33 - [sftp-client.c] - bz#1797: fix swapped args in upload_dir_internal(), breaking recursive - upload depth checks and causing verbose printing of transfers to always - be turned on; patch from imorgan AT nas.nasa.gov - - djm@cvs.openbsd.org 2010/07/19 09:15:12 - [clientloop.c readconf.c readconf.h ssh.c ssh_config.5] - add a "ControlPersist" option that automatically starts a background - ssh(1) multiplex master when connecting. This connection can stay alive - indefinitely, or can be set to automatically close after a user-specified - duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but - further hacked on by wmertens AT cisco.com, apb AT cequrux.com, - martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@ - - djm@cvs.openbsd.org 2010/07/21 02:10:58 - [misc.c] - sync timingsafe_bcmp() with the one dempsky@ committed to sys/lib/libkern - - dtucker@cvs.openbsd.org 2010/07/23 08:49:25 - [ssh.1] - Ciphers is documented in ssh_config(5) these days +20120628 + - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null + pointer deref in the client when built with LDNS and using DNSSEC with a + CNAME. Patch from gregdlg+mr at hochet info. -20100819 - - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with more - details about its behaviour WRT existing directories. Patch from - asguthrie at gmail com, ok djm. +20120622 + - (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as + can logon as a service. Patch from vinschen at redhat com. -20100716 +20120620 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/07/02 04:32:44 - [misc.c] - unbreak strdelim() skipping past quoted strings, e.g. - AllowUsers "blah blah" blah - was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com - ok dtucker; - - djm@cvs.openbsd.org 2010/07/12 22:38:52 - [ssh.c] - Make ExitOnForwardFailure work with fork-after-authentication ("ssh -f") - for protocol 2. ok markus@ - - djm@cvs.openbsd.org 2010/07/12 22:41:13 - [ssh.c ssh_config.5] - expand %h to the hostname in ssh_config Hostname options. While this - sounds useless, it is actually handy for working with unqualified - hostnames: - - Host *.* - Hostname %h - Host * - Hostname %h.example.org - - "I like it" markus@ - - djm@cvs.openbsd.org 2010/07/13 11:52:06 - [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c] - [packet.c ssh-rsa.c] - implement a timing_safe_cmp() function to compare memory without leaking - timing information by short-circuiting like memcmp() and use it for - some of the more sensitive comparisons (though nothing high-value was - readily attackable anyway); "looks ok" markus@ - - djm@cvs.openbsd.org 2010/07/13 23:13:16 - [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c] - [ssh-rsa.c] - s/timing_safe_cmp/timingsafe_bcmp/g - - jmc@cvs.openbsd.org 2010/07/14 17:06:58 + - djm@cvs.openbsd.org 2011/12/02 00:41:56 + [mux.c] + fix bz#1948: ssh -f doesn't fork for multiplexed connection. + ok dtucker@ + - djm@cvs.openbsd.org 2011/12/04 23:16:12 + [mux.c] + revert: + > revision 1.32 + > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1 + > fix bz#1948: ssh -f doesn't fork for multiplexed connection. + > ok dtucker@ + it interacts badly with ControlPersist + - djm@cvs.openbsd.org 2012/01/07 21:11:36 + [mux.c] + fix double-free in new session handler + NB. Id sync only + - djm@cvs.openbsd.org 2012/05/23 03:28:28 + [dns.c dns.h key.c key.h ssh-keygen.c] + add support for RFC6594 SSHFP DNS records for ECDSA key types. + patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ + (Original authors Ondřej Surý, Ondřej Caletka and Daniel Black) + - djm@cvs.openbsd.org 2012/06/01 00:49:35 + [PROTOCOL.mux] + correct types of port numbers (integers, not strings); bz#2004 from + bert.wesarg AT googlemail.com + - djm@cvs.openbsd.org 2012/06/01 01:01:22 + [mux.c] + fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg + AT googlemail.com + - dtucker@cvs.openbsd.org 2012/06/18 11:43:53 + [jpake.c] + correct sizeof usage. patch from saw at online.de, ok deraadt + - dtucker@cvs.openbsd.org 2012/06/18 11:49:58 + [ssh_config.5] + RSA instead of DSA twice. From Steve.McClellan at radisys com + - dtucker@cvs.openbsd.org 2012/06/18 12:07:07 + [ssh.1 sshd.8] + Remove mention of 'three' key files since there are now four. From + Steve.McClellan at radisys com. + - dtucker@cvs.openbsd.org 2012/06/18 12:17:18 [ssh.1] - finally ssh synopsis looks nice again! this commit just removes a ton of - hacks we had in place to make it work with old groff; - - schwarze@cvs.openbsd.org 2010/07/15 21:20:38 - [ssh-keygen.1] - repair incorrect block nesting, which screwed up indentation; - problem reported and fix OK by jmc@ - -20100714 - - (tim) [contrib/redhat/openssh.spec] Bug 1796: Test for skip_x11_askpass - (line 77) should have been for no_x11_askpass. + Clarify description of -W. Noted by Steve.McClellan at radisys com, + ok jmc + - markus@cvs.openbsd.org 2012/06/19 18:25:28 + [servconf.c servconf.h sshd_config.5] + sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} + this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' + ok djm@ (back in March) + - jmc@cvs.openbsd.org 2012/06/19 21:35:54 + [sshd_config.5] + tweak previous; ok markus + - djm@cvs.openbsd.org 2012/06/20 04:42:58 + [clientloop.c serverloop.c] + initialise accept() backoff timer to avoid EINVAL from select(2) in + rekeying -20100702 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/06/26 00:57:07 - [ssh_config.5] - tweak previous; - - djm@cvs.openbsd.org 2010/06/26 23:04:04 - [ssh.c] - oops, forgot to #include ; spotted and patch from chl@ - - djm@cvs.openbsd.org 2010/06/29 23:15:30 - [ssh-keygen.1 ssh-keygen.c] - allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys; - bz#1749; ok markus@ - - djm@cvs.openbsd.org 2010/06/29 23:16:46 - [auth2-pubkey.c sshd_config.5] - allow key options (command="..." and friends) in AuthorizedPrincipals; - ok markus@ - - jmc@cvs.openbsd.org 2010/06/30 07:24:25 - [ssh-keygen.1] - tweak previous; - - jmc@cvs.openbsd.org 2010/06/30 07:26:03 - [ssh-keygen.c] - sort usage(); - - jmc@cvs.openbsd.org 2010/06/30 07:28:34 +20120519 + - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch + from cjwatson at debian org. + - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find + pkg-config so it does the right thing when cross-compiling. Patch from + cjwatson at debian org. +- (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 + [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5] + Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests + to match. Feedback and ok djm@ markus@. + - dtucker@cvs.openbsd.org 2012/05/19 06:30:30 [sshd_config.5] - tweak previous; - - millert@cvs.openbsd.org 2010/07/01 13:06:59 - [scp.c] - Fix a longstanding problem where if you suspend scp at the - password/passphrase prompt the terminal mode is not restored. - OK djm@ - - phessler@cvs.openbsd.org 2010/06/27 19:19:56 - [regress/Makefile] - fix how we run the tests so we can successfully use SUDO='sudo -E' - in our env - - djm@cvs.openbsd.org 2010/06/29 23:59:54 - [cert-userkey.sh] - regress tests for key options in AuthorizedPrincipals - -20100627 - - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs - key.h. - -20100626 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/05/21 05:00:36 - [misc.c] - colon() returns char*, so s/return (0)/return NULL/ - - markus@cvs.openbsd.org 2010/06/08 21:32:19 - [ssh-pkcs11.c] - check length of value returned C_GetAttributValue for != 0 - from mdrtbugzilla@codefive.co.uk; bugzilla #1773; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/17 07:07:30 - [mux.c] - Correct sizing of object to be allocated by calloc(), replacing - sizeof(state) with sizeof(*state). This worked by accident since - the struct contained a single int at present, but could have broken - in the future. patch from hyc AT symas.com - - djm@cvs.openbsd.org 2010/06/18 00:58:39 - [sftp.c] - unbreak ls in working directories that contains globbing characters in - their pathnames. bz#1655 reported by vgiffin AT apple.com - - djm@cvs.openbsd.org 2010/06/18 03:16:03 - [session.c] - Missing check for chroot_director == "none" (we already checked against - NULL); bz#1564 from Jan.Pechanec AT Sun.COM - - djm@cvs.openbsd.org 2010/06/18 04:43:08 - [sftp-client.c] - fix memory leak in do_realpath() error path; bz#1771, patch from - anicka AT suse.cz - - djm@cvs.openbsd.org 2010/06/22 04:22:59 - [servconf.c sshd_config.5] - expose some more sshd_config options inside Match blocks: - AuthorizedKeysFile AuthorizedPrincipalsFile - HostbasedUsesNameFromPacketOnly PermitTunnel - bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/22 04:32:06 - [ssh-keygen.c] - standardise error messages when attempting to open private key - files to include "progname: filename: error reason" - bz#1783; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/22 04:49:47 - [auth.c] - queue auth debug messages for bad ownership or permissions on the user's - keyfiles. These messages will be sent after the user has successfully - authenticated (where our client will display them with LogLevel=debug). - bz#1554; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/22 04:54:30 - [ssh-keyscan.c] - replace verbose and overflow-prone Linebuf code with read_keyfile_line() - based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/22 04:59:12 - [session.c] - include the user name on "subsystem request for ..." log messages; - bz#1571; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/23 02:59:02 - [ssh-keygen.c] - fix printing of extensions in v01 certificates that I broke in r1.190 - - djm@cvs.openbsd.org 2010/06/25 07:14:46 - [channels.c mux.c readconf.c readconf.h ssh.h] - bz#1327: remove hardcoded limit of 100 permitopen clauses and port - forwards per direction; ok markus@ stevesk@ - - djm@cvs.openbsd.org 2010/06/25 07:20:04 - [channels.c session.c] - bz#1750: fix requirement for /dev/null inside ChrootDirectory for - internal-sftp accidentally introduced in r1.253 by removing the code - that opens and dup /dev/null to stderr and modifying the channels code - to read stderr but discard it instead; ok markus@ - - djm@cvs.openbsd.org 2010/06/25 08:46:17 - [auth1.c auth2-none.c] - skip the initial check for access with an empty password when - PermitEmptyPasswords=no; bz#1638; ok markus@ - - djm@cvs.openbsd.org 2010/06/25 23:10:30 - [ssh.c] - log the hostname and address that we connected to at LogLevel=verbose - after authentication is successful to mitigate "phishing" attacks by - servers with trusted keys that accept authentication silently and - automatically before presenting fake password/passphrase prompts; - "nice!" markus@ - - djm@cvs.openbsd.org 2010/06/25 23:10:30 - [ssh.c] - log the hostname and address that we connected to at LogLevel=verbose - after authentication is successful to mitigate "phishing" attacks by - servers with trusted keys that accept authentication silently and - automatically before presenting fake password/passphrase prompts; - "nice!" markus@ - -20100622 - - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512 - bz#1579; ok dtucker - -20100618 - - (djm) [contrib/ssh-copy-id] Update key file explicitly under ~ - rather than assuming that $CWD == $HOME. bz#1500, patch from - timothy AT gelter.com - -20100617 - - (tim) [contrib/cygwin/README] Remove a reference to the obsolete - minires-devel package, and to add the reference to the libedit-devel - package since CYgwin now provides libedit. Patch from Corinna Vinschen. - -20100521 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/05/07 11:31:26 - [regress/Makefile regress/cert-userkey.sh] - regress tests for AuthorizedPrincipalsFile and "principals=" key option. - feedback and ok markus@ - - djm@cvs.openbsd.org 2010/05/11 02:58:04 - [auth-rsa.c] - don't accept certificates marked as "cert-authority" here; ok markus@ - - djm@cvs.openbsd.org 2010/05/14 00:47:22 - [ssh-add.c] - check that the certificate matches the corresponding private key before - grafting it on - - djm@cvs.openbsd.org 2010/05/14 23:29:23 - [channels.c channels.h mux.c ssh.c] - Pause the mux channel while waiting for reply from aynch callbacks. - Prevents misordering of replies if new requests arrive while waiting. - - Extend channel open confirm callback to allow signalling failure - conditions as well as success. Use this to 1) fix a memory leak, 2) - start using the above pause mechanism and 3) delay sending a success/ - failure message on mux slave session open until we receive a reply from - the server. - - motivated by and with feedback from markus@ - - markus@cvs.openbsd.org 2010/05/16 12:55:51 - [PROTOCOL.mux clientloop.h mux.c readconf.c readconf.h ssh.1 ssh.c] - mux support for remote forwarding with dynamic port allocation, - use with - LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost` - feedback and ok djm@ - - djm@cvs.openbsd.org 2010/05/20 11:25:26 - [auth2-pubkey.c] - fix logspam when key options (from="..." especially) deny non-matching - keys; reported by henning@ also bz#1765; ok markus@ dtucker@ - - djm@cvs.openbsd.org 2010/05/20 23:46:02 - [PROTOCOL.certkeys auth-options.c ssh-keygen.c] - Move the permit-* options to the non-critical "extensions" field for v01 - certificates. The logic is that if another implementation fails to - implement them then the connection just loses features rather than fails - outright. - - ok markus@ + Document PermitOpen none. bz#2001, patch from Loganaden Velvindron + +20120504 + - (dtucker) [configure.ac] Include rather than + to fix building on some plaforms. Fom bowman at math utah edu and + des at des no. + +20120427 + - (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6 + platform rather than exiting early, so that we still clean up and return + success or failure to test-exec.sh + +20120426 + - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters + via Niels + - (djm) [auth-krb5.c] Save errno across calls that might modify it; + ok dtucker@ -20100511 - - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve - circular dependency problem on old or odd platforms. From Tom Lane, ok - djm@. - - (djm) [openbsd-compat/openssl-compat.h] Fix build breakage on older - libcrypto by defining OPENSSL_[DR]SA_MAX_MODULUS_BITS if they aren't - already. ok dtucker@ +20120423 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2012/04/23 08:18:17 + [channels.c] + fix function proto/source mismatch -20100510 +20120422 - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/04/23 01:47:41 + - djm@cvs.openbsd.org 2012/02/29 11:21:26 [ssh-keygen.c] - bz#1740: display a more helpful error message when $HOME is - inaccessible while trying to create .ssh directory. Based on patch - from jchadima AT redhat.com; ok dtucker@ - - djm@cvs.openbsd.org 2010/04/23 22:27:38 - [mux.c] - set "detach_close" flag when registering channel cleanup callbacks. - This causes the channel to close normally when its fds close and - hangs when terminating a mux slave using ~. bz#1758; ok markus@ - - djm@cvs.openbsd.org 2010/04/23 22:42:05 + allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@ + - guenther@cvs.openbsd.org 2012/03/15 03:10:27 [session.c] - set stderr to /dev/null for subsystems rather than just closing it. - avoids hangs if a subsystem or shell initialisation writes to stderr. - bz#1750; ok markus@ - - djm@cvs.openbsd.org 2010/04/23 22:48:31 - [ssh-keygen.c] - refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS, - since we would refuse to use them anyway. bz#1516; ok dtucker@ - - djm@cvs.openbsd.org 2010/04/26 22:28:24 - [sshconnect2.c] - bz#1502: authctxt.success is declared as an int, but passed by - reference to function that accepts sig_atomic_t*. Convert it to - the latter; ok markus@ dtucker@ - - djm@cvs.openbsd.org 2010/05/01 02:50:50 + root should always be excluded from the test for /etc/nologin instead + of having it always enforced even when marked as ignorenologin. This + regressed when the logic was incompletely flipped around in rev 1.251 + ok halex@ millert@ + - djm@cvs.openbsd.org 2012/03/28 07:23:22 [PROTOCOL.certkeys] - typo; jmeltzer@ - - dtucker@cvs.openbsd.org 2010/05/05 04:22:09 + explain certificate extensions/crit split rationale. Mention requirement + that each appear at most once per cert. + - dtucker@cvs.openbsd.org 2012/03/29 23:54:36 + [channels.c channels.h servconf.c] + Add PermitOpen none option based on patch from Loganaden Velvindron + (bz #1949). ok djm@ + - djm@cvs.openbsd.org 2012/04/11 13:16:19 + [channels.c channels.h clientloop.c serverloop.c] + don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a + while; ok deraadt@ markus@ + - djm@cvs.openbsd.org 2012/04/11 13:17:54 + [auth.c] + Support "none" as an argument for AuthorizedPrincipalsFile to indicate + no file should be read. + - djm@cvs.openbsd.org 2012/04/11 13:26:40 + [sshd.c] + don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a + while; ok deraadt@ markus@ + - djm@cvs.openbsd.org 2012/04/11 13:34:17 + [ssh-keyscan.1 ssh-keyscan.c] + now that sshd defaults to offering ECDSA keys, ssh-keyscan should also + look for them by default; bz#1971 + - djm@cvs.openbsd.org 2012/04/12 02:42:32 + [servconf.c servconf.h sshd.c sshd_config sshd_config.5] + VersionAddendum option to allow server operators to append some arbitrary + text to the SSH-... banner; ok deraadt@ "don't care" markus@ + - djm@cvs.openbsd.org 2012/04/12 02:43:55 + [sshd_config sshd_config.5] + mention AuthorizedPrincipalsFile=none default + - djm@cvs.openbsd.org 2012/04/20 03:24:23 [sftp.c] - restore mput and mget which got lost in the tab-completion changes. - found by Kenneth Whitaker, ok djm@ - - djm@cvs.openbsd.org 2010/05/07 11:30:30 - [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] - [key.c servconf.c servconf.h sshd.8 sshd_config.5] - add some optional indirection to matching of principal names listed - in certificates. Currently, a certificate must include the a user's name - to be accepted for authentication. This change adds the ability to - specify a list of certificate principal names that are acceptable. - - When authenticating using a CA trusted through ~/.ssh/authorized_keys, - this adds a new principals="name1[,name2,...]" key option. - - For CAs listed through sshd_config's TrustedCAKeys option, a new config - option "AuthorizedPrincipalsFile" specifies a per-user file containing - the list of acceptable names. - - If either option is absent, the current behaviour of requiring the - username to appear in principals continues to apply. - - These options are useful for role accounts, disjoint account namespaces - and "user@realm"-style naming policies in certificates. - - feedback and ok markus@ - - jmc@cvs.openbsd.org 2010/05/07 12:49:17 - [sshd_config.5] - tweak previous; + setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...) + - jmc@cvs.openbsd.org 2012/04/20 16:26:22 + [ssh.1] + use "brackets" instead of "braces", for consistency; -20100423 - - (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dir - in the openssl install directory (some newer openssl versions do this on at - least some amd64 platforms). +20120420 + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update for release 6.0 + - (djm) [README] Update URL to release notes. + - (djm) Release openssh-6.0 -20100418 - - OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/04/16 06:45:01 - [ssh_config.5] - tweak previous; ok djm - - jmc@cvs.openbsd.org 2010/04/16 06:47:04 - [ssh-keygen.1 ssh-keygen.c] - tweak previous; ok djm - - djm@cvs.openbsd.org 2010/04/16 21:14:27 - [sshconnect.c] - oops, %r => remote username, not %u - - djm@cvs.openbsd.org 2010/04/16 01:58:45 - [regress/cert-hostkey.sh regress/cert-userkey.sh] - regression tests for v01 certificate format - includes interop tests for v00 certs - - (dtucker) [contrib/aix/buildbff.sh] Fix creation of ssh_prng_cmds.default - file. - -20100416 - - (djm) Release openssh-5.5p1 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/03/26 03:13:17 - [bufaux.c] - allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer - argument to allow skipping past values in a buffer - - jmc@cvs.openbsd.org 2010/03/26 06:54:36 - [ssh.1] - tweak previous; - - jmc@cvs.openbsd.org 2010/03/27 14:26:55 - [ssh_config.5] - tweak previous; ok dtucker - - djm@cvs.openbsd.org 2010/04/10 00:00:16 - [ssh.c] - bz#1746 - suppress spurious tty warning when using -O and stdin - is not a tty; ok dtucker@ markus@ - - djm@cvs.openbsd.org 2010/04/10 00:04:30 - [sshconnect.c] - fix terminology: we didn't find a certificate in known_hosts, we found - a CA key - - djm@cvs.openbsd.org 2010/04/10 02:08:44 - [clientloop.c] - bz#1698: kill channel when pty allocation requests fail. Fixed - stuck client if the server refuses pty allocation. - ok dtucker@ "think so" markus@ - - djm@cvs.openbsd.org 2010/04/10 02:10:56 - [sshconnect2.c] - show the key type that we are offering in debug(), helps distinguish - between certs and plain keys as the path to the private key is usually - the same. - - djm@cvs.openbsd.org 2010/04/10 05:48:16 - [mux.c] - fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au - - djm@cvs.openbsd.org 2010/04/14 22:27:42 - [ssh_config.5 sshconnect.c] - expand %r => remote username in ssh_config:ProxyCommand; - ok deraadt markus - - markus@cvs.openbsd.org 2010/04/15 20:32:55 - [ssh-pkcs11.c] - retry lookup for private key if there's no matching key with CKA_SIGN - attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736) - ok djm@ - - djm@cvs.openbsd.org 2010/04/16 01:47:26 - [PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c] - [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c] - [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c] - [sshconnect.c sshconnect2.c sshd.c] - revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the - following changes: - - move the nonce field to the beginning of the certificate where it can - better protect against chosen-prefix attacks on the signature hash - - Rename "constraints" field to "critical options" - - Add a new non-critical "extensions" field - - Add a serial number - - The older format is still support for authentication and cert generation - (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) - - ok markus@ diff --git a/crypto/openssh/FREEBSD-tricks b/crypto/openssh/FREEBSD-tricks deleted file mode 100644 index 480bffc1d..000000000 --- a/crypto/openssh/FREEBSD-tricks +++ /dev/null @@ -1,14 +0,0 @@ -# $FreeBSD$ - -# Shell code to remove FreeBSD tags before merging -grep -rl '\$Fre[e]BSD:' . | grep -v FREEBSD >tags -cat tags | while read f ; do - sed -i.orig -e '/\$Fre[e]BSD:/d' $f -done - -# Shell + Perl code to add FreeBSD tags wherever an OpenBSD or Id tag occurs -cat tags | -xargs perl -n -i.orig -e 'print; s/\$(Id|OpenBSD): [^\$]*/\$FreeBSD/ && print' - -# Diff against vendor branch -svn diff --no-diff-deleted --old=$FSVN/vendor-crypto/openssh/dist/ --new=. diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index 03b7dbf0f..11f9bda3f 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -3,75 +3,97 @@ FreeBSD maintainer's guide to OpenSSH-portable ============================================== -[needs rewriting for svn] +00) Make sure your mail spool has plenty of free space. It'll fill up + pretty fast once you're done with this checklist. -0) Make sure your mail spool has plenty of free space. It'll fill up - pretty fast once you're done with this checklist. +01) Download the latest OpenSSH-portable tarball and signature from + OpenBSD (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/). -1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP - site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/) +02) Verify the signature: -2) Unpack the tarball in a suitable directory. + $ gpg --verify openssh-X.YpZ.tar.gz.asc - $ tar xf openssh-X.YpZ.tar.gz \ - -X /usr/src/crypto/openssh/FREEBSD-Xlist +03) Unpack the tarball in a suitable directory: -3) Remove trash: + $ tar xf openssh-X.YpZ.tar.gz - Make sure -X took care of everything, and if it didn't, make sure - to update FREEBSD-Xlist so you won't miss it the next time. A good - way to do this is to run a test import and see if any new files - show up: +04) Copy to the vendor directory: - $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N + $ svn co svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist + $ rsync --archive --delete openssh-X.YpZ/ dist/ -4) Import the sources: +05) Take care of added / deleted files: - $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ + $ svn rm $(svn stat dist | awk '$1 == "!" { print $2 }') + $ svn add --no-auto-props $(svn stat dist | awk '$1 == "?" { print $2 }') -5) Resolve conflicts. Remember to bump the version number and - addendum in version.h, and update the default value in - ssh{,d}_config and ssh{,d}_config.5. +06) Commit: -6) Generate configure and config.h.in: + $ svn commit -m "Vendor import of OpenSSH X.YpZ." dist - $ autoconf - $ autoheader +07) Tag: - Note: this requires a recent version of autoconf, not autoconf213. + $ svn copy -m "Tag OpenSSH X.YpZ." \ + svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist \ + svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/X.YpZ -7) Run configure with the appropriate arguments: +08) Check out head and run the pre-merge script: - $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \ - --with-pam --with-tcp-wrappers --with-libedit \ - --with-ssl-engine + $ svn co svn+ssh://svn.freebsd.org/base/head + $ cd head/crypto/openssh + $ sh freebsd-pre-merge.sh - This will regenerate config.h, which must be committed along with - the rest. +09) Merge from the vendor branch: - Note that we don't want to configure OpenSSH for Kerberos using - configure since we have to be able to turn it on or off depending - on the value of MK_KERBEROS. Our Makefiles take care of this. + $ svn merge -cNNNNNN \^/vendor-crypto/openssh/dist . -8) If source files have been added or removed, update the appropriate - makefiles to reflect changes in the vendor's Makefile.in. +0A) Resolve conflicts. Remember to bump the version addendum in + version.h, and update the default value in ssh{,d}_config and + ssh{,d}_config.5. -9) Build libssh. Follow the instructions in ssh_namespace.h to get a - list of new symbols. Update ssh_namespace.h, build everything, - install and test. +0B) Diff against the vendor branch: -A) Build and test the pam_ssh PAM module. It gropes around libssh's - internals and will break if something significant changes or if - ssh_namespace.h is out of whack. + $ svn diff \^/vendor-crypto/openssh/dist . -B) Re-commit everything on repoman (you *did* use a test repo for - this, didn't you?) + Files that have modifications relative to the vendor code, and + only those files, must have the svn:keywords property set to + FreeBSD=%H and be listed in the 'keywords' file created by the + pre-merge script. + +0C) Run the post-merge script: + + $ sh freebsd-post-merge.sh + +0D) Run the configure script: + + $ sh freebsd-configure.sh + +0E) Check config.h very carefully. + +0F) If source files have been added or removed, update the appropriate + makefiles to reflect changes in the vendor's Makefile.in. + +10) Build libssh: + + $ cd ../../secure/lib/libssh && make obj && make depend && make + +11) Follow the instructions in ssh_namespace.h to get a list of new + symbols, and them to ssh_namespace.h. Keep it sorted! + +12) Build and install world, reboot, test. Pay particular attention + to pam_ssh(8), which gropes inside libssh and will break if + something significant changes or if ssh_namespace.h is out of + whack. + +13) Commit, and hunker down for the inevitable storm of complaints. An overview of FreeBSD changes to OpenSSH-portable ================================================== +XXX This section is out of date + 0) VersionAddendum The SSH protocol allows for a human-readable version string of up @@ -116,7 +138,7 @@ B) Re-commit everything on repoman (you *did* use a test repo for This port was brought to you by (in no particular order) DARPA, NAI -Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co., +Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co., Suzanne Vega, and a Sanford's #69 Deluxe Marker. -- des@FreeBSD.org diff --git a/crypto/openssh/Makefile.in b/crypto/openssh/Makefile.in new file mode 100644 index 000000000..28a8ec41b --- /dev/null +++ b/crypto/openssh/Makefile.in @@ -0,0 +1,476 @@ +# $Id: Makefile.in,v 1.356 2014/02/04 00:12:56 djm Exp $ + +# uncomment if you run a non bourne compatable shell. Ie. csh +#SHELL = @SH@ + +AUTORECONF=autoreconf + +prefix=@prefix@ +exec_prefix=@exec_prefix@ +bindir=@bindir@ +sbindir=@sbindir@ +libexecdir=@libexecdir@ +datadir=@datadir@ +datarootdir=@datarootdir@ +mandir=@mandir@ +mansubdir=@mansubdir@ +sysconfdir=@sysconfdir@ +piddir=@piddir@ +srcdir=@srcdir@ +top_srcdir=@top_srcdir@ + +DESTDIR= +VPATH=@srcdir@ +SSH_PROGRAM=@bindir@/ssh +ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass +SFTP_SERVER=$(libexecdir)/sftp-server +SSH_KEYSIGN=$(libexecdir)/ssh-keysign +SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper +PRIVSEP_PATH=@PRIVSEP_PATH@ +SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ +STRIP_OPT=@STRIP_OPT@ + +PATHS= -DSSHDIR=\"$(sysconfdir)\" \ + -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ + -D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \ + -D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \ + -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ + -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ + -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ + -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" + +CC=@CC@ +LD=@LD@ +CFLAGS=@CFLAGS@ +CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ +LIBS=@LIBS@ +K5LIBS=@K5LIBS@ +GSSLIBS=@GSSLIBS@ +SSHLIBS=@SSHLIBS@ +SSHDLIBS=@SSHDLIBS@ +LIBEDIT=@LIBEDIT@ +AR=@AR@ +AWK=@AWK@ +RANLIB=@RANLIB@ +INSTALL=@INSTALL@ +PERL=@PERL@ +SED=@SED@ +ENT=@ENT@ +XAUTH_PATH=@XAUTH_PATH@ +LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ +EXEEXT=@EXEEXT@ +MANFMT=@MANFMT@ + +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) + +LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ + canohost.o channels.o cipher.o cipher-aes.o \ + cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ + compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ + log.o match.o md-sha256.o moduli.o nchan.o packet.o \ + readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ + atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ + monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ + kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ + msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ + ssh-pkcs11.o krl.o smult_curve25519_ref.o \ + kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ + ssh-ed25519.o digest-openssl.o hmac.o \ + sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o + +SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ + sshconnect.o sshconnect1.o sshconnect2.o mux.o \ + roaming_common.o roaming_client.o + +SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + audit.o audit-bsm.o audit-linux.o platform.o \ + sshpty.o sshlogin.o servconf.o serverloop.o \ + auth.o auth1.o auth2.o auth-options.o session.o \ + auth-chall.o auth2-chall.o groupaccess.o \ + auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ + auth2-none.o auth2-passwd.o auth2-pubkey.o \ + monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ + kexc25519s.o auth-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ + sftp-server.o sftp-common.o \ + roaming_common.o roaming_serv.o \ + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ + sandbox-seccomp-filter.o sandbox-capsicum.o + +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 +MANTYPE = @MANTYPE@ + +CONFIGFILES=sshd_config.out ssh_config.out moduli.out +CONFIGFILES_IN=sshd_config ssh_config moduli + +PATHSUBS = \ + -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ + -e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \ + -e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \ + -e 's|/usr/libexec|$(libexecdir)|g' \ + -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \ + -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \ + -e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \ + -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \ + -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \ + -e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \ + -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \ + -e 's|/etc/moduli|$(sysconfdir)/moduli|g' \ + -e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \ + -e 's|/etc/ssh/sshrc|$(sysconfdir)/sshrc|g' \ + -e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \ + -e 's|/var/empty|$(PRIVSEP_PATH)|g' \ + -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g' + +FIXPATHSCMD = $(SED) $(PATHSUBS) +FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ + @UNSUPPORTED_ALGORITHMS@ + +all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) + +$(LIBSSH_OBJS): Makefile.in config.h +$(SSHOBJS): Makefile.in config.h +$(SSHDOBJS): Makefile.in config.h + +.c.o: + $(CC) $(CFLAGS) $(CPPFLAGS) -c $< + +LIBCOMPAT=openbsd-compat/libopenbsd-compat.a +$(LIBCOMPAT): always + (cd openbsd-compat && $(MAKE)) +always: + +libssh.a: $(LIBSSH_OBJS) + $(AR) rv $@ $(LIBSSH_OBJS) + $(RANLIB) $@ + +ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS) + +sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + +scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o + $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o + $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o + $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o + $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + +ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o + $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + +sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o + $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o + $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) + +# test driver for the loginrec code - not built by default +logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o + $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) + +$(MANPAGES): $(MANPAGES_IN) + if test "$(MANTYPE)" = "cat"; then \ + manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \ + else \ + manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \ + fi; \ + if test "$(MANTYPE)" = "man"; then \ + $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \ + $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \ + else \ + $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \ + fi + +$(CONFIGFILES): $(CONFIGFILES_IN) + conffile=`echo $@ | sed 's/.out$$//'`; \ + $(FIXPATHSCMD) $(srcdir)/$${conffile} > $@ + +# fake rule to stop make trying to compile moduli.o into a binary "moduli.o" +moduli: + echo + +# special case target for umac128 +umac128.o: umac.c + $(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \ + -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \ + -Dumac_update=umac128_update -Dumac_final=umac128_final \ + -Dumac_delete=umac128_delete + +clean: regressclean + rm -f *.o *.a $(TARGETS) logintest config.cache config.log + rm -f *.out core survey + (cd openbsd-compat && $(MAKE) clean) + +distclean: regressclean + rm -f *.o *.a $(TARGETS) logintest config.cache config.log + rm -f *.out core opensshd.init openssh.xml + rm -f Makefile buildpkg.sh config.h config.status + rm -f survey.sh openbsd-compat/regress/Makefile *~ + rm -rf autom4te.cache + (cd openbsd-compat && $(MAKE) distclean) + if test -d pkg ; then \ + rm -fr pkg ; \ + fi + +veryclean: distclean + rm -f configure config.h.in *.0 + +cleandir: veryclean + +mrproper: veryclean + +realclean: veryclean + +catman-do: + @for f in $(MANPAGES_IN) ; do \ + base=`echo $$f | sed 's/\..*$$//'` ; \ + echo "$$f -> $$base.0" ; \ + $(MANFMT) $$f | cat -v | sed -e 's/.\^H//g' \ + >$$base.0 ; \ + done + +distprep: catman-do + $(AUTORECONF) + -rm -rf autom4te.cache + +install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf +install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files + +check-config: + -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config + +install-files: + $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5 + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 + $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) + (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) + $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + $(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + $(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + $(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 + $(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5 + $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 + $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 + $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 + $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + -rm -f $(DESTDIR)$(bindir)/slogin + ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + +install-sysconf: + if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ + $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ + fi + @if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \ + $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \ + fi + @if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ + $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \ + fi + @if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \ + if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \ + echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \ + mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \ + else \ + $(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \ + fi ; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ + fi + +host-key: ssh-keygen$(EXEEXT) + @if [ -z "$(DESTDIR)" ] ; then \ + if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \ + echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \ + fi ; \ + if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \ + echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \ + fi ; \ + if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \ + echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \ + fi ; \ + if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \ + echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \ + fi ; \ + if [ -z "@COMMENT_OUT_ECC@" ] ; then \ + if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \ + echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \ + fi ; \ + fi ; \ + fi ; + +host-key-force: ssh-keygen$(EXEEXT) + ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" + ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" + ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" + ./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N "" + test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N "" + +uninstallall: uninstall + -rm -f $(DESTDIR)$(sysconfdir)/ssh_config + -rm -f $(DESTDIR)$(sysconfdir)/sshd_config + -rmdir $(DESTDIR)$(sysconfdir) + -rmdir $(DESTDIR)$(bindir) + -rmdir $(DESTDIR)$(sbindir) + -rmdir $(DESTDIR)$(mandir)/$(mansubdir)1 + -rmdir $(DESTDIR)$(mandir)/$(mansubdir)8 + -rmdir $(DESTDIR)$(mandir) + -rmdir $(DESTDIR)$(libexecdir) + +uninstall: + -rm -f $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) + -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) + -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + +regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c + [ -d `pwd`/regress ] || mkdir -p `pwd`/regress + [ -f `pwd`/regress/Makefile ] || \ + ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ + $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + +regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c + [ -d `pwd`/regress ] || mkdir -p `pwd`/regress + [ -f `pwd`/regress/Makefile ] || \ + ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ + $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + +tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT) + BUILDDIR=`pwd`; \ + TEST_SHELL="@TEST_SHELL@"; \ + TEST_SSH_SCP="$${BUILDDIR}/scp"; \ + TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ + TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ + TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \ + TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \ + TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \ + TEST_SSH_SSHPKCS11HELPER="$${BUILDDIR}/ssh-pkcs11-helper"; \ + TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \ + TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \ + TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \ + TEST_SSH_PLINK="plink"; \ + TEST_SSH_PUTTYGEN="puttygen"; \ + TEST_SSH_CONCH="conch"; \ + TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \ + TEST_SSH_ECC="@TEST_SSH_ECC@" ; \ + cd $(srcdir)/regress || exit $$?; \ + $(MAKE) \ + .OBJDIR="$${BUILDDIR}/regress" \ + .CURDIR="`pwd`" \ + BUILDDIR="$${BUILDDIR}" \ + OBJ="$${BUILDDIR}/regress/" \ + PATH="$${BUILDDIR}:$${PATH}" \ + TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \ + TEST_SHELL="$${TEST_SHELL}" \ + TEST_SSH_SCP="$${TEST_SSH_SCP}" \ + TEST_SSH_SSH="$${TEST_SSH_SSH}" \ + TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \ + TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \ + TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \ + TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \ + TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \ + TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \ + TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \ + TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \ + TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \ + TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \ + TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \ + TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \ + TEST_SSH_ECC="$${TEST_SSH_ECC}" \ + EXEEXT="$(EXEEXT)" \ + $@ && echo all tests passed + +compat-tests: $(LIBCOMPAT) + (cd openbsd-compat/regress && $(MAKE)) + +regressclean: + if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \ + (cd regress && $(MAKE) clean) \ + fi + +survey: survey.sh ssh + @$(SHELL) ./survey.sh > survey + @echo 'The survey results have been placed in the file "survey" in the' + @echo 'current directory. Please review the file then send with' + @echo '"make send-survey".' + +send-survey: survey + mail portable-survey@mindrot.org +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + ]])], + [ +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" +else + AC_MSG_RESULT([yes]) + CFLAGS="$saved_CFLAGS $_define_flag" +fi], [ AC_MSG_RESULT([no]) CFLAGS="$saved_CFLAGS" ] ) }]) +dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag]) +dnl Check that $CC accepts a flag 'check_flag'. If it is supported append +dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append +dnl 'check_flag'. +AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{ + AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds]) + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR $1" + _define_flag="$2" + test "x$_define_flag" = "x" && _define_flag="$1" + AC_LINK_IFELSE([AC_LANG_SOURCE([[ +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + ]])], + [ +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" +else + AC_MSG_RESULT([yes]) + CFLAGS="$saved_CFLAGS $_define_flag" +fi], + [ AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" ] + ) +}]) + +dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag]) +dnl Check that $LD accepts a flag 'check_flag'. If it is supported append +dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append +dnl 'check_flag'. +AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{ + AC_MSG_CHECKING([if $LD supports link flag $1]) + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR $1" + _define_flag="$2" + test "x$_define_flag" = "x" && _define_flag="$1" + AC_LINK_IFELSE([AC_LANG_SOURCE([[ +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + ]])], + [ AC_MSG_RESULT([yes]) + LDFLAGS="$saved_LDFLAGS $_define_flag"], + [ AC_MSG_RESULT([no]) + LDFLAGS="$saved_LDFLAGS" ] + ) +}]) dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol) dnl Does AC_EGREP_HEADER on 'header' for the string 'field' diff --git a/crypto/openssh/addrmatch.c b/crypto/openssh/addrmatch.c index 388603cae..c44314632 100644 --- a/crypto/openssh/addrmatch.c +++ b/crypto/openssh/addrmatch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */ +/* $OpenBSD: addrmatch.c,v 1.9 2014/01/19 11:21:51 dtucker Exp $ */ /* * Copyright (c) 2004-2008 Damien Miller @@ -88,13 +88,13 @@ addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa) switch (sa->sa_family) { case AF_INET: - if (slen < sizeof(*in4)) + if (slen < (socklen_t)sizeof(*in4)) return -1; xa->af = AF_INET; memcpy(&xa->v4, &in4->sin_addr, sizeof(xa->v4)); break; case AF_INET6: - if (slen < sizeof(*in6)) + if (slen < (socklen_t)sizeof(*in6)) return -1; xa->af = AF_INET6; memcpy(&xa->v6, &in6->sin6_addr, sizeof(xa->v6)); @@ -420,7 +420,7 @@ addr_match_list(const char *addr, const char *_list) goto foundit; } } - xfree(o); + free(o); return ret; } @@ -494,7 +494,7 @@ addr_match_cidr_list(const char *addr, const char *_list) continue; } } - xfree(o); + free(o); return ret; } diff --git a/crypto/openssh/atomicio.c b/crypto/openssh/atomicio.c index 601b3c371..2bac36c91 100644 --- a/crypto/openssh/atomicio.c +++ b/crypto/openssh/atomicio.c @@ -56,8 +56,10 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n, ssize_t res; struct pollfd pfd; +#ifndef BROKEN_READ_COMPARISON pfd.fd = fd; pfd.events = f == read ? POLLIN : POLLOUT; +#endif while (n > pos) { res = (f) (fd, s + pos, n - pos); switch (res) { @@ -65,7 +67,9 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n, if (errno == EINTR) continue; if (errno == EAGAIN || errno == EWOULDBLOCK) { +#ifndef BROKEN_READ_COMPARISON (void)poll(&pfd, 1, -1); +#endif continue; } return 0; diff --git a/crypto/openssh/audit-linux.c b/crypto/openssh/audit-linux.c index 4e97386ce..b3ee2f4da 100644 --- a/crypto/openssh/audit-linux.c +++ b/crypto/openssh/audit-linux.c @@ -1,4 +1,4 @@ -/* $Id: audit-linux.c 221420 2011-05-04 07:34:44Z des $ */ +/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */ /* * Copyright 2010 Red Hat, Inc. All rights reserved. diff --git a/crypto/openssh/auth-chall.c b/crypto/openssh/auth-chall.c index 919b1eaa4..0005aa88b 100644 --- a/crypto/openssh/auth-chall.c +++ b/crypto/openssh/auth-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -69,11 +69,11 @@ get_challenge(Authctxt *authctxt) fatal("get_challenge: numprompts < 1"); challenge = xstrdup(prompts[0]); for (i = 0; i < numprompts; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(name); - xfree(echo_on); - xfree(info); + free(prompts[i]); + free(prompts); + free(name); + free(echo_on); + free(info); return (challenge); } @@ -102,11 +102,11 @@ verify_response(Authctxt *authctxt, const char *response) authenticated = 1; for (i = 0; i < numprompts; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(name); - xfree(echo_on); - xfree(info); + free(prompts[i]); + free(prompts); + free(name); + free(echo_on); + free(info); break; } device->free_ctx(authctxt->kbdintctxt); diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c index 922c66c66..6c62bdf54 100644 --- a/crypto/openssh/auth-krb5.c +++ b/crypto/openssh/auth-krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */ /* * Kerberos v5 authentication and ticket-passing routines. * @@ -79,6 +79,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) krb5_ccache ccache = NULL; int len; char *client, *platform_client; + const char *errmsg; /* get platform-specific kerberos client principal name (if it exists) */ platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name); @@ -96,7 +97,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password) goto out; #ifdef HEIMDAL +# ifdef HAVE_KRB5_CC_NEW_UNIQUE + problem = krb5_cc_new_unique(authctxt->krb5_ctx, + krb5_mcc_ops.prefix, NULL, &ccache); +# else problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); +# endif if (problem) goto out; @@ -115,8 +121,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; +# ifdef HAVE_KRB5_CC_NEW_UNIQUE + problem = krb5_cc_new_unique(authctxt->krb5_ctx, + krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache); +# else problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &authctxt->krb5_fwd_ccache); +# endif if (problem) goto out; @@ -146,7 +157,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, + authctxt->pw->pw_name)) { problem = -1; goto out; } @@ -181,17 +193,19 @@ auth_krb5_password(Authctxt *authctxt, const char *password) out: restore_uid(); - if (platform_client != NULL) - xfree(platform_client); + free(platform_client); if (problem) { if (ccache) krb5_cc_destroy(authctxt->krb5_ctx, ccache); - if (authctxt->krb5_ctx != NULL && problem!=-1) - debug("Kerberos password authentication failed: %s", - krb5_get_err_text(authctxt->krb5_ctx, problem)); - else + if (authctxt->krb5_ctx != NULL && problem!=-1) { + errmsg = krb5_get_error_message(authctxt->krb5_ctx, + problem); + debug("Kerberos password authentication failed: %s", + errmsg); + krb5_free_error_message(authctxt->krb5_ctx, errmsg); + } else debug("Kerberos password authentication failed: %d", problem); diff --git a/crypto/openssh/auth-options.c b/crypto/openssh/auth-options.c index 23d0423e1..fa209eaab 100644 --- a/crypto/openssh/auth-options.c +++ b/crypto/openssh/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.62 2013/12/19 00:27:57 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -33,10 +33,6 @@ #include "auth-options.h" #include "hostfile.h" #include "auth.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" /* Flags set authorized_keys flags */ int no_port_forwarding_flag = 0; @@ -72,15 +68,15 @@ auth_clear_options(void) while (custom_environment) { struct envstring *ce = custom_environment; custom_environment = ce->next; - xfree(ce->s); - xfree(ce); + free(ce->s); + free(ce); } if (forced_command) { - xfree(forced_command); + free(forced_command); forced_command = NULL; } if (authorized_principals) { - xfree(authorized_principals); + free(authorized_principals); authorized_principals = NULL; } forced_tun_device = -1; @@ -149,7 +145,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); if (forced_command != NULL) - xfree(forced_command); + free(forced_command); forced_command = xmalloc(strlen(opts) + 1); i = 0; while (*opts) { @@ -167,7 +163,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(forced_command); + free(forced_command); forced_command = NULL; goto bad_option; } @@ -180,7 +176,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); if (authorized_principals != NULL) - xfree(authorized_principals); + free(authorized_principals); authorized_principals = xmalloc(strlen(opts) + 1); i = 0; while (*opts) { @@ -198,7 +194,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(authorized_principals); + free(authorized_principals); authorized_principals = NULL; goto bad_option; } @@ -232,14 +228,14 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(s); + free(s); goto bad_option; } s[i] = '\0'; auth_debug_add("Adding to environment: %.900s", s); debug("Adding to environment: %.900s", s); opts++; - new_envstring = xmalloc(sizeof(struct envstring)); + new_envstring = xcalloc(1, sizeof(struct envstring)); new_envstring->s = s; new_envstring->next = custom_environment; custom_environment = new_envstring; @@ -269,7 +265,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } patterns[i] = '\0'; @@ -277,7 +273,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) switch (match_host_and_ip(remote_host, remote_ip, patterns)) { case 1: - xfree(patterns); + free(patterns); /* Host name matches. */ goto next_option; case -1: @@ -287,7 +283,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) "invalid criteria", file, linenum); /* FALLTHROUGH */ case 0: - xfree(patterns); + free(patterns); logit("Authentication tried for %.100s with " "correct key but not from a permitted " "host (host=%.200s, ip=%.200s).", @@ -323,7 +319,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing " "end quote", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } patterns[i] = '\0'; @@ -337,7 +333,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) auth_debug_add("%.100s, line %lu: " "Bad permitopen specification", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } host = cleanhostname(host); @@ -346,12 +342,12 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) "<%.100s>", file, linenum, p ? p : ""); auth_debug_add("%.100s, line %lu: " "Bad permitopen port", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) channel_add_permitted_opens(host, port); - xfree(patterns); + free(patterns); goto next_option; } cp = "tunnel=\""; @@ -370,13 +366,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(tun); + free(tun); forced_tun_device = -1; goto bad_option; } tun[i] = '\0'; forced_tun_device = a2tun(tun, NULL); - xfree(tun); + free(tun); if (forced_tun_device == SSH_TUNID_ERR) { debug("%.100s, line %lu: invalid tun device", file, linenum); @@ -432,10 +428,11 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, { char *command, *allowed; const char *remote_ip; - u_char *name = NULL, *data_blob = NULL; + char *name = NULL; + u_char *data_blob = NULL; u_int nlen, dlen, clen; Buffer c, data; - int ret = -1, found; + int ret = -1, result, found; buffer_init(&data); @@ -484,7 +481,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, if (*cert_forced_command != NULL) { error("Certificate has multiple " "force-command options"); - xfree(command); + free(command); goto out; } *cert_forced_command = command; @@ -500,15 +497,16 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, if ((*cert_source_address_done)++) { error("Certificate has multiple " "source-address options"); - xfree(allowed); + free(allowed); goto out; } remote_ip = get_remote_ipaddr(); - switch (addr_match_cidr_list(remote_ip, - allowed)) { + result = addr_match_cidr_list(remote_ip, + allowed); + free(allowed); + switch (result) { case 1: /* accepted */ - xfree(allowed); break; case 0: /* no match */ @@ -521,12 +519,11 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, "is not permitted to use this " "certificate for login.", remote_ip); - xfree(allowed); goto out; case -1: + default: error("Certificate source-address " "contents invalid"); - xfree(allowed); goto out; } found = 1; @@ -548,9 +545,10 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, goto out; } buffer_clear(&data); - xfree(name); - xfree(data_blob); - name = data_blob = NULL; + free(name); + free(data_blob); + name = NULL; + data_blob = NULL; } /* successfully parsed all options */ ret = 0; @@ -559,13 +557,13 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, if (ret != 0 && cert_forced_command != NULL && *cert_forced_command != NULL) { - xfree(*cert_forced_command); + free(*cert_forced_command); *cert_forced_command = NULL; } if (name != NULL) - xfree(name); + free(name); if (data_blob != NULL) - xfree(data_blob); + free(data_blob); buffer_free(&data); buffer_free(&c); return ret; @@ -627,7 +625,7 @@ auth_cert_options(Key *k, struct passwd *pw) /* CA-specified forced command supersedes key option */ if (cert_forced_command != NULL) { if (forced_command != NULL) - xfree(forced_command); + free(forced_command); forced_command = cert_forced_command; } return 0; diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c index 675006e6f..d789bad7b 100644 --- a/crypto/openssh/auth-pam.c +++ b/crypto/openssh/auth-pam.c @@ -412,10 +412,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); buffer_free(&buffer); return (PAM_CONV_ERR); } @@ -439,8 +438,10 @@ sshpam_thread(void *ctxtp) const char **ptr_pam_user = &pam_user; char *tz = getenv("TZ"); - pam_get_item(sshpam_handle, PAM_USER, + sshpam_err = pam_get_item(sshpam_handle, PAM_USER, (sshpam_const void **)ptr_pam_user); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; environ[0] = NULL; if (tz != NULL) @@ -586,10 +587,9 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); return (PAM_CONV_ERR); } @@ -693,7 +693,7 @@ sshpam_init_ctx(Authctxt *authctxt) /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { error("PAM: failed create sockets: %s", strerror(errno)); - xfree(ctxt); + free(ctxt); return (NULL); } ctxt->pam_psock = socks[0]; @@ -703,7 +703,7 @@ sshpam_init_ctx(Authctxt *authctxt) strerror(errno)); close(socks[0]); close(socks[1]); - xfree(ctxt); + free(ctxt); return (NULL); } cleanup_ctxt = ctxt; @@ -742,7 +742,7 @@ sshpam_query(void *ctx, char **name, char **info, strlcpy(**prompts + plen, msg, len - plen); plen += mlen; **echo_on = (type == PAM_PROMPT_ECHO_ON); - xfree(msg); + free(msg); return (0); case PAM_ERROR_MSG: case PAM_TEXT_INFO: @@ -753,7 +753,7 @@ sshpam_query(void *ctx, char **name, char **info, plen += mlen; strlcat(**prompts + plen, "\n", len - plen); plen++; - xfree(msg); + free(msg); break; case PAM_ACCT_EXPIRED: sshpam_account_status = 0; @@ -766,7 +766,7 @@ sshpam_query(void *ctx, char **name, char **info, *num = 0; **echo_on = 0; ctxt->pam_done = -1; - xfree(msg); + free(msg); return 0; } /* FALLTHROUGH */ @@ -776,7 +776,7 @@ sshpam_query(void *ctx, char **name, char **info, debug("PAM: %s", **prompts); buffer_append(&loginmsg, **prompts, strlen(**prompts)); - xfree(**prompts); + free(**prompts); **prompts = NULL; } if (type == PAM_SUCCESS) { @@ -790,7 +790,7 @@ sshpam_query(void *ctx, char **name, char **info, *num = 0; **echo_on = 0; ctxt->pam_done = 1; - xfree(msg); + free(msg); return (0); } error("PAM: %s for %s%.100s from %.100s", msg, @@ -801,7 +801,7 @@ sshpam_query(void *ctx, char **name, char **info, default: *num = 0; **echo_on = 0; - xfree(msg); + free(msg); ctxt->pam_done = -1; return (-1); } @@ -852,7 +852,7 @@ sshpam_free_ctx(void *ctxtp) debug3("PAM: %s entering", __func__); sshpam_thread_cleanup(); - xfree(ctxt); + free(ctxt); /* * We don't call sshpam_cleanup() here because we may need the PAM * handle at a later stage, e.g. when setting up a session. It's @@ -1006,10 +1006,9 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); return (PAM_CONV_ERR); } @@ -1081,7 +1080,7 @@ do_pam_putenv(char *name, char *value) snprintf(compound, len, "%s=%s", name, value); ret = pam_putenv(sshpam_handle, compound); - xfree(compound); + free(compound); #endif return (ret); @@ -1108,8 +1107,8 @@ free_pam_environment(char **env) return; for (envp = env; *envp; envp++) - xfree(*envp); - xfree(env); + free(*envp); + free(env); } /* @@ -1165,10 +1164,9 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); return (PAM_CONV_ERR); } diff --git a/crypto/openssh/auth-rsa.c b/crypto/openssh/auth-rsa.c index 2c8a7cb35..5dad6c3dc 100644 --- a/crypto/openssh/auth-rsa.c +++ b/crypto/openssh/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.86 2014/01/27 19:18:54 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -20,7 +20,6 @@ #include #include -#include #include #include @@ -48,6 +47,8 @@ #include "ssh.h" #include "misc.h" +#include "digest.h" + /* import */ extern ServerOptions options; @@ -91,12 +92,13 @@ int auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) { u_char buf[32], mdbuf[16]; - MD5_CTX md; + struct ssh_digest_ctx *md; int len; /* don't allow short keys */ if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { - error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits", + error("%s: RSA modulus too small: %d < minimum %d bits", + __func__, BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); return (0); } @@ -104,13 +106,15 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) /* The response is MD5 of decrypted challenge plus session id. */ len = BN_num_bytes(challenge); if (len <= 0 || len > 32) - fatal("auth_rsa_verify_response: bad challenge length %d", len); + fatal("%s: bad challenge length %d", __func__, len); memset(buf, 0, 32); BN_bn2bin(challenge, buf + 32 - len); - MD5_Init(&md); - MD5_Update(&md, buf, 32); - MD5_Update(&md, session_id, 16); - MD5_Final(mdbuf, &md); + if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || + ssh_digest_update(md, buf, 32) < 0 || + ssh_digest_update(md, session_id, 16) < 0 || + ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0) + fatal("%s: md5 failed", __func__); + ssh_digest_free(md); /* Verify that the response is the original challenge. */ if (timingsafe_bcmp(response, mdbuf, 16) != 0) { @@ -164,9 +168,8 @@ static int rsa_key_allowed_in_file(struct passwd *pw, char *file, const BIGNUM *client_n, Key **rkey) { - char line[SSH_MAX_PUBKEY_BYTES]; - int allowed = 0; - u_int bits; + char *fp, line[SSH_MAX_PUBKEY_BYTES]; + int allowed = 0, bits; FILE *f; u_long linenum = 0; Key *key; @@ -227,11 +230,16 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, /* check the real bits */ keybits = BN_num_bits(key->rsa->n); - if (keybits < 0 || bits != (u_int)keybits) + if (keybits < 0 || bits != keybits) logit("Warning: %s, line %lu: keysize mismatch: " "actual %d vs. announced %d.", file, linenum, BN_num_bits(key->rsa->n), bits); + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(key), fp); + free(fp); + /* Never accept a revoked key */ if (auth_key_is_revoked(key)) break; @@ -281,7 +289,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) file = expand_authorized_keys( options.authorized_keys_files[i], pw); allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); - xfree(file); + free(file); } restore_uid(); @@ -298,7 +306,6 @@ int auth_rsa(Authctxt *authctxt, BIGNUM *client_n) { Key *key; - char *fp; struct passwd *pw = authctxt->pw; /* no user given */ @@ -328,11 +335,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n) * options; this will be reset if the options cause the * authentication to be rejected. */ - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - verbose("Found matching %s key: %s", - key_type(key), fp); - xfree(fp); - key_free(key); + pubkey_auth_info(authctxt, key, NULL); packet_send_debug("RSA authentication accepted."); return (1); diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c index 2ebbb9e24..985256277 100644 --- a/crypto/openssh/auth.c +++ b/crypto/openssh/auth.c @@ -1,4 +1,5 @@ -/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ +/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */ +/* $FreeBSD$ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -73,6 +74,7 @@ __RCSID("$FreeBSD$"); #include "authfile.h" #include "monitor_wrap.h" #include "krl.h" +#include "compat.h" /* import */ extern ServerOptions options; @@ -166,17 +168,17 @@ allowed_user(struct passwd * pw) if (stat(shell, &st) != 0) { logit("User %.100s not allowed because shell %.100s " "does not exist", pw->pw_name, shell); - xfree(shell); + free(shell); return 0; } if (S_ISREG(st.st_mode) == 0 || (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { logit("User %.100s not allowed because shell %.100s " "is not executable", pw->pw_name, shell); - xfree(shell); + free(shell); return 0; } - xfree(shell); + free(shell); } if (options.num_deny_users > 0 || options.num_allow_users > 0 || @@ -252,9 +254,26 @@ allowed_user(struct passwd * pw) return 1; } +void +auth_info(Authctxt *authctxt, const char *fmt, ...) +{ + va_list ap; + int i; + + free(authctxt->info); + authctxt->info = NULL; + + va_start(ap, fmt); + i = vasprintf(&authctxt->info, fmt, ap); + va_end(ap); + + if (i < 0 || authctxt->info == NULL) + fatal("vasprintf failed"); +} + void auth_log(Authctxt *authctxt, int authenticated, int partial, - const char *method, const char *submethod, const char *info) + const char *method, const char *submethod) { void (*authlog) (const char *fmt,...) = verbose; char *authmsg; @@ -276,7 +295,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, else authmsg = authenticated ? "Accepted" : "Failed"; - authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", + authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", authmsg, method, submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, @@ -284,7 +303,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, authctxt->user, get_remote_ipaddr(), get_remote_port(), - info); + compat20 ? "ssh2" : "ssh1", + authctxt->info != NULL ? ": " : "", + authctxt->info != NULL ? authctxt->info : ""); + free(authctxt->info); + authctxt->info = NULL; #ifdef CUSTOM_FAILED_LOGIN if (authenticated == 0 && !authctxt->postponed && @@ -356,7 +379,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw) i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); if (i < 0 || (size_t)i >= sizeof(ret)) fatal("expand_authorized_keys: path too long"); - xfree(file); + free(file); return (xstrdup(ret)); } @@ -398,7 +421,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, load_hostkeys(hostkeys, host, user_hostfile); restore_uid(); } - xfree(user_hostfile); + free(user_hostfile); } host_status = check_key_in_hostkeys(hostkeys, key, &found); if (host_status == HOST_REVOKED) @@ -667,7 +690,7 @@ auth_key_is_revoked(Key *key) key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); error("WARNING: authentication attempt with a revoked " "%s key %s ", key_type(key), key_fp); - xfree(key_fp); + free(key_fp); return 1; } fatal("key_in_file returned junk"); @@ -698,7 +721,7 @@ auth_debug_send(void) while (buffer_len(&auth_debug)) { msg = buffer_get_string(&auth_debug, NULL); packet_send_debug("%s", msg); - xfree(msg); + free(msg); } } @@ -722,10 +745,12 @@ fakepw(void) fake.pw_name = "NOUSER"; fake.pw_passwd = "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS fake.pw_gecos = "NOUSER"; +#endif fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; -#ifdef HAVE_PW_CLASS_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS fake.pw_class = ""; #endif fake.pw_dir = "/nonexist"; diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h index c6fe84722..124e59743 100644 --- a/crypto/openssh/auth.h +++ b/crypto/openssh/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.77 2014/01/29 06:18:35 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -60,7 +60,7 @@ struct Authctxt { struct passwd *pw; /* set if 'valid' */ char *style; void *kbdintctxt; - void *jpake_ctx; + char *info; /* Extra info for next auth_log */ #ifdef BSD_AUTH auth_session_t *as; #endif @@ -121,6 +121,8 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); +void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) + __attribute__((__format__ (printf, 3, 4))); struct stat; int auth_secure_path(const char *, struct stat *, const char *, uid_t, @@ -148,8 +150,10 @@ void disable_forwarding(void); void do_authentication(Authctxt *); void do_authentication2(Authctxt *); -void auth_log(Authctxt *, int, int, const char *, const char *, - const char *); +void auth_info(Authctxt *authctxt, const char *, ...) + __attribute__((__format__ (printf, 2, 3))) + __attribute__((__nonnull__ (2))); +void auth_log(Authctxt *, int, int, const char *, const char *); void userauth_finish(Authctxt *, int, const char *, const char *); int auth_root_allowed(const char *); @@ -157,8 +161,9 @@ void userauth_send_banner(const char *); char *auth2_read_banner(void); int auth2_methods_valid(const char *, int); -int auth2_update_methods_lists(Authctxt *, const char *); +int auth2_update_methods_lists(Authctxt *, const char *, const char *); int auth2_setup_methods_lists(Authctxt *); +int auth2_method_allowed(Authctxt *, const char *, const char *); void privsep_challenge_enable(void); @@ -169,9 +174,6 @@ int bsdauth_respond(void *, u_int, char **); int skey_query(void *, char **, char **, u_int *, char ***, u_int **); int skey_respond(void *, u_int, char **); -void auth2_jpake_get_pwdata(Authctxt *, BIGNUM **, char **, char **); -void auth2_jpake_stop(Authctxt *); - int allowed_user(struct passwd *); struct passwd * getpwnamallow(const char *user); @@ -192,10 +194,12 @@ check_key_in_hostfiles(struct passwd *, Key *, const char *, /* hostkey handling */ Key *get_hostkey_by_index(int); +Key *get_hostkey_public_by_index(int); Key *get_hostkey_public_by_type(int); Key *get_hostkey_private_by_type(int); int get_hostkey_index(Key *); int ssh1_session_key(BIGNUM *); +void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int); /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c index 6eea8d81e..0f870b3b6 100644 --- a/crypto/openssh/auth1.c +++ b/crypto/openssh/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.80 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -45,11 +45,11 @@ extern ServerOptions options; extern Buffer loginmsg; -static int auth1_process_password(Authctxt *, char *, size_t); -static int auth1_process_rsa(Authctxt *, char *, size_t); -static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t); -static int auth1_process_tis_challenge(Authctxt *, char *, size_t); -static int auth1_process_tis_response(Authctxt *, char *, size_t); +static int auth1_process_password(Authctxt *); +static int auth1_process_rsa(Authctxt *); +static int auth1_process_rhosts_rsa(Authctxt *); +static int auth1_process_tis_challenge(Authctxt *); +static int auth1_process_tis_response(Authctxt *); static char *client_user = NULL; /* Used to fill in remote user for PAM */ @@ -57,7 +57,7 @@ struct AuthMethod1 { int type; char *name; int *enabled; - int (*method)(Authctxt *, char *, size_t); + int (*method)(Authctxt *); }; const struct AuthMethod1 auth1_methods[] = { @@ -112,7 +112,7 @@ get_authname(int type) /*ARGSUSED*/ static int -auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_password(Authctxt *authctxt) { int authenticated = 0; char *password; @@ -129,15 +129,15 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) /* Try authentication with the password. */ authenticated = PRIVSEP(auth_password(authctxt, password)); - memset(password, 0, dlen); - xfree(password); + explicit_bzero(password, dlen); + free(password); return (authenticated); } /*ARGSUSED*/ static int -auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_rsa(Authctxt *authctxt) { int authenticated = 0; BIGNUM *n; @@ -155,7 +155,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) /*ARGSUSED*/ static int -auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_rhosts_rsa(Authctxt *authctxt) { int keybits, authenticated = 0; u_int bits; @@ -187,14 +187,14 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) client_host_key); key_free(client_host_key); - snprintf(info, infolen, " ruser %.100s", client_user); + auth_info(authctxt, "ruser %.100s", client_user); return (authenticated); } /*ARGSUSED*/ static int -auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_tis_challenge(Authctxt *authctxt) { char *challenge; @@ -204,7 +204,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) debug("sending challenge '%s'", challenge); packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); packet_put_cstring(challenge); - xfree(challenge); + free(challenge); packet_send(); packet_write_wait(); @@ -213,7 +213,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) /*ARGSUSED*/ static int -auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_tis_response(Authctxt *authctxt) { int authenticated = 0; char *response; @@ -222,8 +222,8 @@ auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) response = packet_get_string(&dlen); packet_check_eom(); authenticated = verify_response(authctxt, response); - memset(response, 'r', dlen); - xfree(response); + explicit_bzero(response, dlen); + free(response); return (authenticated); } @@ -236,7 +236,6 @@ static void do_authloop(Authctxt *authctxt) { int authenticated = 0; - char info[1024]; int prev = 0, type = 0; const struct AuthMethod1 *meth; @@ -254,7 +253,7 @@ do_authloop(Authctxt *authctxt) #endif { auth_log(authctxt, 1, 0, "without authentication", - NULL, ""); + NULL); return; } } @@ -268,7 +267,6 @@ do_authloop(Authctxt *authctxt) /* default to fail */ authenticated = 0; - info[0] = '\0'; /* Get a packet from the client. */ prev = type; @@ -298,7 +296,7 @@ do_authloop(Authctxt *authctxt) goto skip; } - authenticated = meth->method(authctxt, info, sizeof(info)); + authenticated = meth->method(authctxt); if (authenticated == -1) continue; /* "postponed" */ @@ -353,13 +351,10 @@ do_authloop(Authctxt *authctxt) skip: /* Log before sending the reply */ - auth_log(authctxt, authenticated, 0, get_authname(type), - NULL, info); + auth_log(authctxt, authenticated, 0, get_authname(type), NULL); - if (client_user != NULL) { - xfree(client_user); - client_user = NULL; - } + free(client_user); + client_user = NULL; if (authenticated) return; diff --git a/crypto/openssh/auth2-chall.c b/crypto/openssh/auth2-chall.c index 6505d4009..980250a91 100644 --- a/crypto/openssh/auth2-chall.c +++ b/crypto/openssh/auth2-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.41 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -111,7 +111,7 @@ kbdint_alloc(const char *devs) remove_kbdint_device("pam"); #endif - kbdintctxt = xmalloc(sizeof(KbdintAuthctxt)); + kbdintctxt = xcalloc(1, sizeof(KbdintAuthctxt)); if (strcmp(devs, "") == 0) { buffer_init(&b); for (i = 0; devices[i]; i++) { @@ -147,15 +147,13 @@ kbdint_free(KbdintAuthctxt *kbdintctxt) { if (kbdintctxt->device) kbdint_reset_device(kbdintctxt); - if (kbdintctxt->devices) { - xfree(kbdintctxt->devices); - kbdintctxt->devices = NULL; - } - xfree(kbdintctxt); + free(kbdintctxt->devices); + explicit_bzero(kbdintctxt, sizeof(*kbdintctxt)); + free(kbdintctxt); } /* get next device */ static int -kbdint_next_device(KbdintAuthctxt *kbdintctxt) +kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) { size_t len; char *t; @@ -169,12 +167,16 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt) if (len == 0) break; - for (i = 0; devices[i]; i++) + for (i = 0; devices[i]; i++) { + if (!auth2_method_allowed(authctxt, + "keyboard-interactive", devices[i]->name)) + continue; if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) kbdintctxt->device = devices[i]; + } t = kbdintctxt->devices; kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; - xfree(t); + free(t); debug2("kbdint_next_device: devices %s", kbdintctxt->devices ? kbdintctxt->devices : ""); } while (kbdintctxt->devices && !kbdintctxt->device); @@ -221,7 +223,7 @@ auth2_challenge_start(Authctxt *authctxt) debug2("auth2_challenge_start: devices %s", kbdintctxt->devices ? kbdintctxt->devices : ""); - if (kbdint_next_device(kbdintctxt) == 0) { + if (kbdint_next_device(authctxt, kbdintctxt) == 0) { auth2_challenge_stop(authctxt); return 0; } @@ -268,11 +270,11 @@ send_userauth_info_request(Authctxt *authctxt) packet_write_wait(); for (i = 0; i < kbdintctxt->nreq; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(echo_on); - xfree(name); - xfree(instr); + free(prompts[i]); + free(prompts); + free(echo_on); + free(name); + free(instr); return 1; } @@ -310,11 +312,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response); for (i = 0; i < nresp; i++) { - memset(response[i], 'r', strlen(response[i])); - xfree(response[i]); + explicit_bzero(response[i], strlen(response[i])); + free(response[i]); } - if (response) - xfree(response); + free(response); switch (res) { case 0: diff --git a/crypto/openssh/auth2-gss.c b/crypto/openssh/auth2-gss.c index 93d576bfb..c28a705cb 100644 --- a/crypto/openssh/auth2-gss.c +++ b/crypto/openssh/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -62,7 +62,6 @@ userauth_gssapi(Authctxt *authctxt) gss_OID_desc goid = {0, NULL}; Gssctxt *ctxt = NULL; int mechs; - gss_OID_set supported; int present; OM_uint32 ms; u_int len; @@ -77,12 +76,10 @@ userauth_gssapi(Authctxt *authctxt) return (0); } - ssh_gssapi_supported_oids(&supported); do { mechs--; - if (doid) - xfree(doid); + free(doid); present = 0; doid = packet_get_string(&len); @@ -91,17 +88,14 @@ userauth_gssapi(Authctxt *authctxt) doid[1] == len - 2) { goid.elements = doid + 2; goid.length = len - 2; - gss_test_oid_set_member(&ms, &goid, supported, - &present); + ssh_gssapi_test_oid_supported(&ms, &goid, &present); } else { logit("Badly formed OID received"); } } while (mechs > 0 && !present); - gss_release_oid_set(&ms, &supported); - if (!present) { - xfree(doid); + free(doid); authctxt->server_caused_failure = 1; return (0); } @@ -109,7 +103,7 @@ userauth_gssapi(Authctxt *authctxt) if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt); - xfree(doid); + free(doid); authctxt->server_caused_failure = 1; return (0); } @@ -122,7 +116,7 @@ userauth_gssapi(Authctxt *authctxt) packet_put_string(doid, len); packet_send(); - xfree(doid); + free(doid); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); @@ -153,7 +147,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, &send_tok, &flags)); - xfree(recv_tok.value); + free(recv_tok.value); if (GSS_ERROR(maj_status)) { if (send_tok.length != 0) { @@ -208,7 +202,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, &send_tok, NULL)); - xfree(recv_tok.value); + free(recv_tok.value); /* We can't return anything to the client, even if we wanted to */ dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); @@ -229,14 +223,11 @@ static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) { Authctxt *authctxt = ctxt; - Gssctxt *gssctxt; int authenticated; if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) fatal("No authentication or GSSAPI context"); - gssctxt = authctxt->methoddata; - /* * We don't need to check the status, because we're only enabled in * the dispatcher once the exchange is complete @@ -284,7 +275,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) logit("GSSAPI MIC check failed"); buffer_free(&b); - xfree(mic.value); + free(mic.value); authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); diff --git a/crypto/openssh/auth2-hostbased.c b/crypto/openssh/auth2-hostbased.c index cdf442f97..488008f62 100644 --- a/crypto/openssh/auth2-hostbased.c +++ b/crypto/openssh/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.17 2013/12/30 23:52:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -100,6 +100,12 @@ userauth_hostbased(Authctxt *authctxt) "(received %d, expected %d)", key->type, pktype); goto done; } + if (key_type_plain(key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + error("Refusing RSA key because peer uses unsafe " + "signature format"); + goto done; + } service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; buffer_init(&b); @@ -116,6 +122,10 @@ userauth_hostbased(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); #endif + + pubkey_auth_info(authctxt, key, + "client user \"%.100s\", client host \"%.100s\"", cuser, chost); + /* test for allowed key and correct signature */ authenticated = 0; if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && @@ -128,11 +138,11 @@ done: debug2("userauth_hostbased: authenticated %d", authenticated); if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); - xfree(cuser); - xfree(chost); - xfree(sig); + free(pkalg); + free(pkblob); + free(cuser); + free(chost); + free(sig); return authenticated; } @@ -207,7 +217,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, verbose("Accepted %s public key %s from %s@%s", key_type(key), fp, cuser, lookup); } - xfree(fp); + free(fp); } return (host_status == HOST_OK); diff --git a/crypto/openssh/auth2-jpake.c b/crypto/openssh/auth2-jpake.c deleted file mode 100644 index ed0eba47b..000000000 --- a/crypto/openssh/auth2-jpake.c +++ /dev/null @@ -1,563 +0,0 @@ -/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */ -/* - * Copyright (c) 2008 Damien Miller. All rights reserved. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Server side of zero-knowledge password auth using J-PAKE protocol - * as described in: - * - * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", - * 16th Workshop on Security Protocols, Cambridge, April 2008 - * - * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf - */ - -#ifdef JPAKE - -#include -#include - -#include -#include -#include -#include - -#include -#include - -#include "xmalloc.h" -#include "ssh2.h" -#include "key.h" -#include "hostfile.h" -#include "auth.h" -#include "buffer.h" -#include "packet.h" -#include "dispatch.h" -#include "log.h" -#include "servconf.h" -#include "auth-options.h" -#include "canohost.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" - -#include "schnorr.h" -#include "jpake.h" - -/* - * XXX options->permit_empty_passwd (at the moment, they will be refused - * anyway because they will mismatch on fake salt. - */ - -/* Dispatch handlers */ -static void input_userauth_jpake_client_step1(int, u_int32_t, void *); -static void input_userauth_jpake_client_step2(int, u_int32_t, void *); -static void input_userauth_jpake_client_confirm(int, u_int32_t, void *); - -static int auth2_jpake_start(Authctxt *); - -/* import */ -extern ServerOptions options; -extern u_char *session_id2; -extern u_int session_id2_len; - -/* - * Attempt J-PAKE authentication. - */ -static int -userauth_jpake(Authctxt *authctxt) -{ - int authenticated = 0; - - packet_check_eom(); - - debug("jpake-01@openssh.com requested"); - - if (authctxt->user != NULL) { - if (authctxt->jpake_ctx == NULL) - authctxt->jpake_ctx = jpake_new(); - if (options.zero_knowledge_password_authentication) - authenticated = auth2_jpake_start(authctxt); - } - - return authenticated; -} - -Authmethod method_jpake = { - "jpake-01@openssh.com", - userauth_jpake, - &options.zero_knowledge_password_authentication -}; - -/* Clear context and callbacks */ -void -auth2_jpake_stop(Authctxt *authctxt) -{ - /* unregister callbacks */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL); - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL); - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL); - if (authctxt->jpake_ctx != NULL) { - jpake_free(authctxt->jpake_ctx); - authctxt->jpake_ctx = NULL; - } -} - -/* Returns 1 if 'c' is a valid crypt(3) salt character, 0 otherwise */ -static int -valid_crypt_salt(int c) -{ - if (c >= 'A' && c <= 'Z') - return 1; - if (c >= 'a' && c <= 'z') - return 1; - if (c >= '.' && c <= '9') - return 1; - return 0; -} - -/* - * Derive fake salt as H(username || first_private_host_key) - * This provides relatively stable fake salts for non-existent - * users and avoids the jpake method becoming an account validity - * oracle. - */ -static void -derive_rawsalt(const char *username, u_char *rawsalt, u_int len) -{ - u_char *digest; - u_int digest_len; - Buffer b; - Key *k; - - buffer_init(&b); - buffer_put_cstring(&b, username); - if ((k = get_hostkey_by_index(0)) == NULL || - (k->flags & KEY_FLAG_EXT)) - fatal("%s: no hostkeys", __func__); - switch (k->type) { - case KEY_RSA1: - case KEY_RSA: - if (k->rsa->p == NULL || k->rsa->q == NULL) - fatal("%s: RSA key missing p and/or q", __func__); - buffer_put_bignum2(&b, k->rsa->p); - buffer_put_bignum2(&b, k->rsa->q); - break; - case KEY_DSA: - if (k->dsa->priv_key == NULL) - fatal("%s: DSA key missing priv_key", __func__); - buffer_put_bignum2(&b, k->dsa->priv_key); - break; - case KEY_ECDSA: - if (EC_KEY_get0_private_key(k->ecdsa) == NULL) - fatal("%s: ECDSA key missing priv_key", __func__); - buffer_put_bignum2(&b, EC_KEY_get0_private_key(k->ecdsa)); - break; - default: - fatal("%s: unknown key type %d", __func__, k->type); - } - if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(), - &digest, &digest_len) != 0) - fatal("%s: hash_buffer", __func__); - buffer_free(&b); - if (len > digest_len) - fatal("%s: not enough bytes for rawsalt (want %u have %u)", - __func__, len, digest_len); - memcpy(rawsalt, digest, len); - bzero(digest, digest_len); - xfree(digest); -} - -/* ASCII an integer [0, 64) for inclusion in a password/salt */ -static char -pw_encode64(u_int i64) -{ - const u_char e64[] = - "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; - return e64[i64 % 64]; -} - -/* Generate ASCII salt bytes for user */ -static char * -makesalt(u_int want, const char *user) -{ - u_char rawsalt[32]; - static char ret[33]; - u_int i; - - if (want > sizeof(ret) - 1) - fatal("%s: want %u", __func__, want); - - derive_rawsalt(user, rawsalt, sizeof(rawsalt)); - bzero(ret, sizeof(ret)); - for (i = 0; i < want; i++) - ret[i] = pw_encode64(rawsalt[i]); - bzero(rawsalt, sizeof(rawsalt)); - - return ret; -} - -/* - * Select the system's default password hashing scheme and generate - * a stable fake salt under it for use by a non-existent account. - * Prevents jpake method being used to infer the validity of accounts. - */ -static void -fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme) -{ - char *rounds_s, *style; - long long rounds; - login_cap_t *lc; - - - if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL && - (lc = login_getclass(NULL)) == NULL) - fatal("%s: login_getclass failed", __func__); - style = login_getcapstr(lc, "localcipher", NULL, NULL); - if (style == NULL) - style = xstrdup("blowfish,6"); - login_close(lc); - - if ((rounds_s = strchr(style, ',')) != NULL) - *rounds_s++ = '\0'; - rounds = strtonum(rounds_s, 1, 1<<31, NULL); - - if (strcmp(style, "md5") == 0) { - xasprintf(salt, "$1$%s$", makesalt(8, authctxt->user)); - *scheme = xstrdup("md5"); - } else if (strcmp(style, "old") == 0) { - *salt = xstrdup(makesalt(2, authctxt->user)); - *scheme = xstrdup("crypt"); - } else if (strcmp(style, "newsalt") == 0) { - rounds = MAX(rounds, 7250); - rounds = MIN(rounds, (1<<24) - 1); - xasprintf(salt, "_%c%c%c%c%s", - pw_encode64(rounds), pw_encode64(rounds >> 6), - pw_encode64(rounds >> 12), pw_encode64(rounds >> 18), - makesalt(4, authctxt->user)); - *scheme = xstrdup("crypt-extended"); - } else { - /* Default to blowfish */ - rounds = MAX(rounds, 3); - rounds = MIN(rounds, 31); - xasprintf(salt, "$2a$%02lld$%s", rounds, - makesalt(22, authctxt->user)); - *scheme = xstrdup("bcrypt"); - } - xfree(style); - debug3("%s: fake %s salt for user %s: %s", - __func__, *scheme, authctxt->user, *salt); -} - -/* - * Fetch password hashing scheme, password salt and derive shared secret - * for user. If user does not exist, a fake but stable and user-unique - * salt will be returned. - */ -void -auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s, - char **hash_scheme, char **salt) -{ - char *cp; - u_char *secret; - u_int secret_len, salt_len; - -#ifdef JPAKE_DEBUG - debug3("%s: valid %d pw %.5s...", __func__, - authctxt->valid, authctxt->pw->pw_passwd); -#endif - - *salt = NULL; - *hash_scheme = NULL; - if (authctxt->valid) { - if (strncmp(authctxt->pw->pw_passwd, "$2$", 3) == 0 && - strlen(authctxt->pw->pw_passwd) > 28) { - /* - * old-variant bcrypt: - * "$2$", 2 digit rounds, "$", 22 bytes salt - */ - salt_len = 3 + 2 + 1 + 22 + 1; - *salt = xmalloc(salt_len); - strlcpy(*salt, authctxt->pw->pw_passwd, salt_len); - *hash_scheme = xstrdup("bcrypt"); - } else if (strncmp(authctxt->pw->pw_passwd, "$2a$", 4) == 0 && - strlen(authctxt->pw->pw_passwd) > 29) { - /* - * current-variant bcrypt: - * "$2a$", 2 digit rounds, "$", 22 bytes salt - */ - salt_len = 4 + 2 + 1 + 22 + 1; - *salt = xmalloc(salt_len); - strlcpy(*salt, authctxt->pw->pw_passwd, salt_len); - *hash_scheme = xstrdup("bcrypt"); - } else if (strncmp(authctxt->pw->pw_passwd, "$1$", 3) == 0 && - strlen(authctxt->pw->pw_passwd) > 5) { - /* - * md5crypt: - * "$1$", salt until "$" - */ - cp = strchr(authctxt->pw->pw_passwd + 3, '$'); - if (cp != NULL) { - salt_len = (cp - authctxt->pw->pw_passwd) + 1; - *salt = xmalloc(salt_len); - strlcpy(*salt, authctxt->pw->pw_passwd, - salt_len); - *hash_scheme = xstrdup("md5crypt"); - } - } else if (strncmp(authctxt->pw->pw_passwd, "_", 1) == 0 && - strlen(authctxt->pw->pw_passwd) > 9) { - /* - * BSDI extended crypt: - * "_", 4 digits count, 4 chars salt - */ - salt_len = 1 + 4 + 4 + 1; - *salt = xmalloc(salt_len); - strlcpy(*salt, authctxt->pw->pw_passwd, salt_len); - *hash_scheme = xstrdup("crypt-extended"); - } else if (strlen(authctxt->pw->pw_passwd) == 13 && - valid_crypt_salt(authctxt->pw->pw_passwd[0]) && - valid_crypt_salt(authctxt->pw->pw_passwd[1])) { - /* - * traditional crypt: - * 2 chars salt - */ - salt_len = 2 + 1; - *salt = xmalloc(salt_len); - strlcpy(*salt, authctxt->pw->pw_passwd, salt_len); - *hash_scheme = xstrdup("crypt"); - } - if (*salt == NULL) { - debug("%s: unrecognised crypt scheme for user %s", - __func__, authctxt->pw->pw_name); - } - } - if (*salt == NULL) - fake_salt_and_scheme(authctxt, salt, hash_scheme); - - if (hash_buffer(authctxt->pw->pw_passwd, - strlen(authctxt->pw->pw_passwd), EVP_sha256(), - &secret, &secret_len) != 0) - fatal("%s: hash_buffer", __func__); - if ((*s = BN_bin2bn(secret, secret_len, NULL)) == NULL) - fatal("%s: BN_bin2bn (secret)", __func__); -#ifdef JPAKE_DEBUG - debug3("%s: salt = %s (len %u)", __func__, - *salt, (u_int)strlen(*salt)); - debug3("%s: scheme = %s", __func__, *hash_scheme); - JPAKE_DEBUG_BN((*s, "%s: s = ", __func__)); -#endif - bzero(secret, secret_len); - xfree(secret); -} - -/* - * Begin authentication attempt. - * Note, sets authctxt->postponed while in subprotocol - */ -static int -auth2_jpake_start(Authctxt *authctxt) -{ - struct jpake_ctx *pctx = authctxt->jpake_ctx; - u_char *x3_proof, *x4_proof; - u_int x3_proof_len, x4_proof_len; - char *salt, *hash_scheme; - - debug("%s: start", __func__); - - PRIVSEP(jpake_step1(pctx->grp, - &pctx->server_id, &pctx->server_id_len, - &pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4, - &x3_proof, &x3_proof_len, - &x4_proof, &x4_proof_len)); - - PRIVSEP(auth2_jpake_get_pwdata(authctxt, &pctx->s, - &hash_scheme, &salt)); - - if (!use_privsep) - JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__)); - - packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1); - packet_put_cstring(hash_scheme); - packet_put_cstring(salt); - packet_put_string(pctx->server_id, pctx->server_id_len); - packet_put_bignum2(pctx->g_x3); - packet_put_bignum2(pctx->g_x4); - packet_put_string(x3_proof, x3_proof_len); - packet_put_string(x4_proof, x4_proof_len); - packet_send(); - packet_write_wait(); - - bzero(hash_scheme, strlen(hash_scheme)); - bzero(salt, strlen(salt)); - xfree(hash_scheme); - xfree(salt); - bzero(x3_proof, x3_proof_len); - bzero(x4_proof, x4_proof_len); - xfree(x3_proof); - xfree(x4_proof); - - /* Expect step 1 packet from peer */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, - input_userauth_jpake_client_step1); - - authctxt->postponed = 1; - return 0; -} - -/* ARGSUSED */ -static void -input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt) -{ - Authctxt *authctxt = ctxt; - struct jpake_ctx *pctx = authctxt->jpake_ctx; - u_char *x1_proof, *x2_proof, *x4_s_proof; - u_int x1_proof_len, x2_proof_len, x4_s_proof_len; - - /* Disable this message */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL); - - /* Fetch step 1 values */ - if ((pctx->g_x1 = BN_new()) == NULL || - (pctx->g_x2 = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - pctx->client_id = packet_get_string(&pctx->client_id_len); - packet_get_bignum2(pctx->g_x1); - packet_get_bignum2(pctx->g_x2); - x1_proof = packet_get_string(&x1_proof_len); - x2_proof = packet_get_string(&x2_proof_len); - packet_check_eom(); - - if (!use_privsep) - JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__)); - - PRIVSEP(jpake_step2(pctx->grp, pctx->s, pctx->g_x3, - pctx->g_x1, pctx->g_x2, pctx->x4, - pctx->client_id, pctx->client_id_len, - pctx->server_id, pctx->server_id_len, - x1_proof, x1_proof_len, - x2_proof, x2_proof_len, - &pctx->b, - &x4_s_proof, &x4_s_proof_len)); - - bzero(x1_proof, x1_proof_len); - bzero(x2_proof, x2_proof_len); - xfree(x1_proof); - xfree(x2_proof); - - if (!use_privsep) - JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__)); - - /* Send values for step 2 */ - packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2); - packet_put_bignum2(pctx->b); - packet_put_string(x4_s_proof, x4_s_proof_len); - packet_send(); - packet_write_wait(); - - bzero(x4_s_proof, x4_s_proof_len); - xfree(x4_s_proof); - - /* Expect step 2 packet from peer */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, - input_userauth_jpake_client_step2); -} - -/* ARGSUSED */ -static void -input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt) -{ - Authctxt *authctxt = ctxt; - struct jpake_ctx *pctx = authctxt->jpake_ctx; - u_char *x2_s_proof; - u_int x2_s_proof_len; - - /* Disable this message */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL); - - if ((pctx->a = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - - /* Fetch step 2 values */ - packet_get_bignum2(pctx->a); - x2_s_proof = packet_get_string(&x2_s_proof_len); - packet_check_eom(); - - if (!use_privsep) - JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__)); - - /* Derive shared key and calculate confirmation hash */ - PRIVSEP(jpake_key_confirm(pctx->grp, pctx->s, pctx->a, - pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2, - pctx->server_id, pctx->server_id_len, - pctx->client_id, pctx->client_id_len, - session_id2, session_id2_len, - x2_s_proof, x2_s_proof_len, - &pctx->k, - &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len)); - - bzero(x2_s_proof, x2_s_proof_len); - xfree(x2_s_proof); - - if (!use_privsep) - JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); - - /* Send key confirmation proof */ - packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM); - packet_put_string(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len); - packet_send(); - packet_write_wait(); - - /* Expect confirmation from peer */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, - input_userauth_jpake_client_confirm); -} - -/* ARGSUSED */ -static void -input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt) -{ - Authctxt *authctxt = ctxt; - struct jpake_ctx *pctx = authctxt->jpake_ctx; - int authenticated = 0; - - /* Disable this message */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL); - - pctx->h_k_cid_sessid = packet_get_string(&pctx->h_k_cid_sessid_len); - packet_check_eom(); - - if (!use_privsep) - JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__)); - - /* Verify expected confirmation hash */ - if (PRIVSEP(jpake_check_confirm(pctx->k, - pctx->client_id, pctx->client_id_len, - session_id2, session_id2_len, - pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len)) == 1) - authenticated = authctxt->valid ? 1 : 0; - else - debug("%s: confirmation mismatch", __func__); - - /* done */ - authctxt->postponed = 0; - jpake_free(authctxt->jpake_ctx); - authctxt->jpake_ctx = NULL; - userauth_finish(authctxt, authenticated, method_jpake.name, NULL); -} - -#endif /* JPAKE */ - diff --git a/crypto/openssh/auth2-kbdint.c b/crypto/openssh/auth2-kbdint.c index fae67da6e..c39bdc62d 100644 --- a/crypto/openssh/auth2-kbdint.c +++ b/crypto/openssh/auth2-kbdint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth2-kbdint.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -56,8 +56,8 @@ userauth_kbdint(Authctxt *authctxt) if (options.challenge_response_authentication) authenticated = auth2_challenge(authctxt, devs); - xfree(devs); - xfree(lang); + free(devs); + free(lang); return authenticated; } diff --git a/crypto/openssh/auth2-passwd.c b/crypto/openssh/auth2-passwd.c index 5f1f3635f..707680cd0 100644 --- a/crypto/openssh/auth2-passwd.c +++ b/crypto/openssh/auth2-passwd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth2-passwd.c,v 1.11 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -59,8 +59,8 @@ userauth_passwd(Authctxt *authctxt) if (change) { /* discard new password from packet */ newpass = packet_get_string(&newlen); - memset(newpass, 0, newlen); - xfree(newpass); + explicit_bzero(newpass, newlen); + free(newpass); } packet_check_eom(); @@ -68,8 +68,8 @@ userauth_passwd(Authctxt *authctxt) logit("password change not supported"); else if (PRIVSEP(auth_password(authctxt, password)) == 1) authenticated = 1; - memset(password, 0, len); - xfree(password); + explicit_bzero(password, len); + free(password); return authenticated; } diff --git a/crypto/openssh/auth2-pubkey.c b/crypto/openssh/auth2-pubkey.c index 3ff6faa8b..0fd27bb92 100644 --- a/crypto/openssh/auth2-pubkey.c +++ b/crypto/openssh/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.39 2013/12/30 23:52:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -75,7 +75,7 @@ userauth_pubkey(Authctxt *authctxt) { Buffer b; Key *key = NULL; - char *pkalg; + char *pkalg, *userstyle; u_char *pkblob, *sig; u_int alen, blen, slen; int have_sig, pktype; @@ -116,6 +116,12 @@ userauth_pubkey(Authctxt *authctxt) "(received %d, expected %d)", key->type, pktype); goto done; } + if (key_type_plain(key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + logit("Refusing RSA key because client uses unsafe " + "signature scheme"); + goto done; + } if (have_sig) { sig = packet_get_string(&slen); packet_check_eom(); @@ -127,7 +133,11 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); - buffer_put_cstring(&b, authctxt->user); + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); + buffer_put_cstring(&b, userstyle); + free(userstyle); buffer_put_cstring(&b, datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : @@ -143,6 +153,8 @@ userauth_pubkey(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); #endif + pubkey_auth_info(authctxt, key, NULL); + /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && @@ -150,7 +162,7 @@ userauth_pubkey(Authctxt *authctxt) buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); - xfree(sig); + free(sig); } else { debug("test whether pkalg/pkblob are acceptable"); packet_check_eom(); @@ -178,11 +190,45 @@ done: debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); return authenticated; } +void +pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) +{ + char *fp, *extra; + va_list ap; + int i; + + extra = NULL; + if (fmt != NULL) { + va_start(ap, fmt); + i = vasprintf(&extra, fmt, ap); + va_end(ap); + if (i < 0 || extra == NULL) + fatal("%s: vasprintf failed", __func__); + } + + if (key_is_cert(key)) { + fp = key_fingerprint(key->cert->signature_key, + SSH_FP_MD5, SSH_FP_HEX); + auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", + key_type(key), key->cert->key_id, + (unsigned long long)key->cert->serial, + key_type(key->cert->signature_key), fp, + extra == NULL ? "" : ", ", extra == NULL ? "" : extra); + free(fp); + } else { + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + auth_info(authctxt, "%s %s%s%s", key_type(key), fp, + extra == NULL ? "" : ", ", extra == NULL ? "" : extra); + free(fp); + } + free(extra); +} + static int match_principals_option(const char *principal_list, struct KeyCert *cert) { @@ -196,7 +242,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert) principal_list, NULL)) != NULL) { debug3("matched principal from key options \"%.100s\"", result); - xfree(result); + free(result); return 1; } } @@ -276,11 +322,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) char *fp; found_key = 0; - found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); + found = NULL; while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp, *key_options = NULL; - + if (found != NULL) + key_free(found); + found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); auth_clear_options(); /* Skip leading whitespace, empty and comment lines. */ @@ -332,7 +380,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) reason = "Certificate does not contain an " "authorized principal"; fail_reason: - xfree(fp); + free(fp); error("%s", reason); auth_debug_add("%s", reason); continue; @@ -342,13 +390,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) &reason) != 0) goto fail_reason; if (auth_cert_options(key, pw) != 0) { - xfree(fp); + free(fp); continue; } verbose("Accepted certificate ID \"%s\" " "signed by %s CA %s via %s", key->cert->key_id, key_type(found), fp, file); - xfree(fp); + free(fp); found_key = 1; break; } else if (key_equal(found, key)) { @@ -358,16 +406,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) if (key_is_cert_authority) continue; found_key = 1; - debug("matching key found: file %s, line %lu", - file, linenum); fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); - verbose("Found matching %s key: %s", - key_type(found), fp); - xfree(fp); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(found), fp); + free(fp); break; } } - key_free(found); + if (found != NULL) + key_free(found); if (!found_key) debug2("key not found"); return found_key; @@ -421,10 +468,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) ret = 1; out: - if (principals_file != NULL) - xfree(principals_file); - if (ca_fp != NULL) - xfree(ca_fp); + free(principals_file); + free(ca_fp); return ret; } @@ -629,7 +674,7 @@ user_key_allowed(struct passwd *pw, Key *key) options.authorized_keys_files[i], pw); success = user_key_allowed2(pw, key, file); - xfree(file); + free(file); } return success; diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c index 7e50bf71b..578940171 100644 --- a/crypto/openssh/auth2.c +++ b/crypto/openssh/auth2.c @@ -1,4 +1,5 @@ -/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.130 2014/01/29 06:18:35 djm Exp $ */ +/* $FreeBSD$ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -73,18 +74,12 @@ extern Authmethod method_hostbased; #ifdef GSSAPI extern Authmethod method_gssapi; #endif -#ifdef JPAKE -extern Authmethod method_jpake; -#endif Authmethod *authmethods[] = { &method_none, &method_pubkey, #ifdef GSSAPI &method_gssapi, -#endif -#ifdef JPAKE - &method_jpake, #endif &method_passwd, &method_kbdint, @@ -100,8 +95,12 @@ static void input_userauth_request(int, u_int32_t, void *); /* helper */ static Authmethod *authmethod_lookup(Authctxt *, const char *); static char *authmethods_get(Authctxt *authctxt); -static int method_allowed(Authctxt *, const char *); -static int list_starts_with(const char *, const char *); + +#define MATCH_NONE 0 /* method or submethod mismatch */ +#define MATCH_METHOD 1 /* method matches (no submethod specified) */ +#define MATCH_BOTH 2 /* method and submethod match */ +#define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */ +static int list_starts_with(const char *, const char *, const char *); char * auth2_read_banner(void) @@ -128,7 +127,7 @@ auth2_read_banner(void) close(fd); if (n != len) { - xfree(banner); + free(banner); return (NULL); } banner[n] = '\0'; @@ -164,8 +163,7 @@ userauth_banner(void) userauth_send_banner(banner); done: - if (banner) - xfree(banner); + free(banner); } /* @@ -210,7 +208,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt) debug("bad service request %s", service); packet_disconnect("bad service request %s", service); } - xfree(service); + free(service); } /*ARGSUSED*/ @@ -297,9 +295,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) /* reset state */ auth2_challenge_stop(authctxt); -#ifdef JPAKE - auth2_jpake_stop(authctxt); -#endif #ifdef GSSAPI /* XXX move to auth2_gssapi_stop() */ @@ -318,9 +313,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) } userauth_finish(authctxt, authenticated, method, NULL); - xfree(service); - xfree(user); - xfree(method); + free(service); + free(user); + free(method); } void @@ -346,14 +341,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, } if (authenticated && options.num_auth_methods != 0) { - if (!auth2_update_methods_lists(authctxt, method)) { + if (!auth2_update_methods_lists(authctxt, method, submethod)) { authenticated = 0; partial = 1; } } /* Log before sending the reply */ - auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); + auth_log(authctxt, authenticated, partial, method, submethod); if (authctxt->postponed) return; @@ -408,7 +403,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, packet_put_char(partial); packet_send(); packet_write_wait(); - xfree(methods); + free(methods); } } @@ -417,8 +412,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, * methods list. Returns 1 if allowed, or no methods lists configured. * 0 otherwise. */ -static int -method_allowed(Authctxt *authctxt, const char *method) +int +auth2_method_allowed(Authctxt *authctxt, const char *method, + const char *submethod) { u_int i; @@ -429,7 +425,8 @@ method_allowed(Authctxt *authctxt, const char *method) if (options.num_auth_methods == 0) return 1; for (i = 0; i < authctxt->num_auth_methods; i++) { - if (list_starts_with(authctxt->auth_methods[i], method)) + if (list_starts_with(authctxt->auth_methods[i], method, + submethod) != MATCH_NONE) return 1; } return 0; @@ -449,7 +446,8 @@ authmethods_get(Authctxt *authctxt) if (authmethods[i]->enabled == NULL || *(authmethods[i]->enabled) == 0) continue; - if (!method_allowed(authctxt, authmethods[i]->name)) + if (!auth2_method_allowed(authctxt, authmethods[i]->name, + NULL)) continue; if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); @@ -472,7 +470,8 @@ authmethod_lookup(Authctxt *authctxt, const char *name) if (authmethods[i]->enabled != NULL && *(authmethods[i]->enabled) != 0 && strcmp(name, authmethods[i]->name) == 0 && - method_allowed(authctxt, authmethods[i]->name)) + auth2_method_allowed(authctxt, + authmethods[i]->name, NULL)) return authmethods[i]; debug2("Unrecognized authentication method name: %s", name ? name : "NULL"); @@ -487,7 +486,7 @@ authmethod_lookup(Authctxt *authctxt, const char *name) int auth2_methods_valid(const char *_methods, int need_enable) { - char *methods, *omethods, *method; + char *methods, *omethods, *method, *p; u_int i, found; int ret = -1; @@ -498,6 +497,8 @@ auth2_methods_valid(const char *_methods, int need_enable) omethods = methods = xstrdup(_methods); while ((method = strsep(&methods, ",")) != NULL) { for (found = i = 0; !found && authmethods[i] != NULL; i++) { + if ((p = strchr(method, ':')) != NULL) + *p = '\0'; if (strcmp(method, authmethods[i]->name) != 0) continue; if (need_enable) { @@ -563,15 +564,30 @@ auth2_setup_methods_lists(Authctxt *authctxt) } static int -list_starts_with(const char *methods, const char *method) +list_starts_with(const char *methods, const char *method, + const char *submethod) { size_t l = strlen(method); + int match; + const char *p; if (strncmp(methods, method, l) != 0) - return 0; - if (methods[l] != ',' && methods[l] != '\0') - return 0; - return 1; + return MATCH_NONE; + p = methods + l; + match = MATCH_METHOD; + if (*p == ':') { + if (!submethod) + return MATCH_PARTIAL; + l = strlen(submethod); + p += 1; + if (strncmp(submethod, p, l)) + return MATCH_NONE; + p += l; + match = MATCH_BOTH; + } + if (*p != ',' && *p != '\0') + return MATCH_NONE; + return match; } /* @@ -580,14 +596,21 @@ list_starts_with(const char *methods, const char *method) * if it did. */ static int -remove_method(char **methods, const char *method) +remove_method(char **methods, const char *method, const char *submethod) { - char *omethods = *methods; + char *omethods = *methods, *p; size_t l = strlen(method); + int match; - if (!list_starts_with(omethods, method)) + match = list_starts_with(omethods, method, submethod); + if (match != MATCH_METHOD && match != MATCH_BOTH) return 0; - *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0)); + p = omethods + l; + if (submethod && match == MATCH_BOTH) + p += 1 + strlen(submethod); /* include colon */ + if (*p == ',') + p++; + *methods = xstrdup(p); free(omethods); return 1; } @@ -599,13 +622,15 @@ remove_method(char **methods, const char *method) * Returns 1 if the method completed any authentication list or 0 otherwise. */ int -auth2_update_methods_lists(Authctxt *authctxt, const char *method) +auth2_update_methods_lists(Authctxt *authctxt, const char *method, + const char *submethod) { u_int i, found = 0; debug3("%s: updating methods list after \"%s\"", __func__, method); for (i = 0; i < authctxt->num_auth_methods; i++) { - if (!remove_method(&(authctxt->auth_methods[i]), method)) + if (!remove_method(&(authctxt->auth_methods[i]), method, + submethod)) continue; found = 1; if (*authctxt->auth_methods[i] == '\0') { diff --git a/crypto/openssh/authfd.c b/crypto/openssh/authfd.c index f037e838b..cea3f97b4 100644 --- a/crypto/openssh/authfd.c +++ b/crypto/openssh/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.86 2011/07/06 18:09:21 tedu Exp $ */ +/* $OpenBSD: authfd.c,v 1.92 2014/01/31 16:39:19 tedu Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,8 +42,8 @@ #include #include - #include + #include #include #include @@ -102,7 +102,7 @@ ssh_get_authentication_socket(void) if (!authsocket) return -1; - bzero(&sunaddr, sizeof(sunaddr)); + memset(&sunaddr, 0, sizeof(sunaddr)); sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)); @@ -206,7 +206,7 @@ ssh_get_authentication_connection(void) if (sock < 0) return NULL; - auth = xmalloc(sizeof(*auth)); + auth = xcalloc(1, sizeof(*auth)); auth->fd = sock; buffer_init(&auth->identities); auth->howmany = 0; @@ -224,7 +224,7 @@ ssh_close_authentication_connection(AuthenticationConnection *auth) { buffer_free(&auth->identities); close(auth->fd); - xfree(auth); + free(auth); } /* Lock/unlock agent */ @@ -343,7 +343,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio blob = buffer_get_string(&auth->identities, &blen); *comment = buffer_get_string(&auth->identities, NULL); key = key_from_blob(blob, blen); - xfree(blob); + free(blob); break; default: return NULL; @@ -436,7 +436,7 @@ ssh_agent_sign(AuthenticationConnection *auth, buffer_put_string(&msg, blob, blen); buffer_put_string(&msg, data, datalen); buffer_put_int(&msg, flags); - xfree(blob); + free(blob); if (ssh_request_reply(auth, &msg, &msg) == 0) { buffer_free(&msg); @@ -474,58 +474,7 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) static void ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) { - buffer_put_cstring(b, key_ssh_name(key)); - switch (key->type) { - case KEY_RSA: - buffer_put_bignum2(b, key->rsa->n); - buffer_put_bignum2(b, key->rsa->e); - buffer_put_bignum2(b, key->rsa->d); - buffer_put_bignum2(b, key->rsa->iqmp); - buffer_put_bignum2(b, key->rsa->p); - buffer_put_bignum2(b, key->rsa->q); - break; - case KEY_RSA_CERT_V00: - case KEY_RSA_CERT: - if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) - fatal("%s: no cert/certblob", __func__); - buffer_put_string(b, buffer_ptr(&key->cert->certblob), - buffer_len(&key->cert->certblob)); - buffer_put_bignum2(b, key->rsa->d); - buffer_put_bignum2(b, key->rsa->iqmp); - buffer_put_bignum2(b, key->rsa->p); - buffer_put_bignum2(b, key->rsa->q); - break; - case KEY_DSA: - buffer_put_bignum2(b, key->dsa->p); - buffer_put_bignum2(b, key->dsa->q); - buffer_put_bignum2(b, key->dsa->g); - buffer_put_bignum2(b, key->dsa->pub_key); - buffer_put_bignum2(b, key->dsa->priv_key); - break; - case KEY_DSA_CERT_V00: - case KEY_DSA_CERT: - if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) - fatal("%s: no cert/certblob", __func__); - buffer_put_string(b, buffer_ptr(&key->cert->certblob), - buffer_len(&key->cert->certblob)); - buffer_put_bignum2(b, key->dsa->priv_key); - break; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid)); - buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa), - EC_KEY_get0_public_key(key->ecdsa)); - buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); - break; - case KEY_ECDSA_CERT: - if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) - fatal("%s: no cert/certblob", __func__); - buffer_put_string(b, buffer_ptr(&key->cert->certblob), - buffer_len(&key->cert->certblob)); - buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); - break; -#endif - } + key_private_serialize(key, b); buffer_put_cstring(b, comment); } @@ -559,6 +508,8 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key, case KEY_DSA_CERT_V00: case KEY_ECDSA: case KEY_ECDSA_CERT: + case KEY_ED25519: + case KEY_ED25519_CERT: type = constrained ? SSH2_AGENTC_ADD_ID_CONSTRAINED : SSH2_AGENTC_ADD_IDENTITY; @@ -606,13 +557,11 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) buffer_put_int(&msg, BN_num_bits(key->rsa->n)); buffer_put_bignum(&msg, key->rsa->e); buffer_put_bignum(&msg, key->rsa->n); - } else if (key_type_plain(key->type) == KEY_DSA || - key_type_plain(key->type) == KEY_RSA || - key_type_plain(key->type) == KEY_ECDSA) { + } else if (key->type != KEY_UNSPEC) { key_to_blob(key, &blob, &blen); buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); buffer_put_string(&msg, blob, blen); - xfree(blob); + free(blob); } else { buffer_free(&msg); return 0; diff --git a/crypto/openssh/authfile.c b/crypto/openssh/authfile.c index 3544d170b..d7eaa9dec 100644 --- a/crypto/openssh/authfile.c +++ b/crypto/openssh/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.103 2014/02/02 03:44:31 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -13,7 +13,7 @@ * called by a name other than "ssh" or "Secure Shell". * * - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -50,6 +50,8 @@ /* compatibility with old or broken OpenSSL versions */ #include "openbsd-compat/openssl-compat.h" +#include "crypto_api.h" + #include #include #include @@ -58,6 +60,10 @@ #include #include +#ifdef HAVE_UTIL_H +#include +#endif + #include "xmalloc.h" #include "cipher.h" #include "buffer.h" @@ -68,6 +74,16 @@ #include "rsa.h" #include "misc.h" #include "atomicio.h" +#include "uuencode.h" + +/* openssh private key file format */ +#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" +#define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" +#define KDFNAME "bcrypt" +#define AUTH_MAGIC "openssh-key-v1" +#define SALT_LEN 16 +#define DEFAULT_CIPHERNAME "aes256-cbc" +#define DEFAULT_ROUNDS 16 #define MAX_KEY_FILE_SIZE (1024 * 1024) @@ -75,6 +91,333 @@ static const char authfile_id_string[] = "SSH PRIVATE KEY FILE FORMAT 1.1\n"; +static int +key_private_to_blob2(Key *prv, Buffer *blob, const char *passphrase, + const char *comment, const char *ciphername, int rounds) +{ + u_char *key, *cp, salt[SALT_LEN]; + size_t keylen, ivlen, blocksize, authlen; + u_int len, check; + int i, n; + const Cipher *c; + Buffer encoded, b, kdf; + CipherContext ctx; + const char *kdfname = KDFNAME; + + if (rounds <= 0) + rounds = DEFAULT_ROUNDS; + if (passphrase == NULL || !strlen(passphrase)) { + ciphername = "none"; + kdfname = "none"; + } else if (ciphername == NULL) + ciphername = DEFAULT_CIPHERNAME; + else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) + fatal("invalid cipher"); + + if ((c = cipher_by_name(ciphername)) == NULL) + fatal("unknown cipher name"); + buffer_init(&kdf); + blocksize = cipher_blocksize(c); + keylen = cipher_keylen(c); + ivlen = cipher_ivlen(c); + authlen = cipher_authlen(c); + key = xcalloc(1, keylen + ivlen); + if (strcmp(kdfname, "none") != 0) { + arc4random_buf(salt, SALT_LEN); + if (bcrypt_pbkdf(passphrase, strlen(passphrase), + salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) + fatal("bcrypt_pbkdf failed"); + buffer_put_string(&kdf, salt, SALT_LEN); + buffer_put_int(&kdf, rounds); + } + cipher_init(&ctx, c, key, keylen, key + keylen , ivlen, 1); + explicit_bzero(key, keylen + ivlen); + free(key); + + buffer_init(&encoded); + buffer_append(&encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC)); + buffer_put_cstring(&encoded, ciphername); + buffer_put_cstring(&encoded, kdfname); + buffer_put_string(&encoded, buffer_ptr(&kdf), buffer_len(&kdf)); + buffer_put_int(&encoded, 1); /* number of keys */ + key_to_blob(prv, &cp, &len); /* public key */ + buffer_put_string(&encoded, cp, len); + + explicit_bzero(cp, len); + free(cp); + + buffer_free(&kdf); + + /* set up the buffer that will be encrypted */ + buffer_init(&b); + + /* Random check bytes */ + check = arc4random(); + buffer_put_int(&b, check); + buffer_put_int(&b, check); + + /* append private key and comment*/ + key_private_serialize(prv, &b); + buffer_put_cstring(&b, comment); + + /* padding */ + i = 0; + while (buffer_len(&b) % blocksize) + buffer_put_char(&b, ++i & 0xff); + + /* length */ + buffer_put_int(&encoded, buffer_len(&b)); + + /* encrypt */ + cp = buffer_append_space(&encoded, buffer_len(&b) + authlen); + if (cipher_crypt(&ctx, 0, cp, buffer_ptr(&b), buffer_len(&b), 0, + authlen) != 0) + fatal("%s: cipher_crypt failed", __func__); + buffer_free(&b); + cipher_cleanup(&ctx); + + /* uuencode */ + len = 2 * buffer_len(&encoded); + cp = xmalloc(len); + n = uuencode(buffer_ptr(&encoded), buffer_len(&encoded), + (char *)cp, len); + if (n < 0) + fatal("%s: uuencode", __func__); + + buffer_clear(blob); + buffer_append(blob, MARK_BEGIN, sizeof(MARK_BEGIN) - 1); + for (i = 0; i < n; i++) { + buffer_put_char(blob, cp[i]); + if (i % 70 == 69) + buffer_put_char(blob, '\n'); + } + if (i % 70 != 69) + buffer_put_char(blob, '\n'); + buffer_append(blob, MARK_END, sizeof(MARK_END) - 1); + free(cp); + + return buffer_len(blob); +} + +static Key * +key_parse_private2(Buffer *blob, int type, const char *passphrase, + char **commentp) +{ + u_char *key = NULL, *cp, *salt = NULL, pad, last; + char *comment = NULL, *ciphername = NULL, *kdfname = NULL, *kdfp; + u_int keylen = 0, ivlen, blocksize, slen, klen, len, rounds, nkeys; + u_int check1, check2, m1len, m2len; + size_t authlen; + const Cipher *c; + Buffer b, encoded, copy, kdf; + CipherContext ctx; + Key *k = NULL; + int dlen, ret, i; + + buffer_init(&b); + buffer_init(&kdf); + buffer_init(&encoded); + buffer_init(©); + + /* uudecode */ + m1len = sizeof(MARK_BEGIN) - 1; + m2len = sizeof(MARK_END) - 1; + cp = buffer_ptr(blob); + len = buffer_len(blob); + if (len < m1len || memcmp(cp, MARK_BEGIN, m1len)) { + debug("%s: missing begin marker", __func__); + goto out; + } + cp += m1len; + len -= m1len; + while (len) { + if (*cp != '\n' && *cp != '\r') + buffer_put_char(&encoded, *cp); + last = *cp; + len--; + cp++; + if (last == '\n') { + if (len >= m2len && !memcmp(cp, MARK_END, m2len)) { + buffer_put_char(&encoded, '\0'); + break; + } + } + } + if (!len) { + debug("%s: no end marker", __func__); + goto out; + } + len = buffer_len(&encoded); + if ((cp = buffer_append_space(©, len)) == NULL) { + error("%s: buffer_append_space", __func__); + goto out; + } + if ((dlen = uudecode(buffer_ptr(&encoded), cp, len)) < 0) { + error("%s: uudecode failed", __func__); + goto out; + } + if ((u_int)dlen > len) { + error("%s: crazy uudecode length %d > %u", __func__, dlen, len); + goto out; + } + buffer_consume_end(©, len - dlen); + if (buffer_len(©) < sizeof(AUTH_MAGIC) || + memcmp(buffer_ptr(©), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { + error("%s: bad magic", __func__); + goto out; + } + buffer_consume(©, sizeof(AUTH_MAGIC)); + + ciphername = buffer_get_cstring_ret(©, NULL); + if (ciphername == NULL || + (c = cipher_by_name(ciphername)) == NULL) { + error("%s: unknown cipher name", __func__); + goto out; + } + if ((passphrase == NULL || !strlen(passphrase)) && + strcmp(ciphername, "none") != 0) { + /* passphrase required */ + goto out; + } + kdfname = buffer_get_cstring_ret(©, NULL); + if (kdfname == NULL || + (!strcmp(kdfname, "none") && !strcmp(kdfname, "bcrypt"))) { + error("%s: unknown kdf name", __func__); + goto out; + } + if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { + error("%s: cipher %s requires kdf", __func__, ciphername); + goto out; + } + /* kdf options */ + kdfp = buffer_get_string_ptr_ret(©, &klen); + if (kdfp == NULL) { + error("%s: kdf options not set", __func__); + goto out; + } + if (klen > 0) { + if ((cp = buffer_append_space(&kdf, klen)) == NULL) { + error("%s: kdf alloc failed", __func__); + goto out; + } + memcpy(cp, kdfp, klen); + } + /* number of keys */ + if (buffer_get_int_ret(&nkeys, ©) < 0) { + error("%s: key counter missing", __func__); + goto out; + } + if (nkeys != 1) { + error("%s: only one key supported", __func__); + goto out; + } + /* pubkey */ + if ((cp = buffer_get_string_ret(©, &len)) == NULL) { + error("%s: pubkey not found", __func__); + goto out; + } + free(cp); /* XXX check pubkey against decrypted private key */ + + /* size of encrypted key blob */ + len = buffer_get_int(©); + blocksize = cipher_blocksize(c); + authlen = cipher_authlen(c); + if (len < blocksize) { + error("%s: encrypted data too small", __func__); + goto out; + } + if (len % blocksize) { + error("%s: length not multiple of blocksize", __func__); + goto out; + } + + /* setup key */ + keylen = cipher_keylen(c); + ivlen = cipher_ivlen(c); + key = xcalloc(1, keylen + ivlen); + if (!strcmp(kdfname, "bcrypt")) { + if ((salt = buffer_get_string_ret(&kdf, &slen)) == NULL) { + error("%s: salt not set", __func__); + goto out; + } + if (buffer_get_int_ret(&rounds, &kdf) < 0) { + error("%s: rounds not set", __func__); + goto out; + } + if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, + key, keylen + ivlen, rounds) < 0) { + error("%s: bcrypt_pbkdf failed", __func__); + goto out; + } + } + + cp = buffer_append_space(&b, len); + cipher_init(&ctx, c, key, keylen, key + keylen, ivlen, 0); + ret = cipher_crypt(&ctx, 0, cp, buffer_ptr(©), len, 0, authlen); + cipher_cleanup(&ctx); + buffer_consume(©, len); + + /* fail silently on decryption errors */ + if (ret != 0) { + debug("%s: decrypt failed", __func__); + goto out; + } + + if (buffer_len(©) != 0) { + error("%s: key blob has trailing data (len = %u)", __func__, + buffer_len(©)); + goto out; + } + + /* check bytes */ + if (buffer_get_int_ret(&check1, &b) < 0 || + buffer_get_int_ret(&check2, &b) < 0) { + error("check bytes missing"); + goto out; + } + if (check1 != check2) { + debug("%s: decrypt failed: 0x%08x != 0x%08x", __func__, + check1, check2); + goto out; + } + + k = key_private_deserialize(&b); + + /* comment */ + comment = buffer_get_cstring_ret(&b, NULL); + + i = 0; + while (buffer_len(&b)) { + if (buffer_get_char_ret(&pad, &b) == -1 || + pad != (++i & 0xff)) { + error("%s: bad padding", __func__); + key_free(k); + k = NULL; + goto out; + } + } + + if (k && commentp) { + *commentp = comment; + comment = NULL; + } + + /* XXX decode pubkey and check against private */ + out: + free(ciphername); + free(kdfname); + free(salt); + free(comment); + if (key) + explicit_bzero(key, keylen + ivlen); + free(key); + buffer_free(&encoded); + buffer_free(©); + buffer_free(&kdf); + buffer_free(&b); + return k; +} + /* * Serialises the authentication (private) key to a blob, encrypting it with * passphrase. The identification of the blob (lowest 64 bits of n) will @@ -89,7 +432,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase, u_char buf[100], *cp; int i, cipher_num; CipherContext ciphercontext; - Cipher *cipher; + const Cipher *cipher; u_int32_t rnd; /* @@ -149,13 +492,14 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase, cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_ENCRYPT); - cipher_crypt(&ciphercontext, cp, - buffer_ptr(&buffer), buffer_len(&buffer), 0, 0); + if (cipher_crypt(&ciphercontext, 0, cp, + buffer_ptr(&buffer), buffer_len(&buffer), 0, 0) != 0) + fatal("%s: cipher_crypt failed", __func__); cipher_cleanup(&ciphercontext); - memset(&ciphercontext, 0, sizeof(ciphercontext)); + explicit_bzero(&ciphercontext, sizeof(ciphercontext)); /* Destroy temporary data. */ - memset(buf, 0, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); buffer_free(&buffer); buffer_append(blob, buffer_ptr(&encrypted), buffer_len(&encrypted)); @@ -239,7 +583,8 @@ key_save_private_blob(Buffer *keybuf, const char *filename) /* Serialise "key" to buffer "blob" */ static int key_private_to_blob(Key *key, Buffer *blob, const char *passphrase, - const char *comment) + const char *comment, int force_new_format, const char *new_format_cipher, + int new_format_rounds) { switch (key->type) { case KEY_RSA1: @@ -247,7 +592,14 @@ key_private_to_blob(Key *key, Buffer *blob, const char *passphrase, case KEY_DSA: case KEY_ECDSA: case KEY_RSA: + if (force_new_format) { + return key_private_to_blob2(key, blob, passphrase, + comment, new_format_cipher, new_format_rounds); + } return key_private_pem_to_blob(key, blob, passphrase, comment); + case KEY_ED25519: + return key_private_to_blob2(key, blob, passphrase, + comment, new_format_cipher, new_format_rounds); default: error("%s: cannot save key type %d", __func__, key->type); return 0; @@ -256,13 +608,15 @@ key_private_to_blob(Key *key, Buffer *blob, const char *passphrase, int key_save_private(Key *key, const char *filename, const char *passphrase, - const char *comment) + const char *comment, int force_new_format, const char *new_format_cipher, + int new_format_rounds) { Buffer keyblob; int success = 0; buffer_init(&keyblob); - if (!key_private_to_blob(key, &keyblob, passphrase, comment)) + if (!key_private_to_blob(key, &keyblob, passphrase, comment, + force_new_format, new_format_cipher, new_format_rounds)) goto out; if (!key_save_private_blob(&keyblob, filename)) goto out; @@ -349,17 +703,17 @@ key_load_file(int fd, const char *filename, Buffer *blob) __func__, filename == NULL ? "" : filename, filename == NULL ? "" : " ", strerror(errno)); buffer_clear(blob); - bzero(buf, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); return 0; } buffer_append(blob, buf, len); if (buffer_len(blob) > MAX_KEY_FILE_SIZE) { buffer_clear(blob); - bzero(buf, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); goto toobig; } } - bzero(buf, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 && st.st_size != buffer_len(blob)) { debug("%s: key file %.200s%schanged size while reading", @@ -421,7 +775,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) Buffer decrypted; u_char *cp; CipherContext ciphercontext; - Cipher *cipher; + const Cipher *cipher; Key *prv = NULL; Buffer copy; @@ -473,10 +827,11 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_DECRYPT); - cipher_crypt(&ciphercontext, cp, - buffer_ptr(©), buffer_len(©), 0, 0); + if (cipher_crypt(&ciphercontext, 0, cp, + buffer_ptr(©), buffer_len(©), 0, 0) != 0) + fatal("%s: cipher_crypt failed", __func__); cipher_cleanup(&ciphercontext); - memset(&ciphercontext, 0, sizeof(ciphercontext)); + explicit_bzero(&ciphercontext, sizeof(ciphercontext)); buffer_free(©); check1 = buffer_get_char(&decrypted); @@ -509,8 +864,8 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) return prv; fail: - if (commentp) - xfree(*commentp); + if (commentp != NULL) + free(*commentp); key_free(prv); return NULL; } @@ -641,13 +996,20 @@ static Key * key_parse_private_type(Buffer *blob, int type, const char *passphrase, char **commentp) { + Key *k; + switch (type) { case KEY_RSA1: return key_parse_private_rsa1(blob, passphrase, commentp); case KEY_DSA: case KEY_ECDSA: case KEY_RSA: + return key_parse_private_pem(blob, type, passphrase, commentp); + case KEY_ED25519: + return key_parse_private2(blob, type, passphrase, commentp); case KEY_UNSPEC: + if ((k = key_parse_private2(blob, type, passphrase, commentp))) + return k; return key_parse_private_pem(blob, type, passphrase, commentp); default: error("%s: cannot parse key type %d", __func__, type); @@ -832,10 +1194,10 @@ key_load_cert(const char *filename) pub = key_new(KEY_UNSPEC); xasprintf(&file, "%s-cert.pub", filename); if (key_try_load_public(pub, file, NULL) == 1) { - xfree(file); + free(file); return pub; } - xfree(file); + free(file); key_free(pub); return NULL; } @@ -851,6 +1213,7 @@ key_load_private_cert(int type, const char *filename, const char *passphrase, case KEY_RSA: case KEY_DSA: case KEY_ECDSA: + case KEY_ED25519: break; default: error("%s: unsupported key type", __func__); @@ -943,4 +1306,3 @@ key_in_file(Key *key, const char *filename, int strict_type) fclose(f); return ret; } - diff --git a/crypto/openssh/authfile.h b/crypto/openssh/authfile.h index 78349beb5..8ba1c2dbe 100644 --- a/crypto/openssh/authfile.h +++ b/crypto/openssh/authfile.h @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.h,v 1.16 2011/05/04 21:15:29 djm Exp $ */ +/* $OpenBSD: authfile.h,v 1.17 2013/12/06 13:34:54 markus Exp $ */ /* * Author: Tatu Ylonen @@ -15,7 +15,8 @@ #ifndef AUTHFILE_H #define AUTHFILE_H -int key_save_private(Key *, const char *, const char *, const char *); +int key_save_private(Key *, const char *, const char *, const char *, + int, const char *, int); int key_load_file(int, const char *, Buffer *); Key *key_load_cert(const char *); Key *key_load_public(const char *, char **); diff --git a/crypto/openssh/blocks.c b/crypto/openssh/blocks.c new file mode 100644 index 000000000..ad93fe509 --- /dev/null +++ b/crypto/openssh/blocks.c @@ -0,0 +1,248 @@ +/* $OpenBSD: blocks.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */ + +/* + * Public Domain, Author: Daniel J. Bernstein + * Copied from nacl-20110221/crypto_hashblocks/sha512/ref/blocks.c + */ + +#include "includes.h" + +#include "crypto_api.h" + +typedef unsigned long long uint64; + +static uint64 load_bigendian(const unsigned char *x) +{ + return + (uint64) (x[7]) \ + | (((uint64) (x[6])) << 8) \ + | (((uint64) (x[5])) << 16) \ + | (((uint64) (x[4])) << 24) \ + | (((uint64) (x[3])) << 32) \ + | (((uint64) (x[2])) << 40) \ + | (((uint64) (x[1])) << 48) \ + | (((uint64) (x[0])) << 56) + ; +} + +static void store_bigendian(unsigned char *x,uint64 u) +{ + x[7] = u; u >>= 8; + x[6] = u; u >>= 8; + x[5] = u; u >>= 8; + x[4] = u; u >>= 8; + x[3] = u; u >>= 8; + x[2] = u; u >>= 8; + x[1] = u; u >>= 8; + x[0] = u; +} + +#define SHR(x,c) ((x) >> (c)) +#define ROTR(x,c) (((x) >> (c)) | ((x) << (64 - (c)))) + +#define Ch(x,y,z) ((x & y) ^ (~x & z)) +#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z)) +#define Sigma0(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39)) +#define Sigma1(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41)) +#define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x,7)) +#define sigma1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x,6)) + +#define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0; + +#define EXPAND \ + M(w0 ,w14,w9 ,w1 ) \ + M(w1 ,w15,w10,w2 ) \ + M(w2 ,w0 ,w11,w3 ) \ + M(w3 ,w1 ,w12,w4 ) \ + M(w4 ,w2 ,w13,w5 ) \ + M(w5 ,w3 ,w14,w6 ) \ + M(w6 ,w4 ,w15,w7 ) \ + M(w7 ,w5 ,w0 ,w8 ) \ + M(w8 ,w6 ,w1 ,w9 ) \ + M(w9 ,w7 ,w2 ,w10) \ + M(w10,w8 ,w3 ,w11) \ + M(w11,w9 ,w4 ,w12) \ + M(w12,w10,w5 ,w13) \ + M(w13,w11,w6 ,w14) \ + M(w14,w12,w7 ,w15) \ + M(w15,w13,w8 ,w0 ) + +#define F(w,k) \ + T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \ + T2 = Sigma0(a) + Maj(a,b,c); \ + h = g; \ + g = f; \ + f = e; \ + e = d + T1; \ + d = c; \ + c = b; \ + b = a; \ + a = T1 + T2; + +int crypto_hashblocks_sha512(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen) +{ + uint64 state[8]; + uint64 a; + uint64 b; + uint64 c; + uint64 d; + uint64 e; + uint64 f; + uint64 g; + uint64 h; + uint64 T1; + uint64 T2; + + a = load_bigendian(statebytes + 0); state[0] = a; + b = load_bigendian(statebytes + 8); state[1] = b; + c = load_bigendian(statebytes + 16); state[2] = c; + d = load_bigendian(statebytes + 24); state[3] = d; + e = load_bigendian(statebytes + 32); state[4] = e; + f = load_bigendian(statebytes + 40); state[5] = f; + g = load_bigendian(statebytes + 48); state[6] = g; + h = load_bigendian(statebytes + 56); state[7] = h; + + while (inlen >= 128) { + uint64 w0 = load_bigendian(in + 0); + uint64 w1 = load_bigendian(in + 8); + uint64 w2 = load_bigendian(in + 16); + uint64 w3 = load_bigendian(in + 24); + uint64 w4 = load_bigendian(in + 32); + uint64 w5 = load_bigendian(in + 40); + uint64 w6 = load_bigendian(in + 48); + uint64 w7 = load_bigendian(in + 56); + uint64 w8 = load_bigendian(in + 64); + uint64 w9 = load_bigendian(in + 72); + uint64 w10 = load_bigendian(in + 80); + uint64 w11 = load_bigendian(in + 88); + uint64 w12 = load_bigendian(in + 96); + uint64 w13 = load_bigendian(in + 104); + uint64 w14 = load_bigendian(in + 112); + uint64 w15 = load_bigendian(in + 120); + + F(w0 ,0x428a2f98d728ae22ULL) + F(w1 ,0x7137449123ef65cdULL) + F(w2 ,0xb5c0fbcfec4d3b2fULL) + F(w3 ,0xe9b5dba58189dbbcULL) + F(w4 ,0x3956c25bf348b538ULL) + F(w5 ,0x59f111f1b605d019ULL) + F(w6 ,0x923f82a4af194f9bULL) + F(w7 ,0xab1c5ed5da6d8118ULL) + F(w8 ,0xd807aa98a3030242ULL) + F(w9 ,0x12835b0145706fbeULL) + F(w10,0x243185be4ee4b28cULL) + F(w11,0x550c7dc3d5ffb4e2ULL) + F(w12,0x72be5d74f27b896fULL) + F(w13,0x80deb1fe3b1696b1ULL) + F(w14,0x9bdc06a725c71235ULL) + F(w15,0xc19bf174cf692694ULL) + + EXPAND + + F(w0 ,0xe49b69c19ef14ad2ULL) + F(w1 ,0xefbe4786384f25e3ULL) + F(w2 ,0x0fc19dc68b8cd5b5ULL) + F(w3 ,0x240ca1cc77ac9c65ULL) + F(w4 ,0x2de92c6f592b0275ULL) + F(w5 ,0x4a7484aa6ea6e483ULL) + F(w6 ,0x5cb0a9dcbd41fbd4ULL) + F(w7 ,0x76f988da831153b5ULL) + F(w8 ,0x983e5152ee66dfabULL) + F(w9 ,0xa831c66d2db43210ULL) + F(w10,0xb00327c898fb213fULL) + F(w11,0xbf597fc7beef0ee4ULL) + F(w12,0xc6e00bf33da88fc2ULL) + F(w13,0xd5a79147930aa725ULL) + F(w14,0x06ca6351e003826fULL) + F(w15,0x142929670a0e6e70ULL) + + EXPAND + + F(w0 ,0x27b70a8546d22ffcULL) + F(w1 ,0x2e1b21385c26c926ULL) + F(w2 ,0x4d2c6dfc5ac42aedULL) + F(w3 ,0x53380d139d95b3dfULL) + F(w4 ,0x650a73548baf63deULL) + F(w5 ,0x766a0abb3c77b2a8ULL) + F(w6 ,0x81c2c92e47edaee6ULL) + F(w7 ,0x92722c851482353bULL) + F(w8 ,0xa2bfe8a14cf10364ULL) + F(w9 ,0xa81a664bbc423001ULL) + F(w10,0xc24b8b70d0f89791ULL) + F(w11,0xc76c51a30654be30ULL) + F(w12,0xd192e819d6ef5218ULL) + F(w13,0xd69906245565a910ULL) + F(w14,0xf40e35855771202aULL) + F(w15,0x106aa07032bbd1b8ULL) + + EXPAND + + F(w0 ,0x19a4c116b8d2d0c8ULL) + F(w1 ,0x1e376c085141ab53ULL) + F(w2 ,0x2748774cdf8eeb99ULL) + F(w3 ,0x34b0bcb5e19b48a8ULL) + F(w4 ,0x391c0cb3c5c95a63ULL) + F(w5 ,0x4ed8aa4ae3418acbULL) + F(w6 ,0x5b9cca4f7763e373ULL) + F(w7 ,0x682e6ff3d6b2b8a3ULL) + F(w8 ,0x748f82ee5defb2fcULL) + F(w9 ,0x78a5636f43172f60ULL) + F(w10,0x84c87814a1f0ab72ULL) + F(w11,0x8cc702081a6439ecULL) + F(w12,0x90befffa23631e28ULL) + F(w13,0xa4506cebde82bde9ULL) + F(w14,0xbef9a3f7b2c67915ULL) + F(w15,0xc67178f2e372532bULL) + + EXPAND + + F(w0 ,0xca273eceea26619cULL) + F(w1 ,0xd186b8c721c0c207ULL) + F(w2 ,0xeada7dd6cde0eb1eULL) + F(w3 ,0xf57d4f7fee6ed178ULL) + F(w4 ,0x06f067aa72176fbaULL) + F(w5 ,0x0a637dc5a2c898a6ULL) + F(w6 ,0x113f9804bef90daeULL) + F(w7 ,0x1b710b35131c471bULL) + F(w8 ,0x28db77f523047d84ULL) + F(w9 ,0x32caab7b40c72493ULL) + F(w10,0x3c9ebe0a15c9bebcULL) + F(w11,0x431d67c49c100d4cULL) + F(w12,0x4cc5d4becb3e42b6ULL) + F(w13,0x597f299cfc657e2aULL) + F(w14,0x5fcb6fab3ad6faecULL) + F(w15,0x6c44198c4a475817ULL) + + a += state[0]; + b += state[1]; + c += state[2]; + d += state[3]; + e += state[4]; + f += state[5]; + g += state[6]; + h += state[7]; + + state[0] = a; + state[1] = b; + state[2] = c; + state[3] = d; + state[4] = e; + state[5] = f; + state[6] = g; + state[7] = h; + + in += 128; + inlen -= 128; + } + + store_bigendian(statebytes + 0,state[0]); + store_bigendian(statebytes + 8,state[1]); + store_bigendian(statebytes + 16,state[2]); + store_bigendian(statebytes + 24,state[3]); + store_bigendian(statebytes + 32,state[4]); + store_bigendian(statebytes + 40,state[5]); + store_bigendian(statebytes + 48,state[6]); + store_bigendian(statebytes + 56,state[7]); + + return inlen; +} diff --git a/crypto/openssh/bufaux.c b/crypto/openssh/bufaux.c index 00208ca27..e24b5fc0a 100644 --- a/crypto/openssh/bufaux.c +++ b/crypto/openssh/bufaux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufaux.c,v 1.50 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -45,6 +45,7 @@ #include #include +#include #include "xmalloc.h" #include "buffer.h" @@ -181,7 +182,7 @@ buffer_get_string_ret(Buffer *buffer, u_int *length_ptr) /* Get the string. */ if (buffer_get_ret(buffer, value, len) == -1) { error("buffer_get_string_ret: buffer_get failed"); - xfree(value); + free(value); return (NULL); } /* Append a null character to make processing easier. */ @@ -215,8 +216,8 @@ buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr) if (cp == ret + length - 1) error("buffer_get_cstring_ret: string contains \\0"); else { - bzero(ret, length); - xfree(ret); + explicit_bzero(ret, length); + free(ret); return NULL; } } @@ -285,7 +286,7 @@ buffer_put_cstring(Buffer *buffer, const char *s) * Returns a character from the buffer (0 - 255). */ int -buffer_get_char_ret(char *ret, Buffer *buffer) +buffer_get_char_ret(u_char *ret, Buffer *buffer) { if (buffer_get_ret(buffer, ret, 1) == -1) { error("buffer_get_char_ret: buffer_get_ret failed"); @@ -297,11 +298,11 @@ buffer_get_char_ret(char *ret, Buffer *buffer) int buffer_get_char(Buffer *buffer) { - char ch; + u_char ch; if (buffer_get_char_ret(&ch, buffer) == -1) fatal("buffer_get_char: buffer error"); - return (u_char) ch; + return ch; } /* @@ -314,3 +315,76 @@ buffer_put_char(Buffer *buffer, int value) buffer_append(buffer, &ch, 1); } + +/* Pseudo bignum functions */ + +void * +buffer_get_bignum2_as_string_ret(Buffer *buffer, u_int *length_ptr) +{ + u_int len; + u_char *bin, *p, *ret; + + if ((p = bin = buffer_get_string_ret(buffer, &len)) == NULL) { + error("%s: invalid bignum", __func__); + return NULL; + } + + if (len > 0 && (bin[0] & 0x80)) { + error("%s: negative numbers not supported", __func__); + free(bin); + return NULL; + } + if (len > 8 * 1024) { + error("%s: cannot handle BN of size %d", __func__, len); + free(bin); + return NULL; + } + /* Skip zero prefix on numbers with the MSB set */ + if (len > 1 && bin[0] == 0x00 && (bin[1] & 0x80) != 0) { + p++; + len--; + } + ret = xmalloc(len); + memcpy(ret, p, len); + explicit_bzero(p, len); + free(bin); + return ret; +} + +void * +buffer_get_bignum2_as_string(Buffer *buffer, u_int *l) +{ + void *ret = buffer_get_bignum2_as_string_ret(buffer, l); + + if (ret == NULL) + fatal("%s: buffer error", __func__); + return ret; +} + +/* + * Stores a string using the bignum encoding rules (\0 pad if MSB set). + */ +void +buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) +{ + u_char *buf, *p; + int pad = 0; + + if (l > 8 * 1024) + fatal("%s: length %u too long", __func__, l); + p = buf = xmalloc(l + 1); + /* + * If most significant bit is set then prepend a zero byte to + * avoid interpretation as a negative number. + */ + if (l > 0 && (s[0] & 0x80) != 0) { + *p++ = '\0'; + pad = 1; + } + memcpy(p, s, l); + buffer_put_string(buffer, buf, l + pad); + explicit_bzero(buf, l + pad); + free(buf); +} + + diff --git a/crypto/openssh/bufbn.c b/crypto/openssh/bufbn.c index 251cd0951..1d2e01266 100644 --- a/crypto/openssh/bufbn.c +++ b/crypto/openssh/bufbn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/ +/* $OpenBSD: bufbn.c,v 1.11 2014/02/27 08:25:09 djm Exp $*/ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -45,6 +45,7 @@ #include #include +#include #include "xmalloc.h" #include "buffer.h" @@ -69,7 +70,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) if (oi != bin_size) { error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d", oi, bin_size); - xfree(buf); + free(buf); return (-1); } @@ -79,8 +80,8 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) /* Store the binary data. */ buffer_append(buffer, buf, oi); - memset(buf, 0, bin_size); - xfree(buf); + explicit_bzero(buf, bin_size); + free(buf); return (0); } @@ -107,6 +108,11 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value) return (-1); } bits = get_u16(buf); + if (bits > 65535-7) { + error("buffer_get_bignum_ret: cannot handle BN of size %d", + bits); + return (-1); + } /* Compute the number of binary bytes that follow. */ bytes = (bits + 7) / 8; if (bytes > 8 * 1024) { @@ -167,13 +173,13 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) if (oi < 0 || (u_int)oi != bytes - 1) { error("buffer_put_bignum2_ret: BN_bn2bin() failed: " "oi %d != bin_size %d", oi, bytes); - xfree(buf); + free(buf); return (-1); } hasnohigh = (buf[1] & 0x80) ? 0 : 1; buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh); - memset(buf, 0, bytes); - xfree(buf); + explicit_bzero(buf, bytes); + free(buf); return (0); } @@ -197,21 +203,21 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value) if (len > 0 && (bin[0] & 0x80)) { error("buffer_get_bignum2_ret: negative numbers not supported"); - xfree(bin); + free(bin); return (-1); } if (len > 8 * 1024) { error("buffer_get_bignum2_ret: cannot handle BN of size %d", len); - xfree(bin); + free(bin); return (-1); } if (BN_bin2bn(bin, len, value) == NULL) { error("buffer_get_bignum2_ret: BN_bin2bn failed"); - xfree(bin); + free(bin); return (-1); } - xfree(bin); + free(bin); return (0); } diff --git a/crypto/openssh/bufec.c b/crypto/openssh/bufec.c index 3dcb49477..89482b906 100644 --- a/crypto/openssh/bufec.c +++ b/crypto/openssh/bufec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufec.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: bufec.c,v 1.3 2014/01/31 16:39:19 tedu Exp $ */ /* * Copyright (c) 2010 Damien Miller * @@ -77,8 +77,8 @@ buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve, ret = 0; out: if (buf != NULL) { - bzero(buf, len); - xfree(buf); + explicit_bzero(buf, len); + free(buf); } BN_CTX_free(bnctx); return ret; @@ -130,8 +130,8 @@ buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve, ret = 0; out: BN_CTX_free(bnctx); - bzero(buf, len); - xfree(buf); + explicit_bzero(buf, len); + free(buf); return ret; } diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c index a3202c601..55fb253c3 100644 --- a/crypto/openssh/buffer.c +++ b/crypto/openssh/buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.c,v 1.32 2010/02/09 03:56:28 djm Exp $ */ +/* $OpenBSD: buffer.c,v 1.35 2014/02/02 03:44:31 djm Exp $ */ /* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -14,12 +14,14 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include #include #include +#include #include "xmalloc.h" #include "buffer.h" @@ -49,9 +51,9 @@ void buffer_free(Buffer *buffer) { if (buffer->alloc > 0) { - memset(buffer->buf, 0, buffer->alloc); + explicit_bzero(buffer->buf, buffer->alloc); buffer->alloc = 0; - xfree(buffer->buf); + free(buffer->buf); } } diff --git a/crypto/openssh/buffer.h b/crypto/openssh/buffer.h index c35f53fe4..39e04f9d3 100644 --- a/crypto/openssh/buffer.h +++ b/crypto/openssh/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.21 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: buffer.h,v 1.23 2014/01/12 08:13:13 djm Exp $ */ /* $FreeBSD$ */ /* @@ -87,7 +87,11 @@ int buffer_get_int64_ret(u_int64_t *, Buffer *); void *buffer_get_string_ret(Buffer *, u_int *); char *buffer_get_cstring_ret(Buffer *, u_int *); void *buffer_get_string_ptr_ret(Buffer *, u_int *); -int buffer_get_char_ret(char *, Buffer *); +int buffer_get_char_ret(u_char *, Buffer *); + +void *buffer_get_bignum2_as_string_ret(Buffer *, u_int *); +void *buffer_get_bignum2_as_string(Buffer *, u_int *); +void buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int); #ifdef OPENSSL_HAS_ECC #include diff --git a/crypto/openssh/buildpkg.sh.in b/crypto/openssh/buildpkg.sh.in new file mode 100644 index 000000000..4b842b3f7 --- /dev/null +++ b/crypto/openssh/buildpkg.sh.in @@ -0,0 +1,677 @@ +#!/bin/sh +# +# Fake Root Solaris/SVR4/SVR5 Build System - Prototype +# +# The following code has been provide under Public Domain License. I really +# don't care what you use it for. Just as long as you don't complain to me +# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org) +# +umask 022 +# +# Options for building the package +# You can create a openssh-config.local with your customized options +# +REMOVE_FAKE_ROOT_WHEN_DONE=yes +# +# uncommenting TEST_DIR and using +# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty +# and +# PKGNAME=tOpenSSH should allow testing a package without interfering +# with a real OpenSSH package on a system. This is not needed on systems +# that support the -R option to pkgadd. +#TEST_DIR=/var/tmp # leave commented out for production build +PKGNAME=OpenSSH +# revisions within the same version (REV=a) +#REV= +SYSVINIT_NAME=opensshd +AWK=${AWK:="nawk"} +MAKE=${MAKE:="make"} +SSHDUID=67 # Default privsep uid +SSHDGID=67 # Default privsep gid +# uncomment these next three as needed +#PERMIT_ROOT_LOGIN=no +#X11_FORWARDING=yes +#USR_LOCAL_IS_SYMLINK=yes +# System V init run levels +SYSVINITSTART=S98 +SYSVINITSTOPT=K30 +# We will source these if they exist +POST_MAKE_INSTALL_FIXES=./pkg-post-make-install-fixes.sh +POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh +# We'll be one level deeper looking for these +PKG_PREINSTALL_LOCAL=../pkg-preinstall.local +PKG_POSTINSTALL_LOCAL=../pkg-postinstall.local +PKG_PREREMOVE_LOCAL=../pkg-preremove.local +PKG_POSTREMOVE_LOCAL=../pkg-postremove.local +PKG_REQUEST_LOCAL=../pkg-request.local +# end of sourced files +# +OPENSSHD=opensshd.init +OPENSSH_MANIFEST=openssh.xml +OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default +SMF_METHOD_DIR=/lib/svc/method/site +SMF_MANIFEST_DIR=/var/svc/manifest/site + +PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@ +PATH_USERADD_PROG=@PATH_USERADD_PROG@ +PATH_PASSWD_PROG=@PATH_PASSWD_PROG@ +# +# list of system directories we do NOT want to change owner/group/perms +# when installing our package +SYSTEM_DIR="/etc \ +/etc/init.d \ +/etc/rcS.d \ +/etc/rc0.d \ +/etc/rc1.d \ +/etc/rc2.d \ +/etc/opt \ +/lib \ +/lib/svc \ +/lib/svc/method \ +/lib/svc/method/site \ +/opt \ +/opt/bin \ +/usr \ +/usr/bin \ +/usr/lib \ +/usr/sbin \ +/usr/share \ +/usr/share/man \ +/usr/share/man/man1 \ +/usr/share/man/man8 \ +/usr/local \ +/usr/local/bin \ +/usr/local/etc \ +/usr/local/libexec \ +/usr/local/man \ +/usr/local/man/man1 \ +/usr/local/man/man8 \ +/usr/local/sbin \ +/usr/local/share \ +/var \ +/var/opt \ +/var/run \ +/var/svc \ +/var/svc/manifest \ +/var/svc/manifest/site \ +/var/tmp \ +/tmp" + +# We may need to build as root so we make sure PATH is set up +# only set the path if it's not set already +[ -d /opt/bin ] && { + echo $PATH | grep ":/opt/bin" > /dev/null 2>&1 + [ $? -ne 0 ] && PATH=$PATH:/opt/bin +} +[ -d /usr/local/bin ] && { + echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1 + [ $? -ne 0 ] && PATH=$PATH:/usr/local/bin +} +[ -d /usr/ccs/bin ] && { + echo $PATH | grep ":/usr/ccs/bin" > /dev/null 2>&1 + [ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin +} +export PATH +# + +[ -f Makefile ] || { + echo "Please run this script from your build directory" + exit 1 +} + +# we will look for openssh-config.local to override the above options +[ -s ./openssh-config.local ] && . ./openssh-config.local + +START=`pwd` +FAKE_ROOT=$START/pkg + +## Fill in some details, like prefix and sysconfdir +for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir srcdir +do + eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` +done + +## Are we using Solaris' SMF? +DO_SMF=0 +if egrep "^#define USE_SOLARIS_PROCESS_CONTRACTS" config.h > /dev/null 2>&1 +then + DO_SMF=1 +fi + +## Collect value of privsep user +for confvar in SSH_PRIVSEP_USER +do + eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` +done + +## Set privsep defaults if not defined +if [ -z "$SSH_PRIVSEP_USER" ] +then + SSH_PRIVSEP_USER=sshd +fi + +## Extract common info requires for the 'info' part of the package. +VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'` + +ARCH=`uname -m` +DEF_MSG="\n" +OS_VER=`uname -v` +SCRIPT_SHELL=/sbin/sh +UNAME_R=`uname -r` +UNAME_S=`uname -s` +case ${UNAME_S} in + SunOS) UNAME_S=Solaris + OS_VER=${UNAME_R} + ARCH=`uname -p` + RCS_D=yes + DEF_MSG="(default: n)" + ;; + SCO_SV) case ${UNAME_R} in + 3.2) UNAME_S=OpenServer5 + OS_VER=`uname -X | grep Release | sed -e 's/^Rel.*3.2v//'` + ;; + 5) UNAME_S=OpenServer6 + ;; + esac + SCRIPT_SHELL=/bin/sh + RC1_D=no + DEF_MSG="(default: n)" + ;; +esac + +case `basename $0` in + buildpkg.sh) +## Start by faking root install +echo "Faking root install..." +[ -d $FAKE_ROOT ] && rm -fr $FAKE_ROOT +mkdir $FAKE_ROOT +${MAKE} install-nokeys DESTDIR=$FAKE_ROOT +if [ $? -gt 0 ] +then + echo "Fake root install failed, stopping." + exit 1 +fi + +## Setup our run level stuff while we are at it. +if [ $DO_SMF -eq 1 ] +then + # For Solaris' SMF, /lib/svc/method/site is the preferred place + # for start/stop scripts that aren't supplied with the OS, and + # similarly /var/svc/manifest/site for manifests. + mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR} + mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR} + + cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME} + chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME} + + cat ${OPENSSH_MANIFEST} | \ + sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \ + -e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \ + > $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml + chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml +else + mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d + + cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} + chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} +fi + +[ "${PERMIT_ROOT_LOGIN}" = no ] && \ + perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ + $FAKE_ROOT${sysconfdir}/sshd_config +[ "${X11_FORWARDING}" = yes ] && \ + perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ + $FAKE_ROOT${sysconfdir}/sshd_config +# fix PrintMotd +perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \ + $FAKE_ROOT${sysconfdir}/sshd_config + +# We don't want to overwrite config files on multiple installs +mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default +mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default + +# local tweeks here +[ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES} + +cd $FAKE_ROOT + +## Ok, this is outright wrong, but it will work. I'm tired of pkgmk +## whining. +for i in *; do + PROTO_ARGS="$PROTO_ARGS $i=/$i"; +done + +## Build info file +echo "Building pkginfo file..." +cat > pkginfo << _EOF +PKG=$PKGNAME +NAME="OpenSSH Portable for ${UNAME_S}" +DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh." +VENDOR="OpenSSH Portable Team - http://www.openssh.com/portable.html" +ARCH=$ARCH +VERSION=$VERSION$REV +CATEGORY="Security,application" +BASEDIR=/ +CLASSES="none" +PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`" +_EOF + +## Build empty depend file that may get updated by $POST_PROTOTYPE_EDITS +echo "Building depend file..." +touch depend + +## Build space file +echo "Building space file..." +if [ $DO_SMF -eq 1 ] +then + # XXX Is this necessary? If not, remove space line from mk-proto.awk. + touch space +else + cat > space << _EOF +# extra space required by start/stop links added by installf +# in postinstall +$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1 +$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1 +_EOF + [ "$RC1_D" = no ] || \ + echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space + [ "$RCS_D" = yes ] && \ + echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space +fi + +## Build preinstall file +echo "Building preinstall file..." +cat > preinstall << _EOF +#! ${SCRIPT_SHELL} +# +_EOF + +# local preinstall changes here +[ -s "${PKG_PREINSTALL_LOCAL}" ] && . ${PKG_PREINSTALL_LOCAL} + +cat >> preinstall << _EOF +# +if [ "\${PRE_INS_STOP}" = "yes" ] +then + if [ $DO_SMF -eq 1 ] + then + svcadm disable $OPENSSH_FMRI + else + ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop + fi +fi + +exit 0 +_EOF + +## Build postinstall file +echo "Building postinstall file..." +cat > postinstall << _EOF +#! ${SCRIPT_SHELL} +# +[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\ + cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\ + \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config +[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\ + cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\ + \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config + +# make rc?.d dirs only if we are doing a test install +[ -n "${TEST_DIR}" ] && [ $DO_SMF -ne 1 ] && { + [ "$RCS_D" = yes ] && mkdir -p ${TEST_DIR}/etc/rcS.d + mkdir -p ${TEST_DIR}/etc/rc0.d + [ "$RC1_D" = no ] || mkdir -p ${TEST_DIR}/etc/rc1.d + mkdir -p ${TEST_DIR}/etc/rc2.d +} + +if [ $DO_SMF -eq 1 ] +then + # Delete the existing service, if it exists, then import the + # new one. + if svcs $OPENSSH_FMRI > /dev/null 2>&1 + then + svccfg delete -f $OPENSSH_FMRI + fi + # NOTE, The manifest disables sshd by default. + svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml +else + if [ "\${USE_SYM_LINKS}" = yes ] + then + [ "$RCS_D" = yes ] && \\ + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s + [ "$RC1_D" = no ] || \\ + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s + else + [ "$RCS_D" = yes ] && \\ + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l + [ "$RC1_D" = no ] || \\ + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l + fi +fi + +# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh) +[ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 0755 root sys + +_EOF + +# local postinstall changes here +[ -s "${PKG_POSTINSTALL_LOCAL}" ] && . ${PKG_POSTINSTALL_LOCAL} + +cat >> postinstall << _EOF +installf -f ${PKGNAME} + +# Use chroot to handle PKG_INSTALL_ROOT +if [ ! -z "\${PKG_INSTALL_ROOT}" ] +then + chroot="chroot \${PKG_INSTALL_ROOT}" +fi +# If this is a test build, we will skip the groupadd/useradd/passwd commands +if [ ! -z "${TEST_DIR}" ] +then + chroot=echo +fi + + echo "PrivilegeSeparation user always required." + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + then + echo "PrivSep user $SSH_PRIVSEP_USER already exists." + SSH_PRIVSEP_GROUP=\`grep "^$SSH_PRIVSEP_USER:" \${PKG_INSTALL_ROOT}/etc/passwd | awk -F: '{print \$4}'\` + SSH_PRIVSEP_GROUP=\`grep ":\$SSH_PRIVSEP_GROUP:" \${PKG_INSTALL_ROOT}/etc/group | awk -F: '{print \$1}'\` + else + DO_PASSWD=yes + fi + [ -z "\$SSH_PRIVSEP_GROUP" ] && SSH_PRIVSEP_GROUP=$SSH_PRIVSEP_USER + + # group required? + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'\$SSH_PRIVSEP_GROUP'\$' >/dev/null + then + echo "PrivSep group \$SSH_PRIVSEP_GROUP already exists." + else + DO_GROUP=yes + fi + + # create group if required + [ "\$DO_GROUP" = yes ] && { + # Use gid of 67 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null + then + : + else + sshdgid="-g $SSHDGID" + fi + echo "Creating PrivSep group \$SSH_PRIVSEP_GROUP." + \$chroot ${PATH_GROUPADD_PROG} \$sshdgid \$SSH_PRIVSEP_GROUP + } + + # Create user if required + [ "\$DO_PASSWD" = yes ] && { + # Use uid of 67 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null + then + : + else + sshduid="-u $SSHDUID" + fi + echo "Creating PrivSep user $SSH_PRIVSEP_USER." + \$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER + \$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER + } + +if [ "\${POST_INS_START}" = "yes" ] +then + if [ $DO_SMF -eq 1 ] + then + svcadm enable $OPENSSH_FMRI + else + ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start + fi +fi +exit 0 +_EOF + +## Build preremove file +echo "Building preremove file..." +cat > preremove << _EOF +#! ${SCRIPT_SHELL} +# +if [ $DO_SMF -eq 1 ] +then + svcadm disable $OPENSSH_FMRI +else + ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop +fi +_EOF + +# local preremove changes here +[ -s "${PKG_PREREMOVE_LOCAL}" ] && . ${PKG_PREREMOVE_LOCAL} + +cat >> preremove << _EOF +exit 0 +_EOF + +## Build postremove file +echo "Building postremove file..." +cat > postremove << _EOF +#! ${SCRIPT_SHELL} +# +if [ $DO_SMF -eq 1 ] +then + if svcs $OPENSSH_FMRI > /dev/null 2>&1 + then + svccfg delete -f $OPENSSH_FMRI + fi +fi +_EOF + +# local postremove changes here +[ -s "${PKG_POSTREMOVE_LOCAL}" ] && . ${PKG_POSTREMOVE_LOCAL} + +cat >> postremove << _EOF +exit 0 +_EOF + +## Build request file +echo "Building request file..." +cat > request << _EOF +trap 'exit 3' 15 + +_EOF + +[ -x /usr/bin/ckyorn ] || cat >> request << _EOF + +ckyorn() { +# for some strange reason OpenServer5 has no ckyorn +# We build a striped down version here + +DEFAULT=n +PROMPT="Yes or No [yes,no,?,quit]" +HELP_PROMPT=" Enter y or yes if your answer is yes; n or no if your answer is no." +USAGE="usage: ckyorn [options] +where options may include: + -d default + -h help + -p prompt +" + +if [ \$# != 0 ] +then + while getopts d:p:h: c + do + case \$c in + h) HELP_PROMPT="\$OPTARG" ;; + d) DEFAULT=\$OPTARG ;; + p) PROMPT=\$OPTARG ;; + \\?) echo "\$USAGE" 1>&2 + exit 1 ;; + esac + done + shift \`expr \$OPTIND - 1\` +fi + +while true +do + echo "\${PROMPT}\\c " 1>&2 + read key + [ -z "\$key" ] && key=\$DEFAULT + case \$key in + [n,N]|[n,N][o,O]|[y,Y]|[y,Y][e,E][s,S]) echo "\${key}\\c" + exit 0 ;; + \\?) echo \$HELP_PROMPT 1>&2 ;; + q|quit) echo "q\\c" 1>&2 + exit 3 ;; + esac +done + +} + +_EOF + +if [ $DO_SMF -eq 1 ] +then + # This could get hairy, as the running sshd may not be under SMF. + # We'll assume an earlier version of OpenSSH started via SMF. + cat >> request << _EOF +PRE_INS_STOP=no +POST_INS_START=no +# determine if should restart the daemon +if [ -s ${piddir}/sshd.pid ] && \\ + /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1 +then + ans=\`ckyorn -d n \\ +-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$? + case \$ans in + [y,Y]*) PRE_INS_STOP=yes + POST_INS_START=yes + ;; + esac + +else + +# determine if we should start sshd + ans=\`ckyorn -d n \\ +-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$? + case \$ans in + [y,Y]*) POST_INS_START=yes ;; + esac +fi + +# make parameters available to installation service, +# and so to any other packaging scripts +cat >\$1 <> request << _EOF +USE_SYM_LINKS=no +PRE_INS_STOP=no +POST_INS_START=no +# Use symbolic links? +ans=\`ckyorn -d n \\ +-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$? +case \$ans in + [y,Y]*) USE_SYM_LINKS=yes ;; +esac + +# determine if should restart the daemon +if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ] +then + ans=\`ckyorn -d n \\ +-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$? + case \$ans in + [y,Y]*) PRE_INS_STOP=yes + POST_INS_START=yes + ;; + esac + +else + +# determine if we should start sshd + ans=\`ckyorn -d n \\ +-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$? + case \$ans in + [y,Y]*) POST_INS_START=yes ;; + esac +fi + +# make parameters available to installation service, +# and so to any other packaging scripts +cat >\$1 <> request << _EOF +exit 0 + +_EOF + +## Next Build our prototype +echo "Building prototype file..." +cat >mk-proto.awk << _EOF + BEGIN { print "i pkginfo"; print "i depend"; \\ + print "i preinstall"; print "i postinstall"; \\ + print "i preremove"; print "i postremove"; \\ + print "i request"; print "i space"; \\ + split("$SYSTEM_DIR",sys_files); } + { + for (dir in sys_files) { if ( \$3 != sys_files[dir] ) + { if ( \$1 == "s" ) + { \$5=""; \$6=""; } + else + { \$5="root"; \$6="sys"; } + } + else + { \$4="?"; \$5="?"; \$6="?"; break;} + } } + { print; } +_EOF + +find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \ + pkgproto $PROTO_ARGS | ${AWK} -f mk-proto.awk > prototype + +# /usr/local is a symlink on some systems +[ "${USR_LOCAL_IS_SYMLINK}" = yes ] && { + grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new + mv prototype.new prototype +} + +## Step back a directory and now build the package. +cd .. +# local prototype tweeks here +[ -s "${POST_PROTOTYPE_EDITS}" ] && . ${POST_PROTOTYPE_EDITS} + +echo "Building package.." +pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o +echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg + ;; + + justpkg.sh) +rm -fr ${FAKE_ROOT}/${PKGNAME} +grep -v "^PSTAMP=" $FAKE_ROOT/pkginfo > $$tmp +mv $$tmp $FAKE_ROOT/pkginfo +cat >> $FAKE_ROOT/pkginfo << _EOF +PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`" +_EOF +pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o +echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg + ;; + +esac + +[ "${REMOVE_FAKE_ROOT_WHEN_DONE}" = yes ] && rm -rf $FAKE_ROOT +exit 0 + diff --git a/crypto/openssh/canohost.c b/crypto/openssh/canohost.c index dabd8a31a..a61a8c94d 100644 --- a/crypto/openssh/canohost.c +++ b/crypto/openssh/canohost.c @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.c,v 1.66 2010/01/13 01:20:20 dtucker Exp $ */ +/* $OpenBSD: canohost.c,v 1.70 2014/01/19 04:17:29 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -20,7 +20,6 @@ #include #include -#include #include #include #include @@ -41,14 +40,13 @@ static int cached_port = -1; /* * Return the canonical name of the host at the other end of the socket. The - * caller should free the returned string with xfree. + * caller should free the returned string. */ static char * get_remote_hostname(int sock, int use_dns) { struct sockaddr_storage from; - int i; socklen_t fromlen; struct addrinfo hints, *ai, *aitop; char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; @@ -99,13 +97,9 @@ get_remote_hostname(int sock, int use_dns) return xstrdup(ntop); } - /* - * Convert it to all lowercase (which is expected by the rest - * of this software). - */ - for (i = 0; name[i]; i++) - if (isupper(name[i])) - name[i] = (char)tolower(name[i]); + /* Names are stores in lowercase. */ + lowercase(name); + /* * Map it back to an IP address and check that the given * address actually is an address of this host. This is @@ -160,8 +154,7 @@ check_ip_options(int sock, char *ipaddr) #ifdef IP_OPTIONS u_char options[200]; char text[sizeof(options) * 3 + 1]; - socklen_t option_size; - u_int i; + socklen_t option_size, i; int ipproto; struct protoent *ip; @@ -199,7 +192,7 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr)); port = a6->sin6_port; - bzero(a4, sizeof(*a4)); + memset(a4, 0, sizeof(*a4)); a4->sin_family = AF_INET; *len = sizeof(*a4); @@ -323,10 +316,8 @@ get_local_name(int fd) void clear_cached_addr(void) { - if (canonical_host_ip != NULL) { - xfree(canonical_host_ip); - canonical_host_ip = NULL; - } + free(canonical_host_ip); + canonical_host_ip = NULL; cached_port = -1; } diff --git a/crypto/openssh/chacha.c b/crypto/openssh/chacha.c new file mode 100644 index 000000000..a84c25ea8 --- /dev/null +++ b/crypto/openssh/chacha.c @@ -0,0 +1,219 @@ +/* +chacha-merged.c version 20080118 +D. J. Bernstein +Public domain. +*/ + +#include "includes.h" + +#include "chacha.h" + +/* $OpenBSD: chacha.c,v 1.1 2013/11/21 00:45:44 djm Exp $ */ + +typedef unsigned char u8; +typedef unsigned int u32; + +typedef struct chacha_ctx chacha_ctx; + +#define U8C(v) (v##U) +#define U32C(v) (v##U) + +#define U8V(v) ((u8)(v) & U8C(0xFF)) +#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF)) + +#define ROTL32(v, n) \ + (U32V((v) << (n)) | ((v) >> (32 - (n)))) + +#define U8TO32_LITTLE(p) \ + (((u32)((p)[0]) ) | \ + ((u32)((p)[1]) << 8) | \ + ((u32)((p)[2]) << 16) | \ + ((u32)((p)[3]) << 24)) + +#define U32TO8_LITTLE(p, v) \ + do { \ + (p)[0] = U8V((v) ); \ + (p)[1] = U8V((v) >> 8); \ + (p)[2] = U8V((v) >> 16); \ + (p)[3] = U8V((v) >> 24); \ + } while (0) + +#define ROTATE(v,c) (ROTL32(v,c)) +#define XOR(v,w) ((v) ^ (w)) +#define PLUS(v,w) (U32V((v) + (w))) +#define PLUSONE(v) (PLUS((v),1)) + +#define QUARTERROUND(a,b,c,d) \ + a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \ + a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c), 7); + +static const char sigma[16] = "expand 32-byte k"; +static const char tau[16] = "expand 16-byte k"; + +void +chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits) +{ + const char *constants; + + x->input[4] = U8TO32_LITTLE(k + 0); + x->input[5] = U8TO32_LITTLE(k + 4); + x->input[6] = U8TO32_LITTLE(k + 8); + x->input[7] = U8TO32_LITTLE(k + 12); + if (kbits == 256) { /* recommended */ + k += 16; + constants = sigma; + } else { /* kbits == 128 */ + constants = tau; + } + x->input[8] = U8TO32_LITTLE(k + 0); + x->input[9] = U8TO32_LITTLE(k + 4); + x->input[10] = U8TO32_LITTLE(k + 8); + x->input[11] = U8TO32_LITTLE(k + 12); + x->input[0] = U8TO32_LITTLE(constants + 0); + x->input[1] = U8TO32_LITTLE(constants + 4); + x->input[2] = U8TO32_LITTLE(constants + 8); + x->input[3] = U8TO32_LITTLE(constants + 12); +} + +void +chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter) +{ + x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0); + x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4); + x->input[14] = U8TO32_LITTLE(iv + 0); + x->input[15] = U8TO32_LITTLE(iv + 4); +} + +void +chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes) +{ + u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + u8 *ctarget = NULL; + u8 tmp[64]; + u_int i; + + if (!bytes) return; + + j0 = x->input[0]; + j1 = x->input[1]; + j2 = x->input[2]; + j3 = x->input[3]; + j4 = x->input[4]; + j5 = x->input[5]; + j6 = x->input[6]; + j7 = x->input[7]; + j8 = x->input[8]; + j9 = x->input[9]; + j10 = x->input[10]; + j11 = x->input[11]; + j12 = x->input[12]; + j13 = x->input[13]; + j14 = x->input[14]; + j15 = x->input[15]; + + for (;;) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) tmp[i] = m[i]; + m = tmp; + ctarget = c; + c = tmp; + } + x0 = j0; + x1 = j1; + x2 = j2; + x3 = j3; + x4 = j4; + x5 = j5; + x6 = j6; + x7 = j7; + x8 = j8; + x9 = j9; + x10 = j10; + x11 = j11; + x12 = j12; + x13 = j13; + x14 = j14; + x15 = j15; + for (i = 20;i > 0;i -= 2) { + QUARTERROUND( x0, x4, x8,x12) + QUARTERROUND( x1, x5, x9,x13) + QUARTERROUND( x2, x6,x10,x14) + QUARTERROUND( x3, x7,x11,x15) + QUARTERROUND( x0, x5,x10,x15) + QUARTERROUND( x1, x6,x11,x12) + QUARTERROUND( x2, x7, x8,x13) + QUARTERROUND( x3, x4, x9,x14) + } + x0 = PLUS(x0,j0); + x1 = PLUS(x1,j1); + x2 = PLUS(x2,j2); + x3 = PLUS(x3,j3); + x4 = PLUS(x4,j4); + x5 = PLUS(x5,j5); + x6 = PLUS(x6,j6); + x7 = PLUS(x7,j7); + x8 = PLUS(x8,j8); + x9 = PLUS(x9,j9); + x10 = PLUS(x10,j10); + x11 = PLUS(x11,j11); + x12 = PLUS(x12,j12); + x13 = PLUS(x13,j13); + x14 = PLUS(x14,j14); + x15 = PLUS(x15,j15); + + x0 = XOR(x0,U8TO32_LITTLE(m + 0)); + x1 = XOR(x1,U8TO32_LITTLE(m + 4)); + x2 = XOR(x2,U8TO32_LITTLE(m + 8)); + x3 = XOR(x3,U8TO32_LITTLE(m + 12)); + x4 = XOR(x4,U8TO32_LITTLE(m + 16)); + x5 = XOR(x5,U8TO32_LITTLE(m + 20)); + x6 = XOR(x6,U8TO32_LITTLE(m + 24)); + x7 = XOR(x7,U8TO32_LITTLE(m + 28)); + x8 = XOR(x8,U8TO32_LITTLE(m + 32)); + x9 = XOR(x9,U8TO32_LITTLE(m + 36)); + x10 = XOR(x10,U8TO32_LITTLE(m + 40)); + x11 = XOR(x11,U8TO32_LITTLE(m + 44)); + x12 = XOR(x12,U8TO32_LITTLE(m + 48)); + x13 = XOR(x13,U8TO32_LITTLE(m + 52)); + x14 = XOR(x14,U8TO32_LITTLE(m + 56)); + x15 = XOR(x15,U8TO32_LITTLE(m + 60)); + + j12 = PLUSONE(j12); + if (!j12) { + j13 = PLUSONE(j13); + /* stopping at 2^70 bytes per nonce is user's responsibility */ + } + + U32TO8_LITTLE(c + 0,x0); + U32TO8_LITTLE(c + 4,x1); + U32TO8_LITTLE(c + 8,x2); + U32TO8_LITTLE(c + 12,x3); + U32TO8_LITTLE(c + 16,x4); + U32TO8_LITTLE(c + 20,x5); + U32TO8_LITTLE(c + 24,x6); + U32TO8_LITTLE(c + 28,x7); + U32TO8_LITTLE(c + 32,x8); + U32TO8_LITTLE(c + 36,x9); + U32TO8_LITTLE(c + 40,x10); + U32TO8_LITTLE(c + 44,x11); + U32TO8_LITTLE(c + 48,x12); + U32TO8_LITTLE(c + 52,x13); + U32TO8_LITTLE(c + 56,x14); + U32TO8_LITTLE(c + 60,x15); + + if (bytes <= 64) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) ctarget[i] = c[i]; + } + x->input[12] = j12; + x->input[13] = j13; + return; + } + bytes -= 64; + c += 64; + m += 64; + } +} diff --git a/crypto/openssh/chacha.h b/crypto/openssh/chacha.h new file mode 100644 index 000000000..4ef42cc70 --- /dev/null +++ b/crypto/openssh/chacha.h @@ -0,0 +1,35 @@ +/* $OpenBSD: chacha.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */ + +/* +chacha-merged.c version 20080118 +D. J. Bernstein +Public domain. +*/ + +#ifndef CHACHA_H +#define CHACHA_H + +#include + +struct chacha_ctx { + u_int input[16]; +}; + +#define CHACHA_MINKEYLEN 16 +#define CHACHA_NONCELEN 8 +#define CHACHA_CTRLEN 8 +#define CHACHA_STATELEN (CHACHA_NONCELEN+CHACHA_CTRLEN) +#define CHACHA_BLOCKLEN 64 + +void chacha_keysetup(struct chacha_ctx *x, const u_char *k, u_int kbits) + __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN))); +void chacha_ivsetup(struct chacha_ctx *x, const u_char *iv, const u_char *ctr) + __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN))) + __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN))); +void chacha_encrypt_bytes(struct chacha_ctx *x, const u_char *m, + u_char *c, u_int bytes) + __attribute__((__bounded__(__buffer__, 2, 4))) + __attribute__((__bounded__(__buffer__, 3, 4))); + +#endif /* CHACHA_H */ + diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c index 4bdf26579..7d45e0bac 100644 --- a/crypto/openssh/channels.c +++ b/crypto/openssh/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.331 2014/02/26 20:29:29 djm Exp $ */ /* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -41,6 +41,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include @@ -219,6 +220,7 @@ channel_lookup(int id) case SSH_CHANNEL_OPEN: case SSH_CHANNEL_INPUT_DRAINING: case SSH_CHANNEL_OUTPUT_DRAINING: + case SSH_CHANNEL_ABANDONED: return (c); } logit("Non-public channel %d, type %d.", id, c->type); @@ -253,7 +255,10 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd, if ((c->isatty = is_tty) != 0) debug2("channel %d: rfd %d isatty", c->self, c->rfd); +#ifdef _AIX + /* XXX: Later AIX versions can't push as much data to tty */ c->wfd_isatty = is_tty || isatty(c->wfd); +#endif /* enable nonblocking mode */ if (nonblock) { @@ -408,7 +413,7 @@ channel_free(Channel *c) s = channel_open_message(); debug3("channel %d: status: %s", c->self, s); - xfree(s); + free(s); if (c->sock != -1) shutdown(c->sock, SHUT_RDWR); @@ -416,29 +421,23 @@ channel_free(Channel *c) buffer_free(&c->input); buffer_free(&c->output); buffer_free(&c->extended); - if (c->remote_name) { - xfree(c->remote_name); - c->remote_name = NULL; - } - if (c->path) { - xfree(c->path); - c->path = NULL; - } - if (c->listening_addr) { - xfree(c->listening_addr); - c->listening_addr = NULL; - } + free(c->remote_name); + c->remote_name = NULL; + free(c->path); + c->path = NULL; + free(c->listening_addr); + c->listening_addr = NULL; while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { if (cc->abandon_cb != NULL) cc->abandon_cb(c, cc->ctx); TAILQ_REMOVE(&c->status_confirms, cc, entry); - bzero(cc, sizeof(*cc)); - xfree(cc); + explicit_bzero(cc, sizeof(*cc)); + free(cc); } if (c->filter_cleanup != NULL && c->filter_ctx != NULL) c->filter_cleanup(c->self, c->filter_ctx); channels[c->self] = NULL; - xfree(c); + free(c); } void @@ -543,6 +542,7 @@ channel_still_open(void) case SSH_CHANNEL_DYNAMIC: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_ZOMBIE: + case SSH_CHANNEL_ABANDONED: continue; case SSH_CHANNEL_LARVAL: if (!compat20) @@ -588,6 +588,7 @@ channel_find_open(void) case SSH_CHANNEL_OPENING: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_ZOMBIE: + case SSH_CHANNEL_ABANDONED: continue; case SSH_CHANNEL_LARVAL: case SSH_CHANNEL_AUTH_SOCKET: @@ -635,6 +636,7 @@ channel_open_message(void) case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: case SSH_CHANNEL_ZOMBIE: + case SSH_CHANNEL_ABANDONED: case SSH_CHANNEL_MUX_CLIENT: case SSH_CHANNEL_MUX_LISTENER: continue; @@ -710,7 +712,7 @@ channel_register_status_confirm(int id, channel_confirm_cb *cb, if ((c = channel_lookup(id)) == NULL) fatal("channel_register_expect: %d: bad id", id); - cc = xmalloc(sizeof(*cc)); + cc = xcalloc(1, sizeof(*cc)); cc->cb = cb; cc->abandon_cb = abandon_cb; cc->ctx = ctx; @@ -1113,6 +1115,9 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); have = buffer_len(&c->input); p = buffer_ptr(&c->input); + if (memchr(p, '\0', have) == NULL) + fatal("channel %d: decode socks4: user not nul terminated", + c->self); len = strlen(p); debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); len++; /* trailing '\0' */ @@ -1122,10 +1127,8 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) strlcpy(username, p, sizeof(username)); buffer_consume(&c->input, len); - if (c->path != NULL) { - xfree(c->path); - c->path = NULL; - } + free(c->path); + c->path = NULL; if (need == 1) { /* SOCKS4: one string */ host = inet_ntoa(s4_req.dest_addr); c->path = xstrdup(host); @@ -1185,7 +1188,8 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) u_int8_t atyp; } s5_req, s5_rsp; u_int16_t dest_port; - u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; + char dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; + u_char *p; u_int have, need, i, found, nmethods, addrlen, af; debug2("channel %d: decode socks5", c->self); @@ -1255,13 +1259,11 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) buffer_consume(&c->input, sizeof(s5_req)); if (s5_req.atyp == SSH_SOCKS5_DOMAIN) buffer_consume(&c->input, 1); /* host string length */ - buffer_get(&c->input, (char *)&dest_addr, addrlen); + buffer_get(&c->input, &dest_addr, addrlen); buffer_get(&c->input, (char *)&dest_port, 2); dest_addr[addrlen] = '\0'; - if (c->path != NULL) { - xfree(c->path); - c->path = NULL; - } + free(c->path); + c->path = NULL; if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { if (addrlen >= NI_MAXHOST) { error("channel %d: dynamic request: socks5 hostname " @@ -1283,11 +1285,10 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) s5_rsp.command = SSH_SOCKS5_SUCCESS; s5_rsp.reserved = 0; /* ignored */ s5_rsp.atyp = SSH_SOCKS5_IPV4; - ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; dest_port = 0; /* ignored */ buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); - buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); + buffer_put_int(&c->output, ntohl(INADDR_ANY)); /* bind address */ buffer_append(&c->output, &dest_port, sizeof(dest_port)); return 1; } @@ -1366,7 +1367,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) { Channel *nc; struct sockaddr_storage addr; - int newsock; + int newsock, oerrno; socklen_t addrlen; char buf[16384], *remote_ipaddr; int remote_port; @@ -1376,14 +1377,18 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) addrlen = sizeof(addr); newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); if (c->single_connection) { + oerrno = errno; debug2("single_connection: closing X11 listener."); channel_close_fd(&c->sock); chan_mark_dead(c); + errno = oerrno; } if (newsock < 0) { - error("accept: %.100s", strerror(errno)); + if (errno != EINTR && errno != EWOULDBLOCK && + errno != ECONNABORTED) + error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } set_nodelay(newsock); @@ -1417,7 +1422,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) packet_put_cstring(buf); packet_send(); } - xfree(remote_ipaddr); + free(remote_ipaddr); } } @@ -1426,12 +1431,14 @@ port_open_helper(Channel *c, char *rtype) { int direct; char buf[1024]; + char *local_ipaddr = get_local_ipaddr(c->sock); + int local_port = c->sock == -1 ? 65536 : get_sock_port(c->sock, 1); char *remote_ipaddr = get_peer_ipaddr(c->sock); int remote_port = get_peer_port(c->sock); if (remote_port == -1) { /* Fake addr/port to appease peers that validate it (Tectia) */ - xfree(remote_ipaddr); + free(remote_ipaddr); remote_ipaddr = xstrdup("127.0.0.1"); remote_port = 65535; } @@ -1440,11 +1447,11 @@ port_open_helper(Channel *c, char *rtype) snprintf(buf, sizeof buf, "%s: listening port %d for %.100s port %d, " - "connect from %.200s port %d", + "connect from %.200s port %d to %.100s port %d", rtype, c->listening_port, c->path, c->host_port, - remote_ipaddr, remote_port); + remote_ipaddr, remote_port, local_ipaddr, local_port); - xfree(c->remote_name); + free(c->remote_name); c->remote_name = xstrdup(buf); if (compat20) { @@ -1460,7 +1467,7 @@ port_open_helper(Channel *c, char *rtype) } else { /* listen address, port */ packet_put_cstring(c->path); - packet_put_int(c->listening_port); + packet_put_int(local_port); } /* originator host and port */ packet_put_cstring(remote_ipaddr); @@ -1476,7 +1483,8 @@ port_open_helper(Channel *c, char *rtype) packet_put_cstring(c->remote_name); packet_send(); } - xfree(remote_ipaddr); + free(remote_ipaddr); + free(local_ipaddr); } static void @@ -1526,9 +1534,11 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) addrlen = sizeof(addr); newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); if (newsock < 0) { - error("accept: %.100s", strerror(errno)); + if (errno != EINTR && errno != EWOULDBLOCK && + errno != ECONNABORTED) + error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } set_nodelay(newsock); @@ -1564,7 +1574,7 @@ channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) error("accept from auth socket: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } nc = channel_new("accepted auth socket", @@ -1727,7 +1737,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) if (c->datagram) { /* ignore truncated writes, datagrams might get lost */ len = write(c->wfd, buf, dlen); - xfree(data); + free(data); if (len < 0 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) return 1; @@ -1979,7 +1989,7 @@ channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset) &addrlen)) == -1) { error("%s accept: %s", __func__, strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } @@ -2142,7 +2152,7 @@ channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset, channel_handler_init(); did_init = 1; } - now = time(NULL); + now = monotime(); if (unpause_secs != NULL) *unpause_secs = 0; for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { @@ -2272,7 +2282,7 @@ channel_output_poll(void) debug("channel %d: datagram " "too big for channel", c->self); - xfree(data); + free(data); continue; } packet_start(SSH2_MSG_CHANNEL_DATA); @@ -2280,7 +2290,7 @@ channel_output_poll(void) packet_put_string(data, dlen); packet_send(); c->remote_window -= dlen + 4; - xfree(data); + free(data); } continue; } @@ -2452,13 +2462,13 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt) if (data_len > c->local_window) { logit("channel %d: rcvd too much extended_data %d, win %d", c->self, data_len, c->local_window); - xfree(data); + free(data); return; } debug2("channel %d: rcvd ext data %d", c->self, data_len); c->local_window -= data_len; buffer_append(&c->extended, data, data_len); - xfree(data); + free(data); } /* ARGSUSED */ @@ -2548,7 +2558,7 @@ channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) if (c == NULL) packet_disconnect("Received close confirmation for " "out-of-range channel %d.", id); - if (c->type != SSH_CHANNEL_CLOSED) + if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED) packet_disconnect("Received close confirmation for " "non-closed channel %d (type %d).", id, c->type); channel_free(c); @@ -2624,10 +2634,8 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt) } logit("channel %d: open failed: %s%s%s", id, reason2txt(reason), msg ? ": ": "", msg ? msg : ""); - if (msg != NULL) - xfree(msg); - if (lang != NULL) - xfree(lang); + free(msg); + free(lang); if (c->open_confirm) { debug2("callback start"); c->open_confirm(c->self, 0, c->open_confirm_ctx); @@ -2685,8 +2693,8 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt) packet_check_eom(); c = channel_connect_to(host, host_port, "connected socket", originator_string); - xfree(originator_string); - xfree(host); + free(originator_string); + free(host); if (c == NULL) { packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(remote_id); @@ -2720,8 +2728,8 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) return; cc->cb(type, c, cc->ctx); TAILQ_REMOVE(&c->status_confirms, cc, entry); - bzero(cc, sizeof(*cc)); - xfree(cc); + explicit_bzero(cc, sizeof(*cc)); + free(cc); } /* -- tcp forwarding */ @@ -2770,8 +2778,20 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp, if (((datafellows & SSH_OLD_FORWARD_ADDR) && strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || - (!is_client && gateway_ports == 1)) + (!is_client && gateway_ports == 1)) { wildcard = 1; + /* + * Notify client if they requested a specific listen + * address and it was overridden. + */ + if (*listen_addr != '\0' && + strcmp(listen_addr, "0.0.0.0") != 0 && + strcmp(listen_addr, "*") != 0) { + packet_send_debug("Forwarding listen address " + "\"%s\" overridden by server " + "GatewayPorts", listen_addr); + } + } else if (strcmp(listen_addr, "localhost") != 0) addr = listen_addr; } @@ -3117,7 +3137,7 @@ channel_request_rforward_cancel(const char *host, u_short port) permitted_opens[i].listen_port = 0; permitted_opens[i].port_to_connect = 0; - xfree(permitted_opens[i].host_to_connect); + free(permitted_opens[i].host_to_connect); permitted_opens[i].host_to_connect = NULL; return 0; @@ -3158,7 +3178,7 @@ channel_input_port_forward_request(int is_root, int gateway_ports) host_port, gateway_ports); /* Free the argument string. */ - xfree(hostname); + free(hostname); return (success ? 0 : -1); } @@ -3213,7 +3233,7 @@ channel_update_permitted_opens(int idx, int newport) } else { permitted_opens[idx].listen_port = 0; permitted_opens[idx].port_to_connect = 0; - xfree(permitted_opens[idx].host_to_connect); + free(permitted_opens[idx].host_to_connect); permitted_opens[idx].host_to_connect = NULL; } } @@ -3246,12 +3266,9 @@ channel_clear_permitted_opens(void) int i; for (i = 0; i < num_permitted_opens; i++) - if (permitted_opens[i].host_to_connect != NULL) - xfree(permitted_opens[i].host_to_connect); - if (num_permitted_opens > 0) { - xfree(permitted_opens); - permitted_opens = NULL; - } + free(permitted_opens[i].host_to_connect); + free(permitted_opens); + permitted_opens = NULL; num_permitted_opens = 0; } @@ -3261,12 +3278,9 @@ channel_clear_adm_permitted_opens(void) int i; for (i = 0; i < num_adm_permitted_opens; i++) - if (permitted_adm_opens[i].host_to_connect != NULL) - xfree(permitted_adm_opens[i].host_to_connect); - if (num_adm_permitted_opens > 0) { - xfree(permitted_adm_opens); - permitted_adm_opens = NULL; - } + free(permitted_adm_opens[i].host_to_connect); + free(permitted_adm_opens); + permitted_adm_opens = NULL; num_adm_permitted_opens = 0; } @@ -3360,12 +3374,10 @@ connect_next(struct channel_connect *cctx) static void channel_connect_ctx_free(struct channel_connect *cctx) { - xfree(cctx->host); + free(cctx->host); if (cctx->aitop) freeaddrinfo(cctx->aitop); - bzero(cctx, sizeof(*cctx)); - cctx->host = NULL; - cctx->ai = cctx->aitop = NULL; + memset(cctx, 0, sizeof(*cctx)); } /* Return CONNECTING channel to remote host, port */ @@ -3761,7 +3773,7 @@ x11_input_open(int type, u_int32_t seq, void *ctxt) c->remote_id = remote_id; c->force_drain = 1; } - xfree(remote_host); + free(remote_host); if (c == NULL) { /* Send refusal to the remote host. */ packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); @@ -3869,7 +3881,7 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, packet_put_int(screen_number); packet_send(); packet_write_wait(); - xfree(new_data); + free(new_data); } diff --git a/crypto/openssh/channels.h b/crypto/openssh/channels.h index cede0a4e1..68ebf098b 100644 --- a/crypto/openssh/channels.h +++ b/crypto/openssh/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.111 2012/04/11 13:16:19 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.113 2013/06/07 15:37:52 dtucker Exp $ */ /* $FreeBSD$ */ /* @@ -56,7 +56,8 @@ #define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */ #define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */ #define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */ -#define SSH_CHANNEL_MAX_TYPE 17 +#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */ +#define SSH_CHANNEL_MAX_TYPE 18 #define CHANNEL_CANCEL_PORT_STATIC -1 @@ -103,7 +104,9 @@ struct Channel { int sock; /* sock fd */ int ctl_chan; /* control channel (multiplexed connections) */ int isatty; /* rfd is a tty */ +#ifdef _AIX int wfd_isatty; /* wfd is a tty */ +#endif int client_tty; /* (client) TTY has been requested */ int force_drain; /* force close on iEOF */ time_t notbefore; /* Pause IO until deadline (time_t) */ @@ -111,7 +114,7 @@ struct Channel { * channels are delayed until the first call * to a matching pre-select handler. * this way post-select handlers are not - * accidenly called if a FD gets reused */ + * accidentally called if a FD gets reused */ Buffer input; /* data read from socket, to be sent over * encrypted connection */ Buffer output; /* data received over encrypted connection for diff --git a/crypto/openssh/cipher-3des1.c b/crypto/openssh/cipher-3des1.c index b7aa588cd..b2823592b 100644 --- a/crypto/openssh/cipher-3des1.c +++ b/crypto/openssh/cipher-3des1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher-3des1.c,v 1.7 2010/10/01 23:05:32 djm Exp $ */ +/* $OpenBSD: cipher-3des1.c,v 1.10 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2003 Markus Friedl. All rights reserved. * @@ -67,7 +67,7 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, u_char *k1, *k2, *k3; if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { - c = xmalloc(sizeof(*c)); + c = xcalloc(1, sizeof(*c)); EVP_CIPHER_CTX_set_app_data(ctx, c); } if (key == NULL) @@ -93,8 +93,8 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 || EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { - memset(c, 0, sizeof(*c)); - xfree(c); + explicit_bzero(c, sizeof(*c)); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); return (0); } @@ -134,8 +134,8 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx) EVP_CIPHER_CTX_cleanup(&c->k1); EVP_CIPHER_CTX_cleanup(&c->k2); EVP_CIPHER_CTX_cleanup(&c->k3); - memset(c, 0, sizeof(*c)); - xfree(c); + explicit_bzero(c, sizeof(*c)); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); } return (1); diff --git a/crypto/openssh/cipher-aes.c b/crypto/openssh/cipher-aes.c index 07ec7aa5d..8b1017272 100644 --- a/crypto/openssh/cipher-aes.c +++ b/crypto/openssh/cipher-aes.c @@ -120,7 +120,7 @@ ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx) if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); } return (1); diff --git a/crypto/openssh/cipher-chachapoly.c b/crypto/openssh/cipher-chachapoly.c new file mode 100644 index 000000000..251b94ec8 --- /dev/null +++ b/crypto/openssh/cipher-chachapoly.c @@ -0,0 +1,114 @@ +/* + * Copyright (c) 2013 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* $OpenBSD: cipher-chachapoly.c,v 1.4 2014/01/31 16:39:19 tedu Exp $ */ + +#include "includes.h" + +#include +#include /* needed for log.h */ +#include +#include /* needed for misc.h */ + +#include "log.h" +#include "misc.h" +#include "cipher-chachapoly.h" + +void chachapoly_init(struct chachapoly_ctx *ctx, + const u_char *key, u_int keylen) +{ + if (keylen != (32 + 32)) /* 2 x 256 bit keys */ + fatal("%s: invalid keylen %u", __func__, keylen); + chacha_keysetup(&ctx->main_ctx, key, 256); + chacha_keysetup(&ctx->header_ctx, key + 32, 256); +} + +/* + * chachapoly_crypt() operates as following: + * En/decrypt with header key 'aadlen' bytes from 'src', storing result + * to 'dest'. The ciphertext here is treated as additional authenticated + * data for MAC calculation. + * En/decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. Use + * POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the authentication + * tag. This tag is written on encryption and verified on decryption. + */ +int +chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, + const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt) +{ + u_char seqbuf[8]; + const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */ + u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; + int r = -1; + + /* + * Run ChaCha20 once to generate the Poly1305 key. The IV is the + * packet sequence number. + */ + memset(poly_key, 0, sizeof(poly_key)); + put_u64(seqbuf, seqnr); + chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL); + chacha_encrypt_bytes(&ctx->main_ctx, + poly_key, poly_key, sizeof(poly_key)); + /* Set Chacha's block counter to 1 */ + chacha_ivsetup(&ctx->main_ctx, seqbuf, one); + + /* If decrypting, check tag before anything else */ + if (!do_encrypt) { + const u_char *tag = src + aadlen + len; + + poly1305_auth(expected_tag, src, aadlen + len, poly_key); + if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) + goto out; + } + /* Crypt additional data */ + if (aadlen) { + chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); + chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen); + } + chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen, + dest + aadlen, len); + + /* If encrypting, calculate and append tag */ + if (do_encrypt) { + poly1305_auth(dest + aadlen + len, dest, aadlen + len, + poly_key); + } + r = 0; + + out: + explicit_bzero(expected_tag, sizeof(expected_tag)); + explicit_bzero(seqbuf, sizeof(seqbuf)); + explicit_bzero(poly_key, sizeof(poly_key)); + return r; +} + +/* Decrypt and extract the encrypted packet length */ +int +chachapoly_get_length(struct chachapoly_ctx *ctx, + u_int *plenp, u_int seqnr, const u_char *cp, u_int len) +{ + u_char buf[4], seqbuf[8]; + + if (len < 4) + return -1; /* Insufficient length */ + put_u64(seqbuf, seqnr); + chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); + chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4); + *plenp = get_u32(buf); + return 0; +} + diff --git a/crypto/openssh/cipher-chachapoly.h b/crypto/openssh/cipher-chachapoly.h new file mode 100644 index 000000000..1628693b2 --- /dev/null +++ b/crypto/openssh/cipher-chachapoly.h @@ -0,0 +1,41 @@ +/* $OpenBSD: cipher-chachapoly.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */ + +/* + * Copyright (c) Damien Miller 2013 + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#ifndef CHACHA_POLY_AEAD_H +#define CHACHA_POLY_AEAD_H + +#include +#include "chacha.h" +#include "poly1305.h" + +#define CHACHA_KEYLEN 32 /* Only 256 bit keys used here */ + +struct chachapoly_ctx { + struct chacha_ctx main_ctx, header_ctx; +}; + +void chachapoly_init(struct chachapoly_ctx *cpctx, + const u_char *key, u_int keylen) + __attribute__((__bounded__(__buffer__, 2, 3))); +int chachapoly_crypt(struct chachapoly_ctx *cpctx, u_int seqnr, + u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen, + int do_encrypt); +int chachapoly_get_length(struct chachapoly_ctx *cpctx, + u_int *plenp, u_int seqnr, const u_char *cp, u_int len) + __attribute__((__bounded__(__buffer__, 4, 5))); + +#endif /* CHACHA_POLY_AEAD_H */ diff --git a/crypto/openssh/cipher-ctr.c b/crypto/openssh/cipher-ctr.c index d1fe69f57..ea0f9b3b7 100644 --- a/crypto/openssh/cipher-ctr.c +++ b/crypto/openssh/cipher-ctr.c @@ -104,7 +104,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); } return (1); diff --git a/crypto/openssh/cipher.c b/crypto/openssh/cipher.c index 91bd11ee4..0f4bd48e6 100644 --- a/crypto/openssh/cipher.c +++ b/crypto/openssh/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.97 2014/02/07 06:55:54 djm Exp $ */ /* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -37,17 +37,20 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include -#include - #include #include +#include #include "xmalloc.h" #include "log.h" +#include "misc.h" #include "cipher.h" +#include "buffer.h" +#include "digest.h" /* compatibility with old or broken OpenSSL versions */ #include "openbsd-compat/openssl-compat.h" @@ -64,9 +67,13 @@ struct Cipher { u_int iv_len; /* defaults to block_size */ u_int auth_len; u_int discard_len; - u_int cbc_mode; + u_int flags; +#define CFLAG_CBC (1<<0) +#define CFLAG_CHACHAPOLY (1<<1) const EVP_CIPHER *(*evptype)(void); -} ciphers[] = { +}; + +static const struct Cipher ciphers[] = { { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, @@ -94,11 +101,36 @@ struct Cipher { { "aes256-gcm@openssh.com", SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, #endif + { "chacha20-poly1305@openssh.com", + SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL }, { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } }; /*--*/ +/* Returns a list of supported ciphers separated by the specified char. */ +char * +cipher_alg_list(char sep, int auth_only) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const Cipher *c; + + for (c = ciphers; c->name != NULL; c++) { + if (c->number != SSH_CIPHER_SSH2) + continue; + if (auth_only && c->auth_len == 0) + continue; + if (ret != NULL) + ret[rlen++] = sep; + nlen = strlen(c->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, c->name, nlen + 1); + rlen += nlen; + } + return ret; +} + u_int cipher_blocksize(const Cipher *c) { @@ -111,6 +143,14 @@ cipher_keylen(const Cipher *c) return (c->key_len); } +u_int +cipher_seclen(const Cipher *c) +{ + if (strcmp("3des-cbc", c->name) == 0) + return 14; + return cipher_keylen(c); +} + u_int cipher_authlen(const Cipher *c) { @@ -120,7 +160,12 @@ cipher_authlen(const Cipher *c) u_int cipher_ivlen(const Cipher *c) { - return (c->iv_len ? c->iv_len : c->block_size); + /* + * Default is cipher block size, except for chacha20+poly1305 that + * needs no IV. XXX make iv_len == -1 default? + */ + return (c->iv_len != 0 || (c->flags & CFLAG_CHACHAPOLY) != 0) ? + c->iv_len : c->block_size; } u_int @@ -132,7 +177,7 @@ cipher_get_number(const Cipher *c) u_int cipher_is_cbc(const Cipher *c) { - return (c->cbc_mode); + return (c->flags & CFLAG_CBC) != 0; } u_int @@ -147,20 +192,20 @@ cipher_mask_ssh1(int client) return mask; } -Cipher * +const Cipher * cipher_by_name(const char *name) { - Cipher *c; + const Cipher *c; for (c = ciphers; c->name != NULL; c++) if (strcmp(c->name, name) == 0) return c; return NULL; } -Cipher * +const Cipher * cipher_by_number(int id) { - Cipher *c; + const Cipher *c; for (c = ciphers; c->name != NULL; c++) if (c->number == id) return c; @@ -171,7 +216,7 @@ cipher_by_number(int id) int ciphers_valid(const char *names) { - Cipher *c; + const Cipher *c; char *cipher_list, *cp; char *p; @@ -188,14 +233,12 @@ ciphers_valid(const char *names) if (c == NULL || (c->number != SSH_CIPHER_SSH2)) { #endif debug("bad cipher %s [%s]", p, names); - xfree(cipher_list); + free(cipher_list); return 0; - } else { - debug3("cipher ok: %s [%s]", p, names); } } debug3("ciphers ok: [%s]", names); - xfree(cipher_list); + free(cipher_list); return 1; } @@ -207,7 +250,7 @@ ciphers_valid(const char *names) int cipher_number(const char *name) { - Cipher *c; + const Cipher *c; if (name == NULL) return -1; for (c = ciphers; c->name != NULL; c++) @@ -219,12 +262,12 @@ cipher_number(const char *name) char * cipher_name(int id) { - Cipher *c = cipher_by_number(id); + const Cipher *c = cipher_by_number(id); return (c==NULL) ? "" : c->name; } void -cipher_init(CipherContext *cc, Cipher *cipher, +cipher_init(CipherContext *cc, const Cipher *cipher, const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, int do_encrypt) { @@ -257,8 +300,11 @@ cipher_init(CipherContext *cc, Cipher *cipher, ivlen, cipher->name); cc->cipher = cipher; + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { + chachapoly_init(&cc->cp_ctx, key, keylen); + return; + } type = (*cipher->evptype)(); - EVP_CIPHER_CTX_init(&cc->evp); #ifdef SSH_OLD_EVP if (type->key_len > 0 && type->key_len != keylen) { @@ -296,9 +342,9 @@ cipher_init(CipherContext *cc, Cipher *cipher, if (EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len) == 0) fatal("evp_crypt: EVP_Cipher failed during discard"); - memset(discard, 0, cipher->discard_len); - xfree(junk); - xfree(discard); + explicit_bzero(discard, cipher->discard_len); + free(junk); + free(discard); } } @@ -311,11 +357,16 @@ cipher_init(CipherContext *cc, Cipher *cipher, * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag. * This tag is written on encryption and verified on decryption. * Both 'aadlen' and 'authlen' can be set to 0. + * cipher_crypt() returns 0 on success and -1 if the decryption integrity + * check fails. */ -void -cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, +int +cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen) { + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len, + aadlen, authlen, cc->encrypt); if (authlen) { u_char lastiv[1]; @@ -348,19 +399,36 @@ cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, if (cc->encrypt) fatal("%s: EVP_Cipher(final) failed", __func__); else - fatal("Decryption integrity check failed"); + return -1; } if (cc->encrypt && !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG, authlen, dest + aadlen + len)) fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__); } + return 0; +} + +/* Extract the packet length, including any decryption necessary beforehand */ +int +cipher_get_length(CipherContext *cc, u_int *plenp, u_int seqnr, + const u_char *cp, u_int len) +{ + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr, + cp, len); + if (len < 4) + return -1; + *plenp = get_u32(cp); + return 0; } void cipher_cleanup(CipherContext *cc) { - if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx)); + else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); } @@ -370,20 +438,18 @@ cipher_cleanup(CipherContext *cc) */ void -cipher_set_key_string(CipherContext *cc, Cipher *cipher, +cipher_set_key_string(CipherContext *cc, const Cipher *cipher, const char *passphrase, int do_encrypt) { - MD5_CTX md; u_char digest[16]; - MD5_Init(&md); - MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); - MD5_Final(digest, &md); + if (ssh_digest_memory(SSH_DIGEST_MD5, passphrase, strlen(passphrase), + digest, sizeof(digest)) < 0) + fatal("%s: md5 failed", __func__); cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt); - memset(digest, 0, sizeof(digest)); - memset(&md, 0, sizeof(md)); + explicit_bzero(digest, sizeof(digest)); } /* @@ -395,11 +461,13 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher, int cipher_get_keyiv_len(const CipherContext *cc) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int ivlen; if (c->number == SSH_CIPHER_3DES) ivlen = 24; + else if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + ivlen = 0; else ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); return (ivlen); @@ -408,9 +476,15 @@ cipher_get_keyiv_len(const CipherContext *cc) void cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int evplen; + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { + if (len != 0) + fatal("%s: wrong iv length %d != %d", __func__, len, 0); + return; + } + switch (c->number) { #ifdef NONE_CIPHER_ENABLED case SSH_CIPHER_NONE: @@ -447,9 +521,12 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) void cipher_set_keyiv(CipherContext *cc, u_char *iv) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int evplen = 0; + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + return; + switch (c->number) { #ifdef NONE_CIPHER_ENABLED case SSH_CIPHER_NONE: @@ -483,7 +560,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) int cipher_get_keycontext(const CipherContext *cc, u_char *dat) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int plen = 0; if (c->evptype == EVP_rc4) { @@ -498,7 +575,7 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat) void cipher_set_keycontext(CipherContext *cc, u_char *dat) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int plen; if (c->evptype == EVP_rc4) { diff --git a/crypto/openssh/cipher.h b/crypto/openssh/cipher.h index 8cb57c3e5..133d2e73d 100644 --- a/crypto/openssh/cipher.h +++ b/crypto/openssh/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: cipher.h,v 1.44 2014/01/25 10:12:50 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -38,6 +38,8 @@ #define CIPHER_H #include +#include "cipher-chachapoly.h" + /* * Cipher types for SSH-1. New types can be added, but old types should not * be removed for compatibility. The maximum allowed value is 31. @@ -66,23 +68,28 @@ struct CipherContext { int plaintext; int encrypt; EVP_CIPHER_CTX evp; - Cipher *cipher; + struct chachapoly_ctx cp_ctx; /* XXX union with evp? */ + const Cipher *cipher; }; u_int cipher_mask_ssh1(int); -Cipher *cipher_by_name(const char *); -Cipher *cipher_by_number(int); +const Cipher *cipher_by_name(const char *); +const Cipher *cipher_by_number(int); int cipher_number(const char *); char *cipher_name(int); int ciphers_valid(const char *); -void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, +char *cipher_alg_list(char, int); +void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int, const u_char *, u_int, int); -void cipher_crypt(CipherContext *, u_char *, const u_char *, +int cipher_crypt(CipherContext *, u_int, u_char *, const u_char *, u_int, u_int, u_int); +int cipher_get_length(CipherContext *, u_int *, u_int, + const u_char *, u_int); void cipher_cleanup(CipherContext *); -void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); +void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int); u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); +u_int cipher_seclen(const Cipher *); u_int cipher_authlen(const Cipher *); u_int cipher_ivlen(const Cipher *); u_int cipher_is_cbc(const Cipher *); diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c index aa6670aff..0532f1e84 100644 --- a/crypto/openssh/clientloop.c +++ b/crypto/openssh/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.258 2014/02/02 03:44:31 djm Exp $ */ /* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -61,6 +61,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include @@ -274,7 +275,7 @@ set_control_persist_exit_time(void) control_persist_exit_time = 0; } else if (control_persist_exit_time <= 0) { /* a client connection has recently closed */ - control_persist_exit_time = time(NULL) + + control_persist_exit_time = monotime() + (time_t)options.control_persist_timeout; debug2("%s: schedule exit in %d seconds", __func__, options.control_persist_timeout); @@ -290,7 +291,7 @@ client_x11_display_valid(const char *display) dlen = strlen(display); for (i = 0; i < dlen; i++) { - if (!isalnum(display[i]) && + if (!isalnum((u_char)display[i]) && strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) { debug("Invalid character '%c' in DISPLAY", display[i]); return 0; @@ -357,7 +358,7 @@ client_x11_get_proto(const char *display, const char *xauth_path, if (system(cmd) == 0) generated = 1; if (x11_refuse_time == 0) { - now = time(NULL) + 1; + now = monotime() + 1; if (UINT_MAX - timeout < now) x11_refuse_time = UINT_MAX; else @@ -394,10 +395,8 @@ client_x11_get_proto(const char *display, const char *xauth_path, unlink(xauthfile); rmdir(xauthdir); } - if (xauthdir) - xfree(xauthdir); - if (xauthfile) - xfree(xauthfile); + free(xauthdir); + free(xauthfile); /* * If we didn't get authentication data, just make up some @@ -552,8 +551,8 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) gc->cb(type, seq, gc->ctx); if (--gc->ref_count <= 0) { TAILQ_REMOVE(&global_confirms, gc, entry); - bzero(gc, sizeof(*gc)); - xfree(gc); + explicit_bzero(gc, sizeof(*gc)); + free(gc); } packet_set_alive_timeouts(0); @@ -584,7 +583,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, { struct timeval tv, *tvp; int timeout_secs; - time_t minwait_secs = 0; + time_t minwait_secs = 0, server_alive_time = 0, now = monotime(); int ret; /* Add any selections by the channel mechanism. */ @@ -633,12 +632,16 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, */ timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ - if (options.server_alive_interval > 0 && compat20) + if (options.server_alive_interval > 0 && compat20) { timeout_secs = options.server_alive_interval; + server_alive_time = now + options.server_alive_interval; + } + if (options.rekey_interval > 0 && compat20 && !rekeying) + timeout_secs = MIN(timeout_secs, packet_get_rekey_timeout()); set_control_persist_exit_time(); if (control_persist_exit_time > 0) { timeout_secs = MIN(timeout_secs, - control_persist_exit_time - time(NULL)); + control_persist_exit_time - now); if (timeout_secs < 0) timeout_secs = 0; } @@ -670,8 +673,15 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; - } else if (ret == 0) - server_alive_check(); + } else if (ret == 0) { + /* + * Timeout. Could have been either keepalive or rekeying. + * Keepalive we check here, rekeying is checked in clientloop. + */ + if (server_alive_time != 0 && server_alive_time <= monotime()) + server_alive_check(); + } + } static void @@ -816,20 +826,20 @@ client_status_confirm(int type, Channel *c, void *ctx) chan_write_failed(c); } } - xfree(cr); + free(cr); } static void client_abandon_status_confirm(Channel *c, void *ctx) { - xfree(ctx); + free(ctx); } void client_expect_confirm(int id, const char *request, enum confirm_action action) { - struct channel_reply_ctx *cr = xmalloc(sizeof(*cr)); + struct channel_reply_ctx *cr = xcalloc(1, sizeof(*cr)); cr->request_type = request; cr->action = action; @@ -852,7 +862,7 @@ client_register_global_confirm(global_confirm_cb *cb, void *ctx) return; } - gc = xmalloc(sizeof(*gc)); + gc = xcalloc(1, sizeof(*gc)); gc->cb = cb; gc->ctx = ctx; gc->ref_count = 1; @@ -868,7 +878,7 @@ process_cmdline(void) int cancel_port, ok; Forward fwd; - bzero(&fwd, sizeof(fwd)); + memset(&fwd, 0, sizeof(fwd)); fwd.listen_host = fwd.connect_host = NULL; leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); @@ -876,7 +886,7 @@ process_cmdline(void) cmd = s = read_passphrase("\r\nssh> ", RP_ECHO); if (s == NULL) goto out; - while (isspace(*s)) + while (isspace((u_char)*s)) s++; if (*s == '-') s++; /* Skip cmdline '-', if any */ @@ -930,7 +940,7 @@ process_cmdline(void) goto out; } - while (isspace(*++s)) + while (isspace((u_char)*++s)) ; /* XXX update list of forwards in options */ @@ -989,12 +999,9 @@ process_cmdline(void) out: signal(SIGINT, handler); enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); - if (cmd) - xfree(cmd); - if (fwd.listen_host != NULL) - xfree(fwd.listen_host); - if (fwd.connect_host != NULL) - xfree(fwd.connect_host); + free(cmd); + free(fwd.listen_host); + free(fwd.connect_host); } /* reasons to suppress output of an escape command in help output */ @@ -1104,8 +1111,11 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, if (c && c->ctl_chan != -1) { chan_read_failed(c); chan_write_failed(c); - mux_master_session_cleanup_cb(c->self, - NULL); + if (c->detach_user) + c->detach_user(c->self, NULL); + c->type = SSH_CHANNEL_ABANDONED; + buffer_clear(&c->input); + chan_ibuf_empty(c); return 0; } else quit_pending = 1; @@ -1145,7 +1155,7 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, "%cB\r\n", escape_char); buffer_append(berr, string, strlen(string)); - channel_request_start(session_ident, + channel_request_start(c->self, "break", 0); packet_put_int(1000); packet_send(); @@ -1251,7 +1261,7 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, buffer_append(berr, string, strlen(string)); s = channel_open_message(); buffer_append(berr, s, strlen(s)); - xfree(s); + free(s); continue; case 'C': @@ -1430,7 +1440,7 @@ client_new_escape_filter_ctx(int escape_char) { struct escape_filter_ctx *ret; - ret = xmalloc(sizeof(*ret)); + ret = xcalloc(1, sizeof(*ret)); ret->escape_pending = 0; ret->escape_char = escape_char; return (void *)ret; @@ -1440,7 +1450,7 @@ client_new_escape_filter_ctx(int escape_char) void client_filter_cleanup(int cid, void *ctx) { - xfree(ctx); + free(ctx); } int @@ -1645,16 +1655,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) * connections, then quit. */ if (control_persist_exit_time > 0) { - if (time(NULL) >= control_persist_exit_time) { + if (monotime() >= control_persist_exit_time) { debug("ControlPersist timeout expired"); break; } } } - if (readset) - xfree(readset); - if (writeset) - xfree(writeset); + free(readset); + free(writeset); /* Terminate the session. */ @@ -1755,8 +1763,8 @@ client_input_stdout_data(int type, u_int32_t seq, void *ctxt) char *data = packet_get_string(&data_len); packet_check_eom(); buffer_append(&stdout_buffer, data, data_len); - memset(data, 0, data_len); - xfree(data); + explicit_bzero(data, data_len); + free(data); } static void client_input_stderr_data(int type, u_int32_t seq, void *ctxt) @@ -1765,8 +1773,8 @@ client_input_stderr_data(int type, u_int32_t seq, void *ctxt) char *data = packet_get_string(&data_len); packet_check_eom(); buffer_append(&stderr_buffer, data, data_len); - memset(data, 0, data_len); - xfree(data); + explicit_bzero(data, data_len); + free(data); } static void client_input_exit_status(int type, u_int32_t seq, void *ctxt) @@ -1846,8 +1854,8 @@ client_request_forwarded_tcpip(const char *request_type, int rchan) c = channel_connect_by_listen_address(listen_port, "forwarded-tcpip", originator_address); - xfree(originator_address); - xfree(listen_address); + free(originator_address); + free(listen_address); return c; } @@ -1865,7 +1873,7 @@ client_request_x11(const char *request_type, int rchan) "malicious server."); return NULL; } - if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) { + if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) { verbose("Rejected X11 connection after ForwardX11Timeout " "expired"); return NULL; @@ -1881,7 +1889,7 @@ client_request_x11(const char *request_type, int rchan) /* XXX check permission */ debug("client_request_x11: request from %s %d", originator, originator_port); - xfree(originator); + free(originator); sock = x11_connect_display(); if (sock < 0) return NULL; @@ -2025,7 +2033,7 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt) } packet_send(); } - xfree(ctype); + free(ctype); } static void client_input_channel_req(int type, u_int32_t seq, void *ctxt) @@ -2071,7 +2079,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt) packet_put_int(c->remote_id); packet_send(); } - xfree(rtype); + free(rtype); } static void client_input_global_request(int type, u_int32_t seq, void *ctxt) @@ -2090,7 +2098,7 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt) packet_send(); packet_write_wait(); } - xfree(rtype); + free(rtype); } void @@ -2140,7 +2148,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, /* Split */ name = xstrdup(env[i]); if ((val = strchr(name, '=')) == NULL) { - xfree(name); + free(name); continue; } *val++ = '\0'; @@ -2154,7 +2162,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, } if (!matched) { debug3("Ignored env %s", name); - xfree(name); + free(name); continue; } @@ -2163,7 +2171,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, packet_put_cstring(name); packet_put_cstring(val); packet_send(); - xfree(name); + free(name); } } diff --git a/crypto/openssh/clientloop.h b/crypto/openssh/clientloop.h index d2baa0324..338d45186 100644 --- a/crypto/openssh/clientloop.h +++ b/crypto/openssh/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */ +/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -76,5 +76,4 @@ void muxserver_listen(void); void muxclient(const char *); void mux_exit_message(Channel *, int); void mux_tty_alloc_failed(Channel *); -void mux_master_session_cleanup_cb(int, void *); diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c index e357faf98..4ca71cf99 100644 --- a/crypto/openssh/compat.c +++ b/crypto/openssh/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */ /* $FreeBSD$ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. @@ -25,6 +25,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include @@ -172,8 +173,9 @@ compat_datafellows(const char *version) for (i = 0; check[i].pat; i++) { if (match_pattern_list(version, check[i].pat, strlen(check[i].pat), 0) == 1) { - debug("match: %s pat %s", version, check[i].pat); datafellows = check[i].bugs; + debug("match: %s pat %s compat 0x%08x", + version, check[i].pat, datafellows); /* * Check to see if the remote side is OpenSSH and not * HPN. It is utterly strange to check it from the @@ -215,37 +217,63 @@ proto_spec(const char *spec) break; } } - xfree(s); + free(s); return ret; } -char * -compat_cipher_proposal(char *cipher_prop) +/* + * Filters a proposal string, excluding any algorithm matching the 'filter' + * pattern list. + */ +static char * +filter_proposal(char *proposal, const char *filter) { Buffer b; - char *orig_prop, *fix_ciphers; + char *orig_prop, *fix_prop; char *cp, *tmp; - if (!(datafellows & SSH_BUG_BIGENDIANAES)) - return(cipher_prop); - buffer_init(&b); - tmp = orig_prop = xstrdup(cipher_prop); + tmp = orig_prop = xstrdup(proposal); while ((cp = strsep(&tmp, ",")) != NULL) { - if (strncmp(cp, "aes", 3) != 0) { + if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) { if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); buffer_append(&b, cp, strlen(cp)); - } + } else + debug2("Compat: skipping algorithm \"%s\"", cp); } buffer_append(&b, "\0", 1); - fix_ciphers = xstrdup(buffer_ptr(&b)); + fix_prop = xstrdup(buffer_ptr(&b)); buffer_free(&b); - xfree(orig_prop); - debug2("Original cipher proposal: %s", cipher_prop); - debug2("Compat cipher proposal: %s", fix_ciphers); - if (!*fix_ciphers) - fatal("No available ciphers found."); + free(orig_prop); - return(fix_ciphers); + return fix_prop; } + +char * +compat_cipher_proposal(char *cipher_prop) +{ + if (!(datafellows & SSH_BUG_BIGENDIANAES)) + return cipher_prop; + debug2("%s: original cipher proposal: %s", __func__, cipher_prop); + cipher_prop = filter_proposal(cipher_prop, "aes*"); + debug2("%s: compat cipher proposal: %s", __func__, cipher_prop); + if (*cipher_prop == '\0') + fatal("No supported ciphers found"); + return cipher_prop; +} + + +char * +compat_pkalg_proposal(char *pkalg_prop) +{ + if (!(datafellows & SSH_BUG_RSASIGMD5)) + return pkalg_prop; + debug2("%s: original public key proposal: %s", __func__, pkalg_prop); + pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa"); + debug2("%s: compat public key proposal: %s", __func__, pkalg_prop); + if (*pkalg_prop == '\0') + fatal("No supported PK algorithms found"); + return pkalg_prop; +} + diff --git a/crypto/openssh/compat.h b/crypto/openssh/compat.h index e5f46bc63..10185b3eb 100644 --- a/crypto/openssh/compat.h +++ b/crypto/openssh/compat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.h,v 1.43 2011/09/23 07:45:05 markus Exp $ */ +/* $OpenBSD: compat.h,v 1.44 2013/12/30 23:52:27 djm Exp $ */ /* $FreeBSD$ */ /* @@ -67,6 +67,7 @@ void enable_compat20(void); void compat_datafellows(const char *); int proto_spec(const char *); char *compat_cipher_proposal(char *); +char *compat_pkalg_proposal(char *); extern int compat13; extern int compat20; diff --git a/crypto/openssh/config.guess b/crypto/openssh/config.guess index 78553c4ea..b94cde8ef 100755 --- a/crypto/openssh/config.guess +++ b/crypto/openssh/config.guess @@ -2,9 +2,9 @@ # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -# 2011 Free Software Foundation, Inc. +# 2011, 2012, 2013 Free Software Foundation, Inc. -timestamp='2011-01-23' +timestamp='2012-12-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -17,9 +17,7 @@ timestamp='2011-01-23' # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -57,8 +55,8 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free -Software Foundation, Inc. +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, +2012, 2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or - # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward @@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in fi ;; *) - os=netbsd + os=netbsd ;; esac # The OS release @@ -202,6 +200,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; + *:Bitrig:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} + exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} @@ -224,7 +226,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) - UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on @@ -299,12 +301,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in echo s390-ibm-zvmoe exit ;; *:OS400:*:*) - echo powerpc-ibm-os400 + echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; - arm:riscos:*:*|arm:RISCOS:*:*) + arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) @@ -398,23 +400,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} - exit ;; + exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint${UNAME_RELEASE} - exit ;; + echo m68k-milan-mint${UNAME_RELEASE} + exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint${UNAME_RELEASE} - exit ;; + echo m68k-hades-mint${UNAME_RELEASE} + exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint${UNAME_RELEASE} - exit ;; + echo m68k-unknown-mint${UNAME_RELEASE} + exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; @@ -484,8 +486,8 @@ EOF echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) - # DG/UX returns AViiON for all architectures - UNAME_PROCESSOR=`/usr/bin/uname -p` + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ @@ -498,7 +500,7 @@ EOF else echo i586-dg-dgux${UNAME_RELEASE} fi - exit ;; + exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; @@ -598,52 +600,52 @@ EOF 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` - sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 - 532) # CPU_PA_RISC2_0 - case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in + 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 + 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in + 32) HP_ARCH="hppa2.0n" ;; + 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 - esac ;; - esac + esac ;; + esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + sed 's/^ //' << EOF >$dummy.c - #define _HPUX_SOURCE - #include - #include + #define _HPUX_SOURCE + #include + #include - int main () - { - #if defined(_SC_KERNEL_BITS) - long bits = sysconf(_SC_KERNEL_BITS); - #endif - long cpu = sysconf (_SC_CPU_VERSION); + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); - switch (cpu) - { - case CPU_PA_RISC1_0: puts ("hppa1.0"); break; - case CPU_PA_RISC1_1: puts ("hppa1.1"); break; - case CPU_PA_RISC2_0: - #if defined(_SC_KERNEL_BITS) - switch (bits) - { - case 64: puts ("hppa2.0w"); break; - case 32: puts ("hppa2.0n"); break; - default: puts ("hppa2.0"); break; - } break; - #else /* !defined(_SC_KERNEL_BITS) */ - puts ("hppa2.0"); break; - #endif - default: puts ("hppa1.0"); break; - } - exit (0); - } + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa @@ -734,22 +736,22 @@ EOF exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd - exit ;; + exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi - exit ;; + exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd - exit ;; + exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd - exit ;; + exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd - exit ;; + exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; @@ -773,14 +775,14 @@ EOF exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` - echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit ;; + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` - echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} @@ -792,30 +794,35 @@ EOF echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) - case ${UNAME_MACHINE} in - pc98) - echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + UNAME_PROCESSOR=`/usr/bin/uname -p` + case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) - echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; + *:MINGW64*:*) + echo ${UNAME_MACHINE}-pc-mingw64 + exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; + i*:MSYS*:*) + echo ${UNAME_MACHINE}-pc-msys + exit ;; i*:windows32*:*) - # uname -m includes "-pc" on this system. - echo ${UNAME_MACHINE}-mingw32 + # uname -m includes "-pc" on this system. + echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) - case ${UNAME_MACHINE} in + case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; @@ -861,6 +868,13 @@ EOF i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; + aarch64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; @@ -870,7 +884,7 @@ EOF EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; - esac + esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} @@ -882,20 +896,29 @@ EOF then echo ${UNAME_MACHINE}-unknown-linux-gnu else - echo ${UNAME_MACHINE}-unknown-linux-gnueabi + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + echo ${UNAME_MACHINE}-unknown-linux-gnueabi + else + echo ${UNAME_MACHINE}-unknown-linux-gnueabihf + fi fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; cris:Linux:*:*) - echo cris-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-gnu exit ;; crisv32:Linux:*:*) - echo crisv32-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-gnu exit ;; frv:Linux:*:*) - echo frv-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + hexagon:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; i*86:Linux:*:*) LIBC=gnu @@ -937,7 +960,7 @@ EOF test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; or32:Linux:*:*) - echo or32-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; padre:Linux:*:*) echo sparc-unknown-linux-gnu @@ -963,7 +986,7 @@ EOF echo ${UNAME_MACHINE}-ibm-linux exit ;; sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu @@ -972,16 +995,16 @@ EOF echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; tile*:Linux:*:*) - echo ${UNAME_MACHINE}-tilera-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-gnu exit ;; x86_64:Linux:*:*) - echo x86_64-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; xtensa*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. @@ -990,11 +1013,11 @@ EOF echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) - # Unixware is an offshoot of SVR4, but it has its own version - # number series starting with 2... - # I am not positive that other SVR4 systems won't match this, + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. - # Use sysv4.2uw... so that sysv4* matches it. + # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) @@ -1026,7 +1049,7 @@ EOF fi exit ;; i*86:*:5:[678]*) - # UnixWare 7.x, OpenUNIX and OpenServer 6. + # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; @@ -1054,13 +1077,13 @@ EOF exit ;; pc:*:*:*) # Left here for compatibility: - # uname -m prints for DJGPP always 'pc', but it prints nothing about - # the processor, so we play safe by assuming i586. + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. echo i586-pc-msdosdjgpp - exit ;; + exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; @@ -1095,8 +1118,8 @@ EOF /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) - /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4; exit; } ;; + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ @@ -1139,10 +1162,10 @@ EOF echo ns32k-sni-sysv fi exit ;; - PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort - # says - echo i586-unisys-sysv4 - exit ;; + PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm @@ -1168,11 +1191,11 @@ EOF exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then - echo mips-nec-sysv${UNAME_RELEASE} + echo mips-nec-sysv${UNAME_RELEASE} else - echo mips-unknown-sysv${UNAME_RELEASE} + echo mips-unknown-sysv${UNAME_RELEASE} fi - exit ;; + exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; @@ -1185,6 +1208,9 @@ EOF BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; + x86_64:Haiku:*:*) + echo x86_64-unknown-haiku + exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; @@ -1240,7 +1266,7 @@ EOF NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; - NSE-?:NONSTOP_KERNEL:*:*) + NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) @@ -1285,13 +1311,13 @@ EOF echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) - echo mips-sei-seiux${UNAME_RELEASE} + echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) - UNAME_MACHINE=`(uname -p) 2>/dev/null` + UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; @@ -1309,11 +1335,11 @@ EOF i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; + x86_64:VMkernel:*:*) + echo ${UNAME_MACHINE}-unknown-esx + exit ;; esac -#echo '(No uname command or uname output not recognized.)' 1>&2 -#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 - eval $set_cc_for_build cat >$dummy.c < printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 - "4" + "4" #else - "" + "" #endif - ); exit (0); + ); exit (0); #endif #endif diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h index 4b743e1ff..3b4091eeb 100644 --- a/crypto/openssh/config.h +++ b/crypto/openssh/config.h @@ -48,6 +48,10 @@ /* Can't do comparisons on readv */ /* #undef BROKEN_READV_COMPARISON */ +/* NetBSD read function is sometimes redirected, breaking atomicio comparisons + against it */ +/* #undef BROKEN_READ_COMPARISON */ + /* Define if you have a broken realpath. */ /* #undef BROKEN_REALPATH */ @@ -75,7 +79,7 @@ /* Define if your snprintf is busted */ /* #undef BROKEN_SNPRINTF */ -/* FreeBSD strnvis does not do what we need */ +/* FreeBSD strnvis argument order is swapped compared to OpenBSD */ #define BROKEN_STRNVIS 1 /* tcgetattr with ICANON may hang */ @@ -183,6 +187,9 @@ /* Define to 1 if you have the `arc4random_buf' function. */ #define HAVE_ARC4RANDOM_BUF 1 +/* Define to 1 if you have the `arc4random_stir' function. */ +#define HAVE_ARC4RANDOM_STIR 1 + /* Define to 1 if you have the `arc4random_uniform' function. */ #define HAVE_ARC4RANDOM_UNIFORM 1 @@ -213,9 +220,30 @@ /* Define to 1 if you have the `bcopy' function. */ #define HAVE_BCOPY 1 +/* Define to 1 if you have the `bcrypt_pbkdf' function. */ +/* #undef HAVE_BCRYPT_PBKDF */ + /* Define to 1 if you have the `bindresvport_sa' function. */ #define HAVE_BINDRESVPORT_SA 1 +/* Define to 1 if you have the `blf_enc' function. */ +/* #undef HAVE_BLF_ENC */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_BLF_H */ + +/* Define to 1 if you have the `Blowfish_expand0state' function. */ +/* #undef HAVE_BLOWFISH_EXPAND0STATE */ + +/* Define to 1 if you have the `Blowfish_expandstate' function. */ +/* #undef HAVE_BLOWFISH_EXPANDSTATE */ + +/* Define to 1 if you have the `Blowfish_initstate' function. */ +/* #undef HAVE_BLOWFISH_INITSTATE */ + +/* Define to 1 if you have the `Blowfish_stream2word' function. */ +/* #undef HAVE_BLOWFISH_STREAM2WORD */ + /* Define to 1 if you have the `BN_is_prime_ex' function. */ #define HAVE_BN_IS_PRIME_EX 1 @@ -228,9 +256,15 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_BSTRING_H */ +/* Define to 1 if you have the `cap_rights_limit' function. */ +/* #undef HAVE_CAP_RIGHTS_LIMIT */ + /* Define to 1 if you have the `clock' function. */ #define HAVE_CLOCK 1 +/* Have clock_gettime */ +#define HAVE_CLOCK_GETTIME 1 + /* define if you have clock_t data type */ #define HAVE_CLOCK_T 1 @@ -243,6 +277,9 @@ /* Define if your system uses ancillary data style file descriptor passing */ #define HAVE_CONTROL_IN_MSGHDR 1 +/* Define to 1 if you have the `crypt' function. */ +#define HAVE_CRYPT 1 + /* Define to 1 if you have the header file. */ /* #undef HAVE_CRYPTO_SHA2_H */ @@ -267,6 +304,10 @@ and to 0 if you don't. */ /* #undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE */ +/* Define to 1 if you have the declaration of `howmany', and to 0 if you + don't. */ +#define HAVE_DECL_HOWMANY 1 + /* Define to 1 if you have the declaration of `h_errno', and to 0 if you don't. */ #define HAVE_DECL_H_ERRNO 1 @@ -287,6 +328,10 @@ don't. */ #define HAVE_DECL_MAXSYMLINKS 1 +/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you + don't. */ +#define HAVE_DECL_NFDBITS 1 + /* Define to 1 if you have the declaration of `offsetof', and to 0 if you don't. */ #define HAVE_DECL_OFFSETOF 1 @@ -319,6 +364,9 @@ don't. */ #define HAVE_DECL__GETSHORT 0 +/* Define to 1 if you have the `DES_crypt' function. */ +#define HAVE_DES_CRYPT 1 + /* Define if you have /dev/ptmx */ #define HAVE_DEV_PTMX 1 @@ -340,6 +388,9 @@ /* Define to 1 if you have the header file. */ #define HAVE_ELF_H 1 +/* Define to 1 if you have the `endgrent' function. */ +#define HAVE_ENDGRENT 1 + /* Define to 1 if you have the header file. */ /* #undef HAVE_ENDIAN_H */ @@ -355,12 +406,30 @@ /* Define if libcrypto has EVP_CIPHER_CTX_ctrl */ #define HAVE_EVP_CIPHER_CTX_CTRL 1 +/* Define to 1 if you have the `EVP_DigestFinal_ex' function. */ +#define HAVE_EVP_DIGESTFINAL_EX 1 + +/* Define to 1 if you have the `EVP_DigestInit_ex' function. */ +#define HAVE_EVP_DIGESTINIT_EX 1 + +/* Define to 1 if you have the `EVP_MD_CTX_cleanup' function. */ +#define HAVE_EVP_MD_CTX_CLEANUP 1 + +/* Define to 1 if you have the `EVP_MD_CTX_copy_ex' function. */ +#define HAVE_EVP_MD_CTX_COPY_EX 1 + +/* Define to 1 if you have the `EVP_MD_CTX_init' function. */ +#define HAVE_EVP_MD_CTX_INIT 1 + /* Define to 1 if you have the `EVP_sha256' function. */ #define HAVE_EVP_SHA256 1 /* Define if you have ut_exit in utmp.h */ /* #undef HAVE_EXIT_IN_UTMP */ +/* Define to 1 if you have the `explicit_bzero' function. */ +/* #undef HAVE_EXPLICIT_BZERO */ + /* Define to 1 if you have the `fchmod' function. */ #define HAVE_FCHMOD 1 @@ -373,6 +442,9 @@ /* Define to 1 if you have the header file. */ #define HAVE_FCNTL_H 1 +/* Define to 1 if the system has the type `fd_mask'. */ +#define HAVE_FD_MASK 1 + /* Define to 1 if you have the header file. */ /* #undef HAVE_FEATURES_H */ @@ -391,6 +463,9 @@ /* Define to 1 if the system has the type `fsfilcnt_t'. */ #define HAVE_FSFILCNT_T 1 +/* Define to 1 if you have the `fstatfs' function. */ +#define HAVE_FSTATFS 1 + /* Define to 1 if you have the `fstatvfs' function. */ #define HAVE_FSTATVFS 1 @@ -562,6 +637,9 @@ /* define if you have int64_t data type */ #define HAVE_INT64_T 1 +/* Define to 1 if the system has the type `intmax_t'. */ +#define HAVE_INTMAX_T 1 + /* Define to 1 if you have the header file. */ #define HAVE_INTTYPES_H 1 @@ -577,6 +655,15 @@ /* Define if you have isblank(3C). */ #define HAVE_ISBLANK 1 +/* Define to 1 if you have the `krb5_cc_new_unique' function. */ +/* #undef HAVE_KRB5_CC_NEW_UNIQUE */ + +/* Define to 1 if you have the `krb5_free_error_message' function. */ +/* #undef HAVE_KRB5_FREE_ERROR_MESSAGE */ + +/* Define to 1 if you have the `krb5_get_error_message' function. */ +/* #undef HAVE_KRB5_GET_ERROR_MESSAGE */ + /* Define to 1 if you have the header file. */ /* #undef HAVE_LASTLOG_H */ @@ -637,6 +724,9 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_LINUX_SECCOMP_H */ +/* Define to 1 if you have the header file. */ +#define HAVE_LOCALE_H 1 + /* Define to 1 if you have the `login' function. */ /* #undef HAVE_LOGIN */ @@ -664,6 +754,9 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_MAILLOCK_H */ +/* Define to 1 if you have the `mblen' function. */ +#define HAVE_MBLEN 1 + /* Define to 1 if you have the `md5_crypt' function. */ /* #undef HAVE_MD5_CRYPT */ @@ -770,15 +863,6 @@ /* Define to 1 if you have the `pututxline' function. */ #define HAVE_PUTUTXLINE 1 -/* Define if your password has a pw_change field */ -#define HAVE_PW_CHANGE_IN_PASSWD 1 - -/* Define if your password has a pw_class field */ -#define HAVE_PW_CLASS_IN_PASSWD 1 - -/* Define if your password has a pw_expire field */ -#define HAVE_PW_EXPIRE_IN_PASSWD 1 - /* Define to 1 if you have the `readpassphrase' function. */ #define HAVE_READPASSPHRASE 1 @@ -815,6 +899,9 @@ /* define if you have sa_family_t data type */ #define HAVE_SA_FAMILY_T 1 +/* Define to 1 if you have the `scan_scaled' function. */ +/* #undef HAVE_SCAN_SCALED */ + /* Define if you have SecureWare-based protected password database */ /* #undef HAVE_SECUREWARE */ @@ -1004,6 +1091,18 @@ /* define if you have struct in6_addr data type */ #define HAVE_STRUCT_IN6_ADDR 1 +/* Define to 1 if `pw_change' is a member of `struct passwd'. */ +#define HAVE_STRUCT_PASSWD_PW_CHANGE 1 + +/* Define to 1 if `pw_class' is a member of `struct passwd'. */ +#define HAVE_STRUCT_PASSWD_PW_CLASS 1 + +/* Define to 1 if `pw_expire' is a member of `struct passwd'. */ +#define HAVE_STRUCT_PASSWD_PW_EXPIRE 1 + +/* Define to 1 if `pw_gecos' is a member of `struct passwd'. */ +#define HAVE_STRUCT_PASSWD_PW_GECOS 1 + /* define if you have struct sockaddr_in6 data type */ #define HAVE_STRUCT_SOCKADDR_IN6 1 @@ -1040,6 +1139,9 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_BSDTTY_H */ +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_CAPABILITY_H 1 + /* Define to 1 if you have the header file. */ #define HAVE_SYS_CDEFS_H 1 @@ -1154,6 +1256,9 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_UCRED_H */ +/* Define to 1 if the system has the type `uintmax_t'. */ +#define HAVE_UINTMAX_T 1 + /* define if you have uintxx_t data type */ #define HAVE_UINTXX_T 1 @@ -1324,15 +1429,6 @@ /* Set this to your mail directory if you do not have _PATH_MAILDIR */ /* #undef MAIL_DIRECTORY */ -/* Define on *nto-qnx systems */ -/* #undef MISSING_FD_MASK */ - -/* Define on *nto-qnx systems */ -/* #undef MISSING_HOWMANY */ - -/* Define on *nto-qnx systems */ -/* #undef MISSING_NFDBITS */ - /* Need setpgrp to acquire controlling tty */ /* #undef NEED_SETPGRP */ @@ -1351,9 +1447,18 @@ /* Define if EVP_DigestUpdate returns void */ /* #undef OPENSSL_EVP_DIGESTUPDATE_VOID */ -/* libcrypto includes complete ECC support */ +/* OpenSSL has ECC */ #define OPENSSL_HAS_ECC 1 +/* libcrypto has NID_X9_62_prime256v1 */ +#define OPENSSL_HAS_NISTP256 1 + +/* libcrypto has NID_secp384r1 */ +#define OPENSSL_HAS_NISTP384 1 + +/* libcrypto has NID_secp521r1 */ +#define OPENSSL_HAS_NISTP521 1 + /* libcrypto has EVP AES CTR */ /* #undef OPENSSL_HAVE_EVPCTR */ @@ -1406,6 +1511,9 @@ /* read(1) can return 0 for a non-closed fd */ /* #undef PTY_ZEROREAD */ +/* Sandbox using capsicum */ +/* #undef SANDBOX_CAPSICUM */ + /* Sandbox using Darwin sandbox_init(3) */ /* #undef SANDBOX_DARWIN */ @@ -1421,6 +1529,9 @@ /* setrlimit RLIMIT_FSIZE works */ /* #undef SANDBOX_SKIP_RLIMIT_FSIZE */ +/* define if setrlimit RLIMIT_NOFILE breaks things */ +#define SANDBOX_SKIP_RLIMIT_NOFILE 1 + /* Sandbox using systrace(4) */ /* #undef SANDBOX_SYSTRACE */ @@ -1434,7 +1545,7 @@ #define SIZEOF_INT 4 /* The size of `long int', as computed by sizeof. */ -#define SIZEOF_LONG_INT 4 +#define SIZEOF_LONG_INT 8 /* The size of `long long int', as computed by sizeof. */ #define SIZEOF_LONG_LONG_INT 8 @@ -1570,11 +1681,6 @@ /* Define if xauth is found in your path */ /* #undef XAUTH_PATH */ -/* Enable large inode numbers on Mac OS X 10.5. */ -#ifndef _DARWIN_USE_64_BIT_INODE -# define _DARWIN_USE_64_BIT_INODE 1 -#endif - /* Number of bits in a file offset, on hosts where this is settable. */ /* #undef _FILE_OFFSET_BITS */ diff --git a/crypto/openssh/config.h.in b/crypto/openssh/config.h.in index ea3591a0b..0401ad181 100644 --- a/crypto/openssh/config.h.in +++ b/crypto/openssh/config.h.in @@ -47,6 +47,10 @@ /* Can't do comparisons on readv */ #undef BROKEN_READV_COMPARISON +/* NetBSD read function is sometimes redirected, breaking atomicio comparisons + against it */ +#undef BROKEN_READ_COMPARISON + /* Define if you have a broken realpath. */ #undef BROKEN_REALPATH @@ -74,7 +78,7 @@ /* Define if your snprintf is busted */ #undef BROKEN_SNPRINTF -/* FreeBSD strnvis does not do what we need */ +/* FreeBSD strnvis argument order is swapped compared to OpenBSD */ #undef BROKEN_STRNVIS /* tcgetattr with ICANON may hang */ @@ -182,6 +186,9 @@ /* Define to 1 if you have the `arc4random_buf' function. */ #undef HAVE_ARC4RANDOM_BUF +/* Define to 1 if you have the `arc4random_stir' function. */ +#undef HAVE_ARC4RANDOM_STIR + /* Define to 1 if you have the `arc4random_uniform' function. */ #undef HAVE_ARC4RANDOM_UNIFORM @@ -212,9 +219,30 @@ /* Define to 1 if you have the `bcopy' function. */ #undef HAVE_BCOPY +/* Define to 1 if you have the `bcrypt_pbkdf' function. */ +#undef HAVE_BCRYPT_PBKDF + /* Define to 1 if you have the `bindresvport_sa' function. */ #undef HAVE_BINDRESVPORT_SA +/* Define to 1 if you have the `blf_enc' function. */ +#undef HAVE_BLF_ENC + +/* Define to 1 if you have the header file. */ +#undef HAVE_BLF_H + +/* Define to 1 if you have the `Blowfish_expand0state' function. */ +#undef HAVE_BLOWFISH_EXPAND0STATE + +/* Define to 1 if you have the `Blowfish_expandstate' function. */ +#undef HAVE_BLOWFISH_EXPANDSTATE + +/* Define to 1 if you have the `Blowfish_initstate' function. */ +#undef HAVE_BLOWFISH_INITSTATE + +/* Define to 1 if you have the `Blowfish_stream2word' function. */ +#undef HAVE_BLOWFISH_STREAM2WORD + /* Define to 1 if you have the `BN_is_prime_ex' function. */ #undef HAVE_BN_IS_PRIME_EX @@ -227,9 +255,15 @@ /* Define to 1 if you have the header file. */ #undef HAVE_BSTRING_H +/* Define to 1 if you have the `cap_rights_limit' function. */ +#undef HAVE_CAP_RIGHTS_LIMIT + /* Define to 1 if you have the `clock' function. */ #undef HAVE_CLOCK +/* Have clock_gettime */ +#undef HAVE_CLOCK_GETTIME + /* define if you have clock_t data type */ #undef HAVE_CLOCK_T @@ -242,6 +276,9 @@ /* Define if your system uses ancillary data style file descriptor passing */ #undef HAVE_CONTROL_IN_MSGHDR +/* Define to 1 if you have the `crypt' function. */ +#undef HAVE_CRYPT + /* Define to 1 if you have the header file. */ #undef HAVE_CRYPTO_SHA2_H @@ -266,6 +303,10 @@ and to 0 if you don't. */ #undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE +/* Define to 1 if you have the declaration of `howmany', and to 0 if you + don't. */ +#undef HAVE_DECL_HOWMANY + /* Define to 1 if you have the declaration of `h_errno', and to 0 if you don't. */ #undef HAVE_DECL_H_ERRNO @@ -286,6 +327,10 @@ don't. */ #undef HAVE_DECL_MAXSYMLINKS +/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you + don't. */ +#undef HAVE_DECL_NFDBITS + /* Define to 1 if you have the declaration of `offsetof', and to 0 if you don't. */ #undef HAVE_DECL_OFFSETOF @@ -318,6 +363,9 @@ don't. */ #undef HAVE_DECL__GETSHORT +/* Define to 1 if you have the `DES_crypt' function. */ +#undef HAVE_DES_CRYPT + /* Define if you have /dev/ptmx */ #undef HAVE_DEV_PTMX @@ -339,6 +387,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_ELF_H +/* Define to 1 if you have the `endgrent' function. */ +#undef HAVE_ENDGRENT + /* Define to 1 if you have the header file. */ #undef HAVE_ENDIAN_H @@ -354,12 +405,30 @@ /* Define if libcrypto has EVP_CIPHER_CTX_ctrl */ #undef HAVE_EVP_CIPHER_CTX_CTRL +/* Define to 1 if you have the `EVP_DigestFinal_ex' function. */ +#undef HAVE_EVP_DIGESTFINAL_EX + +/* Define to 1 if you have the `EVP_DigestInit_ex' function. */ +#undef HAVE_EVP_DIGESTINIT_EX + +/* Define to 1 if you have the `EVP_MD_CTX_cleanup' function. */ +#undef HAVE_EVP_MD_CTX_CLEANUP + +/* Define to 1 if you have the `EVP_MD_CTX_copy_ex' function. */ +#undef HAVE_EVP_MD_CTX_COPY_EX + +/* Define to 1 if you have the `EVP_MD_CTX_init' function. */ +#undef HAVE_EVP_MD_CTX_INIT + /* Define to 1 if you have the `EVP_sha256' function. */ #undef HAVE_EVP_SHA256 /* Define if you have ut_exit in utmp.h */ #undef HAVE_EXIT_IN_UTMP +/* Define to 1 if you have the `explicit_bzero' function. */ +#undef HAVE_EXPLICIT_BZERO + /* Define to 1 if you have the `fchmod' function. */ #undef HAVE_FCHMOD @@ -372,6 +441,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_FCNTL_H +/* Define to 1 if the system has the type `fd_mask'. */ +#undef HAVE_FD_MASK + /* Define to 1 if you have the header file. */ #undef HAVE_FEATURES_H @@ -390,6 +462,9 @@ /* Define to 1 if the system has the type `fsfilcnt_t'. */ #undef HAVE_FSFILCNT_T +/* Define to 1 if you have the `fstatfs' function. */ +#undef HAVE_FSTATFS + /* Define to 1 if you have the `fstatvfs' function. */ #undef HAVE_FSTATVFS @@ -561,6 +636,9 @@ /* define if you have int64_t data type */ #undef HAVE_INT64_T +/* Define to 1 if the system has the type `intmax_t'. */ +#undef HAVE_INTMAX_T + /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H @@ -576,6 +654,15 @@ /* Define if you have isblank(3C). */ #undef HAVE_ISBLANK +/* Define to 1 if you have the `krb5_cc_new_unique' function. */ +#undef HAVE_KRB5_CC_NEW_UNIQUE + +/* Define to 1 if you have the `krb5_free_error_message' function. */ +#undef HAVE_KRB5_FREE_ERROR_MESSAGE + +/* Define to 1 if you have the `krb5_get_error_message' function. */ +#undef HAVE_KRB5_GET_ERROR_MESSAGE + /* Define to 1 if you have the header file. */ #undef HAVE_LASTLOG_H @@ -636,6 +723,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_LINUX_SECCOMP_H +/* Define to 1 if you have the header file. */ +#undef HAVE_LOCALE_H + /* Define to 1 if you have the `login' function. */ #undef HAVE_LOGIN @@ -663,6 +753,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_MAILLOCK_H +/* Define to 1 if you have the `mblen' function. */ +#undef HAVE_MBLEN + /* Define to 1 if you have the `md5_crypt' function. */ #undef HAVE_MD5_CRYPT @@ -769,15 +862,6 @@ /* Define to 1 if you have the `pututxline' function. */ #undef HAVE_PUTUTXLINE -/* Define if your password has a pw_change field */ -#undef HAVE_PW_CHANGE_IN_PASSWD - -/* Define if your password has a pw_class field */ -#undef HAVE_PW_CLASS_IN_PASSWD - -/* Define if your password has a pw_expire field */ -#undef HAVE_PW_EXPIRE_IN_PASSWD - /* Define to 1 if you have the `readpassphrase' function. */ #undef HAVE_READPASSPHRASE @@ -814,6 +898,9 @@ /* define if you have sa_family_t data type */ #undef HAVE_SA_FAMILY_T +/* Define to 1 if you have the `scan_scaled' function. */ +#undef HAVE_SCAN_SCALED + /* Define if you have SecureWare-based protected password database */ #undef HAVE_SECUREWARE @@ -1003,6 +1090,18 @@ /* define if you have struct in6_addr data type */ #undef HAVE_STRUCT_IN6_ADDR +/* Define to 1 if `pw_change' is a member of `struct passwd'. */ +#undef HAVE_STRUCT_PASSWD_PW_CHANGE + +/* Define to 1 if `pw_class' is a member of `struct passwd'. */ +#undef HAVE_STRUCT_PASSWD_PW_CLASS + +/* Define to 1 if `pw_expire' is a member of `struct passwd'. */ +#undef HAVE_STRUCT_PASSWD_PW_EXPIRE + +/* Define to 1 if `pw_gecos' is a member of `struct passwd'. */ +#undef HAVE_STRUCT_PASSWD_PW_GECOS + /* define if you have struct sockaddr_in6 data type */ #undef HAVE_STRUCT_SOCKADDR_IN6 @@ -1039,6 +1138,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SYS_BSDTTY_H +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_CAPABILITY_H + /* Define to 1 if you have the header file. */ #undef HAVE_SYS_CDEFS_H @@ -1153,6 +1255,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_UCRED_H +/* Define to 1 if the system has the type `uintmax_t'. */ +#undef HAVE_UINTMAX_T + /* define if you have uintxx_t data type */ #undef HAVE_UINTXX_T @@ -1323,15 +1428,6 @@ /* Set this to your mail directory if you do not have _PATH_MAILDIR */ #undef MAIL_DIRECTORY -/* Define on *nto-qnx systems */ -#undef MISSING_FD_MASK - -/* Define on *nto-qnx systems */ -#undef MISSING_HOWMANY - -/* Define on *nto-qnx systems */ -#undef MISSING_NFDBITS - /* Need setpgrp to acquire controlling tty */ #undef NEED_SETPGRP @@ -1350,9 +1446,18 @@ /* Define if EVP_DigestUpdate returns void */ #undef OPENSSL_EVP_DIGESTUPDATE_VOID -/* libcrypto includes complete ECC support */ +/* OpenSSL has ECC */ #undef OPENSSL_HAS_ECC +/* libcrypto has NID_X9_62_prime256v1 */ +#undef OPENSSL_HAS_NISTP256 + +/* libcrypto has NID_secp384r1 */ +#undef OPENSSL_HAS_NISTP384 + +/* libcrypto has NID_secp521r1 */ +#undef OPENSSL_HAS_NISTP521 + /* libcrypto has EVP AES CTR */ #undef OPENSSL_HAVE_EVPCTR @@ -1405,6 +1510,9 @@ /* read(1) can return 0 for a non-closed fd */ #undef PTY_ZEROREAD +/* Sandbox using capsicum */ +#undef SANDBOX_CAPSICUM + /* Sandbox using Darwin sandbox_init(3) */ #undef SANDBOX_DARWIN @@ -1420,6 +1528,9 @@ /* setrlimit RLIMIT_FSIZE works */ #undef SANDBOX_SKIP_RLIMIT_FSIZE +/* define if setrlimit RLIMIT_NOFILE breaks things */ +#undef SANDBOX_SKIP_RLIMIT_NOFILE + /* Sandbox using systrace(4) */ #undef SANDBOX_SYSTRACE diff --git a/crypto/openssh/config.sub b/crypto/openssh/config.sub new file mode 100755 index 000000000..eee8dccb0 --- /dev/null +++ b/crypto/openssh/config.sub @@ -0,0 +1,1793 @@ +#! /bin/sh +# Configuration validation subroutine script. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, +# 2011, 2012, 2013 Free Software Foundation, Inc. + +timestamp='2012-12-23' + +# This file is (in principle) common to ALL GNU software. +# The presence of a machine in this file suggests that SOME GNU software +# can handle that machine. It does not imply ALL GNU software can. +# +# This file is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + + +# Please send patches to . Submit a context +# diff and a properly formatted GNU ChangeLog entry. +# +# Configuration subroutine to validate and canonicalize a configuration type. +# Supply the specified configuration type as an argument. +# If it is invalid, we print an error message on stderr and exit with code 1. +# Otherwise, we print the canonical config type on stdout and succeed. + +# You can get the latest version of this script from: +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD + +# This file is supposed to be the same for all GNU packages +# and recognize all the CPU types, system types and aliases +# that are meaningful with *any* GNU software. +# Each package is responsible for reporting which valid configurations +# it does not support. The user should be able to distinguish +# a failure to support a valid configuration from a meaningless +# configuration. + +# The goal of this file is to map all the various variations of a given +# machine specification into a single specification in the form: +# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM +# or in some cases, the newer four-part form: +# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM +# It is wrong to echo any other type of specification. + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] CPU-MFR-OPSYS + $0 [OPTION] ALIAS + +Canonicalize a configuration name. + +Operation modes: + -h, --help print this help, then exit + -t, --time-stamp print date of last modification, then exit + -v, --version print version number, then exit + +Report bugs and patches to ." + +version="\ +GNU config.sub ($timestamp) + +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, +2012, 2013 Free Software Foundation, Inc. + +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try \`$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" + exit 1 ;; + + *local*) + # First pass through any local machine types. + echo $1 + exit ;; + + * ) + break ;; + esac +done + +case $# in + 0) echo "$me: missing argument$help" >&2 + exit 1;; + 1) ;; + *) echo "$me: too many arguments$help" >&2 + exit 1;; +esac + +# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). +# Here we must recognize all the valid KERNEL-OS combinations. +maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` +case $maybe_os in + nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ + linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ + knetbsd*-gnu* | netbsd*-gnu* | \ + kopensolaris*-gnu* | \ + storm-chaos* | os2-emx* | rtmk-nova*) + os=-$maybe_os + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` + ;; + android-linux) + os=-linux-android + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown + ;; + *) + basic_machine=`echo $1 | sed 's/-[^-]*$//'` + if [ $basic_machine != $1 ] + then os=`echo $1 | sed 's/.*-/-/'` + else os=; fi + ;; +esac + +### Let's recognize common machines as not being operating systems so +### that things like config.sub decstation-3100 work. We also +### recognize some manufacturers as not being operating systems, so we +### can provide default operating systems below. +case $os in + -sun*os*) + # Prevent following clause from handling this invalid input. + ;; + -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ + -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ + -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ + -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ + -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ + -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ + -apple | -axis | -knuth | -cray | -microblaze*) + os= + basic_machine=$1 + ;; + -bluegene*) + os=-cnk + ;; + -sim | -cisco | -oki | -wec | -winbond) + os= + basic_machine=$1 + ;; + -scout) + ;; + -wrs) + os=-vxworks + basic_machine=$1 + ;; + -chorusos*) + os=-chorusos + basic_machine=$1 + ;; + -chorusrdb) + os=-chorusrdb + basic_machine=$1 + ;; + -hiux*) + os=-hiuxwe2 + ;; + -sco6) + os=-sco5v6 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco5) + os=-sco3.2v5 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco4) + os=-sco3.2v4 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2.[4-9]*) + os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2v[4-9]*) + # Don't forget version if it is 3.2v4 or newer. + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco5v6*) + # Don't forget version if it is 3.2v4 or newer. + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco*) + os=-sco3.2v2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -udk*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -isc) + os=-isc2.2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -clix*) + basic_machine=clipper-intergraph + ;; + -isc*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -lynx*178) + os=-lynxos178 + ;; + -lynx*5) + os=-lynxos5 + ;; + -lynx*) + os=-lynxos + ;; + -ptx*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` + ;; + -windowsnt*) + os=`echo $os | sed -e 's/windowsnt/winnt/'` + ;; + -psos*) + os=-psos + ;; + -mint | -mint[0-9]*) + basic_machine=m68k-atari + os=-mint + ;; +esac + +# Decode aliases for certain CPU-COMPANY combinations. +case $basic_machine in + # Recognize the basic CPU types without company name. + # Some are omitted here because they have special meanings below. + 1750a | 580 \ + | a29k \ + | aarch64 | aarch64_be \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ + | am33_2.0 \ + | arc \ + | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ + | avr | avr32 \ + | be32 | be64 \ + | bfin \ + | c4x | clipper \ + | d10v | d30v | dlx | dsp16xx \ + | epiphany \ + | fido | fr30 | frv \ + | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ + | i370 | i860 | i960 | ia64 \ + | ip2k | iq2000 \ + | le32 | le64 \ + | lm32 \ + | m32c | m32r | m32rle | m68000 | m68k | m88k \ + | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64el \ + | mips64octeon | mips64octeonel \ + | mips64orion | mips64orionel \ + | mips64r5900 | mips64r5900el \ + | mips64vr | mips64vrel \ + | mips64vr4100 | mips64vr4100el \ + | mips64vr4300 | mips64vr4300el \ + | mips64vr5000 | mips64vr5000el \ + | mips64vr5900 | mips64vr5900el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | mipsisa64sr71k | mipsisa64sr71kel \ + | mipstx39 | mipstx39el \ + | mn10200 | mn10300 \ + | moxie \ + | mt \ + | msp430 \ + | nds32 | nds32le | nds32be \ + | nios | nios2 \ + | ns16k | ns32k \ + | open8 \ + | or32 \ + | pdp10 | pdp11 | pj | pjl \ + | powerpc | powerpc64 | powerpc64le | powerpcle \ + | pyramid \ + | rl78 | rx \ + | score \ + | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ + | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ + | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ + | spu \ + | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ + | ubicom32 \ + | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ + | we32k \ + | x86 | xc16x | xstormy16 | xtensa \ + | z8k | z80) + basic_machine=$basic_machine-unknown + ;; + c54x) + basic_machine=tic54x-unknown + ;; + c55x) + basic_machine=tic55x-unknown + ;; + c6x) + basic_machine=tic6x-unknown + ;; + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) + basic_machine=$basic_machine-unknown + os=-none + ;; + m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) + ;; + ms1) + basic_machine=mt-unknown + ;; + + strongarm | thumb | xscale) + basic_machine=arm-unknown + ;; + xgate) + basic_machine=$basic_machine-unknown + os=-none + ;; + xscaleeb) + basic_machine=armeb-unknown + ;; + + xscaleel) + basic_machine=armel-unknown + ;; + + # We use `pc' rather than `unknown' + # because (1) that's what they normally are, and + # (2) the word "unknown" tends to confuse beginning users. + i*86 | x86_64) + basic_machine=$basic_machine-pc + ;; + # Object if more than one company name word. + *-*-*) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; + # Recognize the basic CPU types with company name. + 580-* \ + | a29k-* \ + | aarch64-* | aarch64_be-* \ + | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ + | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ + | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ + | avr-* | avr32-* \ + | be32-* | be64-* \ + | bfin-* | bs2000-* \ + | c[123]* | c30-* | [cjt]90-* | c4x-* \ + | clipper-* | craynv-* | cydra-* \ + | d10v-* | d30v-* | dlx-* \ + | elxsi-* \ + | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ + | h8300-* | h8500-* \ + | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ + | hexagon-* \ + | i*86-* | i860-* | i960-* | ia64-* \ + | ip2k-* | iq2000-* \ + | le32-* | le64-* \ + | lm32-* \ + | m32c-* | m32r-* | m32rle-* \ + | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ + | microblaze-* | microblazeel-* \ + | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ + | mips16-* \ + | mips64-* | mips64el-* \ + | mips64octeon-* | mips64octeonel-* \ + | mips64orion-* | mips64orionel-* \ + | mips64r5900-* | mips64r5900el-* \ + | mips64vr-* | mips64vrel-* \ + | mips64vr4100-* | mips64vr4100el-* \ + | mips64vr4300-* | mips64vr4300el-* \ + | mips64vr5000-* | mips64vr5000el-* \ + | mips64vr5900-* | mips64vr5900el-* \ + | mipsisa32-* | mipsisa32el-* \ + | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa64-* | mipsisa64el-* \ + | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64sb1-* | mipsisa64sb1el-* \ + | mipsisa64sr71k-* | mipsisa64sr71kel-* \ + | mipstx39-* | mipstx39el-* \ + | mmix-* \ + | mt-* \ + | msp430-* \ + | nds32-* | nds32le-* | nds32be-* \ + | nios-* | nios2-* \ + | none-* | np1-* | ns16k-* | ns32k-* \ + | open8-* \ + | orion-* \ + | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ + | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ + | pyramid-* \ + | rl78-* | romp-* | rs6000-* | rx-* \ + | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ + | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ + | sparclite-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ + | tahoe-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ + | tile*-* \ + | tron-* \ + | ubicom32-* \ + | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ + | vax-* \ + | we32k-* \ + | x86-* | x86_64-* | xc16x-* | xps100-* \ + | xstormy16-* | xtensa*-* \ + | ymp-* \ + | z8k-* | z80-*) + ;; + # Recognize the basic CPU types without company name, with glob match. + xtensa*) + basic_machine=$basic_machine-unknown + ;; + # Recognize the various machine names and aliases which stand + # for a CPU type and a company and sometimes even an OS. + 386bsd) + basic_machine=i386-unknown + os=-bsd + ;; + 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) + basic_machine=m68000-att + ;; + 3b*) + basic_machine=we32k-att + ;; + a29khif) + basic_machine=a29k-amd + os=-udi + ;; + abacus) + basic_machine=abacus-unknown + ;; + adobe68k) + basic_machine=m68010-adobe + os=-scout + ;; + alliant | fx80) + basic_machine=fx80-alliant + ;; + altos | altos3068) + basic_machine=m68k-altos + ;; + am29k) + basic_machine=a29k-none + os=-bsd + ;; + amd64) + basic_machine=x86_64-pc + ;; + amd64-*) + basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + amdahl) + basic_machine=580-amdahl + os=-sysv + ;; + amiga | amiga-*) + basic_machine=m68k-unknown + ;; + amigaos | amigados) + basic_machine=m68k-unknown + os=-amigaos + ;; + amigaunix | amix) + basic_machine=m68k-unknown + os=-sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + os=-sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + os=-bsd + ;; + aros) + basic_machine=i386-pc + os=-aros + ;; + aux) + basic_machine=m68k-apple + os=-aux + ;; + balance) + basic_machine=ns32k-sequent + os=-dynix + ;; + blackfin) + basic_machine=bfin-unknown + os=-linux + ;; + blackfin-*) + basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; + bluegene*) + basic_machine=powerpc-ibm + os=-cnk + ;; + c54x-*) + basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + c55x-*) + basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + c6x-*) + basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + c90) + basic_machine=c90-cray + os=-unicos + ;; + cegcc) + basic_machine=arm-unknown + os=-cegcc + ;; + convex-c1) + basic_machine=c1-convex + os=-bsd + ;; + convex-c2) + basic_machine=c2-convex + os=-bsd + ;; + convex-c32) + basic_machine=c32-convex + os=-bsd + ;; + convex-c34) + basic_machine=c34-convex + os=-bsd + ;; + convex-c38) + basic_machine=c38-convex + os=-bsd + ;; + cray | j90) + basic_machine=j90-cray + os=-unicos + ;; + craynv) + basic_machine=craynv-cray + os=-unicosmp + ;; + cr16 | cr16-*) + basic_machine=cr16-unknown + os=-elf + ;; + crds | unos) + basic_machine=m68k-crds + ;; + crisv32 | crisv32-* | etraxfs*) + basic_machine=crisv32-axis + ;; + cris | cris-* | etrax*) + basic_machine=cris-axis + ;; + crx) + basic_machine=crx-unknown + os=-elf + ;; + da30 | da30-*) + basic_machine=m68k-da30 + ;; + decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) + basic_machine=mips-dec + ;; + decsystem10* | dec10*) + basic_machine=pdp10-dec + os=-tops10 + ;; + decsystem20* | dec20*) + basic_machine=pdp10-dec + os=-tops20 + ;; + delta | 3300 | motorola-3300 | motorola-delta \ + | 3300-motorola | delta-motorola) + basic_machine=m68k-motorola + ;; + delta88) + basic_machine=m88k-motorola + os=-sysv3 + ;; + dicos) + basic_machine=i686-pc + os=-dicos + ;; + djgpp) + basic_machine=i586-pc + os=-msdosdjgpp + ;; + dpx20 | dpx20-*) + basic_machine=rs6000-bull + os=-bosx + ;; + dpx2* | dpx2*-bull) + basic_machine=m68k-bull + os=-sysv3 + ;; + ebmon29k) + basic_machine=a29k-amd + os=-ebmon + ;; + elxsi) + basic_machine=elxsi-elxsi + os=-bsd + ;; + encore | umax | mmax) + basic_machine=ns32k-encore + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + os=-ose + ;; + fx2800) + basic_machine=i860-alliant + ;; + genix) + basic_machine=ns32k-ns + ;; + gmicro) + basic_machine=tron-gmicro + os=-sysv + ;; + go32) + basic_machine=i386-pc + os=-go32 + ;; + h3050r* | hiux*) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + h8300hms) + basic_machine=h8300-hitachi + os=-hms + ;; + h8300xray) + basic_machine=h8300-hitachi + os=-xray + ;; + h8500hms) + basic_machine=h8500-hitachi + os=-hms + ;; + harris) + basic_machine=m88k-harris + os=-sysv3 + ;; + hp300-*) + basic_machine=m68k-hp + ;; + hp300bsd) + basic_machine=m68k-hp + os=-bsd + ;; + hp300hpux) + basic_machine=m68k-hp + os=-hpux + ;; + hp3k9[0-9][0-9] | hp9[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k2[0-9][0-9] | hp9k31[0-9]) + basic_machine=m68000-hp + ;; + hp9k3[2-9][0-9]) + basic_machine=m68k-hp + ;; + hp9k6[0-9][0-9] | hp6[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k7[0-79][0-9] | hp7[0-79][0-9]) + basic_machine=hppa1.1-hp + ;; + hp9k78[0-9] | hp78[0-9]) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][13679] | hp8[0-9][13679]) + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][0-9] | hp8[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hppa-next) + os=-nextstep3 + ;; + hppaosf) + basic_machine=hppa1.1-hp + os=-osf + ;; + hppro) + basic_machine=hppa1.1-hp + os=-proelf + ;; + i370-ibm* | ibm*) + basic_machine=i370-ibm + ;; + i*86v32) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv32 + ;; + i*86v4*) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv4 + ;; + i*86v) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv + ;; + i*86sol2) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-solaris2 + ;; + i386mach) + basic_machine=i386-mach + os=-mach + ;; + i386-vsta | vsta) + basic_machine=i386-unknown + os=-vsta + ;; + iris | iris4d) + basic_machine=mips-sgi + case $os in + -irix*) + ;; + *) + os=-irix4 + ;; + esac + ;; + isi68 | isi) + basic_machine=m68k-isi + os=-sysv + ;; + m68knommu) + basic_machine=m68k-unknown + os=-linux + ;; + m68knommu-*) + basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; + m88k-omron*) + basic_machine=m88k-omron + ;; + magnum | m3230) + basic_machine=mips-mips + os=-sysv + ;; + merlin) + basic_machine=ns32k-utek + os=-sysv + ;; + microblaze*) + basic_machine=microblaze-xilinx + ;; + mingw64) + basic_machine=x86_64-pc + os=-mingw64 + ;; + mingw32) + basic_machine=i386-pc + os=-mingw32 + ;; + mingw32ce) + basic_machine=arm-unknown + os=-mingw32ce + ;; + miniframe) + basic_machine=m68000-convergent + ;; + *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) + basic_machine=m68k-atari + os=-mint + ;; + mips3*-*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` + ;; + mips3*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown + ;; + monitor) + basic_machine=m68k-rom68k + os=-coff + ;; + morphos) + basic_machine=powerpc-unknown + os=-morphos + ;; + msdos) + basic_machine=i386-pc + os=-msdos + ;; + ms1-*) + basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` + ;; + msys) + basic_machine=i386-pc + os=-msys + ;; + mvs) + basic_machine=i370-ibm + os=-mvs + ;; + nacl) + basic_machine=le32-unknown + os=-nacl + ;; + ncr3000) + basic_machine=i486-ncr + os=-sysv4 + ;; + netbsd386) + basic_machine=i386-unknown + os=-netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + os=-linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + os=-newsos + ;; + news1000) + basic_machine=m68030-sony + os=-newsos + ;; + news-3600 | risc-news) + basic_machine=mips-sony + os=-newsos + ;; + necv70) + basic_machine=v70-nec + os=-sysv + ;; + next | m*-next ) + basic_machine=m68k-next + case $os in + -nextstep* ) + ;; + -ns2*) + os=-nextstep2 + ;; + *) + os=-nextstep3 + ;; + esac + ;; + nh3000) + basic_machine=m68k-harris + os=-cxux + ;; + nh[45]000) + basic_machine=m88k-harris + os=-cxux + ;; + nindy960) + basic_machine=i960-intel + os=-nindy + ;; + mon960) + basic_machine=i960-intel + os=-mon960 + ;; + nonstopux) + basic_machine=mips-compaq + os=-nonstopux + ;; + np1) + basic_machine=np1-gould + ;; + neo-tandem) + basic_machine=neo-tandem + ;; + nse-tandem) + basic_machine=nse-tandem + ;; + nsr-tandem) + basic_machine=nsr-tandem + ;; + op50n-* | op60c-*) + basic_machine=hppa1.1-oki + os=-proelf + ;; + openrisc | openrisc-*) + basic_machine=or32-unknown + ;; + os400) + basic_machine=powerpc-ibm + os=-os400 + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + os=-ose + ;; + os68k) + basic_machine=m68k-none + os=-os68k + ;; + pa-hitachi) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + paragon) + basic_machine=i860-intel + os=-osf + ;; + parisc) + basic_machine=hppa-unknown + os=-linux + ;; + parisc-*) + basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; + pbd) + basic_machine=sparc-tti + ;; + pbb) + basic_machine=m68k-tti + ;; + pc532 | pc532-*) + basic_machine=ns32k-pc532 + ;; + pc98) + basic_machine=i386-pc + ;; + pc98-*) + basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentium | p5 | k5 | k6 | nexgen | viac3) + basic_machine=i586-pc + ;; + pentiumpro | p6 | 6x86 | athlon | athlon_*) + basic_machine=i686-pc + ;; + pentiumii | pentium2 | pentiumiii | pentium3) + basic_machine=i686-pc + ;; + pentium4) + basic_machine=i786-pc + ;; + pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) + basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumpro-* | p6-* | 6x86-* | athlon-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentium4-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pn) + basic_machine=pn-gould + ;; + power) basic_machine=power-ibm + ;; + ppc | ppcbe) basic_machine=powerpc-unknown + ;; + ppc-* | ppcbe-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppcle | powerpclittle | ppc-le | powerpc-little) + basic_machine=powerpcle-unknown + ;; + ppcle-* | powerpclittle-*) + basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppc64) basic_machine=powerpc64-unknown + ;; + ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppc64le | powerpc64little | ppc64-le | powerpc64-little) + basic_machine=powerpc64le-unknown + ;; + ppc64le-* | powerpc64little-*) + basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ps2) + basic_machine=i386-ibm + ;; + pw32) + basic_machine=i586-unknown + os=-pw32 + ;; + rdos | rdos64) + basic_machine=x86_64-pc + os=-rdos + ;; + rdos32) + basic_machine=i386-pc + os=-rdos + ;; + rom68k) + basic_machine=m68k-rom68k + os=-coff + ;; + rm[46]00) + basic_machine=mips-siemens + ;; + rtpc | rtpc-*) + basic_machine=romp-ibm + ;; + s390 | s390-*) + basic_machine=s390-ibm + ;; + s390x | s390x-*) + basic_machine=s390x-ibm + ;; + sa29200) + basic_machine=a29k-amd + os=-udi + ;; + sb1) + basic_machine=mipsisa64sb1-unknown + ;; + sb1el) + basic_machine=mipsisa64sb1el-unknown + ;; + sde) + basic_machine=mipsisa32-sde + os=-elf + ;; + sei) + basic_machine=mips-sei + os=-seiux + ;; + sequent) + basic_machine=i386-sequent + ;; + sh) + basic_machine=sh-hitachi + os=-hms + ;; + sh5el) + basic_machine=sh5le-unknown + ;; + sh64) + basic_machine=sh64-unknown + ;; + sparclite-wrs | simso-wrs) + basic_machine=sparclite-wrs + os=-vxworks + ;; + sps7) + basic_machine=m68k-bull + os=-sysv2 + ;; + spur) + basic_machine=spur-unknown + ;; + st2000) + basic_machine=m68k-tandem + ;; + stratus) + basic_machine=i860-stratus + os=-sysv4 + ;; + strongarm-* | thumb-*) + basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + sun2) + basic_machine=m68000-sun + ;; + sun2os3) + basic_machine=m68000-sun + os=-sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + os=-sunos4 + ;; + sun3os3) + basic_machine=m68k-sun + os=-sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + os=-sunos4 + ;; + sun4os3) + basic_machine=sparc-sun + os=-sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + os=-sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + os=-solaris2 + ;; + sun3 | sun3-*) + basic_machine=m68k-sun + ;; + sun4) + basic_machine=sparc-sun + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + ;; + sv1) + basic_machine=sv1-cray + os=-unicos + ;; + symmetry) + basic_machine=i386-sequent + os=-dynix + ;; + t3e) + basic_machine=alphaev5-cray + os=-unicos + ;; + t90) + basic_machine=t90-cray + os=-unicos + ;; + tile*) + basic_machine=$basic_machine-unknown + os=-linux-gnu + ;; + tx39) + basic_machine=mipstx39-unknown + ;; + tx39el) + basic_machine=mipstx39el-unknown + ;; + toad1) + basic_machine=pdp10-xkl + os=-tops20 + ;; + tower | tower-32) + basic_machine=m68k-ncr + ;; + tpf) + basic_machine=s390x-ibm + os=-tpf + ;; + udi29k) + basic_machine=a29k-amd + os=-udi + ;; + ultra3) + basic_machine=a29k-nyu + os=-sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + os=-none + ;; + vaxv) + basic_machine=vax-dec + os=-sysv + ;; + vms) + basic_machine=vax-dec + os=-vms + ;; + vpp*|vx|vx-*) + basic_machine=f301-fujitsu + ;; + vxworks960) + basic_machine=i960-wrs + os=-vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + os=-vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + os=-vxworks + ;; + w65*) + basic_machine=w65-wdc + os=-none + ;; + w89k-*) + basic_machine=hppa1.1-winbond + os=-proelf + ;; + xbox) + basic_machine=i686-pc + os=-mingw32 + ;; + xps | xps100) + basic_machine=xps100-honeywell + ;; + xscale-* | xscalee[bl]-*) + basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` + ;; + ymp) + basic_machine=ymp-cray + os=-unicos + ;; + z8k-*-coff) + basic_machine=z8k-unknown + os=-sim + ;; + z80-*-coff) + basic_machine=z80-unknown + os=-sim + ;; + none) + basic_machine=none-none + os=-none + ;; + +# Here we handle the default manufacturer of certain CPU types. It is in +# some cases the only manufacturer, in others, it is the most popular. + w89k) + basic_machine=hppa1.1-winbond + ;; + op50n) + basic_machine=hppa1.1-oki + ;; + op60c) + basic_machine=hppa1.1-oki + ;; + romp) + basic_machine=romp-ibm + ;; + mmix) + basic_machine=mmix-knuth + ;; + rs6000) + basic_machine=rs6000-ibm + ;; + vax) + basic_machine=vax-dec + ;; + pdp10) + # there are many clones, so DEC is not a safe bet + basic_machine=pdp10-unknown + ;; + pdp11) + basic_machine=pdp11-dec + ;; + we32k) + basic_machine=we32k-att + ;; + sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) + basic_machine=sh-unknown + ;; + sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) + basic_machine=sparc-sun + ;; + cydra) + basic_machine=cydra-cydrome + ;; + orion) + basic_machine=orion-highlevel + ;; + orion105) + basic_machine=clipper-highlevel + ;; + mac | mpw | mac-mpw) + basic_machine=m68k-apple + ;; + pmac | pmac-mpw) + basic_machine=powerpc-apple + ;; + *-unknown) + # Make sure to match an already-canonicalized machine name. + ;; + *) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; +esac + +# Here we canonicalize certain aliases for manufacturers. +case $basic_machine in + *-digital*) + basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` + ;; + *-commodore*) + basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` + ;; + *) + ;; +esac + +# Decode manufacturer-specific aliases for certain operating systems. + +if [ x"$os" != x"" ] +then +case $os in + # First match some system type aliases + # that might get confused with valid system types. + # -solaris* is a basic system type, with this one exception. + -auroraux) + os=-auroraux + ;; + -solaris1 | -solaris1.*) + os=`echo $os | sed -e 's|solaris1|sunos4|'` + ;; + -solaris) + os=-solaris2 + ;; + -svr4*) + os=-sysv4 + ;; + -unixware*) + os=-sysv4.2uw + ;; + -gnu/linux*) + os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` + ;; + # First accept the basic system types. + # The portable systems comes first. + # Each alternative MUST END IN A *, to match a version number. + # -sysv* is not here because it comes later, after sysvr4. + -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ + | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ + | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ + | -sym* | -kopensolaris* \ + | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ + | -aos* | -aros* \ + | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ + | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ + | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ + | -bitrig* | -openbsd* | -solidbsd* \ + | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ + | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ + | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ + | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ + | -chorusos* | -chorusrdb* | -cegcc* \ + | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -linux-newlib* | -linux-musl* | -linux-uclibc* \ + | -uxpv* | -beos* | -mpeix* | -udk* \ + | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ + | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ + | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ + | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ + | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ + | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) + # Remember, each alternative MUST END IN *, to match a version number. + ;; + -qnx*) + case $basic_machine in + x86-* | i*86-*) + ;; + *) + os=-nto$os + ;; + esac + ;; + -nto-qnx*) + ;; + -nto*) + os=`echo $os | sed -e 's|nto|nto-qnx|'` + ;; + -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ + | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ + | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) + ;; + -mac*) + os=`echo $os | sed -e 's|mac|macos|'` + ;; + -linux-dietlibc) + os=-linux-dietlibc + ;; + -linux*) + os=`echo $os | sed -e 's|linux|linux-gnu|'` + ;; + -sunos5*) + os=`echo $os | sed -e 's|sunos5|solaris2|'` + ;; + -sunos6*) + os=`echo $os | sed -e 's|sunos6|solaris3|'` + ;; + -opened*) + os=-openedition + ;; + -os400*) + os=-os400 + ;; + -wince*) + os=-wince + ;; + -osfrose*) + os=-osfrose + ;; + -osf*) + os=-osf + ;; + -utek*) + os=-bsd + ;; + -dynix*) + os=-bsd + ;; + -acis*) + os=-aos + ;; + -atheos*) + os=-atheos + ;; + -syllable*) + os=-syllable + ;; + -386bsd) + os=-bsd + ;; + -ctix* | -uts*) + os=-sysv + ;; + -nova*) + os=-rtmk-nova + ;; + -ns2 ) + os=-nextstep2 + ;; + -nsk*) + os=-nsk + ;; + # Preserve the version number of sinix5. + -sinix5.*) + os=`echo $os | sed -e 's|sinix|sysv|'` + ;; + -sinix*) + os=-sysv4 + ;; + -tpf*) + os=-tpf + ;; + -triton*) + os=-sysv3 + ;; + -oss*) + os=-sysv3 + ;; + -svr4) + os=-sysv4 + ;; + -svr3) + os=-sysv3 + ;; + -sysvr4) + os=-sysv4 + ;; + # This must come after -sysvr4. + -sysv*) + ;; + -ose*) + os=-ose + ;; + -es1800*) + os=-ose + ;; + -xenix) + os=-xenix + ;; + -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + os=-mint + ;; + -aros*) + os=-aros + ;; + -kaos*) + os=-kaos + ;; + -zvmoe) + os=-zvmoe + ;; + -dicos*) + os=-dicos + ;; + -nacl*) + ;; + -none) + ;; + *) + # Get rid of the `-' at the beginning of $os. + os=`echo $os | sed 's/[^-]*-//'` + echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 + exit 1 + ;; +esac +else + +# Here we handle the default operating systems that come with various machines. +# The value should be what the vendor currently ships out the door with their +# machine or put another way, the most popular os provided with the machine. + +# Note that if you're going to try to match "-MANUFACTURER" here (say, +# "-sun"), then you have to tell the case statement up towards the top +# that MANUFACTURER isn't an operating system. Otherwise, code above +# will signal an error saying that MANUFACTURER isn't an operating +# system, and we'll never get to this point. + +case $basic_machine in + score-*) + os=-elf + ;; + spu-*) + os=-elf + ;; + *-acorn) + os=-riscix1.2 + ;; + arm*-rebel) + os=-linux + ;; + arm*-semi) + os=-aout + ;; + c4x-* | tic4x-*) + os=-coff + ;; + hexagon-*) + os=-elf + ;; + tic54x-*) + os=-coff + ;; + tic55x-*) + os=-coff + ;; + tic6x-*) + os=-coff + ;; + # This must come before the *-dec entry. + pdp10-*) + os=-tops20 + ;; + pdp11-*) + os=-none + ;; + *-dec | vax-*) + os=-ultrix4.2 + ;; + m68*-apollo) + os=-domain + ;; + i386-sun) + os=-sunos4.0.2 + ;; + m68000-sun) + os=-sunos3 + ;; + m68*-cisco) + os=-aout + ;; + mep-*) + os=-elf + ;; + mips*-cisco) + os=-elf + ;; + mips*-*) + os=-elf + ;; + or32-*) + os=-coff + ;; + *-tti) # must be before sparc entry or we get the wrong os. + os=-sysv3 + ;; + sparc-* | *-sun) + os=-sunos4.1.1 + ;; + *-be) + os=-beos + ;; + *-haiku) + os=-haiku + ;; + *-ibm) + os=-aix + ;; + *-knuth) + os=-mmixware + ;; + *-wec) + os=-proelf + ;; + *-winbond) + os=-proelf + ;; + *-oki) + os=-proelf + ;; + *-hp) + os=-hpux + ;; + *-hitachi) + os=-hiux + ;; + i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) + os=-sysv + ;; + *-cbm) + os=-amigaos + ;; + *-dg) + os=-dgux + ;; + *-dolphin) + os=-sysv3 + ;; + m68k-ccur) + os=-rtu + ;; + m88k-omron*) + os=-luna + ;; + *-next ) + os=-nextstep + ;; + *-sequent) + os=-ptx + ;; + *-crds) + os=-unos + ;; + *-ns) + os=-genix + ;; + i370-*) + os=-mvs + ;; + *-next) + os=-nextstep3 + ;; + *-gould) + os=-sysv + ;; + *-highlevel) + os=-bsd + ;; + *-encore) + os=-bsd + ;; + *-sgi) + os=-irix + ;; + *-siemens) + os=-sysv4 + ;; + *-masscomp) + os=-rtu + ;; + f30[01]-fujitsu | f700-fujitsu) + os=-uxpv + ;; + *-rom68k) + os=-coff + ;; + *-*bug) + os=-coff + ;; + *-apple) + os=-macos + ;; + *-atari*) + os=-mint + ;; + *) + os=-none + ;; +esac +fi + +# Here we handle the case where we know the os, and the CPU type, but not the +# manufacturer. We pick the logical manufacturer. +vendor=unknown +case $basic_machine in + *-unknown) + case $os in + -riscix*) + vendor=acorn + ;; + -sunos*) + vendor=sun + ;; + -cnk*|-aix*) + vendor=ibm + ;; + -beos*) + vendor=be + ;; + -hpux*) + vendor=hp + ;; + -mpeix*) + vendor=hp + ;; + -hiux*) + vendor=hitachi + ;; + -unos*) + vendor=crds + ;; + -dgux*) + vendor=dg + ;; + -luna*) + vendor=omron + ;; + -genix*) + vendor=ns + ;; + -mvs* | -opened*) + vendor=ibm + ;; + -os400*) + vendor=ibm + ;; + -ptx*) + vendor=sequent + ;; + -tpf*) + vendor=ibm + ;; + -vxsim* | -vxworks* | -windiss*) + vendor=wrs + ;; + -aux*) + vendor=apple + ;; + -hms*) + vendor=hitachi + ;; + -mpw* | -macos*) + vendor=apple + ;; + -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + vendor=atari + ;; + -vos*) + vendor=stratus + ;; + esac + basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` + ;; +esac + +echo $basic_machine$os +exit + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "timestamp='" +# time-stamp-format: "%:y-%02m-%02d" +# time-stamp-end: "'" +# End: diff --git a/crypto/openssh/configure b/crypto/openssh/configure new file mode 100755 index 000000000..d690393a3 --- /dev/null +++ b/crypto/openssh/configure @@ -0,0 +1,19741 @@ +#! /bin/sh +# From configure.ac Revision: 1.571 . +# Guess values for system-dependent variables and create Makefiles. +# Generated by GNU Autoconf 2.68 for OpenSSH Portable. +# +# Report bugs to . +# +# +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software +# Foundation, Inc. +# +# +# This configure script is free software; the Free Software Foundation +# gives unlimited permission to copy, distribute and modify it. +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi + + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. +if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +as_myself= +case $0 in #(( + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + exit 1 +fi + +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +if test "x$CONFIG_SHELL" = x; then + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which + # is contrary to our usage. Disable this feature. + alias -g '\${1+\"\$@\"}'='\"\$@\"' + setopt NO_GLOB_SUBST +else + case \`(set -o) 2>/dev/null\` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi +" + as_required="as_fn_return () { (exit \$1); } +as_fn_success () { as_fn_return 0; } +as_fn_failure () { as_fn_return 1; } +as_fn_ret_success () { return 0; } +as_fn_ret_failure () { return 1; } + +exitcode=0 +as_fn_success || { exitcode=1; echo as_fn_success failed.; } +as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } +as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } +as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } +if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : + +else + exitcode=1; echo positional parameters were not saved. +fi +test x\$exitcode = x0 || exit 1" + as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO + as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO + eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && + test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 +test \$(( 1 + 1 )) = 2 || exit 1" + if (eval "$as_required") 2>/dev/null; then : + as_have_required=yes +else + as_have_required=no +fi + if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : + +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +as_found=false +for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + as_found=: + case $as_dir in #( + /*) + for as_base in sh bash ksh sh5; do + # Try only shells that exist, to save several forks. + as_shell=$as_dir/$as_base + if { test -f "$as_shell" || test -f "$as_shell.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : + CONFIG_SHELL=$as_shell as_have_required=yes + if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : + break 2 +fi +fi + done;; + esac + as_found=false +done +$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : + CONFIG_SHELL=$SHELL as_have_required=yes +fi; } +IFS=$as_save_IFS + + + if test "x$CONFIG_SHELL" != x; then : + # We cannot yet assume a decent shell, so we have to provide a + # neutralization value for shells without unset; and this also + # works around shells that cannot unset nonexistent variables. + # Preserve -v and -x to the replacement shell. + BASH_ENV=/dev/null + ENV=/dev/null + (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV + export CONFIG_SHELL + case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; + esac + exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} +fi + + if test x$as_have_required = xno; then : + $as_echo "$0: This script requires a shell more modern than all" + $as_echo "$0: the shells that I found on your system." + if test x${ZSH_VERSION+set} = xset ; then + $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" + $as_echo "$0: be upgraded to zsh 4.3.4 or later." + else + $as_echo "$0: Please tell bug-autoconf@gnu.org and +$0: openssh-unix-dev@mindrot.org about your system, +$0: including any error possibly output before this +$0: message. Then install a modern shell, or manually run +$0: the script under such a shell if you do have one." + fi + exit 1 +fi +fi +fi +SHELL=${CONFIG_SHELL-/bin/sh} +export SHELL +# Unset more variables known to interfere with behavior of common tools. +CLICOLOR_FORCE= GREP_OPTIONS= +unset CLICOLOR_FORCE GREP_OPTIONS + +## --------------------- ## +## M4sh Shell Functions. ## +## --------------------- ## +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" + + +} # as_fn_mkdir_p +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' +else + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append + +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. +if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? -eq 1` + } +fi # as_fn_arith + + +# as_fn_error STATUS ERROR [LINENO LOG_FD] +# ---------------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +# script with STATUS, using 1 if that was 0. +as_fn_error () +{ + as_status=$1; test $as_status -eq 0 && as_status=1 + if test "$4"; then + as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 + fi + $as_echo "$as_me: error: $2" >&2 + as_fn_exit $as_status +} # as_fn_error + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + + + as_lineno_1=$LINENO as_lineno_1a=$LINENO + as_lineno_2=$LINENO as_lineno_2a=$LINENO + eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && + test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { + # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } + + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. + exit +} + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in #((((( +-n*) + case `echo 'xy\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; + esac;; +*) + ECHO_N='-n';; +esac + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -p' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -p' + fi +else + as_ln_s='cp -p' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + +if mkdir -p . 2>/dev/null; then + as_mkdir_p='mkdir -p "$as_dir"' +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in #( + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + +test -n "$DJDIR" || exec 7<&0 &1 + +# Name of the host. +# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, +# so uname gets run too. +ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` + +# +# Initializations. +# +ac_default_prefix=/usr/local +ac_clean_files= +ac_config_libobj_dir=. +LIBOBJS= +cross_compiling=no +subdirs= +MFLAGS= +MAKEFLAGS= + +# Identity of this package. +PACKAGE_NAME='OpenSSH' +PACKAGE_TARNAME='openssh' +PACKAGE_VERSION='Portable' +PACKAGE_STRING='OpenSSH Portable' +PACKAGE_BUGREPORT='openssh-unix-dev@mindrot.org' +PACKAGE_URL='' + +ac_unique_file="ssh.c" +# Factoring default headers for most tests. +ac_includes_default="\ +#include +#ifdef HAVE_SYS_TYPES_H +# include +#endif +#ifdef HAVE_SYS_STAT_H +# include +#endif +#ifdef STDC_HEADERS +# include +# include +#else +# ifdef HAVE_STDLIB_H +# include +# endif +#endif +#ifdef HAVE_STRING_H +# if !defined STDC_HEADERS && defined HAVE_MEMORY_H +# include +# endif +# include +#endif +#ifdef HAVE_STRINGS_H +# include +#endif +#ifdef HAVE_INTTYPES_H +# include +#endif +#ifdef HAVE_STDINT_H +# include +#endif +#ifdef HAVE_UNISTD_H +# include +#endif" + +ac_subst_vars='LTLIBOBJS +LIBOBJS +UNSUPPORTED_ALGORITHMS +TEST_MALLOC_OPTIONS +TEST_SSH_IPV6 +piddir +user_path +mansubdir +MANTYPE +XAUTH_PATH +STRIP_OPT +xauth_path +PRIVSEP_PATH +K5LIBS +GSSLIBS +KRB5CONF +SSHDLIBS +SSHLIBS +SSH_PRIVSEP_USER +COMMENT_OUT_ECC +TEST_SSH_ECC +LIBEDIT +PKGCONFIG +LD +PATH_PASSWD_PROG +LOGIN_PROGRAM_FALLBACK +STARTUP_SCRIPT_SHELL +MAKE_PACKAGE_SUPPORTED +PATH_USERADD_PROG +PATH_GROUPADD_PROG +MANFMT +TEST_SHELL +MANDOC +NROFF +GROFF +SH +TEST_MINUS_S_SH +ENT +SED +PERL +KILL +CAT +AR +INSTALL_DATA +INSTALL_SCRIPT +INSTALL_PROGRAM +RANLIB +AWK +EGREP +GREP +CPP +host_os +host_vendor +host_cpu +host +build_os +build_vendor +build_cpu +build +OBJEXT +EXEEXT +ac_ct_CC +CPPFLAGS +LDFLAGS +CFLAGS +CC +target_alias +host_alias +build_alias +LIBS +ECHO_T +ECHO_N +ECHO_C +DEFS +mandir +localedir +libdir +psdir +pdfdir +dvidir +htmldir +infodir +docdir +oldincludedir +includedir +localstatedir +sharedstatedir +sysconfdir +datadir +datarootdir +libexecdir +sbindir +bindir +program_transform_name +prefix +exec_prefix +PACKAGE_URL +PACKAGE_BUGREPORT +PACKAGE_STRING +PACKAGE_VERSION +PACKAGE_TARNAME +PACKAGE_NAME +PATH_SEPARATOR +SHELL' +ac_subst_files='' +ac_user_opts=' +enable_option_checking +enable_largefile +with_stackprotect +with_hardening +with_rpath +with_cflags +with_cppflags +with_ldflags +with_libs +with_Werror +with_solaris_contracts +with_solaris_projects +with_osfsia +with_zlib +with_zlib_version_check +with_skey +with_tcp_wrappers +with_ldns +with_libedit +with_audit +with_pie +with_ssl_dir +with_openssl_header_check +with_ssl_engine +with_prngd_port +with_prngd_socket +with_pam +with_privsep_user +with_sandbox +with_selinux +with_kerberos5 +with_privsep_path +with_xauth +enable_strip +with_maildir +with_mantype +with_md5_passwords +with_shadow +with_ipaddr_display +enable_etc_default_login +with_default_path +with_superuser_path +with_4in6 +with_bsd_auth +with_pid_dir +enable_lastlog +enable_utmp +enable_utmpx +enable_wtmp +enable_wtmpx +enable_libutil +enable_pututline +enable_pututxline +with_lastlog +' + ac_precious_vars='build_alias +host_alias +target_alias +CC +CFLAGS +LDFLAGS +LIBS +CPPFLAGS +CPP' + + +# Initialize some variables set by options. +ac_init_help= +ac_init_version=false +ac_unrecognized_opts= +ac_unrecognized_sep= +# The variables have the same names as the options, with +# dashes changed to underlines. +cache_file=/dev/null +exec_prefix=NONE +no_create= +no_recursion= +prefix=NONE +program_prefix=NONE +program_suffix=NONE +program_transform_name=s,x,x, +silent= +site= +srcdir= +verbose= +x_includes=NONE +x_libraries=NONE + +# Installation directory options. +# These are left unexpanded so users can "make install exec_prefix=/foo" +# and all the variables that are supposed to be based on exec_prefix +# by default will actually change. +# Use braces instead of parens because sh, perl, etc. also accept them. +# (The list follows the same order as the GNU Coding Standards.) +bindir='${exec_prefix}/bin' +sbindir='${exec_prefix}/sbin' +libexecdir='${exec_prefix}/libexec' +datarootdir='${prefix}/share' +datadir='${datarootdir}' +sysconfdir='${prefix}/etc' +sharedstatedir='${prefix}/com' +localstatedir='${prefix}/var' +includedir='${prefix}/include' +oldincludedir='/usr/include' +docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' +infodir='${datarootdir}/info' +htmldir='${docdir}' +dvidir='${docdir}' +pdfdir='${docdir}' +psdir='${docdir}' +libdir='${exec_prefix}/lib' +localedir='${datarootdir}/locale' +mandir='${datarootdir}/man' + +ac_prev= +ac_dashdash= +for ac_option +do + # If the previous option needs an argument, assign it. + if test -n "$ac_prev"; then + eval $ac_prev=\$ac_option + ac_prev= + continue + fi + + case $ac_option in + *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; + *=) ac_optarg= ;; + *) ac_optarg=yes ;; + esac + + # Accept the important Cygnus configure options, so we can diagnose typos. + + case $ac_dashdash$ac_option in + --) + ac_dashdash=yes ;; + + -bindir | --bindir | --bindi | --bind | --bin | --bi) + ac_prev=bindir ;; + -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) + bindir=$ac_optarg ;; + + -build | --build | --buil | --bui | --bu) + ac_prev=build_alias ;; + -build=* | --build=* | --buil=* | --bui=* | --bu=*) + build_alias=$ac_optarg ;; + + -cache-file | --cache-file | --cache-fil | --cache-fi \ + | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) + ac_prev=cache_file ;; + -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ + | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) + cache_file=$ac_optarg ;; + + --config-cache | -C) + cache_file=config.cache ;; + + -datadir | --datadir | --datadi | --datad) + ac_prev=datadir ;; + -datadir=* | --datadir=* | --datadi=* | --datad=*) + datadir=$ac_optarg ;; + + -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ + | --dataroo | --dataro | --datar) + ac_prev=datarootdir ;; + -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ + | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) + datarootdir=$ac_optarg ;; + + -disable-* | --disable-*) + ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid feature name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=no ;; + + -docdir | --docdir | --docdi | --doc | --do) + ac_prev=docdir ;; + -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) + docdir=$ac_optarg ;; + + -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) + ac_prev=dvidir ;; + -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) + dvidir=$ac_optarg ;; + + -enable-* | --enable-*) + ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid feature name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=\$ac_optarg ;; + + -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ + | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ + | --exec | --exe | --ex) + ac_prev=exec_prefix ;; + -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ + | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ + | --exec=* | --exe=* | --ex=*) + exec_prefix=$ac_optarg ;; + + -gas | --gas | --ga | --g) + # Obsolete; use --with-gas. + with_gas=yes ;; + + -help | --help | --hel | --he | -h) + ac_init_help=long ;; + -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) + ac_init_help=recursive ;; + -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) + ac_init_help=short ;; + + -host | --host | --hos | --ho) + ac_prev=host_alias ;; + -host=* | --host=* | --hos=* | --ho=*) + host_alias=$ac_optarg ;; + + -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) + ac_prev=htmldir ;; + -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ + | --ht=*) + htmldir=$ac_optarg ;; + + -includedir | --includedir | --includedi | --included | --include \ + | --includ | --inclu | --incl | --inc) + ac_prev=includedir ;; + -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ + | --includ=* | --inclu=* | --incl=* | --inc=*) + includedir=$ac_optarg ;; + + -infodir | --infodir | --infodi | --infod | --info | --inf) + ac_prev=infodir ;; + -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) + infodir=$ac_optarg ;; + + -libdir | --libdir | --libdi | --libd) + ac_prev=libdir ;; + -libdir=* | --libdir=* | --libdi=* | --libd=*) + libdir=$ac_optarg ;; + + -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ + | --libexe | --libex | --libe) + ac_prev=libexecdir ;; + -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ + | --libexe=* | --libex=* | --libe=*) + libexecdir=$ac_optarg ;; + + -localedir | --localedir | --localedi | --localed | --locale) + ac_prev=localedir ;; + -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) + localedir=$ac_optarg ;; + + -localstatedir | --localstatedir | --localstatedi | --localstated \ + | --localstate | --localstat | --localsta | --localst | --locals) + ac_prev=localstatedir ;; + -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ + | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) + localstatedir=$ac_optarg ;; + + -mandir | --mandir | --mandi | --mand | --man | --ma | --m) + ac_prev=mandir ;; + -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) + mandir=$ac_optarg ;; + + -nfp | --nfp | --nf) + # Obsolete; use --without-fp. + with_fp=no ;; + + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c | -n) + no_create=yes ;; + + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + no_recursion=yes ;; + + -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ + | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ + | --oldin | --oldi | --old | --ol | --o) + ac_prev=oldincludedir ;; + -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ + | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ + | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) + oldincludedir=$ac_optarg ;; + + -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) + ac_prev=prefix ;; + -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) + prefix=$ac_optarg ;; + + -program-prefix | --program-prefix | --program-prefi | --program-pref \ + | --program-pre | --program-pr | --program-p) + ac_prev=program_prefix ;; + -program-prefix=* | --program-prefix=* | --program-prefi=* \ + | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) + program_prefix=$ac_optarg ;; + + -program-suffix | --program-suffix | --program-suffi | --program-suff \ + | --program-suf | --program-su | --program-s) + ac_prev=program_suffix ;; + -program-suffix=* | --program-suffix=* | --program-suffi=* \ + | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) + program_suffix=$ac_optarg ;; + + -program-transform-name | --program-transform-name \ + | --program-transform-nam | --program-transform-na \ + | --program-transform-n | --program-transform- \ + | --program-transform | --program-transfor \ + | --program-transfo | --program-transf \ + | --program-trans | --program-tran \ + | --progr-tra | --program-tr | --program-t) + ac_prev=program_transform_name ;; + -program-transform-name=* | --program-transform-name=* \ + | --program-transform-nam=* | --program-transform-na=* \ + | --program-transform-n=* | --program-transform-=* \ + | --program-transform=* | --program-transfor=* \ + | --program-transfo=* | --program-transf=* \ + | --program-trans=* | --program-tran=* \ + | --progr-tra=* | --program-tr=* | --program-t=*) + program_transform_name=$ac_optarg ;; + + -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) + ac_prev=pdfdir ;; + -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) + pdfdir=$ac_optarg ;; + + -psdir | --psdir | --psdi | --psd | --ps) + ac_prev=psdir ;; + -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) + psdir=$ac_optarg ;; + + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ + | --sbi=* | --sb=*) + sbindir=$ac_optarg ;; + + -sharedstatedir | --sharedstatedir | --sharedstatedi \ + | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ + | --sharedst | --shareds | --shared | --share | --shar \ + | --sha | --sh) + ac_prev=sharedstatedir ;; + -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ + | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ + | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ + | --sha=* | --sh=*) + sharedstatedir=$ac_optarg ;; + + -site | --site | --sit) + ac_prev=site ;; + -site=* | --site=* | --sit=*) + site=$ac_optarg ;; + + -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) + ac_prev=srcdir ;; + -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) + srcdir=$ac_optarg ;; + + -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ + | --syscon | --sysco | --sysc | --sys | --sy) + ac_prev=sysconfdir ;; + -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ + | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) + sysconfdir=$ac_optarg ;; + + -target | --target | --targe | --targ | --tar | --ta | --t) + ac_prev=target_alias ;; + -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) + target_alias=$ac_optarg ;; + + -v | -verbose | --verbose | --verbos | --verbo | --verb) + verbose=yes ;; + + -version | --version | --versio | --versi | --vers | -V) + ac_init_version=: ;; + + -with-* | --with-*) + ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid package name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=\$ac_optarg ;; + + -without-* | --without-*) + ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid package name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=no ;; + + --x) + # Obsolete; use --with-x. + with_x=yes ;; + + -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ + | --x-incl | --x-inc | --x-in | --x-i) + ac_prev=x_includes ;; + -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ + | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) + x_includes=$ac_optarg ;; + + -x-libraries | --x-libraries | --x-librarie | --x-librari \ + | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) + ac_prev=x_libraries ;; + -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ + | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) + x_libraries=$ac_optarg ;; + + -*) as_fn_error $? "unrecognized option: \`$ac_option' +Try \`$0 --help' for more information" + ;; + + *=*) + ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` + # Reject names that are not valid shell variable names. + case $ac_envvar in #( + '' | [0-9]* | *[!_$as_cr_alnum]* ) + as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; + esac + eval $ac_envvar=\$ac_optarg + export $ac_envvar ;; + + *) + # FIXME: should be removed in autoconf 3.0. + $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 + expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && + $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 + : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" + ;; + + esac +done + +if test -n "$ac_prev"; then + ac_option=--`echo $ac_prev | sed 's/_/-/g'` + as_fn_error $? "missing argument to $ac_option" +fi + +if test -n "$ac_unrecognized_opts"; then + case $enable_option_checking in + no) ;; + fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; + *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; + esac +fi + +# Check all directory arguments for consistency. +for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ + libdir localedir mandir +do + eval ac_val=\$$ac_var + # Remove trailing slashes. + case $ac_val in + */ ) + ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` + eval $ac_var=\$ac_val;; + esac + # Be sure to have absolute directory names. + case $ac_val in + [\\/$]* | ?:[\\/]* ) continue;; + NONE | '' ) case $ac_var in *prefix ) continue;; esac;; + esac + as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" +done + +# There might be people who depend on the old broken behavior: `$host' +# used to hold the argument of --host etc. +# FIXME: To remove some day. +build=$build_alias +host=$host_alias +target=$target_alias + +# FIXME: To remove some day. +if test "x$host_alias" != x; then + if test "x$build_alias" = x; then + cross_compiling=maybe + $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. + If a cross compiler is detected then cross compile mode will be used" >&2 + elif test "x$build_alias" != "x$host_alias"; then + cross_compiling=yes + fi +fi + +ac_tool_prefix= +test -n "$host_alias" && ac_tool_prefix=$host_alias- + +test "$silent" = yes && exec 6>/dev/null + + +ac_pwd=`pwd` && test -n "$ac_pwd" && +ac_ls_di=`ls -di .` && +ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || + as_fn_error $? "working directory cannot be determined" +test "X$ac_ls_di" = "X$ac_pwd_ls_di" || + as_fn_error $? "pwd does not report name of working directory" + + +# Find the source files, if location was not specified. +if test -z "$srcdir"; then + ac_srcdir_defaulted=yes + # Try the directory containing this script, then the parent directory. + ac_confdir=`$as_dirname -- "$as_myself" || +$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_myself" : 'X\(//\)[^/]' \| \ + X"$as_myself" : 'X\(//\)$' \| \ + X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_myself" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + srcdir=$ac_confdir + if test ! -r "$srcdir/$ac_unique_file"; then + srcdir=.. + fi +else + ac_srcdir_defaulted=no +fi +if test ! -r "$srcdir/$ac_unique_file"; then + test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." + as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" +fi +ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" +ac_abs_confdir=`( + cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" + pwd)` +# When building in place, set srcdir=. +if test "$ac_abs_confdir" = "$ac_pwd"; then + srcdir=. +fi +# Remove unnecessary trailing slashes from srcdir. +# Double slashes in file names in object file debugging info +# mess up M-x gdb in Emacs. +case $srcdir in +*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; +esac +for ac_var in $ac_precious_vars; do + eval ac_env_${ac_var}_set=\${${ac_var}+set} + eval ac_env_${ac_var}_value=\$${ac_var} + eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} + eval ac_cv_env_${ac_var}_value=\$${ac_var} +done + +# +# Report the --help message. +# +if test "$ac_init_help" = "long"; then + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat <<_ACEOF +\`configure' configures OpenSSH Portable to adapt to many kinds of systems. + +Usage: $0 [OPTION]... [VAR=VALUE]... + +To assign environment variables (e.g., CC, CFLAGS...), specify them as +VAR=VALUE. See below for descriptions of some of the useful variables. + +Defaults for the options are specified in brackets. + +Configuration: + -h, --help display this help and exit + --help=short display options specific to this package + --help=recursive display the short help of all the included packages + -V, --version display version information and exit + -q, --quiet, --silent do not print \`checking ...' messages + --cache-file=FILE cache test results in FILE [disabled] + -C, --config-cache alias for \`--cache-file=config.cache' + -n, --no-create do not create output files + --srcdir=DIR find the sources in DIR [configure dir or \`..'] + +Installation directories: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [PREFIX] + +By default, \`make install' will install all the files in +\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify +an installation prefix other than \`$ac_default_prefix' using \`--prefix', +for instance \`--prefix=\$HOME'. + +For better control, use the options below. + +Fine tuning of the installation directories: + --bindir=DIR user executables [EPREFIX/bin] + --sbindir=DIR system admin executables [EPREFIX/sbin] + --libexecdir=DIR program executables [EPREFIX/libexec] + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] + --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] + --datadir=DIR read-only architecture-independent data [DATAROOTDIR] + --infodir=DIR info documentation [DATAROOTDIR/info] + --localedir=DIR locale-dependent data [DATAROOTDIR/locale] + --mandir=DIR man documentation [DATAROOTDIR/man] + --docdir=DIR documentation root [DATAROOTDIR/doc/openssh] + --htmldir=DIR html documentation [DOCDIR] + --dvidir=DIR dvi documentation [DOCDIR] + --pdfdir=DIR pdf documentation [DOCDIR] + --psdir=DIR ps documentation [DOCDIR] +_ACEOF + + cat <<\_ACEOF + +System types: + --build=BUILD configure for building on BUILD [guessed] + --host=HOST cross-compile to build programs to run on HOST [BUILD] +_ACEOF +fi + +if test -n "$ac_init_help"; then + case $ac_init_help in + short | recursive ) echo "Configuration of OpenSSH Portable:";; + esac + cat <<\_ACEOF + +Optional Features: + --disable-option-checking ignore unrecognized --enable/--with options + --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) + --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --disable-largefile omit support for large files + --disable-strip Disable calling strip(1) on install + --disable-etc-default-login Disable using PATH from /etc/default/login no + --disable-lastlog disable use of lastlog even if detected no + --disable-utmp disable use of utmp even if detected no + --disable-utmpx disable use of utmpx even if detected no + --disable-wtmp disable use of wtmp even if detected no + --disable-wtmpx disable use of wtmpx even if detected no + --disable-libutil disable use of libutil (login() etc.) no + --disable-pututline disable use of pututline() etc. (uwtmp) no + --disable-pututxline disable use of pututxline() etc. (uwtmpx) no + +Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --without-stackprotect Don't use compiler's stack protection + --without-hardening Don't use toolchain hardening flags + --without-rpath Disable auto-added -R linker paths + --with-cflags Specify additional flags to pass to compiler + --with-cppflags Specify additional flags to pass to preprocessor + --with-ldflags Specify additional flags to pass to linker + --with-libs Specify additional libraries to link with + --with-Werror Build main code with -Werror + --with-solaris-contracts Enable Solaris process contracts (experimental) + --with-solaris-projects Enable Solaris projects (experimental) + --with-osfsia Enable Digital Unix SIA + --with-zlib=PATH Use zlib in PATH + --without-zlib-version-check Disable zlib version check + --with-skey[=PATH] Enable S/Key support (optionally in PATH) + --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH) + --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH) + --with-libedit[=PATH] Enable libedit support for sftp + --with-audit=module Enable audit support (modules=debug,bsm,linux) + --with-pie Build Position Independent Executables if possible + --with-ssl-dir=PATH Specify path to OpenSSL installation + --without-openssl-header-check Disable OpenSSL version consistency check + --with-ssl-engine Enable OpenSSL (hardware) ENGINE support + --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT + --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool) + --with-pam Enable PAM support + --with-privsep-user=user Specify non-privileged user for privilege separation + --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum) + --with-selinux Enable SELinux support + --with-kerberos5=PATH Enable Kerberos 5 support + --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) + --with-xauth=PATH Specify path to xauth program + --with-maildir=/path/to/mail Specify your system mail directory + --with-mantype=man|cat|doc Set man page type + --with-md5-passwords Enable use of MD5 passwords + --without-shadow Disable shadow password support + --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY + --with-default-path= Specify default \$PATH environment for server + --with-superuser-path= Specify different path for super-user + --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses + --with-bsd-auth Enable BSD auth support + --with-pid-dir=PATH Specify location of ssh.pid file + --with-lastlog=FILE|DIR specify lastlog location common locations + +Some influential environment variables: + CC C compiler command + CFLAGS C compiler flags + LDFLAGS linker flags, e.g. -L if you have libraries in a + nonstandard directory + LIBS libraries to pass to the linker, e.g. -l + CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if + you have headers in a nonstandard directory + CPP C preprocessor + +Use these variables to override the choices made by `configure' or to help +it to find libraries and programs with nonstandard names/locations. + +Report bugs to . +_ACEOF +ac_status=$? +fi + +if test "$ac_init_help" = "recursive"; then + # If there are subdirs, report their specific --help. + for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue + test -d "$ac_dir" || + { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || + continue + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + cd "$ac_dir" || { ac_status=$?; continue; } + # Check for guested configure. + if test -f "$ac_srcdir/configure.gnu"; then + echo && + $SHELL "$ac_srcdir/configure.gnu" --help=recursive + elif test -f "$ac_srcdir/configure"; then + echo && + $SHELL "$ac_srcdir/configure" --help=recursive + else + $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 + fi || ac_status=$? + cd "$ac_pwd" || { ac_status=$?; break; } + done +fi + +test -n "$ac_init_help" && exit $ac_status +if $ac_init_version; then + cat <<\_ACEOF +OpenSSH configure Portable +generated by GNU Autoconf 2.68 + +Copyright (C) 2010 Free Software Foundation, Inc. +This configure script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it. +_ACEOF + exit +fi + +## ------------------------ ## +## Autoconf initialization. ## +## ------------------------ ## + +# ac_fn_c_try_compile LINENO +# -------------------------- +# Try to compile conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_compile () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext + if { { ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compile") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_compile + +# ac_fn_c_try_run LINENO +# ---------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes +# that executables *can* be run. +ac_fn_c_try_run () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then : + ac_retval=0 +else + $as_echo "$as_me: program exited with status $ac_status" >&5 + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=$ac_status +fi + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_run + +# ac_fn_c_try_cpp LINENO +# ---------------------- +# Try to preprocess conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_cpp () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if { { ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } > conftest.i && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_cpp + +# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES +# ------------------------------------------------------- +# Tests whether HEADER exists and can be compiled using the include files in +# INCLUDES, setting the cache variable VAR accordingly. +ac_fn_c_check_header_compile () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +#include <$2> +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_header_compile + +# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES +# --------------------------------------------- +# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR +# accordingly. +ac_fn_c_check_decl () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + as_decl_name=`echo $2|sed 's/ *(.*//'` + as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'` + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5 +$as_echo_n "checking whether $as_decl_name is declared... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +#ifndef $as_decl_name +#ifdef __cplusplus + (void) $as_decl_use; +#else + (void) $as_decl_name; +#endif +#endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_decl + +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link + +# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES +# ------------------------------------------------------- +# Tests whether HEADER exists, giving a warning if it cannot be compiled using +# the include files in INCLUDES and setting the cache variable VAR +# accordingly. +ac_fn_c_check_header_mongrel () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if eval \${$3+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 +$as_echo_n "checking $2 usability... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +#include <$2> +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_header_compiler=yes +else + ac_header_compiler=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 +$as_echo_n "checking $2 presence... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <$2> +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + ac_header_preproc=yes +else + ac_header_preproc=no +fi +rm -f conftest.err conftest.i conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( + yes:no: ) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} + ;; + no:yes:* ) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} +( $as_echo "## ------------------------------------------- ## +## Report this to openssh-unix-dev@mindrot.org ## +## ------------------------------------------- ##" + ) | sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + eval "$3=\$ac_header_compiler" +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +fi + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_header_mongrel + +# ac_fn_c_check_func LINENO FUNC VAR +# ---------------------------------- +# Tests whether FUNC exists, setting the cache variable VAR accordingly +ac_fn_c_check_func () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +/* Define $2 to an innocuous variant, in case declares $2. + For example, HP-UX 11i declares gettimeofday. */ +#define $2 innocuous_$2 + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $2 (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $2 + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $2 (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$2 || defined __stub___$2 +choke me +#endif + +int +main () +{ +return $2 (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_func + +# ac_fn_c_check_type LINENO TYPE VAR INCLUDES +# ------------------------------------------- +# Tests whether TYPE exists after having included INCLUDES, setting cache +# variable VAR accordingly. +ac_fn_c_check_type () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + eval "$3=no" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +if (sizeof ($2)) + return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +if (sizeof (($2))) + return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +else + eval "$3=yes" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_type + +# ac_fn_c_compute_int LINENO EXPR VAR INCLUDES +# -------------------------------------------- +# Tries to find the compile-time value of EXPR in a program that includes +# INCLUDES, setting VAR accordingly. Returns whether the value could be +# computed +ac_fn_c_compute_int () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) >= 0)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_lo=0 ac_mid=0 + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_hi=$ac_mid; break +else + as_fn_arith $ac_mid + 1 && ac_lo=$as_val + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) < 0)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_hi=-1 ac_mid=-1 + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) >= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_lo=$ac_mid; break +else + as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + ac_lo= ac_hi= +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_hi=$ac_mid +else + as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in #(( +?*) eval "$3=\$ac_lo"; ac_retval=0 ;; +'') ac_retval=1 ;; +esac + else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +static long int longval () { return $2; } +static unsigned long int ulongval () { return $2; } +#include +#include +int +main () +{ + + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (($2) < 0) + { + long int i = longval (); + if (i != ($2)) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ($2)) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + echo >>conftest.val; read $3 &5 +$as_echo_n "checking for $2.$3... " >&6; } +if eval \${$4+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$5 +int +main () +{ +static $2 ac_aggr; +if (ac_aggr.$3) +return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$4=yes" +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$5 +int +main () +{ +static $2 ac_aggr; +if (sizeof ac_aggr.$3) +return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$4=yes" +else + eval "$4=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$4 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_member +cat >config.log <<_ACEOF +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. + +It was created by OpenSSH $as_me Portable, which was +generated by GNU Autoconf 2.68. Invocation command line was + + $ $0 $@ + +_ACEOF +exec 5>>config.log +{ +cat <<_ASUNAME +## --------- ## +## Platform. ## +## --------- ## + +hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` +uname -m = `(uname -m) 2>/dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` + +/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` +/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` +/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` +/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` + +_ASUNAME + +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + $as_echo "PATH: $as_dir" + done +IFS=$as_save_IFS + +} >&5 + +cat >&5 <<_ACEOF + + +## ----------- ## +## Core tests. ## +## ----------- ## + +_ACEOF + + +# Keep a trace of the command line. +# Strip out --no-create and --no-recursion so they do not pile up. +# Strip out --silent because we don't want to record it for future runs. +# Also quote any args containing shell meta-characters. +# Make two passes to allow for proper duplicate-argument suppression. +ac_configure_args= +ac_configure_args0= +ac_configure_args1= +ac_must_keep_next=false +for ac_pass in 1 2 +do + for ac_arg + do + case $ac_arg in + -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + continue ;; + *\'*) + ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + case $ac_pass in + 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; + 2) + as_fn_append ac_configure_args1 " '$ac_arg'" + if test $ac_must_keep_next = true; then + ac_must_keep_next=false # Got value, back to normal. + else + case $ac_arg in + *=* | --config-cache | -C | -disable-* | --disable-* \ + | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ + | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ + | -with-* | --with-* | -without-* | --without-* | --x) + case "$ac_configure_args0 " in + "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; + esac + ;; + -* ) ac_must_keep_next=true ;; + esac + fi + as_fn_append ac_configure_args " '$ac_arg'" + ;; + esac + done +done +{ ac_configure_args0=; unset ac_configure_args0;} +{ ac_configure_args1=; unset ac_configure_args1;} + +# When interrupted or exit'd, cleanup temporary files, and complete +# config.log. We remove comments because anyway the quotes in there +# would cause problems or look ugly. +# WARNING: Use '\'' to represent an apostrophe within the trap. +# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. +trap 'exit_status=$? + # Save into config.log some information that might help in debugging. + { + echo + + $as_echo "## ---------------- ## +## Cache variables. ## +## ---------------- ##" + echo + # The following way of writing the cache mishandles newlines in values, +( + for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) { eval $ac_var=; unset $ac_var;} ;; + esac ;; + esac + done + (set) 2>&1 | + case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + sed -n \ + "s/'\''/'\''\\\\'\'''\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" + ;; #( + *) + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) + echo + + $as_echo "## ----------------- ## +## Output variables. ## +## ----------------- ##" + echo + for ac_var in $ac_subst_vars + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + + if test -n "$ac_subst_files"; then + $as_echo "## ------------------- ## +## File substitutions. ## +## ------------------- ##" + echo + for ac_var in $ac_subst_files + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + fi + + if test -s confdefs.h; then + $as_echo "## ----------- ## +## confdefs.h. ## +## ----------- ##" + echo + cat confdefs.h + echo + fi + test "$ac_signal" != 0 && + $as_echo "$as_me: caught signal $ac_signal" + $as_echo "$as_me: exit $exit_status" + } >&5 + rm -f core *.core core.conftest.* && + rm -f -r conftest* confdefs* conf$$* $ac_clean_files && + exit $exit_status +' 0 +for ac_signal in 1 2 13 15; do + trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal +done +ac_signal=0 + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -f -r conftest* confdefs.h + +$as_echo "/* confdefs.h */" > confdefs.h + +# Predefined preprocessor variables. + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_NAME "$PACKAGE_NAME" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_TARNAME "$PACKAGE_TARNAME" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_VERSION "$PACKAGE_VERSION" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_STRING "$PACKAGE_STRING" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_URL "$PACKAGE_URL" +_ACEOF + + +# Let the site file select an alternate cache file if it wants to. +# Prefer an explicitly selected file to automatically selected ones. +ac_site_file1=NONE +ac_site_file2=NONE +if test -n "$CONFIG_SITE"; then + # We do not want a PATH search for config.site. + case $CONFIG_SITE in #(( + -*) ac_site_file1=./$CONFIG_SITE;; + */*) ac_site_file1=$CONFIG_SITE;; + *) ac_site_file1=./$CONFIG_SITE;; + esac +elif test "x$prefix" != xNONE; then + ac_site_file1=$prefix/share/config.site + ac_site_file2=$prefix/etc/config.site +else + ac_site_file1=$ac_default_prefix/share/config.site + ac_site_file2=$ac_default_prefix/etc/config.site +fi +for ac_site_file in "$ac_site_file1" "$ac_site_file2" +do + test "x$ac_site_file" = xNONE && continue + if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 +$as_echo "$as_me: loading site script $ac_site_file" >&6;} + sed 's/^/| /' "$ac_site_file" >&5 + . "$ac_site_file" \ + || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "failed to load site script $ac_site_file +See \`config.log' for more details" "$LINENO" 5; } + fi +done + +if test -r "$cache_file"; then + # Some versions of bash will fail to source /dev/null (special files + # actually), so we avoid doing that. DJGPP emulates it as a regular file. + if test /dev/null != "$cache_file" && test -f "$cache_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 +$as_echo "$as_me: loading cache $cache_file" >&6;} + case $cache_file in + [\\/]* | ?:[\\/]* ) . "$cache_file";; + *) . "./$cache_file";; + esac + fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 +$as_echo "$as_me: creating cache $cache_file" >&6;} + >$cache_file +fi + +# Check that the precious variables saved in the cache have kept the same +# value. +ac_cache_corrupted=false +for ac_var in $ac_precious_vars; do + eval ac_old_set=\$ac_cv_env_${ac_var}_set + eval ac_new_set=\$ac_env_${ac_var}_set + eval ac_old_val=\$ac_cv_env_${ac_var}_value + eval ac_new_val=\$ac_env_${ac_var}_value + case $ac_old_set,$ac_new_set in + set,) + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,set) + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,);; + *) + if test "x$ac_old_val" != "x$ac_new_val"; then + # differences in whitespace do not lead to failure. + ac_old_val_w=`echo x $ac_old_val` + ac_new_val_w=`echo x $ac_new_val` + if test "$ac_old_val_w" != "$ac_new_val_w"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 +$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} + ac_cache_corrupted=: + else + { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 +$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} + eval $ac_var=\$ac_old_val + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 +$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 +$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} + fi;; + esac + # Pass precious variables to config.status. + if test "$ac_new_set" = set; then + case $ac_new_val in + *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *) ac_arg=$ac_var=$ac_new_val ;; + esac + case " $ac_configure_args " in + *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. + *) as_fn_append ac_configure_args " '$ac_arg'" ;; + esac + fi +done +if $ac_cache_corrupted; then + { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 +$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} + as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 +fi +## -------------------- ## +## Main body of script. ## +## -------------------- ## + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + +ac_config_headers="$ac_config_headers config.h" + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. +set dummy ${ac_tool_prefix}gcc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_CC="${ac_tool_prefix}gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_CC"; then + ac_ct_CC=$CC + # Extract the first word of "gcc", so it can be a program name with args. +set dummy gcc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_CC="gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +else + CC="$ac_cv_prog_CC" +fi + +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. +set dummy ${ac_tool_prefix}cc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_CC="${ac_tool_prefix}cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + fi +fi +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + ac_prog_rejected=no +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +if test $ac_prog_rejected = yes; then + # We found a bogon in the path, so make sure we never use it. + set dummy $ac_cv_prog_CC + shift + if test $# != 0; then + # We chose a different compiler from the bogus one. + # However, it has the same basename, so the bogon will be chosen + # first if we set CC to just the basename; use the full file name. + shift + ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" + fi +fi +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + for ac_prog in cl.exe + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_CC="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$CC" && break + done +fi +if test -z "$CC"; then + ac_ct_CC=$CC + for ac_prog in cl.exe +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_CC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$ac_ct_CC" && break +done + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +fi + +fi + + +test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "no acceptable C compiler found in \$PATH +See \`config.log' for more details" "$LINENO" 5; } + +# Provide some information about the compiler. +$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 +set X $ac_compile +ac_compiler=$2 +for ac_option in --version -v -V -qversion; do + { { ac_try="$ac_compiler $ac_option >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compiler $ac_option >&5") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + sed '10a\ +... rest of stderr output deleted ... + 10q' conftest.err >conftest.er1 + cat conftest.er1 >&5 + fi + rm -f conftest.er1 conftest.err + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } +done + +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" +# Try to create an executable without -o first, disregard a.out. +# It will help us diagnose broken compilers, and finding out an intuition +# of exeext. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } +ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` + +# The possible output files: +ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" + +ac_rmfiles= +for ac_file in $ac_files +do + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + * ) ac_rmfiles="$ac_rmfiles $ac_file";; + esac +done +rm -f $ac_rmfiles + +if { { ac_try="$ac_link_default" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link_default") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. +# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' +# in a Makefile. We should not override ac_cv_exeext if it was cached, +# so that the user can short-circuit this test for compilers unknown to +# Autoconf. +for ac_file in $ac_files '' +do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) + ;; + [ab].out ) + # We found the default executable, but exeext='' is most + # certainly right. + break;; + *.* ) + if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; + then :; else + ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + fi + # We set ac_cv_exeext here because the later test for it is not + # safe: cross compilers may not add the suffix if given an `-o' + # argument, so we may need to know it at that point already. + # Even if this section looks crufty: it has the advantage of + # actually working. + break;; + * ) + break;; + esac +done +test "$ac_cv_exeext" = no && ac_cv_exeext= + +else + ac_file='' +fi +if test -z "$ac_file"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "C compiler cannot create executables +See \`config.log' for more details" "$LINENO" 5; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } +ac_exeext=$ac_cv_exeext + +rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out +ac_clean_files=$ac_clean_files_save +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 +$as_echo_n "checking for suffix of executables... " >&6; } +if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + # If both `conftest.exe' and `conftest' are `present' (well, observable) +# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will +# work properly (i.e., refer to `conftest.exe'), while it won't with +# `rm'. +for ac_file in conftest.exe conftest conftest.*; do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + break;; + * ) break;; + esac +done +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f conftest conftest$ac_cv_exeext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 +$as_echo "$ac_cv_exeext" >&6; } + +rm -f conftest.$ac_ext +EXEEXT=$ac_cv_exeext +ac_exeext=$EXEEXT +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +FILE *f = fopen ("conftest.out", "w"); + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +ac_clean_files="$ac_clean_files conftest.out" +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... " >&6; } +if test "$cross_compiling" != yes; then + { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if { ac_try='./conftest$ac_cv_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details" "$LINENO" 5; } + fi + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } + +rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out +ac_clean_files=$ac_clean_files_save +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 +$as_echo_n "checking for suffix of object files... " >&6; } +if ${ac_cv_objext+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.o conftest.obj +if { { ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compile") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + for ac_file in conftest.o conftest.obj conftest.*; do + test -f "$ac_file" || continue; + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; + *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` + break;; + esac +done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot compute suffix of object files: cannot compile +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f conftest.$ac_cv_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 +$as_echo "$ac_cv_objext" >&6; } +OBJEXT=$ac_cv_objext +ac_objext=$OBJEXT +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 +$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } +if ${ac_cv_c_compiler_gnu+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ +#ifndef __GNUC__ + choke me +#endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_compiler_gnu=yes +else + ac_compiler_gnu=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +ac_cv_c_compiler_gnu=$ac_compiler_gnu + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 +$as_echo "$ac_cv_c_compiler_gnu" >&6; } +if test $ac_compiler_gnu = yes; then + GCC=yes +else + GCC= +fi +ac_test_CFLAGS=${CFLAGS+set} +ac_save_CFLAGS=$CFLAGS +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 +$as_echo_n "checking whether $CC accepts -g... " >&6; } +if ${ac_cv_prog_cc_g+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_save_c_werror_flag=$ac_c_werror_flag + ac_c_werror_flag=yes + ac_cv_prog_cc_g=no + CFLAGS="-g" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_g=yes +else + CFLAGS="" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +else + ac_c_werror_flag=$ac_save_c_werror_flag + CFLAGS="-g" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_g=yes +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_c_werror_flag=$ac_save_c_werror_flag +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 +$as_echo "$ac_cv_prog_cc_g" >&6; } +if test "$ac_test_CFLAGS" = set; then + CFLAGS=$ac_save_CFLAGS +elif test $ac_cv_prog_cc_g = yes; then + if test "$GCC" = yes; then + CFLAGS="-g -O2" + else + CFLAGS="-g" + fi +else + if test "$GCC" = yes; then + CFLAGS="-O2" + else + CFLAGS= + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 +$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } +if ${ac_cv_prog_cc_c89+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_prog_cc_c89=no +ac_save_CC=$CC +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +#include +#include +#include +/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ +struct buf { int x; }; +FILE * (*rcsopen) (struct buf *, struct stat *, int); +static char *e (p, i) + char **p; + int i; +{ + return p[i]; +} +static char *f (char * (*g) (char **, int), char **p, ...) +{ + char *s; + va_list v; + va_start (v,p); + s = g (p, va_arg (v,int)); + va_end (v); + return s; +} + +/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has + function prototypes and stuff, but not '\xHH' hex character constants. + These don't provoke an error unfortunately, instead are silently treated + as 'x'. The following induces an error, until -std is added to get + proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an + array size at least. It's necessary to write '\x00'==0 to get something + that's true only with -std. */ +int osf4_cc_array ['\x00' == 0 ? 1 : -1]; + +/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters + inside strings and character constants. */ +#define FOO(x) 'x' +int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; + +int test (int i, double x); +struct s1 {int (*f) (int a);}; +struct s2 {int (*f) (double a);}; +int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); +int argc; +char **argv; +int +main () +{ +return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; + ; + return 0; +} +_ACEOF +for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ + -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" +do + CC="$ac_save_CC $ac_arg" + if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_c89=$ac_arg +fi +rm -f core conftest.err conftest.$ac_objext + test "x$ac_cv_prog_cc_c89" != "xno" && break +done +rm -f conftest.$ac_ext +CC=$ac_save_CC + +fi +# AC_CACHE_VAL +case "x$ac_cv_prog_cc_c89" in + x) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; + xno) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; + *) + CC="$CC $ac_cv_prog_cc_c89" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 +$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; +esac +if test "x$ac_cv_prog_cc_c89" != xno; then : + +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +ac_aux_dir= +for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do + if test -f "$ac_dir/install-sh"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/install-sh -c" + break + elif test -f "$ac_dir/install.sh"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/install.sh -c" + break + elif test -f "$ac_dir/shtool"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/shtool install -c" + break + fi +done +if test -z "$ac_aux_dir"; then + as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5 +fi + +# These three variables are undocumented and unsupported, +# and are intended to be withdrawn in a future Autoconf release. +# They can cause serious problems if a builder's source tree is in a directory +# whose full name contains unusual characters. +ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. +ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. +ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. + + +# Make sure we can run config.sub. +$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || + as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 +$as_echo_n "checking build system type... " >&6; } +if ${ac_cv_build+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_build_alias=$build_alias +test "x$ac_build_alias" = x && + ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` +test "x$ac_build_alias" = x && + as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 +ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || + as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 +$as_echo "$ac_cv_build" >&6; } +case $ac_cv_build in +*-*-*) ;; +*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; +esac +build=$ac_cv_build +ac_save_IFS=$IFS; IFS='-' +set x $ac_cv_build +shift +build_cpu=$1 +build_vendor=$2 +shift; shift +# Remember, the first character of IFS is used to create $*, +# except with old shells: +build_os=$* +IFS=$ac_save_IFS +case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 +$as_echo_n "checking host system type... " >&6; } +if ${ac_cv_host+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test "x$host_alias" = x; then + ac_cv_host=$ac_cv_build +else + ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || + as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 +$as_echo "$ac_cv_host" >&6; } +case $ac_cv_host in +*-*-*) ;; +*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; +esac +host=$ac_cv_host +ac_save_IFS=$IFS; IFS='-' +set x $ac_cv_host +shift +host_cpu=$1 +host_vendor=$2 +shift; shift +# Remember, the first character of IFS is used to create $*, +# except with old shells: +host_os=$* +IFS=$ac_save_IFS +case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac + + + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 +$as_echo_n "checking how to run the C preprocessor... " >&6; } +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then + if ${ac_cv_prog_CPP+:} false; then : + $as_echo_n "(cached) " >&6 +else + # Double quotes because CPP needs to be expanded + for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" + do + ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + +else + # Broken: fails on valid input. +continue +fi +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. +ac_preproc_ok=: +break +fi +rm -f conftest.err conftest.i conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : + break +fi + + done + ac_cv_prog_CPP=$CPP + +fi + CPP=$ac_cv_prog_CPP +else + ac_cv_prog_CPP=$CPP +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 +$as_echo "$CPP" >&6; } +ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + +else + # Broken: fails on valid input. +continue +fi +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. +ac_preproc_ok=: +break +fi +rm -f conftest.err conftest.i conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : + +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details" "$LINENO" 5; } +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 +$as_echo_n "checking for grep that handles long lines and -e... " >&6; } +if ${ac_cv_path_GREP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -z "$GREP"; then + ac_path_GREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in grep ggrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue +# Check for GNU ac_path_GREP and select it if it is found. + # Check for GNU $ac_path_GREP +case `"$ac_path_GREP" --version 2>&1` in +*GNU*) + ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'GREP' >> "conftest.nl" + "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_GREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_GREP="$ac_path_GREP" + ac_path_GREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_GREP_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_GREP"; then + as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + fi +else + ac_cv_path_GREP=$GREP +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 +$as_echo "$ac_cv_path_GREP" >&6; } + GREP="$ac_cv_path_GREP" + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 +$as_echo_n "checking for egrep... " >&6; } +if ${ac_cv_path_EGREP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 + then ac_cv_path_EGREP="$GREP -E" + else + if test -z "$EGREP"; then + ac_path_EGREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue +# Check for GNU ac_path_EGREP and select it if it is found. + # Check for GNU $ac_path_EGREP +case `"$ac_path_EGREP" --version 2>&1` in +*GNU*) + ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'EGREP' >> "conftest.nl" + "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_EGREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_EGREP="$ac_path_EGREP" + ac_path_EGREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_EGREP_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_EGREP"; then + as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + fi +else + ac_cv_path_EGREP=$EGREP +fi + + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 +$as_echo "$ac_cv_path_EGREP" >&6; } + EGREP="$ac_cv_path_EGREP" + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 +$as_echo_n "checking for ANSI C header files... " >&6; } +if ${ac_cv_header_stdc+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +#include +#include +#include + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_header_stdc=yes +else + ac_cv_header_stdc=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +if test $ac_cv_header_stdc = yes; then + # SunOS 4.x string.h does not declare mem*, contrary to ANSI. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "memchr" >/dev/null 2>&1; then : + +else + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "free" >/dev/null 2>&1; then : + +else + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. + if test "$cross_compiling" = yes; then : + : +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +#include +#if ((' ' & 0x0FF) == 0x020) +# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') +# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) +#else +# define ISLOWER(c) \ + (('a' <= (c) && (c) <= 'i') \ + || ('j' <= (c) && (c) <= 'r') \ + || ('s' <= (c) && (c) <= 'z')) +# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) +#endif + +#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) +int +main () +{ + int i; + for (i = 0; i < 256; i++) + if (XOR (islower (i), ISLOWER (i)) + || toupper (i) != TOUPPER (i)) + return 2; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + +else + ac_cv_header_stdc=no +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 +$as_echo "$ac_cv_header_stdc" >&6; } +if test $ac_cv_header_stdc = yes; then + +$as_echo "#define STDC_HEADERS 1" >>confdefs.h + +fi + +# On IRIX 5.3, sys/types and inttypes.h are conflicting. +for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ + inttypes.h stdint.h unistd.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default +" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 +$as_echo_n "checking whether byte ordering is bigendian... " >&6; } +if ${ac_cv_c_bigendian+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_c_bigendian=unknown + # See if we're dealing with a universal compiler. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifndef __APPLE_CC__ + not a universal capable compiler + #endif + typedef int dummy; + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + # Check for potential -arch flags. It is not universal unless + # there are at least two -arch flags with different values. + ac_arch= + ac_prev= + for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do + if test -n "$ac_prev"; then + case $ac_word in + i?86 | x86_64 | ppc | ppc64) + if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then + ac_arch=$ac_word + else + ac_cv_c_bigendian=universal + break + fi + ;; + esac + ac_prev= + elif test "x$ac_word" = "x-arch"; then + ac_prev=arch + fi + done +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if test $ac_cv_c_bigendian = unknown; then + # See if sys/param.h defines the BYTE_ORDER macro. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + #include + +int +main () +{ +#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ + && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ + && LITTLE_ENDIAN) + bogus endian macros + #endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + # It does; now see whether it defined to BIG_ENDIAN or not. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + #include + +int +main () +{ +#if BYTE_ORDER != BIG_ENDIAN + not big endian + #endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_bigendian=yes +else + ac_cv_c_bigendian=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test $ac_cv_c_bigendian = unknown; then + # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +int +main () +{ +#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) + bogus endian macros + #endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + # It does; now see whether it defined to _BIG_ENDIAN or not. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +int +main () +{ +#ifndef _BIG_ENDIAN + not big endian + #endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_bigendian=yes +else + ac_cv_c_bigendian=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test $ac_cv_c_bigendian = unknown; then + # Compile a test program. + if test "$cross_compiling" = yes; then : + # Try to guess by grepping values from an object file. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +short int ascii_mm[] = + { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; + short int ascii_ii[] = + { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; + int use_ascii (int i) { + return ascii_mm[i] + ascii_ii[i]; + } + short int ebcdic_ii[] = + { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; + short int ebcdic_mm[] = + { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; + int use_ebcdic (int i) { + return ebcdic_mm[i] + ebcdic_ii[i]; + } + extern int foo; + +int +main () +{ +return use_ascii (foo) == use_ebcdic (foo); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then + ac_cv_c_bigendian=yes + fi + if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then + if test "$ac_cv_c_bigendian" = unknown; then + ac_cv_c_bigendian=no + else + # finding both strings is unlikely to happen, but who knows? + ac_cv_c_bigendian=unknown + fi + fi +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ + + /* Are we little or big endian? From Harbison&Steele. */ + union + { + long int l; + char c[sizeof (long int)]; + } u; + u.l = 1; + return u.c[sizeof (long int) - 1] == 1; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + ac_cv_c_bigendian=no +else + ac_cv_c_bigendian=yes +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 +$as_echo "$ac_cv_c_bigendian" >&6; } + case $ac_cv_c_bigendian in #( + yes) + $as_echo "#define WORDS_BIGENDIAN 1" >>confdefs.h +;; #( + no) + ;; #( + universal) + +$as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h + + ;; #( + *) + as_fn_error $? "unknown endianness + presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;; + esac + + +# Checks for programs. +for ac_prog in gawk mawk nawk awk +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_AWK+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$AWK"; then + ac_cv_prog_AWK="$AWK" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +AWK=$ac_cv_prog_AWK +if test -n "$AWK"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 +$as_echo "$AWK" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$AWK" && break +done + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 +$as_echo_n "checking how to run the C preprocessor... " >&6; } +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then + if ${ac_cv_prog_CPP+:} false; then : + $as_echo_n "(cached) " >&6 +else + # Double quotes because CPP needs to be expanded + for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" + do + ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + +else + # Broken: fails on valid input. +continue +fi +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. +ac_preproc_ok=: +break +fi +rm -f conftest.err conftest.i conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : + break +fi + + done + ac_cv_prog_CPP=$CPP + +fi + CPP=$ac_cv_prog_CPP +else + ac_cv_prog_CPP=$CPP +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 +$as_echo "$CPP" >&6; } +ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + +else + # Broken: fails on valid input. +continue +fi +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. +ac_preproc_ok=: +break +fi +rm -f conftest.err conftest.i conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : + +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details" "$LINENO" 5; } +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. +set dummy ${ac_tool_prefix}ranlib; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_RANLIB+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$RANLIB"; then + ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +RANLIB=$ac_cv_prog_RANLIB +if test -n "$RANLIB"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 +$as_echo "$RANLIB" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_RANLIB"; then + ac_ct_RANLIB=$RANLIB + # Extract the first word of "ranlib", so it can be a program name with args. +set dummy ranlib; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_RANLIB+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_RANLIB"; then + ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_RANLIB="ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB +if test -n "$ac_ct_RANLIB"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 +$as_echo "$ac_ct_RANLIB" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_RANLIB" = x; then + RANLIB=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + RANLIB=$ac_ct_RANLIB + fi +else + RANLIB="$ac_cv_prog_RANLIB" +fi + +# Find a good install program. We prefer a C program (faster), +# so one script is as good as another. But avoid the broken or +# incompatible versions: +# SysV /etc/install, /usr/sbin/install +# SunOS /usr/etc/install +# IRIX /sbin/install +# AIX /bin/install +# AmigaOS /C/install, which installs bootblocks on floppy discs +# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag +# AFS /usr/afsws/bin/install, which mishandles nonexistent args +# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" +# OS/2's system install, which has a completely different semantic +# ./install, which can be erroneously created by make from ./install.sh. +# Reject install programs that cannot install multiple files. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 +$as_echo_n "checking for a BSD-compatible install... " >&6; } +if test -z "$INSTALL"; then +if ${ac_cv_path_install+:} false; then : + $as_echo_n "(cached) " >&6 +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + # Account for people who put trailing slashes in PATH elements. +case $as_dir/ in #(( + ./ | .// | /[cC]/* | \ + /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ + ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ + /usr/ucb/* ) ;; + *) + # OSF1 and SCO ODT 3.0 have their own names for install. + # Don't use installbsd from OSF since it installs stuff as root + # by default. + for ac_prog in ginstall scoinst install; do + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then + if test $ac_prog = install && + grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. + : + elif test $ac_prog = install && + grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # program-specific install script used by HP pwplus--don't use. + : + else + rm -rf conftest.one conftest.two conftest.dir + echo one > conftest.one + echo two > conftest.two + mkdir conftest.dir + if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && + test -s conftest.one && test -s conftest.two && + test -s conftest.dir/conftest.one && + test -s conftest.dir/conftest.two + then + ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" + break 3 + fi + fi + fi + done + done + ;; +esac + + done +IFS=$as_save_IFS + +rm -rf conftest.one conftest.two conftest.dir + +fi + if test "${ac_cv_path_install+set}" = set; then + INSTALL=$ac_cv_path_install + else + # As a last resort, use the slow shell script. Don't cache a + # value for INSTALL within a source directory, because that will + # break other packages using the cache if that directory is + # removed, or if the value is a relative name. + INSTALL=$ac_install_sh + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 +$as_echo "$INSTALL" >&6; } + +# Use test -z because SunOS4 sh mishandles braces in ${var-val}. +# It thinks the first close brace ends the variable substitution. +test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' + +test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' + +test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 +$as_echo_n "checking for egrep... " >&6; } +if ${ac_cv_path_EGREP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 + then ac_cv_path_EGREP="$GREP -E" + else + if test -z "$EGREP"; then + ac_path_EGREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue +# Check for GNU ac_path_EGREP and select it if it is found. + # Check for GNU $ac_path_EGREP +case `"$ac_path_EGREP" --version 2>&1` in +*GNU*) + ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'EGREP' >> "conftest.nl" + "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_EGREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_EGREP="$ac_path_EGREP" + ac_path_EGREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_EGREP_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_EGREP"; then + as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + fi +else + ac_cv_path_EGREP=$EGREP +fi + + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 +$as_echo "$ac_cv_path_EGREP" >&6; } + EGREP="$ac_cv_path_EGREP" + + +# Extract the first word of "ar", so it can be a program name with args. +set dummy ar; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_AR+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $AR in + [\\/]* | ?:[\\/]*) + ac_cv_path_AR="$AR" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_AR="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +AR=$ac_cv_path_AR +if test -n "$AR"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 +$as_echo "$AR" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "cat", so it can be a program name with args. +set dummy cat; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_CAT+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $CAT in + [\\/]* | ?:[\\/]*) + ac_cv_path_CAT="$CAT" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_CAT="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +CAT=$ac_cv_path_CAT +if test -n "$CAT"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CAT" >&5 +$as_echo "$CAT" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "kill", so it can be a program name with args. +set dummy kill; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_KILL+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $KILL in + [\\/]* | ?:[\\/]*) + ac_cv_path_KILL="$KILL" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_KILL="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +KILL=$ac_cv_path_KILL +if test -n "$KILL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KILL" >&5 +$as_echo "$KILL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +for ac_prog in perl5 perl +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PERL+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PERL in + [\\/]* | ?:[\\/]*) + ac_cv_path_PERL="$PERL" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PERL=$ac_cv_path_PERL +if test -n "$PERL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PERL" >&5 +$as_echo "$PERL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$PERL" && break +done + +# Extract the first word of "sed", so it can be a program name with args. +set dummy sed; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_SED+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $SED in + [\\/]* | ?:[\\/]*) + ac_cv_path_SED="$SED" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_SED="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +SED=$ac_cv_path_SED +if test -n "$SED"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SED" >&5 +$as_echo "$SED" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + +# Extract the first word of "ent", so it can be a program name with args. +set dummy ent; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_ENT+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $ENT in + [\\/]* | ?:[\\/]*) + ac_cv_path_ENT="$ENT" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_ENT="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +ENT=$ac_cv_path_ENT +if test -n "$ENT"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ENT" >&5 +$as_echo "$ENT" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + +# Extract the first word of "bash", so it can be a program name with args. +set dummy bash; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_TEST_MINUS_S_SH+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $TEST_MINUS_S_SH in + [\\/]* | ?:[\\/]*) + ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_TEST_MINUS_S_SH="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +TEST_MINUS_S_SH=$ac_cv_path_TEST_MINUS_S_SH +if test -n "$TEST_MINUS_S_SH"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $TEST_MINUS_S_SH" >&5 +$as_echo "$TEST_MINUS_S_SH" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "ksh", so it can be a program name with args. +set dummy ksh; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_TEST_MINUS_S_SH+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $TEST_MINUS_S_SH in + [\\/]* | ?:[\\/]*) + ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_TEST_MINUS_S_SH="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +TEST_MINUS_S_SH=$ac_cv_path_TEST_MINUS_S_SH +if test -n "$TEST_MINUS_S_SH"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $TEST_MINUS_S_SH" >&5 +$as_echo "$TEST_MINUS_S_SH" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "sh", so it can be a program name with args. +set dummy sh; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_TEST_MINUS_S_SH+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $TEST_MINUS_S_SH in + [\\/]* | ?:[\\/]*) + ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_TEST_MINUS_S_SH="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +TEST_MINUS_S_SH=$ac_cv_path_TEST_MINUS_S_SH +if test -n "$TEST_MINUS_S_SH"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $TEST_MINUS_S_SH" >&5 +$as_echo "$TEST_MINUS_S_SH" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "sh", so it can be a program name with args. +set dummy sh; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_SH+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $SH in + [\\/]* | ?:[\\/]*) + ac_cv_path_SH="$SH" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_SH="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +SH=$ac_cv_path_SH +if test -n "$SH"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SH" >&5 +$as_echo "$SH" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "groff", so it can be a program name with args. +set dummy groff; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_GROFF+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $GROFF in + [\\/]* | ?:[\\/]*) + ac_cv_path_GROFF="$GROFF" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_GROFF="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +GROFF=$ac_cv_path_GROFF +if test -n "$GROFF"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GROFF" >&5 +$as_echo "$GROFF" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "nroff", so it can be a program name with args. +set dummy nroff; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_NROFF+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $NROFF in + [\\/]* | ?:[\\/]*) + ac_cv_path_NROFF="$NROFF" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_NROFF="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +NROFF=$ac_cv_path_NROFF +if test -n "$NROFF"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NROFF" >&5 +$as_echo "$NROFF" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "mandoc", so it can be a program name with args. +set dummy mandoc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_MANDOC+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $MANDOC in + [\\/]* | ?:[\\/]*) + ac_cv_path_MANDOC="$MANDOC" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_MANDOC="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +MANDOC=$ac_cv_path_MANDOC +if test -n "$MANDOC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANDOC" >&5 +$as_echo "$MANDOC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +TEST_SHELL=sh + + +if test "x$MANDOC" != "x" ; then + MANFMT="$MANDOC" +elif test "x$NROFF" != "x" ; then + MANFMT="$NROFF -mandoc" +elif test "x$GROFF" != "x" ; then + MANFMT="$GROFF -mandoc -Tascii" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: no manpage formatted found" >&5 +$as_echo "$as_me: WARNING: no manpage formatted found" >&2;} + MANFMT="false" +fi + + +# Extract the first word of "groupadd", so it can be a program name with args. +set dummy groupadd; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PATH_GROUPADD_PROG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PATH_GROUPADD_PROG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PATH_GROUPADD_PROG="$PATH_GROUPADD_PROG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in /usr/sbin${PATH_SEPARATOR}/etc +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_PATH_GROUPADD_PROG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_path_PATH_GROUPADD_PROG" && ac_cv_path_PATH_GROUPADD_PROG="groupadd" + ;; +esac +fi +PATH_GROUPADD_PROG=$ac_cv_path_PATH_GROUPADD_PROG +if test -n "$PATH_GROUPADD_PROG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PATH_GROUPADD_PROG" >&5 +$as_echo "$PATH_GROUPADD_PROG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "useradd", so it can be a program name with args. +set dummy useradd; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PATH_USERADD_PROG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PATH_USERADD_PROG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PATH_USERADD_PROG="$PATH_USERADD_PROG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in /usr/sbin${PATH_SEPARATOR}/etc +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_PATH_USERADD_PROG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_path_PATH_USERADD_PROG" && ac_cv_path_PATH_USERADD_PROG="useradd" + ;; +esac +fi +PATH_USERADD_PROG=$ac_cv_path_PATH_USERADD_PROG +if test -n "$PATH_USERADD_PROG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PATH_USERADD_PROG" >&5 +$as_echo "$PATH_USERADD_PROG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +# Extract the first word of "pkgmk", so it can be a program name with args. +set dummy pkgmk; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_MAKE_PACKAGE_SUPPORTED+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$MAKE_PACKAGE_SUPPORTED"; then + ac_cv_prog_MAKE_PACKAGE_SUPPORTED="$MAKE_PACKAGE_SUPPORTED" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_MAKE_PACKAGE_SUPPORTED="yes" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_MAKE_PACKAGE_SUPPORTED" && ac_cv_prog_MAKE_PACKAGE_SUPPORTED="no" +fi +fi +MAKE_PACKAGE_SUPPORTED=$ac_cv_prog_MAKE_PACKAGE_SUPPORTED +if test -n "$MAKE_PACKAGE_SUPPORTED"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAKE_PACKAGE_SUPPORTED" >&5 +$as_echo "$MAKE_PACKAGE_SUPPORTED" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +if test -x /sbin/sh; then + STARTUP_SCRIPT_SHELL=/sbin/sh + +else + STARTUP_SCRIPT_SHELL=/bin/sh + +fi + +# System features +# Check whether --enable-largefile was given. +if test "${enable_largefile+set}" = set; then : + enableval=$enable_largefile; +fi + +if test "$enable_largefile" != no; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for special C compiler options needed for large files" >&5 +$as_echo_n "checking for special C compiler options needed for large files... " >&6; } +if ${ac_cv_sys_largefile_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_sys_largefile_CC=no + if test "$GCC" != yes; then + ac_save_CC=$CC + while :; do + # IRIX 6.2 and later do not support large files by default, + # so use the C compiler's -n32 option if that helps. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF + if ac_fn_c_try_compile "$LINENO"; then : + break +fi +rm -f core conftest.err conftest.$ac_objext + CC="$CC -n32" + if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_largefile_CC=' -n32'; break +fi +rm -f core conftest.err conftest.$ac_objext + break + done + CC=$ac_save_CC + rm -f conftest.$ac_ext + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_largefile_CC" >&5 +$as_echo "$ac_cv_sys_largefile_CC" >&6; } + if test "$ac_cv_sys_largefile_CC" != no; then + CC=$CC$ac_cv_sys_largefile_CC + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _FILE_OFFSET_BITS value needed for large files" >&5 +$as_echo_n "checking for _FILE_OFFSET_BITS value needed for large files... " >&6; } +if ${ac_cv_sys_file_offset_bits+:} false; then : + $as_echo_n "(cached) " >&6 +else + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_file_offset_bits=no; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#define _FILE_OFFSET_BITS 64 +#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_file_offset_bits=64; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_cv_sys_file_offset_bits=unknown + break +done +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_file_offset_bits" >&5 +$as_echo "$ac_cv_sys_file_offset_bits" >&6; } +case $ac_cv_sys_file_offset_bits in #( + no | unknown) ;; + *) +cat >>confdefs.h <<_ACEOF +#define _FILE_OFFSET_BITS $ac_cv_sys_file_offset_bits +_ACEOF +;; +esac +rm -rf conftest* + if test $ac_cv_sys_file_offset_bits = unknown; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGE_FILES value needed for large files" >&5 +$as_echo_n "checking for _LARGE_FILES value needed for large files... " >&6; } +if ${ac_cv_sys_large_files+:} false; then : + $as_echo_n "(cached) " >&6 +else + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_large_files=no; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#define _LARGE_FILES 1 +#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_large_files=1; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_cv_sys_large_files=unknown + break +done +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_large_files" >&5 +$as_echo "$ac_cv_sys_large_files" >&6; } +case $ac_cv_sys_large_files in #( + no | unknown) ;; + *) +cat >>confdefs.h <<_ACEOF +#define _LARGE_FILES $ac_cv_sys_large_files +_ACEOF +;; +esac +rm -rf conftest* + fi +fi + + +if test -z "$AR" ; then + as_fn_error $? "*** 'ar' missing, please install or fix your \$PATH ***" "$LINENO" 5 +fi + +# Use LOGIN_PROGRAM from environment if possible +if test ! -z "$LOGIN_PROGRAM" ; then + +cat >>confdefs.h <<_ACEOF +#define LOGIN_PROGRAM_FALLBACK "$LOGIN_PROGRAM" +_ACEOF + +else + # Search for login + # Extract the first word of "login", so it can be a program name with args. +set dummy login; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_LOGIN_PROGRAM_FALLBACK+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $LOGIN_PROGRAM_FALLBACK in + [\\/]* | ?:[\\/]*) + ac_cv_path_LOGIN_PROGRAM_FALLBACK="$LOGIN_PROGRAM_FALLBACK" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_LOGIN_PROGRAM_FALLBACK="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +LOGIN_PROGRAM_FALLBACK=$ac_cv_path_LOGIN_PROGRAM_FALLBACK +if test -n "$LOGIN_PROGRAM_FALLBACK"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LOGIN_PROGRAM_FALLBACK" >&5 +$as_echo "$LOGIN_PROGRAM_FALLBACK" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test ! -z "$LOGIN_PROGRAM_FALLBACK" ; then + cat >>confdefs.h <<_ACEOF +#define LOGIN_PROGRAM_FALLBACK "$LOGIN_PROGRAM_FALLBACK" +_ACEOF + + fi +fi + +# Extract the first word of "passwd", so it can be a program name with args. +set dummy passwd; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PATH_PASSWD_PROG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PATH_PASSWD_PROG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PATH_PASSWD_PROG="$PATH_PASSWD_PROG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_PATH_PASSWD_PROG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PATH_PASSWD_PROG=$ac_cv_path_PATH_PASSWD_PROG +if test -n "$PATH_PASSWD_PROG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PATH_PASSWD_PROG" >&5 +$as_echo "$PATH_PASSWD_PROG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +if test ! -z "$PATH_PASSWD_PROG" ; then + +cat >>confdefs.h <<_ACEOF +#define _PATH_PASSWD_PROG "$PATH_PASSWD_PROG" +_ACEOF + +fi + +if test -z "$LD" ; then + LD=$CC +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 +$as_echo_n "checking for inline... " >&6; } +if ${ac_cv_c_inline+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_c_inline=no +for ac_kw in inline __inline__ __inline; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifndef __cplusplus +typedef int foo_t; +static $ac_kw foo_t static_foo () {return 0; } +$ac_kw foo_t foo () {return 0; } +#endif + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_inline=$ac_kw +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + test "$ac_cv_c_inline" != no && break +done + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 +$as_echo "$ac_cv_c_inline" >&6; } + +case $ac_cv_c_inline in + inline | yes) ;; + *) + case $ac_cv_c_inline in + no) ac_val=;; + *) ac_val=$ac_cv_c_inline;; + esac + cat >>confdefs.h <<_ACEOF +#ifndef __cplusplus +#define inline $ac_val +#endif +_ACEOF + ;; +esac + + +ac_fn_c_check_decl "$LINENO" "LLONG_MAX" "ac_cv_have_decl_LLONG_MAX" "#include +" +if test "x$ac_cv_have_decl_LLONG_MAX" = xyes; then : + have_llong_max=1 +fi + +ac_fn_c_check_decl "$LINENO" "SYSTR_POLICY_KILL" "ac_cv_have_decl_SYSTR_POLICY_KILL" " + #include + #include + #include + +" +if test "x$ac_cv_have_decl_SYSTR_POLICY_KILL" = xyes; then : + have_systr_policy_kill=1 +fi + +ac_fn_c_check_decl "$LINENO" "RLIMIT_NPROC" "ac_cv_have_decl_RLIMIT_NPROC" " + #include + #include + +" +if test "x$ac_cv_have_decl_RLIMIT_NPROC" = xyes; then : + +$as_echo "#define HAVE_RLIMIT_NPROC /**/" >>confdefs.h + +fi + +ac_fn_c_check_decl "$LINENO" "PR_SET_NO_NEW_PRIVS" "ac_cv_have_decl_PR_SET_NO_NEW_PRIVS" " + #include + #include + +" +if test "x$ac_cv_have_decl_PR_SET_NO_NEW_PRIVS" = xyes; then : + have_linux_no_new_privs=1 +fi + + +use_stack_protector=1 +use_toolchain_hardening=1 + +# Check whether --with-stackprotect was given. +if test "${with_stackprotect+set}" = set; then : + withval=$with_stackprotect; + if test "x$withval" = "xno"; then + use_stack_protector=0 + fi +fi + + +# Check whether --with-hardening was given. +if test "${with_hardening+set}" = set; then : + withval=$with_hardening; + if test "x$withval" = "xno"; then + use_toolchain_hardening=0 + fi +fi + + +# We use -Werror for the tests only so that we catch warnings like "this is +# on by default" for things like -fPIE. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Werror" >&5 +$as_echo_n "checking if $CC supports -Werror... " >&6; } +saved_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS -Werror" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int main(void) { return 0; } +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + WERROR="-Werror" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + WERROR="" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +CFLAGS="$saved_CFLAGS" + +if test "$GCC" = "yes" || test "$GCC" = "egcs"; then + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Qunused-arguments" >&5 +$as_echo_n "checking if $CC supports compile flag -Qunused-arguments... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Qunused-arguments" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Qunused-arguments" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wunknown-warning-option" >&5 +$as_echo_n "checking if $CC supports compile flag -Wunknown-warning-option... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wunknown-warning-option" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wunknown-warning-option" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wall" >&5 +$as_echo_n "checking if $CC supports compile flag -Wall... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wall" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wall" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wpointer-arith" >&5 +$as_echo_n "checking if $CC supports compile flag -Wpointer-arith... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wpointer-arith" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wpointer-arith" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wuninitialized" >&5 +$as_echo_n "checking if $CC supports compile flag -Wuninitialized... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wuninitialized" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wuninitialized" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wsign-compare" >&5 +$as_echo_n "checking if $CC supports compile flag -Wsign-compare... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wsign-compare" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wsign-compare" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wformat-security" >&5 +$as_echo_n "checking if $CC supports compile flag -Wformat-security... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wformat-security" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wformat-security" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wsizeof-pointer-memaccess" >&5 +$as_echo_n "checking if $CC supports compile flag -Wsizeof-pointer-memaccess... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wsizeof-pointer-memaccess" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wsizeof-pointer-memaccess" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wpointer-sign" >&5 +$as_echo_n "checking if $CC supports compile flag -Wpointer-sign... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wpointer-sign" + _define_flag="-Wno-pointer-sign" + test "x$_define_flag" = "x" && _define_flag="-Wpointer-sign" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wunused-result" >&5 +$as_echo_n "checking if $CC supports compile flag -Wunused-result... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wunused-result" + _define_flag="-Wno-unused-result" + test "x$_define_flag" = "x" && _define_flag="-Wunused-result" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -fno-strict-aliasing" >&5 +$as_echo_n "checking if $CC supports compile flag -fno-strict-aliasing... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -fno-strict-aliasing" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-fno-strict-aliasing" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -D_FORTIFY_SOURCE=2" >&5 +$as_echo_n "checking if $CC supports compile flag -D_FORTIFY_SOURCE=2... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -D_FORTIFY_SOURCE=2" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-D_FORTIFY_SOURCE=2" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + if test "x$use_toolchain_hardening" = "x1"; then + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,relro" >&5 +$as_echo_n "checking if $LD supports link flag -Wl,-z,relro... " >&6; } + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR -Wl,-z,relro" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wl,-z,relro" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="$saved_LDFLAGS $_define_flag" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LDFLAGS="$saved_LDFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,now" >&5 +$as_echo_n "checking if $LD supports link flag -Wl,-z,now... " >&6; } + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR -Wl,-z,now" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wl,-z,now" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="$saved_LDFLAGS $_define_flag" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LDFLAGS="$saved_LDFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,noexecstack" >&5 +$as_echo_n "checking if $LD supports link flag -Wl,-z,noexecstack... " >&6; } + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR -Wl,-z,noexecstack" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wl,-z,noexecstack" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="$saved_LDFLAGS $_define_flag" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LDFLAGS="$saved_LDFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + # NB. -ftrapv expects certain support functions to be present in + # the compiler library (libgcc or similar) to detect integer operations + # that can overflow. We must check that the result of enabling it + # actually links. The test program compiled/linked includes a number + # of integer operations that should exercise this. + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -ftrapv and linking succeeds" >&5 +$as_echo_n "checking if $CC supports compile flag -ftrapv and linking succeeds... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -ftrapv" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-ftrapv" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking gcc version" >&5 +$as_echo_n "checking gcc version... " >&6; } + GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` + case $GCC_VER in + 1.*) no_attrib_nonnull=1 ;; + 2.8* | 2.9*) + no_attrib_nonnull=1 + ;; + 2.*) no_attrib_nonnull=1 ;; + *) ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GCC_VER" >&5 +$as_echo "$GCC_VER" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC accepts -fno-builtin-memset" >&5 +$as_echo_n "checking if $CC accepts -fno-builtin-memset... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fno-builtin-memset" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + char b[10]; memset(b, 0, sizeof(b)); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + # -fstack-protector-all doesn't always work for some GCC versions + # and/or platforms, so we test if we can. If it's not supported + # on a given platform gcc will emit a warning so we use -Werror. + if test "x$use_stack_protector" = "x1"; then + for t in -fstack-protector-strong -fstack-protector-all \ + -fstack-protector; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports $t" >&5 +$as_echo_n "checking if $CC supports $t... " >&6; } + saved_CFLAGS="$CFLAGS" + saved_LDFLAGS="$LDFLAGS" + CFLAGS="$CFLAGS $t -Werror" + LDFLAGS="$LDFLAGS $t -Werror" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + + char x[256]; + snprintf(x, sizeof(x), "XXX"); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $t" + LDFLAGS="$saved_LDFLAGS $t" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $t works" >&5 +$as_echo_n "checking if $t works... " >&6; } + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: cannot test" >&5 +$as_echo "$as_me: WARNING: cross compiling: cannot test" >&2;} + break + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + + char x[256]; + snprintf(x, sizeof(x), "XXX"); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CFLAGS="$saved_CFLAGS" + LDFLAGS="$saved_LDFLAGS" + done + fi + + if test -z "$have_llong_max"; then + # retry LLONG_MAX with -std=gnu99, needed on some Linuxes + unset ac_cv_have_decl_LLONG_MAX + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -std=gnu99" + ac_fn_c_check_decl "$LINENO" "LLONG_MAX" "ac_cv_have_decl_LLONG_MAX" "#include + +" +if test "x$ac_cv_have_decl_LLONG_MAX" = xyes; then : + have_llong_max=1 +else + CFLAGS="$saved_CFLAGS" +fi + + fi +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler allows __attribute__ on return types" >&5 +$as_echo_n "checking if compiler allows __attribute__ on return types... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +__attribute__((__unused__)) static void foo(void){return;} +int +main () +{ + exit(0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +$as_echo "#define NO_ATTRIBUTE_ON_RETURN_TYPE 1" >>confdefs.h + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +if test "x$no_attrib_nonnull" != "x1" ; then + +$as_echo "#define HAVE_ATTRIBUTE__NONNULL__ 1" >>confdefs.h + +fi + + +# Check whether --with-rpath was given. +if test "${with_rpath+set}" = set; then : + withval=$with_rpath; + if test "x$withval" = "xno" ; then + need_dash_r="" + fi + if test "x$withval" = "xyes" ; then + need_dash_r=1 + fi + + +fi + + +# Allow user to specify flags + +# Check whether --with-cflags was given. +if test "${with_cflags+set}" = set; then : + withval=$with_cflags; + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + CFLAGS="$CFLAGS $withval" + fi + + +fi + + +# Check whether --with-cppflags was given. +if test "${with_cppflags+set}" = set; then : + withval=$with_cppflags; + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + CPPFLAGS="$CPPFLAGS $withval" + fi + + +fi + + +# Check whether --with-ldflags was given. +if test "${with_ldflags+set}" = set; then : + withval=$with_ldflags; + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + LDFLAGS="$LDFLAGS $withval" + fi + + +fi + + +# Check whether --with-libs was given. +if test "${with_libs+set}" = set; then : + withval=$with_libs; + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + LIBS="$LIBS $withval" + fi + + +fi + + +# Check whether --with-Werror was given. +if test "${with_Werror+set}" = set; then : + withval=$with_Werror; + if test -n "$withval" && test "x$withval" != "xno"; then + werror_flags="-Werror" + if test "x${withval}" != "xyes"; then + werror_flags="$withval" + fi + fi + + +fi + + +for ac_header in \ + blf.h \ + bstring.h \ + crypt.h \ + crypto/sha2.h \ + dirent.h \ + endian.h \ + elf.h \ + features.h \ + fcntl.h \ + floatingpoint.h \ + getopt.h \ + glob.h \ + ia.h \ + iaf.h \ + inttypes.h \ + limits.h \ + locale.h \ + login.h \ + maillock.h \ + ndir.h \ + net/if_tun.h \ + netdb.h \ + netgroup.h \ + pam/pam_appl.h \ + paths.h \ + poll.h \ + pty.h \ + readpassphrase.h \ + rpc/types.h \ + security/pam_appl.h \ + sha2.h \ + shadow.h \ + stddef.h \ + stdint.h \ + string.h \ + strings.h \ + sys/audit.h \ + sys/bitypes.h \ + sys/bsdtty.h \ + sys/capability.h \ + sys/cdefs.h \ + sys/dir.h \ + sys/mman.h \ + sys/ndir.h \ + sys/poll.h \ + sys/prctl.h \ + sys/pstat.h \ + sys/select.h \ + sys/stat.h \ + sys/stream.h \ + sys/stropts.h \ + sys/strtio.h \ + sys/statvfs.h \ + sys/sysmacros.h \ + sys/time.h \ + sys/timers.h \ + time.h \ + tmpdir.h \ + ttyent.h \ + ucred.h \ + unistd.h \ + usersec.h \ + util.h \ + utime.h \ + utmp.h \ + utmpx.h \ + vis.h \ + +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + +# lastlog.h requires sys/time.h to be included first on Solaris +for ac_header in lastlog.h +do : + ac_fn_c_check_header_compile "$LINENO" "lastlog.h" "ac_cv_header_lastlog_h" " +#ifdef HAVE_SYS_TIME_H +# include +#endif + +" +if test "x$ac_cv_header_lastlog_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LASTLOG_H 1 +_ACEOF + +fi + +done + + +# sys/ptms.h requires sys/stream.h to be included first on Solaris +for ac_header in sys/ptms.h +do : + ac_fn_c_check_header_compile "$LINENO" "sys/ptms.h" "ac_cv_header_sys_ptms_h" " +#ifdef HAVE_SYS_STREAM_H +# include +#endif + +" +if test "x$ac_cv_header_sys_ptms_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SYS_PTMS_H 1 +_ACEOF + +fi + +done + + +# login_cap.h requires sys/types.h on NetBSD +for ac_header in login_cap.h +do : + ac_fn_c_check_header_compile "$LINENO" "login_cap.h" "ac_cv_header_login_cap_h" " +#include + +" +if test "x$ac_cv_header_login_cap_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LOGIN_CAP_H 1 +_ACEOF + +fi + +done + + +# older BSDs need sys/param.h before sys/mount.h +for ac_header in sys/mount.h +do : + ac_fn_c_check_header_compile "$LINENO" "sys/mount.h" "ac_cv_header_sys_mount_h" " +#include + +" +if test "x$ac_cv_header_sys_mount_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SYS_MOUNT_H 1 +_ACEOF + +fi + +done + + +# Android requires sys/socket.h to be included before sys/un.h +for ac_header in sys/un.h +do : + ac_fn_c_check_header_compile "$LINENO" "sys/un.h" "ac_cv_header_sys_un_h" " +#include +#include + +" +if test "x$ac_cv_header_sys_un_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SYS_UN_H 1 +_ACEOF + +fi + +done + + +# Messages for features tested for in target-specific section +SIA_MSG="no" +SPC_MSG="no" +SP_MSG="no" + +# Check for some target-specific stuff +case "$host" in +*-*-aix*) + # Some versions of VAC won't allow macro redefinitions at + # -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that + # particularly with older versions of vac or xlc. + # It also throws errors about null macro argments, but these are + # not fatal. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler allows macro redefinitions" >&5 +$as_echo_n "checking if compiler allows macro redefinitions... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#define testmacro foo +#define testmacro bar +int +main () +{ + exit(0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`" + LD="`echo $LD | sed 's/-qlanglvl\=ansi//g'`" + CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`" + CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`" + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to specify blibpath for linker ($LD)" >&5 +$as_echo_n "checking how to specify blibpath for linker ($LD)... " >&6; } + if (test -z "$blibpath"); then + blibpath="/usr/lib:/lib" + fi + saved_LDFLAGS="$LDFLAGS" + if test "$GCC" = "yes"; then + flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:" + else + flags="-blibpath: -Wl,-blibpath: -Wl,-rpath," + fi + for tryflags in $flags ;do + if (test -z "$blibflags"); then + LDFLAGS="$saved_LDFLAGS $tryflags$blibpath" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + blibflags=$tryflags +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + fi + done + if (test -z "$blibflags"); then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 +$as_echo "not found" >&6; } + as_fn_error $? "*** must be able to specify blibpath on AIX - check config.log" "$LINENO" 5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $blibflags" >&5 +$as_echo "$blibflags" >&6; } + fi + LDFLAGS="$saved_LDFLAGS" + ac_fn_c_check_func "$LINENO" "authenticate" "ac_cv_func_authenticate" +if test "x$ac_cv_func_authenticate" = xyes; then : + +$as_echo "#define WITH_AIXAUTHENTICATE 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for authenticate in -ls" >&5 +$as_echo_n "checking for authenticate in -ls... " >&6; } +if ${ac_cv_lib_s_authenticate+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ls $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char authenticate (); +int +main () +{ +return authenticate (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_s_authenticate=yes +else + ac_cv_lib_s_authenticate=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_s_authenticate" >&5 +$as_echo "$ac_cv_lib_s_authenticate" >&6; } +if test "x$ac_cv_lib_s_authenticate" = xyes; then : + $as_echo "#define WITH_AIXAUTHENTICATE 1" >>confdefs.h + + LIBS="$LIBS -ls" + +fi + + +fi + + ac_fn_c_check_decl "$LINENO" "authenticate" "ac_cv_have_decl_authenticate" "#include +" +if test "x$ac_cv_have_decl_authenticate" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_AUTHENTICATE $ac_have_decl +_ACEOF +ac_fn_c_check_decl "$LINENO" "loginrestrictions" "ac_cv_have_decl_loginrestrictions" "#include +" +if test "x$ac_cv_have_decl_loginrestrictions" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_LOGINRESTRICTIONS $ac_have_decl +_ACEOF +ac_fn_c_check_decl "$LINENO" "loginsuccess" "ac_cv_have_decl_loginsuccess" "#include +" +if test "x$ac_cv_have_decl_loginsuccess" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_LOGINSUCCESS $ac_have_decl +_ACEOF +ac_fn_c_check_decl "$LINENO" "passwdexpired" "ac_cv_have_decl_passwdexpired" "#include +" +if test "x$ac_cv_have_decl_passwdexpired" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_PASSWDEXPIRED $ac_have_decl +_ACEOF +ac_fn_c_check_decl "$LINENO" "setauthdb" "ac_cv_have_decl_setauthdb" "#include +" +if test "x$ac_cv_have_decl_setauthdb" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_SETAUTHDB $ac_have_decl +_ACEOF + + ac_fn_c_check_decl "$LINENO" "loginfailed" "ac_cv_have_decl_loginfailed" "#include + +" +if test "x$ac_cv_have_decl_loginfailed" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_LOGINFAILED $ac_have_decl +_ACEOF +if test $ac_have_decl = 1; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if loginfailed takes 4 arguments" >&5 +$as_echo_n "checking if loginfailed takes 4 arguments... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + (void)loginfailed("user","host","tty",0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define AIX_LOGINFAILED_4ARG 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + + for ac_func in getgrset setauthdb +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + ac_fn_c_check_decl "$LINENO" "F_CLOSEM" "ac_cv_have_decl_F_CLOSEM" " #include + #include + +" +if test "x$ac_cv_have_decl_F_CLOSEM" = xyes; then : + +$as_echo "#define HAVE_FCNTL_CLOSEM 1" >>confdefs.h + +fi + + check_for_aix_broken_getaddrinfo=1 + +$as_echo "#define BROKEN_REALPATH 1" >>confdefs.h + + +$as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + +$as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + +$as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + +$as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h + + +$as_echo "#define LOGIN_NEEDS_UTMPX 1" >>confdefs.h + + +$as_echo "#define SPT_TYPE SPT_REUSEARGV" >>confdefs.h + + +$as_echo "#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1" >>confdefs.h + + +$as_echo "#define PTY_ZEROREAD 1" >>confdefs.h + + +$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h + + ;; +*-*-android*) + +$as_echo "#define DISABLE_UTMP 1" >>confdefs.h + + +$as_echo "#define DISABLE_WTMP 1" >>confdefs.h + + ;; +*-*-cygwin*) + check_for_libcrypt_later=1 + LIBS="$LIBS /usr/lib/textreadmode.o" + +$as_echo "#define HAVE_CYGWIN 1" >>confdefs.h + + +$as_echo "#define USE_PIPES 1" >>confdefs.h + + +$as_echo "#define DISABLE_SHADOW 1" >>confdefs.h + + +$as_echo "#define NO_X11_UNIX_SOCKETS 1" >>confdefs.h + + +$as_echo "#define NO_IPPORT_RESERVED_CONCEPT 1" >>confdefs.h + + +$as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h + + +$as_echo "#define SSH_IOBUFSZ 65535" >>confdefs.h + + +$as_echo "#define FILESYSTEM_NO_BACKSLASH 1" >>confdefs.h + + # Cygwin defines optargs, optargs as declspec(dllimport) for historical + # reasons which cause compile warnings, so we disable those warnings. + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wno-attributes" >&5 +$as_echo_n "checking if $CC supports compile flag -Wno-attributes... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wno-attributes" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wno-attributes" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + ;; +*-*-dgux*) + +$as_echo "#define IP_TOS_IS_BROKEN 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + ;; +*-*-darwin*) + use_pie=auto + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have working getaddrinfo" >&5 +$as_echo_n "checking if we have working getaddrinfo... " >&6; } + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: assume it is working" >&5 +$as_echo "assume it is working" >&6; } +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + exit(0); + else + exit(1); +} + +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: working" >&5 +$as_echo "working" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: buggy" >&5 +$as_echo "buggy" >&6; } + +$as_echo "#define BROKEN_GETADDRINFO 1" >>confdefs.h + + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + +$as_echo "#define BROKEN_GLOB 1" >>confdefs.h + + +cat >>confdefs.h <<_ACEOF +#define BIND_8_COMPAT 1 +_ACEOF + + +$as_echo "#define SSH_TUN_FREEBSD 1" >>confdefs.h + + +$as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h + + +$as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h + + + ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" +if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : + +else + +$as_echo "#define AU_IPv4 0" >>confdefs.h + + #include + +$as_echo "#define LASTLOG_WRITE_PUTUTXLINE 1" >>confdefs.h + + +fi + + +$as_echo "#define SPT_TYPE SPT_REUSEARGV" >>confdefs.h + + for ac_func in sandbox_init +do : + ac_fn_c_check_func "$LINENO" "sandbox_init" "ac_cv_func_sandbox_init" +if test "x$ac_cv_func_sandbox_init" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SANDBOX_INIT 1 +_ACEOF + +fi +done + + for ac_header in sandbox.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "sandbox.h" "ac_cv_header_sandbox_h" "$ac_includes_default" +if test "x$ac_cv_header_sandbox_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SANDBOX_H 1 +_ACEOF + +fi + +done + + ;; +*-*-dragonfly*) + SSHDLIBS="$SSHDLIBS -lcrypt" + TEST_MALLOC_OPTIONS="AFGJPRX" + ;; +*-*-haiku*) + LIBS="$LIBS -lbsd " + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lnetwork" >&5 +$as_echo_n "checking for socket in -lnetwork... " >&6; } +if ${ac_cv_lib_network_socket+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnetwork $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char socket (); +int +main () +{ +return socket (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_network_socket=yes +else + ac_cv_lib_network_socket=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_network_socket" >&5 +$as_echo "$ac_cv_lib_network_socket" >&6; } +if test "x$ac_cv_lib_network_socket" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNETWORK 1 +_ACEOF + + LIBS="-lnetwork $LIBS" + +fi + + $as_echo "#define HAVE_U_INT64_T 1" >>confdefs.h + + MANTYPE=man + ;; +*-*-hpux*) + # first we define all of the options common to all HP-UX releases + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" + IPADDR_IN_DISPLAY=yes + $as_echo "#define USE_PIPES 1" >>confdefs.h + + +$as_echo "#define LOGIN_NO_ENDOPT 1" >>confdefs.h + + $as_echo "#define LOGIN_NEEDS_UTMPX 1" >>confdefs.h + + +$as_echo "#define LOCKED_PASSWD_STRING \"*\"" >>confdefs.h + + $as_echo "#define SPT_TYPE SPT_PSTAT" >>confdefs.h + + +$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h + + maildir="/var/mail" + LIBS="$LIBS -lsec" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for t_error in -lxnet" >&5 +$as_echo_n "checking for t_error in -lxnet... " >&6; } +if ${ac_cv_lib_xnet_t_error+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lxnet $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char t_error (); +int +main () +{ +return t_error (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_xnet_t_error=yes +else + ac_cv_lib_xnet_t_error=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_xnet_t_error" >&5 +$as_echo "$ac_cv_lib_xnet_t_error" >&6; } +if test "x$ac_cv_lib_xnet_t_error" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBXNET 1 +_ACEOF + + LIBS="-lxnet $LIBS" + +else + as_fn_error $? "*** -lxnet needed on HP-UX - check config.log ***" "$LINENO" 5 +fi + + + # next, we define all of the options specific to major releases + case "$host" in + *-*-hpux10*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + ;; + *-*-hpux11*) + +$as_echo "#define PAM_SUN_CODEBASE 1" >>confdefs.h + + +$as_echo "#define DISABLE_UTMP 1" >>confdefs.h + + +$as_echo "#define USE_BTMP 1" >>confdefs.h + + check_for_hpux_broken_getaddrinfo=1 + check_for_conflicting_getspnam=1 + ;; + esac + + # lastly, we define options specific to minor releases + case "$host" in + *-*-hpux10.26) + +$as_echo "#define HAVE_SECUREWARE 1" >>confdefs.h + + disable_ptmx_check=yes + LIBS="$LIBS -lsecpw" + ;; + esac + ;; +*-*-irix5*) + PATH="$PATH:/usr/etc" + +$as_echo "#define BROKEN_INET_NTOA 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + +$as_echo "#define WITH_ABBREV_NO_TTY 1" >>confdefs.h + + $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h + + ;; +*-*-irix6*) + PATH="$PATH:/usr/etc" + +$as_echo "#define WITH_IRIX_ARRAY 1" >>confdefs.h + + +$as_echo "#define WITH_IRIX_PROJECT 1" >>confdefs.h + + +$as_echo "#define WITH_IRIX_AUDIT 1" >>confdefs.h + + ac_fn_c_check_func "$LINENO" "jlimit_startjob" "ac_cv_func_jlimit_startjob" +if test "x$ac_cv_func_jlimit_startjob" = xyes; then : + +$as_echo "#define WITH_IRIX_JOBS 1" >>confdefs.h + +fi + + $as_echo "#define BROKEN_INET_NTOA 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + +$as_echo "#define BROKEN_UPDWTMPX 1" >>confdefs.h + + $as_echo "#define WITH_ABBREV_NO_TTY 1" >>confdefs.h + + $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h + + ;; +*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu) + check_for_libcrypt_later=1 + $as_echo "#define PAM_TTY_KLUDGE 1" >>confdefs.h + + $as_echo "#define LOCKED_PASSWD_PREFIX \"!\"" >>confdefs.h + + $as_echo "#define SPT_TYPE SPT_REUSEARGV" >>confdefs.h + + +$as_echo "#define _PATH_BTMP \"/var/log/btmp\"" >>confdefs.h + + +$as_echo "#define USE_BTMP 1" >>confdefs.h + + ;; +*-*-linux*) + no_dev_ptmx=1 + use_pie=auto + check_for_libcrypt_later=1 + check_for_openpty_ctty_bug=1 + +$as_echo "#define PAM_TTY_KLUDGE 1" >>confdefs.h + + +$as_echo "#define LOCKED_PASSWD_PREFIX \"!\"" >>confdefs.h + + $as_echo "#define SPT_TYPE SPT_REUSEARGV" >>confdefs.h + + +$as_echo "#define LINK_OPNOTSUPP_ERRNO EPERM" >>confdefs.h + + +$as_echo "#define _PATH_BTMP \"/var/log/btmp\"" >>confdefs.h + + $as_echo "#define USE_BTMP 1" >>confdefs.h + + +$as_echo "#define LINUX_OOM_ADJUST 1" >>confdefs.h + + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) + +$as_echo "#define BROKEN_CMSG_TYPE 1" >>confdefs.h + + ;; + esac + # tun(4) forwarding compat code + for ac_header in linux/if_tun.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "linux/if_tun.h" "ac_cv_header_linux_if_tun_h" "$ac_includes_default" +if test "x$ac_cv_header_linux_if_tun_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LINUX_IF_TUN_H 1 +_ACEOF + +fi + +done + + if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then + +$as_echo "#define SSH_TUN_LINUX 1" >>confdefs.h + + +$as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h + + +$as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h + + fi + for ac_header in linux/seccomp.h linux/filter.h linux/audit.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include +" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + for ac_func in prctl +do : + ac_fn_c_check_func "$LINENO" "prctl" "ac_cv_func_prctl" +if test "x$ac_cv_func_prctl" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_PRCTL 1 +_ACEOF + +fi +done + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp architecture" >&5 +$as_echo_n "checking for seccomp architecture... " >&6; } + seccomp_audit_arch= + case "$host" in + x86_64-*) + seccomp_audit_arch=AUDIT_ARCH_X86_64 + ;; + i*86-*) + seccomp_audit_arch=AUDIT_ARCH_I386 + ;; + arm*-*) + seccomp_audit_arch=AUDIT_ARCH_ARM + ;; + esac + if test "x$seccomp_audit_arch" != "x" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$seccomp_audit_arch\"" >&5 +$as_echo "\"$seccomp_audit_arch\"" >&6; } + +cat >>confdefs.h <<_ACEOF +#define SECCOMP_AUDIT_ARCH $seccomp_audit_arch +_ACEOF + + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: architecture not supported" >&5 +$as_echo "architecture not supported" >&6; } + fi + ;; +mips-sony-bsd|mips-sony-newsos4) + +$as_echo "#define NEED_SETPGRP 1" >>confdefs.h + + SONY=1 + ;; +*-*-netbsd*) + check_for_libcrypt_before=1 + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi + +$as_echo "#define SSH_TUN_FREEBSD 1" >>confdefs.h + + ac_fn_c_check_header_mongrel "$LINENO" "net/if_tap.h" "ac_cv_header_net_if_tap_h" "$ac_includes_default" +if test "x$ac_cv_header_net_if_tap_h" = xyes; then : + +else + +$as_echo "#define SSH_TUN_NO_L2 1" >>confdefs.h + +fi + + + +$as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h + + TEST_MALLOC_OPTIONS="AJRX" + +$as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h + + +$as_echo "#define BROKEN_READ_COMPARISON 1" >>confdefs.h + + ;; +*-*-freebsd*) + check_for_libcrypt_later=1 + +$as_echo "#define LOCKED_PASSWD_PREFIX \"*LOCKED*\"" >>confdefs.h + + +$as_echo "#define SSH_TUN_FREEBSD 1" >>confdefs.h + + ac_fn_c_check_header_mongrel "$LINENO" "net/if_tap.h" "ac_cv_header_net_if_tap_h" "$ac_includes_default" +if test "x$ac_cv_header_net_if_tap_h" = xyes; then : + +else + +$as_echo "#define SSH_TUN_NO_L2 1" >>confdefs.h + +fi + + + +$as_echo "#define BROKEN_GLOB 1" >>confdefs.h + + +$as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h + + TEST_MALLOC_OPTIONS="AJRX" + # Preauth crypto occasionally uses file descriptors for crypto offload + # and will crash if they cannot be opened. + +$as_echo "#define SANDBOX_SKIP_RLIMIT_NOFILE 1" >>confdefs.h + + ;; +*-*-bsdi*) + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + ;; +*-next-*) + conf_lastlog_location="/usr/adm/lastlog" + conf_utmp_location=/etc/utmp + conf_wtmp_location=/usr/adm/wtmp + maildir=/usr/spool/mail + +$as_echo "#define HAVE_NEXT 1" >>confdefs.h + + $as_echo "#define BROKEN_REALPATH 1" >>confdefs.h + + $as_echo "#define USE_PIPES 1" >>confdefs.h + + +$as_echo "#define BROKEN_SAVED_UIDS 1" >>confdefs.h + + ;; +*-*-openbsd*) + use_pie=auto + +$as_echo "#define HAVE_ATTRIBUTE__SENTINEL__ 1" >>confdefs.h + + +$as_echo "#define HAVE_ATTRIBUTE__BOUNDED__ 1" >>confdefs.h + + +$as_echo "#define SSH_TUN_OPENBSD 1" >>confdefs.h + + +$as_echo "#define SYSLOG_R_SAFE_IN_SIGHAND 1" >>confdefs.h + + TEST_MALLOC_OPTIONS="AFGJPRX" + ;; +*-*-solaris*) + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi + $as_echo "#define PAM_SUN_CODEBASE 1" >>confdefs.h + + $as_echo "#define LOGIN_NEEDS_UTMPX 1" >>confdefs.h + + +$as_echo "#define LOGIN_NEEDS_TERM 1" >>confdefs.h + + $as_echo "#define PAM_TTY_KLUDGE 1" >>confdefs.h + + +$as_echo "#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1" >>confdefs.h + + $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h + + # Pushing STREAMS modules will cause sshd to acquire a controlling tty. + +$as_echo "#define SSHD_ACQUIRES_CTTY 1" >>confdefs.h + + +$as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h + + +$as_echo "#define BROKEN_TCGETATTR_ICANON 1" >>confdefs.h + + external_path_file=/etc/default/login + # hardwire lastlog location (can't detect it on some versions) + conf_lastlog_location="/var/adm/lastlog" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for obsolete utmp and wtmp in solaris2.x" >&5 +$as_echo_n "checking for obsolete utmp and wtmp in solaris2.x... " >&6; } + sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'` + if test "$sol2ver" -ge 8; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + $as_echo "#define DISABLE_UTMP 1" >>confdefs.h + + +$as_echo "#define DISABLE_WTMP 1" >>confdefs.h + + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + +# Check whether --with-solaris-contracts was given. +if test "${with_solaris_contracts+set}" = set; then : + withval=$with_solaris_contracts; + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ct_tmpl_activate in -lcontract" >&5 +$as_echo_n "checking for ct_tmpl_activate in -lcontract... " >&6; } +if ${ac_cv_lib_contract_ct_tmpl_activate+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcontract $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ct_tmpl_activate (); +int +main () +{ +return ct_tmpl_activate (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_contract_ct_tmpl_activate=yes +else + ac_cv_lib_contract_ct_tmpl_activate=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_contract_ct_tmpl_activate" >&5 +$as_echo "$ac_cv_lib_contract_ct_tmpl_activate" >&6; } +if test "x$ac_cv_lib_contract_ct_tmpl_activate" = xyes; then : + +$as_echo "#define USE_SOLARIS_PROCESS_CONTRACTS 1" >>confdefs.h + + SSHDLIBS="$SSHDLIBS -lcontract" + SPC_MSG="yes" +fi + + +fi + + +# Check whether --with-solaris-projects was given. +if test "${with_solaris_projects+set}" = set; then : + withval=$with_solaris_projects; + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for setproject in -lproject" >&5 +$as_echo_n "checking for setproject in -lproject... " >&6; } +if ${ac_cv_lib_project_setproject+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lproject $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char setproject (); +int +main () +{ +return setproject (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_project_setproject=yes +else + ac_cv_lib_project_setproject=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_project_setproject" >&5 +$as_echo "$ac_cv_lib_project_setproject" >&6; } +if test "x$ac_cv_lib_project_setproject" = xyes; then : + +$as_echo "#define USE_SOLARIS_PROJECTS 1" >>confdefs.h + + SSHDLIBS="$SSHDLIBS -lproject" + SP_MSG="yes" +fi + + +fi + + TEST_SHELL=$SHELL # let configure find us a capable shell + ;; +*-*-sunos4*) + CPPFLAGS="$CPPFLAGS -DSUNOS4" + for ac_func in getpwanam +do : + ac_fn_c_check_func "$LINENO" "getpwanam" "ac_cv_func_getpwanam" +if test "x$ac_cv_func_getpwanam" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_GETPWANAM 1 +_ACEOF + +fi +done + + $as_echo "#define PAM_SUN_CODEBASE 1" >>confdefs.h + + conf_utmp_location=/etc/utmp + conf_wtmp_location=/var/adm/wtmp + conf_lastlog_location=/var/adm/lastlog + $as_echo "#define USE_PIPES 1" >>confdefs.h + + ;; +*-ncr-sysv*) + LIBS="$LIBS -lc89" + $as_echo "#define USE_PIPES 1" >>confdefs.h + + $as_echo "#define SSHD_ACQUIRES_CTTY 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + ;; +*-sni-sysv*) + # /usr/ucblib MUST NOT be searched on ReliantUNIX + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlsym in -ldl" >&5 +$as_echo_n "checking for dlsym in -ldl... " >&6; } +if ${ac_cv_lib_dl_dlsym+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlsym (); +int +main () +{ +return dlsym (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_dl_dlsym=yes +else + ac_cv_lib_dl_dlsym=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlsym" >&5 +$as_echo "$ac_cv_lib_dl_dlsym" >&6; } +if test "x$ac_cv_lib_dl_dlsym" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBDL 1 +_ACEOF + + LIBS="-ldl $LIBS" + +fi + + # -lresolv needs to be at the end of LIBS or DNS lookups break + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for res_query in -lresolv" >&5 +$as_echo_n "checking for res_query in -lresolv... " >&6; } +if ${ac_cv_lib_resolv_res_query+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lresolv $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char res_query (); +int +main () +{ +return res_query (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_resolv_res_query=yes +else + ac_cv_lib_resolv_res_query=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_res_query" >&5 +$as_echo "$ac_cv_lib_resolv_res_query" >&6; } +if test "x$ac_cv_lib_resolv_res_query" = xyes; then : + LIBS="$LIBS -lresolv" +fi + + IPADDR_IN_DISPLAY=yes + $as_echo "#define USE_PIPES 1" >>confdefs.h + + $as_echo "#define IP_TOS_IS_BROKEN 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + $as_echo "#define SSHD_ACQUIRES_CTTY 1" >>confdefs.h + + external_path_file=/etc/default/login + # /usr/ucblib/libucb.a no longer needed on ReliantUNIX + # Attention: always take care to bind libsocket and libnsl before libc, + # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog + ;; +# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. +*-*-sysv4.2*) + $as_echo "#define USE_PIPES 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + +$as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h + + $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h + + TEST_SHELL=$SHELL # let configure find us a capable shell + ;; +# UnixWare 7.x, OpenUNIX 8 +*-*-sysv5*) + CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf" + +$as_echo "#define UNIXWARE_LONG_PASSWORDS 1" >>confdefs.h + + $as_echo "#define USE_PIPES 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_GETADDRINFO 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + $as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h + + TEST_SHELL=$SHELL # let configure find us a capable shell + case "$host" in + *-*-sysv5SCO_SV*) # SCO OpenServer 6.x + maildir=/var/spool/mail + +$as_echo "#define BROKEN_LIBIAF 1" >>confdefs.h + + $as_echo "#define BROKEN_UPDWTMPX 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for getluid in -lprot" >&5 +$as_echo_n "checking for getluid in -lprot... " >&6; } +if ${ac_cv_lib_prot_getluid+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lprot $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char getluid (); +int +main () +{ +return getluid (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_prot_getluid=yes +else + ac_cv_lib_prot_getluid=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_prot_getluid" >&5 +$as_echo "$ac_cv_lib_prot_getluid" >&6; } +if test "x$ac_cv_lib_prot_getluid" = xyes; then : + LIBS="$LIBS -lprot" + for ac_func in getluid setluid +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + $as_echo "#define HAVE_SECUREWARE 1" >>confdefs.h + + $as_echo "#define DISABLE_SHADOW 1" >>confdefs.h + + +fi + + ;; + *) $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h + + check_for_libcrypt_later=1 + ;; + esac + ;; +*-*-sysv*) + ;; +# SCO UNIX and OEM versions of SCO UNIX +*-*-sco3.2v4*) + as_fn_error $? "\"This Platform is no longer supported.\"" "$LINENO" 5 + ;; +# SCO OpenServer 5.x +*-*-sco3.2v5*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -belf" + fi + LIBS="$LIBS -lprot -lx -ltinfo -lm" + no_dev_ptmx=1 + $as_echo "#define USE_PIPES 1" >>confdefs.h + + $as_echo "#define HAVE_SECUREWARE 1" >>confdefs.h + + $as_echo "#define DISABLE_SHADOW 1" >>confdefs.h + + $as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_GETADDRINFO 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + $as_echo "#define WITH_ABBREV_NO_TTY 1" >>confdefs.h + + $as_echo "#define BROKEN_UPDWTMPX 1" >>confdefs.h + + $as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h + + for ac_func in getluid setluid +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + MANTYPE=man + TEST_SHELL=$SHELL # let configure find us a capable shell + SKIP_DISABLE_LASTLOG_DEFINE=yes + ;; +*-*-unicosmk*) + +$as_echo "#define NO_SSH_LASTLOG 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + $as_echo "#define USE_PIPES 1" >>confdefs.h + + $as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h + + LDFLAGS="$LDFLAGS" + LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" + MANTYPE=cat + ;; +*-*-unicosmp*) + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + $as_echo "#define WITH_ABBREV_NO_TTY 1" >>confdefs.h + + $as_echo "#define USE_PIPES 1" >>confdefs.h + + $as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h + + LDFLAGS="$LDFLAGS" + LIBS="$LIBS -lgen -lacid -ldb" + MANTYPE=cat + ;; +*-*-unicos*) + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + $as_echo "#define USE_PIPES 1" >>confdefs.h + + $as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h + + $as_echo "#define NO_SSH_LASTLOG 1" >>confdefs.h + + LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" + LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" + MANTYPE=cat + ;; +*-dec-osf*) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Digital Unix SIA" >&5 +$as_echo_n "checking for Digital Unix SIA... " >&6; } + no_osfsia="" + +# Check whether --with-osfsia was given. +if test "${with_osfsia+set}" = set; then : + withval=$with_osfsia; + if test "x$withval" = "xno" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 +$as_echo "disabled" >&6; } + no_osfsia=1 + fi + +fi + + if test -z "$no_osfsia" ; then + if test -f /etc/sia/matrix.conf; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE_OSF_SIA 1" >>confdefs.h + + +$as_echo "#define DISABLE_LOGIN 1" >>confdefs.h + + $as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h + + LIBS="$LIBS -lsecurity -ldb -lm -laud" + SIA_MSG="yes" + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +$as_echo "#define LOCKED_PASSWD_SUBSTR \"Nologin\"" >>confdefs.h + + fi + fi + $as_echo "#define BROKEN_GETADDRINFO 1" >>confdefs.h + + $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h + + $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h + + +$as_echo "#define BROKEN_READV_COMPARISON 1" >>confdefs.h + + ;; + +*-*-nto-qnx*) + $as_echo "#define USE_PIPES 1" >>confdefs.h + + $as_echo "#define NO_X11_UNIX_SOCKETS 1" >>confdefs.h + + $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h + + $as_echo "#define SSHD_ACQUIRES_CTTY 1" >>confdefs.h + + +$as_echo "#define BROKEN_SHADOW_EXPIRE 1" >>confdefs.h + + enable_etc_default_login=no # has incompatible /etc/default/login + case "$host" in + *-*-nto-qnx6*) + $as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h + + ;; + esac + ;; + +*-*-ultrix*) + +$as_echo "#define BROKEN_GETGROUPS 1" >>confdefs.h + + +$as_echo "#define BROKEN_MMAP 1" >>confdefs.h + + $as_echo "#define NEED_SETPGRP 1" >>confdefs.h + + +$as_echo "#define HAVE_SYS_SYSLOG_H 1" >>confdefs.h + + ;; + +*-*-lynxos) + CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" + +$as_echo "#define BROKEN_SETVBUF 1" >>confdefs.h + + ;; +esac + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5 +$as_echo_n "checking compiler and flags for sanity... " >&6; } +if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking compiler sanity" >&5 +$as_echo "$as_me: WARNING: cross compiling: not checking compiler sanity" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + exit(0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "*** compiler cannot create working executables, check config.log ***" "$LINENO" 5 + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +# Checks for libraries. +ac_fn_c_check_func "$LINENO" "yp_match" "ac_cv_func_yp_match" +if test "x$ac_cv_func_yp_match" = xyes; then : + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for yp_match in -lnsl" >&5 +$as_echo_n "checking for yp_match in -lnsl... " >&6; } +if ${ac_cv_lib_nsl_yp_match+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnsl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char yp_match (); +int +main () +{ +return yp_match (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nsl_yp_match=yes +else + ac_cv_lib_nsl_yp_match=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_yp_match" >&5 +$as_echo "$ac_cv_lib_nsl_yp_match" >&6; } +if test "x$ac_cv_lib_nsl_yp_match" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNSL 1 +_ACEOF + + LIBS="-lnsl $LIBS" + +fi + +fi + +ac_fn_c_check_func "$LINENO" "setsockopt" "ac_cv_func_setsockopt" +if test "x$ac_cv_func_setsockopt" = xyes; then : + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for setsockopt in -lsocket" >&5 +$as_echo_n "checking for setsockopt in -lsocket... " >&6; } +if ${ac_cv_lib_socket_setsockopt+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsocket $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char setsockopt (); +int +main () +{ +return setsockopt (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_socket_setsockopt=yes +else + ac_cv_lib_socket_setsockopt=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_setsockopt" >&5 +$as_echo "$ac_cv_lib_socket_setsockopt" >&6; } +if test "x$ac_cv_lib_socket_setsockopt" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSOCKET 1 +_ACEOF + + LIBS="-lsocket $LIBS" + +fi + +fi + + +for ac_func in dirname +do : + ac_fn_c_check_func "$LINENO" "dirname" "ac_cv_func_dirname" +if test "x$ac_cv_func_dirname" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_DIRNAME 1 +_ACEOF + for ac_header in libgen.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "libgen.h" "ac_cv_header_libgen_h" "$ac_includes_default" +if test "x$ac_cv_header_libgen_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBGEN_H 1 +_ACEOF + +fi + +done + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dirname in -lgen" >&5 +$as_echo_n "checking for dirname in -lgen... " >&6; } +if ${ac_cv_lib_gen_dirname+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lgen $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dirname (); +int +main () +{ +return dirname (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_gen_dirname=yes +else + ac_cv_lib_gen_dirname=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gen_dirname" >&5 +$as_echo "$ac_cv_lib_gen_dirname" >&6; } +if test "x$ac_cv_lib_gen_dirname" = xyes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for broken dirname" >&5 +$as_echo_n "checking for broken dirname... " >&6; } +if ${ac_cv_have_broken_dirname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + save_LIBS="$LIBS" + LIBS="$LIBS -lgen" + if test "$cross_compiling" = yes; then : + ac_cv_have_broken_dirname="no" +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int main(int argc, char **argv) { + char *s, buf[32]; + + strncpy(buf,"/etc", 32); + s = dirname(buf); + if (!s || strncmp(s, "/", 32) != 0) { + exit(1); + } else { + exit(0); + } +} + +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + ac_cv_have_broken_dirname="no" +else + ac_cv_have_broken_dirname="yes" +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + LIBS="$save_LIBS" + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_broken_dirname" >&5 +$as_echo "$ac_cv_have_broken_dirname" >&6; } + if test "x$ac_cv_have_broken_dirname" = "xno" ; then + LIBS="$LIBS -lgen" + $as_echo "#define HAVE_DIRNAME 1" >>confdefs.h + + for ac_header in libgen.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "libgen.h" "ac_cv_header_libgen_h" "$ac_includes_default" +if test "x$ac_cv_header_libgen_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBGEN_H 1 +_ACEOF + +fi + +done + + fi + +fi + + +fi +done + + +ac_fn_c_check_func "$LINENO" "getspnam" "ac_cv_func_getspnam" +if test "x$ac_cv_func_getspnam" = xyes; then : + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for getspnam in -lgen" >&5 +$as_echo_n "checking for getspnam in -lgen... " >&6; } +if ${ac_cv_lib_gen_getspnam+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lgen $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char getspnam (); +int +main () +{ +return getspnam (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_gen_getspnam=yes +else + ac_cv_lib_gen_getspnam=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gen_getspnam" >&5 +$as_echo "$ac_cv_lib_gen_getspnam" >&6; } +if test "x$ac_cv_lib_gen_getspnam" = xyes; then : + LIBS="$LIBS -lgen" +fi + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing basename" >&5 +$as_echo_n "checking for library containing basename... " >&6; } +if ${ac_cv_search_basename+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char basename (); +int +main () +{ +return basename (); + ; + return 0; +} +_ACEOF +for ac_lib in '' gen; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_basename=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_basename+:} false; then : + break +fi +done +if ${ac_cv_search_basename+:} false; then : + +else + ac_cv_search_basename=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_basename" >&5 +$as_echo "$ac_cv_search_basename" >&6; } +ac_res=$ac_cv_search_basename +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define HAVE_BASENAME 1" >>confdefs.h + +fi + + + +# Check whether --with-zlib was given. +if test "${with_zlib+set}" = set; then : + withval=$with_zlib; if test "x$withval" = "xno" ; then + as_fn_error $? "*** zlib is required ***" "$LINENO" 5 + elif test "x$withval" != "xyes"; then + if test -d "$withval/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + +fi + + +ac_fn_c_check_header_mongrel "$LINENO" "zlib.h" "ac_cv_header_zlib_h" "$ac_includes_default" +if test "x$ac_cv_header_zlib_h" = xyes; then : + +else + as_fn_error $? "*** zlib.h missing - please install first or check config.log ***" "$LINENO" 5 +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for deflate in -lz" >&5 +$as_echo_n "checking for deflate in -lz... " >&6; } +if ${ac_cv_lib_z_deflate+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lz $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char deflate (); +int +main () +{ +return deflate (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_z_deflate=yes +else + ac_cv_lib_z_deflate=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_deflate" >&5 +$as_echo "$ac_cv_lib_z_deflate" >&6; } +if test "x$ac_cv_lib_z_deflate" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBZ 1 +_ACEOF + + LIBS="-lz $LIBS" + +else + + saved_CPPFLAGS="$CPPFLAGS" + saved_LDFLAGS="$LDFLAGS" + save_LIBS="$LIBS" + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}" + LIBS="$LIBS -lz" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char deflate (); +int +main () +{ +return deflate (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + $as_echo "#define HAVE_LIBZ 1" >>confdefs.h + +else + + as_fn_error $? "*** zlib missing - please install first or check config.log ***" "$LINENO" 5 + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + +fi + + + +# Check whether --with-zlib-version-check was given. +if test "${with_zlib_version_check+set}" = set; then : + withval=$with_zlib_version_check; if test "x$withval" = "xno" ; then + zlib_check_nonfatal=1 + fi + + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for possibly buggy zlib" >&5 +$as_echo_n "checking for possibly buggy zlib... " >&6; } +if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking zlib version" >&5 +$as_echo "$as_me: WARNING: cross compiling: not checking zlib version" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include + +int +main () +{ + + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); + if (n != 3 && n != 4) + exit(1); + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + + /* 1.1.4 is OK */ + if (a == 1 && b == 1 && c >= 4) + exit(0); + + /* 1.2.3 and up are OK */ + if (v >= 1020300) + exit(0); + + exit(2); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + if test -z "$zlib_check_nonfatal" ; then + as_fn_error $? "*** zlib too old - check config.log *** +Your reported zlib version has known security problems. It's possible your +vendor has fixed these problems without changing the version number. If you +are sure this is the case, you can disable the check by running +\"./configure --without-zlib-version-check\". +If you are in doubt, upgrade zlib to version 1.2.3 or greater. +See http://www.gzip.org/zlib/ for details." "$LINENO" 5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: zlib version may have security problems" >&5 +$as_echo "$as_me: WARNING: zlib version may have security problems" >&2;} + fi + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +ac_fn_c_check_func "$LINENO" "strcasecmp" "ac_cv_func_strcasecmp" +if test "x$ac_cv_func_strcasecmp" = xyes; then : + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for strcasecmp in -lresolv" >&5 +$as_echo_n "checking for strcasecmp in -lresolv... " >&6; } +if ${ac_cv_lib_resolv_strcasecmp+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lresolv $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char strcasecmp (); +int +main () +{ +return strcasecmp (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_resolv_strcasecmp=yes +else + ac_cv_lib_resolv_strcasecmp=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_strcasecmp" >&5 +$as_echo "$ac_cv_lib_resolv_strcasecmp" >&6; } +if test "x$ac_cv_lib_resolv_strcasecmp" = xyes; then : + LIBS="$LIBS -lresolv" +fi + + +fi + +for ac_func in utimes +do : + ac_fn_c_check_func "$LINENO" "utimes" "ac_cv_func_utimes" +if test "x$ac_cv_func_utimes" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_UTIMES 1 +_ACEOF + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for utimes in -lc89" >&5 +$as_echo_n "checking for utimes in -lc89... " >&6; } +if ${ac_cv_lib_c89_utimes+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc89 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char utimes (); +int +main () +{ +return utimes (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_c89_utimes=yes +else + ac_cv_lib_c89_utimes=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c89_utimes" >&5 +$as_echo "$ac_cv_lib_c89_utimes" >&6; } +if test "x$ac_cv_lib_c89_utimes" = xyes; then : + $as_echo "#define HAVE_UTIMES 1" >>confdefs.h + + LIBS="$LIBS -lc89" +fi + + +fi +done + + +for ac_header in bsd/libutil.h libutil.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fmt_scaled" >&5 +$as_echo_n "checking for library containing fmt_scaled... " >&6; } +if ${ac_cv_search_fmt_scaled+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char fmt_scaled (); +int +main () +{ +return fmt_scaled (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_fmt_scaled=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_fmt_scaled+:} false; then : + break +fi +done +if ${ac_cv_search_fmt_scaled+:} false; then : + +else + ac_cv_search_fmt_scaled=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fmt_scaled" >&5 +$as_echo "$ac_cv_search_fmt_scaled" >&6; } +ac_res=$ac_cv_search_fmt_scaled +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing scan_scaled" >&5 +$as_echo_n "checking for library containing scan_scaled... " >&6; } +if ${ac_cv_search_scan_scaled+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char scan_scaled (); +int +main () +{ +return scan_scaled (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_scan_scaled=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_scan_scaled+:} false; then : + break +fi +done +if ${ac_cv_search_scan_scaled+:} false; then : + +else + ac_cv_search_scan_scaled=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_scan_scaled" >&5 +$as_echo "$ac_cv_search_scan_scaled" >&6; } +ac_res=$ac_cv_search_scan_scaled +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing login" >&5 +$as_echo_n "checking for library containing login... " >&6; } +if ${ac_cv_search_login+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char login (); +int +main () +{ +return login (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_login=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_login+:} false; then : + break +fi +done +if ${ac_cv_search_login+:} false; then : + +else + ac_cv_search_login=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_login" >&5 +$as_echo "$ac_cv_search_login" >&6; } +ac_res=$ac_cv_search_login +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing logout" >&5 +$as_echo_n "checking for library containing logout... " >&6; } +if ${ac_cv_search_logout+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char logout (); +int +main () +{ +return logout (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_logout=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_logout+:} false; then : + break +fi +done +if ${ac_cv_search_logout+:} false; then : + +else + ac_cv_search_logout=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_logout" >&5 +$as_echo "$ac_cv_search_logout" >&6; } +ac_res=$ac_cv_search_logout +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing logwtmp" >&5 +$as_echo_n "checking for library containing logwtmp... " >&6; } +if ${ac_cv_search_logwtmp+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char logwtmp (); +int +main () +{ +return logwtmp (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_logwtmp=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_logwtmp+:} false; then : + break +fi +done +if ${ac_cv_search_logwtmp+:} false; then : + +else + ac_cv_search_logwtmp=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_logwtmp" >&5 +$as_echo "$ac_cv_search_logwtmp" >&6; } +ac_res=$ac_cv_search_logwtmp +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing openpty" >&5 +$as_echo_n "checking for library containing openpty... " >&6; } +if ${ac_cv_search_openpty+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char openpty (); +int +main () +{ +return openpty (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_openpty=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_openpty+:} false; then : + break +fi +done +if ${ac_cv_search_openpty+:} false; then : + +else + ac_cv_search_openpty=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_openpty" >&5 +$as_echo "$ac_cv_search_openpty" >&6; } +ac_res=$ac_cv_search_openpty +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing updwtmp" >&5 +$as_echo_n "checking for library containing updwtmp... " >&6; } +if ${ac_cv_search_updwtmp+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char updwtmp (); +int +main () +{ +return updwtmp (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_updwtmp=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_updwtmp+:} false; then : + break +fi +done +if ${ac_cv_search_updwtmp+:} false; then : + +else + ac_cv_search_updwtmp=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_updwtmp" >&5 +$as_echo "$ac_cv_search_updwtmp" >&6; } +ac_res=$ac_cv_search_updwtmp +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +for ac_func in fmt_scaled scan_scaled login logout openpty updwtmp logwtmp +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +# On some platforms, inet_ntop may be found in libresolv or libnsl. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing inet_ntop" >&5 +$as_echo_n "checking for library containing inet_ntop... " >&6; } +if ${ac_cv_search_inet_ntop+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char inet_ntop (); +int +main () +{ +return inet_ntop (); + ; + return 0; +} +_ACEOF +for ac_lib in '' resolv nsl; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_inet_ntop=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_inet_ntop+:} false; then : + break +fi +done +if ${ac_cv_search_inet_ntop+:} false; then : + +else + ac_cv_search_inet_ntop=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_inet_ntop" >&5 +$as_echo "$ac_cv_search_inet_ntop" >&6; } +ac_res=$ac_cv_search_inet_ntop +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + + +for ac_func in strftime +do : + ac_fn_c_check_func "$LINENO" "strftime" "ac_cv_func_strftime" +if test "x$ac_cv_func_strftime" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_STRFTIME 1 +_ACEOF + +else + # strftime is in -lintl on SCO UNIX. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for strftime in -lintl" >&5 +$as_echo_n "checking for strftime in -lintl... " >&6; } +if ${ac_cv_lib_intl_strftime+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lintl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char strftime (); +int +main () +{ +return strftime (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_intl_strftime=yes +else + ac_cv_lib_intl_strftime=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_intl_strftime" >&5 +$as_echo "$ac_cv_lib_intl_strftime" >&6; } +if test "x$ac_cv_lib_intl_strftime" = xyes; then : + $as_echo "#define HAVE_STRFTIME 1" >>confdefs.h + +LIBS="-lintl $LIBS" +fi + +fi +done + + +# Check for ALTDIRFUNC glob() extension +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GLOB_ALTDIRFUNC support" >&5 +$as_echo_n "checking for GLOB_ALTDIRFUNC support... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include + #ifdef GLOB_ALTDIRFUNC + FOUNDIT + #endif + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "FOUNDIT" >/dev/null 2>&1; then : + + +$as_echo "#define GLOB_HAS_ALTDIRFUNC 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + +fi +rm -f conftest* + + +# Check for g.gl_matchc glob() extension +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gl_matchc field in glob_t" >&5 +$as_echo_n "checking for gl_matchc field in glob_t... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + glob_t g; g.gl_matchc = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + +$as_echo "#define GLOB_HAS_GL_MATCHC 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +# Check for g.gl_statv glob() extension +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gl_statv and GLOB_KEEPSTAT extensions for glob" >&5 +$as_echo_n "checking for gl_statv and GLOB_KEEPSTAT extensions for glob... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + +#ifndef GLOB_KEEPSTAT +#error "glob does not support GLOB_KEEPSTAT extension" +#endif +glob_t g; +g.gl_statv = NULL; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + +$as_echo "#define GLOB_HAS_GL_STATV 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +ac_fn_c_check_decl "$LINENO" "GLOB_NOMATCH" "ac_cv_have_decl_GLOB_NOMATCH" "#include +" +if test "x$ac_cv_have_decl_GLOB_NOMATCH" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_GLOB_NOMATCH $ac_have_decl +_ACEOF + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether struct dirent allocates space for d_name" >&5 +$as_echo_n "checking whether struct dirent allocates space for d_name... " >&6; } +if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME" >&5 +$as_echo "$as_me: WARNING: cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME" >&2;} + $as_echo "#define BROKEN_ONE_BYTE_DIRENT_D_NAME 1" >>confdefs.h + + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int +main () +{ + + struct dirent d; + exit(sizeof(d.d_name)<=sizeof(char)); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +$as_echo "#define BROKEN_ONE_BYTE_DIRENT_D_NAME 1" >>confdefs.h + + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for /proc/pid/fd directory" >&5 +$as_echo_n "checking for /proc/pid/fd directory... " >&6; } +if test -d "/proc/$$/fd" ; then + +$as_echo "#define HAVE_PROC_PID 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + +# Check whether user wants S/Key support +SKEY_MSG="no" + +# Check whether --with-skey was given. +if test "${with_skey+set}" = set; then : + withval=$with_skey; + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + +$as_echo "#define SKEY 1" >>confdefs.h + + LIBS="-lskey $LIBS" + SKEY_MSG="yes" + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for s/key support" >&5 +$as_echo_n "checking for s/key support... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + char *ff = skey_keyinfo(""); ff=""; + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "** Incomplete or missing s/key libraries." "$LINENO" 5 + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if skeychallenge takes 4 arguments" >&5 +$as_echo_n "checking if skeychallenge takes 4 arguments... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + (void)skeychallenge(NULL,"name","",0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define SKEYCHALLENGE_4ARG 1" >>confdefs.h + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + + +fi + + +# Check whether user wants TCP wrappers support +TCPW_MSG="no" + +# Check whether --with-tcp-wrappers was given. +if test "${with_tcp_wrappers+set}" = set; then : + withval=$with_tcp_wrappers; + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + saved_LDFLAGS="$LDFLAGS" + saved_CPPFLAGS="$CPPFLAGS" + if test -n "${withval}" && \ + test "x${withval}" != "xyes"; then + if test -d "${withval}/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "${withval}/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + LIBS="-lwrap $LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libwrap" >&5 +$as_echo_n "checking for libwrap... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +int deny_severity = 0, allow_severity = 0; + +int +main () +{ + + hosts_access(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define LIBWRAP 1" >>confdefs.h + + SSHDLIBS="$SSHDLIBS -lwrap" + TCPW_MSG="yes" + +else + + as_fn_error $? "*** libwrap missing" "$LINENO" 5 + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS="$saved_LIBS" + fi + + +fi + + +# Check whether user wants to use ldns +LDNS_MSG="no" + +# Check whether --with-ldns was given. +if test "${with_ldns+set}" = set; then : + withval=$with_ldns; + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + +$as_echo "#define HAVE_LDNS 1" >>confdefs.h + + LIBS="-lldns $LIBS" + LDNS_MSG="yes" + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldns support" >&5 +$as_echo_n "checking for ldns support... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); } + + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "** Incomplete or missing ldns libraries." "$LINENO" 5 + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + fi + + +fi + + +# Check whether user wants libedit support +LIBEDIT_MSG="no" + +# Check whether --with-libedit was given. +if test "${with_libedit+set}" = set; then : + withval=$with_libedit; if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PKGCONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PKGCONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PKGCONFIG="$PKGCONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PKGCONFIG=$ac_cv_path_PKGCONFIG +if test -n "$PKGCONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKGCONFIG" >&5 +$as_echo "$PKGCONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_path_PKGCONFIG"; then + ac_pt_PKGCONFIG=$PKGCONFIG + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_ac_pt_PKGCONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $ac_pt_PKGCONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_ac_pt_PKGCONFIG="$ac_pt_PKGCONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_ac_pt_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +ac_pt_PKGCONFIG=$ac_cv_path_ac_pt_PKGCONFIG +if test -n "$ac_pt_PKGCONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKGCONFIG" >&5 +$as_echo "$ac_pt_PKGCONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_pt_PKGCONFIG" = x; then + PKGCONFIG="no" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + PKGCONFIG=$ac_pt_PKGCONFIG + fi +else + PKGCONFIG="$ac_cv_path_PKGCONFIG" +fi + + if test "x$PKGCONFIG" != "xno"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $PKGCONFIG knows about libedit" >&5 +$as_echo_n "checking if $PKGCONFIG knows about libedit... " >&6; } + if "$PKGCONFIG" libedit; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + use_pkgconfig_for_libedit=yes + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + fi + else + CPPFLAGS="$CPPFLAGS -I${withval}/include" + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + fi + if test "x$use_pkgconfig_for_libedit" = "xyes"; then + LIBEDIT=`$PKGCONFIG --libs libedit` + CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" + else + LIBEDIT="-ledit -lcurses" + fi + OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'` + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for el_init in -ledit" >&5 +$as_echo_n "checking for el_init in -ledit... " >&6; } +if ${ac_cv_lib_edit_el_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ledit $OTHERLIBS + $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char el_init (); +int +main () +{ +return el_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_edit_el_init=yes +else + ac_cv_lib_edit_el_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_edit_el_init" >&5 +$as_echo "$ac_cv_lib_edit_el_init" >&6; } +if test "x$ac_cv_lib_edit_el_init" = xyes; then : + +$as_echo "#define USE_LIBEDIT 1" >>confdefs.h + + LIBEDIT_MSG="yes" + + +else + as_fn_error $? "libedit not found" "$LINENO" 5 +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libedit version is compatible" >&5 +$as_echo_n "checking if libedit version is compatible... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + + int i = H_SETSIZE; + el_init("", NULL, NULL, NULL); + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "libedit version is not compatible" "$LINENO" 5 + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + +fi + + +AUDIT_MODULE=none + +# Check whether --with-audit was given. +if test "${with_audit+set}" = set; then : + withval=$with_audit; + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for supported audit module" >&5 +$as_echo_n "checking for supported audit module... " >&6; } + case "$withval" in + bsm) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: bsm" >&5 +$as_echo "bsm" >&6; } + AUDIT_MODULE=bsm + for ac_header in bsm/audit.h +do : + ac_fn_c_check_header_compile "$LINENO" "bsm/audit.h" "ac_cv_header_bsm_audit_h" " +#ifdef HAVE_TIME_H +# include +#endif + + +" +if test "x$ac_cv_header_bsm_audit_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_BSM_AUDIT_H 1 +_ACEOF + +else + as_fn_error $? "BSM enabled and bsm/audit.h not found" "$LINENO" 5 +fi + +done + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for getaudit in -lbsm" >&5 +$as_echo_n "checking for getaudit in -lbsm... " >&6; } +if ${ac_cv_lib_bsm_getaudit+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lbsm $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char getaudit (); +int +main () +{ +return getaudit (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_bsm_getaudit=yes +else + ac_cv_lib_bsm_getaudit=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bsm_getaudit" >&5 +$as_echo "$ac_cv_lib_bsm_getaudit" >&6; } +if test "x$ac_cv_lib_bsm_getaudit" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBBSM 1 +_ACEOF + + LIBS="-lbsm $LIBS" + +else + as_fn_error $? "BSM enabled and required library not found" "$LINENO" 5 +fi + + for ac_func in getaudit +do : + ac_fn_c_check_func "$LINENO" "getaudit" "ac_cv_func_getaudit" +if test "x$ac_cv_func_getaudit" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_GETAUDIT 1 +_ACEOF + +else + as_fn_error $? "BSM enabled and required function not found" "$LINENO" 5 +fi +done + + # These are optional + for ac_func in getaudit_addr aug_get_machine +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +$as_echo "#define USE_BSM_AUDIT 1" >>confdefs.h + + if test "$sol2ver" -ge 11; then + SSHDLIBS="$SSHDLIBS -lscf" + +$as_echo "#define BROKEN_BSM_API 1" >>confdefs.h + + fi + ;; + linux) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: linux" >&5 +$as_echo "linux" >&6; } + AUDIT_MODULE=linux + for ac_header in libaudit.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "libaudit.h" "ac_cv_header_libaudit_h" "$ac_includes_default" +if test "x$ac_cv_header_libaudit_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBAUDIT_H 1 +_ACEOF + +fi + +done + + SSHDLIBS="$SSHDLIBS -laudit" + +$as_echo "#define USE_LINUX_AUDIT 1" >>confdefs.h + + ;; + debug) + AUDIT_MODULE=debug + { $as_echo "$as_me:${as_lineno-$LINENO}: result: debug" >&5 +$as_echo "debug" >&6; } + +$as_echo "#define SSH_AUDIT_EVENTS 1" >>confdefs.h + + ;; + no) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + ;; + *) + as_fn_error $? "Unknown audit module $withval" "$LINENO" 5 + ;; + esac + +fi + + + +# Check whether --with-pie was given. +if test "${with_pie+set}" = set; then : + withval=$with_pie; + if test "x$withval" = "xno"; then + use_pie=no + fi + if test "x$withval" = "xyes"; then + use_pie=yes + fi + + +fi + +if test "x$use_pie" = "x"; then + use_pie=no +fi +if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then + # Turn off automatic PIE when toolchain hardening is off. + use_pie=no +fi +if test "x$use_pie" = "xauto"; then + # Automatic PIE requires gcc >= 4.x + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc >= 4.x" >&5 +$as_echo_n "checking for gcc >= 4.x... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#if !defined(__GNUC__) || __GNUC__ < 4 +#error gcc is too old +#endif + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + use_pie=no + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +if test "x$use_pie" != "xno"; then + SAVED_CFLAGS="$CFLAGS" + SAVED_LDFLAGS="$LDFLAGS" + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -fPIE" >&5 +$as_echo_n "checking if $CC supports compile flag -fPIE... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -fPIE" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-fPIE" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -pie" >&5 +$as_echo_n "checking if $LD supports link flag -pie... " >&6; } + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR -pie" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-pie" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="$saved_LDFLAGS $_define_flag" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LDFLAGS="$saved_LDFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + # We use both -fPIE and -pie or neither. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether both -fPIE and -pie are supported" >&5 +$as_echo_n "checking whether both -fPIE and -pie are supported... " >&6; } + if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \ + echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$SAVED_CFLAGS" + LDFLAGS="$SAVED_LDFLAGS" + fi +fi + +for ac_func in \ + Blowfish_initstate \ + Blowfish_expandstate \ + Blowfish_expand0state \ + Blowfish_stream2word \ + arc4random \ + arc4random_buf \ + arc4random_stir \ + arc4random_uniform \ + asprintf \ + b64_ntop \ + __b64_ntop \ + b64_pton \ + __b64_pton \ + bcopy \ + bcrypt_pbkdf \ + bindresvport_sa \ + blf_enc \ + cap_rights_limit \ + clock \ + closefrom \ + dirfd \ + endgrent \ + explicit_bzero \ + fchmod \ + fchown \ + freeaddrinfo \ + fstatfs \ + fstatvfs \ + futimes \ + getaddrinfo \ + getcwd \ + getgrouplist \ + getnameinfo \ + getopt \ + getpeereid \ + getpeerucred \ + getpgid \ + getpgrp \ + _getpty \ + getrlimit \ + getttyent \ + glob \ + group_from_gid \ + inet_aton \ + inet_ntoa \ + inet_ntop \ + innetgr \ + login_getcapbool \ + mblen \ + md5_crypt \ + memmove \ + mkdtemp \ + mmap \ + ngetaddrinfo \ + nsleep \ + ogetaddrinfo \ + openlog_r \ + poll \ + prctl \ + pstat \ + readpassphrase \ + realpath \ + recvmsg \ + rresvport_af \ + sendmsg \ + setdtablesize \ + setegid \ + setenv \ + seteuid \ + setgroupent \ + setgroups \ + setlinebuf \ + setlogin \ + setpassent\ + setpcred \ + setproctitle \ + setregid \ + setreuid \ + setrlimit \ + setsid \ + setvbuf \ + sigaction \ + sigvec \ + snprintf \ + socketpair \ + statfs \ + statvfs \ + strdup \ + strerror \ + strlcat \ + strlcpy \ + strmode \ + strnlen \ + strnvis \ + strptime \ + strtonum \ + strtoll \ + strtoul \ + strtoull \ + swap32 \ + sysconf \ + tcgetpgrp \ + timingsafe_bcmp \ + truncate \ + unsetenv \ + updwtmpx \ + user_from_uid \ + usleep \ + vasprintf \ + vhangup \ + vsnprintf \ + waitpid \ + +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + return (isblank('a')); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + +$as_echo "#define HAVE_ISBLANK 1" >>confdefs.h + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +# PKCS#11 support requires dlopen() and co +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5 +$as_echo_n "checking for library containing dlopen... " >&6; } +if ${ac_cv_search_dlopen+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +for ac_lib in '' dl; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_dlopen=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_dlopen+:} false; then : + break +fi +done +if ${ac_cv_search_dlopen+:} false; then : + +else + ac_cv_search_dlopen=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5 +$as_echo "$ac_cv_search_dlopen" >&6; } +ac_res=$ac_cv_search_dlopen +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define ENABLE_PKCS11 /**/" >>confdefs.h + + +fi + + +# IRIX has a const char return value for gai_strerror() +for ac_func in gai_strerror +do : + ac_fn_c_check_func "$LINENO" "gai_strerror" "ac_cv_func_gai_strerror" +if test "x$ac_cv_func_gai_strerror" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_GAI_STRERROR 1 +_ACEOF + + $as_echo "#define HAVE_GAI_STRERROR 1" >>confdefs.h + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include + +const char *gai_strerror(int); + +int +main () +{ + + char *str; + str = gai_strerror(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + +$as_echo "#define HAVE_CONST_GAI_STRERROR_PROTO 1" >>confdefs.h + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +done + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing nanosleep" >&5 +$as_echo_n "checking for library containing nanosleep... " >&6; } +if ${ac_cv_search_nanosleep+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nanosleep (); +int +main () +{ +return nanosleep (); + ; + return 0; +} +_ACEOF +for ac_lib in '' rt posix4; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_nanosleep=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_nanosleep+:} false; then : + break +fi +done +if ${ac_cv_search_nanosleep+:} false; then : + +else + ac_cv_search_nanosleep=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_nanosleep" >&5 +$as_echo "$ac_cv_search_nanosleep" >&6; } +ac_res=$ac_cv_search_nanosleep +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define HAVE_NANOSLEEP 1" >>confdefs.h + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5 +$as_echo_n "checking for library containing clock_gettime... " >&6; } +if ${ac_cv_search_clock_gettime+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char clock_gettime (); +int +main () +{ +return clock_gettime (); + ; + return 0; +} +_ACEOF +for ac_lib in '' rt; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_clock_gettime=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_clock_gettime+:} false; then : + break +fi +done +if ${ac_cv_search_clock_gettime+:} false; then : + +else + ac_cv_search_clock_gettime=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5 +$as_echo "$ac_cv_search_clock_gettime" >&6; } +ac_res=$ac_cv_search_clock_gettime +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h + +fi + + +ac_fn_c_check_decl "$LINENO" "getrusage" "ac_cv_have_decl_getrusage" "$ac_includes_default" +if test "x$ac_cv_have_decl_getrusage" = xyes; then : + for ac_func in getrusage +do : + ac_fn_c_check_func "$LINENO" "getrusage" "ac_cv_func_getrusage" +if test "x$ac_cv_func_getrusage" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_GETRUSAGE 1 +_ACEOF + +fi +done + +fi + +ac_fn_c_check_decl "$LINENO" "strsep" "ac_cv_have_decl_strsep" " +#ifdef HAVE_STRING_H +# include +#endif + +" +if test "x$ac_cv_have_decl_strsep" = xyes; then : + for ac_func in strsep +do : + ac_fn_c_check_func "$LINENO" "strsep" "ac_cv_func_strsep" +if test "x$ac_cv_func_strsep" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_STRSEP 1 +_ACEOF + +fi +done + +fi + + +ac_fn_c_check_decl "$LINENO" "tcsendbreak" "ac_cv_have_decl_tcsendbreak" "#include + +" +if test "x$ac_cv_have_decl_tcsendbreak" = xyes; then : + $as_echo "#define HAVE_TCSENDBREAK 1" >>confdefs.h + +else + for ac_func in tcsendbreak +do : + ac_fn_c_check_func "$LINENO" "tcsendbreak" "ac_cv_func_tcsendbreak" +if test "x$ac_cv_func_tcsendbreak" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_TCSENDBREAK 1 +_ACEOF + +fi +done + +fi + + +ac_fn_c_check_decl "$LINENO" "h_errno" "ac_cv_have_decl_h_errno" "#include +" +if test "x$ac_cv_have_decl_h_errno" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_H_ERRNO $ac_have_decl +_ACEOF + + +ac_fn_c_check_decl "$LINENO" "SHUT_RD" "ac_cv_have_decl_SHUT_RD" " +#include +#include + +" +if test "x$ac_cv_have_decl_SHUT_RD" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_SHUT_RD $ac_have_decl +_ACEOF + + +ac_fn_c_check_decl "$LINENO" "O_NONBLOCK" "ac_cv_have_decl_O_NONBLOCK" " +#include +#ifdef HAVE_SYS_STAT_H +# include +#endif +#ifdef HAVE_FCNTL_H +# include +#endif + +" +if test "x$ac_cv_have_decl_O_NONBLOCK" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_O_NONBLOCK $ac_have_decl +_ACEOF + + +ac_fn_c_check_decl "$LINENO" "writev" "ac_cv_have_decl_writev" " +#include +#include +#include + +" +if test "x$ac_cv_have_decl_writev" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_WRITEV $ac_have_decl +_ACEOF + + +ac_fn_c_check_decl "$LINENO" "MAXSYMLINKS" "ac_cv_have_decl_MAXSYMLINKS" " +#include + +" +if test "x$ac_cv_have_decl_MAXSYMLINKS" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_MAXSYMLINKS $ac_have_decl +_ACEOF + + +ac_fn_c_check_decl "$LINENO" "offsetof" "ac_cv_have_decl_offsetof" " +#include + +" +if test "x$ac_cv_have_decl_offsetof" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_OFFSETOF $ac_have_decl +_ACEOF + + +# extra bits for select(2) +ac_fn_c_check_decl "$LINENO" "howmany" "ac_cv_have_decl_howmany" " +#include +#include +#ifdef HAVE_SYS_SYSMACROS_H +#include +#endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + +" +if test "x$ac_cv_have_decl_howmany" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_HOWMANY $ac_have_decl +_ACEOF +ac_fn_c_check_decl "$LINENO" "NFDBITS" "ac_cv_have_decl_NFDBITS" " +#include +#include +#ifdef HAVE_SYS_SYSMACROS_H +#include +#endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + +" +if test "x$ac_cv_have_decl_NFDBITS" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_NFDBITS $ac_have_decl +_ACEOF + +ac_fn_c_check_type "$LINENO" "fd_mask" "ac_cv_type_fd_mask" " +#include +#include +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + +" +if test "x$ac_cv_type_fd_mask" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_FD_MASK 1 +_ACEOF + + +fi + + +for ac_func in setresuid +do : + ac_fn_c_check_func "$LINENO" "setresuid" "ac_cv_func_setresuid" +if test "x$ac_cv_func_setresuid" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SETRESUID 1 +_ACEOF + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if setresuid seems to work" >&5 +$as_echo_n "checking if setresuid seems to work... " >&6; } + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking setresuid" >&5 +$as_echo "$as_me: WARNING: cross compiling: not checking setresuid" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + errno=0; + setresuid(0,0,0); + if (errno==ENOSYS) + exit(1); + else + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + +$as_echo "#define BROKEN_SETRESUID 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not implemented" >&5 +$as_echo "not implemented" >&6; } +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +fi +done + + +for ac_func in setresgid +do : + ac_fn_c_check_func "$LINENO" "setresgid" "ac_cv_func_setresgid" +if test "x$ac_cv_func_setresgid" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SETRESGID 1 +_ACEOF + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if setresgid seems to work" >&5 +$as_echo_n "checking if setresgid seems to work... " >&6; } + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking setresuid" >&5 +$as_echo "$as_me: WARNING: cross compiling: not checking setresuid" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + errno=0; + setresgid(0,0,0); + if (errno==ENOSYS) + exit(1); + else + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + +$as_echo "#define BROKEN_SETRESGID 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not implemented" >&5 +$as_echo "not implemented" >&6; } +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +fi +done + + +for ac_func in gettimeofday time +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + +for ac_func in endutent getutent getutid getutline pututline setutent +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + +for ac_func in utmpname +do : + ac_fn_c_check_func "$LINENO" "utmpname" "ac_cv_func_utmpname" +if test "x$ac_cv_func_utmpname" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_UTMPNAME 1 +_ACEOF + +fi +done + +for ac_func in endutxent getutxent getutxid getutxline getutxuser pututxline +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + +for ac_func in setutxdb setutxent utmpxname +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + +for ac_func in getlastlogxbyname +do : + ac_fn_c_check_func "$LINENO" "getlastlogxbyname" "ac_cv_func_getlastlogxbyname" +if test "x$ac_cv_func_getlastlogxbyname" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_GETLASTLOGXBYNAME 1 +_ACEOF + +fi +done + + +ac_fn_c_check_func "$LINENO" "daemon" "ac_cv_func_daemon" +if test "x$ac_cv_func_daemon" = xyes; then : + +$as_echo "#define HAVE_DAEMON 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for daemon in -lbsd" >&5 +$as_echo_n "checking for daemon in -lbsd... " >&6; } +if ${ac_cv_lib_bsd_daemon+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lbsd $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char daemon (); +int +main () +{ +return daemon (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_bsd_daemon=yes +else + ac_cv_lib_bsd_daemon=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bsd_daemon" >&5 +$as_echo "$ac_cv_lib_bsd_daemon" >&6; } +if test "x$ac_cv_lib_bsd_daemon" = xyes; then : + LIBS="$LIBS -lbsd"; $as_echo "#define HAVE_DAEMON 1" >>confdefs.h + +fi + + +fi + + +ac_fn_c_check_func "$LINENO" "getpagesize" "ac_cv_func_getpagesize" +if test "x$ac_cv_func_getpagesize" = xyes; then : + +$as_echo "#define HAVE_GETPAGESIZE 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for getpagesize in -lucb" >&5 +$as_echo_n "checking for getpagesize in -lucb... " >&6; } +if ${ac_cv_lib_ucb_getpagesize+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lucb $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char getpagesize (); +int +main () +{ +return getpagesize (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ucb_getpagesize=yes +else + ac_cv_lib_ucb_getpagesize=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ucb_getpagesize" >&5 +$as_echo "$ac_cv_lib_ucb_getpagesize" >&6; } +if test "x$ac_cv_lib_ucb_getpagesize" = xyes; then : + LIBS="$LIBS -lucb"; $as_echo "#define HAVE_GETPAGESIZE 1" >>confdefs.h + +fi + + +fi + + +# Check for broken snprintf +if test "x$ac_cv_func_snprintf" = "xyes" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether snprintf correctly terminates long strings" >&5 +$as_echo_n "checking whether snprintf correctly terminates long strings... " >&6; } + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: Assuming working snprintf()" >&5 +$as_echo "$as_me: WARNING: cross compiling: Assuming working snprintf()" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + + char b[5]; + snprintf(b,5,"123456789"); + exit(b[4]!='\0'); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +$as_echo "#define BROKEN_SNPRINTF 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: ****** Your snprintf() function is broken, complain to your vendor" >&5 +$as_echo "$as_me: WARNING: ****** Your snprintf() function is broken, complain to your vendor" >&2;} + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi + +# If we don't have a working asprintf, then we strongly depend on vsnprintf +# returning the right thing on overflow: the number of characters it tried to +# create (as per SUSv3) +if test "x$ac_cv_func_asprintf" != "xyes" && \ + test "x$ac_cv_func_vsnprintf" = "xyes" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether vsnprintf returns correct values on overflow" >&5 +$as_echo_n "checking whether vsnprintf returns correct values on overflow... " >&6; } + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: Assuming working vsnprintf()" >&5 +$as_echo "$as_me: WARNING: cross compiling: Assuming working vsnprintf()" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include + +int x_snprintf(char *str,size_t count,const char *fmt,...) +{ + size_t ret; va_list ap; + va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap); + return ret; +} + +int +main () +{ + + char x[1]; + exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +$as_echo "#define BROKEN_SNPRINTF 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: ****** Your vsnprintf() function is broken, complain to your vendor" >&5 +$as_echo "$as_me: WARNING: ****** Your vsnprintf() function is broken, complain to your vendor" >&2;} + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi + +# On systems where [v]snprintf is broken, but is declared in stdio, +# check that the fmt argument is const char * or just char *. +# This is only useful for when BROKEN_SNPRINTF +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether snprintf can declare const char *fmt" >&5 +$as_echo_n "checking whether snprintf can declare const char *fmt... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +int snprintf(char *a, size_t b, const char *c, ...) { return 0; } + +int +main () +{ + + snprintf(0, 0, 0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define SNPRINTF_CONST const" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + $as_echo "#define SNPRINTF_CONST /* not const */" >>confdefs.h + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +# Check for missing getpeereid (or equiv) support +NO_PEERCHECK="" +if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether system supports SO_PEERCRED getsockopt" >&5 +$as_echo_n "checking whether system supports SO_PEERCRED getsockopt... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +int +main () +{ +int i = SO_PEERCRED; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE_SO_PEERCRED 1" >>confdefs.h + + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + NO_PEERCHECK=1 + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if test "x$ac_cv_func_mkdtemp" = "xyes" ; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for (overly) strict mkstemp" >&5 +$as_echo_n "checking for (overly) strict mkstemp... " >&6; } +if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + $as_echo "#define HAVE_STRICT_MKSTEMP 1" >>confdefs.h + + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include + +int +main () +{ + + char template[]="conftest.mkstemp-test"; + if (mkstemp(template) == -1) + exit(1); + unlink(template); + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE_STRICT_MKSTEMP 1" >>confdefs.h + + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi + +if test ! -z "$check_for_openpty_ctty_bug"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openpty correctly handles controlling tty" >&5 +$as_echo_n "checking if openpty correctly handles controlling tty... " >&6; } + if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5 +$as_echo "cross-compiling, assuming yes" >&6; } + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include + +int +main () +{ + + pid_t pid; + int fd, ptyfd, ttyfd, status; + + pid = fork(); + if (pid < 0) { /* failed */ + exit(1); + } else if (pid > 0) { /* parent */ + waitpid(pid, &status, 0); + if (WIFEXITED(status)) + exit(WEXITSTATUS(status)); + else + exit(2); + } else { /* child */ + close(0); close(1); close(2); + setsid(); + openpty(&ptyfd, &ttyfd, NULL, NULL, NULL); + fd = open("/dev/tty", O_RDWR | O_NOCTTY); + if (fd >= 0) + exit(3); /* Acquired ctty: broken */ + else + exit(0); /* Did not acquire ctty: OK */ + } + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + $as_echo "#define SSHD_ACQUIRES_CTTY 1" >>confdefs.h + + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi + +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if getaddrinfo seems to work" >&5 +$as_echo_n "checking if getaddrinfo seems to work... " >&6; } + if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5 +$as_echo "cross-compiling, assuming yes" >&6; } + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main () +{ + + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (err != 0) { + if (err == EAI_SYSTEM) + perror("getnameinfo EAI_SYSTEM"); + else + fprintf(stderr, "getnameinfo failed: %s\n", + gai_strerror(err)); + exit(2); + } + + sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (sock < 0) + perror("socket"); + if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (errno == EBADF) + exit(3); + } + } + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + $as_echo "#define BROKEN_GETADDRINFO 1" >>confdefs.h + + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi + +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_aix_broken_getaddrinfo" = "x1"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if getaddrinfo seems to work" >&5 +$as_echo_n "checking if getaddrinfo seems to work... " >&6; } + if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming no" >&5 +$as_echo "cross-compiling, assuming no" >&6; } + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main () +{ + + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (ai->ai_family == AF_INET && err != 0) { + perror("getnameinfo"); + exit(2); + } + } + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define AIX_GETNAMEINFO_HACK 1" >>confdefs.h + + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + $as_echo "#define BROKEN_GETADDRINFO 1" >>confdefs.h + + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi + +if test "x$check_for_conflicting_getspnam" = "x1"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for conflicting getspnam in shadow.h" >&5 +$as_echo_n "checking for conflicting getspnam in shadow.h... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + exit(0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define GETSPNAM_CONFLICTING_DEFS 1" >>confdefs.h + + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether getpgrp requires zero arguments" >&5 +$as_echo_n "checking whether getpgrp requires zero arguments... " >&6; } +if ${ac_cv_func_getpgrp_void+:} false; then : + $as_echo_n "(cached) " >&6 +else + # Use it with a single arg. +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +getpgrp (0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_func_getpgrp_void=no +else + ac_cv_func_getpgrp_void=yes +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_getpgrp_void" >&5 +$as_echo "$ac_cv_func_getpgrp_void" >&6; } +if test $ac_cv_func_getpgrp_void = yes; then + +$as_echo "#define GETPGRP_VOID 1" >>confdefs.h + +fi + + +# Search for OpenSSL +saved_CPPFLAGS="$CPPFLAGS" +saved_LDFLAGS="$LDFLAGS" + +# Check whether --with-ssl-dir was given. +if test "${with_ssl_dir+set}" = set; then : + withval=$with_ssl_dir; + if test "x$withval" != "xno" ; then + case "$withval" in + # Relative paths + ./*|../*) withval="`pwd`/$withval" + esac + if test -d "$withval/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + elif test -d "$withval/lib64"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib64 -R${withval}/lib64 ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib64 ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + + +fi + +LIBS="-lcrypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char RAND_add (); +int +main () +{ +return RAND_add (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + +$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h + +else + + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" + ac_fn_c_check_header_mongrel "$LINENO" "openssl/opensslv.h" "ac_cv_header_openssl_opensslv_h" "$ac_includes_default" +if test "x$ac_cv_header_openssl_opensslv_h" = xyes; then : + +else + as_fn_error $? "*** OpenSSL headers missing - please install first or check config.log ***" "$LINENO" 5 +fi + + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char RAND_add (); +int +main () +{ +return RAND_add (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h + +else + + as_fn_error $? "*** Can't find recent OpenSSL libcrypto (see config.log for details) ***" "$LINENO" 5 + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +# Determine OpenSSL header version +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenSSL header version" >&5 +$as_echo_n "checking OpenSSL header version... " >&6; } +if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking" >&5 +$as_echo "$as_me: WARNING: cross compiling: not checking" >&2;} + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#define DATA "conftest.sslincver" + +int +main () +{ + + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) + exit(1); + + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + ssl_header_ver=`cat conftest.sslincver` + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ssl_header_ver" >&5 +$as_echo "$ssl_header_ver" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 +$as_echo "not found" >&6; } + as_fn_error $? "OpenSSL version header not found." "$LINENO" 5 + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +# Determine OpenSSL library version +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenSSL library version" >&5 +$as_echo_n "checking OpenSSL library version... " >&6; } +if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking" >&5 +$as_echo "$as_me: WARNING: cross compiling: not checking" >&2;} + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +#define DATA "conftest.ssllibver" + +int +main () +{ + + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0) + exit(1); + + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + ssl_library_ver=`cat conftest.ssllibver` + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ssl_library_ver" >&5 +$as_echo "$ssl_library_ver" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 +$as_echo "not found" >&6; } + as_fn_error $? "OpenSSL library not found." "$LINENO" 5 + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + + +# Check whether --with-openssl-header-check was given. +if test "${with_openssl_header_check+set}" = set; then : + withval=$with_openssl_header_check; if test "x$withval" = "xno" ; then + openssl_check_nonfatal=1 + fi + + +fi + + +# Sanity check OpenSSL headers +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL's headers match the library" >&5 +$as_echo_n "checking whether OpenSSL's headers match the library... " >&6; } +if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking" >&5 +$as_echo "$as_me: WARNING: cross compiling: not checking" >&2;} + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + if test "x$openssl_check_nonfatal" = "x"; then + as_fn_error $? "Your OpenSSL headers do not match your +library. Check config.log for details. +If you are sure your installation is consistent, you can disable the check +by running \"./configure --without-openssl-header-check\". +Also see contrib/findssl.sh for help identifying header/library mismatches. +" "$LINENO" 5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your OpenSSL headers do not match your +library. Check config.log for details. +Also see contrib/findssl.sh for help identifying header/library mismatches." >&5 +$as_echo "$as_me: WARNING: Your OpenSSL headers do not match your +library. Check config.log for details. +Also see contrib/findssl.sh for help identifying header/library mismatches." >&2;} + fi + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if programs using OpenSSL functions will link" >&5 +$as_echo_n "checking if programs using OpenSSL functions will link... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + SSLeay_add_all_algorithms(); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + saved_LIBS="$LIBS" + LIBS="$LIBS -ldl" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if programs using OpenSSL need -ldl" >&5 +$as_echo_n "checking if programs using OpenSSL need -ldl... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + SSLeay_add_all_algorithms(); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LIBS="$saved_LIBS" + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +for ac_func in \ + BN_is_prime_ex \ + DSA_generate_parameters_ex \ + EVP_DigestInit_ex \ + EVP_DigestFinal_ex \ + EVP_MD_CTX_init \ + EVP_MD_CTX_cleanup \ + EVP_MD_CTX_copy_ex \ + HMAC_CTX_init \ + RSA_generate_key_ex \ + RSA_get_default_method \ + +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + + +# Check whether --with-ssl-engine was given. +if test "${with_ssl_engine+set}" = set; then : + withval=$with_ssl_engine; if test "x$withval" != "xno" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL ENGINE support" >&5 +$as_echo_n "checking for OpenSSL ENGINE support... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include + +int +main () +{ + + ENGINE_load_builtin_engines(); + ENGINE_register_all_complete(); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define USE_OPENSSL_ENGINE 1" >>confdefs.h + + +else + as_fn_error $? "OpenSSL ENGINE support not found" "$LINENO" 5 + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + +fi + + +# Check for OpenSSL without EVP_aes_{192,256}_cbc +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has crippled AES support" >&5 +$as_echo_n "checking whether OpenSSL has crippled AES support... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define OPENSSL_LOBOTOMISED_AES 1" >>confdefs.h + + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +# Check for OpenSSL with EVP_aes_*ctr +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has AES CTR via EVP" >&5 +$as_echo_n "checking whether OpenSSL has AES CTR via EVP... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + exit(EVP_aes_128_ctr() == NULL || + EVP_aes_192_cbc() == NULL || + EVP_aes_256_cbc() == NULL); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define OPENSSL_HAVE_EVPCTR 1" >>confdefs.h + + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +# Check for OpenSSL with EVP_aes_*gcm +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has AES GCM via EVP" >&5 +$as_echo_n "checking whether OpenSSL has AES GCM via EVP... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + exit(EVP_aes_128_gcm() == NULL || + EVP_aes_256_gcm() == NULL || + EVP_CTRL_GCM_SET_IV_FIXED == 0 || + EVP_CTRL_GCM_IV_GEN == 0 || + EVP_CTRL_GCM_SET_TAG == 0 || + EVP_CTRL_GCM_GET_TAG == 0 || + EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define OPENSSL_HAVE_EVPGCM 1" >>confdefs.h + + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + unsupported_algorithms="$unsupported_cipers \ + aes128-gcm@openssh.com aes256-gcm@openssh.com" + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_CIPHER_CTX_ctrl" >&5 +$as_echo_n "checking for library containing EVP_CIPHER_CTX_ctrl... " >&6; } +if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char EVP_CIPHER_CTX_ctrl (); +int +main () +{ +return EVP_CIPHER_CTX_ctrl (); + ; + return 0; +} +_ACEOF +for ac_lib in '' crypto; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_EVP_CIPHER_CTX_ctrl=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then : + break +fi +done +if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then : + +else + ac_cv_search_EVP_CIPHER_CTX_ctrl=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_CIPHER_CTX_ctrl" >&5 +$as_echo "$ac_cv_search_EVP_CIPHER_CTX_ctrl" >&6; } +ac_res=$ac_cv_search_EVP_CIPHER_CTX_ctrl +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define HAVE_EVP_CIPHER_CTX_CTRL 1" >>confdefs.h + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if EVP_DigestUpdate returns an int" >&5 +$as_echo_n "checking if EVP_DigestUpdate returns an int... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + if(EVP_DigestUpdate(NULL, NULL,0)) + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +$as_echo "#define OPENSSL_EVP_DIGESTUPDATE_VOID 1" >>confdefs.h + + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, +# because the system crypt() is more featureful. +if test "x$check_for_libcrypt_before" = "x1"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for crypt in -lcrypt" >&5 +$as_echo_n "checking for crypt in -lcrypt... " >&6; } +if ${ac_cv_lib_crypt_crypt+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcrypt $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char crypt (); +int +main () +{ +return crypt (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_crypt_crypt=yes +else + ac_cv_lib_crypt_crypt=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypt_crypt" >&5 +$as_echo "$ac_cv_lib_crypt_crypt" >&6; } +if test "x$ac_cv_lib_crypt_crypt" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBCRYPT 1 +_ACEOF + + LIBS="-lcrypt $LIBS" + +fi + +fi + +# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the +# version in OpenSSL. +if test "x$check_for_libcrypt_later" = "x1"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for crypt in -lcrypt" >&5 +$as_echo_n "checking for crypt in -lcrypt... " >&6; } +if ${ac_cv_lib_crypt_crypt+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcrypt $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char crypt (); +int +main () +{ +return crypt (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_crypt_crypt=yes +else + ac_cv_lib_crypt_crypt=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypt_crypt" >&5 +$as_echo "$ac_cv_lib_crypt_crypt" >&6; } +if test "x$ac_cv_lib_crypt_crypt" = xyes; then : + LIBS="$LIBS -lcrypt" +fi + +fi +for ac_func in crypt DES_crypt +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +# Search for SHA256 support in libc and/or OpenSSL +for ac_func in SHA256_Update EVP_sha256 +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +else + unsupported_algorithms="$unsupported_algorithms \ + hmac-sha2-256 hmac-sha2-512 \ + diffie-hellman-group-exchange-sha256 \ + hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" + + +fi +done + + +# Check complete ECC support in OpenSSL +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_X9_62_prime256v1" >&5 +$as_echo_n "checking whether OpenSSL has NID_X9_62_prime256v1... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + +int +main () +{ + + EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + const EVP_MD *m = EVP_sha256(); /* We need this too */ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + enable_nistp256=1 +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_secp384r1" >&5 +$as_echo_n "checking whether OpenSSL has NID_secp384r1... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + +int +main () +{ + + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); + const EVP_MD *m = EVP_sha384(); /* We need this too */ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + enable_nistp384=1 +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_secp521r1" >&5 +$as_echo_n "checking whether OpenSSL has NID_secp521r1... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + +int +main () +{ + + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); + const EVP_MD *m = EVP_sha512(); /* We need this too */ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if OpenSSL's NID_secp521r1 is functional" >&5 +$as_echo_n "checking if OpenSSL's NID_secp521r1 is functional... " >&6; } + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross-compiling: assuming yes" >&5 +$as_echo "$as_me: WARNING: cross-compiling: assuming yes" >&2;} + enable_nistp521=1 + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +#include +#include + +int +main () +{ + + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); + const EVP_MD *m = EVP_sha512(); /* We need this too */ + exit(e == NULL || m == NULL); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + enable_nistp521=1 +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +COMMENT_OUT_ECC="#no ecc#" +TEST_SSH_ECC=no + +if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ + test x$enable_nistp521 = x1; then + +$as_echo "#define OPENSSL_HAS_ECC 1" >>confdefs.h + +fi +if test x$enable_nistp256 = x1; then + +$as_echo "#define OPENSSL_HAS_NISTP256 1" >>confdefs.h + + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ + ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" +fi +if test x$enable_nistp384 = x1; then + +$as_echo "#define OPENSSL_HAS_NISTP384 1" >>confdefs.h + + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ + ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" +fi +if test x$enable_nistp521 = x1; then + +$as_echo "#define OPENSSL_HAS_NISTP521 1" >>confdefs.h + + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ + ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" +fi + + + + +saved_LIBS="$LIBS" +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ia_openinfo in -liaf" >&5 +$as_echo_n "checking for ia_openinfo in -liaf... " >&6; } +if ${ac_cv_lib_iaf_ia_openinfo+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-liaf $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ia_openinfo (); +int +main () +{ +return ia_openinfo (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_iaf_ia_openinfo=yes +else + ac_cv_lib_iaf_ia_openinfo=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_iaf_ia_openinfo" >&5 +$as_echo "$ac_cv_lib_iaf_ia_openinfo" >&6; } +if test "x$ac_cv_lib_iaf_ia_openinfo" = xyes; then : + + LIBS="$LIBS -liaf" + for ac_func in set_id +do : + ac_fn_c_check_func "$LINENO" "set_id" "ac_cv_func_set_id" +if test "x$ac_cv_func_set_id" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SET_ID 1 +_ACEOF + SSHDLIBS="$SSHDLIBS -liaf" + +$as_echo "#define HAVE_LIBIAF 1" >>confdefs.h + + +fi +done + + +fi + +LIBS="$saved_LIBS" + +### Configure cryptographic random number support + +# Check wheter OpenSSL seeds itself +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL's PRNG is internally seeded" >&5 +$as_echo_n "checking whether OpenSSL's PRNG is internally seeded... " >&6; } +if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5 +$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;} + # This is safe, since we will fatal() at runtime if + # OpenSSL is not seeded correctly. + OPENSSL_SEEDS_ITSELF=yes + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + exit(RAND_status() == 1 ? 0 : 1); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + OPENSSL_SEEDS_ITSELF=yes + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +# PRNGD TCP socket + +# Check whether --with-prngd-port was given. +if test "${with_prngd_port+set}" = set; then : + withval=$with_prngd_port; + case "$withval" in + no) + withval="" + ;; + [0-9]*) + ;; + *) + as_fn_error $? "You must specify a numeric port number for --with-prngd-port" "$LINENO" 5 + ;; + esac + if test ! -z "$withval" ; then + PRNGD_PORT="$withval" + +cat >>confdefs.h <<_ACEOF +#define PRNGD_PORT $PRNGD_PORT +_ACEOF + + fi + + +fi + + +# PRNGD Unix domain socket + +# Check whether --with-prngd-socket was given. +if test "${with_prngd_socket+set}" = set; then : + withval=$with_prngd_socket; + case "$withval" in + yes) + withval="/var/run/egd-pool" + ;; + no) + withval="" + ;; + /*) + ;; + *) + as_fn_error $? "You must specify an absolute path to the entropy socket" "$LINENO" 5 + ;; + esac + + if test ! -z "$withval" ; then + if test ! -z "$PRNGD_PORT" ; then + as_fn_error $? "You may not specify both a PRNGD/EGD port and socket" "$LINENO" 5 + fi + if test ! -r "$withval" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Entropy socket is not readable" >&5 +$as_echo "$as_me: WARNING: Entropy socket is not readable" >&2;} + fi + PRNGD_SOCKET="$withval" + +cat >>confdefs.h <<_ACEOF +#define PRNGD_SOCKET "$PRNGD_SOCKET" +_ACEOF + + fi + +else + + # Check for existing socket only if we don't have a random device already + if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PRNGD/EGD socket" >&5 +$as_echo_n "checking for PRNGD/EGD socket... " >&6; } + # Insert other locations here + for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do + if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then + PRNGD_SOCKET="$sock" + cat >>confdefs.h <<_ACEOF +#define PRNGD_SOCKET "$PRNGD_SOCKET" +_ACEOF + + break; + fi + done + if test ! -z "$PRNGD_SOCKET" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PRNGD_SOCKET" >&5 +$as_echo "$PRNGD_SOCKET" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 +$as_echo "not found" >&6; } + fi + fi + + +fi + + +# Which randomness source do we use? +if test ! -z "$PRNGD_PORT" ; then + RAND_MSG="PRNGd port $PRNGD_PORT" +elif test ! -z "$PRNGD_SOCKET" ; then + RAND_MSG="PRNGd socket $PRNGD_SOCKET" +elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then + +$as_echo "#define OPENSSL_PRNG_ONLY 1" >>confdefs.h + + RAND_MSG="OpenSSL internal ONLY" +else + as_fn_error $? "OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options" "$LINENO" 5 +fi + +# Check for PAM libs +PAM_MSG="no" + +# Check whether --with-pam was given. +if test "${with_pam+set}" = set; then : + withval=$with_pam; + if test "x$withval" != "xno" ; then + if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \ + test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then + as_fn_error $? "PAM headers not found" "$LINENO" 5 + fi + + saved_LIBS="$LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 +$as_echo_n "checking for dlopen in -ldl... " >&6; } +if ${ac_cv_lib_dl_dlopen+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_dl_dlopen=yes +else + ac_cv_lib_dl_dlopen=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 +$as_echo "$ac_cv_lib_dl_dlopen" >&6; } +if test "x$ac_cv_lib_dl_dlopen" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBDL 1 +_ACEOF + + LIBS="-ldl $LIBS" + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_set_item in -lpam" >&5 +$as_echo_n "checking for pam_set_item in -lpam... " >&6; } +if ${ac_cv_lib_pam_pam_set_item+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpam $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char pam_set_item (); +int +main () +{ +return pam_set_item (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pam_pam_set_item=yes +else + ac_cv_lib_pam_pam_set_item=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_set_item" >&5 +$as_echo "$ac_cv_lib_pam_pam_set_item" >&6; } +if test "x$ac_cv_lib_pam_pam_set_item" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPAM 1 +_ACEOF + + LIBS="-lpam $LIBS" + +else + as_fn_error $? "*** libpam missing" "$LINENO" 5 +fi + + for ac_func in pam_getenvlist +do : + ac_fn_c_check_func "$LINENO" "pam_getenvlist" "ac_cv_func_pam_getenvlist" +if test "x$ac_cv_func_pam_getenvlist" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_PAM_GETENVLIST 1 +_ACEOF + +fi +done + + for ac_func in pam_putenv +do : + ac_fn_c_check_func "$LINENO" "pam_putenv" "ac_cv_func_pam_putenv" +if test "x$ac_cv_func_pam_putenv" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_PAM_PUTENV 1 +_ACEOF + +fi +done + + LIBS="$saved_LIBS" + + PAM_MSG="yes" + + SSHDLIBS="$SSHDLIBS -lpam" + +$as_echo "#define USE_PAM 1" >>confdefs.h + + + if test $ac_cv_lib_dl_dlopen = yes; then + case "$LIBS" in + *-ldl*) + # libdl already in LIBS + ;; + *) + SSHDLIBS="$SSHDLIBS -ldl" + ;; + esac + fi + fi + + +fi + + +# Check for older PAM +if test "x$PAM_MSG" = "xyes" ; then + # Check PAM strerror arguments (old PAM) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pam_strerror takes only one argument" >&5 +$as_echo_n "checking whether pam_strerror takes only one argument... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#if defined(HAVE_SECURITY_PAM_APPL_H) +#include +#elif defined (HAVE_PAM_PAM_APPL_H) +#include +#endif + +int +main () +{ + +(void)pam_strerror((pam_handle_t *)NULL, -1); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +else + + +$as_echo "#define HAVE_OLD_PAM 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + PAM_MSG="yes (old library)" + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +SSH_PRIVSEP_USER=sshd + +# Check whether --with-privsep-user was given. +if test "${with_privsep_user+set}" = set; then : + withval=$with_privsep_user; + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + SSH_PRIVSEP_USER=$withval + fi + + +fi + + +cat >>confdefs.h <<_ACEOF +#define SSH_PRIVSEP_USER "$SSH_PRIVSEP_USER" +_ACEOF + + + +if test "x$have_linux_no_new_privs" = "x1" ; then +ac_fn_c_check_decl "$LINENO" "SECCOMP_MODE_FILTER" "ac_cv_have_decl_SECCOMP_MODE_FILTER" " + #include + #include + +" +if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then : + have_seccomp_filter=1 +fi + +fi +if test "x$have_seccomp_filter" = "x1" ; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5 +$as_echo_n "checking kernel for seccomp_filter support... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include + #include + #include + #include + #include + #include + +int +main () +{ + int i = $seccomp_audit_arch; + errno = 0; + prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); + exit(errno == EFAULT ? 0 : 1); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + # Disable seccomp filter as a target + have_seccomp_filter=0 + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi + +# Decide which sandbox style to use +sandbox_arg="" + +# Check whether --with-sandbox was given. +if test "${with_sandbox+set}" = set; then : + withval=$with_sandbox; + if test "x$withval" = "xyes" ; then + sandbox_arg="" + else + sandbox_arg="$withval" + fi + + +fi + + +# Some platforms (seems to be the ones that have a kernel poll(2)-type +# function with which they implement select(2)) use an extra file descriptor +# when calling select(2), which means we can't use the rlimit sandbox. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if select works with descriptor rlimit" >&5 +$as_echo_n "checking if select works with descriptor rlimit... " >&6; } +if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5 +$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#ifdef HAVE_SYS_TIME_H +# include +#endif +#include +#ifdef HAVE_SYS_SELECT_H +# include +#endif +#include +#include +#include + +int +main () +{ + + struct rlimit rl_zero; + int fd, r; + fd_set fds; + struct timeval tv; + + fd = open("/dev/null", O_RDONLY); + FD_ZERO(&fds); + FD_SET(fd, &fds); + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + setrlimit(RLIMIT_FSIZE, &rl_zero); + setrlimit(RLIMIT_NOFILE, &rl_zero); + tv.tv_sec = 1; + tv.tv_usec = 0; + r = select(fd+1, &fds, NULL, NULL, &tv); + exit (r == -1 ? 1 : 0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + select_works_with_rlimit=yes +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + select_works_with_rlimit=no +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit(RLIMIT_NOFILE,{0,0}) works" >&5 +$as_echo_n "checking if setrlimit(RLIMIT_NOFILE,{0,0}) works... " >&6; } +if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5 +$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#ifdef HAVE_SYS_TIME_H +# include +#endif +#include +#include +#include + +int +main () +{ + + struct rlimit rl_zero; + int fd, r; + fd_set fds; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + r = setrlimit(RLIMIT_NOFILE, &rl_zero); + exit (r == -1 ? 1 : 0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + rlimit_nofile_zero_works=yes +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + rlimit_nofile_zero_works=no +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit RLIMIT_FSIZE works" >&5 +$as_echo_n "checking if setrlimit RLIMIT_FSIZE works... " >&6; } +if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5 +$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include + +int +main () +{ + + struct rlimit rl_zero; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +$as_echo "#define SANDBOX_SKIP_RLIMIT_FSIZE 1" >>confdefs.h + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +if test "x$sandbox_arg" = "xsystrace" || \ + ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then + test "x$have_systr_policy_kill" != "x1" && \ + as_fn_error $? "systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support" "$LINENO" 5 + SANDBOX_STYLE="systrace" + +$as_echo "#define SANDBOX_SYSTRACE 1" >>confdefs.h + +elif test "x$sandbox_arg" = "xdarwin" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \ + test "x$ac_cv_header_sandbox_h" = "xyes") ; then + test "x$ac_cv_func_sandbox_init" != "xyes" -o \ + "x$ac_cv_header_sandbox_h" != "xyes" && \ + as_fn_error $? "Darwin seatbelt sandbox requires sandbox.h and sandbox_init function" "$LINENO" 5 + SANDBOX_STYLE="darwin" + +$as_echo "#define SANDBOX_DARWIN 1" >>confdefs.h + +elif test "x$sandbox_arg" = "xseccomp_filter" || \ + ( test -z "$sandbox_arg" && \ + test "x$have_seccomp_filter" = "x1" && \ + test "x$ac_cv_header_elf_h" = "xyes" && \ + test "x$ac_cv_header_linux_audit_h" = "xyes" && \ + test "x$ac_cv_header_linux_filter_h" = "xyes" && \ + test "x$seccomp_audit_arch" != "x" && \ + test "x$have_linux_no_new_privs" = "x1" && \ + test "x$ac_cv_func_prctl" = "xyes" ) ; then + test "x$seccomp_audit_arch" = "x" && \ + as_fn_error $? "seccomp_filter sandbox not supported on $host" "$LINENO" 5 + test "x$have_linux_no_new_privs" != "x1" && \ + as_fn_error $? "seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS" "$LINENO" 5 + test "x$have_seccomp_filter" != "x1" && \ + as_fn_error $? "seccomp_filter sandbox requires seccomp headers" "$LINENO" 5 + test "x$ac_cv_func_prctl" != "xyes" && \ + as_fn_error $? "seccomp_filter sandbox requires prctl function" "$LINENO" 5 + SANDBOX_STYLE="seccomp_filter" + +$as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h + +elif test "x$sandbox_arg" = "xcapsicum" || \ + ( test -z "$sandbox_arg" && \ + test "x$ac_cv_header_sys_capability_h" = "xyes" && \ + test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then + test "x$ac_cv_header_sys_capability_h" != "xyes" && \ + as_fn_error $? "capsicum sandbox requires sys/capability.h header" "$LINENO" 5 + test "x$ac_cv_func_cap_rights_limit" != "xyes" && \ + as_fn_error $? "capsicum sandbox requires cap_rights_limit function" "$LINENO" 5 + SANDBOX_STYLE="capsicum" + +$as_echo "#define SANDBOX_CAPSICUM 1" >>confdefs.h + +elif test "x$sandbox_arg" = "xrlimit" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ + test "x$select_works_with_rlimit" = "xyes" && \ + test "x$rlimit_nofile_zero_works" = "xyes" ) ; then + test "x$ac_cv_func_setrlimit" != "xyes" && \ + as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5 + test "x$select_works_with_rlimit" != "xyes" && \ + as_fn_error $? "rlimit sandbox requires select to work with rlimit" "$LINENO" 5 + SANDBOX_STYLE="rlimit" + +$as_echo "#define SANDBOX_RLIMIT 1" >>confdefs.h + +elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ + test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then + SANDBOX_STYLE="none" + +$as_echo "#define SANDBOX_NULL 1" >>confdefs.h + +else + as_fn_error $? "unsupported --with-sandbox" "$LINENO" 5 +fi + +# Cheap hack to ensure NEWS-OS libraries are arranged right. +if test ! -z "$SONY" ; then + LIBS="$LIBS -liberty"; +fi + +# Check for long long datatypes +ac_fn_c_check_type "$LINENO" "long long" "ac_cv_type_long_long" "$ac_includes_default" +if test "x$ac_cv_type_long_long" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_LONG_LONG 1 +_ACEOF + + +fi +ac_fn_c_check_type "$LINENO" "unsigned long long" "ac_cv_type_unsigned_long_long" "$ac_includes_default" +if test "x$ac_cv_type_unsigned_long_long" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_UNSIGNED_LONG_LONG 1 +_ACEOF + + +fi +ac_fn_c_check_type "$LINENO" "long double" "ac_cv_type_long_double" "$ac_includes_default" +if test "x$ac_cv_type_long_double" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_LONG_DOUBLE 1 +_ACEOF + + +fi + + +# Check datatype sizes +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of short int" >&5 +$as_echo_n "checking size of short int... " >&6; } +if ${ac_cv_sizeof_short_int+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (short int))" "ac_cv_sizeof_short_int" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_short_int" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (short int) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_short_int=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_short_int" >&5 +$as_echo "$ac_cv_sizeof_short_int" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_SHORT_INT $ac_cv_sizeof_short_int +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of int" >&5 +$as_echo_n "checking size of int... " >&6; } +if ${ac_cv_sizeof_int+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (int))" "ac_cv_sizeof_int" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_int" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (int) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_int=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_int" >&5 +$as_echo "$ac_cv_sizeof_int" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_INT $ac_cv_sizeof_int +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long int" >&5 +$as_echo_n "checking size of long int... " >&6; } +if ${ac_cv_sizeof_long_int+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long int))" "ac_cv_sizeof_long_int" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_long_int" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (long int) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_long_int=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long_int" >&5 +$as_echo "$ac_cv_sizeof_long_int" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG_INT $ac_cv_sizeof_long_int +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long long int" >&5 +$as_echo_n "checking size of long long int... " >&6; } +if ${ac_cv_sizeof_long_long_int+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long long int))" "ac_cv_sizeof_long_long_int" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_long_long_int" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (long long int) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_long_long_int=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long_long_int" >&5 +$as_echo "$ac_cv_sizeof_long_long_int" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG_LONG_INT $ac_cv_sizeof_long_long_int +_ACEOF + + + +# Sanity check long long for some platforms (AIX) +if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then + ac_cv_sizeof_long_long_int=0 +fi + +# compute LLONG_MIN and LLONG_MAX if we don't know them. +if test -z "$have_llong_max"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for max value of long long" >&5 +$as_echo_n "checking for max value of long long... " >&6; } + if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking" >&5 +$as_echo "$as_me: WARNING: cross compiling: not checking" >&2;} + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +/* Why is this so damn hard? */ +#ifdef __GNUC__ +# undef __GNUC__ +#endif +#define __USE_ISOC99 +#include +#define DATA "conftest.llminmax" +#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a)) + +/* + * printf in libc on some platforms (eg old Tru64) does not understand %lld so + * we do this the hard way. + */ +static int +fprint_ll(FILE *f, long long n) +{ + unsigned int i; + int l[sizeof(long long) * 8]; + + if (n < 0) + if (fprintf(f, "-") < 0) + return -1; + for (i = 0; n != 0; i++) { + l[i] = my_abs(n % 10); + n /= 10; + } + do { + if (fprintf(f, "%d", l[--i]) < 0) + return -1; + } while (i != 0); + if (fprintf(f, " ") < 0) + return -1; + return 0; +} + +int +main () +{ + + FILE *f; + long long i, llmin, llmax = 0; + + if((f = fopen(DATA,"w")) == NULL) + exit(1); + +#if defined(LLONG_MIN) && defined(LLONG_MAX) + fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n"); + llmin = LLONG_MIN; + llmax = LLONG_MAX; +#else + fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n"); + /* This will work on one's complement and two's complement */ + for (i = 1; i > llmax; i <<= 1, i++) + llmax = i; + llmin = llmax + 1LL; /* wrap */ +#endif + + /* Sanity check */ + if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax + || llmax - 1 > llmax || llmin == llmax || llmin == 0 + || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) { + fprintf(f, "unknown unknown\n"); + exit(2); + } + + if (fprint_ll(f, llmin) < 0) + exit(3); + if (fprint_ll(f, llmax) < 0) + exit(4); + if (fclose(f) < 0) + exit(5); + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + llong_min=`$AWK '{print $1}' conftest.llminmax` + llong_max=`$AWK '{print $2}' conftest.llminmax` + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $llong_max" >&5 +$as_echo "$llong_max" >&6; } + +cat >>confdefs.h <<_ACEOF +#define LLONG_MAX ${llong_max}LL +_ACEOF + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for min value of long long" >&5 +$as_echo_n "checking for min value of long long... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $llong_min" >&5 +$as_echo "$llong_min" >&6; } + +cat >>confdefs.h <<_ACEOF +#define LLONG_MIN ${llong_min}LL +_ACEOF + + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 +$as_echo "not found" >&6; } + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi + + +# More checks for data types +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for u_int type" >&5 +$as_echo_n "checking for u_int type... " >&6; } +if ${ac_cv_have_u_int+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + u_int a; a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_u_int="yes" +else + ac_cv_have_u_int="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_u_int" >&5 +$as_echo "$ac_cv_have_u_int" >&6; } +if test "x$ac_cv_have_u_int" = "xyes" ; then + +$as_echo "#define HAVE_U_INT 1" >>confdefs.h + + have_u_int=1 +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for intXX_t types" >&5 +$as_echo_n "checking for intXX_t types... " >&6; } +if ${ac_cv_have_intxx_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + int8_t a; int16_t b; int32_t c; a = b = c = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_intxx_t="yes" +else + ac_cv_have_intxx_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_intxx_t" >&5 +$as_echo "$ac_cv_have_intxx_t" >&6; } +if test "x$ac_cv_have_intxx_t" = "xyes" ; then + +$as_echo "#define HAVE_INTXX_T 1" >>confdefs.h + + have_intxx_t=1 +fi + +if (test -z "$have_intxx_t" && \ + test "x$ac_cv_header_stdint_h" = "xyes") +then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for intXX_t types in stdint.h" >&5 +$as_echo_n "checking for intXX_t types in stdint.h... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + int8_t a; int16_t b; int32_t c; a = b = c = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + $as_echo "#define HAVE_INTXX_T 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for int64_t type" >&5 +$as_echo_n "checking for int64_t type... " >&6; } +if ${ac_cv_have_int64_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#ifdef HAVE_STDINT_H +# include +#endif +#include +#ifdef HAVE_SYS_BITYPES_H +# include +#endif + +int +main () +{ + +int64_t a; a = 1; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_int64_t="yes" +else + ac_cv_have_int64_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_int64_t" >&5 +$as_echo "$ac_cv_have_int64_t" >&6; } +if test "x$ac_cv_have_int64_t" = "xyes" ; then + +$as_echo "#define HAVE_INT64_T 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for u_intXX_t types" >&5 +$as_echo_n "checking for u_intXX_t types... " >&6; } +if ${ac_cv_have_u_intxx_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_u_intxx_t="yes" +else + ac_cv_have_u_intxx_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_u_intxx_t" >&5 +$as_echo "$ac_cv_have_u_intxx_t" >&6; } +if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then + +$as_echo "#define HAVE_U_INTXX_T 1" >>confdefs.h + + have_u_intxx_t=1 +fi + +if test -z "$have_u_intxx_t" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for u_intXX_t types in sys/socket.h" >&5 +$as_echo_n "checking for u_intXX_t types in sys/socket.h... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + $as_echo "#define HAVE_U_INTXX_T 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for u_int64_t types" >&5 +$as_echo_n "checking for u_int64_t types... " >&6; } +if ${ac_cv_have_u_int64_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + u_int64_t a; a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_u_int64_t="yes" +else + ac_cv_have_u_int64_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_u_int64_t" >&5 +$as_echo "$ac_cv_have_u_int64_t" >&6; } +if test "x$ac_cv_have_u_int64_t" = "xyes" ; then + +$as_echo "#define HAVE_U_INT64_T 1" >>confdefs.h + + have_u_int64_t=1 +fi + +if (test -z "$have_u_int64_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for u_int64_t type in sys/bitypes.h" >&5 +$as_echo_n "checking for u_int64_t type in sys/bitypes.h... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + u_int64_t a; a = 1 + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + $as_echo "#define HAVE_U_INT64_T 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if test -z "$have_u_intxx_t" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uintXX_t types" >&5 +$as_echo_n "checking for uintXX_t types... " >&6; } +if ${ac_cv_have_uintxx_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include + +int +main () +{ + + uint8_t a; + uint16_t b; + uint32_t c; + a = b = c = 1; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_uintxx_t="yes" +else + ac_cv_have_uintxx_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_uintxx_t" >&5 +$as_echo "$ac_cv_have_uintxx_t" >&6; } + if test "x$ac_cv_have_uintxx_t" = "xyes" ; then + +$as_echo "#define HAVE_UINTXX_T 1" >>confdefs.h + + fi +fi + +if (test -z "$have_uintxx_t" && \ + test "x$ac_cv_header_stdint_h" = "xyes") +then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uintXX_t types in stdint.h" >&5 +$as_echo_n "checking for uintXX_t types in stdint.h... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + $as_echo "#define HAVE_UINTXX_T 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if (test -z "$have_uintxx_t" && \ + test "x$ac_cv_header_inttypes_h" = "xyes") +then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uintXX_t types in inttypes.h" >&5 +$as_echo_n "checking for uintXX_t types in inttypes.h... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + $as_echo "#define HAVE_UINTXX_T 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 +$as_echo_n "checking for intXX_t and u_intXX_t types in sys/bitypes.h... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include + +int +main () +{ + + int8_t a; int16_t b; int32_t c; + u_int8_t e; u_int16_t f; u_int32_t g; + a = b = c = e = f = g = 1; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + $as_echo "#define HAVE_U_INTXX_T 1" >>confdefs.h + + $as_echo "#define HAVE_INTXX_T 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for u_char" >&5 +$as_echo_n "checking for u_char... " >&6; } +if ${ac_cv_have_u_char+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + u_char foo; foo = 125; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_u_char="yes" +else + ac_cv_have_u_char="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_u_char" >&5 +$as_echo "$ac_cv_have_u_char" >&6; } +if test "x$ac_cv_have_u_char" = "xyes" ; then + +$as_echo "#define HAVE_U_CHAR 1" >>confdefs.h + +fi + +ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" " +#include +#include + +" +if test "x$ac_cv_type_intmax_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_INTMAX_T 1 +_ACEOF + + +fi +ac_fn_c_check_type "$LINENO" "uintmax_t" "ac_cv_type_uintmax_t" " +#include +#include + +" +if test "x$ac_cv_type_uintmax_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_UINTMAX_T 1 +_ACEOF + + +fi + + + + ac_fn_c_check_type "$LINENO" "socklen_t" "ac_cv_type_socklen_t" "#include +#include +" +if test "x$ac_cv_type_socklen_t" = xyes; then : + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socklen_t equivalent" >&5 +$as_echo_n "checking for socklen_t equivalent... " >&6; } + if ${curl_cv_socklen_t_equiv+:} false; then : + $as_echo_n "(cached) " >&6 +else + + # Systems have either "struct sockaddr *" or + # "void *" as the second argument to getpeername + curl_cv_socklen_t_equiv= + for arg2 in "struct sockaddr" void; do + for t in int size_t unsigned long "unsigned long"; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include + #include + + int getpeername (int, $arg2 *, $t *); + +int +main () +{ + + $t len; + getpeername(0,0,&len); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + curl_cv_socklen_t_equiv="$t" + break + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + done + + if test "x$curl_cv_socklen_t_equiv" = x; then + as_fn_error $? "Cannot find a type to use in place of socklen_t" "$LINENO" 5 + fi + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $curl_cv_socklen_t_equiv" >&5 +$as_echo "$curl_cv_socklen_t_equiv" >&6; } + +cat >>confdefs.h <<_ACEOF +#define socklen_t $curl_cv_socklen_t_equiv +_ACEOF + +fi + + + +ac_fn_c_check_type "$LINENO" "sig_atomic_t" "ac_cv_type_sig_atomic_t" "#include +" +if test "x$ac_cv_type_sig_atomic_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_SIG_ATOMIC_T 1 +_ACEOF + + +fi + +ac_fn_c_check_type "$LINENO" "fsblkcnt_t" "ac_cv_type_fsblkcnt_t" " +#include +#ifdef HAVE_SYS_BITYPES_H +#include +#endif +#ifdef HAVE_SYS_STATFS_H +#include +#endif +#ifdef HAVE_SYS_STATVFS_H +#include +#endif + +" +if test "x$ac_cv_type_fsblkcnt_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_FSBLKCNT_T 1 +_ACEOF + + +fi +ac_fn_c_check_type "$LINENO" "fsfilcnt_t" "ac_cv_type_fsfilcnt_t" " +#include +#ifdef HAVE_SYS_BITYPES_H +#include +#endif +#ifdef HAVE_SYS_STATFS_H +#include +#endif +#ifdef HAVE_SYS_STATVFS_H +#include +#endif + +" +if test "x$ac_cv_type_fsfilcnt_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_FSFILCNT_T 1 +_ACEOF + + +fi + + +ac_fn_c_check_type "$LINENO" "in_addr_t" "ac_cv_type_in_addr_t" "#include +#include +" +if test "x$ac_cv_type_in_addr_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_IN_ADDR_T 1 +_ACEOF + + +fi +ac_fn_c_check_type "$LINENO" "in_port_t" "ac_cv_type_in_port_t" "#include +#include +" +if test "x$ac_cv_type_in_port_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_IN_PORT_T 1 +_ACEOF + + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for size_t" >&5 +$as_echo_n "checking for size_t... " >&6; } +if ${ac_cv_have_size_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + size_t foo; foo = 1235; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_size_t="yes" +else + ac_cv_have_size_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_size_t" >&5 +$as_echo "$ac_cv_have_size_t" >&6; } +if test "x$ac_cv_have_size_t" = "xyes" ; then + +$as_echo "#define HAVE_SIZE_T 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ssize_t" >&5 +$as_echo_n "checking for ssize_t... " >&6; } +if ${ac_cv_have_ssize_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + ssize_t foo; foo = 1235; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_ssize_t="yes" +else + ac_cv_have_ssize_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_ssize_t" >&5 +$as_echo "$ac_cv_have_ssize_t" >&6; } +if test "x$ac_cv_have_ssize_t" = "xyes" ; then + +$as_echo "#define HAVE_SSIZE_T 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_t" >&5 +$as_echo_n "checking for clock_t... " >&6; } +if ${ac_cv_have_clock_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + clock_t foo; foo = 1235; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_clock_t="yes" +else + ac_cv_have_clock_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_clock_t" >&5 +$as_echo "$ac_cv_have_clock_t" >&6; } +if test "x$ac_cv_have_clock_t" = "xyes" ; then + +$as_echo "#define HAVE_CLOCK_T 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sa_family_t" >&5 +$as_echo_n "checking for sa_family_t... " >&6; } +if ${ac_cv_have_sa_family_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + sa_family_t foo; foo = 1235; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_sa_family_t="yes" +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include + +int +main () +{ + sa_family_t foo; foo = 1235; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_sa_family_t="yes" +else + ac_cv_have_sa_family_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_sa_family_t" >&5 +$as_echo "$ac_cv_have_sa_family_t" >&6; } +if test "x$ac_cv_have_sa_family_t" = "xyes" ; then + +$as_echo "#define HAVE_SA_FAMILY_T 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pid_t" >&5 +$as_echo_n "checking for pid_t... " >&6; } +if ${ac_cv_have_pid_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + pid_t foo; foo = 1235; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_pid_t="yes" +else + ac_cv_have_pid_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_pid_t" >&5 +$as_echo "$ac_cv_have_pid_t" >&6; } +if test "x$ac_cv_have_pid_t" = "xyes" ; then + +$as_echo "#define HAVE_PID_T 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for mode_t" >&5 +$as_echo_n "checking for mode_t... " >&6; } +if ${ac_cv_have_mode_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + mode_t foo; foo = 1235; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_mode_t="yes" +else + ac_cv_have_mode_t="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_mode_t" >&5 +$as_echo "$ac_cv_have_mode_t" >&6; } +if test "x$ac_cv_have_mode_t" = "xyes" ; then + +$as_echo "#define HAVE_MODE_T 1" >>confdefs.h + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct sockaddr_storage" >&5 +$as_echo_n "checking for struct sockaddr_storage... " >&6; } +if ${ac_cv_have_struct_sockaddr_storage+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + struct sockaddr_storage s; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_struct_sockaddr_storage="yes" +else + ac_cv_have_struct_sockaddr_storage="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_struct_sockaddr_storage" >&5 +$as_echo "$ac_cv_have_struct_sockaddr_storage" >&6; } +if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then + +$as_echo "#define HAVE_STRUCT_SOCKADDR_STORAGE 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct sockaddr_in6" >&5 +$as_echo_n "checking for struct sockaddr_in6... " >&6; } +if ${ac_cv_have_struct_sockaddr_in6+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + struct sockaddr_in6 s; s.sin6_family = 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_struct_sockaddr_in6="yes" +else + ac_cv_have_struct_sockaddr_in6="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_struct_sockaddr_in6" >&5 +$as_echo "$ac_cv_have_struct_sockaddr_in6" >&6; } +if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then + +$as_echo "#define HAVE_STRUCT_SOCKADDR_IN6 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct in6_addr" >&5 +$as_echo_n "checking for struct in6_addr... " >&6; } +if ${ac_cv_have_struct_in6_addr+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + struct in6_addr s; s.s6_addr[0] = 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_struct_in6_addr="yes" +else + ac_cv_have_struct_in6_addr="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_struct_in6_addr" >&5 +$as_echo "$ac_cv_have_struct_in6_addr" >&6; } +if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then + +$as_echo "#define HAVE_STRUCT_IN6_ADDR 1" >>confdefs.h + + + ac_fn_c_check_member "$LINENO" "struct sockaddr_in6" "sin6_scope_id" "ac_cv_member_struct_sockaddr_in6_sin6_scope_id" " +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#include + +" +if test "x$ac_cv_member_struct_sockaddr_in6_sin6_scope_id" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID 1 +_ACEOF + + +fi + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct addrinfo" >&5 +$as_echo_n "checking for struct addrinfo... " >&6; } +if ${ac_cv_have_struct_addrinfo+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include + +int +main () +{ + struct addrinfo s; s.ai_flags = AI_PASSIVE; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_struct_addrinfo="yes" +else + ac_cv_have_struct_addrinfo="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_struct_addrinfo" >&5 +$as_echo "$ac_cv_have_struct_addrinfo" >&6; } +if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then + +$as_echo "#define HAVE_STRUCT_ADDRINFO 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct timeval" >&5 +$as_echo_n "checking for struct timeval... " >&6; } +if ${ac_cv_have_struct_timeval+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + struct timeval tv; tv.tv_sec = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_struct_timeval="yes" +else + ac_cv_have_struct_timeval="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_struct_timeval" >&5 +$as_echo "$ac_cv_have_struct_timeval" >&6; } +if test "x$ac_cv_have_struct_timeval" = "xyes" ; then + +$as_echo "#define HAVE_STRUCT_TIMEVAL 1" >>confdefs.h + + have_struct_timeval=1 +fi + +ac_fn_c_check_type "$LINENO" "struct timespec" "ac_cv_type_struct_timespec" "$ac_includes_default" +if test "x$ac_cv_type_struct_timespec" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_TIMESPEC 1 +_ACEOF + + +fi + + +# We need int64_t or else certian parts of the compile will fail. +if test "x$ac_cv_have_int64_t" = "xno" && \ + test "x$ac_cv_sizeof_long_int" != "x8" && \ + test "x$ac_cv_sizeof_long_long_int" = "x0" ; then + echo "OpenSSH requires int64_t support. Contact your vendor or install" + echo "an alternative compiler (I.E., GCC) before continuing." + echo "" + exit 1; +else + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: Assuming working snprintf()" >&5 +$as_echo "$as_me: WARNING: cross compiling: Assuming working snprintf()" >&2;} + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#ifdef HAVE_SNPRINTF +main() +{ + char buf[50]; + char expected_out[50]; + int mazsize = 50 ; +#if (SIZEOF_LONG_INT == 8) + long int num = 0x7fffffffffffffff; +#else + long long num = 0x7fffffffffffffffll; +#endif + strcpy(expected_out, "9223372036854775807"); + snprintf(buf, mazsize, "%lld", num); + if(strcmp(buf, expected_out) != 0) + exit(1); + exit(0); +} +#else +main() { exit(0); } +#endif + +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + true +else + $as_echo "#define BROKEN_SNPRINTF 1" >>confdefs.h + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi + + +# look for field 'ut_host' in header 'utmp.h' + ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_host field in utmp.h" >&5 +$as_echo_n "checking for ut_host field in utmp.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_host" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_HOST_IN_UTMP 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_host' in header 'utmpx.h' + ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_host field in utmpx.h" >&5 +$as_echo_n "checking for ut_host field in utmpx.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_host" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_HOST_IN_UTMPX 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'syslen' in header 'utmpx.h' + ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"syslen + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for syslen field in utmpx.h" >&5 +$as_echo_n "checking for syslen field in utmpx.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "syslen" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_SYSLEN_IN_UTMPX 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_pid' in header 'utmp.h' + ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_pid + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_pid field in utmp.h" >&5 +$as_echo_n "checking for ut_pid field in utmp.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_pid" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_PID_IN_UTMP 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_type' in header 'utmp.h' + ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_type field in utmp.h" >&5 +$as_echo_n "checking for ut_type field in utmp.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_type" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_TYPE_IN_UTMP 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_type' in header 'utmpx.h' + ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_type field in utmpx.h" >&5 +$as_echo_n "checking for ut_type field in utmpx.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_type" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_TYPE_IN_UTMPX 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_tv' in header 'utmp.h' + ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_tv field in utmp.h" >&5 +$as_echo_n "checking for ut_tv field in utmp.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_tv" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_TV_IN_UTMP 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_id' in header 'utmp.h' + ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_id field in utmp.h" >&5 +$as_echo_n "checking for ut_id field in utmp.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_id" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_ID_IN_UTMP 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_id' in header 'utmpx.h' + ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_id field in utmpx.h" >&5 +$as_echo_n "checking for ut_id field in utmpx.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_id" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_ID_IN_UTMPX 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_addr' in header 'utmp.h' + ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_addr field in utmp.h" >&5 +$as_echo_n "checking for ut_addr field in utmp.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_addr" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_ADDR_IN_UTMP 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_addr' in header 'utmpx.h' + ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_addr field in utmpx.h" >&5 +$as_echo_n "checking for ut_addr field in utmpx.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_addr" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_ADDR_IN_UTMPX 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_addr_v6' in header 'utmp.h' + ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_addr_v6 field in utmp.h" >&5 +$as_echo_n "checking for ut_addr_v6 field in utmp.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_addr_v6" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_ADDR_V6_IN_UTMP 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_addr_v6' in header 'utmpx.h' + ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_addr_v6 field in utmpx.h" >&5 +$as_echo_n "checking for ut_addr_v6 field in utmpx.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_addr_v6" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_ADDR_V6_IN_UTMPX 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_exit' in header 'utmp.h' + ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_exit + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_exit field in utmp.h" >&5 +$as_echo_n "checking for ut_exit field in utmp.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_exit" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_EXIT_IN_UTMP 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_time' in header 'utmp.h' + ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_time field in utmp.h" >&5 +$as_echo_n "checking for ut_time field in utmp.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_time" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_TIME_IN_UTMP 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_time' in header 'utmpx.h' + ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_time field in utmpx.h" >&5 +$as_echo_n "checking for ut_time field in utmpx.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_time" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_TIME_IN_UTMPX 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +# look for field 'ut_tv' in header 'utmpx.h' + ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ut_tv field in utmpx.h" >&5 +$as_echo_n "checking for ut_tv field in utmpx.h... " >&6; } + if eval \${$ossh_varname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "ut_tv" >/dev/null 2>&1; then : + eval "$ossh_varname=yes" +else + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ossh_result" >&5 +$as_echo "$ossh_result" >&6; } + if test "x$ossh_result" = "xyes"; then + +$as_echo "#define HAVE_TV_IN_UTMPX 1" >>confdefs.h + + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + + +ac_fn_c_check_member "$LINENO" "struct stat" "st_blksize" "ac_cv_member_struct_stat_st_blksize" "$ac_includes_default" +if test "x$ac_cv_member_struct_stat_st_blksize" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_STAT_ST_BLKSIZE 1 +_ACEOF + + +fi + +ac_fn_c_check_member "$LINENO" "struct passwd" "pw_gecos" "ac_cv_member_struct_passwd_pw_gecos" " +#include +#include + +" +if test "x$ac_cv_member_struct_passwd_pw_gecos" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_PASSWD_PW_GECOS 1 +_ACEOF + + +fi +ac_fn_c_check_member "$LINENO" "struct passwd" "pw_class" "ac_cv_member_struct_passwd_pw_class" " +#include +#include + +" +if test "x$ac_cv_member_struct_passwd_pw_class" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_PASSWD_PW_CLASS 1 +_ACEOF + + +fi +ac_fn_c_check_member "$LINENO" "struct passwd" "pw_change" "ac_cv_member_struct_passwd_pw_change" " +#include +#include + +" +if test "x$ac_cv_member_struct_passwd_pw_change" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_PASSWD_PW_CHANGE 1 +_ACEOF + + +fi +ac_fn_c_check_member "$LINENO" "struct passwd" "pw_expire" "ac_cv_member_struct_passwd_pw_expire" " +#include +#include + +" +if test "x$ac_cv_member_struct_passwd_pw_expire" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_PASSWD_PW_EXPIRE 1 +_ACEOF + + +fi + + +ac_fn_c_check_member "$LINENO" "struct __res_state" "retrans" "ac_cv_member_struct___res_state_retrans" " +#include +#if HAVE_SYS_TYPES_H +# include +#endif +#include +#include +#include + +" +if test "x$ac_cv_member_struct___res_state_retrans" = xyes; then : + +else + +$as_echo "#define __res_state state" >>confdefs.h + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ss_family field in struct sockaddr_storage" >&5 +$as_echo_n "checking for ss_family field in struct sockaddr_storage... " >&6; } +if ${ac_cv_have_ss_family_in_struct_ss+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + struct sockaddr_storage s; s.ss_family = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_ss_family_in_struct_ss="yes" +else + ac_cv_have_ss_family_in_struct_ss="no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_ss_family_in_struct_ss" >&5 +$as_echo "$ac_cv_have_ss_family_in_struct_ss" >&6; } +if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then + +$as_echo "#define HAVE_SS_FAMILY_IN_SS 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __ss_family field in struct sockaddr_storage" >&5 +$as_echo_n "checking for __ss_family field in struct sockaddr_storage... " >&6; } +if ${ac_cv_have___ss_family_in_struct_ss+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + struct sockaddr_storage s; s.__ss_family = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have___ss_family_in_struct_ss="yes" +else + ac_cv_have___ss_family_in_struct_ss="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have___ss_family_in_struct_ss" >&5 +$as_echo "$ac_cv_have___ss_family_in_struct_ss" >&6; } +if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then + +$as_echo "#define HAVE___SS_FAMILY_IN_SS 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for msg_accrights field in struct msghdr" >&5 +$as_echo_n "checking for msg_accrights field in struct msghdr... " >&6; } +if ${ac_cv_have_accrights_in_msghdr+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include + +int +main () +{ + +#ifdef msg_accrights +#error "msg_accrights is a macro" +exit(1); +#endif +struct msghdr m; +m.msg_accrights = 0; +exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_accrights_in_msghdr="yes" +else + ac_cv_have_accrights_in_msghdr="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_accrights_in_msghdr" >&5 +$as_echo "$ac_cv_have_accrights_in_msghdr" >&6; } +if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then + +$as_echo "#define HAVE_ACCRIGHTS_IN_MSGHDR 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if struct statvfs.f_fsid is integral type" >&5 +$as_echo_n "checking if struct statvfs.f_fsid is integral type... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#ifdef HAVE_SYS_TIME_H +# include +#endif +#ifdef HAVE_SYS_MOUNT_H +#include +#endif +#ifdef HAVE_SYS_STATVFS_H +#include +#endif + +int +main () +{ + struct statvfs s; s.f_fsid = 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if fsid_t has member val" >&5 +$as_echo_n "checking if fsid_t has member val... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + fsid_t t; t.val[0] = 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define FSID_HAS_VAL 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if f_fsid has member __val" >&5 +$as_echo_n "checking if f_fsid has member __val... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + fsid_t t; t.__val[0] = 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define FSID_HAS___VAL 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for msg_control field in struct msghdr" >&5 +$as_echo_n "checking for msg_control field in struct msghdr... " >&6; } +if ${ac_cv_have_control_in_msghdr+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include + +int +main () +{ + +#ifdef msg_control +#error "msg_control is a macro" +exit(1); +#endif +struct msghdr m; +m.msg_control = 0; +exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_have_control_in_msghdr="yes" +else + ac_cv_have_control_in_msghdr="no" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_control_in_msghdr" >&5 +$as_echo "$ac_cv_have_control_in_msghdr" >&6; } +if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then + +$as_echo "#define HAVE_CONTROL_IN_MSGHDR 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if libc defines __progname" >&5 +$as_echo_n "checking if libc defines __progname... " >&6; } +if ${ac_cv_libc_defines___progname+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + extern char *__progname; printf("%s", __progname); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_libc_defines___progname="yes" +else + ac_cv_libc_defines___progname="no" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_libc_defines___progname" >&5 +$as_echo "$ac_cv_libc_defines___progname" >&6; } +if test "x$ac_cv_libc_defines___progname" = "xyes" ; then + +$as_echo "#define HAVE___PROGNAME 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC implements __FUNCTION__" >&5 +$as_echo_n "checking whether $CC implements __FUNCTION__... " >&6; } +if ${ac_cv_cc_implements___FUNCTION__+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + printf("%s", __FUNCTION__); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_cc_implements___FUNCTION__="yes" +else + ac_cv_cc_implements___FUNCTION__="no" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cc_implements___FUNCTION__" >&5 +$as_echo "$ac_cv_cc_implements___FUNCTION__" >&6; } +if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then + +$as_echo "#define HAVE___FUNCTION__ 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC implements __func__" >&5 +$as_echo_n "checking whether $CC implements __func__... " >&6; } +if ${ac_cv_cc_implements___func__+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + printf("%s", __func__); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_cc_implements___func__="yes" +else + ac_cv_cc_implements___func__="no" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cc_implements___func__" >&5 +$as_echo "$ac_cv_cc_implements___func__" >&6; } +if test "x$ac_cv_cc_implements___func__" = "xyes" ; then + +$as_echo "#define HAVE___func__ 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether va_copy exists" >&5 +$as_echo_n "checking whether va_copy exists... " >&6; } +if ${ac_cv_have_va_copy+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +va_list x,y; + +int +main () +{ + va_copy(x,y); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_have_va_copy="yes" +else + ac_cv_have_va_copy="no" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_va_copy" >&5 +$as_echo "$ac_cv_have_va_copy" >&6; } +if test "x$ac_cv_have_va_copy" = "xyes" ; then + +$as_echo "#define HAVE_VA_COPY 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether __va_copy exists" >&5 +$as_echo_n "checking whether __va_copy exists... " >&6; } +if ${ac_cv_have___va_copy+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +va_list x,y; + +int +main () +{ + __va_copy(x,y); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_have___va_copy="yes" +else + ac_cv_have___va_copy="no" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have___va_copy" >&5 +$as_echo "$ac_cv_have___va_copy" >&6; } +if test "x$ac_cv_have___va_copy" = "xyes" ; then + +$as_echo "#define HAVE___VA_COPY 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether getopt has optreset support" >&5 +$as_echo_n "checking whether getopt has optreset support... " >&6; } +if ${ac_cv_have_getopt_optreset+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + extern int optreset; optreset = 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_have_getopt_optreset="yes" +else + ac_cv_have_getopt_optreset="no" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_getopt_optreset" >&5 +$as_echo "$ac_cv_have_getopt_optreset" >&6; } +if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then + +$as_echo "#define HAVE_GETOPT_OPTRESET 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if libc defines sys_errlist" >&5 +$as_echo_n "checking if libc defines sys_errlist... " >&6; } +if ${ac_cv_libc_defines_sys_errlist+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_libc_defines_sys_errlist="yes" +else + ac_cv_libc_defines_sys_errlist="no" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_libc_defines_sys_errlist" >&5 +$as_echo "$ac_cv_libc_defines_sys_errlist" >&6; } +if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then + +$as_echo "#define HAVE_SYS_ERRLIST 1" >>confdefs.h + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if libc defines sys_nerr" >&5 +$as_echo_n "checking if libc defines sys_nerr... " >&6; } +if ${ac_cv_libc_defines_sys_nerr+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + extern int sys_nerr; printf("%i", sys_nerr); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_libc_defines_sys_nerr="yes" +else + ac_cv_libc_defines_sys_nerr="no" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_libc_defines_sys_nerr" >&5 +$as_echo "$ac_cv_libc_defines_sys_nerr" >&6; } +if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then + +$as_echo "#define HAVE_SYS_NERR 1" >>confdefs.h + +fi + +# Check libraries needed by DNS fingerprint support +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing getrrsetbyname" >&5 +$as_echo_n "checking for library containing getrrsetbyname... " >&6; } +if ${ac_cv_search_getrrsetbyname+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char getrrsetbyname (); +int +main () +{ +return getrrsetbyname (); + ; + return 0; +} +_ACEOF +for ac_lib in '' resolv; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_getrrsetbyname=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_getrrsetbyname+:} false; then : + break +fi +done +if ${ac_cv_search_getrrsetbyname+:} false; then : + +else + ac_cv_search_getrrsetbyname=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_getrrsetbyname" >&5 +$as_echo "$ac_cv_search_getrrsetbyname" >&6; } +ac_res=$ac_cv_search_getrrsetbyname +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define HAVE_GETRRSETBYNAME 1" >>confdefs.h + +else + + # Needed by our getrrsetbyname() + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing res_query" >&5 +$as_echo_n "checking for library containing res_query... " >&6; } +if ${ac_cv_search_res_query+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char res_query (); +int +main () +{ +return res_query (); + ; + return 0; +} +_ACEOF +for ac_lib in '' resolv; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_res_query=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_res_query+:} false; then : + break +fi +done +if ${ac_cv_search_res_query+:} false; then : + +else + ac_cv_search_res_query=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_res_query" >&5 +$as_echo "$ac_cv_search_res_query" >&6; } +ac_res=$ac_cv_search_res_query +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dn_expand" >&5 +$as_echo_n "checking for library containing dn_expand... " >&6; } +if ${ac_cv_search_dn_expand+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dn_expand (); +int +main () +{ +return dn_expand (); + ; + return 0; +} +_ACEOF +for ac_lib in '' resolv; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_dn_expand=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_dn_expand+:} false; then : + break +fi +done +if ${ac_cv_search_dn_expand+:} false; then : + +else + ac_cv_search_dn_expand=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dn_expand" >&5 +$as_echo "$ac_cv_search_dn_expand" >&6; } +ac_res=$ac_cv_search_dn_expand +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if res_query will link" >&5 +$as_echo_n "checking if res_query will link... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +#include + +int +main () +{ + + res_query (0, 0, 0, 0, 0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + saved_LIBS="$LIBS" + LIBS="$LIBS -lresolv" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for res_query in -lresolv" >&5 +$as_echo_n "checking for res_query in -lresolv... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#include +#include +#include + +int +main () +{ + + res_query (0, 0, 0, 0, 0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + LIBS="$saved_LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + for ac_func in _getshort _getlong +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + ac_fn_c_check_decl "$LINENO" "_getshort" "ac_cv_have_decl__getshort" "#include + #include +" +if test "x$ac_cv_have_decl__getshort" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL__GETSHORT $ac_have_decl +_ACEOF +ac_fn_c_check_decl "$LINENO" "_getlong" "ac_cv_have_decl__getlong" "#include + #include +" +if test "x$ac_cv_have_decl__getlong" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL__GETLONG $ac_have_decl +_ACEOF + + ac_fn_c_check_member "$LINENO" "HEADER" "ad" "ac_cv_member_HEADER_ad" "#include +" +if test "x$ac_cv_member_HEADER_ad" = xyes; then : + +$as_echo "#define HAVE_HEADER_AD 1" >>confdefs.h + +fi + + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if struct __res_state _res is an extern" >&5 +$as_echo_n "checking if struct __res_state _res is an extern... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#if HAVE_SYS_TYPES_H +# include +#endif +#include +#include +#include +extern struct __res_state _res; + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE__RES_EXTERN 1" >>confdefs.h + + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +# Check whether user wants SELinux support +SELINUX_MSG="no" +LIBSELINUX="" + +# Check whether --with-selinux was given. +if test "${with_selinux+set}" = set; then : + withval=$with_selinux; if test "x$withval" != "xno" ; then + save_LIBS="$LIBS" + +$as_echo "#define WITH_SELINUX 1" >>confdefs.h + + SELINUX_MSG="yes" + ac_fn_c_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default" +if test "x$ac_cv_header_selinux_selinux_h" = xyes; then : + +else + as_fn_error $? "SELinux support requires selinux.h header" "$LINENO" 5 +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for setexeccon in -lselinux" >&5 +$as_echo_n "checking for setexeccon in -lselinux... " >&6; } +if ${ac_cv_lib_selinux_setexeccon+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lselinux $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char setexeccon (); +int +main () +{ +return setexeccon (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_selinux_setexeccon=yes +else + ac_cv_lib_selinux_setexeccon=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_setexeccon" >&5 +$as_echo "$ac_cv_lib_selinux_setexeccon" >&6; } +if test "x$ac_cv_lib_selinux_setexeccon" = xyes; then : + LIBSELINUX="-lselinux" + LIBS="$LIBS -lselinux" + +else + as_fn_error $? "SELinux support requires libselinux library" "$LINENO" 5 +fi + + SSHLIBS="$SSHLIBS $LIBSELINUX" + SSHDLIBS="$SSHDLIBS $LIBSELINUX" + for ac_func in getseuserbyname get_default_context_with_level +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + LIBS="$save_LIBS" + fi + +fi + + + + +# Check whether user wants Kerberos 5 support +KRB5_MSG="no" + +# Check whether --with-kerberos5 was given. +if test "${with_kerberos5+set}" = set; then : + withval=$with_kerberos5; if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + KRB5ROOT="/usr/local" + else + KRB5ROOT=${withval} + fi + + +$as_echo "#define KRB5 1" >>confdefs.h + + KRB5_MSG="yes" + + # Extract the first word of "krb5-config", so it can be a program name with args. +set dummy krb5-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_KRB5CONF+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $KRB5CONF in + [\\/]* | ?:[\\/]*) + ac_cv_path_KRB5CONF="$KRB5CONF" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +as_dummy="$KRB5ROOT/bin:$PATH" +for as_dir in $as_dummy +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_KRB5CONF="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_path_KRB5CONF" && ac_cv_path_KRB5CONF="$KRB5ROOT/bin/krb5-config" + ;; +esac +fi +KRB5CONF=$ac_cv_path_KRB5CONF +if test -n "$KRB5CONF"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5CONF" >&5 +$as_echo "$KRB5CONF" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test -x $KRB5CONF ; then + K5CFLAGS="`$KRB5CONF --cflags`" + K5LIBS="`$KRB5CONF --libs`" + CPPFLAGS="$CPPFLAGS $K5CFLAGS" + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gssapi support" >&5 +$as_echo_n "checking for gssapi support... " >&6; } + if $KRB5CONF | grep gssapi >/dev/null ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define GSSAPI 1" >>confdefs.h + + GSSCFLAGS="`$KRB5CONF --cflags gssapi`" + GSSLIBS="`$KRB5CONF --libs gssapi`" + CPPFLAGS="$CPPFLAGS $GSSCFLAGS" + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5 +$as_echo_n "checking whether we are using Heimdal... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include + +int +main () +{ + char *tmp = heimdal_version; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HEIMDAL 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + else + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include" + LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5 +$as_echo_n "checking whether we are using Heimdal... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include + +int +main () +{ + char *tmp = heimdal_version; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + $as_echo "#define HEIMDAL 1" >>confdefs.h + + K5LIBS="-lkrb5" + K5LIBS="$K5LIBS -lcom_err -lasn1" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for net_write in -lroken" >&5 +$as_echo_n "checking for net_write in -lroken... " >&6; } +if ${ac_cv_lib_roken_net_write+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lroken $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char net_write (); +int +main () +{ +return net_write (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_roken_net_write=yes +else + ac_cv_lib_roken_net_write=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_roken_net_write" >&5 +$as_echo "$ac_cv_lib_roken_net_write" >&6; } +if test "x$ac_cv_lib_roken_net_write" = xyes; then : + K5LIBS="$K5LIBS -lroken" +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for des_cbc_encrypt in -ldes" >&5 +$as_echo_n "checking for des_cbc_encrypt in -ldes... " >&6; } +if ${ac_cv_lib_des_des_cbc_encrypt+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldes $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char des_cbc_encrypt (); +int +main () +{ +return des_cbc_encrypt (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_des_des_cbc_encrypt=yes +else + ac_cv_lib_des_des_cbc_encrypt=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_des_des_cbc_encrypt" >&5 +$as_echo "$ac_cv_lib_des_des_cbc_encrypt" >&6; } +if test "x$ac_cv_lib_des_des_cbc_encrypt" = xyes; then : + K5LIBS="$K5LIBS -ldes" +fi + + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + K5LIBS="-lkrb5 -lk5crypto -lcom_err" + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dn_expand" >&5 +$as_echo_n "checking for library containing dn_expand... " >&6; } +if ${ac_cv_search_dn_expand+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dn_expand (); +int +main () +{ +return dn_expand (); + ; + return 0; +} +_ACEOF +for ac_lib in '' resolv; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_dn_expand=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_dn_expand+:} false; then : + break +fi +done +if ${ac_cv_search_dn_expand+:} false; then : + +else + ac_cv_search_dn_expand=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dn_expand" >&5 +$as_echo "$ac_cv_search_dn_expand" >&6; } +ac_res=$ac_cv_search_dn_expand +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgssapi_krb5" >&5 +$as_echo_n "checking for gss_init_sec_context in -lgssapi_krb5... " >&6; } +if ${ac_cv_lib_gssapi_krb5_gss_init_sec_context+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lgssapi_krb5 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char gss_init_sec_context (); +int +main () +{ +return gss_init_sec_context (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_gssapi_krb5_gss_init_sec_context=yes +else + ac_cv_lib_gssapi_krb5_gss_init_sec_context=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&5 +$as_echo "$ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&6; } +if test "x$ac_cv_lib_gssapi_krb5_gss_init_sec_context" = xyes; then : + $as_echo "#define GSSAPI 1" >>confdefs.h + + GSSLIBS="-lgssapi_krb5" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgssapi" >&5 +$as_echo_n "checking for gss_init_sec_context in -lgssapi... " >&6; } +if ${ac_cv_lib_gssapi_gss_init_sec_context+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lgssapi $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char gss_init_sec_context (); +int +main () +{ +return gss_init_sec_context (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_gssapi_gss_init_sec_context=yes +else + ac_cv_lib_gssapi_gss_init_sec_context=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gssapi_gss_init_sec_context" >&5 +$as_echo "$ac_cv_lib_gssapi_gss_init_sec_context" >&6; } +if test "x$ac_cv_lib_gssapi_gss_init_sec_context" = xyes; then : + $as_echo "#define GSSAPI 1" >>confdefs.h + + GSSLIBS="-lgssapi" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgss" >&5 +$as_echo_n "checking for gss_init_sec_context in -lgss... " >&6; } +if ${ac_cv_lib_gss_gss_init_sec_context+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lgss $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char gss_init_sec_context (); +int +main () +{ +return gss_init_sec_context (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_gss_gss_init_sec_context=yes +else + ac_cv_lib_gss_gss_init_sec_context=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gss_gss_init_sec_context" >&5 +$as_echo "$ac_cv_lib_gss_gss_init_sec_context" >&6; } +if test "x$ac_cv_lib_gss_gss_init_sec_context" = xyes; then : + $as_echo "#define GSSAPI 1" >>confdefs.h + + GSSLIBS="-lgss" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find any suitable gss-api library - build may fail" >&5 +$as_echo "$as_me: WARNING: Cannot find any suitable gss-api library - build may fail" >&2;} +fi + + +fi + + +fi + + + ac_fn_c_check_header_mongrel "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default" +if test "x$ac_cv_header_gssapi_h" = xyes; then : + +else + unset ac_cv_header_gssapi_h + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + for ac_header in gssapi.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default" +if test "x$ac_cv_header_gssapi_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_GSSAPI_H 1 +_ACEOF + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find any suitable gss-api header - build may fail" >&5 +$as_echo "$as_me: WARNING: Cannot find any suitable gss-api header - build may fail" >&2;} + +fi + +done + + + +fi + + + + oldCPP="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + ac_fn_c_check_header_mongrel "$LINENO" "gssapi_krb5.h" "ac_cv_header_gssapi_krb5_h" "$ac_includes_default" +if test "x$ac_cv_header_gssapi_krb5_h" = xyes; then : + +else + CPPFLAGS="$oldCPP" +fi + + + + fi + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${KRB5ROOT}/lib" + fi + + for ac_header in gssapi.h gssapi/gssapi.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + for ac_header in gssapi_generic.h gssapi/gssapi_generic.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing k_hasafs" >&5 +$as_echo_n "checking for library containing k_hasafs... " >&6; } +if ${ac_cv_search_k_hasafs+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char k_hasafs (); +int +main () +{ +return k_hasafs (); + ; + return 0; +} +_ACEOF +for ac_lib in '' kafs; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_k_hasafs=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_k_hasafs+:} false; then : + break +fi +done +if ${ac_cv_search_k_hasafs+:} false; then : + +else + ac_cv_search_k_hasafs=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_k_hasafs" >&5 +$as_echo "$ac_cv_search_k_hasafs" >&6; } +ac_res=$ac_cv_search_k_hasafs +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define USE_AFS 1" >>confdefs.h + +fi + + + ac_fn_c_check_decl "$LINENO" "GSS_C_NT_HOSTBASED_SERVICE" "ac_cv_have_decl_GSS_C_NT_HOSTBASED_SERVICE" " +#ifdef HAVE_GSSAPI_H +# include +#elif defined(HAVE_GSSAPI_GSSAPI_H) +# include +#endif + +#ifdef HAVE_GSSAPI_GENERIC_H +# include +#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H) +# include +#endif + +" +if test "x$ac_cv_have_decl_GSS_C_NT_HOSTBASED_SERVICE" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE $ac_have_decl +_ACEOF + + saved_LIBS="$LIBS" + LIBS="$LIBS $K5LIBS" + for ac_func in krb5_cc_new_unique krb5_get_error_message krb5_free_error_message +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + LIBS="$saved_LIBS" + + fi + + +fi + + + + +# Looking for programs, paths and files + +PRIVSEP_PATH=/var/empty + +# Check whether --with-privsep-path was given. +if test "${with_privsep_path+set}" = set; then : + withval=$with_privsep_path; + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + PRIVSEP_PATH=$withval + fi + + +fi + + + + +# Check whether --with-xauth was given. +if test "${with_xauth+set}" = set; then : + withval=$with_xauth; + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + xauth_path=$withval + fi + +else + + TestPath="$PATH" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin" + # Extract the first word of "xauth", so it can be a program name with args. +set dummy xauth; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_xauth_path+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $xauth_path in + [\\/]* | ?:[\\/]*) + ac_cv_path_xauth_path="$xauth_path" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $TestPath +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_xauth_path="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +xauth_path=$ac_cv_path_xauth_path +if test -n "$xauth_path"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $xauth_path" >&5 +$as_echo "$xauth_path" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then + xauth_path="/usr/openwin/bin/xauth" + fi + + +fi + + +STRIP_OPT=-s +# Check whether --enable-strip was given. +if test "${enable_strip+set}" = set; then : + enableval=$enable_strip; + if test "x$enableval" = "xno" ; then + STRIP_OPT= + fi + + +fi + + + +if test -z "$xauth_path" ; then + XAUTH_PATH="undefined" + +else + +cat >>confdefs.h <<_ACEOF +#define XAUTH_PATH "$xauth_path" +_ACEOF + + XAUTH_PATH=$xauth_path + +fi + +# Check for mail directory + +# Check whether --with-maildir was given. +if test "${with_maildir+set}" = set; then : + withval=$with_maildir; + if test "X$withval" != X && test "x$withval" != xno && \ + test "x${withval}" != xyes; then + +cat >>confdefs.h <<_ACEOF +#define MAIL_DIRECTORY "$withval" +_ACEOF + + fi + +else + + if test "X$maildir" != "X"; then + cat >>confdefs.h <<_ACEOF +#define MAIL_DIRECTORY "$maildir" +_ACEOF + + else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking Discovering system mail directory" >&5 +$as_echo_n "checking Discovering system mail directory... " >&6; } + if test "$cross_compiling" = yes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: use --with-maildir=/path/to/mail" >&5 +$as_echo "$as_me: WARNING: cross compiling: use --with-maildir=/path/to/mail" >&2;} + + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#ifdef HAVE_PATHS_H +#include +#endif +#ifdef HAVE_MAILLOCK_H +#include +#endif +#define DATA "conftest.maildir" + +int +main () +{ + + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + +#if defined (_PATH_MAILDIR) + if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0) + exit(1); +#elif defined (MAILDIR) + if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0) + exit(1); +#elif defined (_PATH_MAIL) + if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0) + exit(1); +#else + exit (2); +#endif + + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + + maildir_what=`awk -F: '{print $1}' conftest.maildir` + maildir=`awk -F: '{print $2}' conftest.maildir \ + | sed 's|/$||'` + { $as_echo "$as_me:${as_lineno-$LINENO}: result: Using: $maildir from $maildir_what" >&5 +$as_echo "Using: $maildir from $maildir_what" >&6; } + if test "x$maildir_what" != "x_PATH_MAILDIR"; then + cat >>confdefs.h <<_ACEOF +#define MAIL_DIRECTORY "$maildir" +_ACEOF + + fi + +else + + if test "X$ac_status" = "X2";then +# our test program didn't find it. Default to /var/spool/mail + { $as_echo "$as_me:${as_lineno-$LINENO}: result: Using: default value of /var/spool/mail" >&5 +$as_echo "Using: default value of /var/spool/mail" >&6; } + cat >>confdefs.h <<_ACEOF +#define MAIL_DIRECTORY "/var/spool/mail" +_ACEOF + + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: *** not found ***" >&5 +$as_echo "*** not found ***" >&6; } + fi + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + fi + + +fi + # maildir + +if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: Disabling /dev/ptmx test" >&5 +$as_echo "$as_me: WARNING: cross compiling: Disabling /dev/ptmx test" >&2;} + disable_ptmx_check=yes +fi +if test -z "$no_dev_ptmx" ; then + if test "x$disable_ptmx_check" != "xyes" ; then + as_ac_File=`$as_echo "ac_cv_file_"/dev/ptmx"" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for \"/dev/ptmx\"" >&5 +$as_echo_n "checking for \"/dev/ptmx\"... " >&6; } +if eval \${$as_ac_File+:} false; then : + $as_echo_n "(cached) " >&6 +else + test "$cross_compiling" = yes && + as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5 +if test -r ""/dev/ptmx""; then + eval "$as_ac_File=yes" +else + eval "$as_ac_File=no" +fi +fi +eval ac_res=\$$as_ac_File + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if eval test \"x\$"$as_ac_File"\" = x"yes"; then : + + +cat >>confdefs.h <<_ACEOF +#define HAVE_DEV_PTMX 1 +_ACEOF + + have_dev_ptmx=1 + + +fi + + fi +fi + +if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then + as_ac_File=`$as_echo "ac_cv_file_"/dev/ptc"" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for \"/dev/ptc\"" >&5 +$as_echo_n "checking for \"/dev/ptc\"... " >&6; } +if eval \${$as_ac_File+:} false; then : + $as_echo_n "(cached) " >&6 +else + test "$cross_compiling" = yes && + as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5 +if test -r ""/dev/ptc""; then + eval "$as_ac_File=yes" +else + eval "$as_ac_File=no" +fi +fi +eval ac_res=\$$as_ac_File + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if eval test \"x\$"$as_ac_File"\" = x"yes"; then : + + +cat >>confdefs.h <<_ACEOF +#define HAVE_DEV_PTS_AND_PTC 1 +_ACEOF + + have_dev_ptc=1 + + +fi + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: Disabling /dev/ptc test" >&5 +$as_echo "$as_me: WARNING: cross compiling: Disabling /dev/ptc test" >&2;} +fi + +# Options from here on. Some of these are preset by platform above + +# Check whether --with-mantype was given. +if test "${with_mantype+set}" = set; then : + withval=$with_mantype; + case "$withval" in + man|cat|doc) + MANTYPE=$withval + ;; + *) + as_fn_error $? "invalid man type: $withval" "$LINENO" 5 + ;; + esac + + +fi + +if test -z "$MANTYPE"; then + TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb" + for ac_prog in nroff awf +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_NROFF+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $NROFF in + [\\/]* | ?:[\\/]*) + ac_cv_path_NROFF="$NROFF" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $TestPath +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_NROFF="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +NROFF=$ac_cv_path_NROFF +if test -n "$NROFF"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NROFF" >&5 +$as_echo "$NROFF" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$NROFF" && break +done +test -n "$NROFF" || NROFF="/bin/false" + + if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=doc + elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=man + else + MANTYPE=cat + fi +fi + +if test "$MANTYPE" = "doc"; then + mansubdir=man; +else + mansubdir=$MANTYPE; +fi + + +# Check whether to enable MD5 passwords +MD5_MSG="no" + +# Check whether --with-md5-passwords was given. +if test "${with_md5_passwords+set}" = set; then : + withval=$with_md5_passwords; + if test "x$withval" != "xno" ; then + +$as_echo "#define HAVE_MD5_PASSWORDS 1" >>confdefs.h + + MD5_MSG="yes" + fi + + +fi + + +# Whether to disable shadow password support + +# Check whether --with-shadow was given. +if test "${with_shadow+set}" = set; then : + withval=$with_shadow; + if test "x$withval" = "xno" ; then + $as_echo "#define DISABLE_SHADOW 1" >>confdefs.h + + disable_shadow=yes + fi + + +fi + + +if test -z "$disable_shadow" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the systems has expire shadow information" >&5 +$as_echo_n "checking if the systems has expire shadow information... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +struct spwd sp; + +int +main () +{ + sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + sp_expire_available=yes +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + if test "x$sp_expire_available" = "xyes" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAS_SHADOW_EXPIRE 1" >>confdefs.h + + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi +fi + +# Use ip address instead of hostname in $DISPLAY +if test ! -z "$IPADDR_IN_DISPLAY" ; then + DISPLAY_HACK_MSG="yes" + +$as_echo "#define IPADDR_IN_DISPLAY 1" >>confdefs.h + +else + DISPLAY_HACK_MSG="no" + +# Check whether --with-ipaddr-display was given. +if test "${with_ipaddr_display+set}" = set; then : + withval=$with_ipaddr_display; + if test "x$withval" != "xno" ; then + $as_echo "#define IPADDR_IN_DISPLAY 1" >>confdefs.h + + DISPLAY_HACK_MSG="yes" + fi + + +fi + +fi + +# check for /etc/default/login and use it if present. +# Check whether --enable-etc-default-login was given. +if test "${enable_etc_default_login+set}" = set; then : + enableval=$enable_etc_default_login; if test "x$enableval" = "xno"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: /etc/default/login handling disabled" >&5 +$as_echo "$as_me: /etc/default/login handling disabled" >&6;} + etc_default_login=no + else + etc_default_login=yes + fi +else + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; + then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking /etc/default/login" >&5 +$as_echo "$as_me: WARNING: cross compiling: not checking /etc/default/login" >&2;} + etc_default_login=no + else + etc_default_login=yes + fi + +fi + + +if test "x$etc_default_login" != "xno"; then + as_ac_File=`$as_echo "ac_cv_file_"/etc/default/login"" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for \"/etc/default/login\"" >&5 +$as_echo_n "checking for \"/etc/default/login\"... " >&6; } +if eval \${$as_ac_File+:} false; then : + $as_echo_n "(cached) " >&6 +else + test "$cross_compiling" = yes && + as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5 +if test -r ""/etc/default/login""; then + eval "$as_ac_File=yes" +else + eval "$as_ac_File=no" +fi +fi +eval ac_res=\$$as_ac_File + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if eval test \"x\$"$as_ac_File"\" = x"yes"; then : + external_path_file=/etc/default/login +fi + + if test "x$external_path_file" = "x/etc/default/login"; then + +$as_echo "#define HAVE_ETC_DEFAULT_LOGIN 1" >>confdefs.h + + fi +fi + +if test $ac_cv_func_login_getcapbool = "yes" && \ + test $ac_cv_header_login_cap_h = "yes" ; then + external_path_file=/etc/login.conf +fi + +# Whether to mess with the default path +SERVER_PATH_MSG="(default)" + +# Check whether --with-default-path was given. +if test "${with_default_path+set}" = set; then : + withval=$with_default_path; + if test "x$external_path_file" = "x/etc/login.conf" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: +--with-default-path=PATH has no effect on this system. +Edit /etc/login.conf instead." >&5 +$as_echo "$as_me: WARNING: +--with-default-path=PATH has no effect on this system. +Edit /etc/login.conf instead." >&2;} + elif test "x$withval" != "xno" ; then + if test ! -z "$external_path_file" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: +--with-default-path=PATH will only be used if PATH is not defined in +$external_path_file ." >&5 +$as_echo "$as_me: WARNING: +--with-default-path=PATH will only be used if PATH is not defined in +$external_path_file ." >&2;} + fi + user_path="$withval" + SERVER_PATH_MSG="$withval" + fi + +else + if test "x$external_path_file" = "x/etc/login.conf" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Make sure the path to scp is in /etc/login.conf" >&5 +$as_echo "$as_me: WARNING: Make sure the path to scp is in /etc/login.conf" >&2;} + else + if test ! -z "$external_path_file" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: +If PATH is defined in $external_path_file, ensure the path to scp is included, +otherwise scp will not work." >&5 +$as_echo "$as_me: WARNING: +If PATH is defined in $external_path_file, ensure the path to scp is included, +otherwise scp will not work." >&2;} + fi + if test "$cross_compiling" = yes; then : + user_path="/usr/bin:/bin:/usr/sbin:/sbin" + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* find out what STDPATH is */ +#include +#ifdef HAVE_PATHS_H +# include +#endif +#ifndef _PATH_STDPATH +# ifdef _PATH_USERPATH /* Irix */ +# define _PATH_STDPATH _PATH_USERPATH +# else +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# endif +#endif +#include +#include +#include +#define DATA "conftest.stdpath" + +int +main () +{ + + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) + exit(1); + + exit(0); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + user_path=`cat conftest.stdpath` +else + user_path="/usr/bin:/bin:/usr/sbin:/sbin" +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +# make sure $bindir is in USER_PATH so scp will work + t_bindir="${bindir}" + while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do + t_bindir=`eval echo ${t_bindir}` + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;; + esac + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;; + esac + done + echo $user_path | grep ":$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + echo $user_path | grep "^$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + user_path=$user_path:$t_bindir + { $as_echo "$as_me:${as_lineno-$LINENO}: result: Adding $t_bindir to USER_PATH so scp will work" >&5 +$as_echo "Adding $t_bindir to USER_PATH so scp will work" >&6; } + fi + fi + fi + +fi + +if test "x$external_path_file" != "x/etc/login.conf" ; then + +cat >>confdefs.h <<_ACEOF +#define USER_PATH "$user_path" +_ACEOF + + +fi + +# Set superuser path separately to user path + +# Check whether --with-superuser-path was given. +if test "${with_superuser_path+set}" = set; then : + withval=$with_superuser_path; + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + +cat >>confdefs.h <<_ACEOF +#define SUPERUSER_PATH "$withval" +_ACEOF + + superuser_path=$withval + fi + + +fi + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 +$as_echo_n "checking if we need to convert IPv4 in IPv6-mapped addresses... " >&6; } +IPV4_IN6_HACK_MSG="no" + +# Check whether --with-4in6 was given. +if test "${with_4in6+set}" = set; then : + withval=$with_4in6; + if test "x$withval" != "xno" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define IPV4_IN_IPV6 1" >>confdefs.h + + IPV4_IN6_HACK_MSG="yes" + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + +else + + if test "x$inet6_default_4in6" = "xyes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes (default)" >&5 +$as_echo "yes (default)" >&6; } + $as_echo "#define IPV4_IN_IPV6 1" >>confdefs.h + + IPV4_IN6_HACK_MSG="yes" + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no (default)" >&5 +$as_echo "no (default)" >&6; } + fi + + +fi + + +# Whether to enable BSD auth support +BSD_AUTH_MSG=no + +# Check whether --with-bsd-auth was given. +if test "${with_bsd_auth+set}" = set; then : + withval=$with_bsd_auth; + if test "x$withval" != "xno" ; then + +$as_echo "#define BSD_AUTH 1" >>confdefs.h + + BSD_AUTH_MSG=yes + fi + + +fi + + +# Where to place sshd.pid +piddir=/var/run +# make sure the directory exists +if test ! -d $piddir ; then + piddir=`eval echo ${sysconfdir}` + case $piddir in + NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; + esac +fi + + +# Check whether --with-pid-dir was given. +if test "${with_pid_dir+set}" = set; then : + withval=$with_pid_dir; + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + piddir=$withval + if test ! -d $piddir ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: ** no $piddir directory on this system **" >&5 +$as_echo "$as_me: WARNING: ** no $piddir directory on this system **" >&2;} + fi + fi + + +fi + + + +cat >>confdefs.h <<_ACEOF +#define _PATH_SSH_PIDDIR "$piddir" +_ACEOF + + + +# Check whether --enable-lastlog was given. +if test "${enable_lastlog+set}" = set; then : + enableval=$enable_lastlog; + if test "x$enableval" = "xno" ; then + $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h + + fi + + +fi + +# Check whether --enable-utmp was given. +if test "${enable_utmp+set}" = set; then : + enableval=$enable_utmp; + if test "x$enableval" = "xno" ; then + $as_echo "#define DISABLE_UTMP 1" >>confdefs.h + + fi + + +fi + +# Check whether --enable-utmpx was given. +if test "${enable_utmpx+set}" = set; then : + enableval=$enable_utmpx; + if test "x$enableval" = "xno" ; then + +$as_echo "#define DISABLE_UTMPX 1" >>confdefs.h + + fi + + +fi + +# Check whether --enable-wtmp was given. +if test "${enable_wtmp+set}" = set; then : + enableval=$enable_wtmp; + if test "x$enableval" = "xno" ; then + $as_echo "#define DISABLE_WTMP 1" >>confdefs.h + + fi + + +fi + +# Check whether --enable-wtmpx was given. +if test "${enable_wtmpx+set}" = set; then : + enableval=$enable_wtmpx; + if test "x$enableval" = "xno" ; then + +$as_echo "#define DISABLE_WTMPX 1" >>confdefs.h + + fi + + +fi + +# Check whether --enable-libutil was given. +if test "${enable_libutil+set}" = set; then : + enableval=$enable_libutil; + if test "x$enableval" = "xno" ; then + $as_echo "#define DISABLE_LOGIN 1" >>confdefs.h + + fi + + +fi + +# Check whether --enable-pututline was given. +if test "${enable_pututline+set}" = set; then : + enableval=$enable_pututline; + if test "x$enableval" = "xno" ; then + +$as_echo "#define DISABLE_PUTUTLINE 1" >>confdefs.h + + fi + + +fi + +# Check whether --enable-pututxline was given. +if test "${enable_pututxline+set}" = set; then : + enableval=$enable_pututxline; + if test "x$enableval" = "xno" ; then + +$as_echo "#define DISABLE_PUTUTXLINE 1" >>confdefs.h + + fi + + +fi + + +# Check whether --with-lastlog was given. +if test "${with_lastlog+set}" = set; then : + withval=$with_lastlog; + if test "x$withval" = "xno" ; then + $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h + + elif test -n "$withval" && test "x${withval}" != "xyes"; then + conf_lastlog_location=$withval + fi + + +fi + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines LASTLOG_FILE" >&5 +$as_echo_n "checking if your system defines LASTLOG_FILE... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif +#ifdef HAVE_LOGIN_H +# include +#endif + +int +main () +{ + char *lastlog = LASTLOG_FILE; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines _PATH_LASTLOG" >&5 +$as_echo_n "checking if your system defines _PATH_LASTLOG... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + +int +main () +{ + char *lastlog = _PATH_LASTLOG; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + system_lastlog_path=no + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +if test -z "$conf_lastlog_location"; then + if test x"$system_lastlog_path" = x"no" ; then + for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do + if (test -d "$f" || test -f "$f") ; then + conf_lastlog_location=$f + fi + done + if test -z "$conf_lastlog_location"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: ** Cannot find lastlog **" >&5 +$as_echo "$as_me: WARNING: ** Cannot find lastlog **" >&2;} + fi + fi +fi + +if test -n "$conf_lastlog_location"; then + +cat >>confdefs.h <<_ACEOF +#define CONF_LASTLOG_FILE "$conf_lastlog_location" +_ACEOF + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines UTMP_FILE" >&5 +$as_echo_n "checking if your system defines UTMP_FILE... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + +int +main () +{ + char *utmp = UTMP_FILE; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + system_utmp_path=no + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +if test -z "$conf_utmp_location"; then + if test x"$system_utmp_path" = x"no" ; then + for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do + if test -f $f ; then + conf_utmp_location=$f + fi + done + if test -z "$conf_utmp_location"; then + $as_echo "#define DISABLE_UTMP 1" >>confdefs.h + + fi + fi +fi +if test -n "$conf_utmp_location"; then + +cat >>confdefs.h <<_ACEOF +#define CONF_UTMP_FILE "$conf_utmp_location" +_ACEOF + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines WTMP_FILE" >&5 +$as_echo_n "checking if your system defines WTMP_FILE... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + +int +main () +{ + char *wtmp = WTMP_FILE; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + system_wtmp_path=no + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +if test -z "$conf_wtmp_location"; then + if test x"$system_wtmp_path" = x"no" ; then + for f in /usr/adm/wtmp /var/log/wtmp; do + if test -f $f ; then + conf_wtmp_location=$f + fi + done + if test -z "$conf_wtmp_location"; then + $as_echo "#define DISABLE_WTMP 1" >>confdefs.h + + fi + fi +fi +if test -n "$conf_wtmp_location"; then + +cat >>confdefs.h <<_ACEOF +#define CONF_WTMP_FILE "$conf_wtmp_location" +_ACEOF + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines WTMPX_FILE" >&5 +$as_echo_n "checking if your system defines WTMPX_FILE... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + +int +main () +{ + char *wtmpx = WTMPX_FILE; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + system_wtmpx_path=no + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +if test -z "$conf_wtmpx_location"; then + if test x"$system_wtmpx_path" = x"no" ; then + $as_echo "#define DISABLE_WTMPX 1" >>confdefs.h + + fi +else + +cat >>confdefs.h <<_ACEOF +#define CONF_WTMPX_FILE "$conf_wtmpx_location" +_ACEOF + +fi + + +if test ! -z "$blibpath" ; then + LDFLAGS="$LDFLAGS $blibflags$blibpath" + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&5 +$as_echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;} +fi + +ac_fn_c_check_member "$LINENO" "struct lastlog" "ll_line" "ac_cv_member_struct_lastlog_ll_line" " +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UTMP_H +#include +#endif +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_LASTLOG_H +#include +#endif + +" +if test "x$ac_cv_member_struct_lastlog_ll_line" = xyes; then : + +else + + if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then + $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h + + fi + +fi + + +ac_fn_c_check_member "$LINENO" "struct utmp" "ut_line" "ac_cv_member_struct_utmp_ut_line" " +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UTMP_H +#include +#endif +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_LASTLOG_H +#include +#endif + +" +if test "x$ac_cv_member_struct_utmp_ut_line" = xyes; then : + +else + + $as_echo "#define DISABLE_UTMP 1" >>confdefs.h + + $as_echo "#define DISABLE_WTMP 1" >>confdefs.h + + +fi + + +CFLAGS="$CFLAGS $werror_flags" + +if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then + TEST_SSH_IPV6=no +else + TEST_SSH_IPV6=yes +fi +ac_fn_c_check_decl "$LINENO" "BROKEN_GETADDRINFO" "ac_cv_have_decl_BROKEN_GETADDRINFO" "$ac_includes_default" +if test "x$ac_cv_have_decl_BROKEN_GETADDRINFO" = xyes; then : + TEST_SSH_IPV6=no +fi + +TEST_SSH_IPV6=$TEST_SSH_IPV6 + +TEST_MALLOC_OPTIONS=$TEST_MALLOC_OPTIONS + +UNSUPPORTED_ALGORITHMS=$unsupported_algorithms + + + +ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile survey.sh" + +cat >confcache <<\_ACEOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs, see configure's option --config-cache. +# It is not useful on other systems. If it contains results you don't +# want to keep, you may remove or edit it. +# +# config.status only pays attention to the cache file if you give it +# the --recheck option to rerun configure. +# +# `ac_cv_env_foo' variables (set or unset) will be overridden when +# loading this file, other *unset* `ac_cv_foo' will be assigned the +# following values. + +_ACEOF + +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, we kill variables containing newlines. +# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. +( + for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) { eval $ac_var=; unset $ac_var;} ;; + esac ;; + esac + done + + (set) 2>&1 | + case $as_nl`(ac_space=' '; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + # `set' does not quote correctly, so add quotes: double-quote + # substitution turns \\\\ into \\, and sed turns \\ into \. + sed -n \ + "s/'/'\\\\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" + ;; #( + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) | + sed ' + /^ac_cv_env_/b end + t clear + :clear + s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ + t end + s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ + :end' >>confcache +if diff "$cache_file" confcache >/dev/null 2>&1; then :; else + if test -w "$cache_file"; then + if test "x$cache_file" != "x/dev/null"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 +$as_echo "$as_me: updating cache $cache_file" >&6;} + if test ! -f "$cache_file" || test -h "$cache_file"; then + cat confcache >"$cache_file" + else + case $cache_file in #( + */* | ?:*) + mv -f confcache "$cache_file"$$ && + mv -f "$cache_file"$$ "$cache_file" ;; #( + *) + mv -f confcache "$cache_file" ;; + esac + fi + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 +$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} + fi +fi +rm -f confcache + +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +DEFS=-DHAVE_CONFIG_H + +ac_libobjs= +ac_ltlibobjs= +U= +for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue + # 1. Remove the extension, and $U if already installed. + ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' + ac_i=`$as_echo "$ac_i" | sed "$ac_script"` + # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR + # will be set to the directory where LIBOBJS objects are built. + as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" + as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' +done +LIBOBJS=$ac_libobjs + +LTLIBOBJS=$ac_ltlibobjs + + + + +: "${CONFIG_STATUS=./config.status}" +ac_write_fail=0 +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files $CONFIG_STATUS" +{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 +$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} +as_write_fail=0 +cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 +#! $SHELL +# Generated by $as_me. +# Run this file to recreate the current configuration. +# Compiler output produced by configure, useful for debugging +# configure, is in config.log if it exists. + +debug=false +ac_cs_recheck=false +ac_cs_silent=false + +SHELL=\${CONFIG_SHELL-$SHELL} +export SHELL +_ASEOF +cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi + + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. +if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +as_myself= +case $0 in #(( + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + exit 1 +fi + +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + + +# as_fn_error STATUS ERROR [LINENO LOG_FD] +# ---------------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +# script with STATUS, using 1 if that was 0. +as_fn_error () +{ + as_status=$1; test $as_status -eq 0 && as_status=1 + if test "$4"; then + as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 + fi + $as_echo "$as_me: error: $2" >&2 + as_fn_exit $as_status +} # as_fn_error + + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' +else + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append + +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. +if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? -eq 1` + } +fi # as_fn_arith + + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in #((((( +-n*) + case `echo 'xy\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; + esac;; +*) + ECHO_N='-n';; +esac + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -p' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -p' + fi +else + as_ln_s='cp -p' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" + + +} # as_fn_mkdir_p +if mkdir -p . 2>/dev/null; then + as_mkdir_p='mkdir -p "$as_dir"' +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in #( + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + +exec 6>&1 +## ----------------------------------- ## +## Main body of $CONFIG_STATUS script. ## +## ----------------------------------- ## +_ASEOF +test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# Save the log message, to keep $0 and so on meaningful, and to +# report actual input values of CONFIG_FILES etc. instead of their +# values after options handling. +ac_log=" +This file was extended by OpenSSH $as_me Portable, which was +generated by GNU Autoconf 2.68. Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS + CONFIG_LINKS = $CONFIG_LINKS + CONFIG_COMMANDS = $CONFIG_COMMANDS + $ $0 $@ + +on `(hostname || uname -n) 2>/dev/null | sed 1q` +" + +_ACEOF + +case $ac_config_files in *" +"*) set x $ac_config_files; shift; ac_config_files=$*;; +esac + +case $ac_config_headers in *" +"*) set x $ac_config_headers; shift; ac_config_headers=$*;; +esac + + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +# Files that config.status was made for. +config_files="$ac_config_files" +config_headers="$ac_config_headers" + +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +ac_cs_usage="\ +\`$as_me' instantiates files and other configuration actions +from templates according to the current configuration. Unless the files +and actions are specified as TAGs, all are instantiated by default. + +Usage: $0 [OPTION]... [TAG]... + + -h, --help print this help, then exit + -V, --version print version number and configuration settings, then exit + --config print configuration, then exit + -q, --quiet, --silent + do not print progress messages + -d, --debug don't remove temporary files + --recheck update $as_me by reconfiguring in the same conditions + --file=FILE[:TEMPLATE] + instantiate the configuration file FILE + --header=FILE[:TEMPLATE] + instantiate the configuration header FILE + +Configuration files: +$config_files + +Configuration headers: +$config_headers + +Report bugs to ." + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" +ac_cs_version="\\ +OpenSSH config.status Portable +configured by $0, generated by GNU Autoconf 2.68, + with options \\"\$ac_cs_config\\" + +Copyright (C) 2010 Free Software Foundation, Inc. +This config.status script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it." + +ac_pwd='$ac_pwd' +srcdir='$srcdir' +INSTALL='$INSTALL' +AWK='$AWK' +test -n "\$AWK" || AWK=awk +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# The default lists apply if the user does not specify any file. +ac_need_defaults=: +while test $# != 0 +do + case $1 in + --*=?*) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` + ac_shift=: + ;; + --*=) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg= + ac_shift=: + ;; + *) + ac_option=$1 + ac_optarg=$2 + ac_shift=shift + ;; + esac + + case $ac_option in + # Handling of the options. + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + ac_cs_recheck=: ;; + --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) + $as_echo "$ac_cs_version"; exit ;; + --config | --confi | --conf | --con | --co | --c ) + $as_echo "$ac_cs_config"; exit ;; + --debug | --debu | --deb | --de | --d | -d ) + debug=: ;; + --file | --fil | --fi | --f ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + '') as_fn_error $? "missing file argument" ;; + esac + as_fn_append CONFIG_FILES " '$ac_optarg'" + ac_need_defaults=false;; + --header | --heade | --head | --hea ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + as_fn_append CONFIG_HEADERS " '$ac_optarg'" + ac_need_defaults=false;; + --he | --h) + # Conflict between --help and --header + as_fn_error $? "ambiguous option: \`$1' +Try \`$0 --help' for more information.";; + --help | --hel | -h ) + $as_echo "$ac_cs_usage"; exit ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil | --si | --s) + ac_cs_silent=: ;; + + # This is an error. + -*) as_fn_error $? "unrecognized option: \`$1' +Try \`$0 --help' for more information." ;; + + *) as_fn_append ac_config_targets " $1" + ac_need_defaults=false ;; + + esac + shift +done + +ac_configure_extra_args= + +if $ac_cs_silent; then + exec 6>/dev/null + ac_configure_extra_args="$ac_configure_extra_args --silent" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +if \$ac_cs_recheck; then + set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + shift + \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 + CONFIG_SHELL='$SHELL' + export CONFIG_SHELL + exec "\$@" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +exec 5>>config.log +{ + echo + sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +## Running $as_me. ## +_ASBOX + $as_echo "$ac_log" +} >&5 + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + +# Handling of arguments. +for ac_config_target in $ac_config_targets +do + case $ac_config_target in + "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; + "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; + "buildpkg.sh") CONFIG_FILES="$CONFIG_FILES buildpkg.sh" ;; + "opensshd.init") CONFIG_FILES="$CONFIG_FILES opensshd.init" ;; + "openssh.xml") CONFIG_FILES="$CONFIG_FILES openssh.xml" ;; + "openbsd-compat/Makefile") CONFIG_FILES="$CONFIG_FILES openbsd-compat/Makefile" ;; + "openbsd-compat/regress/Makefile") CONFIG_FILES="$CONFIG_FILES openbsd-compat/regress/Makefile" ;; + "survey.sh") CONFIG_FILES="$CONFIG_FILES survey.sh" ;; + + *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; + esac +done + + +# If the user did not use the arguments to specify the items to instantiate, +# then the envvar interface is used. Set only those that are not. +# We use the long form for the default assignment because of an extremely +# bizarre bug on SunOS 4.1.3. +if $ac_need_defaults; then + test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files + test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers +fi + +# Have a temporary directory for convenience. Make it in the build tree +# simply because there is no reason against having it here, and in addition, +# creating and moving files from /tmp can sometimes cause problems. +# Hook for its removal unless debugging. +# Note that there is a small window in which the directory will not be cleaned: +# after its creation but before its name has been assigned to `$tmp'. +$debug || +{ + tmp= ac_tmp= + trap 'exit_status=$? + : "${ac_tmp:=$tmp}" + { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status +' 0 + trap 'as_fn_exit 1' 1 2 13 15 +} +# Create a (secure) tmp directory for tmp files. + +{ + tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && + test -d "$tmp" +} || +{ + tmp=./conf$$-$RANDOM + (umask 077 && mkdir "$tmp") +} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 +ac_tmp=$tmp + +# Set up the scripts for CONFIG_FILES section. +# No need to generate them if there are no CONFIG_FILES. +# This happens for instance with `./config.status config.h'. +if test -n "$CONFIG_FILES"; then + + +ac_cr=`echo X | tr X '\015'` +# On cygwin, bash can eat \r inside `` if the user requested igncr. +# But we know of no other shell where ac_cr would be empty at this +# point, so we can use a bashism as a fallback. +if test "x$ac_cr" = x; then + eval ac_cr=\$\'\\r\' +fi +ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` +if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then + ac_cs_awk_cr='\\r' +else + ac_cs_awk_cr=$ac_cr +fi + +echo 'BEGIN {' >"$ac_tmp/subs1.awk" && +_ACEOF + + +{ + echo "cat >conf$$subs.awk <<_ACEOF" && + echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && + echo "_ACEOF" +} >conf$$subs.sh || + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 +ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` +ac_delim='%!_!# ' +for ac_last_try in false false false false false :; do + . ./conf$$subs.sh || + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + + ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` + if test $ac_delim_n = $ac_delim_num; then + break + elif $ac_last_try; then + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " + fi +done +rm -f conf$$subs.sh + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && +_ACEOF +sed -n ' +h +s/^/S["/; s/!.*/"]=/ +p +g +s/^[^!]*!// +:repl +t repl +s/'"$ac_delim"'$// +t delim +:nl +h +s/\(.\{148\}\)..*/\1/ +t more1 +s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ +p +n +b repl +:more1 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t nl +:delim +h +s/\(.\{148\}\)..*/\1/ +t more2 +s/["\\]/\\&/g; s/^/"/; s/$/"/ +p +b +:more2 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t delim +' >$CONFIG_STATUS || ac_write_fail=1 +rm -f conf$$subs.awk +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +_ACAWK +cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && + for (key in S) S_is_set[key] = 1 + FS = "" + +} +{ + line = $ 0 + nfields = split(line, field, "@") + substed = 0 + len = length(field[1]) + for (i = 2; i < nfields; i++) { + key = field[i] + keylen = length(key) + if (S_is_set[key]) { + value = S[key] + line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) + len += length(value) + length(field[++i]) + substed = 1 + } else + len += 1 + keylen + } + + print line +} + +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then + sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" +else + cat +fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ + || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 +_ACEOF + +# VPATH may cause trouble with some makes, so we remove sole $(srcdir), +# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and +# trailing colons and then remove the whole line if VPATH becomes empty +# (actually we leave an empty line to preserve line numbers). +if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ +h +s/// +s/^/:/ +s/[ ]*$/:/ +s/:\$(srcdir):/:/g +s/:\${srcdir}:/:/g +s/:@srcdir@:/:/g +s/^:*// +s/:*$// +x +s/\(=[ ]*\).*/\1/ +G +s/\n// +s/^[^=]*=[ ]*$// +}' +fi + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +fi # test -n "$CONFIG_FILES" + +# Set up the scripts for CONFIG_HEADERS section. +# No need to generate them if there are no CONFIG_HEADERS. +# This happens for instance with `./config.status Makefile'. +if test -n "$CONFIG_HEADERS"; then +cat >"$ac_tmp/defines.awk" <<\_ACAWK || +BEGIN { +_ACEOF + +# Transform confdefs.h into an awk script `defines.awk', embedded as +# here-document in config.status, that substitutes the proper values into +# config.h.in to produce config.h. + +# Create a delimiter string that does not exist in confdefs.h, to ease +# handling of long lines. +ac_delim='%!_!# ' +for ac_last_try in false false :; do + ac_tt=`sed -n "/$ac_delim/p" confdefs.h` + if test -z "$ac_tt"; then + break + elif $ac_last_try; then + as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " + fi +done + +# For the awk script, D is an array of macro values keyed by name, +# likewise P contains macro parameters if any. Preserve backslash +# newline sequences. + +ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* +sed -n ' +s/.\{148\}/&'"$ac_delim"'/g +t rset +:rset +s/^[ ]*#[ ]*define[ ][ ]*/ / +t def +d +:def +s/\\$// +t bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3"/p +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p +d +:bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3\\\\\\n"\\/p +t cont +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p +t cont +d +:cont +n +s/.\{148\}/&'"$ac_delim"'/g +t clear +:clear +s/\\$// +t bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/"/p +d +:bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p +b cont +' >$CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + for (key in D) D_is_set[key] = 1 + FS = "" +} +/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { + line = \$ 0 + split(line, arg, " ") + if (arg[1] == "#") { + defundef = arg[2] + mac1 = arg[3] + } else { + defundef = substr(arg[1], 2) + mac1 = arg[2] + } + split(mac1, mac2, "(") #) + macro = mac2[1] + prefix = substr(line, 1, index(line, defundef) - 1) + if (D_is_set[macro]) { + # Preserve the white space surrounding the "#". + print prefix "define", macro P[macro] D[macro] + next + } else { + # Replace #undef with comments. This is necessary, for example, + # in the case of _POSIX_SOURCE, which is predefined and required + # on some systems where configure will not decide to define it. + if (defundef == "undef") { + print "/*", prefix defundef, macro, "*/" + next + } + } +} +{ print } +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 +fi # test -n "$CONFIG_HEADERS" + + +eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS " +shift +for ac_tag +do + case $ac_tag in + :[FHLC]) ac_mode=$ac_tag; continue;; + esac + case $ac_mode$ac_tag in + :[FHL]*:*);; + :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; + :[FH]-) ac_tag=-:-;; + :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; + esac + ac_save_IFS=$IFS + IFS=: + set x $ac_tag + IFS=$ac_save_IFS + shift + ac_file=$1 + shift + + case $ac_mode in + :L) ac_source=$1;; + :[FH]) + ac_file_inputs= + for ac_f + do + case $ac_f in + -) ac_f="$ac_tmp/stdin";; + *) # Look for the file first in the build tree, then in the source tree + # (if the path is not absolute). The absolute path cannot be DOS-style, + # because $ac_f cannot contain `:'. + test -f "$ac_f" || + case $ac_f in + [\\/$]*) false;; + *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; + esac || + as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; + esac + case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac + as_fn_append ac_file_inputs " '$ac_f'" + done + + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ + configure_input='Generated from '` + $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' + `' by configure.' + if test x"$ac_file" != x-; then + configure_input="$ac_file. $configure_input" + { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 +$as_echo "$as_me: creating $ac_file" >&6;} + fi + # Neutralize special characters interpreted by sed in replacement strings. + case $configure_input in #( + *\&* | *\|* | *\\* ) + ac_sed_conf_input=`$as_echo "$configure_input" | + sed 's/[\\\\&|]/\\\\&/g'`;; #( + *) ac_sed_conf_input=$configure_input;; + esac + + case $ac_tag in + *:-:* | *:-) cat >"$ac_tmp/stdin" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; + esac + ;; + esac + + ac_dir=`$as_dirname -- "$ac_file" || +$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$ac_file" : 'X\(//\)[^/]' \| \ + X"$ac_file" : 'X\(//\)$' \| \ + X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$ac_file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + as_dir="$ac_dir"; as_fn_mkdir_p + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + + case $ac_mode in + :F) + # + # CONFIG_FILE + # + + case $INSTALL in + [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; + *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; + esac +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# If the template does not know about datarootdir, expand it. +# FIXME: This hack should be removed a few years after 2.60. +ac_datarootdir_hack=; ac_datarootdir_seen= +ac_sed_dataroot=' +/datarootdir/ { + p + q +} +/@datadir@/p +/@docdir@/p +/@infodir@/p +/@localedir@/p +/@mandir@/p' +case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in +*datarootdir*) ac_datarootdir_seen=yes;; +*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 +$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + ac_datarootdir_hack=' + s&@datadir@&$datadir&g + s&@docdir@&$docdir&g + s&@infodir@&$infodir&g + s&@localedir@&$localedir&g + s&@mandir@&$mandir&g + s&\\\${datarootdir}&$datarootdir&g' ;; +esac +_ACEOF + +# Neutralize VPATH when `$srcdir' = `.'. +# Shell code in configure.ac might set extrasub. +# FIXME: do we really want to maintain this feature? +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_sed_extra="$ac_vpsub +$extrasub +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +:t +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b +s|@configure_input@|$ac_sed_conf_input|;t t +s&@top_builddir@&$ac_top_builddir_sub&;t t +s&@top_build_prefix@&$ac_top_build_prefix&;t t +s&@srcdir@&$ac_srcdir&;t t +s&@abs_srcdir@&$ac_abs_srcdir&;t t +s&@top_srcdir@&$ac_top_srcdir&;t t +s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t +s&@builddir@&$ac_builddir&;t t +s&@abs_builddir@&$ac_abs_builddir&;t t +s&@abs_top_builddir@&$ac_abs_top_builddir&;t t +s&@INSTALL@&$ac_INSTALL&;t t +$ac_datarootdir_hack +" +eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ + >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + +test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && + { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && + { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ + "$ac_tmp/out"`; test -z "$ac_out"; } && + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined" >&5 +$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined" >&2;} + + rm -f "$ac_tmp/stdin" + case $ac_file in + -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; + *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; + esac \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + ;; + :H) + # + # CONFIG_HEADER + # + if test x"$ac_file" != x-; then + { + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" + } >"$ac_tmp/config.h" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then + { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 +$as_echo "$as_me: $ac_file is unchanged" >&6;} + else + rm -f "$ac_file" + mv "$ac_tmp/config.h" "$ac_file" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + fi + else + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ + || as_fn_error $? "could not create -" "$LINENO" 5 + fi + ;; + + + esac + +done # for ac_tag + + +as_fn_exit 0 +_ACEOF +ac_clean_files=$ac_clean_files_save + +test $ac_write_fail = 0 || + as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 + + +# configure is writing to config.log, and then calls config.status. +# config.status does its own redirection, appending to config.log. +# Unfortunately, on DOS this fails, as config.log is still kept open +# by configure, so config.status won't be able to write to it; its +# output is simply discarded. So we exec the FD to /dev/null, +# effectively closing config.log, so it can be properly (re)opened and +# appended to by config.status. When coming back to configure, we +# need to make the FD available again. +if test "$no_create" != yes; then + ac_cs_success=: + ac_config_status_args= + test "$silent" = yes && + ac_config_status_args="$ac_config_status_args --quiet" + exec 5>/dev/null + $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false + exec 5>>config.log + # Use ||, not &&, to avoid exiting from the if with $? = 1, which + # would make configure fail if this is the last instruction. + $ac_cs_success || as_fn_exit 1 +fi +if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 +$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} +fi + + +# Print summary of options + +# Someone please show me a better way :) +A=`eval echo ${prefix}` ; A=`eval echo ${A}` +B=`eval echo ${bindir}` ; B=`eval echo ${B}` +C=`eval echo ${sbindir}` ; C=`eval echo ${C}` +D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` +E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` +F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` +G=`eval echo ${piddir}` ; G=`eval echo ${G}` +H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}` +I=`eval echo ${user_path}` ; I=`eval echo ${I}` +J=`eval echo ${superuser_path}` ; J=`eval echo ${J}` + +echo "" +echo "OpenSSH has been configured with the following options:" +echo " User binaries: $B" +echo " System binaries: $C" +echo " Configuration files: $D" +echo " Askpass program: $E" +echo " Manual pages: $F" +echo " PID file: $G" +echo " Privilege separation chroot path: $H" +if test "x$external_path_file" = "x/etc/login.conf" ; then +echo " At runtime, sshd will use the path defined in $external_path_file" +echo " Make sure the path to scp is present, otherwise scp will not work" +else +echo " sshd default user PATH: $I" + if test ! -z "$external_path_file"; then +echo " (If PATH is set in $external_path_file it will be used instead. If" +echo " used, ensure the path to scp is present, otherwise scp will not work.)" + fi +fi +if test ! -z "$superuser_path" ; then +echo " sshd superuser user PATH: $J" +fi +echo " Manpage format: $MANTYPE" +echo " PAM support: $PAM_MSG" +echo " OSF SIA support: $SIA_MSG" +echo " KerberosV support: $KRB5_MSG" +echo " SELinux support: $SELINUX_MSG" +echo " Smartcard support: $SCARD_MSG" +echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" +echo " MD5 password support: $MD5_MSG" +echo " libedit support: $LIBEDIT_MSG" +echo " Solaris process contract support: $SPC_MSG" +echo " Solaris project support: $SP_MSG" +echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" +echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +echo " BSD Auth support: $BSD_AUTH_MSG" +echo " Random number source: $RAND_MSG" +echo " Privsep sandbox style: $SANDBOX_STYLE" + +echo "" + +echo " Host: ${host}" +echo " Compiler: ${CC}" +echo " Compiler flags: ${CFLAGS}" +echo "Preprocessor flags: ${CPPFLAGS}" +echo " Linker flags: ${LDFLAGS}" +echo " Libraries: ${LIBS}" +if test ! -z "${SSHDLIBS}"; then +echo " +for sshd: ${SSHDLIBS}" +fi +if test ! -z "${SSHLIBS}"; then +echo " +for ssh: ${SSHLIBS}" +fi + +echo "" + +if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then + echo "SVR4 style packages are supported with \"make package\"" + echo "" +fi + +if test "x$PAM_MSG" = "xyes" ; then + echo "PAM is enabled. You may need to install a PAM control file " + echo "for sshd, otherwise password authentication may fail. " + echo "Example PAM control files can be found in the contrib/ " + echo "subdirectory" + echo "" +fi + +if test ! -z "$NO_PEERCHECK" ; then + echo "WARNING: the operating system that you are using does not" + echo "appear to support getpeereid(), getpeerucred() or the" + echo "SO_PEERCRED getsockopt() option. These facilities are used to" + echo "enforce security checks to prevent unauthorised connections to" + echo "ssh-agent. Their absence increases the risk that a malicious" + echo "user can connect to your agent." + echo "" +fi + +if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." +fi diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac new file mode 100644 index 000000000..7c6ce08d8 --- /dev/null +++ b/crypto/openssh/configure.ac @@ -0,0 +1,4901 @@ +# $Id: configure.ac,v 1.571 2014/02/21 17:09:34 tim Exp $ +# +# Copyright (c) 1999-2004 Damien Miller +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) +AC_REVISION($Revision: 1.571 $) +AC_CONFIG_SRCDIR([ssh.c]) +AC_LANG([C]) + +AC_CONFIG_HEADER([config.h]) +AC_PROG_CC +AC_CANONICAL_HOST +AC_C_BIGENDIAN + +# Checks for programs. +AC_PROG_AWK +AC_PROG_CPP +AC_PROG_RANLIB +AC_PROG_INSTALL +AC_PROG_EGREP +AC_PATH_PROG([AR], [ar]) +AC_PATH_PROG([CAT], [cat]) +AC_PATH_PROG([KILL], [kill]) +AC_PATH_PROGS([PERL], [perl5 perl]) +AC_PATH_PROG([SED], [sed]) +AC_SUBST([PERL]) +AC_PATH_PROG([ENT], [ent]) +AC_SUBST([ENT]) +AC_PATH_PROG([TEST_MINUS_S_SH], [bash]) +AC_PATH_PROG([TEST_MINUS_S_SH], [ksh]) +AC_PATH_PROG([TEST_MINUS_S_SH], [sh]) +AC_PATH_PROG([SH], [sh]) +AC_PATH_PROG([GROFF], [groff]) +AC_PATH_PROG([NROFF], [nroff]) +AC_PATH_PROG([MANDOC], [mandoc]) +AC_SUBST([TEST_SHELL], [sh]) + +dnl select manpage formatter +if test "x$MANDOC" != "x" ; then + MANFMT="$MANDOC" +elif test "x$NROFF" != "x" ; then + MANFMT="$NROFF -mandoc" +elif test "x$GROFF" != "x" ; then + MANFMT="$GROFF -mandoc -Tascii" +else + AC_MSG_WARN([no manpage formatted found]) + MANFMT="false" +fi +AC_SUBST([MANFMT]) + +dnl for buildpkg.sh +AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd], + [/usr/sbin${PATH_SEPARATOR}/etc]) +AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd], + [/usr/sbin${PATH_SEPARATOR}/etc]) +AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no]) +if test -x /sbin/sh; then + AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh]) +else + AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh]) +fi + +# System features +AC_SYS_LARGEFILE + +if test -z "$AR" ; then + AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***]) +fi + +# Use LOGIN_PROGRAM from environment if possible +if test ! -z "$LOGIN_PROGRAM" ; then + AC_DEFINE_UNQUOTED([LOGIN_PROGRAM_FALLBACK], ["$LOGIN_PROGRAM"], + [If your header files don't define LOGIN_PROGRAM, + then use this (detected) from environment and PATH]) +else + # Search for login + AC_PATH_PROG([LOGIN_PROGRAM_FALLBACK], [login]) + if test ! -z "$LOGIN_PROGRAM_FALLBACK" ; then + AC_DEFINE_UNQUOTED([LOGIN_PROGRAM_FALLBACK], ["$LOGIN_PROGRAM_FALLBACK"]) + fi +fi + +AC_PATH_PROG([PATH_PASSWD_PROG], [passwd]) +if test ! -z "$PATH_PASSWD_PROG" ; then + AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"], + [Full path of your "passwd" program]) +fi + +if test -z "$LD" ; then + LD=$CC +fi +AC_SUBST([LD]) + +AC_C_INLINE + +AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include ]) +AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [ + #include + #include + #include +]) +AC_CHECK_DECL([RLIMIT_NPROC], + [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [ + #include + #include +]) +AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ + #include + #include +]) + +use_stack_protector=1 +use_toolchain_hardening=1 +AC_ARG_WITH([stackprotect], + [ --without-stackprotect Don't use compiler's stack protection], [ + if test "x$withval" = "xno"; then + use_stack_protector=0 + fi ]) +AC_ARG_WITH([hardening], + [ --without-hardening Don't use toolchain hardening flags], [ + if test "x$withval" = "xno"; then + use_toolchain_hardening=0 + fi ]) + +# We use -Werror for the tests only so that we catch warnings like "this is +# on by default" for things like -fPIE. +AC_MSG_CHECKING([if $CC supports -Werror]) +saved_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS -Werror" +AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], + [ AC_MSG_RESULT([yes]) + WERROR="-Werror"], + [ AC_MSG_RESULT([no]) + WERROR="" ] +) +CFLAGS="$saved_CFLAGS" + +if test "$GCC" = "yes" || test "$GCC" = "egcs"; then + OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) + OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option]) + OSSH_CHECK_CFLAG_COMPILE([-Wall]) + OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) + OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) + OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare]) + OSSH_CHECK_CFLAG_COMPILE([-Wformat-security]) + OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess]) + OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) + OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) + OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) + OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) + if test "x$use_toolchain_hardening" = "x1"; then + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack]) + # NB. -ftrapv expects certain support functions to be present in + # the compiler library (libgcc or similar) to detect integer operations + # that can overflow. We must check that the result of enabling it + # actually links. The test program compiled/linked includes a number + # of integer operations that should exercise this. + OSSH_CHECK_CFLAG_LINK([-ftrapv]) + fi + AC_MSG_CHECKING([gcc version]) + GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` + case $GCC_VER in + 1.*) no_attrib_nonnull=1 ;; + 2.8* | 2.9*) + no_attrib_nonnull=1 + ;; + 2.*) no_attrib_nonnull=1 ;; + *) ;; + esac + AC_MSG_RESULT([$GCC_VER]) + + AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset]) + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fno-builtin-memset" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ char b[10]; memset(b, 0, sizeof(b)); ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" ] + ) + + # -fstack-protector-all doesn't always work for some GCC versions + # and/or platforms, so we test if we can. If it's not supported + # on a given platform gcc will emit a warning so we use -Werror. + if test "x$use_stack_protector" = "x1"; then + for t in -fstack-protector-strong -fstack-protector-all \ + -fstack-protector; do + AC_MSG_CHECKING([if $CC supports $t]) + saved_CFLAGS="$CFLAGS" + saved_LDFLAGS="$LDFLAGS" + CFLAGS="$CFLAGS $t -Werror" + LDFLAGS="$LDFLAGS $t -Werror" + AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ #include ]], + [[ + char x[256]; + snprintf(x, sizeof(x), "XXX"); + ]])], + [ AC_MSG_RESULT([yes]) + CFLAGS="$saved_CFLAGS $t" + LDFLAGS="$saved_LDFLAGS $t" + AC_MSG_CHECKING([if $t works]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ #include ]], + [[ + char x[256]; + snprintf(x, sizeof(x), "XXX"); + ]])], + [ AC_MSG_RESULT([yes]) + break ], + [ AC_MSG_RESULT([no]) ], + [ AC_MSG_WARN([cross compiling: cannot test]) + break ] + ) + ], + [ AC_MSG_RESULT([no]) ] + ) + CFLAGS="$saved_CFLAGS" + LDFLAGS="$saved_LDFLAGS" + done + fi + + if test -z "$have_llong_max"; then + # retry LLONG_MAX with -std=gnu99, needed on some Linuxes + unset ac_cv_have_decl_LLONG_MAX + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -std=gnu99" + AC_CHECK_DECL([LLONG_MAX], + [have_llong_max=1], + [CFLAGS="$saved_CFLAGS"], + [#include ] + ) + fi +fi + +AC_MSG_CHECKING([if compiler allows __attribute__ on return types]) +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[ +#include +__attribute__((__unused__)) static void foo(void){return;}]], + [[ exit(0); ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1, + [compiler does not accept __attribute__ on return types]) ] +) + +if test "x$no_attrib_nonnull" != "x1" ; then + AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull]) +fi + +AC_ARG_WITH([rpath], + [ --without-rpath Disable auto-added -R linker paths], + [ + if test "x$withval" = "xno" ; then + need_dash_r="" + fi + if test "x$withval" = "xyes" ; then + need_dash_r=1 + fi + ] +) + +# Allow user to specify flags +AC_ARG_WITH([cflags], + [ --with-cflags Specify additional flags to pass to compiler], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + CFLAGS="$CFLAGS $withval" + fi + ] +) +AC_ARG_WITH([cppflags], + [ --with-cppflags Specify additional flags to pass to preprocessor] , + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + CPPFLAGS="$CPPFLAGS $withval" + fi + ] +) +AC_ARG_WITH([ldflags], + [ --with-ldflags Specify additional flags to pass to linker], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + LDFLAGS="$LDFLAGS $withval" + fi + ] +) +AC_ARG_WITH([libs], + [ --with-libs Specify additional libraries to link with], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + LIBS="$LIBS $withval" + fi + ] +) +AC_ARG_WITH([Werror], + [ --with-Werror Build main code with -Werror], + [ + if test -n "$withval" && test "x$withval" != "xno"; then + werror_flags="-Werror" + if test "x${withval}" != "xyes"; then + werror_flags="$withval" + fi + fi + ] +) + +AC_CHECK_HEADERS([ \ + blf.h \ + bstring.h \ + crypt.h \ + crypto/sha2.h \ + dirent.h \ + endian.h \ + elf.h \ + features.h \ + fcntl.h \ + floatingpoint.h \ + getopt.h \ + glob.h \ + ia.h \ + iaf.h \ + inttypes.h \ + limits.h \ + locale.h \ + login.h \ + maillock.h \ + ndir.h \ + net/if_tun.h \ + netdb.h \ + netgroup.h \ + pam/pam_appl.h \ + paths.h \ + poll.h \ + pty.h \ + readpassphrase.h \ + rpc/types.h \ + security/pam_appl.h \ + sha2.h \ + shadow.h \ + stddef.h \ + stdint.h \ + string.h \ + strings.h \ + sys/audit.h \ + sys/bitypes.h \ + sys/bsdtty.h \ + sys/capability.h \ + sys/cdefs.h \ + sys/dir.h \ + sys/mman.h \ + sys/ndir.h \ + sys/poll.h \ + sys/prctl.h \ + sys/pstat.h \ + sys/select.h \ + sys/stat.h \ + sys/stream.h \ + sys/stropts.h \ + sys/strtio.h \ + sys/statvfs.h \ + sys/sysmacros.h \ + sys/time.h \ + sys/timers.h \ + time.h \ + tmpdir.h \ + ttyent.h \ + ucred.h \ + unistd.h \ + usersec.h \ + util.h \ + utime.h \ + utmp.h \ + utmpx.h \ + vis.h \ +]) + +# lastlog.h requires sys/time.h to be included first on Solaris +AC_CHECK_HEADERS([lastlog.h], [], [], [ +#ifdef HAVE_SYS_TIME_H +# include +#endif +]) + +# sys/ptms.h requires sys/stream.h to be included first on Solaris +AC_CHECK_HEADERS([sys/ptms.h], [], [], [ +#ifdef HAVE_SYS_STREAM_H +# include +#endif +]) + +# login_cap.h requires sys/types.h on NetBSD +AC_CHECK_HEADERS([login_cap.h], [], [], [ +#include +]) + +# older BSDs need sys/param.h before sys/mount.h +AC_CHECK_HEADERS([sys/mount.h], [], [], [ +#include +]) + +# Android requires sys/socket.h to be included before sys/un.h +AC_CHECK_HEADERS([sys/un.h], [], [], [ +#include +#include +]) + +# Messages for features tested for in target-specific section +SIA_MSG="no" +SPC_MSG="no" +SP_MSG="no" + +# Check for some target-specific stuff +case "$host" in +*-*-aix*) + # Some versions of VAC won't allow macro redefinitions at + # -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that + # particularly with older versions of vac or xlc. + # It also throws errors about null macro argments, but these are + # not fatal. + AC_MSG_CHECKING([if compiler allows macro redefinitions]) + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[ +#define testmacro foo +#define testmacro bar]], + [[ exit(0); ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`" + LD="`echo $LD | sed 's/-qlanglvl\=ansi//g'`" + CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`" + CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`" + ] + ) + + AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) + if (test -z "$blibpath"); then + blibpath="/usr/lib:/lib" + fi + saved_LDFLAGS="$LDFLAGS" + if test "$GCC" = "yes"; then + flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:" + else + flags="-blibpath: -Wl,-blibpath: -Wl,-rpath," + fi + for tryflags in $flags ;do + if (test -z "$blibflags"); then + LDFLAGS="$saved_LDFLAGS $tryflags$blibpath" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])], + [blibflags=$tryflags], []) + fi + done + if (test -z "$blibflags"); then + AC_MSG_RESULT([not found]) + AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log]) + else + AC_MSG_RESULT([$blibflags]) + fi + LDFLAGS="$saved_LDFLAGS" + dnl Check for authenticate. Might be in libs.a on older AIXes + AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1], + [Define if you want to enable AIX4's authenticate function])], + [AC_CHECK_LIB([s], [authenticate], + [ AC_DEFINE([WITH_AIXAUTHENTICATE]) + LIBS="$LIBS -ls" + ]) + ]) + dnl Check for various auth function declarations in headers. + AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess, + passwdexpired, setauthdb], , , [#include ]) + dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2) + AC_CHECK_DECLS([loginfailed], + [AC_MSG_CHECKING([if loginfailed takes 4 arguments]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ (void)loginfailed("user","host","tty",0); ]])], + [AC_MSG_RESULT([yes]) + AC_DEFINE([AIX_LOGINFAILED_4ARG], [1], + [Define if your AIX loginfailed() function + takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no]) + ])], + [], + [#include ] + ) + AC_CHECK_FUNCS([getgrset setauthdb]) + AC_CHECK_DECL([F_CLOSEM], + AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]), + [], + [ #include + #include ] + ) + check_for_aix_broken_getaddrinfo=1 + AC_DEFINE([BROKEN_REALPATH], [1], [Define if you have a broken realpath.]) + AC_DEFINE([SETEUID_BREAKS_SETUID], [1], + [Define if your platform breaks doing a seteuid before a setuid]) + AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken]) + AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken]) + dnl AIX handles lastlog as part of its login message + AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog]) + AC_DEFINE([LOGIN_NEEDS_UTMPX], [1], + [Some systems need a utmpx entry for /bin/login to work]) + AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], + [Define to a Set Process Title type if your system is + supported by bsd-setproctitle.c]) + AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], + [AIX 5.2 and 5.3 (and presumably newer) require this]) + AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) + AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) + ;; +*-*-android*) + AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp]) + AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp]) + ;; +*-*-cygwin*) + check_for_libcrypt_later=1 + LIBS="$LIBS /usr/lib/textreadmode.o" + AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin]) + AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()]) + AC_DEFINE([DISABLE_SHADOW], [1], + [Define if you want to disable shadow passwords]) + AC_DEFINE([NO_X11_UNIX_SOCKETS], [1], + [Define if X11 doesn't support AF_UNIX sockets on that system]) + AC_DEFINE([NO_IPPORT_RESERVED_CONCEPT], [1], + [Define if the concept of ports only accessible to + superusers isn't known]) + AC_DEFINE([DISABLE_FD_PASSING], [1], + [Define if your platform needs to skip post auth + file descriptor passing]) + AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size]) + AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) + # Cygwin defines optargs, optargs as declspec(dllimport) for historical + # reasons which cause compile warnings, so we disable those warnings. + OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes]) + ;; +*-*-dgux*) + AC_DEFINE([IP_TOS_IS_BROKEN], [1], + [Define if your system choked on IP TOS setting]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + ;; +*-*-darwin*) + use_pie=auto + AC_MSG_CHECKING([if we have working getaddrinfo]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include +main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + exit(0); + else + exit(1); +} + ]])], + [AC_MSG_RESULT([working])], + [AC_MSG_RESULT([buggy]) + AC_DEFINE([BROKEN_GETADDRINFO], [1], + [getaddrinfo is broken (if present)]) + ], + [AC_MSG_RESULT([assume it is working])]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect]) + AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1], + [Define if your resolver libs need this for getrrsetbyname]) + AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way]) + AC_DEFINE([SSH_TUN_COMPAT_AF], [1], + [Use tunnel device compatibility to OpenBSD]) + AC_DEFINE([SSH_TUN_PREPEND_AF], [1], + [Prepend the address family to IP tunnel traffic]) + m4_pattern_allow([AU_IPv]) + AC_CHECK_DECL([AU_IPv4], [], + AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) + [#include ] + AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1], + [Define if pututxline updates lastlog too]) + ) + AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], + [Define to a Set Process Title type if your system is + supported by bsd-setproctitle.c]) + AC_CHECK_FUNCS([sandbox_init]) + AC_CHECK_HEADERS([sandbox.h]) + ;; +*-*-dragonfly*) + SSHDLIBS="$SSHDLIBS -lcrypt" + TEST_MALLOC_OPTIONS="AFGJPRX" + ;; +*-*-haiku*) + LIBS="$LIBS -lbsd " + AC_CHECK_LIB([network], [socket]) + AC_DEFINE([HAVE_U_INT64_T]) + MANTYPE=man + ;; +*-*-hpux*) + # first we define all of the options common to all HP-UX releases + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" + IPADDR_IN_DISPLAY=yes + AC_DEFINE([USE_PIPES]) + AC_DEFINE([LOGIN_NO_ENDOPT], [1], + [Define if your login program cannot handle end of options ("--")]) + AC_DEFINE([LOGIN_NEEDS_UTMPX]) + AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], + [String used in /etc/passwd to denote locked account]) + AC_DEFINE([SPT_TYPE], [SPT_PSTAT]) + AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) + maildir="/var/mail" + LIBS="$LIBS -lsec" + AC_CHECK_LIB([xnet], [t_error], , + [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])]) + + # next, we define all of the options specific to major releases + case "$host" in + *-*-hpux10*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + ;; + *-*-hpux11*) + AC_DEFINE([PAM_SUN_CODEBASE], [1], + [Define if you are using Solaris-derived PAM which + passes pam_messages to the conversation function + with an extra level of indirection]) + AC_DEFINE([DISABLE_UTMP], [1], + [Define if you don't want to use utmp]) + AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins]) + check_for_hpux_broken_getaddrinfo=1 + check_for_conflicting_getspnam=1 + ;; + esac + + # lastly, we define options specific to minor releases + case "$host" in + *-*-hpux10.26) + AC_DEFINE([HAVE_SECUREWARE], [1], + [Define if you have SecureWare-based + protected password database]) + disable_ptmx_check=yes + LIBS="$LIBS -lsecpw" + ;; + esac + ;; +*-*-irix5*) + PATH="$PATH:/usr/etc" + AC_DEFINE([BROKEN_INET_NTOA], [1], + [Define if you system's inet_ntoa is busted + (e.g. Irix gcc issue)]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([WITH_ABBREV_NO_TTY], [1], + [Define if you shouldn't strip 'tty' from your + ttyname in [uw]tmp]) + AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) + ;; +*-*-irix6*) + PATH="$PATH:/usr/etc" + AC_DEFINE([WITH_IRIX_ARRAY], [1], + [Define if you have/want arrays + (cluster-wide session managment, not C arrays)]) + AC_DEFINE([WITH_IRIX_PROJECT], [1], + [Define if you want IRIX project management]) + AC_DEFINE([WITH_IRIX_AUDIT], [1], + [Define if you want IRIX audit trails]) + AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1], + [Define if you want IRIX kernel jobs])]) + AC_DEFINE([BROKEN_INET_NTOA]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)]) + AC_DEFINE([WITH_ABBREV_NO_TTY]) + AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) + ;; +*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu) + check_for_libcrypt_later=1 + AC_DEFINE([PAM_TTY_KLUDGE]) + AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"]) + AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV]) + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) + AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins]) + ;; +*-*-linux*) + no_dev_ptmx=1 + use_pie=auto + check_for_libcrypt_later=1 + check_for_openpty_ctty_bug=1 + AC_DEFINE([PAM_TTY_KLUDGE], [1], + [Work around problematic Linux PAM modules handling of PAM_TTY]) + AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"], + [String used in /etc/passwd to denote locked account]) + AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV]) + AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM], + [Define to whatever link() returns for "not supported" + if it doesn't return EOPNOTSUPP.]) + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) + AC_DEFINE([USE_BTMP]) + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) + AC_DEFINE([BROKEN_CMSG_TYPE], [1], + [Define if cmsg_type is not passed correctly]) + ;; + esac + # tun(4) forwarding compat code + AC_CHECK_HEADERS([linux/if_tun.h]) + if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then + AC_DEFINE([SSH_TUN_LINUX], [1], + [Open tunnel devices the Linux tun/tap way]) + AC_DEFINE([SSH_TUN_COMPAT_AF], [1], + [Use tunnel device compatibility to OpenBSD]) + AC_DEFINE([SSH_TUN_PREPEND_AF], [1], + [Prepend the address family to IP tunnel traffic]) + fi + AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [], + [], [#include ]) + AC_CHECK_FUNCS([prctl]) + AC_MSG_CHECKING([for seccomp architecture]) + seccomp_audit_arch= + case "$host" in + x86_64-*) + seccomp_audit_arch=AUDIT_ARCH_X86_64 + ;; + i*86-*) + seccomp_audit_arch=AUDIT_ARCH_I386 + ;; + arm*-*) + seccomp_audit_arch=AUDIT_ARCH_ARM + ;; + esac + if test "x$seccomp_audit_arch" != "x" ; then + AC_MSG_RESULT(["$seccomp_audit_arch"]) + AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch], + [Specify the system call convention in use]) + else + AC_MSG_RESULT([architecture not supported]) + fi + ;; +mips-sony-bsd|mips-sony-newsos4) + AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty]) + SONY=1 + ;; +*-*-netbsd*) + check_for_libcrypt_before=1 + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi + AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way]) + AC_CHECK_HEADER([net/if_tap.h], , + AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) + AC_DEFINE([SSH_TUN_PREPEND_AF], [1], + [Prepend the address family to IP tunnel traffic]) + TEST_MALLOC_OPTIONS="AJRX" + AC_DEFINE([BROKEN_STRNVIS], [1], + [NetBSD strnvis argument order is swapped compared to OpenBSD]) + AC_DEFINE([BROKEN_READ_COMPARISON], [1], + [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it]) + ;; +*-*-freebsd*) + check_for_libcrypt_later=1 + AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)]) + AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way]) + AC_CHECK_HEADER([net/if_tap.h], , + AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) + AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) + AC_DEFINE([BROKEN_STRNVIS], [1], + [FreeBSD strnvis argument order is swapped compared to OpenBSD]) + TEST_MALLOC_OPTIONS="AJRX" + # Preauth crypto occasionally uses file descriptors for crypto offload + # and will crash if they cannot be opened. + AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1], + [define if setrlimit RLIMIT_NOFILE breaks things]) + ;; +*-*-bsdi*) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + ;; +*-next-*) + conf_lastlog_location="/usr/adm/lastlog" + conf_utmp_location=/etc/utmp + conf_wtmp_location=/usr/adm/wtmp + maildir=/usr/spool/mail + AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT]) + AC_DEFINE([BROKEN_REALPATH]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) + ;; +*-*-openbsd*) + use_pie=auto + AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) + AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) + AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) + AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], + [syslog_r function is safe to use in in a signal handler]) + TEST_MALLOC_OPTIONS="AFGJPRX" + ;; +*-*-solaris*) + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi + AC_DEFINE([PAM_SUN_CODEBASE]) + AC_DEFINE([LOGIN_NEEDS_UTMPX]) + AC_DEFINE([LOGIN_NEEDS_TERM], [1], + [Some versions of /bin/login need the TERM supplied + on the commandline]) + AC_DEFINE([PAM_TTY_KLUDGE]) + AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], + [Define if pam_chauthtok wants real uid set + to the unpriv'ed user]) + AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) + # Pushing STREAMS modules will cause sshd to acquire a controlling tty. + AC_DEFINE([SSHD_ACQUIRES_CTTY], [1], + [Define if sshd somehow reacquires a controlling TTY + after setsid()]) + AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd + in case the name is longer than 8 chars]) + AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang]) + external_path_file=/etc/default/login + # hardwire lastlog location (can't detect it on some versions) + conf_lastlog_location="/var/adm/lastlog" + AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x]) + sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'` + if test "$sol2ver" -ge 8; then + AC_MSG_RESULT([yes]) + AC_DEFINE([DISABLE_UTMP]) + AC_DEFINE([DISABLE_WTMP], [1], + [Define if you don't want to use wtmp]) + else + AC_MSG_RESULT([no]) + fi + AC_ARG_WITH([solaris-contracts], + [ --with-solaris-contracts Enable Solaris process contracts (experimental)], + [ + AC_CHECK_LIB([contract], [ct_tmpl_activate], + [ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1], + [Define if you have Solaris process contracts]) + SSHDLIBS="$SSHDLIBS -lcontract" + SPC_MSG="yes" ], ) + ], + ) + AC_ARG_WITH([solaris-projects], + [ --with-solaris-projects Enable Solaris projects (experimental)], + [ + AC_CHECK_LIB([project], [setproject], + [ AC_DEFINE([USE_SOLARIS_PROJECTS], [1], + [Define if you have Solaris projects]) + SSHDLIBS="$SSHDLIBS -lproject" + SP_MSG="yes" ], ) + ], + ) + TEST_SHELL=$SHELL # let configure find us a capable shell + ;; +*-*-sunos4*) + CPPFLAGS="$CPPFLAGS -DSUNOS4" + AC_CHECK_FUNCS([getpwanam]) + AC_DEFINE([PAM_SUN_CODEBASE]) + conf_utmp_location=/etc/utmp + conf_wtmp_location=/var/adm/wtmp + conf_lastlog_location=/var/adm/lastlog + AC_DEFINE([USE_PIPES]) + ;; +*-ncr-sysv*) + LIBS="$LIBS -lc89" + AC_DEFINE([USE_PIPES]) + AC_DEFINE([SSHD_ACQUIRES_CTTY]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + ;; +*-sni-sysv*) + # /usr/ucblib MUST NOT be searched on ReliantUNIX + AC_CHECK_LIB([dl], [dlsym], ,) + # -lresolv needs to be at the end of LIBS or DNS lookups break + AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ]) + IPADDR_IN_DISPLAY=yes + AC_DEFINE([USE_PIPES]) + AC_DEFINE([IP_TOS_IS_BROKEN]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([SSHD_ACQUIRES_CTTY]) + external_path_file=/etc/default/login + # /usr/ucblib/libucb.a no longer needed on ReliantUNIX + # Attention: always take care to bind libsocket and libnsl before libc, + # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog + ;; +# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. +*-*-sysv4.2*) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd]) + AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) + TEST_SHELL=$SHELL # let configure find us a capable shell + ;; +# UnixWare 7.x, OpenUNIX 8 +*-*-sysv5*) + CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf" + AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_GETADDRINFO]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([PASSWD_NEEDS_USERNAME]) + TEST_SHELL=$SHELL # let configure find us a capable shell + case "$host" in + *-*-sysv5SCO_SV*) # SCO OpenServer 6.x + maildir=/var/spool/mail + AC_DEFINE([BROKEN_LIBIAF], [1], + [ia_uinfo routines not supported by OS yet]) + AC_DEFINE([BROKEN_UPDWTMPX]) + AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot" + AC_CHECK_FUNCS([getluid setluid], , , [-lprot]) + AC_DEFINE([HAVE_SECUREWARE]) + AC_DEFINE([DISABLE_SHADOW]) + ], , ) + ;; + *) AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) + check_for_libcrypt_later=1 + ;; + esac + ;; +*-*-sysv*) + ;; +# SCO UNIX and OEM versions of SCO UNIX +*-*-sco3.2v4*) + AC_MSG_ERROR("This Platform is no longer supported.") + ;; +# SCO OpenServer 5.x +*-*-sco3.2v5*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -belf" + fi + LIBS="$LIBS -lprot -lx -ltinfo -lm" + no_dev_ptmx=1 + AC_DEFINE([USE_PIPES]) + AC_DEFINE([HAVE_SECUREWARE]) + AC_DEFINE([DISABLE_SHADOW]) + AC_DEFINE([DISABLE_FD_PASSING]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_GETADDRINFO]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([WITH_ABBREV_NO_TTY]) + AC_DEFINE([BROKEN_UPDWTMPX]) + AC_DEFINE([PASSWD_NEEDS_USERNAME]) + AC_CHECK_FUNCS([getluid setluid]) + MANTYPE=man + TEST_SHELL=$SHELL # let configure find us a capable shell + SKIP_DISABLE_LASTLOG_DEFINE=yes + ;; +*-*-unicosmk*) + AC_DEFINE([NO_SSH_LASTLOG], [1], + [Define if you don't want to use lastlog in session.c]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([DISABLE_FD_PASSING]) + LDFLAGS="$LDFLAGS" + LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" + MANTYPE=cat + ;; +*-*-unicosmp*) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([WITH_ABBREV_NO_TTY]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([DISABLE_FD_PASSING]) + LDFLAGS="$LDFLAGS" + LIBS="$LIBS -lgen -lacid -ldb" + MANTYPE=cat + ;; +*-*-unicos*) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([DISABLE_FD_PASSING]) + AC_DEFINE([NO_SSH_LASTLOG]) + LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" + LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" + MANTYPE=cat + ;; +*-dec-osf*) + AC_MSG_CHECKING([for Digital Unix SIA]) + no_osfsia="" + AC_ARG_WITH([osfsia], + [ --with-osfsia Enable Digital Unix SIA], + [ + if test "x$withval" = "xno" ; then + AC_MSG_RESULT([disabled]) + no_osfsia=1 + fi + ], + ) + if test -z "$no_osfsia" ; then + if test -f /etc/sia/matrix.conf; then + AC_MSG_RESULT([yes]) + AC_DEFINE([HAVE_OSF_SIA], [1], + [Define if you have Digital Unix Security + Integration Architecture]) + AC_DEFINE([DISABLE_LOGIN], [1], + [Define if you don't want to use your + system's login() call]) + AC_DEFINE([DISABLE_FD_PASSING]) + LIBS="$LIBS -lsecurity -ldb -lm -laud" + SIA_MSG="yes" + else + AC_MSG_RESULT([no]) + AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"], + [String used in /etc/passwd to denote locked account]) + fi + fi + AC_DEFINE([BROKEN_GETADDRINFO]) + AC_DEFINE([SETEUID_BREAKS_SETUID]) + AC_DEFINE([BROKEN_SETREUID]) + AC_DEFINE([BROKEN_SETREGID]) + AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv]) + ;; + +*-*-nto-qnx*) + AC_DEFINE([USE_PIPES]) + AC_DEFINE([NO_X11_UNIX_SOCKETS]) + AC_DEFINE([DISABLE_LASTLOG]) + AC_DEFINE([SSHD_ACQUIRES_CTTY]) + AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken]) + enable_etc_default_login=no # has incompatible /etc/default/login + case "$host" in + *-*-nto-qnx6*) + AC_DEFINE([DISABLE_FD_PASSING]) + ;; + esac + ;; + +*-*-ultrix*) + AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1]) + AC_DEFINE([BROKEN_MMAP], [1], [Ultrix mmap can't map files]) + AC_DEFINE([NEED_SETPGRP]) + AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix]) + ;; + +*-*-lynxos) + CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" + AC_DEFINE([BROKEN_SETVBUF], [1], [LynxOS has broken setvbuf() implementation]) + ;; +esac + +AC_MSG_CHECKING([compiler and flags for sanity]) +AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ exit(0); ]])], + [ AC_MSG_RESULT([yes]) ], + [ + AC_MSG_RESULT([no]) + AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***]) + ], + [ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ] +) + +dnl Checks for header files. +# Checks for libraries. +AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])]) +AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])]) + +dnl IRIX and Solaris 2.5.1 have dirname() in libgen +AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [ + AC_CHECK_LIB([gen], [dirname], [ + AC_CACHE_CHECK([for broken dirname], + ac_cv_have_broken_dirname, [ + save_LIBS="$LIBS" + LIBS="$LIBS -lgen" + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include + +int main(int argc, char **argv) { + char *s, buf[32]; + + strncpy(buf,"/etc", 32); + s = dirname(buf); + if (!s || strncmp(s, "/", 32) != 0) { + exit(1); + } else { + exit(0); + } +} + ]])], + [ ac_cv_have_broken_dirname="no" ], + [ ac_cv_have_broken_dirname="yes" ], + [ ac_cv_have_broken_dirname="no" ], + ) + LIBS="$save_LIBS" + ]) + if test "x$ac_cv_have_broken_dirname" = "xno" ; then + LIBS="$LIBS -lgen" + AC_DEFINE([HAVE_DIRNAME]) + AC_CHECK_HEADERS([libgen.h]) + fi + ]) +]) + +AC_CHECK_FUNC([getspnam], , + [AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])]) +AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1], + [Define if you have the basename function.])]) + +dnl zlib is required +AC_ARG_WITH([zlib], + [ --with-zlib=PATH Use zlib in PATH], + [ if test "x$withval" = "xno" ; then + AC_MSG_ERROR([*** zlib is required ***]) + elif test "x$withval" != "xyes"; then + if test -d "$withval/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi ] +) + +AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])]) +AC_CHECK_LIB([z], [deflate], , + [ + saved_CPPFLAGS="$CPPFLAGS" + saved_LDFLAGS="$LDFLAGS" + save_LIBS="$LIBS" + dnl Check default zlib install dir + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}" + LIBS="$LIBS -lz" + AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])], + [ + AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***]) + ] + ) + ] +) + +AC_ARG_WITH([zlib-version-check], + [ --without-zlib-version-check Disable zlib version check], + [ if test "x$withval" = "xno" ; then + zlib_check_nonfatal=1 + fi + ] +) + +AC_MSG_CHECKING([for possibly buggy zlib]) +AC_RUN_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include + ]], + [[ + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); + if (n != 3 && n != 4) + exit(1); + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + + /* 1.1.4 is OK */ + if (a == 1 && b == 1 && c >= 4) + exit(0); + + /* 1.2.3 and up are OK */ + if (v >= 1020300) + exit(0); + + exit(2); + ]])], + AC_MSG_RESULT([no]), + [ AC_MSG_RESULT([yes]) + if test -z "$zlib_check_nonfatal" ; then + AC_MSG_ERROR([*** zlib too old - check config.log *** +Your reported zlib version has known security problems. It's possible your +vendor has fixed these problems without changing the version number. If you +are sure this is the case, you can disable the check by running +"./configure --without-zlib-version-check". +If you are in doubt, upgrade zlib to version 1.2.3 or greater. +See http://www.gzip.org/zlib/ for details.]) + else + AC_MSG_WARN([zlib version may have security problems]) + fi + ], + [ AC_MSG_WARN([cross compiling: not checking zlib version]) ] +) + +dnl UnixWare 2.x +AC_CHECK_FUNC([strcasecmp], + [], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ] +) +AC_CHECK_FUNCS([utimes], + [], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES]) + LIBS="$LIBS -lc89"]) ] +) + +dnl Checks for libutil functions +AC_CHECK_HEADERS([bsd/libutil.h libutil.h]) +AC_SEARCH_LIBS([fmt_scaled], [util bsd]) +AC_SEARCH_LIBS([scan_scaled], [util bsd]) +AC_SEARCH_LIBS([login], [util bsd]) +AC_SEARCH_LIBS([logout], [util bsd]) +AC_SEARCH_LIBS([logwtmp], [util bsd]) +AC_SEARCH_LIBS([openpty], [util bsd]) +AC_SEARCH_LIBS([updwtmp], [util bsd]) +AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) + +# On some platforms, inet_ntop may be found in libresolv or libnsl. +AC_SEARCH_LIBS([inet_ntop], [resolv nsl]) + +AC_FUNC_STRFTIME + +# Check for ALTDIRFUNC glob() extension +AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support]) +AC_EGREP_CPP([FOUNDIT], + [ + #include + #ifdef GLOB_ALTDIRFUNC + FOUNDIT + #endif + ], + [ + AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1], + [Define if your system glob() function has + the GLOB_ALTDIRFUNC extension]) + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + ] +) + +# Check for g.gl_matchc glob() extension +AC_MSG_CHECKING([for gl_matchc field in glob_t]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ glob_t g; g.gl_matchc = 1; ]])], + [ + AC_DEFINE([GLOB_HAS_GL_MATCHC], [1], + [Define if your system glob() function has + gl_matchc options in glob_t]) + AC_MSG_RESULT([yes]) + ], [ + AC_MSG_RESULT([no]) +]) + +# Check for g.gl_statv glob() extension +AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ +#ifndef GLOB_KEEPSTAT +#error "glob does not support GLOB_KEEPSTAT extension" +#endif +glob_t g; +g.gl_statv = NULL; +]])], + [ + AC_DEFINE([GLOB_HAS_GL_STATV], [1], + [Define if your system glob() function has + gl_statv options in glob_t]) + AC_MSG_RESULT([yes]) + ], [ + AC_MSG_RESULT([no]) + +]) + +AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include ]) + +AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include ]], + [[ + struct dirent d; + exit(sizeof(d.d_name)<=sizeof(char)); + ]])], + [AC_MSG_RESULT([yes])], + [ + AC_MSG_RESULT([no]) + AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1], + [Define if your struct dirent expects you to + allocate extra space for d_name]) + ], + [ + AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME]) + AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME]) + ] +) + +AC_MSG_CHECKING([for /proc/pid/fd directory]) +if test -d "/proc/$$/fd" ; then + AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd]) + AC_MSG_RESULT([yes]) +else + AC_MSG_RESULT([no]) +fi + +# Check whether user wants S/Key support +SKEY_MSG="no" +AC_ARG_WITH([skey], + [ --with-skey[[=PATH]] Enable S/Key support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + AC_DEFINE([SKEY], [1], [Define if you want S/Key support]) + LIBS="-lskey $LIBS" + SKEY_MSG="yes" + + AC_MSG_CHECKING([for s/key support]) + AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + char *ff = skey_keyinfo(""); ff=""; + exit(0); + ]])], + [AC_MSG_RESULT([yes])], + [ + AC_MSG_RESULT([no]) + AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) + ]) + AC_MSG_CHECKING([if skeychallenge takes 4 arguments]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + (void)skeychallenge(NULL,"name","",0); + ]])], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([SKEYCHALLENGE_4ARG], [1], + [Define if your skeychallenge() + function takes 4 arguments (NetBSD)])], + [ + AC_MSG_RESULT([no]) + ]) + fi + ] +) + +# Check whether user wants TCP wrappers support +TCPW_MSG="no" +AC_ARG_WITH([tcp-wrappers], + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + saved_LDFLAGS="$LDFLAGS" + saved_CPPFLAGS="$CPPFLAGS" + if test -n "${withval}" && \ + test "x${withval}" != "xyes"; then + if test -d "${withval}/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "${withval}/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + LIBS="-lwrap $LIBS" + AC_MSG_CHECKING([for libwrap]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include +#include +int deny_severity = 0, allow_severity = 0; + ]], [[ + hosts_access(0); + ]])], [ + AC_MSG_RESULT([yes]) + AC_DEFINE([LIBWRAP], [1], + [Define if you want + TCP Wrappers support]) + SSHDLIBS="$SSHDLIBS -lwrap" + TCPW_MSG="yes" + ], [ + AC_MSG_ERROR([*** libwrap missing]) + + ]) + LIBS="$saved_LIBS" + fi + ] +) + +# Check whether user wants to use ldns +LDNS_MSG="no" +AC_ARG_WITH(ldns, + [ --with-ldns[[=PATH]] Use ldns for DNSSEC support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support]) + LIBS="-lldns $LIBS" + LDNS_MSG="yes" + + AC_MSG_CHECKING([for ldns support]) + AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +#include +int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); } + ]]) + ], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_MSG_ERROR([** Incomplete or missing ldns libraries.]) + ]) + fi + ] +) + +# Check whether user wants libedit support +LIBEDIT_MSG="no" +AC_ARG_WITH([libedit], + [ --with-libedit[[=PATH]] Enable libedit support for sftp], + [ if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) + if test "x$PKGCONFIG" != "xno"; then + AC_MSG_CHECKING([if $PKGCONFIG knows about libedit]) + if "$PKGCONFIG" libedit; then + AC_MSG_RESULT([yes]) + use_pkgconfig_for_libedit=yes + else + AC_MSG_RESULT([no]) + fi + fi + else + CPPFLAGS="$CPPFLAGS -I${withval}/include" + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + fi + if test "x$use_pkgconfig_for_libedit" = "xyes"; then + LIBEDIT=`$PKGCONFIG --libs libedit` + CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" + else + LIBEDIT="-ledit -lcurses" + fi + OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'` + AC_CHECK_LIB([edit], [el_init], + [ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp]) + LIBEDIT_MSG="yes" + AC_SUBST([LIBEDIT]) + ], + [ AC_MSG_ERROR([libedit not found]) ], + [ $OTHERLIBS ] + ) + AC_MSG_CHECKING([if libedit version is compatible]) + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[ #include ]], + [[ + int i = H_SETSIZE; + el_init("", NULL, NULL, NULL); + exit(0); + ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + AC_MSG_ERROR([libedit version is not compatible]) ] + ) + fi ] +) + +AUDIT_MODULE=none +AC_ARG_WITH([audit], + [ --with-audit=module Enable audit support (modules=debug,bsm,linux)], + [ + AC_MSG_CHECKING([for supported audit module]) + case "$withval" in + bsm) + AC_MSG_RESULT([bsm]) + AUDIT_MODULE=bsm + dnl Checks for headers, libs and functions + AC_CHECK_HEADERS([bsm/audit.h], [], + [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])], + [ +#ifdef HAVE_TIME_H +# include +#endif + ] +) + AC_CHECK_LIB([bsm], [getaudit], [], + [AC_MSG_ERROR([BSM enabled and required library not found])]) + AC_CHECK_FUNCS([getaudit], [], + [AC_MSG_ERROR([BSM enabled and required function not found])]) + # These are optional + AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) + AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) + if test "$sol2ver" -ge 11; then + SSHDLIBS="$SSHDLIBS -lscf" + AC_DEFINE([BROKEN_BSM_API], [1], + [The system has incomplete BSM API]) + fi + ;; + linux) + AC_MSG_RESULT([linux]) + AUDIT_MODULE=linux + dnl Checks for headers, libs and functions + AC_CHECK_HEADERS([libaudit.h]) + SSHDLIBS="$SSHDLIBS -laudit" + AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module]) + ;; + debug) + AUDIT_MODULE=debug + AC_MSG_RESULT([debug]) + AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module]) + ;; + no) + AC_MSG_RESULT([no]) + ;; + *) + AC_MSG_ERROR([Unknown audit module $withval]) + ;; + esac ] +) + +AC_ARG_WITH([pie], + [ --with-pie Build Position Independent Executables if possible], [ + if test "x$withval" = "xno"; then + use_pie=no + fi + if test "x$withval" = "xyes"; then + use_pie=yes + fi + ] +) +if test "x$use_pie" = "x"; then + use_pie=no +fi +if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then + # Turn off automatic PIE when toolchain hardening is off. + use_pie=no +fi +if test "x$use_pie" = "xauto"; then + # Automatic PIE requires gcc >= 4.x + AC_MSG_CHECKING([for gcc >= 4.x]) + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ +#if !defined(__GNUC__) || __GNUC__ < 4 +#error gcc is too old +#endif +]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + use_pie=no ] +) +fi +if test "x$use_pie" != "xno"; then + SAVED_CFLAGS="$CFLAGS" + SAVED_LDFLAGS="$LDFLAGS" + OSSH_CHECK_CFLAG_COMPILE([-fPIE]) + OSSH_CHECK_LDFLAG_LINK([-pie]) + # We use both -fPIE and -pie or neither. + AC_MSG_CHECKING([whether both -fPIE and -pie are supported]) + if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \ + echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + CFLAGS="$SAVED_CFLAGS" + LDFLAGS="$SAVED_LDFLAGS" + fi +fi + +dnl Checks for library functions. Please keep in alphabetical order +AC_CHECK_FUNCS([ \ + Blowfish_initstate \ + Blowfish_expandstate \ + Blowfish_expand0state \ + Blowfish_stream2word \ + arc4random \ + arc4random_buf \ + arc4random_stir \ + arc4random_uniform \ + asprintf \ + b64_ntop \ + __b64_ntop \ + b64_pton \ + __b64_pton \ + bcopy \ + bcrypt_pbkdf \ + bindresvport_sa \ + blf_enc \ + cap_rights_limit \ + clock \ + closefrom \ + dirfd \ + endgrent \ + explicit_bzero \ + fchmod \ + fchown \ + freeaddrinfo \ + fstatfs \ + fstatvfs \ + futimes \ + getaddrinfo \ + getcwd \ + getgrouplist \ + getnameinfo \ + getopt \ + getpeereid \ + getpeerucred \ + getpgid \ + getpgrp \ + _getpty \ + getrlimit \ + getttyent \ + glob \ + group_from_gid \ + inet_aton \ + inet_ntoa \ + inet_ntop \ + innetgr \ + login_getcapbool \ + mblen \ + md5_crypt \ + memmove \ + mkdtemp \ + mmap \ + ngetaddrinfo \ + nsleep \ + ogetaddrinfo \ + openlog_r \ + poll \ + prctl \ + pstat \ + readpassphrase \ + realpath \ + recvmsg \ + rresvport_af \ + sendmsg \ + setdtablesize \ + setegid \ + setenv \ + seteuid \ + setgroupent \ + setgroups \ + setlinebuf \ + setlogin \ + setpassent\ + setpcred \ + setproctitle \ + setregid \ + setreuid \ + setrlimit \ + setsid \ + setvbuf \ + sigaction \ + sigvec \ + snprintf \ + socketpair \ + statfs \ + statvfs \ + strdup \ + strerror \ + strlcat \ + strlcpy \ + strmode \ + strnlen \ + strnvis \ + strptime \ + strtonum \ + strtoll \ + strtoul \ + strtoull \ + swap32 \ + sysconf \ + tcgetpgrp \ + timingsafe_bcmp \ + truncate \ + unsetenv \ + updwtmpx \ + user_from_uid \ + usleep \ + vasprintf \ + vhangup \ + vsnprintf \ + waitpid \ +]) + +AC_LINK_IFELSE( + [AC_LANG_PROGRAM( + [[ #include ]], + [[ return (isblank('a')); ]])], + [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) +]) + +# PKCS#11 support requires dlopen() and co +AC_SEARCH_LIBS([dlopen], [dl], + [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] +) + +# IRIX has a const char return value for gai_strerror() +AC_CHECK_FUNCS([gai_strerror], [ + AC_DEFINE([HAVE_GAI_STRERROR]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include + +const char *gai_strerror(int); + ]], [[ + char *str; + str = gai_strerror(0); + ]])], [ + AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1], + [Define if gai_strerror() returns const char *])], [])]) + +AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1], + [Some systems put nanosleep outside of libc])]) + +AC_SEARCH_LIBS([clock_gettime], [rt], + [AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])]) + +dnl Make sure prototypes are defined for these before using them. +AC_CHECK_DECL([getrusage], [AC_CHECK_FUNCS([getrusage])]) +AC_CHECK_DECL([strsep], + [AC_CHECK_FUNCS([strsep])], + [], + [ +#ifdef HAVE_STRING_H +# include +#endif + ]) + +dnl tcsendbreak might be a macro +AC_CHECK_DECL([tcsendbreak], + [AC_DEFINE([HAVE_TCSENDBREAK])], + [AC_CHECK_FUNCS([tcsendbreak])], + [#include ] +) + +AC_CHECK_DECLS([h_errno], , ,[#include ]) + +AC_CHECK_DECLS([SHUT_RD], , , + [ +#include +#include + ]) + +AC_CHECK_DECLS([O_NONBLOCK], , , + [ +#include +#ifdef HAVE_SYS_STAT_H +# include +#endif +#ifdef HAVE_FCNTL_H +# include +#endif + ]) + +AC_CHECK_DECLS([writev], , , [ +#include +#include +#include + ]) + +AC_CHECK_DECLS([MAXSYMLINKS], , , [ +#include + ]) + +AC_CHECK_DECLS([offsetof], , , [ +#include + ]) + +# extra bits for select(2) +AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[ +#include +#include +#ifdef HAVE_SYS_SYSMACROS_H +#include +#endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + ]]) +AC_CHECK_TYPES([fd_mask], [], [], [[ +#include +#include +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + ]]) + +AC_CHECK_FUNCS([setresuid], [ + dnl Some platorms have setresuid that isn't implemented, test for this + AC_MSG_CHECKING([if setresuid seems to work]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + errno=0; + setresuid(0,0,0); + if (errno==ENOSYS) + exit(1); + else + exit(0); + ]])], + [AC_MSG_RESULT([yes])], + [AC_DEFINE([BROKEN_SETRESUID], [1], + [Define if your setresuid() is broken]) + AC_MSG_RESULT([not implemented])], + [AC_MSG_WARN([cross compiling: not checking setresuid])] + ) +]) + +AC_CHECK_FUNCS([setresgid], [ + dnl Some platorms have setresgid that isn't implemented, test for this + AC_MSG_CHECKING([if setresgid seems to work]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + errno=0; + setresgid(0,0,0); + if (errno==ENOSYS) + exit(1); + else + exit(0); + ]])], + [AC_MSG_RESULT([yes])], + [AC_DEFINE([BROKEN_SETRESGID], [1], + [Define if your setresgid() is broken]) + AC_MSG_RESULT([not implemented])], + [AC_MSG_WARN([cross compiling: not checking setresuid])] + ) +]) + +dnl Checks for time functions +AC_CHECK_FUNCS([gettimeofday time]) +dnl Checks for utmp functions +AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent]) +AC_CHECK_FUNCS([utmpname]) +dnl Checks for utmpx functions +AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline]) +AC_CHECK_FUNCS([setutxdb setutxent utmpxname]) +dnl Checks for lastlog functions +AC_CHECK_FUNCS([getlastlogxbyname]) + +AC_CHECK_FUNC([daemon], + [AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])], + [AC_CHECK_LIB([bsd], [daemon], + [LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])] +) + +AC_CHECK_FUNC([getpagesize], + [AC_DEFINE([HAVE_GETPAGESIZE], [1], + [Define if your libraries define getpagesize()])], + [AC_CHECK_LIB([ucb], [getpagesize], + [LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])] +) + +# Check for broken snprintf +if test "x$ac_cv_func_snprintf" = "xyes" ; then + AC_MSG_CHECKING([whether snprintf correctly terminates long strings]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ #include ]], + [[ + char b[5]; + snprintf(b,5,"123456789"); + exit(b[4]!='\0'); + ]])], + [AC_MSG_RESULT([yes])], + [ + AC_MSG_RESULT([no]) + AC_DEFINE([BROKEN_SNPRINTF], [1], + [Define if your snprintf is busted]) + AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) + ], + [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ] + ) +fi + +# If we don't have a working asprintf, then we strongly depend on vsnprintf +# returning the right thing on overflow: the number of characters it tried to +# create (as per SUSv3) +if test "x$ac_cv_func_asprintf" != "xyes" && \ + test "x$ac_cv_func_vsnprintf" = "xyes" ; then + AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include + +int x_snprintf(char *str,size_t count,const char *fmt,...) +{ + size_t ret; va_list ap; + va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap); + return ret; +} + ]], [[ + char x[1]; + exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1); + ]])], + [AC_MSG_RESULT([yes])], + [ + AC_MSG_RESULT([no]) + AC_DEFINE([BROKEN_SNPRINTF], [1], + [Define if your snprintf is busted]) + AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor]) + ], + [ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ] + ) +fi + +# On systems where [v]snprintf is broken, but is declared in stdio, +# check that the fmt argument is const char * or just char *. +# This is only useful for when BROKEN_SNPRINTF +AC_MSG_CHECKING([whether snprintf can declare const char *fmt]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +int snprintf(char *a, size_t b, const char *c, ...) { return 0; } + ]], [[ + snprintf(0, 0, 0); + ]])], + [AC_MSG_RESULT([yes]) + AC_DEFINE([SNPRINTF_CONST], [const], + [Define as const if snprintf() can declare const char *fmt])], + [AC_MSG_RESULT([no]) + AC_DEFINE([SNPRINTF_CONST], [/* not const */])]) + +# Check for missing getpeereid (or equiv) support +NO_PEERCHECK="" +if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then + AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include ]], [[int i = SO_PEERCRED;]])], + [ AC_MSG_RESULT([yes]) + AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option]) + ], [AC_MSG_RESULT([no]) + NO_PEERCHECK=1 + ]) +fi + +dnl see whether mkstemp() requires XXXXXX +if test "x$ac_cv_func_mkdtemp" = "xyes" ; then +AC_MSG_CHECKING([for (overly) strict mkstemp]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include + ]], [[ + char template[]="conftest.mkstemp-test"; + if (mkstemp(template) == -1) + exit(1); + unlink(template); + exit(0); + ]])], + [ + AC_MSG_RESULT([no]) + ], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()]) + ], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([HAVE_STRICT_MKSTEMP]) + ] +) +fi + +dnl make sure that openpty does not reacquire controlling terminal +if test ! -z "$check_for_openpty_ctty_bug"; then + AC_MSG_CHECKING([if openpty correctly handles controlling tty]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include + ]], [[ + pid_t pid; + int fd, ptyfd, ttyfd, status; + + pid = fork(); + if (pid < 0) { /* failed */ + exit(1); + } else if (pid > 0) { /* parent */ + waitpid(pid, &status, 0); + if (WIFEXITED(status)) + exit(WEXITSTATUS(status)); + else + exit(2); + } else { /* child */ + close(0); close(1); close(2); + setsid(); + openpty(&ptyfd, &ttyfd, NULL, NULL, NULL); + fd = open("/dev/tty", O_RDWR | O_NOCTTY); + if (fd >= 0) + exit(3); /* Acquired ctty: broken */ + else + exit(0); /* Did not acquire ctty: OK */ + } + ]])], + [ + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + AC_DEFINE([SSHD_ACQUIRES_CTTY]) + ], + [ + AC_MSG_RESULT([cross-compiling, assuming yes]) + ] + ) +fi + +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING([if getaddrinfo seems to work]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + ]], [[ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (err != 0) { + if (err == EAI_SYSTEM) + perror("getnameinfo EAI_SYSTEM"); + else + fprintf(stderr, "getnameinfo failed: %s\n", + gai_strerror(err)); + exit(2); + } + + sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (sock < 0) + perror("socket"); + if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (errno == EBADF) + exit(3); + } + } + exit(0); + ]])], + [ + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + AC_DEFINE([BROKEN_GETADDRINFO]) + ], + [ + AC_MSG_RESULT([cross-compiling, assuming yes]) + ] + ) +fi + +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_aix_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING([if getaddrinfo seems to work]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + ]], [[ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (ai->ai_family == AF_INET && err != 0) { + perror("getnameinfo"); + exit(2); + } + } + exit(0); + ]])], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([AIX_GETNAMEINFO_HACK], [1], + [Define if you have a getaddrinfo that fails + for the all-zeros IPv6 address]) + ], + [ + AC_MSG_RESULT([no]) + AC_DEFINE([BROKEN_GETADDRINFO]) + ], + [ + AC_MSG_RESULT([cross-compiling, assuming no]) + ] + ) +fi + +if test "x$check_for_conflicting_getspnam" = "x1"; then + AC_MSG_CHECKING([for conflicting getspnam in shadow.h]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ exit(0); ]])], + [ + AC_MSG_RESULT([no]) + ], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1], + [Conflicting defs for getspnam]) + ] + ) +fi + +AC_FUNC_GETPGRP + +# Search for OpenSSL +saved_CPPFLAGS="$CPPFLAGS" +saved_LDFLAGS="$LDFLAGS" +AC_ARG_WITH([ssl-dir], + [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], + [ + if test "x$withval" != "xno" ; then + case "$withval" in + # Relative paths + ./*|../*) withval="`pwd`/$withval" + esac + if test -d "$withval/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + elif test -d "$withval/lib64"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib64 -R${withval}/lib64 ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib64 ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + ] +) +LIBS="-lcrypto $LIBS" +AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], + [Define if your ssl headers are included + with #include ])], + [ + dnl Check default openssl install dir + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" + AC_CHECK_HEADER([openssl/opensslv.h], , + [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) + AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], + [ + AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) + ] + ) + ] +) + +# Determine OpenSSL header version +AC_MSG_CHECKING([OpenSSL header version]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#define DATA "conftest.sslincver" + ]], [[ + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) + exit(1); + + exit(0); + ]])], + [ + ssl_header_ver=`cat conftest.sslincver` + AC_MSG_RESULT([$ssl_header_ver]) + ], + [ + AC_MSG_RESULT([not found]) + AC_MSG_ERROR([OpenSSL version header not found.]) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] +) + +# Determine OpenSSL library version +AC_MSG_CHECKING([OpenSSL library version]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#define DATA "conftest.ssllibver" + ]], [[ + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0) + exit(1); + + exit(0); + ]])], + [ + ssl_library_ver=`cat conftest.ssllibver` + AC_MSG_RESULT([$ssl_library_ver]) + ], + [ + AC_MSG_RESULT([not found]) + AC_MSG_ERROR([OpenSSL library not found.]) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] +) + +AC_ARG_WITH([openssl-header-check], + [ --without-openssl-header-check Disable OpenSSL version consistency check], + [ if test "x$withval" = "xno" ; then + openssl_check_nonfatal=1 + fi + ] +) + +# Sanity check OpenSSL headers +AC_MSG_CHECKING([whether OpenSSL's headers match the library]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); + ]])], + [ + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + if test "x$openssl_check_nonfatal" = "x"; then + AC_MSG_ERROR([Your OpenSSL headers do not match your +library. Check config.log for details. +If you are sure your installation is consistent, you can disable the check +by running "./configure --without-openssl-header-check". +Also see contrib/findssl.sh for help identifying header/library mismatches. +]) + else + AC_MSG_WARN([Your OpenSSL headers do not match your +library. Check config.log for details. +Also see contrib/findssl.sh for help identifying header/library mismatches.]) + fi + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] +) + +AC_MSG_CHECKING([if programs using OpenSSL functions will link]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ #include ]], + [[ SSLeay_add_all_algorithms(); ]])], + [ + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + saved_LIBS="$LIBS" + LIBS="$LIBS -ldl" + AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) + AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ #include ]], + [[ SSLeay_add_all_algorithms(); ]])], + [ + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + LIBS="$saved_LIBS" + ] + ) + ] +) + +AC_CHECK_FUNCS([ \ + BN_is_prime_ex \ + DSA_generate_parameters_ex \ + EVP_DigestInit_ex \ + EVP_DigestFinal_ex \ + EVP_MD_CTX_init \ + EVP_MD_CTX_cleanup \ + EVP_MD_CTX_copy_ex \ + HMAC_CTX_init \ + RSA_generate_key_ex \ + RSA_get_default_method \ +]) + +AC_ARG_WITH([ssl-engine], + [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], + [ if test "x$withval" != "xno" ; then + AC_MSG_CHECKING([for OpenSSL ENGINE support]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include + ]], [[ + ENGINE_load_builtin_engines(); + ENGINE_register_all_complete(); + ]])], + [ AC_MSG_RESULT([yes]) + AC_DEFINE([USE_OPENSSL_ENGINE], [1], + [Enable OpenSSL engine support]) + ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) + ]) + fi ] +) + +# Check for OpenSSL without EVP_aes_{192,256}_cbc +AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); + ]])], + [ + AC_MSG_RESULT([no]) + ], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], + [libcrypto is missing AES 192 and 256 bit functions]) + ] +) + +# Check for OpenSSL with EVP_aes_*ctr +AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + exit(EVP_aes_128_ctr() == NULL || + EVP_aes_192_cbc() == NULL || + EVP_aes_256_cbc() == NULL); + ]])], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], + [libcrypto has EVP AES CTR]) + ], + [ + AC_MSG_RESULT([no]) + ] +) + +# Check for OpenSSL with EVP_aes_*gcm +AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + exit(EVP_aes_128_gcm() == NULL || + EVP_aes_256_gcm() == NULL || + EVP_CTRL_GCM_SET_IV_FIXED == 0 || + EVP_CTRL_GCM_IV_GEN == 0 || + EVP_CTRL_GCM_SET_TAG == 0 || + EVP_CTRL_GCM_GET_TAG == 0 || + EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); + ]])], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], + [libcrypto has EVP AES GCM]) + ], + [ + AC_MSG_RESULT([no]) + unsupported_algorithms="$unsupported_cipers \ + aes128-gcm@openssh.com aes256-gcm@openssh.com" + ] +) + +AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], + [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], + [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) + +AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + if(EVP_DigestUpdate(NULL, NULL,0)) + exit(0); + ]])], + [ + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], + [Define if EVP_DigestUpdate returns void]) + ] +) + +# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, +# because the system crypt() is more featureful. +if test "x$check_for_libcrypt_before" = "x1"; then + AC_CHECK_LIB([crypt], [crypt]) +fi + +# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the +# version in OpenSSL. +if test "x$check_for_libcrypt_later" = "x1"; then + AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) +fi +AC_CHECK_FUNCS([crypt DES_crypt]) + +# Search for SHA256 support in libc and/or OpenSSL +AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , + [unsupported_algorithms="$unsupported_algorithms \ + hmac-sha2-256 hmac-sha2-512 \ + diffie-hellman-group-exchange-sha256 \ + hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" + ] +) + +# Check complete ECC support in OpenSSL +AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + ]], [[ + EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + const EVP_MD *m = EVP_sha256(); /* We need this too */ + ]])], + [ AC_MSG_RESULT([yes]) + enable_nistp256=1 ], + [ AC_MSG_RESULT([no]) ] +) + +AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + ]], [[ + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); + const EVP_MD *m = EVP_sha384(); /* We need this too */ + ]])], + [ AC_MSG_RESULT([yes]) + enable_nistp384=1 ], + [ AC_MSG_RESULT([no]) ] +) + +AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + ]], [[ + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); + const EVP_MD *m = EVP_sha512(); /* We need this too */ + ]])], + [ AC_MSG_RESULT([yes]) + AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include +#include + ]],[[ + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); + const EVP_MD *m = EVP_sha512(); /* We need this too */ + exit(e == NULL || m == NULL); + ]])], + [ AC_MSG_RESULT([yes]) + enable_nistp521=1 ], + [ AC_MSG_RESULT([no]) ], + [ AC_MSG_WARN([cross-compiling: assuming yes]) + enable_nistp521=1 ] + )], + AC_MSG_RESULT([no]) +) + +COMMENT_OUT_ECC="#no ecc#" +TEST_SSH_ECC=no + +if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ + test x$enable_nistp521 = x1; then + AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) +fi +if test x$enable_nistp256 = x1; then + AC_DEFINE([OPENSSL_HAS_NISTP256], [1], + [libcrypto has NID_X9_62_prime256v1]) + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ + ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" +fi +if test x$enable_nistp384 = x1; then + AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ + ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" +fi +if test x$enable_nistp521 = x1; then + AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ + ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" +fi + +AC_SUBST([TEST_SSH_ECC]) +AC_SUBST([COMMENT_OUT_ECC]) + +saved_LIBS="$LIBS" +AC_CHECK_LIB([iaf], [ia_openinfo], [ + LIBS="$LIBS -liaf" + AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf" + AC_DEFINE([HAVE_LIBIAF], [1], + [Define if system has libiaf that supports set_id]) + ]) +]) +LIBS="$saved_LIBS" + +### Configure cryptographic random number support + +# Check wheter OpenSSL seeds itself +AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + exit(RAND_status() == 1 ? 0 : 1); + ]])], + [ + OPENSSL_SEEDS_ITSELF=yes + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + ], + [ + AC_MSG_WARN([cross compiling: assuming yes]) + # This is safe, since we will fatal() at runtime if + # OpenSSL is not seeded correctly. + OPENSSL_SEEDS_ITSELF=yes + ] +) + +# PRNGD TCP socket +AC_ARG_WITH([prngd-port], + [ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT], + [ + case "$withval" in + no) + withval="" + ;; + [[0-9]]*) + ;; + *) + AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port]) + ;; + esac + if test ! -z "$withval" ; then + PRNGD_PORT="$withval" + AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT], + [Port number of PRNGD/EGD random number socket]) + fi + ] +) + +# PRNGD Unix domain socket +AC_ARG_WITH([prngd-socket], + [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], + [ + case "$withval" in + yes) + withval="/var/run/egd-pool" + ;; + no) + withval="" + ;; + /*) + ;; + *) + AC_MSG_ERROR([You must specify an absolute path to the entropy socket]) + ;; + esac + + if test ! -z "$withval" ; then + if test ! -z "$PRNGD_PORT" ; then + AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket]) + fi + if test ! -r "$withval" ; then + AC_MSG_WARN([Entropy socket is not readable]) + fi + PRNGD_SOCKET="$withval" + AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"], + [Location of PRNGD/EGD random number socket]) + fi + ], + [ + # Check for existing socket only if we don't have a random device already + if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then + AC_MSG_CHECKING([for PRNGD/EGD socket]) + # Insert other locations here + for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do + if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then + PRNGD_SOCKET="$sock" + AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"]) + break; + fi + done + if test ! -z "$PRNGD_SOCKET" ; then + AC_MSG_RESULT([$PRNGD_SOCKET]) + else + AC_MSG_RESULT([not found]) + fi + fi + ] +) + +# Which randomness source do we use? +if test ! -z "$PRNGD_PORT" ; then + RAND_MSG="PRNGd port $PRNGD_PORT" +elif test ! -z "$PRNGD_SOCKET" ; then + RAND_MSG="PRNGd socket $PRNGD_SOCKET" +elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then + AC_DEFINE([OPENSSL_PRNG_ONLY], [1], + [Define if you want OpenSSL's internally seeded PRNG only]) + RAND_MSG="OpenSSL internal ONLY" +else + AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) +fi + +# Check for PAM libs +PAM_MSG="no" +AC_ARG_WITH([pam], + [ --with-pam Enable PAM support ], + [ + if test "x$withval" != "xno" ; then + if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \ + test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then + AC_MSG_ERROR([PAM headers not found]) + fi + + saved_LIBS="$LIBS" + AC_CHECK_LIB([dl], [dlopen], , ) + AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])]) + AC_CHECK_FUNCS([pam_getenvlist]) + AC_CHECK_FUNCS([pam_putenv]) + LIBS="$saved_LIBS" + + PAM_MSG="yes" + + SSHDLIBS="$SSHDLIBS -lpam" + AC_DEFINE([USE_PAM], [1], + [Define if you want to enable PAM support]) + + if test $ac_cv_lib_dl_dlopen = yes; then + case "$LIBS" in + *-ldl*) + # libdl already in LIBS + ;; + *) + SSHDLIBS="$SSHDLIBS -ldl" + ;; + esac + fi + fi + ] +) + +# Check for older PAM +if test "x$PAM_MSG" = "xyes" ; then + # Check PAM strerror arguments (old PAM) + AC_MSG_CHECKING([whether pam_strerror takes only one argument]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#if defined(HAVE_SECURITY_PAM_APPL_H) +#include +#elif defined (HAVE_PAM_PAM_APPL_H) +#include +#endif + ]], [[ +(void)pam_strerror((pam_handle_t *)NULL, -1); + ]])], [AC_MSG_RESULT([no])], [ + AC_DEFINE([HAVE_OLD_PAM], [1], + [Define if you have an old version of PAM + which takes only one argument to pam_strerror]) + AC_MSG_RESULT([yes]) + PAM_MSG="yes (old library)" + + ]) +fi + +SSH_PRIVSEP_USER=sshd +AC_ARG_WITH([privsep-user], + [ --with-privsep-user=user Specify non-privileged user for privilege separation], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + SSH_PRIVSEP_USER=$withval + fi + ] +) +AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], + [non-privileged user for privilege separation]) +AC_SUBST([SSH_PRIVSEP_USER]) + +if test "x$have_linux_no_new_privs" = "x1" ; then +AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ + #include + #include +]) +fi +if test "x$have_seccomp_filter" = "x1" ; then +AC_MSG_CHECKING([kernel for seccomp_filter support]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([[ + #include + #include + #include + #include + #include + #include + ]], + [[ int i = $seccomp_audit_arch; + errno = 0; + prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); + exit(errno == EFAULT ? 0 : 1); ]])], + [ AC_MSG_RESULT([yes]) ], [ + AC_MSG_RESULT([no]) + # Disable seccomp filter as a target + have_seccomp_filter=0 + ] +) +fi + +# Decide which sandbox style to use +sandbox_arg="" +AC_ARG_WITH([sandbox], + [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], + [ + if test "x$withval" = "xyes" ; then + sandbox_arg="" + else + sandbox_arg="$withval" + fi + ] +) + +# Some platforms (seems to be the ones that have a kernel poll(2)-type +# function with which they implement select(2)) use an extra file descriptor +# when calling select(2), which means we can't use the rlimit sandbox. +AC_MSG_CHECKING([if select works with descriptor rlimit]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#ifdef HAVE_SYS_TIME_H +# include +#endif +#include +#ifdef HAVE_SYS_SELECT_H +# include +#endif +#include +#include +#include + ]],[[ + struct rlimit rl_zero; + int fd, r; + fd_set fds; + struct timeval tv; + + fd = open("/dev/null", O_RDONLY); + FD_ZERO(&fds); + FD_SET(fd, &fds); + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + setrlimit(RLIMIT_FSIZE, &rl_zero); + setrlimit(RLIMIT_NOFILE, &rl_zero); + tv.tv_sec = 1; + tv.tv_usec = 0; + r = select(fd+1, &fds, NULL, NULL, &tv); + exit (r == -1 ? 1 : 0); + ]])], + [AC_MSG_RESULT([yes]) + select_works_with_rlimit=yes], + [AC_MSG_RESULT([no]) + select_works_with_rlimit=no], + [AC_MSG_WARN([cross compiling: assuming yes])] +) + +AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#ifdef HAVE_SYS_TIME_H +# include +#endif +#include +#include +#include + ]],[[ + struct rlimit rl_zero; + int fd, r; + fd_set fds; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + r = setrlimit(RLIMIT_NOFILE, &rl_zero); + exit (r == -1 ? 1 : 0); + ]])], + [AC_MSG_RESULT([yes]) + rlimit_nofile_zero_works=yes], + [AC_MSG_RESULT([no]) + rlimit_nofile_zero_works=no], + [AC_MSG_WARN([cross compiling: assuming yes])] +) + +AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include + ]],[[ + struct rlimit rl_zero; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0); + ]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1, + [setrlimit RLIMIT_FSIZE works])], + [AC_MSG_WARN([cross compiling: assuming yes])] +) + +if test "x$sandbox_arg" = "xsystrace" || \ + ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then + test "x$have_systr_policy_kill" != "x1" && \ + AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support]) + SANDBOX_STYLE="systrace" + AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)]) +elif test "x$sandbox_arg" = "xdarwin" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \ + test "x$ac_cv_header_sandbox_h" = "xyes") ; then + test "x$ac_cv_func_sandbox_init" != "xyes" -o \ + "x$ac_cv_header_sandbox_h" != "xyes" && \ + AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function]) + SANDBOX_STYLE="darwin" + AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) +elif test "x$sandbox_arg" = "xseccomp_filter" || \ + ( test -z "$sandbox_arg" && \ + test "x$have_seccomp_filter" = "x1" && \ + test "x$ac_cv_header_elf_h" = "xyes" && \ + test "x$ac_cv_header_linux_audit_h" = "xyes" && \ + test "x$ac_cv_header_linux_filter_h" = "xyes" && \ + test "x$seccomp_audit_arch" != "x" && \ + test "x$have_linux_no_new_privs" = "x1" && \ + test "x$ac_cv_func_prctl" = "xyes" ) ; then + test "x$seccomp_audit_arch" = "x" && \ + AC_MSG_ERROR([seccomp_filter sandbox not supported on $host]) + test "x$have_linux_no_new_privs" != "x1" && \ + AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS]) + test "x$have_seccomp_filter" != "x1" && \ + AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers]) + test "x$ac_cv_func_prctl" != "xyes" && \ + AC_MSG_ERROR([seccomp_filter sandbox requires prctl function]) + SANDBOX_STYLE="seccomp_filter" + AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) +elif test "x$sandbox_arg" = "xcapsicum" || \ + ( test -z "$sandbox_arg" && \ + test "x$ac_cv_header_sys_capability_h" = "xyes" && \ + test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then + test "x$ac_cv_header_sys_capability_h" != "xyes" && \ + AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header]) + test "x$ac_cv_func_cap_rights_limit" != "xyes" && \ + AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function]) + SANDBOX_STYLE="capsicum" + AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum]) +elif test "x$sandbox_arg" = "xrlimit" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ + test "x$select_works_with_rlimit" = "xyes" && \ + test "x$rlimit_nofile_zero_works" = "xyes" ) ; then + test "x$ac_cv_func_setrlimit" != "xyes" && \ + AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) + test "x$select_works_with_rlimit" != "xyes" && \ + AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit]) + SANDBOX_STYLE="rlimit" + AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) +elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ + test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then + SANDBOX_STYLE="none" + AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing]) +else + AC_MSG_ERROR([unsupported --with-sandbox]) +fi + +# Cheap hack to ensure NEWS-OS libraries are arranged right. +if test ! -z "$SONY" ; then + LIBS="$LIBS -liberty"; +fi + +# Check for long long datatypes +AC_CHECK_TYPES([long long, unsigned long long, long double]) + +# Check datatype sizes +AC_CHECK_SIZEOF([short int], [2]) +AC_CHECK_SIZEOF([int], [4]) +AC_CHECK_SIZEOF([long int], [4]) +AC_CHECK_SIZEOF([long long int], [8]) + +# Sanity check long long for some platforms (AIX) +if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then + ac_cv_sizeof_long_long_int=0 +fi + +# compute LLONG_MIN and LLONG_MAX if we don't know them. +if test -z "$have_llong_max"; then + AC_MSG_CHECKING([for max value of long long]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +/* Why is this so damn hard? */ +#ifdef __GNUC__ +# undef __GNUC__ +#endif +#define __USE_ISOC99 +#include +#define DATA "conftest.llminmax" +#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a)) + +/* + * printf in libc on some platforms (eg old Tru64) does not understand %lld so + * we do this the hard way. + */ +static int +fprint_ll(FILE *f, long long n) +{ + unsigned int i; + int l[sizeof(long long) * 8]; + + if (n < 0) + if (fprintf(f, "-") < 0) + return -1; + for (i = 0; n != 0; i++) { + l[i] = my_abs(n % 10); + n /= 10; + } + do { + if (fprintf(f, "%d", l[--i]) < 0) + return -1; + } while (i != 0); + if (fprintf(f, " ") < 0) + return -1; + return 0; +} + ]], [[ + FILE *f; + long long i, llmin, llmax = 0; + + if((f = fopen(DATA,"w")) == NULL) + exit(1); + +#if defined(LLONG_MIN) && defined(LLONG_MAX) + fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n"); + llmin = LLONG_MIN; + llmax = LLONG_MAX; +#else + fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n"); + /* This will work on one's complement and two's complement */ + for (i = 1; i > llmax; i <<= 1, i++) + llmax = i; + llmin = llmax + 1LL; /* wrap */ +#endif + + /* Sanity check */ + if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax + || llmax - 1 > llmax || llmin == llmax || llmin == 0 + || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) { + fprintf(f, "unknown unknown\n"); + exit(2); + } + + if (fprint_ll(f, llmin) < 0) + exit(3); + if (fprint_ll(f, llmax) < 0) + exit(4); + if (fclose(f) < 0) + exit(5); + exit(0); + ]])], + [ + llong_min=`$AWK '{print $1}' conftest.llminmax` + llong_max=`$AWK '{print $2}' conftest.llminmax` + + AC_MSG_RESULT([$llong_max]) + AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL], + [max value of long long calculated by configure]) + AC_MSG_CHECKING([for min value of long long]) + AC_MSG_RESULT([$llong_min]) + AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL], + [min value of long long calculated by configure]) + ], + [ + AC_MSG_RESULT([not found]) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] + ) +fi + + +# More checks for data types +AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ u_int a; a = 1;]])], + [ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no" + ]) +]) +if test "x$ac_cv_have_u_int" = "xyes" ; then + AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type]) + have_u_int=1 +fi + +AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])], + [ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no" + ]) +]) +if test "x$ac_cv_have_intxx_t" = "xyes" ; then + AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type]) + have_intxx_t=1 +fi + +if (test -z "$have_intxx_t" && \ + test "x$ac_cv_header_stdint_h" = "xyes") +then + AC_MSG_CHECKING([for intXX_t types in stdint.h]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])], + [ + AC_DEFINE([HAVE_INTXX_T]) + AC_MSG_RESULT([yes]) + ], [ AC_MSG_RESULT([no]) + ]) +fi + +AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#ifdef HAVE_STDINT_H +# include +#endif +#include +#ifdef HAVE_SYS_BITYPES_H +# include +#endif + ]], [[ +int64_t a; a = 1; + ]])], + [ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no" + ]) +]) +if test "x$ac_cv_have_int64_t" = "xyes" ; then + AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type]) +fi + +AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])], + [ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no" + ]) +]) +if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then + AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type]) + have_u_intxx_t=1 +fi + +if test -z "$have_u_intxx_t" ; then + AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])], + [ + AC_DEFINE([HAVE_U_INTXX_T]) + AC_MSG_RESULT([yes]) + ], [ AC_MSG_RESULT([no]) + ]) +fi + +AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ u_int64_t a; a = 1;]])], + [ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no" + ]) +]) +if test "x$ac_cv_have_u_int64_t" = "xyes" ; then + AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type]) + have_u_int64_t=1 +fi + +if (test -z "$have_u_int64_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then + AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ u_int64_t a; a = 1]])], + [ + AC_DEFINE([HAVE_U_INT64_T]) + AC_MSG_RESULT([yes]) + ], [ AC_MSG_RESULT([no]) + ]) +fi + +if test -z "$have_u_intxx_t" ; then + AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include + ]], [[ + uint8_t a; + uint16_t b; + uint32_t c; + a = b = c = 1; + ]])], + [ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no" + ]) + ]) + if test "x$ac_cv_have_uintxx_t" = "xyes" ; then + AC_DEFINE([HAVE_UINTXX_T], [1], + [define if you have uintxx_t data type]) + fi +fi + +if (test -z "$have_uintxx_t" && \ + test "x$ac_cv_header_stdint_h" = "xyes") +then + AC_MSG_CHECKING([for uintXX_t types in stdint.h]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], + [ + AC_DEFINE([HAVE_UINTXX_T]) + AC_MSG_RESULT([yes]) + ], [ AC_MSG_RESULT([no]) + ]) +fi + +if (test -z "$have_uintxx_t" && \ + test "x$ac_cv_header_inttypes_h" = "xyes") +then + AC_MSG_CHECKING([for uintXX_t types in inttypes.h]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], + [ + AC_DEFINE([HAVE_UINTXX_T]) + AC_MSG_RESULT([yes]) + ], [ AC_MSG_RESULT([no]) + ]) +fi + +if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then + AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include + ]], [[ + int8_t a; int16_t b; int32_t c; + u_int8_t e; u_int16_t f; u_int32_t g; + a = b = c = e = f = g = 1; + ]])], + [ + AC_DEFINE([HAVE_U_INTXX_T]) + AC_DEFINE([HAVE_INTXX_T]) + AC_MSG_RESULT([yes]) + ], [AC_MSG_RESULT([no]) + ]) +fi + + +AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ u_char foo; foo = 125; ]])], + [ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no" + ]) +]) +if test "x$ac_cv_have_u_char" = "xyes" ; then + AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type]) +fi + +AC_CHECK_TYPES([intmax_t, uintmax_t], , , [ +#include +#include +]) + +TYPE_SOCKLEN_T + +AC_CHECK_TYPES([sig_atomic_t], , , [#include ]) +AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [ +#include +#ifdef HAVE_SYS_BITYPES_H +#include +#endif +#ifdef HAVE_SYS_STATFS_H +#include +#endif +#ifdef HAVE_SYS_STATVFS_H +#include +#endif +]) + +AC_CHECK_TYPES([in_addr_t, in_port_t], , , +[#include +#include ]) + +AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ size_t foo; foo = 1235; ]])], + [ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no" + ]) +]) +if test "x$ac_cv_have_size_t" = "xyes" ; then + AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type]) +fi + +AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ ssize_t foo; foo = 1235; ]])], + [ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no" + ]) +]) +if test "x$ac_cv_have_ssize_t" = "xyes" ; then + AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type]) +fi + +AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ clock_t foo; foo = 1235; ]])], + [ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no" + ]) +]) +if test "x$ac_cv_have_clock_t" = "xyes" ; then + AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type]) +fi + +AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include + ]], [[ sa_family_t foo; foo = 1235; ]])], + [ ac_cv_have_sa_family_t="yes" ], + [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include + ]], [[ sa_family_t foo; foo = 1235; ]])], + [ ac_cv_have_sa_family_t="yes" ], + [ ac_cv_have_sa_family_t="no" ] + ) + ]) +]) +if test "x$ac_cv_have_sa_family_t" = "xyes" ; then + AC_DEFINE([HAVE_SA_FAMILY_T], [1], + [define if you have sa_family_t data type]) +fi + +AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ pid_t foo; foo = 1235; ]])], + [ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no" + ]) +]) +if test "x$ac_cv_have_pid_t" = "xyes" ; then + AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type]) +fi + +AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ mode_t foo; foo = 1235; ]])], + [ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no" + ]) +]) +if test "x$ac_cv_have_mode_t" = "xyes" ; then + AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type]) +fi + + +AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include + ]], [[ struct sockaddr_storage s; ]])], + [ ac_cv_have_struct_sockaddr_storage="yes" ], + [ ac_cv_have_struct_sockaddr_storage="no" + ]) +]) +if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then + AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1], + [define if you have struct sockaddr_storage data type]) +fi + +AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include + ]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])], + [ ac_cv_have_struct_sockaddr_in6="yes" ], + [ ac_cv_have_struct_sockaddr_in6="no" + ]) +]) +if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then + AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1], + [define if you have struct sockaddr_in6 data type]) +fi + +AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include + ]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])], + [ ac_cv_have_struct_in6_addr="yes" ], + [ ac_cv_have_struct_in6_addr="no" + ]) +]) +if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then + AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1], + [define if you have struct in6_addr data type]) + +dnl Now check for sin6_scope_id + AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , , + [ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#include + ]) +fi + +AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include + ]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])], + [ ac_cv_have_struct_addrinfo="yes" ], + [ ac_cv_have_struct_addrinfo="no" + ]) +]) +if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then + AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1], + [define if you have struct addrinfo data type]) +fi + +AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ struct timeval tv; tv.tv_sec = 1;]])], + [ ac_cv_have_struct_timeval="yes" ], + [ ac_cv_have_struct_timeval="no" + ]) +]) +if test "x$ac_cv_have_struct_timeval" = "xyes" ; then + AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval]) + have_struct_timeval=1 +fi + +AC_CHECK_TYPES([struct timespec]) + +# We need int64_t or else certian parts of the compile will fail. +if test "x$ac_cv_have_int64_t" = "xno" && \ + test "x$ac_cv_sizeof_long_int" != "x8" && \ + test "x$ac_cv_sizeof_long_long_int" = "x0" ; then + echo "OpenSSH requires int64_t support. Contact your vendor or install" + echo "an alternative compiler (I.E., GCC) before continuing." + echo "" + exit 1; +else +dnl test snprintf (broken on SCO w/gcc) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#ifdef HAVE_SNPRINTF +main() +{ + char buf[50]; + char expected_out[50]; + int mazsize = 50 ; +#if (SIZEOF_LONG_INT == 8) + long int num = 0x7fffffffffffffff; +#else + long long num = 0x7fffffffffffffffll; +#endif + strcpy(expected_out, "9223372036854775807"); + snprintf(buf, mazsize, "%lld", num); + if(strcmp(buf, expected_out) != 0) + exit(1); + exit(0); +} +#else +main() { exit(0); } +#endif + ]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ], + AC_MSG_WARN([cross compiling: Assuming working snprintf()]) + ) +fi + +dnl Checks for structure members +OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX]) +OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX]) +OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX]) + +AC_CHECK_MEMBERS([struct stat.st_blksize]) +AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class, +struct passwd.pw_change, struct passwd.pw_expire], +[], [], [[ +#include +#include +]]) + +AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state], + [Define if we don't have struct __res_state in resolv.h])], +[[ +#include +#if HAVE_SYS_TYPES_H +# include +#endif +#include +#include +#include +]]) + +AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage], + ac_cv_have_ss_family_in_struct_ss, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include + ]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])], + [ ac_cv_have_ss_family_in_struct_ss="yes" ], + [ ac_cv_have_ss_family_in_struct_ss="no" ]) +]) +if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then + AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage]) +fi + +AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage], + ac_cv_have___ss_family_in_struct_ss, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include + ]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])], + [ ac_cv_have___ss_family_in_struct_ss="yes" ], + [ ac_cv_have___ss_family_in_struct_ss="no" + ]) +]) +if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then + AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1], + [Fields in struct sockaddr_storage]) +fi + +dnl make sure we're using the real structure members and not defines +AC_CACHE_CHECK([for msg_accrights field in struct msghdr], + ac_cv_have_accrights_in_msghdr, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include + ]], [[ +#ifdef msg_accrights +#error "msg_accrights is a macro" +exit(1); +#endif +struct msghdr m; +m.msg_accrights = 0; +exit(0); + ]])], + [ ac_cv_have_accrights_in_msghdr="yes" ], + [ ac_cv_have_accrights_in_msghdr="no" ] + ) +]) +if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then + AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1], + [Define if your system uses access rights style + file descriptor passing]) +fi + +AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#ifdef HAVE_SYS_TIME_H +# include +#endif +#ifdef HAVE_SYS_MOUNT_H +#include +#endif +#ifdef HAVE_SYS_STATVFS_H +#include +#endif + ]], [[ struct statvfs s; s.f_fsid = 0; ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + + AC_MSG_CHECKING([if fsid_t has member val]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include + ]], [[ fsid_t t; t.val[0] = 0; ]])], + [ AC_MSG_RESULT([yes]) + AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ], + [ AC_MSG_RESULT([no]) ]) + + AC_MSG_CHECKING([if f_fsid has member __val]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include + ]], [[ fsid_t t; t.__val[0] = 0; ]])], + [ AC_MSG_RESULT([yes]) + AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ], + [ AC_MSG_RESULT([no]) ]) +]) + +AC_CACHE_CHECK([for msg_control field in struct msghdr], + ac_cv_have_control_in_msghdr, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include + ]], [[ +#ifdef msg_control +#error "msg_control is a macro" +exit(1); +#endif +struct msghdr m; +m.msg_control = 0; +exit(0); + ]])], + [ ac_cv_have_control_in_msghdr="yes" ], + [ ac_cv_have_control_in_msghdr="no" ] + ) +]) +if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then + AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1], + [Define if your system uses ancillary data style + file descriptor passing]) +fi + +AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], + [[ extern char *__progname; printf("%s", __progname); ]])], + [ ac_cv_libc_defines___progname="yes" ], + [ ac_cv_libc_defines___progname="no" + ]) +]) +if test "x$ac_cv_libc_defines___progname" = "xyes" ; then + AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname]) +fi + +AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ printf("%s", __FUNCTION__); ]])], + [ ac_cv_cc_implements___FUNCTION__="yes" ], + [ ac_cv_cc_implements___FUNCTION__="no" + ]) +]) +if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then + AC_DEFINE([HAVE___FUNCTION__], [1], + [Define if compiler implements __FUNCTION__]) +fi + +AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ printf("%s", __func__); ]])], + [ ac_cv_cc_implements___func__="yes" ], + [ ac_cv_cc_implements___func__="no" + ]) +]) +if test "x$ac_cv_cc_implements___func__" = "xyes" ; then + AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__]) +fi + +AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#include +va_list x,y; + ]], [[ va_copy(x,y); ]])], + [ ac_cv_have_va_copy="yes" ], + [ ac_cv_have_va_copy="no" + ]) +]) +if test "x$ac_cv_have_va_copy" = "xyes" ; then + AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists]) +fi + +AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#include +va_list x,y; + ]], [[ __va_copy(x,y); ]])], + [ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no" + ]) +]) +if test "x$ac_cv_have___va_copy" = "xyes" ; then + AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists]) +fi + +AC_CACHE_CHECK([whether getopt has optreset support], + ac_cv_have_getopt_optreset, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ extern int optreset; optreset = 0; ]])], + [ ac_cv_have_getopt_optreset="yes" ], + [ ac_cv_have_getopt_optreset="no" + ]) +]) +if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then + AC_DEFINE([HAVE_GETOPT_OPTRESET], [1], + [Define if your getopt(3) defines and uses optreset]) +fi + +AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], +[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])], + [ ac_cv_libc_defines_sys_errlist="yes" ], + [ ac_cv_libc_defines_sys_errlist="no" + ]) +]) +if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then + AC_DEFINE([HAVE_SYS_ERRLIST], [1], + [Define if your system defines sys_errlist[]]) +fi + + +AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], +[[ extern int sys_nerr; printf("%i", sys_nerr);]])], + [ ac_cv_libc_defines_sys_nerr="yes" ], + [ ac_cv_libc_defines_sys_nerr="no" + ]) +]) +if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then + AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr]) +fi + +# Check libraries needed by DNS fingerprint support +AC_SEARCH_LIBS([getrrsetbyname], [resolv], + [AC_DEFINE([HAVE_GETRRSETBYNAME], [1], + [Define if getrrsetbyname() exists])], + [ + # Needed by our getrrsetbyname() + AC_SEARCH_LIBS([res_query], [resolv]) + AC_SEARCH_LIBS([dn_expand], [resolv]) + AC_MSG_CHECKING([if res_query will link]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include + ]], [[ + res_query (0, 0, 0, 0, 0); + ]])], + AC_MSG_RESULT([yes]), + [AC_MSG_RESULT([no]) + saved_LIBS="$LIBS" + LIBS="$LIBS -lresolv" + AC_MSG_CHECKING([for res_query in -lresolv]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include + ]], [[ + res_query (0, 0, 0, 0, 0); + ]])], + [AC_MSG_RESULT([yes])], + [LIBS="$saved_LIBS" + AC_MSG_RESULT([no])]) + ]) + AC_CHECK_FUNCS([_getshort _getlong]) + AC_CHECK_DECLS([_getshort, _getlong], , , + [#include + #include ]) + AC_CHECK_MEMBER([HEADER.ad], + [AC_DEFINE([HAVE_HEADER_AD], [1], + [Define if HEADER.ad exists in arpa/nameser.h])], , + [#include ]) + ]) + +AC_MSG_CHECKING([if struct __res_state _res is an extern]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#include +#if HAVE_SYS_TYPES_H +# include +#endif +#include +#include +#include +extern struct __res_state _res; + ]], [[ ]])], + [AC_MSG_RESULT([yes]) + AC_DEFINE([HAVE__RES_EXTERN], [1], + [Define if you have struct __res_state _res as an extern]) + ], + [ AC_MSG_RESULT([no]) ] +) + +# Check whether user wants SELinux support +SELINUX_MSG="no" +LIBSELINUX="" +AC_ARG_WITH([selinux], + [ --with-selinux Enable SELinux support], + [ if test "x$withval" != "xno" ; then + save_LIBS="$LIBS" + AC_DEFINE([WITH_SELINUX], [1], + [Define if you want SELinux support.]) + SELINUX_MSG="yes" + AC_CHECK_HEADER([selinux/selinux.h], , + AC_MSG_ERROR([SELinux support requires selinux.h header])) + AC_CHECK_LIB([selinux], [setexeccon], + [ LIBSELINUX="-lselinux" + LIBS="$LIBS -lselinux" + ], + AC_MSG_ERROR([SELinux support requires libselinux library])) + SSHLIBS="$SSHLIBS $LIBSELINUX" + SSHDLIBS="$SSHDLIBS $LIBSELINUX" + AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level]) + LIBS="$save_LIBS" + fi ] +) +AC_SUBST([SSHLIBS]) +AC_SUBST([SSHDLIBS]) + +# Check whether user wants Kerberos 5 support +KRB5_MSG="no" +AC_ARG_WITH([kerberos5], + [ --with-kerberos5=PATH Enable Kerberos 5 support], + [ if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + KRB5ROOT="/usr/local" + else + KRB5ROOT=${withval} + fi + + AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support]) + KRB5_MSG="yes" + + AC_PATH_PROG([KRB5CONF], [krb5-config], + [$KRB5ROOT/bin/krb5-config], + [$KRB5ROOT/bin:$PATH]) + if test -x $KRB5CONF ; then + K5CFLAGS="`$KRB5CONF --cflags`" + K5LIBS="`$KRB5CONF --libs`" + CPPFLAGS="$CPPFLAGS $K5CFLAGS" + + AC_MSG_CHECKING([for gssapi support]) + if $KRB5CONF | grep gssapi >/dev/null ; then + AC_MSG_RESULT([yes]) + AC_DEFINE([GSSAPI], [1], + [Define this if you want GSSAPI + support in the version 2 protocol]) + GSSCFLAGS="`$KRB5CONF --cflags gssapi`" + GSSLIBS="`$KRB5CONF --libs gssapi`" + CPPFLAGS="$CPPFLAGS $GSSCFLAGS" + else + AC_MSG_RESULT([no]) + fi + AC_MSG_CHECKING([whether we are using Heimdal]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include + ]], [[ char *tmp = heimdal_version; ]])], + [ AC_MSG_RESULT([yes]) + AC_DEFINE([HEIMDAL], [1], + [Define this if you are using the Heimdal + version of Kerberos V5]) ], + [AC_MSG_RESULT([no]) + ]) + else + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include" + LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" + AC_MSG_CHECKING([whether we are using Heimdal]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include + ]], [[ char *tmp = heimdal_version; ]])], + [ AC_MSG_RESULT([yes]) + AC_DEFINE([HEIMDAL]) + K5LIBS="-lkrb5" + K5LIBS="$K5LIBS -lcom_err -lasn1" + AC_CHECK_LIB([roken], [net_write], + [K5LIBS="$K5LIBS -lroken"]) + AC_CHECK_LIB([des], [des_cbc_encrypt], + [K5LIBS="$K5LIBS -ldes"]) + ], [ AC_MSG_RESULT([no]) + K5LIBS="-lkrb5 -lk5crypto -lcom_err" + + ]) + AC_SEARCH_LIBS([dn_expand], [resolv]) + + AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context], + [ AC_DEFINE([GSSAPI]) + GSSLIBS="-lgssapi_krb5" ], + [ AC_CHECK_LIB([gssapi], [gss_init_sec_context], + [ AC_DEFINE([GSSAPI]) + GSSLIBS="-lgssapi" ], + [ AC_CHECK_LIB([gss], [gss_init_sec_context], + [ AC_DEFINE([GSSAPI]) + GSSLIBS="-lgss" ], + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail])) + ]) + ]) + + AC_CHECK_HEADER([gssapi.h], , + [ unset ac_cv_header_gssapi_h + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADERS([gssapi.h], , + AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail]) + ) + ] + ) + + oldCPP="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADER([gssapi_krb5.h], , + [ CPPFLAGS="$oldCPP" ]) + + fi + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${KRB5ROOT}/lib" + fi + + AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h]) + AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h]) + AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h]) + + AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1], + [Define this if you want to use libkafs' AFS support])]) + + AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[ +#ifdef HAVE_GSSAPI_H +# include +#elif defined(HAVE_GSSAPI_GSSAPI_H) +# include +#endif + +#ifdef HAVE_GSSAPI_GENERIC_H +# include +#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H) +# include +#endif + ]]) + saved_LIBS="$LIBS" + LIBS="$LIBS $K5LIBS" + AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message]) + LIBS="$saved_LIBS" + + fi + ] +) +AC_SUBST([GSSLIBS]) +AC_SUBST([K5LIBS]) + +# Looking for programs, paths and files + +PRIVSEP_PATH=/var/empty +AC_ARG_WITH([privsep-path], + [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + PRIVSEP_PATH=$withval + fi + ] +) +AC_SUBST([PRIVSEP_PATH]) + +AC_ARG_WITH([xauth], + [ --with-xauth=PATH Specify path to xauth program ], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + xauth_path=$withval + fi + ], + [ + TestPath="$PATH" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin" + AC_PATH_PROG([xauth_path], [xauth], , [$TestPath]) + if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then + xauth_path="/usr/openwin/bin/xauth" + fi + ] +) + +STRIP_OPT=-s +AC_ARG_ENABLE([strip], + [ --disable-strip Disable calling strip(1) on install], + [ + if test "x$enableval" = "xno" ; then + STRIP_OPT= + fi + ] +) +AC_SUBST([STRIP_OPT]) + +if test -z "$xauth_path" ; then + XAUTH_PATH="undefined" + AC_SUBST([XAUTH_PATH]) +else + AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"], + [Define if xauth is found in your path]) + XAUTH_PATH=$xauth_path + AC_SUBST([XAUTH_PATH]) +fi + +dnl # --with-maildir=/path/to/mail gets top priority. +dnl # if maildir is set in the platform case statement above we use that. +dnl # Otherwise we run a program to get the dir from system headers. +dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL +dnl # If we find _PATH_MAILDIR we do nothing because that is what +dnl # session.c expects anyway. Otherwise we set to the value found +dnl # stripping any trailing slash. If for some strage reason our program +dnl # does not find what it needs, we default to /var/spool/mail. +# Check for mail directory +AC_ARG_WITH([maildir], + [ --with-maildir=/path/to/mail Specify your system mail directory], + [ + if test "X$withval" != X && test "x$withval" != xno && \ + test "x${withval}" != xyes; then + AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"], + [Set this to your mail directory if you do not have _PATH_MAILDIR]) + fi + ],[ + if test "X$maildir" != "X"; then + AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"]) + else + AC_MSG_CHECKING([Discovering system mail directory]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#ifdef HAVE_PATHS_H +#include +#endif +#ifdef HAVE_MAILLOCK_H +#include +#endif +#define DATA "conftest.maildir" + ]], [[ + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + +#if defined (_PATH_MAILDIR) + if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0) + exit(1); +#elif defined (MAILDIR) + if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0) + exit(1); +#elif defined (_PATH_MAIL) + if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0) + exit(1); +#else + exit (2); +#endif + + exit(0); + ]])], + [ + maildir_what=`awk -F: '{print $1}' conftest.maildir` + maildir=`awk -F: '{print $2}' conftest.maildir \ + | sed 's|/$||'` + AC_MSG_RESULT([Using: $maildir from $maildir_what]) + if test "x$maildir_what" != "x_PATH_MAILDIR"; then + AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"]) + fi + ], + [ + if test "X$ac_status" = "X2";then +# our test program didn't find it. Default to /var/spool/mail + AC_MSG_RESULT([Using: default value of /var/spool/mail]) + AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"]) + else + AC_MSG_RESULT([*** not found ***]) + fi + ], + [ + AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail]) + ] + ) + fi + ] +) # maildir + +if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then + AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) + disable_ptmx_check=yes +fi +if test -z "$no_dev_ptmx" ; then + if test "x$disable_ptmx_check" != "xyes" ; then + AC_CHECK_FILE(["/dev/ptmx"], + [ + AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1], + [Define if you have /dev/ptmx]) + have_dev_ptmx=1 + ] + ) + fi +fi + +if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then + AC_CHECK_FILE(["/dev/ptc"], + [ + AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1], + [Define if you have /dev/ptc]) + have_dev_ptc=1 + ] + ) +else + AC_MSG_WARN([cross compiling: Disabling /dev/ptc test]) +fi + +# Options from here on. Some of these are preset by platform above +AC_ARG_WITH([mantype], + [ --with-mantype=man|cat|doc Set man page type], + [ + case "$withval" in + man|cat|doc) + MANTYPE=$withval + ;; + *) + AC_MSG_ERROR([invalid man type: $withval]) + ;; + esac + ] +) +if test -z "$MANTYPE"; then + TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb" + AC_PATH_PROGS([NROFF], [nroff awf], [/bin/false], [$TestPath]) + if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=doc + elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=man + else + MANTYPE=cat + fi +fi +AC_SUBST([MANTYPE]) +if test "$MANTYPE" = "doc"; then + mansubdir=man; +else + mansubdir=$MANTYPE; +fi +AC_SUBST([mansubdir]) + +# Check whether to enable MD5 passwords +MD5_MSG="no" +AC_ARG_WITH([md5-passwords], + [ --with-md5-passwords Enable use of MD5 passwords], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE([HAVE_MD5_PASSWORDS], [1], + [Define if you want to allow MD5 passwords]) + MD5_MSG="yes" + fi + ] +) + +# Whether to disable shadow password support +AC_ARG_WITH([shadow], + [ --without-shadow Disable shadow password support], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE([DISABLE_SHADOW]) + disable_shadow=yes + fi + ] +) + +if test -z "$disable_shadow" ; then + AC_MSG_CHECKING([if the systems has expire shadow information]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +struct spwd sp; + ]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])], + [ sp_expire_available=yes ], [ + ]) + + if test "x$sp_expire_available" = "xyes" ; then + AC_MSG_RESULT([yes]) + AC_DEFINE([HAS_SHADOW_EXPIRE], [1], + [Define if you want to use shadow password expire field]) + else + AC_MSG_RESULT([no]) + fi +fi + +# Use ip address instead of hostname in $DISPLAY +if test ! -z "$IPADDR_IN_DISPLAY" ; then + DISPLAY_HACK_MSG="yes" + AC_DEFINE([IPADDR_IN_DISPLAY], [1], + [Define if you need to use IP address + instead of hostname in $DISPLAY]) +else + DISPLAY_HACK_MSG="no" + AC_ARG_WITH([ipaddr-display], + [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE([IPADDR_IN_DISPLAY]) + DISPLAY_HACK_MSG="yes" + fi + ] + ) +fi + +# check for /etc/default/login and use it if present. +AC_ARG_ENABLE([etc-default-login], + [ --disable-etc-default-login Disable using PATH from /etc/default/login [no]], + [ if test "x$enableval" = "xno"; then + AC_MSG_NOTICE([/etc/default/login handling disabled]) + etc_default_login=no + else + etc_default_login=yes + fi ], + [ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; + then + AC_MSG_WARN([cross compiling: not checking /etc/default/login]) + etc_default_login=no + else + etc_default_login=yes + fi ] +) + +if test "x$etc_default_login" != "xno"; then + AC_CHECK_FILE(["/etc/default/login"], + [ external_path_file=/etc/default/login ]) + if test "x$external_path_file" = "x/etc/default/login"; then + AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1], + [Define if your system has /etc/default/login]) + fi +fi + +dnl BSD systems use /etc/login.conf so --with-default-path= has no effect +if test $ac_cv_func_login_getcapbool = "yes" && \ + test $ac_cv_header_login_cap_h = "yes" ; then + external_path_file=/etc/login.conf +fi + +# Whether to mess with the default path +SERVER_PATH_MSG="(default)" +AC_ARG_WITH([default-path], + [ --with-default-path= Specify default \$PATH environment for server], + [ + if test "x$external_path_file" = "x/etc/login.conf" ; then + AC_MSG_WARN([ +--with-default-path=PATH has no effect on this system. +Edit /etc/login.conf instead.]) + elif test "x$withval" != "xno" ; then + if test ! -z "$external_path_file" ; then + AC_MSG_WARN([ +--with-default-path=PATH will only be used if PATH is not defined in +$external_path_file .]) + fi + user_path="$withval" + SERVER_PATH_MSG="$withval" + fi + ], + [ if test "x$external_path_file" = "x/etc/login.conf" ; then + AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf]) + else + if test ! -z "$external_path_file" ; then + AC_MSG_WARN([ +If PATH is defined in $external_path_file, ensure the path to scp is included, +otherwise scp will not work.]) + fi + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +/* find out what STDPATH is */ +#include +#ifdef HAVE_PATHS_H +# include +#endif +#ifndef _PATH_STDPATH +# ifdef _PATH_USERPATH /* Irix */ +# define _PATH_STDPATH _PATH_USERPATH +# else +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# endif +#endif +#include +#include +#include +#define DATA "conftest.stdpath" + ]], [[ + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) + exit(1); + + exit(0); + ]])], + [ user_path=`cat conftest.stdpath` ], + [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ], + [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ] + ) +# make sure $bindir is in USER_PATH so scp will work + t_bindir="${bindir}" + while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do + t_bindir=`eval echo ${t_bindir}` + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;; + esac + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;; + esac + done + echo $user_path | grep ":$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + echo $user_path | grep "^$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + user_path=$user_path:$t_bindir + AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work]) + fi + fi + fi ] +) +if test "x$external_path_file" != "x/etc/login.conf" ; then + AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH]) + AC_SUBST([user_path]) +fi + +# Set superuser path separately to user path +AC_ARG_WITH([superuser-path], + [ --with-superuser-path= Specify different path for super-user], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"], + [Define if you want a different $PATH + for the superuser]) + superuser_path=$withval + fi + ] +) + + +AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses]) +IPV4_IN6_HACK_MSG="no" +AC_ARG_WITH(4in6, + [ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses], + [ + if test "x$withval" != "xno" ; then + AC_MSG_RESULT([yes]) + AC_DEFINE([IPV4_IN_IPV6], [1], + [Detect IPv4 in IPv6 mapped addresses + and treat as IPv4]) + IPV4_IN6_HACK_MSG="yes" + else + AC_MSG_RESULT([no]) + fi + ], [ + if test "x$inet6_default_4in6" = "xyes"; then + AC_MSG_RESULT([yes (default)]) + AC_DEFINE([IPV4_IN_IPV6]) + IPV4_IN6_HACK_MSG="yes" + else + AC_MSG_RESULT([no (default)]) + fi + ] +) + +# Whether to enable BSD auth support +BSD_AUTH_MSG=no +AC_ARG_WITH([bsd-auth], + [ --with-bsd-auth Enable BSD auth support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE([BSD_AUTH], [1], + [Define if you have BSD auth support]) + BSD_AUTH_MSG=yes + fi + ] +) + +# Where to place sshd.pid +piddir=/var/run +# make sure the directory exists +if test ! -d $piddir ; then + piddir=`eval echo ${sysconfdir}` + case $piddir in + NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; + esac +fi + +AC_ARG_WITH([pid-dir], + [ --with-pid-dir=PATH Specify location of ssh.pid file], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + piddir=$withval + if test ! -d $piddir ; then + AC_MSG_WARN([** no $piddir directory on this system **]) + fi + fi + ] +) + +AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"], + [Specify location of ssh.pid]) +AC_SUBST([piddir]) + +dnl allow user to disable some login recording features +AC_ARG_ENABLE([lastlog], + [ --disable-lastlog disable use of lastlog even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE([DISABLE_LASTLOG]) + fi + ] +) +AC_ARG_ENABLE([utmp], + [ --disable-utmp disable use of utmp even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE([DISABLE_UTMP]) + fi + ] +) +AC_ARG_ENABLE([utmpx], + [ --disable-utmpx disable use of utmpx even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE([DISABLE_UTMPX], [1], + [Define if you don't want to use utmpx]) + fi + ] +) +AC_ARG_ENABLE([wtmp], + [ --disable-wtmp disable use of wtmp even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE([DISABLE_WTMP]) + fi + ] +) +AC_ARG_ENABLE([wtmpx], + [ --disable-wtmpx disable use of wtmpx even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE([DISABLE_WTMPX], [1], + [Define if you don't want to use wtmpx]) + fi + ] +) +AC_ARG_ENABLE([libutil], + [ --disable-libutil disable use of libutil (login() etc.) [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE([DISABLE_LOGIN]) + fi + ] +) +AC_ARG_ENABLE([pututline], + [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE([DISABLE_PUTUTLINE], [1], + [Define if you don't want to use pututline() + etc. to write [uw]tmp]) + fi + ] +) +AC_ARG_ENABLE([pututxline], + [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE([DISABLE_PUTUTXLINE], [1], + [Define if you don't want to use pututxline() + etc. to write [uw]tmpx]) + fi + ] +) +AC_ARG_WITH([lastlog], + [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE([DISABLE_LASTLOG]) + elif test -n "$withval" && test "x${withval}" != "xyes"; then + conf_lastlog_location=$withval + fi + ] +) + +dnl lastlog, [uw]tmpx? detection +dnl NOTE: set the paths in the platform section to avoid the +dnl need for command-line parameters +dnl lastlog and [uw]tmp are subject to a file search if all else fails + +dnl lastlog detection +dnl NOTE: the code itself will detect if lastlog is a directory +AC_MSG_CHECKING([if your system defines LASTLOG_FILE]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif +#ifdef HAVE_LOGIN_H +# include +#endif + ]], [[ char *lastlog = LASTLOG_FILE; ]])], + [ AC_MSG_RESULT([yes]) ], + [ + AC_MSG_RESULT([no]) + AC_MSG_CHECKING([if your system defines _PATH_LASTLOG]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ]], [[ char *lastlog = _PATH_LASTLOG; ]])], + [ AC_MSG_RESULT([yes]) ], + [ + AC_MSG_RESULT([no]) + system_lastlog_path=no + ]) +]) + +if test -z "$conf_lastlog_location"; then + if test x"$system_lastlog_path" = x"no" ; then + for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do + if (test -d "$f" || test -f "$f") ; then + conf_lastlog_location=$f + fi + done + if test -z "$conf_lastlog_location"; then + AC_MSG_WARN([** Cannot find lastlog **]) + dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx + fi + fi +fi + +if test -n "$conf_lastlog_location"; then + AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"], + [Define if you want to specify the path to your lastlog file]) +fi + +dnl utmp detection +AC_MSG_CHECKING([if your system defines UTMP_FILE]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ]], [[ char *utmp = UTMP_FILE; ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + system_utmp_path=no +]) +if test -z "$conf_utmp_location"; then + if test x"$system_utmp_path" = x"no" ; then + for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do + if test -f $f ; then + conf_utmp_location=$f + fi + done + if test -z "$conf_utmp_location"; then + AC_DEFINE([DISABLE_UTMP]) + fi + fi +fi +if test -n "$conf_utmp_location"; then + AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"], + [Define if you want to specify the path to your utmp file]) +fi + +dnl wtmp detection +AC_MSG_CHECKING([if your system defines WTMP_FILE]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ]], [[ char *wtmp = WTMP_FILE; ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + system_wtmp_path=no +]) +if test -z "$conf_wtmp_location"; then + if test x"$system_wtmp_path" = x"no" ; then + for f in /usr/adm/wtmp /var/log/wtmp; do + if test -f $f ; then + conf_wtmp_location=$f + fi + done + if test -z "$conf_wtmp_location"; then + AC_DEFINE([DISABLE_WTMP]) + fi + fi +fi +if test -n "$conf_wtmp_location"; then + AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"], + [Define if you want to specify the path to your wtmp file]) +fi + +dnl wtmpx detection +AC_MSG_CHECKING([if your system defines WTMPX_FILE]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ]], [[ char *wtmpx = WTMPX_FILE; ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + system_wtmpx_path=no +]) +if test -z "$conf_wtmpx_location"; then + if test x"$system_wtmpx_path" = x"no" ; then + AC_DEFINE([DISABLE_WTMPX]) + fi +else + AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"], + [Define if you want to specify the path to your wtmpx file]) +fi + + +if test ! -z "$blibpath" ; then + LDFLAGS="$LDFLAGS $blibflags$blibpath" + AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) +fi + +AC_CHECK_MEMBER([struct lastlog.ll_line], [], [ + if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then + AC_DEFINE([DISABLE_LASTLOG]) + fi + ], [ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UTMP_H +#include +#endif +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_LASTLOG_H +#include +#endif + ]) + +AC_CHECK_MEMBER([struct utmp.ut_line], [], [ + AC_DEFINE([DISABLE_UTMP]) + AC_DEFINE([DISABLE_WTMP]) + ], [ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UTMP_H +#include +#endif +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_LASTLOG_H +#include +#endif + ]) + +dnl Adding -Werror to CFLAGS early prevents configure tests from running. +dnl Add now. +CFLAGS="$CFLAGS $werror_flags" + +if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then + TEST_SSH_IPV6=no +else + TEST_SSH_IPV6=yes +fi +AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) +AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) +AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS]) +AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) + +AC_EXEEXT +AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ + openbsd-compat/Makefile openbsd-compat/regress/Makefile \ + survey.sh]) +AC_OUTPUT + +# Print summary of options + +# Someone please show me a better way :) +A=`eval echo ${prefix}` ; A=`eval echo ${A}` +B=`eval echo ${bindir}` ; B=`eval echo ${B}` +C=`eval echo ${sbindir}` ; C=`eval echo ${C}` +D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` +E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` +F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` +G=`eval echo ${piddir}` ; G=`eval echo ${G}` +H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}` +I=`eval echo ${user_path}` ; I=`eval echo ${I}` +J=`eval echo ${superuser_path}` ; J=`eval echo ${J}` + +echo "" +echo "OpenSSH has been configured with the following options:" +echo " User binaries: $B" +echo " System binaries: $C" +echo " Configuration files: $D" +echo " Askpass program: $E" +echo " Manual pages: $F" +echo " PID file: $G" +echo " Privilege separation chroot path: $H" +if test "x$external_path_file" = "x/etc/login.conf" ; then +echo " At runtime, sshd will use the path defined in $external_path_file" +echo " Make sure the path to scp is present, otherwise scp will not work" +else +echo " sshd default user PATH: $I" + if test ! -z "$external_path_file"; then +echo " (If PATH is set in $external_path_file it will be used instead. If" +echo " used, ensure the path to scp is present, otherwise scp will not work.)" + fi +fi +if test ! -z "$superuser_path" ; then +echo " sshd superuser user PATH: $J" +fi +echo " Manpage format: $MANTYPE" +echo " PAM support: $PAM_MSG" +echo " OSF SIA support: $SIA_MSG" +echo " KerberosV support: $KRB5_MSG" +echo " SELinux support: $SELINUX_MSG" +echo " Smartcard support: $SCARD_MSG" +echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" +echo " MD5 password support: $MD5_MSG" +echo " libedit support: $LIBEDIT_MSG" +echo " Solaris process contract support: $SPC_MSG" +echo " Solaris project support: $SP_MSG" +echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" +echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +echo " BSD Auth support: $BSD_AUTH_MSG" +echo " Random number source: $RAND_MSG" +echo " Privsep sandbox style: $SANDBOX_STYLE" + +echo "" + +echo " Host: ${host}" +echo " Compiler: ${CC}" +echo " Compiler flags: ${CFLAGS}" +echo "Preprocessor flags: ${CPPFLAGS}" +echo " Linker flags: ${LDFLAGS}" +echo " Libraries: ${LIBS}" +if test ! -z "${SSHDLIBS}"; then +echo " +for sshd: ${SSHDLIBS}" +fi +if test ! -z "${SSHLIBS}"; then +echo " +for ssh: ${SSHLIBS}" +fi + +echo "" + +if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then + echo "SVR4 style packages are supported with \"make package\"" + echo "" +fi + +if test "x$PAM_MSG" = "xyes" ; then + echo "PAM is enabled. You may need to install a PAM control file " + echo "for sshd, otherwise password authentication may fail. " + echo "Example PAM control files can be found in the contrib/ " + echo "subdirectory" + echo "" +fi + +if test ! -z "$NO_PEERCHECK" ; then + echo "WARNING: the operating system that you are using does not" + echo "appear to support getpeereid(), getpeerucred() or the" + echo "SO_PEERCRED getsockopt() option. These facilities are used to" + echo "enforce security checks to prevent unauthorised connections to" + echo "ssh-agent. Their absence increases the risk that a malicious" + echo "user can connect to your agent." + echo "" +fi + +if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." +fi diff --git a/crypto/openssh/contrib/Makefile b/crypto/openssh/contrib/Makefile new file mode 100644 index 000000000..c6c48e78a --- /dev/null +++ b/crypto/openssh/contrib/Makefile @@ -0,0 +1,17 @@ +PKG_CONFIG = pkg-config + +all: + @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2" + +gnome-ssh-askpass1: gnome-ssh-askpass1.c + $(CC) `gnome-config --cflags gnome gnomeui` \ + gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \ + `gnome-config --libs gnome gnomeui` + +gnome-ssh-askpass2: gnome-ssh-askpass2.c + $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \ + gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ + `$(PKG_CONFIG) --libs gtk+-2.0 x11` + +clean: + rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass diff --git a/crypto/openssh/contrib/README b/crypto/openssh/contrib/README new file mode 100644 index 000000000..c00223865 --- /dev/null +++ b/crypto/openssh/contrib/README @@ -0,0 +1,70 @@ +Other patches and addons for OpenSSH. Please send submissions to +djm@mindrot.org + +Externally maintained +--------------------- + +SSH Proxy Command -- connect.c + +Shun-ichi GOTO has written a very useful ProxyCommand +which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or +https CONNECT style proxy server. His page for connect.c has extensive +documentation on its use as well as compiled versions for Win32. + +http://www.taiyo.co.jp/~gotoh/ssh/connect.html + + +X11 SSH Askpass: + +Jim Knoble has written an excellent X11 +passphrase requester. This is highly recommended: + +http://www.jmknoble.net/software/x11-ssh-askpass/ + + +In this directory +----------------- + +ssh-copy-id: + +Phil Hands' shell script to automate the process of adding +your public key to a remote machine's ~/.ssh/authorized_keys file. + +gnome-ssh-askpass[12]: + +A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or +"make gnome-ssh-askpass2" to build. + +sshd.pam.generic: + +A generic PAM config file which may be useful on your system. YMMV + +sshd.pam.freebsd: + +A PAM config file which works with FreeBSD's PAM port. Contributed by +Dominik Brettnacher + +findssl.sh: + +Search for all instances of OpenSSL headers and libraries and print their +versions. This is intended to help diagnose OpenSSH's "OpenSSL headers do not +match your library" errors. + +aix: + Files to build an AIX native (installp or SMIT installable) package. + +caldera: + RPM spec file and scripts for building Caldera OpenLinuix packages + +cygwin: + Support files for Cygwin + +hpux: + Support files for HP-UX + +redhat: + RPM spec file and scripts for building Redhat packages + +suse: + RPM spec file and scripts for building SuSE packages + diff --git a/crypto/openssh/contrib/aix/README b/crypto/openssh/contrib/aix/README new file mode 100644 index 000000000..2a299350a --- /dev/null +++ b/crypto/openssh/contrib/aix/README @@ -0,0 +1,50 @@ +Overview: + +This directory contains files to build an AIX native (installp or SMIT +installable) openssh package. + + +Directions: + +(optional) create config.local in your build dir +./configure [options] +contrib/aix/buildbff.sh + +The file config.local or the environment is read to set the following options +(default first): +PERMIT_ROOT_LOGIN=[no|yes] +X11_FORWARDING=[no|yes] +AIX_SRC=[no|yes] + +Acknowledgements: + +The contents of this directory are based on Ben Lindstrom's Solaris +buildpkg.sh. Ben also supplied inventory.sh. + +Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's +and for comparison with the output from this script, however no code +from lppbuild is included and it is not required for operation. + +SRC support based on examples provided by Sandor Sklar and Maarten Kreuger. +PrivSep account handling fixes contributed by W. Earl Allen. + + +Other notes: + +The script treats all packages as USR packages (not ROOT+USR when +appropriate). It seems to work, though...... + +If there are any patches to this that have not yet been integrated they +may be found at http://www.zip.com.au/~dtucker/openssh/. + + +Disclaimer: + +It is hoped that it is useful but there is no warranty. If it breaks +you get to keep both pieces. + + + - Darren Tucker (dtucker at zip dot com dot au) + 2002/03/01 + +$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $ diff --git a/crypto/openssh/contrib/aix/buildbff.sh b/crypto/openssh/contrib/aix/buildbff.sh new file mode 100755 index 000000000..81d8cc301 --- /dev/null +++ b/crypto/openssh/contrib/aix/buildbff.sh @@ -0,0 +1,381 @@ +#!/bin/sh +# +# buildbff.sh: Create AIX SMIT-installable OpenSSH packages +# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $ +# +# Author: Darren Tucker (dtucker at zip dot com dot au) +# This file is placed in the public domain and comes with absolutely +# no warranty. +# +# Based originally on Ben Lindstrom's buildpkg.sh for Solaris +# + +# +# Tunable configuration settings +# create a "config.local" in your build directory or set +# environment variables to override these. +# +[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no +[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no +[ -z "$AIX_SRC" ] && AIX_SRC=no + +umask 022 + +startdir=`pwd` + +perl -v >/dev/null || (echo perl required; exit 1) + +# Path to inventory.sh: same place as buildbff.sh +if echo $0 | egrep '^/' +then + inventory=`dirname $0`/inventory.sh # absolute path +else + inventory=`pwd`/`dirname $0`/inventory.sh # relative path +fi + +# +# We still support running from contrib/aix, but this is deprecated +# +if pwd | egrep 'contrib/aix$' +then + echo "Changing directory to `pwd`/../.." + echo "Please run buildbff.sh from your build directory in future." + cd ../.. + contribaix=1 +fi + +if [ ! -f Makefile ] +then + echo "Makefile not found (did you run configure?)" + exit 1 +fi + +# +# Directories used during build: +# current dir = $objdir directory you ran ./configure in. +# $objdir/$PKGDIR/ directory package files are constructed in +# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT) +# +objdir=`pwd` +PKGNAME=openssh +PKGDIR=package + +# +# Collect local configuration settings to override defaults +# +if [ -s ./config.local ] +then + echo Reading local settings from config.local + . ./config.local +fi + +# +# Fill in some details from Makefile, like prefix and sysconfdir +# the eval also expands variables like sysconfdir=${prefix}/etc +# provided they are eval'ed in the correct order +# +for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir +do + eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2` +done + +# +# Collect values of privsep user and privsep path +# currently only found in config.h +# +for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH +do + eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h` +done + +# Set privsep defaults if not defined +if [ -z "$SSH_PRIVSEP_USER" ] +then + SSH_PRIVSEP_USER=sshd +fi +if [ -z "$PRIVSEP_PATH" ] +then + PRIVSEP_PATH=/var/empty +fi + +# Clean package build directory +rm -rf $objdir/$PKGDIR +FAKE_ROOT=$objdir/$PKGDIR/root +mkdir -p $FAKE_ROOT + +# Start by faking root install +echo "Faking root install..." +cd $objdir +make install-nokeys DESTDIR=$FAKE_ROOT + +if [ $? -gt 0 ] +then + echo "Fake root install failed, stopping." + exit 1 +fi + +# +# Copy informational files to include in package +# +cp $srcdir/LICENCE $objdir/$PKGDIR/ +cp $srcdir/README* $objdir/$PKGDIR/ + +# +# Extract common info requires for the 'info' part of the package. +# AIX requires 4-part version numbers +# +VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _` +MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .` +MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .` +PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .` +PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'` +[ "$PATCH" = "" ] && PATCH=0 +[ "$PORTABLE" = "" ] && PORTABLE=0 +BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE` + +echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)" + +# +# Set ssh and sshd parameters as per config.local +# +if [ "${PERMIT_ROOT_LOGIN}" = no ] +then + perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config +fi +if [ "${X11_FORWARDING}" = yes ] +then + perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config +fi + + +# Rename config files; postinstall script will copy them if necessary +for cfgfile in ssh_config sshd_config +do + mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default +done + +# +# Generate lpp control files. +# working dir is $FAKE_ROOT but files are generated in dir above +# and moved into place just before creation of .bff +# +cd $FAKE_ROOT +echo Generating LPP control files +find . ! -name . -print >../openssh.al +$inventory >../openssh.inventory + +cat <../openssh.copyright +This software is distributed under a BSD-style license. +For the full text of the license, see /usr/lpp/openssh/LICENCE +EOD + +# +# openssh.size file allows filesystem expansion as required +# generate list of directories containing files +# then calculate disk usage for each directory and store in openssh.size +# +files=`find . -type f -print` +dirs=`for file in $files; do dirname $file; done | sort -u` +for dir in $dirs +do + du $dir +done > ../openssh.size + +# +# Create postinstall script +# +cat <>../openssh.post_i +#!/bin/sh + +echo Creating configs from defaults if necessary. +for cfgfile in ssh_config sshd_config +do + if [ ! -f $sysconfdir/\$cfgfile ] + then + echo "Creating \$cfgfile from default" + cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile + else + echo "\$cfgfile already exists." + fi +done +echo + +# Create PrivilegeSeparation user and group if not present +echo Checking for PrivilegeSeparation user and group. +if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null +then + echo "PrivSep group $SSH_PRIVSEP_USER already exists." +else + echo "Creating PrivSep group $SSH_PRIVSEP_USER." + mkgroup -A $SSH_PRIVSEP_USER +fi + +# Create user if required +if lsuser "$SSH_PRIVSEP_USER" >/dev/null +then + echo "PrivSep user $SSH_PRIVSEP_USER already exists." +else + echo "Creating PrivSep user $SSH_PRIVSEP_USER." + mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER +fi + +if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null +then + echo UsePrivilegeSeparation not enabled, privsep directory not required. +else + # create chroot directory if required + if [ -d $PRIVSEP_PATH ] + then + echo "PrivSep chroot directory $PRIVSEP_PATH already exists." + else + echo "Creating PrivSep chroot directory $PRIVSEP_PATH." + mkdir $PRIVSEP_PATH + chown 0 $PRIVSEP_PATH + chgrp 0 $PRIVSEP_PATH + chmod 755 $PRIVSEP_PATH + fi +fi +echo + +# Generate keys unless they already exist +echo Creating host keys if required. +if [ -f "$sysconfdir/ssh_host_key" ] ; then + echo "$sysconfdir/ssh_host_key already exists, skipping." +else + $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N "" +fi +if [ -f $sysconfdir/ssh_host_dsa_key ] ; then + echo "$sysconfdir/ssh_host_dsa_key already exists, skipping." +else + $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N "" +fi +if [ -f $sysconfdir/ssh_host_rsa_key ] ; then + echo "$sysconfdir/ssh_host_rsa_key already exists, skipping." +else + $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N "" +fi +echo + +# Set startup command depending on SRC support +if [ "$AIX_SRC" = "yes" ] +then + echo Creating SRC sshd subsystem. + rmssys -s sshd 2>&1 >/dev/null + mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip + startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\"" + oldstartcmd="$sbindir/sshd" +else + startupcmd="$sbindir/sshd" + oldstartcmd="start $sbindir/sshd \\\"$src_running\\\"" +fi + +# If migrating to or from SRC, change previous startup command +# otherwise add to rc.tcpip +if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null +then + if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new + then + chmod 0755 /etc/rc.tcpip.new + mv /etc/rc.tcpip /etc/rc.tcpip.old && \ + mv /etc/rc.tcpip.new /etc/rc.tcpip + else + echo "Updating /etc/rc.tcpip failed, please check." + fi +else + # Add to system startup if required + if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null + then + echo "sshd found in rc.tcpip, not adding." + else + echo "Adding sshd to rc.tcpip" + echo >>/etc/rc.tcpip + echo "# Start sshd" >>/etc/rc.tcpip + echo "\$startupcmd" >>/etc/rc.tcpip + fi +fi +EOF + +# +# Create liblpp.a and move control files into it +# +echo Creating liblpp.a +( + cd .. + for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README* + do + ar -r liblpp.a $i + rm $i + done +) + +# +# Create lpp_name +# +# This will end up looking something like: +# 4 R I OpenSSH { +# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX +# [ +# % +# /usr/local/bin 8073 +# /usr/local/etc 189 +# /usr/local/libexec 185 +# /usr/local/man/man1 145 +# /usr/local/man/man8 83 +# /usr/local/sbin 2105 +# /usr/local/share 3 +# % +# ] +# } + +echo Creating lpp_name +cat <../lpp_name +4 R I $PKGNAME { +$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX +[ +% +EOF + +for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh +do + # get size in 512 byte blocks + if [ -d $FAKE_ROOT/$i ] + then + size=`du $FAKE_ROOT/$i | awk '{print $1}'` + echo "$i $size" >>../lpp_name + fi +done + +echo '%' >>../lpp_name +echo ']' >>../lpp_name +echo '}' >>../lpp_name + +# +# Move pieces into place +# +mkdir -p usr/lpp/openssh +mv ../liblpp.a usr/lpp/openssh +mv ../lpp_name . + +# +# Now invoke backup to create .bff file +# note: lpp_name needs to be the first file so we generate the +# file list on the fly and feed it to backup using -i +# +echo Creating $PKGNAME-$VERSION.bff with backup... +rm -f $PKGNAME-$VERSION.bff +( + echo "./lpp_name" + find . ! -name lpp_name -a ! -name . -print +) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist + +# +# Move package into final location and clean up +# +mv ../$PKGNAME-$VERSION.bff $startdir +cd $startdir +rm -rf $objdir/$PKGDIR + +echo $0: done. + diff --git a/crypto/openssh/contrib/aix/inventory.sh b/crypto/openssh/contrib/aix/inventory.sh new file mode 100755 index 000000000..e2641e79c --- /dev/null +++ b/crypto/openssh/contrib/aix/inventory.sh @@ -0,0 +1,63 @@ +#!/bin/sh +# +# inventory.sh +# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $ +# +# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl +# This file is placed into the public domain. +# +# This will produce an AIX package inventory file, which looks like: +# +# /usr/local/bin: +# class=apply,inventory,openssh +# owner=root +# group=system +# mode=755 +# type=DIRECTORY +# /usr/local/bin/slogin: +# class=apply,inventory,openssh +# owner=root +# group=system +# mode=777 +# type=SYMLINK +# target=ssh +# /usr/local/share/Ssh.bin: +# class=apply,inventory,openssh +# owner=root +# group=system +# mode=644 +# type=FILE +# size=VOLATILE +# checksum=VOLATILE + +find . ! -name . -print | perl -ne '{ + chomp; + if ( -l $_ ) { + ($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat; + } else { + ($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat; + } + + # Start to display inventory information + $name = $_; + $name =~ s|^.||; # Strip leading dot from path + print "$name:\n"; + print "\tclass=apply,inventory,openssh\n"; + print "\towner=root\n"; + print "\tgroup=system\n"; + printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits + + if ( -l $_ ) { + # Entry is SymLink + print "\ttype=SYMLINK\n"; + printf "\ttarget=%s\n", readlink($_); + } elsif ( -f $_ ) { + # Entry is File + print "\ttype=FILE\n"; + print "\tsize=$sz\n"; + print "\tchecksum=VOLATILE\n"; + } elsif ( -d $_ ) { + # Entry is Directory + print "\ttype=DIRECTORY\n"; + } +}' diff --git a/crypto/openssh/contrib/aix/pam.conf b/crypto/openssh/contrib/aix/pam.conf new file mode 100644 index 000000000..f1528b005 --- /dev/null +++ b/crypto/openssh/contrib/aix/pam.conf @@ -0,0 +1,20 @@ +# +# PAM configuration file /etc/pam.conf +# Example for OpenSSH on AIX 5.2 +# + +# Authentication Management +sshd auth required /usr/lib/security/pam_aix +OTHER auth required /usr/lib/security/pam_aix + +# Account Management +sshd account required /usr/lib/security/pam_aix +OTHER account required /usr/lib/security/pam_aix + +# Password Management +sshd password required /usr/lib/security/pam_aix +OTHER password required /usr/lib/security/pam_aix + +# Session Management +sshd session required /usr/lib/security/pam_aix +OTHER session required /usr/lib/security/pam_aix diff --git a/crypto/openssh/contrib/caldera/openssh.spec b/crypto/openssh/contrib/caldera/openssh.spec new file mode 100644 index 000000000..0061fe933 --- /dev/null +++ b/crypto/openssh/contrib/caldera/openssh.spec @@ -0,0 +1,366 @@ + +# Some of this will need re-evaluation post-LSB. The SVIdir is there +# because the link appeared broken. The rest is for easy compilation, +# the tradeoff open to discussion. (LC957) + +%define SVIdir /etc/rc.d/init.d +%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages} +%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons} + +%define _mandir %{_prefix}/share/man/en +%define _sysconfdir /etc/ssh +%define _libexecdir %{_libdir}/ssh + +# Do we want to disable root_login? (1=yes 0=no) +%define no_root_login 0 + +#old cvs stuff. please update before use. may be deprecated. +%define use_stable 1 +%define version 6.6p1 +%if %{use_stable} + %define cvs %{nil} + %define release 1 +%else + %define cvs cvs20050315 + %define release 0r1 +%endif +%define xsa x11-ssh-askpass +%define askpass %{xsa}-1.2.4.1 + +# OpenSSH privilege separation requires a user & group ID +%define sshd_uid 67 +%define sshd_gid 67 + +Name : openssh +Version : %{version}%{cvs} +Release : %{release} +Group : System/Network + +Summary : OpenSSH free Secure Shell (SSH) implementation. +Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH). +Summary(es) : OpenSSH implementación libre de Secure Shell (SSH). +Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH). +Summary(it) : Implementazione gratuita OpenSSH della Secure Shell. +Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH). +Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH). + +Copyright : BSD +Packager : Raymund Will +URL : http://www.openssh.com/ + +Obsoletes : ssh, ssh-clients, openssh-clients + +BuildRoot : /tmp/%{name}-%{version} +BuildRequires : XFree86-imake + +# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable +# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs +Source0: see-above:/.../openssh-%{version}.tar.gz +%if %{use_stable} +Source1: see-above:/.../openssh-%{version}.tar.gz.asc +%endif +Source2: http://www.jmknoble.net/software/%{xsa}/%{askpass}.tar.gz +Source3: http://www.openssh.com/faq.html + +%Package server +Group : System/Network +Requires : openssh = %{version} +Obsoletes : ssh-server + +Summary : OpenSSH Secure Shell protocol server (sshd). +Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd). +Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd). +Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd). +Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd). +Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd). +Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd). + + +%Package askpass +Group : System/Network +Requires : openssh = %{version} +URL : http://www.jmknoble.net/software/x11-ssh-askpass/ +Obsoletes : ssh-extras + +Summary : OpenSSH X11 pass-phrase dialog. +Summary(de) : OpenSSH X11 Passwort-Dialog. +Summary(es) : Aplicación de petición de frase clave OpenSSH X11. +Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH. +Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH. +Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH. +Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH. + + +%Description +OpenSSH (Secure Shell) provides access to a remote system. It replaces +telnet, rlogin, rexec, and rsh, and provides secure encrypted +communications between two untrusted hosts over an insecure network. +X11 connections and arbitrary TCP/IP ports can also be forwarded over +the secure channel. + +%Description -l de +OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt +telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte +Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres +Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso +über den sicheren Channel weitergeleitet werden. + +%Description -l es +OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a +telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas +entre dos equipos entre los que no se ha establecido confianza a través de una +red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden +ser canalizadas sobre el canal seguro. + +%Description -l fr +OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace +telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées +securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des +connexions X11 et des ports TCP/IP arbitraires peuvent également être +transmis sur le canal sécurisé. + +%Description -l it +OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto. +Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure +e crittate tra due host non fidati su una rete non sicura. Le connessioni +X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso +un canale sicuro. + +%Description -l pt +OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o +telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas +entre duas máquinas sem confiança mútua sobre uma rede insegura. +Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados +pelo canal seguro. + +%Description -l pt_BR +O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o +telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas +entre duas máquinas sem confiança mútua sobre uma rede insegura. +Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas +pelo canal seguro. + +%Description server +This package installs the sshd, the server portion of OpenSSH. + +%Description -l de server +Dieses Paket installiert den sshd, den Server-Teil der OpenSSH. + +%Description -l es server +Este paquete instala sshd, la parte servidor de OpenSSH. + +%Description -l fr server +Ce paquetage installe le 'sshd', partie serveur de OpenSSH. + +%Description -l it server +Questo pacchetto installa sshd, il server di OpenSSH. + +%Description -l pt server +Este pacote intala o sshd, o servidor do OpenSSH. + +%Description -l pt_BR server +Este pacote intala o sshd, o servidor do OpenSSH. + +%Description askpass +This package contains an X11-based pass-phrase dialog used per +default by ssh-add(1). It is based on %{askpass} +by Jim Knoble . + + +%Prep +%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2 +%if ! %{use_stable} + autoreconf +%endif + + +%Build +CFLAGS="$RPM_OPT_FLAGS" \ +%configure \ + --with-pam \ + --with-tcp-wrappers \ + --with-privsep-path=%{_var}/empty/sshd \ + #leave this line for easy edits. + +%__make + +cd %{askpass} +%configure \ + #leave this line for easy edits. + +xmkmf +%__make includes +%__make + + +%Install +[ %{buildroot} != "/" ] && rm -rf %{buildroot} + +make install DESTDIR=%{buildroot} +%makeinstall -C %{askpass} \ + BINDIR=%{_libexecdir} \ + MANPATH=%{_mandir} \ + DESTDIR=%{buildroot} + +# OpenLinux specific configuration +mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}} +mkdir -p %{buildroot}%{_var}/empty/sshd + +# enabling X11 forwarding on the server is convenient and okay, +# on the client side it's a potential security risk! +%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \ + %{buildroot}%{_sysconfdir}/sshd_config + +%if %{no_root_login} +%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \ + %{buildroot}%{_sysconfdir}/sshd_config +%endif + +install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd +# FIXME: disabled, find out why this doesn't work with nis +%__perl -pi -e 's:(.*pam_limits.*):#$1:' \ + %{buildroot}/etc/pam.d/sshd + +install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd + +# the last one is needless, but more future-proof +find %{buildroot}%{SVIdir} -type f -exec \ + %__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\ + s:\@sysconfdir\@:%{_sysconfdir}:g; \ + s:/usr/sbin:%{_sbindir}:g'\ + \{\} \; + +cat <<-EoD > %{buildroot}%{SVIcdir}/sshd + IDENT=sshd + DESCRIPTIVE="OpenSSH secure shell daemon" + # This service will be marked as 'skipped' on boot if there + # is no host key. Use ssh-host-keygen to generate one + ONBOOT="yes" + OPTIONS="" +EoD + +SKG=%{buildroot}%{_sbindir}/ssh-host-keygen +install -m 0755 contrib/caldera/ssh-host-keygen $SKG +# Fix up some path names in the keygen toy^Hol + %__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \ + s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \ + %{buildroot}%{_sbindir}/ssh-host-keygen + +# This looks terrible. Expect it to change. +# install remaining docs +DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}" +mkdir -p $DocD/%{askpass} +cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO PROTOCOL* $DocD +install -p -m 0444 %{SOURCE3} $DocD/faq.html +cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass} +%if %{use_stable} + cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1 +%else + cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1 + ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1 +%endif + +find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf +rm %{buildroot}%{_mandir}/man1/slogin.1 && \ + ln -s %{_mandir}/man1/ssh.1.gz \ + %{buildroot}%{_mandir}/man1/slogin.1.gz + + +%Clean +#%{rmDESTDIR} +[ %{buildroot} != "/" ] && rm -rf %{buildroot} + +%Post +# Generate host key when none is present to get up and running, +# both client and server require this for host-based auth! +# ssh-host-keygen checks for existing keys. +/usr/sbin/ssh-host-keygen +: # to protect the rpm database + +%pre server +%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || : +%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \ + -c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || : +: # to protect the rpm database + +%Post server +if [ -x %{LSBinit}-install ]; then + %{LSBinit}-install sshd +else + lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6 +fi + +! %{SVIdir}/sshd status || %{SVIdir}/sshd restart +: # to protect the rpm database + + +%PreUn server +[ "$1" = 0 ] || exit 0 +! %{SVIdir}/sshd status || %{SVIdir}/sshd stop +if [ -x %{LSBinit}-remove ]; then + %{LSBinit}-remove sshd +else + lisa --SysV-init remove sshd $1 +fi +: # to protect the rpm database + +%Files +%defattr(-,root,root) +%dir %{_sysconfdir} +%config %{_sysconfdir}/ssh_config +%{_bindir}/scp +%{_bindir}/sftp +%{_bindir}/ssh +%{_bindir}/slogin +%{_bindir}/ssh-add +%attr(2755,root,nobody) %{_bindir}/ssh-agent +%{_bindir}/ssh-keygen +%{_bindir}/ssh-keyscan +%dir %{_libexecdir} +%attr(4711,root,root) %{_libexecdir}/ssh-keysign +%{_libexecdir}/ssh-pkcs11-helper +%{_sbindir}/ssh-host-keygen +%dir %{_defaultdocdir}/%{name}-%{version} +%{_defaultdocdir}/%{name}-%{version}/CREDITS +%{_defaultdocdir}/%{name}-%{version}/ChangeLog +%{_defaultdocdir}/%{name}-%{version}/LICENCE +%{_defaultdocdir}/%{name}-%{version}/OVERVIEW +%{_defaultdocdir}/%{name}-%{version}/README* +%{_defaultdocdir}/%{name}-%{version}/TODO +%{_defaultdocdir}/%{name}-%{version}/faq.html +%{_mandir}/man1/* +%{_mandir}/man8/ssh-keysign.8.gz +%{_mandir}/man8/ssh-pkcs11-helper.8.gz +%{_mandir}/man5/ssh_config.5.gz + +%Files server +%defattr(-,root,root) +%dir %{_var}/empty/sshd +%config %{SVIdir}/sshd +%config /etc/pam.d/sshd +%config %{_sysconfdir}/moduli +%config %{_sysconfdir}/sshd_config +%config %{SVIcdir}/sshd +%{_libexecdir}/sftp-server +%{_sbindir}/sshd +%{_mandir}/man5/moduli.5.gz +%{_mandir}/man5/sshd_config.5.gz +%{_mandir}/man8/sftp-server.8.gz +%{_mandir}/man8/sshd.8.gz + +%Files askpass +%defattr(-,root,root) +%{_libexecdir}/ssh-askpass +%{_libexecdir}/x11-ssh-askpass +%{_defaultdocdir}/%{name}-%{version}/%{askpass} + + +%ChangeLog +* Tue Jan 18 2011 Tim Rice +- Use CFLAGS from Makefile instead of RPM so build completes. +- Signatures were changed to .asc since 4.1p1. + +* Mon Jan 01 1998 ... +Template Version: 1.31 + +$Id: openssh.spec,v 1.83 2014/02/27 23:03:55 djm Exp $ diff --git a/crypto/openssh/contrib/caldera/ssh-host-keygen b/crypto/openssh/contrib/caldera/ssh-host-keygen new file mode 100755 index 000000000..86382ddfb --- /dev/null +++ b/crypto/openssh/contrib/caldera/ssh-host-keygen @@ -0,0 +1,36 @@ +#! /bin/sh +# +# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $ +# +# This script is normally run only *once* for a given host +# (in a given period of time) -- on updates/upgrades/recovery +# the ssh_host_key* files _should_ be retained! Otherwise false +# "man-in-the-middle-attack" alerts will frighten unsuspecting +# clients... + +keydir=@sysconfdir@ +keygen=@sshkeygen@ + +if [ -f $keydir/ssh_host_key -o \ + -f $keydir/ssh_host_key.pub ]; then + echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key." +else + echo "Generating SSH1 RSA host key." + $keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N '' +fi + +if [ -f $keydir/ssh_host_rsa_key -o \ + -f $keydir/ssh_host_rsa_key.pub ]; then + echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key." +else + echo "Generating SSH2 RSA host key." + $keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N '' +fi + +if [ -f $keydir/ssh_host_dsa_key -o \ + -f $keydir/ssh_host_dsa_key.pub ]; then + echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key." +else + echo "Generating SSH2 DSA host key." + $keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N '' +fi diff --git a/crypto/openssh/contrib/caldera/sshd.init b/crypto/openssh/contrib/caldera/sshd.init new file mode 100755 index 000000000..983146f4f --- /dev/null +++ b/crypto/openssh/contrib/caldera/sshd.init @@ -0,0 +1,125 @@ +#! /bin/bash +# +# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $ +# +### BEGIN INIT INFO +# Provides: +# Required-Start: $network +# Required-Stop: +# Default-Start: 3 4 5 +# Default-Stop: 0 1 2 6 +# Description: sshd +# Bring up/down the OpenSSH secure shell daemon. +### END INIT INFO +# +# Written by Miquel van Smoorenburg . +# Modified for Debian GNU/Linux by Ian Murdock . +# Modified for OpenLinux by Raymund Will + +NAME=sshd +DAEMON=/usr/sbin/$NAME +# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem +# created by recent OpenSSH daemon/ssd combinations. See Caldera internal +# PR [linux/8278] for details... +PIDF=/var/run/$NAME.pid +NAME=$DAEMON + +_status() { + [ -z "$1" ] || local pidf="$1" + local ret=-1 + local pid + if [ -n "$pidf" ] && [ -r "$pidf" ]; then + pid=$(head -1 $pidf) + else + pid=$(pidof $NAME) + fi + + if [ ! -e $SVIlock ]; then + # no lock-file => not started == stopped? + ret=3 + elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then + # pid-file given but not present or no pid => died, but was not stopped + ret=2 + elif [ -r /proc/$pid/cmdline ] && + echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then + # pid-file given and present or pid found => check process... + # but don't compare exe, as this will fail after an update! + # compares OK => all's well, that ends well... + ret=0 + else + # no such process or exe does not match => stale pid-file or process died + # just recently... + ret=1 + fi + return $ret +} + +# Source function library (and set vital variables). +. @SVIdir@/functions + +case "$1" in + start) + [ ! -e $SVIlock ] || exit 0 + [ -x $DAEMON ] || exit 5 + SVIemptyConfig @sysconfdir@/sshd_config && exit 6 + + if [ ! \( -f @sysconfdir@/ssh_host_key -a \ + -f @sysconfdir@/ssh_host_key.pub \) -a \ + ! \( -f @sysconfdir@/ssh_host_rsa_key -a \ + -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \ + ! \( -f @sysconfdir@/ssh_host_dsa_key -a \ + -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then + + echo "$SVIsubsys: host key not initialized: skipped!" + echo "$SVIsubsys: use ssh-host-keygen to generate one!" + exit 6 + fi + + echo -n "Starting $SVIsubsys services: " + ssd -S -x $DAEMON -n $NAME -- $OPTIONS + ret=$? + + echo "." + touch $SVIlock + ;; + + stop) + [ -e $SVIlock ] || exit 0 + + echo -n "Stopping $SVIsubsys services: " + ssd -K -p $PIDF -n $NAME + ret=$? + + echo "." + rm -f $SVIlock + ;; + + force-reload|reload) + [ -e $SVIlock ] || exit 0 + + echo "Reloading $SVIsubsys configuration files: " + ssd -K --signal 1 -q -p $PIDF -n $NAME + ret=$? + echo "done." + ;; + + restart) + $0 stop + $0 start + ret=$? + ;; + + status) + _status $PIDF + ret=$? + ;; + + *) + echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}" + ret=2 + ;; + +esac + +exit $ret + diff --git a/crypto/openssh/contrib/caldera/sshd.pam b/crypto/openssh/contrib/caldera/sshd.pam new file mode 100644 index 000000000..f050a9aee --- /dev/null +++ b/crypto/openssh/contrib/caldera/sshd.pam @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_pwdb.so shadow nodelay +account required /lib/security/pam_nologin.so +account required /lib/security/pam_pwdb.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_pwdb.so shadow nullok use_authtok +session required /lib/security/pam_pwdb.so +session required /lib/security/pam_limits.so diff --git a/crypto/openssh/contrib/cygwin/Makefile b/crypto/openssh/contrib/cygwin/Makefile new file mode 100644 index 000000000..a0261f48d --- /dev/null +++ b/crypto/openssh/contrib/cygwin/Makefile @@ -0,0 +1,77 @@ +srcdir=../.. +copyidsrcdir=.. +prefix=/usr +exec_prefix=$(prefix) +bindir=$(prefix)/bin +datadir=$(prefix)/share +mandir=$(datadir)/man +docdir=$(datadir)/doc +sshdocdir=$(docdir)/openssh +cygdocdir=$(docdir)/Cygwin +sysconfdir=/etc +defaultsdir=$(sysconfdir)/defaults/etc +inetdefdir=$(defaultsdir)/inetd.d +PRIVSEP_PATH=/var/empty +INSTALL=/usr/bin/install -c + +DESTDIR= + +all: + @echo + @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'" + @echo "Be sure having DESTDIR set correctly!" + @echo + +move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config + $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir) + +remove-empty-dir: + rm -rf $(DESTDIR)$(PRIVSEP_PATH) + +install-inetd-config: + $(srcdir)/mkinstalldirs $(DESTDIR)$(inetdefdir) + $(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd + +install-sshdoc: + $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir) + -$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS + -$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog + -$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE + -$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW + -$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL + -$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent + -$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys + -$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux + -$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README + -$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns + -$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform + -$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep + -$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun + -$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO + +install-cygwindoc: README + $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir) + $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README + +install-doc: install-sshdoc install-cygwindoc + +install-scripts: ssh-host-config ssh-user-config + $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) + $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config + $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config + +install-copy-id: $(copyidsrcdir)/ssh-copy-id $(copyidsrcdir)/ssh-copy-id.1 + $(INSTALL) -m 755 $(copyidsrcdir)/ssh-copy-id $(DESTDIR)$(bindir)/ssh-copy-id + $(INSTALL) -m 644 $(copyidsrcdir)/ssh-copy-id.1 $(DESTDIR)$(mandir)/man1/ssh-copy-id.1 + +gzip-man-pages: + rm $(DESTDIR)$(mandir)/man1/slogin.1 + gzip $(DESTDIR)$(mandir)/man1/*.1 + gzip $(DESTDIR)$(mandir)/man5/*.5 + gzip $(DESTDIR)$(mandir)/man8/*.8 + cd $(DESTDIR)$(mandir)/man1 && ln -s ssh.1.gz slogin.1.gz + +cygwin-postinstall: move-config-files remove-empty-dir install-inetd-config install-doc install-scripts install-copy-id gzip-man-pages + @echo "Cygwin specific configuration finished." diff --git a/crypto/openssh/contrib/cygwin/README b/crypto/openssh/contrib/cygwin/README new file mode 100644 index 000000000..2562b6186 --- /dev/null +++ b/crypto/openssh/contrib/cygwin/README @@ -0,0 +1,91 @@ +This package describes important Cygwin specific stuff concerning OpenSSH. + +The binary package is usually built for recent Cygwin versions and might +not run on older versions. Please check http://cygwin.com/ for information +about current Cygwin releases. + +================== +Host configuration +================== + +If you are installing OpenSSH the first time, you can generate global config +files and server keys, as well as installing sshd as a service, by running + + /usr/bin/ssh-host-config + +Note that this binary archive doesn't contain default config files in /etc. +That files are only created if ssh-host-config is started. + +To support testing and unattended installation ssh-host-config got +some options: + +usage: ssh-host-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + --cygwin -c Use "options" as value for CYGWIN environment var. + --port -p sshd listens on port n. + --user -u privileged user for service, default 'cyg_server'. + --pwd -w Use "pwd" as password for privileged user. + --privileged On Windows XP, require privileged user + instead of LocalSystem for sshd service. + +Installing sshd as daemon via ssh-host-config is recommended. + +Alternatively you can start sshd via inetd, if you have the inetutils +package installed. Just run ssh-host-config, but answer "no" when asked +to install sshd as service. The ssh-host-config script also adds the +required lines to /etc/inetd.conf and /etc/services. + +================== +User configuration +================== + +Any user can simplify creating the own private and public keys by running + + /usr/bin/ssh-user-config + +To support testing and unattended installation ssh-user-config got +some options as well: + +usage: ssh-user-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + --passphrase -p word Use "word" as passphrase automatically. + +Please note that OpenSSH does never use the value of $HOME to +search for the users configuration files! It always uses the +value of the pw_dir field in /etc/passwd as the home directory. +If no home diretory is set in /etc/passwd, the root directory +is used instead! + +================ +Building OpenSSH +================ + +Building from source is easy. Just unpack the source archive, cd to that +directory, and call cygport: + + cygport openssh.cygport almostall + +You must have installed the following packages to be able to build OpenSSH +with the aforementioned cygport script: + + zlib + crypt + openssl-devel + libwrap-devel + libedit-devel + libkrb5-devel + +Please send requests, error reports etc. to cygwin@cygwin.com. + + +Have fun, + +Corinna Vinschen +Cygwin Developer +Red Hat Inc. diff --git a/crypto/openssh/contrib/cygwin/ssh-host-config b/crypto/openssh/contrib/cygwin/ssh-host-config new file mode 100644 index 000000000..05efd3b3b --- /dev/null +++ b/crypto/openssh/contrib/cygwin/ssh-host-config @@ -0,0 +1,710 @@ +#!/bin/bash +# +# ssh-host-config, Copyright 2000-2011 Red Hat Inc. +# +# This file is part of the Cygwin port of OpenSSH. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR +# THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +# ====================================================================== +# Initialization +# ====================================================================== + +CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh + +# List of apps used. This is checkad for existance in csih_sanity_check +# Don't use *any* transient commands before sourcing the csih helper script, +# otherwise the sanity checks are short-circuited. +declare -a csih_required_commands=( + /usr/bin/basename coreutils + /usr/bin/cat coreutils + /usr/bin/chmod coreutils + /usr/bin/dirname coreutils + /usr/bin/id coreutils + /usr/bin/mv coreutils + /usr/bin/rm coreutils + /usr/bin/cygpath cygwin + /usr/bin/mount cygwin + /usr/bin/ps cygwin + /usr/bin/setfacl cygwin + /usr/bin/umount cygwin + /usr/bin/cmp diffutils + /usr/bin/grep grep + /usr/bin/awk gawk + /usr/bin/ssh-keygen openssh + /usr/sbin/sshd openssh + /usr/bin/sed sed +) +csih_sanity_check_server=yes +source ${CSIH_SCRIPT} + +PROGNAME=$(/usr/bin/basename $0) +_tdir=$(/usr/bin/dirname $0) +PROGDIR=$(cd $_tdir && pwd) + +# Subdirectory where the new package is being installed +PREFIX=/usr + +# Directory where the config files are stored +SYSCONFDIR=/etc +LOCALSTATEDIR=/var + +port_number=22 +privsep_configured=no +privsep_used=yes +cygwin_value="" +user_account= +password_value= +opt_force=no + +# ====================================================================== +# Routine: update_services_file +# ====================================================================== +update_services_file() { + local _my_etcdir="/ssh-host-config.$$" + local _win_etcdir + local _services + local _spaces + local _serv_tmp + local _wservices + local ret=0 + + _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" + _services="${_my_etcdir}/services" + _spaces=" #" + _serv_tmp="${_my_etcdir}/srv.out.$$" + + /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" + + # Depends on the above mount + _wservices=`cygpath -w "${_services}"` + + # Remove sshd 22/port from services + if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] + then + /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" + if [ -f "${_serv_tmp}" ] + then + if /usr/bin/mv "${_serv_tmp}" "${_services}" + then + csih_inform "Removing sshd from ${_wservices}" + else + csih_warning "Removing sshd from ${_wservices} failed!" + let ++ret + fi + /usr/bin/rm -f "${_serv_tmp}" + else + csih_warning "Removing sshd from ${_wservices} failed!" + let ++ret + fi + fi + + # Add ssh 22/tcp and ssh 22/udp to services + if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] + then + if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" + then + if /usr/bin/mv "${_serv_tmp}" "${_services}" + then + csih_inform "Added ssh to ${_wservices}" + else + csih_warning "Adding ssh to ${_wservices} failed!" + let ++ret + fi + /usr/bin/rm -f "${_serv_tmp}" + else + csih_warning "Adding ssh to ${_wservices} failed!" + let ++ret + fi + fi + /usr/bin/umount "${_my_etcdir}" + return $ret +} # --- End of update_services_file --- # + +# ====================================================================== +# Routine: sshd_privsep +# MODIFIES: privsep_configured privsep_used +# ====================================================================== +sshd_privsep() { + local sshdconfig_tmp + local ret=0 + + if [ "${privsep_configured}" != "yes" ] + then + csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." + csih_inform "However, this requires a non-privileged account called 'sshd'." + csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." + if csih_request "Should privilege separation be used?" + then + privsep_used=yes + if ! csih_create_unprivileged_user sshd + then + csih_error_recoverable "Couldn't create user 'sshd'!" + csih_error_recoverable "Privilege separation set to 'no' again!" + csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret + privsep_used=no + fi + else + privsep_used=no + fi + fi + + # Create default sshd_config from skeleton files in /etc/defaults/etc or + # modify to add the missing privsep configuration option + if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 + then + csih_inform "Updating ${SYSCONFDIR}/sshd_config file" + sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ + /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ + s/^#Port 22/Port ${port_number}/ + s/^#StrictModes yes/StrictModes no/" \ + < ${SYSCONFDIR}/sshd_config \ + > "${sshdconfig_tmp}" + if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config + then + csih_warning "Setting privilege separation to 'yes' failed!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret + fi + elif [ "${privsep_configured}" != "yes" ] + then + echo >> ${SYSCONFDIR}/sshd_config + if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config + then + csih_warning "Setting privilege separation to 'yes' failed!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret + fi + fi + return $ret +} # --- End of sshd_privsep --- # + +# ====================================================================== +# Routine: update_inetd_conf +# ====================================================================== +update_inetd_conf() { + local _inetcnf="${SYSCONFDIR}/inetd.conf" + local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" + local _inetcnf_dir="${SYSCONFDIR}/inetd.d" + local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" + local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" + local _with_comment=1 + local ret=0 + + if [ -d "${_inetcnf_dir}" ] + then + # we have inetutils-1.5 inetd.d support + if [ -f "${_inetcnf}" ] + then + /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 + + # check for sshd OR ssh in top-level inetd.conf file, and remove + # will be replaced by a file in inetd.d/ + if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] + then + /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" + if [ -f "${_inetcnf_tmp}" ] + then + if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" + then + csih_inform "Removed ssh[d] from ${_inetcnf}" + else + csih_warning "Removing ssh[d] from ${_inetcnf} failed!" + let ++ret + fi + /usr/bin/rm -f "${_inetcnf_tmp}" + else + csih_warning "Removing ssh[d] from ${_inetcnf} failed!" + let ++ret + fi + fi + fi + + csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" + if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 + then + if [ "${_with_comment}" -eq 0 ] + then + /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + else + /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + fi + if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" + then + csih_inform "Updated ${_sshd_inetd_conf}" + else + csih_warning "Updating ${_sshd_inetd_conf} failed!" + let ++ret + fi + fi + + elif [ -f "${_inetcnf}" ] + then + /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 + + # check for sshd in top-level inetd.conf file, and remove + # will be replaced by a file in inetd.d/ + if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] + then + /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" + if [ -f "${_inetcnf_tmp}" ] + then + if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" + then + csih_inform "Removed sshd from ${_inetcnf}" + else + csih_warning "Removing sshd from ${_inetcnf} failed!" + let ++ret + fi + /usr/bin/rm -f "${_inetcnf_tmp}" + else + csih_warning "Removing sshd from ${_inetcnf} failed!" + let ++ret + fi + fi + + # Add ssh line to inetd.conf + if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] + then + if [ "${_with_comment}" -eq 0 ] + then + echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + else + echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + fi + if [ $? -eq 0 ] + then + csih_inform "Added ssh to ${_inetcnf}" + else + csih_warning "Adding ssh to ${_inetcnf} failed!" + let ++ret + fi + fi + fi + return $ret +} # --- End of update_inetd_conf --- # + +# ====================================================================== +# Routine: check_service_files_ownership +# Checks that the files in /etc and /var belong to the right owner +# ====================================================================== +check_service_files_ownership() { + local run_service_as=$1 + local ret=0 + + if [ -z "${run_service_as}" ] + then + accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') + if [ "${accnt_name}" = "LocalSystem" ] + then + # Convert "LocalSystem" to "SYSTEM" as is the correct account name + accnt_name="SYSTEM:" + elif [[ "${accnt_name}" =~ ^\.\\ ]] + then + # Convert "." domain to local machine name + accnt_name="U-${COMPUTERNAME}${accnt_name#.}," + fi + run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') + if [ -z "${run_service_as}" ] + then + csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" + csih_warning "As a result, this script cannot make sure that the files used" + csih_warning "by the sshd service belong to the user running the service." + csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd" + csih_warning "file is in a good shape." + return 1 + fi + fi + for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub + do + if [ -f "$i" ] + then + if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of $i!" + let ++ret + fi + fi + done + if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" + let ++ret + fi + if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" + let ++ret + fi + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then + if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" + let ++ret + fi + fi + if [ $ret -ne 0 ] + then + csih_warning "Couldn't change owner of important files to ${run_service_as}!" + csih_warning "This may cause the sshd service to fail! Please make sure that" + csih_warning "you have suufficient permissions to change the ownership of files" + csih_warning "and try to run the ssh-host-config script again." + fi + return $ret +} # --- End of check_service_files_ownership --- # + +# ====================================================================== +# Routine: install_service +# Install sshd as a service +# ====================================================================== +install_service() { + local run_service_as + local password + local ret=0 + + echo + if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 + then + csih_inform "Sshd service is already installed." + check_service_files_ownership "" || let ret+=$? + else + echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" + if csih_request "(Say \"no\" if it is already installed as a service)" + then + csih_get_cygenv "${cygwin_value}" + + if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) + then + csih_inform "On Windows Server 2003, Windows Vista, and above, the" + csih_inform "SYSTEM account cannot setuid to other users -- a capability" + csih_inform "sshd requires. You need to have or to create a privileged" + csih_inform "account. This script will help you do so." + echo + + [ "${opt_force}" = "yes" ] && opt_f=-f + [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" + csih_select_privileged_username ${opt_f} ${opt_u} sshd + + if ! csih_create_privileged_user "${password_value}" + then + csih_error_recoverable "There was a serious problem creating a privileged user." + csih_request "Do you want to proceed anyway?" || exit 1 + let ++ret + fi + fi + + # Never returns empty if NT or above + run_service_as=$(csih_service_should_run_as) + + if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] + then + password="${csih_PRIVILEGED_PASSWORD}" + if [ -z "${password}" ] + then + csih_get_value "Please enter the password for user '${run_service_as}':" "-s" + password="${csih_value}" + fi + fi + + # At this point, we either have $run_service_as = "system" and + # $password is empty, or $run_service_as is some privileged user and + # (hopefully) $password contains the correct password. So, from here + # out, we use '-z "${password}"' to discriminate the two cases. + + csih_check_user "${run_service_as}" + + if [ -n "${csih_cygenv}" ] + then + cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) + fi + if [ -z "${password}" ] + then + if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ + -a "-D" -y tcpip "${cygwin_env[@]}" + then + echo + csih_inform "The sshd service has been installed under the LocalSystem" + csih_inform "account (also known as SYSTEM). To start the service now, call" + csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" + csih_inform "will start automatically after the next reboot." + fi + else + if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ + -a "-D" -y tcpip "${cygwin_env[@]}" \ + -u "${run_service_as}" -w "${password}" + then + /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight + echo + csih_inform "The sshd service has been installed under the '${run_service_as}'" + csih_inform "account. To start the service now, call \`net start sshd' or" + csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" + csih_inform "after the next reboot." + fi + fi + + if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 + then + check_service_files_ownership "${run_service_as}" || let ret+=$? + else + csih_error_recoverable "Installing sshd as a service failed!" + let ++ret + fi + fi # user allowed us to install as service + fi # service not yet installed + return $ret +} # --- End of install_service --- # + +# ====================================================================== +# Main Entry Point +# ====================================================================== + +# Check how the script has been started. If +# (1) it has been started by giving the full path and +# that path is /etc/postinstall, OR +# (2) Otherwise, if the environment variable +# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set +# then set auto_answer to "no". This allows automatic +# creation of the config files in /etc w/o overwriting +# them if they already exist. In both cases, color +# escape sequences are suppressed, so as to prevent +# cluttering setup's logfiles. +if [ "$PROGDIR" = "/etc/postinstall" ] +then + csih_auto_answer="no" + csih_disable_color + opt_force=yes +fi +if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ] +then + csih_auto_answer="no" + csih_disable_color + opt_force=yes +fi + +# ====================================================================== +# Parse options +# ====================================================================== +while : +do + case $# in + 0) + break + ;; + esac + + option=$1 + shift + + case "${option}" in + -d | --debug ) + set -x + csih_trace_on + ;; + + -y | --yes ) + csih_auto_answer=yes + opt_force=yes + ;; + + -n | --no ) + csih_auto_answer=no + opt_force=yes + ;; + + -c | --cygwin ) + cygwin_value="$1" + shift + ;; + + -p | --port ) + port_number=$1 + shift + ;; + + -u | --user ) + user_account="$1" + shift + ;; + + -w | --pwd ) + password_value="$1" + shift + ;; + + --privileged ) + csih_FORCE_PRIVILEGED_USER=yes + ;; + + *) + echo "usage: ${progname} [OPTION]..." + echo + echo "This script creates an OpenSSH host configuration." + echo + echo "Options:" + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." + echo " --port -p sshd listens on port n." + echo " --user -u privileged user for service, default 'cyg_server'." + echo " --pwd -w Use \"pwd\" as password for privileged user." + echo " --privileged On Windows XP, require privileged user" + echo " instead of LocalSystem for sshd service." + echo + exit 1 + ;; + + esac +done + +# ====================================================================== +# Action! +# ====================================================================== + +# Check for running ssh/sshd processes first. Refuse to do anything while +# some ssh processes are still running +if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' +then + echo + csih_error "There are still ssh processes running. Please shut them down first." +fi + +# Make sure the user is running in an administrative context +admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no) +if [ "${admin}" != "yes" ] +then + echo + csih_warning "Running this script typically requires administrator privileges!" + csih_warning "However, it seems your account does not have these privileges." + csih_warning "Here's the list of groups in your user token:" + echo + for i in $(/usr/bin/id -G) + do + /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group + done + echo + csih_warning "This usually means you're running this script from a non-admin" + csih_warning "desktop session, or in a non-elevated shell under UAC control." + echo + csih_warning "Make sure you have the appropriate privileges right now," + csih_warning "otherwise parts of this script will probably fail!" + echo + echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure" + if ! csih_request "you have the required privileges)" + then + echo + csih_inform "Ok. Exiting. Make sure to switch to an administrative account" + csih_inform "or to start this script from an elevated shell." + exit 1 + fi +fi + +echo + +warning_cnt=0 + +# Check for ${SYSCONFDIR} directory +csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." +if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1 +then + csih_warning "Can't set permissions on ${SYSCONFDIR}!" + let ++warning_cnt +fi +if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 +then + csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" + let ++warning_cnt +fi + +# Check for /var/log directory +csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." +if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1 +then + csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" + let ++warning_cnt +fi +if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 +then + csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" + let ++warning_cnt +fi + +# Create /var/log/lastlog if not already exists +if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] +then + echo + csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ + "Cannot create ssh host configuration." +fi +if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] +then + /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 + then + csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" + let ++warning_cnt + fi +fi + +# Create /var/empty file used as chroot jail for privilege separation +csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." +if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 +then + csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" + let ++warning_cnt +fi +if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 +then + csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" + let ++warning_cnt +fi + +# generate missing host keys +/usr/bin/ssh-keygen -A || let warning_cnt+=$? + +# handle ssh_config +csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt +if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 +then + if [ "${port_number}" != "22" ] + then + csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port" + echo "Host localhost" >> ${SYSCONFDIR}/ssh_config + echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config + fi +fi + +# handle sshd_config (and privsep) +csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt +if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 +then + /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes +fi +sshd_privsep || let warning_cnt+=$? + +update_services_file || let warning_cnt+=$? +update_inetd_conf || let warning_cnt+=$? +install_service || let warning_cnt+=$? + +echo +if [ $warning_cnt -eq 0 ] +then + csih_inform "Host configuration finished. Have fun!" +else + csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!" + csih_warning "Make sure that all problems reported are fixed," + csih_warning "then re-run ssh-host-config." +fi +exit $warning_cnt diff --git a/crypto/openssh/contrib/cygwin/ssh-user-config b/crypto/openssh/contrib/cygwin/ssh-user-config new file mode 100644 index 000000000..8708b7a58 --- /dev/null +++ b/crypto/openssh/contrib/cygwin/ssh-user-config @@ -0,0 +1,266 @@ +#!/bin/bash +# +# ssh-user-config, Copyright 2000-2008 Red Hat Inc. +# +# This file is part of the Cygwin port of OpenSSH. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR +# THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +# ====================================================================== +# Initialization +# ====================================================================== +PROGNAME=$(basename -- $0) +_tdir=$(dirname -- $0) +PROGDIR=$(cd $_tdir && pwd) + +CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh + +# Subdirectory where the new package is being installed +PREFIX=/usr + +# Directory where the config files are stored +SYSCONFDIR=/etc + +source ${CSIH_SCRIPT} + +auto_passphrase="no" +passphrase="" +pwdhome= +with_passphrase= + +# ====================================================================== +# Routine: create_identity +# optionally create identity of type argument in ~/.ssh +# optionally add result to ~/.ssh/authorized_keys +# ====================================================================== +create_identity() { + local file="$1" + local type="$2" + local name="$3" + if [ ! -f "${pwdhome}/.ssh/${file}" ] + then + if csih_request "Shall I create a ${name} identity file for you?" + then + csih_inform "Generating ${pwdhome}/.ssh/${file}" + if [ "${with_passphrase}" = "yes" ] + then + ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null + else + ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null + fi + if csih_request "Do you want to use this identity to login to this machine?" + then + csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" + cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys" + fi + fi + fi +} # === End of create_ssh1_identity() === # +readonly -f create_identity + +# ====================================================================== +# Routine: check_user_homedir +# Perform various checks on the user's home directory +# SETS GLOBAL VARIABLE: +# pwdhome +# ====================================================================== +check_user_homedir() { + local uid=$(id -u) + pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd) + if [ "X${pwdhome}" = "X" ] + then + csih_error_multi \ + "There is no home directory set for you in ${SYSCONFDIR}/passwd." \ + 'Setting $HOME is not sufficient!' + fi + + if [ ! -d "${pwdhome}" ] + then + csih_error_multi \ + "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \ + 'but it is not a valid directory. Cannot create user identity files.' + fi + + # If home is the root dir, set home to empty string to avoid error messages + # in subsequent parts of that script. + if [ "X${pwdhome}" = "X/" ] + then + # But first raise a warning! + csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" + if csih_request "Would you like to proceed anyway?" + then + pwdhome='' + else + csih_warning "Exiting. Configuration is not complete" + exit 1 + fi + fi + + if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] + then + echo + csih_warning 'group and other have been revoked write permission to your home' + csih_warning "directory ${pwdhome}." + csih_warning 'This is required by OpenSSH to allow public key authentication using' + csih_warning 'the key files stored in your .ssh subdirectory.' + csih_warning 'Revert this change ONLY if you know what you are doing!' + echo + fi +} # === End of check_user_homedir() === # +readonly -f check_user_homedir + +# ====================================================================== +# Routine: check_user_dot_ssh_dir +# Perform various checks on the ~/.ssh directory +# PREREQUISITE: +# pwdhome -- check_user_homedir() +# ====================================================================== +check_user_dot_ssh_dir() { + if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] + then + csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." + fi + + if [ ! -e "${pwdhome}/.ssh" ] + then + mkdir "${pwdhome}/.ssh" + if [ ! -e "${pwdhome}/.ssh" ] + then + csih_error "Creating users ${pwdhome}/.ssh directory failed" + fi + fi +} # === End of check_user_dot_ssh_dir() === # +readonly -f check_user_dot_ssh_dir + +# ====================================================================== +# Routine: fix_authorized_keys_perms +# Corrects the permissions of ~/.ssh/authorized_keys +# PREREQUISITE: +# pwdhome -- check_user_homedir() +# ====================================================================== +fix_authorized_keys_perms() { + if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ] + then + if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" + then + csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" + csih_warning "failed. Please care for the correct permissions. The minimum requirement" + csih_warning "is, the owner needs read permissions." + echo + fi + fi +} # === End of fix_authorized_keys_perms() === # +readonly -f fix_authorized_keys_perms + + +# ====================================================================== +# Main Entry Point +# ====================================================================== + +# Check how the script has been started. If +# (1) it has been started by giving the full path and +# that path is /etc/postinstall, OR +# (2) Otherwise, if the environment variable +# SSH_USER_CONFIG_AUTO_ANSWER_NO is set +# then set auto_answer to "no". This allows automatic +# creation of the config files in /etc w/o overwriting +# them if they already exist. In both cases, color +# escape sequences are suppressed, so as to prevent +# cluttering setup's logfiles. +if [ "$PROGDIR" = "/etc/postinstall" ] +then + csih_auto_answer="no" + csih_disable_color +fi +if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ] +then + csih_auto_answer="no" + csih_disable_color +fi + +# ====================================================================== +# Parse options +# ====================================================================== +while : +do + case $# in + 0) + break + ;; + esac + + option=$1 + shift + + case "$option" in + -d | --debug ) + set -x + csih_trace_on + ;; + + -y | --yes ) + csih_auto_answer=yes + ;; + + -n | --no ) + csih_auto_answer=no + ;; + + -p | --passphrase ) + with_passphrase="yes" + passphrase=$1 + shift + ;; + + *) + echo "usage: ${PROGNAME} [OPTION]..." + echo + echo "This script creates an OpenSSH user configuration." + echo + echo "Options:" + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --passphrase -p word Use \"word\" as passphrase automatically." + echo + exit 1 + ;; + + esac +done + +# ====================================================================== +# Action! +# ====================================================================== + +# Check passwd file +if [ ! -f ${SYSCONFDIR}/passwd ] +then + csih_error_multi \ + "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \ + 'first using mkpasswd. Check if it contains an entry for you and' \ + 'please care for the home directory in your entry as well.' +fi + +check_user_homedir +check_user_dot_ssh_dir +create_identity id_rsa rsa "SSH2 RSA" +create_identity id_dsa dsa "SSH2 DSA" +create_identity id_ecdsa ecdsa "SSH2 ECDSA" +create_identity identity rsa1 "(deprecated) SSH1 RSA" +fix_authorized_keys_perms + +echo +csih_inform "Configuration finished. Have fun!" + + diff --git a/crypto/openssh/contrib/cygwin/sshd-inetd b/crypto/openssh/contrib/cygwin/sshd-inetd new file mode 100644 index 000000000..aa6bf073f --- /dev/null +++ b/crypto/openssh/contrib/cygwin/sshd-inetd @@ -0,0 +1,4 @@ +# This file can be used to enable sshd as a slave of the inetd service +# To do so, the line below should be uncommented. +@COMMENT@ ssh stream tcp nowait root /usr/sbin/sshd sshd -i + diff --git a/crypto/openssh/contrib/findssl.sh b/crypto/openssh/contrib/findssl.sh new file mode 100755 index 000000000..263fd2644 --- /dev/null +++ b/crypto/openssh/contrib/findssl.sh @@ -0,0 +1,186 @@ +#!/bin/sh +# +# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $ +# +# findssl.sh +# Search for all instances of OpenSSL headers and libraries +# and print their versions. +# Intended to help diagnose OpenSSH's "OpenSSL headers do not +# match your library" errors. +# +# Written by Darren Tucker (dtucker at zip dot com dot au) +# This file is placed in the public domain. +# +# Release history: +# 2002-07-27: Initial release. +# 2002-08-04: Added public domain notice. +# 2003-06-24: Incorporated readme, set library paths. First cvs version. +# 2004-12-13: Add traps to cleanup temp files, from Amarendra Godbole. +# +# "OpenSSL headers do not match your library" are usually caused by +# OpenSSH's configure picking up an older version of OpenSSL headers +# or libraries. You can use the following # procedure to help identify +# the cause. +# +# The output of configure will tell you the versions of the OpenSSL +# headers and libraries that were picked up, for example: +# +# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002) +# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001) +# checking whether OpenSSL's headers match the library... no +# configure: error: Your OpenSSL headers do not match your library +# +# Now run findssl.sh. This should identify the headers and libraries +# present and their versions. You should be able to identify the +# libraries and headers used and adjust your CFLAGS or remove incorrect +# versions. The output will show OpenSSL's internal version identifier +# and should look something like: + +# $ ./findssl.sh +# Searching for OpenSSL header files. +# 0x0090604fL /usr/include/openssl/opensslv.h +# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h +# +# Searching for OpenSSL shared library files. +# 0x0090602fL /lib/libcrypto.so.0.9.6b +# 0x0090602fL /lib/libcrypto.so.2 +# 0x0090581fL /usr/lib/libcrypto.so.0 +# 0x0090602fL /usr/lib/libcrypto.so +# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a +# 0x0090600fL /usr/lib/libcrypto.so.0.9.6 +# 0x0090600fL /usr/lib/libcrypto.so.1 +# +# Searching for OpenSSL static library files. +# 0x0090602fL /usr/lib/libcrypto.a +# 0x0090604fL /usr/local/ssl/lib/libcrypto.a +# +# In this example, I gave configure no extra flags, so it's picking up +# the OpenSSL header from /usr/include/openssl (90604f) and the library +# from /usr/lib/ (90602f). + +# +# Adjust these to suit your compiler. +# You may also need to set the *LIB*PATH environment variables if +# DEFAULT_LIBPATH is not correct for your system. +# +CC=gcc +STATIC=-static + +# +# Cleanup on interrupt +# +trap 'rm -f conftest.c' INT HUP TERM + +# +# Set up conftest C source +# +rm -f findssl.log +cat >conftest.c < +int main(){printf("0x%08xL\n", SSLeay());} +EOD + +# +# Set default library paths if not already set +# +DEFAULT_LIBPATH=/usr/lib:/usr/local/lib +LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH} +LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH} +LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH} +export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH + +# not all platforms have a 'which' command +if which ls >/dev/null 2>/dev/null; then + : which is defined +else + which () { + saveIFS="$IFS" + IFS=: + for p in $PATH; do + if test -x "$p/$1" -a -f "$p/$1"; then + IFS="$saveIFS" + echo "$p/$1" + return 0 + fi + done + IFS="$saveIFS" + return 1 + } +fi + +# +# Search for OpenSSL headers and print versions +# +echo Searching for OpenSSL header files. +if [ -x "`which locate`" ] +then + headers=`locate opensslv.h` +else + headers=`find / -name opensslv.h -print 2>/dev/null` +fi + +for header in $headers +do + ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header` + echo "$ver $header" +done +echo + +# +# Search for shared libraries. +# Relies on shared libraries looking like "libcrypto.s*" +# +echo Searching for OpenSSL shared library files. +if [ -x "`which locate`" ] +then + libraries=`locate libcrypto.s` +else + libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null` +fi + +for lib in $libraries +do + (echo "Trying libcrypto $lib" >>findssl.log + dir=`dirname $lib` + LIBPATH="$dir:$LIBPATH" + LD_LIBRARY_PATH="$dir:$LIBPATH" + LIBRARY_PATH="$dir:$LIBPATH" + export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH + ${CC} -o conftest conftest.c $lib 2>>findssl.log + if [ -x ./conftest ] + then + ver=`./conftest 2>/dev/null` + rm -f ./conftest + echo "$ver $lib" + fi) +done +echo + +# +# Search for static OpenSSL libraries and print versions +# +echo Searching for OpenSSL static library files. +if [ -x "`which locate`" ] +then + libraries=`locate libcrypto.a` +else + libraries=`find / -name libcrypto.a -print 2>/dev/null` +fi + +for lib in $libraries +do + libdir=`dirname $lib` + echo "Trying libcrypto $lib" >>findssl.log + ${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log + if [ -x ./conftest ] + then + ver=`./conftest 2>/dev/null` + rm -f ./conftest + echo "$ver $lib" + fi +done + +# +# Clean up +# +rm -f conftest.c diff --git a/crypto/openssh/contrib/gnome-ssh-askpass1.c b/crypto/openssh/contrib/gnome-ssh-askpass1.c new file mode 100644 index 000000000..4d51032d1 --- /dev/null +++ b/crypto/openssh/contrib/gnome-ssh-askpass1.c @@ -0,0 +1,171 @@ +/* + * Copyright (c) 2000-2002 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This is a simple GNOME SSH passphrase grabber. To use it, set the + * environment variable SSH_ASKPASS to point to the location of + * gnome-ssh-askpass before calling "ssh-add < /dev/null". + * + * There is only two run-time options: if you set the environment variable + * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab + * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the + * pointer will be grabbed too. These may have some benefit to security if + * you don't trust your X server. We grab the keyboard always. + */ + +/* + * Compile with: + * + * cc `gnome-config --cflags gnome gnomeui` \ + * gnome-ssh-askpass1.c -o gnome-ssh-askpass \ + * `gnome-config --libs gnome gnomeui` + * + */ + +#include +#include +#include +#include +#include +#include + +void +report_failed_grab (void) +{ + GtkWidget *err; + + err = gnome_message_box_new("Could not grab keyboard or mouse.\n" + "A malicious client may be eavesdropping on your session.", + GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL); + gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); + gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL); + + gnome_dialog_run_and_close(GNOME_DIALOG(err)); +} + +int +passphrase_dialog(char *message) +{ + char *passphrase; + char **messages; + int result, i, grab_server, grab_pointer; + GtkWidget *dialog, *entry, *label; + + grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); + grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL); + + dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK, + GNOME_STOCK_BUTTON_CANCEL, NULL); + + messages = g_strsplit(message, "\\n", 0); + if (messages) + for(i = 0; messages[i]; i++) { + label = gtk_label_new(messages[i]); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), + label, FALSE, FALSE, 0); + } + + entry = gtk_entry_new(); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, + FALSE, 0); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + + /* Center window and prepare for grab */ + gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL); + gnome_dialog_set_default(GNOME_DIALOG(dialog), 0); + gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); + gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE); + gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE); + gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), + GNOME_PAD); + gtk_widget_show_all(dialog); + + /* Grab focus */ + if (grab_server) + XGrabServer(GDK_DISPLAY()); + if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0, + NULL, NULL, GDK_CURRENT_TIME)) + goto nograb; + if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME)) + goto nograbkb; + + /* Make close dialog */ + gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry)); + + /* Run dialog */ + result = gnome_dialog_run(GNOME_DIALOG(dialog)); + + /* Ungrab */ + if (grab_server) + XUngrabServer(GDK_DISPLAY()); + if (grab_pointer) + gdk_pointer_ungrab(GDK_CURRENT_TIME); + gdk_keyboard_ungrab(GDK_CURRENT_TIME); + gdk_flush(); + + /* Report passphrase if user selected OK */ + passphrase = gtk_entry_get_text(GTK_ENTRY(entry)); + if (result == 0) + puts(passphrase); + + /* Zero passphrase in memory */ + memset(passphrase, '\0', strlen(passphrase)); + gtk_entry_set_text(GTK_ENTRY(entry), passphrase); + + gnome_dialog_close(GNOME_DIALOG(dialog)); + return (result == 0 ? 0 : -1); + + /* At least one grab failed - ungrab what we got, and report + the failure to the user. Note that XGrabServer() cannot + fail. */ + nograbkb: + gdk_pointer_ungrab(GDK_CURRENT_TIME); + nograb: + if (grab_server) + XUngrabServer(GDK_DISPLAY()); + gnome_dialog_close(GNOME_DIALOG(dialog)); + + report_failed_grab(); + return (-1); +} + +int +main(int argc, char **argv) +{ + char *message; + int result; + + gnome_init("GNOME ssh-askpass", "0.1", argc, argv); + + if (argc == 2) + message = argv[1]; + else + message = "Enter your OpenSSH passphrase:"; + + setvbuf(stdout, 0, _IONBF, 0); + result = passphrase_dialog(message); + + return (result); +} diff --git a/crypto/openssh/contrib/gnome-ssh-askpass2.c b/crypto/openssh/contrib/gnome-ssh-askpass2.c new file mode 100644 index 000000000..9d97c30c0 --- /dev/null +++ b/crypto/openssh/contrib/gnome-ssh-askpass2.c @@ -0,0 +1,223 @@ +/* + * Copyright (c) 2000-2002 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* GTK2 support by Nalin Dahyabhai */ + +/* + * This is a simple GNOME SSH passphrase grabber. To use it, set the + * environment variable SSH_ASKPASS to point to the location of + * gnome-ssh-askpass before calling "ssh-add < /dev/null". + * + * There is only two run-time options: if you set the environment variable + * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab + * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the + * pointer will be grabbed too. These may have some benefit to security if + * you don't trust your X server. We grab the keyboard always. + */ + +#define GRAB_TRIES 16 +#define GRAB_WAIT 250 /* milliseconds */ + +/* + * Compile with: + * + * cc -Wall `pkg-config --cflags gtk+-2.0` \ + * gnome-ssh-askpass2.c -o gnome-ssh-askpass \ + * `pkg-config --libs gtk+-2.0` + * + */ + +#include +#include +#include +#include +#include +#include +#include + +static void +report_failed_grab (const char *what) +{ + GtkWidget *err; + + err = gtk_message_dialog_new(NULL, 0, + GTK_MESSAGE_ERROR, + GTK_BUTTONS_CLOSE, + "Could not grab %s. " + "A malicious client may be eavesdropping " + "on your session.", what); + gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); + gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label), + TRUE); + + gtk_dialog_run(GTK_DIALOG(err)); + + gtk_widget_destroy(err); +} + +static void +ok_dialog(GtkWidget *entry, gpointer dialog) +{ + g_return_if_fail(GTK_IS_DIALOG(dialog)); + gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); +} + +static int +passphrase_dialog(char *message) +{ + const char *failed; + char *passphrase, *local; + int result, grab_tries, grab_server, grab_pointer; + GtkWidget *dialog, *entry; + GdkGrabStatus status; + + grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); + grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL); + grab_tries = 0; + + dialog = gtk_message_dialog_new(NULL, 0, + GTK_MESSAGE_QUESTION, + GTK_BUTTONS_OK_CANCEL, + "%s", + message); + + entry = gtk_entry_new(); + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, + FALSE, 0); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + gtk_widget_show(entry); + + gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH"); + gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); + gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); + gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label), + TRUE); + + /* Make close dialog */ + gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); + g_signal_connect(G_OBJECT(entry), "activate", + G_CALLBACK(ok_dialog), dialog); + + gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); + + /* Grab focus */ + gtk_widget_show_now(dialog); + if (grab_pointer) { + for(;;) { + status = gdk_pointer_grab( + (GTK_WIDGET(dialog))->window, TRUE, 0, NULL, + NULL, GDK_CURRENT_TIME); + if (status == GDK_GRAB_SUCCESS) + break; + usleep(GRAB_WAIT * 1000); + if (++grab_tries > GRAB_TRIES) { + failed = "mouse"; + goto nograb; + } + } + } + for(;;) { + status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window, + FALSE, GDK_CURRENT_TIME); + if (status == GDK_GRAB_SUCCESS) + break; + usleep(GRAB_WAIT * 1000); + if (++grab_tries > GRAB_TRIES) { + failed = "keyboard"; + goto nograbkb; + } + } + if (grab_server) { + gdk_x11_grab_server(); + } + + result = gtk_dialog_run(GTK_DIALOG(dialog)); + + /* Ungrab */ + if (grab_server) + XUngrabServer(GDK_DISPLAY()); + if (grab_pointer) + gdk_pointer_ungrab(GDK_CURRENT_TIME); + gdk_keyboard_ungrab(GDK_CURRENT_TIME); + gdk_flush(); + + /* Report passphrase if user selected OK */ + passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry))); + if (result == GTK_RESPONSE_OK) { + local = g_locale_from_utf8(passphrase, strlen(passphrase), + NULL, NULL, NULL); + if (local != NULL) { + puts(local); + memset(local, '\0', strlen(local)); + g_free(local); + } else { + puts(passphrase); + } + } + + /* Zero passphrase in memory */ + memset(passphrase, '\b', strlen(passphrase)); + gtk_entry_set_text(GTK_ENTRY(entry), passphrase); + memset(passphrase, '\0', strlen(passphrase)); + g_free(passphrase); + + gtk_widget_destroy(dialog); + return (result == GTK_RESPONSE_OK ? 0 : -1); + + /* At least one grab failed - ungrab what we got, and report + the failure to the user. Note that XGrabServer() cannot + fail. */ + nograbkb: + gdk_pointer_ungrab(GDK_CURRENT_TIME); + nograb: + if (grab_server) + XUngrabServer(GDK_DISPLAY()); + gtk_widget_destroy(dialog); + + report_failed_grab(failed); + + return (-1); +} + +int +main(int argc, char **argv) +{ + char *message; + int result; + + gtk_init(&argc, &argv); + + if (argc > 1) { + message = g_strjoinv(" ", argv + 1); + } else { + message = g_strdup("Enter your OpenSSH passphrase:"); + } + + setvbuf(stdout, 0, _IONBF, 0); + result = passphrase_dialog(message); + g_free(message); + + return (result); +} diff --git a/crypto/openssh/contrib/hpux/README b/crypto/openssh/contrib/hpux/README new file mode 100644 index 000000000..f8bfa84e4 --- /dev/null +++ b/crypto/openssh/contrib/hpux/README @@ -0,0 +1,45 @@ +README for OpenSSH HP-UX contrib files +Kevin Steves + +sshd: configuration file for sshd.rc +sshd.rc: SSH startup script +egd: configuration file for egd.rc +egd.rc: EGD (entropy gathering daemon) startup script + +To install: + +sshd.rc: + +o Verify paths in sshd.rc match your local installation + (WHAT_PATH and WHAT_PID) +o Customize sshd if needed (SSHD_ARGS) +o Install: + + # cp sshd /etc/rc.config.d + # chmod 444 /etc/rc.config.d/sshd + # cp sshd.rc /sbin/init.d + # chmod 555 /sbin/init.d/sshd.rc + # ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd + # ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd + +egd.rc: + +o Verify egd.pl path in egd.rc matches your local installation + (WHAT_PATH) +o Customize egd if needed (EGD_ARGS and EGD_LOG) +o Add pseudo account: + + # groupadd egd + # useradd -g egd egd + # mkdir -p /etc/opt/egd + # chown egd:egd /etc/opt/egd + # chmod 711 /etc/opt/egd + +o Install: + + # cp egd /etc/rc.config.d + # chmod 444 /etc/rc.config.d/egd + # cp egd.rc /sbin/init.d + # chmod 555 /sbin/init.d/egd.rc + # ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd + # ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd diff --git a/crypto/openssh/contrib/hpux/egd b/crypto/openssh/contrib/hpux/egd new file mode 100644 index 000000000..21af0bd13 --- /dev/null +++ b/crypto/openssh/contrib/hpux/egd @@ -0,0 +1,15 @@ +# EGD_START: Set to 1 to start entropy gathering daemon +# EGD_ARGS: Command line arguments to pass to egd +# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log) +# +# To configure the egd environment: + +# groupadd egd +# useradd -g egd egd +# mkdir -p /etc/opt/egd +# chown egd:egd /etc/opt/egd +# chmod 711 /etc/opt/egd + +EGD_START=1 +EGD_ARGS='/etc/opt/egd/entropy' +EGD_LOG= diff --git a/crypto/openssh/contrib/hpux/egd.rc b/crypto/openssh/contrib/hpux/egd.rc new file mode 100755 index 000000000..919dea725 --- /dev/null +++ b/crypto/openssh/contrib/hpux/egd.rc @@ -0,0 +1,98 @@ +#!/sbin/sh + +# +# egd.rc: EGD start-up and shutdown script +# + +# Allowed exit values: +# 0 = success; causes "OK" to show up in checklist. +# 1 = failure; causes "FAIL" to show up in checklist. +# 2 = skip; causes "N/A" to show up in the checklist. +# Use this value if execution of this script is overridden +# by the use of a control variable, or if this script is not +# appropriate to execute for some other reason. +# 3 = reboot; causes the system to be rebooted after execution. + +# Input and output: +# stdin is redirected from /dev/null +# +# stdout and stderr are redirected to the /etc/rc.log file +# during checklist mode, or to the console in raw mode. + +umask 022 + +PATH=/usr/sbin:/usr/bin:/sbin +export PATH + +WHAT='EGD (entropy gathering daemon)' +WHAT_PATH=/opt/perl/bin/egd.pl +WHAT_CONFIG=/etc/rc.config.d/egd +WHAT_LOG=/etc/opt/egd/egd.log + +# NOTE: If your script executes in run state 0 or state 1, then /usr might +# not be available. Do not attempt to access commands or files in +# /usr unless your script executes in run state 2 or greater. Other +# file systems typically not mounted until run state 2 include /var +# and /opt. + +rval=0 + +# Check the exit value of a command run by this script. If non-zero, the +# exit code is echoed to the log file and the return value of this script +# is set to indicate failure. + +set_return() { + x=$? + if [ $x -ne 0 ]; then + echo "EXIT CODE: $x" + rval=1 # script FAILed + fi +} + +case $1 in +'start_msg') + echo "Starting $WHAT" + ;; + +'stop_msg') + echo "Stopping $WHAT" + ;; + +'start') + if [ -f $WHAT_CONFIG ] ; then + . $WHAT_CONFIG + else + echo "ERROR: $WHAT_CONFIG defaults file MISSING" + fi + + + if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then + EGD_LOG=${EGD_LOG:-$WHAT_LOG} + su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" && + echo $WHAT started + set_return + else + rval=2 + fi + ;; + +'stop') + pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'` + if [ "X$pid" != "X" ]; then + if kill "$pid"; then + echo "$WHAT stopped" + else + rval=1 + echo "Unable to stop $WHAT" + fi + fi + set_return + ;; + +*) + echo "usage: $0 {start|stop|start_msg|stop_msg}" + rval=1 + ;; +esac + +exit $rval diff --git a/crypto/openssh/contrib/hpux/sshd b/crypto/openssh/contrib/hpux/sshd new file mode 100644 index 000000000..8eb5e92a3 --- /dev/null +++ b/crypto/openssh/contrib/hpux/sshd @@ -0,0 +1,5 @@ +# SSHD_START: Set to 1 to start SSH daemon +# SSHD_ARGS: Command line arguments to pass to sshd +# +SSHD_START=1 +SSHD_ARGS= diff --git a/crypto/openssh/contrib/hpux/sshd.rc b/crypto/openssh/contrib/hpux/sshd.rc new file mode 100755 index 000000000..f9a10999b --- /dev/null +++ b/crypto/openssh/contrib/hpux/sshd.rc @@ -0,0 +1,90 @@ +#!/sbin/sh + +# +# sshd.rc: SSH daemon start-up and shutdown script +# + +# Allowed exit values: +# 0 = success; causes "OK" to show up in checklist. +# 1 = failure; causes "FAIL" to show up in checklist. +# 2 = skip; causes "N/A" to show up in the checklist. +# Use this value if execution of this script is overridden +# by the use of a control variable, or if this script is not +# appropriate to execute for some other reason. +# 3 = reboot; causes the system to be rebooted after execution. + +# Input and output: +# stdin is redirected from /dev/null +# +# stdout and stderr are redirected to the /etc/rc.log file +# during checklist mode, or to the console in raw mode. + +PATH=/usr/sbin:/usr/bin:/sbin +export PATH + +WHAT='OpenSSH' +WHAT_PATH=/opt/openssh/sbin/sshd +WHAT_PID=/var/run/sshd.pid +WHAT_CONFIG=/etc/rc.config.d/sshd + +# NOTE: If your script executes in run state 0 or state 1, then /usr might +# not be available. Do not attempt to access commands or files in +# /usr unless your script executes in run state 2 or greater. Other +# file systems typically not mounted until run state 2 include /var +# and /opt. + +rval=0 + +# Check the exit value of a command run by this script. If non-zero, the +# exit code is echoed to the log file and the return value of this script +# is set to indicate failure. + +set_return() { + x=$? + if [ $x -ne 0 ]; then + echo "EXIT CODE: $x" + rval=1 # script FAILed + fi +} + +case $1 in +'start_msg') + echo "Starting $WHAT" + ;; + +'stop_msg') + echo "Stopping $WHAT" + ;; + +'start') + if [ -f $WHAT_CONFIG ] ; then + . $WHAT_CONFIG + else + echo "ERROR: $WHAT_CONFIG defaults file MISSING" + fi + + if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then + $WHAT_PATH $SSHD_ARGS && echo "$WHAT started" + set_return + else + rval=2 + fi + ;; + +'stop') + if kill `cat $WHAT_PID`; then + echo "$WHAT stopped" + else + rval=1 + echo "Unable to stop $WHAT" + fi + set_return + ;; + +*) + echo "usage: $0 {start|stop|start_msg|stop_msg}" + rval=1 + ;; +esac + +exit $rval diff --git a/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh new file mode 100644 index 000000000..dd77712cd --- /dev/null +++ b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh @@ -0,0 +1 @@ +setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass diff --git a/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh new file mode 100755 index 000000000..355189f45 --- /dev/null +++ b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh @@ -0,0 +1,2 @@ +SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass +export SSH_ASKPASS diff --git a/crypto/openssh/contrib/redhat/openssh.spec b/crypto/openssh/contrib/redhat/openssh.spec new file mode 100644 index 000000000..96401c6ee --- /dev/null +++ b/crypto/openssh/contrib/redhat/openssh.spec @@ -0,0 +1,812 @@ +%define ver 6.6p1 +%define rel 1 + +# OpenSSH privilege separation requires a user & group ID +%define sshd_uid 74 +%define sshd_gid 74 + +# Version of ssh-askpass +%define aversion 1.2.4.1 + +# Do we want to disable building of x11-askpass? (1=yes 0=no) +%define no_x11_askpass 0 + +# Do we want to disable building of gnome-askpass? (1=yes 0=no) +%define no_gnome_askpass 0 + +# Do we want to link against a static libcrypto? (1=yes 0=no) +%define static_libcrypto 0 + +# Do we want smartcard support (1=yes 0=no) +%define scard 0 + +# Use GTK2 instead of GNOME in gnome-ssh-askpass +%define gtk2 1 + +# Is this build for RHL 6.x? +%define build6x 0 + +# Do we want kerberos5 support (1=yes 0=no) +%define kerberos5 1 + +# Reserve options to override askpass settings with: +# rpm -ba|--rebuild --define 'skip_xxx 1' +%{?skip_x11_askpass:%define no_x11_askpass 1} +%{?skip_gnome_askpass:%define no_gnome_askpass 1} + +# Add option to build without GTK2 for older platforms with only GTK+. +# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples. +# rpm -ba|--rebuild --define 'no_gtk2 1' +%{?no_gtk2:%define gtk2 0} + +# Is this a build for RHL 6.x or earlier? +%{?build_6x:%define build6x 1} + +# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc. +%if %{build6x} +%define _sysconfdir /etc +%endif + +# Options for static OpenSSL link: +# rpm -ba|--rebuild --define "static_openssl 1" +%{?static_openssl:%define static_libcrypto 1} + +# Options for Smartcard support: (needs libsectok and openssl-engine) +# rpm -ba|--rebuild --define "smartcard 1" +%{?smartcard:%define scard 1} + +# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no) +%define rescue 0 +%{?build_rescue:%define rescue 1} + +# Turn off some stuff for resuce builds +%if %{rescue} +%define kerberos5 0 +%endif + +Summary: The OpenSSH implementation of SSH protocol versions 1 and 2. +Name: openssh +Version: %{ver} +%if %{rescue} +Release: %{rel}rescue +%else +Release: %{rel} +%endif +URL: http://www.openssh.com/portable.html +Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz +%if ! %{no_x11_askpass} +Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz +%endif +License: BSD +Group: Applications/Internet +BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot +Obsoletes: ssh +%if %{build6x} +PreReq: initscripts >= 5.00 +%else +Requires: initscripts >= 5.20 +%endif +BuildRequires: perl, openssl-devel, tcp_wrappers +BuildRequires: /bin/login +%if ! %{build6x} +BuildPreReq: glibc-devel, pam +%else +BuildRequires: /usr/include/security/pam_appl.h +%endif +%if ! %{no_x11_askpass} +BuildRequires: /usr/include/X11/Xlib.h +%endif +%if ! %{no_gnome_askpass} +BuildRequires: pkgconfig +%endif +%if %{kerberos5} +BuildRequires: krb5-devel +BuildRequires: krb5-libs +%endif + +%package clients +Summary: OpenSSH clients. +Requires: openssh = %{version}-%{release} +Group: Applications/Internet +Obsoletes: ssh-clients + +%package server +Summary: The OpenSSH server daemon. +Group: System Environment/Daemons +Obsoletes: ssh-server +Requires: openssh = %{version}-%{release}, chkconfig >= 0.9 +%if ! %{build6x} +Requires: /etc/pam.d/system-auth +%endif + +%package askpass +Summary: A passphrase dialog for OpenSSH and X. +Group: Applications/Internet +Requires: openssh = %{version}-%{release} +Obsoletes: ssh-extras + +%package askpass-gnome +Summary: A passphrase dialog for OpenSSH, X, and GNOME. +Group: Applications/Internet +Requires: openssh = %{version}-%{release} +Obsoletes: ssh-extras + +%description +SSH (Secure SHell) is a program for logging into and executing +commands on a remote machine. SSH is intended to replace rlogin and +rsh, and to provide secure encrypted communications between two +untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's version of the last free version of SSH, bringing +it up to date in terms of security and features, as well as removing +all patented algorithms to separate libraries. + +This package includes the core files necessary for both the OpenSSH +client and server. To make this package useful, you should also +install openssh-clients, openssh-server, or both. + +%description clients +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package includes +the clients necessary to make encrypted connections to SSH servers. +You'll also need to install the openssh package on OpenSSH clients. + +%description server +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +the secure shell daemon (sshd). The sshd daemon allows SSH clients to +securely connect to your SSH server. You also need to have the openssh +package installed. + +%description askpass +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +an X11 passphrase dialog for OpenSSH. + +%description askpass-gnome +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop +environment. + +%prep + +%if ! %{no_x11_askpass} +%setup -q -a 1 +%else +%setup -q +%endif + +%build +%if %{rescue} +CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS +%endif + +%if %{kerberos5} +K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'` +echo K5DIR=$K5DIR +%endif + +%configure \ + --sysconfdir=%{_sysconfdir}/ssh \ + --libexecdir=%{_libexecdir}/openssh \ + --datadir=%{_datadir}/openssh \ + --with-tcp-wrappers \ + --with-rsh=%{_bindir}/rsh \ + --with-default-path=/usr/local/bin:/bin:/usr/bin \ + --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ + --with-privsep-path=%{_var}/empty/sshd \ + --with-md5-passwords \ +%if %{scard} + --with-smartcard \ +%endif +%if %{rescue} + --without-pam \ +%else + --with-pam \ +%endif +%if %{kerberos5} + --with-kerberos5=$K5DIR \ +%endif + + +%if %{static_libcrypto} +perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile +%endif + +make + +%if ! %{no_x11_askpass} +pushd x11-ssh-askpass-%{aversion} +%configure --libexecdir=%{_libexecdir}/openssh +xmkmf -a +make +popd +%endif + +# Define a variable to toggle gnome1/gtk2 building. This is necessary +# because RPM doesn't handle nested %if statements. +%if %{gtk2} + gtk2=yes +%else + gtk2=no +%endif + +%if ! %{no_gnome_askpass} +pushd contrib +if [ $gtk2 = yes ] ; then + make gnome-ssh-askpass2 + mv gnome-ssh-askpass2 gnome-ssh-askpass +else + make gnome-ssh-askpass1 + mv gnome-ssh-askpass1 gnome-ssh-askpass +fi +popd +%endif + +%install +rm -rf $RPM_BUILD_ROOT +mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh +mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh +mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd + +make install DESTDIR=$RPM_BUILD_ROOT + +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/etc/rc.d/init.d +install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh +%if %{build6x} +install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd +%else +install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +%endif +install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd + +%if ! %{no_x11_askpass} +install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass +ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass +%endif + +%if ! %{no_gnome_askpass} +install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass +%endif + +%if ! %{scard} + rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin +%endif + +%if ! %{no_gnome_askpass} +install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ +install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ +install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ +%endif + +perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* + +%clean +rm -rf $RPM_BUILD_ROOT + +%triggerun server -- ssh-server +if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then + touch /var/run/sshd.restart +fi + +%triggerun server -- openssh-server < 2.5.0p1 +# Count the number of HostKey and HostDsaKey statements we have. +gawk 'BEGIN {IGNORECASE=1} + /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1} + END {exit sawhostkey}' /etc/ssh/sshd_config +# And if we only found one, we know the client was relying on the old default +# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't +# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying +# one nullifies the default, which would have loaded both. +if [ $? -eq 1 ] ; then + echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config + echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config +fi + +%triggerpostun server -- ssh-server +if [ "$1" != 0 ] ; then + /sbin/chkconfig --add sshd + if test -f /var/run/sshd.restart ; then + rm -f /var/run/sshd.restart + /sbin/service sshd start > /dev/null 2>&1 || : + fi +fi + +%pre server +%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || : +%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \ + -g sshd -M -r sshd 2>/dev/null || : + +%post server +/sbin/chkconfig --add sshd + +%postun server +/sbin/service sshd condrestart > /dev/null 2>&1 || : + +%preun server +if [ "$1" = 0 ] +then + /sbin/service sshd stop > /dev/null 2>&1 || : + /sbin/chkconfig --del sshd +fi + +%files +%defattr(-,root,root) +%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO +%attr(0755,root,root) %{_bindir}/scp +%attr(0644,root,root) %{_mandir}/man1/scp.1* +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli +%if ! %{rescue} +%attr(0755,root,root) %{_bindir}/ssh-keygen +%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* +%attr(0755,root,root) %dir %{_libexecdir}/openssh +%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign +%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper +%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8* +%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* +%endif +%if %{scard} +%attr(0755,root,root) %dir %{_datadir}/openssh +%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin +%endif + +%files clients +%defattr(-,root,root) +%attr(0755,root,root) %{_bindir}/ssh +%attr(0644,root,root) %{_mandir}/man1/ssh.1* +%attr(0644,root,root) %{_mandir}/man5/ssh_config.5* +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(-,root,root) %{_bindir}/slogin +%attr(-,root,root) %{_mandir}/man1/slogin.1* +%if ! %{rescue} +%attr(2755,root,nobody) %{_bindir}/ssh-agent +%attr(0755,root,root) %{_bindir}/ssh-add +%attr(0755,root,root) %{_bindir}/ssh-keyscan +%attr(0755,root,root) %{_bindir}/sftp +%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* +%attr(0644,root,root) %{_mandir}/man1/sftp.1* +%endif + +%if ! %{rescue} +%files server +%defattr(-,root,root) +%dir %attr(0111,root,root) %{_var}/empty/sshd +%attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server +%attr(0644,root,root) %{_mandir}/man8/sshd.8* +%attr(0644,root,root) %{_mandir}/man5/moduli.5* +%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* +%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config +%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd +%attr(0755,root,root) %config /etc/rc.d/init.d/sshd +%endif + +%if ! %{no_x11_askpass} +%files askpass +%defattr(-,root,root) +%doc x11-ssh-askpass-%{aversion}/README +%doc x11-ssh-askpass-%{aversion}/ChangeLog +%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad +%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass +%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass +%endif + +%if ! %{no_gnome_askpass} +%files askpass-gnome +%defattr(-,root,root) +%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.* +%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass +%endif + +%changelog +* Wed Jul 14 2010 Tim Rice +- test for skip_x11_askpass (line 77) should have been for no_x11_askpass + +* Mon Jun 2 2003 Damien Miller +- Remove noip6 option. This may be controlled at run-time in client config + file using new AddressFamily directive + +* Mon May 12 2003 Damien Miller +- Don't install profile.d scripts when not building with GNOME/GTK askpass + (patch from bet@rahul.net) + +* Wed Oct 01 2002 Damien Miller +- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks + +* Mon Sep 30 2002 Damien Miller +- Use contrib/ Makefile for building askpass programs + +* Fri Jun 21 2002 Damien Miller +- Merge in spec changes from seba@iq.pl (Sebastian Pachuta) +- Add new {ssh,sshd}_config.5 manpages +- Add new ssh-keysign program and remove setuid from ssh client + +* Fri May 10 2002 Damien Miller +- Merge in spec changes from RedHat, reorgansie a little +- Add Privsep user, group and directory + +* Thu Mar 7 2002 Nalin Dahyabhai 3.1p1-2 +- bump and grind (through the build system) + +* Thu Mar 7 2002 Nalin Dahyabhai 3.1p1-1 +- require sharutils for building (mindrot #137) +- require db1-devel only when building for 6.x (#55105), which probably won't + work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck +- require pam-devel by file (not by package name) again +- add Markus's patch to compile with OpenSSL 0.9.5a (from + http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're + building for 6.x + +* Thu Mar 7 2002 Nalin Dahyabhai 3.1p1-0 +- update to 3.1p1 + +* Tue Mar 5 2002 Nalin Dahyabhai SNAP-20020305 +- update to SNAP-20020305 +- drop debug patch, fixed upstream + +* Wed Feb 20 2002 Nalin Dahyabhai SNAP-20020220 +- update to SNAP-20020220 for testing purposes (you've been warned, if there's + anything to be warned about, gss patches won't apply, I don't mind) + +* Wed Feb 13 2002 Nalin Dahyabhai 3.0.2p1-3 +- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key + exchange, authentication, and named key support + +* Wed Jan 23 2002 Nalin Dahyabhai 3.0.2p1-2 +- remove dependency on db1-devel, which has just been swallowed up whole + by gnome-libs-devel + +* Sun Dec 29 2001 Nalin Dahyabhai +- adjust build dependencies so that build6x actually works right (fix + from Hugo van der Kooij) + +* Tue Dec 4 2001 Nalin Dahyabhai 3.0.2p1-1 +- update to 3.0.2p1 + +* Fri Nov 16 2001 Nalin Dahyabhai 3.0.1p1-1 +- update to 3.0.1p1 + +* Tue Nov 13 2001 Nalin Dahyabhai +- update to current CVS (not for use in distribution) + +* Thu Nov 8 2001 Nalin Dahyabhai 3.0p1-1 +- merge some of Damien Miller changes from the upstream + 3.0p1 spec file and init script + +* Wed Nov 7 2001 Nalin Dahyabhai +- update to 3.0p1 +- update to x11-ssh-askpass 1.2.4.1 +- change build dependency on a file from pam-devel to the pam-devel package +- replace primes with moduli + +* Thu Sep 27 2001 Nalin Dahyabhai 2.9p2-9 +- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs + +* Thu Sep 13 2001 Bernhard Rosenkraenzer 2.9p2-8 +- Merge changes to rescue build from current sysadmin survival cd + +* Thu Sep 6 2001 Nalin Dahyabhai 2.9p2-7 +- fix scp's server's reporting of file sizes, and build with the proper + preprocessor define to get large-file capable open(), stat(), etc. + (sftp has been doing this correctly all along) (#51827) +- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247) +- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298) +- mark profile.d scriptlets as config files (#42337) +- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug +- change a couple of log() statements to debug() statements (#50751) +- pull cvs patch to add -t flag to sshd (#28611) +- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221) + +* Mon Aug 20 2001 Nalin Dahyabhai 2.9p2-6 +- add db1-devel as a BuildPrerequisite (noted by Hans Ecke) + +* Thu Aug 16 2001 Nalin Dahyabhai +- pull cvs patch to fix remote port forwarding with protocol 2 + +* Thu Aug 9 2001 Nalin Dahyabhai +- pull cvs patch to add session initialization to no-pty sessions +- pull cvs patch to not cut off challengeresponse auth needlessly +- refuse to do X11 forwarding if xauth isn't there, handy if you enable + it by default on a system that doesn't have X installed (#49263) + +* Wed Aug 8 2001 Nalin Dahyabhai +- don't apply patches to code we don't intend to build (spotted by Matt Galgoci) + +* Mon Aug 6 2001 Nalin Dahyabhai +- pass OPTIONS correctly to initlog (#50151) + +* Wed Jul 25 2001 Nalin Dahyabhai +- switch to x11-ssh-askpass 1.2.2 + +* Wed Jul 11 2001 Nalin Dahyabhai +- rebuild in new environment + +* Mon Jun 25 2001 Nalin Dahyabhai +- disable the gssapi patch + +* Mon Jun 18 2001 Nalin Dahyabhai +- update to 2.9p2 +- refresh to a new version of the gssapi patch + +* Thu Jun 7 2001 Nalin Dahyabhai +- change Copyright: BSD to License: BSD +- add Markus Friedl's unverified patch for the cookie file deletion problem + so that we can verify it +- drop patch to check if xauth is present (was folded into cookie patch) +- don't apply gssapi patches for the errata candidate +- clear supplemental groups list at startup + +* Fri May 25 2001 Nalin Dahyabhai +- fix an error parsing the new default sshd_config +- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not + dealing with comments right + +* Thu May 24 2001 Nalin Dahyabhai +- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house, + to be removed before the next beta cycle because it's a big departure + from the upstream version + +* Thu May 3 2001 Nalin Dahyabhai +- finish marking strings in the init script for translation +- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd + at startup (change merged from openssh.com init script, originally by + Pekka Savola) +- refuse to do X11 forwarding if xauth isn't there, handy if you enable + it by default on a system that doesn't have X installed + +* Wed May 2 2001 Nalin Dahyabhai +- update to 2.9 +- drop various patches that came from or went upstream or to or from CVS + +* Wed Apr 18 2001 Nalin Dahyabhai +- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer) + +* Sun Apr 8 2001 Preston Brown +- remove explicit openssl requirement, fixes builddistro issue +- make initscript stop() function wait until sshd really dead to avoid + races in condrestart + +* Mon Apr 2 2001 Nalin Dahyabhai +- mention that challengereponse supports PAM, so disabling password doesn't + limit users to pubkey and rsa auth (#34378) +- bypass the daemon() function in the init script and call initlog directly, + because daemon() won't start a daemon it detects is already running (like + open connections) +- require the version of openssl we had when we were built + +* Fri Mar 23 2001 Nalin Dahyabhai +- make do_pam_setcred() smart enough to know when to establish creds and + when to reinitialize them +- add in a couple of other fixes from Damien for inclusion in the errata + +* Thu Mar 22 2001 Nalin Dahyabhai +- update to 2.5.2p2 +- call setcred() again after initgroups, because the "creds" could actually + be group memberships + +* Tue Mar 20 2001 Nalin Dahyabhai +- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation) +- don't enable challenge-response by default until we find a way to not + have too many userauth requests (we may make up to six pubkey and up to + three password attempts as it is) +- remove build dependency on rsh to match openssh.com's packages more closely + +* Sat Mar 3 2001 Nalin Dahyabhai +- remove dependency on openssl -- would need to be too precise + +* Fri Mar 2 2001 Nalin Dahyabhai +- rebuild in new environment + +* Mon Feb 26 2001 Nalin Dahyabhai +- Revert the patch to move pam_open_session. +- Init script and spec file changes from Pekka Savola. (#28750) +- Patch sftp to recognize '-o protocol' arguments. (#29540) + +* Thu Feb 22 2001 Nalin Dahyabhai +- Chuck the closing patch. +- Add a trigger to add host keys for protocol 2 to the config file, now that + configuration file syntax requires us to specify it with HostKey if we + specify any other HostKey values, which we do. + +* Tue Feb 20 2001 Nalin Dahyabhai +- Redo patch to move pam_open_session after the server setuid()s to the user. +- Rework the nopam patch to use be picked up by autoconf. + +* Mon Feb 19 2001 Nalin Dahyabhai +- Update for 2.5.1p1. +- Add init script mods from Pekka Savola. +- Tweak the init script to match the CVS contrib script more closely. +- Redo patch to ssh-add to try to adding both identity and id_dsa to also try + adding id_rsa. + +* Fri Feb 16 2001 Nalin Dahyabhai +- Update for 2.5.0p1. +- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass +- Resync with parts of Damien Miller's openssh.spec from CVS, including + update of x11 askpass to 1.2.0. +- Only require openssl (don't prereq) because we generate keys in the init + script now. + +* Tue Feb 13 2001 Nalin Dahyabhai +- Don't open a PAM session until we've forked and become the user (#25690). +- Apply Andrew Bartlett's patch for letting pam_authenticate() know which + host the user is attempting a login from. +- Resync with parts of Damien Miller's openssh.spec from CVS. +- Don't expose KbdInt responses in debug messages (from CVS). +- Detect and handle errors in rsa_{public,private}_decrypt (from CVS). + +* Wed Feb 7 2001 Trond Eivind Glomsrxd +- i18n-tweak to initscript. + +* Tue Jan 23 2001 Nalin Dahyabhai +- More gettextizing. +- Close all files after going into daemon mode (needs more testing). +- Extract patch from CVS to handle auth banners (in the client). +- Extract patch from CVS to handle compat weirdness. + +* Fri Jan 19 2001 Nalin Dahyabhai +- Finish with the gettextizing. + +* Thu Jan 18 2001 Nalin Dahyabhai +- Fix a bug in auth2-pam.c (#23877) +- Gettextize the init script. + +* Wed Dec 20 2000 Nalin Dahyabhai +- Incorporate a switch for using PAM configs for 6.x, just in case. + +* Tue Dec 5 2000 Nalin Dahyabhai +- Incorporate Bero's changes for a build specifically for rescue CDs. + +* Wed Nov 29 2000 Nalin Dahyabhai +- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has + succeeded, to allow public-key authentication after a failure with "none" + authentication. (#21268) + +* Tue Nov 28 2000 Nalin Dahyabhai +- Update to x11-askpass 1.1.1. (#21301) +- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290) + +* Mon Nov 27 2000 Nalin Dahyabhai +- Merge multiple PAM text messages into subsequent prompts when possible when + doing keyboard-interactive authentication. + +* Sun Nov 26 2000 Nalin Dahyabhai +- Disable the built-in MD5 password support. We're using PAM. +- Take a crack at doing keyboard-interactive authentication with PAM, and + enable use of it in the default client configuration so that the client + will try it when the server disallows password authentication. +- Build with debugging flags. Build root policies strip all binaries anyway. + +* Tue Nov 21 2000 Nalin Dahyabhai +- Use DESTDIR instead of %%makeinstall. +- Remove /usr/X11R6/bin from the path-fixing patch. + +* Mon Nov 20 2000 Nalin Dahyabhai +- Add the primes file from the latest snapshot to the main package (#20884). +- Add the dev package to the prereq list (#19984). +- Remove the default path and mimic login's behavior in the server itself. + +* Fri Nov 17 2000 Nalin Dahyabhai +- Resync with conditional options in Damien Miller's .spec file for an errata. +- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh. + +* Tue Nov 7 2000 Nalin Dahyabhai +- Update to OpenSSH 2.3.0p1. +- Update to x11-askpass 1.1.0. +- Enable keyboard-interactive authentication. + +* Mon Oct 30 2000 Nalin Dahyabhai +- Update to ssh-askpass-x11 1.0.3. +- Change authentication related messages to be private (#19966). + +* Tue Oct 10 2000 Nalin Dahyabhai +- Patch ssh-keygen to be able to list signatures for DSA public key files + it generates. + +* Thu Oct 5 2000 Nalin Dahyabhai +- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always + build PAM authentication in. +- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed. +- Clean out no-longer-used patches. +- Patch ssh-add to try to add both identity and id_dsa, and to error only + when neither exists. + +* Mon Oct 2 2000 Nalin Dahyabhai +- Update x11-askpass to 1.0.2. (#17835) +- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will + always find them in the right place. (#17909) +- Set the default path to be the same as the one supplied by /bin/login, but + add /usr/X11R6/bin. (#17909) +- Try to handle obsoletion of ssh-server more cleanly. Package names + are different, but init script name isn't. (#17865) + +* Wed Sep 6 2000 Nalin Dahyabhai +- Update to 2.2.0p1. (#17835) +- Tweak the init script to allow proper restarting. (#18023) + +* Wed Aug 23 2000 Nalin Dahyabhai +- Update to 20000823 snapshot. +- Change subpackage requirements from %%{version} to %%{version}-%%{release} +- Back out the pipe patch. + +* Mon Jul 17 2000 Nalin Dahyabhai +- Update to 2.1.1p4, which includes fixes for config file parsing problems. +- Move the init script back. +- Add Damien's quick fix for wackiness. + +* Wed Jul 12 2000 Nalin Dahyabhai +- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok(). + +* Thu Jul 6 2000 Nalin Dahyabhai +- Move condrestart to server postun. +- Move key generation to init script. +- Actually use the right patch for moving the key generation to the init script. +- Clean up the init script a bit. + +* Wed Jul 5 2000 Nalin Dahyabhai +- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard. + +* Sun Jul 2 2000 Nalin Dahyabhai +- Update to 2.1.1p2. +- Use of strtok() considered harmful. + +* Sat Jul 1 2000 Nalin Dahyabhai +- Get the build root out of the man pages. + +* Thu Jun 29 2000 Nalin Dahyabhai +- Add and use condrestart support in the init script. +- Add newer initscripts as a prereq. + +* Tue Jun 27 2000 Nalin Dahyabhai +- Build in new environment (release 2) +- Move -clients subpackage to Applications/Internet group + +* Fri Jun 9 2000 Nalin Dahyabhai +- Update to 2.2.1p1 + +* Sat Jun 3 2000 Nalin Dahyabhai +- Patch to build with neither RSA nor RSAref. +- Miscellaneous FHS-compliance tweaks. +- Fix for possibly-compressed man pages. + +* Wed Mar 15 2000 Damien Miller +- Updated for new location +- Updated for new gnome-ssh-askpass build + +* Sun Dec 26 1999 Damien Miller +- Added Jim Knoble's askpass + +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble + +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives + +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages + +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages + +* Sat Oct 30 1999 Damien Miller +- Renamed init script + +* Fri Oct 29 1999 Damien Miller +- Back to old binary names + +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names + +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. diff --git a/crypto/openssh/contrib/redhat/sshd.init b/crypto/openssh/contrib/redhat/sshd.init new file mode 100755 index 000000000..40c8dfd9f --- /dev/null +++ b/crypto/openssh/contrib/redhat/sshd.init @@ -0,0 +1,106 @@ +#!/bin/bash +# +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +# source function library +. /etc/rc.d/init.d/functions + +# pull in sysconfig settings +[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd + +RETVAL=0 +prog="sshd" + +# Some functions to make the below more readable +SSHD=/usr/sbin/sshd +PID_FILE=/var/run/sshd.pid + +do_restart_sanity_check() +{ + $SSHD -t + RETVAL=$? + if [ $RETVAL -ne 0 ]; then + failure $"Configuration file or keys are invalid" + echo + fi +} + +start() +{ + # Create keys if necessary + /usr/bin/ssh-keygen -A + if [ -x /sbin/restorecon ]; then + /sbin/restorecon /etc/ssh/ssh_host_key.pub + /sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub + /sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub + /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub + fi + + echo -n $"Starting $prog:" + $SSHD $OPTIONS && success || failure + RETVAL=$? + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd + echo +} + +stop() +{ + echo -n $"Stopping $prog:" + killproc $SSHD -TERM + RETVAL=$? + [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd + echo +} + +reload() +{ + echo -n $"Reloading $prog:" + killproc $SSHD -HUP + RETVAL=$? + echo +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + stop + start + ;; + reload) + reload + ;; + condrestart) + if [ -f /var/lock/subsys/sshd ] ; then + do_restart_sanity_check + if [ $RETVAL -eq 0 ] ; then + stop + # avoid race + sleep 3 + start + fi + fi + ;; + status) + status $SSHD + RETVAL=$? + ;; + *) + echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}" + RETVAL=1 +esac +exit $RETVAL diff --git a/crypto/openssh/contrib/redhat/sshd.init.old b/crypto/openssh/contrib/redhat/sshd.init.old new file mode 100755 index 000000000..0deb6080e --- /dev/null +++ b/crypto/openssh/contrib/redhat/sshd.init.old @@ -0,0 +1,172 @@ +#!/bin/bash +# +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +# source function library +. /etc/rc.d/init.d/functions + +# pull in sysconfig settings +[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd + +RETVAL=0 +prog="sshd" + +# Some functions to make the below more readable +KEYGEN=/usr/bin/ssh-keygen +SSHD=/usr/sbin/sshd +RSA1_KEY=/etc/ssh/ssh_host_key +RSA_KEY=/etc/ssh/ssh_host_rsa_key +DSA_KEY=/etc/ssh/ssh_host_dsa_key +PID_FILE=/var/run/sshd.pid + +my_success() { + local msg + if [ $# -gt 1 ]; then + msg="$2" + else + msg="done" + fi + case "`type -type success`" in + function) + success "$1" + ;; + *) + echo -n "${msg}" + ;; + esac +} +my_failure() { + local msg + if [ $# -gt 1 ]; then + msg="$2" + else + msg="FAILED" + fi + case "`type -type failure`" in + function) + failure "$1" + ;; + *) + echo -n "${msg}" + ;; + esac +} +do_rsa1_keygen() { + if [ ! -s $RSA1_KEY ]; then + echo -n "Generating SSH1 RSA host key: " + if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA1_KEY + chmod 644 $RSA1_KEY.pub + my_success "RSA1 key generation" + echo + else + my_failure "RSA1 key generation" + echo + exit 1 + fi + fi +} +do_rsa_keygen() { + if [ ! -s $RSA_KEY ]; then + echo -n "Generating SSH2 RSA host key: " + if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA_KEY + chmod 644 $RSA_KEY.pub + my_success "RSA key generation" + echo + else + my_failure "RSA key generation" + echo + exit 1 + fi + fi +} +do_dsa_keygen() { + if [ ! -s $DSA_KEY ]; then + echo -n "Generating SSH2 DSA host key: " + if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $DSA_KEY + chmod 644 $DSA_KEY.pub + my_success "DSA key generation" + echo + else + my_failure "DSA key generation" + echo + exit 1 + fi + fi +} +do_restart_sanity_check() { + $SSHD -t + RETVAL=$? + if [ ! "$RETVAL" = 0 ]; then + my_failure "Configuration file or keys" + echo + fi +} + + +case "$1" in + start) + # Create keys if necessary + do_rsa1_keygen; + do_rsa_keygen; + do_dsa_keygen; + + echo -n "Starting sshd: " + if [ ! -f $PID_FILE ] ; then + sshd $OPTIONS + RETVAL=$? + if [ "$RETVAL" = "0" ] ; then + my_success "sshd startup" "sshd" + touch /var/lock/subsys/sshd + else + my_failure "sshd startup" "" + fi + fi + echo + ;; + stop) + echo -n "Shutting down sshd: " + if [ -f $PID_FILE ] ; then + killproc sshd + RETVAL=$? + [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd + fi + echo + ;; + restart) + do_restart_sanity_check + $0 stop + $0 start + RETVAL=$? + ;; + condrestart) + if [ -f /var/lock/subsys/sshd ] ; then + do_restart_sanity_check + $0 stop + $0 start + RETVAL=$? + fi + ;; + status) + status sshd + RETVAL=$? + ;; + *) + echo "Usage: sshd {start|stop|restart|status|condrestart}" + exit 1 + ;; +esac + +exit $RETVAL diff --git a/crypto/openssh/contrib/redhat/sshd.pam b/crypto/openssh/contrib/redhat/sshd.pam new file mode 100644 index 000000000..ffa5adbe5 --- /dev/null +++ b/crypto/openssh/contrib/redhat/sshd.pam @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_stack.so service=system-auth +account required pam_nologin.so +account required pam_stack.so service=system-auth +password required pam_stack.so service=system-auth +session required pam_stack.so service=system-auth diff --git a/crypto/openssh/contrib/redhat/sshd.pam.old b/crypto/openssh/contrib/redhat/sshd.pam.old new file mode 100644 index 000000000..26dcb34d9 --- /dev/null +++ b/crypto/openssh/contrib/redhat/sshd.pam.old @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_pwdb.so shadow nodelay +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_pwdb.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_pwdb.so shadow nullok use_authtok +session required /lib/security/pam_pwdb.so +session required /lib/security/pam_limits.so diff --git a/crypto/openssh/contrib/solaris/README b/crypto/openssh/contrib/solaris/README new file mode 100755 index 000000000..fefdd4b53 --- /dev/null +++ b/crypto/openssh/contrib/solaris/README @@ -0,0 +1,30 @@ +The following is a new package build script for Solaris. This is being +introduced into OpenSSH 3.0 and above in hopes of simplifying the build +process. As of 3.1p2 the script should work on all platforms that have +SVR4 style package tools. + +The build process is called a 'dummy install'.. Which means the software does +a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should +be handled correctly and key are defered until the first time the sshd +is started. + +Directions: + +1. make -F Makefile.in distprep (Only if you are getting from the CVS tree) +2. ./configure --with-pam [..any other options you want..] +3. look at the top of buildpkg.sh for the configurable options and put + any changes you want in openssh-config.local. Additional customizations + can be done to the build process by creating one or more of the following + scripts that will be sourced by buildpkg.sh. + pkg_post_make_install_fixes.sh pkg-post-prototype-edit.sh + pkg-preinstall.local pkg-postinstall.local pkg-preremove.local + pkg-postremove.local pkg-request.local +4. Run "make package" + +If all goes well you should have a solaris package ready to be installed. + +If you have any problems with this script please post them to +openssh-unix-dev@mindrot.org and I will try to assist you as best as I can. + +- Ben Lindstrom + diff --git a/crypto/openssh/contrib/ssh-copy-id b/crypto/openssh/contrib/ssh-copy-id new file mode 100644 index 000000000..ae88e9958 --- /dev/null +++ b/crypto/openssh/contrib/ssh-copy-id @@ -0,0 +1,300 @@ +#!/bin/sh + +# Copyright (c) 1999-2013 Philip Hands +# 2013 Martin Kletzander +# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= +# 2010 Eric Moret +# 2009 Xr +# 2007 Justin Pryzby +# 2004 Reini Urban +# 2003 Colin Watson +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Shell script to install your public key(s) on a remote machine +# See the ssh-copy-id(1) man page for details + +# check that we have something mildly sane as our shell, or try to find something better +if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0" +then + SANE_SH=${SANE_SH:-/usr/bin/ksh} + if printf 'true ^ false\n' | "$SANE_SH" + then + printf "'%s' seems viable.\n" "$SANE_SH" + exec "$SANE_SH" "$0" "$@" + else + cat <<-EOF + oh dear. + + If you have a more recent shell available, that supports \$(...) etc. + please try setting the environment variable SANE_SH to the path of that + shell, and then retry running this script. If that works, please report + a bug describing your setup, and the shell you used to make it work. + + EOF + printf "%s: ERROR: Less dimwitted shell required.\n" "$0" + exit 1 + fi +fi + +DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1) + +usage () { + printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o ] ...] [user@]hostname\n' "$0" >&2 + exit 1 +} + +# escape any single quotes in an argument +quote() { + printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g" +} + +use_id_file() { + local L_ID_FILE="$1" + + if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then + PUB_ID_FILE="$L_ID_FILE" + else + PUB_ID_FILE="$L_ID_FILE.pub" + fi + + PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) + + # check that the files are readable + for f in $PUB_ID_FILE $PRIV_ID_FILE ; do + ErrMSG=$( { : < $f ; } 2>&1 ) || { + printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')" + exit 1 + } + done + GET_ID="cat \"$PUB_ID_FILE\"" +} + +if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then + GET_ID="ssh-add -L" +fi + +while test "$#" -gt 0 +do + [ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && { + printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0" + usage + } + + OPT= OPTARG= + # implement something like getopt to avoid Solaris pain + case "$1" in + -i?*|-o?*|-p?*) + OPT="$(printf -- "$1"|cut -c1-2)" + OPTARG="$(printf -- "$1"|cut -c3-)" + shift + ;; + -o|-p) + OPT="$1" + OPTARG="$2" + shift 2 + ;; + -i) + OPT="$1" + test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || { + OPTARG="$2" + shift + } + shift + ;; + -n|-h|-\?) + OPT="$1" + OPTARG= + shift + ;; + --) + shift + while test "$#" -gt 0 + do + SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'" + shift + done + break + ;; + -*) + printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1" + usage + ;; + *) + SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'" + shift + continue + ;; + esac + + case "$OPT" in + -i) + SEEN_OPT_I="yes" + use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}" + ;; + -o|-p) + SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'" + ;; + -n) + DRY_RUN=1 + ;; + -h|-\?) + usage + ;; + esac +done + +eval set -- "$SAVEARGS" + +if [ $# = 0 ] ; then + usage +fi +if [ $# != 1 ] ; then + printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2 + usage +fi + +# drop trailing colon +USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//') +# tack the hostname onto SSH_OPTS +SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'" +# and populate "$@" for later use (only way to get proper quoting of options) +eval set -- "$SSH_OPTS" + +if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then + use_id_file "$PUB_ID_FILE" +fi + +if [ -z "$(eval $GET_ID)" ] ; then + printf '%s: ERROR: No identities found\n' "$0" >&2 + exit 1 +fi + +# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...) +# and has the side effect of setting $NEW_IDS +populate_new_ids() { + local L_SUCCESS="$1" + + # repopulate "$@" inside this function + eval set -- "$SSH_OPTS" + + umask 0177 + local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) + if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then + echo "mktemp failed" 1>&2 + exit 1 + fi + trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT + printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2 + NEW_IDS=$( + eval $GET_ID | { + while read ID ; do + printf '%s\n' "$ID" > $L_TMP_ID_FILE + + # the next line assumes $PRIV_ID_FILE only set if using a single id file - this + # assumption will break if we implement the possibility of multiple -i options. + # The point being that if file based, ssh needs the private key, which it cannot + # find if only given the contents of the .pub file in an unrelated tmpfile + ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \ + -o PreferredAuthentications=publickey \ + -o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr $L_TMP_ID_FILE + else + grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || { + sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE + cat >/dev/null #consume the other keys, causing loop to end + } + fi + + cat $L_TMP_ID_FILE + done + } + ) + rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT + + if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then + printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2 + exit 1 + fi + if [ -z "$NEW_IDS" ] ; then + printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2 + exit 0 + fi + printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2 +} + +REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 | + sed -ne 's/.*remote software version //p') + +case "$REMOTE_VERSION" in + NetScreen*) + populate_new_ids 1 + for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do + KEY_NO=$(($KEY_NO + 1)) + printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || { + printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2 + continue + } + [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1 + if [ $? = 255 ] ; then + printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2 + else + ADDED=$(($ADDED + 1)) + fi + done + if [ -z "$ADDED" ] ; then + exit 1 + fi + ;; + *) + # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect + populate_new_ids 0 + [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" " + umask 077 ; + mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; + if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \ + || exit 1 + ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) + ;; +esac + +if [ "$DRY_RUN" ] ; then + cat <<-EOF + =-=-=-=-=-=-=-= + Would have added the following key(s): + + $NEW_IDS + =-=-=-=-=-=-=-= + EOF +else + cat <<-EOF + + Number of key(s) added: $ADDED + + Now try logging into the machine, with: "ssh $SSH_OPTS" + and check to make sure that only the key(s) you wanted were added. + + EOF +fi + +# =-=-=-= diff --git a/crypto/openssh/contrib/ssh-copy-id.1 b/crypto/openssh/contrib/ssh-copy-id.1 new file mode 100644 index 000000000..ccf325f1a --- /dev/null +++ b/crypto/openssh/contrib/ssh-copy-id.1 @@ -0,0 +1,186 @@ +.ig \" -*- nroff -*- +Copyright (c) 1999-2013 hands.com Ltd. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.. +.Dd June 17, 2010 +.Dt SSH-COPY-ID 1 +.Os +.Sh NAME +.Nm ssh-copy-id +.Nd use locally available keys to authorise logins on a remote machine +.Sh SYNOPSIS +.Nm +.Op Fl n +.Op Fl i Op Ar identity_file +.Op Fl p Ar port +.Op Fl o Ar ssh_option +.Op Ar user Ns @ Ns +.Ar hostname +.Nm +.Fl h | Fl ? +.br +.Sh DESCRIPTION +.Nm +is a script that uses +.Xr ssh 1 +to log into a remote machine (presumably using a login password, +so password authentication should be enabled, unless you've done some +clever use of multiple identities). It assembles a list of one or more +fingerprints (as described below) and tries to log in with each key, to +see if any of them are already installed (of course, if you are not using +.Xr ssh-agent 1 +this may result in you being repeatedly prompted for pass-phrases). +It then assembles a list of those that failed to log in, and using ssh, +enables logins with those keys on the remote server. By default it adds +the keys by appending them to the remote user's +.Pa ~/.ssh/authorized_keys +(creating the file, and directory, if necessary). It is also capable +of detecting if the remote system is a NetScreen, and using its +.Ql set ssh pka-dsa key ... +command instead. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl i Ar identity_file +Use only the key(s) contained in +.Ar identity_file +(rather than looking for identities via +.Xr ssh-add 1 +or in the +.Ic default_ID_file ) . +If the filename does not end in +.Pa .pub +this is added. If the filename is omitted, the +.Ic default_ID_file +is used. +.Pp +Note that this can be used to ensure that the keys copied have the +comment one prefers and/or extra options applied, by ensuring that the +key file has these set as preferred before the copy is attempted. +.It Fl n +do a dry-run. Instead of installing keys on the remote system simply +prints the key(s) that would have been installed. +.It Fl h , Fl ? +Print Usage summary +.It Fl p Ar port , Fl o Ar ssh_option +These two options are simply passed through untouched, along with their +argument, to allow one to set the port or other +.Xr ssh 1 +options, respectively. +.Pp +Rather than specifying these as command line options, it is often better to use (per-host) settings in +.Xr ssh 1 Ns 's +configuration file: +.Xr ssh_config 5 . +.El +.Pp +Default behaviour without +.Fl i , +is to check if +.Ql ssh-add -L +provides any output, and if so those keys are used. Note that this results in +the comment on the key being the filename that was given to +.Xr ssh-add 1 +when the key was loaded into your +.Xr ssh-agent 1 +rather than the comment contained in that file, which is a bit of a shame. +Otherwise, if +.Xr ssh-add 1 +provides no keys contents of the +.Ic default_ID_file +will be used. +.Pp +The +.Ic default_ID_file +is the most recent file that matches: +.Pa ~/.ssh/id*.pub , +(excluding those that match +.Pa ~/.ssh/*-cert.pub ) +so if you create a key that is not the one you want +.Nm +to use, just use +.Xr touch 1 +on your preferred key's +.Pa .pub +file to reinstate it as the most recent. +.Pp +.Sh EXAMPLES +If you have already installed keys from one system on a lot of remote +hosts, and you then create a new key, on a new client machine, say, +it can be difficult to keep track of which systems on which you've +installed the new key. One way of dealing with this is to load both +the new key and old key(s) into your +.Xr ssh-agent 1 . +Load the new key first, without the +.Fl c +option, then load one or more old keys into the agent, possibly by +ssh-ing to the client machine that has that old key, using the +.Fl A +option to allow agent forwarding: +.Pp +.D1 user@newclient$ ssh-add +.D1 user@newclient$ ssh -A old.client +.D1 user@oldl$ ssh-add -c +.D1 No ... prompt for pass-phrase ... +.D1 user@old$ logoff +.D1 user@newclient$ ssh someserver +.Pp +now, if the new key is installed on the server, you'll be allowed in +unprompted, whereas if you only have the old key(s) enabled, you'll be +asked for confirmation, which is your cue to log back out and run +.Pp +.D1 user@newclient$ ssh-copy-id -i someserver +.Pp +The reason you might want to specify the -i option in this case is to +ensure that the comment on the installed key is the one from the +.Pa .pub +file, rather than just the filename that was loaded into you agent. +It also ensures that only the id you intended is installed, rather than +all the keys that you have in your +.Xr ssh-agent 1 . +Of course, you can specify another id, or use the contents of the +.Xr ssh-agent 1 +as you prefer. +.Pp +Having mentioned +.Xr ssh-add 1 Ns 's +.Fl c +option, you might consider using this whenever using agent forwarding +to avoid your key being hijacked, but it is much better to instead use +.Xr ssh 1 Ns 's +.Ar ProxyCommand +and +.Fl W +option, +to bounce through remote servers while always doing direct end-to-end +authentication. This way the middle hop(s) don't get access to your +.Xr ssh-agent 1 . +A web search for +.Ql ssh proxycommand nc +should prove enlightening (N.B. the modern approach is to use the +.Fl W +option, rather than +.Xr nc 1 ) . +.Sh "SEE ALSO" +.Xr ssh 1 , +.Xr ssh-agent 1 , +.Xr sshd 8 diff --git a/crypto/openssh/contrib/sshd.pam.freebsd b/crypto/openssh/contrib/sshd.pam.freebsd new file mode 100644 index 000000000..c0bc36410 --- /dev/null +++ b/crypto/openssh/contrib/sshd.pam.freebsd @@ -0,0 +1,5 @@ +sshd auth required pam_unix.so try_first_pass +sshd account required pam_unix.so +sshd password required pam_permit.so +sshd session required pam_permit.so + diff --git a/crypto/openssh/contrib/sshd.pam.generic b/crypto/openssh/contrib/sshd.pam.generic new file mode 100644 index 000000000..215f0fe30 --- /dev/null +++ b/crypto/openssh/contrib/sshd.pam.generic @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_unix.so shadow nodelay +account required /lib/security/pam_nologin.so +account required /lib/security/pam_unix.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_unix.so shadow nullok use_authtok +session required /lib/security/pam_unix.so +session required /lib/security/pam_limits.so diff --git a/crypto/openssh/contrib/suse/openssh.spec b/crypto/openssh/contrib/suse/openssh.spec new file mode 100644 index 000000000..0515d6d7c --- /dev/null +++ b/crypto/openssh/contrib/suse/openssh.spec @@ -0,0 +1,246 @@ +# Default values for additional components +%define build_x11_askpass 1 + +# Define the UID/GID to use for privilege separation +%define sshd_gid 65 +%define sshd_uid 71 + +# The version of x11-ssh-askpass to use +%define xversion 1.2.4.1 + +# Allow the ability to override defaults with -D skip_xxx=1 +%{?skip_x11_askpass:%define build_x11_askpass 0} + +Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation +Name: openssh +Version: 6.6p1 +URL: http://www.openssh.com/ +Release: 1 +Source0: openssh-%{version}.tar.gz +Source1: x11-ssh-askpass-%{xversion}.tar.gz +License: BSD +Group: Productivity/Networking/SSH +BuildRoot: %{_tmppath}/openssh-%{version}-buildroot +PreReq: openssl +Obsoletes: ssh +Provides: ssh +# +# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) +# building prerequisites -- stuff for +# OpenSSL (openssl-devel), +# TCP Wrappers (tcpd-devel), +# and Gnome (glibdev, gtkdev, and gnlibsd) +# +BuildPrereq: openssl +BuildPrereq: tcpd-devel +BuildPrereq: zlib-devel +#BuildPrereq: glibdev +#BuildPrereq: gtkdev +#BuildPrereq: gnlibsd + +%package askpass +Summary: A passphrase dialog for OpenSSH and the X window System. +Group: Productivity/Networking/SSH +Requires: openssh = %{version} +Obsoletes: ssh-extras +Provides: openssh:${_libdir}/ssh/ssh-askpass + +%if %{build_x11_askpass} +BuildPrereq: XFree86-devel +%endif + +%description +Ssh (Secure Shell) is a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes all files necessary for both the OpenSSH +client and server. + +%description askpass +Ssh (Secure Shell) is a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains an X Window System passphrase dialog for OpenSSH. + +%changelog +* Wed Oct 26 2005 Iain Morgan +- Removed accidental inclusion of --without-zlib-version-check +* Tue Oct 25 2005 Iain Morgan +- Overhaul to deal with newer versions of SuSE and OpenSSH +* Mon Jun 12 2000 Damien Miller +- Glob manpages to catch compressed files +* Wed Mar 15 2000 Damien Miller +- Updated for new location +- Updated for new gnome-ssh-askpass build +* Sun Dec 26 1999 Chris Saia +- Made symlink to gnome-ssh-askpass called ssh-askpass +* Wed Nov 24 1999 Chris Saia +- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and + /var/adm/fillup-templates/rc.config.sshd, since Damien merged these into + his released tarfile +- Changed permissions on ssh_config in the install procedure to 644 from 600 + even though it was correct in the %files section and thus right in the RPMs +- Postinstall script for the server now only prints "Generating SSH host + key..." if we need to actually do this, in order to eliminate a confusing + message if an SSH host key is already in place +- Marked all manual pages as %doc(umentation) +* Mon Nov 22 1999 Chris Saia +- Added flag to configure daemon with TCP Wrappers support +- Added building prerequisites (works in RPM 3.0 and newer) +* Thu Nov 18 1999 Chris Saia +- Made this package correct for SuSE. +- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly + with SuSE, and lib_pwdb.so isn't installed by default. +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages +* Sat Oct 30 1999 Damien Miller +- Renamed init script +* Fri Oct 29 1999 Damien Miller +- Back to old binary names +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. + +%prep + +%if %{build_x11_askpass} +%setup -q -a 1 +%else +%setup -q +%endif + +%build +CFLAGS="$RPM_OPT_FLAGS" \ +%configure --prefix=/usr \ + --sysconfdir=%{_sysconfdir}/ssh \ + --mandir=%{_mandir} \ + --with-privsep-path=/var/lib/empty \ + --with-pam \ + --with-tcp-wrappers \ + --libexecdir=%{_libdir}/ssh +make + +%if %{build_x11_askpass} +cd x11-ssh-askpass-%{xversion} +%configure --mandir=/usr/X11R6/man \ + --libexecdir=%{_libdir}/ssh +xmkmf -a +make +cd .. +%endif + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT/ +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/etc/init.d/ +install -d $RPM_BUILD_ROOT/var/adm/fillup-templates +install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd +install -m744 contrib/suse/sysconfig.ssh \ + $RPM_BUILD_ROOT/var/adm/fillup-templates + +%if %{build_x11_askpass} +cd x11-ssh-askpass-%{xversion} +make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/ +rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin +%endif + +%clean +rm -rf $RPM_BUILD_ROOT + +%pre +/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || : +/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || : + +%post +/usr/bin/ssh-keygen -A +%{fillup_and_insserv -n -y ssh sshd} +%run_permissions + +%verifyscript +%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh + +%preun +%stop_on_removal sshd + +%postun +%restart_on_update sshd +%{insserv_cleanup} + +%files +%defattr(-,root,root) +%doc ChangeLog OVERVIEW README* PROTOCOL* +%doc TODO CREDITS LICENCE +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli +%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd +%attr(0755,root,root) %config /etc/init.d/sshd +%attr(0755,root,root) %{_bindir}/ssh-keygen +%attr(0755,root,root) %{_bindir}/scp +%attr(0755,root,root) %{_bindir}/ssh +%attr(-,root,root) %{_bindir}/slogin +%attr(0755,root,root) %{_bindir}/ssh-agent +%attr(0755,root,root) %{_bindir}/ssh-add +%attr(0755,root,root) %{_bindir}/ssh-keyscan +%attr(0755,root,root) %{_bindir}/sftp +%attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %dir %{_libdir}/ssh +%attr(0755,root,root) %{_libdir}/ssh/sftp-server +%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign +%attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper +%attr(0644,root,root) %doc %{_mandir}/man1/scp.1* +%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1* +%attr(-,root,root) %doc %{_mandir}/man1/slogin.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1* +%attr(0644,root,root) %doc %{_mandir}/man5/moduli.5* +%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5* +%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5* +%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8* +%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8* +%attr(0644,root,root) %doc %{_mandir}/man8/ssh-pkcs11-helper.8* +%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8* +%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh + +%if %{build_x11_askpass} +%files askpass +%defattr(-,root,root) +%doc x11-ssh-askpass-%{xversion}/README +%doc x11-ssh-askpass-%{xversion}/ChangeLog +%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad +%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass +%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass +%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x* +%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x* +%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass +%endif diff --git a/crypto/openssh/contrib/suse/rc.config.sshd b/crypto/openssh/contrib/suse/rc.config.sshd new file mode 100644 index 000000000..baaa7a5a1 --- /dev/null +++ b/crypto/openssh/contrib/suse/rc.config.sshd @@ -0,0 +1,5 @@ +# +# Start the Secure Shell (SSH) Daemon? +# +START_SSHD="yes" + diff --git a/crypto/openssh/contrib/suse/rc.sshd b/crypto/openssh/contrib/suse/rc.sshd new file mode 100644 index 000000000..28f28e41d --- /dev/null +++ b/crypto/openssh/contrib/suse/rc.sshd @@ -0,0 +1,121 @@ +#! /bin/sh +# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany. +# +# Author: Jiri Smid +# +# /etc/init.d/sshd +# +# and symbolic its link +# +# /usr/sbin/rcsshd +# +### BEGIN INIT INFO +# Provides: sshd +# Required-Start: $network $remote_fs +# Required-Stop: $network $remote_fs +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Description: Start the sshd daemon +### END INIT INFO + +SSHD_BIN=/usr/sbin/sshd +test -x $SSHD_BIN || exit 5 + +SSHD_SYSCONFIG=/etc/sysconfig/ssh +test -r $SSHD_SYSCONFIG || exit 6 +. $SSHD_SYSCONFIG + +SSHD_PIDFILE=/var/run/sshd.init.pid + +. /etc/rc.status + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v ditto but be verbose in local rc status +# rc_status -v -r ditto and clear the local rc status +# rc_failed set local and overall rc status to failed +# rc_reset clear local rc status (overall remains) +# rc_exit exit appropriate to overall rc status + +# First reset status of this service +rc_reset + +case "$1" in + start) + # Generate any missing host keys + ssh-keygen -A + echo -n "Starting SSH daemon" + ## Start daemon with startproc(8). If this fails + ## the echo return value is set appropriate. + + startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE" + + # Remember status and be verbose + rc_status -v + ;; + stop) + echo -n "Shutting down SSH daemon" + ## Stop daemon with killproc(8) and if this fails + ## set echo the echo return value. + + killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN + + # Remember status and be verbose + rc_status -v + ;; + try-restart) + ## Stop the service and if this succeeds (i.e. the + ## service was running before), start it again. + $0 status >/dev/null && $0 restart + + # Remember status and be quiet + rc_status + ;; + restart) + ## Stop the service and regardless of whether it was + ## running or not, start it again. + $0 stop + $0 start + + # Remember status and be quiet + rc_status + ;; + force-reload|reload) + ## Signal the daemon to reload its config. Most daemons + ## do this on signal 1 (SIGHUP). + + echo -n "Reload service sshd" + + killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN + + rc_status -v + + ;; + status) + echo -n "Checking for service sshd " + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. + + # Status has a slightly different for the status command: + # 0 - service running + # 1 - service dead, but /var/run/ pid file exists + # 2 - service dead, but /var/lock/ lock file exists + # 3 - service not running + + checkproc -p $SSHD_PIDFILE $SSHD_BIN + + rc_status -v + ;; + probe) + ## Optional: Probe for the necessity of a reload, + ## give out the argument which is required for a reload. + + test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload + ;; + *) + echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" + exit 1 + ;; +esac +rc_exit diff --git a/crypto/openssh/contrib/suse/sysconfig.ssh b/crypto/openssh/contrib/suse/sysconfig.ssh new file mode 100644 index 000000000..c6a37e5cb --- /dev/null +++ b/crypto/openssh/contrib/suse/sysconfig.ssh @@ -0,0 +1,9 @@ +## Path: Network/Remote access/SSH +## Description: SSH server settings +## Type: string +## Default: "" +## ServiceRestart: sshd +# +# Options for sshd +# +SSHD_OPTS="" diff --git a/crypto/openssh/crypto_api.h b/crypto/openssh/crypto_api.h new file mode 100644 index 000000000..5820ce8fa --- /dev/null +++ b/crypto/openssh/crypto_api.h @@ -0,0 +1,44 @@ +/* $OpenBSD: crypto_api.h,v 1.3 2013/12/17 10:36:38 markus Exp $ */ + +/* + * Assembled from generated headers and source files by Markus Friedl. + * Placed in the public domain. + */ + +#ifndef crypto_api_h +#define crypto_api_h + +#ifdef HAVE_STDINT_H +# include +#endif +#include + +typedef int32_t crypto_int32; +typedef uint32_t crypto_uint32; + +#define randombytes(buf, buf_len) arc4random_buf((buf), (buf_len)) + +#define crypto_hashblocks_sha512_STATEBYTES 64U +#define crypto_hashblocks_sha512_BLOCKBYTES 128U + +int crypto_hashblocks_sha512(unsigned char *, const unsigned char *, + unsigned long long); + +#define crypto_hash_sha512_BYTES 64U + +int crypto_hash_sha512(unsigned char *, const unsigned char *, + unsigned long long); + +int crypto_verify_32(const unsigned char *, const unsigned char *); + +#define crypto_sign_ed25519_SECRETKEYBYTES 64U +#define crypto_sign_ed25519_PUBLICKEYBYTES 32U +#define crypto_sign_ed25519_BYTES 64U + +int crypto_sign_ed25519(unsigned char *, unsigned long long *, + const unsigned char *, unsigned long long, const unsigned char *); +int crypto_sign_ed25519_open(unsigned char *, unsigned long long *, + const unsigned char *, unsigned long long, const unsigned char *); +int crypto_sign_ed25519_keypair(unsigned char *, unsigned char *); + +#endif /* crypto_api_h */ diff --git a/crypto/openssh/defines.h b/crypto/openssh/defines.h index 64515c2ff..354d5b614 100644 --- a/crypto/openssh/defines.h +++ b/crypto/openssh/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */ +/* $Id: defines.h,v 1.176 2014/01/17 13:12:38 dtucker Exp $ */ /* Constants */ @@ -171,11 +171,6 @@ enum # define MAP_FAILED ((void *)-1) #endif -/* *-*-nto-qnx doesn't define this constant in the system headers */ -#ifdef MISSING_NFDBITS -# define NFDBITS (8 * sizeof(unsigned long)) -#endif - /* SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but including rpc/rpc.h breaks Solaris 6 @@ -274,6 +269,21 @@ typedef unsigned long long int u_int64_t; # endif #endif +#ifndef HAVE_UINTXX_T +typedef u_int8_t uint8_t; +typedef u_int16_t uint16_t; +typedef u_int32_t uint32_t; +typedef u_int64_t uint64_t; +#endif + +#ifndef HAVE_INTMAX_T +typedef long long intmax_t; +#endif + +#ifndef HAVE_UINTMAX_T +typedef unsigned long long uintmax_t; +#endif + #ifndef HAVE_U_CHAR typedef unsigned char u_char; # define HAVE_U_CHAR @@ -355,11 +365,19 @@ struct winsize { }; #endif -/* *-*-nto-qnx does not define this type in the system headers */ -#ifdef MISSING_FD_MASK +/* bits needed for select that may not be in the system headers */ +#ifndef HAVE_FD_MASK typedef unsigned long int fd_mask; #endif +#if defined(HAVE_DECL_NFDBITS) && HAVE_DECL_NFDBITS == 0 +# define NFDBITS (8 * sizeof(unsigned long)) +#endif + +#if defined(HAVE_DECL_HOWMANY) && HAVE_DECL_HOWMANY == 0 +# define howmany(x,y) (((x)+((y)-1))/(y)) +#endif + /* Paths */ #ifndef _PATH_BSHELL @@ -484,11 +502,6 @@ struct winsize { # define __nonnull__(x) #endif -/* *-*-nto-qnx doesn't define this macro in the system headers */ -#ifdef MISSING_HOWMANY -# define howmany(x,y) (((x)+((y)-1))/(y)) -#endif - #ifndef OSSH_ALIGNBYTES #define OSSH_ALIGNBYTES (sizeof(int) - 1) #endif @@ -804,4 +817,13 @@ struct winsize { # endif #endif +/* + * Platforms that have arc4random_uniform() and not arc4random_stir() + * shouldn't need the latter. + */ +#if defined(HAVE_ARC4RANDOM) && defined(HAVE_ARC4RANDOM_UNIFORM) && \ + !defined(HAVE_ARC4RANDOM_STIR) +# define arc4random_stir() +#endif + #endif /* _DEFINES_H */ diff --git a/crypto/openssh/dh.c b/crypto/openssh/dh.c index d943ca1e1..3331cda6c 100644 --- a/crypto/openssh/dh.c +++ b/crypto/openssh/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: dh.c,v 1.53 2013/11/21 00:45:44 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * @@ -48,6 +48,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) const char *errstr = NULL; long long n; + dhg->p = dhg->g = NULL; cp = line; if ((arg = strdelim(&cp)) == NULL) return 0; @@ -59,66 +60,85 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) /* time */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; arg = strsep(&cp, " "); /* type */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; /* Ensure this is a safe prime */ n = strtonum(arg, 0, 5, &errstr); - if (errstr != NULL || n != MODULI_TYPE_SAFE) + if (errstr != NULL || n != MODULI_TYPE_SAFE) { + error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE); goto fail; + } arg = strsep(&cp, " "); /* tests */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; /* Ensure prime has been tested and is not composite */ n = strtonum(arg, 0, 0x1f, &errstr); if (errstr != NULL || - (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) + (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) { + error("moduli:%d: invalid moduli tests flag", linenum); goto fail; + } arg = strsep(&cp, " "); /* tries */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; n = strtonum(arg, 0, 1<<30, &errstr); - if (errstr != NULL || n == 0) + if (errstr != NULL || n == 0) { + error("moduli:%d: invalid primality trial count", linenum); goto fail; + } strsize = strsep(&cp, " "); /* size */ if (cp == NULL || *strsize == '\0' || (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 || - errstr) + errstr) { + error("moduli:%d: invalid prime length", linenum); goto fail; + } /* The whole group is one bit larger */ dhg->size++; gen = strsep(&cp, " "); /* gen */ if (cp == NULL || *gen == '\0') - goto fail; + goto truncated; prime = strsep(&cp, " "); /* prime */ - if (cp != NULL || *prime == '\0') + if (cp != NULL || *prime == '\0') { + truncated: + error("moduli:%d: truncated", linenum); goto fail; + } if ((dhg->g = BN_new()) == NULL) fatal("parse_prime: BN_new failed"); if ((dhg->p = BN_new()) == NULL) fatal("parse_prime: BN_new failed"); - if (BN_hex2bn(&dhg->g, gen) == 0) - goto failclean; - - if (BN_hex2bn(&dhg->p, prime) == 0) - goto failclean; - - if (BN_num_bits(dhg->p) != dhg->size) - goto failclean; - - if (BN_is_zero(dhg->g) || BN_is_one(dhg->g)) - goto failclean; + if (BN_hex2bn(&dhg->g, gen) == 0) { + error("moduli:%d: could not parse generator value", linenum); + goto fail; + } + if (BN_hex2bn(&dhg->p, prime) == 0) { + error("moduli:%d: could not parse prime value", linenum); + goto fail; + } + if (BN_num_bits(dhg->p) != dhg->size) { + error("moduli:%d: prime has wrong size: actual %d listed %d", + linenum, BN_num_bits(dhg->p), dhg->size - 1); + goto fail; + } + if (BN_cmp(dhg->g, BN_value_one()) <= 0) { + error("moduli:%d: generator is invalid", linenum); + goto fail; + } - return (1); + return 1; - failclean: - BN_clear_free(dhg->g); - BN_clear_free(dhg->p); fail: + if (dhg->g != NULL) + BN_clear_free(dhg->g); + if (dhg->p != NULL) + BN_clear_free(dhg->p); + dhg->g = dhg->p = NULL; error("Bad prime description in line %d", linenum); - return (0); + return 0; } DH * @@ -234,33 +254,19 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) void dh_gen_key(DH *dh, int need) { - int i, bits_set, tries = 0; + int pbits; - if (need < 0) - fatal("dh_gen_key: need < 0"); + if (need <= 0) + fatal("%s: need <= 0", __func__); if (dh->p == NULL) - fatal("dh_gen_key: dh->p == NULL"); - if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p)) - fatal("dh_gen_key: group too small: %d (2*need %d)", - BN_num_bits(dh->p), 2*need); - do { - if (dh->priv_key != NULL) - BN_clear_free(dh->priv_key); - if ((dh->priv_key = BN_new()) == NULL) - fatal("dh_gen_key: BN_new failed"); - /* generate a 2*need bits random private exponent */ - if (!BN_rand(dh->priv_key, 2*need, 0, 0)) - fatal("dh_gen_key: BN_rand failed"); - if (DH_generate_key(dh) == 0) - fatal("DH_generate_key"); - for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++) - if (BN_is_bit_set(dh->priv_key, i)) - bits_set++; - debug2("dh_gen_key: priv key bits set: %d/%d", - bits_set, BN_num_bits(dh->priv_key)); - if (tries++ > 10) - fatal("dh_gen_key: too many bad keys: giving up"); - } while (!dh_pub_is_valid(dh, dh->pub_key)); + fatal("%s: dh->p == NULL", __func__); + if ((pbits = BN_num_bits(dh->p)) <= 0) + fatal("%s: bits(p) <= 0", __func__); + dh->length = MIN(need * 2, pbits - 1); + if (DH_generate_key(dh) == 0) + fatal("%s: key generation failed", __func__); + if (!dh_pub_is_valid(dh, dh->pub_key)) + fatal("%s: generated invalid key", __func__); } DH * @@ -332,17 +338,20 @@ dh_new_group14(void) /* * Estimates the group order for a Diffie-Hellman group that has an - * attack complexity approximately the same as O(2**bits). Estimate - * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3))) + * attack complexity approximately the same as O(2**bits). + * Values from NIST Special Publication 800-57: Recommendation for Key + * Management Part 1 (rev 3) limited by the recommended maximum value + * from RFC4419 section 3. */ int dh_estimate(int bits) { - + if (bits <= 112) + return 2048; if (bits <= 128) - return (1024); /* O(2**86) */ + return 3072; if (bits <= 192) - return (2048); /* O(2**116) */ - return (4096); /* O(2**156) */ + return 7680; + return 8192; } diff --git a/crypto/openssh/dh.h b/crypto/openssh/dh.h index dfc1480ea..48f7b68ea 100644 --- a/crypto/openssh/dh.h +++ b/crypto/openssh/dh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */ +/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. @@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *); int dh_estimate(int); +/* Min and max values from RFC4419. */ #define DH_GRP_MIN 1024 #define DH_GRP_MAX 8192 diff --git a/crypto/openssh/digest-libc.c b/crypto/openssh/digest-libc.c new file mode 100644 index 000000000..1804b0698 --- /dev/null +++ b/crypto/openssh/digest-libc.c @@ -0,0 +1,238 @@ +/* $OpenBSD: digest-libc.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */ +/* + * Copyright (c) 2013 Damien Miller + * Copyright (c) 2014 Markus Friedl. All rights reserved. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "buffer.h" +#include "digest.h" + +typedef void md_init_fn(void *mdctx); +typedef void md_update_fn(void *mdctx, const u_int8_t *m, size_t mlen); +typedef void md_final_fn(u_int8_t[], void *mdctx); + +struct ssh_digest_ctx { + int alg; + void *mdctx; +}; + +struct ssh_digest { + int id; + const char *name; + size_t block_len; + size_t digest_len; + size_t ctx_len; + md_init_fn *md_init; + md_update_fn *md_update; + md_final_fn *md_final; +}; + +/* NB. Indexed directly by algorithm number */ +const struct ssh_digest digests[SSH_DIGEST_MAX] = { + { + SSH_DIGEST_MD5, + "MD5", + MD5_BLOCK_LENGTH, + MD5_DIGEST_LENGTH, + sizeof(MD5_CTX), + (md_init_fn *) MD5Init, + (md_update_fn *) MD5Update, + (md_final_fn *) MD5Final + }, + { + SSH_DIGEST_RIPEMD160, + "RIPEMD160", + RMD160_BLOCK_LENGTH, + RMD160_DIGEST_LENGTH, + sizeof(RMD160_CTX), + (md_init_fn *) RMD160Init, + (md_update_fn *) RMD160Update, + (md_final_fn *) RMD160Final + }, + { + SSH_DIGEST_SHA1, + "SHA1", + SHA1_BLOCK_LENGTH, + SHA1_DIGEST_LENGTH, + sizeof(SHA1_CTX), + (md_init_fn *) SHA1Init, + (md_update_fn *) SHA1Update, + (md_final_fn *) SHA1Final + }, + { + SSH_DIGEST_SHA256, + "SHA256", + SHA256_BLOCK_LENGTH, + SHA256_DIGEST_LENGTH, + sizeof(SHA2_CTX), + (md_init_fn *) SHA256Init, + (md_update_fn *) SHA256Update, + (md_final_fn *) SHA256Final + }, + { + SSH_DIGEST_SHA384, + "SHA384", + SHA384_BLOCK_LENGTH, + SHA384_DIGEST_LENGTH, + sizeof(SHA2_CTX), + (md_init_fn *) SHA384Init, + (md_update_fn *) SHA384Update, + (md_final_fn *) SHA384Final + }, + { + SSH_DIGEST_SHA512, + "SHA512", + SHA512_BLOCK_LENGTH, + SHA512_DIGEST_LENGTH, + sizeof(SHA2_CTX), + (md_init_fn *) SHA512Init, + (md_update_fn *) SHA512Update, + (md_final_fn *) SHA512Final + } +}; + +static const struct ssh_digest * +ssh_digest_by_alg(int alg) +{ + if (alg < 0 || alg >= SSH_DIGEST_MAX) + return NULL; + if (digests[alg].id != alg) /* sanity */ + return NULL; + return &(digests[alg]); +} + +size_t +ssh_digest_bytes(int alg) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(alg); + + return digest == NULL ? 0 : digest->digest_len; +} + +size_t +ssh_digest_blocksize(struct ssh_digest_ctx *ctx) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg); + + return digest == NULL ? 0 : digest->block_len; +} + +struct ssh_digest_ctx * +ssh_digest_start(int alg) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(alg); + struct ssh_digest_ctx *ret; + + if (digest == NULL || (ret = calloc(1, sizeof(ret))) == NULL) + return NULL; + if ((ret->mdctx = calloc(1, digest->ctx_len)) == NULL) { + free(ret); + return NULL; + } + ret->alg = alg; + digest->md_init(ret->mdctx); + return ret; +} + +int +ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(from->alg); + + if (digest == NULL || from->alg != to->alg) + return -1; + memcpy(to->mdctx, from->mdctx, digest->ctx_len); + return 0; +} + +int +ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg); + + if (digest == NULL) + return -1; + digest->md_update(ctx->mdctx, m, mlen); + return 0; +} + +int +ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b) +{ + return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b)); +} + +int +ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg); + + if (digest == NULL) + return -1; + if (dlen > UINT_MAX) + return -1; + if (dlen < digest->digest_len) /* No truncation allowed */ + return -1; + digest->md_final(d, ctx->mdctx); + return 0; +} + +void +ssh_digest_free(struct ssh_digest_ctx *ctx) +{ + const struct ssh_digest *digest; + + if (ctx != NULL) { + digest = ssh_digest_by_alg(ctx->alg); + if (digest) { + explicit_bzero(ctx->mdctx, digest->ctx_len); + free(ctx->mdctx); + explicit_bzero(ctx, sizeof(*ctx)); + free(ctx); + } + } +} + +int +ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen) +{ + struct ssh_digest_ctx *ctx = ssh_digest_start(alg); + + if (ctx == NULL) + return -1; + if (ssh_digest_update(ctx, m, mlen) != 0 || + ssh_digest_final(ctx, d, dlen) != 0) + return -1; + ssh_digest_free(ctx); + return 0; +} + +int +ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen) +{ + return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen); +} diff --git a/crypto/openssh/digest-openssl.c b/crypto/openssh/digest-openssl.c new file mode 100644 index 000000000..863d37d03 --- /dev/null +++ b/crypto/openssh/digest-openssl.c @@ -0,0 +1,166 @@ +/* $OpenBSD: digest-openssl.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */ +/* + * Copyright (c) 2013 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include +#include +#include +#include + +#include + +#include "openbsd-compat/openssl-compat.h" + +#include "buffer.h" +#include "digest.h" + +struct ssh_digest_ctx { + int alg; + EVP_MD_CTX mdctx; +}; + +struct ssh_digest { + int id; + const char *name; + size_t digest_len; + const EVP_MD *(*mdfunc)(void); +}; + +/* NB. Indexed directly by algorithm number */ +const struct ssh_digest digests[] = { + { SSH_DIGEST_MD5, "MD5", 16, EVP_md5 }, + { SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, EVP_ripemd160 }, + { SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 }, +#ifdef HAVE_EVP_SHA256 /* XXX replace with local if missing */ + { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 }, + { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 }, + { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 }, +#endif + { -1, NULL, 0, NULL }, +}; + +static const struct ssh_digest * +ssh_digest_by_alg(int alg) +{ + if (alg < 0 || alg >= SSH_DIGEST_MAX) + return NULL; + if (digests[alg].id != alg) /* sanity */ + return NULL; + return &(digests[alg]); +} + +size_t +ssh_digest_bytes(int alg) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(alg); + + return digest == NULL ? 0 : digest->digest_len; +} + +size_t +ssh_digest_blocksize(struct ssh_digest_ctx *ctx) +{ + return EVP_MD_CTX_block_size(&ctx->mdctx); +} + +struct ssh_digest_ctx * +ssh_digest_start(int alg) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(alg); + struct ssh_digest_ctx *ret; + + if (digest == NULL || ((ret = calloc(1, sizeof(*ret))) == NULL)) + return NULL; + ret->alg = alg; + EVP_MD_CTX_init(&ret->mdctx); + if (EVP_DigestInit_ex(&ret->mdctx, digest->mdfunc(), NULL) != 1) { + free(ret); + return NULL; + } + return ret; +} + +int +ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to) +{ + /* we have bcopy-style order while openssl has memcpy-style */ + if (!EVP_MD_CTX_copy_ex(&to->mdctx, &from->mdctx)) + return -1; + return 0; +} + +int +ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen) +{ + if (EVP_DigestUpdate(&ctx->mdctx, m, mlen) != 1) + return -1; + return 0; +} + +int +ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b) +{ + return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b)); +} + +int +ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg); + u_int l = dlen; + + if (dlen > UINT_MAX) + return -1; + if (dlen < digest->digest_len) /* No truncation allowed */ + return -1; + if (EVP_DigestFinal_ex(&ctx->mdctx, d, &l) != 1) + return -1; + if (l != digest->digest_len) /* sanity */ + return -1; + return 0; +} + +void +ssh_digest_free(struct ssh_digest_ctx *ctx) +{ + if (ctx != NULL) { + EVP_MD_CTX_cleanup(&ctx->mdctx); + explicit_bzero(ctx, sizeof(*ctx)); + free(ctx); + } +} + +int +ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen) +{ + struct ssh_digest_ctx *ctx = ssh_digest_start(alg); + + if (ctx == NULL) + return -1; + if (ssh_digest_update(ctx, m, mlen) != 0 || + ssh_digest_final(ctx, d, dlen) != 0) + return -1; + ssh_digest_free(ctx); + return 0; +} + +int +ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen) +{ + return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen); +} diff --git a/crypto/openssh/digest.h b/crypto/openssh/digest.h new file mode 100644 index 000000000..0fb207fca --- /dev/null +++ b/crypto/openssh/digest.h @@ -0,0 +1,63 @@ +/* $OpenBSD: digest.h,v 1.2 2014/01/27 18:58:14 markus Exp $ */ +/* + * Copyright (c) 2013 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _DIGEST_H +#define _DIGEST_H + +/* Maximum digest output length */ +#define SSH_DIGEST_MAX_LENGTH 64 + +/* Digest algorithms */ +#define SSH_DIGEST_MD5 0 +#define SSH_DIGEST_RIPEMD160 1 +#define SSH_DIGEST_SHA1 2 +#define SSH_DIGEST_SHA256 3 +#define SSH_DIGEST_SHA384 4 +#define SSH_DIGEST_SHA512 5 +#define SSH_DIGEST_MAX 6 + +struct ssh_digest_ctx; + +/* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */ +size_t ssh_digest_bytes(int alg); + +/* Returns the block size of the digest, e.g. for implementing HMAC */ +size_t ssh_digest_blocksize(struct ssh_digest_ctx *ctx); + +/* Copies internal state of digest of 'from' to 'to' */ +int ssh_digest_copy_state(struct ssh_digest_ctx *from, + struct ssh_digest_ctx *to); + +/* One-shot API */ +int ssh_digest_memory(int alg, const void *m, size_t mlen, + u_char *d, size_t dlen) + __attribute__((__bounded__(__buffer__, 2, 3))) + __attribute__((__bounded__(__buffer__, 4, 5))); +int ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen) + __attribute__((__bounded__(__buffer__, 3, 4))); + +/* Update API */ +struct ssh_digest_ctx *ssh_digest_start(int alg); +int ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen) + __attribute__((__bounded__(__buffer__, 2, 3))); +int ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b); +int ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen) + __attribute__((__bounded__(__buffer__, 2, 3))); +void ssh_digest_free(struct ssh_digest_ctx *ctx); + +#endif /* _DIGEST_H */ + diff --git a/crypto/openssh/dns.c b/crypto/openssh/dns.c index 9e3084ba5..630b97ae8 100644 --- a/crypto/openssh/dns.c +++ b/crypto/openssh/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.28 2012/05/23 03:28:28 djm Exp $ */ +/* $OpenBSD: dns.c,v 1.29 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -261,7 +261,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, if (hostkey_digest_type != dnskey_digest_type) { hostkey_digest_type = dnskey_digest_type; - xfree(hostkey_digest); + free(hostkey_digest); /* Initialize host key parameters */ if (!dns_read_key(&hostkey_algorithm, @@ -281,10 +281,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, hostkey_digest_len) == 0) *flags |= DNS_VERIFY_MATCH; } - xfree(dnskey_digest); + free(dnskey_digest); } - xfree(hostkey_digest); /* from key_fingerprint_raw() */ + free(hostkey_digest); /* from key_fingerprint_raw() */ freerrset(fingerprints); if (*flags & DNS_VERIFY_FOUND) @@ -327,7 +327,7 @@ export_dns_rr(const char *hostname, Key *key, FILE *f, int generic) for (i = 0; i < rdata_digest_len; i++) fprintf(f, "%02x", rdata_digest[i]); fprintf(f, "\n"); - xfree(rdata_digest); /* from key_fingerprint_raw() */ + free(rdata_digest); /* from key_fingerprint_raw() */ success = 1; } } diff --git a/crypto/openssh/ed25519.c b/crypto/openssh/ed25519.c new file mode 100644 index 000000000..767ec24d6 --- /dev/null +++ b/crypto/openssh/ed25519.c @@ -0,0 +1,144 @@ +/* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */ + +/* + * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange, + * Peter Schwabe, Bo-Yin Yang. + * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c + */ + +#include "includes.h" +#include "crypto_api.h" + +#include "ge25519.h" + +static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen) +{ + unsigned long long i; + + for (i = 0;i < 32;++i) playground[i] = sm[i]; + for (i = 32;i < 64;++i) playground[i] = pk[i-32]; + for (i = 64;i < smlen;++i) playground[i] = sm[i]; + + crypto_hash_sha512(hram,playground,smlen); +} + + +int crypto_sign_ed25519_keypair( + unsigned char *pk, + unsigned char *sk + ) +{ + sc25519 scsk; + ge25519 gepk; + unsigned char extsk[64]; + int i; + + randombytes(sk, 32); + crypto_hash_sha512(extsk, sk, 32); + extsk[0] &= 248; + extsk[31] &= 127; + extsk[31] |= 64; + + sc25519_from32bytes(&scsk,extsk); + + ge25519_scalarmult_base(&gepk, &scsk); + ge25519_pack(pk, &gepk); + for(i=0;i<32;i++) + sk[32 + i] = pk[i]; + return 0; +} + +int crypto_sign_ed25519( + unsigned char *sm,unsigned long long *smlen, + const unsigned char *m,unsigned long long mlen, + const unsigned char *sk + ) +{ + sc25519 sck, scs, scsk; + ge25519 ger; + unsigned char r[32]; + unsigned char s[32]; + unsigned char extsk[64]; + unsigned long long i; + unsigned char hmg[crypto_hash_sha512_BYTES]; + unsigned char hram[crypto_hash_sha512_BYTES]; + + crypto_hash_sha512(extsk, sk, 32); + extsk[0] &= 248; + extsk[31] &= 127; + extsk[31] |= 64; + + *smlen = mlen+64; + for(i=0;i>= 31; /* 1: yes; 0: no */ + return x; +} + +static crypto_uint32 ge(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */ +{ + unsigned int x = a; + x -= (unsigned int) b; /* 0..65535: yes; 4294901761..4294967295: no */ + x >>= 31; /* 0: yes; 1: no */ + x ^= 1; /* 1: yes; 0: no */ + return x; +} + +static crypto_uint32 times19(crypto_uint32 a) +{ + return (a << 4) + (a << 1) + a; +} + +static crypto_uint32 times38(crypto_uint32 a) +{ + return (a << 5) + (a << 2) + (a << 1); +} + +static void reduce_add_sub(fe25519 *r) +{ + crypto_uint32 t; + int i,rep; + + for(rep=0;rep<4;rep++) + { + t = r->v[31] >> 7; + r->v[31] &= 127; + t = times19(t); + r->v[0] += t; + for(i=0;i<31;i++) + { + t = r->v[i] >> 8; + r->v[i+1] += t; + r->v[i] &= 255; + } + } +} + +static void reduce_mul(fe25519 *r) +{ + crypto_uint32 t; + int i,rep; + + for(rep=0;rep<2;rep++) + { + t = r->v[31] >> 7; + r->v[31] &= 127; + t = times19(t); + r->v[0] += t; + for(i=0;i<31;i++) + { + t = r->v[i] >> 8; + r->v[i+1] += t; + r->v[i] &= 255; + } + } +} + +/* reduction modulo 2^255-19 */ +void fe25519_freeze(fe25519 *r) +{ + int i; + crypto_uint32 m = equal(r->v[31],127); + for(i=30;i>0;i--) + m &= equal(r->v[i],255); + m &= ge(r->v[0],237); + + m = -m; + + r->v[31] -= m&127; + for(i=30;i>0;i--) + r->v[i] -= m&255; + r->v[0] -= m&237; +} + +void fe25519_unpack(fe25519 *r, const unsigned char x[32]) +{ + int i; + for(i=0;i<32;i++) r->v[i] = x[i]; + r->v[31] &= 127; +} + +/* Assumes input x being reduced below 2^255 */ +void fe25519_pack(unsigned char r[32], const fe25519 *x) +{ + int i; + fe25519 y = *x; + fe25519_freeze(&y); + for(i=0;i<32;i++) + r[i] = y.v[i]; +} + +int fe25519_iszero(const fe25519 *x) +{ + int i; + int r; + fe25519 t = *x; + fe25519_freeze(&t); + r = equal(t.v[0],0); + for(i=1;i<32;i++) + r &= equal(t.v[i],0); + return r; +} + +int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y) +{ + int i; + fe25519 t1 = *x; + fe25519 t2 = *y; + fe25519_freeze(&t1); + fe25519_freeze(&t2); + for(i=0;i<32;i++) + if(t1.v[i] != t2.v[i]) return 0; + return 1; +} + +void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b) +{ + int i; + crypto_uint32 mask = b; + mask = -mask; + for(i=0;i<32;i++) r->v[i] ^= mask & (x->v[i] ^ r->v[i]); +} + +unsigned char fe25519_getparity(const fe25519 *x) +{ + fe25519 t = *x; + fe25519_freeze(&t); + return t.v[0] & 1; +} + +void fe25519_setone(fe25519 *r) +{ + int i; + r->v[0] = 1; + for(i=1;i<32;i++) r->v[i]=0; +} + +void fe25519_setzero(fe25519 *r) +{ + int i; + for(i=0;i<32;i++) r->v[i]=0; +} + +void fe25519_neg(fe25519 *r, const fe25519 *x) +{ + fe25519 t; + int i; + for(i=0;i<32;i++) t.v[i]=x->v[i]; + fe25519_setzero(r); + fe25519_sub(r, r, &t); +} + +void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y) +{ + int i; + for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i]; + reduce_add_sub(r); +} + +void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y) +{ + int i; + crypto_uint32 t[32]; + t[0] = x->v[0] + 0x1da; + t[31] = x->v[31] + 0xfe; + for(i=1;i<31;i++) t[i] = x->v[i] + 0x1fe; + for(i=0;i<32;i++) r->v[i] = t[i] - y->v[i]; + reduce_add_sub(r); +} + +void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y) +{ + int i,j; + crypto_uint32 t[63]; + for(i=0;i<63;i++)t[i] = 0; + + for(i=0;i<32;i++) + for(j=0;j<32;j++) + t[i+j] += x->v[i] * y->v[j]; + + for(i=32;i<63;i++) + r->v[i-32] = t[i-32] + times38(t[i]); + r->v[31] = t[31]; /* result now in r[0]...r[31] */ + + reduce_mul(r); +} + +void fe25519_square(fe25519 *r, const fe25519 *x) +{ + fe25519_mul(r, x, x); +} + +void fe25519_invert(fe25519 *r, const fe25519 *x) +{ + fe25519 z2; + fe25519 z9; + fe25519 z11; + fe25519 z2_5_0; + fe25519 z2_10_0; + fe25519 z2_20_0; + fe25519 z2_50_0; + fe25519 z2_100_0; + fe25519 t0; + fe25519 t1; + int i; + + /* 2 */ fe25519_square(&z2,x); + /* 4 */ fe25519_square(&t1,&z2); + /* 8 */ fe25519_square(&t0,&t1); + /* 9 */ fe25519_mul(&z9,&t0,x); + /* 11 */ fe25519_mul(&z11,&z9,&z2); + /* 22 */ fe25519_square(&t0,&z11); + /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t0,&z9); + + /* 2^6 - 2^1 */ fe25519_square(&t0,&z2_5_0); + /* 2^7 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^8 - 2^3 */ fe25519_square(&t0,&t1); + /* 2^9 - 2^4 */ fe25519_square(&t1,&t0); + /* 2^10 - 2^5 */ fe25519_square(&t0,&t1); + /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t0,&z2_5_0); + + /* 2^11 - 2^1 */ fe25519_square(&t0,&z2_10_0); + /* 2^12 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t1,&z2_10_0); + + /* 2^21 - 2^1 */ fe25519_square(&t0,&z2_20_0); + /* 2^22 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^40 - 2^0 */ fe25519_mul(&t0,&t1,&z2_20_0); + + /* 2^41 - 2^1 */ fe25519_square(&t1,&t0); + /* 2^42 - 2^2 */ fe25519_square(&t0,&t1); + /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); } + /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t0,&z2_10_0); + + /* 2^51 - 2^1 */ fe25519_square(&t0,&z2_50_0); + /* 2^52 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t1,&z2_50_0); + + /* 2^101 - 2^1 */ fe25519_square(&t1,&z2_100_0); + /* 2^102 - 2^2 */ fe25519_square(&t0,&t1); + /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); } + /* 2^200 - 2^0 */ fe25519_mul(&t1,&t0,&z2_100_0); + + /* 2^201 - 2^1 */ fe25519_square(&t0,&t1); + /* 2^202 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^250 - 2^0 */ fe25519_mul(&t0,&t1,&z2_50_0); + + /* 2^251 - 2^1 */ fe25519_square(&t1,&t0); + /* 2^252 - 2^2 */ fe25519_square(&t0,&t1); + /* 2^253 - 2^3 */ fe25519_square(&t1,&t0); + /* 2^254 - 2^4 */ fe25519_square(&t0,&t1); + /* 2^255 - 2^5 */ fe25519_square(&t1,&t0); + /* 2^255 - 21 */ fe25519_mul(r,&t1,&z11); +} + +void fe25519_pow2523(fe25519 *r, const fe25519 *x) +{ + fe25519 z2; + fe25519 z9; + fe25519 z11; + fe25519 z2_5_0; + fe25519 z2_10_0; + fe25519 z2_20_0; + fe25519 z2_50_0; + fe25519 z2_100_0; + fe25519 t; + int i; + + /* 2 */ fe25519_square(&z2,x); + /* 4 */ fe25519_square(&t,&z2); + /* 8 */ fe25519_square(&t,&t); + /* 9 */ fe25519_mul(&z9,&t,x); + /* 11 */ fe25519_mul(&z11,&z9,&z2); + /* 22 */ fe25519_square(&t,&z11); + /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9); + + /* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0); + /* 2^10 - 2^5 */ for (i = 1;i < 5;i++) { fe25519_square(&t,&t); } + /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0); + + /* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0); + /* 2^20 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); } + /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0); + + /* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0); + /* 2^40 - 2^20 */ for (i = 1;i < 20;i++) { fe25519_square(&t,&t); } + /* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0); + + /* 2^41 - 2^1 */ fe25519_square(&t,&t); + /* 2^50 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); } + /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0); + + /* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0); + /* 2^100 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); } + /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0); + + /* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0); + /* 2^200 - 2^100 */ for (i = 1;i < 100;i++) { fe25519_square(&t,&t); } + /* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0); + + /* 2^201 - 2^1 */ fe25519_square(&t,&t); + /* 2^250 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); } + /* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0); + + /* 2^251 - 2^1 */ fe25519_square(&t,&t); + /* 2^252 - 2^2 */ fe25519_square(&t,&t); + /* 2^252 - 3 */ fe25519_mul(r,&t,x); +} diff --git a/crypto/openssh/fe25519.h b/crypto/openssh/fe25519.h new file mode 100644 index 000000000..41b3cbb49 --- /dev/null +++ b/crypto/openssh/fe25519.h @@ -0,0 +1,70 @@ +/* $OpenBSD: fe25519.h,v 1.3 2013/12/09 11:03:45 markus Exp $ */ + +/* + * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange, + * Peter Schwabe, Bo-Yin Yang. + * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.h + */ + +#ifndef FE25519_H +#define FE25519_H + +#include "crypto_api.h" + +#define fe25519 crypto_sign_ed25519_ref_fe25519 +#define fe25519_freeze crypto_sign_ed25519_ref_fe25519_freeze +#define fe25519_unpack crypto_sign_ed25519_ref_fe25519_unpack +#define fe25519_pack crypto_sign_ed25519_ref_fe25519_pack +#define fe25519_iszero crypto_sign_ed25519_ref_fe25519_iszero +#define fe25519_iseq_vartime crypto_sign_ed25519_ref_fe25519_iseq_vartime +#define fe25519_cmov crypto_sign_ed25519_ref_fe25519_cmov +#define fe25519_setone crypto_sign_ed25519_ref_fe25519_setone +#define fe25519_setzero crypto_sign_ed25519_ref_fe25519_setzero +#define fe25519_neg crypto_sign_ed25519_ref_fe25519_neg +#define fe25519_getparity crypto_sign_ed25519_ref_fe25519_getparity +#define fe25519_add crypto_sign_ed25519_ref_fe25519_add +#define fe25519_sub crypto_sign_ed25519_ref_fe25519_sub +#define fe25519_mul crypto_sign_ed25519_ref_fe25519_mul +#define fe25519_square crypto_sign_ed25519_ref_fe25519_square +#define fe25519_invert crypto_sign_ed25519_ref_fe25519_invert +#define fe25519_pow2523 crypto_sign_ed25519_ref_fe25519_pow2523 + +typedef struct +{ + crypto_uint32 v[32]; +} +fe25519; + +void fe25519_freeze(fe25519 *r); + +void fe25519_unpack(fe25519 *r, const unsigned char x[32]); + +void fe25519_pack(unsigned char r[32], const fe25519 *x); + +int fe25519_iszero(const fe25519 *x); + +int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y); + +void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b); + +void fe25519_setone(fe25519 *r); + +void fe25519_setzero(fe25519 *r); + +void fe25519_neg(fe25519 *r, const fe25519 *x); + +unsigned char fe25519_getparity(const fe25519 *x); + +void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y); + +void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y); + +void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y); + +void fe25519_square(fe25519 *r, const fe25519 *x); + +void fe25519_invert(fe25519 *r, const fe25519 *x); + +void fe25519_pow2523(fe25519 *r, const fe25519 *x); + +#endif diff --git a/crypto/openssh/fixalgorithms b/crypto/openssh/fixalgorithms new file mode 100755 index 000000000..115dce81c --- /dev/null +++ b/crypto/openssh/fixalgorithms @@ -0,0 +1,26 @@ +#!/bin/sh +# +# fixciphers - remove unsupported ciphers from man pages. +# Usage: fixpaths /path/to/sed cipher1 [cipher2] outfile +# +# Author: Darren Tucker (dtucker at zip com.au). Placed in the public domain. + +die() { + echo $* + exit -1 +} + +SED=$1 +shift + +for c in $*; do + subs="$subs -e /.Dq.$c.*$/d" + subs="$subs -e s/$c,//g" +done + +# now remove any entirely empty lines +subs="$subs -e /^$/d" + +${SED} $subs + +exit 0 diff --git a/crypto/openssh/freebsd-configure.sh b/crypto/openssh/freebsd-configure.sh new file mode 100755 index 000000000..800488041 --- /dev/null +++ b/crypto/openssh/freebsd-configure.sh @@ -0,0 +1,30 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +configure_args=" + --prefix=/usr + --sysconfdir=/etc/ssh + --with-pam + --with-tcp-wrappers + --with-libedit + --with-ssl-engine + --without-xauth +" + +set -e + +# generate config.h with krb5 and stash it +sh configure $configure_args --with-kerberos5 +mv config.log config.log.orig +mv config.h config.h.orig + +# generate config.h without krb5 +sh configure $configure_args --without-kerberos5 + +# extract the difference +echo '/* $Free''BSD$ */' > krb5_config.h +diff -u config.h.orig config.h | + sed -n '/^-#define/s/^-//p' | + grep -Ff /dev/stdin config.h.orig >> krb5_config.h diff --git a/crypto/openssh/freebsd-post-merge.sh b/crypto/openssh/freebsd-post-merge.sh new file mode 100755 index 000000000..eefe3af63 --- /dev/null +++ b/crypto/openssh/freebsd-post-merge.sh @@ -0,0 +1,14 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +xargs perl -n -i -e ' + print; + s/\$(Id|OpenBSD): [^\$]*/\$FreeBSD/ && print; + m/^\#include "includes.h"/ && print "__RCSID(\"\$FreeBSD\$\");\n"; +' keywords +xargs perl -n -i -e ' + $strip = $ARGV if /\$(Id|OpenBSD):.*\$/; + print unless ($strip eq $ARGV && /\$FreeBSD.*\$/); +' mdocdates +xargs perl -p -i -e ' + s/^\.Dd (\w+) (\d+), (\d+)$/.Dd \$Mdocdate: $1 $2 $3 \$/; +' x, &p->x, &p->t); + fe25519_mul(&r->y, &p->y, &p->z); + fe25519_mul(&r->z, &p->z, &p->t); +} + +static void p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p) +{ + p1p1_to_p2((ge25519_p2 *)r, p); + fe25519_mul(&r->t, &p->x, &p->y); +} + +static void ge25519_mixadd2(ge25519_p3 *r, const ge25519_aff *q) +{ + fe25519 a,b,t1,t2,c,d,e,f,g,h,qt; + fe25519_mul(&qt, &q->x, &q->y); + fe25519_sub(&a, &r->y, &r->x); /* A = (Y1-X1)*(Y2-X2) */ + fe25519_add(&b, &r->y, &r->x); /* B = (Y1+X1)*(Y2+X2) */ + fe25519_sub(&t1, &q->y, &q->x); + fe25519_add(&t2, &q->y, &q->x); + fe25519_mul(&a, &a, &t1); + fe25519_mul(&b, &b, &t2); + fe25519_sub(&e, &b, &a); /* E = B-A */ + fe25519_add(&h, &b, &a); /* H = B+A */ + fe25519_mul(&c, &r->t, &qt); /* C = T1*k*T2 */ + fe25519_mul(&c, &c, &ge25519_ec2d); + fe25519_add(&d, &r->z, &r->z); /* D = Z1*2 */ + fe25519_sub(&f, &d, &c); /* F = D-C */ + fe25519_add(&g, &d, &c); /* G = D+C */ + fe25519_mul(&r->x, &e, &f); + fe25519_mul(&r->y, &h, &g); + fe25519_mul(&r->z, &g, &f); + fe25519_mul(&r->t, &e, &h); +} + +static void add_p1p1(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_p3 *q) +{ + fe25519 a, b, c, d, t; + + fe25519_sub(&a, &p->y, &p->x); /* A = (Y1-X1)*(Y2-X2) */ + fe25519_sub(&t, &q->y, &q->x); + fe25519_mul(&a, &a, &t); + fe25519_add(&b, &p->x, &p->y); /* B = (Y1+X1)*(Y2+X2) */ + fe25519_add(&t, &q->x, &q->y); + fe25519_mul(&b, &b, &t); + fe25519_mul(&c, &p->t, &q->t); /* C = T1*k*T2 */ + fe25519_mul(&c, &c, &ge25519_ec2d); + fe25519_mul(&d, &p->z, &q->z); /* D = Z1*2*Z2 */ + fe25519_add(&d, &d, &d); + fe25519_sub(&r->x, &b, &a); /* E = B-A */ + fe25519_sub(&r->t, &d, &c); /* F = D-C */ + fe25519_add(&r->z, &d, &c); /* G = D+C */ + fe25519_add(&r->y, &b, &a); /* H = B+A */ +} + +/* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */ +static void dbl_p1p1(ge25519_p1p1 *r, const ge25519_p2 *p) +{ + fe25519 a,b,c,d; + fe25519_square(&a, &p->x); + fe25519_square(&b, &p->y); + fe25519_square(&c, &p->z); + fe25519_add(&c, &c, &c); + fe25519_neg(&d, &a); + + fe25519_add(&r->x, &p->x, &p->y); + fe25519_square(&r->x, &r->x); + fe25519_sub(&r->x, &r->x, &a); + fe25519_sub(&r->x, &r->x, &b); + fe25519_add(&r->z, &d, &b); + fe25519_sub(&r->t, &r->z, &c); + fe25519_sub(&r->y, &d, &b); +} + +/* Constant-time version of: if(b) r = p */ +static void cmov_aff(ge25519_aff *r, const ge25519_aff *p, unsigned char b) +{ + fe25519_cmov(&r->x, &p->x, b); + fe25519_cmov(&r->y, &p->y, b); +} + +static unsigned char equal(signed char b,signed char c) +{ + unsigned char ub = b; + unsigned char uc = c; + unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */ + crypto_uint32 y = x; /* 0: yes; 1..255: no */ + y -= 1; /* 4294967295: yes; 0..254: no */ + y >>= 31; /* 1: yes; 0: no */ + return y; +} + +static unsigned char negative(signed char b) +{ + unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */ + x >>= 63; /* 1: yes; 0: no */ + return x; +} + +static void choose_t(ge25519_aff *t, unsigned long long pos, signed char b) +{ + /* constant time */ + fe25519 v; + *t = ge25519_base_multiples_affine[5*pos+0]; + cmov_aff(t, &ge25519_base_multiples_affine[5*pos+1],equal(b,1) | equal(b,-1)); + cmov_aff(t, &ge25519_base_multiples_affine[5*pos+2],equal(b,2) | equal(b,-2)); + cmov_aff(t, &ge25519_base_multiples_affine[5*pos+3],equal(b,3) | equal(b,-3)); + cmov_aff(t, &ge25519_base_multiples_affine[5*pos+4],equal(b,-4)); + fe25519_neg(&v, &t->x); + fe25519_cmov(&t->x, &v, negative(b)); +} + +static void setneutral(ge25519 *r) +{ + fe25519_setzero(&r->x); + fe25519_setone(&r->y); + fe25519_setone(&r->z); + fe25519_setzero(&r->t); +} + +/* ******************************************************************** + * EXPORTED FUNCTIONS + ******************************************************************** */ + +/* return 0 on success, -1 otherwise */ +int ge25519_unpackneg_vartime(ge25519_p3 *r, const unsigned char p[32]) +{ + unsigned char par; + fe25519 t, chk, num, den, den2, den4, den6; + fe25519_setone(&r->z); + par = p[31] >> 7; + fe25519_unpack(&r->y, p); + fe25519_square(&num, &r->y); /* x = y^2 */ + fe25519_mul(&den, &num, &ge25519_ecd); /* den = dy^2 */ + fe25519_sub(&num, &num, &r->z); /* x = y^2-1 */ + fe25519_add(&den, &r->z, &den); /* den = dy^2+1 */ + + /* Computation of sqrt(num/den) */ + /* 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) */ + fe25519_square(&den2, &den); + fe25519_square(&den4, &den2); + fe25519_mul(&den6, &den4, &den2); + fe25519_mul(&t, &den6, &num); + fe25519_mul(&t, &t, &den); + + fe25519_pow2523(&t, &t); + /* 2. computation of r->x = t * num * den^3 */ + fe25519_mul(&t, &t, &num); + fe25519_mul(&t, &t, &den); + fe25519_mul(&t, &t, &den); + fe25519_mul(&r->x, &t, &den); + + /* 3. Check whether sqrt computation gave correct result, multiply by sqrt(-1) if not: */ + fe25519_square(&chk, &r->x); + fe25519_mul(&chk, &chk, &den); + if (!fe25519_iseq_vartime(&chk, &num)) + fe25519_mul(&r->x, &r->x, &ge25519_sqrtm1); + + /* 4. Now we have one of the two square roots, except if input was not a square */ + fe25519_square(&chk, &r->x); + fe25519_mul(&chk, &chk, &den); + if (!fe25519_iseq_vartime(&chk, &num)) + return -1; + + /* 5. Choose the desired square root according to parity: */ + if(fe25519_getparity(&r->x) != (1-par)) + fe25519_neg(&r->x, &r->x); + + fe25519_mul(&r->t, &r->x, &r->y); + return 0; +} + +void ge25519_pack(unsigned char r[32], const ge25519_p3 *p) +{ + fe25519 tx, ty, zi; + fe25519_invert(&zi, &p->z); + fe25519_mul(&tx, &p->x, &zi); + fe25519_mul(&ty, &p->y, &zi); + fe25519_pack(r, &ty); + r[31] ^= fe25519_getparity(&tx) << 7; +} + +int ge25519_isneutral_vartime(const ge25519_p3 *p) +{ + int ret = 1; + if(!fe25519_iszero(&p->x)) ret = 0; + if(!fe25519_iseq_vartime(&p->y, &p->z)) ret = 0; + return ret; +} + +/* computes [s1]p1 + [s2]p2 */ +void ge25519_double_scalarmult_vartime(ge25519_p3 *r, const ge25519_p3 *p1, const sc25519 *s1, const ge25519_p3 *p2, const sc25519 *s2) +{ + ge25519_p1p1 tp1p1; + ge25519_p3 pre[16]; + unsigned char b[127]; + int i; + + /* precomputation s2 s1 */ + setneutral(pre); /* 00 00 */ + pre[1] = *p1; /* 00 01 */ + dbl_p1p1(&tp1p1,(ge25519_p2 *)p1); p1p1_to_p3( &pre[2], &tp1p1); /* 00 10 */ + add_p1p1(&tp1p1,&pre[1], &pre[2]); p1p1_to_p3( &pre[3], &tp1p1); /* 00 11 */ + pre[4] = *p2; /* 01 00 */ + add_p1p1(&tp1p1,&pre[1], &pre[4]); p1p1_to_p3( &pre[5], &tp1p1); /* 01 01 */ + add_p1p1(&tp1p1,&pre[2], &pre[4]); p1p1_to_p3( &pre[6], &tp1p1); /* 01 10 */ + add_p1p1(&tp1p1,&pre[3], &pre[4]); p1p1_to_p3( &pre[7], &tp1p1); /* 01 11 */ + dbl_p1p1(&tp1p1,(ge25519_p2 *)p2); p1p1_to_p3( &pre[8], &tp1p1); /* 10 00 */ + add_p1p1(&tp1p1,&pre[1], &pre[8]); p1p1_to_p3( &pre[9], &tp1p1); /* 10 01 */ + dbl_p1p1(&tp1p1,(ge25519_p2 *)&pre[5]); p1p1_to_p3(&pre[10], &tp1p1); /* 10 10 */ + add_p1p1(&tp1p1,&pre[3], &pre[8]); p1p1_to_p3(&pre[11], &tp1p1); /* 10 11 */ + add_p1p1(&tp1p1,&pre[4], &pre[8]); p1p1_to_p3(&pre[12], &tp1p1); /* 11 00 */ + add_p1p1(&tp1p1,&pre[1],&pre[12]); p1p1_to_p3(&pre[13], &tp1p1); /* 11 01 */ + add_p1p1(&tp1p1,&pre[2],&pre[12]); p1p1_to_p3(&pre[14], &tp1p1); /* 11 10 */ + add_p1p1(&tp1p1,&pre[3],&pre[12]); p1p1_to_p3(&pre[15], &tp1p1); /* 11 11 */ + + sc25519_2interleave2(b,s1,s2); + + /* scalar multiplication */ + *r = pre[b[126]]; + for(i=125;i>=0;i--) + { + dbl_p1p1(&tp1p1, (ge25519_p2 *)r); + p1p1_to_p2((ge25519_p2 *) r, &tp1p1); + dbl_p1p1(&tp1p1, (ge25519_p2 *)r); + if(b[i]!=0) + { + p1p1_to_p3(r, &tp1p1); + add_p1p1(&tp1p1, r, &pre[b[i]]); + } + if(i != 0) p1p1_to_p2((ge25519_p2 *)r, &tp1p1); + else p1p1_to_p3(r, &tp1p1); + } +} + +void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s) +{ + signed char b[85]; + int i; + ge25519_aff t; + sc25519_window3(b,s); + + choose_t((ge25519_aff *)r, 0, b[0]); + fe25519_setone(&r->z); + fe25519_mul(&r->t, &r->x, &r->y); + for(i=1;i<85;i++) + { + choose_t(&t, (unsigned long long) i, b[i]); + ge25519_mixadd2(r, &t); + } +} diff --git a/crypto/openssh/ge25519.h b/crypto/openssh/ge25519.h new file mode 100644 index 000000000..64f63c6f8 --- /dev/null +++ b/crypto/openssh/ge25519.h @@ -0,0 +1,43 @@ +/* $OpenBSD: ge25519.h,v 1.3 2013/12/09 11:03:45 markus Exp $ */ + +/* + * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange, + * Peter Schwabe, Bo-Yin Yang. + * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.h + */ + +#ifndef GE25519_H +#define GE25519_H + +#include "fe25519.h" +#include "sc25519.h" + +#define ge25519 crypto_sign_ed25519_ref_ge25519 +#define ge25519_base crypto_sign_ed25519_ref_ge25519_base +#define ge25519_unpackneg_vartime crypto_sign_ed25519_ref_unpackneg_vartime +#define ge25519_pack crypto_sign_ed25519_ref_pack +#define ge25519_isneutral_vartime crypto_sign_ed25519_ref_isneutral_vartime +#define ge25519_double_scalarmult_vartime crypto_sign_ed25519_ref_double_scalarmult_vartime +#define ge25519_scalarmult_base crypto_sign_ed25519_ref_scalarmult_base + +typedef struct +{ + fe25519 x; + fe25519 y; + fe25519 z; + fe25519 t; +} ge25519; + +const ge25519 ge25519_base; + +int ge25519_unpackneg_vartime(ge25519 *r, const unsigned char p[32]); + +void ge25519_pack(unsigned char r[32], const ge25519 *p); + +int ge25519_isneutral_vartime(const ge25519 *p); + +void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const sc25519 *s1, const ge25519 *p2, const sc25519 *s2); + +void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s); + +#endif diff --git a/crypto/openssh/ge25519_base.data b/crypto/openssh/ge25519_base.data new file mode 100644 index 000000000..66fb1b61c --- /dev/null +++ b/crypto/openssh/ge25519_base.data @@ -0,0 +1,858 @@ +/* $OpenBSD: ge25519_base.data,v 1.3 2013/12/09 11:03:45 markus Exp $ */ + +/* + * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange, + * Peter Schwabe, Bo-Yin Yang. + * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519_base.data + */ + +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21}} , + {{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}}}, +{{{0x0e, 0xce, 0x43, 0x28, 0x4e, 0xa1, 0xc5, 0x83, 0x5f, 0xa4, 0xd7, 0x15, 0x45, 0x8e, 0x0d, 0x08, 0xac, 0xe7, 0x33, 0x18, 0x7d, 0x3b, 0x04, 0x3d, 0x6c, 0x04, 0x5a, 0x9f, 0x4c, 0x38, 0xab, 0x36}} , + {{0xc9, 0xa3, 0xf8, 0x6a, 0xae, 0x46, 0x5f, 0x0e, 0x56, 0x51, 0x38, 0x64, 0x51, 0x0f, 0x39, 0x97, 0x56, 0x1f, 0xa2, 0xc9, 0xe8, 0x5e, 0xa2, 0x1d, 0xc2, 0x29, 0x23, 0x09, 0xf3, 0xcd, 0x60, 0x22}}}, +{{{0x5c, 0xe2, 0xf8, 0xd3, 0x5f, 0x48, 0x62, 0xac, 0x86, 0x48, 0x62, 0x81, 0x19, 0x98, 0x43, 0x63, 0x3a, 0xc8, 0xda, 0x3e, 0x74, 0xae, 0xf4, 0x1f, 0x49, 0x8f, 0x92, 0x22, 0x4a, 0x9c, 0xae, 0x67}} , + {{0xd4, 0xb4, 0xf5, 0x78, 0x48, 0x68, 0xc3, 0x02, 0x04, 0x03, 0x24, 0x67, 0x17, 0xec, 0x16, 0x9f, 0xf7, 0x9e, 0x26, 0x60, 0x8e, 0xa1, 0x26, 0xa1, 0xab, 0x69, 0xee, 0x77, 0xd1, 0xb1, 0x67, 0x12}}}, +{{{0x70, 0xf8, 0xc9, 0xc4, 0x57, 0xa6, 0x3a, 0x49, 0x47, 0x15, 0xce, 0x93, 0xc1, 0x9e, 0x73, 0x1a, 0xf9, 0x20, 0x35, 0x7a, 0xb8, 0xd4, 0x25, 0x83, 0x46, 0xf1, 0xcf, 0x56, 0xdb, 0xa8, 0x3d, 0x20}} , + {{0x2f, 0x11, 0x32, 0xca, 0x61, 0xab, 0x38, 0xdf, 0xf0, 0x0f, 0x2f, 0xea, 0x32, 0x28, 0xf2, 0x4c, 0x6c, 0x71, 0xd5, 0x80, 0x85, 0xb8, 0x0e, 0x47, 0xe1, 0x95, 0x15, 0xcb, 0x27, 0xe8, 0xd0, 0x47}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xc8, 0x84, 0xa5, 0x08, 0xbc, 0xfd, 0x87, 0x3b, 0x99, 0x8b, 0x69, 0x80, 0x7b, 0xc6, 0x3a, 0xeb, 0x93, 0xcf, 0x4e, 0xf8, 0x5c, 0x2d, 0x86, 0x42, 0xb6, 0x71, 0xd7, 0x97, 0x5f, 0xe1, 0x42, 0x67}} , + {{0xb4, 0xb9, 0x37, 0xfc, 0xa9, 0x5b, 0x2f, 0x1e, 0x93, 0xe4, 0x1e, 0x62, 0xfc, 0x3c, 0x78, 0x81, 0x8f, 0xf3, 0x8a, 0x66, 0x09, 0x6f, 0xad, 0x6e, 0x79, 0x73, 0xe5, 0xc9, 0x00, 0x06, 0xd3, 0x21}}}, +{{{0xf8, 0xf9, 0x28, 0x6c, 0x6d, 0x59, 0xb2, 0x59, 0x74, 0x23, 0xbf, 0xe7, 0x33, 0x8d, 0x57, 0x09, 0x91, 0x9c, 0x24, 0x08, 0x15, 0x2b, 0xe2, 0xb8, 0xee, 0x3a, 0xe5, 0x27, 0x06, 0x86, 0xa4, 0x23}} , + {{0xeb, 0x27, 0x67, 0xc1, 0x37, 0xab, 0x7a, 0xd8, 0x27, 0x9c, 0x07, 0x8e, 0xff, 0x11, 0x6a, 0xb0, 0x78, 0x6e, 0xad, 0x3a, 0x2e, 0x0f, 0x98, 0x9f, 0x72, 0xc3, 0x7f, 0x82, 0xf2, 0x96, 0x96, 0x70}}}, +{{{0x81, 0x6b, 0x88, 0xe8, 0x1e, 0xc7, 0x77, 0x96, 0x0e, 0xa1, 0xa9, 0x52, 0xe0, 0xd8, 0x0e, 0x61, 0x9e, 0x79, 0x2d, 0x95, 0x9c, 0x8d, 0x96, 0xe0, 0x06, 0x40, 0x5d, 0x87, 0x28, 0x5f, 0x98, 0x70}} , + {{0xf1, 0x79, 0x7b, 0xed, 0x4f, 0x44, 0xb2, 0xe7, 0x08, 0x0d, 0xc2, 0x08, 0x12, 0xd2, 0x9f, 0xdf, 0xcd, 0x93, 0x20, 0x8a, 0xcf, 0x33, 0xca, 0x6d, 0x89, 0xb9, 0x77, 0xc8, 0x93, 0x1b, 0x4e, 0x60}}}, +{{{0x26, 0x4f, 0x7e, 0x97, 0xf6, 0x40, 0xdd, 0x4f, 0xfc, 0x52, 0x78, 0xf9, 0x90, 0x31, 0x03, 0xe6, 0x7d, 0x56, 0x39, 0x0b, 0x1d, 0x56, 0x82, 0x85, 0xf9, 0x1a, 0x42, 0x17, 0x69, 0x6c, 0xcf, 0x39}} , + {{0x69, 0xd2, 0x06, 0x3a, 0x4f, 0x39, 0x2d, 0xf9, 0x38, 0x40, 0x8c, 0x4c, 0xe7, 0x05, 0x12, 0xb4, 0x78, 0x8b, 0xf8, 0xc0, 0xec, 0x93, 0xde, 0x7a, 0x6b, 0xce, 0x2c, 0xe1, 0x0e, 0xa9, 0x34, 0x44}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x0b, 0xa4, 0x3c, 0xb0, 0x0f, 0x7a, 0x51, 0xf1, 0x78, 0xd6, 0xd9, 0x6a, 0xfd, 0x46, 0xe8, 0xb8, 0xa8, 0x79, 0x1d, 0x87, 0xf9, 0x90, 0xf2, 0x9c, 0x13, 0x29, 0xf8, 0x0b, 0x20, 0x64, 0xfa, 0x05}} , + {{0x26, 0x09, 0xda, 0x17, 0xaf, 0x95, 0xd6, 0xfb, 0x6a, 0x19, 0x0d, 0x6e, 0x5e, 0x12, 0xf1, 0x99, 0x4c, 0xaa, 0xa8, 0x6f, 0x79, 0x86, 0xf4, 0x72, 0x28, 0x00, 0x26, 0xf9, 0xea, 0x9e, 0x19, 0x3d}}}, +{{{0x87, 0xdd, 0xcf, 0xf0, 0x5b, 0x49, 0xa2, 0x5d, 0x40, 0x7a, 0x23, 0x26, 0xa4, 0x7a, 0x83, 0x8a, 0xb7, 0x8b, 0xd2, 0x1a, 0xbf, 0xea, 0x02, 0x24, 0x08, 0x5f, 0x7b, 0xa9, 0xb1, 0xbe, 0x9d, 0x37}} , + {{0xfc, 0x86, 0x4b, 0x08, 0xee, 0xe7, 0xa0, 0xfd, 0x21, 0x45, 0x09, 0x34, 0xc1, 0x61, 0x32, 0x23, 0xfc, 0x9b, 0x55, 0x48, 0x53, 0x99, 0xf7, 0x63, 0xd0, 0x99, 0xce, 0x01, 0xe0, 0x9f, 0xeb, 0x28}}}, +{{{0x47, 0xfc, 0xab, 0x5a, 0x17, 0xf0, 0x85, 0x56, 0x3a, 0x30, 0x86, 0x20, 0x28, 0x4b, 0x8e, 0x44, 0x74, 0x3a, 0x6e, 0x02, 0xf1, 0x32, 0x8f, 0x9f, 0x3f, 0x08, 0x35, 0xe9, 0xca, 0x16, 0x5f, 0x6e}} , + {{0x1c, 0x59, 0x1c, 0x65, 0x5d, 0x34, 0xa4, 0x09, 0xcd, 0x13, 0x9c, 0x70, 0x7d, 0xb1, 0x2a, 0xc5, 0x88, 0xaf, 0x0b, 0x60, 0xc7, 0x9f, 0x34, 0x8d, 0xd6, 0xb7, 0x7f, 0xea, 0x78, 0x65, 0x8d, 0x77}}}, +{{{0x56, 0xa5, 0xc2, 0x0c, 0xdd, 0xbc, 0xb8, 0x20, 0x6d, 0x57, 0x61, 0xb5, 0xfb, 0x78, 0xb5, 0xd4, 0x49, 0x54, 0x90, 0x26, 0xc1, 0xcb, 0xe9, 0xe6, 0xbf, 0xec, 0x1d, 0x4e, 0xed, 0x07, 0x7e, 0x5e}} , + {{0xc7, 0xf6, 0x6c, 0x56, 0x31, 0x20, 0x14, 0x0e, 0xa8, 0xd9, 0x27, 0xc1, 0x9a, 0x3d, 0x1b, 0x7d, 0x0e, 0x26, 0xd3, 0x81, 0xaa, 0xeb, 0xf5, 0x6b, 0x79, 0x02, 0xf1, 0x51, 0x5c, 0x75, 0x55, 0x0f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x0a, 0x34, 0xcd, 0x82, 0x3c, 0x33, 0x09, 0x54, 0xd2, 0x61, 0x39, 0x30, 0x9b, 0xfd, 0xef, 0x21, 0x26, 0xd4, 0x70, 0xfa, 0xee, 0xf9, 0x31, 0x33, 0x73, 0x84, 0xd0, 0xb3, 0x81, 0xbf, 0xec, 0x2e}} , + {{0xe8, 0x93, 0x8b, 0x00, 0x64, 0xf7, 0x9c, 0xb8, 0x74, 0xe0, 0xe6, 0x49, 0x48, 0x4d, 0x4d, 0x48, 0xb6, 0x19, 0xa1, 0x40, 0xb7, 0xd9, 0x32, 0x41, 0x7c, 0x82, 0x37, 0xa1, 0x2d, 0xdc, 0xd2, 0x54}}}, +{{{0x68, 0x2b, 0x4a, 0x5b, 0xd5, 0xc7, 0x51, 0x91, 0x1d, 0xe1, 0x2a, 0x4b, 0xc4, 0x47, 0xf1, 0xbc, 0x7a, 0xb3, 0xcb, 0xc8, 0xb6, 0x7c, 0xac, 0x90, 0x05, 0xfd, 0xf3, 0xf9, 0x52, 0x3a, 0x11, 0x6b}} , + {{0x3d, 0xc1, 0x27, 0xf3, 0x59, 0x43, 0x95, 0x90, 0xc5, 0x96, 0x79, 0xf5, 0xf4, 0x95, 0x65, 0x29, 0x06, 0x9c, 0x51, 0x05, 0x18, 0xda, 0xb8, 0x2e, 0x79, 0x7e, 0x69, 0x59, 0x71, 0x01, 0xeb, 0x1a}}}, +{{{0x15, 0x06, 0x49, 0xb6, 0x8a, 0x3c, 0xea, 0x2f, 0x34, 0x20, 0x14, 0xc3, 0xaa, 0xd6, 0xaf, 0x2c, 0x3e, 0xbd, 0x65, 0x20, 0xe2, 0x4d, 0x4b, 0x3b, 0xeb, 0x9f, 0x4a, 0xc3, 0xad, 0xa4, 0x3b, 0x60}} , + {{0xbc, 0x58, 0xe6, 0xc0, 0x95, 0x2a, 0x2a, 0x81, 0x9a, 0x7a, 0xf3, 0xd2, 0x06, 0xbe, 0x48, 0xbc, 0x0c, 0xc5, 0x46, 0xe0, 0x6a, 0xd4, 0xac, 0x0f, 0xd9, 0xcc, 0x82, 0x34, 0x2c, 0xaf, 0xdb, 0x1f}}}, +{{{0xf7, 0x17, 0x13, 0xbd, 0xfb, 0xbc, 0xd2, 0xec, 0x45, 0xb3, 0x15, 0x31, 0xe9, 0xaf, 0x82, 0x84, 0x3d, 0x28, 0xc6, 0xfc, 0x11, 0xf5, 0x41, 0xb5, 0x8b, 0xd3, 0x12, 0x76, 0x52, 0xe7, 0x1a, 0x3c}} , + {{0x4e, 0x36, 0x11, 0x07, 0xa2, 0x15, 0x20, 0x51, 0xc4, 0x2a, 0xc3, 0x62, 0x8b, 0x5e, 0x7f, 0xa6, 0x0f, 0xf9, 0x45, 0x85, 0x6c, 0x11, 0x86, 0xb7, 0x7e, 0xe5, 0xd7, 0xf9, 0xc3, 0x91, 0x1c, 0x05}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xea, 0xd6, 0xde, 0x29, 0x3a, 0x00, 0xb9, 0x02, 0x59, 0xcb, 0x26, 0xc4, 0xba, 0x99, 0xb1, 0x97, 0x2f, 0x8e, 0x00, 0x92, 0x26, 0x4f, 0x52, 0xeb, 0x47, 0x1b, 0x89, 0x8b, 0x24, 0xc0, 0x13, 0x7d}} , + {{0xd5, 0x20, 0x5b, 0x80, 0xa6, 0x80, 0x20, 0x95, 0xc3, 0xe9, 0x9f, 0x8e, 0x87, 0x9e, 0x1e, 0x9e, 0x7a, 0xc7, 0xcc, 0x75, 0x6c, 0xa5, 0xf1, 0x91, 0x1a, 0xa8, 0x01, 0x2c, 0xab, 0x76, 0xa9, 0x59}}}, +{{{0xde, 0xc9, 0xb1, 0x31, 0x10, 0x16, 0xaa, 0x35, 0x14, 0x6a, 0xd4, 0xb5, 0x34, 0x82, 0x71, 0xd2, 0x4a, 0x5d, 0x9a, 0x1f, 0x53, 0x26, 0x3c, 0xe5, 0x8e, 0x8d, 0x33, 0x7f, 0xff, 0xa9, 0xd5, 0x17}} , + {{0x89, 0xaf, 0xf6, 0xa4, 0x64, 0xd5, 0x10, 0xe0, 0x1d, 0xad, 0xef, 0x44, 0xbd, 0xda, 0x83, 0xac, 0x7a, 0xa8, 0xf0, 0x1c, 0x07, 0xf9, 0xc3, 0x43, 0x6c, 0x3f, 0xb7, 0xd3, 0x87, 0x22, 0x02, 0x73}}}, +{{{0x64, 0x1d, 0x49, 0x13, 0x2f, 0x71, 0xec, 0x69, 0x87, 0xd0, 0x42, 0xee, 0x13, 0xec, 0xe3, 0xed, 0x56, 0x7b, 0xbf, 0xbd, 0x8c, 0x2f, 0x7d, 0x7b, 0x9d, 0x28, 0xec, 0x8e, 0x76, 0x2f, 0x6f, 0x08}} , + {{0x22, 0xf5, 0x5f, 0x4d, 0x15, 0xef, 0xfc, 0x4e, 0x57, 0x03, 0x36, 0x89, 0xf0, 0xeb, 0x5b, 0x91, 0xd6, 0xe2, 0xca, 0x01, 0xa5, 0xee, 0x52, 0xec, 0xa0, 0x3c, 0x8f, 0x33, 0x90, 0x5a, 0x94, 0x72}}}, +{{{0x8a, 0x4b, 0xe7, 0x38, 0xbc, 0xda, 0xc2, 0xb0, 0x85, 0xe1, 0x4a, 0xfe, 0x2d, 0x44, 0x84, 0xcb, 0x20, 0x6b, 0x2d, 0xbf, 0x11, 0x9c, 0xd7, 0xbe, 0xd3, 0x3e, 0x5f, 0xbf, 0x68, 0xbc, 0xa8, 0x07}} , + {{0x01, 0x89, 0x28, 0x22, 0x6a, 0x78, 0xaa, 0x29, 0x03, 0xc8, 0x74, 0x95, 0x03, 0x3e, 0xdc, 0xbd, 0x07, 0x13, 0xa8, 0xa2, 0x20, 0x2d, 0xb3, 0x18, 0x70, 0x42, 0xfd, 0x7a, 0xc4, 0xd7, 0x49, 0x72}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x02, 0xff, 0x32, 0x2b, 0x5c, 0x93, 0x54, 0x32, 0xe8, 0x57, 0x54, 0x1a, 0x8b, 0x33, 0x60, 0x65, 0xd3, 0x67, 0xa4, 0xc1, 0x26, 0xc4, 0xa4, 0x34, 0x1f, 0x9b, 0xa7, 0xa9, 0xf4, 0xd9, 0x4f, 0x5b}} , + {{0x46, 0x8d, 0xb0, 0x33, 0x54, 0x26, 0x5b, 0x68, 0xdf, 0xbb, 0xc5, 0xec, 0xc2, 0xf9, 0x3c, 0x5a, 0x37, 0xc1, 0x8e, 0x27, 0x47, 0xaa, 0x49, 0x5a, 0xf8, 0xfb, 0x68, 0x04, 0x23, 0xd1, 0xeb, 0x40}}}, +{{{0x65, 0xa5, 0x11, 0x84, 0x8a, 0x67, 0x9d, 0x9e, 0xd1, 0x44, 0x68, 0x7a, 0x34, 0xe1, 0x9f, 0xa3, 0x54, 0xcd, 0x07, 0xca, 0x79, 0x1f, 0x54, 0x2f, 0x13, 0x70, 0x4e, 0xee, 0xa2, 0xfa, 0xe7, 0x5d}} , + {{0x36, 0xec, 0x54, 0xf8, 0xce, 0xe4, 0x85, 0xdf, 0xf6, 0x6f, 0x1d, 0x90, 0x08, 0xbc, 0xe8, 0xc0, 0x92, 0x2d, 0x43, 0x6b, 0x92, 0xa9, 0x8e, 0xab, 0x0a, 0x2e, 0x1c, 0x1e, 0x64, 0x23, 0x9f, 0x2c}}}, +{{{0xa7, 0xd6, 0x2e, 0xd5, 0xcc, 0xd4, 0xcb, 0x5a, 0x3b, 0xa7, 0xf9, 0x46, 0x03, 0x1d, 0xad, 0x2b, 0x34, 0x31, 0x90, 0x00, 0x46, 0x08, 0x82, 0x14, 0xc4, 0xe0, 0x9c, 0xf0, 0xe3, 0x55, 0x43, 0x31}} , + {{0x60, 0xd6, 0xdd, 0x78, 0xe6, 0xd4, 0x22, 0x42, 0x1f, 0x00, 0xf9, 0xb1, 0x6a, 0x63, 0xe2, 0x92, 0x59, 0xd1, 0x1a, 0xb7, 0x00, 0x54, 0x29, 0xc9, 0xc1, 0xf6, 0x6f, 0x7a, 0xc5, 0x3c, 0x5f, 0x65}}}, +{{{0x27, 0x4f, 0xd0, 0x72, 0xb1, 0x11, 0x14, 0x27, 0x15, 0x94, 0x48, 0x81, 0x7e, 0x74, 0xd8, 0x32, 0xd5, 0xd1, 0x11, 0x28, 0x60, 0x63, 0x36, 0x32, 0x37, 0xb5, 0x13, 0x1c, 0xa0, 0x37, 0xe3, 0x74}} , + {{0xf1, 0x25, 0x4e, 0x11, 0x96, 0x67, 0xe6, 0x1c, 0xc2, 0xb2, 0x53, 0xe2, 0xda, 0x85, 0xee, 0xb2, 0x9f, 0x59, 0xf3, 0xba, 0xbd, 0xfa, 0xcf, 0x6e, 0xf9, 0xda, 0xa4, 0xb3, 0x02, 0x8f, 0x64, 0x08}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x34, 0x94, 0xf2, 0x64, 0x54, 0x47, 0x37, 0x07, 0x40, 0x8a, 0x20, 0xba, 0x4a, 0x55, 0xd7, 0x3f, 0x47, 0xba, 0x25, 0x23, 0x14, 0xb0, 0x2c, 0xe8, 0x55, 0xa8, 0xa6, 0xef, 0x51, 0xbd, 0x6f, 0x6a}} , + {{0x71, 0xd6, 0x16, 0x76, 0xb2, 0x06, 0xea, 0x79, 0xf5, 0xc4, 0xc3, 0x52, 0x7e, 0x61, 0xd1, 0xe1, 0xad, 0x70, 0x78, 0x1d, 0x16, 0x11, 0xf8, 0x7c, 0x2b, 0xfc, 0x55, 0x9f, 0x52, 0xf8, 0xf5, 0x16}}}, +{{{0x34, 0x96, 0x9a, 0xf6, 0xc5, 0xe0, 0x14, 0x03, 0x24, 0x0e, 0x4c, 0xad, 0x9e, 0x9a, 0x70, 0x23, 0x96, 0xb2, 0xf1, 0x2e, 0x9d, 0xc3, 0x32, 0x9b, 0x54, 0xa5, 0x73, 0xde, 0x88, 0xb1, 0x3e, 0x24}} , + {{0xf6, 0xe2, 0x4c, 0x1f, 0x5b, 0xb2, 0xaf, 0x82, 0xa5, 0xcf, 0x81, 0x10, 0x04, 0xef, 0xdb, 0xa2, 0xcc, 0x24, 0xb2, 0x7e, 0x0b, 0x7a, 0xeb, 0x01, 0xd8, 0x52, 0xf4, 0x51, 0x89, 0x29, 0x79, 0x37}}}, +{{{0x74, 0xde, 0x12, 0xf3, 0x68, 0xb7, 0x66, 0xc3, 0xee, 0x68, 0xdc, 0x81, 0xb5, 0x55, 0x99, 0xab, 0xd9, 0x28, 0x63, 0x6d, 0x8b, 0x40, 0x69, 0x75, 0x6c, 0xcd, 0x5c, 0x2a, 0x7e, 0x32, 0x7b, 0x29}} , + {{0x02, 0xcc, 0x22, 0x74, 0x4d, 0x19, 0x07, 0xc0, 0xda, 0xb5, 0x76, 0x51, 0x2a, 0xaa, 0xa6, 0x0a, 0x5f, 0x26, 0xd4, 0xbc, 0xaf, 0x48, 0x88, 0x7f, 0x02, 0xbc, 0xf2, 0xe1, 0xcf, 0xe9, 0xdd, 0x15}}}, +{{{0xed, 0xb5, 0x9a, 0x8c, 0x9a, 0xdd, 0x27, 0xf4, 0x7f, 0x47, 0xd9, 0x52, 0xa7, 0xcd, 0x65, 0xa5, 0x31, 0x22, 0xed, 0xa6, 0x63, 0x5b, 0x80, 0x4a, 0xad, 0x4d, 0xed, 0xbf, 0xee, 0x49, 0xb3, 0x06}} , + {{0xf8, 0x64, 0x8b, 0x60, 0x90, 0xe9, 0xde, 0x44, 0x77, 0xb9, 0x07, 0x36, 0x32, 0xc2, 0x50, 0xf5, 0x65, 0xdf, 0x48, 0x4c, 0x37, 0xaa, 0x68, 0xab, 0x9a, 0x1f, 0x3e, 0xff, 0x89, 0x92, 0xa0, 0x07}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x7d, 0x4f, 0x9c, 0x19, 0xc0, 0x4a, 0x31, 0xec, 0xf9, 0xaa, 0xeb, 0xb2, 0x16, 0x9c, 0xa3, 0x66, 0x5f, 0xd1, 0xd4, 0xed, 0xb8, 0x92, 0x1c, 0xab, 0xda, 0xea, 0xd9, 0x57, 0xdf, 0x4c, 0x2a, 0x48}} , + {{0x4b, 0xb0, 0x4e, 0x6e, 0x11, 0x3b, 0x51, 0xbd, 0x6a, 0xfd, 0xe4, 0x25, 0xa5, 0x5f, 0x11, 0x3f, 0x98, 0x92, 0x51, 0x14, 0xc6, 0x5f, 0x3c, 0x0b, 0xa8, 0xf7, 0xc2, 0x81, 0x43, 0xde, 0x91, 0x73}}}, +{{{0x3c, 0x8f, 0x9f, 0x33, 0x2a, 0x1f, 0x43, 0x33, 0x8f, 0x68, 0xff, 0x1f, 0x3d, 0x73, 0x6b, 0xbf, 0x68, 0xcc, 0x7d, 0x13, 0x6c, 0x24, 0x4b, 0xcc, 0x4d, 0x24, 0x0d, 0xfe, 0xde, 0x86, 0xad, 0x3b}} , + {{0x79, 0x51, 0x81, 0x01, 0xdc, 0x73, 0x53, 0xe0, 0x6e, 0x9b, 0xea, 0x68, 0x3f, 0x5c, 0x14, 0x84, 0x53, 0x8d, 0x4b, 0xc0, 0x9f, 0x9f, 0x89, 0x2b, 0x8c, 0xba, 0x86, 0xfa, 0xf2, 0xcd, 0xe3, 0x2d}}}, +{{{0x06, 0xf9, 0x29, 0x5a, 0xdb, 0x3d, 0x84, 0x52, 0xab, 0xcc, 0x6b, 0x60, 0x9d, 0xb7, 0x4a, 0x0e, 0x36, 0x63, 0x91, 0xad, 0xa0, 0x95, 0xb0, 0x97, 0x89, 0x4e, 0xcf, 0x7d, 0x3c, 0xe5, 0x7c, 0x28}} , + {{0x2e, 0x69, 0x98, 0xfd, 0xc6, 0xbd, 0xcc, 0xca, 0xdf, 0x9a, 0x44, 0x7e, 0x9d, 0xca, 0x89, 0x6d, 0xbf, 0x27, 0xc2, 0xf8, 0xcd, 0x46, 0x00, 0x2b, 0xb5, 0x58, 0x4e, 0xb7, 0x89, 0x09, 0xe9, 0x2d}}}, +{{{0x54, 0xbe, 0x75, 0xcb, 0x05, 0xb0, 0x54, 0xb7, 0xe7, 0x26, 0x86, 0x4a, 0xfc, 0x19, 0xcf, 0x27, 0x46, 0xd4, 0x22, 0x96, 0x5a, 0x11, 0xe8, 0xd5, 0x1b, 0xed, 0x71, 0xc5, 0x5d, 0xc8, 0xaf, 0x45}} , + {{0x40, 0x7b, 0x77, 0x57, 0x49, 0x9e, 0x80, 0x39, 0x23, 0xee, 0x81, 0x0b, 0x22, 0xcf, 0xdb, 0x7a, 0x2f, 0x14, 0xb8, 0x57, 0x8f, 0xa1, 0x39, 0x1e, 0x77, 0xfc, 0x0b, 0xa6, 0xbf, 0x8a, 0x0c, 0x6c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x77, 0x3a, 0xd4, 0xd8, 0x27, 0xcf, 0xe8, 0xa1, 0x72, 0x9d, 0xca, 0xdd, 0x0d, 0x96, 0xda, 0x79, 0xed, 0x56, 0x42, 0x15, 0x60, 0xc7, 0x1c, 0x6b, 0x26, 0x30, 0xf6, 0x6a, 0x95, 0x67, 0xf3, 0x0a}} , + {{0xc5, 0x08, 0xa4, 0x2b, 0x2f, 0xbd, 0x31, 0x81, 0x2a, 0xa6, 0xb6, 0xe4, 0x00, 0x91, 0xda, 0x3d, 0xb2, 0xb0, 0x96, 0xce, 0x8a, 0xd2, 0x8d, 0x70, 0xb3, 0xd3, 0x34, 0x01, 0x90, 0x8d, 0x10, 0x21}}}, +{{{0x33, 0x0d, 0xe7, 0xba, 0x4f, 0x07, 0xdf, 0x8d, 0xea, 0x7d, 0xa0, 0xc5, 0xd6, 0xb1, 0xb0, 0xe5, 0x57, 0x1b, 0x5b, 0xf5, 0x45, 0x13, 0x14, 0x64, 0x5a, 0xeb, 0x5c, 0xfc, 0x54, 0x01, 0x76, 0x2b}} , + {{0x02, 0x0c, 0xc2, 0xaf, 0x96, 0x36, 0xfe, 0x4a, 0xe2, 0x54, 0x20, 0x6a, 0xeb, 0xb2, 0x9f, 0x62, 0xd7, 0xce, 0xa2, 0x3f, 0x20, 0x11, 0x34, 0x37, 0xe0, 0x42, 0xed, 0x6f, 0xf9, 0x1a, 0xc8, 0x7d}}}, +{{{0xd8, 0xb9, 0x11, 0xe8, 0x36, 0x3f, 0x42, 0xc1, 0xca, 0xdc, 0xd3, 0xf1, 0xc8, 0x23, 0x3d, 0x4f, 0x51, 0x7b, 0x9d, 0x8d, 0xd8, 0xe4, 0xa0, 0xaa, 0xf3, 0x04, 0xd6, 0x11, 0x93, 0xc8, 0x35, 0x45}} , + {{0x61, 0x36, 0xd6, 0x08, 0x90, 0xbf, 0xa7, 0x7a, 0x97, 0x6c, 0x0f, 0x84, 0xd5, 0x33, 0x2d, 0x37, 0xc9, 0x6a, 0x80, 0x90, 0x3d, 0x0a, 0xa2, 0xaa, 0xe1, 0xb8, 0x84, 0xba, 0x61, 0x36, 0xdd, 0x69}}}, +{{{0x6b, 0xdb, 0x5b, 0x9c, 0xc6, 0x92, 0xbc, 0x23, 0xaf, 0xc5, 0xb8, 0x75, 0xf8, 0x42, 0xfa, 0xd6, 0xb6, 0x84, 0x94, 0x63, 0x98, 0x93, 0x48, 0x78, 0x38, 0xcd, 0xbb, 0x18, 0x34, 0xc3, 0xdb, 0x67}} , + {{0x96, 0xf3, 0x3a, 0x09, 0x56, 0xb0, 0x6f, 0x7c, 0x51, 0x1e, 0x1b, 0x39, 0x48, 0xea, 0xc9, 0x0c, 0x25, 0xa2, 0x7a, 0xca, 0xe7, 0x92, 0xfc, 0x59, 0x30, 0xa3, 0x89, 0x85, 0xdf, 0x6f, 0x43, 0x38}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x79, 0x84, 0x44, 0x19, 0xbd, 0xe9, 0x54, 0xc4, 0xc0, 0x6e, 0x2a, 0xa8, 0xa8, 0x9b, 0x43, 0xd5, 0x71, 0x22, 0x5f, 0xdc, 0x01, 0xfa, 0xdf, 0xb3, 0xb8, 0x47, 0x4b, 0x0a, 0xa5, 0x44, 0xea, 0x29}} , + {{0x05, 0x90, 0x50, 0xaf, 0x63, 0x5f, 0x9d, 0x9e, 0xe1, 0x9d, 0x38, 0x97, 0x1f, 0x6c, 0xac, 0x30, 0x46, 0xb2, 0x6a, 0x19, 0xd1, 0x4b, 0xdb, 0xbb, 0x8c, 0xda, 0x2e, 0xab, 0xc8, 0x5a, 0x77, 0x6c}}}, +{{{0x2b, 0xbe, 0xaf, 0xa1, 0x6d, 0x2f, 0x0b, 0xb1, 0x8f, 0xe3, 0xe0, 0x38, 0xcd, 0x0b, 0x41, 0x1b, 0x4a, 0x15, 0x07, 0xf3, 0x6f, 0xdc, 0xb8, 0xe9, 0xde, 0xb2, 0xa3, 0x40, 0x01, 0xa6, 0x45, 0x1e}} , + {{0x76, 0x0a, 0xda, 0x8d, 0x2c, 0x07, 0x3f, 0x89, 0x7d, 0x04, 0xad, 0x43, 0x50, 0x6e, 0xd2, 0x47, 0xcb, 0x8a, 0xe6, 0x85, 0x1a, 0x24, 0xf3, 0xd2, 0x60, 0xfd, 0xdf, 0x73, 0xa4, 0x0d, 0x73, 0x0e}}}, +{{{0xfd, 0x67, 0x6b, 0x71, 0x9b, 0x81, 0x53, 0x39, 0x39, 0xf4, 0xb8, 0xd5, 0xc3, 0x30, 0x9b, 0x3b, 0x7c, 0xa3, 0xf0, 0xd0, 0x84, 0x21, 0xd6, 0xbf, 0xb7, 0x4c, 0x87, 0x13, 0x45, 0x2d, 0xa7, 0x55}} , + {{0x5d, 0x04, 0xb3, 0x40, 0x28, 0x95, 0x2d, 0x30, 0x83, 0xec, 0x5e, 0xe4, 0xff, 0x75, 0xfe, 0x79, 0x26, 0x9d, 0x1d, 0x36, 0xcd, 0x0a, 0x15, 0xd2, 0x24, 0x14, 0x77, 0x71, 0xd7, 0x8a, 0x1b, 0x04}}}, +{{{0x5d, 0x93, 0xc9, 0xbe, 0xaa, 0x90, 0xcd, 0x9b, 0xfb, 0x73, 0x7e, 0xb0, 0x64, 0x98, 0x57, 0x44, 0x42, 0x41, 0xb1, 0xaf, 0xea, 0xc1, 0xc3, 0x22, 0xff, 0x60, 0x46, 0xcb, 0x61, 0x81, 0x70, 0x61}} , + {{0x0d, 0x82, 0xb9, 0xfe, 0x21, 0xcd, 0xc4, 0xf5, 0x98, 0x0c, 0x4e, 0x72, 0xee, 0x87, 0x49, 0xf8, 0xa1, 0x95, 0xdf, 0x8f, 0x2d, 0xbd, 0x21, 0x06, 0x7c, 0x15, 0xe8, 0x12, 0x6d, 0x93, 0xd6, 0x38}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x91, 0xf7, 0x51, 0xd9, 0xef, 0x7d, 0x42, 0x01, 0x13, 0xe9, 0xb8, 0x7f, 0xa6, 0x49, 0x17, 0x64, 0x21, 0x80, 0x83, 0x2c, 0x63, 0x4c, 0x60, 0x09, 0x59, 0x91, 0x92, 0x77, 0x39, 0x51, 0xf4, 0x48}} , + {{0x60, 0xd5, 0x22, 0x83, 0x08, 0x2f, 0xff, 0x99, 0x3e, 0x69, 0x6d, 0x88, 0xda, 0xe7, 0x5b, 0x52, 0x26, 0x31, 0x2a, 0xe5, 0x89, 0xde, 0x68, 0x90, 0xb6, 0x22, 0x5a, 0xbd, 0xd3, 0x85, 0x53, 0x31}}}, +{{{0xd8, 0xce, 0xdc, 0xf9, 0x3c, 0x4b, 0xa2, 0x1d, 0x2c, 0x2f, 0x36, 0xbe, 0x7a, 0xfc, 0xcd, 0xbc, 0xdc, 0xf9, 0x30, 0xbd, 0xff, 0x05, 0xc7, 0xe4, 0x8e, 0x17, 0x62, 0xf8, 0x4d, 0xa0, 0x56, 0x79}} , + {{0x82, 0xe7, 0xf6, 0xba, 0x53, 0x84, 0x0a, 0xa3, 0x34, 0xff, 0x3c, 0xa3, 0x6a, 0xa1, 0x37, 0xea, 0xdd, 0xb6, 0x95, 0xb3, 0x78, 0x19, 0x76, 0x1e, 0x55, 0x2f, 0x77, 0x2e, 0x7f, 0xc1, 0xea, 0x5e}}}, +{{{0x83, 0xe1, 0x6e, 0xa9, 0x07, 0x33, 0x3e, 0x83, 0xff, 0xcb, 0x1c, 0x9f, 0xb1, 0xa3, 0xb4, 0xc9, 0xe1, 0x07, 0x97, 0xff, 0xf8, 0x23, 0x8f, 0xce, 0x40, 0xfd, 0x2e, 0x5e, 0xdb, 0x16, 0x43, 0x2d}} , + {{0xba, 0x38, 0x02, 0xf7, 0x81, 0x43, 0x83, 0xa3, 0x20, 0x4f, 0x01, 0x3b, 0x8a, 0x04, 0x38, 0x31, 0xc6, 0x0f, 0xc8, 0xdf, 0xd7, 0xfa, 0x2f, 0x88, 0x3f, 0xfc, 0x0c, 0x76, 0xc4, 0xa6, 0x45, 0x72}}}, +{{{0xbb, 0x0c, 0xbc, 0x6a, 0xa4, 0x97, 0x17, 0x93, 0x2d, 0x6f, 0xde, 0x72, 0x10, 0x1c, 0x08, 0x2c, 0x0f, 0x80, 0x32, 0x68, 0x27, 0xd4, 0xab, 0xdd, 0xc5, 0x58, 0x61, 0x13, 0x6d, 0x11, 0x1e, 0x4d}} , + {{0x1a, 0xb9, 0xc9, 0x10, 0xfb, 0x1e, 0x4e, 0xf4, 0x84, 0x4b, 0x8a, 0x5e, 0x7b, 0x4b, 0xe8, 0x43, 0x8c, 0x8f, 0x00, 0xb5, 0x54, 0x13, 0xc5, 0x5c, 0xb6, 0x35, 0x4e, 0x9d, 0xe4, 0x5b, 0x41, 0x6d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x15, 0x7d, 0x12, 0x48, 0x82, 0x14, 0x42, 0xcd, 0x32, 0xd4, 0x4b, 0xc1, 0x72, 0x61, 0x2a, 0x8c, 0xec, 0xe2, 0xf8, 0x24, 0x45, 0x94, 0xe3, 0xbe, 0xdd, 0x67, 0xa8, 0x77, 0x5a, 0xae, 0x5b, 0x4b}} , + {{0xcb, 0x77, 0x9a, 0x20, 0xde, 0xb8, 0x23, 0xd9, 0xa0, 0x0f, 0x8c, 0x7b, 0xa5, 0xcb, 0xae, 0xb6, 0xec, 0x42, 0x67, 0x0e, 0x58, 0xa4, 0x75, 0x98, 0x21, 0x71, 0x84, 0xb3, 0xe0, 0x76, 0x94, 0x73}}}, +{{{0xdf, 0xfc, 0x69, 0x28, 0x23, 0x3f, 0x5b, 0xf8, 0x3b, 0x24, 0x37, 0xf3, 0x1d, 0xd5, 0x22, 0x6b, 0xd0, 0x98, 0xa8, 0x6c, 0xcf, 0xff, 0x06, 0xe1, 0x13, 0xdf, 0xb9, 0xc1, 0x0c, 0xa9, 0xbf, 0x33}} , + {{0xd9, 0x81, 0xda, 0xb2, 0x4f, 0x82, 0x9d, 0x43, 0x81, 0x09, 0xf1, 0xd2, 0x01, 0xef, 0xac, 0xf4, 0x2d, 0x7d, 0x01, 0x09, 0xf1, 0xff, 0xa5, 0x9f, 0xe5, 0xca, 0x27, 0x63, 0xdb, 0x20, 0xb1, 0x53}}}, +{{{0x67, 0x02, 0xe8, 0xad, 0xa9, 0x34, 0xd4, 0xf0, 0x15, 0x81, 0xaa, 0xc7, 0x4d, 0x87, 0x94, 0xea, 0x75, 0xe7, 0x4c, 0x94, 0x04, 0x0e, 0x69, 0x87, 0xe7, 0x51, 0x91, 0x10, 0x03, 0xc7, 0xbe, 0x56}} , + {{0x32, 0xfb, 0x86, 0xec, 0x33, 0x6b, 0x2e, 0x51, 0x2b, 0xc8, 0xfa, 0x6c, 0x70, 0x47, 0x7e, 0xce, 0x05, 0x0c, 0x71, 0xf3, 0xb4, 0x56, 0xa6, 0xdc, 0xcc, 0x78, 0x07, 0x75, 0xd0, 0xdd, 0xb2, 0x6a}}}, +{{{0xc6, 0xef, 0xb9, 0xc0, 0x2b, 0x22, 0x08, 0x1e, 0x71, 0x70, 0xb3, 0x35, 0x9c, 0x7a, 0x01, 0x92, 0x44, 0x9a, 0xf6, 0xb0, 0x58, 0x95, 0xc1, 0x9b, 0x02, 0xed, 0x2d, 0x7c, 0x34, 0x29, 0x49, 0x44}} , + {{0x45, 0x62, 0x1d, 0x2e, 0xff, 0x2a, 0x1c, 0x21, 0xa4, 0x25, 0x7b, 0x0d, 0x8c, 0x15, 0x39, 0xfc, 0x8f, 0x7c, 0xa5, 0x7d, 0x1e, 0x25, 0xa3, 0x45, 0xd6, 0xab, 0xbd, 0xcb, 0xc5, 0x5e, 0x78, 0x77}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xd0, 0xd3, 0x42, 0xed, 0x1d, 0x00, 0x3c, 0x15, 0x2c, 0x9c, 0x77, 0x81, 0xd2, 0x73, 0xd1, 0x06, 0xd5, 0xc4, 0x7f, 0x94, 0xbb, 0x92, 0x2d, 0x2c, 0x4b, 0x45, 0x4b, 0xe9, 0x2a, 0x89, 0x6b, 0x2b}} , + {{0xd2, 0x0c, 0x88, 0xc5, 0x48, 0x4d, 0xea, 0x0d, 0x4a, 0xc9, 0x52, 0x6a, 0x61, 0x79, 0xe9, 0x76, 0xf3, 0x85, 0x52, 0x5c, 0x1b, 0x2c, 0xe1, 0xd6, 0xc4, 0x0f, 0x18, 0x0e, 0x4e, 0xf6, 0x1c, 0x7f}}}, +{{{0xb4, 0x04, 0x2e, 0x42, 0xcb, 0x1f, 0x2b, 0x11, 0x51, 0x7b, 0x08, 0xac, 0xaa, 0x3e, 0x9e, 0x52, 0x60, 0xb7, 0xc2, 0x61, 0x57, 0x8c, 0x84, 0xd5, 0x18, 0xa6, 0x19, 0xfc, 0xb7, 0x75, 0x91, 0x1b}} , + {{0xe8, 0x68, 0xca, 0x44, 0xc8, 0x38, 0x38, 0xcc, 0x53, 0x0a, 0x32, 0x35, 0xcc, 0x52, 0xcb, 0x0e, 0xf7, 0xc5, 0xe7, 0xec, 0x3d, 0x85, 0xcc, 0x58, 0xe2, 0x17, 0x47, 0xff, 0x9f, 0xa5, 0x30, 0x17}}}, +{{{0xe3, 0xae, 0xc8, 0xc1, 0x71, 0x75, 0x31, 0x00, 0x37, 0x41, 0x5c, 0x0e, 0x39, 0xda, 0x73, 0xa0, 0xc7, 0x97, 0x36, 0x6c, 0x5b, 0xf2, 0xee, 0x64, 0x0a, 0x3d, 0x89, 0x1e, 0x1d, 0x49, 0x8c, 0x37}} , + {{0x4c, 0xe6, 0xb0, 0xc1, 0xa5, 0x2a, 0x82, 0x09, 0x08, 0xad, 0x79, 0x9c, 0x56, 0xf6, 0xf9, 0xc1, 0xd7, 0x7c, 0x39, 0x7f, 0x93, 0xca, 0x11, 0x55, 0xbf, 0x07, 0x1b, 0x82, 0x29, 0x69, 0x95, 0x5c}}}, +{{{0x87, 0xee, 0xa6, 0x56, 0x9e, 0xc2, 0x9a, 0x56, 0x24, 0x42, 0x85, 0x4d, 0x98, 0x31, 0x1e, 0x60, 0x4d, 0x87, 0x85, 0x04, 0xae, 0x46, 0x12, 0xf9, 0x8e, 0x7f, 0xe4, 0x7f, 0xf6, 0x1c, 0x37, 0x01}} , + {{0x73, 0x4c, 0xb6, 0xc5, 0xc4, 0xe9, 0x6c, 0x85, 0x48, 0x4a, 0x5a, 0xac, 0xd9, 0x1f, 0x43, 0xf8, 0x62, 0x5b, 0xee, 0x98, 0x2a, 0x33, 0x8e, 0x79, 0xce, 0x61, 0x06, 0x35, 0xd8, 0xd7, 0xca, 0x71}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x72, 0xd3, 0xae, 0xa6, 0xca, 0x8f, 0xcd, 0xcc, 0x78, 0x8e, 0x19, 0x4d, 0xa7, 0xd2, 0x27, 0xe9, 0xa4, 0x3c, 0x16, 0x5b, 0x84, 0x80, 0xf9, 0xd0, 0xcc, 0x6a, 0x1e, 0xca, 0x1e, 0x67, 0xbd, 0x63}} , + {{0x7b, 0x6e, 0x2a, 0xd2, 0x87, 0x48, 0xff, 0xa1, 0xca, 0xe9, 0x15, 0x85, 0xdc, 0xdb, 0x2c, 0x39, 0x12, 0x91, 0xa9, 0x20, 0xaa, 0x4f, 0x29, 0xf4, 0x15, 0x7a, 0xd2, 0xf5, 0x32, 0xcc, 0x60, 0x04}}}, +{{{0xe5, 0x10, 0x47, 0x3b, 0xfa, 0x90, 0xfc, 0x30, 0xb5, 0xea, 0x6f, 0x56, 0x8f, 0xfb, 0x0e, 0xa7, 0x3b, 0xc8, 0xb2, 0xff, 0x02, 0x7a, 0x33, 0x94, 0x93, 0x2a, 0x03, 0xe0, 0x96, 0x3a, 0x6c, 0x0f}} , + {{0x5a, 0x63, 0x67, 0xe1, 0x9b, 0x47, 0x78, 0x9f, 0x38, 0x79, 0xac, 0x97, 0x66, 0x1d, 0x5e, 0x51, 0xee, 0x24, 0x42, 0xe8, 0x58, 0x4b, 0x8a, 0x03, 0x75, 0x86, 0x37, 0x86, 0xe2, 0x97, 0x4e, 0x3d}}}, +{{{0x3f, 0x75, 0x8e, 0xb4, 0xff, 0xd8, 0xdd, 0xd6, 0x37, 0x57, 0x9d, 0x6d, 0x3b, 0xbd, 0xd5, 0x60, 0x88, 0x65, 0x9a, 0xb9, 0x4a, 0x68, 0x84, 0xa2, 0x67, 0xdd, 0x17, 0x25, 0x97, 0x04, 0x8b, 0x5e}} , + {{0xbb, 0x40, 0x5e, 0xbc, 0x16, 0x92, 0x05, 0xc4, 0xc0, 0x4e, 0x72, 0x90, 0x0e, 0xab, 0xcf, 0x8a, 0xed, 0xef, 0xb9, 0x2d, 0x3b, 0xf8, 0x43, 0x5b, 0xba, 0x2d, 0xeb, 0x2f, 0x52, 0xd2, 0xd1, 0x5a}}}, +{{{0x40, 0xb4, 0xab, 0xe6, 0xad, 0x9f, 0x46, 0x69, 0x4a, 0xb3, 0x8e, 0xaa, 0xea, 0x9c, 0x8a, 0x20, 0x16, 0x5d, 0x8c, 0x13, 0xbd, 0xf6, 0x1d, 0xc5, 0x24, 0xbd, 0x90, 0x2a, 0x1c, 0xc7, 0x13, 0x3b}} , + {{0x54, 0xdc, 0x16, 0x0d, 0x18, 0xbe, 0x35, 0x64, 0x61, 0x52, 0x02, 0x80, 0xaf, 0x05, 0xf7, 0xa6, 0x42, 0xd3, 0x8f, 0x2e, 0x79, 0x26, 0xa8, 0xbb, 0xb2, 0x17, 0x48, 0xb2, 0x7a, 0x0a, 0x89, 0x14}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x20, 0xa8, 0x88, 0xe3, 0x91, 0xc0, 0x6e, 0xbb, 0x8a, 0x27, 0x82, 0x51, 0x83, 0xb2, 0x28, 0xa9, 0x83, 0xeb, 0xa6, 0xa9, 0x4d, 0x17, 0x59, 0x22, 0x54, 0x00, 0x50, 0x45, 0xcb, 0x48, 0x4b, 0x18}} , + {{0x33, 0x7c, 0xe7, 0x26, 0xba, 0x4d, 0x32, 0xfe, 0x53, 0xf4, 0xfa, 0x83, 0xe3, 0xa5, 0x79, 0x66, 0x73, 0xef, 0x80, 0x23, 0x68, 0xc2, 0x60, 0xdd, 0xa9, 0x33, 0xdc, 0x03, 0x7a, 0xe0, 0xe0, 0x3e}}}, +{{{0x34, 0x5c, 0x13, 0xfb, 0xc0, 0xe3, 0x78, 0x2b, 0x54, 0x58, 0x22, 0x9b, 0x76, 0x81, 0x7f, 0x93, 0x9c, 0x25, 0x3c, 0xd2, 0xe9, 0x96, 0x21, 0x26, 0x08, 0xf5, 0xed, 0x95, 0x11, 0xae, 0x04, 0x5a}} , + {{0xb9, 0xe8, 0xc5, 0x12, 0x97, 0x1f, 0x83, 0xfe, 0x3e, 0x94, 0x99, 0xd4, 0x2d, 0xf9, 0x52, 0x59, 0x5c, 0x82, 0xa6, 0xf0, 0x75, 0x7e, 0xe8, 0xec, 0xcc, 0xac, 0x18, 0x21, 0x09, 0x67, 0x66, 0x67}}}, +{{{0xb3, 0x40, 0x29, 0xd1, 0xcb, 0x1b, 0x08, 0x9e, 0x9c, 0xb7, 0x53, 0xb9, 0x3b, 0x71, 0x08, 0x95, 0x12, 0x1a, 0x58, 0xaf, 0x7e, 0x82, 0x52, 0x43, 0x4f, 0x11, 0x39, 0xf4, 0x93, 0x1a, 0x26, 0x05}} , + {{0x6e, 0x44, 0xa3, 0xf9, 0x64, 0xaf, 0xe7, 0x6d, 0x7d, 0xdf, 0x1e, 0xac, 0x04, 0xea, 0x3b, 0x5f, 0x9b, 0xe8, 0x24, 0x9d, 0x0e, 0xe5, 0x2e, 0x3e, 0xdf, 0xa9, 0xf7, 0xd4, 0x50, 0x71, 0xf0, 0x78}}}, +{{{0x3e, 0xa8, 0x38, 0xc2, 0x57, 0x56, 0x42, 0x9a, 0xb1, 0xe2, 0xf8, 0x45, 0xaa, 0x11, 0x48, 0x5f, 0x17, 0xc4, 0x54, 0x27, 0xdc, 0x5d, 0xaa, 0xdd, 0x41, 0xbc, 0xdf, 0x81, 0xb9, 0x53, 0xee, 0x52}} , + {{0xc3, 0xf1, 0xa7, 0x6d, 0xb3, 0x5f, 0x92, 0x6f, 0xcc, 0x91, 0xb8, 0x95, 0x05, 0xdf, 0x3c, 0x64, 0x57, 0x39, 0x61, 0x51, 0xad, 0x8c, 0x38, 0x7b, 0xc8, 0xde, 0x00, 0x34, 0xbe, 0xa1, 0xb0, 0x7e}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x25, 0x24, 0x1d, 0x8a, 0x67, 0x20, 0xee, 0x42, 0xeb, 0x38, 0xed, 0x0b, 0x8b, 0xcd, 0x46, 0x9d, 0x5e, 0x6b, 0x1e, 0x24, 0x9d, 0x12, 0x05, 0x1a, 0xcc, 0x05, 0x4e, 0x92, 0x38, 0xe1, 0x1f, 0x50}} , + {{0x4e, 0xee, 0x1c, 0x91, 0xe6, 0x11, 0xbd, 0x8e, 0x55, 0x1a, 0x18, 0x75, 0x66, 0xaf, 0x4d, 0x7b, 0x0f, 0xae, 0x6d, 0x85, 0xca, 0x82, 0x58, 0x21, 0x9c, 0x18, 0xe0, 0xed, 0xec, 0x22, 0x80, 0x2f}}}, +{{{0x68, 0x3b, 0x0a, 0x39, 0x1d, 0x6a, 0x15, 0x57, 0xfc, 0xf0, 0x63, 0x54, 0xdb, 0x39, 0xdb, 0xe8, 0x5c, 0x64, 0xff, 0xa0, 0x09, 0x4f, 0x3b, 0xb7, 0x32, 0x60, 0x99, 0x94, 0xfd, 0x94, 0x82, 0x2d}} , + {{0x24, 0xf6, 0x5a, 0x44, 0xf1, 0x55, 0x2c, 0xdb, 0xea, 0x7c, 0x84, 0x7c, 0x01, 0xac, 0xe3, 0xfd, 0xc9, 0x27, 0xc1, 0x5a, 0xb9, 0xde, 0x4f, 0x5a, 0x90, 0xdd, 0xc6, 0x67, 0xaa, 0x6f, 0x8a, 0x3a}}}, +{{{0x78, 0x52, 0x87, 0xc9, 0x97, 0x63, 0xb1, 0xdd, 0x54, 0x5f, 0xc1, 0xf8, 0xf1, 0x06, 0xa6, 0xa8, 0xa3, 0x88, 0x82, 0xd4, 0xcb, 0xa6, 0x19, 0xdd, 0xd1, 0x11, 0x87, 0x08, 0x17, 0x4c, 0x37, 0x2a}} , + {{0xa1, 0x0c, 0xf3, 0x08, 0x43, 0xd9, 0x24, 0x1e, 0x83, 0xa7, 0xdf, 0x91, 0xca, 0xbd, 0x69, 0x47, 0x8d, 0x1b, 0xe2, 0xb9, 0x4e, 0xb5, 0xe1, 0x76, 0xb3, 0x1c, 0x93, 0x03, 0xce, 0x5f, 0xb3, 0x5a}}}, +{{{0x1d, 0xda, 0xe4, 0x61, 0x03, 0x50, 0xa9, 0x8b, 0x68, 0x18, 0xef, 0xb2, 0x1c, 0x84, 0x3b, 0xa2, 0x44, 0x95, 0xa3, 0x04, 0x3b, 0xd6, 0x99, 0x00, 0xaf, 0x76, 0x42, 0x67, 0x02, 0x7d, 0x85, 0x56}} , + {{0xce, 0x72, 0x0e, 0x29, 0x84, 0xb2, 0x7d, 0xd2, 0x45, 0xbe, 0x57, 0x06, 0xed, 0x7f, 0xcf, 0xed, 0xcd, 0xef, 0x19, 0xd6, 0xbc, 0x15, 0x79, 0x64, 0xd2, 0x18, 0xe3, 0x20, 0x67, 0x3a, 0x54, 0x0b}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x52, 0xfd, 0x04, 0xc5, 0xfb, 0x99, 0xe7, 0xe8, 0xfb, 0x8c, 0xe1, 0x42, 0x03, 0xef, 0x9d, 0xd9, 0x9e, 0x4d, 0xf7, 0x80, 0xcf, 0x2e, 0xcc, 0x9b, 0x45, 0xc9, 0x7b, 0x7a, 0xbc, 0x37, 0xa8, 0x52}} , + {{0x96, 0x11, 0x41, 0x8a, 0x47, 0x91, 0xfe, 0xb6, 0xda, 0x7a, 0x54, 0x63, 0xd1, 0x14, 0x35, 0x05, 0x86, 0x8c, 0xa9, 0x36, 0x3f, 0xf2, 0x85, 0x54, 0x4e, 0x92, 0xd8, 0x85, 0x01, 0x46, 0xd6, 0x50}}}, +{{{0x53, 0xcd, 0xf3, 0x86, 0x40, 0xe6, 0x39, 0x42, 0x95, 0xd6, 0xcb, 0x45, 0x1a, 0x20, 0xc8, 0x45, 0x4b, 0x32, 0x69, 0x04, 0xb1, 0xaf, 0x20, 0x46, 0xc7, 0x6b, 0x23, 0x5b, 0x69, 0xee, 0x30, 0x3f}} , + {{0x70, 0x83, 0x47, 0xc0, 0xdb, 0x55, 0x08, 0xa8, 0x7b, 0x18, 0x6d, 0xf5, 0x04, 0x5a, 0x20, 0x0c, 0x4a, 0x8c, 0x60, 0xae, 0xae, 0x0f, 0x64, 0x55, 0x55, 0x2e, 0xd5, 0x1d, 0x53, 0x31, 0x42, 0x41}}}, +{{{0xca, 0xfc, 0x88, 0x6b, 0x96, 0x78, 0x0a, 0x8b, 0x83, 0xdc, 0xbc, 0xaf, 0x40, 0xb6, 0x8d, 0x7f, 0xef, 0xb4, 0xd1, 0x3f, 0xcc, 0xa2, 0x74, 0xc9, 0xc2, 0x92, 0x55, 0x00, 0xab, 0xdb, 0xbf, 0x4f}} , + {{0x93, 0x1c, 0x06, 0x2d, 0x66, 0x65, 0x02, 0xa4, 0x97, 0x18, 0xfd, 0x00, 0xe7, 0xab, 0x03, 0xec, 0xce, 0xc1, 0xbf, 0x37, 0xf8, 0x13, 0x53, 0xa5, 0xe5, 0x0c, 0x3a, 0xa8, 0x55, 0xb9, 0xff, 0x68}}}, +{{{0xe4, 0xe6, 0x6d, 0x30, 0x7d, 0x30, 0x35, 0xc2, 0x78, 0x87, 0xf9, 0xfc, 0x6b, 0x5a, 0xc3, 0xb7, 0x65, 0xd8, 0x2e, 0xc7, 0xa5, 0x0c, 0xc6, 0xdc, 0x12, 0xaa, 0xd6, 0x4f, 0xc5, 0x38, 0xbc, 0x0e}} , + {{0xe2, 0x3c, 0x76, 0x86, 0x38, 0xf2, 0x7b, 0x2c, 0x16, 0x78, 0x8d, 0xf5, 0xa4, 0x15, 0xda, 0xdb, 0x26, 0x85, 0xa0, 0x56, 0xdd, 0x1d, 0xe3, 0xb3, 0xfd, 0x40, 0xef, 0xf2, 0xd9, 0xa1, 0xb3, 0x04}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xdb, 0x49, 0x0e, 0xe6, 0x58, 0x10, 0x7a, 0x52, 0xda, 0xb5, 0x7d, 0x37, 0x6a, 0x3e, 0xa1, 0x78, 0xce, 0xc7, 0x1c, 0x24, 0x23, 0xdb, 0x7d, 0xfb, 0x8c, 0x8d, 0xdc, 0x30, 0x67, 0x69, 0x75, 0x3b}} , + {{0xa9, 0xea, 0x6d, 0x16, 0x16, 0x60, 0xf4, 0x60, 0x87, 0x19, 0x44, 0x8c, 0x4a, 0x8b, 0x3e, 0xfb, 0x16, 0x00, 0x00, 0x54, 0xa6, 0x9e, 0x9f, 0xef, 0xcf, 0xd9, 0xd2, 0x4c, 0x74, 0x31, 0xd0, 0x34}}}, +{{{0xa4, 0xeb, 0x04, 0xa4, 0x8c, 0x8f, 0x71, 0x27, 0x95, 0x85, 0x5d, 0x55, 0x4b, 0xb1, 0x26, 0x26, 0xc8, 0xae, 0x6a, 0x7d, 0xa2, 0x21, 0xca, 0xce, 0x38, 0xab, 0x0f, 0xd0, 0xd5, 0x2b, 0x6b, 0x00}} , + {{0xe5, 0x67, 0x0c, 0xf1, 0x3a, 0x9a, 0xea, 0x09, 0x39, 0xef, 0xd1, 0x30, 0xbc, 0x33, 0xba, 0xb1, 0x6a, 0xc5, 0x27, 0x08, 0x7f, 0x54, 0x80, 0x3d, 0xab, 0xf6, 0x15, 0x7a, 0xc2, 0x40, 0x73, 0x72}}}, +{{{0x84, 0x56, 0x82, 0xb6, 0x12, 0x70, 0x7f, 0xf7, 0xf0, 0xbd, 0x5b, 0xa9, 0xd5, 0xc5, 0x5f, 0x59, 0xbf, 0x7f, 0xb3, 0x55, 0x22, 0x02, 0xc9, 0x44, 0x55, 0x87, 0x8f, 0x96, 0x98, 0x64, 0x6d, 0x15}} , + {{0xb0, 0x8b, 0xaa, 0x1e, 0xec, 0xc7, 0xa5, 0x8f, 0x1f, 0x92, 0x04, 0xc6, 0x05, 0xf6, 0xdf, 0xa1, 0xcc, 0x1f, 0x81, 0xf5, 0x0e, 0x9c, 0x57, 0xdc, 0xe3, 0xbb, 0x06, 0x87, 0x1e, 0xfe, 0x23, 0x6c}}}, +{{{0xd8, 0x2b, 0x5b, 0x16, 0xea, 0x20, 0xf1, 0xd3, 0x68, 0x8f, 0xae, 0x5b, 0xd0, 0xa9, 0x1a, 0x19, 0xa8, 0x36, 0xfb, 0x2b, 0x57, 0x88, 0x7d, 0x90, 0xd5, 0xa6, 0xf3, 0xdc, 0x38, 0x89, 0x4e, 0x1f}} , + {{0xcc, 0x19, 0xda, 0x9b, 0x3b, 0x43, 0x48, 0x21, 0x2e, 0x23, 0x4d, 0x3d, 0xae, 0xf8, 0x8c, 0xfc, 0xdd, 0xa6, 0x74, 0x37, 0x65, 0xca, 0xee, 0x1a, 0x19, 0x8e, 0x9f, 0x64, 0x6f, 0x0c, 0x8b, 0x5a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x25, 0xb9, 0xc2, 0xf0, 0x72, 0xb8, 0x15, 0x16, 0xcc, 0x8d, 0x3c, 0x6f, 0x25, 0xed, 0xf4, 0x46, 0x2e, 0x0c, 0x60, 0x0f, 0xe2, 0x84, 0x34, 0x55, 0x89, 0x59, 0x34, 0x1b, 0xf5, 0x8d, 0xfe, 0x08}} , + {{0xf8, 0xab, 0x93, 0xbc, 0x44, 0xba, 0x1b, 0x75, 0x4b, 0x49, 0x6f, 0xd0, 0x54, 0x2e, 0x63, 0xba, 0xb5, 0xea, 0xed, 0x32, 0x14, 0xc9, 0x94, 0xd8, 0xc5, 0xce, 0xf4, 0x10, 0x68, 0xe0, 0x38, 0x27}}}, +{{{0x74, 0x1c, 0x14, 0x9b, 0xd4, 0x64, 0x61, 0x71, 0x5a, 0xb6, 0x21, 0x33, 0x4f, 0xf7, 0x8e, 0xba, 0xa5, 0x48, 0x9a, 0xc7, 0xfa, 0x9a, 0xf0, 0xb4, 0x62, 0xad, 0xf2, 0x5e, 0xcc, 0x03, 0x24, 0x1a}} , + {{0xf5, 0x76, 0xfd, 0xe4, 0xaf, 0xb9, 0x03, 0x59, 0xce, 0x63, 0xd2, 0x3b, 0x1f, 0xcd, 0x21, 0x0c, 0xad, 0x44, 0xa5, 0x97, 0xac, 0x80, 0x11, 0x02, 0x9b, 0x0c, 0xe5, 0x8b, 0xcd, 0xfb, 0x79, 0x77}}}, +{{{0x15, 0xbe, 0x9a, 0x0d, 0xba, 0x38, 0x72, 0x20, 0x8a, 0xf5, 0xbe, 0x59, 0x93, 0x79, 0xb7, 0xf6, 0x6a, 0x0c, 0x38, 0x27, 0x1a, 0x60, 0xf4, 0x86, 0x3b, 0xab, 0x5a, 0x00, 0xa0, 0xce, 0x21, 0x7d}} , + {{0x6c, 0xba, 0x14, 0xc5, 0xea, 0x12, 0x9e, 0x2e, 0x82, 0x63, 0xce, 0x9b, 0x4a, 0xe7, 0x1d, 0xec, 0xf1, 0x2e, 0x51, 0x1c, 0xf4, 0xd0, 0x69, 0x15, 0x42, 0x9d, 0xa3, 0x3f, 0x0e, 0xbf, 0xe9, 0x5c}}}, +{{{0xe4, 0x0d, 0xf4, 0xbd, 0xee, 0x31, 0x10, 0xed, 0xcb, 0x12, 0x86, 0xad, 0xd4, 0x2f, 0x90, 0x37, 0x32, 0xc3, 0x0b, 0x73, 0xec, 0x97, 0x85, 0xa4, 0x01, 0x1c, 0x76, 0x35, 0xfe, 0x75, 0xdd, 0x71}} , + {{0x11, 0xa4, 0x88, 0x9f, 0x3e, 0x53, 0x69, 0x3b, 0x1b, 0xe0, 0xf7, 0xba, 0x9b, 0xad, 0x4e, 0x81, 0x5f, 0xb5, 0x5c, 0xae, 0xbe, 0x67, 0x86, 0x37, 0x34, 0x8e, 0x07, 0x32, 0x45, 0x4a, 0x67, 0x39}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x90, 0x70, 0x58, 0x20, 0x03, 0x1e, 0x67, 0xb2, 0xc8, 0x9b, 0x58, 0xc5, 0xb1, 0xeb, 0x2d, 0x4a, 0xde, 0x82, 0x8c, 0xf2, 0xd2, 0x14, 0xb8, 0x70, 0x61, 0x4e, 0x73, 0xd6, 0x0b, 0x6b, 0x0d, 0x30}} , + {{0x81, 0xfc, 0x55, 0x5c, 0xbf, 0xa7, 0xc4, 0xbd, 0xe2, 0xf0, 0x4b, 0x8f, 0xe9, 0x7d, 0x99, 0xfa, 0xd3, 0xab, 0xbc, 0xc7, 0x83, 0x2b, 0x04, 0x7f, 0x0c, 0x19, 0x43, 0x03, 0x3d, 0x07, 0xca, 0x40}}}, +{{{0xf9, 0xc8, 0xbe, 0x8c, 0x16, 0x81, 0x39, 0x96, 0xf6, 0x17, 0x58, 0xc8, 0x30, 0x58, 0xfb, 0xc2, 0x03, 0x45, 0xd2, 0x52, 0x76, 0xe0, 0x6a, 0x26, 0x28, 0x5c, 0x88, 0x59, 0x6a, 0x5a, 0x54, 0x42}} , + {{0x07, 0xb5, 0x2e, 0x2c, 0x67, 0x15, 0x9b, 0xfb, 0x83, 0x69, 0x1e, 0x0f, 0xda, 0xd6, 0x29, 0xb1, 0x60, 0xe0, 0xb2, 0xba, 0x69, 0xa2, 0x9e, 0xbd, 0xbd, 0xe0, 0x1c, 0xbd, 0xcd, 0x06, 0x64, 0x70}}}, +{{{0x41, 0xfa, 0x8c, 0xe1, 0x89, 0x8f, 0x27, 0xc8, 0x25, 0x8f, 0x6f, 0x5f, 0x55, 0xf8, 0xde, 0x95, 0x6d, 0x2f, 0x75, 0x16, 0x2b, 0x4e, 0x44, 0xfd, 0x86, 0x6e, 0xe9, 0x70, 0x39, 0x76, 0x97, 0x7e}} , + {{0x17, 0x62, 0x6b, 0x14, 0xa1, 0x7c, 0xd0, 0x79, 0x6e, 0xd8, 0x8a, 0xa5, 0x6d, 0x8c, 0x93, 0xd2, 0x3f, 0xec, 0x44, 0x8d, 0x6e, 0x91, 0x01, 0x8c, 0x8f, 0xee, 0x01, 0x8f, 0xc0, 0xb4, 0x85, 0x0e}}}, +{{{0x02, 0x3a, 0x70, 0x41, 0xe4, 0x11, 0x57, 0x23, 0xac, 0xe6, 0xfc, 0x54, 0x7e, 0xcd, 0xd7, 0x22, 0xcb, 0x76, 0x9f, 0x20, 0xce, 0xa0, 0x73, 0x76, 0x51, 0x3b, 0xa4, 0xf8, 0xe3, 0x62, 0x12, 0x6c}} , + {{0x7f, 0x00, 0x9c, 0x26, 0x0d, 0x6f, 0x48, 0x7f, 0x3a, 0x01, 0xed, 0xc5, 0x96, 0xb0, 0x1f, 0x4f, 0xa8, 0x02, 0x62, 0x27, 0x8a, 0x50, 0x8d, 0x9a, 0x8b, 0x52, 0x0f, 0x1e, 0xcf, 0x41, 0x38, 0x19}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xf5, 0x6c, 0xd4, 0x2f, 0x0f, 0x69, 0x0f, 0x87, 0x3f, 0x61, 0x65, 0x1e, 0x35, 0x34, 0x85, 0xba, 0x02, 0x30, 0xac, 0x25, 0x3d, 0xe2, 0x62, 0xf1, 0xcc, 0xe9, 0x1b, 0xc2, 0xef, 0x6a, 0x42, 0x57}} , + {{0x34, 0x1f, 0x2e, 0xac, 0xd1, 0xc7, 0x04, 0x52, 0x32, 0x66, 0xb2, 0x33, 0x73, 0x21, 0x34, 0x54, 0xf7, 0x71, 0xed, 0x06, 0xb0, 0xff, 0xa6, 0x59, 0x6f, 0x8a, 0x4e, 0xfb, 0x02, 0xb0, 0x45, 0x6b}}}, +{{{0xf5, 0x48, 0x0b, 0x03, 0xc5, 0x22, 0x7d, 0x80, 0x08, 0x53, 0xfe, 0x32, 0xb1, 0xa1, 0x8a, 0x74, 0x6f, 0xbd, 0x3f, 0x85, 0xf4, 0xcf, 0xf5, 0x60, 0xaf, 0x41, 0x7e, 0x3e, 0x46, 0xa3, 0x5a, 0x20}} , + {{0xaa, 0x35, 0x87, 0x44, 0x63, 0x66, 0x97, 0xf8, 0x6e, 0x55, 0x0c, 0x04, 0x3e, 0x35, 0x50, 0xbf, 0x93, 0x69, 0xd2, 0x8b, 0x05, 0x55, 0x99, 0xbe, 0xe2, 0x53, 0x61, 0xec, 0xe8, 0x08, 0x0b, 0x32}}}, +{{{0xb3, 0x10, 0x45, 0x02, 0x69, 0x59, 0x2e, 0x97, 0xd9, 0x64, 0xf8, 0xdb, 0x25, 0x80, 0xdc, 0xc4, 0xd5, 0x62, 0x3c, 0xed, 0x65, 0x91, 0xad, 0xd1, 0x57, 0x81, 0x94, 0xaa, 0xa1, 0x29, 0xfc, 0x68}} , + {{0xdd, 0xb5, 0x7d, 0xab, 0x5a, 0x21, 0x41, 0x53, 0xbb, 0x17, 0x79, 0x0d, 0xd1, 0xa8, 0x0c, 0x0c, 0x20, 0x88, 0x09, 0xe9, 0x84, 0xe8, 0x25, 0x11, 0x67, 0x7a, 0x8b, 0x1a, 0xe4, 0x5d, 0xe1, 0x5d}}}, +{{{0x37, 0xea, 0xfe, 0x65, 0x3b, 0x25, 0xe8, 0xe1, 0xc2, 0xc5, 0x02, 0xa4, 0xbe, 0x98, 0x0a, 0x2b, 0x61, 0xc1, 0x9b, 0xe2, 0xd5, 0x92, 0xe6, 0x9e, 0x7d, 0x1f, 0xca, 0x43, 0x88, 0x8b, 0x2c, 0x59}} , + {{0xe0, 0xb5, 0x00, 0x1d, 0x2a, 0x6f, 0xaf, 0x79, 0x86, 0x2f, 0xa6, 0x5a, 0x93, 0xd1, 0xfe, 0xae, 0x3a, 0xee, 0xdb, 0x7c, 0x61, 0xbe, 0x7c, 0x01, 0xf9, 0xfe, 0x52, 0xdc, 0xd8, 0x52, 0xa3, 0x42}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x22, 0xaf, 0x13, 0x37, 0xbd, 0x37, 0x71, 0xac, 0x04, 0x46, 0x63, 0xac, 0xa4, 0x77, 0xed, 0x25, 0x38, 0xe0, 0x15, 0xa8, 0x64, 0x00, 0x0d, 0xce, 0x51, 0x01, 0xa9, 0xbc, 0x0f, 0x03, 0x1c, 0x04}} , + {{0x89, 0xf9, 0x80, 0x07, 0xcf, 0x3f, 0xb3, 0xe9, 0xe7, 0x45, 0x44, 0x3d, 0x2a, 0x7c, 0xe9, 0xe4, 0x16, 0x5c, 0x5e, 0x65, 0x1c, 0xc7, 0x7d, 0xc6, 0x7a, 0xfb, 0x43, 0xee, 0x25, 0x76, 0x46, 0x72}}}, +{{{0x02, 0xa2, 0xed, 0xf4, 0x8f, 0x6b, 0x0b, 0x3e, 0xeb, 0x35, 0x1a, 0xd5, 0x7e, 0xdb, 0x78, 0x00, 0x96, 0x8a, 0xa0, 0xb4, 0xcf, 0x60, 0x4b, 0xd4, 0xd5, 0xf9, 0x2d, 0xbf, 0x88, 0xbd, 0x22, 0x62}} , + {{0x13, 0x53, 0xe4, 0x82, 0x57, 0xfa, 0x1e, 0x8f, 0x06, 0x2b, 0x90, 0xba, 0x08, 0xb6, 0x10, 0x54, 0x4f, 0x7c, 0x1b, 0x26, 0xed, 0xda, 0x6b, 0xdd, 0x25, 0xd0, 0x4e, 0xea, 0x42, 0xbb, 0x25, 0x03}}}, +{{{0x51, 0x16, 0x50, 0x7c, 0xd5, 0x5d, 0xf6, 0x99, 0xe8, 0x77, 0x72, 0x4e, 0xfa, 0x62, 0xcb, 0x76, 0x75, 0x0c, 0xe2, 0x71, 0x98, 0x92, 0xd5, 0xfa, 0x45, 0xdf, 0x5c, 0x6f, 0x1e, 0x9e, 0x28, 0x69}} , + {{0x0d, 0xac, 0x66, 0x6d, 0xc3, 0x8b, 0xba, 0x16, 0xb5, 0xe2, 0xa0, 0x0d, 0x0c, 0xbd, 0xa4, 0x8e, 0x18, 0x6c, 0xf2, 0xdc, 0xf9, 0xdc, 0x4a, 0x86, 0x25, 0x95, 0x14, 0xcb, 0xd8, 0x1a, 0x04, 0x0f}}}, +{{{0x97, 0xa5, 0xdb, 0x8b, 0x2d, 0xaa, 0x42, 0x11, 0x09, 0xf2, 0x93, 0xbb, 0xd9, 0x06, 0x84, 0x4e, 0x11, 0xa8, 0xa0, 0x25, 0x2b, 0xa6, 0x5f, 0xae, 0xc4, 0xb4, 0x4c, 0xc8, 0xab, 0xc7, 0x3b, 0x02}} , + {{0xee, 0xc9, 0x29, 0x0f, 0xdf, 0x11, 0x85, 0xed, 0xce, 0x0d, 0x62, 0x2c, 0x8f, 0x4b, 0xf9, 0x04, 0xe9, 0x06, 0x72, 0x1d, 0x37, 0x20, 0x50, 0xc9, 0x14, 0xeb, 0xec, 0x39, 0xa7, 0x97, 0x2b, 0x4d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x69, 0xd1, 0x39, 0xbd, 0xfb, 0x33, 0xbe, 0xc4, 0xf0, 0x5c, 0xef, 0xf0, 0x56, 0x68, 0xfc, 0x97, 0x47, 0xc8, 0x72, 0xb6, 0x53, 0xa4, 0x0a, 0x98, 0xa5, 0xb4, 0x37, 0x71, 0xcf, 0x66, 0x50, 0x6d}} , + {{0x17, 0xa4, 0x19, 0x52, 0x11, 0x47, 0xb3, 0x5c, 0x5b, 0xa9, 0x2e, 0x22, 0xb4, 0x00, 0x52, 0xf9, 0x57, 0x18, 0xb8, 0xbe, 0x5a, 0xe3, 0xab, 0x83, 0xc8, 0x87, 0x0a, 0x2a, 0xd8, 0x8c, 0xbb, 0x54}}}, +{{{0xa9, 0x62, 0x93, 0x85, 0xbe, 0xe8, 0x73, 0x4a, 0x0e, 0xb0, 0xb5, 0x2d, 0x94, 0x50, 0xaa, 0xd3, 0xb2, 0xea, 0x9d, 0x62, 0x76, 0x3b, 0x07, 0x34, 0x4e, 0x2d, 0x70, 0xc8, 0x9a, 0x15, 0x66, 0x6b}} , + {{0xc5, 0x96, 0xca, 0xc8, 0x22, 0x1a, 0xee, 0x5f, 0xe7, 0x31, 0x60, 0x22, 0x83, 0x08, 0x63, 0xce, 0xb9, 0x32, 0x44, 0x58, 0x5d, 0x3a, 0x9b, 0xe4, 0x04, 0xd5, 0xef, 0x38, 0xef, 0x4b, 0xdd, 0x19}}}, +{{{0x4d, 0xc2, 0x17, 0x75, 0xa1, 0x68, 0xcd, 0xc3, 0xc6, 0x03, 0x44, 0xe3, 0x78, 0x09, 0x91, 0x47, 0x3f, 0x0f, 0xe4, 0x92, 0x58, 0xfa, 0x7d, 0x1f, 0x20, 0x94, 0x58, 0x5e, 0xbc, 0x19, 0x02, 0x6f}} , + {{0x20, 0xd6, 0xd8, 0x91, 0x54, 0xa7, 0xf3, 0x20, 0x4b, 0x34, 0x06, 0xfa, 0x30, 0xc8, 0x6f, 0x14, 0x10, 0x65, 0x74, 0x13, 0x4e, 0xf0, 0x69, 0x26, 0xce, 0xcf, 0x90, 0xf4, 0xd0, 0xc5, 0xc8, 0x64}}}, +{{{0x26, 0xa2, 0x50, 0x02, 0x24, 0x72, 0xf1, 0xf0, 0x4e, 0x2d, 0x93, 0xd5, 0x08, 0xe7, 0xae, 0x38, 0xf7, 0x18, 0xa5, 0x32, 0x34, 0xc2, 0xf0, 0xa6, 0xec, 0xb9, 0x61, 0x7b, 0x64, 0x99, 0xac, 0x71}} , + {{0x25, 0xcf, 0x74, 0x55, 0x1b, 0xaa, 0xa9, 0x38, 0x41, 0x40, 0xd5, 0x95, 0x95, 0xab, 0x1c, 0x5e, 0xbc, 0x41, 0x7e, 0x14, 0x30, 0xbe, 0x13, 0x89, 0xf4, 0xe5, 0xeb, 0x28, 0xc0, 0xc2, 0x96, 0x3a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x2b, 0x77, 0x45, 0xec, 0x67, 0x76, 0x32, 0x4c, 0xb9, 0xdf, 0x25, 0x32, 0x6b, 0xcb, 0xe7, 0x14, 0x61, 0x43, 0xee, 0xba, 0x9b, 0x71, 0xef, 0xd2, 0x48, 0x65, 0xbb, 0x1b, 0x8a, 0x13, 0x1b, 0x22}} , + {{0x84, 0xad, 0x0c, 0x18, 0x38, 0x5a, 0xba, 0xd0, 0x98, 0x59, 0xbf, 0x37, 0xb0, 0x4f, 0x97, 0x60, 0x20, 0xb3, 0x9b, 0x97, 0xf6, 0x08, 0x6c, 0xa4, 0xff, 0xfb, 0xb7, 0xfa, 0x95, 0xb2, 0x51, 0x79}}}, +{{{0x28, 0x5c, 0x3f, 0xdb, 0x6b, 0x18, 0x3b, 0x5c, 0xd1, 0x04, 0x28, 0xde, 0x85, 0x52, 0x31, 0xb5, 0xbb, 0xf6, 0xa9, 0xed, 0xbe, 0x28, 0x4f, 0xb3, 0x7e, 0x05, 0x6a, 0xdb, 0x95, 0x0d, 0x1b, 0x1c}} , + {{0xd5, 0xc5, 0xc3, 0x9a, 0x0a, 0xd0, 0x31, 0x3e, 0x07, 0x36, 0x8e, 0xc0, 0x8a, 0x62, 0xb1, 0xca, 0xd6, 0x0e, 0x1e, 0x9d, 0xef, 0xab, 0x98, 0x4d, 0xbb, 0x6c, 0x05, 0xe0, 0xe4, 0x5d, 0xbd, 0x57}}}, +{{{0xcc, 0x21, 0x27, 0xce, 0xfd, 0xa9, 0x94, 0x8e, 0xe1, 0xab, 0x49, 0xe0, 0x46, 0x26, 0xa1, 0xa8, 0x8c, 0xa1, 0x99, 0x1d, 0xb4, 0x27, 0x6d, 0x2d, 0xc8, 0x39, 0x30, 0x5e, 0x37, 0x52, 0xc4, 0x6e}} , + {{0xa9, 0x85, 0xf4, 0xe7, 0xb0, 0x15, 0x33, 0x84, 0x1b, 0x14, 0x1a, 0x02, 0xd9, 0x3b, 0xad, 0x0f, 0x43, 0x6c, 0xea, 0x3e, 0x0f, 0x7e, 0xda, 0xdd, 0x6b, 0x4c, 0x7f, 0x6e, 0xd4, 0x6b, 0xbf, 0x0f}}}, +{{{0x47, 0x9f, 0x7c, 0x56, 0x7c, 0x43, 0x91, 0x1c, 0xbb, 0x4e, 0x72, 0x3e, 0x64, 0xab, 0xa0, 0xa0, 0xdf, 0xb4, 0xd8, 0x87, 0x3a, 0xbd, 0xa8, 0x48, 0xc9, 0xb8, 0xef, 0x2e, 0xad, 0x6f, 0x84, 0x4f}} , + {{0x2d, 0x2d, 0xf0, 0x1b, 0x7e, 0x2a, 0x6c, 0xf8, 0xa9, 0x6a, 0xe1, 0xf0, 0x99, 0xa1, 0x67, 0x9a, 0xd4, 0x13, 0xca, 0xca, 0xba, 0x27, 0x92, 0xaa, 0xa1, 0x5d, 0x50, 0xde, 0xcc, 0x40, 0x26, 0x0a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x9f, 0x3e, 0xf2, 0xb2, 0x90, 0xce, 0xdb, 0x64, 0x3e, 0x03, 0xdd, 0x37, 0x36, 0x54, 0x70, 0x76, 0x24, 0xb5, 0x69, 0x03, 0xfc, 0xa0, 0x2b, 0x74, 0xb2, 0x05, 0x0e, 0xcc, 0xd8, 0x1f, 0x6a, 0x1f}} , + {{0x19, 0x5e, 0x60, 0x69, 0x58, 0x86, 0xa0, 0x31, 0xbd, 0x32, 0xe9, 0x2c, 0x5c, 0xd2, 0x85, 0xba, 0x40, 0x64, 0xa8, 0x74, 0xf8, 0x0e, 0x1c, 0xb3, 0xa9, 0x69, 0xe8, 0x1e, 0x40, 0x64, 0x99, 0x77}}}, +{{{0x6c, 0x32, 0x4f, 0xfd, 0xbb, 0x5c, 0xbb, 0x8d, 0x64, 0x66, 0x4a, 0x71, 0x1f, 0x79, 0xa3, 0xad, 0x8d, 0xf9, 0xd4, 0xec, 0xcf, 0x67, 0x70, 0xfa, 0x05, 0x4a, 0x0f, 0x6e, 0xaf, 0x87, 0x0a, 0x6f}} , + {{0xc6, 0x36, 0x6e, 0x6c, 0x8c, 0x24, 0x09, 0x60, 0xbe, 0x26, 0xd2, 0x4c, 0x5e, 0x17, 0xca, 0x5f, 0x1d, 0xcc, 0x87, 0xe8, 0x42, 0x6a, 0xcb, 0xcb, 0x7d, 0x92, 0x05, 0x35, 0x81, 0x13, 0x60, 0x6b}}}, +{{{0xf4, 0x15, 0xcd, 0x0f, 0x0a, 0xaf, 0x4e, 0x6b, 0x51, 0xfd, 0x14, 0xc4, 0x2e, 0x13, 0x86, 0x74, 0x44, 0xcb, 0x66, 0x6b, 0xb6, 0x9d, 0x74, 0x56, 0x32, 0xac, 0x8d, 0x8e, 0x8c, 0x8c, 0x8c, 0x39}} , + {{0xca, 0x59, 0x74, 0x1a, 0x11, 0xef, 0x6d, 0xf7, 0x39, 0x5c, 0x3b, 0x1f, 0xfa, 0xe3, 0x40, 0x41, 0x23, 0x9e, 0xf6, 0xd1, 0x21, 0xa2, 0xbf, 0xad, 0x65, 0x42, 0x6b, 0x59, 0x8a, 0xe8, 0xc5, 0x7f}}}, +{{{0x64, 0x05, 0x7a, 0x84, 0x4a, 0x13, 0xc3, 0xf6, 0xb0, 0x6e, 0x9a, 0x6b, 0x53, 0x6b, 0x32, 0xda, 0xd9, 0x74, 0x75, 0xc4, 0xba, 0x64, 0x3d, 0x3b, 0x08, 0xdd, 0x10, 0x46, 0xef, 0xc7, 0x90, 0x1f}} , + {{0x7b, 0x2f, 0x3a, 0xce, 0xc8, 0xa1, 0x79, 0x3c, 0x30, 0x12, 0x44, 0x28, 0xf6, 0xbc, 0xff, 0xfd, 0xf4, 0xc0, 0x97, 0xb0, 0xcc, 0xc3, 0x13, 0x7a, 0xb9, 0x9a, 0x16, 0xe4, 0xcb, 0x4c, 0x34, 0x63}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x07, 0x4e, 0xd3, 0x2d, 0x09, 0x33, 0x0e, 0xd2, 0x0d, 0xbe, 0x3e, 0xe7, 0xe4, 0xaa, 0xb7, 0x00, 0x8b, 0xe8, 0xad, 0xaa, 0x7a, 0x8d, 0x34, 0x28, 0xa9, 0x81, 0x94, 0xc5, 0xe7, 0x42, 0xac, 0x47}} , + {{0x24, 0x89, 0x7a, 0x8f, 0xb5, 0x9b, 0xf0, 0xc2, 0x03, 0x64, 0xd0, 0x1e, 0xf5, 0xa4, 0xb2, 0xf3, 0x74, 0xe9, 0x1a, 0x16, 0xfd, 0xcb, 0x15, 0xea, 0xeb, 0x10, 0x6c, 0x35, 0xd1, 0xc1, 0xa6, 0x28}}}, +{{{0xcc, 0xd5, 0x39, 0xfc, 0xa5, 0xa4, 0xad, 0x32, 0x15, 0xce, 0x19, 0xe8, 0x34, 0x2b, 0x1c, 0x60, 0x91, 0xfc, 0x05, 0xa9, 0xb3, 0xdc, 0x80, 0x29, 0xc4, 0x20, 0x79, 0x06, 0x39, 0xc0, 0xe2, 0x22}} , + {{0xbb, 0xa8, 0xe1, 0x89, 0x70, 0x57, 0x18, 0x54, 0x3c, 0xf6, 0x0d, 0x82, 0x12, 0x05, 0x87, 0x96, 0x06, 0x39, 0xe3, 0xf8, 0xb3, 0x95, 0xe5, 0xd7, 0x26, 0xbf, 0x09, 0x5a, 0x94, 0xf9, 0x1c, 0x63}}}, +{{{0x2b, 0x8c, 0x2d, 0x9a, 0x8b, 0x84, 0xf2, 0x56, 0xfb, 0xad, 0x2e, 0x7f, 0xb7, 0xfc, 0x30, 0xe1, 0x35, 0x89, 0xba, 0x4d, 0xa8, 0x6d, 0xce, 0x8c, 0x8b, 0x30, 0xe0, 0xda, 0x29, 0x18, 0x11, 0x17}} , + {{0x19, 0xa6, 0x5a, 0x65, 0x93, 0xc3, 0xb5, 0x31, 0x22, 0x4f, 0xf3, 0xf6, 0x0f, 0xeb, 0x28, 0xc3, 0x7c, 0xeb, 0xce, 0x86, 0xec, 0x67, 0x76, 0x6e, 0x35, 0x45, 0x7b, 0xd8, 0x6b, 0x92, 0x01, 0x65}}}, +{{{0x3d, 0xd5, 0x9a, 0x64, 0x73, 0x36, 0xb1, 0xd6, 0x86, 0x98, 0x42, 0x3f, 0x8a, 0xf1, 0xc7, 0xf5, 0x42, 0xa8, 0x9c, 0x52, 0xa8, 0xdc, 0xf9, 0x24, 0x3f, 0x4a, 0xa1, 0xa4, 0x5b, 0xe8, 0x62, 0x1a}} , + {{0xc5, 0xbd, 0xc8, 0x14, 0xd5, 0x0d, 0xeb, 0xe1, 0xa5, 0xe6, 0x83, 0x11, 0x09, 0x00, 0x1d, 0x55, 0x83, 0x51, 0x7e, 0x75, 0x00, 0x81, 0xb9, 0xcb, 0xd8, 0xc5, 0xe5, 0xa1, 0xd9, 0x17, 0x6d, 0x1f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xea, 0xf9, 0xe4, 0xe9, 0xe1, 0x52, 0x3f, 0x51, 0x19, 0x0d, 0xdd, 0xd9, 0x9d, 0x93, 0x31, 0x87, 0x23, 0x09, 0xd5, 0x83, 0xeb, 0x92, 0x09, 0x76, 0x6e, 0xe3, 0xf8, 0xc0, 0xa2, 0x66, 0xb5, 0x36}} , + {{0x3a, 0xbb, 0x39, 0xed, 0x32, 0x02, 0xe7, 0x43, 0x7a, 0x38, 0x14, 0x84, 0xe3, 0x44, 0xd2, 0x5e, 0x94, 0xdd, 0x78, 0x89, 0x55, 0x4c, 0x73, 0x9e, 0xe1, 0xe4, 0x3e, 0x43, 0xd0, 0x4a, 0xde, 0x1b}}}, +{{{0xb2, 0xe7, 0x8f, 0xe3, 0xa3, 0xc5, 0xcb, 0x72, 0xee, 0x79, 0x41, 0xf8, 0xdf, 0xee, 0x65, 0xc5, 0x45, 0x77, 0x27, 0x3c, 0xbd, 0x58, 0xd3, 0x75, 0xe2, 0x04, 0x4b, 0xbb, 0x65, 0xf3, 0xc8, 0x0f}} , + {{0x24, 0x7b, 0x93, 0x34, 0xb5, 0xe2, 0x74, 0x48, 0xcd, 0xa0, 0x0b, 0x92, 0x97, 0x66, 0x39, 0xf4, 0xb0, 0xe2, 0x5d, 0x39, 0x6a, 0x5b, 0x45, 0x17, 0x78, 0x1e, 0xdb, 0x91, 0x81, 0x1c, 0xf9, 0x16}}}, +{{{0x16, 0xdf, 0xd1, 0x5a, 0xd5, 0xe9, 0x4e, 0x58, 0x95, 0x93, 0x5f, 0x51, 0x09, 0xc3, 0x2a, 0xc9, 0xd4, 0x55, 0x48, 0x79, 0xa4, 0xa3, 0xb2, 0xc3, 0x62, 0xaa, 0x8c, 0xe8, 0xad, 0x47, 0x39, 0x1b}} , + {{0x46, 0xda, 0x9e, 0x51, 0x3a, 0xe6, 0xd1, 0xa6, 0xbb, 0x4d, 0x7b, 0x08, 0xbe, 0x8c, 0xd5, 0xf3, 0x3f, 0xfd, 0xf7, 0x44, 0x80, 0x2d, 0x53, 0x4b, 0xd0, 0x87, 0x68, 0xc1, 0xb5, 0xd8, 0xf7, 0x07}}}, +{{{0xf4, 0x10, 0x46, 0xbe, 0xb7, 0xd2, 0xd1, 0xce, 0x5e, 0x76, 0xa2, 0xd7, 0x03, 0xdc, 0xe4, 0x81, 0x5a, 0xf6, 0x3c, 0xde, 0xae, 0x7a, 0x9d, 0x21, 0x34, 0xa5, 0xf6, 0xa9, 0x73, 0xe2, 0x8d, 0x60}} , + {{0xfa, 0x44, 0x71, 0xf6, 0x41, 0xd8, 0xc6, 0x58, 0x13, 0x37, 0xeb, 0x84, 0x0f, 0x96, 0xc7, 0xdc, 0xc8, 0xa9, 0x7a, 0x83, 0xb2, 0x2f, 0x31, 0xb1, 0x1a, 0xd8, 0x98, 0x3f, 0x11, 0xd0, 0x31, 0x3b}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x81, 0xd5, 0x34, 0x16, 0x01, 0xa3, 0x93, 0xea, 0x52, 0x94, 0xec, 0x93, 0xb7, 0x81, 0x11, 0x2d, 0x58, 0xf9, 0xb5, 0x0a, 0xaa, 0x4f, 0xf6, 0x2e, 0x3f, 0x36, 0xbf, 0x33, 0x5a, 0xe7, 0xd1, 0x08}} , + {{0x1a, 0xcf, 0x42, 0xae, 0xcc, 0xb5, 0x77, 0x39, 0xc4, 0x5b, 0x5b, 0xd0, 0x26, 0x59, 0x27, 0xd0, 0x55, 0x71, 0x12, 0x9d, 0x88, 0x3d, 0x9c, 0xea, 0x41, 0x6a, 0xf0, 0x50, 0x93, 0x93, 0xdd, 0x47}}}, +{{{0x6f, 0xc9, 0x51, 0x6d, 0x1c, 0xaa, 0xf5, 0xa5, 0x90, 0x3f, 0x14, 0xe2, 0x6e, 0x8e, 0x64, 0xfd, 0xac, 0xe0, 0x4e, 0x22, 0xe5, 0xc1, 0xbc, 0x29, 0x0a, 0x6a, 0x9e, 0xa1, 0x60, 0xcb, 0x2f, 0x0b}} , + {{0xdc, 0x39, 0x32, 0xf3, 0xa1, 0x44, 0xe9, 0xc5, 0xc3, 0x78, 0xfb, 0x95, 0x47, 0x34, 0x35, 0x34, 0xe8, 0x25, 0xde, 0x93, 0xc6, 0xb4, 0x76, 0x6d, 0x86, 0x13, 0xc6, 0xe9, 0x68, 0xb5, 0x01, 0x63}}}, +{{{0x1f, 0x9a, 0x52, 0x64, 0x97, 0xd9, 0x1c, 0x08, 0x51, 0x6f, 0x26, 0x9d, 0xaa, 0x93, 0x33, 0x43, 0xfa, 0x77, 0xe9, 0x62, 0x9b, 0x5d, 0x18, 0x75, 0xeb, 0x78, 0xf7, 0x87, 0x8f, 0x41, 0xb4, 0x4d}} , + {{0x13, 0xa8, 0x82, 0x3e, 0xe9, 0x13, 0xad, 0xeb, 0x01, 0xca, 0xcf, 0xda, 0xcd, 0xf7, 0x6c, 0xc7, 0x7a, 0xdc, 0x1e, 0x6e, 0xc8, 0x4e, 0x55, 0x62, 0x80, 0xea, 0x78, 0x0c, 0x86, 0xb9, 0x40, 0x51}}}, +{{{0x27, 0xae, 0xd3, 0x0d, 0x4c, 0x8f, 0x34, 0xea, 0x7d, 0x3c, 0xe5, 0x8a, 0xcf, 0x5b, 0x92, 0xd8, 0x30, 0x16, 0xb4, 0xa3, 0x75, 0xff, 0xeb, 0x27, 0xc8, 0x5c, 0x6c, 0xc2, 0xee, 0x6c, 0x21, 0x0b}} , + {{0xc3, 0xba, 0x12, 0x53, 0x2a, 0xaa, 0x77, 0xad, 0x19, 0x78, 0x55, 0x8a, 0x2e, 0x60, 0x87, 0xc2, 0x6e, 0x91, 0x38, 0x91, 0x3f, 0x7a, 0xc5, 0x24, 0x8f, 0x51, 0xc5, 0xde, 0xb0, 0x53, 0x30, 0x56}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x02, 0xfe, 0x54, 0x12, 0x18, 0xca, 0x7d, 0xa5, 0x68, 0x43, 0xa3, 0x6d, 0x14, 0x2a, 0x6a, 0xa5, 0x8e, 0x32, 0xe7, 0x63, 0x4f, 0xe3, 0xc6, 0x44, 0x3e, 0xab, 0x63, 0xca, 0x17, 0x86, 0x74, 0x3f}} , + {{0x1e, 0x64, 0xc1, 0x7d, 0x52, 0xdc, 0x13, 0x5a, 0xa1, 0x9c, 0x4e, 0xee, 0x99, 0x28, 0xbb, 0x4c, 0xee, 0xac, 0xa9, 0x1b, 0x89, 0xa2, 0x38, 0x39, 0x7b, 0xc4, 0x0f, 0x42, 0xe6, 0x89, 0xed, 0x0f}}}, +{{{0xf3, 0x3c, 0x8c, 0x80, 0x83, 0x10, 0x8a, 0x37, 0x50, 0x9c, 0xb4, 0xdf, 0x3f, 0x8c, 0xf7, 0x23, 0x07, 0xd6, 0xff, 0xa0, 0x82, 0x6c, 0x75, 0x3b, 0xe4, 0xb5, 0xbb, 0xe4, 0xe6, 0x50, 0xf0, 0x08}} , + {{0x62, 0xee, 0x75, 0x48, 0x92, 0x33, 0xf2, 0xf4, 0xad, 0x15, 0x7a, 0xa1, 0x01, 0x46, 0xa9, 0x32, 0x06, 0x88, 0xb6, 0x36, 0x47, 0x35, 0xb9, 0xb4, 0x42, 0x85, 0x76, 0xf0, 0x48, 0x00, 0x90, 0x38}}}, +{{{0x51, 0x15, 0x9d, 0xc3, 0x95, 0xd1, 0x39, 0xbb, 0x64, 0x9d, 0x15, 0x81, 0xc1, 0x68, 0xd0, 0xb6, 0xa4, 0x2c, 0x7d, 0x5e, 0x02, 0x39, 0x00, 0xe0, 0x3b, 0xa4, 0xcc, 0xca, 0x1d, 0x81, 0x24, 0x10}} , + {{0xe7, 0x29, 0xf9, 0x37, 0xd9, 0x46, 0x5a, 0xcd, 0x70, 0xfe, 0x4d, 0x5b, 0xbf, 0xa5, 0xcf, 0x91, 0xf4, 0xef, 0xee, 0x8a, 0x29, 0xd0, 0xe7, 0xc4, 0x25, 0x92, 0x8a, 0xff, 0x36, 0xfc, 0xe4, 0x49}}}, +{{{0xbd, 0x00, 0xb9, 0x04, 0x7d, 0x35, 0xfc, 0xeb, 0xd0, 0x0b, 0x05, 0x32, 0x52, 0x7a, 0x89, 0x24, 0x75, 0x50, 0xe1, 0x63, 0x02, 0x82, 0x8e, 0xe7, 0x85, 0x0c, 0xf2, 0x56, 0x44, 0x37, 0x83, 0x25}} , + {{0x8f, 0xa1, 0xce, 0xcb, 0x60, 0xda, 0x12, 0x02, 0x1e, 0x29, 0x39, 0x2a, 0x03, 0xb7, 0xeb, 0x77, 0x40, 0xea, 0xc9, 0x2b, 0x2c, 0xd5, 0x7d, 0x7e, 0x2c, 0xc7, 0x5a, 0xfd, 0xff, 0xc4, 0xd1, 0x62}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x1d, 0x88, 0x98, 0x5b, 0x4e, 0xfc, 0x41, 0x24, 0x05, 0xe6, 0x50, 0x2b, 0xae, 0x96, 0x51, 0xd9, 0x6b, 0x72, 0xb2, 0x33, 0x42, 0x98, 0x68, 0xbb, 0x10, 0x5a, 0x7a, 0x8c, 0x9d, 0x07, 0xb4, 0x05}} , + {{0x2f, 0x61, 0x9f, 0xd7, 0xa8, 0x3f, 0x83, 0x8c, 0x10, 0x69, 0x90, 0xe6, 0xcf, 0xd2, 0x63, 0xa3, 0xe4, 0x54, 0x7e, 0xe5, 0x69, 0x13, 0x1c, 0x90, 0x57, 0xaa, 0xe9, 0x53, 0x22, 0x43, 0x29, 0x23}}}, +{{{0xe5, 0x1c, 0xf8, 0x0a, 0xfd, 0x2d, 0x7e, 0xf5, 0xf5, 0x70, 0x7d, 0x41, 0x6b, 0x11, 0xfe, 0xbe, 0x99, 0xd1, 0x55, 0x29, 0x31, 0xbf, 0xc0, 0x97, 0x6c, 0xd5, 0x35, 0xcc, 0x5e, 0x8b, 0xd9, 0x69}} , + {{0x8e, 0x4e, 0x9f, 0x25, 0xf8, 0x81, 0x54, 0x2d, 0x0e, 0xd5, 0x54, 0x81, 0x9b, 0xa6, 0x92, 0xce, 0x4b, 0xe9, 0x8f, 0x24, 0x3b, 0xca, 0xe0, 0x44, 0xab, 0x36, 0xfe, 0xfb, 0x87, 0xd4, 0x26, 0x3e}}}, +{{{0x0f, 0x93, 0x9c, 0x11, 0xe7, 0xdb, 0xf1, 0xf0, 0x85, 0x43, 0x28, 0x15, 0x37, 0xdd, 0xde, 0x27, 0xdf, 0xad, 0x3e, 0x49, 0x4f, 0xe0, 0x5b, 0xf6, 0x80, 0x59, 0x15, 0x3c, 0x85, 0xb7, 0x3e, 0x12}} , + {{0xf5, 0xff, 0xcc, 0xf0, 0xb4, 0x12, 0x03, 0x5f, 0xc9, 0x84, 0xcb, 0x1d, 0x17, 0xe0, 0xbc, 0xcc, 0x03, 0x62, 0xa9, 0x8b, 0x94, 0xa6, 0xaa, 0x18, 0xcb, 0x27, 0x8d, 0x49, 0xa6, 0x17, 0x15, 0x07}}}, +{{{0xd9, 0xb6, 0xd4, 0x9d, 0xd4, 0x6a, 0xaf, 0x70, 0x07, 0x2c, 0x10, 0x9e, 0xbd, 0x11, 0xad, 0xe4, 0x26, 0x33, 0x70, 0x92, 0x78, 0x1c, 0x74, 0x9f, 0x75, 0x60, 0x56, 0xf4, 0x39, 0xa8, 0xa8, 0x62}} , + {{0x3b, 0xbf, 0x55, 0x35, 0x61, 0x8b, 0x44, 0x97, 0xe8, 0x3a, 0x55, 0xc1, 0xc8, 0x3b, 0xfd, 0x95, 0x29, 0x11, 0x60, 0x96, 0x1e, 0xcb, 0x11, 0x9d, 0xc2, 0x03, 0x8a, 0x1b, 0xc6, 0xd6, 0x45, 0x3d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x7e, 0x0e, 0x50, 0xb2, 0xcc, 0x0d, 0x6b, 0xa6, 0x71, 0x5b, 0x42, 0xed, 0xbd, 0xaf, 0xac, 0xf0, 0xfc, 0x12, 0xa2, 0x3f, 0x4e, 0xda, 0xe8, 0x11, 0xf3, 0x23, 0xe1, 0x04, 0x62, 0x03, 0x1c, 0x4e}} , + {{0xc8, 0xb1, 0x1b, 0x6f, 0x73, 0x61, 0x3d, 0x27, 0x0d, 0x7d, 0x7a, 0x25, 0x5f, 0x73, 0x0e, 0x2f, 0x93, 0xf6, 0x24, 0xd8, 0x4f, 0x90, 0xac, 0xa2, 0x62, 0x0a, 0xf0, 0x61, 0xd9, 0x08, 0x59, 0x6a}}}, +{{{0x6f, 0x2d, 0x55, 0xf8, 0x2f, 0x8e, 0xf0, 0x18, 0x3b, 0xea, 0xdd, 0x26, 0x72, 0xd1, 0xf5, 0xfe, 0xe5, 0xb8, 0xe6, 0xd3, 0x10, 0x48, 0x46, 0x49, 0x3a, 0x9f, 0x5e, 0x45, 0x6b, 0x90, 0xe8, 0x7f}} , + {{0xd3, 0x76, 0x69, 0x33, 0x7b, 0xb9, 0x40, 0x70, 0xee, 0xa6, 0x29, 0x6b, 0xdd, 0xd0, 0x5d, 0x8d, 0xc1, 0x3e, 0x4a, 0xea, 0x37, 0xb1, 0x03, 0x02, 0x03, 0x35, 0xf1, 0x28, 0x9d, 0xff, 0x00, 0x13}}}, +{{{0x7a, 0xdb, 0x12, 0xd2, 0x8a, 0x82, 0x03, 0x1b, 0x1e, 0xaf, 0xf9, 0x4b, 0x9c, 0xbe, 0xae, 0x7c, 0xe4, 0x94, 0x2a, 0x23, 0xb3, 0x62, 0x86, 0xe7, 0xfd, 0x23, 0xaa, 0x99, 0xbd, 0x2b, 0x11, 0x6c}} , + {{0x8d, 0xa6, 0xd5, 0xac, 0x9d, 0xcc, 0x68, 0x75, 0x7f, 0xc3, 0x4d, 0x4b, 0xdd, 0x6c, 0xbb, 0x11, 0x5a, 0x60, 0xe5, 0xbd, 0x7d, 0x27, 0x8b, 0xda, 0xb4, 0x95, 0xf6, 0x03, 0x27, 0xa4, 0x92, 0x3f}}}, +{{{0x22, 0xd6, 0xb5, 0x17, 0x84, 0xbf, 0x12, 0xcc, 0x23, 0x14, 0x4a, 0xdf, 0x14, 0x31, 0xbc, 0xa1, 0xac, 0x6e, 0xab, 0xfa, 0x57, 0x11, 0x53, 0xb3, 0x27, 0xe6, 0xf9, 0x47, 0x33, 0x44, 0x34, 0x1e}} , + {{0x79, 0xfc, 0xa6, 0xb4, 0x0b, 0x35, 0x20, 0xc9, 0x4d, 0x22, 0x84, 0xc4, 0xa9, 0x20, 0xec, 0x89, 0x94, 0xba, 0x66, 0x56, 0x48, 0xb9, 0x87, 0x7f, 0xca, 0x1e, 0x06, 0xed, 0xa5, 0x55, 0x59, 0x29}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x56, 0xe1, 0xf5, 0xf1, 0xd5, 0xab, 0xa8, 0x2b, 0xae, 0x89, 0xf3, 0xcf, 0x56, 0x9f, 0xf2, 0x4b, 0x31, 0xbc, 0x18, 0xa9, 0x06, 0x5b, 0xbe, 0xb4, 0x61, 0xf8, 0xb2, 0x06, 0x9c, 0x81, 0xab, 0x4c}} , + {{0x1f, 0x68, 0x76, 0x01, 0x16, 0x38, 0x2b, 0x0f, 0x77, 0x97, 0x92, 0x67, 0x4e, 0x86, 0x6a, 0x8b, 0xe5, 0xe8, 0x0c, 0xf7, 0x36, 0x39, 0xb5, 0x33, 0xe6, 0xcf, 0x5e, 0xbd, 0x18, 0xfb, 0x10, 0x1f}}}, +{{{0x83, 0xf0, 0x0d, 0x63, 0xef, 0x53, 0x6b, 0xb5, 0x6b, 0xf9, 0x83, 0xcf, 0xde, 0x04, 0x22, 0x9b, 0x2c, 0x0a, 0xe0, 0xa5, 0xd8, 0xc7, 0x9c, 0xa5, 0xa3, 0xf6, 0x6f, 0xcf, 0x90, 0x6b, 0x68, 0x7c}} , + {{0x33, 0x15, 0xd7, 0x7f, 0x1a, 0xd5, 0x21, 0x58, 0xc4, 0x18, 0xa5, 0xf0, 0xcc, 0x73, 0xa8, 0xfd, 0xfa, 0x18, 0xd1, 0x03, 0x91, 0x8d, 0x52, 0xd2, 0xa3, 0xa4, 0xd3, 0xb1, 0xea, 0x1d, 0x0f, 0x00}}}, +{{{0xcc, 0x48, 0x83, 0x90, 0xe5, 0xfd, 0x3f, 0x84, 0xaa, 0xf9, 0x8b, 0x82, 0x59, 0x24, 0x34, 0x68, 0x4f, 0x1c, 0x23, 0xd9, 0xcc, 0x71, 0xe1, 0x7f, 0x8c, 0xaf, 0xf1, 0xee, 0x00, 0xb6, 0xa0, 0x77}} , + {{0xf5, 0x1a, 0x61, 0xf7, 0x37, 0x9d, 0x00, 0xf4, 0xf2, 0x69, 0x6f, 0x4b, 0x01, 0x85, 0x19, 0x45, 0x4d, 0x7f, 0x02, 0x7c, 0x6a, 0x05, 0x47, 0x6c, 0x1f, 0x81, 0x20, 0xd4, 0xe8, 0x50, 0x27, 0x72}}}, +{{{0x2c, 0x3a, 0xe5, 0xad, 0xf4, 0xdd, 0x2d, 0xf7, 0x5c, 0x44, 0xb5, 0x5b, 0x21, 0xa3, 0x89, 0x5f, 0x96, 0x45, 0xca, 0x4d, 0xa4, 0x21, 0x99, 0x70, 0xda, 0xc4, 0xc4, 0xa0, 0xe5, 0xf4, 0xec, 0x0a}} , + {{0x07, 0x68, 0x21, 0x65, 0xe9, 0x08, 0xa0, 0x0b, 0x6a, 0x4a, 0xba, 0xb5, 0x80, 0xaf, 0xd0, 0x1b, 0xc5, 0xf5, 0x4b, 0x73, 0x50, 0x60, 0x2d, 0x71, 0x69, 0x61, 0x0e, 0xc0, 0x20, 0x40, 0x30, 0x19}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xd0, 0x75, 0x57, 0x3b, 0xeb, 0x5c, 0x14, 0x56, 0x50, 0xc9, 0x4f, 0xb8, 0xb8, 0x1e, 0xa3, 0xf4, 0xab, 0xf5, 0xa9, 0x20, 0x15, 0x94, 0x82, 0xda, 0x96, 0x1c, 0x9b, 0x59, 0x8c, 0xff, 0xf4, 0x51}} , + {{0xc1, 0x3a, 0x86, 0xd7, 0xb0, 0x06, 0x84, 0x7f, 0x1b, 0xbd, 0xd4, 0x07, 0x78, 0x80, 0x2e, 0xb1, 0xb4, 0xee, 0x52, 0x38, 0xee, 0x9a, 0xf9, 0xf6, 0xf3, 0x41, 0x6e, 0xd4, 0x88, 0x95, 0xac, 0x35}}}, +{{{0x41, 0x97, 0xbf, 0x71, 0x6a, 0x9b, 0x72, 0xec, 0xf3, 0xf8, 0x6b, 0xe6, 0x0e, 0x6c, 0x69, 0xa5, 0x2f, 0x68, 0x52, 0xd8, 0x61, 0x81, 0xc0, 0x63, 0x3f, 0xa6, 0x3c, 0x13, 0x90, 0xe6, 0x8d, 0x56}} , + {{0xe8, 0x39, 0x30, 0x77, 0x23, 0xb1, 0xfd, 0x1b, 0x3d, 0x3e, 0x74, 0x4d, 0x7f, 0xae, 0x5b, 0x3a, 0xb4, 0x65, 0x0e, 0x3a, 0x43, 0xdc, 0xdc, 0x41, 0x47, 0xe6, 0xe8, 0x92, 0x09, 0x22, 0x48, 0x4c}}}, +{{{0x85, 0x57, 0x9f, 0xb5, 0xc8, 0x06, 0xb2, 0x9f, 0x47, 0x3f, 0xf0, 0xfa, 0xe6, 0xa9, 0xb1, 0x9b, 0x6f, 0x96, 0x7d, 0xf9, 0xa4, 0x65, 0x09, 0x75, 0x32, 0xa6, 0x6c, 0x7f, 0x47, 0x4b, 0x2f, 0x4f}} , + {{0x34, 0xe9, 0x59, 0x93, 0x9d, 0x26, 0x80, 0x54, 0xf2, 0xcc, 0x3c, 0xc2, 0x25, 0x85, 0xe3, 0x6a, 0xc1, 0x62, 0x04, 0xa7, 0x08, 0x32, 0x6d, 0xa1, 0x39, 0x84, 0x8a, 0x3b, 0x87, 0x5f, 0x11, 0x13}}}, +{{{0xda, 0x03, 0x34, 0x66, 0xc4, 0x0c, 0x73, 0x6e, 0xbc, 0x24, 0xb5, 0xf9, 0x70, 0x81, 0x52, 0xe9, 0xf4, 0x7c, 0x23, 0xdd, 0x9f, 0xb8, 0x46, 0xef, 0x1d, 0x22, 0x55, 0x7d, 0x71, 0xc4, 0x42, 0x33}} , + {{0xc5, 0x37, 0x69, 0x5b, 0xa8, 0xc6, 0x9d, 0xa4, 0xfc, 0x61, 0x6e, 0x68, 0x46, 0xea, 0xd7, 0x1c, 0x67, 0xd2, 0x7d, 0xfa, 0xf1, 0xcc, 0x54, 0x8d, 0x36, 0x35, 0xc9, 0x00, 0xdf, 0x6c, 0x67, 0x50}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x9a, 0x4d, 0x42, 0x29, 0x5d, 0xa4, 0x6b, 0x6f, 0xa8, 0x8a, 0x4d, 0x91, 0x7b, 0xd2, 0xdf, 0x36, 0xef, 0x01, 0x22, 0xc5, 0xcc, 0x8d, 0xeb, 0x58, 0x3d, 0xb3, 0x50, 0xfc, 0x8b, 0x97, 0x96, 0x33}} , + {{0x93, 0x33, 0x07, 0xc8, 0x4a, 0xca, 0xd0, 0xb1, 0xab, 0xbd, 0xdd, 0xa7, 0x7c, 0xac, 0x3e, 0x45, 0xcb, 0xcc, 0x07, 0x91, 0xbf, 0x35, 0x9d, 0xcb, 0x7d, 0x12, 0x3c, 0x11, 0x59, 0x13, 0xcf, 0x5c}}}, +{{{0x45, 0xb8, 0x41, 0xd7, 0xab, 0x07, 0x15, 0x00, 0x8e, 0xce, 0xdf, 0xb2, 0x43, 0x5c, 0x01, 0xdc, 0xf4, 0x01, 0x51, 0x95, 0x10, 0x5a, 0xf6, 0x24, 0x24, 0xa0, 0x19, 0x3a, 0x09, 0x2a, 0xaa, 0x3f}} , + {{0xdc, 0x8e, 0xeb, 0xc6, 0xbf, 0xdd, 0x11, 0x7b, 0xe7, 0x47, 0xe6, 0xce, 0xe7, 0xb6, 0xc5, 0xe8, 0x8a, 0xdc, 0x4b, 0x57, 0x15, 0x3b, 0x66, 0xca, 0x89, 0xa3, 0xfd, 0xac, 0x0d, 0xe1, 0x1d, 0x7a}}}, +{{{0x89, 0xef, 0xbf, 0x03, 0x75, 0xd0, 0x29, 0x50, 0xcb, 0x7d, 0xd6, 0xbe, 0xad, 0x5f, 0x7b, 0x00, 0x32, 0xaa, 0x98, 0xed, 0x3f, 0x8f, 0x92, 0xcb, 0x81, 0x56, 0x01, 0x63, 0x64, 0xa3, 0x38, 0x39}} , + {{0x8b, 0xa4, 0xd6, 0x50, 0xb4, 0xaa, 0x5d, 0x64, 0x64, 0x76, 0x2e, 0xa1, 0xa6, 0xb3, 0xb8, 0x7c, 0x7a, 0x56, 0xf5, 0x5c, 0x4e, 0x84, 0x5c, 0xfb, 0xdd, 0xca, 0x48, 0x8b, 0x48, 0xb9, 0xba, 0x34}}}, +{{{0xc5, 0xe3, 0xe8, 0xae, 0x17, 0x27, 0xe3, 0x64, 0x60, 0x71, 0x47, 0x29, 0x02, 0x0f, 0x92, 0x5d, 0x10, 0x93, 0xc8, 0x0e, 0xa1, 0xed, 0xba, 0xa9, 0x96, 0x1c, 0xc5, 0x76, 0x30, 0xcd, 0xf9, 0x30}} , + {{0x95, 0xb0, 0xbd, 0x8c, 0xbc, 0xa7, 0x4f, 0x7e, 0xfd, 0x4e, 0x3a, 0xbf, 0x5f, 0x04, 0x79, 0x80, 0x2b, 0x5a, 0x9f, 0x4f, 0x68, 0x21, 0x19, 0x71, 0xc6, 0x20, 0x01, 0x42, 0xaa, 0xdf, 0xae, 0x2c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x90, 0x6e, 0x7e, 0x4b, 0x71, 0x93, 0xc0, 0x72, 0xed, 0xeb, 0x71, 0x24, 0x97, 0x26, 0x9c, 0xfe, 0xcb, 0x3e, 0x59, 0x19, 0xa8, 0x0f, 0x75, 0x7d, 0xbe, 0x18, 0xe6, 0x96, 0x1e, 0x95, 0x70, 0x60}} , + {{0x89, 0x66, 0x3e, 0x1d, 0x4c, 0x5f, 0xfe, 0xc0, 0x04, 0x43, 0xd6, 0x44, 0x19, 0xb5, 0xad, 0xc7, 0x22, 0xdc, 0x71, 0x28, 0x64, 0xde, 0x41, 0x38, 0x27, 0x8f, 0x2c, 0x6b, 0x08, 0xb8, 0xb8, 0x7b}}}, +{{{0x3d, 0x70, 0x27, 0x9d, 0xd9, 0xaf, 0xb1, 0x27, 0xaf, 0xe3, 0x5d, 0x1e, 0x3a, 0x30, 0x54, 0x61, 0x60, 0xe8, 0xc3, 0x26, 0x3a, 0xbc, 0x7e, 0xf5, 0x81, 0xdd, 0x64, 0x01, 0x04, 0xeb, 0xc0, 0x1e}} , + {{0xda, 0x2c, 0xa4, 0xd1, 0xa1, 0xc3, 0x5c, 0x6e, 0x32, 0x07, 0x1f, 0xb8, 0x0e, 0x19, 0x9e, 0x99, 0x29, 0x33, 0x9a, 0xae, 0x7a, 0xed, 0x68, 0x42, 0x69, 0x7c, 0x07, 0xb3, 0x38, 0x2c, 0xf6, 0x3d}}}, +{{{0x64, 0xaa, 0xb5, 0x88, 0x79, 0x65, 0x38, 0x8c, 0x94, 0xd6, 0x62, 0x37, 0x7d, 0x64, 0xcd, 0x3a, 0xeb, 0xff, 0xe8, 0x81, 0x09, 0xc7, 0x6a, 0x50, 0x09, 0x0d, 0x28, 0x03, 0x0d, 0x9a, 0x93, 0x0a}} , + {{0x42, 0xa3, 0xf1, 0xc5, 0xb4, 0x0f, 0xd8, 0xc8, 0x8d, 0x15, 0x31, 0xbd, 0xf8, 0x07, 0x8b, 0xcd, 0x08, 0x8a, 0xfb, 0x18, 0x07, 0xfe, 0x8e, 0x52, 0x86, 0xef, 0xbe, 0xec, 0x49, 0x52, 0x99, 0x08}}}, +{{{0x0f, 0xa9, 0xd5, 0x01, 0xaa, 0x48, 0x4f, 0x28, 0x66, 0x32, 0x1a, 0xba, 0x7c, 0xea, 0x11, 0x80, 0x17, 0x18, 0x9b, 0x56, 0x88, 0x25, 0x06, 0x69, 0x12, 0x2c, 0xea, 0x56, 0x69, 0x41, 0x24, 0x19}} , + {{0xde, 0x21, 0xf0, 0xda, 0x8a, 0xfb, 0xb1, 0xb8, 0xcd, 0xc8, 0x6a, 0x82, 0x19, 0x73, 0xdb, 0xc7, 0xcf, 0x88, 0xeb, 0x96, 0xee, 0x6f, 0xfb, 0x06, 0xd2, 0xcd, 0x7d, 0x7b, 0x12, 0x28, 0x8e, 0x0c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x93, 0x44, 0x97, 0xce, 0x28, 0xff, 0x3a, 0x40, 0xc4, 0xf5, 0xf6, 0x9b, 0xf4, 0x6b, 0x07, 0x84, 0xfb, 0x98, 0xd8, 0xec, 0x8c, 0x03, 0x57, 0xec, 0x49, 0xed, 0x63, 0xb6, 0xaa, 0xff, 0x98, 0x28}} , + {{0x3d, 0x16, 0x35, 0xf3, 0x46, 0xbc, 0xb3, 0xf4, 0xc6, 0xb6, 0x4f, 0xfa, 0xf4, 0xa0, 0x13, 0xe6, 0x57, 0x45, 0x93, 0xb9, 0xbc, 0xd6, 0x59, 0xe7, 0x77, 0x94, 0x6c, 0xab, 0x96, 0x3b, 0x4f, 0x09}}}, +{{{0x5a, 0xf7, 0x6b, 0x01, 0x12, 0x4f, 0x51, 0xc1, 0x70, 0x84, 0x94, 0x47, 0xb2, 0x01, 0x6c, 0x71, 0xd7, 0xcc, 0x17, 0x66, 0x0f, 0x59, 0x5d, 0x5d, 0x10, 0x01, 0x57, 0x11, 0xf5, 0xdd, 0xe2, 0x34}} , + {{0x26, 0xd9, 0x1f, 0x5c, 0x58, 0xac, 0x8b, 0x03, 0xd2, 0xc3, 0x85, 0x0f, 0x3a, 0xc3, 0x7f, 0x6d, 0x8e, 0x86, 0xcd, 0x52, 0x74, 0x8f, 0x55, 0x77, 0x17, 0xb7, 0x8e, 0xb7, 0x88, 0xea, 0xda, 0x1b}}}, +{{{0xb6, 0xea, 0x0e, 0x40, 0x93, 0x20, 0x79, 0x35, 0x6a, 0x61, 0x84, 0x5a, 0x07, 0x6d, 0xf9, 0x77, 0x6f, 0xed, 0x69, 0x1c, 0x0d, 0x25, 0x76, 0xcc, 0xf0, 0xdb, 0xbb, 0xc5, 0xad, 0xe2, 0x26, 0x57}} , + {{0xcf, 0xe8, 0x0e, 0x6b, 0x96, 0x7d, 0xed, 0x27, 0xd1, 0x3c, 0xa9, 0xd9, 0x50, 0xa9, 0x98, 0x84, 0x5e, 0x86, 0xef, 0xd6, 0xf0, 0xf8, 0x0e, 0x89, 0x05, 0x2f, 0xd9, 0x5f, 0x15, 0x5f, 0x73, 0x79}}}, +{{{0xc8, 0x5c, 0x16, 0xfe, 0xed, 0x9f, 0x26, 0x56, 0xf6, 0x4b, 0x9f, 0xa7, 0x0a, 0x85, 0xfe, 0xa5, 0x8c, 0x87, 0xdd, 0x98, 0xce, 0x4e, 0xc3, 0x58, 0x55, 0xb2, 0x7b, 0x3d, 0xd8, 0x6b, 0xb5, 0x4c}} , + {{0x65, 0x38, 0xa0, 0x15, 0xfa, 0xa7, 0xb4, 0x8f, 0xeb, 0xc4, 0x86, 0x9b, 0x30, 0xa5, 0x5e, 0x4d, 0xea, 0x8a, 0x9a, 0x9f, 0x1a, 0xd8, 0x5b, 0x53, 0x14, 0x19, 0x25, 0x63, 0xb4, 0x6f, 0x1f, 0x5d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xac, 0x8f, 0xbc, 0x1e, 0x7d, 0x8b, 0x5a, 0x0b, 0x8d, 0xaf, 0x76, 0x2e, 0x71, 0xe3, 0x3b, 0x6f, 0x53, 0x2f, 0x3e, 0x90, 0x95, 0xd4, 0x35, 0x14, 0x4f, 0x8c, 0x3c, 0xce, 0x57, 0x1c, 0x76, 0x49}} , + {{0xa8, 0x50, 0xe1, 0x61, 0x6b, 0x57, 0x35, 0xeb, 0x44, 0x0b, 0x0c, 0x6e, 0xf9, 0x25, 0x80, 0x74, 0xf2, 0x8f, 0x6f, 0x7a, 0x3e, 0x7f, 0x2d, 0xf3, 0x4e, 0x09, 0x65, 0x10, 0x5e, 0x03, 0x25, 0x32}}}, +{{{0xa9, 0x60, 0xdc, 0x0f, 0x64, 0xe5, 0x1d, 0xe2, 0x8d, 0x4f, 0x79, 0x2f, 0x0e, 0x24, 0x02, 0x00, 0x05, 0x77, 0x43, 0x25, 0x3d, 0x6a, 0xc7, 0xb7, 0xbf, 0x04, 0x08, 0x65, 0xf4, 0x39, 0x4b, 0x65}} , + {{0x96, 0x19, 0x12, 0x6b, 0x6a, 0xb7, 0xe3, 0xdc, 0x45, 0x9b, 0xdb, 0xb4, 0xa8, 0xae, 0xdc, 0xa8, 0x14, 0x44, 0x65, 0x62, 0xce, 0x34, 0x9a, 0x84, 0x18, 0x12, 0x01, 0xf1, 0xe2, 0x7b, 0xce, 0x50}}}, +{{{0x41, 0x21, 0x30, 0x53, 0x1b, 0x47, 0x01, 0xb7, 0x18, 0xd8, 0x82, 0x57, 0xbd, 0xa3, 0x60, 0xf0, 0x32, 0xf6, 0x5b, 0xf0, 0x30, 0x88, 0x91, 0x59, 0xfd, 0x90, 0xa2, 0xb9, 0x55, 0x93, 0x21, 0x34}} , + {{0x97, 0x67, 0x9e, 0xeb, 0x6a, 0xf9, 0x6e, 0xd6, 0x73, 0xe8, 0x6b, 0x29, 0xec, 0x63, 0x82, 0x00, 0xa8, 0x99, 0x1c, 0x1d, 0x30, 0xc8, 0x90, 0x52, 0x90, 0xb6, 0x6a, 0x80, 0x4e, 0xff, 0x4b, 0x51}}}, +{{{0x0f, 0x7d, 0x63, 0x8c, 0x6e, 0x5c, 0xde, 0x30, 0xdf, 0x65, 0xfa, 0x2e, 0xb0, 0xa3, 0x25, 0x05, 0x54, 0xbd, 0x25, 0xba, 0x06, 0xae, 0xdf, 0x8b, 0xd9, 0x1b, 0xea, 0x38, 0xb3, 0x05, 0x16, 0x09}} , + {{0xc7, 0x8c, 0xbf, 0x64, 0x28, 0xad, 0xf8, 0xa5, 0x5a, 0x6f, 0xc9, 0xba, 0xd5, 0x7f, 0xd5, 0xd6, 0xbd, 0x66, 0x2f, 0x3d, 0xaa, 0x54, 0xf6, 0xba, 0x32, 0x22, 0x9a, 0x1e, 0x52, 0x05, 0xf4, 0x1d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xaa, 0x1f, 0xbb, 0xeb, 0xfe, 0xe4, 0x87, 0xfc, 0xb1, 0x2c, 0xb7, 0x88, 0xf4, 0xc6, 0xb9, 0xf5, 0x24, 0x46, 0xf2, 0xa5, 0x9f, 0x8f, 0x8a, 0x93, 0x70, 0x69, 0xd4, 0x56, 0xec, 0xfd, 0x06, 0x46}} , + {{0x4e, 0x66, 0xcf, 0x4e, 0x34, 0xce, 0x0c, 0xd9, 0xa6, 0x50, 0xd6, 0x5e, 0x95, 0xaf, 0xe9, 0x58, 0xfa, 0xee, 0x9b, 0xb8, 0xa5, 0x0f, 0x35, 0xe0, 0x43, 0x82, 0x6d, 0x65, 0xe6, 0xd9, 0x00, 0x0f}}}, +{{{0x7b, 0x75, 0x3a, 0xfc, 0x64, 0xd3, 0x29, 0x7e, 0xdd, 0x49, 0x9a, 0x59, 0x53, 0xbf, 0xb4, 0xa7, 0x52, 0xb3, 0x05, 0xab, 0xc3, 0xaf, 0x16, 0x1a, 0x85, 0x42, 0x32, 0xa2, 0x86, 0xfa, 0x39, 0x43}} , + {{0x0e, 0x4b, 0xa3, 0x63, 0x8a, 0xfe, 0xa5, 0x58, 0xf1, 0x13, 0xbd, 0x9d, 0xaa, 0x7f, 0x76, 0x40, 0x70, 0x81, 0x10, 0x75, 0x99, 0xbb, 0xbe, 0x0b, 0x16, 0xe9, 0xba, 0x62, 0x34, 0xcc, 0x07, 0x6d}}}, +{{{0xc3, 0xf1, 0xc6, 0x93, 0x65, 0xee, 0x0b, 0xbc, 0xea, 0x14, 0xf0, 0xc1, 0xf8, 0x84, 0x89, 0xc2, 0xc9, 0xd7, 0xea, 0x34, 0xca, 0xa7, 0xc4, 0x99, 0xd5, 0x50, 0x69, 0xcb, 0xd6, 0x21, 0x63, 0x7c}} , + {{0x99, 0xeb, 0x7c, 0x31, 0x73, 0x64, 0x67, 0x7f, 0x0c, 0x66, 0xaa, 0x8c, 0x69, 0x91, 0xe2, 0x26, 0xd3, 0x23, 0xe2, 0x76, 0x5d, 0x32, 0x52, 0xdf, 0x5d, 0xc5, 0x8f, 0xb7, 0x7c, 0x84, 0xb3, 0x70}}}, +{{{0xeb, 0x01, 0xc7, 0x36, 0x97, 0x4e, 0xb6, 0xab, 0x5f, 0x0d, 0x2c, 0xba, 0x67, 0x64, 0x55, 0xde, 0xbc, 0xff, 0xa6, 0xec, 0x04, 0xd3, 0x8d, 0x39, 0x56, 0x5e, 0xee, 0xf8, 0xe4, 0x2e, 0x33, 0x62}} , + {{0x65, 0xef, 0xb8, 0x9f, 0xc8, 0x4b, 0xa7, 0xfd, 0x21, 0x49, 0x9b, 0x92, 0x35, 0x82, 0xd6, 0x0a, 0x9b, 0xf2, 0x79, 0xf1, 0x47, 0x2f, 0x6a, 0x7e, 0x9f, 0xcf, 0x18, 0x02, 0x3c, 0xfb, 0x1b, 0x3e}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x2f, 0x8b, 0xc8, 0x40, 0x51, 0xd1, 0xac, 0x1a, 0x0b, 0xe4, 0xa9, 0xa2, 0x42, 0x21, 0x19, 0x2f, 0x7b, 0x97, 0xbf, 0xf7, 0x57, 0x6d, 0x3f, 0x3d, 0x4f, 0x0f, 0xe2, 0xb2, 0x81, 0x00, 0x9e, 0x7b}} , + {{0x8c, 0x85, 0x2b, 0xc4, 0xfc, 0xf1, 0xab, 0xe8, 0x79, 0x22, 0xc4, 0x84, 0x17, 0x3a, 0xfa, 0x86, 0xa6, 0x7d, 0xf9, 0xf3, 0x6f, 0x03, 0x57, 0x20, 0x4d, 0x79, 0xf9, 0x6e, 0x71, 0x54, 0x38, 0x09}}}, +{{{0x40, 0x29, 0x74, 0xa8, 0x2f, 0x5e, 0xf9, 0x79, 0xa4, 0xf3, 0x3e, 0xb9, 0xfd, 0x33, 0x31, 0xac, 0x9a, 0x69, 0x88, 0x1e, 0x77, 0x21, 0x2d, 0xf3, 0x91, 0x52, 0x26, 0x15, 0xb2, 0xa6, 0xcf, 0x7e}} , + {{0xc6, 0x20, 0x47, 0x6c, 0xa4, 0x7d, 0xcb, 0x63, 0xea, 0x5b, 0x03, 0xdf, 0x3e, 0x88, 0x81, 0x6d, 0xce, 0x07, 0x42, 0x18, 0x60, 0x7e, 0x7b, 0x55, 0xfe, 0x6a, 0xf3, 0xda, 0x5c, 0x8b, 0x95, 0x10}}}, +{{{0x62, 0xe4, 0x0d, 0x03, 0xb4, 0xd7, 0xcd, 0xfa, 0xbd, 0x46, 0xdf, 0x93, 0x71, 0x10, 0x2c, 0xa8, 0x3b, 0xb6, 0x09, 0x05, 0x70, 0x84, 0x43, 0x29, 0xa8, 0x59, 0xf5, 0x8e, 0x10, 0xe4, 0xd7, 0x20}} , + {{0x57, 0x82, 0x1c, 0xab, 0xbf, 0x62, 0x70, 0xe8, 0xc4, 0xcf, 0xf0, 0x28, 0x6e, 0x16, 0x3c, 0x08, 0x78, 0x89, 0x85, 0x46, 0x0f, 0xf6, 0x7f, 0xcf, 0xcb, 0x7e, 0xb8, 0x25, 0xe9, 0x5a, 0xfa, 0x03}}}, +{{{0xfb, 0x95, 0x92, 0x63, 0x50, 0xfc, 0x62, 0xf0, 0xa4, 0x5e, 0x8c, 0x18, 0xc2, 0x17, 0x24, 0xb7, 0x78, 0xc2, 0xa9, 0xe7, 0x6a, 0x32, 0xd6, 0x29, 0x85, 0xaf, 0xcb, 0x8d, 0x91, 0x13, 0xda, 0x6b}} , + {{0x36, 0x0a, 0xc2, 0xb6, 0x4b, 0xa5, 0x5d, 0x07, 0x17, 0x41, 0x31, 0x5f, 0x62, 0x46, 0xf8, 0x92, 0xf9, 0x66, 0x48, 0x73, 0xa6, 0x97, 0x0d, 0x7d, 0x88, 0xee, 0x62, 0xb1, 0x03, 0xa8, 0x3f, 0x2c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x4a, 0xb1, 0x70, 0x8a, 0xa9, 0xe8, 0x63, 0x79, 0x00, 0xe2, 0x25, 0x16, 0xca, 0x4b, 0x0f, 0xa4, 0x66, 0xad, 0x19, 0x9f, 0x88, 0x67, 0x0c, 0x8b, 0xc2, 0x4a, 0x5b, 0x2b, 0x6d, 0x95, 0xaf, 0x19}} , + {{0x8b, 0x9d, 0xb6, 0xcc, 0x60, 0xb4, 0x72, 0x4f, 0x17, 0x69, 0x5a, 0x4a, 0x68, 0x34, 0xab, 0xa1, 0x45, 0x32, 0x3c, 0x83, 0x87, 0x72, 0x30, 0x54, 0x77, 0x68, 0xae, 0xfb, 0xb5, 0x8b, 0x22, 0x5e}}}, +{{{0xf1, 0xb9, 0x87, 0x35, 0xc5, 0xbb, 0xb9, 0xcf, 0xf5, 0xd6, 0xcd, 0xd5, 0x0c, 0x7c, 0x0e, 0xe6, 0x90, 0x34, 0xfb, 0x51, 0x42, 0x1e, 0x6d, 0xac, 0x9a, 0x46, 0xc4, 0x97, 0x29, 0x32, 0xbf, 0x45}} , + {{0x66, 0x9e, 0xc6, 0x24, 0xc0, 0xed, 0xa5, 0x5d, 0x88, 0xd4, 0xf0, 0x73, 0x97, 0x7b, 0xea, 0x7f, 0x42, 0xff, 0x21, 0xa0, 0x9b, 0x2f, 0x9a, 0xfd, 0x53, 0x57, 0x07, 0x84, 0x48, 0x88, 0x9d, 0x52}}}, +{{{0xc6, 0x96, 0x48, 0x34, 0x2a, 0x06, 0xaf, 0x94, 0x3d, 0xf4, 0x1a, 0xcf, 0xf2, 0xc0, 0x21, 0xc2, 0x42, 0x5e, 0xc8, 0x2f, 0x35, 0xa2, 0x3e, 0x29, 0xfa, 0x0c, 0x84, 0xe5, 0x89, 0x72, 0x7c, 0x06}} , + {{0x32, 0x65, 0x03, 0xe5, 0x89, 0xa6, 0x6e, 0xb3, 0x5b, 0x8e, 0xca, 0xeb, 0xfe, 0x22, 0x56, 0x8b, 0x5d, 0x14, 0x4b, 0x4d, 0xf9, 0xbe, 0xb5, 0xf5, 0xe6, 0x5c, 0x7b, 0x8b, 0xf4, 0x13, 0x11, 0x34}}}, +{{{0x07, 0xc6, 0x22, 0x15, 0xe2, 0x9c, 0x60, 0xa2, 0x19, 0xd9, 0x27, 0xae, 0x37, 0x4e, 0xa6, 0xc9, 0x80, 0xa6, 0x91, 0x8f, 0x12, 0x49, 0xe5, 0x00, 0x18, 0x47, 0xd1, 0xd7, 0x28, 0x22, 0x63, 0x39}} , + {{0xe8, 0xe2, 0x00, 0x7e, 0xf2, 0x9e, 0x1e, 0x99, 0x39, 0x95, 0x04, 0xbd, 0x1e, 0x67, 0x7b, 0xb2, 0x26, 0xac, 0xe6, 0xaa, 0xe2, 0x46, 0xd5, 0xe4, 0xe8, 0x86, 0xbd, 0xab, 0x7c, 0x55, 0x59, 0x6f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x24, 0x64, 0x6e, 0x9b, 0x35, 0x71, 0x78, 0xce, 0x33, 0x03, 0x21, 0x33, 0x36, 0xf1, 0x73, 0x9b, 0xb9, 0x15, 0x8b, 0x2c, 0x69, 0xcf, 0x4d, 0xed, 0x4f, 0x4d, 0x57, 0x14, 0x13, 0x82, 0xa4, 0x4d}} , + {{0x65, 0x6e, 0x0a, 0xa4, 0x59, 0x07, 0x17, 0xf2, 0x6b, 0x4a, 0x1f, 0x6e, 0xf6, 0xb5, 0xbc, 0x62, 0xe4, 0xb6, 0xda, 0xa2, 0x93, 0xbc, 0x29, 0x05, 0xd2, 0xd2, 0x73, 0x46, 0x03, 0x16, 0x40, 0x31}}}, +{{{0x4c, 0x73, 0x6d, 0x15, 0xbd, 0xa1, 0x4d, 0x5c, 0x13, 0x0b, 0x24, 0x06, 0x98, 0x78, 0x1c, 0x5b, 0xeb, 0x1f, 0x18, 0x54, 0x43, 0xd9, 0x55, 0x66, 0xda, 0x29, 0x21, 0xe8, 0xb8, 0x3c, 0x42, 0x22}} , + {{0xb4, 0xcd, 0x08, 0x6f, 0x15, 0x23, 0x1a, 0x0b, 0x22, 0xed, 0xd1, 0xf1, 0xa7, 0xc7, 0x73, 0x45, 0xf3, 0x9e, 0xce, 0x76, 0xb7, 0xf6, 0x39, 0xb6, 0x8e, 0x79, 0xbe, 0xe9, 0x9b, 0xcf, 0x7d, 0x62}}}, +{{{0x92, 0x5b, 0xfc, 0x72, 0xfd, 0xba, 0xf1, 0xfd, 0xa6, 0x7c, 0x95, 0xe3, 0x61, 0x3f, 0xe9, 0x03, 0xd4, 0x2b, 0xd4, 0x20, 0xd9, 0xdb, 0x4d, 0x32, 0x3e, 0xf5, 0x11, 0x64, 0xe3, 0xb4, 0xbe, 0x32}} , + {{0x86, 0x17, 0x90, 0xe7, 0xc9, 0x1f, 0x10, 0xa5, 0x6a, 0x2d, 0x39, 0xd0, 0x3b, 0xc4, 0xa6, 0xe9, 0x59, 0x13, 0xda, 0x1a, 0xe6, 0xa0, 0xb9, 0x3c, 0x50, 0xb8, 0x40, 0x7c, 0x15, 0x36, 0x5a, 0x42}}}, +{{{0xb4, 0x0b, 0x32, 0xab, 0xdc, 0x04, 0x51, 0x55, 0x21, 0x1e, 0x0b, 0x75, 0x99, 0x89, 0x73, 0x35, 0x3a, 0x91, 0x2b, 0xfe, 0xe7, 0x49, 0xea, 0x76, 0xc1, 0xf9, 0x46, 0xb9, 0x53, 0x02, 0x23, 0x04}} , + {{0xfc, 0x5a, 0x1e, 0x1d, 0x74, 0x58, 0x95, 0xa6, 0x8f, 0x7b, 0x97, 0x3e, 0x17, 0x3b, 0x79, 0x2d, 0xa6, 0x57, 0xef, 0x45, 0x02, 0x0b, 0x4d, 0x6e, 0x9e, 0x93, 0x8d, 0x2f, 0xd9, 0x9d, 0xdb, 0x04}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xc0, 0xd7, 0x56, 0x97, 0x58, 0x91, 0xde, 0x09, 0x4f, 0x9f, 0xbe, 0x63, 0xb0, 0x83, 0x86, 0x43, 0x5d, 0xbc, 0xe0, 0xf3, 0xc0, 0x75, 0xbf, 0x8b, 0x8e, 0xaa, 0xf7, 0x8b, 0x64, 0x6e, 0xb0, 0x63}} , + {{0x16, 0xae, 0x8b, 0xe0, 0x9b, 0x24, 0x68, 0x5c, 0x44, 0xc2, 0xd0, 0x08, 0xb7, 0x7b, 0x62, 0xfd, 0x7f, 0xd8, 0xd4, 0xb7, 0x50, 0xfd, 0x2c, 0x1b, 0xbf, 0x41, 0x95, 0xd9, 0x8e, 0xd8, 0x17, 0x1b}}}, +{{{0x86, 0x55, 0x37, 0x8e, 0xc3, 0x38, 0x48, 0x14, 0xb5, 0x97, 0xd2, 0xa7, 0x54, 0x45, 0xf1, 0x35, 0x44, 0x38, 0x9e, 0xf1, 0x1b, 0xb6, 0x34, 0x00, 0x3c, 0x96, 0xee, 0x29, 0x00, 0xea, 0x2c, 0x0b}} , + {{0xea, 0xda, 0x99, 0x9e, 0x19, 0x83, 0x66, 0x6d, 0xe9, 0x76, 0x87, 0x50, 0xd1, 0xfd, 0x3c, 0x60, 0x87, 0xc6, 0x41, 0xd9, 0x8e, 0xdb, 0x5e, 0xde, 0xaa, 0x9a, 0xd3, 0x28, 0xda, 0x95, 0xea, 0x47}}}, +{{{0xd0, 0x80, 0xba, 0x19, 0xae, 0x1d, 0xa9, 0x79, 0xf6, 0x3f, 0xac, 0x5d, 0x6f, 0x96, 0x1f, 0x2a, 0xce, 0x29, 0xb2, 0xff, 0x37, 0xf1, 0x94, 0x8f, 0x0c, 0xb5, 0x28, 0xba, 0x9a, 0x21, 0xf6, 0x66}} , + {{0x02, 0xfb, 0x54, 0xb8, 0x05, 0xf3, 0x81, 0x52, 0x69, 0x34, 0x46, 0x9d, 0x86, 0x76, 0x8f, 0xd7, 0xf8, 0x6a, 0x66, 0xff, 0xe6, 0xa7, 0x90, 0xf7, 0x5e, 0xcd, 0x6a, 0x9b, 0x55, 0xfc, 0x9d, 0x48}}}, +{{{0xbd, 0xaa, 0x13, 0xe6, 0xcd, 0x45, 0x4a, 0xa4, 0x59, 0x0a, 0x64, 0xb1, 0x98, 0xd6, 0x34, 0x13, 0x04, 0xe6, 0x97, 0x94, 0x06, 0xcb, 0xd4, 0x4e, 0xbb, 0x96, 0xcd, 0xd1, 0x57, 0xd1, 0xe3, 0x06}} , + {{0x7a, 0x6c, 0x45, 0x27, 0xc4, 0x93, 0x7f, 0x7d, 0x7c, 0x62, 0x50, 0x38, 0x3a, 0x6b, 0xb5, 0x88, 0xc6, 0xd9, 0xf1, 0x78, 0x19, 0xb9, 0x39, 0x93, 0x3d, 0xc9, 0xe0, 0x9c, 0x3c, 0xce, 0xf5, 0x72}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x24, 0xea, 0x23, 0x7d, 0x56, 0x2c, 0xe2, 0x59, 0x0e, 0x85, 0x60, 0x04, 0x88, 0x5a, 0x74, 0x1e, 0x4b, 0xef, 0x13, 0xda, 0x4c, 0xff, 0x83, 0x45, 0x85, 0x3f, 0x08, 0x95, 0x2c, 0x20, 0x13, 0x1f}} , + {{0x48, 0x5f, 0x27, 0x90, 0x5c, 0x02, 0x42, 0xad, 0x78, 0x47, 0x5c, 0xb5, 0x7e, 0x08, 0x85, 0x00, 0xfa, 0x7f, 0xfd, 0xfd, 0xe7, 0x09, 0x11, 0xf2, 0x7e, 0x1b, 0x38, 0x6c, 0x35, 0x6d, 0x33, 0x66}}}, +{{{0x93, 0x03, 0x36, 0x81, 0xac, 0xe4, 0x20, 0x09, 0x35, 0x4c, 0x45, 0xb2, 0x1e, 0x4c, 0x14, 0x21, 0xe6, 0xe9, 0x8a, 0x7b, 0x8d, 0xfe, 0x1e, 0xc6, 0x3e, 0xc1, 0x35, 0xfa, 0xe7, 0x70, 0x4e, 0x1d}} , + {{0x61, 0x2e, 0xc2, 0xdd, 0x95, 0x57, 0xd1, 0xab, 0x80, 0xe8, 0x63, 0x17, 0xb5, 0x48, 0xe4, 0x8a, 0x11, 0x9e, 0x72, 0xbe, 0x85, 0x8d, 0x51, 0x0a, 0xf2, 0x9f, 0xe0, 0x1c, 0xa9, 0x07, 0x28, 0x7b}}}, +{{{0xbb, 0x71, 0x14, 0x5e, 0x26, 0x8c, 0x3d, 0xc8, 0xe9, 0x7c, 0xd3, 0xd6, 0xd1, 0x2f, 0x07, 0x6d, 0xe6, 0xdf, 0xfb, 0x79, 0xd6, 0x99, 0x59, 0x96, 0x48, 0x40, 0x0f, 0x3a, 0x7b, 0xb2, 0xa0, 0x72}} , + {{0x4e, 0x3b, 0x69, 0xc8, 0x43, 0x75, 0x51, 0x6c, 0x79, 0x56, 0xe4, 0xcb, 0xf7, 0xa6, 0x51, 0xc2, 0x2c, 0x42, 0x0b, 0xd4, 0x82, 0x20, 0x1c, 0x01, 0x08, 0x66, 0xd7, 0xbf, 0x04, 0x56, 0xfc, 0x02}}}, +{{{0x24, 0xe8, 0xb7, 0x60, 0xae, 0x47, 0x80, 0xfc, 0xe5, 0x23, 0xe7, 0xc2, 0xc9, 0x85, 0xe6, 0x98, 0xa0, 0x29, 0x4e, 0xe1, 0x84, 0x39, 0x2d, 0x95, 0x2c, 0xf3, 0x45, 0x3c, 0xff, 0xaf, 0x27, 0x4c}} , + {{0x6b, 0xa6, 0xf5, 0x4b, 0x11, 0xbd, 0xba, 0x5b, 0x9e, 0xc4, 0xa4, 0x51, 0x1e, 0xbe, 0xd0, 0x90, 0x3a, 0x9c, 0xc2, 0x26, 0xb6, 0x1e, 0xf1, 0x95, 0x7d, 0xc8, 0x6d, 0x52, 0xe6, 0x99, 0x2c, 0x5f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x85, 0xe0, 0x24, 0x32, 0xb4, 0xd1, 0xef, 0xfc, 0x69, 0xa2, 0xbf, 0x8f, 0x72, 0x2c, 0x95, 0xf6, 0xe4, 0x6e, 0x7d, 0x90, 0xf7, 0x57, 0x81, 0xa0, 0xf7, 0xda, 0xef, 0x33, 0x07, 0xe3, 0x6b, 0x78}} , + {{0x36, 0x27, 0x3e, 0xc6, 0x12, 0x07, 0xab, 0x4e, 0xbe, 0x69, 0x9d, 0xb3, 0xbe, 0x08, 0x7c, 0x2a, 0x47, 0x08, 0xfd, 0xd4, 0xcd, 0x0e, 0x27, 0x34, 0x5b, 0x98, 0x34, 0x2f, 0x77, 0x5f, 0x3a, 0x65}}}, +{{{0x13, 0xaa, 0x2e, 0x4c, 0xf0, 0x22, 0xb8, 0x6c, 0xb3, 0x19, 0x4d, 0xeb, 0x6b, 0xd0, 0xa4, 0xc6, 0x9c, 0xdd, 0xc8, 0x5b, 0x81, 0x57, 0x89, 0xdf, 0x33, 0xa9, 0x68, 0x49, 0x80, 0xe4, 0xfe, 0x21}} , + {{0x00, 0x17, 0x90, 0x30, 0xe9, 0xd3, 0x60, 0x30, 0x31, 0xc2, 0x72, 0x89, 0x7a, 0x36, 0xa5, 0xbd, 0x39, 0x83, 0x85, 0x50, 0xa1, 0x5d, 0x6c, 0x41, 0x1d, 0xb5, 0x2c, 0x07, 0x40, 0x77, 0x0b, 0x50}}}, +{{{0x64, 0x34, 0xec, 0xc0, 0x9e, 0x44, 0x41, 0xaf, 0xa0, 0x36, 0x05, 0x6d, 0xea, 0x30, 0x25, 0x46, 0x35, 0x24, 0x9d, 0x86, 0xbd, 0x95, 0xf1, 0x6a, 0x46, 0xd7, 0x94, 0x54, 0xf9, 0x3b, 0xbd, 0x5d}} , + {{0x77, 0x5b, 0xe2, 0x37, 0xc7, 0xe1, 0x7c, 0x13, 0x8c, 0x9f, 0x7b, 0x7b, 0x2a, 0xce, 0x42, 0xa3, 0xb9, 0x2a, 0x99, 0xa8, 0xc0, 0xd8, 0x3c, 0x86, 0xb0, 0xfb, 0xe9, 0x76, 0x77, 0xf7, 0xf5, 0x56}}}, +{{{0xdf, 0xb3, 0x46, 0x11, 0x6e, 0x13, 0xb7, 0x28, 0x4e, 0x56, 0xdd, 0xf1, 0xac, 0xad, 0x58, 0xc3, 0xf8, 0x88, 0x94, 0x5e, 0x06, 0x98, 0xa1, 0xe4, 0x6a, 0xfb, 0x0a, 0x49, 0x5d, 0x8a, 0xfe, 0x77}} , + {{0x46, 0x02, 0xf5, 0xa5, 0xaf, 0xc5, 0x75, 0x6d, 0xba, 0x45, 0x35, 0x0a, 0xfe, 0xc9, 0xac, 0x22, 0x91, 0x8d, 0x21, 0x95, 0x33, 0x03, 0xc0, 0x8a, 0x16, 0xf3, 0x39, 0xe0, 0x01, 0x0f, 0x53, 0x3c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x34, 0x75, 0x37, 0x1f, 0x34, 0x4e, 0xa9, 0x1d, 0x68, 0x67, 0xf8, 0x49, 0x98, 0x96, 0xfc, 0x4c, 0x65, 0x97, 0xf7, 0x02, 0x4a, 0x52, 0x6c, 0x01, 0xbd, 0x48, 0xbb, 0x1b, 0xed, 0xa4, 0xe2, 0x53}} , + {{0x59, 0xd5, 0x9b, 0x5a, 0xa2, 0x90, 0xd3, 0xb8, 0x37, 0x4c, 0x55, 0x82, 0x28, 0x08, 0x0f, 0x7f, 0xaa, 0x81, 0x65, 0xe0, 0x0c, 0x52, 0xc9, 0xa3, 0x32, 0x27, 0x64, 0xda, 0xfd, 0x34, 0x23, 0x5a}}}, +{{{0xb5, 0xb0, 0x0c, 0x4d, 0xb3, 0x7b, 0x23, 0xc8, 0x1f, 0x8a, 0x39, 0x66, 0xe6, 0xba, 0x4c, 0x10, 0x37, 0xca, 0x9c, 0x7c, 0x05, 0x9e, 0xff, 0xc0, 0xf8, 0x8e, 0xb1, 0x8f, 0x6f, 0x67, 0x18, 0x26}} , + {{0x4b, 0x41, 0x13, 0x54, 0x23, 0x1a, 0xa4, 0x4e, 0xa9, 0x8b, 0x1e, 0x4b, 0xfc, 0x15, 0x24, 0xbb, 0x7e, 0xcb, 0xb6, 0x1e, 0x1b, 0xf5, 0xf2, 0xc8, 0x56, 0xec, 0x32, 0xa2, 0x60, 0x5b, 0xa0, 0x2a}}}, +{{{0xa4, 0x29, 0x47, 0x86, 0x2e, 0x92, 0x4f, 0x11, 0x4f, 0xf3, 0xb2, 0x5c, 0xd5, 0x3e, 0xa6, 0xb9, 0xc8, 0xe2, 0x33, 0x11, 0x1f, 0x01, 0x8f, 0xb0, 0x9b, 0xc7, 0xa5, 0xff, 0x83, 0x0f, 0x1e, 0x28}} , + {{0x1d, 0x29, 0x7a, 0xa1, 0xec, 0x8e, 0xb5, 0xad, 0xea, 0x02, 0x68, 0x60, 0x74, 0x29, 0x1c, 0xa5, 0xcf, 0xc8, 0x3b, 0x7d, 0x8b, 0x2b, 0x7c, 0xad, 0xa4, 0x40, 0x17, 0x51, 0x59, 0x7c, 0x2e, 0x5d}}}, +{{{0x0a, 0x6c, 0x4f, 0xbc, 0x3e, 0x32, 0xe7, 0x4a, 0x1a, 0x13, 0xc1, 0x49, 0x38, 0xbf, 0xf7, 0xc2, 0xd3, 0x8f, 0x6b, 0xad, 0x52, 0xf7, 0xcf, 0xbc, 0x27, 0xcb, 0x40, 0x67, 0x76, 0xcd, 0x6d, 0x56}} , + {{0xe5, 0xb0, 0x27, 0xad, 0xbe, 0x9b, 0xf2, 0xb5, 0x63, 0xde, 0x3a, 0x23, 0x95, 0xb7, 0x0a, 0x7e, 0xf3, 0x9e, 0x45, 0x6f, 0x19, 0x39, 0x75, 0x8f, 0x39, 0x3d, 0x0f, 0xc0, 0x9f, 0xf1, 0xe9, 0x51}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x88, 0xaa, 0x14, 0x24, 0x86, 0x94, 0x11, 0x12, 0x3e, 0x1a, 0xb5, 0xcc, 0xbb, 0xe0, 0x9c, 0xd5, 0x9c, 0x6d, 0xba, 0x58, 0x72, 0x8d, 0xfb, 0x22, 0x7b, 0x9f, 0x7c, 0x94, 0x30, 0xb3, 0x51, 0x21}} , + {{0xf6, 0x74, 0x3d, 0xf2, 0xaf, 0xd0, 0x1e, 0x03, 0x7c, 0x23, 0x6b, 0xc9, 0xfc, 0x25, 0x70, 0x90, 0xdc, 0x9a, 0xa4, 0xfb, 0x49, 0xfc, 0x3d, 0x0a, 0x35, 0x38, 0x6f, 0xe4, 0x7e, 0x50, 0x01, 0x2a}}}, +{{{0xd6, 0xe3, 0x96, 0x61, 0x3a, 0xfd, 0xef, 0x9b, 0x1f, 0x90, 0xa4, 0x24, 0x14, 0x5b, 0xc8, 0xde, 0x50, 0xb1, 0x1d, 0xaf, 0xe8, 0x55, 0x8a, 0x87, 0x0d, 0xfe, 0xaa, 0x3b, 0x82, 0x2c, 0x8d, 0x7b}} , + {{0x85, 0x0c, 0xaf, 0xf8, 0x83, 0x44, 0x49, 0xd9, 0x45, 0xcf, 0xf7, 0x48, 0xd9, 0x53, 0xb4, 0xf1, 0x65, 0xa0, 0xe1, 0xc3, 0xb3, 0x15, 0xed, 0x89, 0x9b, 0x4f, 0x62, 0xb3, 0x57, 0xa5, 0x45, 0x1c}}}, +{{{0x8f, 0x12, 0xea, 0xaf, 0xd1, 0x1f, 0x79, 0x10, 0x0b, 0xf6, 0xa3, 0x7b, 0xea, 0xac, 0x8b, 0x57, 0x32, 0x62, 0xe7, 0x06, 0x12, 0x51, 0xa0, 0x3b, 0x43, 0x5e, 0xa4, 0x20, 0x78, 0x31, 0xce, 0x0d}} , + {{0x84, 0x7c, 0xc2, 0xa6, 0x91, 0x23, 0xce, 0xbd, 0xdc, 0xf9, 0xce, 0xd5, 0x75, 0x30, 0x22, 0xe6, 0xf9, 0x43, 0x62, 0x0d, 0xf7, 0x75, 0x9d, 0x7f, 0x8c, 0xff, 0x7d, 0xe4, 0x72, 0xac, 0x9f, 0x1c}}}, +{{{0x88, 0xc1, 0x99, 0xd0, 0x3c, 0x1c, 0x5d, 0xb4, 0xef, 0x13, 0x0f, 0x90, 0xb9, 0x36, 0x2f, 0x95, 0x95, 0xc6, 0xdc, 0xde, 0x0a, 0x51, 0xe2, 0x8d, 0xf3, 0xbc, 0x51, 0xec, 0xdf, 0xb1, 0xa2, 0x5f}} , + {{0x2e, 0x68, 0xa1, 0x23, 0x7d, 0x9b, 0x40, 0x69, 0x85, 0x7b, 0x42, 0xbf, 0x90, 0x4b, 0xd6, 0x40, 0x2f, 0xd7, 0x52, 0x52, 0xb2, 0x21, 0xde, 0x64, 0xbd, 0x88, 0xc3, 0x6d, 0xa5, 0xfa, 0x81, 0x3f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xfb, 0xfd, 0x47, 0x7b, 0x8a, 0x66, 0x9e, 0x79, 0x2e, 0x64, 0x82, 0xef, 0xf7, 0x21, 0xec, 0xf6, 0xd8, 0x86, 0x09, 0x31, 0x7c, 0xdd, 0x03, 0x6a, 0x58, 0xa0, 0x77, 0xb7, 0x9b, 0x8c, 0x87, 0x1f}} , + {{0x55, 0x47, 0xe4, 0xa8, 0x3d, 0x55, 0x21, 0x34, 0xab, 0x1d, 0xae, 0xe0, 0xf4, 0xea, 0xdb, 0xc5, 0xb9, 0x58, 0xbf, 0xc4, 0x2a, 0x89, 0x31, 0x1a, 0xf4, 0x2d, 0xe1, 0xca, 0x37, 0x99, 0x47, 0x59}}}, +{{{0xc7, 0xca, 0x63, 0xc1, 0x49, 0xa9, 0x35, 0x45, 0x55, 0x7e, 0xda, 0x64, 0x32, 0x07, 0x50, 0xf7, 0x32, 0xac, 0xde, 0x75, 0x58, 0x9b, 0x11, 0xb2, 0x3a, 0x1f, 0xf5, 0xf7, 0x79, 0x04, 0xe6, 0x08}} , + {{0x46, 0xfa, 0x22, 0x4b, 0xfa, 0xe1, 0xfe, 0x96, 0xfc, 0x67, 0xba, 0x67, 0x97, 0xc4, 0xe7, 0x1b, 0x86, 0x90, 0x5f, 0xee, 0xf4, 0x5b, 0x11, 0xb2, 0xcd, 0xad, 0xee, 0xc2, 0x48, 0x6c, 0x2b, 0x1b}}}, +{{{0xe3, 0x39, 0x62, 0xb4, 0x4f, 0x31, 0x04, 0xc9, 0xda, 0xd5, 0x73, 0x51, 0x57, 0xc5, 0xb8, 0xf3, 0xa3, 0x43, 0x70, 0xe4, 0x61, 0x81, 0x84, 0xe2, 0xbb, 0xbf, 0x4f, 0x9e, 0xa4, 0x5e, 0x74, 0x06}} , + {{0x29, 0xac, 0xff, 0x27, 0xe0, 0x59, 0xbe, 0x39, 0x9c, 0x0d, 0x83, 0xd7, 0x10, 0x0b, 0x15, 0xb7, 0xe1, 0xc2, 0x2c, 0x30, 0x73, 0x80, 0x3a, 0x7d, 0x5d, 0xab, 0x58, 0x6b, 0xc1, 0xf0, 0xf4, 0x22}}}, +{{{0xfe, 0x7f, 0xfb, 0x35, 0x7d, 0xc6, 0x01, 0x23, 0x28, 0xc4, 0x02, 0xac, 0x1f, 0x42, 0xb4, 0x9d, 0xfc, 0x00, 0x94, 0xa5, 0xee, 0xca, 0xda, 0x97, 0x09, 0x41, 0x77, 0x87, 0x5d, 0x7b, 0x87, 0x78}} , + {{0xf5, 0xfb, 0x90, 0x2d, 0x81, 0x19, 0x9e, 0x2f, 0x6d, 0x85, 0x88, 0x8c, 0x40, 0x5c, 0x77, 0x41, 0x4d, 0x01, 0x19, 0x76, 0x60, 0xe8, 0x4c, 0x48, 0xe4, 0x33, 0x83, 0x32, 0x6c, 0xb4, 0x41, 0x03}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xff, 0x10, 0xc2, 0x09, 0x4f, 0x6e, 0xf4, 0xd2, 0xdf, 0x7e, 0xca, 0x7b, 0x1c, 0x1d, 0xba, 0xa3, 0xb6, 0xda, 0x67, 0x33, 0xd4, 0x87, 0x36, 0x4b, 0x11, 0x20, 0x05, 0xa6, 0x29, 0xc1, 0x87, 0x17}} , + {{0xf6, 0x96, 0xca, 0x2f, 0xda, 0x38, 0xa7, 0x1b, 0xfc, 0xca, 0x7d, 0xfe, 0x08, 0x89, 0xe2, 0x47, 0x2b, 0x6a, 0x5d, 0x4b, 0xfa, 0xa1, 0xb4, 0xde, 0xb6, 0xc2, 0x31, 0x51, 0xf5, 0xe0, 0xa4, 0x0b}}}, +{{{0x5c, 0xe5, 0xc6, 0x04, 0x8e, 0x2b, 0x57, 0xbe, 0x38, 0x85, 0x23, 0xcb, 0xb7, 0xbe, 0x4f, 0xa9, 0xd3, 0x6e, 0x12, 0xaa, 0xd5, 0xb2, 0x2e, 0x93, 0x29, 0x9a, 0x4a, 0x88, 0x18, 0x43, 0xf5, 0x01}} , + {{0x50, 0xfc, 0xdb, 0xa2, 0x59, 0x21, 0x8d, 0xbd, 0x7e, 0x33, 0xae, 0x2f, 0x87, 0x1a, 0xd0, 0x97, 0xc7, 0x0d, 0x4d, 0x63, 0x01, 0xef, 0x05, 0x84, 0xec, 0x40, 0xdd, 0xa8, 0x0a, 0x4f, 0x70, 0x0b}}}, +{{{0x41, 0x69, 0x01, 0x67, 0x5c, 0xd3, 0x8a, 0xc5, 0xcf, 0x3f, 0xd1, 0x57, 0xd1, 0x67, 0x3e, 0x01, 0x39, 0xb5, 0xcb, 0x81, 0x56, 0x96, 0x26, 0xb6, 0xc2, 0xe7, 0x5c, 0xfb, 0x63, 0x97, 0x58, 0x06}} , + {{0x0c, 0x0e, 0xf3, 0xba, 0xf0, 0xe5, 0xba, 0xb2, 0x57, 0x77, 0xc6, 0x20, 0x9b, 0x89, 0x24, 0xbe, 0xf2, 0x9c, 0x8a, 0xba, 0x69, 0xc1, 0xf1, 0xb0, 0x4f, 0x2a, 0x05, 0x9a, 0xee, 0x10, 0x7e, 0x36}}}, +{{{0x3f, 0x26, 0xe9, 0x40, 0xe9, 0x03, 0xad, 0x06, 0x69, 0x91, 0xe0, 0xd1, 0x89, 0x60, 0x84, 0x79, 0xde, 0x27, 0x6d, 0xe6, 0x76, 0xbd, 0xea, 0xe6, 0xae, 0x48, 0xc3, 0x67, 0xc0, 0x57, 0xcd, 0x2f}} , + {{0x7f, 0xc1, 0xdc, 0xb9, 0xc7, 0xbc, 0x86, 0x3d, 0x55, 0x4b, 0x28, 0x7a, 0xfb, 0x4d, 0xc7, 0xf8, 0xbc, 0x67, 0x2a, 0x60, 0x4d, 0x8f, 0x07, 0x0b, 0x1a, 0x17, 0xbf, 0xfa, 0xac, 0xa7, 0x3d, 0x1a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x91, 0x3f, 0xed, 0x5e, 0x18, 0x78, 0x3f, 0x23, 0x2c, 0x0d, 0x8c, 0x44, 0x00, 0xe8, 0xfb, 0xe9, 0x8e, 0xd6, 0xd1, 0x36, 0x58, 0x57, 0x9e, 0xae, 0x4b, 0x5c, 0x0b, 0x07, 0xbc, 0x6b, 0x55, 0x2b}} , + {{0x6f, 0x4d, 0x17, 0xd7, 0xe1, 0x84, 0xd9, 0x78, 0xb1, 0x90, 0xfd, 0x2e, 0xb3, 0xb5, 0x19, 0x3f, 0x1b, 0xfa, 0xc0, 0x68, 0xb3, 0xdd, 0x00, 0x2e, 0x89, 0xbd, 0x7e, 0x80, 0x32, 0x13, 0xa0, 0x7b}}}, +{{{0x1a, 0x6f, 0x40, 0xaf, 0x44, 0x44, 0xb0, 0x43, 0x8f, 0x0d, 0xd0, 0x1e, 0xc4, 0x0b, 0x19, 0x5d, 0x8e, 0xfe, 0xc1, 0xf3, 0xc5, 0x5c, 0x91, 0xf8, 0x04, 0x4e, 0xbe, 0x90, 0xb4, 0x47, 0x5c, 0x3f}} , + {{0xb0, 0x3b, 0x2c, 0xf3, 0xfe, 0x32, 0x71, 0x07, 0x3f, 0xaa, 0xba, 0x45, 0x60, 0xa8, 0x8d, 0xea, 0x54, 0xcb, 0x39, 0x10, 0xb4, 0xf2, 0x8b, 0xd2, 0x14, 0x82, 0x42, 0x07, 0x8e, 0xe9, 0x7c, 0x53}}}, +{{{0xb0, 0xae, 0xc1, 0x8d, 0xc9, 0x8f, 0xb9, 0x7a, 0x77, 0xef, 0xba, 0x79, 0xa0, 0x3c, 0xa8, 0xf5, 0x6a, 0xe2, 0x3f, 0x5d, 0x00, 0xe3, 0x4b, 0x45, 0x24, 0x7b, 0x43, 0x78, 0x55, 0x1d, 0x2b, 0x1e}} , + {{0x01, 0xb8, 0xd6, 0x16, 0x67, 0xa0, 0x15, 0xb9, 0xe1, 0x58, 0xa4, 0xa7, 0x31, 0x37, 0x77, 0x2f, 0x8b, 0x12, 0x9f, 0xf4, 0x3f, 0xc7, 0x36, 0x66, 0xd2, 0xa8, 0x56, 0xf7, 0x7f, 0x74, 0xc6, 0x41}}}, +{{{0x5d, 0xf8, 0xb4, 0xa8, 0x30, 0xdd, 0xcc, 0x38, 0xa5, 0xd3, 0xca, 0xd8, 0xd1, 0xf8, 0xb2, 0x31, 0x91, 0xd4, 0x72, 0x05, 0x57, 0x4a, 0x3b, 0x82, 0x4a, 0xc6, 0x68, 0x20, 0xe2, 0x18, 0x41, 0x61}} , + {{0x19, 0xd4, 0x8d, 0x47, 0x29, 0x12, 0x65, 0xb0, 0x11, 0x78, 0x47, 0xb5, 0xcb, 0xa3, 0xa5, 0xfa, 0x05, 0x85, 0x54, 0xa9, 0x33, 0x97, 0x8d, 0x2b, 0xc2, 0xfe, 0x99, 0x35, 0x28, 0xe5, 0xeb, 0x63}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xb1, 0x3f, 0x3f, 0xef, 0xd8, 0xf4, 0xfc, 0xb3, 0xa0, 0x60, 0x50, 0x06, 0x2b, 0x29, 0x52, 0x70, 0x15, 0x0b, 0x24, 0x24, 0xf8, 0x5f, 0x79, 0x18, 0xcc, 0xff, 0x89, 0x99, 0x84, 0xa1, 0xae, 0x13}} , + {{0x44, 0x1f, 0xb8, 0xc2, 0x01, 0xc1, 0x30, 0x19, 0x55, 0x05, 0x60, 0x10, 0xa4, 0x6c, 0x2d, 0x67, 0x70, 0xe5, 0x25, 0x1b, 0xf2, 0xbf, 0xdd, 0xfb, 0x70, 0x2b, 0xa1, 0x8c, 0x9c, 0x94, 0x84, 0x08}}}, +{{{0xe7, 0xc4, 0x43, 0x4d, 0xc9, 0x2b, 0x69, 0x5d, 0x1d, 0x3c, 0xaf, 0xbb, 0x43, 0x38, 0x4e, 0x98, 0x3d, 0xed, 0x0d, 0x21, 0x03, 0xfd, 0xf0, 0x99, 0x47, 0x04, 0xb0, 0x98, 0x69, 0x55, 0x72, 0x0f}} , + {{0x5e, 0xdf, 0x15, 0x53, 0x3b, 0x86, 0x80, 0xb0, 0xf1, 0x70, 0x68, 0x8f, 0x66, 0x7c, 0x0e, 0x49, 0x1a, 0xd8, 0x6b, 0xfe, 0x4e, 0xef, 0xca, 0x47, 0xd4, 0x03, 0xc1, 0x37, 0x50, 0x9c, 0xc1, 0x16}}}, +{{{0xcd, 0x24, 0xc6, 0x3e, 0x0c, 0x82, 0x9b, 0x91, 0x2b, 0x61, 0x4a, 0xb2, 0x0f, 0x88, 0x55, 0x5f, 0x5a, 0x57, 0xff, 0xe5, 0x74, 0x0b, 0x13, 0x43, 0x00, 0xd8, 0x6b, 0xcf, 0xd2, 0x15, 0x03, 0x2c}} , + {{0xdc, 0xff, 0x15, 0x61, 0x2f, 0x4a, 0x2f, 0x62, 0xf2, 0x04, 0x2f, 0xb5, 0x0c, 0xb7, 0x1e, 0x3f, 0x74, 0x1a, 0x0f, 0xd7, 0xea, 0xcd, 0xd9, 0x7d, 0xf6, 0x12, 0x0e, 0x2f, 0xdb, 0x5a, 0x3b, 0x16}}}, +{{{0x1b, 0x37, 0x47, 0xe3, 0xf5, 0x9e, 0xea, 0x2c, 0x2a, 0xe7, 0x82, 0x36, 0xf4, 0x1f, 0x81, 0x47, 0x92, 0x4b, 0x69, 0x0e, 0x11, 0x8c, 0x5d, 0x53, 0x5b, 0x81, 0x27, 0x08, 0xbc, 0xa0, 0xae, 0x25}} , + {{0x69, 0x32, 0xa1, 0x05, 0x11, 0x42, 0x00, 0xd2, 0x59, 0xac, 0x4d, 0x62, 0x8b, 0x13, 0xe2, 0x50, 0x5d, 0xa0, 0x9d, 0x9b, 0xfd, 0xbb, 0x12, 0x41, 0x75, 0x41, 0x9e, 0xcc, 0xdc, 0xc7, 0xdc, 0x5d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xd9, 0xe3, 0x38, 0x06, 0x46, 0x70, 0x82, 0x5e, 0x28, 0x49, 0x79, 0xff, 0x25, 0xd2, 0x4e, 0x29, 0x8d, 0x06, 0xb0, 0x23, 0xae, 0x9b, 0x66, 0xe4, 0x7d, 0xc0, 0x70, 0x91, 0xa3, 0xfc, 0xec, 0x4e}} , + {{0x62, 0x12, 0x37, 0x6a, 0x30, 0xf6, 0x1e, 0xfb, 0x14, 0x5c, 0x0d, 0x0e, 0xb7, 0x81, 0x6a, 0xe7, 0x08, 0x05, 0xac, 0xaa, 0x38, 0x46, 0xe2, 0x73, 0xea, 0x4b, 0x07, 0x81, 0x43, 0x7c, 0x9e, 0x5e}}}, +{{{0xfc, 0xf9, 0x21, 0x4f, 0x2e, 0x76, 0x9b, 0x1f, 0x28, 0x60, 0x77, 0x43, 0x32, 0x9d, 0xbe, 0x17, 0x30, 0x2a, 0xc6, 0x18, 0x92, 0x66, 0x62, 0x30, 0x98, 0x40, 0x11, 0xa6, 0x7f, 0x18, 0x84, 0x28}} , + {{0x3f, 0xab, 0xd3, 0xf4, 0x8a, 0x76, 0xa1, 0x3c, 0xca, 0x2d, 0x49, 0xc3, 0xea, 0x08, 0x0b, 0x85, 0x17, 0x2a, 0xc3, 0x6c, 0x08, 0xfd, 0x57, 0x9f, 0x3d, 0x5f, 0xdf, 0x67, 0x68, 0x42, 0x00, 0x32}}}, +{{{0x51, 0x60, 0x1b, 0x06, 0x4f, 0x8a, 0x21, 0xba, 0x38, 0xa8, 0xba, 0xd6, 0x40, 0xf6, 0xe9, 0x9b, 0x76, 0x4d, 0x56, 0x21, 0x5b, 0x0a, 0x9b, 0x2e, 0x4f, 0x3d, 0x81, 0x32, 0x08, 0x9f, 0x97, 0x5b}} , + {{0xe5, 0x44, 0xec, 0x06, 0x9d, 0x90, 0x79, 0x9f, 0xd3, 0xe0, 0x79, 0xaf, 0x8f, 0x10, 0xfd, 0xdd, 0x04, 0xae, 0x27, 0x97, 0x46, 0x33, 0x79, 0xea, 0xb8, 0x4e, 0xca, 0x5a, 0x59, 0x57, 0xe1, 0x0e}}}, +{{{0x1a, 0xda, 0xf3, 0xa5, 0x41, 0x43, 0x28, 0xfc, 0x7e, 0xe7, 0x71, 0xea, 0xc6, 0x3b, 0x59, 0xcc, 0x2e, 0xd3, 0x40, 0xec, 0xb3, 0x13, 0x6f, 0x44, 0xcd, 0x13, 0xb2, 0x37, 0xf2, 0x6e, 0xd9, 0x1c}} , + {{0xe3, 0xdb, 0x60, 0xcd, 0x5c, 0x4a, 0x18, 0x0f, 0xef, 0x73, 0x36, 0x71, 0x8c, 0xf6, 0x11, 0xb4, 0xd8, 0xce, 0x17, 0x5e, 0x4f, 0x26, 0x77, 0x97, 0x5f, 0xcb, 0xef, 0x91, 0xeb, 0x6a, 0x62, 0x7a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x18, 0x4a, 0xa2, 0x97, 0x08, 0x81, 0x2d, 0x83, 0xc4, 0xcc, 0xf0, 0x83, 0x7e, 0xec, 0x0d, 0x95, 0x4c, 0x5b, 0xfb, 0xfa, 0x98, 0x80, 0x4a, 0x66, 0x56, 0x0c, 0x51, 0xb3, 0xf2, 0x04, 0x5d, 0x27}} , + {{0x3b, 0xb9, 0xb8, 0x06, 0x5a, 0x2e, 0xfe, 0xc3, 0x82, 0x37, 0x9c, 0xa3, 0x11, 0x1f, 0x9c, 0xa6, 0xda, 0x63, 0x48, 0x9b, 0xad, 0xde, 0x2d, 0xa6, 0xbc, 0x6e, 0x32, 0xda, 0x27, 0x65, 0xdd, 0x57}}}, +{{{0x84, 0x4f, 0x37, 0x31, 0x7d, 0x2e, 0xbc, 0xad, 0x87, 0x07, 0x2a, 0x6b, 0x37, 0xfc, 0x5f, 0xeb, 0x4e, 0x75, 0x35, 0xa6, 0xde, 0xab, 0x0a, 0x19, 0x3a, 0xb7, 0xb1, 0xef, 0x92, 0x6a, 0x3b, 0x3c}} , + {{0x3b, 0xb2, 0x94, 0x6d, 0x39, 0x60, 0xac, 0xee, 0xe7, 0x81, 0x1a, 0x3b, 0x76, 0x87, 0x5c, 0x05, 0x94, 0x2a, 0x45, 0xb9, 0x80, 0xe9, 0x22, 0xb1, 0x07, 0xcb, 0x40, 0x9e, 0x70, 0x49, 0x6d, 0x12}}}, +{{{0xfd, 0x18, 0x78, 0x84, 0xa8, 0x4c, 0x7d, 0x6e, 0x59, 0xa6, 0xe5, 0x74, 0xf1, 0x19, 0xa6, 0x84, 0x2e, 0x51, 0xc1, 0x29, 0x13, 0xf2, 0x14, 0x6b, 0x5d, 0x53, 0x51, 0xf7, 0xef, 0xbf, 0x01, 0x22}} , + {{0xa4, 0x4b, 0x62, 0x4c, 0xe6, 0xfd, 0x72, 0x07, 0xf2, 0x81, 0xfc, 0xf2, 0xbd, 0x12, 0x7c, 0x68, 0x76, 0x2a, 0xba, 0xf5, 0x65, 0xb1, 0x1f, 0x17, 0x0a, 0x38, 0xb0, 0xbf, 0xc0, 0xf8, 0xf4, 0x2a}}}, +{{{0x55, 0x60, 0x55, 0x5b, 0xe4, 0x1d, 0x71, 0x4c, 0x9d, 0x5b, 0x9f, 0x70, 0xa6, 0x85, 0x9a, 0x2c, 0xa0, 0xe2, 0x32, 0x48, 0xce, 0x9e, 0x2a, 0xa5, 0x07, 0x3b, 0xc7, 0x6c, 0x86, 0x77, 0xde, 0x3c}} , + {{0xf7, 0x18, 0x7a, 0x96, 0x7e, 0x43, 0x57, 0xa9, 0x55, 0xfc, 0x4e, 0xb6, 0x72, 0x00, 0xf2, 0xe4, 0xd7, 0x52, 0xd3, 0xd3, 0xb6, 0x85, 0xf6, 0x71, 0xc7, 0x44, 0x3f, 0x7f, 0xd7, 0xb3, 0xf2, 0x79}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x46, 0xca, 0xa7, 0x55, 0x7b, 0x79, 0xf3, 0xca, 0x5a, 0x65, 0xf6, 0xed, 0x50, 0x14, 0x7b, 0xe4, 0xc4, 0x2a, 0x65, 0x9e, 0xe2, 0xf9, 0xca, 0xa7, 0x22, 0x26, 0x53, 0xcb, 0x21, 0x5b, 0xa7, 0x31}} , + {{0x90, 0xd7, 0xc5, 0x26, 0x08, 0xbd, 0xb0, 0x53, 0x63, 0x58, 0xc3, 0x31, 0x5e, 0x75, 0x46, 0x15, 0x91, 0xa6, 0xf8, 0x2f, 0x1a, 0x08, 0x65, 0x88, 0x2f, 0x98, 0x04, 0xf1, 0x7c, 0x6e, 0x00, 0x77}}}, +{{{0x81, 0x21, 0x61, 0x09, 0xf6, 0x4e, 0xf1, 0x92, 0xee, 0x63, 0x61, 0x73, 0x87, 0xc7, 0x54, 0x0e, 0x42, 0x4b, 0xc9, 0x47, 0xd1, 0xb8, 0x7e, 0x91, 0x75, 0x37, 0x99, 0x28, 0xb8, 0xdd, 0x7f, 0x50}} , + {{0x89, 0x8f, 0xc0, 0xbe, 0x5d, 0xd6, 0x9f, 0xa0, 0xf0, 0x9d, 0x81, 0xce, 0x3a, 0x7b, 0x98, 0x58, 0xbb, 0xd7, 0x78, 0xc8, 0x3f, 0x13, 0xf1, 0x74, 0x19, 0xdf, 0xf8, 0x98, 0x89, 0x5d, 0xfa, 0x5f}}}, +{{{0x9e, 0x35, 0x85, 0x94, 0x47, 0x1f, 0x90, 0x15, 0x26, 0xd0, 0x84, 0xed, 0x8a, 0x80, 0xf7, 0x63, 0x42, 0x86, 0x27, 0xd7, 0xf4, 0x75, 0x58, 0xdc, 0x9c, 0xc0, 0x22, 0x7e, 0x20, 0x35, 0xfd, 0x1f}} , + {{0x68, 0x0e, 0x6f, 0x97, 0xba, 0x70, 0xbb, 0xa3, 0x0e, 0xe5, 0x0b, 0x12, 0xf4, 0xa2, 0xdc, 0x47, 0xf8, 0xe6, 0xd0, 0x23, 0x6c, 0x33, 0xa8, 0x99, 0x46, 0x6e, 0x0f, 0x44, 0xba, 0x76, 0x48, 0x0f}}}, +{{{0xa3, 0x2a, 0x61, 0x37, 0xe2, 0x59, 0x12, 0x0e, 0x27, 0xba, 0x64, 0x43, 0xae, 0xc0, 0x42, 0x69, 0x79, 0xa4, 0x1e, 0x29, 0x8b, 0x15, 0xeb, 0xf8, 0xaf, 0xd4, 0xa2, 0x68, 0x33, 0xb5, 0x7a, 0x24}} , + {{0x2c, 0x19, 0x33, 0xdd, 0x1b, 0xab, 0xec, 0x01, 0xb0, 0x23, 0xf8, 0x42, 0x2b, 0x06, 0x88, 0xea, 0x3d, 0x2d, 0x00, 0x2a, 0x78, 0x45, 0x4d, 0x38, 0xed, 0x2e, 0x2e, 0x44, 0x49, 0xed, 0xcb, 0x33}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xa0, 0x68, 0xe8, 0x41, 0x8f, 0x91, 0xf8, 0x11, 0x13, 0x90, 0x2e, 0xa7, 0xab, 0x30, 0xef, 0xad, 0xa0, 0x61, 0x00, 0x88, 0xef, 0xdb, 0xce, 0x5b, 0x5c, 0xbb, 0x62, 0xc8, 0x56, 0xf9, 0x00, 0x73}} , + {{0x3f, 0x60, 0xc1, 0x82, 0x2d, 0xa3, 0x28, 0x58, 0x24, 0x9e, 0x9f, 0xe3, 0x70, 0xcc, 0x09, 0x4e, 0x1a, 0x3f, 0x11, 0x11, 0x15, 0x07, 0x3c, 0xa4, 0x41, 0xe0, 0x65, 0xa3, 0x0a, 0x41, 0x6d, 0x11}}}, +{{{0x31, 0x40, 0x01, 0x52, 0x56, 0x94, 0x5b, 0x28, 0x8a, 0xaa, 0x52, 0xee, 0xd8, 0x0a, 0x05, 0x8d, 0xcd, 0xb5, 0xaa, 0x2e, 0x38, 0xaa, 0xb7, 0x87, 0xf7, 0x2b, 0xfb, 0x04, 0xcb, 0x84, 0x3d, 0x54}} , + {{0x20, 0xef, 0x59, 0xde, 0xa4, 0x2b, 0x93, 0x6e, 0x2e, 0xec, 0x42, 0x9a, 0xd4, 0x2d, 0xf4, 0x46, 0x58, 0x27, 0x2b, 0x18, 0x8f, 0x83, 0x3d, 0x69, 0x9e, 0xd4, 0x3e, 0xb6, 0xc5, 0xfd, 0x58, 0x03}}}, +{{{0x33, 0x89, 0xc9, 0x63, 0x62, 0x1c, 0x17, 0xb4, 0x60, 0xc4, 0x26, 0x68, 0x09, 0xc3, 0x2e, 0x37, 0x0f, 0x7b, 0xb4, 0x9c, 0xb6, 0xf9, 0xfb, 0xd4, 0x51, 0x78, 0xc8, 0x63, 0xea, 0x77, 0x47, 0x07}} , + {{0x32, 0xb4, 0x18, 0x47, 0x79, 0xcb, 0xd4, 0x5a, 0x07, 0x14, 0x0f, 0xa0, 0xd5, 0xac, 0xd0, 0x41, 0x40, 0xab, 0x61, 0x23, 0xe5, 0x2a, 0x2a, 0x6f, 0xf7, 0xa8, 0xd4, 0x76, 0xef, 0xe7, 0x45, 0x6c}}}, +{{{0xa1, 0x5e, 0x60, 0x4f, 0xfb, 0xe1, 0x70, 0x6a, 0x1f, 0x55, 0x4f, 0x09, 0xb4, 0x95, 0x33, 0x36, 0xc6, 0x81, 0x01, 0x18, 0x06, 0x25, 0x27, 0xa4, 0xb4, 0x24, 0xa4, 0x86, 0x03, 0x4c, 0xac, 0x02}} , + {{0x77, 0x38, 0xde, 0xd7, 0x60, 0x48, 0x07, 0xf0, 0x74, 0xa8, 0xff, 0x54, 0xe5, 0x30, 0x43, 0xff, 0x77, 0xfb, 0x21, 0x07, 0xff, 0xb2, 0x07, 0x6b, 0xe4, 0xe5, 0x30, 0xfc, 0x19, 0x6c, 0xa3, 0x01}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x13, 0xc5, 0x2c, 0xac, 0xd3, 0x83, 0x82, 0x7c, 0x29, 0xf7, 0x05, 0xa5, 0x00, 0xb6, 0x1f, 0x86, 0x55, 0xf4, 0xd6, 0x2f, 0x0c, 0x99, 0xd0, 0x65, 0x9b, 0x6b, 0x46, 0x0d, 0x43, 0xf8, 0x16, 0x28}} , + {{0x1e, 0x7f, 0xb4, 0x74, 0x7e, 0xb1, 0x89, 0x4f, 0x18, 0x5a, 0xab, 0x64, 0x06, 0xdf, 0x45, 0x87, 0xe0, 0x6a, 0xc6, 0xf0, 0x0e, 0xc9, 0x24, 0x35, 0x38, 0xea, 0x30, 0x54, 0xb4, 0xc4, 0x52, 0x54}}}, +{{{0xe9, 0x9f, 0xdc, 0x3f, 0xc1, 0x89, 0x44, 0x74, 0x27, 0xe4, 0xc1, 0x90, 0xff, 0x4a, 0xa7, 0x3c, 0xee, 0xcd, 0xf4, 0x1d, 0x25, 0x94, 0x7f, 0x63, 0x16, 0x48, 0xbc, 0x64, 0xfe, 0x95, 0xc4, 0x0c}} , + {{0x8b, 0x19, 0x75, 0x6e, 0x03, 0x06, 0x5e, 0x6a, 0x6f, 0x1a, 0x8c, 0xe3, 0xd3, 0x28, 0xf2, 0xe0, 0xb9, 0x7a, 0x43, 0x69, 0xe6, 0xd3, 0xc0, 0xfe, 0x7e, 0x97, 0xab, 0x6c, 0x7b, 0x8e, 0x13, 0x42}}}, +{{{0xd4, 0xca, 0x70, 0x3d, 0xab, 0xfb, 0x5f, 0x5e, 0x00, 0x0c, 0xcc, 0x77, 0x22, 0xf8, 0x78, 0x55, 0xae, 0x62, 0x35, 0xfb, 0x9a, 0xc6, 0x03, 0xe4, 0x0c, 0xee, 0xab, 0xc7, 0xc0, 0x89, 0x87, 0x54}} , + {{0x32, 0xad, 0xae, 0x85, 0x58, 0x43, 0xb8, 0xb1, 0xe6, 0x3e, 0x00, 0x9c, 0x78, 0x88, 0x56, 0xdb, 0x9c, 0xfc, 0x79, 0xf6, 0xf9, 0x41, 0x5f, 0xb7, 0xbc, 0x11, 0xf9, 0x20, 0x36, 0x1c, 0x53, 0x2b}}}, +{{{0x5a, 0x20, 0x5b, 0xa1, 0xa5, 0x44, 0x91, 0x24, 0x02, 0x63, 0x12, 0x64, 0xb8, 0x55, 0xf6, 0xde, 0x2c, 0xdb, 0x47, 0xb8, 0xc6, 0x0a, 0xc3, 0x00, 0x78, 0x93, 0xd8, 0xf5, 0xf5, 0x18, 0x28, 0x0a}} , + {{0xd6, 0x1b, 0x9a, 0x6c, 0xe5, 0x46, 0xea, 0x70, 0x96, 0x8d, 0x4e, 0x2a, 0x52, 0x21, 0x26, 0x4b, 0xb1, 0xbb, 0x0f, 0x7c, 0xa9, 0x9b, 0x04, 0xbb, 0x51, 0x08, 0xf1, 0x9a, 0xa4, 0x76, 0x7c, 0x18}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xfa, 0x94, 0xf7, 0x40, 0xd0, 0xd7, 0xeb, 0xa9, 0x82, 0x36, 0xd5, 0x15, 0xb9, 0x33, 0x7a, 0xbf, 0x8a, 0xf2, 0x63, 0xaa, 0x37, 0xf5, 0x59, 0xac, 0xbd, 0xbb, 0x32, 0x36, 0xbe, 0x73, 0x99, 0x38}} , + {{0x2c, 0xb3, 0xda, 0x7a, 0xd8, 0x3d, 0x99, 0xca, 0xd2, 0xf4, 0xda, 0x99, 0x8e, 0x4f, 0x98, 0xb7, 0xf4, 0xae, 0x3e, 0x9f, 0x8e, 0x35, 0x60, 0xa4, 0x33, 0x75, 0xa4, 0x04, 0x93, 0xb1, 0x6b, 0x4d}}}, +{{{0x97, 0x9d, 0xa8, 0xcd, 0x97, 0x7b, 0x9d, 0xb9, 0xe7, 0xa5, 0xef, 0xfd, 0xa8, 0x42, 0x6b, 0xc3, 0x62, 0x64, 0x7d, 0xa5, 0x1b, 0xc9, 0x9e, 0xd2, 0x45, 0xb9, 0xee, 0x03, 0xb0, 0xbf, 0xc0, 0x68}} , + {{0xed, 0xb7, 0x84, 0x2c, 0xf6, 0xd3, 0xa1, 0x6b, 0x24, 0x6d, 0x87, 0x56, 0x97, 0x59, 0x79, 0x62, 0x9f, 0xac, 0xed, 0xf3, 0xc9, 0x89, 0x21, 0x2e, 0x04, 0xb3, 0xcc, 0x2f, 0xbe, 0xd6, 0x0a, 0x4b}}}, +{{{0x39, 0x61, 0x05, 0xed, 0x25, 0x89, 0x8b, 0x5d, 0x1b, 0xcb, 0x0c, 0x55, 0xf4, 0x6a, 0x00, 0x8a, 0x46, 0xe8, 0x1e, 0xc6, 0x83, 0xc8, 0x5a, 0x76, 0xdb, 0xcc, 0x19, 0x7a, 0xcc, 0x67, 0x46, 0x0b}} , + {{0x53, 0xcf, 0xc2, 0xa1, 0xad, 0x6a, 0xf3, 0xcd, 0x8f, 0xc9, 0xde, 0x1c, 0xf8, 0x6c, 0x8f, 0xf8, 0x76, 0x42, 0xe7, 0xfe, 0xb2, 0x72, 0x21, 0x0a, 0x66, 0x74, 0x8f, 0xb7, 0xeb, 0xe4, 0x6f, 0x01}}}, +{{{0x22, 0x8c, 0x6b, 0xbe, 0xfc, 0x4d, 0x70, 0x62, 0x6e, 0x52, 0x77, 0x99, 0x88, 0x7e, 0x7b, 0x57, 0x7a, 0x0d, 0xfe, 0xdc, 0x72, 0x92, 0xf1, 0x68, 0x1d, 0x97, 0xd7, 0x7c, 0x8d, 0x53, 0x10, 0x37}} , + {{0x53, 0x88, 0x77, 0x02, 0xca, 0x27, 0xa8, 0xe5, 0x45, 0xe2, 0xa8, 0x48, 0x2a, 0xab, 0x18, 0xca, 0xea, 0x2d, 0x2a, 0x54, 0x17, 0x37, 0x32, 0x09, 0xdc, 0xe0, 0x4a, 0xb7, 0x7d, 0x82, 0x10, 0x7d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x8a, 0x64, 0x1e, 0x14, 0x0a, 0x57, 0xd4, 0xda, 0x5c, 0x96, 0x9b, 0x01, 0x4c, 0x67, 0xbf, 0x8b, 0x30, 0xfe, 0x08, 0xdb, 0x0d, 0xd5, 0xa8, 0xd7, 0x09, 0x11, 0x85, 0xa2, 0xd3, 0x45, 0xfb, 0x7e}} , + {{0xda, 0x8c, 0xc2, 0xd0, 0xac, 0x18, 0xe8, 0x52, 0x36, 0xd4, 0x21, 0xa3, 0xdd, 0x57, 0x22, 0x79, 0xb7, 0xf8, 0x71, 0x9d, 0xc6, 0x91, 0x70, 0x86, 0x56, 0xbf, 0xa1, 0x11, 0x8b, 0x19, 0xe1, 0x0f}}}, +{{{0x18, 0x32, 0x98, 0x2c, 0x8f, 0x91, 0xae, 0x12, 0xf0, 0x8c, 0xea, 0xf3, 0x3c, 0xb9, 0x5d, 0xe4, 0x69, 0xed, 0xb2, 0x47, 0x18, 0xbd, 0xce, 0x16, 0x52, 0x5c, 0x23, 0xe2, 0xa5, 0x25, 0x52, 0x5d}} , + {{0xb9, 0xb1, 0xe7, 0x5d, 0x4e, 0xbc, 0xee, 0xbb, 0x40, 0x81, 0x77, 0x82, 0x19, 0xab, 0xb5, 0xc6, 0xee, 0xab, 0x5b, 0x6b, 0x63, 0x92, 0x8a, 0x34, 0x8d, 0xcd, 0xee, 0x4f, 0x49, 0xe5, 0xc9, 0x7e}}}, +{{{0x21, 0xac, 0x8b, 0x22, 0xcd, 0xc3, 0x9a, 0xe9, 0x5e, 0x78, 0xbd, 0xde, 0xba, 0xad, 0xab, 0xbf, 0x75, 0x41, 0x09, 0xc5, 0x58, 0xa4, 0x7d, 0x92, 0xb0, 0x7f, 0xf2, 0xa1, 0xd1, 0xc0, 0xb3, 0x6d}} , + {{0x62, 0x4f, 0xd0, 0x75, 0x77, 0xba, 0x76, 0x77, 0xd7, 0xb8, 0xd8, 0x92, 0x6f, 0x98, 0x34, 0x3d, 0xd6, 0x4e, 0x1c, 0x0f, 0xf0, 0x8f, 0x2e, 0xf1, 0xb3, 0xbd, 0xb1, 0xb9, 0xec, 0x99, 0xb4, 0x07}}}, +{{{0x60, 0x57, 0x2e, 0x9a, 0x72, 0x1d, 0x6b, 0x6e, 0x58, 0x33, 0x24, 0x8c, 0x48, 0x39, 0x46, 0x8e, 0x89, 0x6a, 0x88, 0x51, 0x23, 0x62, 0xb5, 0x32, 0x09, 0x36, 0xe3, 0x57, 0xf5, 0x98, 0xde, 0x6f}} , + {{0x8b, 0x2c, 0x00, 0x48, 0x4a, 0xf9, 0x5b, 0x87, 0x69, 0x52, 0xe5, 0x5b, 0xd1, 0xb1, 0xe5, 0x25, 0x25, 0xe0, 0x9c, 0xc2, 0x13, 0x44, 0xe8, 0xb9, 0x0a, 0x70, 0xad, 0xbd, 0x0f, 0x51, 0x94, 0x69}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xa2, 0xdc, 0xab, 0xa9, 0x25, 0x2d, 0xac, 0x5f, 0x03, 0x33, 0x08, 0xe7, 0x7e, 0xfe, 0x95, 0x36, 0x3c, 0x5b, 0x3a, 0xd3, 0x05, 0x82, 0x1c, 0x95, 0x2d, 0xd8, 0x77, 0x7e, 0x02, 0xd9, 0x5b, 0x70}} , + {{0xc2, 0xfe, 0x1b, 0x0c, 0x67, 0xcd, 0xd6, 0xe0, 0x51, 0x8e, 0x2c, 0xe0, 0x79, 0x88, 0xf0, 0xcf, 0x41, 0x4a, 0xad, 0x23, 0xd4, 0x46, 0xca, 0x94, 0xa1, 0xc3, 0xeb, 0x28, 0x06, 0xfa, 0x17, 0x14}}}, +{{{0x7b, 0xaa, 0x70, 0x0a, 0x4b, 0xfb, 0xf5, 0xbf, 0x80, 0xc5, 0xcf, 0x08, 0x7a, 0xdd, 0xa1, 0xf4, 0x9d, 0x54, 0x50, 0x53, 0x23, 0x77, 0x23, 0xf5, 0x34, 0xa5, 0x22, 0xd1, 0x0d, 0x96, 0x2e, 0x47}} , + {{0xcc, 0xb7, 0x32, 0x89, 0x57, 0xd0, 0x98, 0x75, 0xe4, 0x37, 0x99, 0xa9, 0xe8, 0xba, 0xed, 0xba, 0xeb, 0xc7, 0x4f, 0x15, 0x76, 0x07, 0x0c, 0x4c, 0xef, 0x9f, 0x52, 0xfc, 0x04, 0x5d, 0x58, 0x10}}}, +{{{0xce, 0x82, 0xf0, 0x8f, 0x79, 0x02, 0xa8, 0xd1, 0xda, 0x14, 0x09, 0x48, 0xee, 0x8a, 0x40, 0x98, 0x76, 0x60, 0x54, 0x5a, 0xde, 0x03, 0x24, 0xf5, 0xe6, 0x2f, 0xe1, 0x03, 0xbf, 0x68, 0x82, 0x7f}} , + {{0x64, 0xe9, 0x28, 0xc7, 0xa4, 0xcf, 0x2a, 0xf9, 0x90, 0x64, 0x72, 0x2c, 0x8b, 0xeb, 0xec, 0xa0, 0xf2, 0x7d, 0x35, 0xb5, 0x90, 0x4d, 0x7f, 0x5b, 0x4a, 0x49, 0xe4, 0xb8, 0x3b, 0xc8, 0xa1, 0x2f}}}, +{{{0x8b, 0xc5, 0xcc, 0x3d, 0x69, 0xa6, 0xa1, 0x18, 0x44, 0xbc, 0x4d, 0x77, 0x37, 0xc7, 0x86, 0xec, 0x0c, 0xc9, 0xd6, 0x44, 0xa9, 0x23, 0x27, 0xb9, 0x03, 0x34, 0xa7, 0x0a, 0xd5, 0xc7, 0x34, 0x37}} , + {{0xf9, 0x7e, 0x3e, 0x66, 0xee, 0xf9, 0x99, 0x28, 0xff, 0xad, 0x11, 0xd8, 0xe2, 0x66, 0xc5, 0xcd, 0x0f, 0x0d, 0x0b, 0x6a, 0xfc, 0x7c, 0x24, 0xa8, 0x4f, 0xa8, 0x5e, 0x80, 0x45, 0x8b, 0x6c, 0x41}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xef, 0x1e, 0xec, 0xf7, 0x8d, 0x77, 0xf2, 0xea, 0xdb, 0x60, 0x03, 0x21, 0xc0, 0xff, 0x5e, 0x67, 0xc3, 0x71, 0x0b, 0x21, 0xb4, 0x41, 0xa0, 0x68, 0x38, 0xc6, 0x01, 0xa3, 0xd3, 0x51, 0x3c, 0x3c}} , + {{0x92, 0xf8, 0xd6, 0x4b, 0xef, 0x42, 0x13, 0xb2, 0x4a, 0xc4, 0x2e, 0x72, 0x3f, 0xc9, 0x11, 0xbd, 0x74, 0x02, 0x0e, 0xf5, 0x13, 0x9d, 0x83, 0x1a, 0x1b, 0xd5, 0x54, 0xde, 0xc4, 0x1e, 0x16, 0x6c}}}, +{{{0x27, 0x52, 0xe4, 0x63, 0xaa, 0x94, 0xe6, 0xc3, 0x28, 0x9c, 0xc6, 0x56, 0xac, 0xfa, 0xb6, 0xbd, 0xe2, 0xcc, 0x76, 0xc6, 0x27, 0x27, 0xa2, 0x8e, 0x78, 0x2b, 0x84, 0x72, 0x10, 0xbd, 0x4e, 0x2a}} , + {{0xea, 0xa7, 0x23, 0xef, 0x04, 0x61, 0x80, 0x50, 0xc9, 0x6e, 0xa5, 0x96, 0xd1, 0xd1, 0xc8, 0xc3, 0x18, 0xd7, 0x2d, 0xfd, 0x26, 0xbd, 0xcb, 0x7b, 0x92, 0x51, 0x0e, 0x4a, 0x65, 0x57, 0xb8, 0x49}}}, +{{{0xab, 0x55, 0x36, 0xc3, 0xec, 0x63, 0x55, 0x11, 0x55, 0xf6, 0xa5, 0xc7, 0x01, 0x5f, 0xfe, 0x79, 0xd8, 0x0a, 0xf7, 0x03, 0xd8, 0x98, 0x99, 0xf5, 0xd0, 0x00, 0x54, 0x6b, 0x66, 0x28, 0xf5, 0x25}} , + {{0x7a, 0x8d, 0xa1, 0x5d, 0x70, 0x5d, 0x51, 0x27, 0xee, 0x30, 0x65, 0x56, 0x95, 0x46, 0xde, 0xbd, 0x03, 0x75, 0xb4, 0x57, 0x59, 0x89, 0xeb, 0x02, 0x9e, 0xcc, 0x89, 0x19, 0xa7, 0xcb, 0x17, 0x67}}}, +{{{0x6a, 0xeb, 0xfc, 0x9a, 0x9a, 0x10, 0xce, 0xdb, 0x3a, 0x1c, 0x3c, 0x6a, 0x9d, 0xea, 0x46, 0xbc, 0x45, 0x49, 0xac, 0xe3, 0x41, 0x12, 0x7c, 0xf0, 0xf7, 0x4f, 0xf9, 0xf7, 0xff, 0x2c, 0x89, 0x04}} , + {{0x30, 0x31, 0x54, 0x1a, 0x46, 0xca, 0xe6, 0xc6, 0xcb, 0xe2, 0xc3, 0xc1, 0x8b, 0x75, 0x81, 0xbe, 0xee, 0xf8, 0xa3, 0x11, 0x1c, 0x25, 0xa3, 0xa7, 0x35, 0x51, 0x55, 0xe2, 0x25, 0xaa, 0xe2, 0x3a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xb4, 0x48, 0x10, 0x9f, 0x8a, 0x09, 0x76, 0xfa, 0xf0, 0x7a, 0xb0, 0x70, 0xf7, 0x83, 0x80, 0x52, 0x84, 0x2b, 0x26, 0xa2, 0xc4, 0x5d, 0x4f, 0xba, 0xb1, 0xc8, 0x40, 0x0d, 0x78, 0x97, 0xc4, 0x60}} , + {{0xd4, 0xb1, 0x6c, 0x08, 0xc7, 0x40, 0x38, 0x73, 0x5f, 0x0b, 0xf3, 0x76, 0x5d, 0xb2, 0xa5, 0x2f, 0x57, 0x57, 0x07, 0xed, 0x08, 0xa2, 0x6c, 0x4f, 0x08, 0x02, 0xb5, 0x0e, 0xee, 0x44, 0xfa, 0x22}}}, +{{{0x0f, 0x00, 0x3f, 0xa6, 0x04, 0x19, 0x56, 0x65, 0x31, 0x7f, 0x8b, 0xeb, 0x0d, 0xe1, 0x47, 0x89, 0x97, 0x16, 0x53, 0xfa, 0x81, 0xa7, 0xaa, 0xb2, 0xbf, 0x67, 0xeb, 0x72, 0x60, 0x81, 0x0d, 0x48}} , + {{0x7e, 0x13, 0x33, 0xcd, 0xa8, 0x84, 0x56, 0x1e, 0x67, 0xaf, 0x6b, 0x43, 0xac, 0x17, 0xaf, 0x16, 0xc0, 0x52, 0x99, 0x49, 0x5b, 0x87, 0x73, 0x7e, 0xb5, 0x43, 0xda, 0x6b, 0x1d, 0x0f, 0x2d, 0x55}}}, +{{{0xe9, 0x58, 0x1f, 0xff, 0x84, 0x3f, 0x93, 0x1c, 0xcb, 0xe1, 0x30, 0x69, 0xa5, 0x75, 0x19, 0x7e, 0x14, 0x5f, 0xf8, 0xfc, 0x09, 0xdd, 0xa8, 0x78, 0x9d, 0xca, 0x59, 0x8b, 0xd1, 0x30, 0x01, 0x13}} , + {{0xff, 0x76, 0x03, 0xc5, 0x4b, 0x89, 0x99, 0x70, 0x00, 0x59, 0x70, 0x9c, 0xd5, 0xd9, 0x11, 0x89, 0x5a, 0x46, 0xfe, 0xef, 0xdc, 0xd9, 0x55, 0x2b, 0x45, 0xa7, 0xb0, 0x2d, 0xfb, 0x24, 0xc2, 0x29}}}, +{{{0x38, 0x06, 0xf8, 0x0b, 0xac, 0x82, 0xc4, 0x97, 0x2b, 0x90, 0xe0, 0xf7, 0xa8, 0xab, 0x6c, 0x08, 0x80, 0x66, 0x90, 0x46, 0xf7, 0x26, 0x2d, 0xf8, 0xf1, 0xc4, 0x6b, 0x4a, 0x82, 0x98, 0x8e, 0x37}} , + {{0x8e, 0xb4, 0xee, 0xb8, 0xd4, 0x3f, 0xb2, 0x1b, 0xe0, 0x0a, 0x3d, 0x75, 0x34, 0x28, 0xa2, 0x8e, 0xc4, 0x92, 0x7b, 0xfe, 0x60, 0x6e, 0x6d, 0xb8, 0x31, 0x1d, 0x62, 0x0d, 0x78, 0x14, 0x42, 0x11}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x5e, 0xa8, 0xd8, 0x04, 0x9b, 0x73, 0xc9, 0xc9, 0xdc, 0x0d, 0x73, 0xbf, 0x0a, 0x0a, 0x73, 0xff, 0x18, 0x1f, 0x9c, 0x51, 0xaa, 0xc6, 0xf1, 0x83, 0x25, 0xfd, 0xab, 0xa3, 0x11, 0xd3, 0x01, 0x24}} , + {{0x4d, 0xe3, 0x7e, 0x38, 0x62, 0x5e, 0x64, 0xbb, 0x2b, 0x53, 0xb5, 0x03, 0x68, 0xc4, 0xf2, 0x2b, 0x5a, 0x03, 0x32, 0x99, 0x4a, 0x41, 0x9a, 0xe1, 0x1a, 0xae, 0x8c, 0x48, 0xf3, 0x24, 0x32, 0x65}}}, +{{{0xe8, 0xdd, 0xad, 0x3a, 0x8c, 0xea, 0xf4, 0xb3, 0xb2, 0xe5, 0x73, 0xf2, 0xed, 0x8b, 0xbf, 0xed, 0xb1, 0x0c, 0x0c, 0xfb, 0x2b, 0xf1, 0x01, 0x48, 0xe8, 0x26, 0x03, 0x8e, 0x27, 0x4d, 0x96, 0x72}} , + {{0xc8, 0x09, 0x3b, 0x60, 0xc9, 0x26, 0x4d, 0x7c, 0xf2, 0x9c, 0xd4, 0xa1, 0x3b, 0x26, 0xc2, 0x04, 0x33, 0x44, 0x76, 0x3c, 0x02, 0xbb, 0x11, 0x42, 0x0c, 0x22, 0xb7, 0xc6, 0xe1, 0xac, 0xb4, 0x0e}}}, +{{{0x6f, 0x85, 0xe7, 0xef, 0xde, 0x67, 0x30, 0xfc, 0xbf, 0x5a, 0xe0, 0x7b, 0x7a, 0x2a, 0x54, 0x6b, 0x5d, 0x62, 0x85, 0xa1, 0xf8, 0x16, 0x88, 0xec, 0x61, 0xb9, 0x96, 0xb5, 0xef, 0x2d, 0x43, 0x4d}} , + {{0x7c, 0x31, 0x33, 0xcc, 0xe4, 0xcf, 0x6c, 0xff, 0x80, 0x47, 0x77, 0xd1, 0xd8, 0xe9, 0x69, 0x97, 0x98, 0x7f, 0x20, 0x57, 0x1d, 0x1d, 0x4f, 0x08, 0x27, 0xc8, 0x35, 0x57, 0x40, 0xc6, 0x21, 0x0c}}}, +{{{0xd2, 0x8e, 0x9b, 0xfa, 0x42, 0x8e, 0xdf, 0x8f, 0xc7, 0x86, 0xf9, 0xa4, 0xca, 0x70, 0x00, 0x9d, 0x21, 0xbf, 0xec, 0x57, 0x62, 0x30, 0x58, 0x8c, 0x0d, 0x35, 0xdb, 0x5d, 0x8b, 0x6a, 0xa0, 0x5a}} , + {{0xc1, 0x58, 0x7c, 0x0d, 0x20, 0xdd, 0x11, 0x26, 0x5f, 0x89, 0x3b, 0x97, 0x58, 0xf8, 0x8b, 0xe3, 0xdf, 0x32, 0xe2, 0xfc, 0xd8, 0x67, 0xf2, 0xa5, 0x37, 0x1e, 0x6d, 0xec, 0x7c, 0x27, 0x20, 0x79}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xd0, 0xe9, 0xc0, 0xfa, 0x95, 0x45, 0x23, 0x96, 0xf1, 0x2c, 0x79, 0x25, 0x14, 0xce, 0x40, 0x14, 0x44, 0x2c, 0x36, 0x50, 0xd9, 0x63, 0x56, 0xb7, 0x56, 0x3b, 0x9e, 0xa7, 0xef, 0x89, 0xbb, 0x0e}} , + {{0xce, 0x7f, 0xdc, 0x0a, 0xcc, 0x82, 0x1c, 0x0a, 0x78, 0x71, 0xe8, 0x74, 0x8d, 0x01, 0x30, 0x0f, 0xa7, 0x11, 0x4c, 0xdf, 0x38, 0xd7, 0xa7, 0x0d, 0xf8, 0x48, 0x52, 0x00, 0x80, 0x7b, 0x5f, 0x0e}}}, +{{{0x25, 0x83, 0xe6, 0x94, 0x7b, 0x81, 0xb2, 0x91, 0xae, 0x0e, 0x05, 0xc9, 0xa3, 0x68, 0x2d, 0xd9, 0x88, 0x25, 0x19, 0x2a, 0x61, 0x61, 0x21, 0x97, 0x15, 0xa1, 0x35, 0xa5, 0x46, 0xc8, 0xa2, 0x0e}} , + {{0x1b, 0x03, 0x0d, 0x8b, 0x5a, 0x1b, 0x97, 0x4b, 0xf2, 0x16, 0x31, 0x3d, 0x1f, 0x33, 0xa0, 0x50, 0x3a, 0x18, 0xbe, 0x13, 0xa1, 0x76, 0xc1, 0xba, 0x1b, 0xf1, 0x05, 0x7b, 0x33, 0xa8, 0x82, 0x3b}}}, +{{{0xba, 0x36, 0x7b, 0x6d, 0xa9, 0xea, 0x14, 0x12, 0xc5, 0xfa, 0x91, 0x00, 0xba, 0x9b, 0x99, 0xcc, 0x56, 0x02, 0xe9, 0xa0, 0x26, 0x40, 0x66, 0x8c, 0xc4, 0xf8, 0x85, 0x33, 0x68, 0xe7, 0x03, 0x20}} , + {{0x50, 0x5b, 0xff, 0xa9, 0xb2, 0xf1, 0xf1, 0x78, 0xcf, 0x14, 0xa4, 0xa9, 0xfc, 0x09, 0x46, 0x94, 0x54, 0x65, 0x0d, 0x9c, 0x5f, 0x72, 0x21, 0xe2, 0x97, 0xa5, 0x2d, 0x81, 0xce, 0x4a, 0x5f, 0x79}}}, +{{{0x3d, 0x5f, 0x5c, 0xd2, 0xbc, 0x7d, 0x77, 0x0e, 0x2a, 0x6d, 0x22, 0x45, 0x84, 0x06, 0xc4, 0xdd, 0xc6, 0xa6, 0xc6, 0xd7, 0x49, 0xad, 0x6d, 0x87, 0x91, 0x0e, 0x3a, 0x67, 0x1d, 0x2c, 0x1d, 0x56}} , + {{0xfe, 0x7a, 0x74, 0xcf, 0xd4, 0xd2, 0xe5, 0x19, 0xde, 0xd0, 0xdb, 0x70, 0x23, 0x69, 0xe6, 0x6d, 0xec, 0xec, 0xcc, 0x09, 0x33, 0x6a, 0x77, 0xdc, 0x6b, 0x22, 0x76, 0x5d, 0x92, 0x09, 0xac, 0x2d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x23, 0x15, 0x17, 0xeb, 0xd3, 0xdb, 0x12, 0x5e, 0x01, 0xf0, 0x91, 0xab, 0x2c, 0x41, 0xce, 0xac, 0xed, 0x1b, 0x4b, 0x2d, 0xbc, 0xdb, 0x17, 0x66, 0x89, 0x46, 0xad, 0x4b, 0x1e, 0x6f, 0x0b, 0x14}} , + {{0x11, 0xce, 0xbf, 0xb6, 0x77, 0x2d, 0x48, 0x22, 0x18, 0x4f, 0xa3, 0x5d, 0x4a, 0xb0, 0x70, 0x12, 0x3e, 0x54, 0xd7, 0xd8, 0x0e, 0x2b, 0x27, 0xdc, 0x53, 0xff, 0xca, 0x8c, 0x59, 0xb3, 0x4e, 0x44}}}, +{{{0x07, 0x76, 0x61, 0x0f, 0x66, 0xb2, 0x21, 0x39, 0x7e, 0xc0, 0xec, 0x45, 0x28, 0x82, 0xa1, 0x29, 0x32, 0x44, 0x35, 0x13, 0x5e, 0x61, 0x5e, 0x54, 0xcb, 0x7c, 0xef, 0xf6, 0x41, 0xcf, 0x9f, 0x0a}} , + {{0xdd, 0xf9, 0xda, 0x84, 0xc3, 0xe6, 0x8a, 0x9f, 0x24, 0xd2, 0x96, 0x5d, 0x39, 0x6f, 0x58, 0x8c, 0xc1, 0x56, 0x93, 0xab, 0xb5, 0x79, 0x3b, 0xd2, 0xa8, 0x73, 0x16, 0xed, 0xfa, 0xb4, 0x2f, 0x73}}}, +{{{0x8b, 0xb1, 0x95, 0xe5, 0x92, 0x50, 0x35, 0x11, 0x76, 0xac, 0xf4, 0x4d, 0x24, 0xc3, 0x32, 0xe6, 0xeb, 0xfe, 0x2c, 0x87, 0xc4, 0xf1, 0x56, 0xc4, 0x75, 0x24, 0x7a, 0x56, 0x85, 0x5a, 0x3a, 0x13}} , + {{0x0d, 0x16, 0xac, 0x3c, 0x4a, 0x58, 0x86, 0x3a, 0x46, 0x7f, 0x6c, 0xa3, 0x52, 0x6e, 0x37, 0xe4, 0x96, 0x9c, 0xe9, 0x5c, 0x66, 0x41, 0x67, 0xe4, 0xfb, 0x79, 0x0c, 0x05, 0xf6, 0x64, 0xd5, 0x7c}}}, +{{{0x28, 0xc1, 0xe1, 0x54, 0x73, 0xf2, 0xbf, 0x76, 0x74, 0x19, 0x19, 0x1b, 0xe4, 0xb9, 0xa8, 0x46, 0x65, 0x73, 0xf3, 0x77, 0x9b, 0x29, 0x74, 0x5b, 0xc6, 0x89, 0x6c, 0x2c, 0x7c, 0xf8, 0xb3, 0x0f}} , + {{0xf7, 0xd5, 0xe9, 0x74, 0x5d, 0xb8, 0x25, 0x16, 0xb5, 0x30, 0xbc, 0x84, 0xc5, 0xf0, 0xad, 0xca, 0x12, 0x28, 0xbc, 0x9d, 0xd4, 0xfa, 0x82, 0xe6, 0xe3, 0xbf, 0xa2, 0x15, 0x2c, 0xd4, 0x34, 0x10}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x61, 0xb1, 0x46, 0xba, 0x0e, 0x31, 0xa5, 0x67, 0x6c, 0x7f, 0xd6, 0xd9, 0x27, 0x85, 0x0f, 0x79, 0x14, 0xc8, 0x6c, 0x2f, 0x5f, 0x5b, 0x9c, 0x35, 0x3d, 0x38, 0x86, 0x77, 0x65, 0x55, 0x6a, 0x7b}} , + {{0xd3, 0xb0, 0x3a, 0x66, 0x60, 0x1b, 0x43, 0xf1, 0x26, 0x58, 0x99, 0x09, 0x8f, 0x2d, 0xa3, 0x14, 0x71, 0x85, 0xdb, 0xed, 0xf6, 0x26, 0xd5, 0x61, 0x9a, 0x73, 0xac, 0x0e, 0xea, 0xac, 0xb7, 0x0c}}}, +{{{0x5e, 0xf4, 0xe5, 0x17, 0x0e, 0x10, 0x9f, 0xe7, 0x43, 0x5f, 0x67, 0x5c, 0xac, 0x4b, 0xe5, 0x14, 0x41, 0xd2, 0xbf, 0x48, 0xf5, 0x14, 0xb0, 0x71, 0xc6, 0x61, 0xc1, 0xb2, 0x70, 0x58, 0xd2, 0x5a}} , + {{0x2d, 0xba, 0x16, 0x07, 0x92, 0x94, 0xdc, 0xbd, 0x50, 0x2b, 0xc9, 0x7f, 0x42, 0x00, 0xba, 0x61, 0xed, 0xf8, 0x43, 0xed, 0xf5, 0xf9, 0x40, 0x60, 0xb2, 0xb0, 0x82, 0xcb, 0xed, 0x75, 0xc7, 0x65}}}, +{{{0x80, 0xba, 0x0d, 0x09, 0x40, 0xa7, 0x39, 0xa6, 0x67, 0x34, 0x7e, 0x66, 0xbe, 0x56, 0xfb, 0x53, 0x78, 0xc4, 0x46, 0xe8, 0xed, 0x68, 0x6c, 0x7f, 0xce, 0xe8, 0x9f, 0xce, 0xa2, 0x64, 0x58, 0x53}} , + {{0xe8, 0xc1, 0xa9, 0xc2, 0x7b, 0x59, 0x21, 0x33, 0xe2, 0x43, 0x73, 0x2b, 0xac, 0x2d, 0xc1, 0x89, 0x3b, 0x15, 0xe2, 0xd5, 0xc0, 0x97, 0x8a, 0xfd, 0x6f, 0x36, 0x33, 0xb7, 0xb9, 0xc3, 0x88, 0x09}}}, +{{{0xd0, 0xb6, 0x56, 0x30, 0x5c, 0xae, 0xb3, 0x75, 0x44, 0xa4, 0x83, 0x51, 0x6e, 0x01, 0x65, 0xef, 0x45, 0x76, 0xe6, 0xf5, 0xa2, 0x0d, 0xd4, 0x16, 0x3b, 0x58, 0x2f, 0xf2, 0x2f, 0x36, 0x18, 0x3f}} , + {{0xfd, 0x2f, 0xe0, 0x9b, 0x1e, 0x8c, 0xc5, 0x18, 0xa9, 0xca, 0xd4, 0x2b, 0x35, 0xb6, 0x95, 0x0a, 0x9f, 0x7e, 0xfb, 0xc4, 0xef, 0x88, 0x7b, 0x23, 0x43, 0xec, 0x2f, 0x0d, 0x0f, 0x7a, 0xfc, 0x5c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x8d, 0xd2, 0xda, 0xc7, 0x44, 0xd6, 0x7a, 0xdb, 0x26, 0x7d, 0x1d, 0xb8, 0xe1, 0xde, 0x9d, 0x7a, 0x7d, 0x17, 0x7e, 0x1c, 0x37, 0x04, 0x8d, 0x2d, 0x7c, 0x5e, 0x18, 0x38, 0x1e, 0xaf, 0xc7, 0x1b}} , + {{0x33, 0x48, 0x31, 0x00, 0x59, 0xf6, 0xf2, 0xca, 0x0f, 0x27, 0x1b, 0x63, 0x12, 0x7e, 0x02, 0x1d, 0x49, 0xc0, 0x5d, 0x79, 0x87, 0xef, 0x5e, 0x7a, 0x2f, 0x1f, 0x66, 0x55, 0xd8, 0x09, 0xd9, 0x61}}}, +{{{0x54, 0x83, 0x02, 0x18, 0x82, 0x93, 0x99, 0x07, 0xd0, 0xa7, 0xda, 0xd8, 0x75, 0x89, 0xfa, 0xf2, 0xd9, 0xa3, 0xb8, 0x6b, 0x5a, 0x35, 0x28, 0xd2, 0x6b, 0x59, 0xc2, 0xf8, 0x45, 0xe2, 0xbc, 0x06}} , + {{0x65, 0xc0, 0xa3, 0x88, 0x51, 0x95, 0xfc, 0x96, 0x94, 0x78, 0xe8, 0x0d, 0x8b, 0x41, 0xc9, 0xc2, 0x58, 0x48, 0x75, 0x10, 0x2f, 0xcd, 0x2a, 0xc9, 0xa0, 0x6d, 0x0f, 0xdd, 0x9c, 0x98, 0x26, 0x3d}}}, +{{{0x2f, 0x66, 0x29, 0x1b, 0x04, 0x89, 0xbd, 0x7e, 0xee, 0x6e, 0xdd, 0xb7, 0x0e, 0xef, 0xb0, 0x0c, 0xb4, 0xfc, 0x7f, 0xc2, 0xc9, 0x3a, 0x3c, 0x64, 0xef, 0x45, 0x44, 0xaf, 0x8a, 0x90, 0x65, 0x76}} , + {{0xa1, 0x4c, 0x70, 0x4b, 0x0e, 0xa0, 0x83, 0x70, 0x13, 0xa4, 0xaf, 0xb8, 0x38, 0x19, 0x22, 0x65, 0x09, 0xb4, 0x02, 0x4f, 0x06, 0xf8, 0x17, 0xce, 0x46, 0x45, 0xda, 0x50, 0x7c, 0x8a, 0xd1, 0x4e}}}, +{{{0xf7, 0xd4, 0x16, 0x6c, 0x4e, 0x95, 0x9d, 0x5d, 0x0f, 0x91, 0x2b, 0x52, 0xfe, 0x5c, 0x34, 0xe5, 0x30, 0xe6, 0xa4, 0x3b, 0xf3, 0xf3, 0x34, 0x08, 0xa9, 0x4a, 0xa0, 0xb5, 0x6e, 0xb3, 0x09, 0x0a}} , + {{0x26, 0xd9, 0x5e, 0xa3, 0x0f, 0xeb, 0xa2, 0xf3, 0x20, 0x3b, 0x37, 0xd4, 0xe4, 0x9e, 0xce, 0x06, 0x3d, 0x53, 0xed, 0xae, 0x2b, 0xeb, 0xb6, 0x24, 0x0a, 0x11, 0xa3, 0x0f, 0xd6, 0x7f, 0xa4, 0x3a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xdb, 0x9f, 0x2c, 0xfc, 0xd6, 0xb2, 0x1e, 0x2e, 0x52, 0x7a, 0x06, 0x87, 0x2d, 0x86, 0x72, 0x2b, 0x6d, 0x90, 0x77, 0x46, 0x43, 0xb5, 0x7a, 0xf8, 0x60, 0x7d, 0x91, 0x60, 0x5b, 0x9d, 0x9e, 0x07}} , + {{0x97, 0x87, 0xc7, 0x04, 0x1c, 0x38, 0x01, 0x39, 0x58, 0xc7, 0x85, 0xa3, 0xfc, 0x64, 0x00, 0x64, 0x25, 0xa2, 0xbf, 0x50, 0x94, 0xca, 0x26, 0x31, 0x45, 0x0a, 0x24, 0xd2, 0x51, 0x29, 0x51, 0x16}}}, +{{{0x4d, 0x4a, 0xd7, 0x98, 0x71, 0x57, 0xac, 0x7d, 0x8b, 0x37, 0xbd, 0x63, 0xff, 0x87, 0xb1, 0x49, 0x95, 0x20, 0x7c, 0xcf, 0x7c, 0x59, 0xc4, 0x91, 0x9c, 0xef, 0xd0, 0xdb, 0x60, 0x09, 0x9d, 0x46}} , + {{0xcb, 0x78, 0x94, 0x90, 0xe4, 0x45, 0xb3, 0xf6, 0xd9, 0xf6, 0x57, 0x74, 0xd5, 0xf8, 0x83, 0x4f, 0x39, 0xc9, 0xbd, 0x88, 0xc2, 0x57, 0x21, 0x1f, 0x24, 0x32, 0x68, 0xf8, 0xc7, 0x21, 0x5f, 0x0b}}}, +{{{0x2a, 0x36, 0x68, 0xfc, 0x5f, 0xb6, 0x4f, 0xa5, 0xe3, 0x9d, 0x24, 0x2f, 0xc0, 0x93, 0x61, 0xcf, 0xf8, 0x0a, 0xed, 0xe1, 0xdb, 0x27, 0xec, 0x0e, 0x14, 0x32, 0x5f, 0x8e, 0xa1, 0x62, 0x41, 0x16}} , + {{0x95, 0x21, 0x01, 0xce, 0x95, 0x5b, 0x0e, 0x57, 0xc7, 0xb9, 0x62, 0xb5, 0x28, 0xca, 0x11, 0xec, 0xb4, 0x46, 0x06, 0x73, 0x26, 0xff, 0xfb, 0x66, 0x7d, 0xee, 0x5f, 0xb2, 0x56, 0xfd, 0x2a, 0x08}}}, +{{{0x92, 0x67, 0x77, 0x56, 0xa1, 0xff, 0xc4, 0xc5, 0x95, 0xf0, 0xe3, 0x3a, 0x0a, 0xca, 0x94, 0x4d, 0x9e, 0x7e, 0x3d, 0xb9, 0x6e, 0xb6, 0xb0, 0xce, 0xa4, 0x30, 0x89, 0x99, 0xe9, 0xad, 0x11, 0x59}} , + {{0xf6, 0x48, 0x95, 0xa1, 0x6f, 0x5f, 0xb7, 0xa5, 0xbb, 0x30, 0x00, 0x1c, 0xd2, 0x8a, 0xd6, 0x25, 0x26, 0x1b, 0xb2, 0x0d, 0x37, 0x6a, 0x05, 0xf4, 0x9d, 0x3e, 0x17, 0x2a, 0x43, 0xd2, 0x3a, 0x06}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x32, 0x99, 0x93, 0xd1, 0x9a, 0x72, 0xf3, 0xa9, 0x16, 0xbd, 0xb4, 0x4c, 0xdd, 0xf9, 0xd4, 0xb2, 0x64, 0x9a, 0xd3, 0x05, 0xe4, 0xa3, 0x73, 0x1c, 0xcb, 0x7e, 0x57, 0x67, 0xff, 0x04, 0xb3, 0x10}} , + {{0xb9, 0x4b, 0xa4, 0xad, 0xd0, 0x6d, 0x61, 0x23, 0xb4, 0xaf, 0x34, 0xa9, 0xaa, 0x65, 0xec, 0xd9, 0x69, 0xe3, 0x85, 0xcd, 0xcc, 0xe7, 0xb0, 0x9b, 0x41, 0xc1, 0x1c, 0xf9, 0xa0, 0xfa, 0xb7, 0x13}}}, +{{{0x04, 0xfd, 0x88, 0x3c, 0x0c, 0xd0, 0x09, 0x52, 0x51, 0x4f, 0x06, 0x19, 0xcc, 0xc3, 0xbb, 0xde, 0x80, 0xc5, 0x33, 0xbc, 0xf9, 0xf3, 0x17, 0x36, 0xdd, 0xc6, 0xde, 0xe8, 0x9b, 0x5d, 0x79, 0x1b}} , + {{0x65, 0x0a, 0xbe, 0x51, 0x57, 0xad, 0x50, 0x79, 0x08, 0x71, 0x9b, 0x07, 0x95, 0x8f, 0xfb, 0xae, 0x4b, 0x38, 0xba, 0xcf, 0x53, 0x2a, 0x86, 0x1e, 0xc0, 0x50, 0x5c, 0x67, 0x1b, 0xf6, 0x87, 0x6c}}}, +{{{0x4f, 0x00, 0xb2, 0x66, 0x55, 0xed, 0x4a, 0xed, 0x8d, 0xe1, 0x66, 0x18, 0xb2, 0x14, 0x74, 0x8d, 0xfd, 0x1a, 0x36, 0x0f, 0x26, 0x5c, 0x8b, 0x89, 0xf3, 0xab, 0xf2, 0xf3, 0x24, 0x67, 0xfd, 0x70}} , + {{0xfd, 0x4e, 0x2a, 0xc1, 0x3a, 0xca, 0x8f, 0x00, 0xd8, 0xec, 0x74, 0x67, 0xef, 0x61, 0xe0, 0x28, 0xd0, 0x96, 0xf4, 0x48, 0xde, 0x81, 0xe3, 0xef, 0xdc, 0xaa, 0x7d, 0xf3, 0xb6, 0x55, 0xa6, 0x65}}}, +{{{0xeb, 0xcb, 0xc5, 0x70, 0x91, 0x31, 0x10, 0x93, 0x0d, 0xc8, 0xd0, 0xef, 0x62, 0xe8, 0x6f, 0x82, 0xe3, 0x69, 0x3d, 0x91, 0x7f, 0x31, 0xe1, 0x26, 0x35, 0x3c, 0x4a, 0x2f, 0xab, 0xc4, 0x9a, 0x5e}} , + {{0xab, 0x1b, 0xb5, 0xe5, 0x2b, 0xc3, 0x0e, 0x29, 0xb0, 0xd0, 0x73, 0xe6, 0x4f, 0x64, 0xf2, 0xbc, 0xe4, 0xe4, 0xe1, 0x9a, 0x52, 0x33, 0x2f, 0xbd, 0xcc, 0x03, 0xee, 0x8a, 0xfa, 0x00, 0x5f, 0x50}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xf6, 0xdb, 0x0d, 0x22, 0x3d, 0xb5, 0x14, 0x75, 0x31, 0xf0, 0x81, 0xe2, 0xb9, 0x37, 0xa2, 0xa9, 0x84, 0x11, 0x9a, 0x07, 0xb5, 0x53, 0x89, 0x78, 0xa9, 0x30, 0x27, 0xa1, 0xf1, 0x4e, 0x5c, 0x2e}} , + {{0x8b, 0x00, 0x54, 0xfb, 0x4d, 0xdc, 0xcb, 0x17, 0x35, 0x40, 0xff, 0xb7, 0x8c, 0xfe, 0x4a, 0xe4, 0x4e, 0x99, 0x4e, 0xa8, 0x74, 0x54, 0x5d, 0x5c, 0x96, 0xa3, 0x12, 0x55, 0x36, 0x31, 0x17, 0x5c}}}, +{{{0xce, 0x24, 0xef, 0x7b, 0x86, 0xf2, 0x0f, 0x77, 0xe8, 0x5c, 0x7d, 0x87, 0x38, 0x2d, 0xef, 0xaf, 0xf2, 0x8c, 0x72, 0x2e, 0xeb, 0xb6, 0x55, 0x4b, 0x6e, 0xf1, 0x4e, 0x8a, 0x0e, 0x9a, 0x6c, 0x4c}} , + {{0x25, 0xea, 0x86, 0xc2, 0xd1, 0x4f, 0xb7, 0x3e, 0xa8, 0x5c, 0x8d, 0x66, 0x81, 0x25, 0xed, 0xc5, 0x4c, 0x05, 0xb9, 0xd8, 0xd6, 0x70, 0xbe, 0x73, 0x82, 0xe8, 0xa1, 0xe5, 0x1e, 0x71, 0xd5, 0x26}}}, +{{{0x4e, 0x6d, 0xc3, 0xa7, 0x4f, 0x22, 0x45, 0x26, 0xa2, 0x7e, 0x16, 0xf7, 0xf7, 0x63, 0xdc, 0x86, 0x01, 0x2a, 0x71, 0x38, 0x5c, 0x33, 0xc3, 0xce, 0x30, 0xff, 0xf9, 0x2c, 0x91, 0x71, 0x8a, 0x72}} , + {{0x8c, 0x44, 0x09, 0x28, 0xd5, 0x23, 0xc9, 0x8f, 0xf3, 0x84, 0x45, 0xc6, 0x9a, 0x5e, 0xff, 0xd2, 0xc7, 0x57, 0x93, 0xa3, 0xc1, 0x69, 0xdd, 0x62, 0x0f, 0xda, 0x5c, 0x30, 0x59, 0x5d, 0xe9, 0x4c}}}, +{{{0x92, 0x7e, 0x50, 0x27, 0x72, 0xd7, 0x0c, 0xd6, 0x69, 0x96, 0x81, 0x35, 0x84, 0x94, 0x35, 0x8b, 0x6c, 0xaa, 0x62, 0x86, 0x6e, 0x1c, 0x15, 0xf3, 0x6c, 0xb3, 0xff, 0x65, 0x1b, 0xa2, 0x9b, 0x59}} , + {{0xe2, 0xa9, 0x65, 0x88, 0xc4, 0x50, 0xfa, 0xbb, 0x3b, 0x6e, 0x5f, 0x44, 0x01, 0xca, 0x97, 0xd4, 0xdd, 0xf6, 0xcd, 0x3f, 0x3f, 0xe5, 0x97, 0x67, 0x2b, 0x8c, 0x66, 0x0f, 0x35, 0x9b, 0xf5, 0x07}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xf1, 0x59, 0x27, 0xd8, 0xdb, 0x5a, 0x11, 0x5e, 0x82, 0xf3, 0x38, 0xff, 0x1c, 0xed, 0xfe, 0x3f, 0x64, 0x54, 0x3f, 0x7f, 0xd1, 0x81, 0xed, 0xef, 0x65, 0xc5, 0xcb, 0xfd, 0xe1, 0x80, 0xcd, 0x11}} , + {{0xe0, 0xdb, 0x22, 0x28, 0xe6, 0xff, 0x61, 0x9d, 0x41, 0x14, 0x2d, 0x3b, 0x26, 0x22, 0xdf, 0xf1, 0x34, 0x81, 0xe9, 0x45, 0xee, 0x0f, 0x98, 0x8b, 0xa6, 0x3f, 0xef, 0xf7, 0x43, 0x19, 0xf1, 0x43}}}, +{{{0xee, 0xf3, 0x00, 0xa1, 0x50, 0xde, 0xc0, 0xb6, 0x01, 0xe3, 0x8c, 0x3c, 0x4d, 0x31, 0xd2, 0xb0, 0x58, 0xcd, 0xed, 0x10, 0x4a, 0x7a, 0xef, 0x80, 0xa9, 0x19, 0x32, 0xf3, 0xd8, 0x33, 0x8c, 0x06}} , + {{0xcb, 0x7d, 0x4f, 0xff, 0x30, 0xd8, 0x12, 0x3b, 0x39, 0x1c, 0x06, 0xf9, 0x4c, 0x34, 0x35, 0x71, 0xb5, 0x16, 0x94, 0x67, 0xdf, 0xee, 0x11, 0xde, 0xa4, 0x1d, 0x88, 0x93, 0x35, 0xa9, 0x32, 0x10}}}, +{{{0xe9, 0xc3, 0xbc, 0x7b, 0x5c, 0xfc, 0xb2, 0xf9, 0xc9, 0x2f, 0xe5, 0xba, 0x3a, 0x0b, 0xab, 0x64, 0x38, 0x6f, 0x5b, 0x4b, 0x93, 0xda, 0x64, 0xec, 0x4d, 0x3d, 0xa0, 0xf5, 0xbb, 0xba, 0x47, 0x48}} , + {{0x60, 0xbc, 0x45, 0x1f, 0x23, 0xa2, 0x3b, 0x70, 0x76, 0xe6, 0x97, 0x99, 0x4f, 0x77, 0x54, 0x67, 0x30, 0x9a, 0xe7, 0x66, 0xd6, 0xcd, 0x2e, 0x51, 0x24, 0x2c, 0x42, 0x4a, 0x11, 0xfe, 0x6f, 0x7e}}}, +{{{0x87, 0xc0, 0xb1, 0xf0, 0xa3, 0x6f, 0x0c, 0x93, 0xa9, 0x0a, 0x72, 0xef, 0x5c, 0xbe, 0x65, 0x35, 0xa7, 0x6a, 0x4e, 0x2c, 0xbf, 0x21, 0x23, 0xe8, 0x2f, 0x97, 0xc7, 0x3e, 0xc8, 0x17, 0xac, 0x1e}} , + {{0x7b, 0xef, 0x21, 0xe5, 0x40, 0xcc, 0x1e, 0xdc, 0xd6, 0xbd, 0x97, 0x7a, 0x7c, 0x75, 0x86, 0x7a, 0x25, 0x5a, 0x6e, 0x7c, 0xe5, 0x51, 0x3c, 0x1b, 0x5b, 0x82, 0x9a, 0x07, 0x60, 0xa1, 0x19, 0x04}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x96, 0x88, 0xa6, 0xab, 0x8f, 0xe3, 0x3a, 0x49, 0xf8, 0xfe, 0x34, 0xe7, 0x6a, 0xb2, 0xfe, 0x40, 0x26, 0x74, 0x57, 0x4c, 0xf6, 0xd4, 0x99, 0xce, 0x5d, 0x7b, 0x2f, 0x67, 0xd6, 0x5a, 0xe4, 0x4e}} , + {{0x5c, 0x82, 0xb3, 0xbd, 0x55, 0x25, 0xf6, 0x6a, 0x93, 0xa4, 0x02, 0xc6, 0x7d, 0x5c, 0xb1, 0x2b, 0x5b, 0xff, 0xfb, 0x56, 0xf8, 0x01, 0x41, 0x90, 0xc6, 0xb6, 0xac, 0x4f, 0xfe, 0xa7, 0x41, 0x70}}}, +{{{0xdb, 0xfa, 0x9b, 0x2c, 0xd4, 0x23, 0x67, 0x2c, 0x8a, 0x63, 0x6c, 0x07, 0x26, 0x48, 0x4f, 0xc2, 0x03, 0xd2, 0x53, 0x20, 0x28, 0xed, 0x65, 0x71, 0x47, 0xa9, 0x16, 0x16, 0x12, 0xbc, 0x28, 0x33}} , + {{0x39, 0xc0, 0xfa, 0xfa, 0xcd, 0x33, 0x43, 0xc7, 0x97, 0x76, 0x9b, 0x93, 0x91, 0x72, 0xeb, 0xc5, 0x18, 0x67, 0x4c, 0x11, 0xf0, 0xf4, 0xe5, 0x73, 0xb2, 0x5c, 0x1b, 0xc2, 0x26, 0x3f, 0xbf, 0x2b}}}, +{{{0x86, 0xe6, 0x8c, 0x1d, 0xdf, 0xca, 0xfc, 0xd5, 0xf8, 0x3a, 0xc3, 0x44, 0x72, 0xe6, 0x78, 0x9d, 0x2b, 0x97, 0xf8, 0x28, 0x45, 0xb4, 0x20, 0xc9, 0x2a, 0x8c, 0x67, 0xaa, 0x11, 0xc5, 0x5b, 0x2f}} , + {{0x17, 0x0f, 0x86, 0x52, 0xd7, 0x9d, 0xc3, 0x44, 0x51, 0x76, 0x32, 0x65, 0xb4, 0x37, 0x81, 0x99, 0x46, 0x37, 0x62, 0xed, 0xcf, 0x64, 0x9d, 0x72, 0x40, 0x7a, 0x4c, 0x0b, 0x76, 0x2a, 0xfb, 0x56}}}, +{{{0x33, 0xa7, 0x90, 0x7c, 0xc3, 0x6f, 0x17, 0xa5, 0xa0, 0x67, 0x72, 0x17, 0xea, 0x7e, 0x63, 0x14, 0x83, 0xde, 0xc1, 0x71, 0x2d, 0x41, 0x32, 0x7a, 0xf3, 0xd1, 0x2b, 0xd8, 0x2a, 0xa6, 0x46, 0x36}} , + {{0xac, 0xcc, 0x6b, 0x7c, 0xf9, 0xb8, 0x8b, 0x08, 0x5c, 0xd0, 0x7d, 0x8f, 0x73, 0xea, 0x20, 0xda, 0x86, 0xca, 0x00, 0xc7, 0xad, 0x73, 0x4d, 0xe9, 0xe8, 0xa9, 0xda, 0x1f, 0x03, 0x06, 0xdd, 0x24}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x9c, 0xb2, 0x61, 0x0a, 0x98, 0x2a, 0xa5, 0xd7, 0xee, 0xa9, 0xac, 0x65, 0xcb, 0x0a, 0x1e, 0xe2, 0xbe, 0xdc, 0x85, 0x59, 0x0f, 0x9c, 0xa6, 0x57, 0x34, 0xa5, 0x87, 0xeb, 0x7b, 0x1e, 0x0c, 0x3c}} , + {{0x2f, 0xbd, 0x84, 0x63, 0x0d, 0xb5, 0xa0, 0xf0, 0x4b, 0x9e, 0x93, 0xc6, 0x34, 0x9a, 0x34, 0xff, 0x73, 0x19, 0x2f, 0x6e, 0x54, 0x45, 0x2c, 0x92, 0x31, 0x76, 0x34, 0xf1, 0xb2, 0x26, 0xe8, 0x74}}}, +{{{0x0a, 0x67, 0x90, 0x6d, 0x0c, 0x4c, 0xcc, 0xc0, 0xe6, 0xbd, 0xa7, 0x5e, 0x55, 0x8c, 0xcd, 0x58, 0x9b, 0x11, 0xa2, 0xbb, 0x4b, 0xb1, 0x43, 0x04, 0x3c, 0x55, 0xed, 0x23, 0xfe, 0xcd, 0xb1, 0x53}} , + {{0x05, 0xfb, 0x75, 0xf5, 0x01, 0xaf, 0x38, 0x72, 0x58, 0xfc, 0x04, 0x29, 0x34, 0x7a, 0x67, 0xa2, 0x08, 0x50, 0x6e, 0xd0, 0x2b, 0x73, 0xd5, 0xb8, 0xe4, 0x30, 0x96, 0xad, 0x45, 0xdf, 0xa6, 0x5c}}}, +{{{0x0d, 0x88, 0x1a, 0x90, 0x7e, 0xdc, 0xd8, 0xfe, 0xc1, 0x2f, 0x5d, 0x67, 0xee, 0x67, 0x2f, 0xed, 0x6f, 0x55, 0x43, 0x5f, 0x87, 0x14, 0x35, 0x42, 0xd3, 0x75, 0xae, 0xd5, 0xd3, 0x85, 0x1a, 0x76}} , + {{0x87, 0xc8, 0xa0, 0x6e, 0xe1, 0xb0, 0xad, 0x6a, 0x4a, 0x34, 0x71, 0xed, 0x7c, 0xd6, 0x44, 0x03, 0x65, 0x4a, 0x5c, 0x5c, 0x04, 0xf5, 0x24, 0x3f, 0xb0, 0x16, 0x5e, 0x8c, 0xb2, 0xd2, 0xc5, 0x20}}}, +{{{0x98, 0x83, 0xc2, 0x37, 0xa0, 0x41, 0xa8, 0x48, 0x5c, 0x5f, 0xbf, 0xc8, 0xfa, 0x24, 0xe0, 0x59, 0x2c, 0xbd, 0xf6, 0x81, 0x7e, 0x88, 0xe6, 0xca, 0x04, 0xd8, 0x5d, 0x60, 0xbb, 0x74, 0xa7, 0x0b}} , + {{0x21, 0x13, 0x91, 0xbf, 0x77, 0x7a, 0x33, 0xbc, 0xe9, 0x07, 0x39, 0x0a, 0xdd, 0x7d, 0x06, 0x10, 0x9a, 0xee, 0x47, 0x73, 0x1b, 0x15, 0x5a, 0xfb, 0xcd, 0x4d, 0xd0, 0xd2, 0x3a, 0x01, 0xba, 0x54}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x48, 0xd5, 0x39, 0x4a, 0x0b, 0x20, 0x6a, 0x43, 0xa0, 0x07, 0x82, 0x5e, 0x49, 0x7c, 0xc9, 0x47, 0xf1, 0x7c, 0x37, 0xb9, 0x23, 0xef, 0x6b, 0x46, 0x45, 0x8c, 0x45, 0x76, 0xdf, 0x14, 0x6b, 0x6e}} , + {{0x42, 0xc9, 0xca, 0x29, 0x4c, 0x76, 0x37, 0xda, 0x8a, 0x2d, 0x7c, 0x3a, 0x58, 0xf2, 0x03, 0xb4, 0xb5, 0xb9, 0x1a, 0x13, 0x2d, 0xde, 0x5f, 0x6b, 0x9d, 0xba, 0x52, 0xc9, 0x5d, 0xb3, 0xf3, 0x30}}}, +{{{0x4c, 0x6f, 0xfe, 0x6b, 0x0c, 0x62, 0xd7, 0x48, 0x71, 0xef, 0xb1, 0x85, 0x79, 0xc0, 0xed, 0x24, 0xb1, 0x08, 0x93, 0x76, 0x8e, 0xf7, 0x38, 0x8e, 0xeb, 0xfe, 0x80, 0x40, 0xaf, 0x90, 0x64, 0x49}} , + {{0x4a, 0x88, 0xda, 0xc1, 0x98, 0x44, 0x3c, 0x53, 0x4e, 0xdb, 0x4b, 0xb9, 0x12, 0x5f, 0xcd, 0x08, 0x04, 0xef, 0x75, 0xe7, 0xb1, 0x3a, 0xe5, 0x07, 0xfa, 0xca, 0x65, 0x7b, 0x72, 0x10, 0x64, 0x7f}}}, +{{{0x3d, 0x81, 0xf0, 0xeb, 0x16, 0xfd, 0x58, 0x33, 0x8d, 0x7c, 0x1a, 0xfb, 0x20, 0x2c, 0x8a, 0xee, 0x90, 0xbb, 0x33, 0x6d, 0x45, 0xe9, 0x8e, 0x99, 0x85, 0xe1, 0x08, 0x1f, 0xc5, 0xf1, 0xb5, 0x46}} , + {{0xe4, 0xe7, 0x43, 0x4b, 0xa0, 0x3f, 0x2b, 0x06, 0xba, 0x17, 0xae, 0x3d, 0xe6, 0xce, 0xbd, 0xb8, 0xed, 0x74, 0x11, 0x35, 0xec, 0x96, 0xfe, 0x31, 0xe3, 0x0e, 0x7a, 0x4e, 0xc9, 0x1d, 0xcb, 0x20}}}, +{{{0xe0, 0x67, 0xe9, 0x7b, 0xdb, 0x96, 0x5c, 0xb0, 0x32, 0xd0, 0x59, 0x31, 0x90, 0xdc, 0x92, 0x97, 0xac, 0x09, 0x38, 0x31, 0x0f, 0x7e, 0xd6, 0x5d, 0xd0, 0x06, 0xb6, 0x1f, 0xea, 0xf0, 0x5b, 0x07}} , + {{0x81, 0x9f, 0xc7, 0xde, 0x6b, 0x41, 0x22, 0x35, 0x14, 0x67, 0x77, 0x3e, 0x90, 0x81, 0xb0, 0xd9, 0x85, 0x4c, 0xca, 0x9b, 0x3f, 0x04, 0x59, 0xd6, 0xaa, 0x17, 0xc3, 0x88, 0x34, 0x37, 0xba, 0x43}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x4c, 0xb6, 0x69, 0xc8, 0x81, 0x95, 0x94, 0x33, 0x92, 0x34, 0xe9, 0x3c, 0x84, 0x0d, 0x3d, 0x5a, 0x37, 0x9c, 0x22, 0xa0, 0xaa, 0x65, 0xce, 0xb4, 0xc2, 0x2d, 0x66, 0x67, 0x02, 0xff, 0x74, 0x10}} , + {{0x22, 0xb0, 0xd5, 0xe6, 0xc7, 0xef, 0xb1, 0xa7, 0x13, 0xda, 0x60, 0xb4, 0x80, 0xc1, 0x42, 0x7d, 0x10, 0x70, 0x97, 0x04, 0x4d, 0xda, 0x23, 0x89, 0xc2, 0x0e, 0x68, 0xcb, 0xde, 0xe0, 0x9b, 0x29}}}, +{{{0x33, 0xfe, 0x42, 0x2a, 0x36, 0x2b, 0x2e, 0x36, 0x64, 0x5c, 0x8b, 0xcc, 0x81, 0x6a, 0x15, 0x08, 0xa1, 0x27, 0xe8, 0x57, 0xe5, 0x78, 0x8e, 0xf2, 0x58, 0x19, 0x12, 0x42, 0xae, 0xc4, 0x63, 0x3e}} , + {{0x78, 0x96, 0x9c, 0xa7, 0xca, 0x80, 0xae, 0x02, 0x85, 0xb1, 0x7c, 0x04, 0x5c, 0xc1, 0x5b, 0x26, 0xc1, 0xba, 0xed, 0xa5, 0x59, 0x70, 0x85, 0x8c, 0x8c, 0xe8, 0x87, 0xac, 0x6a, 0x28, 0x99, 0x35}}}, +{{{0x9f, 0x04, 0x08, 0x28, 0xbe, 0x87, 0xda, 0x80, 0x28, 0x38, 0xde, 0x9f, 0xcd, 0xe4, 0xe3, 0x62, 0xfb, 0x2e, 0x46, 0x8d, 0x01, 0xb3, 0x06, 0x51, 0xd4, 0x19, 0x3b, 0x11, 0xfa, 0xe2, 0xad, 0x1e}} , + {{0xa0, 0x20, 0x99, 0x69, 0x0a, 0xae, 0xa3, 0x70, 0x4e, 0x64, 0x80, 0xb7, 0x85, 0x9c, 0x87, 0x54, 0x43, 0x43, 0x55, 0x80, 0x6d, 0x8d, 0x7c, 0xa9, 0x64, 0xca, 0x6c, 0x2e, 0x21, 0xd8, 0xc8, 0x6c}}}, +{{{0x91, 0x4a, 0x07, 0xad, 0x08, 0x75, 0xc1, 0x4f, 0xa4, 0xb2, 0xc3, 0x6f, 0x46, 0x3e, 0xb1, 0xce, 0x52, 0xab, 0x67, 0x09, 0x54, 0x48, 0x6b, 0x6c, 0xd7, 0x1d, 0x71, 0x76, 0xcb, 0xff, 0xdd, 0x31}} , + {{0x36, 0x88, 0xfa, 0xfd, 0xf0, 0x36, 0x6f, 0x07, 0x74, 0x88, 0x50, 0xd0, 0x95, 0x38, 0x4a, 0x48, 0x2e, 0x07, 0x64, 0x97, 0x11, 0x76, 0x01, 0x1a, 0x27, 0x4d, 0x8e, 0x25, 0x9a, 0x9b, 0x1c, 0x22}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xbe, 0x57, 0xbd, 0x0e, 0x0f, 0xac, 0x5e, 0x76, 0xa3, 0x71, 0xad, 0x2b, 0x10, 0x45, 0x02, 0xec, 0x59, 0xd5, 0x5d, 0xa9, 0x44, 0xcc, 0x25, 0x4c, 0xb3, 0x3c, 0x5b, 0x69, 0x07, 0x55, 0x26, 0x6b}} , + {{0x30, 0x6b, 0xd4, 0xa7, 0x51, 0x29, 0xe3, 0xf9, 0x7a, 0x75, 0x2a, 0x82, 0x2f, 0xd6, 0x1d, 0x99, 0x2b, 0x80, 0xd5, 0x67, 0x1e, 0x15, 0x9d, 0xca, 0xfd, 0xeb, 0xac, 0x97, 0x35, 0x09, 0x7f, 0x3f}}}, +{{{0x35, 0x0d, 0x34, 0x0a, 0xb8, 0x67, 0x56, 0x29, 0x20, 0xf3, 0x19, 0x5f, 0xe2, 0x83, 0x42, 0x73, 0x53, 0xa8, 0xc5, 0x02, 0x19, 0x33, 0xb4, 0x64, 0xbd, 0xc3, 0x87, 0x8c, 0xd7, 0x76, 0xed, 0x25}} , + {{0x47, 0x39, 0x37, 0x76, 0x0d, 0x1d, 0x0c, 0xf5, 0x5a, 0x6d, 0x43, 0x88, 0x99, 0x15, 0xb4, 0x52, 0x0f, 0x2a, 0xb3, 0xb0, 0x3f, 0xa6, 0xb3, 0x26, 0xb3, 0xc7, 0x45, 0xf5, 0x92, 0x5f, 0x9b, 0x17}}}, +{{{0x9d, 0x23, 0xbd, 0x15, 0xfe, 0x52, 0x52, 0x15, 0x26, 0x79, 0x86, 0xba, 0x06, 0x56, 0x66, 0xbb, 0x8c, 0x2e, 0x10, 0x11, 0xd5, 0x4a, 0x18, 0x52, 0xda, 0x84, 0x44, 0xf0, 0x3e, 0xe9, 0x8c, 0x35}} , + {{0xad, 0xa0, 0x41, 0xec, 0xc8, 0x4d, 0xb9, 0xd2, 0x6e, 0x96, 0x4e, 0x5b, 0xc5, 0xc2, 0xa0, 0x1b, 0xcf, 0x0c, 0xbf, 0x17, 0x66, 0x57, 0xc1, 0x17, 0x90, 0x45, 0x71, 0xc2, 0xe1, 0x24, 0xeb, 0x27}}}, +{{{0x2c, 0xb9, 0x42, 0xa4, 0xaf, 0x3b, 0x42, 0x0e, 0xc2, 0x0f, 0xf2, 0xea, 0x83, 0xaf, 0x9a, 0x13, 0x17, 0xb0, 0xbd, 0x89, 0x17, 0xe3, 0x72, 0xcb, 0x0e, 0x76, 0x7e, 0x41, 0x63, 0x04, 0x88, 0x71}} , + {{0x75, 0x78, 0x38, 0x86, 0x57, 0xdd, 0x9f, 0xee, 0x54, 0x70, 0x65, 0xbf, 0xf1, 0x2c, 0xe0, 0x39, 0x0d, 0xe3, 0x89, 0xfd, 0x8e, 0x93, 0x4f, 0x43, 0xdc, 0xd5, 0x5b, 0xde, 0xf9, 0x98, 0xe5, 0x7b}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xe7, 0x3b, 0x65, 0x11, 0xdf, 0xb2, 0xf2, 0x63, 0x94, 0x12, 0x6f, 0x5c, 0x9e, 0x77, 0xc1, 0xb6, 0xd8, 0xab, 0x58, 0x7a, 0x1d, 0x95, 0x73, 0xdd, 0xe7, 0xe3, 0x6f, 0xf2, 0x03, 0x1d, 0xdb, 0x76}} , + {{0xae, 0x06, 0x4e, 0x2c, 0x52, 0x1b, 0xbc, 0x5a, 0x5a, 0xa5, 0xbe, 0x27, 0xbd, 0xeb, 0xe1, 0x14, 0x17, 0x68, 0x26, 0x07, 0x03, 0xd1, 0x18, 0x0b, 0xdf, 0xf1, 0x06, 0x5c, 0xa6, 0x1b, 0xb9, 0x24}}}, +{{{0xc5, 0x66, 0x80, 0x13, 0x0e, 0x48, 0x8c, 0x87, 0x31, 0x84, 0xb4, 0x60, 0xed, 0xc5, 0xec, 0xb6, 0xc5, 0x05, 0x33, 0x5f, 0x2f, 0x7d, 0x40, 0xb6, 0x32, 0x1d, 0x38, 0x74, 0x1b, 0xf1, 0x09, 0x3d}} , + {{0xd4, 0x69, 0x82, 0xbc, 0x8d, 0xf8, 0x34, 0x36, 0x75, 0x55, 0x18, 0x55, 0x58, 0x3c, 0x79, 0xaf, 0x26, 0x80, 0xab, 0x9b, 0x95, 0x00, 0xf1, 0xcb, 0xda, 0xc1, 0x9f, 0xf6, 0x2f, 0xa2, 0xf4, 0x45}}}, +{{{0x17, 0xbe, 0xeb, 0x85, 0xed, 0x9e, 0xcd, 0x56, 0xf5, 0x17, 0x45, 0x42, 0xb4, 0x1f, 0x44, 0x4c, 0x05, 0x74, 0x15, 0x47, 0x00, 0xc6, 0x6a, 0x3d, 0x24, 0x09, 0x0d, 0x58, 0xb1, 0x42, 0xd7, 0x04}} , + {{0x8d, 0xbd, 0xa3, 0xc4, 0x06, 0x9b, 0x1f, 0x90, 0x58, 0x60, 0x74, 0xb2, 0x00, 0x3b, 0x3c, 0xd2, 0xda, 0x82, 0xbb, 0x10, 0x90, 0x69, 0x92, 0xa9, 0xb4, 0x30, 0x81, 0xe3, 0x7c, 0xa8, 0x89, 0x45}}}, +{{{0x3f, 0xdc, 0x05, 0xcb, 0x41, 0x3c, 0xc8, 0x23, 0x04, 0x2c, 0x38, 0x99, 0xe3, 0x68, 0x55, 0xf9, 0xd3, 0x32, 0xc7, 0xbf, 0xfa, 0xd4, 0x1b, 0x5d, 0xde, 0xdc, 0x10, 0x42, 0xc0, 0x42, 0xd9, 0x75}} , + {{0x2d, 0xab, 0x35, 0x4e, 0x87, 0xc4, 0x65, 0x97, 0x67, 0x24, 0xa4, 0x47, 0xad, 0x3f, 0x8e, 0xf3, 0xcb, 0x31, 0x17, 0x77, 0xc5, 0xe2, 0xd7, 0x8f, 0x3c, 0xc1, 0xcd, 0x56, 0x48, 0xc1, 0x6c, 0x69}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x14, 0xae, 0x5f, 0x88, 0x7b, 0xa5, 0x90, 0xdf, 0x10, 0xb2, 0x8b, 0x5e, 0x24, 0x17, 0xc3, 0xa3, 0xd4, 0x0f, 0x92, 0x61, 0x1a, 0x19, 0x5a, 0xad, 0x76, 0xbd, 0xd8, 0x1c, 0xdd, 0xe0, 0x12, 0x6d}} , + {{0x8e, 0xbd, 0x70, 0x8f, 0x02, 0xa3, 0x24, 0x4d, 0x5a, 0x67, 0xc4, 0xda, 0xf7, 0x20, 0x0f, 0x81, 0x5b, 0x7a, 0x05, 0x24, 0x67, 0x83, 0x0b, 0x2a, 0x80, 0xe7, 0xfd, 0x74, 0x4b, 0x9e, 0x5c, 0x0d}}}, +{{{0x94, 0xd5, 0x5f, 0x1f, 0xa2, 0xfb, 0xeb, 0xe1, 0x07, 0x34, 0xf8, 0x20, 0xad, 0x81, 0x30, 0x06, 0x2d, 0xa1, 0x81, 0x95, 0x36, 0xcf, 0x11, 0x0b, 0xaf, 0xc1, 0x2b, 0x9a, 0x6c, 0x55, 0xc1, 0x16}} , + {{0x36, 0x4f, 0xf1, 0x5e, 0x74, 0x35, 0x13, 0x28, 0xd7, 0x11, 0xcf, 0xb8, 0xde, 0x93, 0xb3, 0x05, 0xb8, 0xb5, 0x73, 0xe9, 0xeb, 0xad, 0x19, 0x1e, 0x89, 0x0f, 0x8b, 0x15, 0xd5, 0x8c, 0xe3, 0x23}}}, +{{{0x33, 0x79, 0xe7, 0x18, 0xe6, 0x0f, 0x57, 0x93, 0x15, 0xa0, 0xa7, 0xaa, 0xc4, 0xbf, 0x4f, 0x30, 0x74, 0x95, 0x5e, 0x69, 0x4a, 0x5b, 0x45, 0xe4, 0x00, 0xeb, 0x23, 0x74, 0x4c, 0xdf, 0x6b, 0x45}} , + {{0x97, 0x29, 0x6c, 0xc4, 0x42, 0x0b, 0xdd, 0xc0, 0x29, 0x5c, 0x9b, 0x34, 0x97, 0xd0, 0xc7, 0x79, 0x80, 0x63, 0x74, 0xe4, 0x8e, 0x37, 0xb0, 0x2b, 0x7c, 0xe8, 0x68, 0x6c, 0xc3, 0x82, 0x97, 0x57}}}, +{{{0x22, 0xbe, 0x83, 0xb6, 0x4b, 0x80, 0x6b, 0x43, 0x24, 0x5e, 0xef, 0x99, 0x9b, 0xa8, 0xfc, 0x25, 0x8d, 0x3b, 0x03, 0x94, 0x2b, 0x3e, 0xe7, 0x95, 0x76, 0x9b, 0xcc, 0x15, 0xdb, 0x32, 0xe6, 0x66}} , + {{0x84, 0xf0, 0x4a, 0x13, 0xa6, 0xd6, 0xfa, 0x93, 0x46, 0x07, 0xf6, 0x7e, 0x5c, 0x6d, 0x5e, 0xf6, 0xa6, 0xe7, 0x48, 0xf0, 0x06, 0xea, 0xff, 0x90, 0xc1, 0xcc, 0x4c, 0x19, 0x9c, 0x3c, 0x4e, 0x53}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x2a, 0x50, 0xe3, 0x07, 0x15, 0x59, 0xf2, 0x8b, 0x81, 0xf2, 0xf3, 0xd3, 0x6c, 0x99, 0x8c, 0x70, 0x67, 0xec, 0xcc, 0xee, 0x9e, 0x59, 0x45, 0x59, 0x7d, 0x47, 0x75, 0x69, 0xf5, 0x24, 0x93, 0x5d}} , + {{0x6a, 0x4f, 0x1b, 0xbe, 0x6b, 0x30, 0xcf, 0x75, 0x46, 0xe3, 0x7b, 0x9d, 0xfc, 0xcd, 0xd8, 0x5c, 0x1f, 0xb4, 0xc8, 0xe2, 0x24, 0xec, 0x1a, 0x28, 0x05, 0x32, 0x57, 0xfd, 0x3c, 0x5a, 0x98, 0x10}}}, +{{{0xa3, 0xdb, 0xf7, 0x30, 0xd8, 0xc2, 0x9a, 0xe1, 0xd3, 0xce, 0x22, 0xe5, 0x80, 0x1e, 0xd9, 0xe4, 0x1f, 0xab, 0xc0, 0x71, 0x1a, 0x86, 0x0e, 0x27, 0x99, 0x5b, 0xfa, 0x76, 0x99, 0xb0, 0x08, 0x3c}} , + {{0x2a, 0x93, 0xd2, 0x85, 0x1b, 0x6a, 0x5d, 0xa6, 0xee, 0xd1, 0xd1, 0x33, 0xbd, 0x6a, 0x36, 0x73, 0x37, 0x3a, 0x44, 0xb4, 0xec, 0xa9, 0x7a, 0xde, 0x83, 0x40, 0xd7, 0xdf, 0x28, 0xba, 0xa2, 0x30}}}, +{{{0xd3, 0xb5, 0x6d, 0x05, 0x3f, 0x9f, 0xf3, 0x15, 0x8d, 0x7c, 0xca, 0xc9, 0xfc, 0x8a, 0x7c, 0x94, 0xb0, 0x63, 0x36, 0x9b, 0x78, 0xd1, 0x91, 0x1f, 0x93, 0xd8, 0x57, 0x43, 0xde, 0x76, 0xa3, 0x43}} , + {{0x9b, 0x35, 0xe2, 0xa9, 0x3d, 0x32, 0x1e, 0xbb, 0x16, 0x28, 0x70, 0xe9, 0x45, 0x2f, 0x8f, 0x70, 0x7f, 0x08, 0x7e, 0x53, 0xc4, 0x7a, 0xbf, 0xf7, 0xe1, 0xa4, 0x6a, 0xd8, 0xac, 0x64, 0x1b, 0x11}}}, +{{{0xb2, 0xeb, 0x47, 0x46, 0x18, 0x3e, 0x1f, 0x99, 0x0c, 0xcc, 0xf1, 0x2c, 0xe0, 0xe7, 0x8f, 0xe0, 0x01, 0x7e, 0x65, 0xb8, 0x0c, 0xd0, 0xfb, 0xc8, 0xb9, 0x90, 0x98, 0x33, 0x61, 0x3b, 0xd8, 0x27}} , + {{0xa0, 0xbe, 0x72, 0x3a, 0x50, 0x4b, 0x74, 0xab, 0x01, 0xc8, 0x93, 0xc5, 0xe4, 0xc7, 0x08, 0x6c, 0xb4, 0xca, 0xee, 0xeb, 0x8e, 0xd7, 0x4e, 0x26, 0xc6, 0x1d, 0xe2, 0x71, 0xaf, 0x89, 0xa0, 0x2a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x98, 0x0b, 0xe4, 0xde, 0xdb, 0xa8, 0xfa, 0x82, 0x74, 0x06, 0x52, 0x6d, 0x08, 0x52, 0x8a, 0xff, 0x62, 0xc5, 0x6a, 0x44, 0x0f, 0x51, 0x8c, 0x1f, 0x6e, 0xb6, 0xc6, 0x2c, 0x81, 0xd3, 0x76, 0x46}} , + {{0xf4, 0x29, 0x74, 0x2e, 0x80, 0xa7, 0x1a, 0x8f, 0xf6, 0xbd, 0xd6, 0x8e, 0xbf, 0xc1, 0x95, 0x2a, 0xeb, 0xa0, 0x7f, 0x45, 0xa0, 0x50, 0x14, 0x05, 0xb1, 0x57, 0x4c, 0x74, 0xb7, 0xe2, 0x89, 0x7d}}}, +{{{0x07, 0xee, 0xa7, 0xad, 0xb7, 0x09, 0x0b, 0x49, 0x4e, 0xbf, 0xca, 0xe5, 0x21, 0xe6, 0xe6, 0xaf, 0xd5, 0x67, 0xf3, 0xce, 0x7e, 0x7c, 0x93, 0x7b, 0x5a, 0x10, 0x12, 0x0e, 0x6c, 0x06, 0x11, 0x75}} , + {{0xd5, 0xfc, 0x86, 0xa3, 0x3b, 0xa3, 0x3e, 0x0a, 0xfb, 0x0b, 0xf7, 0x36, 0xb1, 0x5b, 0xda, 0x70, 0xb7, 0x00, 0xa7, 0xda, 0x88, 0x8f, 0x84, 0xa8, 0xbc, 0x1c, 0x39, 0xb8, 0x65, 0xf3, 0x4d, 0x60}}}, +{{{0x96, 0x9d, 0x31, 0xf4, 0xa2, 0xbe, 0x81, 0xb9, 0xa5, 0x59, 0x9e, 0xba, 0x07, 0xbe, 0x74, 0x58, 0xd8, 0xeb, 0xc5, 0x9f, 0x3d, 0xd1, 0xf4, 0xae, 0xce, 0x53, 0xdf, 0x4f, 0xc7, 0x2a, 0x89, 0x4d}} , + {{0x29, 0xd8, 0xf2, 0xaa, 0xe9, 0x0e, 0xf7, 0x2e, 0x5f, 0x9d, 0x8a, 0x5b, 0x09, 0xed, 0xc9, 0x24, 0x22, 0xf4, 0x0f, 0x25, 0x8f, 0x1c, 0x84, 0x6e, 0x34, 0x14, 0x6c, 0xea, 0xb3, 0x86, 0x5d, 0x04}}}, +{{{0x07, 0x98, 0x61, 0xe8, 0x6a, 0xd2, 0x81, 0x49, 0x25, 0xd5, 0x5b, 0x18, 0xc7, 0x35, 0x52, 0x51, 0xa4, 0x46, 0xad, 0x18, 0x0d, 0xc9, 0x5f, 0x18, 0x91, 0x3b, 0xb4, 0xc0, 0x60, 0x59, 0x8d, 0x66}} , + {{0x03, 0x1b, 0x79, 0x53, 0x6e, 0x24, 0xae, 0x57, 0xd9, 0x58, 0x09, 0x85, 0x48, 0xa2, 0xd3, 0xb5, 0xe2, 0x4d, 0x11, 0x82, 0xe6, 0x86, 0x3c, 0xe9, 0xb1, 0x00, 0x19, 0xc2, 0x57, 0xf7, 0x66, 0x7a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x0f, 0xe3, 0x89, 0x03, 0xd7, 0x22, 0x95, 0x9f, 0xca, 0xb4, 0x8d, 0x9e, 0x6d, 0x97, 0xff, 0x8d, 0x21, 0x59, 0x07, 0xef, 0x03, 0x2d, 0x5e, 0xf8, 0x44, 0x46, 0xe7, 0x85, 0x80, 0xc5, 0x89, 0x50}} , + {{0x8b, 0xd8, 0x53, 0x86, 0x24, 0x86, 0x29, 0x52, 0x01, 0xfa, 0x20, 0xc3, 0x4e, 0x95, 0xcb, 0xad, 0x7b, 0x34, 0x94, 0x30, 0xb7, 0x7a, 0xfa, 0x96, 0x41, 0x60, 0x2b, 0xcb, 0x59, 0xb9, 0xca, 0x50}}}, +{{{0xc2, 0x5b, 0x9b, 0x78, 0x23, 0x1b, 0x3a, 0x88, 0x94, 0x5f, 0x0a, 0x9b, 0x98, 0x2b, 0x6e, 0x53, 0x11, 0xf6, 0xff, 0xc6, 0x7d, 0x42, 0xcc, 0x02, 0x80, 0x40, 0x0d, 0x1e, 0xfb, 0xaf, 0x61, 0x07}} , + {{0xb0, 0xe6, 0x2f, 0x81, 0x70, 0xa1, 0x2e, 0x39, 0x04, 0x7c, 0xc4, 0x2c, 0x87, 0x45, 0x4a, 0x5b, 0x69, 0x97, 0xac, 0x6d, 0x2c, 0x10, 0x42, 0x7c, 0x3b, 0x15, 0x70, 0x60, 0x0e, 0x11, 0x6d, 0x3a}}}, +{{{0x9b, 0x18, 0x80, 0x5e, 0xdb, 0x05, 0xbd, 0xc6, 0xb7, 0x3c, 0xc2, 0x40, 0x4d, 0x5d, 0xce, 0x97, 0x8a, 0x34, 0x15, 0xab, 0x28, 0x5d, 0x10, 0xf0, 0x37, 0x0c, 0xcc, 0x16, 0xfa, 0x1f, 0x33, 0x0d}} , + {{0x19, 0xf9, 0x35, 0xaa, 0x59, 0x1a, 0x0c, 0x5c, 0x06, 0xfc, 0x6a, 0x0b, 0x97, 0x53, 0x36, 0xfc, 0x2a, 0xa5, 0x5a, 0x9b, 0x30, 0xef, 0x23, 0xaf, 0x39, 0x5d, 0x9a, 0x6b, 0x75, 0x57, 0x48, 0x0b}}}, +{{{0x26, 0xdc, 0x76, 0x3b, 0xfc, 0xf9, 0x9c, 0x3f, 0x89, 0x0b, 0x62, 0x53, 0xaf, 0x83, 0x01, 0x2e, 0xbc, 0x6a, 0xc6, 0x03, 0x0d, 0x75, 0x2a, 0x0d, 0xe6, 0x94, 0x54, 0xcf, 0xb3, 0xe5, 0x96, 0x25}} , + {{0xfe, 0x82, 0xb1, 0x74, 0x31, 0x8a, 0xa7, 0x6f, 0x56, 0xbd, 0x8d, 0xf4, 0xe0, 0x94, 0x51, 0x59, 0xde, 0x2c, 0x5a, 0xf4, 0x84, 0x6b, 0x4a, 0x88, 0x93, 0xc0, 0x0c, 0x9a, 0xac, 0xa7, 0xa0, 0x68}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x25, 0x0d, 0xd6, 0xc7, 0x23, 0x47, 0x10, 0xad, 0xc7, 0x08, 0x5c, 0x87, 0x87, 0x93, 0x98, 0x18, 0xb8, 0xd3, 0x9c, 0xac, 0x5a, 0x3d, 0xc5, 0x75, 0xf8, 0x49, 0x32, 0x14, 0xcc, 0x51, 0x96, 0x24}} , + {{0x65, 0x9c, 0x5d, 0xf0, 0x37, 0x04, 0xf0, 0x34, 0x69, 0x2a, 0xf0, 0xa5, 0x64, 0xca, 0xde, 0x2b, 0x5b, 0x15, 0x10, 0xd2, 0xab, 0x06, 0xdd, 0xc4, 0xb0, 0xb6, 0x5b, 0xc1, 0x17, 0xdf, 0x8f, 0x02}}}, +{{{0xbd, 0x59, 0x3d, 0xbf, 0x5c, 0x31, 0x44, 0x2c, 0x32, 0x94, 0x04, 0x60, 0x84, 0x0f, 0xad, 0x00, 0xb6, 0x8f, 0xc9, 0x1d, 0xcc, 0x5c, 0xa2, 0x49, 0x0e, 0x50, 0x91, 0x08, 0x9a, 0x43, 0x55, 0x05}} , + {{0x5d, 0x93, 0x55, 0xdf, 0x9b, 0x12, 0x19, 0xec, 0x93, 0x85, 0x42, 0x9e, 0x66, 0x0f, 0x9d, 0xaf, 0x99, 0xaf, 0x26, 0x89, 0xbc, 0x61, 0xfd, 0xff, 0xce, 0x4b, 0xf4, 0x33, 0x95, 0xc9, 0x35, 0x58}}}, +{{{0x12, 0x55, 0xf9, 0xda, 0xcb, 0x44, 0xa7, 0xdc, 0x57, 0xe2, 0xf9, 0x9a, 0xe6, 0x07, 0x23, 0x60, 0x54, 0xa7, 0x39, 0xa5, 0x9b, 0x84, 0x56, 0x6e, 0xaa, 0x8b, 0x8f, 0xb0, 0x2c, 0x87, 0xaf, 0x67}} , + {{0x00, 0xa9, 0x4c, 0xb2, 0x12, 0xf8, 0x32, 0xa8, 0x7a, 0x00, 0x4b, 0x49, 0x32, 0xba, 0x1f, 0x5d, 0x44, 0x8e, 0x44, 0x7a, 0xdc, 0x11, 0xfb, 0x39, 0x08, 0x57, 0x87, 0xa5, 0x12, 0x42, 0x93, 0x0e}}}, +{{{0x17, 0xb4, 0xae, 0x72, 0x59, 0xd0, 0xaa, 0xa8, 0x16, 0x8b, 0x63, 0x11, 0xb3, 0x43, 0x04, 0xda, 0x0c, 0xa8, 0xb7, 0x68, 0xdd, 0x4e, 0x54, 0xe7, 0xaf, 0x5d, 0x5d, 0x05, 0x76, 0x36, 0xec, 0x0d}} , + {{0x6d, 0x7c, 0x82, 0x32, 0x38, 0x55, 0x57, 0x74, 0x5b, 0x7d, 0xc3, 0xc4, 0xfb, 0x06, 0x29, 0xf0, 0x13, 0x55, 0x54, 0xc6, 0xa7, 0xdc, 0x4c, 0x9f, 0x98, 0x49, 0x20, 0xa8, 0xc3, 0x8d, 0xfa, 0x48}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x87, 0x47, 0x9d, 0xe9, 0x25, 0xd5, 0xe3, 0x47, 0x78, 0xdf, 0x85, 0xa7, 0x85, 0x5e, 0x7a, 0x4c, 0x5f, 0x79, 0x1a, 0xf3, 0xa2, 0xb2, 0x28, 0xa0, 0x9c, 0xdd, 0x30, 0x40, 0xd4, 0x38, 0xbd, 0x28}} , + {{0xfc, 0xbb, 0xd5, 0x78, 0x6d, 0x1d, 0xd4, 0x99, 0xb4, 0xaa, 0x44, 0x44, 0x7a, 0x1b, 0xd8, 0xfe, 0xb4, 0x99, 0xb9, 0xcc, 0xe7, 0xc4, 0xd3, 0x3a, 0x73, 0x83, 0x41, 0x5c, 0x40, 0xd7, 0x2d, 0x55}}}, +{{{0x26, 0xe1, 0x7b, 0x5f, 0xe5, 0xdc, 0x3f, 0x7d, 0xa1, 0xa7, 0x26, 0x44, 0x22, 0x23, 0xc0, 0x8f, 0x7d, 0xf1, 0xb5, 0x11, 0x47, 0x7b, 0x19, 0xd4, 0x75, 0x6f, 0x1e, 0xa5, 0x27, 0xfe, 0xc8, 0x0e}} , + {{0xd3, 0x11, 0x3d, 0xab, 0xef, 0x2c, 0xed, 0xb1, 0x3d, 0x7c, 0x32, 0x81, 0x6b, 0xfe, 0xf8, 0x1c, 0x3c, 0x7b, 0xc0, 0x61, 0xdf, 0xb8, 0x75, 0x76, 0x7f, 0xaa, 0xd8, 0x93, 0xaf, 0x3d, 0xe8, 0x3d}}}, +{{{0xfd, 0x5b, 0x4e, 0x8d, 0xb6, 0x7e, 0x82, 0x9b, 0xef, 0xce, 0x04, 0x69, 0x51, 0x52, 0xff, 0xef, 0xa0, 0x52, 0xb5, 0x79, 0x17, 0x5e, 0x2f, 0xde, 0xd6, 0x3c, 0x2d, 0xa0, 0x43, 0xb4, 0x0b, 0x19}} , + {{0xc0, 0x61, 0x48, 0x48, 0x17, 0xf4, 0x9e, 0x18, 0x51, 0x2d, 0xea, 0x2f, 0xf2, 0xf2, 0xe0, 0xa3, 0x14, 0xb7, 0x8b, 0x3a, 0x30, 0xf5, 0x81, 0xc1, 0x5d, 0x71, 0x39, 0x62, 0x55, 0x1f, 0x60, 0x5a}}}, +{{{0xe5, 0x89, 0x8a, 0x76, 0x6c, 0xdb, 0x4d, 0x0a, 0x5b, 0x72, 0x9d, 0x59, 0x6e, 0x63, 0x63, 0x18, 0x7c, 0xe3, 0xfa, 0xe2, 0xdb, 0xa1, 0x8d, 0xf4, 0xa5, 0xd7, 0x16, 0xb2, 0xd0, 0xb3, 0x3f, 0x39}} , + {{0xce, 0x60, 0x09, 0x6c, 0xf5, 0x76, 0x17, 0x24, 0x80, 0x3a, 0x96, 0xc7, 0x94, 0x2e, 0xf7, 0x6b, 0xef, 0xb5, 0x05, 0x96, 0xef, 0xd3, 0x7b, 0x51, 0xda, 0x05, 0x44, 0x67, 0xbc, 0x07, 0x21, 0x4e}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xe9, 0x73, 0x6f, 0x21, 0xb9, 0xde, 0x22, 0x7d, 0xeb, 0x97, 0x31, 0x10, 0xa3, 0xea, 0xe1, 0xc6, 0x37, 0xeb, 0x8f, 0x43, 0x58, 0xde, 0x41, 0x64, 0x0e, 0x3e, 0x07, 0x99, 0x3d, 0xf1, 0xdf, 0x1e}} , + {{0xf8, 0xad, 0x43, 0xc2, 0x17, 0x06, 0xe2, 0xe4, 0xa9, 0x86, 0xcd, 0x18, 0xd7, 0x78, 0xc8, 0x74, 0x66, 0xd2, 0x09, 0x18, 0xa5, 0xf1, 0xca, 0xa6, 0x62, 0x92, 0xc1, 0xcb, 0x00, 0xeb, 0x42, 0x2e}}}, +{{{0x7b, 0x34, 0x24, 0x4c, 0xcf, 0x38, 0xe5, 0x6c, 0x0a, 0x01, 0x2c, 0x22, 0x0b, 0x24, 0x38, 0xad, 0x24, 0x7e, 0x19, 0xf0, 0x6c, 0xf9, 0x31, 0xf4, 0x35, 0x11, 0xf6, 0x46, 0x33, 0x3a, 0x23, 0x59}} , + {{0x20, 0x0b, 0xa1, 0x08, 0x19, 0xad, 0x39, 0x54, 0xea, 0x3e, 0x23, 0x09, 0xb6, 0xe2, 0xd2, 0xbc, 0x4d, 0xfc, 0x9c, 0xf0, 0x13, 0x16, 0x22, 0x3f, 0xb9, 0xd2, 0x11, 0x86, 0x90, 0x55, 0xce, 0x3c}}}, +{{{0xc4, 0x0b, 0x4b, 0x62, 0x99, 0x37, 0x84, 0x3f, 0x74, 0xa2, 0xf9, 0xce, 0xe2, 0x0b, 0x0f, 0x2a, 0x3d, 0xa3, 0xe3, 0xdb, 0x5a, 0x9d, 0x93, 0xcc, 0xa5, 0xef, 0x82, 0x91, 0x1d, 0xe6, 0x6c, 0x68}} , + {{0xa3, 0x64, 0x17, 0x9b, 0x8b, 0xc8, 0x3a, 0x61, 0xe6, 0x9d, 0xc6, 0xed, 0x7b, 0x03, 0x52, 0x26, 0x9d, 0x3a, 0xb3, 0x13, 0xcc, 0x8a, 0xfd, 0x2c, 0x1a, 0x1d, 0xed, 0x13, 0xd0, 0x55, 0x57, 0x0e}}}, +{{{0x1a, 0xea, 0xbf, 0xfd, 0x4a, 0x3c, 0x8e, 0xec, 0x29, 0x7e, 0x77, 0x77, 0x12, 0x99, 0xd7, 0x84, 0xf9, 0x55, 0x7f, 0xf1, 0x8b, 0xb4, 0xd2, 0x95, 0xa3, 0x8d, 0xf0, 0x8a, 0xa7, 0xeb, 0x82, 0x4b}} , + {{0x2c, 0x28, 0xf4, 0x3a, 0xf6, 0xde, 0x0a, 0xe0, 0x41, 0x44, 0x23, 0xf8, 0x3f, 0x03, 0x64, 0x9f, 0xc3, 0x55, 0x4c, 0xc6, 0xc1, 0x94, 0x1c, 0x24, 0x5d, 0x5f, 0x92, 0x45, 0x96, 0x57, 0x37, 0x14}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xc1, 0xcd, 0x90, 0x66, 0xb9, 0x76, 0xa0, 0x5b, 0xa5, 0x85, 0x75, 0x23, 0xf9, 0x89, 0xa5, 0x82, 0xb2, 0x6f, 0xb1, 0xeb, 0xc4, 0x69, 0x6f, 0x18, 0x5a, 0xed, 0x94, 0x3d, 0x9d, 0xd9, 0x2c, 0x1a}} , + {{0x35, 0xb0, 0xe6, 0x73, 0x06, 0xb7, 0x37, 0xe0, 0xf8, 0xb0, 0x22, 0xe8, 0xd2, 0xed, 0x0b, 0xef, 0xe6, 0xc6, 0x5a, 0x99, 0x9e, 0x1a, 0x9f, 0x04, 0x97, 0xe4, 0x4d, 0x0b, 0xbe, 0xba, 0x44, 0x40}}}, +{{{0xc1, 0x56, 0x96, 0x91, 0x5f, 0x1f, 0xbb, 0x54, 0x6f, 0x88, 0x89, 0x0a, 0xb2, 0xd6, 0x41, 0x42, 0x6a, 0x82, 0xee, 0x14, 0xaa, 0x76, 0x30, 0x65, 0x0f, 0x67, 0x39, 0xa6, 0x51, 0x7c, 0x49, 0x24}} , + {{0x35, 0xa3, 0x78, 0xd1, 0x11, 0x0f, 0x75, 0xd3, 0x70, 0x46, 0xdb, 0x20, 0x51, 0xcb, 0x92, 0x80, 0x54, 0x10, 0x74, 0x36, 0x86, 0xa9, 0xd7, 0xa3, 0x08, 0x78, 0xf1, 0x01, 0x29, 0xf8, 0x80, 0x3b}}}, +{{{0xdb, 0xa7, 0x9d, 0x9d, 0xbf, 0xa0, 0xcc, 0xed, 0x53, 0xa2, 0xa2, 0x19, 0x39, 0x48, 0x83, 0x19, 0x37, 0x58, 0xd1, 0x04, 0x28, 0x40, 0xf7, 0x8a, 0xc2, 0x08, 0xb7, 0xa5, 0x42, 0xcf, 0x53, 0x4c}} , + {{0xa7, 0xbb, 0xf6, 0x8e, 0xad, 0xdd, 0xf7, 0x90, 0xdd, 0x5f, 0x93, 0x89, 0xae, 0x04, 0x37, 0xe6, 0x9a, 0xb7, 0xe8, 0xc0, 0xdf, 0x16, 0x2a, 0xbf, 0xc4, 0x3a, 0x3c, 0x41, 0xd5, 0x89, 0x72, 0x5a}}}, +{{{0x1f, 0x96, 0xff, 0x34, 0x2c, 0x13, 0x21, 0xcb, 0x0a, 0x89, 0x85, 0xbe, 0xb3, 0x70, 0x9e, 0x1e, 0xde, 0x97, 0xaf, 0x96, 0x30, 0xf7, 0x48, 0x89, 0x40, 0x8d, 0x07, 0xf1, 0x25, 0xf0, 0x30, 0x58}} , + {{0x1e, 0xd4, 0x93, 0x57, 0xe2, 0x17, 0xe7, 0x9d, 0xab, 0x3c, 0x55, 0x03, 0x82, 0x2f, 0x2b, 0xdb, 0x56, 0x1e, 0x30, 0x2e, 0x24, 0x47, 0x6e, 0xe6, 0xff, 0x33, 0x24, 0x2c, 0x75, 0x51, 0xd4, 0x67}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x2b, 0x06, 0xd9, 0xa1, 0x5d, 0xe1, 0xf4, 0xd1, 0x1e, 0x3c, 0x9a, 0xc6, 0x29, 0x2b, 0x13, 0x13, 0x78, 0xc0, 0xd8, 0x16, 0x17, 0x2d, 0x9e, 0xa9, 0xc9, 0x79, 0x57, 0xab, 0x24, 0x91, 0x92, 0x19}} , + {{0x69, 0xfb, 0xa1, 0x9c, 0xa6, 0x75, 0x49, 0x7d, 0x60, 0x73, 0x40, 0x42, 0xc4, 0x13, 0x0a, 0x95, 0x79, 0x1e, 0x04, 0x83, 0x94, 0x99, 0x9b, 0x1e, 0x0c, 0xe8, 0x1f, 0x54, 0xef, 0xcb, 0xc0, 0x52}}}, +{{{0x14, 0x89, 0x73, 0xa1, 0x37, 0x87, 0x6a, 0x7a, 0xcf, 0x1d, 0xd9, 0x2e, 0x1a, 0x67, 0xed, 0x74, 0xc0, 0xf0, 0x9c, 0x33, 0xdd, 0xdf, 0x08, 0xbf, 0x7b, 0xd1, 0x66, 0xda, 0xe6, 0xc9, 0x49, 0x08}} , + {{0xe9, 0xdd, 0x5e, 0x55, 0xb0, 0x0a, 0xde, 0x21, 0x4c, 0x5a, 0x2e, 0xd4, 0x80, 0x3a, 0x57, 0x92, 0x7a, 0xf1, 0xc4, 0x2c, 0x40, 0xaf, 0x2f, 0xc9, 0x92, 0x03, 0xe5, 0x5a, 0xbc, 0xdc, 0xf4, 0x09}}}, +{{{0xf3, 0xe1, 0x2b, 0x7c, 0x05, 0x86, 0x80, 0x93, 0x4a, 0xad, 0xb4, 0x8f, 0x7e, 0x99, 0x0c, 0xfd, 0xcd, 0xef, 0xd1, 0xff, 0x2c, 0x69, 0x34, 0x13, 0x41, 0x64, 0xcf, 0x3b, 0xd0, 0x90, 0x09, 0x1e}} , + {{0x9d, 0x45, 0xd6, 0x80, 0xe6, 0x45, 0xaa, 0xf4, 0x15, 0xaa, 0x5c, 0x34, 0x87, 0x99, 0xa2, 0x8c, 0x26, 0x84, 0x62, 0x7d, 0xb6, 0x29, 0xc0, 0x52, 0xea, 0xf5, 0x81, 0x18, 0x0f, 0x35, 0xa9, 0x0e}}}, +{{{0xe7, 0x20, 0x72, 0x7c, 0x6d, 0x94, 0x5f, 0x52, 0x44, 0x54, 0xe3, 0xf1, 0xb2, 0xb0, 0x36, 0x46, 0x0f, 0xae, 0x92, 0xe8, 0x70, 0x9d, 0x6e, 0x79, 0xb1, 0xad, 0x37, 0xa9, 0x5f, 0xc0, 0xde, 0x03}} , + {{0x15, 0x55, 0x37, 0xc6, 0x1c, 0x27, 0x1c, 0x6d, 0x14, 0x4f, 0xca, 0xa4, 0xc4, 0x88, 0x25, 0x46, 0x39, 0xfc, 0x5a, 0xe5, 0xfe, 0x29, 0x11, 0x69, 0xf5, 0x72, 0x84, 0x4d, 0x78, 0x9f, 0x94, 0x15}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xec, 0xd3, 0xff, 0x57, 0x0b, 0xb0, 0xb2, 0xdc, 0xf8, 0x4f, 0xe2, 0x12, 0xd5, 0x36, 0xbe, 0x6b, 0x09, 0x43, 0x6d, 0xa3, 0x4d, 0x90, 0x2d, 0xb8, 0x74, 0xe8, 0x71, 0x45, 0x19, 0x8b, 0x0c, 0x6a}} , + {{0xb8, 0x42, 0x1c, 0x03, 0xad, 0x2c, 0x03, 0x8e, 0xac, 0xd7, 0x98, 0x29, 0x13, 0xc6, 0x02, 0x29, 0xb5, 0xd4, 0xe7, 0xcf, 0xcc, 0x8b, 0x83, 0xec, 0x35, 0xc7, 0x9c, 0x74, 0xb7, 0xad, 0x85, 0x5f}}}, +{{{0x78, 0x84, 0xe1, 0x56, 0x45, 0x69, 0x68, 0x5a, 0x4f, 0xb8, 0xb1, 0x29, 0xff, 0x33, 0x03, 0x31, 0xb7, 0xcb, 0x96, 0x25, 0xe6, 0xe6, 0x41, 0x98, 0x1a, 0xbb, 0x03, 0x56, 0xf2, 0xb2, 0x91, 0x34}} , + {{0x2c, 0x6c, 0xf7, 0x66, 0xa4, 0x62, 0x6b, 0x39, 0xb3, 0xba, 0x65, 0xd3, 0x1c, 0xf8, 0x11, 0xaa, 0xbe, 0xdc, 0x80, 0x59, 0x87, 0xf5, 0x7b, 0xe5, 0xe3, 0xb3, 0x3e, 0x39, 0xda, 0xbe, 0x88, 0x09}}}, +{{{0x8b, 0xf1, 0xa0, 0xf5, 0xdc, 0x29, 0xb4, 0xe2, 0x07, 0xc6, 0x7a, 0x00, 0xd0, 0x89, 0x17, 0x51, 0xd4, 0xbb, 0xd4, 0x22, 0xea, 0x7e, 0x7d, 0x7c, 0x24, 0xea, 0xf2, 0xe8, 0x22, 0x12, 0x95, 0x06}} , + {{0xda, 0x7c, 0xa4, 0x0c, 0xf4, 0xba, 0x6e, 0xe1, 0x89, 0xb5, 0x59, 0xca, 0xf1, 0xc0, 0x29, 0x36, 0x09, 0x44, 0xe2, 0x7f, 0xd1, 0x63, 0x15, 0x99, 0xea, 0x25, 0xcf, 0x0c, 0x9d, 0xc0, 0x44, 0x6f}}}, +{{{0x1d, 0x86, 0x4e, 0xcf, 0xf7, 0x37, 0x10, 0x25, 0x8f, 0x12, 0xfb, 0x19, 0xfb, 0xe0, 0xed, 0x10, 0xc8, 0xe2, 0xf5, 0x75, 0xb1, 0x33, 0xc0, 0x96, 0x0d, 0xfb, 0x15, 0x6c, 0x0d, 0x07, 0x5f, 0x05}} , + {{0x69, 0x3e, 0x47, 0x97, 0x2c, 0xaf, 0x52, 0x7c, 0x78, 0x83, 0xad, 0x1b, 0x39, 0x82, 0x2f, 0x02, 0x6f, 0x47, 0xdb, 0x2a, 0xb0, 0xe1, 0x91, 0x99, 0x55, 0xb8, 0x99, 0x3a, 0xa0, 0x44, 0x11, 0x51}}} diff --git a/crypto/openssh/groupaccess.c b/crypto/openssh/groupaccess.c index 2381aeb15..1eab10b19 100644 --- a/crypto/openssh/groupaccess.c +++ b/crypto/openssh/groupaccess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: groupaccess.c,v 1.13 2008/07/04 03:44:59 djm Exp $ */ +/* $OpenBSD: groupaccess.c,v 1.14 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Kevin Steves. All rights reserved. * @@ -31,6 +31,7 @@ #include #include #include +#include #include #include "xmalloc.h" @@ -68,7 +69,7 @@ ga_init(const char *user, gid_t base) for (i = 0, j = 0; i < ngroups; i++) if ((gr = getgrgid(groups_bygid[i])) != NULL) groups_byname[j++] = xstrdup(gr->gr_name); - xfree(groups_bygid); + free(groups_bygid); return (ngroups = j); } @@ -122,8 +123,8 @@ ga_free(void) if (ngroups > 0) { for (i = 0; i < ngroups; i++) - xfree(groups_byname[i]); + free(groups_byname[i]); ngroups = 0; - xfree(groups_byname); + free(groups_byname); } } diff --git a/crypto/openssh/gss-genr.c b/crypto/openssh/gss-genr.c index 842f38582..b39281bc1 100644 --- a/crypto/openssh/gss-genr.c +++ b/crypto/openssh/gss-genr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */ /* * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. @@ -59,10 +59,10 @@ void ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len) { if (ctx->oid != GSS_C_NO_OID) { - xfree(ctx->oid->elements); - xfree(ctx->oid); + free(ctx->oid->elements); + free(ctx->oid); } - ctx->oid = xmalloc(sizeof(gss_OID_desc)); + ctx->oid = xcalloc(1, sizeof(gss_OID_desc)); ctx->oid->length = len; ctx->oid->elements = xmalloc(len); memcpy(ctx->oid->elements, data, len); @@ -83,7 +83,7 @@ ssh_gssapi_error(Gssctxt *ctxt) s = ssh_gssapi_last_error(ctxt, NULL, NULL); debug("%s", s); - xfree(s); + free(s); } char * @@ -164,8 +164,8 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx) if ((*ctx)->name != GSS_C_NO_NAME) gss_release_name(&ms, &(*ctx)->name); if ((*ctx)->oid != GSS_C_NO_OID) { - xfree((*ctx)->oid->elements); - xfree((*ctx)->oid); + free((*ctx)->oid->elements); + free((*ctx)->oid); (*ctx)->oid = GSS_C_NO_OID; } if ((*ctx)->creds != GSS_C_NO_CREDENTIAL) @@ -175,7 +175,7 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx) if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL) gss_release_cred(&ms, &(*ctx)->client_creds); - xfree(*ctx); + free(*ctx); *ctx = NULL; } @@ -222,7 +222,7 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name))) ssh_gssapi_error(ctx); - xfree(gssbuf.value); + free(gssbuf.value); return (ctx->major); } diff --git a/crypto/openssh/gss-serv-krb5.c b/crypto/openssh/gss-serv-krb5.c index 5a625acb8..759fa104f 100644 --- a/crypto/openssh/gss-serv-krb5.c +++ b/crypto/openssh/gss-serv-krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -48,12 +48,11 @@ extern ServerOptions options; #ifdef HEIMDAL # include -#else -# ifdef HAVE_GSSAPI_KRB5_H -# include -# elif HAVE_GSSAPI_GSSAPI_KRB5_H -# include -# endif +#endif +#ifdef HAVE_GSSAPI_KRB5_H +# include +#elif HAVE_GSSAPI_GSSAPI_KRB5_H +# include #endif static krb5_context krb_context = NULL; @@ -87,14 +86,16 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) { krb5_principal princ; int retval; + const char *errmsg; if (ssh_gssapi_krb5_init() == 0) return 0; if ((retval = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { - logit("krb5_parse_name(): %.100s", - krb5_get_err_text(krb_context, retval)); + errmsg = krb5_get_error_message(krb_context, retval); + logit("krb5_parse_name(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return 0; } if (krb5_kuserok(krb_context, princ, name)) { @@ -120,6 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) krb5_principal princ; OM_uint32 maj_status, min_status; int len; + const char *errmsg; if (client->creds == NULL) { debug("No credentials stored"); @@ -130,30 +132,40 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) return; #ifdef HEIMDAL +# ifdef HAVE_KRB5_CC_NEW_UNIQUE + if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix, + NULL, &ccache)) != 0) { + errmsg = krb5_get_error_message(krb_context, problem); + logit("krb5_cc_new_unique(): %.100s", errmsg); +# else if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { - logit("krb5_cc_gen_new(): %.100s", - krb5_get_err_text(krb_context, problem)); + logit("krb5_cc_gen_new(): %.100s", + krb5_get_err_text(krb_context, problem)); +# endif + krb5_free_error_message(krb_context, errmsg); return; } #else if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) { - logit("ssh_krb5_cc_gen(): %.100s", - krb5_get_err_text(krb_context, problem)); + errmsg = krb5_get_error_message(krb_context, problem); + logit("ssh_krb5_cc_gen(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return; } #endif /* #ifdef HEIMDAL */ if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { - logit("krb5_parse_name(): %.100s", - krb5_get_err_text(krb_context, problem)); - krb5_cc_destroy(krb_context, ccache); + errmsg = krb5_get_error_message(krb_context, problem); + logit("krb5_parse_name(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return; } if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { - logit("krb5_cc_initialize(): %.100s", - krb5_get_err_text(krb_context, problem)); + errmsg = krb5_get_error_message(krb_context, problem); + logit("krb5_cc_initialize(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); krb5_free_principal(krb_context, princ); krb5_cc_destroy(krb_context, ccache); return; diff --git a/crypto/openssh/gss-serv.c b/crypto/openssh/gss-serv.c index c719c1306..e61b37bec 100644 --- a/crypto/openssh/gss-serv.c +++ b/crypto/openssh/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -50,7 +50,7 @@ static ssh_gssapi_client gssapi_client = { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; ssh_gssapi_mech gssapi_null_mech = { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; @@ -66,6 +66,25 @@ ssh_gssapi_mech* supported_mechs[]= { &gssapi_null_mech, }; +/* + * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the + * list of supported mechanisms before privsep is set up. + */ +static gss_OID_set supported_oids; + +void +ssh_gssapi_prepare_supported_oids(void) +{ + ssh_gssapi_supported_oids(&supported_oids); +} + +OM_uint32 +ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present) +{ + if (supported_oids == NULL) + ssh_gssapi_prepare_supported_oids(); + return gss_test_oid_set_member(ms, member, supported_oids, present); +} /* * Acquire credentials for a server running on the current host. @@ -346,7 +365,8 @@ ssh_gssapi_userok(char *user) gss_release_buffer(&lmin, &gssapi_client.displayname); gss_release_buffer(&lmin, &gssapi_client.exportedname); gss_release_cred(&lmin, &gssapi_client.creds); - memset(&gssapi_client, 0, sizeof(ssh_gssapi_client)); + explicit_bzero(&gssapi_client, + sizeof(ssh_gssapi_client)); return 0; } else diff --git a/crypto/openssh/hash.c b/crypto/openssh/hash.c new file mode 100644 index 000000000..734c6bee2 --- /dev/null +++ b/crypto/openssh/hash.c @@ -0,0 +1,76 @@ +/* $OpenBSD: hash.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */ + +/* Copied from nacl-20110221/crypto_hash/sha512/ref/hash.c */ + +/* +20080913 +D. J. Bernstein +Public domain. +*/ + +#include "includes.h" + +#include "crypto_api.h" + +#define blocks crypto_hashblocks_sha512 + +static const unsigned char iv[64] = { + 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, + 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, + 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, + 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, + 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, + 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, + 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, + 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 +} ; + +typedef unsigned long long uint64; + +int crypto_hash_sha512(unsigned char *out,const unsigned char *in,unsigned long long inlen) +{ + unsigned char h[64]; + unsigned char padded[256]; + unsigned int i; + unsigned long long bytes = inlen; + + for (i = 0;i < 64;++i) h[i] = iv[i]; + + blocks(h,in,inlen); + in += inlen; + inlen &= 127; + in -= inlen; + + for (i = 0;i < inlen;++i) padded[i] = in[i]; + padded[inlen] = 0x80; + + if (inlen < 112) { + for (i = inlen + 1;i < 119;++i) padded[i] = 0; + padded[119] = bytes >> 61; + padded[120] = bytes >> 53; + padded[121] = bytes >> 45; + padded[122] = bytes >> 37; + padded[123] = bytes >> 29; + padded[124] = bytes >> 21; + padded[125] = bytes >> 13; + padded[126] = bytes >> 5; + padded[127] = bytes << 3; + blocks(h,padded,128); + } else { + for (i = inlen + 1;i < 247;++i) padded[i] = 0; + padded[247] = bytes >> 61; + padded[248] = bytes >> 53; + padded[249] = bytes >> 45; + padded[250] = bytes >> 37; + padded[251] = bytes >> 29; + padded[252] = bytes >> 21; + padded[253] = bytes >> 13; + padded[254] = bytes >> 5; + padded[255] = bytes << 3; + blocks(h,padded,256); + } + + for (i = 0;i < 64;++i) out[i] = h[i]; + + return 0; +} diff --git a/crypto/openssh/hmac.c b/crypto/openssh/hmac.c new file mode 100644 index 000000000..99317b0f9 --- /dev/null +++ b/crypto/openssh/hmac.c @@ -0,0 +1,197 @@ +/* $OpenBSD: hmac.c,v 1.10 2014/01/31 16:39:19 tedu Exp $ */ +/* + * Copyright (c) 2014 Markus Friedl. All rights reserved. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include +#include + +#include "buffer.h" +#include "digest.h" +#include "hmac.h" + +struct ssh_hmac_ctx { + int alg; + struct ssh_digest_ctx *ictx; + struct ssh_digest_ctx *octx; + struct ssh_digest_ctx *digest; + u_char *buf; + size_t buf_len; +}; + +size_t +ssh_hmac_bytes(int alg) +{ + return ssh_digest_bytes(alg); +} + +struct ssh_hmac_ctx * +ssh_hmac_start(int alg) +{ + struct ssh_hmac_ctx *ret; + + if ((ret = calloc(1, sizeof(*ret))) == NULL) + return NULL; + ret->alg = alg; + if ((ret->ictx = ssh_digest_start(alg)) == NULL || + (ret->octx = ssh_digest_start(alg)) == NULL || + (ret->digest = ssh_digest_start(alg)) == NULL) + goto fail; + ret->buf_len = ssh_digest_blocksize(ret->ictx); + if ((ret->buf = calloc(1, ret->buf_len)) == NULL) + goto fail; + return ret; +fail: + ssh_hmac_free(ret); + return NULL; +} + +int +ssh_hmac_init(struct ssh_hmac_ctx *ctx, const void *key, size_t klen) +{ + size_t i; + + /* reset ictx and octx if no is key given */ + if (key != NULL) { + /* truncate long keys */ + if (klen <= ctx->buf_len) + memcpy(ctx->buf, key, klen); + else if (ssh_digest_memory(ctx->alg, key, klen, ctx->buf, + ctx->buf_len) < 0) + return -1; + for (i = 0; i < ctx->buf_len; i++) + ctx->buf[i] ^= 0x36; + if (ssh_digest_update(ctx->ictx, ctx->buf, ctx->buf_len) < 0) + return -1; + for (i = 0; i < ctx->buf_len; i++) + ctx->buf[i] ^= 0x36 ^ 0x5c; + if (ssh_digest_update(ctx->octx, ctx->buf, ctx->buf_len) < 0) + return -1; + explicit_bzero(ctx->buf, ctx->buf_len); + } + /* start with ictx */ + if (ssh_digest_copy_state(ctx->ictx, ctx->digest) < 0) + return -1; + return 0; +} + +int +ssh_hmac_update(struct ssh_hmac_ctx *ctx, const void *m, size_t mlen) +{ + return ssh_digest_update(ctx->digest, m, mlen); +} + +int +ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const Buffer *b) +{ + return ssh_digest_update_buffer(ctx->digest, b); +} + +int +ssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen) +{ + size_t len; + + len = ssh_digest_bytes(ctx->alg); + if (dlen < len || + ssh_digest_final(ctx->digest, ctx->buf, len)) + return -1; + /* switch to octx */ + if (ssh_digest_copy_state(ctx->octx, ctx->digest) < 0 || + ssh_digest_update(ctx->digest, ctx->buf, len) < 0 || + ssh_digest_final(ctx->digest, d, dlen) < 0) + return -1; + return 0; +} + +void +ssh_hmac_free(struct ssh_hmac_ctx *ctx) +{ + if (ctx != NULL) { + ssh_digest_free(ctx->ictx); + ssh_digest_free(ctx->octx); + ssh_digest_free(ctx->digest); + if (ctx->buf) { + explicit_bzero(ctx->buf, ctx->buf_len); + free(ctx->buf); + } + explicit_bzero(ctx, sizeof(*ctx)); + free(ctx); + } +} + +#ifdef TEST + +/* cc -DTEST hmac.c digest.c buffer.c cleanup.c fatal.c log.c xmalloc.c -lcrypto */ +static void +hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen) +{ + struct ssh_hmac_ctx *ctx; + size_t i; + u_char digest[16]; + + if ((ctx = ssh_hmac_start(SSH_DIGEST_MD5)) == NULL) + printf("ssh_hmac_start failed"); + if (ssh_hmac_init(ctx, key, klen) < 0 || + ssh_hmac_update(ctx, m, mlen) < 0 || + ssh_hmac_final(ctx, digest, sizeof(digest)) < 0) + printf("ssh_hmac_xxx failed"); + ssh_hmac_free(ctx); + + if (memcmp(e, digest, elen)) { + for (i = 0; i < elen; i++) + printf("[%zd] %2.2x %2.2x\n", i, e[i], digest[i]); + printf("mismatch\n"); + } else + printf("ok\n"); +} + +int +main(int argc, char **argv) +{ + /* try test vectors from RFC 2104 */ + + u_char key1[16] = { + 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, + 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb }; + u_char *data1 = "Hi There"; + u_char dig1[16] = { + 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c, + 0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d }; + + u_char *key2 = "Jefe"; + u_char *data2 = "what do ya want for nothing?"; + u_char dig2[16] = { + 0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03, + 0xea, 0xa8, 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38 }; + + u_char key3[16]; + u_char data3[50]; + u_char dig3[16] = { + 0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14, 0x4c, 0x88, + 0xdb, 0xb8, 0xc7, 0x33, 0xf0, 0xe8, 0xb3, 0xf6 }; + memset(key3, 0xaa, sizeof(key3)); + memset(data3, 0xdd, sizeof(data3)); + + hmac_test(key1, sizeof(key1), data1, strlen(data1), dig1, sizeof(dig1)); + hmac_test(key2, strlen(key2), data2, strlen(data2), dig2, sizeof(dig2)); + hmac_test(key3, sizeof(key3), data3, sizeof(data3), dig3, sizeof(dig3)); + + return 0; +} + +#endif diff --git a/crypto/openssh/hmac.h b/crypto/openssh/hmac.h new file mode 100644 index 000000000..2374a6955 --- /dev/null +++ b/crypto/openssh/hmac.h @@ -0,0 +1,37 @@ +/* $OpenBSD: hmac.h,v 1.6 2014/01/27 18:58:14 markus Exp $ */ +/* + * Copyright (c) 2014 Markus Friedl. All rights reserved. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _HMAC_H +#define _HMAC_H + +/* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */ +size_t ssh_hmac_bytes(int alg); + +struct ssh_hmac_ctx; +struct ssh_hmac_ctx *ssh_hmac_start(int alg); + +/* Sets the state of the HMAC or resets the state if key == NULL */ +int ssh_hmac_init(struct ssh_hmac_ctx *ctx, const void *key, size_t klen) + __attribute__((__bounded__(__buffer__, 2, 3))); +int ssh_hmac_update(struct ssh_hmac_ctx *ctx, const void *m, size_t mlen) + __attribute__((__bounded__(__buffer__, 2, 3))); +int ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const Buffer *b); +int ssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen) + __attribute__((__bounded__(__buffer__, 2, 3))); +void ssh_hmac_free(struct ssh_hmac_ctx *ctx); + +#endif /* _HMAC_H */ diff --git a/crypto/openssh/hostfile.c b/crypto/openssh/hostfile.c index b6f924b23..8bc9540b7 100644 --- a/crypto/openssh/hostfile.c +++ b/crypto/openssh/hostfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.c,v 1.50 2010/12/04 13:31:37 djm Exp $ */ +/* $OpenBSD: hostfile.c,v 1.55 2014/01/31 16:39:19 tedu Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,9 +42,6 @@ #include -#include -#include - #include #include #include @@ -57,6 +54,8 @@ #include "hostfile.h" #include "log.h" #include "misc.h" +#include "digest.h" +#include "hmac.h" struct hostkeys { struct hostkey_entry *entries; @@ -64,7 +63,7 @@ struct hostkeys { }; static int -extract_salt(const char *s, u_int l, char *salt, size_t salt_len) +extract_salt(const char *s, u_int l, u_char *salt, size_t salt_len) { char *p, *b64salt; u_int b64len; @@ -96,14 +95,14 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len) b64salt[b64len] = '\0'; ret = __b64_pton(b64salt, salt, salt_len); - xfree(b64salt); + free(b64salt); if (ret == -1) { debug2("extract_salt: salt decode error"); return (-1); } - if (ret != SHA_DIGEST_LENGTH) { - debug2("extract_salt: expected salt len %d, got %d", - SHA_DIGEST_LENGTH, ret); + if (ret != (int)ssh_hmac_bytes(SSH_DIGEST_SHA1)) { + debug2("extract_salt: expected salt len %zd, got %d", + ssh_hmac_bytes(SSH_DIGEST_SHA1), ret); return (-1); } @@ -113,13 +112,13 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len) char * host_hash(const char *host, const char *name_from_hostfile, u_int src_len) { - const EVP_MD *md = EVP_sha1(); - HMAC_CTX mac_ctx; - char salt[256], result[256], uu_salt[512], uu_result[512]; + struct ssh_hmac_ctx *ctx; + u_char salt[256], result[256]; + char uu_salt[512], uu_result[512]; static char encoded[1024]; u_int i, len; - len = EVP_MD_size(md); + len = ssh_digest_bytes(SSH_DIGEST_SHA1); if (name_from_hostfile == NULL) { /* Create new salt */ @@ -132,14 +131,16 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len) return (NULL); } - HMAC_Init(&mac_ctx, salt, len, md); - HMAC_Update(&mac_ctx, host, strlen(host)); - HMAC_Final(&mac_ctx, result, NULL); - HMAC_cleanup(&mac_ctx); + if ((ctx = ssh_hmac_start(SSH_DIGEST_SHA1)) == NULL || + ssh_hmac_init(ctx, salt, len) < 0 || + ssh_hmac_update(ctx, host, strlen(host)) < 0 || + ssh_hmac_final(ctx, result, sizeof(result))) + fatal("%s: ssh_hmac failed", __func__); + ssh_hmac_free(ctx); if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 || __b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1) - fatal("host_hash: __b64_ntop failed"); + fatal("%s: __b64_ntop failed", __func__); snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, uu_salt, HASH_DELIM, uu_result); @@ -153,7 +154,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len) */ int -hostfile_read_key(char **cpp, u_int *bitsp, Key *ret) +hostfile_read_key(char **cpp, int *bitsp, Key *ret) { char *cp; @@ -170,8 +171,10 @@ hostfile_read_key(char **cpp, u_int *bitsp, Key *ret) /* Return results. */ *cpp = cp; - if (bitsp != NULL) - *bitsp = key_size(ret); + if (bitsp != NULL) { + if ((*bitsp = key_size(ret)) <= 0) + return 0; + } return 1; } @@ -327,16 +330,14 @@ free_hostkeys(struct hostkeys *hostkeys) u_int i; for (i = 0; i < hostkeys->num_entries; i++) { - xfree(hostkeys->entries[i].host); - xfree(hostkeys->entries[i].file); + free(hostkeys->entries[i].host); + free(hostkeys->entries[i].file); key_free(hostkeys->entries[i].key); - bzero(hostkeys->entries + i, sizeof(*hostkeys->entries)); + explicit_bzero(hostkeys->entries + i, sizeof(*hostkeys->entries)); } - if (hostkeys->entries != NULL) - xfree(hostkeys->entries); - hostkeys->entries = NULL; - hostkeys->num_entries = 0; - xfree(hostkeys); + free(hostkeys->entries); + explicit_bzero(hostkeys, sizeof(*hostkeys)); + free(hostkeys); } static int diff --git a/crypto/openssh/hostfile.h b/crypto/openssh/hostfile.h index d84d422ff..679c034f3 100644 --- a/crypto/openssh/hostfile.h +++ b/crypto/openssh/hostfile.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.h,v 1.19 2010/11/29 23:45:51 djm Exp $ */ +/* $OpenBSD: hostfile.h,v 1.20 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen @@ -40,7 +40,7 @@ HostStatus check_key_in_hostkeys(struct hostkeys *, Key *, int lookup_key_in_hostkeys_by_type(struct hostkeys *, int, const struct hostkey_entry **); -int hostfile_read_key(char **, u_int *, Key *); +int hostfile_read_key(char **, int *, Key *); int add_host_to_hostfile(const char *, const char *, const Key *, int); #define HASH_MAGIC "|1|" diff --git a/crypto/openssh/includes.h b/crypto/openssh/includes.h index 3e206c899..07bcd89f2 100644 --- a/crypto/openssh/includes.h +++ b/crypto/openssh/includes.h @@ -18,7 +18,9 @@ #include "config.h" +#ifndef _GNU_SOURCE #define _GNU_SOURCE /* activate extra prototypes for glibc */ +#endif #include #include /* For CMSG_* */ diff --git a/crypto/openssh/install-sh b/crypto/openssh/install-sh new file mode 100755 index 000000000..220abbf61 --- /dev/null +++ b/crypto/openssh/install-sh @@ -0,0 +1,251 @@ +#!/bin/sh +# +# install - install a program, script, or datafile +# This comes from X11R5 (mit/util/scripts/install.sh). +# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. +# +# Calling this script install-sh is preferred over install.sh, to prevent +# `make' implicit rules from creating a file called install from it +# when there is no Makefile. +# +# This script is compatible with the BSD install script, but was written +# from scratch. It can only install one file at a time, a restriction +# shared with many OS's install programs. + + +# set DOITPROG to echo to test this script + +# Don't use :- since 4.3BSD and earlier shells don't like it. +doit="${DOITPROG-}" + + +# put in absolute paths if you don't have them in your path; or use env. vars. + +mvprog="${MVPROG-mv}" +cpprog="${CPPROG-cp}" +chmodprog="${CHMODPROG-chmod}" +chownprog="${CHOWNPROG-chown}" +chgrpprog="${CHGRPPROG-chgrp}" +stripprog="${STRIPPROG-strip}" +rmprog="${RMPROG-rm}" +mkdirprog="${MKDIRPROG-mkdir}" + +transformbasename="" +transform_arg="" +instcmd="$mvprog" +chmodcmd="$chmodprog 0755" +chowncmd="" +chgrpcmd="" +stripcmd="" +rmcmd="$rmprog -f" +mvcmd="$mvprog" +src="" +dst="" +dir_arg="" + +while [ x"$1" != x ]; do + case $1 in + -c) instcmd="$cpprog" + shift + continue;; + + -d) dir_arg=true + shift + continue;; + + -m) chmodcmd="$chmodprog $2" + shift + shift + continue;; + + -o) chowncmd="$chownprog $2" + shift + shift + continue;; + + -g) chgrpcmd="$chgrpprog $2" + shift + shift + continue;; + + -s) stripcmd="$stripprog" + shift + continue;; + + -t=*) transformarg=`echo $1 | sed 's/-t=//'` + shift + continue;; + + -b=*) transformbasename=`echo $1 | sed 's/-b=//'` + shift + continue;; + + *) if [ x"$src" = x ] + then + src=$1 + else + # this colon is to work around a 386BSD /bin/sh bug + : + dst=$1 + fi + shift + continue;; + esac +done + +if [ x"$src" = x ] +then + echo "install: no input file specified" + exit 1 +else + true +fi + +if [ x"$dir_arg" != x ]; then + dst=$src + src="" + + if [ -d $dst ]; then + instcmd=: + chmodcmd="" + else + instcmd=mkdir + fi +else + +# Waiting for this to be detected by the "$instcmd $src $dsttmp" command +# might cause directories to be created, which would be especially bad +# if $src (and thus $dsttmp) contains '*'. + + if [ -f $src -o -d $src ] + then + true + else + echo "install: $src does not exist" + exit 1 + fi + + if [ x"$dst" = x ] + then + echo "install: no destination specified" + exit 1 + else + true + fi + +# If destination is a directory, append the input filename; if your system +# does not like double slashes in filenames, you may need to add some logic + + if [ -d $dst ] + then + dst="$dst"/`basename $src` + else + true + fi +fi + +## this sed command emulates the dirname command +dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` + +# Make sure that the destination directory exists. +# this part is taken from Noah Friedman's mkinstalldirs script + +# Skip lots of stat calls in the usual case. +if [ ! -d "$dstdir" ]; then +defaultIFS=' +' +IFS="${IFS-${defaultIFS}}" + +oIFS="${IFS}" +# Some sh's can't handle IFS=/ for some reason. +IFS='%' +set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` +IFS="${oIFS}" + +pathcomp='' + +while [ $# -ne 0 ] ; do + pathcomp="${pathcomp}${1}" + shift + + if [ ! -d "${pathcomp}" ] ; + then + $mkdirprog "${pathcomp}" + else + true + fi + + pathcomp="${pathcomp}/" +done +fi + +if [ x"$dir_arg" != x ] +then + $doit $instcmd $dst && + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi +else + +# If we're going to rename the final executable, determine the name now. + + if [ x"$transformarg" = x ] + then + dstfile=`basename $dst` + else + dstfile=`basename $dst $transformbasename | + sed $transformarg`$transformbasename + fi + +# don't allow the sed command to completely eliminate the filename + + if [ x"$dstfile" = x ] + then + dstfile=`basename $dst` + else + true + fi + +# Make a temp file name in the proper directory. + + dsttmp=$dstdir/#inst.$$# + +# Move or copy the file name to the temp name + + $doit $instcmd $src $dsttmp && + + trap "rm -f ${dsttmp}" 0 && + +# and set any options; do chmod last to preserve setuid bits + +# If any of these fail, we abort the whole thing. If we want to +# ignore errors from any of these, just make sure not to ignore +# errors from the above "$doit $instcmd $src $dsttmp" command. + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && + +# Now rename the file to the real destination. + + $doit $rmcmd -f $dstdir/$dstfile && + $doit $mvcmd $dsttmp $dstdir/$dstfile + +fi && + + +exit 0 diff --git a/crypto/openssh/jpake.c b/crypto/openssh/jpake.c deleted file mode 100644 index b010dafaa..000000000 --- a/crypto/openssh/jpake.c +++ /dev/null @@ -1,456 +0,0 @@ -/* $OpenBSD: jpake.c,v 1.7 2012/06/18 11:43:53 dtucker Exp $ */ -/* - * Copyright (c) 2008 Damien Miller. All rights reserved. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Shared components of zero-knowledge password auth using J-PAKE protocol - * as described in: - * - * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", - * 16th Workshop on Security Protocols, Cambridge, April 2008 - * - * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf - */ - -#include "includes.h" - -#include - -#include -#include -#include - -#include -#include - -#include "xmalloc.h" -#include "ssh2.h" -#include "key.h" -#include "hostfile.h" -#include "auth.h" -#include "buffer.h" -#include "packet.h" -#include "dispatch.h" -#include "log.h" -#include "misc.h" - -#include "jpake.h" -#include "schnorr.h" - -#ifdef JPAKE - -/* RFC3526 group 5, 1536 bits */ -#define JPAKE_GROUP_G "2" -#define JPAKE_GROUP_P \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74" \ - "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437" \ - "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05" \ - "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \ - "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" - -struct modp_group * -jpake_default_group(void) -{ - return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P); -} - -struct jpake_ctx * -jpake_new(void) -{ - struct jpake_ctx *ret; - - ret = xcalloc(1, sizeof(*ret)); - - ret->grp = jpake_default_group(); - - ret->s = ret->k = NULL; - ret->x1 = ret->x2 = ret->x3 = ret->x4 = NULL; - ret->g_x1 = ret->g_x2 = ret->g_x3 = ret->g_x4 = NULL; - ret->a = ret->b = NULL; - - ret->client_id = ret->server_id = NULL; - ret->h_k_cid_sessid = ret->h_k_sid_sessid = NULL; - - debug3("%s: alloc %p", __func__, ret); - - return ret; -} - -void -jpake_free(struct jpake_ctx *pctx) -{ - debug3("%s: free %p", __func__, pctx); - -#define JPAKE_BN_CLEAR_FREE(v) \ - do { \ - if ((v) != NULL) { \ - BN_clear_free(v); \ - (v) = NULL; \ - } \ - } while (0) -#define JPAKE_BUF_CLEAR_FREE(v, l) \ - do { \ - if ((v) != NULL) { \ - bzero((v), (l)); \ - xfree(v); \ - (v) = NULL; \ - (l) = 0; \ - } \ - } while (0) - - JPAKE_BN_CLEAR_FREE(pctx->s); - JPAKE_BN_CLEAR_FREE(pctx->k); - JPAKE_BN_CLEAR_FREE(pctx->x1); - JPAKE_BN_CLEAR_FREE(pctx->x2); - JPAKE_BN_CLEAR_FREE(pctx->x3); - JPAKE_BN_CLEAR_FREE(pctx->x4); - JPAKE_BN_CLEAR_FREE(pctx->g_x1); - JPAKE_BN_CLEAR_FREE(pctx->g_x2); - JPAKE_BN_CLEAR_FREE(pctx->g_x3); - JPAKE_BN_CLEAR_FREE(pctx->g_x4); - JPAKE_BN_CLEAR_FREE(pctx->a); - JPAKE_BN_CLEAR_FREE(pctx->b); - - JPAKE_BUF_CLEAR_FREE(pctx->client_id, pctx->client_id_len); - JPAKE_BUF_CLEAR_FREE(pctx->server_id, pctx->server_id_len); - JPAKE_BUF_CLEAR_FREE(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len); - JPAKE_BUF_CLEAR_FREE(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len); - -#undef JPAKE_BN_CLEAR_FREE -#undef JPAKE_BUF_CLEAR_FREE - - bzero(pctx, sizeof(*pctx)); - xfree(pctx); -} - -/* dump entire jpake_ctx. NB. includes private values! */ -void -jpake_dump(struct jpake_ctx *pctx, const char *fmt, ...) -{ - char *out; - va_list args; - - out = NULL; - va_start(args, fmt); - vasprintf(&out, fmt, args); - va_end(args); - if (out == NULL) - fatal("%s: vasprintf failed", __func__); - - debug3("%s: %s (ctx at %p)", __func__, out, pctx); - if (pctx == NULL) { - free(out); - return; - } - -#define JPAKE_DUMP_BN(a) do { \ - if ((a) != NULL) \ - JPAKE_DEBUG_BN(((a), "%s = ", #a)); \ - } while (0) -#define JPAKE_DUMP_BUF(a, b) do { \ - if ((a) != NULL) \ - JPAKE_DEBUG_BUF((a, b, "%s", #a)); \ - } while (0) - - JPAKE_DUMP_BN(pctx->s); - JPAKE_DUMP_BN(pctx->k); - JPAKE_DUMP_BN(pctx->x1); - JPAKE_DUMP_BN(pctx->x2); - JPAKE_DUMP_BN(pctx->x3); - JPAKE_DUMP_BN(pctx->x4); - JPAKE_DUMP_BN(pctx->g_x1); - JPAKE_DUMP_BN(pctx->g_x2); - JPAKE_DUMP_BN(pctx->g_x3); - JPAKE_DUMP_BN(pctx->g_x4); - JPAKE_DUMP_BN(pctx->a); - JPAKE_DUMP_BN(pctx->b); - - JPAKE_DUMP_BUF(pctx->client_id, pctx->client_id_len); - JPAKE_DUMP_BUF(pctx->server_id, pctx->server_id_len); - JPAKE_DUMP_BUF(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len); - JPAKE_DUMP_BUF(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len); - - debug3("%s: %s done", __func__, out); - free(out); -} - -/* Shared parts of step 1 exchange calculation */ -void -jpake_step1(struct modp_group *grp, - u_char **id, u_int *id_len, - BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2, - u_char **priv1_proof, u_int *priv1_proof_len, - u_char **priv2_proof, u_int *priv2_proof_len) -{ - BN_CTX *bn_ctx; - - if ((bn_ctx = BN_CTX_new()) == NULL) - fatal("%s: BN_CTX_new", __func__); - - /* Random nonce to prevent replay */ - *id = xmalloc(KZP_ID_LEN); - *id_len = KZP_ID_LEN; - arc4random_buf(*id, *id_len); - - /* - * x1/x3 is a random element of Zq - * x2/x4 is a random element of Z*q - * We also exclude [1] from x1/x3 candidates and [0, 1] from - * x2/x4 candiates to avoid possible degeneracy (i.e. g^0, g^1). - */ - if ((*priv1 = bn_rand_range_gt_one(grp->q)) == NULL || - (*priv2 = bn_rand_range_gt_one(grp->q)) == NULL) - fatal("%s: bn_rand_range_gt_one", __func__); - - /* - * client: g_x1 = g^x1 mod p / server: g_x3 = g^x3 mod p - * client: g_x2 = g^x2 mod p / server: g_x4 = g^x4 mod p - */ - if ((*g_priv1 = BN_new()) == NULL || - (*g_priv2 = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - if (BN_mod_exp(*g_priv1, grp->g, *priv1, grp->p, bn_ctx) == -1) - fatal("%s: BN_mod_exp", __func__); - if (BN_mod_exp(*g_priv2, grp->g, *priv2, grp->p, bn_ctx) == -1) - fatal("%s: BN_mod_exp", __func__); - - /* Generate proofs for holding x1/x3 and x2/x4 */ - if (schnorr_sign_buf(grp->p, grp->q, grp->g, - *priv1, *g_priv1, *id, *id_len, - priv1_proof, priv1_proof_len) != 0) - fatal("%s: schnorr_sign", __func__); - if (schnorr_sign_buf(grp->p, grp->q, grp->g, - *priv2, *g_priv2, *id, *id_len, - priv2_proof, priv2_proof_len) != 0) - fatal("%s: schnorr_sign", __func__); - - BN_CTX_free(bn_ctx); -} - -/* Shared parts of step 2 exchange calculation */ -void -jpake_step2(struct modp_group *grp, BIGNUM *s, - BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2, - const u_char *theirid, u_int theirid_len, - const u_char *myid, u_int myid_len, - const u_char *theirpub1_proof, u_int theirpub1_proof_len, - const u_char *theirpub2_proof, u_int theirpub2_proof_len, - BIGNUM **newpub, - u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len) -{ - BN_CTX *bn_ctx; - BIGNUM *tmp, *exponent; - - /* Validate peer's step 1 values */ - if (BN_cmp(theirpub1, BN_value_one()) <= 0) - fatal("%s: theirpub1 <= 1", __func__); - if (BN_cmp(theirpub1, grp->p) >= 0) - fatal("%s: theirpub1 >= p", __func__); - if (BN_cmp(theirpub2, BN_value_one()) <= 0) - fatal("%s: theirpub2 <= 1", __func__); - if (BN_cmp(theirpub2, grp->p) >= 0) - fatal("%s: theirpub2 >= p", __func__); - - if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1, - theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1) - fatal("%s: schnorr_verify theirpub1 failed", __func__); - if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2, - theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1) - fatal("%s: schnorr_verify theirpub2 failed", __func__); - - if ((bn_ctx = BN_CTX_new()) == NULL) - fatal("%s: BN_CTX_new", __func__); - - if ((*newpub = BN_new()) == NULL || - (tmp = BN_new()) == NULL || - (exponent = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - - /* - * client: exponent = x2 * s mod p - * server: exponent = x4 * s mod p - */ - if (BN_mod_mul(exponent, mypriv2, s, grp->q, bn_ctx) != 1) - fatal("%s: BN_mod_mul (exponent = mypriv2 * s mod p)", - __func__); - - /* - * client: tmp = g^(x1 + x3 + x4) mod p - * server: tmp = g^(x1 + x2 + x3) mod p - */ - if (BN_mod_mul(tmp, mypub1, theirpub1, grp->p, bn_ctx) != 1) - fatal("%s: BN_mod_mul (tmp = mypub1 * theirpub1 mod p)", - __func__); - if (BN_mod_mul(tmp, tmp, theirpub2, grp->p, bn_ctx) != 1) - fatal("%s: BN_mod_mul (tmp = tmp * theirpub2 mod p)", __func__); - - /* - * client: a = tmp^exponent = g^((x1+x3+x4) * x2 * s) mod p - * server: b = tmp^exponent = g^((x1+x2+x3) * x4 * s) mod p - */ - if (BN_mod_exp(*newpub, tmp, exponent, grp->p, bn_ctx) != 1) - fatal("%s: BN_mod_mul (newpub = tmp^exponent mod p)", __func__); - - JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__)); - JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__)); - - /* Note the generator here is 'tmp', not g */ - if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub, - myid, myid_len, - newpub_exponent_proof, newpub_exponent_proof_len) != 0) - fatal("%s: schnorr_sign newpub", __func__); - - BN_clear_free(tmp); /* XXX stash for later use? */ - BN_clear_free(exponent); /* XXX stash for later use? (yes, in conf) */ - - BN_CTX_free(bn_ctx); -} - -/* Confirmation hash calculation */ -void -jpake_confirm_hash(const BIGNUM *k, - const u_char *endpoint_id, u_int endpoint_id_len, - const u_char *sess_id, u_int sess_id_len, - u_char **confirm_hash, u_int *confirm_hash_len) -{ - Buffer b; - - /* - * Calculate confirmation proof: - * client: H(k || client_id || session_id) - * server: H(k || server_id || session_id) - */ - buffer_init(&b); - buffer_put_bignum2(&b, k); - buffer_put_string(&b, endpoint_id, endpoint_id_len); - buffer_put_string(&b, sess_id, sess_id_len); - if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(), - confirm_hash, confirm_hash_len) != 0) - fatal("%s: hash_buffer", __func__); - buffer_free(&b); -} - -/* Shared parts of key derivation and confirmation calculation */ -void -jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val, - BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2, - BIGNUM *theirpub1, BIGNUM *theirpub2, - const u_char *my_id, u_int my_id_len, - const u_char *their_id, u_int their_id_len, - const u_char *sess_id, u_int sess_id_len, - const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len, - BIGNUM **k, - u_char **confirm_hash, u_int *confirm_hash_len) -{ - BN_CTX *bn_ctx; - BIGNUM *tmp; - - if ((bn_ctx = BN_CTX_new()) == NULL) - fatal("%s: BN_CTX_new", __func__); - if ((tmp = BN_new()) == NULL || - (*k = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - - /* Validate step 2 values */ - if (BN_cmp(step2_val, BN_value_one()) <= 0) - fatal("%s: step2_val <= 1", __func__); - if (BN_cmp(step2_val, grp->p) >= 0) - fatal("%s: step2_val >= p", __func__); - - /* - * theirpriv2_s_proof is calculated with a different generator: - * tmp = g^(mypriv1+mypriv2+theirpub1) = g^mypub1*g^mypub2*g^theirpub1 - * Calculate it here so we can check the signature. - */ - if (BN_mod_mul(tmp, mypub1, mypub2, grp->p, bn_ctx) != 1) - fatal("%s: BN_mod_mul (tmp = mypub1 * mypub2 mod p)", __func__); - if (BN_mod_mul(tmp, tmp, theirpub1, grp->p, bn_ctx) != 1) - fatal("%s: BN_mod_mul (tmp = tmp * theirpub1 mod p)", __func__); - - JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__)); - - if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val, - their_id, their_id_len, - theirpriv2_s_proof, theirpriv2_s_proof_len) != 1) - fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__); - - /* - * Derive shared key: - * client: k = (b / g^(x2*x4*s))^x2 = g^((x1+x3)*x2*x4*s) - * server: k = (a / g^(x2*x4*s))^x4 = g^((x1+x3)*x2*x4*s) - * - * Computed as: - * client: k = (g_x4^(q - (x2 * s)) * b)^x2 mod p - * server: k = (g_x2^(q - (x4 * s)) * b)^x4 mod p - */ - if (BN_mul(tmp, mypriv2, s, bn_ctx) != 1) - fatal("%s: BN_mul (tmp = mypriv2 * s)", __func__); - if (BN_mod_sub(tmp, grp->q, tmp, grp->q, bn_ctx) != 1) - fatal("%s: BN_mod_sub (tmp = q - tmp mod q)", __func__); - if (BN_mod_exp(tmp, theirpub2, tmp, grp->p, bn_ctx) != 1) - fatal("%s: BN_mod_exp (tmp = theirpub2^tmp) mod p", __func__); - if (BN_mod_mul(tmp, tmp, step2_val, grp->p, bn_ctx) != 1) - fatal("%s: BN_mod_mul (tmp = tmp * step2_val) mod p", __func__); - if (BN_mod_exp(*k, tmp, mypriv2, grp->p, bn_ctx) != 1) - fatal("%s: BN_mod_exp (k = tmp^mypriv2) mod p", __func__); - - BN_CTX_free(bn_ctx); - BN_clear_free(tmp); - - jpake_confirm_hash(*k, my_id, my_id_len, sess_id, sess_id_len, - confirm_hash, confirm_hash_len); -} - -/* - * Calculate and check confirmation hash from peer. Returns 1 on success - * 0 on failure/mismatch. - */ -int -jpake_check_confirm(const BIGNUM *k, - const u_char *peer_id, u_int peer_id_len, - const u_char *sess_id, u_int sess_id_len, - const u_char *peer_confirm_hash, u_int peer_confirm_hash_len) -{ - u_char *expected_confirm_hash; - u_int expected_confirm_hash_len; - int success = 0; - - /* Calculate and verify expected confirmation hash */ - jpake_confirm_hash(k, peer_id, peer_id_len, sess_id, sess_id_len, - &expected_confirm_hash, &expected_confirm_hash_len); - - JPAKE_DEBUG_BUF((expected_confirm_hash, expected_confirm_hash_len, - "%s: expected confirm hash", __func__)); - JPAKE_DEBUG_BUF((peer_confirm_hash, peer_confirm_hash_len, - "%s: received confirm hash", __func__)); - - if (peer_confirm_hash_len != expected_confirm_hash_len) - error("%s: confirmation length mismatch (my %u them %u)", - __func__, expected_confirm_hash_len, peer_confirm_hash_len); - else if (timingsafe_bcmp(peer_confirm_hash, expected_confirm_hash, - expected_confirm_hash_len) == 0) - success = 1; - bzero(expected_confirm_hash, expected_confirm_hash_len); - xfree(expected_confirm_hash); - debug3("%s: success = %d", __func__, success); - return success; -} - -/* XXX main() function with tests */ - -#endif /* JPAKE */ - diff --git a/crypto/openssh/jpake.h b/crypto/openssh/jpake.h deleted file mode 100644 index a3f2cf025..000000000 --- a/crypto/openssh/jpake.h +++ /dev/null @@ -1,114 +0,0 @@ -/* $OpenBSD: jpake.h,v 1.2 2009/03/05 07:18:19 djm Exp $ */ -/* - * Copyright (c) 2008 Damien Miller. All rights reserved. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef JPAKE_H -#define JPAKE_H - -#include - -#include - -/* Set JPAKE_DEBUG in CFLAGS for privacy-violating debugging */ -#ifndef JPAKE_DEBUG -# define JPAKE_DEBUG_BN(a) -# define JPAKE_DEBUG_BUF(a) -# define JPAKE_DEBUG_CTX(a) -#else -# define JPAKE_DEBUG_BN(a) debug3_bn a -# define JPAKE_DEBUG_BUF(a) debug3_buf a -# define JPAKE_DEBUG_CTX(a) jpake_dump a -#endif /* JPAKE_DEBUG */ - -#define KZP_ID_LEN 16 /* Length of client and server IDs */ - -struct jpake_ctx { - /* Parameters */ - struct modp_group *grp; - - /* Private values shared by client and server */ - BIGNUM *s; /* Secret (salted, crypted password) */ - BIGNUM *k; /* Derived key */ - - /* Client private values (NULL for server) */ - BIGNUM *x1; /* random in Zq */ - BIGNUM *x2; /* random in Z*q */ - - /* Server private values (NULL for server) */ - BIGNUM *x3; /* random in Zq */ - BIGNUM *x4; /* random in Z*q */ - - /* Step 1: C->S */ - u_char *client_id; /* Anti-replay nonce */ - u_int client_id_len; - BIGNUM *g_x1; /* g^x1 */ - BIGNUM *g_x2; /* g^x2 */ - - /* Step 1: S->C */ - u_char *server_id; /* Anti-replay nonce */ - u_int server_id_len; - BIGNUM *g_x3; /* g^x3 */ - BIGNUM *g_x4; /* g^x4 */ - - /* Step 2: C->S */ - BIGNUM *a; /* g^((x1+x3+x4)*x2*s) */ - - /* Step 2: S->C */ - BIGNUM *b; /* g^((x1+x2+x3)*x4*s) */ - - /* Confirmation: C->S */ - u_char *h_k_cid_sessid; /* H(k || client_id || session_id) */ - u_int h_k_cid_sessid_len; - - /* Confirmation: S->C */ - u_char *h_k_sid_sessid; /* H(k || server_id || session_id) */ - u_int h_k_sid_sessid_len; -}; - -/* jpake.c */ -struct modp_group *jpake_default_group(void); -void jpake_dump(struct jpake_ctx *, const char *, ...) - __attribute__((__nonnull__ (2))) - __attribute__((format(printf, 2, 3))); -struct jpake_ctx *jpake_new(void); -void jpake_free(struct jpake_ctx *); - -void jpake_step1(struct modp_group *, u_char **, u_int *, - BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **, - u_char **, u_int *, u_char **, u_int *); - -void jpake_step2(struct modp_group *, BIGNUM *, - BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, - const u_char *, u_int, const u_char *, u_int, - const u_char *, u_int, const u_char *, u_int, - BIGNUM **, u_char **, u_int *); - -void jpake_confirm_hash(const BIGNUM *, - const u_char *, u_int, - const u_char *, u_int, - u_char **, u_int *); - -void jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *, - BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, - const u_char *, u_int, const u_char *, u_int, - const u_char *, u_int, const u_char *, u_int, - BIGNUM **, u_char **, u_int *); - -int jpake_check_confirm(const BIGNUM *, const u_char *, u_int, - const u_char *, u_int, const u_char *, u_int); - -#endif /* JPAKE_H */ - diff --git a/crypto/openssh/kex.c b/crypto/openssh/kex.c index 281406011..b1792af6d 100644 --- a/crypto/openssh/kex.c +++ b/crypto/openssh/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: kex.c,v 1.98 2014/02/02 03:44:31 djm Exp $ */ /* $FreeBSD$ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -25,6 +25,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include @@ -50,6 +51,7 @@ #include "dispatch.h" #include "monitor.h" #include "roaming.h" +#include "digest.h" #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) @@ -63,6 +65,66 @@ extern const EVP_MD *evp_ssh_sha256(void); static void kex_kexinit_finish(Kex *); static void kex_choose_conf(Kex *); +struct kexalg { + char *name; + int type; + int ec_nid; + int hash_alg; +}; +static const struct kexalg kexalgs[] = { + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, +#ifdef HAVE_EVP_SHA256 + { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, +#endif +#ifdef OPENSSL_HAS_ECC + { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, + NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, + { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, + SSH_DIGEST_SHA384 }, +# ifdef OPENSSL_HAS_NISTP521 + { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, + SSH_DIGEST_SHA512 }, +# endif +#endif + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, +#ifdef HAVE_EVP_SHA256 + { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, +#endif + { NULL, -1, -1, -1}, +}; + +char * +kex_alg_list(char sep) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const struct kexalg *k; + + for (k = kexalgs; k->name != NULL; k++) { + if (ret != NULL) + ret[rlen++] = sep; + nlen = strlen(k->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, k->name, nlen + 1); + rlen += nlen; + } + return ret; +} + +static const struct kexalg * +kex_alg_by_name(const char *name) +{ + const struct kexalg *k; + + for (k = kexalgs; k->name != NULL; k++) { + if (strcmp(k->name, name) == 0) + return k; + } + return NULL; +} + /* Validate KEX method name list */ int kex_names_valid(const char *names) @@ -74,20 +136,14 @@ kex_names_valid(const char *names) s = cp = xstrdup(names); for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { - if (strcmp(p, KEX_DHGEX_SHA256) != 0 && - strcmp(p, KEX_DHGEX_SHA1) != 0 && - strcmp(p, KEX_DH14) != 0 && - strcmp(p, KEX_DH1) != 0 && - (strncmp(p, KEX_ECDH_SHA2_STEM, - sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 || - kex_ecdh_name_to_nid(p) == -1)) { + if (kex_alg_by_name(p) == NULL) { error("Unsupported KEX algorithm \"%.100s\"", p); - xfree(s); + free(s); return 0; } } debug3("kex names ok: [%s]", names); - xfree(s); + free(s); return 1; } @@ -152,8 +208,8 @@ kex_prop_free(char **proposal) u_int i; for (i = 0; i < PROPOSAL_MAX; i++) - xfree(proposal[i]); - xfree(proposal); + free(proposal[i]); + free(proposal); } /* ARGSUSED */ @@ -190,7 +246,7 @@ kex_finish(Kex *kex) buffer_clear(&kex->peer); /* buffer_clear(&kex->my); */ kex->flags &= ~KEX_INIT_SENT; - xfree(kex->name); + free(kex->name); kex->name = NULL; } @@ -247,7 +303,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) for (i = 0; i < KEX_COOKIE_LEN; i++) packet_get_char(); for (i = 0; i < PROPOSAL_MAX; i++) - xfree(packet_get_string(NULL)); + free(packet_get_string(NULL)); /* * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported * KEX method has the server move first, but a server might be using @@ -354,29 +410,16 @@ choose_comp(Comp *comp, char *client, char *server) static void choose_kex(Kex *k, char *client, char *server) { + const struct kexalg *kexalg; + k->name = match_list(client, server, NULL); if (k->name == NULL) fatal("Unable to negotiate a key exchange method"); - if (strcmp(k->name, KEX_DH1) == 0) { - k->kex_type = KEX_DH_GRP1_SHA1; - k->evp_md = EVP_sha1(); - } else if (strcmp(k->name, KEX_DH14) == 0) { - k->kex_type = KEX_DH_GRP14_SHA1; - k->evp_md = EVP_sha1(); - } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) { - k->kex_type = KEX_DH_GEX_SHA1; - k->evp_md = EVP_sha1(); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) { - k->kex_type = KEX_DH_GEX_SHA256; - k->evp_md = evp_ssh_sha256(); - } else if (strncmp(k->name, KEX_ECDH_SHA2_STEM, - sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) { - k->kex_type = KEX_ECDH_SHA2; - k->evp_md = kex_ecdh_name_to_evpmd(k->name); -#endif - } else - fatal("bad kex alg %s", k->name); + if ((kexalg = kex_alg_by_name(k->name)) == NULL) + fatal("unsupported kex alg %s", k->name); + k->kex_type = kexalg->type; + k->hash_alg = kexalg->hash_alg; + k->ec_nid = kexalg->ec_nid; } static void @@ -388,7 +431,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server) k->hostkey_type = key_type_from_name(hostkeyalg); if (k->hostkey_type == KEY_UNSPEC) fatal("bad hostkey alg '%s'", hostkeyalg); - xfree(hostkeyalg); + free(hostkeyalg); } static int @@ -422,7 +465,7 @@ kex_choose_conf(Kex *kex) char **my, **peer; char **cprop, **sprop; int nenc, nmac, ncomp; - u_int mode, ctos, need, authlen; + u_int mode, ctos, need, dh_need, authlen; int first_kex_follows, type; #ifdef NONE_CIPHER_ENABLED int auth_flag; @@ -445,7 +488,7 @@ kex_choose_conf(Kex *kex) roaming = match_list(KEX_RESUME, peer[PROPOSAL_KEX_ALGS], NULL); if (roaming) { kex->roaming = 1; - xfree(roaming); + free(roaming); } } @@ -488,20 +531,21 @@ kex_choose_conf(Kex *kex) choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); - need = 0; + need = dh_need = 0; for (mode = 0; mode < MODE_MAX; mode++) { newkeys = kex->newkeys[mode]; - if (need < newkeys->enc.key_len) - need = newkeys->enc.key_len; - if (need < newkeys->enc.block_size) - need = newkeys->enc.block_size; - if (need < newkeys->enc.iv_len) - need = newkeys->enc.iv_len; - if (need < newkeys->mac.key_len) - need = newkeys->mac.key_len; + need = MAX(need, newkeys->enc.key_len); + need = MAX(need, newkeys->enc.block_size); + need = MAX(need, newkeys->enc.iv_len); + need = MAX(need, newkeys->mac.key_len); + dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher)); + dh_need = MAX(dh_need, newkeys->enc.block_size); + dh_need = MAX(dh_need, newkeys->enc.iv_len); + dh_need = MAX(dh_need, newkeys->mac.key_len); } /* XXX need runden? */ kex->we_need = need; + kex->dh_need = dh_need; /* ignore the next message if the proposals do not match */ if (first_kex_follows && !proposals_match(my, peer) && @@ -516,30 +560,34 @@ kex_choose_conf(Kex *kex) static u_char * derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen, - BIGNUM *shared_secret) + const u_char *shared_secret, u_int slen) { Buffer b; - EVP_MD_CTX md; + struct ssh_digest_ctx *hashctx; char c = id; u_int have; - int mdsz; + size_t mdsz; u_char *digest; - if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0) - fatal("bad kex md size %d", mdsz); + if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) + fatal("bad kex md size %zu", mdsz); digest = xmalloc(roundup(need, mdsz)); buffer_init(&b); - buffer_put_bignum2(&b, shared_secret); + buffer_append(&b, shared_secret, slen); /* K1 = HASH(K || H || "A" || session_id) */ - EVP_DigestInit(&md, kex->evp_md); - if (!(datafellows & SSH_BUG_DERIVEKEY)) - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestUpdate(&md, hash, hashlen); - EVP_DigestUpdate(&md, &c, 1); - EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len); - EVP_DigestFinal(&md, digest, NULL); + if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL) + fatal("%s: ssh_digest_start failed", __func__); + if (ssh_digest_update_buffer(hashctx, &b) != 0 || + ssh_digest_update(hashctx, hash, hashlen) != 0 || + ssh_digest_update(hashctx, &c, 1) != 0 || + ssh_digest_update(hashctx, kex->session_id, + kex->session_id_len) != 0) + fatal("%s: ssh_digest_update failed", __func__); + if (ssh_digest_final(hashctx, digest, mdsz) != 0) + fatal("%s: ssh_digest_final failed", __func__); + ssh_digest_free(hashctx); /* * expand key: @@ -547,12 +595,15 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen, * Key = K1 || K2 || ... || Kn */ for (have = mdsz; need > have; have += mdsz) { - EVP_DigestInit(&md, kex->evp_md); - if (!(datafellows & SSH_BUG_DERIVEKEY)) - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestUpdate(&md, hash, hashlen); - EVP_DigestUpdate(&md, digest, have); - EVP_DigestFinal(&md, digest + have, NULL); + if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL) + fatal("%s: ssh_digest_start failed", __func__); + if (ssh_digest_update_buffer(hashctx, &b) != 0 || + ssh_digest_update(hashctx, hash, hashlen) != 0 || + ssh_digest_update(hashctx, digest, have) != 0) + fatal("%s: ssh_digest_update failed", __func__); + if (ssh_digest_final(hashctx, digest + have, mdsz) != 0) + fatal("%s: ssh_digest_final failed", __func__); + ssh_digest_free(hashctx); } buffer_free(&b); #ifdef DEBUG_KEX @@ -566,14 +617,15 @@ Newkeys *current_keys[MODE_MAX]; #define NKEYS 6 void -kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret) +kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, + const u_char *shared_secret, u_int slen) { u_char *keys[NKEYS]; u_int i, mode, ctos; for (i = 0; i < NKEYS; i++) { keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen, - shared_secret); + shared_secret, slen); } debug2("kex_derive_keys"); @@ -588,6 +640,18 @@ kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret) } } +void +kex_derive_keys_bn(Kex *kex, u_char *hash, u_int hashlen, const BIGNUM *secret) +{ + Buffer shared_secret; + + buffer_init(&shared_secret); + buffer_put_bignum2(&shared_secret, secret); + kex_derive_keys(kex, hash, hashlen, + buffer_ptr(&shared_secret), buffer_len(&shared_secret)); + buffer_free(&shared_secret); +} + Newkeys * kex_get_newkeys(int mode) { @@ -602,33 +666,33 @@ void derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, u_int8_t cookie[8], u_int8_t id[16]) { - const EVP_MD *evp_md = EVP_md5(); - EVP_MD_CTX md; - u_int8_t nbuf[2048], obuf[EVP_MAX_MD_SIZE]; + u_int8_t nbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH]; int len; + struct ssh_digest_ctx *hashctx; - EVP_DigestInit(&md, evp_md); + if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) + fatal("%s: ssh_digest_start", __func__); len = BN_num_bytes(host_modulus); if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) fatal("%s: bad host modulus (len %d)", __func__, len); BN_bn2bin(host_modulus, nbuf); - EVP_DigestUpdate(&md, nbuf, len); + if (ssh_digest_update(hashctx, nbuf, len) != 0) + fatal("%s: ssh_digest_update failed", __func__); len = BN_num_bytes(server_modulus); if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) fatal("%s: bad server modulus (len %d)", __func__, len); BN_bn2bin(server_modulus, nbuf); - EVP_DigestUpdate(&md, nbuf, len); - - EVP_DigestUpdate(&md, cookie, 8); - - EVP_DigestFinal(&md, obuf, NULL); - memcpy(id, obuf, 16); - - memset(nbuf, 0, sizeof(nbuf)); - memset(obuf, 0, sizeof(obuf)); - memset(&md, 0, sizeof(md)); + if (ssh_digest_update(hashctx, nbuf, len) != 0 || + ssh_digest_update(hashctx, cookie, 8) != 0) + fatal("%s: ssh_digest_update failed", __func__); + if (ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) + fatal("%s: ssh_digest_final failed", __func__); + memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); + + explicit_bzero(nbuf, sizeof(nbuf)); + explicit_bzero(obuf, sizeof(obuf)); } #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) diff --git a/crypto/openssh/kex.h b/crypto/openssh/kex.h index aa57e06d0..0d5c3627d 100644 --- a/crypto/openssh/kex.h +++ b/crypto/openssh/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.62 2014/01/27 18:58:14 markus Exp $ */ /* $FreeBSD$ */ /* @@ -41,8 +41,10 @@ #define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1" #define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256" #define KEX_RESUME "resume@appgate.com" -/* The following represents the family of ECDH methods */ -#define KEX_ECDH_SHA2_STEM "ecdh-sha2-" +#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256" +#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384" +#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521" +#define KEX_CURVE25519_SHA256 "curve25519-sha256@libssh.org" #define COMP_NONE 0 #define COMP_ZLIB 1 @@ -74,6 +76,7 @@ enum kex_exchange { KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA256, KEX_ECDH_SHA2, + KEX_C25519_SHA256, KEX_MAX }; @@ -87,7 +90,7 @@ typedef struct Newkeys Newkeys; struct Enc { char *name; - Cipher *cipher; + const Cipher *cipher; int enabled; u_int key_len; u_int iv_len; @@ -103,9 +106,8 @@ struct Mac { u_int key_len; int type; int etm; /* Encrypt-then-MAC */ - const EVP_MD *evp_md; - HMAC_CTX evp_ctx; - struct umac_ctx *umac_ctx; + struct ssh_hmac_ctx *hmac_ctx; + struct umac_ctx *umac_ctx; }; struct Comp { int type; @@ -122,6 +124,7 @@ struct Kex { u_int session_id_len; Newkeys *newkeys[MODE_MAX]; u_int we_need; + u_int dh_need; int server; char *name; int hostkey_type; @@ -131,17 +134,20 @@ struct Kex { Buffer peer; sig_atomic_t done; int flags; - const EVP_MD *evp_md; + int hash_alg; + int ec_nid; char *client_version_string; char *server_version_string; int (*verify_host_key)(Key *); Key *(*load_host_public_key)(int); Key *(*load_host_private_key)(int); int (*host_key_index)(Key *); + void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int); void (*kex[KEX_MAX])(Kex *); }; int kex_names_valid(const char *); +char *kex_alg_list(char); #ifdef NONE_CIPHER_ENABLED void kex_prop2buf(Buffer *, char *[PROPOSAL_MAX]); @@ -152,7 +158,8 @@ void kex_finish(Kex *); void kex_send_kexinit(Kex *); void kex_input_kexinit(int, u_int32_t, void *); -void kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *); +void kex_derive_keys(Kex *, u_char *, u_int, const u_char *, u_int); +void kex_derive_keys_bn(Kex *, u_char *, u_int, const BIGNUM *); Newkeys *kex_get_newkeys(int); @@ -162,25 +169,35 @@ void kexgex_client(Kex *); void kexgex_server(Kex *); void kexecdh_client(Kex *); void kexecdh_server(Kex *); +void kexc25519_client(Kex *); +void kexc25519_server(Kex *); void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); void -kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, +kexgex_hash(int, char *, char *, char *, int, char *, int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); #ifdef OPENSSL_HAS_ECC void -kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, +kex_ecdh_hash(int, const EC_GROUP *, char *, char *, char *, int, char *, int, u_char *, int, const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char **, u_int *); -int kex_ecdh_name_to_nid(const char *); -const EVP_MD *kex_ecdh_name_to_evpmd(const char *); -#else -# define kex_ecdh_name_to_nid(x) (-1) -# define kex_ecdh_name_to_evpmd(x) (NULL) #endif +void +kex_c25519_hash(int, char *, char *, char *, int, + char *, int, u_char *, int, const u_char *, const u_char *, + const u_char *, u_int, u_char **, u_int *); + +#define CURVE25519_SIZE 32 +void kexc25519_keygen(u_char[CURVE25519_SIZE], u_char[CURVE25519_SIZE]) + __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); +void kexc25519_shared_key(const u_char key[CURVE25519_SIZE], + const u_char pub[CURVE25519_SIZE], Buffer *out) + __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); void derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); diff --git a/crypto/openssh/kexc25519.c b/crypto/openssh/kexc25519.c new file mode 100644 index 000000000..ee79b4327 --- /dev/null +++ b/crypto/openssh/kexc25519.c @@ -0,0 +1,122 @@ +/* $OpenBSD: kexc25519.c,v 1.5 2014/01/31 16:39:19 tedu Exp $ */ +/* + * Copyright (c) 2001, 2013 Markus Friedl. All rights reserved. + * Copyright (c) 2010 Damien Miller. All rights reserved. + * Copyright (c) 2013 Aris Adamantiadis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#include + +#include +#include + +#include +#include + +#include "buffer.h" +#include "ssh2.h" +#include "key.h" +#include "cipher.h" +#include "kex.h" +#include "log.h" +#include "digest.h" + +extern int crypto_scalarmult_curve25519(u_char a[CURVE25519_SIZE], + const u_char b[CURVE25519_SIZE], const u_char c[CURVE25519_SIZE]) + __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 3, CURVE25519_SIZE))); + +void +kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE]) +{ + static const u_char basepoint[CURVE25519_SIZE] = {9}; + + arc4random_buf(key, CURVE25519_SIZE); + crypto_scalarmult_curve25519(pub, key, basepoint); +} + +void +kexc25519_shared_key(const u_char key[CURVE25519_SIZE], + const u_char pub[CURVE25519_SIZE], Buffer *out) +{ + u_char shared_key[CURVE25519_SIZE]; + + crypto_scalarmult_curve25519(shared_key, key, pub); +#ifdef DEBUG_KEXECDH + dump_digest("shared secret", shared_key, CURVE25519_SIZE); +#endif + buffer_clear(out); + buffer_put_bignum2_from_string(out, shared_key, CURVE25519_SIZE); + explicit_bzero(shared_key, CURVE25519_SIZE); +} + +void +kex_c25519_hash( + int hash_alg, + char *client_version_string, + char *server_version_string, + char *ckexinit, int ckexinitlen, + char *skexinit, int skexinitlen, + u_char *serverhostkeyblob, int sbloblen, + const u_char client_dh_pub[CURVE25519_SIZE], + const u_char server_dh_pub[CURVE25519_SIZE], + const u_char *shared_secret, u_int secretlen, + u_char **hash, u_int *hashlen) +{ + Buffer b; + static u_char digest[SSH_DIGEST_MAX_LENGTH]; + + buffer_init(&b); + buffer_put_cstring(&b, client_version_string); + buffer_put_cstring(&b, server_version_string); + + /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ + buffer_put_int(&b, ckexinitlen+1); + buffer_put_char(&b, SSH2_MSG_KEXINIT); + buffer_append(&b, ckexinit, ckexinitlen); + buffer_put_int(&b, skexinitlen+1); + buffer_put_char(&b, SSH2_MSG_KEXINIT); + buffer_append(&b, skexinit, skexinitlen); + + buffer_put_string(&b, serverhostkeyblob, sbloblen); + buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE); + buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE); + buffer_append(&b, shared_secret, secretlen); + +#ifdef DEBUG_KEX + buffer_dump(&b); +#endif + if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0) + fatal("%s: digest_buffer failed", __func__); + + buffer_free(&b); + +#ifdef DEBUG_KEX + dump_digest("hash", digest, ssh_digest_bytes(hash_alg)); +#endif + *hash = digest; + *hashlen = ssh_digest_bytes(hash_alg); +} diff --git a/crypto/openssh/kexc25519c.c b/crypto/openssh/kexc25519c.c new file mode 100644 index 000000000..a80678af6 --- /dev/null +++ b/crypto/openssh/kexc25519c.c @@ -0,0 +1,129 @@ +/* $OpenBSD: kexc25519c.c,v 1.4 2014/01/12 08:13:13 djm Exp $ */ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2010 Damien Miller. All rights reserved. + * Copyright (c) 2013 Aris Adamantiadis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#include + +#include +#include +#include + +#include "xmalloc.h" +#include "buffer.h" +#include "key.h" +#include "cipher.h" +#include "kex.h" +#include "log.h" +#include "packet.h" +#include "ssh2.h" + +void +kexc25519_client(Kex *kex) +{ + Key *server_host_key; + u_char client_key[CURVE25519_SIZE]; + u_char client_pubkey[CURVE25519_SIZE]; + u_char *server_pubkey = NULL; + u_char *server_host_key_blob = NULL, *signature = NULL; + u_char *hash; + u_int slen, sbloblen, hashlen; + Buffer shared_secret; + + kexc25519_keygen(client_key, client_pubkey); + + packet_start(SSH2_MSG_KEX_ECDH_INIT); + packet_put_string(client_pubkey, sizeof(client_pubkey)); + packet_send(); + debug("sending SSH2_MSG_KEX_ECDH_INIT"); + +#ifdef DEBUG_KEXECDH + dump_digest("client private key:", client_key, sizeof(client_key)); +#endif + + debug("expecting SSH2_MSG_KEX_ECDH_REPLY"); + packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY); + + /* hostkey */ + server_host_key_blob = packet_get_string(&sbloblen); + server_host_key = key_from_blob(server_host_key_blob, sbloblen); + if (server_host_key == NULL) + fatal("cannot decode server_host_key_blob"); + if (server_host_key->type != kex->hostkey_type) + fatal("type mismatch for decoded server_host_key_blob"); + if (kex->verify_host_key == NULL) + fatal("cannot verify server_host_key"); + if (kex->verify_host_key(server_host_key) == -1) + fatal("server_host_key verification failed"); + + /* Q_S, server public key */ + server_pubkey = packet_get_string(&slen); + if (slen != CURVE25519_SIZE) + fatal("Incorrect size for server Curve25519 pubkey: %d", slen); + +#ifdef DEBUG_KEXECDH + dump_digest("server public key:", server_pubkey, CURVE25519_SIZE); +#endif + + /* signed H */ + signature = packet_get_string(&slen); + packet_check_eom(); + + buffer_init(&shared_secret); + kexc25519_shared_key(client_key, server_pubkey, &shared_secret); + + /* calc and verify H */ + kex_c25519_hash( + kex->hash_alg, + kex->client_version_string, + kex->server_version_string, + buffer_ptr(&kex->my), buffer_len(&kex->my), + buffer_ptr(&kex->peer), buffer_len(&kex->peer), + server_host_key_blob, sbloblen, + client_pubkey, + server_pubkey, + buffer_ptr(&shared_secret), buffer_len(&shared_secret), + &hash, &hashlen + ); + free(server_host_key_blob); + free(server_pubkey); + if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) + fatal("key_verify failed for server_host_key"); + key_free(server_host_key); + free(signature); + + /* save session id */ + if (kex->session_id == NULL) { + kex->session_id_len = hashlen; + kex->session_id = xmalloc(kex->session_id_len); + memcpy(kex->session_id, hash, kex->session_id_len); + } + kex_derive_keys(kex, hash, hashlen, + buffer_ptr(&shared_secret), buffer_len(&shared_secret)); + buffer_free(&shared_secret); + kex_finish(kex); +} diff --git a/crypto/openssh/kexc25519s.c b/crypto/openssh/kexc25519s.c new file mode 100644 index 000000000..2b8e8efa1 --- /dev/null +++ b/crypto/openssh/kexc25519s.c @@ -0,0 +1,126 @@ +/* $OpenBSD: kexc25519s.c,v 1.4 2014/01/12 08:13:13 djm Exp $ */ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2010 Damien Miller. All rights reserved. + * Copyright (c) 2013 Aris Adamantiadis. All rights reserved. + * + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#include +#include +#include + +#include "xmalloc.h" +#include "buffer.h" +#include "key.h" +#include "cipher.h" +#include "kex.h" +#include "log.h" +#include "packet.h" +#include "ssh2.h" + +void +kexc25519_server(Kex *kex) +{ + Key *server_host_private, *server_host_public; + u_char *server_host_key_blob = NULL, *signature = NULL; + u_char server_key[CURVE25519_SIZE]; + u_char *client_pubkey = NULL; + u_char server_pubkey[CURVE25519_SIZE]; + u_char *hash; + u_int slen, sbloblen, hashlen; + Buffer shared_secret; + + /* generate private key */ + kexc25519_keygen(server_key, server_pubkey); +#ifdef DEBUG_KEXECDH + dump_digest("server private key:", server_key, sizeof(server_key)); +#endif + + if (kex->load_host_public_key == NULL || + kex->load_host_private_key == NULL) + fatal("Cannot load hostkey"); + server_host_public = kex->load_host_public_key(kex->hostkey_type); + if (server_host_public == NULL) + fatal("Unsupported hostkey type %d", kex->hostkey_type); + server_host_private = kex->load_host_private_key(kex->hostkey_type); + + debug("expecting SSH2_MSG_KEX_ECDH_INIT"); + packet_read_expect(SSH2_MSG_KEX_ECDH_INIT); + client_pubkey = packet_get_string(&slen); + if (slen != CURVE25519_SIZE) + fatal("Incorrect size for server Curve25519 pubkey: %d", slen); + packet_check_eom(); + +#ifdef DEBUG_KEXECDH + dump_digest("client public key:", client_pubkey, CURVE25519_SIZE); +#endif + + buffer_init(&shared_secret); + kexc25519_shared_key(server_key, client_pubkey, &shared_secret); + + /* calc H */ + key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); + kex_c25519_hash( + kex->hash_alg, + kex->client_version_string, + kex->server_version_string, + buffer_ptr(&kex->peer), buffer_len(&kex->peer), + buffer_ptr(&kex->my), buffer_len(&kex->my), + server_host_key_blob, sbloblen, + client_pubkey, + server_pubkey, + buffer_ptr(&shared_secret), buffer_len(&shared_secret), + &hash, &hashlen + ); + + /* save session id := H */ + if (kex->session_id == NULL) { + kex->session_id_len = hashlen; + kex->session_id = xmalloc(kex->session_id_len); + memcpy(kex->session_id, hash, kex->session_id_len); + } + + /* sign H */ + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); + + /* destroy_sensitive_data(); */ + + /* send server hostkey, ECDH pubkey 'Q_S' and signed H */ + packet_start(SSH2_MSG_KEX_ECDH_REPLY); + packet_put_string(server_host_key_blob, sbloblen); + packet_put_string(server_pubkey, sizeof(server_pubkey)); + packet_put_string(signature, slen); + packet_send(); + + free(signature); + free(server_host_key_blob); + /* have keys, free server key */ + free(client_pubkey); + + kex_derive_keys(kex, hash, hashlen, + buffer_ptr(&shared_secret), buffer_len(&shared_secret)); + buffer_free(&shared_secret); + kex_finish(kex); +} diff --git a/crypto/openssh/kexdh.c b/crypto/openssh/kexdh.c index 56e22f5bc..e7cdadc90 100644 --- a/crypto/openssh/kexdh.c +++ b/crypto/openssh/kexdh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdh.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: kexdh.c,v 1.24 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -36,6 +36,8 @@ #include "key.h" #include "cipher.h" #include "kex.h" +#include "digest.h" +#include "log.h" void kex_dh_hash( @@ -50,9 +52,7 @@ kex_dh_hash( u_char **hash, u_int *hashlen) { Buffer b; - static u_char digest[EVP_MAX_MD_SIZE]; - const EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; + static u_char digest[SSH_DIGEST_MAX_LENGTH]; buffer_init(&b); buffer_put_cstring(&b, client_version_string); @@ -74,15 +74,14 @@ kex_dh_hash( #ifdef DEBUG_KEX buffer_dump(&b); #endif - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, digest, sizeof(digest)) != 0) + fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); #ifdef DEBUG_KEX - dump_digest("hash", digest, EVP_MD_size(evp_md)); + dump_digest("hash", digest, ssh_digest_bytes(SSH_DIGEST_SHA1)); #endif *hash = digest; - *hashlen = EVP_MD_size(evp_md); + *hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1); } diff --git a/crypto/openssh/kexdhc.c b/crypto/openssh/kexdhc.c index 76ceb5dd8..f7a19fc13 100644 --- a/crypto/openssh/kexdhc.c +++ b/crypto/openssh/kexdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexdhc.c,v 1.15 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -124,8 +124,8 @@ kexdh_client(Kex *kex) fatal("kexdh_client: BN_new failed"); if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexdh_client: BN_bin2bn failed"); - memset(kbuf, 0, klen); - xfree(kbuf); + explicit_bzero(kbuf, klen); + free(kbuf); /* calc and verify H */ kex_dh_hash( @@ -139,14 +139,14 @@ kexdh_client(Kex *kex) shared_secret, &hash, &hashlen ); - xfree(server_host_key_blob); + free(server_host_key_blob); BN_clear_free(dh_server_pub); DH_free(dh); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); - xfree(signature); + free(signature); /* save session id */ if (kex->session_id == NULL) { @@ -155,7 +155,7 @@ kexdh_client(Kex *kex) memcpy(kex->session_id, hash, kex->session_id_len); } - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/crypto/openssh/kexdhs.c b/crypto/openssh/kexdhs.c index f56e88764..c3011f741 100644 --- a/crypto/openssh/kexdhs.c +++ b/crypto/openssh/kexdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhs.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.18 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -42,10 +42,6 @@ #include "packet.h" #include "dh.h" #include "ssh2.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" void kexdh_server(Kex *kex) @@ -80,9 +76,6 @@ kexdh_server(Kex *kex) if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); - if (server_host_private == NULL) - fatal("Missing private key for hostkey type %d", - kex->hostkey_type); /* key, cert */ if ((dh_client_pub = BN_new()) == NULL) @@ -117,8 +110,8 @@ kexdh_server(Kex *kex) fatal("kexdh_server: BN_new failed"); if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexdh_server: BN_bin2bn failed"); - memset(kbuf, 0, klen); - xfree(kbuf); + explicit_bzero(kbuf, klen); + free(kbuf); key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); @@ -144,9 +137,8 @@ kexdh_server(Kex *kex) } /* sign H */ - if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash, - hashlen)) < 0) - fatal("kexdh_server: key_sign failed"); + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ @@ -157,12 +149,12 @@ kexdh_server(Kex *kex) packet_put_string(signature, slen); packet_send(); - xfree(signature); - xfree(server_host_key_blob); + free(signature); + free(server_host_key_blob); /* have keys, free DH */ DH_free(dh); - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/crypto/openssh/kexecdh.c b/crypto/openssh/kexecdh.c index f13f69d3b..c52c5e234 100644 --- a/crypto/openssh/kexecdh.c +++ b/crypto/openssh/kexecdh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdh.c,v 1.3 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kexecdh.c,v 1.5 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -44,28 +44,11 @@ #include "cipher.h" #include "kex.h" #include "log.h" - -int -kex_ecdh_name_to_nid(const char *kexname) -{ - if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1) - fatal("%s: kexname too short \"%s\"", __func__, kexname); - return key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1); -} - -const EVP_MD * -kex_ecdh_name_to_evpmd(const char *kexname) -{ - int nid = kex_ecdh_name_to_nid(kexname); - - if (nid == -1) - fatal("%s: unsupported ECDH curve \"%s\"", __func__, kexname); - return key_ec_nid_to_evpmd(nid); -} +#include "digest.h" void kex_ecdh_hash( - const EVP_MD *evp_md, + int hash_alg, const EC_GROUP *ec_group, char *client_version_string, char *server_version_string, @@ -78,8 +61,7 @@ kex_ecdh_hash( u_char **hash, u_int *hashlen) { Buffer b; - EVP_MD_CTX md; - static u_char digest[EVP_MAX_MD_SIZE]; + static u_char digest[SSH_DIGEST_MAX_LENGTH]; buffer_init(&b); buffer_put_cstring(&b, client_version_string); @@ -101,17 +83,15 @@ kex_ecdh_hash( #ifdef DEBUG_KEX buffer_dump(&b); #endif - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0) + fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); #ifdef DEBUG_KEX - dump_digest("hash", digest, EVP_MD_size(evp_md)); + dump_digest("hash", digest, ssh_digest_bytes(hash_alg)); #endif *hash = digest; - *hashlen = EVP_MD_size(evp_md); + *hashlen = ssh_digest_bytes(hash_alg); } - #endif /* OPENSSL_HAS_ECC */ diff --git a/crypto/openssh/kexecdhc.c b/crypto/openssh/kexecdhc.c index 115d4bf83..2f7629cca 100644 --- a/crypto/openssh/kexecdhc.c +++ b/crypto/openssh/kexecdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhc.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kexecdhc.c,v 1.7 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -57,11 +57,8 @@ kexecdh_client(Kex *kex) u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; u_int klen, slen, sbloblen, hashlen; - int curve_nid; - if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) - fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); - if ((client_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) + if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(client_key) != 1) fatal("%s: EC_KEY_generate_key failed", __func__); @@ -122,12 +119,12 @@ kexecdh_client(Kex *kex) fatal("%s: BN_new failed", __func__); if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) fatal("%s: BN_bin2bn failed", __func__); - memset(kbuf, 0, klen); - xfree(kbuf); + explicit_bzero(kbuf, klen); + free(kbuf); /* calc and verify H */ kex_ecdh_hash( - kex->evp_md, + kex->hash_alg, group, kex->client_version_string, kex->server_version_string, @@ -139,14 +136,14 @@ kexecdh_client(Kex *kex) shared_secret, &hash, &hashlen ); - xfree(server_host_key_blob); + free(server_host_key_blob); EC_POINT_clear_free(server_public); EC_KEY_free(client_key); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); - xfree(signature); + free(signature); /* save session id */ if (kex->session_id == NULL) { @@ -155,7 +152,7 @@ kexecdh_client(Kex *kex) memcpy(kex->session_id, hash, kex->session_id_len); } - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/crypto/openssh/kexecdhs.c b/crypto/openssh/kexecdhs.c index 8c515dfa6..2700b7219 100644 --- a/crypto/openssh/kexecdhs.c +++ b/crypto/openssh/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.10 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -37,12 +37,7 @@ #include "kex.h" #include "log.h" #include "packet.h" -#include "dh.h" #include "ssh2.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" #ifdef OPENSSL_HAS_ECC @@ -59,11 +54,8 @@ kexecdh_server(Kex *kex) u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; u_int klen, slen, sbloblen, hashlen; - int curve_nid; - if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) - fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); - if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) + if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(server_key) != 1) fatal("%s: EC_KEY_generate_key failed", __func__); @@ -81,9 +73,6 @@ kexecdh_server(Kex *kex) if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); - if (server_host_private == NULL) - fatal("Missing private key for hostkey type %d", - kex->hostkey_type); debug("expecting SSH2_MSG_KEX_ECDH_INIT"); packet_read_expect(SSH2_MSG_KEX_ECDH_INIT); @@ -114,13 +103,13 @@ kexecdh_server(Kex *kex) fatal("%s: BN_new failed", __func__); if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) fatal("%s: BN_bin2bn failed", __func__); - memset(kbuf, 0, klen); - xfree(kbuf); + explicit_bzero(kbuf, klen); + free(kbuf); /* calc H */ key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); kex_ecdh_hash( - kex->evp_md, + kex->hash_alg, group, kex->client_version_string, kex->server_version_string, @@ -142,9 +131,8 @@ kexecdh_server(Kex *kex) } /* sign H */ - if (PRIVSEP(key_sign(server_host_private, &signature, &slen, - hash, hashlen)) < 0) - fatal("kexdh_server: key_sign failed"); + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ @@ -155,12 +143,12 @@ kexecdh_server(Kex *kex) packet_put_string(signature, slen); packet_send(); - xfree(signature); - xfree(server_host_key_blob); + free(signature); + free(server_host_key_blob); /* have keys, free server key */ EC_KEY_free(server_key); - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/crypto/openssh/kexgex.c b/crypto/openssh/kexgex.c index b60ab5c53..c2e6bc16d 100644 --- a/crypto/openssh/kexgex.c +++ b/crypto/openssh/kexgex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgex.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: kexgex.c,v 1.28 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -36,10 +36,12 @@ #include "cipher.h" #include "kex.h" #include "ssh2.h" +#include "digest.h" +#include "log.h" void kexgex_hash( - const EVP_MD *evp_md, + int hash_alg, char *client_version_string, char *server_version_string, char *ckexinit, int ckexinitlen, @@ -52,8 +54,7 @@ kexgex_hash( u_char **hash, u_int *hashlen) { Buffer b; - static u_char digest[EVP_MAX_MD_SIZE]; - EVP_MD_CTX md; + static u_char digest[SSH_DIGEST_MAX_LENGTH]; buffer_init(&b); buffer_put_cstring(&b, client_version_string); @@ -84,15 +85,14 @@ kexgex_hash( #ifdef DEBUG_KEXDH buffer_dump(&b); #endif - - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0) + fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); - *hash = digest; - *hashlen = EVP_MD_size(evp_md); -#ifdef DEBUG_KEXDH - dump_digest("hash", digest, *hashlen); + +#ifdef DEBUG_KEX + dump_digest("hash", digest, ssh_digest_bytes(hash_alg)); #endif + *hash = digest; + *hashlen = ssh_digest_bytes(hash_alg); } diff --git a/crypto/openssh/kexgexc.c b/crypto/openssh/kexgexc.c index 79552d709..355b7ba31 100644 --- a/crypto/openssh/kexgexc.c +++ b/crypto/openssh/kexgexc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexgexc.c,v 1.17 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -58,7 +58,7 @@ kexgex_client(Kex *kex) int min, max, nbits; DH *dh; - nbits = dh_estimate(kex->we_need * 8); + nbits = dh_estimate(kex->dh_need * 8); if (datafellows & SSH_OLD_DHGEX) { /* Old GEX request */ @@ -162,15 +162,15 @@ kexgex_client(Kex *kex) fatal("kexgex_client: BN_new failed"); if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexgex_client: BN_bin2bn failed"); - memset(kbuf, 0, klen); - xfree(kbuf); + explicit_bzero(kbuf, klen); + free(kbuf); if (datafellows & SSH_OLD_DHGEX) min = max = -1; /* calc and verify H */ kexgex_hash( - kex->evp_md, + kex->hash_alg, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->my), buffer_len(&kex->my), @@ -186,13 +186,13 @@ kexgex_client(Kex *kex) /* have keys, free DH */ DH_free(dh); - xfree(server_host_key_blob); + free(server_host_key_blob); BN_clear_free(dh_server_pub); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); - xfree(signature); + free(signature); /* save session id */ if (kex->session_id == NULL) { @@ -200,7 +200,7 @@ kexgex_client(Kex *kex) kex->session_id = xmalloc(kex->session_id_len); memcpy(kex->session_id, hash, kex->session_id_len); } - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); diff --git a/crypto/openssh/kexgexs.c b/crypto/openssh/kexgexs.c index a5e3df7bc..770ad28a8 100644 --- a/crypto/openssh/kexgexs.c +++ b/crypto/openssh/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.14 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.19 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -68,10 +68,6 @@ kexgex_server(Kex *kex) if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); - if (server_host_private == NULL) - fatal("Missing private key for hostkey type %d", - kex->hostkey_type); - type = packet_read(); switch (type) { @@ -154,8 +150,8 @@ kexgex_server(Kex *kex) fatal("kexgex_server: BN_new failed"); if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexgex_server: BN_bin2bn failed"); - memset(kbuf, 0, klen); - xfree(kbuf); + explicit_bzero(kbuf, klen); + free(kbuf); key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); @@ -164,7 +160,7 @@ kexgex_server(Kex *kex) /* calc H */ kexgex_hash( - kex->evp_md, + kex->hash_alg, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->peer), buffer_len(&kex->peer), @@ -187,9 +183,8 @@ kexgex_server(Kex *kex) } /* sign H */ - if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash, - hashlen)) < 0) - fatal("kexgex_server: key_sign failed"); + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ @@ -201,12 +196,12 @@ kexgex_server(Kex *kex) packet_put_string(signature, slen); packet_send(); - xfree(signature); - xfree(server_host_key_blob); + free(signature); + free(server_host_key_blob); /* have keys, free DH */ DH_free(dh); - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); diff --git a/crypto/openssh/key.c b/crypto/openssh/key.c index 4cc5c5d35..168e1b7d7 100644 --- a/crypto/openssh/key.c +++ b/crypto/openssh/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */ +/* $OpenBSD: key.c,v 1.116 2014/02/02 03:44:31 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -39,6 +39,8 @@ #include #include +#include "crypto_api.h" + #include #include @@ -54,8 +56,10 @@ #include "log.h" #include "misc.h" #include "ssh2.h" +#include "digest.h" static int to_blob(const Key *, u_char **, u_int *, int); +static Key *key_from_blob2(const u_char *, u_int, int); static struct KeyCert * cert_new(void) @@ -85,6 +89,8 @@ key_new(int type) k->dsa = NULL; k->rsa = NULL; k->cert = NULL; + k->ed25519_sk = NULL; + k->ed25519_pk = NULL; switch (k->type) { case KEY_RSA1: case KEY_RSA: @@ -119,6 +125,10 @@ key_new(int type) /* Cannot do anything until we know the group */ break; #endif + case KEY_ED25519: + case KEY_ED25519_CERT: + /* no need to prealloc */ + break; case KEY_UNSPEC: break; default: @@ -163,6 +173,10 @@ key_add_private(Key *k) case KEY_ECDSA_CERT: /* Cannot do anything until we know the group */ break; + case KEY_ED25519: + case KEY_ED25519_CERT: + /* no need to prealloc */ + break; case KEY_UNSPEC: break; default: @@ -187,14 +201,13 @@ cert_free(struct KeyCert *cert) buffer_free(&cert->certblob); buffer_free(&cert->critical); buffer_free(&cert->extensions); - if (cert->key_id != NULL) - xfree(cert->key_id); + free(cert->key_id); for (i = 0; i < cert->nprincipals; i++) - xfree(cert->principals[i]); - if (cert->principals != NULL) - xfree(cert->principals); + free(cert->principals[i]); + free(cert->principals); if (cert->signature_key != NULL) key_free(cert->signature_key); + free(cert); } void @@ -226,6 +239,19 @@ key_free(Key *k) k->ecdsa = NULL; break; #endif + case KEY_ED25519: + case KEY_ED25519_CERT: + if (k->ed25519_pk) { + explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); + free(k->ed25519_pk); + k->ed25519_pk = NULL; + } + if (k->ed25519_sk) { + explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); + free(k->ed25519_sk); + k->ed25519_sk = NULL; + } + break; case KEY_UNSPEC: break; default: @@ -238,7 +264,7 @@ key_free(Key *k) k->cert = NULL; } - xfree(k); + free(k); } static int @@ -307,6 +333,10 @@ key_equal_public(const Key *a, const Key *b) BN_CTX_free(bnctx); return 1; #endif /* OPENSSL_HAS_ECC */ + case KEY_ED25519: + case KEY_ED25519_CERT: + return a->ed25519_pk != NULL && b->ed25519_pk != NULL && + memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; default: fatal("key_equal: bad key type %d", a->type); } @@ -329,30 +359,26 @@ u_char* key_fingerprint_raw(const Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) { - const EVP_MD *md = NULL; - EVP_MD_CTX ctx; u_char *blob = NULL; u_char *retval = NULL; u_int len = 0; - int nlen, elen; + int nlen, elen, hash_alg = -1; *dgst_raw_length = 0; + /* XXX switch to DIGEST_* directly? */ switch (dgst_type) { case SSH_FP_MD5: - md = EVP_md5(); + hash_alg = SSH_DIGEST_MD5; break; case SSH_FP_SHA1: - md = EVP_sha1(); + hash_alg = SSH_DIGEST_SHA1; break; -#ifdef HAVE_EVP_SHA256 case SSH_FP_SHA256: - md = EVP_sha256(); + hash_alg = SSH_DIGEST_SHA256; break; -#endif default: - fatal("key_fingerprint_raw: bad digest type %d", - dgst_type); + fatal("%s: bad digest type %d", __func__, dgst_type); } switch (k->type) { case KEY_RSA1: @@ -366,6 +392,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, case KEY_DSA: case KEY_ECDSA: case KEY_RSA: + case KEY_ED25519: key_to_blob(k, &blob, &len); break; case KEY_DSA_CERT_V00: @@ -373,24 +400,26 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, case KEY_DSA_CERT: case KEY_ECDSA_CERT: case KEY_RSA_CERT: + case KEY_ED25519_CERT: /* We want a fingerprint of the _key_ not of the cert */ to_blob(k, &blob, &len, 1); break; case KEY_UNSPEC: return retval; default: - fatal("key_fingerprint_raw: bad key type %d", k->type); + fatal("%s: bad key type %d", __func__, k->type); break; } if (blob != NULL) { - retval = xmalloc(EVP_MAX_MD_SIZE); - EVP_DigestInit(&ctx, md); - EVP_DigestUpdate(&ctx, blob, len); - EVP_DigestFinal(&ctx, retval, dgst_raw_length); - memset(blob, 0, len); - xfree(blob); + retval = xmalloc(SSH_DIGEST_MAX_LENGTH); + if ((ssh_digest_memory(hash_alg, blob, len, + retval, SSH_DIGEST_MAX_LENGTH)) != 0) + fatal("%s: digest_memory failed", __func__); + explicit_bzero(blob, len); + free(blob); + *dgst_raw_length = ssh_digest_bytes(hash_alg); } else { - fatal("key_fingerprint_raw: blob is null"); + fatal("%s: blob is null", __func__); } return retval; } @@ -570,7 +599,7 @@ key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k) } char * -key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) +key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) { char *retval = NULL; u_char *dgst_raw; @@ -594,8 +623,8 @@ key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) dgst_rep); break; } - memset(dgst_raw, 0, dgst_raw_len); - xfree(dgst_raw); + explicit_bzero(dgst_raw, dgst_raw_len); + free(dgst_raw); return retval; } @@ -699,11 +728,13 @@ key_read(Key *ret, char **cpp) case KEY_RSA: case KEY_DSA: case KEY_ECDSA: + case KEY_ED25519: case KEY_DSA_CERT_V00: case KEY_RSA_CERT_V00: case KEY_DSA_CERT: case KEY_ECDSA_CERT: case KEY_RSA_CERT: + case KEY_ED25519_CERT: space = strchr(cp, ' '); if (space == NULL) { debug3("key_read: missing whitespace"); @@ -740,11 +771,11 @@ key_read(Key *ret, char **cpp) n = uudecode(cp, blob, len); if (n < 0) { error("key_read: uudecode %s failed", cp); - xfree(blob); + free(blob); return -1; } k = key_from_blob(blob, (u_int)n); - xfree(blob); + free(blob); if (k == NULL) { error("key_read: key_from_blob %s failed", cp); return -1; @@ -805,6 +836,14 @@ key_read(Key *ret, char **cpp) #endif } #endif + if (key_type_plain(ret->type) == KEY_ED25519) { + free(ret->ed25519_pk); + ret->ed25519_pk = k->ed25519_pk; + k->ed25519_pk = NULL; +#ifdef DEBUG_PK + /* XXX */ +#endif + } success = 1; /*XXXX*/ key_free(k); @@ -868,6 +907,11 @@ key_write(const Key *key, FILE *f) return 0; break; #endif + case KEY_ED25519: + case KEY_ED25519_CERT: + if (key->ed25519_pk == NULL) + return 0; + break; case KEY_RSA: case KEY_RSA_CERT_V00: case KEY_RSA_CERT: @@ -885,42 +929,12 @@ key_write(const Key *key, FILE *f) fprintf(f, "%s %s", key_ssh_name(key), uu); success = 1; } - xfree(blob); - xfree(uu); + free(blob); + free(uu); return success; } -const char * -key_type(const Key *k) -{ - switch (k->type) { - case KEY_RSA1: - return "RSA1"; - case KEY_RSA: - return "RSA"; - case KEY_DSA: - return "DSA"; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - return "ECDSA"; -#endif - case KEY_RSA_CERT_V00: - return "RSA-CERT-V00"; - case KEY_DSA_CERT_V00: - return "DSA-CERT-V00"; - case KEY_RSA_CERT: - return "RSA-CERT"; - case KEY_DSA_CERT: - return "DSA-CERT"; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA_CERT: - return "ECDSA-CERT"; -#endif - } - return "unknown"; -} - const char * key_cert_type(const Key *k) { @@ -934,48 +948,66 @@ key_cert_type(const Key *k) } } +struct keytype { + char *name; + char *shortname; + int type; + int nid; + int cert; +}; +static const struct keytype keytypes[] = { + { NULL, "RSA1", KEY_RSA1, 0, 0 }, + { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, + { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, + { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, +#ifdef OPENSSL_HAS_ECC + { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, + { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, +# ifdef OPENSSL_HAS_NISTP521 + { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, +# endif +#endif /* OPENSSL_HAS_ECC */ + { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, + { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, +#ifdef OPENSSL_HAS_ECC + { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", + KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, + { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", + KEY_ECDSA_CERT, NID_secp384r1, 1 }, +# ifdef OPENSSL_HAS_NISTP521 + { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", + KEY_ECDSA_CERT, NID_secp521r1, 1 }, +# endif +#endif /* OPENSSL_HAS_ECC */ + { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", + KEY_RSA_CERT_V00, 0, 1 }, + { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", + KEY_DSA_CERT_V00, 0, 1 }, + { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", + KEY_ED25519_CERT, 0, 1 }, + { NULL, NULL, -1, -1, 0 } +}; + +const char * +key_type(const Key *k) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type == k->type) + return kt->shortname; + } + return "unknown"; +} + static const char * key_ssh_name_from_type_nid(int type, int nid) { - switch (type) { - case KEY_RSA: - return "ssh-rsa"; - case KEY_DSA: - return "ssh-dss"; - case KEY_RSA_CERT_V00: - return "ssh-rsa-cert-v00@openssh.com"; - case KEY_DSA_CERT_V00: - return "ssh-dss-cert-v00@openssh.com"; - case KEY_RSA_CERT: - return "ssh-rsa-cert-v01@openssh.com"; - case KEY_DSA_CERT: - return "ssh-dss-cert-v01@openssh.com"; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - switch (nid) { - case NID_X9_62_prime256v1: - return "ecdsa-sha2-nistp256"; - case NID_secp384r1: - return "ecdsa-sha2-nistp384"; - case NID_secp521r1: - return "ecdsa-sha2-nistp521"; - default: - break; - } - break; - case KEY_ECDSA_CERT: - switch (nid) { - case NID_X9_62_prime256v1: - return "ecdsa-sha2-nistp256-cert-v01@openssh.com"; - case NID_secp384r1: - return "ecdsa-sha2-nistp384-cert-v01@openssh.com"; - case NID_secp521r1: - return "ecdsa-sha2-nistp521-cert-v01@openssh.com"; - default: - break; - } - break; -#endif /* OPENSSL_HAS_ECC */ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) + return kt->name; } return "ssh-unknown"; } @@ -993,6 +1025,84 @@ key_ssh_name_plain(const Key *k) k->ecdsa_nid); } +int +key_type_from_name(char *name) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + /* Only allow shortname matches for plain key types */ + if ((kt->name != NULL && strcmp(name, kt->name) == 0) || + (!kt->cert && strcasecmp(kt->shortname, name) == 0)) + return kt->type; + } + debug2("key_type_from_name: unknown key type '%s'", name); + return KEY_UNSPEC; +} + +int +key_ecdsa_nid_from_name(const char *name) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) + continue; + if (kt->name != NULL && strcmp(name, kt->name) == 0) + return kt->nid; + } + debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); + return -1; +} + +char * +key_alg_list(int certs_only, int plain_only) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->name == NULL) + continue; + if ((certs_only && !kt->cert) || (plain_only && kt->cert)) + continue; + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(kt->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, kt->name, nlen + 1); + rlen += nlen; + } + return ret; +} + +int +key_type_is_cert(int type) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type == type) + return kt->cert; + } + return 0; +} + +static int +key_type_is_valid_ca(int type) +{ + switch (type) { + case KEY_RSA: + case KEY_DSA: + case KEY_ECDSA: + case KEY_ED25519: + return 1; + default: + return 0; + } +} + u_int key_size(const Key *k) { @@ -1006,6 +1116,8 @@ key_size(const Key *k) case KEY_DSA_CERT_V00: case KEY_DSA_CERT: return BN_num_bits(k->dsa->p); + case KEY_ED25519: + return 256; /* XXX */ #ifdef OPENSSL_HAS_ECC case KEY_ECDSA: case KEY_ECDSA_CERT: @@ -1057,8 +1169,10 @@ key_ecdsa_bits_to_nid(int bits) return NID_X9_62_prime256v1; case 384: return NID_secp384r1; +# ifdef OPENSSL_HAS_NISTP521 case 521: return NID_secp521r1; +# endif #endif default: return -1; @@ -1073,7 +1187,9 @@ key_ecdsa_key_to_nid(EC_KEY *k) int nids[] = { NID_X9_62_prime256v1, NID_secp384r1, +# ifdef OPENSSL_HAS_NISTP521 NID_secp521r1, +# endif -1 }; int nid; @@ -1145,6 +1261,11 @@ key_generate(int type, u_int bits) case KEY_RSA1: k->rsa = rsa_generate_private_key(bits); break; + case KEY_ED25519: + k->ed25519_pk = xmalloc(ED25519_PK_SZ); + k->ed25519_sk = xmalloc(ED25519_SK_SZ); + crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); + break; case KEY_RSA_CERT_V00: case KEY_DSA_CERT_V00: case KEY_RSA_CERT: @@ -1238,6 +1359,14 @@ key_from_private(const Key *k) (BN_copy(n->rsa->e, k->rsa->e) == NULL)) fatal("key_from_private: BN_copy failed"); break; + case KEY_ED25519: + case KEY_ED25519_CERT: + n = key_new(k->type); + if (k->ed25519_pk != NULL) { + n->ed25519_pk = xmalloc(ED25519_PK_SZ); + memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); + } + break; default: fatal("key_from_private: unknown type %d", k->type); break; @@ -1247,65 +1376,6 @@ key_from_private(const Key *k) return n; } -int -key_type_from_name(char *name) -{ - if (strcmp(name, "rsa1") == 0) { - return KEY_RSA1; - } else if (strcmp(name, "rsa") == 0) { - return KEY_RSA; - } else if (strcmp(name, "dsa") == 0) { - return KEY_DSA; - } else if (strcmp(name, "ssh-rsa") == 0) { - return KEY_RSA; - } else if (strcmp(name, "ssh-dss") == 0) { - return KEY_DSA; -#ifdef OPENSSL_HAS_ECC - } else if (strcmp(name, "ecdsa") == 0 || - strcmp(name, "ecdsa-sha2-nistp256") == 0 || - strcmp(name, "ecdsa-sha2-nistp384") == 0 || - strcmp(name, "ecdsa-sha2-nistp521") == 0) { - return KEY_ECDSA; -#endif - } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) { - return KEY_RSA_CERT_V00; - } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { - return KEY_DSA_CERT_V00; - } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) { - return KEY_RSA_CERT; - } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { - return KEY_DSA_CERT; -#ifdef OPENSSL_HAS_ECC - } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 || - strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 || - strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { - return KEY_ECDSA_CERT; -#endif - } - - debug2("key_type_from_name: unknown key type '%s'", name); - return KEY_UNSPEC; -} - -int -key_ecdsa_nid_from_name(const char *name) -{ -#ifdef OPENSSL_HAS_ECC - if (strcmp(name, "ecdsa-sha2-nistp256") == 0 || - strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0) - return NID_X9_62_prime256v1; - if (strcmp(name, "ecdsa-sha2-nistp384") == 0 || - strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0) - return NID_secp384r1; - if (strcmp(name, "ecdsa-sha2-nistp521") == 0 || - strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) - return NID_secp521r1; -#endif /* OPENSSL_HAS_ECC */ - - debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); - return -1; -} - int key_names_valid2(const char *names) { @@ -1319,12 +1389,12 @@ key_names_valid2(const char *names) switch (key_type_from_name(p)) { case KEY_RSA1: case KEY_UNSPEC: - xfree(s); + free(s); return 0; } } debug3("key names ok: [%s]", names); - xfree(s); + free(s); return 1; } @@ -1416,14 +1486,12 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) } buffer_clear(&tmp); - if ((key->cert->signature_key = key_from_blob(sig_key, - sklen)) == NULL) { + if ((key->cert->signature_key = key_from_blob2(sig_key, sklen, 0)) + == NULL) { error("%s: Signature key invalid", __func__); goto out; } - if (key->cert->signature_key->type != KEY_RSA && - key->cert->signature_key->type != KEY_DSA && - key->cert->signature_key->type != KEY_ECDSA) { + if (!key_type_is_valid_ca(key->cert->signature_key->type)) { error("%s: Invalid signature key type %s (%d)", __func__, key_type(key->cert->signature_key), key->cert->signature_key->type); @@ -1446,25 +1514,22 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) out: buffer_free(&tmp); - if (principals != NULL) - xfree(principals); - if (critical != NULL) - xfree(critical); - if (exts != NULL) - xfree(exts); - if (sig_key != NULL) - xfree(sig_key); - if (sig != NULL) - xfree(sig); + free(principals); + free(critical); + free(exts); + free(sig_key); + free(sig); return ret; } -Key * -key_from_blob(const u_char *blob, u_int blen) +static Key * +key_from_blob2(const u_char *blob, u_int blen, int allow_cert) { Buffer b; int rlen, type; + u_int len; char *ktype = NULL, *curve = NULL; + u_char *pk = NULL; Key *key = NULL; #ifdef OPENSSL_HAS_ECC EC_POINT *q = NULL; @@ -1486,7 +1551,10 @@ key_from_blob(const u_char *blob, u_int blen) if (key_type_plain(type) == KEY_ECDSA) nid = key_ecdsa_nid_from_name(ktype); #endif - + if (!allow_cert && key_type_is_cert(type)) { + error("key_from_blob: certificate not allowed in this context"); + goto out; + } switch (type) { case KEY_RSA_CERT: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ @@ -1560,6 +1628,23 @@ key_from_blob(const u_char *blob, u_int blen) #endif break; #endif /* OPENSSL_HAS_ECC */ + case KEY_ED25519_CERT: + (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ + /* FALLTHROUGH */ + case KEY_ED25519: + if ((pk = buffer_get_string_ret(&b, &len)) == NULL) { + error("key_from_blob: can't read ed25519 key"); + goto badkey; + } + if (len != ED25519_PK_SZ) { + error("key_from_blob: ed25519 len %d != %d", + len, ED25519_PK_SZ); + goto badkey; + } + key = key_new(type); + key->ed25519_pk = pk; + pk = NULL; + break; case KEY_UNSPEC: key = key_new(type); break; @@ -1575,10 +1660,9 @@ key_from_blob(const u_char *blob, u_int blen) if (key != NULL && rlen != 0) error("key_from_blob: remaining bytes in key blob %d", rlen); out: - if (ktype != NULL) - xfree(ktype); - if (curve != NULL) - xfree(curve); + free(ktype); + free(curve); + free(pk); #ifdef OPENSSL_HAS_ECC if (q != NULL) EC_POINT_free(q); @@ -1587,12 +1671,22 @@ key_from_blob(const u_char *blob, u_int blen) return key; } +Key * +key_from_blob(const u_char *blob, u_int blen) +{ + return key_from_blob2(blob, blen, 1); +} + static int to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) { Buffer b; int len, type; + if (blobp != NULL) + *blobp = NULL; + if (lenp != NULL) + *lenp = 0; if (key == NULL) { error("key_to_blob: key == NULL"); return 0; @@ -1605,6 +1699,7 @@ to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) case KEY_DSA_CERT: case KEY_ECDSA_CERT: case KEY_RSA_CERT: + case KEY_ED25519_CERT: /* Use the existing blob */ buffer_append(&b, buffer_ptr(&key->cert->certblob), buffer_len(&key->cert->certblob)); @@ -1632,6 +1727,11 @@ to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) buffer_put_bignum2(&b, key->rsa->e); buffer_put_bignum2(&b, key->rsa->n); break; + case KEY_ED25519: + buffer_put_cstring(&b, + key_ssh_name_from_type_nid(type, key->ecdsa_nid)); + buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ); + break; default: error("key_to_blob: unsupported key type %d", key->type); buffer_free(&b); @@ -1644,7 +1744,7 @@ to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) *blobp = xmalloc(len); memcpy(*blobp, buffer_ptr(&b), len); } - memset(buffer_ptr(&b), 0, len); + explicit_bzero(buffer_ptr(&b), len); buffer_free(&b); return len; } @@ -1675,6 +1775,9 @@ key_sign( case KEY_RSA_CERT: case KEY_RSA: return ssh_rsa_sign(key, sigp, lenp, data, datalen); + case KEY_ED25519: + case KEY_ED25519_CERT: + return ssh_ed25519_sign(key, sigp, lenp, data, datalen); default: error("key_sign: invalid key type %d", key->type); return -1; @@ -1708,6 +1811,9 @@ key_verify( case KEY_RSA_CERT: case KEY_RSA: return ssh_rsa_verify(key, signature, signaturelen, data, datalen); + case KEY_ED25519: + case KEY_ED25519_CERT: + return ssh_ed25519_verify(key, signature, signaturelen, data, datalen); default: error("key_verify: invalid key type %d", key->type); return -1; @@ -1727,6 +1833,8 @@ key_demote(const Key *k) pk->dsa = NULL; pk->ecdsa = NULL; pk->rsa = NULL; + pk->ed25519_pk = NULL; + pk->ed25519_sk = NULL; switch (k->type) { case KEY_RSA_CERT_V00: @@ -1770,8 +1878,17 @@ key_demote(const Key *k) fatal("key_demote: EC_KEY_set_public_key failed"); break; #endif + case KEY_ED25519_CERT: + key_cert_copy(k, pk); + /* FALLTHROUGH */ + case KEY_ED25519: + if (k->ed25519_pk != NULL) { + pk->ed25519_pk = xmalloc(ED25519_PK_SZ); + memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); + } + break; default: - fatal("key_free: bad key type %d", k->type); + fatal("key_demote: bad key type %d", k->type); break; } @@ -1783,16 +1900,7 @@ key_is_cert(const Key *k) { if (k == NULL) return 0; - switch (k->type) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: - case KEY_RSA_CERT: - case KEY_DSA_CERT: - case KEY_ECDSA_CERT: - return 1; - default: - return 0; - } + return key_type_is_cert(k->type); } /* Return the cert-less equivalent to a certified key type */ @@ -1808,12 +1916,14 @@ key_type_plain(int type) return KEY_DSA; case KEY_ECDSA_CERT: return KEY_ECDSA; + case KEY_ED25519_CERT: + return KEY_ED25519; default: return type; } } -/* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */ +/* Convert a plain key to their _CERT equivalent */ int key_to_certified(Key *k, int legacy) { @@ -1833,41 +1943,34 @@ key_to_certified(Key *k, int legacy) k->cert = cert_new(); k->type = KEY_ECDSA_CERT; return 0; + case KEY_ED25519: + if (legacy) + fatal("%s: legacy ED25519 certificates are not " + "supported", __func__); + k->cert = cert_new(); + k->type = KEY_ED25519_CERT; + return 0; default: error("%s: key has incorrect type %s", __func__, key_type(k)); return -1; } } -/* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */ +/* Convert a certificate to its raw key equivalent */ int key_drop_cert(Key *k) { - switch (k->type) { - case KEY_RSA_CERT_V00: - case KEY_RSA_CERT: - cert_free(k->cert); - k->type = KEY_RSA; - return 0; - case KEY_DSA_CERT_V00: - case KEY_DSA_CERT: - cert_free(k->cert); - k->type = KEY_DSA; - return 0; - case KEY_ECDSA_CERT: - cert_free(k->cert); - k->type = KEY_ECDSA; - return 0; - default: + if (!key_type_is_cert(k->type)) { error("%s: key has incorrect type %s", __func__, key_type(k)); return -1; } + cert_free(k->cert); + k->cert = NULL; + k->type = key_type_plain(k->type); + return 0; } -/* - * Sign a KEY_RSA_CERT, KEY_DSA_CERT or KEY_ECDSA_CERT, (re-)generating - * the signed certblob - */ +/* Sign a certified key, (re-)generating the signed certblob. */ int key_certify(Key *k, Key *ca) { @@ -1886,8 +1989,7 @@ key_certify(Key *k, Key *ca) return -1; } - if (ca->type != KEY_RSA && ca->type != KEY_DSA && - ca->type != KEY_ECDSA) { + if (!key_type_is_valid_ca(ca->type)) { error("%s: CA key has unsupported type %s", __func__, key_type(ca)); return -1; @@ -1903,6 +2005,7 @@ key_certify(Key *k, Key *ca) if (!key_cert_is_legacy(k)) buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); + /* XXX this substantially duplicates to_blob(); refactor */ switch (k->type) { case KEY_DSA_CERT_V00: case KEY_DSA_CERT: @@ -1925,10 +2028,14 @@ key_certify(Key *k, Key *ca) buffer_put_bignum2(&k->cert->certblob, k->rsa->e); buffer_put_bignum2(&k->cert->certblob, k->rsa->n); break; + case KEY_ED25519_CERT: + buffer_put_string(&k->cert->certblob, + k->ed25519_pk, ED25519_PK_SZ); + break; default: error("%s: key has incorrect type %s", __func__, key_type(k)); buffer_clear(&k->cert->certblob); - xfree(ca_blob); + free(ca_blob); return -1; } @@ -1964,7 +2071,7 @@ key_certify(Key *k, Key *ca) buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ buffer_put_string(&k->cert->certblob, ca_blob, ca_len); - xfree(ca_blob); + free(ca_blob); /* Sign the whole mess */ if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), @@ -1975,7 +2082,7 @@ key_certify(Key *k, Key *ca) } /* Append signature and we are done */ buffer_put_string(&k->cert->certblob, sig_blob, sig_len); - xfree(sig_blob); + free(sig_blob); return 0; } @@ -2054,8 +2161,10 @@ key_curve_name_to_nid(const char *name) return NID_X9_62_prime256v1; else if (strcmp(name, "nistp384") == 0) return NID_secp384r1; +# ifdef OPENSSL_HAS_NISTP521 else if (strcmp(name, "nistp521") == 0) return NID_secp521r1; +# endif #endif debug("%s: unsupported EC curve name \"%.100s\"", __func__, name); @@ -2071,8 +2180,10 @@ key_curve_nid_to_bits(int nid) return 256; case NID_secp384r1: return 384; +# ifdef OPENSSL_HAS_NISTP521 case NID_secp521r1: return 521; +# endif #endif default: error("%s: unsupported EC curve nid %d", __func__, nid); @@ -2088,16 +2199,18 @@ key_curve_nid_to_name(int nid) return "nistp256"; else if (nid == NID_secp384r1) return "nistp384"; +# ifdef OPENSSL_HAS_NISTP521 else if (nid == NID_secp521r1) return "nistp521"; +# endif #endif error("%s: unsupported EC curve nid %d", __func__, nid); return NULL; } #ifdef OPENSSL_HAS_ECC -const EVP_MD * -key_ec_nid_to_evpmd(int nid) +int +key_ec_nid_to_hash_alg(int nid) { int kbits = key_curve_nid_to_bits(nid); @@ -2105,11 +2218,11 @@ key_ec_nid_to_evpmd(int nid) fatal("%s: invalid nid %d", __func__, nid); /* RFC5656 section 6.2.1 */ if (kbits <= 256) - return EVP_sha256(); + return SSH_DIGEST_SHA256; else if (kbits <= 384) - return EVP_sha384(); + return SSH_DIGEST_SHA384; else - return EVP_sha512(); + return SSH_DIGEST_SHA512; } int @@ -2281,3 +2394,232 @@ key_dump_ec_key(const EC_KEY *key) } #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ #endif /* OPENSSL_HAS_ECC */ + +void +key_private_serialize(const Key *key, Buffer *b) +{ + buffer_put_cstring(b, key_ssh_name(key)); + switch (key->type) { + case KEY_RSA: + buffer_put_bignum2(b, key->rsa->n); + buffer_put_bignum2(b, key->rsa->e); + buffer_put_bignum2(b, key->rsa->d); + buffer_put_bignum2(b, key->rsa->iqmp); + buffer_put_bignum2(b, key->rsa->p); + buffer_put_bignum2(b, key->rsa->q); + break; + case KEY_RSA_CERT_V00: + case KEY_RSA_CERT: + if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) + fatal("%s: no cert/certblob", __func__); + buffer_put_string(b, buffer_ptr(&key->cert->certblob), + buffer_len(&key->cert->certblob)); + buffer_put_bignum2(b, key->rsa->d); + buffer_put_bignum2(b, key->rsa->iqmp); + buffer_put_bignum2(b, key->rsa->p); + buffer_put_bignum2(b, key->rsa->q); + break; + case KEY_DSA: + buffer_put_bignum2(b, key->dsa->p); + buffer_put_bignum2(b, key->dsa->q); + buffer_put_bignum2(b, key->dsa->g); + buffer_put_bignum2(b, key->dsa->pub_key); + buffer_put_bignum2(b, key->dsa->priv_key); + break; + case KEY_DSA_CERT_V00: + case KEY_DSA_CERT: + if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) + fatal("%s: no cert/certblob", __func__); + buffer_put_string(b, buffer_ptr(&key->cert->certblob), + buffer_len(&key->cert->certblob)); + buffer_put_bignum2(b, key->dsa->priv_key); + break; +#ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: + buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid)); + buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa), + EC_KEY_get0_public_key(key->ecdsa)); + buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); + break; + case KEY_ECDSA_CERT: + if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) + fatal("%s: no cert/certblob", __func__); + buffer_put_string(b, buffer_ptr(&key->cert->certblob), + buffer_len(&key->cert->certblob)); + buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); + break; +#endif /* OPENSSL_HAS_ECC */ + case KEY_ED25519: + buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ); + buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ); + break; + case KEY_ED25519_CERT: + if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) + fatal("%s: no cert/certblob", __func__); + buffer_put_string(b, buffer_ptr(&key->cert->certblob), + buffer_len(&key->cert->certblob)); + buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ); + buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ); + break; + } +} + +Key * +key_private_deserialize(Buffer *blob) +{ + char *type_name; + Key *k = NULL; + u_char *cert; + u_int len, pklen, sklen; + int type; +#ifdef OPENSSL_HAS_ECC + char *curve; + BIGNUM *exponent; + EC_POINT *q; +#endif + + type_name = buffer_get_string(blob, NULL); + type = key_type_from_name(type_name); + switch (type) { + case KEY_DSA: + k = key_new_private(type); + buffer_get_bignum2(blob, k->dsa->p); + buffer_get_bignum2(blob, k->dsa->q); + buffer_get_bignum2(blob, k->dsa->g); + buffer_get_bignum2(blob, k->dsa->pub_key); + buffer_get_bignum2(blob, k->dsa->priv_key); + break; + case KEY_DSA_CERT_V00: + case KEY_DSA_CERT: + cert = buffer_get_string(blob, &len); + if ((k = key_from_blob(cert, len)) == NULL) + fatal("Certificate parse failed"); + free(cert); + key_add_private(k); + buffer_get_bignum2(blob, k->dsa->priv_key); + break; +#ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: + k = key_new_private(type); + k->ecdsa_nid = key_ecdsa_nid_from_name(type_name); + curve = buffer_get_string(blob, NULL); + if (k->ecdsa_nid != key_curve_name_to_nid(curve)) + fatal("%s: curve names mismatch", __func__); + free(curve); + k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); + if (k->ecdsa == NULL) + fatal("%s: EC_KEY_new_by_curve_name failed", + __func__); + q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa)); + if (q == NULL) + fatal("%s: BN_new failed", __func__); + if ((exponent = BN_new()) == NULL) + fatal("%s: BN_new failed", __func__); + buffer_get_ecpoint(blob, + EC_KEY_get0_group(k->ecdsa), q); + buffer_get_bignum2(blob, exponent); + if (EC_KEY_set_public_key(k->ecdsa, q) != 1) + fatal("%s: EC_KEY_set_public_key failed", + __func__); + if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) + fatal("%s: EC_KEY_set_private_key failed", + __func__); + if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), + EC_KEY_get0_public_key(k->ecdsa)) != 0) + fatal("%s: bad ECDSA public key", __func__); + if (key_ec_validate_private(k->ecdsa) != 0) + fatal("%s: bad ECDSA private key", __func__); + BN_clear_free(exponent); + EC_POINT_free(q); + break; + case KEY_ECDSA_CERT: + cert = buffer_get_string(blob, &len); + if ((k = key_from_blob(cert, len)) == NULL) + fatal("Certificate parse failed"); + free(cert); + key_add_private(k); + if ((exponent = BN_new()) == NULL) + fatal("%s: BN_new failed", __func__); + buffer_get_bignum2(blob, exponent); + if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) + fatal("%s: EC_KEY_set_private_key failed", + __func__); + if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), + EC_KEY_get0_public_key(k->ecdsa)) != 0 || + key_ec_validate_private(k->ecdsa) != 0) + fatal("%s: bad ECDSA key", __func__); + BN_clear_free(exponent); + break; +#endif + case KEY_RSA: + k = key_new_private(type); + buffer_get_bignum2(blob, k->rsa->n); + buffer_get_bignum2(blob, k->rsa->e); + buffer_get_bignum2(blob, k->rsa->d); + buffer_get_bignum2(blob, k->rsa->iqmp); + buffer_get_bignum2(blob, k->rsa->p); + buffer_get_bignum2(blob, k->rsa->q); + + /* Generate additional parameters */ + rsa_generate_additional_parameters(k->rsa); + break; + case KEY_RSA_CERT_V00: + case KEY_RSA_CERT: + cert = buffer_get_string(blob, &len); + if ((k = key_from_blob(cert, len)) == NULL) + fatal("Certificate parse failed"); + free(cert); + key_add_private(k); + buffer_get_bignum2(blob, k->rsa->d); + buffer_get_bignum2(blob, k->rsa->iqmp); + buffer_get_bignum2(blob, k->rsa->p); + buffer_get_bignum2(blob, k->rsa->q); + break; + case KEY_ED25519: + k = key_new_private(type); + k->ed25519_pk = buffer_get_string(blob, &pklen); + k->ed25519_sk = buffer_get_string(blob, &sklen); + if (pklen != ED25519_PK_SZ) + fatal("%s: ed25519 pklen %d != %d", + __func__, pklen, ED25519_PK_SZ); + if (sklen != ED25519_SK_SZ) + fatal("%s: ed25519 sklen %d != %d", + __func__, sklen, ED25519_SK_SZ); + break; + case KEY_ED25519_CERT: + cert = buffer_get_string(blob, &len); + if ((k = key_from_blob(cert, len)) == NULL) + fatal("Certificate parse failed"); + free(cert); + key_add_private(k); + k->ed25519_pk = buffer_get_string(blob, &pklen); + k->ed25519_sk = buffer_get_string(blob, &sklen); + if (pklen != ED25519_PK_SZ) + fatal("%s: ed25519 pklen %d != %d", + __func__, pklen, ED25519_PK_SZ); + if (sklen != ED25519_SK_SZ) + fatal("%s: ed25519 sklen %d != %d", + __func__, sklen, ED25519_SK_SZ); + break; + default: + free(type_name); + buffer_clear(blob); + return NULL; + } + free(type_name); + + /* enable blinding */ + switch (k->type) { + case KEY_RSA: + case KEY_RSA_CERT_V00: + case KEY_RSA_CERT: + case KEY_RSA1: + if (RSA_blinding_on(k->rsa, NULL) != 1) { + error("%s: RSA_blinding_on failed", __func__); + key_free(k); + return NULL; + } + break; + } + return k; +} diff --git a/crypto/openssh/key.h b/crypto/openssh/key.h index ebdf45677..d8ad13d08 100644 --- a/crypto/openssh/key.h +++ b/crypto/openssh/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */ +/* $OpenBSD: key.h,v 1.41 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -39,9 +39,11 @@ enum types { KEY_RSA, KEY_DSA, KEY_ECDSA, + KEY_ED25519, KEY_RSA_CERT, KEY_DSA_CERT, KEY_ECDSA_CERT, + KEY_ED25519_CERT, KEY_RSA_CERT_V00, KEY_DSA_CERT_V00, KEY_UNSPEC @@ -86,8 +88,13 @@ struct Key { void *ecdsa; #endif struct KeyCert *cert; + u_char *ed25519_sk; + u_char *ed25519_pk; }; +#define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES +#define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES + Key *key_new(int); void key_add_private(Key *); Key *key_new_private(int); @@ -95,7 +102,7 @@ void key_free(Key *); Key *key_demote(const Key *); int key_equal_public(const Key *, const Key *); int key_equal(const Key *, const Key *); -char *key_fingerprint(Key *, enum fp_type, enum fp_rep); +char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); const char *key_type(const Key *); const char *key_cert_type(const Key *); @@ -107,6 +114,7 @@ Key *key_generate(int, u_int); Key *key_from_private(const Key *); int key_type_from_name(char *); int key_is_cert(const Key *); +int key_type_is_cert(int); int key_type_plain(int); int key_to_certified(Key *, int); int key_drop_cert(Key *); @@ -118,15 +126,16 @@ int key_cert_is_legacy(const Key *); int key_ecdsa_nid_from_name(const char *); int key_curve_name_to_nid(const char *); -const char * key_curve_nid_to_name(int); +const char *key_curve_nid_to_name(int); u_int key_curve_nid_to_bits(int); int key_ecdsa_bits_to_nid(int); #ifdef OPENSSL_HAS_ECC int key_ecdsa_key_to_nid(EC_KEY *); -const EVP_MD * key_ec_nid_to_evpmd(int nid); +int key_ec_nid_to_hash_alg(int nid); int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); int key_ec_validate_private(const EC_KEY *); #endif +char *key_alg_list(int, int); Key *key_from_blob(const u_char *, u_int); int key_to_blob(const Key *, u_char **, u_int *); @@ -143,10 +152,15 @@ int ssh_ecdsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int); int ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); int ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int); int ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); +int ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int); +int ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int); #if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK)) void key_dump_ec_point(const EC_GROUP *, const EC_POINT *); void key_dump_ec_key(const EC_KEY *); #endif +void key_private_serialize(const Key *, Buffer *); +Key *key_private_deserialize(Buffer *); + #endif diff --git a/crypto/openssh/krb5_config.h b/crypto/openssh/krb5_config.h new file mode 100644 index 000000000..590619651 --- /dev/null +++ b/crypto/openssh/krb5_config.h @@ -0,0 +1,10 @@ +/* $FreeBSD$ */ +#define GSSAPI 1 +#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE 1 +#define HAVE_GSSAPI_GSSAPI_H 1 +#define HAVE_GSSAPI_GSSAPI_KRB5_H 1 +#define HAVE_GSSAPI_H 1 +#define HAVE_KRB5_CC_NEW_UNIQUE 1 +#define HAVE_KRB5_GET_ERROR_MESSAGE 1 +#define HEIMDAL 1 +#define KRB5 1 diff --git a/crypto/openssh/krl.c b/crypto/openssh/krl.c index 4dd245f1d..3b4cded05 100644 --- a/crypto/openssh/krl.c +++ b/crypto/openssh/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.10 2013/02/19 02:12:47 dtucker Exp $ */ +/* $OpenBSD: krl.c,v 1.14 2014/01/31 16:39:19 tedu Exp $ */ #include "includes.h" @@ -238,7 +238,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi) struct revoked_serial rs, *ers, *crs, *irs; KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi)); - bzero(&rs, sizeof(rs)); + memset(&rs, 0, sizeof(rs)); rs.lo = lo; rs.hi = hi; ers = RB_NFIND(revoked_serial_tree, rt, &rs); @@ -502,11 +502,11 @@ choose_next_state(int current_state, u_int64_t contig, int final, } debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" "list %llu range %llu bitmap %llu new bitmap %llu, " - "selected 0x%02x%s", __func__, (unsigned long long)contig, - (unsigned long long)last_gap, (unsigned long long)next_gap, final, - (unsigned long long)cost_list, (unsigned long long)cost_range, - (unsigned long long)cost_bitmap, - (unsigned long long)cost_bitmap_restart, new_state, + "selected 0x%02x%s", __func__, (long long unsigned)contig, + (long long unsigned)last_gap, (long long unsigned)next_gap, final, + (long long unsigned)cost_list, (long long unsigned)cost_range, + (long long unsigned)cost_bitmap, + (long long unsigned)cost_bitmap_restart, new_state, *force_new_section ? " restart" : ""); return new_state; } @@ -542,7 +542,7 @@ revoked_certs_generate(struct revoked_certs *rc, Buffer *buf) rs != NULL; rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { debug3("%s: serial %llu:%llu state 0x%02x", __func__, - (unsigned long long)rs->lo, (unsigned long long)rs->hi, + (long long unsigned)rs->lo, (long long unsigned)rs->hi, state); /* Check contiguous length and gap to next section (if any) */ @@ -887,9 +887,10 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, char timestamp[64]; int ret = -1, r, sig_seen; Key *key = NULL, **ca_used = NULL; - u_char type, *blob; - u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0; + u_char type, *blob, *rdata = NULL; + u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used; + nca_used = 0; *krlp = NULL; if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 || memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { @@ -933,7 +934,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, format_timestamp(krl->generated_date, timestamp, sizeof(timestamp)); debug("KRL version %llu generated at %s%s%s", - (unsigned long long)krl->krl_version, timestamp, + (long long unsigned)krl->krl_version, timestamp, *krl->comment ? ": " : "", krl->comment); /* @@ -972,7 +973,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, } /* Check signature over entire KRL up to this point */ if (key_verify(key, blob, blen, - buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) { + buffer_ptr(buf), buffer_len(buf) - sig_off) != 1) { error("bad signaure on KRL"); goto out; } @@ -1015,21 +1016,22 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, case KRL_SECTION_EXPLICIT_KEY: case KRL_SECTION_FINGERPRINT_SHA1: while (buffer_len(§) > 0) { - if ((blob = buffer_get_string_ret(§, - &blen)) == NULL) { + if ((rdata = buffer_get_string_ret(§, + &rlen)) == NULL) { error("%s: buffer error", __func__); goto out; } if (type == KRL_SECTION_FINGERPRINT_SHA1 && - blen != 20) { + rlen != 20) { error("%s: bad SHA1 length", __func__); goto out; } if (revoke_blob( type == KRL_SECTION_EXPLICIT_KEY ? &krl->revoked_keys : &krl->revoked_sha1s, - blob, blen) != 0) - goto out; /* revoke_blob frees blob */ + rdata, rlen) != 0) + goto out; + rdata = NULL; /* revoke_blob frees blob */ } break; case KRL_SECTION_SIGNATURE: @@ -1095,6 +1097,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, key_free(ca_used[i]); } free(ca_used); + free(rdata); if (key != NULL) key_free(key); buffer_free(©); @@ -1112,7 +1115,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key) struct revoked_certs *rc; /* Check explicitly revoked hashes first */ - bzero(&rb, sizeof(rb)); + memset(&rb, 0, sizeof(rb)); if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL) return -1; erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); @@ -1123,7 +1126,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key) } /* Next, explicit keys */ - bzero(&rb, sizeof(rb)); + memset(&rb, 0, sizeof(rb)); if (plain_key_blob(key, &rb.blob, &rb.len) != 0) return -1; erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); @@ -1144,7 +1147,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key) return 0; /* No entry for this CA */ /* Check revocation by cert key ID */ - bzero(&rki, sizeof(rki)); + memset(&rki, 0, sizeof(rki)); rki.key_id = key->cert->key_id; erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); if (erki != NULL) { @@ -1159,7 +1162,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key) if (key_cert_is_legacy(key) || key->cert->serial == 0) return 0; - bzero(&rs, sizeof(rs)); + memset(&rs, 0, sizeof(rs)); rs.lo = rs.hi = key->cert->serial; ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); if (ers != NULL) { diff --git a/crypto/openssh/log.c b/crypto/openssh/log.c index d69154a67..32e1d2e45 100644 --- a/crypto/openssh/log.c +++ b/crypto/openssh/log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */ +/* $OpenBSD: log.c,v 1.45 2013/05/16 09:08:41 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -38,6 +38,7 @@ #include +#include #include #include #include @@ -54,6 +55,7 @@ static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; +static int log_stderr_fd = STDERR_FILENO; static int log_facility = LOG_AUTH; static char *argv0; static log_handler_fn *log_handler; @@ -344,6 +346,20 @@ log_is_on_stderr(void) return log_on_stderr; } +/* redirect what would usually get written to stderr to specified file */ +void +log_redirect_stderr_to(const char *logfile) +{ + int fd; + + if ((fd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0600)) == -1) { + fprintf(stderr, "Couldn't open logfile %s: %s\n", logfile, + strerror(errno)); + exit(1); + } + log_stderr_fd = fd; +} + #define MSGBUFSIZ 1024 void @@ -429,7 +445,7 @@ do_log(LogLevel level, const char *fmt, va_list args) log_handler = tmp_handler; } else if (log_on_stderr) { snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); - write(STDERR_FILENO, msgbuf, strlen(msgbuf)); + (void)write(log_stderr_fd, msgbuf, strlen(msgbuf)); } else { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); diff --git a/crypto/openssh/log.h b/crypto/openssh/log.h index e3e328b06..ae7df25d3 100644 --- a/crypto/openssh/log.h +++ b/crypto/openssh/log.h @@ -1,4 +1,4 @@ -/* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */ +/* $OpenBSD: log.h,v 1.20 2013/04/07 02:10:33 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -51,6 +51,7 @@ typedef void (log_handler_fn)(LogLevel, const char *, void *); void log_init(char *, LogLevel, SyslogFacility, int); void log_change_level(LogLevel); int log_is_on_stderr(void); +void log_redirect_stderr_to(const char *); SyslogFacility log_facility_number(char *); const char * log_facility_name(SyslogFacility); diff --git a/crypto/openssh/loginrec.c b/crypto/openssh/loginrec.c index f9662fa5c..4219b9aef 100644 --- a/crypto/openssh/loginrec.c +++ b/crypto/openssh/loginrec.c @@ -310,9 +310,13 @@ login_get_lastlog(struct logininfo *li, const uid_t uid) fatal("%s: Cannot find account for uid %ld", __func__, (long)uid); - /* No MIN_SIZEOF here - we absolutely *must not* truncate the - * username (XXX - so check for trunc!) */ - strlcpy(li->username, pw->pw_name, sizeof(li->username)); + if (strlcpy(li->username, pw->pw_name, sizeof(li->username)) >= + sizeof(li->username)) { + error("%s: username too long (%lu > max %lu)", __func__, + (unsigned long)strlen(pw->pw_name), + (unsigned long)sizeof(li->username) - 1); + return NULL; + } if (getlast_entry(li)) return (li); @@ -320,7 +324,6 @@ login_get_lastlog(struct logininfo *li, const uid_t uid) return (NULL); } - /* * login_alloc_entry(int, char*, char*, char*) - Allocate and initialise * a logininfo structure @@ -347,7 +350,7 @@ logininfo *login_alloc_entry(pid_t pid, const char *username, void login_free_entry(struct logininfo *li) { - xfree(li); + free(li); } diff --git a/crypto/openssh/mac.c b/crypto/openssh/mac.c index 3f2dc6f2a..097757213 100644 --- a/crypto/openssh/mac.c +++ b/crypto/openssh/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */ +/* $OpenBSD: mac.c,v 1.28 2014/02/07 06:55:54 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -27,8 +27,6 @@ #include -#include - #include #include #include @@ -42,85 +40,107 @@ #include "mac.h" #include "misc.h" +#include "digest.h" +#include "hmac.h" #include "umac.h" #include "openbsd-compat/openssl-compat.h" -#define SSH_EVP 1 /* OpenSSL EVP-based MAC */ +#define SSH_DIGEST 1 /* SSH_DIGEST_XXX */ #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ #define SSH_UMAC128 3 -struct { +struct macalg { char *name; int type; - const EVP_MD * (*mdfunc)(void); + int alg; int truncatebits; /* truncate digest if != 0 */ int key_len; /* just for UMAC */ int len; /* just for UMAC */ int etm; /* Encrypt-then-MAC */ -} macs[] = { +}; + +static const struct macalg macs[] = { /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ - { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, - { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, + { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, + { "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 }, #ifdef HAVE_EVP_SHA256 - { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 }, - { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 }, + { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 }, + { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 }, #endif - { "hmac-md5", SSH_EVP, EVP_md5, 0, 0, 0, 0 }, - { "hmac-md5-96", SSH_EVP, EVP_md5, 96, 0, 0, 0 }, - { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 }, - { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 }, - { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 0 }, - { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 0 }, + { "hmac-md5", SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 0 }, + { "hmac-md5-96", SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 0 }, + { "hmac-ripemd160", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 }, + { "hmac-ripemd160@openssh.com", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 }, + { "umac-64@openssh.com", SSH_UMAC, 0, 0, 128, 64, 0 }, + { "umac-128@openssh.com", SSH_UMAC128, 0, 0, 128, 128, 0 }, /* Encrypt-then-MAC variants */ - { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 }, - { "hmac-sha1-96-etm@openssh.com", SSH_EVP, EVP_sha1, 96, 0, 0, 1 }, + { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 }, + { "hmac-sha1-96-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 1 }, #ifdef HAVE_EVP_SHA256 - { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 }, - { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 }, + { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 }, + { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 }, #endif - { "hmac-md5-etm@openssh.com", SSH_EVP, EVP_md5, 0, 0, 0, 1 }, - { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 }, - { "hmac-ripemd160-etm@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 }, - { "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 }, - { "umac-128-etm@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 1 }, + { "hmac-md5-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 1 }, + { "hmac-md5-96-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 1 }, + { "hmac-ripemd160-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 1 }, + { "umac-64-etm@openssh.com", SSH_UMAC, 0, 0, 128, 64, 1 }, + { "umac-128-etm@openssh.com", SSH_UMAC128, 0, 0, 128, 128, 1 }, - { NULL, 0, NULL, 0, 0, 0, 0 } + { NULL, 0, 0, 0, 0, 0, 0 } }; +/* Returns a list of supported MACs separated by the specified char. */ +char * +mac_alg_list(char sep) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const struct macalg *m; + + for (m = macs; m->name != NULL; m++) { + if (ret != NULL) + ret[rlen++] = sep; + nlen = strlen(m->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, m->name, nlen + 1); + rlen += nlen; + } + return ret; +} + static void -mac_setup_by_id(Mac *mac, int which) +mac_setup_by_alg(Mac *mac, const struct macalg *macalg) { - int evp_len; - mac->type = macs[which].type; - if (mac->type == SSH_EVP) { - mac->evp_md = (*macs[which].mdfunc)(); - if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0) - fatal("mac %s len %d", mac->name, evp_len); - mac->key_len = mac->mac_len = (u_int)evp_len; + mac->type = macalg->type; + if (mac->type == SSH_DIGEST) { + if ((mac->hmac_ctx = ssh_hmac_start(macalg->alg)) == NULL) + fatal("ssh_hmac_start(alg=%d) failed", macalg->alg); + mac->key_len = mac->mac_len = ssh_hmac_bytes(macalg->alg); } else { - mac->mac_len = macs[which].len / 8; - mac->key_len = macs[which].key_len / 8; + mac->mac_len = macalg->len / 8; + mac->key_len = macalg->key_len / 8; mac->umac_ctx = NULL; } - if (macs[which].truncatebits != 0) - mac->mac_len = macs[which].truncatebits / 8; - mac->etm = macs[which].etm; + if (macalg->truncatebits != 0) + mac->mac_len = macalg->truncatebits / 8; + mac->etm = macalg->etm; } int mac_setup(Mac *mac, char *name) { - int i; - - for (i = 0; macs[i].name; i++) { - if (strcmp(name, macs[i].name) == 0) { - if (mac != NULL) - mac_setup_by_id(mac, i); - debug2("mac_setup: found %s", name); - return (0); + const struct macalg *m; + + for (m = macs; m->name != NULL; m++) { + if (strcmp(name, m->name) != 0) + continue; + if (mac != NULL) { + mac_setup_by_alg(mac, m); + debug2("mac_setup: setup %s", name); } + return (0); } debug2("mac_setup: unknown %s", name); return (-1); @@ -130,13 +150,12 @@ int mac_init(Mac *mac) { if (mac->key == NULL) - fatal("mac_init: no key"); + fatal("%s: no key", __func__); switch (mac->type) { - case SSH_EVP: - if (mac->evp_md == NULL) + case SSH_DIGEST: + if (mac->hmac_ctx == NULL || + ssh_hmac_init(mac->hmac_ctx, mac->key, mac->key_len) < 0) return -1; - HMAC_CTX_init(&mac->evp_ctx); - HMAC_Init(&mac->evp_ctx, mac->key, mac->key_len, mac->evp_md); return 0; case SSH_UMAC: mac->umac_ctx = umac_new(mac->key); @@ -152,36 +171,40 @@ mac_init(Mac *mac) u_char * mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) { - static u_char m[EVP_MAX_MD_SIZE]; + static union { + u_char m[EVP_MAX_MD_SIZE]; + u_int64_t for_align; + } u; u_char b[4], nonce[8]; - if (mac->mac_len > sizeof(m)) - fatal("mac_compute: mac too long %u %lu", - mac->mac_len, (u_long)sizeof(m)); + if (mac->mac_len > sizeof(u)) + fatal("mac_compute: mac too long %u %zu", + mac->mac_len, sizeof(u)); switch (mac->type) { - case SSH_EVP: + case SSH_DIGEST: put_u32(b, seqno); /* reset HMAC context */ - HMAC_Init(&mac->evp_ctx, NULL, 0, NULL); - HMAC_Update(&mac->evp_ctx, b, sizeof(b)); - HMAC_Update(&mac->evp_ctx, data, datalen); - HMAC_Final(&mac->evp_ctx, m, NULL); + if (ssh_hmac_init(mac->hmac_ctx, NULL, 0) < 0 || + ssh_hmac_update(mac->hmac_ctx, b, sizeof(b)) < 0 || + ssh_hmac_update(mac->hmac_ctx, data, datalen) < 0 || + ssh_hmac_final(mac->hmac_ctx, u.m, sizeof(u.m)) < 0) + fatal("ssh_hmac failed"); break; case SSH_UMAC: put_u64(nonce, seqno); umac_update(mac->umac_ctx, data, datalen); - umac_final(mac->umac_ctx, m, nonce); + umac_final(mac->umac_ctx, u.m, nonce); break; case SSH_UMAC128: put_u64(nonce, seqno); umac128_update(mac->umac_ctx, data, datalen); - umac128_final(mac->umac_ctx, m, nonce); + umac128_final(mac->umac_ctx, u.m, nonce); break; default: fatal("mac_compute: unknown MAC type"); } - return (m); + return (u.m); } void @@ -193,9 +216,9 @@ mac_clear(Mac *mac) } else if (mac->type == SSH_UMAC128) { if (mac->umac_ctx != NULL) umac128_delete(mac->umac_ctx); - } else if (mac->evp_md != NULL) - HMAC_cleanup(&mac->evp_ctx); - mac->evp_md = NULL; + } else if (mac->hmac_ctx != NULL) + ssh_hmac_free(mac->hmac_ctx); + mac->hmac_ctx = NULL; mac->umac_ctx = NULL; } @@ -213,13 +236,11 @@ mac_valid(const char *names) (p = strsep(&cp, MAC_SEP))) { if (mac_setup(NULL, p) < 0) { debug("bad mac %s [%s]", p, names); - xfree(maclist); + free(maclist); return (0); - } else { - debug3("mac ok: %s [%s]", p, names); } } debug3("macs ok: [%s]", names); - xfree(maclist); + free(maclist); return (1); } diff --git a/crypto/openssh/mac.h b/crypto/openssh/mac.h index 39f564dd3..fbe18c463 100644 --- a/crypto/openssh/mac.h +++ b/crypto/openssh/mac.h @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */ +/* $OpenBSD: mac.h,v 1.8 2013/11/07 11:58:27 dtucker Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -24,6 +24,7 @@ */ int mac_valid(const char *); +char *mac_alg_list(char); int mac_setup(Mac *, char *); int mac_init(Mac *); u_char *mac_compute(Mac *, u_int32_t, u_char *, int); diff --git a/crypto/openssh/match.c b/crypto/openssh/match.c index 238947778..c35e32896 100644 --- a/crypto/openssh/match.c +++ b/crypto/openssh/match.c @@ -1,4 +1,4 @@ -/* $OpenBSD: match.c,v 1.27 2008/06/10 23:06:19 djm Exp $ */ +/* $OpenBSD: match.c,v 1.29 2013/11/20 20:54:10 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -40,6 +40,7 @@ #include #include +#include #include #include "xmalloc.h" @@ -140,8 +141,8 @@ match_pattern_list(const char *string, const char *pattern, u_int len, for (subi = 0; i < len && subi < sizeof(sub) - 1 && pattern[i] != ','; subi++, i++) - sub[subi] = dolower && isupper(pattern[i]) ? - (char)tolower(pattern[i]) : pattern[i]; + sub[subi] = dolower && isupper((u_char)pattern[i]) ? + tolower((u_char)pattern[i]) : pattern[i]; /* If subpattern too long, return failure (no match). */ if (subi >= sizeof(sub) - 1) return 0; @@ -226,14 +227,14 @@ match_user(const char *user, const char *host, const char *ipaddr, if ((ret = match_pattern(user, pat)) == 1) ret = match_host_and_ip(host, ipaddr, p); - xfree(pat); + free(pat); return ret; } /* * Returns first item from client-list that is also supported by server-list, - * caller must xfree() returned string. + * caller must free the returned string. */ #define MAX_PROP 40 #define SEP "," @@ -264,15 +265,15 @@ match_list(const char *client, const char *server, u_int *next) if (next != NULL) *next = (cp == NULL) ? strlen(c) : (u_int)(cp - c); - xfree(c); - xfree(s); + free(c); + free(s); return ret; } } } if (next != NULL) *next = strlen(c); - xfree(c); - xfree(s); + free(c); + free(s); return NULL; } diff --git a/crypto/openssh/mdoc2man.awk b/crypto/openssh/mdoc2man.awk new file mode 100644 index 000000000..80e8d5ffa --- /dev/null +++ b/crypto/openssh/mdoc2man.awk @@ -0,0 +1,370 @@ +#!/usr/bin/awk +# +# $Id: mdoc2man.awk,v 1.9 2009/10/24 00:52:42 dtucker Exp $ +# +# Version history: +# v4+ Adapted for OpenSSH Portable (see cvs Id and history) +# v3, I put the program under a proper license +# Dan Nelson added .An, .Aq and fixed a typo +# v2, fixed to work on GNU awk --posix and MacOS X +# v1, first attempt, didn't work on MacOS X +# +# Copyright (c) 2003 Peter Stuge +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + +BEGIN { + optlist=0 + oldoptlist=0 + nospace=0 + synopsis=0 + reference=0 + block=0 + ext=0 + extopt=0 + literal=0 + prenl=0 + breakw=0 + line="" +} + +function wtail() { + retval="" + while(w0;i--) { + add(refauthors[i]) + if(i>1) + add(", ") + } + if(nrefauthors>1) + add(" and ") + if(nrefauthors>0) + add(refauthors[0] ", ") + add("\\fI" reftitle "\\fP") + if(length(refissue)) + add(", " refissue) + if(length(refreport)) { + add(", " refreport) + } + if(length(refdate)) + add(", " refdate) + if(length(refopt)) + add(", " refopt) + add(".") + reference=0 + } else if(reference) { + if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() } + if(match(words[w],"^%T$")) { + reftitle=wtail() + sub("^\"","",reftitle) + sub("\"$","",reftitle) + } + if(match(words[w],"^%N$")) { refissue=wtail() } + if(match(words[w],"^%D$")) { refdate=wtail() } + if(match(words[w],"^%O$")) { refopt=wtail() } + if(match(words[w],"^%R$")) { refreport=wtail() } + } else if(match(words[w],"^Nm$")) { + if(synopsis) { + add(".br") + prenl++ + } + n=words[++w] + if(!length(name)) + name=n + if(!length(n)) + n=name + add("\\fB" n "\\fP") + if(!nospace&&match(words[w+1],"^[\\.,]")) + nospace=1 + } else if(match(words[w],"^Nd$")) { + add("\\- " wtail()) + } else if(match(words[w],"^Fl$")) { + add("\\fB\\-" words[++w] "\\fP") + if(!nospace&&match(words[w+1],"^[\\.,]")) + nospace=1 + } else if(match(words[w],"^Ar$")) { + add("\\fI") + if(w==nwords) + add("file ...\\fP") + else { + add(words[++w] "\\fP") + while(match(words[w+1],"^\\|$")) + add(OFS words[++w] " \\fI" words[++w] "\\fP") + } + if(!nospace&&match(words[w+1],"^[\\.,]")) + nospace=1 + } else if(match(words[w],"^Cm$")) { + add("\\fB" words[++w] "\\fP") + while(w") + if(option) + add("]") + if(ext&&!extopt&&!match(line," $")) + add(OFS) + if(!ext&&!extopt&&length(line)) { + print line + prenl=0 + line="" + } +} diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c index d35472778..8e7f7c56d 100644 --- a/crypto/openssh/misc.c +++ b/crypto/openssh/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.86 2011/09/05 05:59:08 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.92 2013/10/14 23:28:23 djm Exp $ */ /* $FreeBSD$ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -26,6 +26,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include @@ -44,6 +45,7 @@ #include #include +#include #include #include #include @@ -128,7 +130,7 @@ unset_nonblock(int fd) const char * ssh_gai_strerror(int gaierr) { - if (gaierr == EAI_SYSTEM) + if (gaierr == EAI_SYSTEM && errno != 0) return strerror(errno); return gai_strerror(gaierr); } @@ -207,16 +209,18 @@ pwcopy(struct passwd *pw) copy->pw_name = xstrdup(pw->pw_name); copy->pw_passwd = xstrdup(pw->pw_passwd); +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS copy->pw_gecos = xstrdup(pw->pw_gecos); +#endif copy->pw_uid = pw->pw_uid; copy->pw_gid = pw->pw_gid; -#ifdef HAVE_PW_EXPIRE_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE copy->pw_expire = pw->pw_expire; #endif -#ifdef HAVE_PW_CHANGE_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_CHANGE copy->pw_change = pw->pw_change; #endif -#ifdef HAVE_PW_CLASS_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS copy->pw_class = xstrdup(pw->pw_class); #endif copy->pw_dir = xstrdup(pw->pw_dir); @@ -252,13 +256,13 @@ a2tun(const char *s, int *remote) *remote = SSH_TUNID_ANY; sp = xstrdup(s); if ((ep = strchr(sp, ':')) == NULL) { - xfree(sp); + free(sp); return (a2tun(s, NULL)); } ep[0] = '\0'; ep++; *remote = a2tun(ep, NULL); tun = a2tun(sp, NULL); - xfree(sp); + free(sp); return (*remote == SSH_TUNID_ERR ? *remote : tun); } @@ -491,7 +495,7 @@ replacearg(arglist *args, u_int which, char *fmt, ...) if (which >= args->num) fatal("replacearg: tried to replace invalid arg %d >= %d", which, args->num); - xfree(args->list[which]); + free(args->list[which]); args->list[which] = cp; } @@ -502,8 +506,8 @@ freeargs(arglist *args) if (args->list != NULL) { for (i = 0; i < args->num; i++) - xfree(args->list[i]); - xfree(args->list); + free(args->list[i]); + free(args->list); args->nalloc = args->num = 0; args->list = NULL; } @@ -516,8 +520,8 @@ freeargs(arglist *args) char * tilde_expand_filename(const char *filename, uid_t uid) { - const char *path; - char user[128], ret[MAXPATHLEN]; + const char *path, *sep; + char user[128], *ret; struct passwd *pw; u_int len, slash; @@ -537,22 +541,21 @@ tilde_expand_filename(const char *filename, uid_t uid) } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */ fatal("tilde_expand_filename: No such uid %ld", (long)uid); - if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret)) - fatal("tilde_expand_filename: Path too long"); - /* Make sure directory has a trailing '/' */ len = strlen(pw->pw_dir); - if ((len == 0 || pw->pw_dir[len - 1] != '/') && - strlcat(ret, "/", sizeof(ret)) >= sizeof(ret)) - fatal("tilde_expand_filename: Path too long"); + if (len == 0 || pw->pw_dir[len - 1] != '/') + sep = "/"; + else + sep = ""; /* Skip leading '/' from specified path */ if (path != NULL) filename = path + 1; - if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret)) + + if (xasprintf(&ret, "%s%s%s", pw->pw_dir, sep, filename) >= MAXPATHLEN) fatal("tilde_expand_filename: Path too long"); - return (xstrdup(ret)); + return (ret); } /* @@ -854,6 +857,24 @@ ms_to_timeval(struct timeval *tv, int ms) tv->tv_usec = (ms % 1000) * 1000; } +time_t +monotime(void) +{ +#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC) + struct timespec ts; + static int gettime_failed = 0; + + if (!gettime_failed) { + if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) + return (ts.tv_sec); + debug3("clock_gettime: %s", strerror(errno)); + gettime_failed = 1; + } +#endif + + return time(NULL); +} + void bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen) { @@ -999,6 +1020,13 @@ iptos2str(int iptos) snprintf(iptos_str, sizeof iptos_str, "0x%02x", iptos); return iptos_str; } + +void +lowercase(char *s) +{ + for (; *s; s++) + *s = tolower((u_char)*s); +} void sock_set_v6only(int s) { diff --git a/crypto/openssh/misc.h b/crypto/openssh/misc.h index 5d3d0bd0f..ce4d78c13 100644 --- a/crypto/openssh/misc.h +++ b/crypto/openssh/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.48 2011/03/29 18:54:17 stevesk Exp $ */ +/* $OpenBSD: misc.h,v 1.50 2013/10/14 23:28:23 djm Exp $ */ /* $FreeBSD$ */ /* @@ -36,6 +36,9 @@ char *tohex(const void *, size_t); void sanitise_stdfd(void); void ms_subtract_diff(struct timeval *, int *); void ms_to_timeval(struct timeval *, int); +time_t monotime(void); +void lowercase(char *s); + void sock_set_v6only(int); void sock_get_rcvbuf(int *, int); diff --git a/crypto/openssh/moduli.0 b/crypto/openssh/moduli.0 new file mode 100644 index 000000000..7d678b459 --- /dev/null +++ b/crypto/openssh/moduli.0 @@ -0,0 +1,74 @@ +MODULI(5) OpenBSD Programmer's Manual MODULI(5) + +NAME + moduli - Diffie-Hellman moduli + +DESCRIPTION + The /etc/moduli file contains prime numbers and generators for use by + sshd(8) in the Diffie-Hellman Group Exchange key exchange method. + + New moduli may be generated with ssh-keygen(1) using a two-step process. + An initial candidate generation pass, using ssh-keygen -G, calculates + numbers that are likely to be useful. A second primality testing pass, + using ssh-keygen -T, provides a high degree of assurance that the numbers + are prime and are safe for use in Diffie-Hellman operations by sshd(8). + This moduli format is used as the output from each pass. + + The file consists of newline-separated records, one per modulus, + containing seven space-separated fields. These fields are as follows: + + timestamp The time that the modulus was last processed as + YYYYMMDDHHMMSS. + + type Decimal number specifying the internal structure of + the prime modulus. Supported types are: + + 0 Unknown, not tested. + 2 "Safe" prime; (p-1)/2 is also prime. + 4 Sophie Germain; 2p+1 is also prime. + + Moduli candidates initially produced by ssh-keygen(1) + are Sophie Germain primes (type 4). Further primality + testing with ssh-keygen(1) produces safe prime moduli + (type 2) that are ready for use in sshd(8). Other + types are not used by OpenSSH. + + tests Decimal number indicating the type of primality tests + that the number has been subjected to represented as a + bitmask of the following values: + + 0x00 Not tested. + 0x01 Composite number - not prime. + 0x02 Sieve of Eratosthenes. + 0x04 Probabilistic Miller-Rabin primality tests. + + The ssh-keygen(1) moduli candidate generation uses the + Sieve of Eratosthenes (flag 0x02). Subsequent + ssh-keygen(1) primality tests are Miller-Rabin tests + (flag 0x04). + + trials Decimal number indicating the number of primality + trials that have been performed on the modulus. + + size Decimal number indicating the size of the prime in + bits. + + generator The recommended generator for use with this modulus + (hexadecimal). + + modulus The modulus itself in hexadecimal. + + When performing Diffie-Hellman Group Exchange, sshd(8) first estimates + the size of the modulus required to produce enough Diffie-Hellman output + to sufficiently key the selected symmetric cipher. sshd(8) then randomly + selects a modulus from /etc/moduli that best meets the size requirement. + +SEE ALSO + ssh-keygen(1), sshd(8) + +STANDARDS + M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for + the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006, + 2006. + +OpenBSD 5.5 September 26, 2012 OpenBSD 5.5 diff --git a/crypto/openssh/moduli.5 b/crypto/openssh/moduli.5 index d272d186d..dbb20a079 100644 --- a/crypto/openssh/moduli.5 +++ b/crypto/openssh/moduli.5 @@ -1,4 +1,5 @@ .\" $OpenBSD: moduli.5,v 1.17 2012/09/26 17:34:38 jmc Exp $ +.\" $FreeBSD$ .\" .\" Copyright (c) 2008 Damien Miller .\" diff --git a/crypto/openssh/moduli.c b/crypto/openssh/moduli.c index 5267bb9ab..bb4dd7beb 100644 --- a/crypto/openssh/moduli.c +++ b/crypto/openssh/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.26 2012/07/06 00:41:59 dtucker Exp $ */ +/* $OpenBSD: moduli.c,v 1.28 2013/10/24 00:49:49 dtucker Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -56,6 +56,7 @@ #include "xmalloc.h" #include "dh.h" #include "log.h" +#include "misc.h" #include "openbsd-compat/openssl-compat.h" @@ -433,9 +434,9 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start) time(&time_stop); - xfree(LargeSieve); - xfree(SmallSieve); - xfree(TinySieve); + free(LargeSieve); + free(SmallSieve); + free(TinySieve); logit("%.24s Found %u candidates", ctime(&time_stop), r); @@ -488,6 +489,79 @@ read_checkpoint(char *cpfile) return lineno; } +static unsigned long +count_lines(FILE *f) +{ + unsigned long count = 0; + char lp[QLINESIZE + 1]; + + if (fseek(f, 0, SEEK_SET) != 0) { + debug("input file is not seekable"); + return ULONG_MAX; + } + while (fgets(lp, QLINESIZE + 1, f) != NULL) + count++; + rewind(f); + debug("input file has %lu lines", count); + return count; +} + +static char * +fmt_time(time_t seconds) +{ + int day, hr, min; + static char buf[128]; + + min = (seconds / 60) % 60; + hr = (seconds / 60 / 60) % 24; + day = seconds / 60 / 60 / 24; + if (day > 0) + snprintf(buf, sizeof buf, "%dd %d:%02d", day, hr, min); + else + snprintf(buf, sizeof buf, "%d:%02d", hr, min); + return buf; +} + +static void +print_progress(unsigned long start_lineno, unsigned long current_lineno, + unsigned long end_lineno) +{ + static time_t time_start, time_prev; + time_t time_now, elapsed; + unsigned long num_to_process, processed, remaining, percent, eta; + double time_per_line; + char *eta_str; + + time_now = monotime(); + if (time_start == 0) { + time_start = time_prev = time_now; + return; + } + /* print progress after 1m then once per 5m */ + if (time_now - time_prev < 5 * 60) + return; + time_prev = time_now; + elapsed = time_now - time_start; + processed = current_lineno - start_lineno; + remaining = end_lineno - current_lineno; + num_to_process = end_lineno - start_lineno; + time_per_line = (double)elapsed / processed; + /* if we don't know how many we're processing just report count+time */ + time(&time_now); + if (end_lineno == ULONG_MAX) { + logit("%.24s processed %lu in %s", ctime(&time_now), + processed, fmt_time(elapsed)); + return; + } + percent = 100 * processed / num_to_process; + eta = time_per_line * remaining; + eta_str = xstrdup(fmt_time(eta)); + logit("%.24s processed %lu of %lu (%lu%%) in %s, ETA %s", + ctime(&time_now), processed, num_to_process, percent, + fmt_time(elapsed), eta_str); + free(eta_str); +} + /* * perform a Miller-Rabin primality test * on the list of candidates @@ -512,6 +586,11 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, return (-1); } + if (num_lines == 0) + end_lineno = count_lines(in); + else + end_lineno = start_lineno + num_lines; + time(&time_start); if ((p = BN_new()) == NULL) @@ -526,26 +605,25 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, if (checkpoint_file != NULL) last_processed = read_checkpoint(checkpoint_file); - if (start_lineno > last_processed) - last_processed = start_lineno; - if (num_lines == 0) - end_lineno = ULONG_MAX; + last_processed = start_lineno = MAX(last_processed, start_lineno); + if (end_lineno == ULONG_MAX) + debug("process from line %lu from pipe", last_processed); else - end_lineno = last_processed + num_lines; - debug2("process line %lu to line %lu", last_processed, end_lineno); + debug("process from line %lu to line %lu", last_processed, + end_lineno); res = 0; lp = xmalloc(QLINESIZE + 1); while (fgets(lp, QLINESIZE + 1, in) != NULL && count_in < end_lineno) { count_in++; - if (checkpoint_file != NULL) { - if (count_in <= last_processed) { - debug3("skipping line %u, before checkpoint", - count_in); - continue; - } - write_checkpoint(checkpoint_file, count_in); + if (count_in <= last_processed) { + debug3("skipping line %u, before checkpoint or " + "specified start line", count_in); + continue; } + if (checkpoint_file != NULL) + write_checkpoint(checkpoint_file, count_in); + print_progress(start_lineno, count_in, end_lineno); if (strlen(lp) < 14 || *lp == '!' || *lp == '#') { debug2("%10u: comment or short line", count_in); continue; @@ -709,7 +787,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, } time(&time_stop); - xfree(lp); + free(lp); BN_free(p); BN_free(q); BN_CTX_free(ctx); diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c index 8006b833c..531c4f9a8 100644 --- a/crypto/openssh/monitor.c +++ b/crypto/openssh/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -95,8 +95,8 @@ #include "misc.h" #include "compat.h" #include "ssh2.h" -#include "jpake.h" #include "roaming.h" +#include "authfd.h" #ifdef GSSAPI static Gssctxt *gsscontext = NULL; @@ -160,11 +160,6 @@ int mm_answer_rsa_challenge(int, Buffer *); int mm_answer_rsa_response(int, Buffer *); int mm_answer_sesskey(int, Buffer *); int mm_answer_sessid(int, Buffer *); -int mm_answer_jpake_get_pwdata(int, Buffer *); -int mm_answer_jpake_step1(int, Buffer *); -int mm_answer_jpake_step2(int, Buffer *); -int mm_answer_jpake_key_confirm(int, Buffer *); -int mm_answer_jpake_check_confirm(int, Buffer *); #ifdef USE_PAM int mm_answer_pam_start(int, Buffer *); @@ -252,13 +247,6 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, -#endif -#ifdef JPAKE - {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, - {MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1}, - {MONITOR_REQ_JPAKE_STEP2, MON_ONCE, mm_answer_jpake_step2}, - {MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm}, - {MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm}, #endif {0, 0, NULL} }; @@ -392,7 +380,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) "with SSH protocol 1"); if (authenticated && !auth2_update_methods_lists(authctxt, - auth_method)) { + auth_method, auth_submethod)) { debug3("%s: method %s: partial", __func__, auth_method); authenticated = 0; @@ -422,20 +410,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) } if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { auth_log(authctxt, authenticated, partial, - auth_method, auth_submethod, - compat20 ? " ssh2" : ""); + auth_method, auth_submethod); if (!authenticated) authctxt->failures++; } -#ifdef JPAKE - /* Cleanup JPAKE context after authentication */ - if (ent->flags & MON_AUTHDECIDE) { - if (authctxt->jpake_ctx != NULL) { - jpake_free(authctxt->jpake_ctx); - authctxt->jpake_ctx = NULL; - } - } -#endif } if (!authctxt->valid) @@ -551,7 +529,7 @@ monitor_read_log(struct monitor *pmonitor) do_log2(level, "%s [preauth]", msg); buffer_free(&logmsg); - xfree(msg); + free(msg); return 0; } @@ -566,7 +544,7 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent, struct pollfd pfd[2]; for (;;) { - bzero(&pfd, sizeof(pfd)); + memset(&pfd, 0, sizeof(pfd)); pfd[0].fd = pmonitor->m_sendfd; pfd[0].events = POLLIN; pfd[1].fd = pmonitor->m_log_recvfd; @@ -642,12 +620,9 @@ static void monitor_reset_key_state(void) { /* reset state */ - if (key_blob != NULL) - xfree(key_blob); - if (hostbased_cuser != NULL) - xfree(hostbased_cuser); - if (hostbased_chost != NULL) - xfree(hostbased_chost); + free(key_blob); + free(hostbased_cuser); + free(hostbased_chost); key_blob = NULL; key_bloblen = 0; key_blobtype = MM_NOKEY; @@ -690,6 +665,8 @@ mm_answer_moduli(int sock, Buffer *m) return (0); } +extern AuthenticationConnection *auth_conn; + int mm_answer_sign(int sock, Buffer *m) { @@ -718,18 +695,24 @@ mm_answer_sign(int sock, Buffer *m) memcpy(session_id2, p, session_id2_len); } - if ((key = get_hostkey_by_index(keyid)) == NULL) + if ((key = get_hostkey_by_index(keyid)) != NULL) { + if (key_sign(key, &signature, &siglen, p, datlen) < 0) + fatal("%s: key_sign failed", __func__); + } else if ((key = get_hostkey_public_by_index(keyid)) != NULL && + auth_conn != NULL) { + if (ssh_agent_sign(auth_conn, key, &signature, &siglen, p, + datlen) < 0) + fatal("%s: ssh_agent_sign failed", __func__); + } else fatal("%s: no hostkey from index %d", __func__, keyid); - if (key_sign(key, &signature, &siglen, p, datlen) < 0) - fatal("%s: key_sign failed", __func__); debug3("%s: signature %p(%u)", __func__, signature, siglen); buffer_clear(m); buffer_put_string(m, signature, siglen); - xfree(p); - xfree(signature); + free(p); + free(signature); mm_request_send(sock, MONITOR_ANS_SIGN, m); @@ -760,7 +743,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) authctxt->user = xstrdup(username); setproctitle("%s [priv]", pwent ? username : "unknown"); - xfree(username); + free(username); buffer_clear(m); @@ -778,8 +761,10 @@ mm_answer_pwnamallow(int sock, Buffer *m) buffer_put_string(m, pwent, sizeof(struct passwd)); buffer_put_cstring(m, pwent->pw_name); buffer_put_cstring(m, "*"); +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS buffer_put_cstring(m, pwent->pw_gecos); -#ifdef HAVE_PW_CLASS_IN_PASSWD +#endif +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS buffer_put_cstring(m, pwent->pw_class); #endif buffer_put_cstring(m, pwent->pw_dir); @@ -838,9 +823,7 @@ int mm_answer_auth2_read_banner(int sock, Buffer *m) banner = auth2_read_banner(); buffer_put_cstring(m, banner != NULL ? banner : ""); mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m); - - if (banner != NULL) - xfree(banner); + free(banner); return (0); } @@ -856,7 +839,7 @@ mm_answer_authserv(int sock, Buffer *m) __func__, authctxt->service, authctxt->style); if (strlen(authctxt->style) == 0) { - xfree(authctxt->style); + free(authctxt->style); authctxt->style = NULL; } @@ -875,8 +858,8 @@ mm_answer_authpassword(int sock, Buffer *m) /* Only authenticate if the context is valid */ authenticated = options.password_authentication && auth_password(authctxt, passwd); - memset(passwd, 0, strlen(passwd)); - xfree(passwd); + explicit_bzero(passwd, strlen(passwd)); + free(passwd); buffer_clear(m); buffer_put_int(m, authenticated); @@ -916,10 +899,10 @@ mm_answer_bsdauthquery(int sock, Buffer *m) mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m); if (success) { - xfree(name); - xfree(infotxt); - xfree(prompts); - xfree(echo_on); + free(name); + free(infotxt); + free(prompts); + free(echo_on); } return (0); @@ -939,7 +922,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) auth_userresponse(authctxt->as, response, 0); authctxt->as = NULL; debug3("%s: <%s> = <%d>", __func__, response, authok); - xfree(response); + free(response); buffer_clear(m); buffer_put_int(m, authok); @@ -947,9 +930,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) debug3("%s: sending authenticated: %d", __func__, authok); mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); - if (compat20) - auth_method = "keyboard-interactive"; /* XXX auth_submethod */ - else + if (compat20) { + auth_method = "keyboard-interactive"; + auth_submethod = "bsdauth"; + } else auth_method = "bsdauth"; return (authok != 0); @@ -991,7 +975,7 @@ mm_answer_skeyrespond(int sock, Buffer *m) skey_haskey(authctxt->pw->pw_name) == 0 && skey_passcheck(authctxt->pw->pw_name, response) != -1); - xfree(response); + free(response); buffer_clear(m); buffer_put_int(m, authok); @@ -1076,19 +1060,17 @@ mm_answer_pam_query(int sock, Buffer *m) buffer_clear(m); buffer_put_int(m, ret); buffer_put_cstring(m, name); - xfree(name); + free(name); buffer_put_cstring(m, info); - xfree(info); + free(info); buffer_put_int(m, num); for (i = 0; i < num; ++i) { buffer_put_cstring(m, prompts[i]); - xfree(prompts[i]); + free(prompts[i]); buffer_put_int(m, echo_on[i]); } - if (prompts != NULL) - xfree(prompts); - if (echo_on != NULL) - xfree(echo_on); + free(prompts); + free(echo_on); auth_method = "keyboard-interactive"; auth_submethod = "pam"; mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); @@ -1111,8 +1093,8 @@ mm_answer_pam_respond(int sock, Buffer *m) resp[i] = buffer_get_string(m, NULL); ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); for (i = 0; i < num; ++i) - xfree(resp[i]); - xfree(resp); + free(resp[i]); + free(resp); } else { ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL); } @@ -1170,6 +1152,7 @@ mm_answer_keyallowed(int sock, Buffer *m) case MM_USERKEY: allowed = options.pubkey_authentication && user_key_allowed(authctxt->pw, key); + pubkey_auth_info(authctxt, key, NULL); auth_method = "publickey"; if (options.pubkey_authentication && allowed != 1) auth_clear_options(); @@ -1178,6 +1161,9 @@ mm_answer_keyallowed(int sock, Buffer *m) allowed = options.hostbased_authentication && hostbased_key_allowed(authctxt->pw, cuser, chost, key); + pubkey_auth_info(authctxt, key, + "client user \"%.100s\", client host \"%.100s\"", + cuser, chost); auth_method = "hostbased"; break; case MM_RSAHOSTKEY: @@ -1209,11 +1195,10 @@ mm_answer_keyallowed(int sock, Buffer *m) hostbased_chost = chost; } else { /* Log failed attempt */ - auth_log(authctxt, 0, 0, auth_method, NULL, - compat20 ? " ssh2" : ""); - xfree(blob); - xfree(cuser); - xfree(chost); + auth_log(authctxt, 0, 0, auth_method, NULL); + free(blob); + free(cuser); + free(chost); } debug3("%s: key %p is %s", @@ -1235,7 +1220,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; - char *p; + char *p, *userstyle; u_int len; int fail = 0; @@ -1256,26 +1241,30 @@ monitor_valid_userblob(u_char *data, u_int datalen) (len != session_id2_len) || (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) fail++; - xfree(p); + free(p); } if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_string(&b, NULL); - if (strcmp(authctxt->user, p) != 0) { + p = buffer_get_cstring(&b, NULL); + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); + if (strcmp(userstyle, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); + userstyle, p); fail++; } - xfree(p); + free(userstyle); + free(p); buffer_skip_string(&b); if (datafellows & SSH_BUG_PKAUTH) { if (!buffer_get_char(&b)) fail++; } else { - p = buffer_get_string(&b, NULL); + p = buffer_get_cstring(&b, NULL); if (strcmp("publickey", p) != 0) fail++; - xfree(p); + free(p); if (!buffer_get_char(&b)) fail++; buffer_skip_string(&b); @@ -1292,7 +1281,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, char *chost) { Buffer b; - char *p; + char *p, *userstyle; u_int len; int fail = 0; @@ -1304,22 +1293,26 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, (len != session_id2_len) || (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) fail++; - xfree(p); + free(p); if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_string(&b, NULL); - if (strcmp(authctxt->user, p) != 0) { + p = buffer_get_cstring(&b, NULL); + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); + if (strcmp(userstyle, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); + userstyle, p); fail++; } - xfree(p); + free(userstyle); + free(p); buffer_skip_string(&b); /* service */ - p = buffer_get_string(&b, NULL); + p = buffer_get_cstring(&b, NULL); if (strcmp(p, "hostbased") != 0) fail++; - xfree(p); + free(p); buffer_skip_string(&b); /* pkalg */ buffer_skip_string(&b); /* pkblob */ @@ -1329,13 +1322,13 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, p[len - 1] = '\0'; if (strcmp(p, chost) != 0) fail++; - xfree(p); + free(p); /* verify client user */ p = buffer_get_string(&b, NULL); if (strcmp(p, cuser) != 0) fail++; - xfree(p); + free(p); if (buffer_len(&b) != 0) fail++; @@ -1384,9 +1377,9 @@ mm_answer_keyverify(int sock, Buffer *m) __func__, key, (verified == 1) ? "verified" : "unverified"); key_free(key); - xfree(blob); - xfree(signature); - xfree(data); + free(blob); + free(signature); + free(data); auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; @@ -1514,7 +1507,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m) if ((s = session_by_tty(tty)) != NULL) mm_session_close(s); buffer_clear(m); - xfree(tty); + free(tty); return (0); } @@ -1646,7 +1639,7 @@ mm_answer_rsa_challenge(int sock, Buffer *m) monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); - xfree(blob); + free(blob); key_free(key); return (0); } @@ -1678,9 +1671,9 @@ mm_answer_rsa_response(int sock, Buffer *m) fatal("%s: received bad response to challenge", __func__); success = auth_rsa_verify_response(key, ssh1_challenge, response); - xfree(blob); + free(blob); key_free(key); - xfree(response); + free(response); auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa"; @@ -1759,7 +1752,7 @@ mm_answer_audit_command(int socket, Buffer *m) cmd = buffer_get_string(m, &len); /* sanity check command, if so how? */ audit_run_command(cmd); - xfree(cmd); + free(cmd); return (0); } #endif /* SSH_AUDIT_EVENTS */ @@ -1774,20 +1767,20 @@ monitor_apply_keystate(struct monitor *pmonitor) packet_set_protocol_flags(child_state.ssh1protoflags); packet_set_encryption_key(child_state.ssh1key, child_state.ssh1keylen, child_state.ssh1cipher); - xfree(child_state.ssh1key); + free(child_state.ssh1key); } /* for rc4 and other stateful ciphers */ packet_set_keycontext(MODE_OUT, child_state.keyout); - xfree(child_state.keyout); + free(child_state.keyout); packet_set_keycontext(MODE_IN, child_state.keyin); - xfree(child_state.keyin); + free(child_state.keyin); if (!compat20) { packet_set_iv(MODE_OUT, child_state.ivout); - xfree(child_state.ivout); + free(child_state.ivout); packet_set_iv(MODE_IN, child_state.ivin); - xfree(child_state.ivin); + free(child_state.ivin); } memcpy(&incoming_stream, &child_state.incoming, @@ -1799,18 +1792,22 @@ monitor_apply_keystate(struct monitor *pmonitor) if (options.compression) mm_init_compression(pmonitor->m_zlib); + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); + /* Network I/O buffers */ /* XXX inefficient for large buffers, need: buffer_init_from_string */ buffer_clear(packet_get_input()); buffer_append(packet_get_input(), child_state.input, child_state.ilen); - memset(child_state.input, 0, child_state.ilen); - xfree(child_state.input); + explicit_bzero(child_state.input, child_state.ilen); + free(child_state.input); buffer_clear(packet_get_output()); buffer_append(packet_get_output(), child_state.output, child_state.olen); - memset(child_state.output, 0, child_state.olen); - xfree(child_state.output); + explicit_bzero(child_state.output, child_state.olen); + free(child_state.output); /* Roaming */ if (compat20) @@ -1836,17 +1833,18 @@ mm_get_kex(Buffer *m) kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; + kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); blob = buffer_get_string(m, &bloblen); buffer_init(&kex->my); buffer_append(&kex->my, blob, bloblen); - xfree(blob); + free(blob); blob = buffer_get_string(m, &bloblen); buffer_init(&kex->peer); buffer_append(&kex->peer, blob, bloblen); - xfree(blob); + free(blob); kex->done = 1; kex->flags = buffer_get_int(m); kex->client_version_string = buffer_get_string(m, NULL); @@ -1854,6 +1852,7 @@ mm_get_kex(Buffer *m) kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; + kex->sign = sshd_hostkey_sign; return (kex); } @@ -1889,12 +1888,12 @@ mm_get_keystate(struct monitor *pmonitor) blob = buffer_get_string(&m, &bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); - xfree(blob); + free(blob); debug3("%s: Waiting for second key", __func__); blob = buffer_get_string(&m, &bloblen); current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); - xfree(blob); + free(blob); /* Now get sequence numbers for the packets */ seqnr = buffer_get_int(&m); @@ -1919,13 +1918,13 @@ mm_get_keystate(struct monitor *pmonitor) if (plen != sizeof(child_state.outgoing)) fatal("%s: bad request size", __func__); memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing)); - xfree(p); + free(p); p = buffer_get_string(&m, &plen); if (plen != sizeof(child_state.incoming)) fatal("%s: bad request size", __func__); memcpy(&child_state.incoming, p, sizeof(child_state.incoming)); - xfree(p); + free(p); /* Network I/O buffers */ debug3("%s: Getting Network I/O buffers", __func__); @@ -2047,7 +2046,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) major = ssh_gssapi_server_ctx(&gsscontext, &goid); - xfree(goid.elements); + free(goid.elements); buffer_clear(m); buffer_put_int(m, major); @@ -2072,7 +2071,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); - xfree(in.value); + free(in.value); buffer_clear(m); buffer_put_int(m, major); @@ -2104,8 +2103,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); - xfree(gssbuf.value); - xfree(mic.value); + free(gssbuf.value); + free(mic.value); buffer_clear(m); buffer_put_int(m, ret); @@ -2138,205 +2137,3 @@ mm_answer_gss_userok(int sock, Buffer *m) } #endif /* GSSAPI */ -#ifdef JPAKE -int -mm_answer_jpake_step1(int sock, Buffer *m) -{ - struct jpake_ctx *pctx; - u_char *x3_proof, *x4_proof; - u_int x3_proof_len, x4_proof_len; - - if (!options.zero_knowledge_password_authentication) - fatal("zero_knowledge_password_authentication disabled"); - - if (authctxt->jpake_ctx != NULL) - fatal("%s: authctxt->jpake_ctx already set (%p)", - __func__, authctxt->jpake_ctx); - authctxt->jpake_ctx = pctx = jpake_new(); - - jpake_step1(pctx->grp, - &pctx->server_id, &pctx->server_id_len, - &pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4, - &x3_proof, &x3_proof_len, - &x4_proof, &x4_proof_len); - - JPAKE_DEBUG_CTX((pctx, "step1 done in %s", __func__)); - - buffer_clear(m); - - buffer_put_string(m, pctx->server_id, pctx->server_id_len); - buffer_put_bignum2(m, pctx->g_x3); - buffer_put_bignum2(m, pctx->g_x4); - buffer_put_string(m, x3_proof, x3_proof_len); - buffer_put_string(m, x4_proof, x4_proof_len); - - debug3("%s: sending step1", __func__); - mm_request_send(sock, MONITOR_ANS_JPAKE_STEP1, m); - - bzero(x3_proof, x3_proof_len); - bzero(x4_proof, x4_proof_len); - xfree(x3_proof); - xfree(x4_proof); - - monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0); - - return 0; -} - -int -mm_answer_jpake_get_pwdata(int sock, Buffer *m) -{ - struct jpake_ctx *pctx = authctxt->jpake_ctx; - char *hash_scheme, *salt; - - if (pctx == NULL) - fatal("%s: pctx == NULL", __func__); - - auth2_jpake_get_pwdata(authctxt, &pctx->s, &hash_scheme, &salt); - - buffer_clear(m); - /* pctx->s is sensitive, not returned to slave */ - buffer_put_cstring(m, hash_scheme); - buffer_put_cstring(m, salt); - - debug3("%s: sending pwdata", __func__); - mm_request_send(sock, MONITOR_ANS_JPAKE_GET_PWDATA, m); - - bzero(hash_scheme, strlen(hash_scheme)); - bzero(salt, strlen(salt)); - xfree(hash_scheme); - xfree(salt); - - monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1); - - return 0; -} - -int -mm_answer_jpake_step2(int sock, Buffer *m) -{ - struct jpake_ctx *pctx = authctxt->jpake_ctx; - u_char *x1_proof, *x2_proof, *x4_s_proof; - u_int x1_proof_len, x2_proof_len, x4_s_proof_len; - - if (pctx == NULL) - fatal("%s: pctx == NULL", __func__); - - if ((pctx->g_x1 = BN_new()) == NULL || - (pctx->g_x2 = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - buffer_get_bignum2(m, pctx->g_x1); - buffer_get_bignum2(m, pctx->g_x2); - pctx->client_id = buffer_get_string(m, &pctx->client_id_len); - x1_proof = buffer_get_string(m, &x1_proof_len); - x2_proof = buffer_get_string(m, &x2_proof_len); - - jpake_step2(pctx->grp, pctx->s, pctx->g_x3, - pctx->g_x1, pctx->g_x2, pctx->x4, - pctx->client_id, pctx->client_id_len, - pctx->server_id, pctx->server_id_len, - x1_proof, x1_proof_len, - x2_proof, x2_proof_len, - &pctx->b, - &x4_s_proof, &x4_s_proof_len); - - JPAKE_DEBUG_CTX((pctx, "step2 done in %s", __func__)); - - bzero(x1_proof, x1_proof_len); - bzero(x2_proof, x2_proof_len); - xfree(x1_proof); - xfree(x2_proof); - - buffer_clear(m); - - buffer_put_bignum2(m, pctx->b); - buffer_put_string(m, x4_s_proof, x4_s_proof_len); - - debug3("%s: sending step2", __func__); - mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); - - bzero(x4_s_proof, x4_s_proof_len); - xfree(x4_s_proof); - - monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); - - return 0; -} - -int -mm_answer_jpake_key_confirm(int sock, Buffer *m) -{ - struct jpake_ctx *pctx = authctxt->jpake_ctx; - u_char *x2_s_proof; - u_int x2_s_proof_len; - - if (pctx == NULL) - fatal("%s: pctx == NULL", __func__); - - if ((pctx->a = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - buffer_get_bignum2(m, pctx->a); - x2_s_proof = buffer_get_string(m, &x2_s_proof_len); - - jpake_key_confirm(pctx->grp, pctx->s, pctx->a, - pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2, - pctx->server_id, pctx->server_id_len, - pctx->client_id, pctx->client_id_len, - session_id2, session_id2_len, - x2_s_proof, x2_s_proof_len, - &pctx->k, - &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len); - - JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__)); - - bzero(x2_s_proof, x2_s_proof_len); - buffer_clear(m); - - /* pctx->k is sensitive, not sent */ - buffer_put_string(m, pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len); - - debug3("%s: sending confirmation hash", __func__); - mm_request_send(sock, MONITOR_ANS_JPAKE_KEY_CONFIRM, m); - - monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_CHECK_CONFIRM, 1); - - return 0; -} - -int -mm_answer_jpake_check_confirm(int sock, Buffer *m) -{ - int authenticated = 0; - u_char *peer_confirm_hash; - u_int peer_confirm_hash_len; - struct jpake_ctx *pctx = authctxt->jpake_ctx; - - if (pctx == NULL) - fatal("%s: pctx == NULL", __func__); - - peer_confirm_hash = buffer_get_string(m, &peer_confirm_hash_len); - - authenticated = jpake_check_confirm(pctx->k, - pctx->client_id, pctx->client_id_len, - session_id2, session_id2_len, - peer_confirm_hash, peer_confirm_hash_len) && authctxt->valid; - - JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__)); - - bzero(peer_confirm_hash, peer_confirm_hash_len); - xfree(peer_confirm_hash); - - buffer_clear(m); - buffer_put_int(m, authenticated); - - debug3("%s: sending result %d", __func__, authenticated); - mm_request_send(sock, MONITOR_ANS_JPAKE_CHECK_CONFIRM, m); - - monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1); - - auth_method = "jpake-01@openssh.com"; - return authenticated; -} - -#endif /* JPAKE */ diff --git a/crypto/openssh/monitor.h b/crypto/openssh/monitor.h index 2caa46933..5bc41b513 100644 --- a/crypto/openssh/monitor.h +++ b/crypto/openssh/monitor.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.17 2012/12/02 20:34:10 djm Exp $ */ +/* $OpenBSD: monitor.h,v 1.18 2014/01/29 06:18:35 djm Exp $ */ /* * Copyright 2002 Niels Provos @@ -56,11 +56,6 @@ enum monitor_reqtype { MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47, MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, MONITOR_REQ_TERM = 50, - MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53, - MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55, - MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57, - MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59, - MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61, MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, diff --git a/crypto/openssh/monitor_mm.c b/crypto/openssh/monitor_mm.c index faf9f3dcb..0ba0658a1 100644 --- a/crypto/openssh/monitor_mm.c +++ b/crypto/openssh/monitor_mm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_mm.c,v 1.16 2009/06/22 05:39:28 dtucker Exp $ */ +/* $OpenBSD: monitor_mm.c,v 1.19 2014/01/04 17:50:55 tedu Exp $ */ /* * Copyright 2002 Niels Provos * All rights reserved. @@ -35,6 +35,8 @@ #include #include +#include +#include #include #include "xmalloc.h" @@ -45,7 +47,7 @@ static int mm_compare(struct mm_share *a, struct mm_share *b) { - long diff = (char *)a->address - (char *)b->address; + ptrdiff_t diff = (char *)a->address - (char *)b->address; if (diff == 0) return (0); @@ -64,7 +66,7 @@ mm_make_entry(struct mm_master *mm, struct mmtree *head, struct mm_share *tmp, *tmp2; if (mm->mmalloc == NULL) - tmp = xmalloc(sizeof(struct mm_share)); + tmp = xcalloc(1, sizeof(struct mm_share)); else tmp = mm_xmalloc(mm->mmalloc, sizeof(struct mm_share)); tmp->address = address; @@ -72,8 +74,8 @@ mm_make_entry(struct mm_master *mm, struct mmtree *head, tmp2 = RB_INSERT(mmtree, head, tmp); if (tmp2 != NULL) - fatal("mm_make_entry(%p): double address %p->%p(%lu)", - mm, tmp2, address, (u_long)size); + fatal("mm_make_entry(%p): double address %p->%p(%zu)", + mm, tmp2, address, size); return (tmp); } @@ -87,7 +89,7 @@ mm_create(struct mm_master *mmalloc, size_t size) struct mm_master *mm; if (mmalloc == NULL) - mm = xmalloc(sizeof(struct mm_master)); + mm = xcalloc(1, sizeof(struct mm_master)); else mm = mm_xmalloc(mmalloc, sizeof(struct mm_master)); @@ -100,7 +102,7 @@ mm_create(struct mm_master *mmalloc, size_t size) address = xmmap(size); if (address == (void *)MAP_FAILED) - fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); + fatal("mmap(%zu): %s", size, strerror(errno)); mm->address = address; mm->size = size; @@ -124,7 +126,7 @@ mm_freelist(struct mm_master *mmalloc, struct mmtree *head) next = RB_NEXT(mmtree, head, mms); RB_REMOVE(mmtree, head, mms); if (mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mmalloc, mms); } @@ -140,14 +142,14 @@ mm_destroy(struct mm_master *mm) #ifdef HAVE_MMAP if (munmap(mm->address, mm->size) == -1) - fatal("munmap(%p, %lu): %s", mm->address, (u_long)mm->size, + fatal("munmap(%p, %zu): %s", mm->address, mm->size, strerror(errno)); #else fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported", __func__); #endif if (mm->mmalloc == NULL) - xfree(mm); + free(mm); else mm_free(mm->mmalloc, mm); } @@ -159,7 +161,8 @@ mm_xmalloc(struct mm_master *mm, size_t size) address = mm_malloc(mm, size); if (address == NULL) - fatal("%s: mm_malloc(%lu)", __func__, (u_long)size); + fatal("%s: mm_malloc(%zu)", __func__, size); + memset(address, 0, size); return (address); } @@ -193,12 +196,12 @@ mm_malloc(struct mm_master *mm, size_t size) /* Does not change order in RB tree */ mms->size -= size; - mms->address = (u_char *)mms->address + size; + mms->address = (char *)mms->address + size; if (mms->size == 0) { RB_REMOVE(mmtree, &mm->rb_free, mms); if (mm->mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mm->mmalloc, mms); } @@ -246,15 +249,15 @@ mm_free(struct mm_master *mm, void *address) /* Check if range does not overlap */ if (prev != NULL && MM_ADDRESS_END(prev) > address) - fatal("mm_free: memory corruption: %p(%lu) > %p", - prev->address, (u_long)prev->size, address); + fatal("mm_free: memory corruption: %p(%zu) > %p", + prev->address, prev->size, address); /* See if we can merge backwards */ if (prev != NULL && MM_ADDRESS_END(prev) == address) { prev->size += mms->size; RB_REMOVE(mmtree, &mm->rb_free, mms); if (mm->mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mm->mmalloc, mms); } else @@ -269,8 +272,8 @@ mm_free(struct mm_master *mm, void *address) return; if (MM_ADDRESS_END(prev) > mms->address) - fatal("mm_free: memory corruption: %p < %p(%lu)", - mms->address, prev->address, (u_long)prev->size); + fatal("mm_free: memory corruption: %p < %p(%zu)", + mms->address, prev->address, prev->size); if (MM_ADDRESS_END(prev) != mms->address) return; @@ -278,7 +281,7 @@ mm_free(struct mm_master *mm, void *address) RB_REMOVE(mmtree, &mm->rb_free, mms); if (mm->mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mm->mmalloc, mms); } @@ -341,12 +344,12 @@ mm_share_sync(struct mm_master **pmm, struct mm_master **pmmalloc) void mm_memvalid(struct mm_master *mm, void *address, size_t size) { - void *end = (u_char *)address + size; + void *end = (char *)address + size; if (address < mm->address) fatal("mm_memvalid: address too small: %p", address); if (end < address) fatal("mm_memvalid: end < address: %p < %p", end, address); - if (end > (void *)((u_char *)mm->address + mm->size)) + if (end > MM_ADDRESS_END(mm)) fatal("mm_memvalid: address too large: %p", address); } diff --git a/crypto/openssh/monitor_mm.h b/crypto/openssh/monitor_mm.h index c890f7709..f1fae7e3b 100644 --- a/crypto/openssh/monitor_mm.h +++ b/crypto/openssh/monitor_mm.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_mm.h,v 1.5 2008/04/29 11:20:31 otto Exp $ */ +/* $OpenBSD: monitor_mm.h,v 1.6 2014/01/04 17:50:55 tedu Exp $ */ /* * Copyright 2002 Niels Provos @@ -47,7 +47,7 @@ RB_PROTOTYPE(mmtree, mm_share, next, mm_compare) #define MM_MINSIZE 128 -#define MM_ADDRESS_END(x) (void *)((u_char *)(x)->address + (x)->size) +#define MM_ADDRESS_END(x) (void *)((char *)(x)->address + (x)->size) struct mm_master *mm_create(struct mm_master *, size_t); void mm_destroy(struct mm_master *); diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c index ea654a73f..1a47e4174 100644 --- a/crypto/openssh/monitor_wrap.c +++ b/crypto/openssh/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.79 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -71,8 +71,6 @@ #include "atomicio.h" #include "monitor_fdpass.h" #include "misc.h" -#include "schnorr.h" -#include "jpake.h" #include "uuencode.h" #include "channels.h" @@ -259,8 +257,10 @@ mm_getpwnamallow(const char *username) fatal("%s: struct passwd size mismatch", __func__); pw->pw_name = buffer_get_string(&m, NULL); pw->pw_passwd = buffer_get_string(&m, NULL); +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS pw->pw_gecos = buffer_get_string(&m, NULL); -#ifdef HAVE_PW_CLASS_IN_PASSWD +#endif +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS pw->pw_class = buffer_get_string(&m, NULL); #endif pw->pw_dir = buffer_get_string(&m, NULL); @@ -286,7 +286,7 @@ out: #undef M_CP_STRARRAYOPT copy_set_server_options(&options, newopts, 1); - xfree(newopts); + free(newopts); buffer_free(&m); @@ -312,7 +312,7 @@ mm_auth2_read_banner(void) /* treat empty banner as missing banner */ if (strlen(banner) == 0) { - xfree(banner); + free(banner); banner = NULL; } return (banner); @@ -405,7 +405,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) buffer_put_cstring(&m, user ? user : ""); buffer_put_cstring(&m, host ? host : ""); buffer_put_string(&m, blob, len); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); @@ -448,7 +448,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) buffer_put_string(&m, blob, len); buffer_put_string(&m, sig, siglen); buffer_put_string(&m, data, datalen); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); @@ -480,7 +480,7 @@ mm_newkeys_from_blob(u_char *blob, int blen) buffer_init(&b); buffer_append(&b, blob, blen); - newkey = xmalloc(sizeof(*newkey)); + newkey = xcalloc(1, sizeof(*newkey)); enc = &newkey->enc; mac = &newkey->mac; comp = &newkey->comp; @@ -572,7 +572,7 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp) *blobp = xmalloc(len); memcpy(*blobp, buffer_ptr(&b), len); } - memset(buffer_ptr(&b), 0, len); + explicit_bzero(buffer_ptr(&b), len); buffer_free(&b); return len; } @@ -616,8 +616,8 @@ mm_send_keystate(struct monitor *monitor) key = xmalloc(keylen+1); /* add 1 if keylen == 0 */ keylen = packet_get_encryption_key(key); buffer_put_string(&m, key, keylen); - memset(key, 0, keylen); - xfree(key); + explicit_bzero(key, keylen); + free(key); ivlen = packet_get_keyiv_len(MODE_OUT); packet_get_keyiv(MODE_OUT, iv, ivlen); @@ -640,13 +640,13 @@ mm_send_keystate(struct monitor *monitor) fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); - xfree(blob); + free(blob); if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); - xfree(blob); + free(blob); packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); buffer_put_int(&m, seqnr); @@ -666,13 +666,13 @@ mm_send_keystate(struct monitor *monitor) p = xmalloc(plen+1); packet_get_keycontext(MODE_OUT, p); buffer_put_string(&m, p, plen); - xfree(p); + free(p); plen = packet_get_keycontext(MODE_IN, NULL); p = xmalloc(plen+1); packet_get_keycontext(MODE_IN, p); buffer_put_string(&m, p, plen); - xfree(p); + free(p); /* Compression state */ debug3("%s: Sending compression state", __func__); @@ -734,10 +734,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) buffer_free(&m); strlcpy(namebuf, p, namebuflen); /* Possible truncation */ - xfree(p); + free(p); buffer_append(&loginmsg, msg, strlen(msg)); - xfree(msg); + free(msg); if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 || (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1) @@ -803,7 +803,7 @@ mm_do_pam_account(void) ret = buffer_get_int(&m); msg = buffer_get_string(&m, NULL); buffer_append(&loginmsg, msg, strlen(msg)); - xfree(msg); + free(msg); buffer_free(&m); @@ -1033,7 +1033,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt, mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT); - xfree(challenge); + free(challenge); return (0); } @@ -1107,7 +1107,7 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) if ((key = key_from_blob(blob, blen)) == NULL) fatal("%s: key_from_blob failed", __func__); *rkey = key; - xfree(blob); + free(blob); } buffer_free(&m); @@ -1134,7 +1134,7 @@ mm_auth_rsa_generate_challenge(Key *key) buffer_init(&m); buffer_put_string(&m, blob, blen); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m); @@ -1163,7 +1163,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) buffer_init(&m); buffer_put_string(&m, blob, blen); buffer_put_string(&m, response, 16); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m); @@ -1290,164 +1290,3 @@ mm_ssh_gssapi_userok(char *user) } #endif /* GSSAPI */ -#ifdef JPAKE -void -mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s, - char **hash_scheme, char **salt) -{ - Buffer m; - - debug3("%s entering", __func__); - - buffer_init(&m); - mm_request_send(pmonitor->m_recvfd, - MONITOR_REQ_JPAKE_GET_PWDATA, &m); - - debug3("%s: waiting for MONITOR_ANS_JPAKE_GET_PWDATA", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, - MONITOR_ANS_JPAKE_GET_PWDATA, &m); - - *hash_scheme = buffer_get_string(&m, NULL); - *salt = buffer_get_string(&m, NULL); - - buffer_free(&m); -} - -void -mm_jpake_step1(struct modp_group *grp, - u_char **id, u_int *id_len, - BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2, - u_char **priv1_proof, u_int *priv1_proof_len, - u_char **priv2_proof, u_int *priv2_proof_len) -{ - Buffer m; - - debug3("%s entering", __func__); - - buffer_init(&m); - mm_request_send(pmonitor->m_recvfd, - MONITOR_REQ_JPAKE_STEP1, &m); - - debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP1", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, - MONITOR_ANS_JPAKE_STEP1, &m); - - if ((*priv1 = BN_new()) == NULL || - (*priv2 = BN_new()) == NULL || - (*g_priv1 = BN_new()) == NULL || - (*g_priv2 = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - - *id = buffer_get_string(&m, id_len); - /* priv1 and priv2 are, well, private */ - buffer_get_bignum2(&m, *g_priv1); - buffer_get_bignum2(&m, *g_priv2); - *priv1_proof = buffer_get_string(&m, priv1_proof_len); - *priv2_proof = buffer_get_string(&m, priv2_proof_len); - - buffer_free(&m); -} - -void -mm_jpake_step2(struct modp_group *grp, BIGNUM *s, - BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2, - const u_char *theirid, u_int theirid_len, - const u_char *myid, u_int myid_len, - const u_char *theirpub1_proof, u_int theirpub1_proof_len, - const u_char *theirpub2_proof, u_int theirpub2_proof_len, - BIGNUM **newpub, - u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len) -{ - Buffer m; - - debug3("%s entering", __func__); - - buffer_init(&m); - /* monitor already has all bignums except theirpub1, theirpub2 */ - buffer_put_bignum2(&m, theirpub1); - buffer_put_bignum2(&m, theirpub2); - /* monitor already knows our id */ - buffer_put_string(&m, theirid, theirid_len); - buffer_put_string(&m, theirpub1_proof, theirpub1_proof_len); - buffer_put_string(&m, theirpub2_proof, theirpub2_proof_len); - - mm_request_send(pmonitor->m_recvfd, - MONITOR_REQ_JPAKE_STEP2, &m); - - debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP2", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, - MONITOR_ANS_JPAKE_STEP2, &m); - - if ((*newpub = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - - buffer_get_bignum2(&m, *newpub); - *newpub_exponent_proof = buffer_get_string(&m, - newpub_exponent_proof_len); - - buffer_free(&m); -} - -void -mm_jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val, - BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2, - BIGNUM *theirpub1, BIGNUM *theirpub2, - const u_char *my_id, u_int my_id_len, - const u_char *their_id, u_int their_id_len, - const u_char *sess_id, u_int sess_id_len, - const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len, - BIGNUM **k, - u_char **confirm_hash, u_int *confirm_hash_len) -{ - Buffer m; - - debug3("%s entering", __func__); - - buffer_init(&m); - /* monitor already has all bignums except step2_val */ - buffer_put_bignum2(&m, step2_val); - /* monitor already knows all the ids */ - buffer_put_string(&m, theirpriv2_s_proof, theirpriv2_s_proof_len); - - mm_request_send(pmonitor->m_recvfd, - MONITOR_REQ_JPAKE_KEY_CONFIRM, &m); - - debug3("%s: waiting for MONITOR_ANS_JPAKE_KEY_CONFIRM", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, - MONITOR_ANS_JPAKE_KEY_CONFIRM, &m); - - /* 'k' is sensitive and stays in the monitor */ - *confirm_hash = buffer_get_string(&m, confirm_hash_len); - - buffer_free(&m); -} - -int -mm_jpake_check_confirm(const BIGNUM *k, - const u_char *peer_id, u_int peer_id_len, - const u_char *sess_id, u_int sess_id_len, - const u_char *peer_confirm_hash, u_int peer_confirm_hash_len) -{ - Buffer m; - int success = 0; - - debug3("%s entering", __func__); - - buffer_init(&m); - /* k is dummy in slave, ignored */ - /* monitor knows all the ids */ - buffer_put_string(&m, peer_confirm_hash, peer_confirm_hash_len); - mm_request_send(pmonitor->m_recvfd, - MONITOR_REQ_JPAKE_CHECK_CONFIRM, &m); - - debug3("%s: waiting for MONITOR_ANS_JPAKE_CHECK_CONFIRM", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, - MONITOR_ANS_JPAKE_CHECK_CONFIRM, &m); - - success = buffer_get_int(&m); - buffer_free(&m); - - debug3("%s: success = %d", __func__, success); - return success; -} -#endif /* JPAKE */ diff --git a/crypto/openssh/monitor_wrap.h b/crypto/openssh/monitor_wrap.h index 0c7f2e384..18c25010d 100644 --- a/crypto/openssh/monitor_wrap.h +++ b/crypto/openssh/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.23 2011/06/17 21:44:31 djm Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.24 2014/01/29 06:18:35 djm Exp $ */ /* * Copyright 2002 Niels Provos @@ -102,26 +102,6 @@ int mm_bsdauth_respond(void *, u_int, char **); int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); -/* jpake */ -struct modp_group; -void mm_auth2_jpake_get_pwdata(struct Authctxt *, BIGNUM **, char **, char **); -void mm_jpake_step1(struct modp_group *, u_char **, u_int *, - BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **, - u_char **, u_int *, u_char **, u_int *); -void mm_jpake_step2(struct modp_group *, BIGNUM *, - BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, - const u_char *, u_int, const u_char *, u_int, - const u_char *, u_int, const u_char *, u_int, - BIGNUM **, u_char **, u_int *); -void mm_jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *, - BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, - const u_char *, u_int, const u_char *, u_int, - const u_char *, u_int, const u_char *, u_int, - BIGNUM **, u_char **, u_int *); -int mm_jpake_check_confirm(const BIGNUM *, - const u_char *, u_int, const u_char *, u_int, const u_char *, u_int); - - /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); diff --git a/crypto/openssh/mux.c b/crypto/openssh/mux.c index 1ae0e0915..6ef88c9cb 100644 --- a/crypto/openssh/mux.c +++ b/crypto/openssh/mux.c @@ -1,4 +1,5 @@ -/* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.44 2013/07/12 00:19:58 djm Exp $ */ +/* $FreeBSD$ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -31,6 +32,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include @@ -184,7 +186,7 @@ static const struct { /* Cleanup callback fired on closure of mux slave _session_ channel */ /* ARGSUSED */ -void +static void mux_master_session_cleanup_cb(int cid, void *unused) { Channel *cc, *c = channel_by_id(cid); @@ -219,7 +221,8 @@ mux_master_control_cleanup_cb(int cid, void *unused) __func__, c->self, c->remote_id); c->remote_id = -1; sc->ctl_chan = -1; - if (sc->type != SSH_CHANNEL_OPEN) { + if (sc->type != SSH_CHANNEL_OPEN && + sc->type != SSH_CHANNEL_OPENING) { debug2("%s: channel %d: not open", __func__, sc->self); chan_mark_dead(sc); } else { @@ -286,13 +289,13 @@ process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r) char *value = buffer_get_string_ret(m, NULL); if (name == NULL || value == NULL) { - if (name != NULL) - xfree(name); + free(name); + free(value); goto malf; } debug2("Unrecognised slave extension \"%s\"", name); - xfree(name); - xfree(value); + free(name); + free(value); } state->hello_rcvd = 1; return 0; @@ -323,21 +326,17 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) (cctx->term = buffer_get_string_ret(m, &len)) == NULL || (cmd = buffer_get_string_ret(m, &len)) == NULL) { malf: - if (cmd != NULL) - xfree(cmd); - if (reserved != NULL) - xfree(reserved); + free(cmd); + free(reserved); for (j = 0; j < env_len; j++) - xfree(cctx->env[j]); - if (env_len > 0) - xfree(cctx->env); - if (cctx->term != NULL) - xfree(cctx->term); - xfree(cctx); + free(cctx->env[j]); + free(cctx->env); + free(cctx->term); + free(cctx); error("%s: malformed message", __func__); return -1; } - xfree(reserved); + free(reserved); reserved = NULL; while (buffer_len(m) > 0) { @@ -345,7 +344,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) if ((cp = buffer_get_string_ret(m, &len)) == NULL) goto malf; if (!env_permitted(cp)) { - xfree(cp); + free(cp); continue; } cctx->env = xrealloc(cctx->env, env_len + 2, @@ -366,7 +365,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_init(&cctx->cmd); buffer_append(&cctx->cmd, cmd, strlen(cmd)); - xfree(cmd); + free(cmd); cmd = NULL; /* Gather fds from client */ @@ -377,12 +376,11 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) for (j = 0; j < i; j++) close(new_fd[j]); for (j = 0; j < env_len; j++) - xfree(cctx->env[j]); - if (env_len > 0) - xfree(cctx->env); - xfree(cctx->term); + free(cctx->env[j]); + free(cctx->env); + free(cctx->term); buffer_free(&cctx->cmd); - xfree(cctx); + free(cctx); /* prepare reply */ buffer_put_int(r, MUX_S_FAILURE); @@ -407,14 +405,14 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) close(new_fd[0]); close(new_fd[1]); close(new_fd[2]); - xfree(cctx->term); + free(cctx->term); if (env_len != 0) { for (i = 0; i < env_len; i++) - xfree(cctx->env[i]); - xfree(cctx->env); + free(cctx->env[i]); + free(cctx->env); } buffer_free(&cctx->cmd); - xfree(cctx); + free(cctx); return 0; } @@ -619,7 +617,7 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt) buffer_put_int(&out, MUX_S_FAILURE); buffer_put_int(&out, fctx->rid); buffer_put_cstring(&out, failmsg); - xfree(failmsg); + free(failmsg); out: buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out)); buffer_free(&out); @@ -634,25 +632,28 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) Forward fwd; char *fwd_desc = NULL; u_int ftype; + u_int lport, cport; int i, ret = 0, freefwd = 1; fwd.listen_host = fwd.connect_host = NULL; if (buffer_get_int_ret(&ftype, m) != 0 || (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.listen_port, m) != 0 || + buffer_get_int_ret(&lport, m) != 0 || (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.connect_port, m) != 0) { + buffer_get_int_ret(&cport, m) != 0 || + lport > 65535 || cport > 65535) { error("%s: malformed message", __func__); ret = -1; goto out; } - + fwd.listen_port = lport; + fwd.connect_port = cport; if (*fwd.listen_host == '\0') { - xfree(fwd.listen_host); + free(fwd.listen_host); fwd.listen_host = NULL; } if (*fwd.connect_host == '\0') { - xfree(fwd.connect_host); + free(fwd.connect_host); fwd.connect_host = NULL; } @@ -663,10 +664,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) ftype != MUX_FWD_DYNAMIC) { logit("%s: invalid forwarding type %u", __func__, ftype); invalid: - if (fwd.listen_host) - xfree(fwd.listen_host); - if (fwd.connect_host) - xfree(fwd.connect_host); + free(fwd.listen_host); + free(fwd.connect_host); buffer_put_int(r, MUX_S_FAILURE); buffer_put_int(r, rid); buffer_put_cstring(r, "Invalid forwarding request"); @@ -768,13 +767,10 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_put_int(r, MUX_S_OK); buffer_put_int(r, rid); out: - if (fwd_desc != NULL) - xfree(fwd_desc); + free(fwd_desc); if (freefwd) { - if (fwd.listen_host != NULL) - xfree(fwd.listen_host); - if (fwd.connect_host != NULL) - xfree(fwd.connect_host); + free(fwd.listen_host); + free(fwd.connect_host); } return ret; } @@ -787,24 +783,28 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) const char *error_reason = NULL; u_int ftype; int i, listen_port, ret = 0; + u_int lport, cport; fwd.listen_host = fwd.connect_host = NULL; if (buffer_get_int_ret(&ftype, m) != 0 || (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.listen_port, m) != 0 || + buffer_get_int_ret(&lport, m) != 0 || (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.connect_port, m) != 0) { + buffer_get_int_ret(&cport, m) != 0 || + lport > 65535 || cport > 65535) { error("%s: malformed message", __func__); ret = -1; goto out; } + fwd.listen_port = lport; + fwd.connect_port = cport; if (*fwd.listen_host == '\0') { - xfree(fwd.listen_host); + free(fwd.listen_host); fwd.listen_host = NULL; } if (*fwd.connect_host == '\0') { - xfree(fwd.connect_host); + free(fwd.connect_host); fwd.connect_host = NULL; } @@ -861,10 +861,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_put_int(r, MUX_S_OK); buffer_put_int(r, rid); - if (found_fwd->listen_host != NULL) - xfree(found_fwd->listen_host); - if (found_fwd->connect_host != NULL) - xfree(found_fwd->connect_host); + free(found_fwd->listen_host); + free(found_fwd->connect_host); found_fwd->listen_host = found_fwd->connect_host = NULL; found_fwd->listen_port = found_fwd->connect_port = 0; } else { @@ -873,12 +871,9 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_put_cstring(r, error_reason); } out: - if (fwd_desc != NULL) - xfree(fwd_desc); - if (fwd.listen_host != NULL) - xfree(fwd.listen_host); - if (fwd.connect_host != NULL) - xfree(fwd.connect_host); + free(fwd_desc); + free(fwd.listen_host); + free(fwd.connect_host); return ret; } @@ -895,14 +890,12 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || (chost = buffer_get_string_ret(m, NULL)) == NULL || buffer_get_int_ret(&cport, m) != 0) { - if (reserved != NULL) - xfree(reserved); - if (chost != NULL) - xfree(chost); + free(reserved); + free(chost); error("%s: malformed message", __func__); return -1; } - xfree(reserved); + free(reserved); debug2("%s: channel %d: request stdio fwd to %s:%u", __func__, c->self, chost, cport); @@ -914,7 +907,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) __func__, i); for (j = 0; j < i; j++) close(new_fd[j]); - xfree(chost); + free(chost); /* prepare reply */ buffer_put_int(r, MUX_S_FAILURE); @@ -938,7 +931,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) cleanup: close(new_fd[0]); close(new_fd[1]); - xfree(chost); + free(chost); return 0; } @@ -1000,7 +993,7 @@ process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r) if (mux_listener_channel != NULL) { channel_free(mux_listener_channel); client_stop_mux(); - xfree(options.control_path); + free(options.control_path); options.control_path = NULL; mux_listener_channel = NULL; muxserver_sock = -1; @@ -1100,7 +1093,7 @@ mux_exit_message(Channel *c, int exitval) Buffer m; Channel *mux_chan; - debug3("%s: channel %d: exit message, evitval %d", __func__, c->self, + debug3("%s: channel %d: exit message, exitval %d", __func__, c->self, exitval); if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL) @@ -1197,8 +1190,8 @@ muxserver_listen(void) close(muxserver_sock); muxserver_sock = -1; } - xfree(orig_control_path); - xfree(options.control_path); + free(orig_control_path); + free(options.control_path); options.control_path = NULL; options.control_master = SSHCTL_MASTER_NO; return; @@ -1223,7 +1216,7 @@ muxserver_listen(void) goto disable_mux_master; } unlink(options.control_path); - xfree(options.control_path); + free(options.control_path); options.control_path = orig_control_path; set_nonblock(muxserver_sock); @@ -1308,13 +1301,13 @@ mux_session_confirm(int id, int success, void *arg) cc->mux_pause = 0; /* start processing messages again */ c->open_confirm_ctx = NULL; buffer_free(&cctx->cmd); - xfree(cctx->term); + free(cctx->term); if (cctx->env != NULL) { for (i = 0; cctx->env[i] != NULL; i++) - xfree(cctx->env[i]); - xfree(cctx->env); + free(cctx->env[i]); + free(cctx->env); } - xfree(cctx); + free(cctx); } /* ** Multiplexing client support */ @@ -1444,7 +1437,9 @@ mux_client_read_packet(int fd, Buffer *m) buffer_init(&queue); if (mux_client_read(fd, &queue, 4) != 0) { if ((oerrno = errno) == EPIPE) - debug3("%s: read header failed: %s", __func__, strerror(errno)); + debug3("%s: read header failed: %s", __func__, + strerror(errno)); + buffer_free(&queue); errno = oerrno; return -1; } @@ -1452,6 +1447,7 @@ mux_client_read_packet(int fd, Buffer *m) if (mux_client_read(fd, &queue, need) != 0) { oerrno = errno; debug3("%s: read body failed: %s", __func__, strerror(errno)); + buffer_free(&queue); errno = oerrno; return -1; } @@ -1498,8 +1494,8 @@ mux_client_hello_exchange(int fd) char *value = buffer_get_string(&m, NULL); debug2("Unrecognised master extension \"%s\"", name); - xfree(name); - xfree(value); + free(name); + free(value); } buffer_free(&m); return 0; @@ -1608,7 +1604,7 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd) fwd_desc = format_forward(ftype, fwd); debug("Requesting %s %s", cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); - xfree(fwd_desc); + free(fwd_desc); buffer_init(&m); buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD); @@ -1845,7 +1841,7 @@ mux_client_request_session(int fd) leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); if (muxclient_terminate) { - debug2("Exiting on signal %d", muxclient_terminate); + debug2("Exiting on signal %ld", (long)muxclient_terminate); exitval = 255; } else if (!exitval_seen) { debug2("Control master terminated unexpectedly"); diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h index 26e0029a0..020054aa2 100644 --- a/crypto/openssh/myproposal.h +++ b/crypto/openssh/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.32 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */ /* $FreeBSD$ */ /* @@ -27,7 +27,10 @@ #include +/* conditional algorithm support */ + #ifdef OPENSSL_HAS_ECC +#ifdef OPENSSL_HAS_NISTP521 # define KEX_ECDH_METHODS \ "ecdh-sha2-nistp256," \ "ecdh-sha2-nistp384," \ @@ -41,20 +44,45 @@ "ecdsa-sha2-nistp384," \ "ecdsa-sha2-nistp521," #else +# define KEX_ECDH_METHODS \ + "ecdh-sha2-nistp256," \ + "ecdh-sha2-nistp384," +# define HOSTKEY_ECDSA_CERT_METHODS \ + "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp384-cert-v01@openssh.com," +# define HOSTKEY_ECDSA_METHODS \ + "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp384," +#endif +#else # define KEX_ECDH_METHODS # define HOSTKEY_ECDSA_CERT_METHODS # define HOSTKEY_ECDSA_METHODS #endif -/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ -#if OPENSSL_VERSION_NUMBER >= 0x00907000L +#ifdef OPENSSL_HAVE_EVPGCM +# define AESGCM_CIPHER_MODES \ + "aes128-gcm@openssh.com,aes256-gcm@openssh.com," +#else +# define AESGCM_CIPHER_MODES +#endif + +#ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha256," +#define KEX_CURVE25519_METHODS \ + "curve25519-sha256@libssh.org," +#define SHA2_HMAC_MODES \ + "hmac-sha2-256," \ + "hmac-sha2-512," #else # define KEX_SHA256_METHODS +# define KEX_CURVE25519_METHODS +# define SHA2_HMAC_MODES #endif # define KEX_DEFAULT_KEX \ + KEX_CURVE25519_METHODS \ KEX_ECDH_METHODS \ KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha1," \ @@ -69,25 +97,24 @@ "ssh-dss-cert-v00@openssh.com," \ HOSTKEY_ECDSA_METHODS \ "ssh-rsa," \ - "ssh-dss" + "ssh-dss," \ + "ssh-ed25519-cert-v01@openssh.com," \ + "ssh-ed25519" + +/* the actual algorithms */ #define KEX_DEFAULT_ENCRYPT \ "aes128-ctr,aes192-ctr,aes256-ctr," \ "arcfour256,arcfour128," \ - "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \ + AESGCM_CIPHER_MODES \ + "chacha20-poly1305@openssh.com," \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" #ifdef NONE_CIPHER_ENABLED #define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \ ",none" #endif -#ifdef HAVE_EVP_SHA256 -#define SHA2_HMAC_MODES \ - "hmac-sha2-256," \ - "hmac-sha2-512," -#else -# define SHA2_HMAC_MODES -#endif + #define KEX_DEFAULT_MAC \ "hmac-md5-etm@openssh.com," \ "hmac-sha1-etm@openssh.com," \ diff --git a/crypto/openssh/nchan.ms b/crypto/openssh/nchan.ms new file mode 100644 index 000000000..57576017b --- /dev/null +++ b/crypto/openssh/nchan.ms @@ -0,0 +1,99 @@ +.\" $OpenBSD: nchan.ms,v 1.8 2003/11/21 11:57:03 djm Exp $ +.\" +.\" +.\" Copyright (c) 1999 Markus Friedl. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.TL +OpenSSH Channel Close Protocol 1.5 Implementation +.SH +Channel Input State Diagram +.PS +reset +l=1 +s=1.2 +ellipsewid=s*ellipsewid +boxwid=s*boxwid +ellipseht=s*ellipseht +S1: ellipse "INPUT" "OPEN" +move right 2*l from last ellipse.e +S4: ellipse "INPUT" "CLOSED" +move down l from last ellipse.s +S3: ellipse "INPUT" "WAIT" "OCLOSED" +move down l from 1st ellipse.s +S2: ellipse "INPUT" "WAIT" "DRAIN" +arrow "" "rcvd OCLOSE/" "shutdown_read" "send IEOF" from S1.e to S4.w +arrow "ibuf_empty/" "send IEOF" from S2.e to S3.w +arrow from S1.s to S2.n +box invis "read_failed/" "shutdown_read" with .e at last arrow.c +arrow from S3.n to S4.s +box invis "rcvd OCLOSE/" "-" with .w at last arrow.c +ellipse wid .9*ellipsewid ht .9*ellipseht at S4 +arrow "start" "" from S1.w+(-0.5,0) to S1.w +arrow from S2.ne to S4.sw +box invis "rcvd OCLOSE/ " with .e at last arrow.c +box invis " send IEOF" with .w at last arrow.c +.PE +.SH +Channel Output State Diagram +.PS +S1: ellipse "OUTPUT" "OPEN" +move right 2*l from last ellipse.e +S3: ellipse "OUTPUT" "WAIT" "IEOF" +move down l from last ellipse.s +S4: ellipse "OUTPUT" "CLOSED" +move down l from 1st ellipse.s +S2: ellipse "OUTPUT" "WAIT" "DRAIN" +arrow "" "write_failed/" "shutdown_write" "send OCLOSE" from S1.e to S3.w +arrow "obuf_empty ||" "write_failed/" "shutdown_write" "send OCLOSE" from S2.e to S4.w +arrow from S1.s to S2.n +box invis "rcvd IEOF/" "-" with .e at last arrow.c +arrow from S3.s to S4.n +box invis "rcvd IEOF/" "-" with .w at last arrow.c +ellipse wid .9*ellipsewid ht .9*ellipseht at S4 +arrow "start" "" from S1.w+(-0.5,0) to S1.w +.PE +.SH +Notes +.PP +The input buffer is filled with data from the socket +(the socket represents the local consumer/producer of the +forwarded channel). +The data is then sent over the INPUT-end (transmit-end) of the channel to the +remote peer. +Data sent by the peer is received on the OUTPUT-end (receive-end), +saved in the output buffer and written to the socket. +.PP +If the local protocol instance has forwarded all data on the +INPUT-end of the channel, it sends an IEOF message to the peer. +If the peer receives the IEOF and has consumed all +data he replies with an OCLOSE. +When the local instance receives the OCLOSE +he considers the INPUT-half of the channel closed. +The peer has his OUTOUT-half closed. +.PP +A channel can be deallocated by a protocol instance +if both the INPUT- and the OUTOUT-half on his +side of the channel are closed. +Note that when an instance is unable to consume the +received data, he is permitted to send an OCLOSE +before the matching IEOF is received. diff --git a/crypto/openssh/nchan2.ms b/crypto/openssh/nchan2.ms new file mode 100644 index 000000000..700150450 --- /dev/null +++ b/crypto/openssh/nchan2.ms @@ -0,0 +1,88 @@ +.\" $OpenBSD: nchan2.ms,v 1.4 2008/05/15 23:52:24 djm Exp $ +.\" +.\" Copyright (c) 2000 Markus Friedl. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.TL +OpenSSH Channel Close Protocol 2.0 Implementation +.SH +Channel Input State Diagram +.PS +reset +l=1 +s=1.2 +ellipsewid=s*ellipsewid +boxwid=s*boxwid +ellipseht=s*ellipseht +S1: ellipse "INPUT" "OPEN" +move right 2*l from last ellipse.e +S3: ellipse invis +move down l from last ellipse.s +S4: ellipse "INPUT" "CLOSED" +move down l from 1st ellipse.s +S2: ellipse "INPUT" "WAIT" "DRAIN" +arrow from S1.e to S4.n +box invis "rcvd CLOSE/" "shutdown_read" with .sw at last arrow.c +arrow "ibuf_empty ||" "rcvd CLOSE/" "send EOF" "" from S2.e to S4.w +arrow from S1.s to S2.n +box invis "read_failed ||" "rcvd EOW/" "shutdown_read" with .e at last arrow.c +ellipse wid .9*ellipsewid ht .9*ellipseht at S4 +arrow "start" "" from S1.w+(-0.5,0) to S1.w +.PE +.SH +Channel Output State Diagram +.PS +S1: ellipse "OUTPUT" "OPEN" +move right 2*l from last ellipse.e +S3: ellipse invis +move down l from last ellipse.s +S4: ellipse "OUTPUT" "CLOSED" +move down l from 1st ellipse.s +S2: ellipse "OUTPUT" "WAIT" "DRAIN" +arrow from S1.e to S4.n +box invis "write_failed/" "shutdown_write" "send EOW" with .sw at last arrow.c +arrow "obuf_empty ||" "write_failed/" "shutdown_write" "" from S2.e to S4.w +arrow from S1.s to S2.n +box invis "rcvd EOF ||" "rcvd CLOSE/" "-" with .e at last arrow.c +ellipse wid .9*ellipsewid ht .9*ellipseht at S4 +arrow "start" "" from S1.w+(-0.5,0) to S1.w +.PE +.SH +Notes +.PP +The input buffer is filled with data from the socket +(the socket represents the local consumer/producer of the +forwarded channel). +The data is then sent over the INPUT-end (transmit-end) of the channel to the +remote peer. +Data sent by the peer is received on the OUTPUT-end (receive-end), +saved in the output buffer and written to the socket. +.PP +If the local protocol instance has forwarded all data on the +INPUT-end of the channel, it sends an EOF message to the peer. +.PP +A CLOSE message is sent to the peer if +both the INPUT- and the OUTOUT-half of the local +end of the channel are closed. +.PP +The channel can be deallocated by a protocol instance +if a CLOSE message he been both sent and received. diff --git a/crypto/openssh/openbsd-compat/Makefile.in b/crypto/openssh/openbsd-compat/Makefile.in new file mode 100644 index 000000000..6ecfb93d5 --- /dev/null +++ b/crypto/openssh/openbsd-compat/Makefile.in @@ -0,0 +1,42 @@ +# $Id: Makefile.in,v 1.55 2014/02/04 00:37:50 djm Exp $ + +sysconfdir=@sysconfdir@ +piddir=@piddir@ +srcdir=@srcdir@ +top_srcdir=@top_srcdir@ + +VPATH=@srcdir@ +CC=@CC@ +LD=@LD@ +CFLAGS=@CFLAGS@ +CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ +LIBS=@LIBS@ +AR=@AR@ +RANLIB=@RANLIB@ +INSTALL=@INSTALL@ +LDFLAGS=-L. @LDFLAGS@ + +OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o + +COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o + +PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o + +.c.o: + $(CC) $(CFLAGS) $(CPPFLAGS) -c $< + +all: libopenbsd-compat.a + +$(COMPAT): ../config.h +$(OPENBSD): ../config.h +$(PORTS): ../config.h + +libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS) + $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS) + $(RANLIB) $@ + +clean: + rm -f *.o *.a core + +distclean: clean + rm -f Makefile *~ diff --git a/crypto/openssh/openbsd-compat/arc4random.c b/crypto/openssh/openbsd-compat/arc4random.c new file mode 100644 index 000000000..eac073cc0 --- /dev/null +++ b/crypto/openssh/openbsd-compat/arc4random.c @@ -0,0 +1,294 @@ +/* OPENBSD ORIGINAL: lib/libc/crypto/arc4random.c */ + +/* $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $ */ + +/* + * Copyright (c) 1996, David Mazieres + * Copyright (c) 2008, Damien Miller + * Copyright (c) 2013, Markus Friedl + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * ChaCha based random number generator for OpenBSD. + */ + +#include "includes.h" + +#include +#include +#include +#include + +#ifndef HAVE_ARC4RANDOM + +#include +#include + +#include "log.h" + +#define KEYSTREAM_ONLY +#include "chacha_private.h" + +#ifdef __GNUC__ +#define inline __inline +#else /* !__GNUC__ */ +#define inline +#endif /* !__GNUC__ */ + +/* OpenSSH isn't multithreaded */ +#define _ARC4_LOCK() +#define _ARC4_UNLOCK() + +#define KEYSZ 32 +#define IVSZ 8 +#define BLOCKSZ 64 +#define RSBUFSZ (16*BLOCKSZ) +static int rs_initialized; +static pid_t rs_stir_pid; +static chacha_ctx rs; /* chacha context for random keystream */ +static u_char rs_buf[RSBUFSZ]; /* keystream blocks */ +static size_t rs_have; /* valid bytes at end of rs_buf */ +static size_t rs_count; /* bytes till reseed */ + +static inline void _rs_rekey(u_char *dat, size_t datlen); + +static inline void +_rs_init(u_char *buf, size_t n) +{ + if (n < KEYSZ + IVSZ) + return; + chacha_keysetup(&rs, buf, KEYSZ * 8, 0); + chacha_ivsetup(&rs, buf + KEYSZ); +} + +static void +_rs_stir(void) +{ + u_char rnd[KEYSZ + IVSZ]; + + if (RAND_bytes(rnd, sizeof(rnd)) <= 0) + fatal("Couldn't obtain random bytes (error %ld)", + ERR_get_error()); + + if (!rs_initialized) { + rs_initialized = 1; + _rs_init(rnd, sizeof(rnd)); + } else + _rs_rekey(rnd, sizeof(rnd)); + memset(rnd, 0, sizeof(rnd)); + + /* invalidate rs_buf */ + rs_have = 0; + memset(rs_buf, 0, RSBUFSZ); + + rs_count = 1600000; +} + +static inline void +_rs_stir_if_needed(size_t len) +{ + pid_t pid = getpid(); + + if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) { + rs_stir_pid = pid; + _rs_stir(); + } else + rs_count -= len; +} + +static inline void +_rs_rekey(u_char *dat, size_t datlen) +{ +#ifndef KEYSTREAM_ONLY + memset(rs_buf, 0,RSBUFSZ); +#endif + /* fill rs_buf with the keystream */ + chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ); + /* mix in optional user provided data */ + if (dat) { + size_t i, m; + + m = MIN(datlen, KEYSZ + IVSZ); + for (i = 0; i < m; i++) + rs_buf[i] ^= dat[i]; + } + /* immediately reinit for backtracking resistance */ + _rs_init(rs_buf, KEYSZ + IVSZ); + memset(rs_buf, 0, KEYSZ + IVSZ); + rs_have = RSBUFSZ - KEYSZ - IVSZ; +} + +static inline void +_rs_random_buf(void *_buf, size_t n) +{ + u_char *buf = (u_char *)_buf; + size_t m; + + _rs_stir_if_needed(n); + while (n > 0) { + if (rs_have > 0) { + m = MIN(n, rs_have); + memcpy(buf, rs_buf + RSBUFSZ - rs_have, m); + memset(rs_buf + RSBUFSZ - rs_have, 0, m); + buf += m; + n -= m; + rs_have -= m; + } + if (rs_have == 0) + _rs_rekey(NULL, 0); + } +} + +static inline void +_rs_random_u32(u_int32_t *val) +{ + _rs_stir_if_needed(sizeof(*val)); + if (rs_have < sizeof(*val)) + _rs_rekey(NULL, 0); + memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val)); + memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val)); + rs_have -= sizeof(*val); + return; +} + +void +arc4random_stir(void) +{ + _ARC4_LOCK(); + _rs_stir(); + _ARC4_UNLOCK(); +} + +void +arc4random_addrandom(u_char *dat, int datlen) +{ + int m; + + _ARC4_LOCK(); + if (!rs_initialized) + _rs_stir(); + while (datlen > 0) { + m = MIN(datlen, KEYSZ + IVSZ); + _rs_rekey(dat, m); + dat += m; + datlen -= m; + } + _ARC4_UNLOCK(); +} + +u_int32_t +arc4random(void) +{ + u_int32_t val; + + _ARC4_LOCK(); + _rs_random_u32(&val); + _ARC4_UNLOCK(); + return val; +} + +/* + * If we are providing arc4random, then we can provide a more efficient + * arc4random_buf(). + */ +# ifndef HAVE_ARC4RANDOM_BUF +void +arc4random_buf(void *buf, size_t n) +{ + _ARC4_LOCK(); + _rs_random_buf(buf, n); + _ARC4_UNLOCK(); +} +# endif /* !HAVE_ARC4RANDOM_BUF */ +#endif /* !HAVE_ARC4RANDOM */ + +/* arc4random_buf() that uses platform arc4random() */ +#if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) +void +arc4random_buf(void *_buf, size_t n) +{ + size_t i; + u_int32_t r = 0; + char *buf = (char *)_buf; + + for (i = 0; i < n; i++) { + if (i % 4 == 0) + r = arc4random(); + buf[i] = r & 0xff; + r >>= 8; + } + i = r = 0; +} +#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */ + +#ifndef HAVE_ARC4RANDOM_UNIFORM +/* + * Calculate a uniformly distributed random number less than upper_bound + * avoiding "modulo bias". + * + * Uniformity is achieved by generating new random numbers until the one + * returned is outside the range [0, 2**32 % upper_bound). This + * guarantees the selected random number will be inside + * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound) + * after reduction modulo upper_bound. + */ +u_int32_t +arc4random_uniform(u_int32_t upper_bound) +{ + u_int32_t r, min; + + if (upper_bound < 2) + return 0; + + /* 2**32 % x == (2**32 - x) % x */ + min = -upper_bound % upper_bound; + + /* + * This could theoretically loop forever but each retry has + * p > 0.5 (worst case, usually far better) of selecting a + * number inside the range we need, so it should rarely need + * to re-roll. + */ + for (;;) { + r = arc4random(); + if (r >= min) + break; + } + + return r % upper_bound; +} +#endif /* !HAVE_ARC4RANDOM_UNIFORM */ + +#if 0 +/*-------- Test code for i386 --------*/ +#include +#include +int +main(int argc, char **argv) +{ + const int iter = 1000000; + int i; + pctrval v; + + v = rdtsc(); + for (i = 0; i < iter; i++) + arc4random(); + v = rdtsc() - v; + v /= iter; + + printf("%qd cycles\n", v); + exit(0); +} +#endif diff --git a/crypto/openssh/openbsd-compat/bcrypt_pbkdf.c b/crypto/openssh/openbsd-compat/bcrypt_pbkdf.c new file mode 100644 index 000000000..91b6ba07b --- /dev/null +++ b/crypto/openssh/openbsd-compat/bcrypt_pbkdf.c @@ -0,0 +1,170 @@ +/* $OpenBSD: bcrypt_pbkdf.c,v 1.4 2013/07/29 00:55:53 tedu Exp $ */ +/* + * Copyright (c) 2013 Ted Unangst + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifndef HAVE_BCRYPT_PBKDF + +#include +#include + +#ifdef HAVE_STDLIB_H +# include +#endif +#include + +#ifdef HAVE_BLF_H +# include +#endif + +#include "crypto_api.h" +#define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES + +/* + * pkcs #5 pbkdf2 implementation using the "bcrypt" hash + * + * The bcrypt hash function is derived from the bcrypt password hashing + * function with the following modifications: + * 1. The input password and salt are preprocessed with SHA512. + * 2. The output length is expanded to 256 bits. + * 3. Subsequently the magic string to be encrypted is lengthened and modifed + * to "OxychromaticBlowfishSwatDynamite" + * 4. The hash function is defined to perform 64 rounds of initial state + * expansion. (More rounds are performed by iterating the hash.) + * + * Note that this implementation pulls the SHA512 operations into the caller + * as a performance optimization. + * + * One modification from official pbkdf2. Instead of outputting key material + * linearly, we mix it. pbkdf2 has a known weakness where if one uses it to + * generate (i.e.) 512 bits of key material for use as two 256 bit keys, an + * attacker can merely run once through the outer loop below, but the user + * always runs it twice. Shuffling output bytes requires computing the + * entirety of the key material to assemble any subkey. This is something a + * wise caller could do; we just do it for you. + */ + +#define BCRYPT_BLOCKS 8 +#define BCRYPT_HASHSIZE (BCRYPT_BLOCKS * 4) + +static void +bcrypt_hash(u_int8_t *sha2pass, u_int8_t *sha2salt, u_int8_t *out) +{ + blf_ctx state; + u_int8_t ciphertext[BCRYPT_HASHSIZE] = + "OxychromaticBlowfishSwatDynamite"; + uint32_t cdata[BCRYPT_BLOCKS]; + int i; + uint16_t j; + size_t shalen = SHA512_DIGEST_LENGTH; + + /* key expansion */ + Blowfish_initstate(&state); + Blowfish_expandstate(&state, sha2salt, shalen, sha2pass, shalen); + for (i = 0; i < 64; i++) { + Blowfish_expand0state(&state, sha2salt, shalen); + Blowfish_expand0state(&state, sha2pass, shalen); + } + + /* encryption */ + j = 0; + for (i = 0; i < BCRYPT_BLOCKS; i++) + cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext), + &j); + for (i = 0; i < 64; i++) + blf_enc(&state, cdata, sizeof(cdata) / sizeof(uint64_t)); + + /* copy out */ + for (i = 0; i < BCRYPT_BLOCKS; i++) { + out[4 * i + 3] = (cdata[i] >> 24) & 0xff; + out[4 * i + 2] = (cdata[i] >> 16) & 0xff; + out[4 * i + 1] = (cdata[i] >> 8) & 0xff; + out[4 * i + 0] = cdata[i] & 0xff; + } + + /* zap */ + memset(ciphertext, 0, sizeof(ciphertext)); + memset(cdata, 0, sizeof(cdata)); + memset(&state, 0, sizeof(state)); +} + +int +bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t saltlen, + u_int8_t *key, size_t keylen, unsigned int rounds) +{ + u_int8_t sha2pass[SHA512_DIGEST_LENGTH]; + u_int8_t sha2salt[SHA512_DIGEST_LENGTH]; + u_int8_t out[BCRYPT_HASHSIZE]; + u_int8_t tmpout[BCRYPT_HASHSIZE]; + u_int8_t *countsalt; + size_t i, j, amt, stride; + uint32_t count; + + /* nothing crazy */ + if (rounds < 1) + return -1; + if (passlen == 0 || saltlen == 0 || keylen == 0 || + keylen > sizeof(out) * sizeof(out) || saltlen > 1<<20) + return -1; + if ((countsalt = calloc(1, saltlen + 4)) == NULL) + return -1; + stride = (keylen + sizeof(out) - 1) / sizeof(out); + amt = (keylen + stride - 1) / stride; + + memcpy(countsalt, salt, saltlen); + + /* collapse password */ + crypto_hash_sha512(sha2pass, pass, passlen); + + /* generate key, sizeof(out) at a time */ + for (count = 1; keylen > 0; count++) { + countsalt[saltlen + 0] = (count >> 24) & 0xff; + countsalt[saltlen + 1] = (count >> 16) & 0xff; + countsalt[saltlen + 2] = (count >> 8) & 0xff; + countsalt[saltlen + 3] = count & 0xff; + + /* first round, salt is salt */ + crypto_hash_sha512(sha2salt, countsalt, saltlen + 4); + + bcrypt_hash(sha2pass, sha2salt, tmpout); + memcpy(out, tmpout, sizeof(out)); + + for (i = 1; i < rounds; i++) { + /* subsequent rounds, salt is previous output */ + crypto_hash_sha512(sha2salt, tmpout, sizeof(tmpout)); + bcrypt_hash(sha2pass, sha2salt, tmpout); + for (j = 0; j < sizeof(out); j++) + out[j] ^= tmpout[j]; + } + + /* + * pbkdf2 deviation: ouput the key material non-linearly. + */ + amt = MIN(amt, keylen); + for (i = 0; i < amt; i++) + key[i * stride + (count - 1)] = out[i]; + keylen -= amt; + } + + /* zap */ + memset(out, 0, sizeof(out)); + memset(countsalt, 0, saltlen + 4); + free(countsalt); + + return 0; +} +#endif /* HAVE_BCRYPT_PBKDF */ diff --git a/crypto/openssh/openbsd-compat/blf.h b/crypto/openssh/openbsd-compat/blf.h new file mode 100644 index 000000000..f1ac5a5c2 --- /dev/null +++ b/crypto/openssh/openbsd-compat/blf.h @@ -0,0 +1,88 @@ +/* $OpenBSD: blf.h,v 1.7 2007/03/14 17:59:41 grunk Exp $ */ +/* + * Blowfish - a fast block cipher designed by Bruce Schneier + * + * Copyright 1997 Niels Provos + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Niels Provos. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _BLF_H_ +#define _BLF_H_ + +#include "includes.h" + +#if !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H) + +/* Schneier specifies a maximum key length of 56 bytes. + * This ensures that every key bit affects every cipher + * bit. However, the subkeys can hold up to 72 bytes. + * Warning: For normal blowfish encryption only 56 bytes + * of the key affect all cipherbits. + */ + +#define BLF_N 16 /* Number of Subkeys */ +#define BLF_MAXKEYLEN ((BLF_N-2)*4) /* 448 bits */ +#define BLF_MAXUTILIZED ((BLF_N+2)*4) /* 576 bits */ + +/* Blowfish context */ +typedef struct BlowfishContext { + u_int32_t S[4][256]; /* S-Boxes */ + u_int32_t P[BLF_N + 2]; /* Subkeys */ +} blf_ctx; + +/* Raw access to customized Blowfish + * blf_key is just: + * Blowfish_initstate( state ) + * Blowfish_expand0state( state, key, keylen ) + */ + +void Blowfish_encipher(blf_ctx *, u_int32_t *, u_int32_t *); +void Blowfish_decipher(blf_ctx *, u_int32_t *, u_int32_t *); +void Blowfish_initstate(blf_ctx *); +void Blowfish_expand0state(blf_ctx *, const u_int8_t *, u_int16_t); +void Blowfish_expandstate +(blf_ctx *, const u_int8_t *, u_int16_t, const u_int8_t *, u_int16_t); + +/* Standard Blowfish */ + +void blf_key(blf_ctx *, const u_int8_t *, u_int16_t); +void blf_enc(blf_ctx *, u_int32_t *, u_int16_t); +void blf_dec(blf_ctx *, u_int32_t *, u_int16_t); + +void blf_ecb_encrypt(blf_ctx *, u_int8_t *, u_int32_t); +void blf_ecb_decrypt(blf_ctx *, u_int8_t *, u_int32_t); + +void blf_cbc_encrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t); +void blf_cbc_decrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t); + +/* Converts u_int8_t to u_int32_t */ +u_int32_t Blowfish_stream2word(const u_int8_t *, u_int16_t , u_int16_t *); + +#endif /* !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H) */ +#endif /* _BLF_H */ + diff --git a/crypto/openssh/openbsd-compat/blowfish.c b/crypto/openssh/openbsd-compat/blowfish.c new file mode 100644 index 000000000..37e0638b5 --- /dev/null +++ b/crypto/openssh/openbsd-compat/blowfish.c @@ -0,0 +1,698 @@ +/* $OpenBSD: blowfish.c,v 1.18 2004/11/02 17:23:26 hshoexer Exp $ */ +/* $FreeBSD$ */ +/* + * Blowfish block cipher for OpenBSD + * Copyright 1997 Niels Provos + * All rights reserved. + * + * Implementation advice by David Mazieres . + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Niels Provos. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code is derived from section 14.3 and the given source + * in section V of Applied Cryptography, second edition. + * Blowfish is an unpatented fast block cipher designed by + * Bruce Schneier. + */ + +#include "includes.h" +__RCSID("$FreeBSD$"); + +#if !defined(HAVE_BCRYPT_PBKDF) && (!defined(HAVE_BLOWFISH_INITSTATE) || \ + !defined(HAVE_BLOWFISH_EXPAND0STATE) || !defined(HAVE_BLF_ENC)) + +#if 0 +#include /* used for debugging */ +#include +#endif + +#include +#ifdef HAVE_BLF_H +#include +#endif + +#undef inline +#ifdef __GNUC__ +#define inline __inline +#else /* !__GNUC__ */ +#define inline +#endif /* !__GNUC__ */ + +/* Function for Feistel Networks */ + +#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \ + + (s)[0x100 + (((x)>>16)&0xFF)]) \ + ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \ + + (s)[0x300 + ( (x) &0xFF)]) + +#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n]) + +void +Blowfish_encipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr) +{ + u_int32_t Xl; + u_int32_t Xr; + u_int32_t *s = c->S[0]; + u_int32_t *p = c->P; + + Xl = *xl; + Xr = *xr; + + Xl ^= p[0]; + BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2); + BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4); + BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6); + BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8); + BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10); + BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12); + BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14); + BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16); + + *xl = Xr ^ p[17]; + *xr = Xl; +} + +void +Blowfish_decipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr) +{ + u_int32_t Xl; + u_int32_t Xr; + u_int32_t *s = c->S[0]; + u_int32_t *p = c->P; + + Xl = *xl; + Xr = *xr; + + Xl ^= p[17]; + BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15); + BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13); + BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11); + BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9); + BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7); + BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5); + BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3); + BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1); + + *xl = Xr ^ p[0]; + *xr = Xl; +} + +void +Blowfish_initstate(blf_ctx *c) +{ + /* P-box and S-box tables initialized with digits of Pi */ + + static const blf_ctx initstate = + { { + { + 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, + 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, + 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, + 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, + 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, + 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, + 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, + 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, + 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, + 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, + 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, + 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, + 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, + 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, + 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, + 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, + 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, + 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, + 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, + 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, + 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, + 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, + 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, + 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, + 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, + 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, + 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, + 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, + 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, + 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, + 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, + 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, + 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, + 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, + 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, + 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, + 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, + 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, + 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, + 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, + 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, + 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, + 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, + 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, + 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, + 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, + 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, + 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, + 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, + 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, + 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, + 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, + 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, + 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, + 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, + 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, + 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, + 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, + 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, + 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, + 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, + 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, + 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, + 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a}, + { + 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, + 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266, + 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, + 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, + 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6, + 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, + 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, + 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1, + 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, + 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, + 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff, + 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, + 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, + 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7, + 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, + 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, + 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf, + 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, + 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, + 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87, + 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, + 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, + 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16, + 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, + 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, + 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509, + 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, + 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, + 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f, + 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, + 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, + 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960, + 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, + 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, + 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802, + 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, + 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, + 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf, + 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, + 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, + 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50, + 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, + 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, + 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281, + 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, + 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, + 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128, + 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, + 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, + 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0, + 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, + 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, + 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3, + 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, + 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, + 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061, + 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, + 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, + 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735, + 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, + 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, + 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340, + 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, + 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7}, + { + 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, + 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068, + 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, + 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, + 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45, + 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, + 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, + 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb, + 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, + 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, + 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42, + 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, + 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, + 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb, + 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, + 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, + 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33, + 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, + 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, + 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc, + 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, + 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, + 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b, + 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, + 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, + 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728, + 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, + 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, + 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37, + 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, + 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, + 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b, + 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, + 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, + 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d, + 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, + 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, + 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9, + 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, + 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, + 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d, + 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, + 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, + 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61, + 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, + 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, + 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2, + 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, + 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, + 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633, + 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, + 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, + 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52, + 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, + 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, + 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62, + 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, + 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, + 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24, + 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, + 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, + 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c, + 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, + 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0}, + { + 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, + 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe, + 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, + 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, + 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8, + 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, + 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, + 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22, + 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, + 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, + 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9, + 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, + 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, + 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51, + 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, + 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, + 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b, + 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, + 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, + 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd, + 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, + 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, + 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb, + 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, + 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, + 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32, + 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, + 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, + 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae, + 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, + 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, + 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47, + 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, + 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, + 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84, + 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, + 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, + 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd, + 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, + 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, + 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38, + 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, + 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, + 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525, + 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, + 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, + 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964, + 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, + 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, + 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d, + 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, + 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, + 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02, + 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, + 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, + 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a, + 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, + 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, + 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0, + 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, + 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, + 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9, + 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, + 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6} + }, + { + 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, + 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, + 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, + 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, + 0x9216d5d9, 0x8979fb1b + } }; + + *c = initstate; +} + +u_int32_t +Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes, + u_int16_t *current) +{ + u_int8_t i; + u_int16_t j; + u_int32_t temp; + + temp = 0x00000000; + j = *current; + + for (i = 0; i < 4; i++, j++) { + if (j >= databytes) + j = 0; + temp = (temp << 8) | data[j]; + } + + *current = j; + return temp; +} + +void +Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes) +{ + u_int16_t i; + u_int16_t j; + u_int16_t k; + u_int32_t temp; + u_int32_t datal; + u_int32_t datar; + + j = 0; + for (i = 0; i < BLF_N + 2; i++) { + /* Extract 4 int8 to 1 int32 from keystream */ + temp = Blowfish_stream2word(key, keybytes, &j); + c->P[i] = c->P[i] ^ temp; + } + + j = 0; + datal = 0x00000000; + datar = 0x00000000; + for (i = 0; i < BLF_N + 2; i += 2) { + Blowfish_encipher(c, &datal, &datar); + + c->P[i] = datal; + c->P[i + 1] = datar; + } + + for (i = 0; i < 4; i++) { + for (k = 0; k < 256; k += 2) { + Blowfish_encipher(c, &datal, &datar); + + c->S[i][k] = datal; + c->S[i][k + 1] = datar; + } + } +} + + +void +Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes, + const u_int8_t *key, u_int16_t keybytes) +{ + u_int16_t i; + u_int16_t j; + u_int16_t k; + u_int32_t temp; + u_int32_t datal; + u_int32_t datar; + + j = 0; + for (i = 0; i < BLF_N + 2; i++) { + /* Extract 4 int8 to 1 int32 from keystream */ + temp = Blowfish_stream2word(key, keybytes, &j); + c->P[i] = c->P[i] ^ temp; + } + + j = 0; + datal = 0x00000000; + datar = 0x00000000; + for (i = 0; i < BLF_N + 2; i += 2) { + datal ^= Blowfish_stream2word(data, databytes, &j); + datar ^= Blowfish_stream2word(data, databytes, &j); + Blowfish_encipher(c, &datal, &datar); + + c->P[i] = datal; + c->P[i + 1] = datar; + } + + for (i = 0; i < 4; i++) { + for (k = 0; k < 256; k += 2) { + datal ^= Blowfish_stream2word(data, databytes, &j); + datar ^= Blowfish_stream2word(data, databytes, &j); + Blowfish_encipher(c, &datal, &datar); + + c->S[i][k] = datal; + c->S[i][k + 1] = datar; + } + } + +} + +void +blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len) +{ + /* Initialize S-boxes and subkeys with Pi */ + Blowfish_initstate(c); + + /* Transform S-boxes and subkeys with key */ + Blowfish_expand0state(c, k, len); +} + +void +blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks) +{ + u_int32_t *d; + u_int16_t i; + + d = data; + for (i = 0; i < blocks; i++) { + Blowfish_encipher(c, d, d + 1); + d += 2; + } +} + +void +blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks) +{ + u_int32_t *d; + u_int16_t i; + + d = data; + for (i = 0; i < blocks; i++) { + Blowfish_decipher(c, d, d + 1); + d += 2; + } +} + +void +blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r; + u_int32_t i; + + for (i = 0; i < len; i += 8) { + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_encipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + data += 8; + } +} + +void +blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r; + u_int32_t i; + + for (i = 0; i < len; i += 8) { + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_decipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + data += 8; + } +} + +void +blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r; + u_int32_t i, j; + + for (i = 0; i < len; i += 8) { + for (j = 0; j < 8; j++) + data[j] ^= iv[j]; + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_encipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + iv = data; + data += 8; + } +} + +void +blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r; + u_int8_t *iv; + u_int32_t i, j; + + iv = data + len - 16; + data = data + len - 8; + for (i = len - 8; i >= 8; i -= 8) { + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_decipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + for (j = 0; j < 8; j++) + data[j] ^= iv[j]; + iv -= 8; + data -= 8; + } + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_decipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + for (j = 0; j < 8; j++) + data[j] ^= iva[j]; +} + +#if 0 +void +report(u_int32_t data[], u_int16_t len) +{ + u_int16_t i; + for (i = 0; i < len; i += 2) + printf("Block %0hd: %08lx %08lx.\n", + i / 2, data[i], data[i + 1]); +} +void +main(void) +{ + + blf_ctx c; + char key[] = "AAAAA"; + char key2[] = "abcdefghijklmnopqrstuvwxyz"; + + u_int32_t data[10]; + u_int32_t data2[] = + {0x424c4f57l, 0x46495348l}; + + u_int16_t i; + + /* First test */ + for (i = 0; i < 10; i++) + data[i] = i; + + blf_key(&c, (u_int8_t *) key, 5); + blf_enc(&c, data, 5); + blf_dec(&c, data, 1); + blf_dec(&c, data + 2, 4); + printf("Should read as 0 - 9.\n"); + report(data, 10); + + /* Second test */ + blf_key(&c, (u_int8_t *) key2, strlen(key2)); + blf_enc(&c, data2, 1); + printf("\nShould read as: 0x324ed0fe 0xf413a203.\n"); + report(data2, 2); + blf_dec(&c, data2, 1); + report(data2, 2); +} +#endif + +#endif /* !defined(HAVE_BCRYPT_PBKDF) && (!defined(HAVE_BLOWFISH_INITSTATE) || \ + !defined(HAVE_BLOWFISH_EXPAND0STATE) || !defined(HAVE_BLF_ENC)) */ + diff --git a/crypto/openssh/openbsd-compat/bsd-arc4random.c b/crypto/openssh/openbsd-compat/bsd-arc4random.c deleted file mode 100644 index d7c586253..000000000 --- a/crypto/openssh/openbsd-compat/bsd-arc4random.c +++ /dev/null @@ -1,150 +0,0 @@ -/* - * Copyright (c) 1999,2000,2004 Damien Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include "includes.h" - -#include - -#include -#include -#include - -#include "log.h" - -#ifndef HAVE_ARC4RANDOM - -#include -#include -#include - -/* Size of key to use */ -#define SEED_SIZE 20 - -/* Number of bytes to reseed after */ -#define REKEY_BYTES (1 << 24) - -static int rc4_ready = 0; -static RC4_KEY rc4; - -unsigned int -arc4random(void) -{ - unsigned int r = 0; - static int first_time = 1; - - if (rc4_ready <= 0) { - if (first_time) - seed_rng(); - first_time = 0; - arc4random_stir(); - } - - RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r); - - rc4_ready -= sizeof(r); - - return(r); -} - -void -arc4random_stir(void) -{ - unsigned char rand_buf[SEED_SIZE]; - int i; - - memset(&rc4, 0, sizeof(rc4)); - if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0) - fatal("Couldn't obtain random bytes (error %ld)", - ERR_get_error()); - RC4_set_key(&rc4, sizeof(rand_buf), rand_buf); - - /* - * Discard early keystream, as per recommendations in: - * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps - */ - for(i = 0; i <= 256; i += sizeof(rand_buf)) - RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf); - - memset(rand_buf, 0, sizeof(rand_buf)); - - rc4_ready = REKEY_BYTES; -} -#endif /* !HAVE_ARC4RANDOM */ - -#ifndef HAVE_ARC4RANDOM_BUF -void -arc4random_buf(void *_buf, size_t n) -{ - size_t i; - u_int32_t r = 0; - char *buf = (char *)_buf; - - for (i = 0; i < n; i++) { - if (i % 4 == 0) - r = arc4random(); - buf[i] = r & 0xff; - r >>= 8; - } - i = r = 0; -} -#endif /* !HAVE_ARC4RANDOM_BUF */ - -#ifndef HAVE_ARC4RANDOM_UNIFORM -/* - * Calculate a uniformly distributed random number less than upper_bound - * avoiding "modulo bias". - * - * Uniformity is achieved by generating new random numbers until the one - * returned is outside the range [0, 2**32 % upper_bound). This - * guarantees the selected random number will be inside - * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound) - * after reduction modulo upper_bound. - */ -u_int32_t -arc4random_uniform(u_int32_t upper_bound) -{ - u_int32_t r, min; - - if (upper_bound < 2) - return 0; - -#if (ULONG_MAX > 0xffffffffUL) - min = 0x100000000UL % upper_bound; -#else - /* Calculate (2**32 % upper_bound) avoiding 64-bit math */ - if (upper_bound > 0x80000000) - min = 1 + ~upper_bound; /* 2**32 - upper_bound */ - else { - /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */ - min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound; - } -#endif - - /* - * This could theoretically loop forever but each retry has - * p > 0.5 (worst case, usually far better) of selecting a - * number inside the range we need, so it should rarely need - * to re-roll. - */ - for (;;) { - r = arc4random(); - if (r >= min) - break; - } - - return r % upper_bound; -} -#endif /* !HAVE_ARC4RANDOM_UNIFORM */ diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c index d3d2d913a..267e77a11 100644 --- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c +++ b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c @@ -97,7 +97,7 @@ fetch_windows_environment(void) void free_windows_environment(char **p) { - xfree(p); + free(p); } #endif /* HAVE_CYGWIN */ diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.h b/crypto/openssh/openbsd-compat/bsd-cygwin_util.h index 6061a6b01..1177366f1 100644 --- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.h +++ b/crypto/openssh/openbsd-compat/bsd-cygwin_util.h @@ -1,4 +1,4 @@ -/* $Id: bsd-cygwin_util.h,v 1.15.4.1 2013/04/04 23:53:31 dtucker Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.17 2014/01/18 10:04:00 dtucker Exp $ */ /* * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen @@ -40,9 +40,15 @@ typedef void *HANDLE; #define INVALID_HANDLE_VALUE ((HANDLE) -1) +/* Cygwin functions for which declarations are only available when including + windows headers, so we have to define them here explicitely. */ +extern HANDLE cygwin_logon_user (const struct passwd *, const char *); +extern void cygwin_set_impersonation_token (const HANDLE); + #include #include + int binary_open(const char *, int , ...); int check_ntsec(const char *); char **fetch_windows_environment(void); diff --git a/crypto/openssh/openbsd-compat/bsd-misc.c b/crypto/openssh/openbsd-compat/bsd-misc.c index d75854e83..65e800397 100644 --- a/crypto/openssh/openbsd-compat/bsd-misc.c +++ b/crypto/openssh/openbsd-compat/bsd-misc.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #include "xmalloc.h" diff --git a/crypto/openssh/openbsd-compat/bsd-misc.h b/crypto/openssh/openbsd-compat/bsd-misc.h index 430066376..e2fd6460d 100644 --- a/crypto/openssh/openbsd-compat/bsd-misc.h +++ b/crypto/openssh/openbsd-compat/bsd-misc.h @@ -1,4 +1,5 @@ -/* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */ +/* $Id: bsd-misc.h,v 1.25 2013/08/04 11:48:41 dtucker Exp $ */ +/* $FreeBSD$ */ /* * Copyright (c) 1999-2004 Damien Miller @@ -20,6 +21,7 @@ #define _BSD_MISC_H #include "includes.h" +__RCSID("$FreeBSD$"); char *ssh_get_progname(char *); @@ -110,4 +112,16 @@ int isblank(int); pid_t getpgid(pid_t); #endif +#ifndef HAVE_ENDGRENT +# define endgrent() do { } while (0) +#endif + +#ifndef HAVE_KRB5_GET_ERROR_MESSAGE +# define krb5_get_error_message krb5_get_err_text +#endif + +#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE +# define krb5_free_error_message(a,b) do { } while(0) +#endif + #endif /* _BSD_MISC_H */ diff --git a/crypto/openssh/openbsd-compat/bsd-poll.c b/crypto/openssh/openbsd-compat/bsd-poll.c index f899d7a24..73a852480 100644 --- a/crypto/openssh/openbsd-compat/bsd-poll.c +++ b/crypto/openssh/openbsd-compat/bsd-poll.c @@ -1,4 +1,4 @@ -/* $Id: bsd-poll.c,v 1.4 2008/08/29 21:32:38 dtucker Exp $ */ +/* $Id: bsd-poll.c,v 1.6 2014/02/05 23:44:13 dtucker Exp $ */ /* * Copyright (c) 2004, 2005, 2007 Darren Tucker (dtucker at zip com au). @@ -19,12 +19,15 @@ #include "includes.h" #if !defined(HAVE_POLL) +#include +#include #ifdef HAVE_SYS_SELECT_H # include #endif -#include #include +#include +#include #include "bsd-poll.h" /* @@ -106,12 +109,9 @@ poll(struct pollfd *fds, nfds_t nfds, int timeout) } out: - if (readfds != NULL) - free(readfds); - if (writefds != NULL) - free(writefds); - if (exceptfds != NULL) - free(exceptfds); + free(readfds); + free(writefds); + free(exceptfds); if (ret == -1) errno = saved_errno; return ret; diff --git a/crypto/openssh/openbsd-compat/bsd-setres_id.c b/crypto/openssh/openbsd-compat/bsd-setres_id.c index 020b214b8..018bde8c7 100644 --- a/crypto/openssh/openbsd-compat/bsd-setres_id.c +++ b/crypto/openssh/openbsd-compat/bsd-setres_id.c @@ -1,4 +1,4 @@ -/* $Id: bsd-setres_id.c,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */ +/* $Id: bsd-setres_id.c,v 1.2 2013/12/07 21:23:09 djm Exp $ */ /* * Copyright (c) 2012 Darren Tucker (dtucker at zip com au). @@ -22,6 +22,7 @@ #include #include +#include #include "log.h" diff --git a/crypto/openssh/openbsd-compat/bsd-snprintf.c b/crypto/openssh/openbsd-compat/bsd-snprintf.c index 41d2be238..975991e7f 100644 --- a/crypto/openssh/openbsd-compat/bsd-snprintf.c +++ b/crypto/openssh/openbsd-compat/bsd-snprintf.c @@ -160,6 +160,8 @@ #define DP_C_LONG 2 #define DP_C_LDOUBLE 3 #define DP_C_LLONG 4 +#define DP_C_SIZE 5 +#define DP_C_INTMAX 6 #define char_to_int(p) ((p)- '0') #ifndef MAX @@ -182,7 +184,7 @@ static int dopr(char *buffer, size_t maxlen, const char *format, static int fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, int min, int max); static int fmtint(char *buffer, size_t *currlen, size_t maxlen, - LLONG value, int base, int min, int max, int flags); + intmax_t value, int base, int min, int max, int flags); static int fmtfp(char *buffer, size_t *currlen, size_t maxlen, LDOUBLE fvalue, int min, int max, int flags); @@ -190,7 +192,7 @@ static int dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) { char ch; - LLONG value; + intmax_t value; LDOUBLE fvalue; char *strvalue; int min; @@ -287,6 +289,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) cflags = DP_C_SHORT; ch = *format++; break; + case 'j': + cflags = DP_C_INTMAX; + ch = *format++; + break; case 'l': cflags = DP_C_LONG; ch = *format++; @@ -299,6 +305,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) cflags = DP_C_LDOUBLE; ch = *format++; break; + case 'z': + cflags = DP_C_SIZE; + ch = *format++; + break; default: break; } @@ -314,6 +324,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = va_arg (args, long int); else if (cflags == DP_C_LLONG) value = va_arg (args, LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, ssize_t); + else if (cflags == DP_C_INTMAX) + value = va_arg (args, intmax_t); else value = va_arg (args, int); if (fmtint(buffer, &currlen, maxlen, @@ -328,6 +342,12 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned long int); else if (cflags == DP_C_LLONG) value = (long)va_arg (args, unsigned LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, size_t); +#ifdef notyet + else if (cflags == DP_C_INTMAX) + value = va_arg (args, uintmax_t); +#endif else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -342,6 +362,12 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned long int); else if (cflags == DP_C_LLONG) value = (LLONG)va_arg (args, unsigned LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, size_t); +#ifdef notyet + else if (cflags == DP_C_INTMAX) + value = va_arg (args, uintmax_t); +#endif else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -358,6 +384,12 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned long int); else if (cflags == DP_C_LLONG) value = (LLONG)va_arg (args, unsigned LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, size_t); +#ifdef notyet + else if (cflags == DP_C_INTMAX) + value = va_arg (args, uintmax_t); +#endif else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -416,6 +448,7 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) (long) strvalue, 16, min, max, flags) == -1) return -1; break; +#if we_dont_want_this_in_openssh case 'n': if (cflags == DP_C_SHORT) { short int *num; @@ -429,12 +462,21 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) LLONG *num; num = va_arg (args, LLONG *); *num = (LLONG)currlen; + } else if (cflags == DP_C_SIZE) { + ssize_t *num; + num = va_arg (args, ssize_t *); + *num = (ssize_t)currlen; + } else if (cflags == DP_C_INTMAX) { + intmax_t *num; + num = va_arg (args, intmax_t *); + *num = (intmax_t)currlen; } else { int *num; num = va_arg (args, int *); *num = currlen; } break; +#endif case '%': DOPR_OUTCH(buffer, currlen, maxlen, ch); break; diff --git a/crypto/openssh/openbsd-compat/bsd-statvfs.c b/crypto/openssh/openbsd-compat/bsd-statvfs.c index 844d5b464..2b1da80ec 100644 --- a/crypto/openssh/openbsd-compat/bsd-statvfs.c +++ b/crypto/openssh/openbsd-compat/bsd-statvfs.c @@ -1,7 +1,7 @@ -/* $Id: bsd-statvfs.c,v 1.1 2008/06/08 17:32:29 dtucker Exp $ */ +/* $Id: bsd-statvfs.c,v 1.2 2014/01/17 07:10:59 dtucker Exp $ */ /* - * Copyright (c) 2008 Darren Tucker + * Copyright (c) 2008,2014 Darren Tucker * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -18,20 +18,65 @@ #include "includes.h" +#if !defined(HAVE_STATVFS) || !defined(HAVE_FSTATVFS) + +#include +#ifdef HAVE_SYS_MOUNT_H +# include +#endif + #include -#ifndef HAVE_STATVFS +static void +copy_statfs_to_statvfs(struct statvfs *to, struct statfs *from) +{ + to->f_bsize = from->f_bsize; + to->f_frsize = from->f_bsize; /* no exact equivalent */ + to->f_blocks = from->f_blocks; + to->f_bfree = from->f_bfree; + to->f_bavail = from->f_bavail; + to->f_files = from->f_files; + to->f_ffree = from->f_ffree; + to->f_favail = from->f_ffree; /* no exact equivalent */ + to->f_fsid = 0; /* XXX fix me */ + to->f_flag = from->f_flags; + to->f_namemax = MNAMELEN; +} + +# ifndef HAVE_STATVFS int statvfs(const char *path, struct statvfs *buf) { +# ifdef HAVE_STATFS + struct statfs fs; + + memset(&fs, 0, sizeof(fs)); + if (statfs(path, &fs) == -1) + return -1; + copy_statfs_to_statvfs(buf, &fs); + return 0; +# else errno = ENOSYS; return -1; +# endif } -#endif +# endif -#ifndef HAVE_FSTATVFS +# ifndef HAVE_FSTATVFS int fstatvfs(int fd, struct statvfs *buf) { +# ifdef HAVE_FSTATFS + struct statfs fs; + + memset(&fs, 0, sizeof(fs)); + if (fstatfs(fd, &fs) == -1) + return -1; + copy_statfs_to_statvfs(buf, &fs); + return 0; +# else errno = ENOSYS; return -1; +# endif } +# endif + #endif diff --git a/crypto/openssh/openbsd-compat/bsd-statvfs.h b/crypto/openssh/openbsd-compat/bsd-statvfs.h index da215ffc6..dfd609974 100644 --- a/crypto/openssh/openbsd-compat/bsd-statvfs.h +++ b/crypto/openssh/openbsd-compat/bsd-statvfs.h @@ -1,7 +1,7 @@ -/* $Id: bsd-statvfs.h,v 1.1 2008/06/08 17:32:29 dtucker Exp $ */ +/* $Id: bsd-statvfs.h,v 1.3 2014/01/17 07:48:22 dtucker Exp $ */ /* - * Copyright (c) 2008 Darren Tucker + * Copyright (c) 2008,2014 Darren Tucker * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -18,14 +18,17 @@ #include "includes.h" +#if !defined(HAVE_STATVFS) || !defined(HAVE_FSTATVFS) + #include +#ifdef HAVE_SYS_MOUNT_H +#include +#endif #ifdef HAVE_SYS_STATFS_H #include #endif -#ifndef HAVE_STATVFS - #ifndef HAVE_FSBLKCNT_T typedef unsigned long fsblkcnt_t; #endif diff --git a/crypto/openssh/openbsd-compat/chacha_private.h b/crypto/openssh/openbsd-compat/chacha_private.h new file mode 100644 index 000000000..7c3680fa6 --- /dev/null +++ b/crypto/openssh/openbsd-compat/chacha_private.h @@ -0,0 +1,222 @@ +/* +chacha-merged.c version 20080118 +D. J. Bernstein +Public domain. +*/ + +/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */ + +typedef unsigned char u8; +typedef unsigned int u32; + +typedef struct +{ + u32 input[16]; /* could be compressed */ +} chacha_ctx; + +#define U8C(v) (v##U) +#define U32C(v) (v##U) + +#define U8V(v) ((u8)(v) & U8C(0xFF)) +#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF)) + +#define ROTL32(v, n) \ + (U32V((v) << (n)) | ((v) >> (32 - (n)))) + +#define U8TO32_LITTLE(p) \ + (((u32)((p)[0]) ) | \ + ((u32)((p)[1]) << 8) | \ + ((u32)((p)[2]) << 16) | \ + ((u32)((p)[3]) << 24)) + +#define U32TO8_LITTLE(p, v) \ + do { \ + (p)[0] = U8V((v) ); \ + (p)[1] = U8V((v) >> 8); \ + (p)[2] = U8V((v) >> 16); \ + (p)[3] = U8V((v) >> 24); \ + } while (0) + +#define ROTATE(v,c) (ROTL32(v,c)) +#define XOR(v,w) ((v) ^ (w)) +#define PLUS(v,w) (U32V((v) + (w))) +#define PLUSONE(v) (PLUS((v),1)) + +#define QUARTERROUND(a,b,c,d) \ + a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \ + a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c), 7); + +static const char sigma[16] = "expand 32-byte k"; +static const char tau[16] = "expand 16-byte k"; + +static void +chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits) +{ + const char *constants; + + x->input[4] = U8TO32_LITTLE(k + 0); + x->input[5] = U8TO32_LITTLE(k + 4); + x->input[6] = U8TO32_LITTLE(k + 8); + x->input[7] = U8TO32_LITTLE(k + 12); + if (kbits == 256) { /* recommended */ + k += 16; + constants = sigma; + } else { /* kbits == 128 */ + constants = tau; + } + x->input[8] = U8TO32_LITTLE(k + 0); + x->input[9] = U8TO32_LITTLE(k + 4); + x->input[10] = U8TO32_LITTLE(k + 8); + x->input[11] = U8TO32_LITTLE(k + 12); + x->input[0] = U8TO32_LITTLE(constants + 0); + x->input[1] = U8TO32_LITTLE(constants + 4); + x->input[2] = U8TO32_LITTLE(constants + 8); + x->input[3] = U8TO32_LITTLE(constants + 12); +} + +static void +chacha_ivsetup(chacha_ctx *x,const u8 *iv) +{ + x->input[12] = 0; + x->input[13] = 0; + x->input[14] = U8TO32_LITTLE(iv + 0); + x->input[15] = U8TO32_LITTLE(iv + 4); +} + +static void +chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes) +{ + u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + u8 *ctarget = NULL; + u8 tmp[64]; + u_int i; + + if (!bytes) return; + + j0 = x->input[0]; + j1 = x->input[1]; + j2 = x->input[2]; + j3 = x->input[3]; + j4 = x->input[4]; + j5 = x->input[5]; + j6 = x->input[6]; + j7 = x->input[7]; + j8 = x->input[8]; + j9 = x->input[9]; + j10 = x->input[10]; + j11 = x->input[11]; + j12 = x->input[12]; + j13 = x->input[13]; + j14 = x->input[14]; + j15 = x->input[15]; + + for (;;) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) tmp[i] = m[i]; + m = tmp; + ctarget = c; + c = tmp; + } + x0 = j0; + x1 = j1; + x2 = j2; + x3 = j3; + x4 = j4; + x5 = j5; + x6 = j6; + x7 = j7; + x8 = j8; + x9 = j9; + x10 = j10; + x11 = j11; + x12 = j12; + x13 = j13; + x14 = j14; + x15 = j15; + for (i = 20;i > 0;i -= 2) { + QUARTERROUND( x0, x4, x8,x12) + QUARTERROUND( x1, x5, x9,x13) + QUARTERROUND( x2, x6,x10,x14) + QUARTERROUND( x3, x7,x11,x15) + QUARTERROUND( x0, x5,x10,x15) + QUARTERROUND( x1, x6,x11,x12) + QUARTERROUND( x2, x7, x8,x13) + QUARTERROUND( x3, x4, x9,x14) + } + x0 = PLUS(x0,j0); + x1 = PLUS(x1,j1); + x2 = PLUS(x2,j2); + x3 = PLUS(x3,j3); + x4 = PLUS(x4,j4); + x5 = PLUS(x5,j5); + x6 = PLUS(x6,j6); + x7 = PLUS(x7,j7); + x8 = PLUS(x8,j8); + x9 = PLUS(x9,j9); + x10 = PLUS(x10,j10); + x11 = PLUS(x11,j11); + x12 = PLUS(x12,j12); + x13 = PLUS(x13,j13); + x14 = PLUS(x14,j14); + x15 = PLUS(x15,j15); + +#ifndef KEYSTREAM_ONLY + x0 = XOR(x0,U8TO32_LITTLE(m + 0)); + x1 = XOR(x1,U8TO32_LITTLE(m + 4)); + x2 = XOR(x2,U8TO32_LITTLE(m + 8)); + x3 = XOR(x3,U8TO32_LITTLE(m + 12)); + x4 = XOR(x4,U8TO32_LITTLE(m + 16)); + x5 = XOR(x5,U8TO32_LITTLE(m + 20)); + x6 = XOR(x6,U8TO32_LITTLE(m + 24)); + x7 = XOR(x7,U8TO32_LITTLE(m + 28)); + x8 = XOR(x8,U8TO32_LITTLE(m + 32)); + x9 = XOR(x9,U8TO32_LITTLE(m + 36)); + x10 = XOR(x10,U8TO32_LITTLE(m + 40)); + x11 = XOR(x11,U8TO32_LITTLE(m + 44)); + x12 = XOR(x12,U8TO32_LITTLE(m + 48)); + x13 = XOR(x13,U8TO32_LITTLE(m + 52)); + x14 = XOR(x14,U8TO32_LITTLE(m + 56)); + x15 = XOR(x15,U8TO32_LITTLE(m + 60)); +#endif + + j12 = PLUSONE(j12); + if (!j12) { + j13 = PLUSONE(j13); + /* stopping at 2^70 bytes per nonce is user's responsibility */ + } + + U32TO8_LITTLE(c + 0,x0); + U32TO8_LITTLE(c + 4,x1); + U32TO8_LITTLE(c + 8,x2); + U32TO8_LITTLE(c + 12,x3); + U32TO8_LITTLE(c + 16,x4); + U32TO8_LITTLE(c + 20,x5); + U32TO8_LITTLE(c + 24,x6); + U32TO8_LITTLE(c + 28,x7); + U32TO8_LITTLE(c + 32,x8); + U32TO8_LITTLE(c + 36,x9); + U32TO8_LITTLE(c + 40,x10); + U32TO8_LITTLE(c + 44,x11); + U32TO8_LITTLE(c + 48,x12); + U32TO8_LITTLE(c + 52,x13); + U32TO8_LITTLE(c + 56,x14); + U32TO8_LITTLE(c + 60,x15); + + if (bytes <= 64) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) ctarget[i] = c[i]; + } + x->input[12] = j12; + x->input[13] = j13; + return; + } + bytes -= 64; + c += 64; +#ifndef KEYSTREAM_ONLY + m += 64; +#endif + } +} diff --git a/crypto/openssh/openbsd-compat/explicit_bzero.c b/crypto/openssh/openbsd-compat/explicit_bzero.c new file mode 100644 index 000000000..b106741e5 --- /dev/null +++ b/crypto/openssh/openbsd-compat/explicit_bzero.c @@ -0,0 +1,20 @@ +/* OPENBSD ORIGINAL: lib/libc/string/explicit_bzero.c */ +/* $OpenBSD: explicit_bzero.c,v 1.1 2014/01/22 21:06:45 tedu Exp $ */ +/* + * Public domain. + * Written by Ted Unangst + */ + +#include "includes.h" + +#ifndef HAVE_EXPLICIT_BZERO + +/* + * explicit_bzero - don't let the compiler optimize away bzero + */ +void +explicit_bzero(void *p, size_t n) +{ + bzero(p, n); +} +#endif diff --git a/crypto/openssh/openbsd-compat/getopt.c b/crypto/openssh/openbsd-compat/getopt.c deleted file mode 100644 index 5450e43d9..000000000 --- a/crypto/openssh/openbsd-compat/getopt.c +++ /dev/null @@ -1,123 +0,0 @@ -/* - * Copyright (c) 1987, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */ - -#include "includes.h" -#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) - -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include - -int BSDopterr = 1, /* if error message should be printed */ - BSDoptind = 1, /* index into parent argv vector */ - BSDoptopt, /* character checked for validity */ - BSDoptreset; /* reset getopt */ -char *BSDoptarg; /* argument associated with option */ - -#define BADCH (int)'?' -#define BADARG (int)':' -#define EMSG "" - -/* - * getopt -- - * Parse argc/argv argument vector. - */ -int -BSDgetopt(nargc, nargv, ostr) - int nargc; - char * const *nargv; - const char *ostr; -{ - extern char *__progname; - static char *place = EMSG; /* option letter processing */ - char *oli; /* option letter list index */ - - if (ostr == NULL) - return (-1); - - if (BSDoptreset || !*place) { /* update scanning pointer */ - BSDoptreset = 0; - if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') { - place = EMSG; - return (-1); - } - if (place[1] && *++place == '-') { /* found "--" */ - ++BSDoptind; - place = EMSG; - return (-1); - } - } /* option letter okay? */ - if ((BSDoptopt = (int)*place++) == (int)':' || - !(oli = strchr(ostr, BSDoptopt))) { - /* - * if the user didn't specify '-' as an option, - * assume it means -1. - */ - if (BSDoptopt == (int)'-') - return (-1); - if (!*place) - ++BSDoptind; - if (BSDopterr && *ostr != ':') - (void)fprintf(stderr, - "%s: illegal option -- %c\n", __progname, BSDoptopt); - return (BADCH); - } - if (*++oli != ':') { /* don't need argument */ - BSDoptarg = NULL; - if (!*place) - ++BSDoptind; - } - else { /* need an argument */ - if (*place) /* no white space */ - BSDoptarg = place; - else if (nargc <= ++BSDoptind) { /* no arg */ - place = EMSG; - if (*ostr == ':') - return (BADARG); - if (BSDopterr) - (void)fprintf(stderr, - "%s: option requires an argument -- %c\n", - __progname, BSDoptopt); - return (BADCH); - } - else /* white space */ - BSDoptarg = nargv[BSDoptind]; - place = EMSG; - ++BSDoptind; - } - return (BSDoptopt); /* dump back option letter */ -} - -#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ diff --git a/crypto/openssh/openbsd-compat/getopt.h b/crypto/openssh/openbsd-compat/getopt.h new file mode 100644 index 000000000..8eb12447e --- /dev/null +++ b/crypto/openssh/openbsd-compat/getopt.h @@ -0,0 +1,74 @@ +/* $OpenBSD: getopt.h,v 1.2 2008/06/26 05:42:04 ray Exp $ */ +/* $NetBSD: getopt.h,v 1.4 2000/07/07 10:43:54 ad Exp $ */ + +/*- + * Copyright (c) 2000 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Dieter Baron and Thomas Klausner. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _GETOPT_H_ +#define _GETOPT_H_ + +/* + * GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions + */ +#define no_argument 0 +#define required_argument 1 +#define optional_argument 2 + +struct option { + /* name of long option */ + const char *name; + /* + * one of no_argument, required_argument, and optional_argument: + * whether option takes an argument + */ + int has_arg; + /* if not NULL, set *flag to val when option found */ + int *flag; + /* if flag not NULL, value to set *flag to; else return value */ + int val; +}; + +int getopt_long(int, char * const *, const char *, + const struct option *, int *); +int getopt_long_only(int, char * const *, const char *, + const struct option *, int *); +#ifndef _GETOPT_DEFINED_ +#define _GETOPT_DEFINED_ +int getopt(int, char * const *, const char *); +int getsubopt(char **, char * const *, char **); + +extern char *optarg; /* getopt(3) external variables */ +extern int opterr; +extern int optind; +extern int optopt; +extern int optreset; +extern char *suboptarg; /* getsubopt(3) external variable */ +#endif + +#endif /* !_GETOPT_H_ */ diff --git a/crypto/openssh/openbsd-compat/getopt_long.c b/crypto/openssh/openbsd-compat/getopt_long.c new file mode 100644 index 000000000..e28947430 --- /dev/null +++ b/crypto/openssh/openbsd-compat/getopt_long.c @@ -0,0 +1,532 @@ +/* $OpenBSD: getopt_long.c,v 1.25 2011/03/05 22:10:11 guenther Exp $ */ +/* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */ + +/* + * Copyright (c) 2002 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F39502-99-1-0512. + */ +/*- + * Copyright (c) 2000 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Dieter Baron and Thomas Klausner. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt_long.c */ +#include "includes.h" + +#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) + +/* + * Some defines to make it easier to keep the code in sync with upstream. + * getopt opterr optind optopt optreset optarg are all in defines.h which is + * pulled in by includes.h. + */ +#define warnx logit + +#if 0 +#include +#include +#endif +#include +#include +#include +#include + +#include "log.h" + +int opterr = 1; /* if error message should be printed */ +int optind = 1; /* index into parent argv vector */ +int optopt = '?'; /* character checked for validity */ +int optreset; /* reset getopt */ +char *optarg; /* argument associated with option */ + +#define PRINT_ERROR ((opterr) && (*options != ':')) + +#define FLAG_PERMUTE 0x01 /* permute non-options to the end of argv */ +#define FLAG_ALLARGS 0x02 /* treat non-options as args to option "-1" */ +#define FLAG_LONGONLY 0x04 /* operate as getopt_long_only */ + +/* return values */ +#define BADCH (int)'?' +#define BADARG ((*options == ':') ? (int)':' : (int)'?') +#define INORDER (int)1 + +#define EMSG "" + +static int getopt_internal(int, char * const *, const char *, + const struct option *, int *, int); +static int parse_long_options(char * const *, const char *, + const struct option *, int *, int); +static int gcd(int, int); +static void permute_args(int, int, int, char * const *); + +static char *place = EMSG; /* option letter processing */ + +/* XXX: set optreset to 1 rather than these two */ +static int nonopt_start = -1; /* first non option argument (for permute) */ +static int nonopt_end = -1; /* first option after non options (for permute) */ + +/* Error messages */ +static const char recargchar[] = "option requires an argument -- %c"; +static const char recargstring[] = "option requires an argument -- %s"; +static const char ambig[] = "ambiguous option -- %.*s"; +static const char noarg[] = "option doesn't take an argument -- %.*s"; +static const char illoptchar[] = "unknown option -- %c"; +static const char illoptstring[] = "unknown option -- %s"; + +/* + * Compute the greatest common divisor of a and b. + */ +static int +gcd(int a, int b) +{ + int c; + + c = a % b; + while (c != 0) { + a = b; + b = c; + c = a % b; + } + + return (b); +} + +/* + * Exchange the block from nonopt_start to nonopt_end with the block + * from nonopt_end to opt_end (keeping the same order of arguments + * in each block). + */ +static void +permute_args(int panonopt_start, int panonopt_end, int opt_end, + char * const *nargv) +{ + int cstart, cyclelen, i, j, ncycle, nnonopts, nopts, pos; + char *swap; + + /* + * compute lengths of blocks and number and size of cycles + */ + nnonopts = panonopt_end - panonopt_start; + nopts = opt_end - panonopt_end; + ncycle = gcd(nnonopts, nopts); + cyclelen = (opt_end - panonopt_start) / ncycle; + + for (i = 0; i < ncycle; i++) { + cstart = panonopt_end+i; + pos = cstart; + for (j = 0; j < cyclelen; j++) { + if (pos >= panonopt_end) + pos -= nnonopts; + else + pos += nopts; + swap = nargv[pos]; + /* LINTED const cast */ + ((char **) nargv)[pos] = nargv[cstart]; + /* LINTED const cast */ + ((char **)nargv)[cstart] = swap; + } + } +} + +/* + * parse_long_options -- + * Parse long options in argc/argv argument vector. + * Returns -1 if short_too is set and the option does not match long_options. + */ +static int +parse_long_options(char * const *nargv, const char *options, + const struct option *long_options, int *idx, int short_too) +{ + char *current_argv, *has_equal; + size_t current_argv_len; + int i, match; + + current_argv = place; + match = -1; + + optind++; + + if ((has_equal = strchr(current_argv, '=')) != NULL) { + /* argument found (--option=arg) */ + current_argv_len = has_equal - current_argv; + has_equal++; + } else + current_argv_len = strlen(current_argv); + + for (i = 0; long_options[i].name; i++) { + /* find matching long option */ + if (strncmp(current_argv, long_options[i].name, + current_argv_len)) + continue; + + if (strlen(long_options[i].name) == current_argv_len) { + /* exact match */ + match = i; + break; + } + /* + * If this is a known short option, don't allow + * a partial match of a single character. + */ + if (short_too && current_argv_len == 1) + continue; + + if (match == -1) /* partial match */ + match = i; + else { + /* ambiguous abbreviation */ + if (PRINT_ERROR) + warnx(ambig, (int)current_argv_len, + current_argv); + optopt = 0; + return (BADCH); + } + } + if (match != -1) { /* option found */ + if (long_options[match].has_arg == no_argument + && has_equal) { + if (PRINT_ERROR) + warnx(noarg, (int)current_argv_len, + current_argv); + /* + * XXX: GNU sets optopt to val regardless of flag + */ + if (long_options[match].flag == NULL) + optopt = long_options[match].val; + else + optopt = 0; + return (BADARG); + } + if (long_options[match].has_arg == required_argument || + long_options[match].has_arg == optional_argument) { + if (has_equal) + optarg = has_equal; + else if (long_options[match].has_arg == + required_argument) { + /* + * optional argument doesn't use next nargv + */ + optarg = nargv[optind++]; + } + } + if ((long_options[match].has_arg == required_argument) + && (optarg == NULL)) { + /* + * Missing argument; leading ':' indicates no error + * should be generated. + */ + if (PRINT_ERROR) + warnx(recargstring, + current_argv); + /* + * XXX: GNU sets optopt to val regardless of flag + */ + if (long_options[match].flag == NULL) + optopt = long_options[match].val; + else + optopt = 0; + --optind; + return (BADARG); + } + } else { /* unknown option */ + if (short_too) { + --optind; + return (-1); + } + if (PRINT_ERROR) + warnx(illoptstring, current_argv); + optopt = 0; + return (BADCH); + } + if (idx) + *idx = match; + if (long_options[match].flag) { + *long_options[match].flag = long_options[match].val; + return (0); + } else + return (long_options[match].val); +} + +/* + * getopt_internal -- + * Parse argc/argv argument vector. Called by user level routines. + */ +static int +getopt_internal(int nargc, char * const *nargv, const char *options, + const struct option *long_options, int *idx, int flags) +{ + char *oli; /* option letter list index */ + int optchar, short_too; + static int posixly_correct = -1; + + if (options == NULL) + return (-1); + + /* + * XXX Some GNU programs (like cvs) set optind to 0 instead of + * XXX using optreset. Work around this braindamage. + */ + if (optind == 0) + optind = optreset = 1; + + /* + * Disable GNU extensions if POSIXLY_CORRECT is set or options + * string begins with a '+'. + */ + if (posixly_correct == -1 || optreset) + posixly_correct = (getenv("POSIXLY_CORRECT") != NULL); + if (*options == '-') + flags |= FLAG_ALLARGS; + else if (posixly_correct || *options == '+') + flags &= ~FLAG_PERMUTE; + if (*options == '+' || *options == '-') + options++; + + optarg = NULL; + if (optreset) + nonopt_start = nonopt_end = -1; +start: + if (optreset || !*place) { /* update scanning pointer */ + optreset = 0; + if (optind >= nargc) { /* end of argument vector */ + place = EMSG; + if (nonopt_end != -1) { + /* do permutation, if we have to */ + permute_args(nonopt_start, nonopt_end, + optind, nargv); + optind -= nonopt_end - nonopt_start; + } + else if (nonopt_start != -1) { + /* + * If we skipped non-options, set optind + * to the first of them. + */ + optind = nonopt_start; + } + nonopt_start = nonopt_end = -1; + return (-1); + } + if (*(place = nargv[optind]) != '-' || + (place[1] == '\0' && strchr(options, '-') == NULL)) { + place = EMSG; /* found non-option */ + if (flags & FLAG_ALLARGS) { + /* + * GNU extension: + * return non-option as argument to option 1 + */ + optarg = nargv[optind++]; + return (INORDER); + } + if (!(flags & FLAG_PERMUTE)) { + /* + * If no permutation wanted, stop parsing + * at first non-option. + */ + return (-1); + } + /* do permutation */ + if (nonopt_start == -1) + nonopt_start = optind; + else if (nonopt_end != -1) { + permute_args(nonopt_start, nonopt_end, + optind, nargv); + nonopt_start = optind - + (nonopt_end - nonopt_start); + nonopt_end = -1; + } + optind++; + /* process next argument */ + goto start; + } + if (nonopt_start != -1 && nonopt_end == -1) + nonopt_end = optind; + + /* + * If we have "-" do nothing, if "--" we are done. + */ + if (place[1] != '\0' && *++place == '-' && place[1] == '\0') { + optind++; + place = EMSG; + /* + * We found an option (--), so if we skipped + * non-options, we have to permute. + */ + if (nonopt_end != -1) { + permute_args(nonopt_start, nonopt_end, + optind, nargv); + optind -= nonopt_end - nonopt_start; + } + nonopt_start = nonopt_end = -1; + return (-1); + } + } + + /* + * Check long options if: + * 1) we were passed some + * 2) the arg is not just "-" + * 3) either the arg starts with -- we are getopt_long_only() + */ + if (long_options != NULL && place != nargv[optind] && + (*place == '-' || (flags & FLAG_LONGONLY))) { + short_too = 0; + if (*place == '-') + place++; /* --foo long option */ + else if (*place != ':' && strchr(options, *place) != NULL) + short_too = 1; /* could be short option too */ + + optchar = parse_long_options(nargv, options, long_options, + idx, short_too); + if (optchar != -1) { + place = EMSG; + return (optchar); + } + } + + if ((optchar = (int)*place++) == (int)':' || + (optchar == (int)'-' && *place != '\0') || + (oli = strchr(options, optchar)) == NULL) { + /* + * If the user specified "-" and '-' isn't listed in + * options, return -1 (non-option) as per POSIX. + * Otherwise, it is an unknown option character (or ':'). + */ + if (optchar == (int)'-' && *place == '\0') + return (-1); + if (!*place) + ++optind; + if (PRINT_ERROR) + warnx(illoptchar, optchar); + optopt = optchar; + return (BADCH); + } + if (long_options != NULL && optchar == 'W' && oli[1] == ';') { + /* -W long-option */ + if (*place) /* no space */ + /* NOTHING */; + else if (++optind >= nargc) { /* no arg */ + place = EMSG; + if (PRINT_ERROR) + warnx(recargchar, optchar); + optopt = optchar; + return (BADARG); + } else /* white space */ + place = nargv[optind]; + optchar = parse_long_options(nargv, options, long_options, + idx, 0); + place = EMSG; + return (optchar); + } + if (*++oli != ':') { /* doesn't take argument */ + if (!*place) + ++optind; + } else { /* takes (optional) argument */ + optarg = NULL; + if (*place) /* no white space */ + optarg = place; + else if (oli[1] != ':') { /* arg not optional */ + if (++optind >= nargc) { /* no arg */ + place = EMSG; + if (PRINT_ERROR) + warnx(recargchar, optchar); + optopt = optchar; + return (BADARG); + } else + optarg = nargv[optind]; + } + place = EMSG; + ++optind; + } + /* dump back option letter */ + return (optchar); +} + +/* + * getopt -- + * Parse argc/argv argument vector. + * + * [eventually this will replace the BSD getopt] + */ +int +getopt(int nargc, char * const *nargv, const char *options) +{ + + /* + * We don't pass FLAG_PERMUTE to getopt_internal() since + * the BSD getopt(3) (unlike GNU) has never done this. + * + * Furthermore, since many privileged programs call getopt() + * before dropping privileges it makes sense to keep things + * as simple (and bug-free) as possible. + */ + return (getopt_internal(nargc, nargv, options, NULL, NULL, 0)); +} + +#if 0 +/* + * getopt_long -- + * Parse argc/argv argument vector. + */ +int +getopt_long(int nargc, char * const *nargv, const char *options, + const struct option *long_options, int *idx) +{ + + return (getopt_internal(nargc, nargv, options, long_options, idx, + FLAG_PERMUTE)); +} + +/* + * getopt_long_only -- + * Parse argc/argv argument vector. + */ +int +getopt_long_only(int nargc, char * const *nargv, const char *options, + const struct option *long_options, int *idx) +{ + + return (getopt_internal(nargc, nargv, options, long_options, idx, + FLAG_PERMUTE|FLAG_LONGONLY)); +} +#endif + +#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ diff --git a/crypto/openssh/openbsd-compat/getrrsetbyname-ldns.c b/crypto/openssh/openbsd-compat/getrrsetbyname-ldns.c new file mode 100644 index 000000000..343720f10 --- /dev/null +++ b/crypto/openssh/openbsd-compat/getrrsetbyname-ldns.c @@ -0,0 +1,284 @@ +/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */ + +/* + * Copyright (c) 2007 Simon Vallet / Genoscope + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Portions Copyright (c) 1999-2001 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#if !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS) + +#include +#include + +#include + +#include "getrrsetbyname.h" +#include "log.h" +#include "xmalloc.h" + +#define malloc(x) (xmalloc(x)) +#define calloc(x, y) (xcalloc((x),(y))) + +int +getrrsetbyname(const char *hostname, unsigned int rdclass, + unsigned int rdtype, unsigned int flags, + struct rrsetinfo **res) +{ + int result; + unsigned int i, j, index_ans, index_sig; + struct rrsetinfo *rrset = NULL; + struct rdatainfo *rdata; + size_t len; + ldns_resolver *ldns_res; + ldns_rdf *domain = NULL; + ldns_pkt *pkt = NULL; + ldns_rr_list *rrsigs = NULL, *rrdata = NULL; + ldns_status err; + ldns_rr *rr; + + /* check for invalid class and type */ + if (rdclass > 0xffff || rdtype > 0xffff) { + result = ERRSET_INVAL; + goto fail; + } + + /* don't allow queries of class or type ANY */ + if (rdclass == 0xff || rdtype == 0xff) { + result = ERRSET_INVAL; + goto fail; + } + + /* don't allow flags yet, unimplemented */ + if (flags) { + result = ERRSET_INVAL; + goto fail; + } + + /* Initialize resolver from resolv.conf */ + domain = ldns_dname_new_frm_str(hostname); + if ((err = ldns_resolver_new_frm_file(&ldns_res, NULL)) != \ + LDNS_STATUS_OK) { + result = ERRSET_FAIL; + goto fail; + } + +#ifdef LDNS_DEBUG + ldns_resolver_set_debug(ldns_res, true); +#endif /* LDNS_DEBUG */ + + ldns_resolver_set_dnssec(ldns_res, true); /* Use DNSSEC */ + + /* make query */ + pkt = ldns_resolver_query(ldns_res, domain, rdtype, rdclass, LDNS_RD); + + /*** TODO: finer errcodes -- see original **/ + if (!pkt || ldns_pkt_ancount(pkt) < 1) { + result = ERRSET_FAIL; + goto fail; + } + + /* initialize rrset */ + rrset = calloc(1, sizeof(struct rrsetinfo)); + if (rrset == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + + rrdata = ldns_pkt_rr_list_by_type(pkt, rdtype, LDNS_SECTION_ANSWER); + rrset->rri_nrdatas = ldns_rr_list_rr_count(rrdata); + if (!rrset->rri_nrdatas) { + result = ERRSET_NODATA; + goto fail; + } + + /* copy name from answer section */ + len = ldns_rdf_size(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0))); + if ((rrset->rri_name = malloc(len)) == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + memcpy(rrset->rri_name, + ldns_rdf_data(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0))), len); + + rrset->rri_rdclass = ldns_rr_get_class(ldns_rr_list_rr(rrdata, 0)); + rrset->rri_rdtype = ldns_rr_get_type(ldns_rr_list_rr(rrdata, 0)); + rrset->rri_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrdata, 0)); + + debug2("ldns: got %u answers from DNS", rrset->rri_nrdatas); + + /* Check for authenticated data */ + if (ldns_pkt_ad(pkt)) { + rrset->rri_flags |= RRSET_VALIDATED; + } else { /* AD is not set, try autonomous validation */ + ldns_rr_list * trusted_keys = ldns_rr_list_new(); + + debug2("ldns: trying to validate RRset"); + /* Get eventual sigs */ + rrsigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, + LDNS_SECTION_ANSWER); + + rrset->rri_nsigs = ldns_rr_list_rr_count(rrsigs); + debug2("ldns: got %u signature(s) (RRTYPE %u) from DNS", + rrset->rri_nsigs, LDNS_RR_TYPE_RRSIG); + + if ((err = ldns_verify_trusted(ldns_res, rrdata, rrsigs, + trusted_keys)) == LDNS_STATUS_OK) { + rrset->rri_flags |= RRSET_VALIDATED; + debug2("ldns: RRset is signed with a valid key"); + } else { + debug2("ldns: RRset validation failed: %s", + ldns_get_errorstr_by_id(err)); + } + + ldns_rr_list_deep_free(trusted_keys); + } + + /* allocate memory for answers */ + rrset->rri_rdatas = calloc(rrset->rri_nrdatas, + sizeof(struct rdatainfo)); + + if (rrset->rri_rdatas == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + + /* allocate memory for signatures */ + if (rrset->rri_nsigs > 0) { + rrset->rri_sigs = calloc(rrset->rri_nsigs, + sizeof(struct rdatainfo)); + + if (rrset->rri_sigs == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + } + + /* copy answers & signatures */ + for (i=0, index_ans=0, index_sig=0; i< pkt->_header->_ancount; i++) { + rdata = NULL; + rr = ldns_rr_list_rr(ldns_pkt_answer(pkt), i); + + if (ldns_rr_get_class(rr) == rrset->rri_rdclass && + ldns_rr_get_type(rr) == rrset->rri_rdtype) { + rdata = &rrset->rri_rdatas[index_ans++]; + } + + if (rr->_rr_class == rrset->rri_rdclass && + rr->_rr_type == LDNS_RR_TYPE_RRSIG && + rrset->rri_sigs) { + rdata = &rrset->rri_sigs[index_sig++]; + } + + if (rdata) { + size_t rdata_offset = 0; + + rdata->rdi_length = 0; + for (j=0; j< rr->_rd_count; j++) { + rdata->rdi_length += + ldns_rdf_size(ldns_rr_rdf(rr, j)); + } + + rdata->rdi_data = malloc(rdata->rdi_length); + if (rdata->rdi_data == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + + /* Re-create the raw DNS RDATA */ + for (j=0; j< rr->_rd_count; j++) { + len = ldns_rdf_size(ldns_rr_rdf(rr, j)); + memcpy(rdata->rdi_data + rdata_offset, + ldns_rdf_data(ldns_rr_rdf(rr, j)), len); + rdata_offset += len; + } + } + } + + *res = rrset; + result = ERRSET_SUCCESS; + +fail: + /* freerrset(rrset); */ + ldns_rdf_deep_free(domain); + ldns_pkt_free(pkt); + ldns_rr_list_deep_free(rrsigs); + ldns_rr_list_deep_free(rrdata); + ldns_resolver_deep_free(ldns_res); + + return result; +} + + +void +freerrset(struct rrsetinfo *rrset) +{ + u_int16_t i; + + if (rrset == NULL) + return; + + if (rrset->rri_rdatas) { + for (i = 0; i < rrset->rri_nrdatas; i++) { + if (rrset->rri_rdatas[i].rdi_data == NULL) + break; + free(rrset->rri_rdatas[i].rdi_data); + } + free(rrset->rri_rdatas); + } + + if (rrset->rri_sigs) { + for (i = 0; i < rrset->rri_nsigs; i++) { + if (rrset->rri_sigs[i].rdi_data == NULL) + break; + free(rrset->rri_sigs[i].rdi_data); + } + free(rrset->rri_sigs); + } + + if (rrset->rri_name) + free(rrset->rri_name); + free(rrset); +} + + +#endif /* !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS) */ diff --git a/crypto/openssh/openbsd-compat/openbsd-compat.h b/crypto/openssh/openbsd-compat/openbsd-compat.h index a8c579f49..bc9888e31 100644 --- a/crypto/openssh/openbsd-compat/openbsd-compat.h +++ b/crypto/openssh/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.61 2014/02/04 00:18:23 djm Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -44,6 +44,7 @@ #include "vis.h" #include "getrrsetbyname.h" #include "sha2.h" +#include "blf.h" #ifndef HAVE_BASENAME char *basename(const char *path); @@ -111,6 +112,10 @@ char *dirname(const char *path); int fmt_scaled(long long number, char *result); #endif +#ifndef HAVE_SCAN_SCALED +int scan_scaled(char *, long long *); +#endif + #if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) char *inet_ntoa(struct in_addr in); #endif @@ -139,6 +144,7 @@ int getgrouplist(const char *, gid_t, gid_t *, int *); #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) int BSDgetopt(int argc, char * const *argv, const char *opts); +#include "openbsd-compat/getopt.h" #endif #if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0 @@ -156,9 +162,13 @@ int writev(int, struct iovec *, int); #ifndef HAVE_GETPEEREID int getpeereid(int , uid_t *, gid_t *); -#endif +#endif -#ifndef HAVE_ARC4RANDOM +#ifdef HAVE_ARC4RANDOM +# ifndef HAVE_ARC4RANDOM_STIR +# define arc4random_stir() +# endif +#else unsigned int arc4random(void); void arc4random_stir(void); #endif /* !HAVE_ARC4RANDOM */ @@ -202,6 +212,11 @@ unsigned long long strtoull(const char *, char **, int); long long strtonum(const char *, long long, long long, const char **); #endif +/* multibyte character support */ +#ifndef HAVE_MBLEN +# define mblen(x, y) 1 +#endif + #if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF) # include #endif @@ -226,6 +241,15 @@ char *group_from_gid(gid_t, int); int timingsafe_bcmp(const void *, const void *, size_t); #endif +#ifndef HAVE_BCRYPT_PBKDF +int bcrypt_pbkdf(const char *, size_t, const u_int8_t *, size_t, + u_int8_t *, size_t, unsigned int); +#endif + +#ifndef HAVE_EXPLICIT_BZERO +void explicit_bzero(void *p, size_t n); +#endif + void *xmmap(size_t size); char *xcrypt(const char *password, const char *salt); char *shadow_pw(struct passwd *pw); diff --git a/crypto/openssh/openbsd-compat/openssl-compat.c b/crypto/openssh/openbsd-compat/openssl-compat.c index 5189cab61..885c121f2 100644 --- a/crypto/openssh/openbsd-compat/openssl-compat.c +++ b/crypto/openssh/openbsd-compat/openssl-compat.c @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.c,v 1.14 2011/05/10 01:13:38 dtucker Exp $ */ +/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -59,6 +59,34 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp) } #endif +#ifndef HAVE_EVP_DIGESTINIT_EX +int +EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine) +{ + if (engine != NULL) + fatal("%s: ENGINE is not supported", __func__); +# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID + EVP_DigestInit(ctx, md); + return 1; +# else + return EVP_DigestInit(ctx, md); +# endif +} +#endif + +#ifndef HAVE_EVP_DIGESTFINAL_EX +int +EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s) +{ +# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID + EVP_DigestFinal(ctx, md, s); + return 1; +# else + return EVP_DigestFinal(ctx, md, s); +# endif +} +#endif + #ifdef OPENSSL_EVP_DIGESTUPDATE_VOID int ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt) @@ -68,6 +96,14 @@ ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt) } #endif +#ifndef HAVE_EVP_MD_CTX_COPY_EX +int +EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) +{ + return EVP_MD_CTX_copy(out, in); +} +#endif + #ifndef HAVE_BN_IS_PRIME_EX int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb) diff --git a/crypto/openssh/openbsd-compat/openssl-compat.h b/crypto/openssh/openbsd-compat/openssl-compat.h index e7439b4e7..276b9706d 100644 --- a/crypto/openssh/openbsd-compat/openssl-compat.h +++ b/crypto/openssh/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.24 2013/02/12 00:00:40 djm Exp $ */ +/* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -148,6 +148,18 @@ int DSA_generate_parameters_ex(DSA *, int, const unsigned char *, int, int *, int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *); # endif +# ifndef HAVE_EVP_DIGESTINIT_EX +int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *); +# endif + +# ifndef HAVE_EVP_DISESTFINAL_EX +int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *); +# endif + +# ifndef EVP_MD_CTX_COPY_EX +int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *); +# endif + int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *, unsigned char *, int); int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int); @@ -158,5 +170,13 @@ void ssh_OpenSSL_add_all_algorithms(void); # define HMAC_CTX_init(a) # endif +# ifndef HAVE_EVP_MD_CTX_INIT +# define EVP_MD_CTX_init(a) +# endif + +# ifndef HAVE_EVP_MD_CTX_CLEANUP +# define EVP_MD_CTX_cleanup(a) +# endif + #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ diff --git a/crypto/openssh/openbsd-compat/port-aix.c b/crypto/openssh/openbsd-compat/port-aix.c index 0bdefbf6d..8da367d48 100644 --- a/crypto/openssh/openbsd-compat/port-aix.c +++ b/crypto/openssh/openbsd-compat/port-aix.c @@ -86,7 +86,7 @@ aix_usrinfo(struct passwd *pw) fatal("Couldn't set usrinfo: %s", strerror(errno)); debug3("AIX/UsrInfo: set len %d", i); - xfree(cp); + free(cp); } # ifdef WITH_AIXAUTHENTICATE @@ -215,16 +215,14 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) default: /* user can't change(2) or other error (-1) */ logit("Password can't be changed for user %s: %.100s", name, msg); - if (msg) - xfree(msg); + free(msg); authsuccess = 0; } aix_restoreauthdb(); } - if (authmsg != NULL) - xfree(authmsg); + free(authmsg); return authsuccess; } @@ -269,7 +267,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg) if (!permitted) logit("Login restricted for %s: %.100s", pw->pw_name, msg); - xfree(msg); + free(msg); return permitted; } diff --git a/crypto/openssh/openbsd-compat/port-linux.c b/crypto/openssh/openbsd-compat/port-linux.c index aba75387c..4637a7a3e 100644 --- a/crypto/openssh/openbsd-compat/port-linux.c +++ b/crypto/openssh/openbsd-compat/port-linux.c @@ -1,4 +1,4 @@ -/* $Id: port-linux.c,v 1.17 2012/03/08 23:25:18 djm Exp $ */ +/* $Id: port-linux.c,v 1.18 2013/06/01 22:07:32 dtucker Exp $ */ /* * Copyright (c) 2005 Daniel Walsh @@ -96,10 +96,8 @@ ssh_selinux_getctxbyname(char *pwname) } #ifdef HAVE_GETSEUSERBYNAME - if (sename != NULL) - xfree(sename); - if (lvl != NULL) - xfree(lvl); + free(sename); + free(lvl); #endif return sc; @@ -217,8 +215,8 @@ ssh_selinux_change_context(const char *newname) if (setcon(newctx) < 0) switchlog("%s: setcon %s from %s failed with %s", __func__, newctx, oldctx, strerror(errno)); - xfree(oldctx); - xfree(newctx); + free(oldctx); + free(newctx); } void diff --git a/crypto/openssh/openbsd-compat/regress/Makefile.in b/crypto/openssh/openbsd-compat/regress/Makefile.in new file mode 100644 index 000000000..bcf214bd0 --- /dev/null +++ b/crypto/openssh/openbsd-compat/regress/Makefile.in @@ -0,0 +1,38 @@ +# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $ + +sysconfdir=@sysconfdir@ +piddir=@piddir@ +srcdir=@srcdir@ +top_srcdir=@top_srcdir@ + +VPATH=@srcdir@ +CC=@CC@ +LD=@LD@ +CFLAGS=@CFLAGS@ +CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ +EXEEXT=@EXEEXT@ +LIBCOMPAT=../libopenbsd-compat.a +LIBS=@LIBS@ +LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) + +TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ + strtonumtest$(EXEEXT) + +all: t-exec ${OTHERTESTS} + +%$(EXEEXT): %.c + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS) + +t-exec: $(TESTPROGS) + @echo running compat regress tests + @for TEST in ""$?; do \ + echo "run test $${TEST}" ... 1>&2; \ + ./$${TEST}$(EXEEXT) || exit $$? ; \ + done + @echo finished compat regress tests + +clean: + rm -f *.o *.a core $(TESTPROGS) valid.out + +distclean: clean + rm -f Makefile *~ diff --git a/crypto/openssh/openbsd-compat/regress/closefromtest.c b/crypto/openssh/openbsd-compat/regress/closefromtest.c new file mode 100644 index 000000000..82ffeb9a7 --- /dev/null +++ b/crypto/openssh/openbsd-compat/regress/closefromtest.c @@ -0,0 +1,63 @@ +/* + * Copyright (c) 2006 Darren Tucker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include +#include +#include + +#define NUM_OPENS 10 + +int closefrom(int); + +void +fail(char *msg) +{ + fprintf(stderr, "closefrom: %s\n", msg); + exit(1); +} + +int +main(void) +{ + int i, max, fds[NUM_OPENS]; + char buf[512]; + + for (i = 0; i < NUM_OPENS; i++) + if ((fds[i] = open("/dev/null", O_RDONLY)) == -1) + exit(0); /* can't test */ + max = i - 1; + + /* should close last fd only */ + closefrom(fds[max]); + if (close(fds[max]) != -1) + fail("failed to close highest fd"); + + /* make sure we can still use remaining descriptors */ + for (i = 0; i < max; i++) + if (read(fds[i], buf, sizeof(buf)) == -1) + fail("closed descriptors it should not have"); + + /* should close all fds */ + closefrom(fds[0]); + for (i = 0; i < NUM_OPENS; i++) + if (close(fds[i]) != -1) + fail("failed to close from lowest fd"); + return 0; +} diff --git a/crypto/openssh/openbsd-compat/regress/snprintftest.c b/crypto/openssh/openbsd-compat/regress/snprintftest.c new file mode 100644 index 000000000..4ca63e180 --- /dev/null +++ b/crypto/openssh/openbsd-compat/regress/snprintftest.c @@ -0,0 +1,73 @@ +/* + * Copyright (c) 2005 Darren Tucker + * Copyright (c) 2005 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#define BUFSZ 2048 + +#include +#include +#include +#include +#include + +static int failed = 0; + +static void +fail(const char *m) +{ + fprintf(stderr, "snprintftest: %s\n", m); + failed = 1; +} + +int x_snprintf(char *str, size_t count, const char *fmt, ...) +{ + size_t ret; + va_list ap; + + va_start(ap, fmt); + ret = vsnprintf(str, count, fmt, ap); + va_end(ap); + return ret; +} + +int +main(void) +{ + char b[5]; + char *src; + + snprintf(b,5,"123456789"); + if (b[4] != '\0') + fail("snprintf does not correctly terminate long strings"); + + /* check for read overrun on unterminated string */ + if ((src = malloc(BUFSZ)) == NULL) { + fail("malloc failed"); + } else { + memset(src, 'a', BUFSZ); + snprintf(b, sizeof(b), "%.*s", 1, src); + if (strcmp(b, "a") != 0) + fail("failed with length limit '%%.s'"); + } + + /* check that snprintf and vsnprintf return sane values */ + if (snprintf(b, 1, "%s %d", "hello", 12345) != 11) + fail("snprintf does not return required length"); + if (x_snprintf(b, 1, "%s %d", "hello", 12345) != 11) + fail("vsnprintf does not return required length"); + + return failed; +} diff --git a/crypto/openssh/openbsd-compat/regress/strduptest.c b/crypto/openssh/openbsd-compat/regress/strduptest.c new file mode 100644 index 000000000..7f6d779be --- /dev/null +++ b/crypto/openssh/openbsd-compat/regress/strduptest.c @@ -0,0 +1,45 @@ +/* + * Copyright (c) 2005 Darren Tucker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +static int fail = 0; + +void +test(const char *a) +{ + char *b; + + b = strdup(a); + if (b == 0) { + fail = 1; + return; + } + if (strcmp(a, b) != 0) + fail = 1; + free(b); +} + +int +main(void) +{ + test(""); + test("a"); + test("\0"); + test("abcdefghijklmnopqrstuvwxyz"); + return fail; +} diff --git a/crypto/openssh/openbsd-compat/regress/strtonumtest.c b/crypto/openssh/openbsd-compat/regress/strtonumtest.c new file mode 100644 index 000000000..50ca5bd22 --- /dev/null +++ b/crypto/openssh/openbsd-compat/regress/strtonumtest.c @@ -0,0 +1,80 @@ +/* $OpenBSD: strtonumtest.c,v 1.1 2004/08/03 20:38:36 otto Exp $ */ +/* + * Copyright (c) 2004 Otto Moerbeek + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* OPENBSD ORIGINAL: regress/lib/libc/strtonum/strtonumtest.c */ + +#include +#include +#include + +/* LLONG_MAX is known as LONGLONG_MAX on AIX */ +#if defined(LONGLONG_MAX) && !defined(LLONG_MAX) +# define LLONG_MAX LONGLONG_MAX +# define LLONG_MIN LONGLONG_MIN +#endif + +/* LLONG_MAX is known as LONG_LONG_MAX on HP-UX */ +#if defined(LONG_LONG_MAX) && !defined(LLONG_MAX) +# define LLONG_MAX LONG_LONG_MAX +# define LLONG_MIN LONG_LONG_MIN +#endif + +long long strtonum(const char *, long long, long long, const char **); + +int fail; + +void +test(const char *p, long long lb, long long ub, int ok) +{ + long long val; + const char *q; + + val = strtonum(p, lb, ub, &q); + if (ok && q != NULL) { + fprintf(stderr, "%s [%lld-%lld] ", p, lb, ub); + fprintf(stderr, "NUMBER NOT ACCEPTED %s\n", q); + fail = 1; + } else if (!ok && q == NULL) { + fprintf(stderr, "%s [%lld-%lld] %lld ", p, lb, ub, val); + fprintf(stderr, "NUMBER ACCEPTED\n"); + fail = 1; + } +} + +int main(int argc, char *argv[]) +{ + test("1", 0, 10, 1); + test("0", -2, 5, 1); + test("0", 2, 5, 0); + test("0", 2, LLONG_MAX, 0); + test("-2", 0, LLONG_MAX, 0); + test("0", -5, LLONG_MAX, 1); + test("-3", -3, LLONG_MAX, 1); + test("-9223372036854775808", LLONG_MIN, LLONG_MAX, 1); + test("9223372036854775807", LLONG_MIN, LLONG_MAX, 1); + test("-9223372036854775809", LLONG_MIN, LLONG_MAX, 0); + test("9223372036854775808", LLONG_MIN, LLONG_MAX, 0); + test("1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0); + test("-1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0); + test("-2", 10, -1, 0); + test("-2", -10, -1, 1); + test("-20", -10, -1, 0); + test("20", -10, -1, 0); + + return (fail); +} + diff --git a/crypto/openssh/openbsd-compat/setproctitle.c b/crypto/openssh/openbsd-compat/setproctitle.c index 2965f689e..9f7ca14c2 100644 --- a/crypto/openssh/openbsd-compat/setproctitle.c +++ b/crypto/openssh/openbsd-compat/setproctitle.c @@ -67,7 +67,8 @@ static size_t argv_env_len = 0; void compat_init_setproctitle(int argc, char *argv[]) { -#if defined(SPT_TYPE) && SPT_TYPE == SPT_REUSEARGV +#if !defined(HAVE_SETPROCTITLE) && \ + defined(SPT_TYPE) && SPT_TYPE == SPT_REUSEARGV extern char **environ; char *lastargv = NULL; char **envp = environ; @@ -125,6 +126,7 @@ setproctitle(const char *fmt, ...) va_list ap; char buf[1024], ptitle[1024]; size_t len; + int r; extern char *__progname; #if SPT_TYPE == SPT_PSTAT union pstun pst; @@ -137,13 +139,16 @@ setproctitle(const char *fmt, ...) strlcpy(buf, __progname, sizeof(buf)); + r = -1; va_start(ap, fmt); if (fmt != NULL) { len = strlcat(buf, ": ", sizeof(buf)); if (len < sizeof(buf)) - vsnprintf(buf + len, sizeof(buf) - len , fmt, ap); + r = vsnprintf(buf + len, sizeof(buf) - len , fmt, ap); } va_end(ap); + if (r == -1 || (size_t)r >= sizeof(buf) - len) + return; strnvis(ptitle, buf, sizeof(ptitle), VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL); diff --git a/crypto/openssh/openbsd-compat/strnlen.c b/crypto/openssh/openbsd-compat/strnlen.c new file mode 100644 index 000000000..93d515595 --- /dev/null +++ b/crypto/openssh/openbsd-compat/strnlen.c @@ -0,0 +1,37 @@ +/* $OpenBSD: strnlen.c,v 1.3 2010/06/02 12:58:12 millert Exp $ */ + +/* + * Copyright (c) 2010 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* OPENBSD ORIGINAL: lib/libc/string/strnlen.c */ + +#include "config.h" +#ifndef HAVE_STRNLEN +#include + +#include + +size_t +strnlen(const char *str, size_t maxlen) +{ + const char *cp; + + for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--) + ; + + return (size_t)(cp - str); +} +#endif diff --git a/crypto/openssh/openbsd-compat/xcrypt.c b/crypto/openssh/openbsd-compat/xcrypt.c index 6291e2884..c8aea461d 100644 --- a/crypto/openssh/openbsd-compat/xcrypt.c +++ b/crypto/openssh/openbsd-compat/xcrypt.c @@ -55,7 +55,12 @@ # if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) # include "md5crypt.h" -# endif +# endif + +# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) +# include +# define crypt DES_crypt +# endif char * xcrypt(const char *password, const char *salt) diff --git a/crypto/openssh/openssh.xml.in b/crypto/openssh/openssh.xml.in new file mode 100644 index 000000000..8afe1d366 --- /dev/null +++ b/crypto/openssh/openssh.xml.in @@ -0,0 +1,90 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/crypto/openssh/opensshd.init.in b/crypto/openssh/opensshd.init.in new file mode 100755 index 000000000..0db60caa7 --- /dev/null +++ b/crypto/openssh/opensshd.init.in @@ -0,0 +1,88 @@ +#!@STARTUP_SCRIPT_SHELL@ +# Donated code that was put under PD license. +# +# Stripped PRNGd out of it for the time being. + +umask 022 + +CAT=@CAT@ +KILL=@KILL@ + +prefix=@prefix@ +sysconfdir=@sysconfdir@ +piddir=@piddir@ + +SSHD=$prefix/sbin/sshd +PIDFILE=$piddir/sshd.pid +PidFile=`grep "^PidFile" ${sysconfdir}/sshd_config | tr "=" " " | awk '{print $2}'` +[ X$PidFile = X ] || PIDFILE=$PidFile +SSH_KEYGEN=$prefix/bin/ssh-keygen +HOST_KEY_RSA1=$sysconfdir/ssh_host_key +HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key +HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key +@COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key + + +checkkeys() { + if [ ! -f $HOST_KEY_RSA1 ]; then + ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N "" + fi + if [ ! -f $HOST_KEY_DSA ]; then + ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N "" + fi + if [ ! -f $HOST_KEY_RSA ]; then + ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N "" + fi +@COMMENT_OUT_ECC@ if [ ! -f $HOST_KEY_ECDSA ]; then +@COMMENT_OUT_ECC@ ${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N "" +@COMMENT_OUT_ECC@ fi +} + +stop_service() { + if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then + PID=`${CAT} ${PIDFILE}` + fi + if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then + ${KILL} ${PID} + else + echo "Unable to read PID file" + fi +} + +start_service() { + # XXX We really should check if the service is already going, but + # XXX we will opt out at this time. - Bal + + # Check to see if we have keys that need to be made + checkkeys + + # Start SSHD + echo "starting $SSHD... \c" ; $SSHD + + sshd_rc=$? + if [ $sshd_rc -ne 0 ]; then + echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing." + exit $sshd_rc + fi + echo done. +} + +case $1 in + +'start') + start_service + ;; + +'stop') + stop_service + ;; + +'restart') + stop_service + start_service + ;; + +*) + echo "$0: usage: $0 {start|stop|restart}" + ;; +esac diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c index 1fb89d36f..27f9e832f 100644 --- a/crypto/openssh/packet.c +++ b/crypto/openssh/packet.c @@ -1,5 +1,5 @@ -/* $OpenBSD: packet.c,v 1.181 2013/02/10 23:35:24 djm Exp $ */ -/* $OpenBSD: packet.c,v 1.182 2013/04/11 02:27:50 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.192 2014/02/02 03:44:31 djm Exp $ */ +/* $FreeBSD$ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -39,6 +39,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include "openbsd-compat/sys-queue.h" @@ -59,6 +60,7 @@ #include #include #include +#include #include "xmalloc.h" #include "buffer.h" @@ -166,9 +168,14 @@ struct session_state { Newkeys *newkeys[MODE_MAX]; struct packet_state p_read, p_send; + /* Volume-based rekeying */ u_int64_t max_blocks_in, max_blocks_out; u_int32_t rekey_limit; + /* Time-based rekeying */ + time_t rekey_interval; /* how often in seconds */ + time_t rekey_time; /* time of last rekeying */ + /* Session key for protocol v1 */ u_char ssh1_key[SSH_SESSION_KEY_LENGTH]; u_int ssh1_keylen; @@ -219,7 +226,7 @@ alloc_session_state(void) void packet_set_connection(int fd_in, int fd_out) { - Cipher *none = cipher_by_name("none"); + const Cipher *none = cipher_by_name("none"); if (none == NULL) fatal("packet_set_connection: cannot load cipher 'none'"); @@ -549,7 +556,7 @@ packet_start_compression(int level) void packet_set_encryption_key(const u_char *key, u_int keylen, int number) { - Cipher *cipher = cipher_by_number(number); + const Cipher *cipher = cipher_by_number(number); if (cipher == NULL) fatal("packet_set_encryption_key: unknown cipher number %d", number); @@ -711,9 +718,10 @@ packet_send1(void) buffer_append(&active_state->output, buf, 4); cp = buffer_append_space(&active_state->output, buffer_len(&active_state->outgoing_packet)); - cipher_crypt(&active_state->send_context, cp, + if (cipher_crypt(&active_state->send_context, 0, cp, buffer_ptr(&active_state->outgoing_packet), - buffer_len(&active_state->outgoing_packet), 0, 0); + buffer_len(&active_state->outgoing_packet), 0, 0) != 0) + fatal("%s: cipher_crypt failed", __func__); #ifdef PACKET_DEBUG fprintf(stderr, "encrypted: "); @@ -761,16 +769,16 @@ set_newkeys(int mode) mac = &active_state->newkeys[mode]->mac; comp = &active_state->newkeys[mode]->comp; mac_clear(mac); - memset(enc->iv, 0, enc->iv_len); - memset(enc->key, 0, enc->key_len); - memset(mac->key, 0, mac->key_len); - xfree(enc->name); - xfree(enc->iv); - xfree(enc->key); - xfree(mac->name); - xfree(mac->key); - xfree(comp->name); - xfree(active_state->newkeys[mode]); + explicit_bzero(enc->iv, enc->iv_len); + explicit_bzero(enc->key, enc->key_len); + explicit_bzero(mac->key, mac->key_len); + free(enc->name); + free(enc->iv); + free(enc->key); + free(mac->name); + free(mac->key); + free(comp->name); + free(active_state->newkeys[mode]); } active_state->newkeys[mode] = kex_get_newkeys(mode); if (active_state->newkeys[mode] == NULL) @@ -784,9 +792,9 @@ set_newkeys(int mode) cipher_init(cc, enc->cipher, enc->key, enc->key_len, enc->iv, enc->iv_len, crypt_type); /* Deleting the keys does not gain extra security */ - /* memset(enc->iv, 0, enc->block_size); - memset(enc->key, 0, enc->key_len); - memset(mac->key, 0, mac->key_len); */ + /* explicit_bzero(enc->iv, enc->block_size); + explicit_bzero(enc->key, enc->key_len); + explicit_bzero(mac->key, mac->key_len); */ if ((comp->type == COMP_ZLIB || (comp->type == COMP_DELAYED && active_state->after_authentication)) && comp->enabled == 0) { @@ -925,7 +933,7 @@ packet_send2_wrapped(void) } } else { /* clear padding */ - memset(cp, 0, padlen); + explicit_bzero(cp, padlen); } /* sizeof (packet_len + pad_len + payload + padding) */ len = buffer_len(&active_state->outgoing_packet); @@ -944,9 +952,10 @@ packet_send2_wrapped(void) } /* encrypt packet and append to output buffer. */ cp = buffer_append_space(&active_state->output, len + authlen); - cipher_crypt(&active_state->send_context, cp, - buffer_ptr(&active_state->outgoing_packet), - len - aadlen, aadlen, authlen); + if (cipher_crypt(&active_state->send_context, active_state->p_send.seqnr, + cp, buffer_ptr(&active_state->outgoing_packet), + len - aadlen, aadlen, authlen) != 0) + fatal("%s: cipher_crypt failed", __func__); /* append unencrypted MAC */ if (mac && mac->enabled) { if (mac->etm) { @@ -994,7 +1003,7 @@ packet_send2(void) (type == SSH2_MSG_SERVICE_REQUEST) || (type == SSH2_MSG_SERVICE_ACCEPT)) { debug("enqueue packet: %u", type); - p = xmalloc(sizeof(*p)); + p = xcalloc(1, sizeof(*p)); p->type = type; memcpy(&p->payload, &active_state->outgoing_packet, sizeof(Buffer)); @@ -1013,6 +1022,7 @@ packet_send2(void) /* after a NEWKEYS message we can send the complete queue */ if (type == SSH2_MSG_NEWKEYS) { active_state->rekeying = 0; + active_state->rekey_time = monotime(); while ((p = TAILQ_FIRST(&active_state->outgoing))) { type = p->type; debug("dequeue packet: %u", type); @@ -1020,7 +1030,7 @@ packet_send2(void) memcpy(&active_state->outgoing_packet, &p->payload, sizeof(Buffer)); TAILQ_REMOVE(&active_state->outgoing, p, next); - xfree(p); + free(p); packet_send2_wrapped(); } } @@ -1045,7 +1055,7 @@ packet_send(void) int packet_read_seqnr(u_int32_t *seqnr_p) { - int type, len, ret, ms_remain, cont; + int type, len, ret, cont, ms_remain = 0; fd_set *setp; char buf[8192]; struct timeval timeout, start, *timeoutp = NULL; @@ -1070,7 +1080,7 @@ packet_read_seqnr(u_int32_t *seqnr_p) packet_check_eom(); /* If we got a packet, return it. */ if (type != SSH_MSG_NONE) { - xfree(setp); + free(setp); return type; } /* @@ -1205,8 +1215,9 @@ packet_read_poll1(void) /* Decrypt data to incoming_packet. */ buffer_clear(&active_state->incoming_packet); cp = buffer_append_space(&active_state->incoming_packet, padded_len); - cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), padded_len, 0, 0); + if (cipher_crypt(&active_state->receive_context, 0, cp, + buffer_ptr(&active_state->input), padded_len, 0, 0) != 0) + fatal("%s: cipher_crypt failed", __func__); buffer_consume(&active_state->input, padded_len); @@ -1276,10 +1287,12 @@ packet_read_poll2(u_int32_t *seqnr_p) aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; if (aadlen && active_state->packlen == 0) { - if (buffer_len(&active_state->input) < 4) + if (cipher_get_length(&active_state->receive_context, + &active_state->packlen, + active_state->p_read.seqnr, + buffer_ptr(&active_state->input), + buffer_len(&active_state->input)) != 0) return SSH_MSG_NONE; - cp = buffer_ptr(&active_state->input); - active_state->packlen = get_u32(cp); if (active_state->packlen < 1 + 4 || active_state->packlen > PACKET_MAX_SIZE) { #ifdef PACKET_DEBUG @@ -1299,8 +1312,10 @@ packet_read_poll2(u_int32_t *seqnr_p) buffer_clear(&active_state->incoming_packet); cp = buffer_append_space(&active_state->incoming_packet, block_size); - cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), block_size, 0, 0); + if (cipher_crypt(&active_state->receive_context, + active_state->p_read.seqnr, cp, + buffer_ptr(&active_state->input), block_size, 0, 0) != 0) + fatal("Decryption integrity check failed"); cp = buffer_ptr(&active_state->incoming_packet); active_state->packlen = get_u32(cp); @@ -1355,8 +1370,10 @@ packet_read_poll2(u_int32_t *seqnr_p) macbuf = mac_compute(mac, active_state->p_read.seqnr, buffer_ptr(&active_state->input), aadlen + need); cp = buffer_append_space(&active_state->incoming_packet, aadlen + need); - cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), need, aadlen, authlen); + if (cipher_crypt(&active_state->receive_context, + active_state->p_read.seqnr, cp, + buffer_ptr(&active_state->input), need, aadlen, authlen) != 0) + fatal("Decryption integrity check failed"); buffer_consume(&active_state->input, aadlen + need + authlen); /* * compute MAC over seqnr and packet, @@ -1458,9 +1475,9 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) packet_get_char(); msg = packet_get_string(NULL); debug("Remote: %.900s", msg); - xfree(msg); + free(msg); msg = packet_get_string(NULL); - xfree(msg); + free(msg); break; case SSH2_MSG_DISCONNECT: reason = packet_get_int(); @@ -1471,7 +1488,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, "Received disconnect from %s: %u: %.400s", get_remote_ipaddr(), reason, msg); - xfree(msg); + free(msg); cleanup_exit(255); break; case SSH2_MSG_UNIMPLEMENTED: @@ -1485,12 +1502,14 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) } else { type = packet_read_poll1(); switch (type) { + case SSH_MSG_NONE: + return SSH_MSG_NONE; case SSH_MSG_IGNORE: break; case SSH_MSG_DEBUG: msg = packet_get_string(NULL); debug("Remote: %.900s", msg); - xfree(msg); + free(msg); break; case SSH_MSG_DISCONNECT: msg = packet_get_string(NULL); @@ -1499,8 +1518,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) cleanup_exit(255); break; default: - if (type) - DBG(debug("received packet type %d", type)); + DBG(debug("received packet type %d", type)); return type; } } @@ -1737,7 +1755,7 @@ void packet_write_wait(void) { fd_set *setp; - int ret, ms_remain; + int ret, ms_remain = 0; struct timeval start, timeout, *timeoutp = NULL; setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, @@ -1778,7 +1796,7 @@ packet_write_wait(void) } packet_write_poll(); } - xfree(setp); + free(setp); } /* Returns true if there is buffered data to write to the connection. */ @@ -1952,13 +1970,33 @@ packet_need_rekeying(void) (active_state->max_blocks_out && (active_state->p_send.blocks > active_state->max_blocks_out)) || (active_state->max_blocks_in && - (active_state->p_read.blocks > active_state->max_blocks_in)); + (active_state->p_read.blocks > active_state->max_blocks_in)) || + (active_state->rekey_interval != 0 && active_state->rekey_time + + active_state->rekey_interval <= monotime()); } void -packet_set_rekey_limit(u_int32_t bytes) +packet_set_rekey_limits(u_int32_t bytes, time_t seconds) { + debug3("rekey after %lld bytes, %d seconds", (long long)bytes, + (int)seconds); active_state->rekey_limit = bytes; + active_state->rekey_interval = seconds; + /* + * We set the time here so that in post-auth privsep slave we count + * from the completion of the authentication. + */ + active_state->rekey_time = monotime(); +} + +time_t +packet_get_rekey_timeout(void) +{ + time_t seconds; + + seconds = active_state->rekey_time + active_state->rekey_interval - + monotime(); + return (seconds <= 0 ? 1 : seconds); } void diff --git a/crypto/openssh/packet.h b/crypto/openssh/packet.h index 74fffe715..524b920d5 100644 --- a/crypto/openssh/packet.h +++ b/crypto/openssh/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.57 2012/01/25 19:40:09 markus Exp $ */ +/* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */ /* $FreeBSD$ */ /* @@ -75,7 +75,7 @@ void *packet_get_raw(u_int *length_ptr); void *packet_get_string(u_int *length_ptr); char *packet_get_cstring(u_int *length_ptr); void *packet_get_string_ptr(u_int *length_ptr); -void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2))); +void packet_disconnect(const char *fmt,...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2))); void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); void set_newkeys(int mode); @@ -122,7 +122,8 @@ int packet_need_rekeying(void); #ifdef NONE_CIPHER_ENABLED void packet_request_rekeying(void); #endif -void packet_set_rekey_limit(u_int32_t); +void packet_set_rekey_limits(u_int32_t, time_t); +time_t packet_get_rekey_timeout(void); void packet_backup_state(void); void packet_restore_state(void); diff --git a/crypto/openssh/pathnames.h b/crypto/openssh/pathnames.h index 813af9a49..e53d67a19 100644 --- a/crypto/openssh/pathnames.h +++ b/crypto/openssh/pathnames.h @@ -1,4 +1,5 @@ -/* $OpenBSD: pathnames.h,v 1.22 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: pathnames.h,v 1.24 2013/12/06 13:39:49 markus Exp $ */ +/* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -39,6 +40,7 @@ #define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key" #define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key" #define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key" +#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key" #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" #define _PATH_DH_MODULI SSHDIR "/moduli" /* Backwards compatibility */ @@ -65,18 +67,19 @@ * readable by anyone except the user him/herself, though this does not * contain anything particularly secret. */ -#define _PATH_SSH_USER_HOSTFILE "~/.ssh/known_hosts" +#define _PATH_SSH_USER_HOSTFILE "~/" _PATH_SSH_USER_DIR "/known_hosts" /* backward compat for protocol 2 */ -#define _PATH_SSH_USER_HOSTFILE2 "~/.ssh/known_hosts2" +#define _PATH_SSH_USER_HOSTFILE2 "~/" _PATH_SSH_USER_DIR "/known_hosts2" /* * Name of the default file containing client-side authentication key. This * file should only be readable by the user him/herself. */ -#define _PATH_SSH_CLIENT_IDENTITY ".ssh/identity" -#define _PATH_SSH_CLIENT_ID_DSA ".ssh/id_dsa" -#define _PATH_SSH_CLIENT_ID_ECDSA ".ssh/id_ecdsa" -#define _PATH_SSH_CLIENT_ID_RSA ".ssh/id_rsa" +#define _PATH_SSH_CLIENT_IDENTITY _PATH_SSH_USER_DIR "/identity" +#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa" +#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa" +#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa" +#define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519" /* * Configuration file in user's home directory. This file need not be @@ -84,7 +87,7 @@ * particularly secret. If the user's home directory resides on an NFS * volume where root is mapped to nobody, this may need to be world-readable. */ -#define _PATH_SSH_USER_CONFFILE ".ssh/config" +#define _PATH_SSH_USER_CONFFILE _PATH_SSH_USER_DIR "/config" /* * File containing a list of those rsa keys that permit logging in as this @@ -94,10 +97,10 @@ * may need to be world-readable. (This file is read by the daemon which is * running as root.) */ -#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" +#define _PATH_SSH_USER_PERMITTED_KEYS _PATH_SSH_USER_DIR "/authorized_keys" /* backward compat for protocol v2 */ -#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" +#define _PATH_SSH_USER_PERMITTED_KEYS2 _PATH_SSH_USER_DIR "/authorized_keys2" /* * Per-user and system-wide ssh "rc" files. These files are executed with @@ -105,7 +108,7 @@ * passed "proto cookie" as arguments if X11 forwarding with spoofing is in * use. xauth will be run if neither of these exists. */ -#define _PATH_SSH_USER_RC ".ssh/rc" +#define _PATH_SSH_USER_RC _PATH_SSH_USER_DIR "/rc" #define _PATH_SSH_SYSTEM_RC SSHDIR "/sshrc" /* diff --git a/crypto/openssh/pkcs11.h b/crypto/openssh/pkcs11.h index 2cde5b3f4..b01d58f94 100644 --- a/crypto/openssh/pkcs11.h +++ b/crypto/openssh/pkcs11.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs11.h,v 1.2 2010/02/24 06:12:53 djm Exp $ */ +/* $OpenBSD: pkcs11.h,v 1.3 2013/11/26 19:15:09 deraadt Exp $ */ /* pkcs11.h Copyright 2006, 2007 g10 Code GmbH Copyright 2006 Andreas Jellinghaus @@ -319,7 +319,7 @@ typedef unsigned long ck_object_class_t; #define CKO_HW_FEATURE (5) #define CKO_DOMAIN_PARAMETERS (6) #define CKO_MECHANISM (7) -#define CKO_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKO_VENDOR_DEFINED (1U << 31) typedef unsigned long ck_hw_feature_type_t; @@ -327,7 +327,7 @@ typedef unsigned long ck_hw_feature_type_t; #define CKH_MONOTONIC_COUNTER (1) #define CKH_CLOCK (2) #define CKH_USER_INTERFACE (3) -#define CKH_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKH_VENDOR_DEFINED (1U << 31) typedef unsigned long ck_key_type_t; @@ -357,14 +357,14 @@ typedef unsigned long ck_key_type_t; #define CKK_AES (0x1f) #define CKK_BLOWFISH (0x20) #define CKK_TWOFISH (0x21) -#define CKK_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKK_VENDOR_DEFINED (1U << 31) typedef unsigned long ck_certificate_type_t; #define CKC_X_509 (0) #define CKC_X_509_ATTR_CERT (1) #define CKC_WTLS (2) -#define CKC_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKC_VENDOR_DEFINED (1U << 31) typedef unsigned long ck_attribute_type_t; @@ -453,7 +453,7 @@ typedef unsigned long ck_attribute_type_t; #define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211) #define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212) #define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600) -#define CKA_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKA_VENDOR_DEFINED (1U << 31) struct ck_attribute @@ -672,7 +672,7 @@ typedef unsigned long ck_mechanism_type_t; #define CKM_DSA_PARAMETER_GEN (0x2000) #define CKM_DH_PKCS_PARAMETER_GEN (0x2001) #define CKM_X9_42_DH_PARAMETER_GEN (0x2002) -#define CKM_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKM_VENDOR_DEFINED (1U << 31) struct ck_mechanism @@ -703,7 +703,7 @@ struct ck_mechanism_info #define CKF_WRAP (1 << 17) #define CKF_UNWRAP (1 << 18) #define CKF_DERIVE (1 << 19) -#define CKF_EXTENSION ((unsigned long) (1 << 31)) +#define CKF_EXTENSION (1U << 31) /* Flags for C_WaitForSlotEvent. */ @@ -1179,7 +1179,7 @@ struct ck_c_initialize_args #define CKR_MUTEX_BAD (0x1a0) #define CKR_MUTEX_NOT_LOCKED (0x1a1) #define CKR_FUNCTION_REJECTED (0x200) -#define CKR_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKR_VENDOR_DEFINED (1U << 31) diff --git a/crypto/openssh/platform.c b/crypto/openssh/platform.c index 3262b2478..30fc60909 100644 --- a/crypto/openssh/platform.c +++ b/crypto/openssh/platform.c @@ -1,4 +1,4 @@ -/* $Id: platform.c,v 1.19 2013/03/12 00:31:05 dtucker Exp $ */ +/* $Id: platform.c,v 1.21 2014/01/21 01:59:29 tim Exp $ */ /* * Copyright (c) 2006 Darren Tucker. All rights reserved. @@ -54,6 +54,14 @@ platform_pre_fork(void) #endif } +void +platform_pre_restart(void) +{ +#ifdef LINUX_OOM_ADJUST + oom_adjust_restore(); +#endif +} + void platform_post_fork_parent(pid_t child_pid) { @@ -156,12 +164,6 @@ platform_setusercontext_post_groups(struct passwd *pw) aix_usrinfo(pw); #endif /* _AIX */ -#if !defined(HAVE_LOGIN_CAP) && defined(USE_LIBIAF) - if (set_id(pw->pw_name) != 0) { - exit(1); - } -# endif /* USE_LIBIAF */ - #ifdef HAVE_SETPCRED /* * If we have a chroot directory, we set all creds except real diff --git a/crypto/openssh/platform.h b/crypto/openssh/platform.h index 19f6bfdd3..1c7a45d8f 100644 --- a/crypto/openssh/platform.h +++ b/crypto/openssh/platform.h @@ -1,4 +1,4 @@ -/* $Id: platform.h,v 1.8 2013/03/12 00:31:05 dtucker Exp $ */ +/* $Id: platform.h,v 1.9 2013/09/22 09:02:40 dtucker Exp $ */ /* * Copyright (c) 2006 Darren Tucker. All rights reserved. @@ -22,6 +22,7 @@ void platform_pre_listen(void); void platform_pre_fork(void); +void platform_pre_restart(void); void platform_post_fork_parent(pid_t child_pid); void platform_post_fork_child(void); int platform_privileged_uidswap(void); diff --git a/crypto/openssh/poly1305.c b/crypto/openssh/poly1305.c new file mode 100644 index 000000000..6fd1fc8cd --- /dev/null +++ b/crypto/openssh/poly1305.c @@ -0,0 +1,160 @@ +/* + * Public Domain poly1305 from Andrew Moon + * poly1305-donna-unrolled.c from https://github.com/floodyberry/poly1305-donna + */ + +/* $OpenBSD: poly1305.c,v 1.3 2013/12/19 22:57:13 djm Exp $ */ + +#include "includes.h" + +#include +#ifdef HAVE_STDINT_H +# include +#endif + +#include "poly1305.h" + +#define mul32x32_64(a,b) ((uint64_t)(a) * (b)) + +#define U8TO32_LE(p) \ + (((uint32_t)((p)[0])) | \ + ((uint32_t)((p)[1]) << 8) | \ + ((uint32_t)((p)[2]) << 16) | \ + ((uint32_t)((p)[3]) << 24)) + +#define U32TO8_LE(p, v) \ + do { \ + (p)[0] = (uint8_t)((v)); \ + (p)[1] = (uint8_t)((v) >> 8); \ + (p)[2] = (uint8_t)((v) >> 16); \ + (p)[3] = (uint8_t)((v) >> 24); \ + } while (0) + +void +poly1305_auth(unsigned char out[POLY1305_TAGLEN], const unsigned char *m, size_t inlen, const unsigned char key[POLY1305_KEYLEN]) { + uint32_t t0,t1,t2,t3; + uint32_t h0,h1,h2,h3,h4; + uint32_t r0,r1,r2,r3,r4; + uint32_t s1,s2,s3,s4; + uint32_t b, nb; + size_t j; + uint64_t t[5]; + uint64_t f0,f1,f2,f3; + uint32_t g0,g1,g2,g3,g4; + uint64_t c; + unsigned char mp[16]; + + /* clamp key */ + t0 = U8TO32_LE(key+0); + t1 = U8TO32_LE(key+4); + t2 = U8TO32_LE(key+8); + t3 = U8TO32_LE(key+12); + + /* precompute multipliers */ + r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6; + r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12; + r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18; + r3 = t2 & 0x3f03fff; t3 >>= 8; + r4 = t3 & 0x00fffff; + + s1 = r1 * 5; + s2 = r2 * 5; + s3 = r3 * 5; + s4 = r4 * 5; + + /* init state */ + h0 = 0; + h1 = 0; + h2 = 0; + h3 = 0; + h4 = 0; + + /* full blocks */ + if (inlen < 16) goto poly1305_donna_atmost15bytes; +poly1305_donna_16bytes: + m += 16; + inlen -= 16; + + t0 = U8TO32_LE(m-16); + t1 = U8TO32_LE(m-12); + t2 = U8TO32_LE(m-8); + t3 = U8TO32_LE(m-4); + + h0 += t0 & 0x3ffffff; + h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff; + h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff; + h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff; + h4 += (t3 >> 8) | (1 << 24); + + +poly1305_donna_mul: + t[0] = mul32x32_64(h0,r0) + mul32x32_64(h1,s4) + mul32x32_64(h2,s3) + mul32x32_64(h3,s2) + mul32x32_64(h4,s1); + t[1] = mul32x32_64(h0,r1) + mul32x32_64(h1,r0) + mul32x32_64(h2,s4) + mul32x32_64(h3,s3) + mul32x32_64(h4,s2); + t[2] = mul32x32_64(h0,r2) + mul32x32_64(h1,r1) + mul32x32_64(h2,r0) + mul32x32_64(h3,s4) + mul32x32_64(h4,s3); + t[3] = mul32x32_64(h0,r3) + mul32x32_64(h1,r2) + mul32x32_64(h2,r1) + mul32x32_64(h3,r0) + mul32x32_64(h4,s4); + t[4] = mul32x32_64(h0,r4) + mul32x32_64(h1,r3) + mul32x32_64(h2,r2) + mul32x32_64(h3,r1) + mul32x32_64(h4,r0); + + h0 = (uint32_t)t[0] & 0x3ffffff; c = (t[0] >> 26); + t[1] += c; h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26); + t[2] += b; h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26); + t[3] += b; h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26); + t[4] += b; h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26); + h0 += b * 5; + + if (inlen >= 16) goto poly1305_donna_16bytes; + + /* final bytes */ +poly1305_donna_atmost15bytes: + if (!inlen) goto poly1305_donna_finish; + + for (j = 0; j < inlen; j++) mp[j] = m[j]; + mp[j++] = 1; + for (; j < 16; j++) mp[j] = 0; + inlen = 0; + + t0 = U8TO32_LE(mp+0); + t1 = U8TO32_LE(mp+4); + t2 = U8TO32_LE(mp+8); + t3 = U8TO32_LE(mp+12); + + h0 += t0 & 0x3ffffff; + h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff; + h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff; + h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff; + h4 += (t3 >> 8); + + goto poly1305_donna_mul; + +poly1305_donna_finish: + b = h0 >> 26; h0 = h0 & 0x3ffffff; + h1 += b; b = h1 >> 26; h1 = h1 & 0x3ffffff; + h2 += b; b = h2 >> 26; h2 = h2 & 0x3ffffff; + h3 += b; b = h3 >> 26; h3 = h3 & 0x3ffffff; + h4 += b; b = h4 >> 26; h4 = h4 & 0x3ffffff; + h0 += b * 5; b = h0 >> 26; h0 = h0 & 0x3ffffff; + h1 += b; + + g0 = h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff; + g1 = h1 + b; b = g1 >> 26; g1 &= 0x3ffffff; + g2 = h2 + b; b = g2 >> 26; g2 &= 0x3ffffff; + g3 = h3 + b; b = g3 >> 26; g3 &= 0x3ffffff; + g4 = h4 + b - (1 << 26); + + b = (g4 >> 31) - 1; + nb = ~b; + h0 = (h0 & nb) | (g0 & b); + h1 = (h1 & nb) | (g1 & b); + h2 = (h2 & nb) | (g2 & b); + h3 = (h3 & nb) | (g3 & b); + h4 = (h4 & nb) | (g4 & b); + + f0 = ((h0 ) | (h1 << 26)) + (uint64_t)U8TO32_LE(&key[16]); + f1 = ((h1 >> 6) | (h2 << 20)) + (uint64_t)U8TO32_LE(&key[20]); + f2 = ((h2 >> 12) | (h3 << 14)) + (uint64_t)U8TO32_LE(&key[24]); + f3 = ((h3 >> 18) | (h4 << 8)) + (uint64_t)U8TO32_LE(&key[28]); + + U32TO8_LE(&out[ 0], f0); f1 += (f0 >> 32); + U32TO8_LE(&out[ 4], f1); f2 += (f1 >> 32); + U32TO8_LE(&out[ 8], f2); f3 += (f2 >> 32); + U32TO8_LE(&out[12], f3); +} diff --git a/crypto/openssh/poly1305.h b/crypto/openssh/poly1305.h new file mode 100644 index 000000000..221efc462 --- /dev/null +++ b/crypto/openssh/poly1305.h @@ -0,0 +1,22 @@ +/* $OpenBSD: poly1305.h,v 1.2 2013/12/19 22:57:13 djm Exp $ */ + +/* + * Public Domain poly1305 from Andrew Moon + * poly1305-donna-unrolled.c from https://github.com/floodyberry/poly1305-donna + */ + +#ifndef POLY1305_H +#define POLY1305_H + +#include + +#define POLY1305_KEYLEN 32 +#define POLY1305_TAGLEN 16 + +void poly1305_auth(u_char out[POLY1305_TAGLEN], const u_char *m, size_t inlen, + const u_char key[POLY1305_KEYLEN]) + __attribute__((__bounded__(__minbytes__, 1, POLY1305_TAGLEN))) + __attribute__((__bounded__(__buffer__, 2, 3))) + __attribute__((__bounded__(__minbytes__, 4, POLY1305_KEYLEN))); + +#endif /* POLY1305_H */ diff --git a/crypto/openssh/progressmeter.c b/crypto/openssh/progressmeter.c index 0f95222d2..bbbc7066b 100644 --- a/crypto/openssh/progressmeter.c +++ b/crypto/openssh/progressmeter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: progressmeter.c,v 1.37 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: progressmeter.c,v 1.40 2013/09/19 00:24:52 djm Exp $ */ /* * Copyright (c) 2003 Nils Nordman. All rights reserved. * @@ -66,6 +66,7 @@ static void update_progress_meter(int); static time_t start; /* start progress */ static time_t last_update; /* last progress update */ static char *file; /* name of the file being transferred */ +static off_t start_pos; /* initial position of transfer */ static off_t end_pos; /* ending position of transfer */ static off_t cur_pos; /* transfer position as of last refresh */ static volatile off_t *counter; /* progress counter */ @@ -129,9 +130,9 @@ refresh_progress_meter(void) int i, len; int file_len; - transferred = *counter - cur_pos; + transferred = *counter - (cur_pos ? cur_pos : start_pos); cur_pos = *counter; - now = time(NULL); + now = monotime(); bytes_left = end_pos - cur_pos; if (bytes_left > 0) @@ -139,7 +140,7 @@ refresh_progress_meter(void) else { elapsed = now - start; /* Calculate true total speed when done */ - transferred = end_pos; + transferred = end_pos - start_pos; bytes_per_second = 0; } @@ -249,8 +250,9 @@ update_progress_meter(int ignore) void start_progress_meter(char *f, off_t filesize, off_t *ctr) { - start = last_update = time(NULL); + start = last_update = monotime(); file = f; + start_pos = *ctr; end_pos = filesize; cur_pos = 0; counter = ctr; diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c index 2543d68cd..5f799d2d1 100644 --- a/crypto/openssh/readconf.c +++ b/crypto/openssh/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.218 2014/02/23 20:11:36 djm Exp $ */ /* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -20,19 +20,29 @@ __RCSID("$FreeBSD$"); #include #include #include +#include #include #include #include +#include #include #include +#include #include +#ifdef HAVE_PATHS_H +# include +#endif +#include #include #include #include #include #include +#ifdef HAVE_UTIL_H +#include +#endif #include "xmalloc.h" #include "ssh.h" @@ -47,6 +57,7 @@ __RCSID("$FreeBSD$"); #include "buffer.h" #include "kex.h" #include "mac.h" +#include "uidswap.h" #include "version.h" /* Format of the configuration file: @@ -116,12 +127,13 @@ __RCSID("$FreeBSD$"); typedef enum { oBadOption, + oHost, oMatch, oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, oGatewayPorts, oExitOnForwardFailure, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, - oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, + oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, @@ -137,14 +149,16 @@ typedef enum { oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, - oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, oRequestTTY, + oVisualHostKey, oUseRoaming, + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, + oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, + oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, + oIgnoredUnknownOption, oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, #ifdef NONE_CIPHER_ENABLED oNoneEnabled, oNoneSwitch, #endif - oVersionAddendum, - oDeprecated, oUnsupported + oVersionAddendum, oDeprecated, oUnsupported } OpCodes; /* Textual representations of the tokens. */ @@ -200,6 +214,7 @@ static struct { { "localforward", oLocalForward }, { "user", oUser }, { "host", oHost }, + { "match", oMatch }, { "escapechar", oEscapeChar }, { "globalknownhostsfile", oGlobalKnownHostsFile }, { "globalknownhostsfile2", oDeprecated }, @@ -246,15 +261,16 @@ static struct { { "permitlocalcommand", oPermitLocalCommand }, { "visualhostkey", oVisualHostKey }, { "useroaming", oUseRoaming }, -#ifdef JPAKE - { "zeroknowledgepasswordauthentication", - oZeroKnowledgePasswordAuthentication }, -#else - { "zeroknowledgepasswordauthentication", oUnsupported }, -#endif { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, + { "proxyusefdpass", oProxyUseFdpass }, + { "canonicaldomains", oCanonicalDomains }, + { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal }, + { "canonicalizehostname", oCanonicalizeHostname }, + { "canonicalizemaxdots", oCanonicalizeMaxDots }, + { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, + { "ignoreunknown", oIgnoreUnknown }, { "hpndisabled", oHPNDisabled }, { "hpnbuffersize", oHPNBufferSize }, { "tcprcvbufpoll", oTcpRcvBufPoll }, @@ -334,22 +350,20 @@ clear_forwardings(Options *options) int i; for (i = 0; i < options->num_local_forwards; i++) { - if (options->local_forwards[i].listen_host != NULL) - xfree(options->local_forwards[i].listen_host); - xfree(options->local_forwards[i].connect_host); + free(options->local_forwards[i].listen_host); + free(options->local_forwards[i].connect_host); } if (options->num_local_forwards > 0) { - xfree(options->local_forwards); + free(options->local_forwards); options->local_forwards = NULL; } options->num_local_forwards = 0; for (i = 0; i < options->num_remote_forwards; i++) { - if (options->remote_forwards[i].listen_host != NULL) - xfree(options->remote_forwards[i].listen_host); - xfree(options->remote_forwards[i].connect_host); + free(options->remote_forwards[i].listen_host); + free(options->remote_forwards[i].connect_host); } if (options->num_remote_forwards > 0) { - xfree(options->remote_forwards); + free(options->remote_forwards); options->remote_forwards = NULL; } options->num_remote_forwards = 0; @@ -376,43 +390,358 @@ add_identity_file(Options *options, const char *dir, const char *filename, options->identity_files[options->num_identity_files++] = path; } +int +default_ssh_port(void) +{ + static int port; + struct servent *sp; + + if (port == 0) { + sp = getservbyname(SSH_SERVICE_NAME, "tcp"); + port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; + } + return port; +} + /* - * Returns the number of the token pointed to by cp or oBadOption. + * Execute a command in a shell. + * Return its exit status or -1 on abnormal exit. */ +static int +execute_in_shell(const char *cmd) +{ + char *shell, *command_string; + pid_t pid; + int devnull, status; + extern uid_t original_real_uid; + + if ((shell = getenv("SHELL")) == NULL) + shell = _PATH_BSHELL; + + /* + * Use "exec" to avoid "sh -c" processes on some platforms + * (e.g. Solaris) + */ + xasprintf(&command_string, "exec %s", cmd); + + /* Need this to redirect subprocess stdin/out */ + if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) + fatal("open(/dev/null): %s", strerror(errno)); + + debug("Executing command: '%.500s'", cmd); + + /* Fork and execute the command. */ + if ((pid = fork()) == 0) { + char *argv[4]; + + /* Child. Permanently give up superuser privileges. */ + permanently_drop_suid(original_real_uid); + + /* Redirect child stdin and stdout. Leave stderr */ + if (dup2(devnull, STDIN_FILENO) == -1) + fatal("dup2: %s", strerror(errno)); + if (dup2(devnull, STDOUT_FILENO) == -1) + fatal("dup2: %s", strerror(errno)); + if (devnull > STDERR_FILENO) + close(devnull); + closefrom(STDERR_FILENO + 1); + + argv[0] = shell; + argv[1] = "-c"; + argv[2] = command_string; + argv[3] = NULL; + + execv(argv[0], argv); + error("Unable to execute '%.100s': %s", cmd, strerror(errno)); + /* Die with signal to make this error apparent to parent. */ + signal(SIGTERM, SIG_DFL); + kill(getpid(), SIGTERM); + _exit(1); + } + /* Parent. */ + if (pid < 0) + fatal("%s: fork: %.100s", __func__, strerror(errno)); + + close(devnull); + free(command_string); + + while (waitpid(pid, &status, 0) == -1) { + if (errno != EINTR && errno != EAGAIN) + fatal("%s: waitpid: %s", __func__, strerror(errno)); + } + if (!WIFEXITED(status)) { + error("command '%.100s' exited abnormally", cmd); + return -1; + } + debug3("command returned status %d", WEXITSTATUS(status)); + return WEXITSTATUS(status); +} + +/* + * Parse and execute a Match directive. + */ +static int +match_cfg_line(Options *options, char **condition, struct passwd *pw, + const char *host_arg, const char *filename, int linenum) +{ + char *arg, *attrib, *cmd, *cp = *condition, *host; + const char *ruser; + int r, port, result = 1, attributes = 0; + size_t len; + char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; + + /* + * Configuration is likely to be incomplete at this point so we + * must be prepared to use default values. + */ + port = options->port <= 0 ? default_ssh_port() : options->port; + ruser = options->user == NULL ? pw->pw_name : options->user; + if (options->hostname != NULL) { + /* NB. Please keep in sync with ssh.c:main() */ + host = percent_expand(options->hostname, + "h", host_arg, (char *)NULL); + } else + host = xstrdup(host_arg); + + debug3("checking match for '%s' host %s", cp, host); + while ((attrib = strdelim(&cp)) && *attrib != '\0') { + attributes++; + if (strcasecmp(attrib, "all") == 0) { + if (attributes != 1 || + ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { + error("'all' cannot be combined with other " + "Match attributes"); + result = -1; + goto out; + } + *condition = cp; + result = 1; + goto out; + } + if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { + error("Missing Match criteria for %s", attrib); + result = -1; + goto out; + } + len = strlen(arg); + if (strcasecmp(attrib, "host") == 0) { + if (match_hostname(host, arg, len) != 1) + result = 0; + else + debug("%.200s line %d: matched 'Host %.100s' ", + filename, linenum, host); + } else if (strcasecmp(attrib, "originalhost") == 0) { + if (match_hostname(host_arg, arg, len) != 1) + result = 0; + else + debug("%.200s line %d: matched " + "'OriginalHost %.100s' ", + filename, linenum, host_arg); + } else if (strcasecmp(attrib, "user") == 0) { + if (match_pattern_list(ruser, arg, len, 0) != 1) + result = 0; + else + debug("%.200s line %d: matched 'User %.100s' ", + filename, linenum, ruser); + } else if (strcasecmp(attrib, "localuser") == 0) { + if (match_pattern_list(pw->pw_name, arg, len, 0) != 1) + result = 0; + else + debug("%.200s line %d: matched " + "'LocalUser %.100s' ", + filename, linenum, pw->pw_name); + } else if (strcasecmp(attrib, "exec") == 0) { + if (gethostname(thishost, sizeof(thishost)) == -1) + fatal("gethostname: %s", strerror(errno)); + strlcpy(shorthost, thishost, sizeof(shorthost)); + shorthost[strcspn(thishost, ".")] = '\0'; + snprintf(portstr, sizeof(portstr), "%d", port); + + cmd = percent_expand(arg, + "L", shorthost, + "d", pw->pw_dir, + "h", host, + "l", thishost, + "n", host_arg, + "p", portstr, + "r", ruser, + "u", pw->pw_name, + (char *)NULL); + if (result != 1) { + /* skip execution if prior predicate failed */ + debug("%.200s line %d: skipped exec \"%.100s\"", + filename, linenum, cmd); + } else { + r = execute_in_shell(cmd); + if (r == -1) { + fatal("%.200s line %d: match exec " + "'%.100s' error", filename, + linenum, cmd); + } else if (r == 0) { + debug("%.200s line %d: matched " + "'exec \"%.100s\"'", filename, + linenum, cmd); + } else { + debug("%.200s line %d: no match " + "'exec \"%.100s\"'", filename, + linenum, cmd); + result = 0; + } + } + free(cmd); + } else { + error("Unsupported Match attribute %s", attrib); + result = -1; + goto out; + } + } + if (attributes == 0) { + error("One or more attributes required for Match"); + result = -1; + goto out; + } + debug3("match %sfound", result ? "" : "not "); + *condition = cp; + out: + free(host); + return result; +} +/* Check and prepare a domain name: removes trailing '.' and lowercases */ +static void +valid_domain(char *name, const char *filename, int linenum) +{ + size_t i, l = strlen(name); + u_char c, last = '\0'; + + if (l == 0) + fatal("%s line %d: empty hostname suffix", filename, linenum); + if (!isalpha((u_char)name[0]) && !isdigit((u_char)name[0])) + fatal("%s line %d: hostname suffix \"%.100s\" " + "starts with invalid character", filename, linenum, name); + for (i = 0; i < l; i++) { + c = tolower((u_char)name[i]); + name[i] = (char)c; + if (last == '.' && c == '.') + fatal("%s line %d: hostname suffix \"%.100s\" contains " + "consecutive separators", filename, linenum, name); + if (c != '.' && c != '-' && !isalnum(c) && + c != '_') /* technically invalid, but common */ + fatal("%s line %d: hostname suffix \"%.100s\" contains " + "invalid characters", filename, linenum, name); + last = c; + } + if (name[l - 1] == '.') + name[l - 1] = '\0'; +} + +/* + * Returns the number of the token pointed to by cp or oBadOption. + */ static OpCodes -parse_token(const char *cp, const char *filename, int linenum) +parse_token(const char *cp, const char *filename, int linenum, + const char *ignored_unknown) { - u_int i; + int i; for (i = 0; keywords[i].name; i++) - if (strcasecmp(cp, keywords[i].name) == 0) + if (strcmp(cp, keywords[i].name) == 0) return keywords[i].opcode; - + if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown, + strlen(ignored_unknown), 1) == 1) + return oIgnoredUnknownOption; error("%s: line %d: Bad configuration option: %s", filename, linenum, cp); return oBadOption; } +/* Multistate option parsing */ +struct multistate { + char *key; + int value; +}; +static const struct multistate multistate_flag[] = { + { "true", 1 }, + { "false", 0 }, + { "yes", 1 }, + { "no", 0 }, + { NULL, -1 } +}; +static const struct multistate multistate_yesnoask[] = { + { "true", 1 }, + { "false", 0 }, + { "yes", 1 }, + { "no", 0 }, + { "ask", 2 }, + { NULL, -1 } +}; +static const struct multistate multistate_addressfamily[] = { + { "inet", AF_INET }, + { "inet6", AF_INET6 }, + { "any", AF_UNSPEC }, + { NULL, -1 } +}; +static const struct multistate multistate_controlmaster[] = { + { "true", SSHCTL_MASTER_YES }, + { "yes", SSHCTL_MASTER_YES }, + { "false", SSHCTL_MASTER_NO }, + { "no", SSHCTL_MASTER_NO }, + { "auto", SSHCTL_MASTER_AUTO }, + { "ask", SSHCTL_MASTER_ASK }, + { "autoask", SSHCTL_MASTER_AUTO_ASK }, + { NULL, -1 } +}; +static const struct multistate multistate_tunnel[] = { + { "ethernet", SSH_TUNMODE_ETHERNET }, + { "point-to-point", SSH_TUNMODE_POINTOPOINT }, + { "true", SSH_TUNMODE_DEFAULT }, + { "yes", SSH_TUNMODE_DEFAULT }, + { "false", SSH_TUNMODE_NO }, + { "no", SSH_TUNMODE_NO }, + { NULL, -1 } +}; +static const struct multistate multistate_requesttty[] = { + { "true", REQUEST_TTY_YES }, + { "yes", REQUEST_TTY_YES }, + { "false", REQUEST_TTY_NO }, + { "no", REQUEST_TTY_NO }, + { "force", REQUEST_TTY_FORCE }, + { "auto", REQUEST_TTY_AUTO }, + { NULL, -1 } +}; +static const struct multistate multistate_canonicalizehostname[] = { + { "true", SSH_CANONICALISE_YES }, + { "false", SSH_CANONICALISE_NO }, + { "yes", SSH_CANONICALISE_YES }, + { "no", SSH_CANONICALISE_NO }, + { "always", SSH_CANONICALISE_ALWAYS }, + { NULL, -1 } +}; + /* * Processes a single option line as used in the configuration files. This * only sets those values that have not already been set. */ #define WHITESPACE " \t\r\n" - int -process_config_line(Options *options, const char *host, - char *line, const char *filename, int linenum, - int *activep, int userconfig) +process_config_line(Options *options, struct passwd *pw, const char *host, + char *line, const char *filename, int linenum, int *activep, int userconfig) { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; char **cpptr, fwdarg[256]; - u_int *uintptr, max_entries = 0; - int negated, opcode, *intptr, value, value2, scale; + u_int i, *uintptr, max_entries = 0; + int negated, opcode, *intptr, value, value2, cmdline = 0; LogLevel *log_level_ptr; - long long orig, val64; + long long val64; size_t len; Forward fwd; + const struct multistate *multistate_ptr; + struct allowed_cname *cname; + + if (activep == NULL) { /* We are processing a command line directive */ + cmdline = 1; + activep = &cmdline; + } /* Strip trailing whitespace */ for (len = strlen(line) - 1; len > 0; len--) { @@ -430,14 +759,21 @@ process_config_line(Options *options, const char *host, keyword = strdelim(&s); if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') return 0; + /* Match lowercase keyword */ + lowercase(keyword); - opcode = parse_token(keyword, filename, linenum); + opcode = parse_token(keyword, filename, linenum, + options->ignored_unknown); switch (opcode) { case oBadOption: /* don't panic, but count bad options */ return -1; /* NOTREACHED */ + case oIgnoredUnknownOption: + debug("%s line %d: Ignored unknown option \"%s\"", + filename, linenum, keyword); + return 0; case oConnectTimeout: intptr = &options->connection_timeout; parse_time: @@ -454,17 +790,23 @@ parse_time: case oForwardAgent: intptr = &options->forward_agent; -parse_flag: + parse_flag: + multistate_ptr = multistate_flag; + parse_multistate: arg = strdelim(&s); if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing yes/no argument.", filename, linenum); - value = 0; /* To avoid compiler warning... */ - if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) - value = 1; - else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) - value = 0; - else - fatal("%.200s line %d: Bad yes/no argument.", filename, linenum); + fatal("%s line %d: missing argument.", + filename, linenum); + value = -1; + for (i = 0; multistate_ptr[i].key != NULL; i++) { + if (strcasecmp(arg, multistate_ptr[i].key) == 0) { + value = multistate_ptr[i].value; + break; + } + } + if (value == -1) + fatal("%s line %d: unsupported option \"%s\".", + filename, linenum, arg); if (*activep && *intptr == -1) *intptr = value; break; @@ -497,10 +839,6 @@ parse_flag: intptr = &options->password_authentication; goto parse_flag; - case oZeroKnowledgePasswordAuthentication: - intptr = &options->zero_knowledge_password_authentication; - goto parse_flag; - case oKbdInteractiveAuthentication: intptr = &options->kbd_interactive_authentication; goto parse_flag; @@ -547,27 +885,13 @@ parse_flag: case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; - goto parse_yesnoask; + multistate_ptr = multistate_yesnoask; + goto parse_multistate; case oStrictHostKeyChecking: intptr = &options->strict_host_key_checking; -parse_yesnoask: - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing yes/no/ask argument.", - filename, linenum); - value = 0; /* To avoid compiler warning... */ - if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) - value = 1; - else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) - value = 0; - else if (strcmp(arg, "ask") == 0) - value = 2; - else - fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_yesnoask; + goto parse_multistate; case oCompression: intptr = &options->compression; @@ -592,39 +916,32 @@ parse_yesnoask: case oRekeyLimit: arg = strdelim(&s); if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing argument.", filename, linenum); - if (arg[0] < '0' || arg[0] > '9') - fatal("%.200s line %d: Bad number.", filename, linenum); - orig = val64 = strtoll(arg, &endofnumber, 10); - if (arg == endofnumber) - fatal("%.200s line %d: Bad number.", filename, linenum); - switch (toupper(*endofnumber)) { - case '\0': - scale = 1; - break; - case 'K': - scale = 1<<10; - break; - case 'M': - scale = 1<<20; - break; - case 'G': - scale = 1<<30; - break; - default: - fatal("%.200s line %d: Invalid RekeyLimit suffix", - filename, linenum); + fatal("%.200s line %d: Missing argument.", filename, + linenum); + if (strcmp(arg, "default") == 0) { + val64 = 0; + } else { + if (scan_scaled(arg, &val64) == -1) + fatal("%.200s line %d: Bad number '%s': %s", + filename, linenum, arg, strerror(errno)); + /* check for too-large or too-small limits */ + if (val64 > UINT_MAX) + fatal("%.200s line %d: RekeyLimit too large", + filename, linenum); + if (val64 != 0 && val64 < 16) + fatal("%.200s line %d: RekeyLimit too small", + filename, linenum); } - val64 *= scale; - /* detect integer wrap and too-large limits */ - if ((val64 / scale) != orig || val64 > UINT_MAX) - fatal("%.200s line %d: RekeyLimit too large", - filename, linenum); - if (val64 < 16) - fatal("%.200s line %d: RekeyLimit too small", - filename, linenum); if (*activep && options->rekey_limit == -1) options->rekey_limit = (u_int32_t)val64; + if (s != NULL) { /* optional rekey interval present */ + if (strcmp(s, "none") == 0) { + (void)strdelim(&s); /* discard */ + break; + } + intptr = &options->rekey_interval; + goto parse_time; + } break; case oIdentityFile: @@ -851,6 +1168,9 @@ parse_int: goto parse_flag; case oHost: + if (cmdline) + fatal("Host directive not supported as a command-line " + "option"); *activep = 0; arg2 = NULL; while ((arg = strdelim(&s)) != NULL && *arg != '\0') { @@ -877,6 +1197,18 @@ parse_int: /* Avoid garbage check below, as strdelim is done. */ return 0; + case oMatch: + if (cmdline) + fatal("Host directive not supported as a command-line " + "option"); + value = match_cfg_line(options, &s, pw, host, + filename, linenum); + if (value < 0) + fatal("%.200s line %d: Bad Match condition", filename, + linenum); + *activep = value; + break; + case oEscapeChar: intptr = &options->escape_char; arg = strdelim(&s); @@ -900,22 +1232,9 @@ parse_int: break; case oAddressFamily: - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%s line %d: missing address family.", - filename, linenum); intptr = &options->address_family; - if (strcasecmp(arg, "inet") == 0) - value = AF_INET; - else if (strcasecmp(arg, "inet6") == 0) - value = AF_INET6; - else if (strcasecmp(arg, "any") == 0) - value = AF_UNSPEC; - else - fatal("Unsupported AddressFamily \"%s\"", arg); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_addressfamily; + goto parse_multistate; case oEnableSSHKeysign: intptr = &options->enable_ssh_keysign; @@ -954,27 +1273,8 @@ parse_int: case oControlMaster: intptr = &options->control_master; - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing ControlMaster argument.", - filename, linenum); - value = 0; /* To avoid compiler warning... */ - if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) - value = SSHCTL_MASTER_YES; - else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) - value = SSHCTL_MASTER_NO; - else if (strcmp(arg, "auto") == 0) - value = SSHCTL_MASTER_AUTO; - else if (strcmp(arg, "ask") == 0) - value = SSHCTL_MASTER_ASK; - else if (strcmp(arg, "autoask") == 0) - value = SSHCTL_MASTER_AUTO_ASK; - else - fatal("%.200s line %d: Bad ControlMaster argument.", - filename, linenum); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_controlmaster; + goto parse_multistate; case oControlPersist: /* no/false/yes/true, or a time spec */ @@ -1006,25 +1306,8 @@ parse_int: case oTunnel: intptr = &options->tun_open; - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%s line %d: Missing yes/point-to-point/" - "ethernet/no argument.", filename, linenum); - value = 0; /* silence compiler */ - if (strcasecmp(arg, "ethernet") == 0) - value = SSH_TUNMODE_ETHERNET; - else if (strcasecmp(arg, "point-to-point") == 0) - value = SSH_TUNMODE_POINTOPOINT; - else if (strcasecmp(arg, "yes") == 0) - value = SSH_TUNMODE_DEFAULT; - else if (strcasecmp(arg, "no") == 0) - value = SSH_TUNMODE_NO; - else - fatal("%s line %d: Bad yes/point-to-point/ethernet/" - "no argument: %s", filename, linenum, arg); - if (*activep) - *intptr = value; - break; + multistate_ptr = multistate_tunnel; + goto parse_multistate; case oTunnelDevice: arg = strdelim(&s); @@ -1073,24 +1356,9 @@ parse_int: goto parse_flag; case oRequestTTY: - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%s line %d: missing argument.", - filename, linenum); intptr = &options->request_tty; - if (strcasecmp(arg, "yes") == 0) - value = REQUEST_TTY_YES; - else if (strcasecmp(arg, "no") == 0) - value = REQUEST_TTY_NO; - else if (strcasecmp(arg, "force") == 0) - value = REQUEST_TTY_FORCE; - else if (strcasecmp(arg, "auto") == 0) - value = REQUEST_TTY_AUTO; - else - fatal("Unsupported RequestTTY \"%s\"", arg); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_requesttty; + goto parse_multistate; case oHPNDisabled: intptr = &options->hpn_disabled; @@ -1149,6 +1417,70 @@ parse_int: } return 0; + case oIgnoreUnknown: + charptr = &options->ignored_unknown; + goto parse_string; + + case oProxyUseFdpass: + intptr = &options->proxy_use_fdpass; + goto parse_flag; + + case oCanonicalDomains: + value = options->num_canonical_domains != 0; + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { + valid_domain(arg, filename, linenum); + if (!*activep || value) + continue; + if (options->num_canonical_domains >= MAX_CANON_DOMAINS) + fatal("%s line %d: too many hostname suffixes.", + filename, linenum); + options->canonical_domains[ + options->num_canonical_domains++] = xstrdup(arg); + } + break; + + case oCanonicalizePermittedCNAMEs: + value = options->num_permitted_cnames != 0; + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { + /* Either '*' for everything or 'list:list' */ + if (strcmp(arg, "*") == 0) + arg2 = arg; + else { + lowercase(arg); + if ((arg2 = strchr(arg, ':')) == NULL || + arg2[1] == '\0') { + fatal("%s line %d: " + "Invalid permitted CNAME \"%s\"", + filename, linenum, arg); + } + *arg2 = '\0'; + arg2++; + } + if (!*activep || value) + continue; + if (options->num_permitted_cnames >= MAX_CANON_DOMAINS) + fatal("%s line %d: too many permitted CNAMEs.", + filename, linenum); + cname = options->permitted_cnames + + options->num_permitted_cnames++; + cname->source_list = xstrdup(arg); + cname->target_list = xstrdup(arg2); + } + break; + + case oCanonicalizeHostname: + intptr = &options->canonicalize_hostname; + multistate_ptr = multistate_canonicalizehostname; + goto parse_multistate; + + case oCanonicalizeMaxDots: + intptr = &options->canonicalize_max_dots; + goto parse_int; + + case oCanonicalizeFallbackLocal: + intptr = &options->canonicalize_fallback_local; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -1179,8 +1511,8 @@ parse_int: */ int -read_config_file(const char *filename, const char *host, Options *options, - int flags) +read_config_file(const char *filename, struct passwd *pw, const char *host, + Options *options, int flags) { FILE *f; char line[1024]; @@ -1211,8 +1543,8 @@ read_config_file(const char *filename, const char *host, Options *options, while (fgets(line, sizeof(line), f)) { /* Update line number counter. */ linenum++; - if (process_config_line(options, host, line, filename, linenum, - &active, flags & SSHCONF_USERCONF) != 0) + if (process_config_line(options, pw, host, line, filename, + linenum, &active, flags & SSHCONF_USERCONF) != 0) bad_options++; } fclose(f); @@ -1222,6 +1554,13 @@ read_config_file(const char *filename, const char *host, Options *options, return 1; } +/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ +int +option_clear_or_none(const char *o) +{ + return o == NULL || strcasecmp(o, "none") == 0; +} + /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options @@ -1289,6 +1628,7 @@ initialize_options(Options * options) options->no_host_authentication_for_localhost = - 1; options->identities_only = - 1; options->rekey_limit = - 1; + options->rekey_interval = -1; options->verify_host_key_dns = -1; options->server_alive_interval = -1; options->server_alive_count_max = -1; @@ -1305,10 +1645,16 @@ initialize_options(Options * options) options->permit_local_command = -1; options->use_roaming = -1; options->visual_host_key = -1; - options->zero_knowledge_password_authentication = -1; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; + options->proxy_use_fdpass = -1; + options->ignored_unknown = NULL; + options->num_canonical_domains = 0; + options->num_permitted_cnames = 0; + options->canonicalize_max_dots = -1; + options->canonicalize_fallback_local = -1; + options->canonicalize_hostname = -1; options->version_addendum = NULL; options->hpn_disabled = -1; options->hpn_buffer_size = -1; @@ -1320,16 +1666,28 @@ initialize_options(Options * options) #endif } +/* + * A petite version of fill_default_options() that just fills the options + * needed for hostname canonicalization to proceed. + */ +void +fill_default_options_for_canonicalization(Options *options) +{ + if (options->canonicalize_max_dots == -1) + options->canonicalize_max_dots = 1; + if (options->canonicalize_fallback_local == -1) + options->canonicalize_fallback_local = 1; + if (options->canonicalize_hostname == -1) + options->canonicalize_hostname = SSH_CANONICALISE_NO; +} + /* * Called after processing other sources of option data, this fills those * options for which no value has been specified with their default values. */ - void fill_default_options(Options * options) { - int len; - if (options->forward_agent == -1) options->forward_agent = 0; if (options->forward_x11 == -1) @@ -1407,6 +1765,8 @@ fill_default_options(Options * options) add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0); #endif + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_ED25519, 0); } } if (options->escape_char == -1) @@ -1435,6 +1795,8 @@ fill_default_options(Options * options) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) options->rekey_limit = 0; + if (options->rekey_interval == -1) + options->rekey_interval = 0; if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; if (options->server_alive_interval == -1) @@ -1461,16 +1823,30 @@ fill_default_options(Options * options) options->use_roaming = 1; if (options->visual_host_key == -1) options->visual_host_key = 0; - if (options->zero_knowledge_password_authentication == -1) - options->zero_knowledge_password_authentication = 0; if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->request_tty == -1) options->request_tty = REQUEST_TTY_AUTO; - /* options->local_command should not be set by default */ - /* options->proxy_command should not be set by default */ + if (options->proxy_use_fdpass == -1) + options->proxy_use_fdpass = 0; + if (options->canonicalize_max_dots == -1) + options->canonicalize_max_dots = 1; + if (options->canonicalize_fallback_local == -1) + options->canonicalize_fallback_local = 1; + if (options->canonicalize_hostname == -1) + options->canonicalize_hostname = SSH_CANONICALISE_NO; +#define CLEAR_ON_NONE(v) \ + do { \ + if (option_clear_or_none(v)) { \ + free(v); \ + v = NULL; \ + } \ + } while(0) + CLEAR_ON_NONE(options->local_command); + CLEAR_ON_NONE(options->proxy_command); + CLEAR_ON_NONE(options->control_path); /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ /* options->host_key_alias should not be set by default */ @@ -1529,7 +1905,7 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) cp = p = xstrdup(fwdspec); /* skip leading spaces */ - while (isspace(*cp)) + while (isspace((u_char)*cp)) cp++; for (i = 0; i < 4; ++i) @@ -1570,7 +1946,7 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) i = 0; /* failure */ } - xfree(p); + free(p); if (dynamicfwd) { if (!(i == 1 || i == 2)) @@ -1596,13 +1972,9 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) return (i); fail_free: - if (fwd->connect_host != NULL) { - xfree(fwd->connect_host); - fwd->connect_host = NULL; - } - if (fwd->listen_host != NULL) { - xfree(fwd->listen_host); - fwd->listen_host = NULL; - } + free(fwd->connect_host); + fwd->connect_host = NULL; + free(fwd->listen_host); + fwd->listen_host = NULL; return (0); } diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h index 45bac5171..17a600374 100644 --- a/crypto/openssh/readconf.h +++ b/crypto/openssh/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.93 2013/02/22 04:45:09 dtucker Exp $ */ +/* $OpenBSD: readconf.h,v 1.101 2014/02/23 20:11:36 djm Exp $ */ /* $FreeBSD$ */ /* @@ -30,7 +30,13 @@ typedef struct { /* Data structure for representing option data. */ #define MAX_SEND_ENV 256 -#define SSH_MAX_HOSTS_FILES 256 +#define SSH_MAX_HOSTS_FILES 32 +#define MAX_CANON_DOMAINS 32 + +struct allowed_cname { + char *source_list; + char *target_list; +}; typedef struct { int forward_agent; /* Forward authentication agent. */ @@ -54,7 +60,6 @@ typedef struct { * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ - int zero_knowledge_password_authentication; /* Try jpake */ int batch_mode; /* Batch mode: do not ask for passwords. */ int check_host_ip; /* Also keep track of keys for IP address */ int strict_host_key_checking; /* Strict host key checking. */ @@ -111,6 +116,7 @@ typedef struct { int enable_ssh_keysign; int64_t rekey_limit; + int rekey_interval; int no_host_authentication_for_localhost; int identities_only; int server_alive_interval; @@ -137,6 +143,19 @@ typedef struct { int use_roaming; int request_tty; + + int proxy_use_fdpass; + + int num_canonical_domains; + char *canonical_domains[MAX_CANON_DOMAINS]; + int canonicalize_hostname; + int canonicalize_max_dots; + int canonicalize_fallback_local; + int num_permitted_cnames; + struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS]; + + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ + char *version_addendum; /* Appended to SSH banner */ int hpn_disabled; /* Switch to disable HPN buffer management. */ @@ -152,6 +171,10 @@ typedef struct { #endif } Options; +#define SSH_CANONICALISE_NO 0 +#define SSH_CANONICALISE_YES 1 +#define SSH_CANONICALISE_ALWAYS 2 + #define SSHCTL_MASTER_NO 0 #define SSHCTL_MASTER_YES 1 #define SSHCTL_MASTER_AUTO 2 @@ -168,12 +191,14 @@ typedef struct { void initialize_options(Options *); void fill_default_options(Options *); -int read_config_file(const char *, const char *, Options *, int); +void fill_default_options_for_canonicalization(Options *); +int process_config_line(Options *, struct passwd *, const char *, char *, + const char *, int, int *, int); +int read_config_file(const char *, struct passwd *, const char *, + Options *, int); int parse_forward(Forward *, const char *, int, int); - -int -process_config_line(Options *, const char *, char *, const char *, int, int *, - int); +int default_ssh_port(void); +int option_clear_or_none(const char *); void add_local_forward(Options *, const Forward *); void add_remote_forward(Options *, const Forward *); diff --git a/crypto/openssh/readpass.c b/crypto/openssh/readpass.c index 599c8ef9a..869d86425 100644 --- a/crypto/openssh/readpass.c +++ b/crypto/openssh/readpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readpass.c,v 1.48 2010/12/15 00:49:27 djm Exp $ */ +/* $OpenBSD: readpass.c,v 1.50 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -99,13 +99,13 @@ ssh_askpass(char *askpass, const char *msg) break; signal(SIGCHLD, osigchld); if (ret == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) { - memset(buf, 0, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); return NULL; } buf[strcspn(buf, "\r\n")] = '\0'; pass = xstrdup(buf); - memset(buf, 0, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); return pass; } @@ -162,7 +162,7 @@ read_passphrase(const char *prompt, int flags) } ret = xstrdup(buf); - memset(buf, 'x', sizeof buf); + explicit_bzero(buf, sizeof(buf)); return ret; } @@ -186,7 +186,7 @@ ask_permission(const char *fmt, ...) if (*p == '\0' || *p == '\n' || strcasecmp(p, "yes") == 0) allowed = 1; - xfree(p); + free(p); } return (allowed); diff --git a/crypto/openssh/regress/Makefile b/crypto/openssh/regress/Makefile new file mode 100644 index 000000000..6e3b8d634 --- /dev/null +++ b/crypto/openssh/regress/Makefile @@ -0,0 +1,182 @@ +# $OpenBSD: Makefile,v 1.68 2014/01/25 04:35:32 dtucker Exp $ + +REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec +tests: $(REGRESS_TARGETS) + +# Interop tests are not run by default +interop interop-tests: t-exec-interop + +clean: + for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done + test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN} + rm -rf $(OBJ).putty + +distclean: clean + +LTESTS= connect \ + proxy-connect \ + connect-privsep \ + proto-version \ + proto-mismatch \ + exit-status \ + envpass \ + transfer \ + banner \ + rekey \ + stderr-data \ + stderr-after-eof \ + broken-pipe \ + try-ciphers \ + yes-head \ + login-timeout \ + agent \ + agent-getpeereid \ + agent-timeout \ + agent-ptrace \ + keyscan \ + keygen-change \ + keygen-convert \ + key-options \ + scp \ + sftp \ + sftp-chroot \ + sftp-cmds \ + sftp-badcmds \ + sftp-batch \ + sftp-glob \ + sftp-perm \ + reconfigure \ + dynamic-forward \ + forwarding \ + multiplex \ + reexec \ + brokenkeys \ + cfgmatch \ + addrmatch \ + localcommand \ + forcecommand \ + portnum \ + keytype \ + kextype \ + cert-hostkey \ + cert-userkey \ + host-expand \ + keys-command \ + forward-control \ + integrity \ + krl +# dhgex \ + +INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers +#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp + +#LTESTS= cipher-speed + +USER!= id -un +CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ + t8.out t8.out.pub t9.out t9.out.pub t10.out t10.out.pub \ + authorized_keys_${USER} known_hosts pidfile testdata \ + ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \ + rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ + rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ + ls.copy banner.in banner.out empty.in \ + scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ + sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ + known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \ + putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ + key.rsa-* key.dsa-* key.ecdsa-* \ + authorized_principals_${USER} expect actual ready \ + sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ + ssh.log failed-ssh.log sshd.log failed-sshd.log \ + regress.log failed-regress.log ssh-log-wrapper.sh \ + sftp-server.sh sftp-server.log sftp.log setuid-allowed \ + data ed25519-agent ed25519-agent.pub key.ed25519-512 \ + key.ed25519-512.pub + +SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} + +# Enable all malloc(3) randomisations and checks +TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" + +TEST_SSH_SSHKEYGEN?=ssh-keygen + +CPPFLAGS=-I.. + +t1: + ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv + tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv + ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv + awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv + ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv + +t2: + cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out + chmod 600 $(OBJ)/t2.out + ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub + +t3: + ${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out + ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub + +t4: + ${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\ + awk '{print $$2}' | diff - ${.CURDIR}/t4.ok + +t5: + ${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\ + awk '{print $$2}' | diff - ${.CURDIR}/t5.ok + +t6: + ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 + ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 + chmod 600 $(OBJ)/t6.out1 + ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2 + +$(OBJ)/t7.out: + ${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@ + +t7: $(OBJ)/t7.out + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null + +$(OBJ)/t8.out: + ${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@ + +t8: $(OBJ)/t8.out + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null + +$(OBJ)/t9.out: + test "${TEST_SSH_ECC}" != yes || \ + ${TEST_SSH_SSHKEYGEN} -q -t ecdsa -N '' -f $@ + +t9: $(OBJ)/t9.out + test "${TEST_SSH_ECC}" != yes || \ + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t9.out > /dev/null + test "${TEST_SSH_ECC}" != yes || \ + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null + + +$(OBJ)/t10.out: + ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -f $@ + +t10: $(OBJ)/t10.out + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null + +t-exec: ${LTESTS:=.sh} + @if [ "x$?" = "x" ]; then exit 0; fi; \ + for TEST in ""$?; do \ + echo "run test $${TEST}" ... 1>&2; \ + (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + done + +t-exec-interop: ${INTEROP_TESTS:=.sh} + @if [ "x$?" = "x" ]; then exit 0; fi; \ + for TEST in ""$?; do \ + echo "run test $${TEST}" ... 1>&2; \ + (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + done + +# Not run by default +interop: ${INTEROP_TARGETS} diff --git a/crypto/openssh/regress/README.regress b/crypto/openssh/regress/README.regress new file mode 100644 index 000000000..82e4cc751 --- /dev/null +++ b/crypto/openssh/regress/README.regress @@ -0,0 +1,104 @@ +Overview. + +$ ./configure && make tests + +You'll see some progress info. A failure will cause either the make to +abort or the driver script to report a "FATAL" failure. + +The test consists of 2 parts. The first is the file-based tests which is +driven by the Makefile, and the second is a set of network or proxycommand +based tests, which are driven by a driver script (test-exec.sh) which is +called multiple times by the Makefile. + +Failures in the first part will cause the Makefile to return an error. +Failures in the second part will print a "FATAL" message for the failed +test and continue. + +OpenBSD has a system-wide regression test suite. OpenSSH Portable's test +suite is based on OpenBSD's with modifications. + + +Environment variables. + +SUDO: path to sudo command, if desired. Note that some systems (notably + systems using PAM) require sudo to execute some tests. +TEST_SSH_TRACE: set to "yes" for verbose output from tests +TEST_SSH_QUIET: set to "yes" to suppress non-fatal output. +TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD + SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER +OBJ: used by test scripts to access build dir. +TEST_SHELL: shell used for running the test scripts. +TEST_SSH_PORT: TCP port to be used for the listening tests. +TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config + before running each test. +TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config + before running each test. + + +Individual tests. + +You can run an individual test from the top-level Makefile, eg: +$ make tests LTESTS=agent-timeout + +If you need to manipulate the environment more you can invoke test-exec.sh +directly if you set up the path to find the binaries under test and the +test scripts themselves, for example: + +$ cd regress +$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \ + agent-timeout.sh +ok agent timeout test + + +Files. + +test-exec.sh: the main test driver. Sets environment, creates config files +and keys and runs the specified test. + +At the time of writing, the individual tests are: +agent-timeout.sh: agent timeout test +agent.sh: simple agent test +broken-pipe.sh: broken pipe test +connect-privsep.sh: proxy connect with privsep +connect.sh: simple connect +exit-status.sh: remote exit status +forwarding.sh: local and remote forwarding +keygen-change.sh: change passphrase for key +keyscan.sh: keyscan +proto-mismatch.sh: protocol version mismatch +proto-version.sh: sshd version with different protocol combinations +proxy-connect.sh: proxy connect +sftp.sh: basic sftp put/get +ssh-com-client.sh: connect with ssh.com client +ssh-com-keygen.sh: ssh.com key import +ssh-com-sftp.sh: basic sftp put/get with ssh.com server +ssh-com.sh: connect to ssh.com server +stderr-after-eof.sh: stderr data after eof +stderr-data.sh: stderr data transfer +transfer.sh: transfer data +try-ciphers.sh: try ciphers +yes-head.sh: yes pipe head + + +Problems? + +Run the failing test with shell tracing (-x) turned on: +$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh + +Failed tests can be difficult to diagnose. Suggestions: +- run the individual test via ./test-exec.sh `pwd` [testname] +- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of + auth.debug (eg to /var/log/authlog). + + +Known Issues. + +- Similarly, if you do not have "scp" in your system's $PATH then the + multiplex scp tests will fail (since the system's shell startup scripts + will determine where the shell started by sshd will look for scp). + +- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head + test to fail. The old behaviour can be restored by setting (and + exporting) _POSIX2_VERSION=199209 before running the tests. + +$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $ diff --git a/crypto/openssh/regress/addrmatch.sh b/crypto/openssh/regress/addrmatch.sh new file mode 100755 index 000000000..1584bd405 --- /dev/null +++ b/crypto/openssh/regress/addrmatch.sh @@ -0,0 +1,56 @@ +# $OpenBSD: addrmatch.sh,v 1.4 2012/05/13 01:42:32 dtucker Exp $ +# Placed in the Public Domain. + +tid="address match" + +mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + +run_trial() +{ + user="$1"; addr="$2"; host="$3"; laddr="$4"; lport="$5" + expected="$6"; descr="$7" + + verbose "test $descr for $user $addr $host" + result=`${SSHD} -f $OBJ/sshd_proxy -T \ + -C user=${user},addr=${addr},host=${host},laddr=${laddr},lport=${lport} | \ + awk '/^forcecommand/ {print $2}'` + if [ "$result" != "$expected" ]; then + fail "failed '$descr' expected $expected got $result" + fi +} + +cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy +cat >>$OBJ/sshd_proxy < /dev/null +r=$? +if [ $r -ne 0 ]; then + fail "could not start ssh-agent: exit code $r" +else + chmod 644 ${SSH_AUTH_SOCK} + + ssh-add -l > /dev/null 2>&1 + r=$? + if [ $r -ne 1 ]; then + fail "ssh-add failed with $r != 1" + fi + + < /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l 2>/dev/null + r=$? + if [ $r -lt 2 ]; then + fail "ssh-add did not fail for ${UNPRIV}: $r < 2" + fi + + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi + +rm -f ${OBJ}/agent diff --git a/crypto/openssh/regress/agent-pkcs11.sh b/crypto/openssh/regress/agent-pkcs11.sh new file mode 100755 index 000000000..db33ab37e --- /dev/null +++ b/crypto/openssh/regress/agent-pkcs11.sh @@ -0,0 +1,69 @@ +# $OpenBSD: agent-pkcs11.sh,v 1.1 2010/02/08 10:52:47 markus Exp $ +# Placed in the Public Domain. + +tid="pkcs11 agent test" + +TEST_SSH_PIN="" +TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0 + +# setup environment for soft-pkcs11 token +SOFTPKCS11RC=$OBJ/pkcs11.info +export SOFTPKCS11RC +# prevent ssh-agent from calling ssh-askpass +SSH_ASKPASS=/usr/bin/true +export SSH_ASKPASS +unset DISPLAY + +# start command w/o tty, so ssh-add accepts pin from stdin +notty() { + perl -e 'use POSIX; POSIX::setsid(); + if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@" +} + +trace "start agent" +eval `${SSHAGENT} -s` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fail "could not start ssh-agent: exit code $r" +else + trace "generating key/cert" + rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt + openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1 + chmod 600 $OBJ/pkcs11.key + openssl req -key $OBJ/pkcs11.key -new -x509 \ + -out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null + printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC + # add to authorized keys + ${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER + + trace "add pkcs11 key to agent" + echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -s failed: exit code $r" + fi + + trace "pkcs11 list via agent" + ${SSHADD} -l > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -l failed: exit code $r" + fi + + trace "pkcs11 connect via agent" + ${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5 + r=$? + if [ $r -ne 5 ]; then + fail "ssh connect failed (exit code $r)" + fi + + trace "remove pkcs11 keys" + echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -e failed: exit code $r" + fi + + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi diff --git a/crypto/openssh/regress/agent-ptrace.sh b/crypto/openssh/regress/agent-ptrace.sh new file mode 100644 index 000000000..1912ca8f9 --- /dev/null +++ b/crypto/openssh/regress/agent-ptrace.sh @@ -0,0 +1,61 @@ +# $OpenBSD: agent-ptrace.sh,v 1.2 2014/02/27 21:21:25 djm Exp $ +# Placed in the Public Domain. + +tid="disallow agent ptrace attach" + +if have_prog uname ; then + case `uname` in + AIX|CYGWIN*|OSF1) + echo "skipped (not supported on this platform)" + exit 0 + ;; + esac +fi + +if have_prog gdb ; then + : ok +else + echo "skipped (gdb not found)" + exit 0 +fi + +if $OBJ/setuid-allowed ${SSHAGENT} ; then + : ok +else + echo "skipped (${SSHAGENT} is mounted on a no-setuid filesystem)" + exit 0 +fi + +if test -z "$SUDO" ; then + echo "skipped (SUDO not set)" + exit 0 +else + $SUDO chown 0 ${SSHAGENT} + $SUDO chgrp 0 ${SSHAGENT} + $SUDO chmod 2755 ${SSHAGENT} +fi + +trace "start agent" +eval `${SSHAGENT} -s` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fail "could not start ssh-agent: exit code $r" +else + # ls -l ${SSH_AUTH_SOCK} + gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF + quit +EOF + r=$? + if [ $r -ne 0 ]; then + fail "gdb failed: exit code $r" + fi + egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null ${OBJ}/gdb.out + r=$? + rm -f ${OBJ}/gdb.out + if [ $r -ne 0 ]; then + fail "ptrace succeeded?: exit code $r" + fi + + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi diff --git a/crypto/openssh/regress/agent-timeout.sh b/crypto/openssh/regress/agent-timeout.sh new file mode 100644 index 000000000..68826594e --- /dev/null +++ b/crypto/openssh/regress/agent-timeout.sh @@ -0,0 +1,36 @@ +# $OpenBSD: agent-timeout.sh,v 1.2 2013/05/17 01:16:09 dtucker Exp $ +# Placed in the Public Domain. + +tid="agent timeout test" + +SSHAGENT_TIMEOUT=10 + +trace "start agent" +eval `${SSHAGENT} -s` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fail "could not start ssh-agent: exit code $r" +else + trace "add keys with timeout" + for t in rsa rsa1; do + ${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh-add did succeed exit code 0" + fi + done + n=`${SSHADD} -l 2> /dev/null | wc -l` + trace "agent has $n keys" + if [ $n -ne 2 ]; then + fail "ssh-add -l did not return 2 keys: $n" + fi + trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds" + sleep ${SSHAGENT_TIMEOUT} + sleep ${SSHAGENT_TIMEOUT} + ${SSHADD} -l 2> /dev/null | grep 'The agent has no identities.' >/dev/null + if [ $? -ne 0 ]; then + fail "ssh-add -l still returns keys after timeout" + fi + + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi diff --git a/crypto/openssh/regress/agent.sh b/crypto/openssh/regress/agent.sh new file mode 100644 index 000000000..caad3c88e --- /dev/null +++ b/crypto/openssh/regress/agent.sh @@ -0,0 +1,81 @@ +# $OpenBSD: agent.sh,v 1.10 2014/02/27 21:21:25 djm Exp $ +# Placed in the Public Domain. + +tid="simple agent test" + +SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 +if [ $? -ne 2 ]; then + fail "ssh-add -l did not fail with exit code 2" +fi + +trace "start agent" +eval `${SSHAGENT} -s` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fail "could not start ssh-agent: exit code $r" +else + ${SSHADD} -l > /dev/null 2>&1 + if [ $? -ne 1 ]; then + fail "ssh-add -l did not fail with exit code 1" + fi + trace "overwrite authorized keys" + printf '' > $OBJ/authorized_keys_$USER + for t in ed25519 rsa rsa1; do + # generate user key for agent + rm -f $OBJ/$t-agent + ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ + fail "ssh-keygen for $t-agent failed" + # add to authorized keys + cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER + # add privat key to agent + ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh-add did succeed exit code 0" + fi + done + ${SSHADD} -l > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -l failed: exit code $r" + fi + # the same for full pubkey output + ${SSHADD} -L > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -L failed: exit code $r" + fi + + trace "simple connect via agent" + for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p + r=$? + if [ $r -ne 5$p ]; then + fail "ssh connect with protocol $p failed (exit code $r)" + fi + done + + trace "agent forwarding" + for p in 1 2; do + ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -l via agent fwd proto $p failed (exit code $r)" + fi + ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \ + "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" + r=$? + if [ $r -ne 5$p ]; then + fail "agent fwd proto $p failed (exit code $r)" + fi + done + + trace "delete all agent keys" + ${SSHADD} -D > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -D failed: exit code $r" + fi + + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi diff --git a/crypto/openssh/regress/banner.sh b/crypto/openssh/regress/banner.sh new file mode 100644 index 000000000..0b9c95007 --- /dev/null +++ b/crypto/openssh/regress/banner.sh @@ -0,0 +1,44 @@ +# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $ +# Placed in the Public Domain. + +tid="banner" +echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy + +rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in +touch $OBJ/empty.in + +trace "test missing banner file" +verbose "test $tid: missing banner file" +( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/empty.in $OBJ/banner.out ) || \ + fail "missing banner file" + +for s in 0 10 100 1000 10000 100000 ; do + if [ "$s" = "0" ]; then + # create empty banner + touch $OBJ/banner.in + elif [ "$s" = "10" ]; then + # create 10-byte banner file + echo "abcdefghi" >$OBJ/banner.in + else + # increase size 10x + cp $OBJ/banner.in $OBJ/banner.out + for i in 0 1 2 3 4 5 6 7 8 ; do + cat $OBJ/banner.out >> $OBJ/banner.in + done + fi + + trace "test banner size $s" + verbose "test $tid: size $s" + ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/banner.in $OBJ/banner.out ) || \ + fail "banner size $s mismatch" +done + +trace "test suppress banner (-q)" +verbose "test $tid: suppress banner (-q)" +( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/empty.in $OBJ/banner.out ) || \ + fail "suppress banner (-q)" + +rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in diff --git a/crypto/openssh/regress/broken-pipe.sh b/crypto/openssh/regress/broken-pipe.sh new file mode 100644 index 000000000..c08c849a7 --- /dev/null +++ b/crypto/openssh/regress/broken-pipe.sh @@ -0,0 +1,15 @@ +# $OpenBSD: broken-pipe.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="broken pipe test" + +for p in 1 2; do + trace "protocol $p" + for i in 1 2 3 4; do + ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true + r=$? + if [ $r -ne 0 ]; then + fail "broken pipe returns $r for protocol $p" + fi + done +done diff --git a/crypto/openssh/regress/brokenkeys.sh b/crypto/openssh/regress/brokenkeys.sh new file mode 100644 index 000000000..3e70c348a --- /dev/null +++ b/crypto/openssh/regress/brokenkeys.sh @@ -0,0 +1,23 @@ +# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $ +# Placed in the Public Domain. + +tid="broken keys" + +KEYS="$OBJ/authorized_keys_${USER}" + +start_sshd + +mv ${KEYS} ${KEYS}.bak + +# Truncated key +echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS +cat ${KEYS}.bak >> ${KEYS} +cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER + +${SSH} -2 -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect with protocol $p failed" +fi + +mv ${KEYS}.bak ${KEYS} + diff --git a/crypto/openssh/regress/cert-hostkey.sh b/crypto/openssh/regress/cert-hostkey.sh new file mode 100755 index 000000000..1d9e0ed8e --- /dev/null +++ b/crypto/openssh/regress/cert-hostkey.sh @@ -0,0 +1,244 @@ +# $OpenBSD: cert-hostkey.sh,v 1.9 2014/01/26 10:22:10 djm Exp $ +# Placed in the Public Domain. + +tid="certified host keys" + +rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + +HOSTS='localhost-with-alias,127.0.0.1,::1' + +# Create a CA key and add it to known hosts +${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ + fail "ssh-keygen of host_ca_key failed" +( + printf '@cert-authority ' + printf "$HOSTS " + cat $OBJ/host_ca_key.pub +) > $OBJ/known_hosts-cert + +PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` + +type_has_legacy() { + case $1 in + ed25519*|ecdsa*) return 1 ;; + esac + return 0 +} + +# Generate and sign host keys +for ktype in $PLAIN_TYPES ; do + verbose "$tid: sign host ${ktype} cert" + # Generate and sign a host key + ${SSHKEYGEN} -q -N '' -t ${ktype} \ + -f $OBJ/cert_host_key_${ktype} || \ + fail "ssh-keygen of cert_host_key_${ktype} failed" + ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \ + -I "regress host key for $USER" \ + -n $HOSTS $OBJ/cert_host_key_${ktype} || + fail "couldn't sign cert_host_key_${ktype}" + type_has_legacy $ktype || continue + cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 + cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub + verbose "$tid: sign host ${ktype}_v00 cert" + ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ + -I "regress host key for $USER" \ + -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || + fail "couldn't sign cert_host_key_${ktype}_v00" +done + +# Basic connect tests +for privsep in yes no ; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do + verbose "$tid: host ${ktype} cert connect privsep $privsep" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${ktype} + echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub + echo UsePrivilegeSeparation $privsep + ) > $OBJ/sshd_proxy + + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done +done + +# Revoked certificates with key present +( + printf '@cert-authority ' + printf "$HOSTS " + cat $OBJ/host_ca_key.pub + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do + test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" + printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" + done +) > $OBJ/known_hosts-cert +for privsep in yes no ; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do + verbose "$tid: host ${ktype} revoked cert privsep $privsep" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${ktype} + echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub + echo UsePrivilegeSeparation $privsep + ) > $OBJ/sshd_proxy + + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + done +done + +# Revoked CA +( + printf '@cert-authority ' + printf "$HOSTS " + cat $OBJ/host_ca_key.pub + printf '@revoked ' + printf "* " + cat $OBJ/host_ca_key.pub +) > $OBJ/known_hosts-cert +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do + verbose "$tid: host ${ktype} revoked cert" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${ktype} + echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub + ) > $OBJ/sshd_proxy + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi +done + +# Create a CA key and add it to known hosts +( + printf '@cert-authority ' + printf "$HOSTS " + cat $OBJ/host_ca_key.pub +) > $OBJ/known_hosts-cert + +test_one() { + ident=$1 + result=$2 + sign_opts=$3 + + for kt in rsa rsa_v00 ; do + case $kt in + *_v00) args="-t v00" ;; + *) args="" ;; + esac + + verbose "$tid: host cert connect $ident $kt expect $result" + ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ + -I "regress host key for $USER" \ + $sign_opts $args \ + $OBJ/cert_host_key_${kt} || + fail "couldn't sign cert_host_key_${kt}" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${kt} + echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub + ) > $OBJ/sshd_proxy + + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + rc=$? + if [ "x$result" = "xsuccess" ] ; then + if [ $rc -ne 0 ]; then + fail "ssh cert connect $ident failed unexpectedly" + fi + else + if [ $rc -eq 0 ]; then + fail "ssh cert connect $ident succeeded unexpectedly" + fi + fi + done +} + +test_one "user-certificate" failure "-n $HOSTS" +test_one "empty principals" success "-h" +test_one "wrong principals" failure "-h -n foo" +test_one "cert not yet valid" failure "-h -V20200101:20300101" +test_one "cert expired" failure "-h -V19800101:19900101" +test_one "cert valid interval" success "-h -V-1w:+2w" +test_one "cert has constraints" failure "-h -Oforce-command=false" + +# Check downgrade of cert to raw key when no CA found +for v in v01 v00 ; do + for ktype in $PLAIN_TYPES ; do + type_has_legacy $ktype || continue + rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* + verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" + # Generate and sign a host key + ${SSHKEYGEN} -q -N '' -t ${ktype} \ + -f $OBJ/cert_host_key_${ktype} || \ + fail "ssh-keygen of cert_host_key_${ktype} failed" + ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ + -I "regress host key for $USER" \ + -n $HOSTS $OBJ/cert_host_key_${ktype} || + fail "couldn't sign cert_host_key_${ktype}" + ( + printf "$HOSTS " + cat $OBJ/cert_host_key_${ktype}.pub + ) > $OBJ/known_hosts-cert + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${ktype} + echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub + ) > $OBJ/sshd_proxy + + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done +done + +# Wrong certificate +( + printf '@cert-authority ' + printf "$HOSTS " + cat $OBJ/host_ca_key.pub +) > $OBJ/known_hosts-cert +for v in v01 v00 ; do + for kt in $PLAIN_TYPES ; do + type_has_legacy $kt || continue + rm -f $OBJ/cert_host_key* + # Self-sign key + ${SSHKEYGEN} -q -N '' -t ${kt} \ + -f $OBJ/cert_host_key_${kt} || \ + fail "ssh-keygen of cert_host_key_${kt} failed" + ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ + -I "regress host key for $USER" \ + -n $HOSTS $OBJ/cert_host_key_${kt} || + fail "couldn't sign cert_host_key_${kt}" + verbose "$tid: host ${kt} connect wrong cert" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${kt} + echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub + ) > $OBJ/sshd_proxy + + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect $ident succeeded unexpectedly" + fi + done +done + +rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* diff --git a/crypto/openssh/regress/cert-userkey.sh b/crypto/openssh/regress/cert-userkey.sh new file mode 100755 index 000000000..b093a9196 --- /dev/null +++ b/crypto/openssh/regress/cert-userkey.sh @@ -0,0 +1,358 @@ +# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ +# Placed in the Public Domain. + +tid="certified user keys" + +rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + +PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` + +type_has_legacy() { + case $1 in + ed25519*|ecdsa*) return 1 ;; + esac + return 0 +} + +# Create a CA key +${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ + fail "ssh-keygen of user_ca_key failed" + +# Generate and sign user keys +for ktype in $PLAIN_TYPES ; do + verbose "$tid: sign user ${ktype} cert" + ${SSHKEYGEN} -q -N '' -t ${ktype} \ + -f $OBJ/cert_user_key_${ktype} || \ + fail "ssh-keygen of cert_user_key_${ktype} failed" + ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ + -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || + fail "couldn't sign cert_user_key_${ktype}" + type_has_legacy $ktype || continue + cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 + cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub + verbose "$tid: sign host ${ktype}_v00 cert" + ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ + "regress user key for $USER" \ + -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || + fatal "couldn't sign cert_user_key_${ktype}_v00" +done + +# Test explicitly-specified principals +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do + for privsep in yes no ; do + _prefix="${ktype} privsep $privsep" + + # Setup for AuthorizedPrincipalsFile + rm -f $OBJ/authorized_keys_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "AuthorizedPrincipalsFile " \ + "$OBJ/authorized_principals_%u" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + ) > $OBJ/sshd_proxy + + # Missing authorized_principals + verbose "$tid: ${_prefix} missing authorized_principals" + rm -f $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Empty authorized_principals + verbose "$tid: ${_prefix} empty authorized_principals" + echo > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Wrong authorized_principals + verbose "$tid: ${_prefix} wrong authorized_principals" + echo gregorsamsa > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct authorized_principals + verbose "$tid: ${_prefix} correct authorized_principals" + echo mekmitasdigoat > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # authorized_principals with bad key option + verbose "$tid: ${_prefix} authorized_principals bad key opt" + echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # authorized_principals with command=false + verbose "$tid: ${_prefix} authorized_principals command=false" + echo 'command="false" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + + # authorized_principals with command=true + verbose "$tid: ${_prefix} authorized_principals command=true" + echo 'command="true" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Setup for principals= key option + rm -f $OBJ/authorized_principals_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + ) > $OBJ/sshd_proxy + + # Wrong principals list + verbose "$tid: ${_prefix} wrong principals key option" + ( + printf 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct principals list + verbose "$tid: ${_prefix} correct principals key option" + ( + printf 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done +done + +basic_tests() { + auth=$1 + if test "x$auth" = "xauthorized_keys" ; then + # Add CA to authorized_keys + ( + printf 'cert-authority ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + else + echo > $OBJ/authorized_keys_$USER + extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" + fi + + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do + for privsep in yes no ; do + _prefix="${ktype} privsep $privsep $auth" + # Simple connect + verbose "$tid: ${_prefix} connect" + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "$extra_sshd" + ) > $OBJ/sshd_proxy + + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Revoked keys + verbose "$tid: ${_prefix} revoked key" + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "RevokedKeys $OBJ/cert_user_key_revoked" + echo "$extra_sshd" + ) > $OBJ/sshd_proxy + cp $OBJ/cert_user_key_${ktype}.pub \ + $OBJ/cert_user_key_revoked + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpecedly" + fi + verbose "$tid: ${_prefix} revoked via KRL" + rm $OBJ/cert_user_key_revoked + ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ + $OBJ/cert_user_key_${ktype}.pub + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpecedly" + fi + verbose "$tid: ${_prefix} empty KRL" + ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done + + # Revoked CA + verbose "$tid: ${ktype} $auth revoked CA key" + ( + cat $OBJ/sshd_proxy_bak + echo "RevokedKeys $OBJ/user_ca_key.pub" + echo "$extra_sshd" + ) > $OBJ/sshd_proxy + ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ + somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpecedly" + fi + done + + verbose "$tid: $auth CA does not authenticate" + ( + cat $OBJ/sshd_proxy_bak + echo "$extra_sshd" + ) > $OBJ/sshd_proxy + verbose "$tid: ensure CA key does not authenticate user" + ${SSH} -2i $OBJ/user_ca_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect with CA key succeeded unexpectedly" + fi +} + +basic_tests authorized_keys +basic_tests TrustedUserCAKeys + +test_one() { + ident=$1 + result=$2 + sign_opts=$3 + auth_choice=$4 + auth_opt=$5 + + if test "x$auth_choice" = "x" ; then + auth_choice="authorized_keys TrustedUserCAKeys" + fi + + for auth in $auth_choice ; do + for ktype in rsa rsa_v00 ; do + case $ktype in + *_v00) keyv="-t v00" ;; + *) keyv="" ;; + esac + + cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy + if test "x$auth" = "xauthorized_keys" ; then + # Add CA to authorized_keys + ( + printf "cert-authority${auth_opt} " + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + else + echo > $OBJ/authorized_keys_$USER + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ + >> $OBJ/sshd_proxy + if test "x$auth_opt" != "x" ; then + echo $auth_opt >> $OBJ/sshd_proxy + fi + fi + + verbose "$tid: $ident auth $auth expect $result $ktype" + ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ + -I "regress user key for $USER" \ + $sign_opts $keyv \ + $OBJ/cert_user_key_${ktype} || + fail "couldn't sign cert_user_key_${ktype}" + + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + rc=$? + if [ "x$result" = "xsuccess" ] ; then + if [ $rc -ne 0 ]; then + fail "$ident failed unexpectedly" + fi + else + if [ $rc -eq 0 ]; then + fail "$ident succeeded unexpectedly" + fi + fi + done + done +} + +test_one "correct principal" success "-n ${USER}" +test_one "host-certificate" failure "-n ${USER} -h" +test_one "wrong principals" failure "-n foo" +test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101" +test_one "cert expired" failure "-n ${USER} -V19800101:19900101" +test_one "cert valid interval" success "-n ${USER} -V-1w:+2w" +test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8" +test_one "force-command" failure "-n ${USER} -Oforce-command=false" + +# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals +test_one "empty principals" success "" authorized_keys +test_one "empty principals" failure "" TrustedUserCAKeys + +# Check explicitly-specified principals: an empty principals list in the cert +# should always be refused. + +# AuthorizedPrincipalsFile +rm -f $OBJ/authorized_keys_$USER +echo mekmitasdigoat > $OBJ/authorized_principals_$USER +test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \ + TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" +test_one "AuthorizedPrincipalsFile no principals" failure "" \ + TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" + +# principals= key option +rm -f $OBJ/authorized_principals_$USER +test_one "principals key option principals" success "-n mekmitasdigoat" \ + authorized_keys ',principals="mekmitasdigoat"' +test_one "principals key option no principals" failure "" \ + authorized_keys ',principals="mekmitasdigoat"' + +# Wrong certificate +cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do + case $ktype in + *_v00) args="-t v00" ;; + *) args="" ;; + esac + # Self-sign + ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ + "regress user key for $USER" \ + -n $USER $OBJ/cert_user_key_${ktype} || + fail "couldn't sign cert_user_key_${ktype}" + verbose "$tid: user ${ktype} connect wrong cert" + ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ + somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect $ident succeeded unexpectedly" + fi +done + +rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* +rm -f $OBJ/authorized_principals_$USER + diff --git a/crypto/openssh/regress/cfgmatch.sh b/crypto/openssh/regress/cfgmatch.sh new file mode 100644 index 000000000..80cf22930 --- /dev/null +++ b/crypto/openssh/regress/cfgmatch.sh @@ -0,0 +1,126 @@ +# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ +# Placed in the Public Domain. + +tid="sshd_config match" + +pidfile=$OBJ/remote_pid +fwdport=3301 +fwd="-L $fwdport:127.0.0.1:$PORT" + +echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config +echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy + +start_client() +{ + rm -f $pidfile + ${SSH} -q -$p $fwd "$@" somehost \ + exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ + >>$TEST_REGRESS_LOGFILE 2>&1 & + client_pid=$! + # Wait for remote end + n=0 + while test ! -f $pidfile ; do + sleep 1 + n=`expr $n + 1` + if test $n -gt 60; then + kill $client_pid + fatal "timeout waiting for background ssh" + fi + done +} + +stop_client() +{ + pid=`cat $pidfile` + if [ ! -z "$pid" ]; then + kill $pid + fi + wait +} + +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak +echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config +echo "Match Address 127.0.0.1" >>$OBJ/sshd_config +echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config + +grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy +echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy +echo "Match user $USER" >>$OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy +echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy +echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy + +start_sshd + +#set -x + +# Test Match + PermitOpen in sshd_config. This should be permitted +for p in 1 2; do + trace "match permitopen localhost proto $p" + start_client -F $OBJ/ssh_config + ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ + fail "match permitopen permit proto $p" + stop_client +done + +# Same but from different source. This should not be permitted +for p in 1 2; do + trace "match permitopen proxy proto $p" + start_client -F $OBJ/ssh_proxy + ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ + fail "match permitopen deny proto $p" + stop_client +done + +# Retry previous with key option, should also be denied. +printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER +cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER +printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER +cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER +for p in 1 2; do + trace "match permitopen proxy w/key opts proto $p" + start_client -F $OBJ/ssh_proxy + ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ + fail "match permitopen deny w/key opt proto $p" + stop_client +done + +# Test both sshd_config and key options permitting the same dst/port pair. +# Should be permitted. +for p in 1 2; do + trace "match permitopen localhost proto $p" + start_client -F $OBJ/ssh_config + ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ + fail "match permitopen permit proto $p" + stop_client +done + +cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy +echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy +echo "Match User $USER" >>$OBJ/sshd_proxy +echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy + +# Test that a Match overrides a PermitOpen in the global section +for p in 1 2; do + trace "match permitopen proxy w/key opts proto $p" + start_client -F $OBJ/ssh_proxy + ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ + fail "match override permitopen proto $p" + stop_client +done + +cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy +echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy +echo "Match User NoSuchUser" >>$OBJ/sshd_proxy +echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy + +# Test that a rule that doesn't match doesn't override, plus test a +# PermitOpen entry that's not at the start of the list +for p in 1 2; do + trace "nomatch permitopen proxy w/key opts proto $p" + start_client -F $OBJ/ssh_proxy + ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ + fail "nomatch override permitopen proto $p" + stop_client +done diff --git a/crypto/openssh/regress/cipher-speed.sh b/crypto/openssh/regress/cipher-speed.sh new file mode 100644 index 000000000..a6d53a78d --- /dev/null +++ b/crypto/openssh/regress/cipher-speed.sh @@ -0,0 +1,47 @@ +# $OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $ +# Placed in the Public Domain. + +tid="cipher speed" + +getbytes () +{ + sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \ + -e '/copied/s/.*s, \(.* MB.s\).*/\1/p' +} + +tries="1 2" + +for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do + trace "proto 2 cipher $c mac $m" + for x in $tries; do + printf "%-60s" "$c/$m:" + ( ${SSH} -o 'compression no' \ + -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ + exec sh -c \'"dd of=/dev/null obs=32k"\' \ + < ${DATA} ) 2>&1 | getbytes + + if [ $? -ne 0 ]; then + fail "ssh -2 failed with mac $m cipher $c" + fi + done + # No point trying all MACs for AEAD ciphers since they are ignored. + if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then + break + fi + n=`expr $n + 1` +done; done + +ciphers="3des blowfish" +for c in $ciphers; do + trace "proto 1 cipher $c" + for x in $tries; do + printf "%-60s" "$c:" + ( ${SSH} -o 'compression no' \ + -F $OBJ/ssh_proxy -1 -c $c somehost \ + exec sh -c \'"dd of=/dev/null obs=32k"\' \ + < ${DATA} ) 2>&1 | getbytes + if [ $? -ne 0 ]; then + fail "ssh -1 failed with cipher $c" + fi + done +done diff --git a/crypto/openssh/regress/conch-ciphers.sh b/crypto/openssh/regress/conch-ciphers.sh new file mode 100755 index 000000000..199d863a0 --- /dev/null +++ b/crypto/openssh/regress/conch-ciphers.sh @@ -0,0 +1,28 @@ +# $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="conch ciphers" + +if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then + echo "conch interop tests not enabled" + exit 0 +fi + +start_sshd + +for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \ + cast128-cbc blowfish 3des-cbc ; do + verbose "$tid: cipher $c" + rm -f ${COPY} + # XXX the 2nd "cat" seems to be needed because of buggy FD handling + # in conch + ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \ + --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \ + 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" +done +rm -f ${COPY} + diff --git a/crypto/openssh/regress/connect-privsep.sh b/crypto/openssh/regress/connect-privsep.sh new file mode 100644 index 000000000..94cc64acf --- /dev/null +++ b/crypto/openssh/regress/connect-privsep.sh @@ -0,0 +1,36 @@ +# $OpenBSD: connect-privsep.sh,v 1.4 2012/07/02 14:37:06 dtucker Exp $ +# Placed in the Public Domain. + +tid="proxy connect with privsep" + +cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig +echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy + +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + if [ $? -ne 0 ]; then + fail "ssh privsep+proxyconnect protocol $p failed" + fi +done + +cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy +echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy + +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + if [ $? -ne 0 ]; then + # XXX replace this with fail once sandbox has stabilised + warn "ssh privsep/sandbox+proxyconnect protocol $p failed" + fi +done + +# Because sandbox is sensitive to changes in libc, especially malloc, retest +# with every malloc.conf option (and none). +for m in '' A F G H J P R S X Z '<' '>'; do + for p in 1 2; do + env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + if [ $? -ne 0 ]; then + fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed" + fi + done +done diff --git a/crypto/openssh/regress/connect.sh b/crypto/openssh/regress/connect.sh new file mode 100644 index 000000000..2186fa6e7 --- /dev/null +++ b/crypto/openssh/regress/connect.sh @@ -0,0 +1,13 @@ +# $OpenBSD: connect.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="simple connect" + +start_sshd + +for p in 1 2; do + ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true + if [ $? -ne 0 ]; then + fail "ssh connect with protocol $p failed" + fi +done diff --git a/crypto/openssh/regress/dhgex.sh b/crypto/openssh/regress/dhgex.sh new file mode 100755 index 000000000..4c1a3d83c --- /dev/null +++ b/crypto/openssh/regress/dhgex.sh @@ -0,0 +1,54 @@ +# $OpenBSD: dhgex.sh,v 1.1 2014/01/25 04:35:32 dtucker Exp $ +# Placed in the Public Domain. + +tid="dhgex" + +LOG=${TEST_SSH_LOGFILE} +rm -f ${LOG} + +kexs=`${SSH} -Q kex | grep diffie-hellman-group-exchange` + +ssh_test_dhgex() +{ + bits="$1"; shift + cipher="$1"; shift + kex="$1"; shift + + rm -f ${LOG} + opts="-oKexAlgorithms=$kex -oCiphers=$cipher" + groupsz="1024<$bits<8192" + verbose "$tid bits $bits $kex $cipher" + ${SSH} ${opts} $@ -vvv -F ${OBJ}/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "ssh failed ($@)" + fi + # check what we request + grep "SSH2_MSG_KEX_DH_GEX_REQUEST($groupsz) sent" ${LOG} >/dev/null + if [ $? != 0 ]; then + got=`egrep "SSH2_MSG_KEX_DH_GEX_REQUEST(.*) sent" ${LOG}` + fail "$tid unexpected GEX sizes, expected $groupsz, got $got" + fi + # check what we got (depends on contents of system moduli file) + gotbits="`awk '/bits set:/{print $4}' ${LOG} | head -1 | cut -f2 -d/`" + if [ "$gotbits" -lt "$bits" ]; then + fatal "$tid expected $bits bit group, got $gotbits" + fi +} + +check() +{ + bits="$1"; shift + + for c in $@; do + for k in $kexs; do + ssh_test_dhgex $bits $c $k + done + done +} + +#check 2048 3des-cbc +check 3072 `${SSH} -Q cipher | grep 128` +check 3072 arcfour blowfish-cbc +check 7680 `${SSH} -Q cipher | grep 192` +check 8192 `${SSH} -Q cipher | grep 256` +check 8192 rijndael-cbc@lysator.liu.se chacha20-poly1305@openssh.com diff --git a/crypto/openssh/regress/dsa_ssh2.prv b/crypto/openssh/regress/dsa_ssh2.prv new file mode 100644 index 000000000..c93b40371 --- /dev/null +++ b/crypto/openssh/regress/dsa_ssh2.prv @@ -0,0 +1,14 @@ +---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ---- +Subject: ssh-keygen test +Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100" +P2/56wAAAgIAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN0LXNoYTF9LGRoe3BsYWlufX0AAA +AEbm9uZQAAAcQAAAHAAAAAAAAABACwUfm3AxZTut3icBmwCcD48nY64HzuELlQ+vEqjIcR +Lo49es/DQTeLNQ+kdKRCfouosGNv0WqxRtF0tUsWdXxS37oHGa4QPugBdHRd7YlZGZv8kg +x7FsoepY7v7E683/97dv2zxL3AGagTEzWr7fl0yPexAaZoDvtQrrjX44BLmwAABACWQkvv +MxnD8eFkS1konFfMJ1CkuRfTN34CBZ6dY7VTSGemy4QwtFdMKmoufD0eKgy3p5WOeWCYKt +F4FhjHKZk/aaxFjjIbtkrnlvXg64QI11dSZyBN6/ViQkHPSkUDF+A6AAEhrNbQbAFSvao1 +kTvNtPCtL0AkUIduEMzGQfLCTAAAAKDeC043YVo9Zo0zAEeIA4uZh4LBCQAAA/9aj7Y5ik +ehygJ4qTDSlVypsPuV+n59tMS0e2pfrSG87yf5r94AKBmJeho5OO6wYaXCxsVB7AFbSUD6 +75AK8mHF4v1/+7SWKk5f8xlMCMSPZ9K0+j/W1d/q2qkhnnDZolOHDomLA+U00i5ya/jnTV +zyDPWLFpWK8u3xGBPAYX324gAAAKDHFvooRnaXdZbeWGTTqmgHB1GU9A== +---- END SSH2 ENCRYPTED PRIVATE KEY ---- diff --git a/crypto/openssh/regress/dsa_ssh2.pub b/crypto/openssh/regress/dsa_ssh2.pub new file mode 100644 index 000000000..215d73bae --- /dev/null +++ b/crypto/openssh/regress/dsa_ssh2.pub @@ -0,0 +1,13 @@ +---- BEGIN SSH2 PUBLIC KEY ---- +Subject: ssh-keygen test +Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100" +AAAAB3NzaC1kc3MAAACBALBR+bcDFlO63eJwGbAJwPjydjrgfO4QuVD68SqMhxEujj16z8 +NBN4s1D6R0pEJ+i6iwY2/RarFG0XS1SxZ1fFLfugcZrhA+6AF0dF3tiVkZm/ySDHsWyh6l +ju/sTrzf/3t2/bPEvcAZqBMTNavt+XTI97EBpmgO+1CuuNfjgEubAAAAFQDeC043YVo9Zo +0zAEeIA4uZh4LBCQAAAIEAlkJL7zMZw/HhZEtZKJxXzCdQpLkX0zd+AgWenWO1U0hnpsuE +MLRXTCpqLnw9HioMt6eVjnlgmCrReBYYxymZP2msRY4yG7ZK55b14OuECNdXUmcgTev1Yk +JBz0pFAxfgOgABIazW0GwBUr2qNZE7zbTwrS9AJFCHbhDMxkHywkwAAACAWo+2OYpHocoC +eKkw0pVcqbD7lfp+fbTEtHtqX60hvO8n+a/eACgZiXoaOTjusGGlwsbFQewBW0lA+u+QCv +JhxeL9f/u0lipOX/MZTAjEj2fStPo/1tXf6tqpIZ5w2aJThw6JiwPlNNIucmv4501c8gz1 +ixaVivLt8RgTwGF99uI= +---- END SSH2 PUBLIC KEY ---- diff --git a/crypto/openssh/regress/dynamic-forward.sh b/crypto/openssh/regress/dynamic-forward.sh new file mode 100644 index 000000000..42fa8acdc --- /dev/null +++ b/crypto/openssh/regress/dynamic-forward.sh @@ -0,0 +1,59 @@ +# $OpenBSD: dynamic-forward.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="dynamic forwarding" + +FWDPORT=`expr $PORT + 1` + +if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then + proxycmd="nc -x 127.0.0.1:$FWDPORT -X" +elif have_prog connect; then + proxycmd="connect -S 127.0.0.1:$FWDPORT -" +else + echo "skipped (no suitable ProxyCommand found)" + exit 0 +fi +trace "will use ProxyCommand $proxycmd" + +start_sshd + +for p in 1 2; do + n=0 + error="1" + trace "start dynamic forwarding, fork to background" + while [ "$error" -ne 0 -a "$n" -lt 3 ]; do + n=`expr $n + 1` + ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? + if [ "$error" -ne 0 ]; then + trace "forward failed proto $p attempt $n err $error" + sleep $n + fi + done + if [ "$error" -ne 0 ]; then + fatal "failed to start dynamic forwarding proto $p" + fi + + for s in 4 5; do + for h in 127.0.0.1 localhost; do + trace "testing ssh protocol $p socks version $s host $h" + ${SSH} -F $OBJ/ssh_config \ + -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ + somehost cat $DATA > $OBJ/ls.copy + test -f $OBJ/ls.copy || fail "failed copy $DATA" + cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA" + done + done + + if [ -f $OBJ/remote_pid ]; then + remote=`cat $OBJ/remote_pid` + trace "terminate remote shell, pid $remote" + if [ $remote -gt 1 ]; then + kill -HUP $remote + fi + else + fail "no pid file: $OBJ/remote_pid" + fi +done diff --git a/crypto/openssh/regress/envpass.sh b/crypto/openssh/regress/envpass.sh new file mode 100644 index 000000000..af7eafe3d --- /dev/null +++ b/crypto/openssh/regress/envpass.sh @@ -0,0 +1,60 @@ +# $OpenBSD: envpass.sh,v 1.4 2005/03/04 08:48:46 djm Exp $ +# Placed in the Public Domain. + +tid="environment passing" + +# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST) + +# Prepare a custom config to test for a configuration parsing bug fixed in 4.0 +cat << EOF > $OBJ/ssh_proxy_envpass +Host test-sendenv-confparse-bug + SendEnv * +EOF +cat $OBJ/ssh_proxy >> $OBJ/ssh_proxy_envpass + +trace "pass env, don't accept" +verbose "test $tid: pass env, don't accept" +_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy_envpass otherhost \ + sh << 'EOF' + test -z "$_TEST_ENV" +EOF +r=$? +if [ $r -ne 0 ]; then + fail "environment found" +fi + +trace "don't pass env, accept" +verbose "test $tid: don't pass env, accept" +_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -F $OBJ/ssh_proxy_envpass otherhost \ + sh << 'EOF' + test -z "$_XXX_TEST_A" && test -z "$_XXX_TEST_B" +EOF +r=$? +if [ $r -ne 0 ]; then + fail "environment found" +fi + +trace "pass single env, accept single env" +verbose "test $tid: pass single env, accept single env" +_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy_envpass \ + otherhost sh << 'EOF' + test X"$_XXX_TEST" = X"blah" +EOF +r=$? +if [ $r -ne 0 ]; then + fail "environment not found" +fi + +trace "pass multiple env, accept multiple env" +verbose "test $tid: pass multiple env, accept multiple env" +_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \ + -F $OBJ/ssh_proxy_envpass otherhost \ + sh << 'EOF' + test X"$_XXX_TEST_A" = X"1" -a X"$_XXX_TEST_B" = X"2" +EOF +r=$? +if [ $r -ne 0 ]; then + fail "environment not found" +fi + +rm -f $OBJ/ssh_proxy_envpass diff --git a/crypto/openssh/regress/exit-status.sh b/crypto/openssh/regress/exit-status.sh new file mode 100644 index 000000000..56b78a622 --- /dev/null +++ b/crypto/openssh/regress/exit-status.sh @@ -0,0 +1,24 @@ +# $OpenBSD: exit-status.sh,v 1.6 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="remote exit status" + +for p in 1 2; do + for s in 0 1 4 5 44; do + trace "proto $p status $s" + verbose "test $tid: proto $p status $s" + ${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s + r=$? + if [ $r -ne $s ]; then + fail "exit code mismatch for protocol $p: $r != $s" + fi + + # same with early close of stdout/err + ${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \ + exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' + r=$? + if [ $r -ne $s ]; then + fail "exit code (with sleep) mismatch for protocol $p: $r != $s" + fi + done +done diff --git a/crypto/openssh/regress/forcecommand.sh b/crypto/openssh/regress/forcecommand.sh new file mode 100644 index 000000000..44d2b7ffd --- /dev/null +++ b/crypto/openssh/regress/forcecommand.sh @@ -0,0 +1,42 @@ +# $OpenBSD: forcecommand.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ +# Placed in the Public Domain. + +tid="forced command" + +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + +printf 'command="true" ' >$OBJ/authorized_keys_$USER +cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER +printf 'command="true" ' >>$OBJ/authorized_keys_$USER +cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER + +for p in 1 2; do + trace "forced command in key option proto $p" + ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || + fail "forced command in key proto $p" +done + +printf 'command="false" ' >$OBJ/authorized_keys_$USER +cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER +printf 'command="false" ' >>$OBJ/authorized_keys_$USER +cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER + +cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy +echo "ForceCommand true" >> $OBJ/sshd_proxy + +for p in 1 2; do + trace "forced command in sshd_config overrides key option proto $p" + ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || + fail "forced command in key proto $p" +done + +cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy +echo "ForceCommand false" >> $OBJ/sshd_proxy +echo "Match User $USER" >> $OBJ/sshd_proxy +echo " ForceCommand true" >> $OBJ/sshd_proxy + +for p in 1 2; do + trace "forced command with match proto $p" + ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || + fail "forced command in key proto $p" +done diff --git a/crypto/openssh/regress/forward-control.sh b/crypto/openssh/regress/forward-control.sh new file mode 100755 index 000000000..7f7d105e8 --- /dev/null +++ b/crypto/openssh/regress/forward-control.sh @@ -0,0 +1,168 @@ +# $OpenBSD: forward-control.sh,v 1.2 2013/11/18 05:09:32 naddy Exp $ +# Placed in the Public Domain. + +tid="sshd control of local and remote forwarding" + +LFWD_PORT=3320 +RFWD_PORT=3321 +CTL=$OBJ/ctl-sock +READY=$OBJ/ready + +wait_for_file_to_appear() { + _path=$1 + _n=0 + while test ! -f $_path ; do + test $_n -eq 1 && trace "waiting for $_path to appear" + _n=`expr $_n + 1` + test $_n -ge 20 && return 1 + sleep 1 + done + return 0 +} + +wait_for_process_to_exit() { + _pid=$1 + _n=0 + while kill -0 $_pid 2>/dev/null ; do + test $_n -eq 1 && trace "waiting for $_pid to exit" + _n=`expr $_n + 1` + test $_n -ge 20 && return 1 + sleep 1 + done + return 0 +} + +# usage: check_lfwd protocol Y|N message +check_lfwd() { + _proto=$1 + _expected=$2 + _message=$3 + rm -f $READY + ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ + -L$LFWD_PORT:127.0.0.1:$PORT \ + -o ExitOnForwardFailure=yes \ + -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ + >/dev/null 2>&1 & + _sshpid=$! + wait_for_file_to_appear $READY || \ + fatal "check_lfwd ssh fail: $_message" + ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \ + -oConnectionAttempts=4 host true >/dev/null 2>&1 + _result=$? + kill $_sshpid `cat $READY` 2>/dev/null + wait_for_process_to_exit $_sshpid + if test "x$_expected" = "xY" -a $_result -ne 0 ; then + fail "check_lfwd failed (expecting success): $_message" + elif test "x$_expected" = "xN" -a $_result -eq 0 ; then + fail "check_lfwd succeeded (expecting failure): $_message" + elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then + fatal "check_lfwd invalid argument \"$_expected\"" + else + verbose "check_lfwd done (expecting $_expected): $_message" + fi +} + +# usage: check_rfwd protocol Y|N message +check_rfwd() { + _proto=$1 + _expected=$2 + _message=$3 + rm -f $READY + ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ + -R$RFWD_PORT:127.0.0.1:$PORT \ + -o ExitOnForwardFailure=yes \ + -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ + >/dev/null 2>&1 & + _sshpid=$! + wait_for_file_to_appear $READY + _result=$? + if test $_result -eq 0 ; then + ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \ + -oConnectionAttempts=4 host true >/dev/null 2>&1 + _result=$? + kill $_sshpid `cat $READY` 2>/dev/null + wait_for_process_to_exit $_sshpid + fi + if test "x$_expected" = "xY" -a $_result -ne 0 ; then + fail "check_rfwd failed (expecting success): $_message" + elif test "x$_expected" = "xN" -a $_result -eq 0 ; then + fail "check_rfwd succeeded (expecting failure): $_message" + elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then + fatal "check_rfwd invalid argument \"$_expected\"" + else + verbose "check_rfwd done (expecting $_expected): $_message" + fi +} + +start_sshd +cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak +cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak + +# Sanity check: ensure the default config allows forwarding +for p in 1 2 ; do + check_lfwd $p Y "proto $p, default configuration" + check_rfwd $p Y "proto $p, default configuration" +done + +# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N +all_tests() { + _tcpfwd=$1 + _plain_lfwd=$2 + _plain_rfwd=$3 + _nopermit_lfwd=$4 + _nopermit_rfwd=$5 + _permit_lfwd=$6 + _permit_rfwd=$7 + _badfwd=127.0.0.1:22 + _goodfwd=127.0.0.1:${PORT} + for _proto in 1 2 ; do + cp ${OBJ}/authorized_keys_${USER}.bak \ + ${OBJ}/authorized_keys_${USER} + _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd" + # No PermitOpen + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_proto $_plain_lfwd "$_prefix" + check_rfwd $_proto $_plain_rfwd "$_prefix" + # PermitOpen via sshd_config that doesn't match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitOpen $_badfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen" + check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen" + # PermitOpen via sshd_config that does match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitOpen $_badfwd $_goodfwd" ) \ + > ${OBJ}/sshd_proxy + # NB. permitopen via authorized_keys should have same + # success/fail as via sshd_config + # permitopen via authorized_keys that doesn't match + sed "s/^/permitopen=\"$_badfwd\" /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen" + check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen" + # permitopen via authorized_keys that does match + sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen" + check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen" + done +} + +# no-permitopen mismatch-permitopen match-permitopen +# AllowTcpForwarding local remote local remote local remote +all_tests yes Y Y N Y Y Y +all_tests local Y N N N Y N +all_tests remote N Y N Y N Y +all_tests no N N N N N N diff --git a/crypto/openssh/regress/forwarding.sh b/crypto/openssh/regress/forwarding.sh new file mode 100644 index 000000000..94873f22c --- /dev/null +++ b/crypto/openssh/regress/forwarding.sh @@ -0,0 +1,121 @@ +# $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $ +# Placed in the Public Domain. + +tid="local and remote forwarding" + +DATA=/bin/ls${EXEEXT} + +start_sshd + +base=33 +last=$PORT +fwd="" +for j in 0 1 2; do + for i in 0 1 2; do + a=$base$j$i + b=`expr $a + 50` + c=$last + # fwd chain: $a -> $b -> $c + fwd="$fwd -L$a:127.0.0.1:$b -R$b:127.0.0.1:$c" + last=$a + done +done +for p in 1 2; do + q=`expr 3 - $p` + trace "start forwarding, fork to background" + ${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10 + + trace "transfer over forwarded channels and check result" + ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} + test -f ${COPY} || fail "failed copy of ${DATA}" + cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + + sleep 10 +done + +for p in 1 2; do +for d in L R; do + trace "exit on -$d forward failure, proto $p" + + # this one should succeed + ${SSH} -$p -F $OBJ/ssh_config \ + -$d ${base}01:127.0.0.1:$PORT \ + -$d ${base}02:127.0.0.1:$PORT \ + -$d ${base}03:127.0.0.1:$PORT \ + -$d ${base}04:127.0.0.1:$PORT \ + -oExitOnForwardFailure=yes somehost true + if [ $? != 0 ]; then + fail "connection failed, should not" + else + # this one should fail + ${SSH} -q -$p -F $OBJ/ssh_config \ + -$d ${base}01:127.0.0.1:$PORT \ + -$d ${base}02:127.0.0.1:$PORT \ + -$d ${base}03:127.0.0.1:$PORT \ + -$d ${base}01:127.0.0.1:$PORT \ + -$d ${base}04:127.0.0.1:$PORT \ + -oExitOnForwardFailure=yes somehost true + r=$? + if [ $r != 255 ]; then + fail "connection not termintated, but should ($r)" + fi + fi +done +done + +for p in 1 2; do + trace "simple clear forwarding proto $p" + ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true + + trace "clear local forward proto $p" + ${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ + -oClearAllForwardings=yes somehost sleep 10 + if [ $? != 0 ]; then + fail "connection failed with cleared local forwarding" + else + # this one should fail + ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ + fail "local forwarding not cleared" + fi + sleep 10 + + trace "clear remote forward proto $p" + ${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ + -oClearAllForwardings=yes somehost sleep 10 + if [ $? != 0 ]; then + fail "connection failed with cleared remote forwarding" + else + # this one should fail + ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ + fail "remote forwarding not cleared" + fi + sleep 10 +done + +for p in 2; do + trace "stdio forwarding proto $p" + cmd="${SSH} -$p -F $OBJ/ssh_config" + $cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \ + somehost true + if [ $? != 0 ]; then + fail "stdio forwarding proto $p" + fi +done + +echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config +echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config +for p in 1 2; do + trace "config file: start forwarding, fork to background" + ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10 + + trace "config file: transfer over forwarded channels and check result" + ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} + test -f ${COPY} || fail "failed copy of ${DATA}" + cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + + wait +done diff --git a/crypto/openssh/regress/host-expand.sh b/crypto/openssh/regress/host-expand.sh new file mode 100755 index 000000000..6cc0e6055 --- /dev/null +++ b/crypto/openssh/regress/host-expand.sh @@ -0,0 +1,19 @@ +# $OpenBSD: host-expand.sh,v 1.3 2014/02/27 23:17:41 djm Exp $ +# Placed in the Public Domain. + +tid="expand %h and %n" + +echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy +printf 'LocalCommand printf "%%%%s\\n" "%%n" "%%h"\n' >> $OBJ/ssh_proxy + +cat >$OBJ/expect <$OBJ/actual + diff $OBJ/expect $OBJ/actual || fail "$tid proto $p" +done + diff --git a/crypto/openssh/regress/integrity.sh b/crypto/openssh/regress/integrity.sh new file mode 100755 index 000000000..852d82690 --- /dev/null +++ b/crypto/openssh/regress/integrity.sh @@ -0,0 +1,70 @@ +# $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $ +# Placed in the Public Domain. + +tid="integrity" + +# start at byte 2900 (i.e. after kex) and corrupt at different offsets +# XXX the test hangs if we modify the low bytes of the packet length +# XXX and ssh tries to read... +tries=10 +startoffset=2900 +macs=`${SSH} -Q mac` +# The following are not MACs, but ciphers with integrated integrity. They are +# handled specially below. +macs="$macs `${SSH} -Q cipher-auth`" + +# avoid DH group exchange as the extra traffic makes it harder to get the +# offset into the stream right. +echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \ + >> $OBJ/ssh_proxy + +# sshd-command for proxy (see test-exec.sh) +cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" + +for m in $macs; do + trace "test $tid: mac $m" + elen=0 + epad=0 + emac=0 + ecnt=0 + skip=0 + for off in `jot $tries $startoffset`; do + skip=`expr $skip - 1` + if [ $skip -gt 0 ]; then + # avoid modifying the high bytes of the length + continue + fi + # modify output from sshd at offset $off + pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" + if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then + macopt="-c $m" + else + macopt="-m $m -c aes128-ctr" + fi + verbose "test $tid: $m @$off" + ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ + -oServerAliveInterval=1 -oServerAliveCountMax=30 \ + 999.999.999.999 'printf "%4096s" " "' >/dev/null + if [ $? -eq 0 ]; then + fail "ssh -m $m succeeds with bit-flip at $off" + fi + ecnt=`expr $ecnt + 1` + output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \ + tr -s '\r\n' '.') + case "$output" in + Bad?packet*) elen=`expr $elen + 1`; skip=3;; + Corrupted?MAC* | Decryption?integrity?check?failed*) + emac=`expr $emac + 1`; skip=0;; + padding*) epad=`expr $epad + 1`; skip=0;; + *) fail "unexpected error mac $m at $off";; + esac + done + verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen" + if [ $emac -eq 0 ]; then + fail "$m: no mac errors" + fi + expect=`expr $ecnt - $epad - $elen` + if [ $emac -ne $expect ]; then + fail "$m: expected $expect mac errors, got $emac" + fi +done diff --git a/crypto/openssh/regress/kextype.sh b/crypto/openssh/regress/kextype.sh new file mode 100755 index 000000000..8c2ac09d6 --- /dev/null +++ b/crypto/openssh/regress/kextype.sh @@ -0,0 +1,20 @@ +# $OpenBSD: kextype.sh,v 1.4 2013/11/07 04:26:56 dtucker Exp $ +# Placed in the Public Domain. + +tid="login with different key exchange algorithms" + +TIME=/usr/bin/time +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak +cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak + +tries="1 2 3 4" +for k in `${SSH} -Q kex`; do + verbose "kex $k" + for i in $tries; do + ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true + if [ $? -ne 0 ]; then + fail "ssh kex $k" + fi + done +done + diff --git a/crypto/openssh/regress/key-options.sh b/crypto/openssh/regress/key-options.sh new file mode 100755 index 000000000..f98d78b30 --- /dev/null +++ b/crypto/openssh/regress/key-options.sh @@ -0,0 +1,71 @@ +# $OpenBSD: key-options.sh,v 1.2 2008/06/30 08:07:34 djm Exp $ +# Placed in the Public Domain. + +tid="key options" + +origkeys="$OBJ/authkeys_orig" +authkeys="$OBJ/authorized_keys_${USER}" +cp $authkeys $origkeys + +# Test command= forced command +for p in 1 2; do + for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do + sed "s/.*/$c &/" $origkeys >$authkeys + verbose "key option proto $p $c" + r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo` + if [ "$r" = "foo" ]; then + fail "key option forced command not restricted" + fi + if [ "$r" != "bar" ]; then + fail "key option forced command not executed" + fi + done +done + +# Test no-pty +sed 's/.*/no-pty &/' $origkeys >$authkeys +for p in 1 2; do + verbose "key option proto $p no-pty" + r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty` + if [ -f "$r" ]; then + fail "key option failed proto $p no-pty (pty $r)" + fi +done + +# Test environment= +echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy +sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys +for p in 1 2; do + verbose "key option proto $p environment" + r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` + if [ "$r" != "bar" ]; then + fail "key option environment not set" + fi +done + +# Test from= restriction +start_sshd +for p in 1 2; do + for f in 127.0.0.1 '127.0.0.0\/8'; do + cat $origkeys >$authkeys + ${SSH} -$p -q -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "key option proto $p failed without restriction" + fi + + sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys + from=`head -1 $authkeys | cut -f1 -d ' '` + verbose "key option proto $p $from" + r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` + if [ "$r" = "true" ]; then + fail "key option proto $p $from not restricted" + fi + + r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'` + if [ "$r" != "true" ]; then + fail "key option proto $p $from not allowed but should be" + fi + done +done + +rm -f "$origkeys" diff --git a/crypto/openssh/regress/keygen-change.sh b/crypto/openssh/regress/keygen-change.sh new file mode 100644 index 000000000..08d359023 --- /dev/null +++ b/crypto/openssh/regress/keygen-change.sh @@ -0,0 +1,23 @@ +# $OpenBSD: keygen-change.sh,v 1.2 2002/07/16 09:15:55 markus Exp $ +# Placed in the Public Domain. + +tid="change passphrase for key" + +S1="secret1" +S2="2secret" + +for t in rsa dsa rsa1; do + # generate user key for agent + trace "generating $t key" + rm -f $OBJ/$t-key + ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key + if [ $? -eq 0 ]; then + ${SSHKEYGEN} -p -P ${S1} -N ${S2} -f $OBJ/$t-key > /dev/null + if [ $? -ne 0 ]; then + fail "ssh-keygen -p failed for $t-key" + fi + else + fail "ssh-keygen for $t-key failed" + fi + rm -f $OBJ/$t-key $OBJ/$t-key.pub +done diff --git a/crypto/openssh/regress/keygen-convert.sh b/crypto/openssh/regress/keygen-convert.sh new file mode 100755 index 000000000..ad0e9c637 --- /dev/null +++ b/crypto/openssh/regress/keygen-convert.sh @@ -0,0 +1,33 @@ +# $OpenBSD: keygen-convert.sh,v 1.1 2009/11/09 04:20:04 dtucker Exp $ +# Placed in the Public Domain. + +tid="convert keys" + +for t in rsa dsa; do + # generate user key for agent + trace "generating $t key" + rm -f $OBJ/$t-key + ${SSHKEYGEN} -q -N "" -t $t -f $OBJ/$t-key + + trace "export $t private to rfc4716 public" + ${SSHKEYGEN} -q -e -f $OBJ/$t-key >$OBJ/$t-key-rfc || \ + fail "export $t private to rfc4716 public" + + trace "export $t public to rfc4716 public" + ${SSHKEYGEN} -q -e -f $OBJ/$t-key.pub >$OBJ/$t-key-rfc.pub || \ + fail "$t public to rfc4716 public" + + cmp $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub || \ + fail "$t rfc4716 exports differ between public and private" + + trace "import $t rfc4716 public" + ${SSHKEYGEN} -q -i -f $OBJ/$t-key-rfc >$OBJ/$t-rfc-imported || \ + fail "$t import rfc4716 public" + + cut -f1,2 -d " " $OBJ/$t-key.pub >$OBJ/$t-key-nocomment.pub + cmp $OBJ/$t-key-nocomment.pub $OBJ/$t-rfc-imported || \ + fail "$t imported differs from original" + + rm -f $OBJ/$t-key $OBJ/$t-key.pub $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub \ + $OBJ/$t-rfc-imported $OBJ/$t-key-nocomment.pub +done diff --git a/crypto/openssh/regress/keys-command.sh b/crypto/openssh/regress/keys-command.sh new file mode 100755 index 000000000..b595a434f --- /dev/null +++ b/crypto/openssh/regress/keys-command.sh @@ -0,0 +1,39 @@ +# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $ +# Placed in the Public Domain. + +tid="authorized keys from command" + +if test -z "$SUDO" ; then + echo "skipped (SUDO not set)" + echo "need SUDO to create file in /var/run, test won't work without" + exit 0 +fi + +# Establish a AuthorizedKeysCommand in /var/run where it will have +# acceptable directory permissions. +KEY_COMMAND="/var/run/keycommand_${LOGNAME}" +cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'" +#!/bin/sh +test "x\$1" != "x${LOGNAME}" && exit 1 +exec cat "$OBJ/authorized_keys_${LOGNAME}" +_EOF +$SUDO chmod 0755 "$KEY_COMMAND" + +cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak +( + grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak + echo AuthorizedKeysFile none + echo AuthorizedKeysCommand $KEY_COMMAND + echo AuthorizedKeysCommandUser ${LOGNAME} +) > $OBJ/sshd_proxy + +if [ -x $KEY_COMMAND ]; then + ${SSH} -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "connect failed" + fi +else + echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)" +fi + +$SUDO rm -f $KEY_COMMAND diff --git a/crypto/openssh/regress/keyscan.sh b/crypto/openssh/regress/keyscan.sh new file mode 100644 index 000000000..33f14f0fc --- /dev/null +++ b/crypto/openssh/regress/keyscan.sh @@ -0,0 +1,19 @@ +# $OpenBSD: keyscan.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="keyscan" + +# remove DSA hostkey +rm -f ${OBJ}/host.dsa + +start_sshd + +for t in rsa1 rsa dsa; do + trace "keyscan type $t" + ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ + > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-keyscan -t $t failed with: $r" + fi +done diff --git a/crypto/openssh/regress/keytype.sh b/crypto/openssh/regress/keytype.sh new file mode 100755 index 000000000..9752acb0a --- /dev/null +++ b/crypto/openssh/regress/keytype.sh @@ -0,0 +1,61 @@ +# $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $ +# Placed in the Public Domain. + +tid="login with different key types" + +TIME=`which time 2>/dev/null` +if test ! -x "$TIME"; then + TIME="" +fi + +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak +cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak + +# Traditional and builtin key types. +ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512" +# Types not present in all OpenSSL versions. +for i in `$SSH -Q key`; do + case "$i" in + ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; + ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; + ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; + esac +done + +for kt in $ktypes; do + rm -f $OBJ/key.$kt + bits=`echo ${kt} | awk -F- '{print $2}'` + type=`echo ${kt} | awk -F- '{print $1}'` + printf "keygen $type, $bits bits:\t" + ${TIME} ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ + fail "ssh-keygen for type $type, $bits bits failed" +done + +tries="1 2 3" +for ut in $ktypes; do + htypes=$ut + #htypes=$ktypes + for ht in $htypes; do + trace "ssh connect, userkey $ut, hostkey $ht" + ( + grep -v HostKey $OBJ/sshd_proxy_bak + echo HostKey $OBJ/key.$ht + ) > $OBJ/sshd_proxy + ( + grep -v IdentityFile $OBJ/ssh_proxy_bak + echo IdentityFile $OBJ/key.$ut + ) > $OBJ/ssh_proxy + ( + printf 'localhost-with-alias,127.0.0.1,::1 ' + cat $OBJ/key.$ht.pub + ) > $OBJ/known_hosts + cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER + for i in $tries; do + printf "userkey $ut, hostkey ${ht}:\t" + ${TIME} ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true + if [ $? -ne 0 ]; then + fail "ssh userkey $ut, hostkey $ht failed" + fi + done + done +done diff --git a/crypto/openssh/regress/krl.sh b/crypto/openssh/regress/krl.sh new file mode 100755 index 000000000..09246371c --- /dev/null +++ b/crypto/openssh/regress/krl.sh @@ -0,0 +1,160 @@ +# $OpenBSD: krl.sh,v 1.2 2013/11/21 03:15:46 djm Exp $ +# Placed in the Public Domain. + +tid="key revocation lists" + +# If we don't support ecdsa keys then this tell will be much slower. +ECDSA=ecdsa +if test "x$TEST_SSH_ECC" != "xyes"; then + ECDSA=rsa +fi + +# Do most testing with ssh-keygen; it uses the same verification code as sshd. + +# Old keys will interfere with ssh-keygen. +rm -f $OBJ/revoked-* $OBJ/krl-* + +# Generate a CA key +$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null || + fatal "$SSHKEYGEN CA failed" + +# A specification that revokes some certificates by serial numbers +# The serial pattern is chosen to ensure the KRL includes list, range and +# bitmap sections. +cat << EOF >> $OBJ/revoked-serials +serial: 1-4 +serial: 10 +serial: 15 +serial: 30 +serial: 50 +serial: 999 +# The following sum to 500-799 +serial: 500 +serial: 501 +serial: 502 +serial: 503-600 +serial: 700-797 +serial: 798 +serial: 799 +serial: 599-701 +EOF + +# A specification that revokes some certificated by key ID. +touch $OBJ/revoked-keyid +for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do + # Fill in by-ID revocation spec. + echo "id: revoked $n" >> $OBJ/revoked-keyid +done + +keygen() { + N=$1 + f=$OBJ/revoked-`printf "%04d" $N` + # Vary the keytype. We use mostly ECDSA since this is fastest by far. + keytype=$ECDSA + case $N in + 2 | 10 | 510 | 1001) keytype=rsa;; + 4 | 30 | 520 | 1002) keytype=dsa;; + esac + $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ + || fatal "$SSHKEYGEN failed" + # Sign cert + $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \ + || fatal "$SSHKEYGEN sign failed" + echo $f +} + +# Generate some keys. +verbose "$tid: generating test keys" +REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" +for n in $REVOKED_SERIALS ; do + f=`keygen $n` + REVOKED_KEYS="$REVOKED_KEYS ${f}.pub" + REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub" +done +NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001" +NOTREVOKED="" +for n in $NOTREVOKED_SERIALS ; do + NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub" + NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub" +done + +genkrls() { + OPTS=$1 +$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - /dev/null || fatal "$SSHKEYGEN KRL failed" +$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \ + >/dev/null || fatal "$SSHKEYGEN KRL failed" +$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \ + >/dev/null || fatal "$SSHKEYGEN KRL failed" +$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \ + >/dev/null || fatal "$SSHKEYGEN KRL failed" +$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ + >/dev/null || fatal "$SSHKEYGEN KRL failed" +# KRLs from serial/key-id spec need the CA specified. +$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ + >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" +$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \ + >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" +$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \ + >/dev/null || fatal "$SSHKEYGEN KRL failed" +$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \ + >/dev/null || fatal "$SSHKEYGEN KRL failed" +} + +## XXX dump with trace and grep for set cert serials +## XXX test ranges near (u64)-1, etc. + +verbose "$tid: generating KRLs" +genkrls + +check_krl() { + KEY=$1 + KRL=$2 + EXPECT_REVOKED=$3 + TAG=$4 + $SSHKEYGEN -Qf $KRL $KEY >/dev/null + result=$? + if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then + fatal "key $KEY not revoked by KRL $KRL: $TAG" + elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then + fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" + fi +} +test_all() { + FILES=$1 + TAG=$2 + KEYS_RESULT=$3 + ALL_RESULT=$4 + SERIAL_RESULT=$5 + KEYID_RESULT=$6 + CERTS_RESULT=$7 + CA_RESULT=$8 + verbose "$tid: checking revocations for $TAG" + for f in $FILES ; do + check_krl $f $OBJ/krl-empty no "$TAG" + check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" + check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" + check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" + check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" + check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" + check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" + done +} +# keys all serial keyid certs CA +test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no +test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no +test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes +test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes + +# Check update. Results should be identical. +verbose "$tid: testing KRL update" +for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \ + $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do + cp -f $OBJ/krl-empty $f + genkrls -u +done +# keys all serial keyid certs CA +test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no +test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no +test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes +test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes diff --git a/crypto/openssh/regress/localcommand.sh b/crypto/openssh/regress/localcommand.sh new file mode 100755 index 000000000..8a9b56971 --- /dev/null +++ b/crypto/openssh/regress/localcommand.sh @@ -0,0 +1,15 @@ +# $OpenBSD: localcommand.sh,v 1.2 2013/05/17 10:24:48 dtucker Exp $ +# Placed in the Public Domain. + +tid="localcommand" + +echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy +echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy + +for p in 1 2; do + verbose "test $tid: proto $p localcommand" + a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true` + if [ "$a" != "foo" ] ; then + fail "$tid proto $p" + fi +done diff --git a/crypto/openssh/regress/login-timeout.sh b/crypto/openssh/regress/login-timeout.sh new file mode 100644 index 000000000..d9b48f391 --- /dev/null +++ b/crypto/openssh/regress/login-timeout.sh @@ -0,0 +1,31 @@ +# $OpenBSD: login-timeout.sh,v 1.6 2014/02/27 20:04:16 djm Exp $ +# Placed in the Public Domain. + +tid="connect after login grace timeout" + +trace "test login grace with privsep" +cp $OBJ/sshd_config $OBJ/sshd_config.orig +grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config +echo "LoginGraceTime 10s" >> $OBJ/sshd_config +echo "MaxStartups 1" >> $OBJ/sshd_config +start_sshd + +(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & +sleep 15 +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect after login grace timeout failed with privsep" +fi + +$SUDO kill `$SUDO cat $PIDFILE` + +trace "test login grace without privsep" +echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config +start_sshd + +(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & +sleep 15 +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect after login grace timeout failed without privsep" +fi diff --git a/crypto/openssh/regress/modpipe.c b/crypto/openssh/regress/modpipe.c new file mode 100755 index 000000000..e854f9e07 --- /dev/null +++ b/crypto/openssh/regress/modpipe.c @@ -0,0 +1,175 @@ +/* + * Copyright (c) 2012 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */ + +#include "includes.h" + +#include +#include +#include +#include +#include +#include +#include +#include "openbsd-compat/getopt_long.c" + +static void err(int, const char *, ...) __attribute__((format(printf, 2, 3))); +static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3))); + +static void +err(int r, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + fprintf(stderr, "%s: ", strerror(errno)); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); + exit(r); +} + +static void +errx(int r, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); + exit(r); +} + +static void +usage(void) +{ + fprintf(stderr, "Usage: modpipe -w [-m modspec ...] < in > out\n"); + fprintf(stderr, "modspec is one of:\n"); + fprintf(stderr, " xor:offset:value - XOR \"value\" at \"offset\"\n"); + fprintf(stderr, " andor:offset:val1:val2 - AND \"val1\" then OR \"val2\" at \"offset\"\n"); + exit(1); +} + +#define MAX_MODIFICATIONS 256 +struct modification { + enum { MOD_XOR, MOD_AND_OR } what; + unsigned long long offset; + u_int8_t m1, m2; +}; + +static void +parse_modification(const char *s, struct modification *m) +{ + char what[16+1]; + int n, m1, m2; + + bzero(m, sizeof(*m)); + if ((n = sscanf(s, "%16[^:]%*[:]%llu%*[:]%i%*[:]%i", + what, &m->offset, &m1, &m2)) < 3) + errx(1, "Invalid modification spec \"%s\"", s); + if (strcasecmp(what, "xor") == 0) { + if (n > 3) + errx(1, "Invalid modification spec \"%s\"", s); + if (m1 < 0 || m1 > 0xff) + errx(1, "Invalid XOR modification value"); + m->what = MOD_XOR; + m->m1 = m1; + } else if (strcasecmp(what, "andor") == 0) { + if (n != 4) + errx(1, "Invalid modification spec \"%s\"", s); + if (m1 < 0 || m1 > 0xff) + errx(1, "Invalid AND modification value"); + if (m2 < 0 || m2 > 0xff) + errx(1, "Invalid OR modification value"); + m->what = MOD_AND_OR; + m->m1 = m1; + m->m2 = m2; + } else + errx(1, "Invalid modification type \"%s\"", what); +} + +int +main(int argc, char **argv) +{ + int ch; + u_char buf[8192]; + size_t total; + ssize_t r, s, o; + struct modification mods[MAX_MODIFICATIONS]; + u_int i, wflag = 0, num_mods = 0; + + while ((ch = getopt(argc, argv, "wm:")) != -1) { + switch (ch) { + case 'm': + if (num_mods >= MAX_MODIFICATIONS) + errx(1, "Too many modifications"); + parse_modification(optarg, &(mods[num_mods++])); + break; + case 'w': + wflag = 1; + break; + default: + usage(); + /* NOTREACHED */ + } + } + for (total = 0;;) { + r = s = read(STDIN_FILENO, buf, sizeof(buf)); + if (r == 0) + break; + if (r < 0) { + if (errno == EAGAIN || errno == EINTR) + continue; + err(1, "read"); + } + for (i = 0; i < num_mods; i++) { + if (mods[i].offset < total || + mods[i].offset >= total + s) + continue; + switch (mods[i].what) { + case MOD_XOR: + buf[mods[i].offset - total] ^= mods[i].m1; + break; + case MOD_AND_OR: + buf[mods[i].offset - total] &= mods[i].m1; + buf[mods[i].offset - total] |= mods[i].m2; + break; + } + } + for (o = 0; o < s; o += r) { + r = write(STDOUT_FILENO, buf, s - o); + if (r == 0) + break; + if (r < 0) { + if (errno == EAGAIN || errno == EINTR) + continue; + err(1, "write"); + } + } + total += s; + } + /* Warn if modifications not reached in input stream */ + r = 0; + for (i = 0; wflag && i < num_mods; i++) { + if (mods[i].offset < total) + continue; + r = 1; + fprintf(stderr, "modpipe: warning - mod %u not reached\n", i); + } + return r; +} diff --git a/crypto/openssh/regress/multiplex.sh b/crypto/openssh/regress/multiplex.sh new file mode 100644 index 000000000..3e697e691 --- /dev/null +++ b/crypto/openssh/regress/multiplex.sh @@ -0,0 +1,143 @@ +# $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +CTL=/tmp/openssh.regress.ctl-sock.$$ + +tid="connection multiplexing" + +if config_defined DISABLE_FD_PASSING ; then + echo "skipped (not supported on this platform)" + exit 0 +fi + +P=3301 # test port + +wait_for_mux_master_ready() +{ + for i in 1 2 3 4 5; do + ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \ + >/dev/null 2>&1 && return 0 + sleep $i + done + fatal "mux master never becomes ready" +} + +start_sshd + +start_mux_master() +{ + trace "start master, fork to background" + ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \ + -E $TEST_REGRESS_LOGFILE 2>&1 & + MASTER_PID=$! + wait_for_mux_master_ready +} + +start_mux_master + +verbose "test $tid: envpass" +trace "env passing over multiplexed connection" +_XXX_TEST=blah ${SSH} -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" -S$CTL otherhost sh << 'EOF' + test X"$_XXX_TEST" = X"blah" +EOF +if [ $? -ne 0 ]; then + fail "environment not found" +fi + +verbose "test $tid: transfer" +rm -f ${COPY} +trace "ssh transfer over multiplexed connection and check result" +${SSH} -F $OBJ/ssh_config -S$CTL otherhost cat ${DATA} > ${COPY} +test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}" + +rm -f ${COPY} +trace "ssh transfer over multiplexed connection and check result" +${SSH} -F $OBJ/ssh_config -S $CTL otherhost cat ${DATA} > ${COPY} +test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}" + +rm -f ${COPY} +trace "sftp transfer over multiplexed connection and check result" +echo "get ${DATA} ${COPY}" | \ + ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_REGRESS_LOGFILE 2>&1 +test -f ${COPY} || fail "sftp: failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}" + +rm -f ${COPY} +trace "scp transfer over multiplexed connection and check result" +${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1 +test -f ${COPY} || fail "scp: failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}" + +rm -f ${COPY} + +for s in 0 1 4 5 44; do + trace "exit status $s over multiplexed connection" + verbose "test $tid: status $s" + ${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s + r=$? + if [ $r -ne $s ]; then + fail "exit code mismatch for protocol $p: $r != $s" + fi + + # same with early close of stdout/err + trace "exit status $s with early close over multiplexed connection" + ${SSH} -F $OBJ/ssh_config -S $CTL -n otherhost \ + exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' + r=$? + if [ $r -ne $s ]; then + fail "exit code (with sleep) mismatch for protocol $p: $r != $s" + fi +done + +verbose "test $tid: cmd check" +${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ + || fail "check command failed" + +verbose "test $tid: cmd forward local" +${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \ + || fail "request local forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + || fail "connect to local forward port failed" +${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \ + || fail "cancel local forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + && fail "local forward port still listening" + +verbose "test $tid: cmd forward remote" +${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \ + || fail "request remote forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + || fail "connect to remote forwarded port failed" +${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \ + || fail "cancel remote forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + && fail "remote forward port still listening" + +verbose "test $tid: cmd exit" +${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ + || fail "send exit command failed" + +# Wait for master to exit +wait $MASTER_PID +kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" + +# Restart master and test -O stop command with master using -N +verbose "test $tid: cmd stop" +trace "restart master, fork to background" +start_mux_master + +# start a long-running command then immediately request a stop +${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \ + >>$TEST_REGRESS_LOGFILE 2>&1 & +SLEEP_PID=$! +${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ + || fail "send stop command failed" + +# wait until both long-running command and master have exited. +wait $SLEEP_PID +[ $! != 0 ] || fail "waiting for concurrent command" +wait $MASTER_PID +[ $! != 0 ] || fail "waiting for master stop" +kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed" diff --git a/crypto/openssh/regress/portnum.sh b/crypto/openssh/regress/portnum.sh new file mode 100755 index 000000000..c56b869a3 --- /dev/null +++ b/crypto/openssh/regress/portnum.sh @@ -0,0 +1,34 @@ +# $OpenBSD: portnum.sh,v 1.2 2013/05/17 10:34:30 dtucker Exp $ +# Placed in the Public Domain. + +tid="port number parsing" + +badport() { + port=$1 + verbose "$tid: invalid port $port" + if ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then + fail "$tid accepted invalid port $port" + fi +} +goodport() { + port=$1 + verbose "$tid: valid port $port" + if ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then + : + else + fail "$tid rejected valid port $port" + fi +} + +badport 0 +badport 65536 +badport 131073 +badport 2000blah +badport blah2000 + +goodport 1 +goodport 22 +goodport 2222 +goodport 22222 +goodport 65535 + diff --git a/crypto/openssh/regress/proto-mismatch.sh b/crypto/openssh/regress/proto-mismatch.sh new file mode 100644 index 000000000..fb521f214 --- /dev/null +++ b/crypto/openssh/regress/proto-mismatch.sh @@ -0,0 +1,19 @@ +# $OpenBSD: proto-mismatch.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="protocol version mismatch" + +mismatch () +{ + server=$1 + client=$2 + banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy` + r=$? + trace "sshd prints ${banner}" + if [ $r -ne 255 ]; then + fail "sshd prints ${banner} and accepts connect with version ${client}" + fi +} + +mismatch 2 SSH-1.5-HALLO +mismatch 1 SSH-2.0-HALLO diff --git a/crypto/openssh/regress/proto-version.sh b/crypto/openssh/regress/proto-version.sh new file mode 100644 index 000000000..b876dd7ec --- /dev/null +++ b/crypto/openssh/regress/proto-version.sh @@ -0,0 +1,34 @@ +# $OpenBSD: proto-version.sh,v 1.4 2013/05/17 00:37:40 dtucker Exp $ +# Placed in the Public Domain. + +tid="sshd version with different protocol combinations" + +# we just start sshd in inetd mode and check the banner +check_version () +{ + version=$1 + expect=$2 + banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` + case ${banner} in + SSH-1.99-*) + proto=199 + ;; + SSH-2.0-*) + proto=20 + ;; + SSH-1.5-*) + proto=15 + ;; + *) + proto=0 + ;; + esac + if [ ${expect} -ne ${proto} ]; then + fail "wrong protocol version ${banner} for ${version}" + fi +} + +check_version 2,1 199 +check_version 1,2 199 +check_version 2 20 +check_version 1 15 diff --git a/crypto/openssh/regress/proxy-connect.sh b/crypto/openssh/regress/proxy-connect.sh new file mode 100644 index 000000000..76e602dd6 --- /dev/null +++ b/crypto/openssh/regress/proxy-connect.sh @@ -0,0 +1,26 @@ +# $OpenBSD: proxy-connect.sh,v 1.6 2013/03/07 00:20:34 djm Exp $ +# Placed in the Public Domain. + +tid="proxy connect" + +verbose "plain username" +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + if [ $? -ne 0 ]; then + fail "ssh proxyconnect protocol $p failed" + fi + SSH_CONNECTION=`${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 'echo $SSH_CONNECTION'` + if [ $? -ne 0 ]; then + fail "ssh proxyconnect protocol $p failed" + fi + if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then + fail "bad SSH_CONNECTION" + fi +done + +verbose "username with style" +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ + fail "ssh proxyconnect protocol $p failed" +done + diff --git a/crypto/openssh/regress/putty-ciphers.sh b/crypto/openssh/regress/putty-ciphers.sh new file mode 100755 index 000000000..724a98cc1 --- /dev/null +++ b/crypto/openssh/regress/putty-ciphers.sh @@ -0,0 +1,26 @@ +# $OpenBSD: putty-ciphers.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="putty ciphers" + +if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then + echo "putty interop tests not enabled" + exit 0 +fi + +for c in aes blowfish 3des arcfour aes128-ctr aes192-ctr aes256-ctr ; do + verbose "$tid: cipher $c" + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/cipher_$c + echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c + + rm -f ${COPY} + env HOME=$PWD ${PLINK} -load cipher_$c -batch -i putty.rsa2 \ + 127.0.0.1 cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" +done +rm -f ${COPY} + diff --git a/crypto/openssh/regress/putty-kex.sh b/crypto/openssh/regress/putty-kex.sh new file mode 100755 index 000000000..1844d6599 --- /dev/null +++ b/crypto/openssh/regress/putty-kex.sh @@ -0,0 +1,23 @@ +# $OpenBSD: putty-kex.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="putty KEX" + +if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then + echo "putty interop tests not enabled" + exit 0 +fi + +for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do + verbose "$tid: kex $k" + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/kex_$k + echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k + + env HOME=$PWD ${PLINK} -load kex_$k -batch -i putty.rsa2 \ + 127.0.0.1 true + if [ $? -ne 0 ]; then + fail "KEX $k failed" + fi +done + diff --git a/crypto/openssh/regress/putty-transfer.sh b/crypto/openssh/regress/putty-transfer.sh new file mode 100755 index 000000000..aec0e04ee --- /dev/null +++ b/crypto/openssh/regress/putty-transfer.sh @@ -0,0 +1,41 @@ +# $OpenBSD: putty-transfer.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="putty transfer data" + +if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then + echo "putty interop tests not enabled" + exit 0 +fi + +# XXX support protocol 1 too +for p in 2; do + for c in 0 1 ; do + verbose "$tid: proto $p compression $c" + rm -f ${COPY} + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/compression_$c + echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k + env HOME=$PWD ${PLINK} -load compression_$c -batch \ + -i putty.rsa$p 127.0.0.1 cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + + for s in 10 100 1k 32k 64k 128k 256k; do + trace "proto $p compression $c dd-size ${s}" + rm -f ${COPY} + dd if=$DATA obs=${s} 2> /dev/null | \ + env HOME=$PWD ${PLINK} -load compression_$c \ + -batch -i putty.rsa$p 127.0.0.1 \ + "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp $DATA ${COPY} || fail "corrupted copy" + done + done +done +rm -f ${COPY} + diff --git a/crypto/openssh/regress/reconfigure.sh b/crypto/openssh/regress/reconfigure.sh new file mode 100644 index 000000000..9fd289531 --- /dev/null +++ b/crypto/openssh/regress/reconfigure.sh @@ -0,0 +1,36 @@ +# $OpenBSD: reconfigure.sh,v 1.2 2003/06/21 09:14:05 markus Exp $ +# Placed in the Public Domain. + +tid="simple connect after reconfigure" + +# we need the full path to sshd for -HUP +case $SSHD in +/*) + # full path is OK + ;; +*) + # otherwise make fully qualified + SSHD=$OBJ/$SSHD +esac + +start_sshd + +PID=`$SUDO cat $PIDFILE` +rm -f $PIDFILE +$SUDO kill -HUP $PID + +trace "wait for sshd to restart" +i=0; +while [ ! -f $PIDFILE -a $i -lt 10 ]; do + i=`expr $i + 1` + sleep $i +done + +test -f $PIDFILE || fatal "sshd did not restart" + +for p in 1 2; do + ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true + if [ $? -ne 0 ]; then + fail "ssh connect with protocol $p failed after reconfigure" + fi +done diff --git a/crypto/openssh/regress/reexec.sh b/crypto/openssh/regress/reexec.sh new file mode 100644 index 000000000..433573f06 --- /dev/null +++ b/crypto/openssh/regress/reexec.sh @@ -0,0 +1,73 @@ +# $OpenBSD: reexec.sh,v 1.7 2013/05/17 10:23:52 dtucker Exp $ +# Placed in the Public Domain. + +tid="reexec tests" + +SSHD_ORIG=$SSHD +SSHD_COPY=$OBJ/sshd + +# Start a sshd and then delete it +start_sshd_copy () +{ + cp $SSHD_ORIG $SSHD_COPY + SSHD=$SSHD_COPY + start_sshd + SSHD=$SSHD_ORIG +} + +# Do basic copy tests +copy_tests () +{ + rm -f ${COPY} + for p in 1 2; do + verbose "$tid: proto $p" + ${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \ + cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + rm -f ${COPY} + done +} + +verbose "test config passing" + +cp $OBJ/sshd_config $OBJ/sshd_config.orig +start_sshd +echo "InvalidXXX=no" >> $OBJ/sshd_config + +copy_tests + +$SUDO kill `$SUDO cat $PIDFILE` +rm -f $PIDFILE + +cp $OBJ/sshd_config.orig $OBJ/sshd_config + +# cygwin can't fork a deleted binary +if [ "$os" != "cygwin" ]; then + +verbose "test reexec fallback" + +start_sshd_copy +rm -f $SSHD_COPY + +copy_tests + +$SUDO kill `$SUDO cat $PIDFILE` +rm -f $PIDFILE + +verbose "test reexec fallback without privsep" + +cp $OBJ/sshd_config.orig $OBJ/sshd_config +echo "UsePrivilegeSeparation=no" >> $OBJ/sshd_config + +start_sshd_copy +rm -f $SSHD_COPY + +copy_tests + +$SUDO kill `$SUDO cat $PIDFILE` +rm -f $PIDFILE + +fi diff --git a/crypto/openssh/regress/rekey.sh b/crypto/openssh/regress/rekey.sh new file mode 100644 index 000000000..cf9401ea0 --- /dev/null +++ b/crypto/openssh/regress/rekey.sh @@ -0,0 +1,142 @@ +# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $ +# Placed in the Public Domain. + +tid="rekey" + +LOG=${TEST_SSH_LOGFILE} + +rm -f ${LOG} + +# Test rekeying based on data volume only. +# Arguments will be passed to ssh. +ssh_data_rekeying() +{ + rm -f ${COPY} ${LOG} + ${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \ + "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh failed ($@)" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy ($@)" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured ($@)" + fi +} + +increase_datafile_size 300 + +opts="" +for i in `${SSH} -Q kex`; do + opts="$opts KexAlgorithms=$i" +done +for i in `${SSH} -Q cipher`; do + opts="$opts Ciphers=$i" +done +for i in `${SSH} -Q mac`; do + opts="$opts MACs=$i" +done + +for opt in $opts; do + verbose "client rekey $opt" + ssh_data_rekeying -oRekeyLimit=256k -o$opt +done + +# AEAD ciphers are magical so test with all KexAlgorithms +if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then + for c in `${SSH} -Q cipher-auth`; do + for kex in `${SSH} -Q kex`; do + verbose "client rekey $c $kex" + ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex + done + done +fi + +for s in 16 1k 128k 256k; do + verbose "client rekeylimit ${s}" + ssh_data_rekeying -oCompression=no -oRekeyLimit=$s +done + +for s in 5 10; do + verbose "client rekeylimit default ${s}" + rm -f ${COPY} ${LOG} + ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + +for s in 5 10; do + verbose "client rekeylimit default ${s} no data" + rm -f ${COPY} ${LOG} + ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "sleep $s;sleep 3" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + +echo "rekeylimit default 5" >>$OBJ/sshd_proxy +for s in 5 10; do + verbose "server rekeylimit default ${s} no data" + rm -f ${COPY} ${LOG} + ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + +verbose "rekeylimit parsing" +for size in 16 1k 1K 1m 1M 1g 1G; do + for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do + case $size in + 16) bytes=16 ;; + 1k|1K) bytes=1024 ;; + 1m|1M) bytes=1048576 ;; + 1g|1G) bytes=1073741824 ;; + esac + case $time in + 1) seconds=1 ;; + 1m|1M) seconds=60 ;; + 1h|1H) seconds=3600 ;; + 1d|1D) seconds=86400 ;; + 1w|1W) seconds=604800 ;; + esac + + b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ + awk '/rekeylimit/{print $2}'` + s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ + awk '/rekeylimit/{print $3}'` + + if [ "$bytes" != "$b" ]; then + fatal "rekeylimit size: expected $bytes bytes got $b" + fi + if [ "$seconds" != "$s" ]; then + fatal "rekeylimit time: expected $time seconds got $s" + fi + done +done + +rm -f ${COPY} ${DATA} diff --git a/crypto/openssh/regress/rsa_openssh.prv b/crypto/openssh/regress/rsa_openssh.prv new file mode 100644 index 000000000..267555572 --- /dev/null +++ b/crypto/openssh/regress/rsa_openssh.prv @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICWgIBAAKBgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko ++dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3 +xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQIDAQAB +An8nH5VzvHkMbSqJ6eOYDsVwomRvYbH5IEaYl1x6VATITNvAu9kUdQ4NsSpuMc+7 +Jj9gKZvmO1y2YCKc0P/iO+i/eV0L+yQh1Rw18jQZll+12T+LZrKRav03YNvMx0gN +wqWY48Kt6hv2/N/ebQzKRe79+D0t2cTh92hT7xENFLIBAkEBGnoGKFjAUkJCwO1V +mzpUqMHpRZVOrqP9hUmPjzNJ5oBPFGe4+h1hoSRFOAzaNuZt8ssbqaLCkzB8bfzj +qhZqAQJBANZekuUpp8iBLeLSagw5FkcPwPzq6zfExbhvsZXb8Bo/4SflNs4JHXwI +7SD9Z8aJLvM4uQ/5M70lblDMQ40i3o0CQQDIJvBYBFL5tlOgakq/O7yi+wt0L5BZ +9H79w5rCSAA0IHRoK/qI1urHiHC3f3vbbLk5UStfrqEaND/mm0shyNIBAkBLsYdC +/ctt5Bc0wUGK4Vl5bBmj9LtrrMJ4FpBpLwj/69BwCuKoK9XKZ0h73p6XHveCEGRg +PIlFX4MtaoLrwgU9AkBV2k4dgIws+X8YX65EsyyFjnlDqX4x0nSOjQB1msIKfHBr +dh5XLDBTTCxnKhMJ0Yx/opgOvf09XHBFwaQntR5i +-----END RSA PRIVATE KEY----- diff --git a/crypto/openssh/regress/rsa_openssh.pub b/crypto/openssh/regress/rsa_openssh.pub new file mode 100644 index 000000000..b504730f3 --- /dev/null +++ b/crypto/openssh/regress/rsa_openssh.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQ== diff --git a/crypto/openssh/regress/rsa_ssh2.prv b/crypto/openssh/regress/rsa_ssh2.prv new file mode 100644 index 000000000..1ece3d7de --- /dev/null +++ b/crypto/openssh/regress/rsa_ssh2.prv @@ -0,0 +1,16 @@ +---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ---- +Subject: ssh-keygen test +Comment: "1024-bit rsa, Sat Jun 23 2001 12:21:26 -0400" +P2/56wAAAi4AAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS +1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAB3wAAAdsAAAARAQABAAAD9icflXO8eQxtKonp +45gOxXCiZG9hsfkgRpiXXHpUBMhM28C72RR1Dg2xKm4xz7smP2Apm+Y7XLZgIpzQ/+I76L +95XQv7JCHVHDXyNBmWX7XZP4tmspFq/Tdg28zHSA3CpZjjwq3qG/b8395tDMpF7v34PS3Z +xOH3aFPvEQ0UsgEAAAQA7IpcCnGijesEjDXdVoEPfh0akBJA9JAk1bba2sxrtDoQVN1JKP +nRQ9SKdAsXV5jduSUFsTmBe4fznLvD948790U1/O8SkdGM5V0y1/ki7Rf8knm0t8Vj65X0 +VA4YdN4UeVfvMcb78vcInT2CsP6CLcBkrnjrBKtS03Mwg79nQI0AAAH/VdpOHYCMLPl/GF ++uRLMshY55Q6l+MdJ0jo0AdZrCCnxwa3YeVywwU0wsZyoTCdGMf6KYDr39PVxwRcGkJ7Ue +YgAAAgDWXpLlKafIgS3i0moMORZHD8D86us3xMW4b7GV2/AaP+En5TbOCR18CO0g/WfGiS +7zOLkP+TO9JW5QzEONIt6NAAACAQEaegYoWMBSQkLA7VWbOlSowelFlU6uo/2FSY+PM0nm +gE8UZ7j6HWGhJEU4DNo25m3yyxuposKTMHxt/OOqFmoB +---- END SSH2 ENCRYPTED PRIVATE KEY ---- +--- diff --git a/crypto/openssh/regress/scp-ssh-wrapper.sh b/crypto/openssh/regress/scp-ssh-wrapper.sh new file mode 100644 index 000000000..59f1ff63e --- /dev/null +++ b/crypto/openssh/regress/scp-ssh-wrapper.sh @@ -0,0 +1,59 @@ +#!/bin/sh +# $OpenBSD: scp-ssh-wrapper.sh,v 1.3 2014/01/26 10:49:17 djm Exp $ +# Placed in the Public Domain. + +printname () { + NAME=$1 + save_IFS=$IFS + IFS=/ + set -- `echo "$NAME"` + IFS="$save_IFS" + while [ $# -ge 1 ] ; do + if [ "x$1" != "x" ]; then + echo "D0755 0 $1" + fi + shift; + done +} + +# Discard all but last argument. We use arg later. +while test "x$1" != "x"; do + arg="$1" + shift +done + +BAD="../../../../../../../../../../../../../${DIR}/dotpathdir" + +case "$SCPTESTMODE" in +badserver_0) + echo "D0755 0 /${DIR}/rootpathdir" + echo "C755 2 rootpathfile" + echo "X" + ;; +badserver_1) + echo "D0755 0 $BAD" + echo "C755 2 file" + echo "X" + ;; +badserver_2) + echo "D0755 0 $BAD" + echo "C755 2 file" + echo "X" + ;; +badserver_3) + printname $BAD + echo "C755 2 file" + echo "X" + ;; +badserver_4) + printname $BAD + echo "D0755 0 .." + echo "C755 2 file" + echo "X" + ;; +*) + set -- $arg + shift + exec $SCP "$@" + ;; +esac diff --git a/crypto/openssh/regress/scp.sh b/crypto/openssh/regress/scp.sh new file mode 100644 index 000000000..57cc77066 --- /dev/null +++ b/crypto/openssh/regress/scp.sh @@ -0,0 +1,126 @@ +# $OpenBSD: scp.sh,v 1.10 2014/01/26 10:49:17 djm Exp $ +# Placed in the Public Domain. + +tid="scp" + +#set -x + +# Figure out if diff understands "-N" +if diff -N ${SRC}/scp.sh ${SRC}/scp.sh 2>/dev/null; then + DIFFOPT="-rN" +else + DIFFOPT="-r" +fi + +COPY2=${OBJ}/copy2 +DIR=${COPY}.dd +DIR2=${COPY}.dd2 + +SRC=`dirname ${SCRIPT}` +cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp +chmod 755 ${OBJ}/scp-ssh-wrapper.scp +scpopts="-q -S ${OBJ}/scp-ssh-wrapper.scp" +export SCP # used in scp-ssh-wrapper.scp + +scpclean() { + rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2} + mkdir ${DIR} ${DIR2} +} + +verbose "$tid: simple copy local file to local file" +scpclean +$SCP $scpopts ${DATA} ${COPY} || fail "copy failed" +cmp ${DATA} ${COPY} || fail "corrupted copy" + +verbose "$tid: simple copy local file to remote file" +scpclean +$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed" +cmp ${DATA} ${COPY} || fail "corrupted copy" + +verbose "$tid: simple copy remote file to local file" +scpclean +$SCP $scpopts somehost:${DATA} ${COPY} || fail "copy failed" +cmp ${DATA} ${COPY} || fail "corrupted copy" + +verbose "$tid: simple copy local file to remote dir" +scpclean +cp ${DATA} ${COPY} +$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed" +cmp ${COPY} ${DIR}/copy || fail "corrupted copy" + +verbose "$tid: simple copy local file to local dir" +scpclean +cp ${DATA} ${COPY} +$SCP $scpopts ${COPY} ${DIR} || fail "copy failed" +cmp ${COPY} ${DIR}/copy || fail "corrupted copy" + +verbose "$tid: simple copy remote file to local dir" +scpclean +cp ${DATA} ${COPY} +$SCP $scpopts somehost:${COPY} ${DIR} || fail "copy failed" +cmp ${COPY} ${DIR}/copy || fail "corrupted copy" + +verbose "$tid: recursive local dir to remote dir" +scpclean +rm -rf ${DIR2} +cp ${DATA} ${DIR}/copy +$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed" +diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" + +verbose "$tid: recursive local dir to local dir" +scpclean +rm -rf ${DIR2} +cp ${DATA} ${DIR}/copy +$SCP $scpopts -r ${DIR} ${DIR2} || fail "copy failed" +diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" + +verbose "$tid: recursive remote dir to local dir" +scpclean +rm -rf ${DIR2} +cp ${DATA} ${DIR}/copy +$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed" +diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" + +verbose "$tid: shell metacharacters" +scpclean +(cd ${DIR} && \ +touch '`touch metachartest`' && \ +$SCP $scpopts *metachar* ${DIR2} 2>/dev/null; \ +[ ! -f metachartest ] ) || fail "shell metacharacters" + +if [ ! -z "$SUDO" ]; then + verbose "$tid: skipped file after scp -p with failed chown+utimes" + scpclean + cp -p ${DATA} ${DIR}/copy + cp -p ${DATA} ${DIR}/copy2 + cp ${DATA} ${DIR2}/copy + chmod 660 ${DIR2}/copy + $SUDO chown root ${DIR2}/copy + $SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1 + $SUDO diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" + $SUDO rm ${DIR2}/copy +fi + +for i in 0 1 2 3 4; do + verbose "$tid: disallow bad server #$i" + SCPTESTMODE=badserver_$i + export DIR SCPTESTMODE + scpclean + $SCP $scpopts somehost:${DATA} ${DIR} >/dev/null 2>/dev/null + [ -d {$DIR}/rootpathdir ] && fail "allows dir relative to root dir" + [ -d ${DIR}/dotpathdir ] && fail "allows dir creation in non-recursive mode" + + scpclean + $SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null + [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir" +done + +verbose "$tid: detect non-directory target" +scpclean +echo a > ${COPY} +echo b > ${COPY2} +$SCP $scpopts ${DATA} ${COPY} ${COPY2} +cmp ${COPY} ${COPY2} >/dev/null && fail "corrupt target" + +scpclean +rm -f ${OBJ}/scp-ssh-wrapper.scp diff --git a/crypto/openssh/regress/setuid-allowed.c b/crypto/openssh/regress/setuid-allowed.c new file mode 100644 index 000000000..676d2661c --- /dev/null +++ b/crypto/openssh/regress/setuid-allowed.c @@ -0,0 +1,57 @@ +/* + * Copyright (c) 2013 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* $OpenBSD$ */ + +#include "includes.h" + +#include +#ifdef HAVE_SYS_STATVFS_H +# include +#endif +#include +#include +#include + +void +usage(void) +{ + fprintf(stderr, "check-setuid [path]\n"); + exit(1); +} + +int +main(int argc, char **argv) +{ + const char *path = "."; + struct statvfs sb; + + if (argc > 2) + usage(); + else if (argc == 2) + path = argv[1]; + + if (statvfs(path, &sb) != 0) { + /* Don't return an error if the host doesn't support statvfs */ + if (errno == ENOSYS) + return 0; + fprintf(stderr, "statvfs for \"%s\" failed: %s\n", + path, strerror(errno)); + } + return (sb.f_flag & ST_NOSUID) ? 1 : 0; +} + + diff --git a/crypto/openssh/regress/sftp-badcmds.sh b/crypto/openssh/regress/sftp-badcmds.sh new file mode 100644 index 000000000..7f85c4f22 --- /dev/null +++ b/crypto/openssh/regress/sftp-badcmds.sh @@ -0,0 +1,65 @@ +# $OpenBSD: sftp-badcmds.sh,v 1.6 2013/05/17 10:26:26 dtucker Exp $ +# Placed in the Public Domain. + +tid="sftp invalid commands" + +DATA2=/bin/sh${EXEEXT} +NONEXIST=/NONEXIST.$$ +GLOBFILES=`(cd /bin;echo l*)` + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd + +rm -f ${COPY} +verbose "$tid: get nonexistent" +echo "get $NONEXIST $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get nonexistent failed" +test -f ${COPY} && fail "existing copy after get nonexistent" + +rm -f ${COPY}.dd/* +verbose "$tid: glob get to nonexistent directory" +echo "get /bin/l* $NONEXIST" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get nonexistent failed" +for x in $GLOBFILES; do + test -f ${COPY}.dd/$x && fail "existing copy after get nonexistent" +done + +rm -f ${COPY} +verbose "$tid: put nonexistent" +echo "put $NONEXIST $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put nonexistent failed" +test -f ${COPY} && fail "existing copy after put nonexistent" + +rm -f ${COPY}.dd/* +verbose "$tid: glob put to nonexistent directory" +echo "put /bin/l* ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put nonexistent failed" +for x in $GLOBFILES; do + test -f ${COPY}.dd/$x && fail "existing copy after nonexistent" +done + +rm -f ${COPY} +verbose "$tid: rename nonexistent" +echo "rename $NONEXIST ${COPY}.1" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rename nonexist failed" +test -f ${COPY}.1 && fail "file exists after rename nonexistent" + +rm -rf ${COPY} ${COPY}.dd +cp $DATA $COPY +mkdir ${COPY}.dd +verbose "$tid: rename target exists (directory)" +echo "rename $COPY ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rename target exists (directory) failed" +test -f ${COPY} || fail "oldname missing after rename target exists (directory)" +test -d ${COPY}.dd || fail "newname missing after rename target exists (directory)" +cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists (directory)" + +rm -f ${COPY}.dd/* +rm -rf ${COPY} +cp ${DATA2} ${COPY} +verbose "$tid: glob put files to local file" +echo "put /bin/l* $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 +cmp ${DATA2} ${COPY} || fail "put successed when it should have failed" + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd + + diff --git a/crypto/openssh/regress/sftp-batch.sh b/crypto/openssh/regress/sftp-batch.sh new file mode 100644 index 000000000..41011549b --- /dev/null +++ b/crypto/openssh/regress/sftp-batch.sh @@ -0,0 +1,55 @@ +# $OpenBSD: sftp-batch.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="sftp batchfile" + +BATCH=${OBJ}/sftp.bb + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.* + +cat << EOF > ${BATCH}.pass.1 + get $DATA $COPY + put ${COPY} ${COPY}.1 + rm ${COPY} + -put ${COPY} ${COPY}.2 +EOF + +cat << EOF > ${BATCH}.pass.2 + # This is a comment + + # That was a blank line + ls +EOF + +cat << EOF > ${BATCH}.fail.1 + get $DATA $COPY + put ${COPY} ${COPY}.3 + rm ${COPY}.* + # The next command should fail + put ${COPY}.3 ${COPY}.4 +EOF + +cat << EOF > ${BATCH}.fail.2 + # The next command should fail + jajajajaja +EOF + +verbose "$tid: good commands" +${SFTP} -b ${BATCH}.pass.1 -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "good commands failed" + +verbose "$tid: bad commands" +${SFTP} -b ${BATCH}.fail.1 -D ${SFTPSERVER} >/dev/null 2>&1 \ + && fail "bad commands succeeded" + +verbose "$tid: comments and blanks" +${SFTP} -b ${BATCH}.pass.2 -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "comments & blanks failed" + +verbose "$tid: junk command" +${SFTP} -b ${BATCH}.fail.2 -D ${SFTPSERVER} >/dev/null 2>&1 \ + && fail "junk command succeeded" + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.* + + diff --git a/crypto/openssh/regress/sftp-chroot.sh b/crypto/openssh/regress/sftp-chroot.sh new file mode 100755 index 000000000..23f7456e8 --- /dev/null +++ b/crypto/openssh/regress/sftp-chroot.sh @@ -0,0 +1,26 @@ +# $OpenBSD: sftp-chroot.sh,v 1.4 2014/01/20 00:00:30 dtucker Exp $ +# Placed in the Public Domain. + +tid="sftp in chroot" + +CHROOT=/var/run +FILENAME=testdata_${USER} +PRIVDATA=${CHROOT}/${FILENAME} + +if [ -z "$SUDO" ]; then + echo "skipped: need SUDO to create file in /var/run, test won't work without" + exit 0 +fi + +$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \ + fatal "create $PRIVDATA failed" + +start_sshd -oChrootDirectory=$CHROOT -oForceCommand="internal-sftp -d /" + +verbose "test $tid: get" +${SFTP} -S "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY \ + >>$TEST_REGRESS_LOGFILE 2>&1 || \ + fatal "Fetch ${FILENAME} failed" +cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ" + +$SUDO rm $PRIVDATA diff --git a/crypto/openssh/regress/sftp-cmds.sh b/crypto/openssh/regress/sftp-cmds.sh new file mode 100644 index 000000000..aad7fcac2 --- /dev/null +++ b/crypto/openssh/regress/sftp-cmds.sh @@ -0,0 +1,232 @@ +# $OpenBSD: sftp-cmds.sh,v 1.14 2013/06/21 02:26:26 djm Exp $ +# Placed in the Public Domain. + +# XXX - TODO: +# - chmod / chown / chgrp +# - -p flag for get & put + +tid="sftp commands" + +# test that these files are readable! +for i in `(cd /bin;echo l*)` +do + if [ -r $i ]; then + GLOBFILES="$GLOBFILES $i" + fi +done + +# Path with embedded quote +QUOTECOPY=${COPY}".\"blah\"" +QUOTECOPY_ARG=${COPY}'.\"blah\"' +# File with spaces +SPACECOPY="${COPY} this has spaces.txt" +SPACECOPY_ARG="${COPY}\ this\ has\ spaces.txt" +# File with glob metacharacters +GLOBMETACOPY="${COPY} [metachar].txt" + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 +mkdir ${COPY}.dd + +verbose "$tid: lls" +(echo "lcd ${OBJ}" ; echo "lls") | ${SFTP} -D ${SFTPSERVER} 2>&1 | \ + grep copy.dd >/dev/null 2>&1 || fail "lls failed" + +verbose "$tid: lls w/path" +echo "lls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \ + grep copy.dd >/dev/null 2>&1 || fail "lls w/path failed" + +verbose "$tid: ls" +echo "ls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "ls failed" +# XXX always successful + +verbose "$tid: shell" +echo "!echo hi there" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "shell failed" +# XXX always successful + +verbose "$tid: pwd" +echo "pwd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "pwd failed" +# XXX always successful + +verbose "$tid: lpwd" +echo "lpwd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "lpwd failed" +# XXX always successful + +verbose "$tid: quit" +echo "quit" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "quit failed" +# XXX always successful + +verbose "$tid: help" +echo "help" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "help failed" +# XXX always successful + +rm -f ${COPY} +verbose "$tid: get" +echo "get $DATA $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp $DATA ${COPY} || fail "corrupted copy after get" + +rm -f ${COPY} +verbose "$tid: get quoted" +echo "get \"$DATA\" $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp $DATA ${COPY} || fail "corrupted copy after get" + +if [ "$os" != "cygwin" ]; then +rm -f ${QUOTECOPY} +cp $DATA ${QUOTECOPY} +verbose "$tid: get filename with quotes" +echo "get \"$QUOTECOPY_ARG\" ${COPY}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes" +rm -f ${QUOTECOPY} ${COPY} +fi + +rm -f "$SPACECOPY" ${COPY} +cp $DATA "$SPACECOPY" +verbose "$tid: get filename with spaces" +echo "get ${SPACECOPY_ARG} ${COPY}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp ${COPY} "$SPACECOPY" || fail "corrupted copy after get with spaces" + +rm -f "$GLOBMETACOPY" ${COPY} +cp $DATA "$GLOBMETACOPY" +verbose "$tid: get filename with glob metacharacters" +echo "get \"${GLOBMETACOPY}\" ${COPY}" | \ + ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "get failed" +cmp ${COPY} "$GLOBMETACOPY" || \ + fail "corrupted copy after get with glob metacharacters" + +rm -f ${COPY}.dd/* +verbose "$tid: get to directory" +echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get" + +rm -f ${COPY}.dd/* +verbose "$tid: glob get to directory" +echo "get /bin/l* ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +for x in $GLOBFILES; do + cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get" +done + +rm -f ${COPY}.dd/* +verbose "$tid: get to local dir" +(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get" + +rm -f ${COPY}.dd/* +verbose "$tid: glob get to local dir" +(echo "lcd ${COPY}.dd"; echo "get /bin/l*") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +for x in $GLOBFILES; do + cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get" +done + +rm -f ${COPY} +verbose "$tid: put" +echo "put $DATA $COPY" | \ + ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed" +cmp $DATA ${COPY} || fail "corrupted copy after put" + +if [ "$os" != "cygwin" ]; then +rm -f ${QUOTECOPY} +verbose "$tid: put filename with quotes" +echo "put $DATA \"$QUOTECOPY_ARG\"" | \ + ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed" +cmp $DATA ${QUOTECOPY} || fail "corrupted copy after put with quotes" +fi + +rm -f "$SPACECOPY" +verbose "$tid: put filename with spaces" +echo "put $DATA ${SPACECOPY_ARG}" | \ + ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed" +cmp $DATA "$SPACECOPY" || fail "corrupted copy after put with spaces" + +rm -f ${COPY}.dd/* +verbose "$tid: put to directory" +echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put" + +rm -f ${COPY}.dd/* +verbose "$tid: glob put to directory" +echo "put /bin/l? ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +for x in $GLOBFILES; do + cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put" +done + +rm -f ${COPY}.dd/* +verbose "$tid: put to local dir" +(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put" + +rm -f ${COPY}.dd/* +verbose "$tid: glob put to local dir" +(echo "cd ${COPY}.dd"; echo "put /bin/l?") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +for x in $GLOBFILES; do + cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put" +done + +verbose "$tid: rename" +echo "rename $COPY ${COPY}.1" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rename failed" +test -f ${COPY}.1 || fail "missing file after rename" +cmp $DATA ${COPY}.1 >/dev/null 2>&1 || fail "corrupted copy after rename" + +verbose "$tid: rename directory" +echo "rename ${COPY}.dd ${COPY}.dd2" | \ + ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || \ + fail "rename directory failed" +test -d ${COPY}.dd && fail "oldname exists after rename directory" +test -d ${COPY}.dd2 || fail "missing newname after rename directory" + +verbose "$tid: ln" +echo "ln ${COPY}.1 ${COPY}.2" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "ln failed" +test -f ${COPY}.2 || fail "missing file after ln" +cmp ${COPY}.1 ${COPY}.2 || fail "created file is not equal after ln" + +verbose "$tid: ln -s" +rm -f ${COPY}.2 +echo "ln -s ${COPY}.1 ${COPY}.2" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "ln -s failed" +test -h ${COPY}.2 || fail "missing file after ln -s" + +verbose "$tid: mkdir" +echo "mkdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "mkdir failed" +test -d ${COPY}.dd || fail "missing directory after mkdir" + +# XXX do more here +verbose "$tid: chdir" +echo "chdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "chdir failed" + +verbose "$tid: rmdir" +echo "rmdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rmdir failed" +test -d ${COPY}.1 && fail "present directory after rmdir" + +verbose "$tid: lmkdir" +echo "lmkdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "lmkdir failed" +test -d ${COPY}.dd || fail "missing directory after lmkdir" + +# XXX do more here +verbose "$tid: lchdir" +echo "lchdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "lchdir failed" + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 +rm -rf ${QUOTECOPY} "$SPACECOPY" "$GLOBMETACOPY" + + diff --git a/crypto/openssh/regress/sftp-glob.sh b/crypto/openssh/regress/sftp-glob.sh new file mode 100644 index 000000000..8d4df2c98 --- /dev/null +++ b/crypto/openssh/regress/sftp-glob.sh @@ -0,0 +1,75 @@ +# $OpenBSD: sftp-glob.sh,v 1.4 2009/08/13 01:11:55 djm Exp $ +# Placed in the Public Domain. + +tid="sftp glob" + +config_defined FILESYSTEM_NO_BACKSLASH && nobs="not supported on this platform" + +sftp_ls() { + target=$1 + errtag=$2 + expected=$3 + unexpected=$4 + skip=$5 + if test "x$skip" != "x" ; then + verbose "$tid: $errtag (skipped: $skip)" + return + fi + verbose "$tid: $errtag" + printf "ls -l %s" "${target}" | \ + ${SFTP} -b - -D ${SFTPSERVER} 2>/dev/null | \ + grep -v "^sftp>" > ${RESULTS} + if [ $? -ne 0 ]; then + fail "$errtag failed" + fi + if test "x$expected" != "x" ; then + if fgrep "$expected" ${RESULTS} >/dev/null 2>&1 ; then + : + else + fail "$expected missing from $errtag results" + fi + fi + if test "x$unexpected" != "x" && \ + fgrep "$unexpected" ${RESULTS} >/dev/null 2>&1 ; then + fail "$unexpected present in $errtag results" + fi + rm -f ${RESULTS} +} + +BASE=${OBJ}/glob +RESULTS=${OBJ}/results +DIR=${BASE}/dir +DATA=${DIR}/file + +GLOB1="${DIR}/g-wild*" +GLOB2="${DIR}/g-wildx" +QUOTE="${DIR}/g-quote\"" +SLASH="${DIR}/g-sl\\ash" +ESLASH="${DIR}/g-slash\\" +QSLASH="${DIR}/g-qs\\\"" +SPACE="${DIR}/g-q space" + +rm -rf ${BASE} +mkdir -p ${DIR} +touch "${DATA}" "${GLOB1}" "${GLOB2}" "${QUOTE}" "${SPACE}" +test "x$nobs" = "x" && touch "${QSLASH}" "${ESLASH}" "${SLASH}" + +# target message expected unexpected +sftp_ls "${DIR}/fil*" "file glob" "${DATA}" "" +sftp_ls "${BASE}/d*" "dir glob" "`basename ${DATA}`" "" +sftp_ls "${DIR}/g-wild\"*\"" "quoted glob" "g-wild*" "g-wildx" +sftp_ls "${DIR}/g-wild\*" "escaped glob" "g-wild*" "g-wildx" +sftp_ls "${DIR}/g-quote\\\"" "escaped quote" "g-quote\"" "" +sftp_ls "\"${DIR}/g-quote\\\"\"" "quoted quote" "g-quote\"" "" +sftp_ls "'${DIR}/g-quote\"'" "single-quoted quote" "g-quote\"" "" +sftp_ls "${DIR}/g-q\\ space" "escaped space" "g-q space" "" +sftp_ls "'${DIR}/g-q space'" "quoted space" "g-q space" "" +sftp_ls "${DIR}/g-sl\\\\ash" "escaped slash" "g-sl\\ash" "" "$nobs" +sftp_ls "'${DIR}/g-sl\\\\ash'" "quoted slash" "g-sl\\ash" "" "$nobs" +sftp_ls "${DIR}/g-slash\\\\" "escaped slash at EOL" "g-slash\\" "" "$nobs" +sftp_ls "'${DIR}/g-slash\\\\'" "quoted slash at EOL" "g-slash\\" "" "$nobs" +sftp_ls "${DIR}/g-qs\\\\\\\"" "escaped slash+quote" "g-qs\\\"" "" "$nobs" +sftp_ls "'${DIR}/g-qs\\\\\"'" "quoted slash+quote" "g-qs\\\"" "" "$nobs" + +rm -rf ${BASE} + diff --git a/crypto/openssh/regress/sftp-perm.sh b/crypto/openssh/regress/sftp-perm.sh new file mode 100644 index 000000000..304ca0ac5 --- /dev/null +++ b/crypto/openssh/regress/sftp-perm.sh @@ -0,0 +1,269 @@ +# $OpenBSD: sftp-perm.sh,v 1.2 2013/10/17 22:00:18 djm Exp $ +# Placed in the Public Domain. + +tid="sftp permissions" + +SERVER_LOG=${OBJ}/sftp-server.log +CLIENT_LOG=${OBJ}/sftp.log +TEST_SFTP_SERVER=${OBJ}/sftp-server.sh + +prepare_server() { + printf "#!/bin/sh\nexec $SFTPSERVER -el debug3 $* 2>$SERVER_LOG\n" \ + > $TEST_SFTP_SERVER + chmod a+x $TEST_SFTP_SERVER +} + +run_client() { + echo "$@" | ${SFTP} -D ${TEST_SFTP_SERVER} -vvvb - >$CLIENT_LOG 2>&1 +} + +prepare_files() { + _prep="$1" + rm -f ${COPY} ${COPY}.1 + test -d ${COPY}.dd && { rmdir ${COPY}.dd || fatal "rmdir ${COPY}.dd"; } + test -z "$_prep" && return + sh -c "$_prep" || fail "preparation failed: \"$_prep\"" +} + +postcondition() { + _title="$1" + _check="$2" + test -z "$_check" && return + ${TEST_SHELL} -c "$_check" || fail "postcondition check failed: $_title" +} + +ro_test() { + _desc=$1 + _cmd="$2" + _prep="$3" + _expect_success_post="$4" + _expect_fail_post="$5" + verbose "$tid: read-only $_desc" + # Plain (no options, mostly to test that _cmd is good) + prepare_files "$_prep" + prepare_server + run_client "$_cmd" || fail "plain $_desc failed" + postcondition "$_desc no-readonly" "$_expect_success_post" + # Read-only enabled + prepare_files "$_prep" + prepare_server -R + run_client "$_cmd" && fail "read-only $_desc succeeded" + postcondition "$_desc readonly" "$_expect_fail_post" +} + +perm_test() { + _op=$1 + _whitelist_ops=$2 + _cmd="$3" + _prep="$4" + _expect_success_post="$5" + _expect_fail_post="$6" + verbose "$tid: explicit $_op" + # Plain (no options, mostly to test that _cmd is good) + prepare_files "$_prep" + prepare_server + run_client "$_cmd" || fail "plain $_op failed" + postcondition "$_op no white/blacklists" "$_expect_success_post" + # Whitelist + prepare_files "$_prep" + prepare_server -p $_op,$_whitelist_ops + run_client "$_cmd" || fail "whitelisted $_op failed" + postcondition "$_op whitelisted" "$_expect_success_post" + # Blacklist + prepare_files "$_prep" + prepare_server -P $_op + run_client "$_cmd" && fail "blacklisted $_op succeeded" + postcondition "$_op blacklisted" "$_expect_fail_post" + # Whitelist with op missing. + prepare_files "$_prep" + prepare_server -p $_whitelist_ops + run_client "$_cmd" && fail "no whitelist $_op succeeded" + postcondition "$_op not in whitelist" "$_expect_fail_post" +} + +ro_test \ + "upload" \ + "put $DATA $COPY" \ + "" \ + "cmp $DATA $COPY" \ + "test ! -f $COPY" + +ro_test \ + "setstat" \ + "chmod 0700 $COPY" \ + "touch $COPY; chmod 0400 $COPY" \ + "test -x $COPY" \ + "test ! -x $COPY" + +ro_test \ + "rm" \ + "rm $COPY" \ + "touch $COPY" \ + "test ! -f $COPY" \ + "test -f $COPY" + +ro_test \ + "mkdir" \ + "mkdir ${COPY}.dd" \ + "" \ + "test -d ${COPY}.dd" \ + "test ! -d ${COPY}.dd" + +ro_test \ + "rmdir" \ + "rmdir ${COPY}.dd" \ + "mkdir ${COPY}.dd" \ + "test ! -d ${COPY}.dd" \ + "test -d ${COPY}.dd" + +ro_test \ + "posix-rename" \ + "rename $COPY ${COPY}.1" \ + "touch $COPY" \ + "test -f ${COPY}.1 -a ! -f $COPY" \ + "test -f $COPY -a ! -f ${COPY}.1" + +ro_test \ + "oldrename" \ + "rename -l $COPY ${COPY}.1" \ + "touch $COPY" \ + "test -f ${COPY}.1 -a ! -f $COPY" \ + "test -f $COPY -a ! -f ${COPY}.1" + +ro_test \ + "symlink" \ + "ln -s $COPY ${COPY}.1" \ + "touch $COPY" \ + "test -h ${COPY}.1" \ + "test ! -h ${COPY}.1" + +ro_test \ + "hardlink" \ + "ln $COPY ${COPY}.1" \ + "touch $COPY" \ + "test -f ${COPY}.1" \ + "test ! -f ${COPY}.1" + +# Test explicit permissions + +perm_test \ + "open" \ + "realpath,stat,lstat,read,close" \ + "get $DATA $COPY" \ + "" \ + "cmp $DATA $COPY" \ + "! cmp $DATA $COPY 2>/dev/null" + +perm_test \ + "read" \ + "realpath,stat,lstat,open,close" \ + "get $DATA $COPY" \ + "" \ + "cmp $DATA $COPY" \ + "! cmp $DATA $COPY 2>/dev/null" + +perm_test \ + "write" \ + "realpath,stat,lstat,open,close" \ + "put $DATA $COPY" \ + "" \ + "cmp $DATA $COPY" \ + "! cmp $DATA $COPY 2>/dev/null" + +perm_test \ + "lstat" \ + "realpath,stat,open,read,close" \ + "get $DATA $COPY" \ + "" \ + "cmp $DATA $COPY" \ + "! cmp $DATA $COPY 2>/dev/null" + +perm_test \ + "opendir" \ + "realpath,readdir,stat,lstat" \ + "ls -ln $OBJ" + +perm_test \ + "readdir" \ + "realpath,opendir,stat,lstat" \ + "ls -ln $OBJ" + +perm_test \ + "setstat" \ + "realpath,stat,lstat" \ + "chmod 0700 $COPY" \ + "touch $COPY; chmod 0400 $COPY" \ + "test -x $COPY" \ + "test ! -x $COPY" + +perm_test \ + "remove" \ + "realpath,stat,lstat" \ + "rm $COPY" \ + "touch $COPY" \ + "test ! -f $COPY" \ + "test -f $COPY" + +perm_test \ + "mkdir" \ + "realpath,stat,lstat" \ + "mkdir ${COPY}.dd" \ + "" \ + "test -d ${COPY}.dd" \ + "test ! -d ${COPY}.dd" + +perm_test \ + "rmdir" \ + "realpath,stat,lstat" \ + "rmdir ${COPY}.dd" \ + "mkdir ${COPY}.dd" \ + "test ! -d ${COPY}.dd" \ + "test -d ${COPY}.dd" + +perm_test \ + "posix-rename" \ + "realpath,stat,lstat" \ + "rename $COPY ${COPY}.1" \ + "touch $COPY" \ + "test -f ${COPY}.1 -a ! -f $COPY" \ + "test -f $COPY -a ! -f ${COPY}.1" + +perm_test \ + "rename" \ + "realpath,stat,lstat" \ + "rename -l $COPY ${COPY}.1" \ + "touch $COPY" \ + "test -f ${COPY}.1 -a ! -f $COPY" \ + "test -f $COPY -a ! -f ${COPY}.1" + +perm_test \ + "symlink" \ + "realpath,stat,lstat" \ + "ln -s $COPY ${COPY}.1" \ + "touch $COPY" \ + "test -h ${COPY}.1" \ + "test ! -h ${COPY}.1" + +perm_test \ + "hardlink" \ + "realpath,stat,lstat" \ + "ln $COPY ${COPY}.1" \ + "touch $COPY" \ + "test -f ${COPY}.1" \ + "test ! -f ${COPY}.1" + +perm_test \ + "statvfs" \ + "realpath,stat,lstat" \ + "df /" + +# XXX need good tests for: +# fstat +# fsetstat +# realpath +# stat +# readlink +# fstatvfs + +rm -rf ${COPY} ${COPY}.1 ${COPY}.dd + diff --git a/crypto/openssh/regress/sftp.sh b/crypto/openssh/regress/sftp.sh new file mode 100644 index 000000000..b8e9f7527 --- /dev/null +++ b/crypto/openssh/regress/sftp.sh @@ -0,0 +1,32 @@ +# $OpenBSD: sftp.sh,v 1.5 2013/05/17 10:28:11 dtucker Exp $ +# Placed in the Public Domain. + +tid="basic sftp put/get" + +SFTPCMDFILE=${OBJ}/batch +cat >$SFTPCMDFILE < /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "sftp failed with $r" + else + cmp $DATA ${COPY}.1 || fail "corrupted copy after get" + cmp $DATA ${COPY}.2 || fail "corrupted copy after put" + fi + done +done +rm -f ${COPY}.1 ${COPY}.2 +rm -f $SFTPCMDFILE diff --git a/crypto/openssh/regress/ssh-com-client.sh b/crypto/openssh/regress/ssh-com-client.sh new file mode 100644 index 000000000..e4f80cf0a --- /dev/null +++ b/crypto/openssh/regress/ssh-com-client.sh @@ -0,0 +1,130 @@ +# $OpenBSD: ssh-com-client.sh,v 1.7 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="connect with ssh.com client" + +#TEST_COMBASE=/path/to/ssh/com/binaries +if [ "X${TEST_COMBASE}" = "X" ]; then + fatal '$TEST_COMBASE is not set' +fi + +VERSIONS=" + 2.1.0 + 2.2.0 + 2.3.0 + 2.3.1 + 2.4.0 + 3.0.0 + 3.1.0 + 3.2.0 + 3.2.2 + 3.2.3 + 3.2.5 + 3.2.9 + 3.2.9.1 + 3.3.0" + +# 2.0.10 2.0.12 2.0.13 don't like the test setup + +# setup authorized keys +SRC=`dirname ${SCRIPT}` +cp ${SRC}/dsa_ssh2.prv ${OBJ}/id.com +chmod 600 ${OBJ}/id.com +${SSHKEYGEN} -i -f ${OBJ}/id.com > $OBJ/id.openssh +chmod 600 ${OBJ}/id.openssh +${SSHKEYGEN} -y -f ${OBJ}/id.openssh > $OBJ/authorized_keys_$USER +${SSHKEYGEN} -e -f ${OBJ}/id.openssh > $OBJ/id.com.pub +echo IdKey ${OBJ}/id.com > ${OBJ}/id.list + +# we need a DSA host key +t=dsa +rm -f ${OBJ}/$t ${OBJ}/$t.pub +${SSHKEYGEN} -q -N '' -t $t -f ${OBJ}/$t +$SUDO cp $OBJ/$t $OBJ/host.$t +echo HostKey $OBJ/host.$t >> $OBJ/sshd_config + +# add hostkeys to known hosts +mkdir -p ${OBJ}/${USER}/hostkeys +HK=${OBJ}/${USER}/hostkeys/key_${PORT}_127.0.0.1 +${SSHKEYGEN} -e -f ${OBJ}/rsa.pub > ${HK}.ssh-rsa.pub +${SSHKEYGEN} -e -f ${OBJ}/dsa.pub > ${HK}.ssh-dss.pub + +cat > ${OBJ}/ssh2_config << EOF +*: + QuietMode yes + StrictHostKeyChecking yes + Port ${PORT} + User ${USER} + Host 127.0.0.1 + IdentityFile ${OBJ}/id.list + RandomSeedFile ${OBJ}/random_seed + UserConfigDirectory ${OBJ}/%U + AuthenticationSuccessMsg no + BatchMode yes + ForwardX11 no +EOF + +# we need a real server (no ProxyConnect option) +start_sshd + +# go for it +for v in ${VERSIONS}; do + ssh2=${TEST_COMBASE}/${v}/ssh2 + if [ ! -x ${ssh2} ]; then + continue + fi + verbose "ssh2 ${v}" + key=ssh-dss + skipcat=0 + case $v in + 2.1.*|2.3.0) + skipcat=1 + ;; + 3.0.*) + key=ssh-rsa + ;; + esac + cp ${HK}.$key.pub ${HK}.pub + + # check exit status + ${ssh2} -q -F ${OBJ}/ssh2_config somehost exit 42 + r=$? + if [ $r -ne 42 ]; then + fail "ssh2 ${v} exit code test failed (got $r, expected 42)" + fi + + # data transfer + rm -f ${COPY} + ${ssh2} -F ${OBJ}/ssh2_config somehost cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh2 ${v} cat test (receive) failed" + fi + cmp ${DATA} ${COPY} || fail "ssh2 ${v} cat test (receive) data mismatch" + + # data transfer, again + if [ $skipcat -eq 0 ]; then + rm -f ${COPY} + cat ${DATA} | \ + ${ssh2} -F ${OBJ}/ssh2_config host "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh2 ${v} cat test (send) failed" + fi + cmp ${DATA} ${COPY} || \ + fail "ssh2 ${v} cat test (send) data mismatch" + fi + + # no stderr after eof + rm -f ${COPY} + ${ssh2} -F ${OBJ}/ssh2_config somehost \ + exec sh -c \'"exec > /dev/null; sleep 1; echo bla 1>&2; exit 0"\' \ + 2> /dev/null + if [ $? -ne 0 ]; then + fail "ssh2 ${v} stderr test failed" + fi +done + +rm -rf ${OBJ}/${USER} +for i in ssh2_config random_seed dsa.pub dsa host.dsa \ + id.list id.com id.com.pub id.openssh; do + rm -f ${OBJ}/$i +done diff --git a/crypto/openssh/regress/ssh-com-keygen.sh b/crypto/openssh/regress/ssh-com-keygen.sh new file mode 100644 index 000000000..29b02d946 --- /dev/null +++ b/crypto/openssh/regress/ssh-com-keygen.sh @@ -0,0 +1,74 @@ +# $OpenBSD: ssh-com-keygen.sh,v 1.4 2004/02/24 17:06:52 markus Exp $ +# Placed in the Public Domain. + +tid="ssh.com key import" + +#TEST_COMBASE=/path/to/ssh/com/binaries +if [ "X${TEST_COMBASE}" = "X" ]; then + fatal '$TEST_COMBASE is not set' +fi + +VERSIONS=" + 2.0.10 + 2.0.12 + 2.0.13 + 2.1.0 + 2.2.0 + 2.3.0 + 2.3.1 + 2.4.0 + 3.0.0 + 3.1.0 + 3.2.0 + 3.2.2 + 3.2.3 + 3.2.5 + 3.2.9 + 3.2.9.1 + 3.3.0" + +COMPRV=${OBJ}/comkey +COMPUB=${COMPRV}.pub +OPENSSHPRV=${OBJ}/opensshkey +OPENSSHPUB=${OPENSSHPRV}.pub + +# go for it +for v in ${VERSIONS}; do + keygen=${TEST_COMBASE}/${v}/ssh-keygen2 + if [ ! -x ${keygen} ]; then + continue + fi + types="dss" + case $v in + 2.3.1|3.*) + types="$types rsa" + ;; + esac + for t in $types; do + verbose "ssh-keygen $v/$t" + rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB + ${keygen} -q -P -t $t ${COMPRV} > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "${keygen} -t $t failed" + continue + fi + ${SSHKEYGEN} -if ${COMPUB} > ${OPENSSHPUB} + if [ $? -ne 0 ]; then + fail "import public key ($v/$t) failed" + continue + fi + ${SSHKEYGEN} -if ${COMPRV} > ${OPENSSHPRV} + if [ $? -ne 0 ]; then + fail "import private key ($v/$t) failed" + continue + fi + chmod 600 ${OPENSSHPRV} + ${SSHKEYGEN} -yf ${OPENSSHPRV} |\ + diff - ${OPENSSHPUB} + if [ $? -ne 0 ]; then + fail "public keys ($v/$t) differ" + fi + done +done + +rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB diff --git a/crypto/openssh/regress/ssh-com-sftp.sh b/crypto/openssh/regress/ssh-com-sftp.sh new file mode 100644 index 000000000..fabfa4983 --- /dev/null +++ b/crypto/openssh/regress/ssh-com-sftp.sh @@ -0,0 +1,65 @@ +# $OpenBSD: ssh-com-sftp.sh,v 1.7 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="basic sftp put/get with ssh.com server" + +SFTPCMDFILE=${OBJ}/batch + +cat >$SFTPCMDFILE < /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "sftp failed with $r" + else + cmp $DATA ${COPY}.1 || fail "corrupted copy after get" + cmp $DATA ${COPY}.2 || fail "corrupted copy after put" + fi + done + done +done +rm -f ${COPY}.1 ${COPY}.2 +rm -f $SFTPCMDFILE diff --git a/crypto/openssh/regress/ssh-com.sh b/crypto/openssh/regress/ssh-com.sh new file mode 100644 index 000000000..6c5cfe888 --- /dev/null +++ b/crypto/openssh/regress/ssh-com.sh @@ -0,0 +1,119 @@ +# $OpenBSD: ssh-com.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ +# Placed in the Public Domain. + +tid="connect to ssh.com server" + +#TEST_COMBASE=/path/to/ssh/com/binaries +if [ "X${TEST_COMBASE}" = "X" ]; then + fatal '$TEST_COMBASE is not set' +fi + +VERSIONS=" + 2.0.12 + 2.0.13 + 2.1.0 + 2.2.0 + 2.3.0 + 2.4.0 + 3.0.0 + 3.1.0 + 3.2.0 + 3.2.2 + 3.2.3 + 3.2.5 + 3.2.9 + 3.2.9.1 + 3.3.0" +# 2.0.10 does not support UserConfigDirectory +# 2.3.1 requires a config in $HOME/.ssh2 + +SRC=`dirname ${SCRIPT}` + +# ssh.com +cat << EOF > $OBJ/sshd2_config +#*: + # Port and ListenAddress are not used. + QuietMode yes + Port 4343 + ListenAddress 127.0.0.1 + UserConfigDirectory ${OBJ}/%U + Ciphers AnyCipher + PubKeyAuthentication yes + #AllowedAuthentications publickey + AuthorizationFile authorization + HostKeyFile ${SRC}/dsa_ssh2.prv + PublicHostKeyFile ${SRC}/dsa_ssh2.pub + RandomSeedFile ${OBJ}/random_seed + MaxConnections 0 + PermitRootLogin yes + VerboseMode no + CheckMail no + Ssh1Compatibility no +EOF + +# create client config +sed "s/HostKeyAlias.*/HostKeyAlias ssh2-localhost-with-alias/" \ + < $OBJ/ssh_config > $OBJ/ssh_config_com + +# we need a DSA key for +rm -f ${OBJ}/dsa ${OBJ}/dsa.pub +${SSHKEYGEN} -q -N '' -t dsa -f ${OBJ}/dsa + +# setup userdir, try rsa first +mkdir -p ${OBJ}/${USER} +cp /dev/null ${OBJ}/${USER}/authorization +for t in rsa dsa; do + ${SSHKEYGEN} -e -f ${OBJ}/$t.pub > ${OBJ}/${USER}/$t.com + echo Key $t.com >> ${OBJ}/${USER}/authorization + echo IdentityFile ${OBJ}/$t >> ${OBJ}/ssh_config_com +done + +# convert and append DSA hostkey +( + printf 'ssh2-localhost-with-alias,127.0.0.1,::1 ' + ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub +) >> $OBJ/known_hosts + +# go for it +for v in ${VERSIONS}; do + sshd2=${TEST_COMBASE}/${v}/sshd2 + if [ ! -x ${sshd2} ]; then + continue + fi + trace "sshd2 ${v}" + PROXY="proxycommand ${sshd2} -qif ${OBJ}/sshd2_config 2> /dev/null" + ${SSH} -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0 + if [ $? -ne 0 ]; then + fail "ssh connect to sshd2 ${v} failed" + fi + + ciphers="3des-cbc blowfish-cbc arcfour" + macs="hmac-md5" + case $v in + 2.4.*) + ciphers="$ciphers cast128-cbc" + macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96" + ;; + 3.*) + ciphers="$ciphers aes128-cbc cast128-cbc" + macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96" + ;; + esac + #ciphers="3des-cbc" + for m in $macs; do + for c in $ciphers; do + trace "sshd2 ${v} cipher $c mac $m" + verbose "test ${tid}: sshd2 ${v} cipher $c mac $m" + ${SSH} -c $c -m $m -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0 + if [ $? -ne 0 ]; then + fail "ssh connect to sshd2 ${v} with $c/$m failed" + fi + done + done +done + +rm -rf ${OBJ}/${USER} +for i in sshd_config_proxy ssh_config_proxy random_seed \ + sshd2_config dsa.pub dsa ssh_config_com; do + rm -f ${OBJ}/$i +done diff --git a/crypto/openssh/regress/ssh2putty.sh b/crypto/openssh/regress/ssh2putty.sh new file mode 100755 index 000000000..691db1690 --- /dev/null +++ b/crypto/openssh/regress/ssh2putty.sh @@ -0,0 +1,34 @@ +#!/bin/sh +# $OpenBSD: ssh2putty.sh,v 1.2 2009/10/06 23:51:49 dtucker Exp $ + +if test "x$1" = "x" -o "x$2" = "x" -o "x$3" = "x" ; then + echo "Usage: ssh2putty hostname port ssh-private-key" + exit 1 +fi + +HOST=$1 +PORT=$2 +KEYFILE=$3 + +# XXX - support DSA keys too +if grep "BEGIN RSA PRIVATE KEY" $KEYFILE >/dev/null 2>&1 ; then + : +else + echo "Unsupported private key format" + exit 1 +fi + +public_exponent=` + openssl rsa -noout -text -in $KEYFILE | grep ^publicExponent | + sed 's/.*(//;s/).*//' +` +test $? -ne 0 && exit 1 + +modulus=` + openssl rsa -noout -modulus -in $KEYFILE | grep ^Modulus= | + sed 's/^Modulus=/0x/' | tr A-Z a-z +` +test $? -ne 0 && exit 1 + +echo "rsa2@$PORT:$HOST $public_exponent,$modulus" + diff --git a/crypto/openssh/regress/sshd-log-wrapper.sh b/crypto/openssh/regress/sshd-log-wrapper.sh new file mode 100644 index 000000000..a9386be4d --- /dev/null +++ b/crypto/openssh/regress/sshd-log-wrapper.sh @@ -0,0 +1,13 @@ +#!/bin/sh +# $OpenBSD: sshd-log-wrapper.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $ +# Placed in the Public Domain. +# +# simple wrapper for sshd proxy mode to catch stderr output +# sh sshd-log-wrapper.sh /path/to/sshd /path/to/logfile + +sshd=$1 +log=$2 +shift +shift + +exec $sshd -E$log $@ diff --git a/crypto/openssh/regress/stderr-after-eof.sh b/crypto/openssh/regress/stderr-after-eof.sh new file mode 100644 index 000000000..218ac6b68 --- /dev/null +++ b/crypto/openssh/regress/stderr-after-eof.sh @@ -0,0 +1,24 @@ +# $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="stderr data after eof" + +# setup data +rm -f ${DATA} ${COPY} +cp /dev/null ${DATA} +for i in 1 2 3 4 5 6; do + (date;echo $i) | md5 >> ${DATA} +done + +${SSH} -2 -F $OBJ/ssh_proxy otherhost \ + exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \ + 2> ${COPY} +r=$? +if [ $r -ne 0 ]; then + fail "ssh failed with exit code $r" +fi +egrep 'Disconnecting: Received extended_data after EOF' ${COPY} && + fail "ext data received after eof" +cmp ${DATA} ${COPY} || fail "stderr corrupt" + +rm -f ${DATA} ${COPY} diff --git a/crypto/openssh/regress/stderr-data.sh b/crypto/openssh/regress/stderr-data.sh new file mode 100644 index 000000000..b0bd2355c --- /dev/null +++ b/crypto/openssh/regress/stderr-data.sh @@ -0,0 +1,29 @@ +# $OpenBSD: stderr-data.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="stderr data transfer" + +for n in '' -n; do +for p in 1 2; do + verbose "test $tid: proto $p ($n)" + ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ + exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ + 2> ${COPY} + r=$? + if [ $r -ne 0 ]; then + fail "ssh failed with exit code $r" + fi + cmp ${DATA} ${COPY} || fail "stderr corrupt" + rm -f ${COPY} + + ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ + exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ + > /dev/null 2> ${COPY} + r=$? + if [ $r -ne 0 ]; then + fail "ssh failed with exit code $r" + fi + cmp ${DATA} ${COPY} || fail "stderr corrupt" + rm -f ${COPY} +done +done diff --git a/crypto/openssh/regress/t4.ok b/crypto/openssh/regress/t4.ok new file mode 100644 index 000000000..8c4942bf1 --- /dev/null +++ b/crypto/openssh/regress/t4.ok @@ -0,0 +1 @@ +3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36 diff --git a/crypto/openssh/regress/t5.ok b/crypto/openssh/regress/t5.ok new file mode 100644 index 000000000..bd622f300 --- /dev/null +++ b/crypto/openssh/regress/t5.ok @@ -0,0 +1 @@ +xokes-lylis-byleh-zebib-kalus-bihas-tevah-haroz-suhar-foved-noxex diff --git a/crypto/openssh/regress/test-exec.sh b/crypto/openssh/regress/test-exec.sh new file mode 100644 index 000000000..aac8aa5c2 --- /dev/null +++ b/crypto/openssh/regress/test-exec.sh @@ -0,0 +1,487 @@ +# $OpenBSD: test-exec.sh,v 1.47 2013/11/09 05:41:34 dtucker Exp $ +# Placed in the Public Domain. + +#SUDO=sudo + +# Unbreak GNU head(1) +_POSIX2_VERSION=199209 +export _POSIX2_VERSION + +case `uname -s 2>/dev/null` in +OSF1*) + BIN_SH=xpg4 + export BIN_SH + ;; +CYGWIN_NT-5.0) + os=cygwin + TEST_SSH_IPV6=no + ;; +CYGWIN*) + os=cygwin + ;; +esac + +if [ ! -z "$TEST_SSH_PORT" ]; then + PORT="$TEST_SSH_PORT" +else + PORT=4242 +fi + +if [ -x /usr/ucb/whoami ]; then + USER=`/usr/ucb/whoami` +elif whoami >/dev/null 2>&1; then + USER=`whoami` +elif logname >/dev/null 2>&1; then + USER=`logname` +else + USER=`id -un` +fi + +OBJ=$1 +if [ "x$OBJ" = "x" ]; then + echo '$OBJ not defined' + exit 2 +fi +if [ ! -d $OBJ ]; then + echo "not a directory: $OBJ" + exit 2 +fi +SCRIPT=$2 +if [ "x$SCRIPT" = "x" ]; then + echo '$SCRIPT not defined' + exit 2 +fi +if [ ! -f $SCRIPT ]; then + echo "not a file: $SCRIPT" + exit 2 +fi +if $TEST_SHELL -n $SCRIPT; then + true +else + echo "syntax error in $SCRIPT" + exit 2 +fi +unset SSH_AUTH_SOCK + +SRC=`dirname ${SCRIPT}` + +# defaults +SSH=ssh +SSHD=sshd +SSHAGENT=ssh-agent +SSHADD=ssh-add +SSHKEYGEN=ssh-keygen +SSHKEYSCAN=ssh-keyscan +SFTP=sftp +SFTPSERVER=/usr/libexec/openssh/sftp-server +SCP=scp + +# Interop testing +PLINK=plink +PUTTYGEN=puttygen +CONCH=conch + +if [ "x$TEST_SSH_SSH" != "x" ]; then + SSH="${TEST_SSH_SSH}" +fi +if [ "x$TEST_SSH_SSHD" != "x" ]; then + SSHD="${TEST_SSH_SSHD}" +fi +if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then + SSHAGENT="${TEST_SSH_SSHAGENT}" +fi +if [ "x$TEST_SSH_SSHADD" != "x" ]; then + SSHADD="${TEST_SSH_SSHADD}" +fi +if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then + SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" +fi +if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then + SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" +fi +if [ "x$TEST_SSH_SFTP" != "x" ]; then + SFTP="${TEST_SSH_SFTP}" +fi +if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then + SFTPSERVER="${TEST_SSH_SFTPSERVER}" +fi +if [ "x$TEST_SSH_SCP" != "x" ]; then + SCP="${TEST_SSH_SCP}" +fi +if [ "x$TEST_SSH_PLINK" != "x" ]; then + # Find real binary, if it exists + case "${TEST_SSH_PLINK}" in + /*) PLINK="${TEST_SSH_PLINK}" ;; + *) PLINK=`which ${TEST_SSH_PLINK} 2>/dev/null` ;; + esac +fi +if [ "x$TEST_SSH_PUTTYGEN" != "x" ]; then + # Find real binary, if it exists + case "${TEST_SSH_PUTTYGEN}" in + /*) PUTTYGEN="${TEST_SSH_PUTTYGEN}" ;; + *) PUTTYGEN=`which ${TEST_SSH_PUTTYGEN} 2>/dev/null` ;; + esac +fi +if [ "x$TEST_SSH_CONCH" != "x" ]; then + # Find real binary, if it exists + case "${TEST_SSH_CONCH}" in + /*) CONCH="${TEST_SSH_CONCH}" ;; + *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;; + esac +fi + +# Path to sshd must be absolute for rexec +case "$SSHD" in +/*) ;; +*) SSHD=`which $SSHD` ;; +esac + +case "$SSHAGENT" in +/*) ;; +*) SSHAGENT=`which $SSHAGENT` ;; +esac + +# Logfiles. +# SSH_LOGFILE should be the debug output of ssh(1) only +# SSHD_LOGFILE should be the debug output of sshd(8) only +# REGRESS_LOGFILE is the output of the test itself stdout and stderr +if [ "x$TEST_SSH_LOGFILE" = "x" ]; then + TEST_SSH_LOGFILE=$OBJ/ssh.log +fi +if [ "x$TEST_SSHD_LOGFILE" = "x" ]; then + TEST_SSHD_LOGFILE=$OBJ/sshd.log +fi +if [ "x$TEST_REGRESS_LOGFILE" = "x" ]; then + TEST_REGRESS_LOGFILE=$OBJ/regress.log +fi + +# truncate logfiles +>$TEST_SSH_LOGFILE +>$TEST_SSHD_LOGFILE +>$TEST_REGRESS_LOGFILE + +# Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..." +# because sftp and scp don't handle spaces in arguments. +SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh +echo "#!/bin/sh" > $SSHLOGWRAP +echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP + +chmod a+rx $OBJ/ssh-log-wrapper.sh +SSH="$SSHLOGWRAP" + +# Some test data. We make a copy because some tests will overwrite it. +# The tests may assume that $DATA exists and is writable and $COPY does +# not exist. Tests requiring larger data files can call increase_datafile_size +# [kbytes] to ensure the file is at least that large. +DATANAME=data +DATA=$OBJ/${DATANAME} +cat ${SSHAGENT} >${DATA} +chmod u+w ${DATA} +COPY=$OBJ/copy +rm -f ${COPY} + +increase_datafile_size() +{ + while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do + cat ${SSHAGENT} >>${DATA} + done +} + +# these should be used in tests +export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP +#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP + +# Portable specific functions +have_prog() +{ + saved_IFS="$IFS" + IFS=":" + for i in $PATH + do + if [ -x $i/$1 ]; then + IFS="$saved_IFS" + return 0 + fi + done + IFS="$saved_IFS" + return 1 +} + +jot() { + awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" +} + +# Check whether preprocessor symbols are defined in config.h. +config_defined () +{ + str=$1 + while test "x$2" != "x" ; do + str="$str|$2" + shift + done + egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1 +} + +md5 () { + if have_prog md5sum; then + md5sum + elif have_prog openssl; then + openssl md5 + elif have_prog cksum; then + cksum + elif have_prog sum; then + sum + else + wc -c + fi +} +# End of portable specific functions + +# helper +cleanup () +{ + if [ -f $PIDFILE ]; then + pid=`$SUDO cat $PIDFILE` + if [ "X$pid" = "X" ]; then + echo no sshd running + else + if [ $pid -lt 2 ]; then + echo bad pid for ssh: $pid + else + $SUDO kill $pid + trace "wait for sshd to exit" + i=0; + while [ -f $PIDFILE -a $i -lt 5 ]; do + i=`expr $i + 1` + sleep $i + done + test -f $PIDFILE && \ + fatal "sshd didn't exit port $PORT pid $pid" + fi + fi + fi +} + +start_debug_log () +{ + echo "trace: $@" >$TEST_REGRESS_LOGFILE + echo "trace: $@" >$TEST_SSH_LOGFILE + echo "trace: $@" >$TEST_SSHD_LOGFILE +} + +save_debug_log () +{ + echo $@ >>$TEST_REGRESS_LOGFILE + echo $@ >>$TEST_SSH_LOGFILE + echo $@ >>$TEST_SSHD_LOGFILE + (cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log + (cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log + (cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log +} + +trace () +{ + start_debug_log $@ + if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then + echo "$@" + fi +} + +verbose () +{ + start_debug_log $@ + if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then + echo "$@" + fi +} + +warn () +{ + echo "WARNING: $@" >>$TEST_SSH_LOGFILE + echo "WARNING: $@" +} + +fail () +{ + save_debug_log "FAIL: $@" + RESULT=1 + echo "$@" + +} + +fatal () +{ + save_debug_log "FATAL: $@" + printf "FATAL: " + fail "$@" + cleanup + exit $RESULT +} + +RESULT=0 +PIDFILE=$OBJ/pidfile + +trap fatal 3 2 + +# create server config +cat << EOF > $OBJ/sshd_config + StrictModes no + Port $PORT + Protocol 2,1 + AddressFamily inet + ListenAddress 127.0.0.1 + #ListenAddress ::1 + PidFile $PIDFILE + AuthorizedKeysFile $OBJ/authorized_keys_%u + LogLevel DEBUG3 + AcceptEnv _XXX_TEST_* + AcceptEnv _XXX_TEST + Subsystem sftp $SFTPSERVER +EOF + +if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then + trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS" + echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config +fi + +# server config for proxy connects +cp $OBJ/sshd_config $OBJ/sshd_proxy + +# allow group-writable directories in proxy-mode +echo 'StrictModes no' >> $OBJ/sshd_proxy + +# create client config +cat << EOF > $OBJ/ssh_config +Host * + Protocol 2,1 + Hostname 127.0.0.1 + HostKeyAlias localhost-with-alias + Port $PORT + User $USER + GlobalKnownHostsFile $OBJ/known_hosts + UserKnownHostsFile $OBJ/known_hosts + RSAAuthentication yes + PubkeyAuthentication yes + ChallengeResponseAuthentication no + HostbasedAuthentication no + PasswordAuthentication no + RhostsRSAAuthentication no + BatchMode yes + StrictHostKeyChecking yes + LogLevel DEBUG3 +EOF + +if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then + trace "adding ssh_config option $TEST_SSH_SSHD_CONFOPTS" + echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config +fi + +rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER + +trace "generate keys" +for t in rsa rsa1; do + # generate user key + if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then + rm -f $OBJ/$t + ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ + fail "ssh-keygen for $t failed" + fi + + # known hosts file for client + ( + printf 'localhost-with-alias,127.0.0.1,::1 ' + cat $OBJ/$t.pub + ) >> $OBJ/known_hosts + + # setup authorized keys + cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER + echo IdentityFile $OBJ/$t >> $OBJ/ssh_config + + # use key as host key, too + $SUDO cp $OBJ/$t $OBJ/host.$t + echo HostKey $OBJ/host.$t >> $OBJ/sshd_config + + # don't use SUDO for proxy connect + echo HostKey $OBJ/$t >> $OBJ/sshd_proxy +done +chmod 644 $OBJ/authorized_keys_$USER + +# Activate Twisted Conch tests if the binary is present +REGRESS_INTEROP_CONCH=no +if test -x "$CONCH" ; then + REGRESS_INTEROP_CONCH=yes +fi + +# If PuTTY is present and we are running a PuTTY test, prepare keys and +# configuration +REGRESS_INTEROP_PUTTY=no +if test -x "$PUTTYGEN" -a -x "$PLINK" ; then + REGRESS_INTEROP_PUTTY=yes +fi +case "$SCRIPT" in +*putty*) ;; +*) REGRESS_INTEROP_PUTTY=no ;; +esac + +if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then + mkdir -p ${OBJ}/.putty + + # Add a PuTTY key to authorized_keys + rm -f ${OBJ}/putty.rsa2 + puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null + puttygen -O public-openssh ${OBJ}/putty.rsa2 \ + >> $OBJ/authorized_keys_$USER + + # Convert rsa2 host key to PuTTY format + ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa > \ + ${OBJ}/.putty/sshhostkeys + ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa >> \ + ${OBJ}/.putty/sshhostkeys + + # Setup proxied session + mkdir -p ${OBJ}/.putty/sessions + rm -f ${OBJ}/.putty/sessions/localhost_proxy + echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy + echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy + echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy + echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy + + REGRESS_INTEROP_PUTTY=yes +fi + +# create a proxy version of the client config +( + cat $OBJ/ssh_config + echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy +) > $OBJ/ssh_proxy + +# check proxy config +${SSHD} -t -f $OBJ/sshd_proxy || fatal "sshd_proxy broken" + +start_sshd () +{ + # start sshd + $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" + $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE + + trace "wait for sshd" + i=0; + while [ ! -f $PIDFILE -a $i -lt 10 ]; do + i=`expr $i + 1` + sleep $i + done + + test -f $PIDFILE || fatal "no sshd running on port $PORT" +} + +# source test body +. $SCRIPT + +# kill sshd +cleanup +if [ $RESULT -eq 0 ]; then + verbose ok $tid +else + echo failed $tid +fi +exit $RESULT diff --git a/crypto/openssh/regress/transfer.sh b/crypto/openssh/regress/transfer.sh new file mode 100644 index 000000000..1ae3ef5bf --- /dev/null +++ b/crypto/openssh/regress/transfer.sh @@ -0,0 +1,26 @@ +# $OpenBSD: transfer.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $ +# Placed in the Public Domain. + +tid="transfer data" + +for p in 1 2; do + verbose "$tid: proto $p" + rm -f ${COPY} + ${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + + for s in 10 100 1k 32k 64k 128k 256k; do + trace "proto $p dd-size ${s}" + rm -f ${COPY} + dd if=$DATA obs=${s} 2> /dev/null | \ + ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp $DATA ${COPY} || fail "corrupted copy" + done +done +rm -f ${COPY} diff --git a/crypto/openssh/regress/try-ciphers.sh b/crypto/openssh/regress/try-ciphers.sh new file mode 100644 index 000000000..ac34cedbf --- /dev/null +++ b/crypto/openssh/regress/try-ciphers.sh @@ -0,0 +1,33 @@ +# $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $ +# Placed in the Public Domain. + +tid="try ciphers" + +for c in `${SSH} -Q cipher`; do + n=0 + for m in `${SSH} -Q mac`; do + trace "proto 2 cipher $c mac $m" + verbose "test $tid: proto 2 cipher $c mac $m" + ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true + if [ $? -ne 0 ]; then + fail "ssh -2 failed with mac $m cipher $c" + fi + # No point trying all MACs for AEAD ciphers since they + # are ignored. + if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then + break + fi + n=`expr $n + 1` + done +done + +ciphers="3des blowfish" +for c in $ciphers; do + trace "proto 1 cipher $c" + verbose "test $tid: proto 1 cipher $c" + ${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true + if [ $? -ne 0 ]; then + fail "ssh -1 failed with cipher $c" + fi +done + diff --git a/crypto/openssh/regress/yes-head.sh b/crypto/openssh/regress/yes-head.sh new file mode 100644 index 000000000..a8e6bc800 --- /dev/null +++ b/crypto/openssh/regress/yes-head.sh @@ -0,0 +1,15 @@ +# $OpenBSD: yes-head.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="yes pipe head" + +for p in 1 2; do + lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` + if [ $? -ne 0 ]; then + fail "yes|head test failed" + lines = 0; + fi + if [ $lines -ne 2000 ]; then + fail "yes|head returns $lines lines instead of 2000" + fi +done diff --git a/crypto/openssh/roaming_client.c b/crypto/openssh/roaming_client.c index 48009d781..de049cdc1 100644 --- a/crypto/openssh/roaming_client.c +++ b/crypto/openssh/roaming_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: roaming_client.c,v 1.7 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -48,6 +48,7 @@ #include "roaming.h" #include "ssh2.h" #include "sshconnect.h" +#include "digest.h" /* import */ extern Options options; @@ -90,10 +91,8 @@ request_roaming(void) static void roaming_auth_required(void) { - u_char digest[SHA_DIGEST_LENGTH]; - EVP_MD_CTX md; + u_char digest[SSH_DIGEST_MAX_LENGTH]; Buffer b; - const EVP_MD *evp_md = EVP_sha1(); u_int64_t chall, oldchall; chall = packet_get_int64(); @@ -107,14 +106,13 @@ roaming_auth_required(void) buffer_init(&b); buffer_put_int64(&b, cookie); buffer_put_int64(&b, chall); - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, digest, sizeof(digest)) != 0) + fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); packet_start(SSH2_MSG_KEX_ROAMING_AUTH); packet_put_int64(key1 ^ get_recv_bytes()); - packet_put_raw(digest, sizeof(digest)); + packet_put_raw(digest, ssh_digest_bytes(SSH_DIGEST_SHA1)); packet_send(); oldkey1 = key1; @@ -187,10 +185,10 @@ roaming_resume(void) debug("server doesn't allow resume"); goto fail; } - xfree(str); + free(str); for (i = 1; i < PROPOSAL_MAX; i++) { /* kex algorithm taken care of so start with i=1 and not 0 */ - xfree(packet_get_string(&len)); + free(packet_get_string(&len)); } i = packet_get_char(); /* first_kex_packet_follows */ if (i && (c = strchr(kexlist, ','))) @@ -226,8 +224,7 @@ roaming_resume(void) return 0; fail: - if (kexlist) - xfree(kexlist); + free(kexlist); if (packet_get_connection_in() == packet_get_connection_out()) close(packet_get_connection_in()); else { @@ -260,10 +257,10 @@ wait_for_roaming_reconnect(void) if (c != '\n' && c != '\r') continue; - if (ssh_connect(host, &hostaddr, options.port, + if (ssh_connect(host, NULL, &hostaddr, options.port, options.address_family, 1, &timeout_ms, - options.tcp_keep_alive, options.use_privileged_port, - options.proxy_command) == 0 && roaming_resume() == 0) { + options.tcp_keep_alive, options.use_privileged_port) == 0 && + roaming_resume() == 0) { packet_restore_state(); reenter_guard = 0; fprintf(stderr, "[connection resumed]\n"); diff --git a/crypto/openssh/roaming_common.c b/crypto/openssh/roaming_common.c index 8d0b6054a..787bef04a 100644 --- a/crypto/openssh/roaming_common.c +++ b/crypto/openssh/roaming_common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: roaming_common.c,v 1.12 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -36,6 +36,7 @@ #include "cipher.h" #include "buffer.h" #include "roaming.h" +#include "digest.h" static size_t out_buf_size = 0; static char *out_buf = NULL; @@ -49,7 +50,7 @@ int roaming_enabled = 0; int resume_in_progress = 0; int -get_snd_buf_size() +get_snd_buf_size(void) { int fd = packet_get_connection_out(); int optval; @@ -61,7 +62,7 @@ get_snd_buf_size() } int -get_recv_buf_size() +get_recv_buf_size(void) { int fd = packet_get_connection_in(); int optval; @@ -225,9 +226,7 @@ resend_bytes(int fd, u_int64_t *offset) void calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge) { - const EVP_MD *md = EVP_sha1(); - EVP_MD_CTX ctx; - char hash[EVP_MAX_MD_SIZE]; + u_char hash[SSH_DIGEST_MAX_LENGTH]; Buffer b; buffer_init(&b); @@ -235,12 +234,11 @@ calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge) buffer_put_int64(&b, cookie); buffer_put_int64(&b, challenge); - EVP_DigestInit(&ctx, md); - EVP_DigestUpdate(&ctx, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&ctx, hash, NULL); + if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, hash, sizeof(hash)) != 0) + fatal("%s: digest_buffer failed", __func__); buffer_clear(&b); - buffer_append(&b, hash, EVP_MD_size(md)); + buffer_append(&b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1)); *key = buffer_get_int64(&b); buffer_free(&b); } diff --git a/crypto/openssh/rsa.c b/crypto/openssh/rsa.c index bec1d190b..d0b5bbf5e 100644 --- a/crypto/openssh/rsa.c +++ b/crypto/openssh/rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: rsa.c,v 1.31 2014/02/02 03:44:31 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -94,10 +94,10 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key) if (BN_bin2bn(outbuf, len, out) == NULL) fatal("rsa_public_encrypt: BN_bin2bn failed"); - memset(outbuf, 0, olen); - memset(inbuf, 0, ilen); - xfree(outbuf); - xfree(inbuf); + explicit_bzero(outbuf, olen); + explicit_bzero(inbuf, ilen); + free(outbuf); + free(inbuf); } int @@ -120,10 +120,10 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key) if (BN_bin2bn(outbuf, len, out) == NULL) fatal("rsa_private_decrypt: BN_bin2bn failed"); } - memset(outbuf, 0, olen); - memset(inbuf, 0, ilen); - xfree(outbuf); - xfree(inbuf); + explicit_bzero(outbuf, olen); + explicit_bzero(inbuf, ilen); + free(outbuf); + free(inbuf); return len; } diff --git a/crypto/openssh/sandbox-capsicum.c b/crypto/openssh/sandbox-capsicum.c new file mode 100644 index 000000000..fd88de0bf --- /dev/null +++ b/crypto/openssh/sandbox-capsicum.c @@ -0,0 +1,123 @@ +/* + * Copyright (c) 2011 Dag-Erling Smorgrav + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +__RCSID("$FreeBSD$"); + +#ifdef SANDBOX_CAPSICUM + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "monitor.h" +#include "ssh-sandbox.h" +#include "xmalloc.h" + +/* + * Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits, + * limits rights on stdout, stdin, stderr, monitor and switches to + * capability mode. + */ + +struct ssh_sandbox { + struct monitor *monitor; + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(struct monitor *monitor) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + debug3("%s: preparing capsicum sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->monitor = monitor; + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + struct rlimit rl_zero; + cap_rights_t rights; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); +#ifndef SANDBOX_SKIP_RLIMIT_NOFILE + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", + __func__, strerror(errno)); +#endif + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", + __func__, strerror(errno)); + + cap_rights_init(&rights); + + if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) + fatal("can't limit stdin: %m"); + if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS) + fatal("can't limit stdout: %m"); + if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS) + fatal("can't limit stderr: %m"); + + cap_rights_init(&rights, CAP_READ, CAP_WRITE); + if (cap_rights_limit(box->monitor->m_recvfd, &rights) < 0 && + errno != ENOSYS) + fatal("%s: failed to limit the network socket", __func__); + cap_rights_init(&rights, CAP_WRITE); + if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) < 0 && + errno != ENOSYS) + fatal("%s: failed to limit the logging socket", __func__); + if (cap_enter() < 0 && errno != ENOSYS) + fatal("%s: failed to enter capability mode", __func__); + +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; +} + +#endif /* SANDBOX_CAPSICUM */ diff --git a/crypto/openssh/sandbox-darwin.c b/crypto/openssh/sandbox-darwin.c index 69901ef14..35f0c4d1a 100644 --- a/crypto/openssh/sandbox-darwin.c +++ b/crypto/openssh/sandbox-darwin.c @@ -40,7 +40,7 @@ struct ssh_sandbox { }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; diff --git a/crypto/openssh/sandbox-null.c b/crypto/openssh/sandbox-null.c index 29fa9669f..d4cb9188b 100644 --- a/crypto/openssh/sandbox-null.c +++ b/crypto/openssh/sandbox-null.c @@ -39,7 +39,7 @@ struct ssh_sandbox { }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; diff --git a/crypto/openssh/sandbox-rlimit.c b/crypto/openssh/sandbox-rlimit.c index a00386337..bba80778b 100644 --- a/crypto/openssh/sandbox-rlimit.c +++ b/crypto/openssh/sandbox-rlimit.c @@ -42,7 +42,7 @@ struct ssh_sandbox { }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; @@ -69,9 +69,11 @@ ssh_sandbox_child(struct ssh_sandbox *box) fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror(errno)); #endif +#ifndef SANDBOX_SKIP_RLIMIT_NOFILE if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror(errno)); +#endif #ifdef HAVE_RLIMIT_NPROC if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", diff --git a/crypto/openssh/sandbox-seccomp-filter.c b/crypto/openssh/sandbox-seccomp-filter.c new file mode 100644 index 000000000..c0c17c2fc --- /dev/null +++ b/crypto/openssh/sandbox-seccomp-filter.c @@ -0,0 +1,240 @@ +/* + * Copyright (c) 2012 Will Drewry + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Uncomment the SANDBOX_SECCOMP_FILTER_DEBUG macro below to help diagnose + * filter breakage during development. *Do not* use this in production, + * as it relies on making library calls that are unsafe in signal context. + * + * Instead, live systems the auditctl(8) may be used to monitor failures. + * E.g. + * auditctl -a task,always -F uid= + */ +/* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */ + +#ifdef SANDBOX_SECCOMP_FILTER_DEBUG +/* Use the kernel headers in case of an older toolchain. */ +# include +# define __have_siginfo_t 1 +# define __have_sigval_t 1 +# define __have_sigevent_t 1 +#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ + +#include "includes.h" + +#ifdef SANDBOX_SECCOMP_FILTER + +#include +#include +#include + +#include +#include +#include +#include + +#include + +#include +#include +#include +#include /* for offsetof */ +#include +#include +#include +#include + +#include "log.h" +#include "ssh-sandbox.h" +#include "xmalloc.h" + +/* Linux seccomp_filter sandbox */ +#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL + +/* Use a signal handler to emit violations when debugging */ +#ifdef SANDBOX_SECCOMP_FILTER_DEBUG +# undef SECCOMP_FILTER_FAIL +# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP +#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ + +/* Simple helpers to avoid manual errors (but larger BPF programs). */ +#define SC_DENY(_nr, _errno) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) +#define SC_ALLOW(_nr) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + +/* Syscall filtering set for preauth. */ +static const struct sock_filter preauth_insns[] = { + /* Ensure the syscall arch convention is as expected. */ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, + offsetof(struct seccomp_data, arch)), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), + BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), + /* Load the syscall number for checking. */ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, + offsetof(struct seccomp_data, nr)), + SC_DENY(open, EACCES), + SC_ALLOW(getpid), + SC_ALLOW(gettimeofday), + SC_ALLOW(clock_gettime), +#ifdef __NR_time /* not defined on EABI ARM */ + SC_ALLOW(time), +#endif + SC_ALLOW(read), + SC_ALLOW(write), + SC_ALLOW(close), +#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ + SC_ALLOW(shutdown), +#endif + SC_ALLOW(brk), + SC_ALLOW(poll), +#ifdef __NR__newselect + SC_ALLOW(_newselect), +#else + SC_ALLOW(select), +#endif + SC_ALLOW(madvise), +#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ + SC_ALLOW(mmap2), +#endif +#ifdef __NR_mmap + SC_ALLOW(mmap), +#endif + SC_ALLOW(munmap), + SC_ALLOW(exit_group), +#ifdef __NR_rt_sigprocmask + SC_ALLOW(rt_sigprocmask), +#else + SC_ALLOW(sigprocmask), +#endif + BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), +}; + +static const struct sock_fprog preauth_program = { + .len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])), + .filter = (struct sock_filter *)preauth_insns, +}; + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(struct monitor *monitor) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + debug3("%s: preparing seccomp filter sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +#ifdef SANDBOX_SECCOMP_FILTER_DEBUG +extern struct monitor *pmonitor; +void mm_log_handler(LogLevel level, const char *msg, void *ctx); + +static void +ssh_sandbox_violation(int signum, siginfo_t *info, void *void_context) +{ + char msg[256]; + + snprintf(msg, sizeof(msg), + "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)", + __func__, info->si_arch, info->si_syscall, info->si_call_addr); + mm_log_handler(SYSLOG_LEVEL_FATAL, msg, pmonitor); + _exit(1); +} + +static void +ssh_sandbox_child_debugging(void) +{ + struct sigaction act; + sigset_t mask; + + debug3("%s: installing SIGSYS handler", __func__); + memset(&act, 0, sizeof(act)); + sigemptyset(&mask); + sigaddset(&mask, SIGSYS); + + act.sa_sigaction = &ssh_sandbox_violation; + act.sa_flags = SA_SIGINFO; + if (sigaction(SIGSYS, &act, NULL) == -1) + fatal("%s: sigaction(SIGSYS): %s", __func__, strerror(errno)); + if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) + fatal("%s: sigprocmask(SIGSYS): %s", + __func__, strerror(errno)); +} +#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + struct rlimit rl_zero; + int nnp_failed = 0; + + /* Set rlimits for completeness if possible. */ + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", + __func__, strerror(errno)); + +#ifdef SANDBOX_SECCOMP_FILTER_DEBUG + ssh_sandbox_child_debugging(); +#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ + + debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__); + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) { + debug("%s: prctl(PR_SET_NO_NEW_PRIVS): %s", + __func__, strerror(errno)); + nnp_failed = 1; + } + debug3("%s: attaching seccomp filter program", __func__); + if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &preauth_program) == -1) + debug("%s: prctl(PR_SET_SECCOMP): %s", + __func__, strerror(errno)); + else if (nnp_failed) + fatal("%s: SECCOMP_MODE_FILTER activated but " + "PR_SET_NO_NEW_PRIVS failed", __func__); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; +} + +#endif /* SANDBOX_SECCOMP_FILTER */ diff --git a/crypto/openssh/sandbox-systrace.c b/crypto/openssh/sandbox-systrace.c index 2d16a627f..6706c9a80 100644 --- a/crypto/openssh/sandbox-systrace.c +++ b/crypto/openssh/sandbox-systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sandbox-systrace.c,v 1.6 2012/06/30 14:35:09 markus Exp $ */ +/* $OpenBSD: sandbox-systrace.c,v 1.9 2014/01/31 16:39:19 tedu Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -57,6 +57,7 @@ static const struct sandbox_policy preauth_policy[] = { { SYS_exit, SYSTR_POLICY_PERMIT }, { SYS_getpid, SYSTR_POLICY_PERMIT }, { SYS_gettimeofday, SYSTR_POLICY_PERMIT }, + { SYS_clock_gettime, SYSTR_POLICY_PERMIT }, { SYS_madvise, SYSTR_POLICY_PERMIT }, { SYS_mmap, SYSTR_POLICY_PERMIT }, { SYS_mprotect, SYSTR_POLICY_PERMIT }, @@ -65,6 +66,7 @@ static const struct sandbox_policy preauth_policy[] = { { SYS_munmap, SYSTR_POLICY_PERMIT }, { SYS_read, SYSTR_POLICY_PERMIT }, { SYS_select, SYSTR_POLICY_PERMIT }, + { SYS_shutdown, SYSTR_POLICY_PERMIT }, { SYS_sigprocmask, SYSTR_POLICY_PERMIT }, { SYS_write, SYSTR_POLICY_PERMIT }, { -1, -1 } @@ -77,7 +79,7 @@ struct ssh_sandbox { }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; @@ -140,7 +142,7 @@ ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, box->systrace_fd, child_pid, strerror(errno)); /* Allocate and assign policy */ - bzero(&policy, sizeof(policy)); + memset(&policy, 0, sizeof(policy)); policy.strp_op = SYSTR_POLICY_NEW; policy.strp_maxents = SYS_MAXSYSCALL; if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1) diff --git a/crypto/openssh/sc25519.c b/crypto/openssh/sc25519.c new file mode 100644 index 000000000..1568d9a58 --- /dev/null +++ b/crypto/openssh/sc25519.c @@ -0,0 +1,308 @@ +/* $OpenBSD: sc25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */ + +/* + * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange, + * Peter Schwabe, Bo-Yin Yang. + * Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.c + */ + +#include "includes.h" + +#include "sc25519.h" + +/*Arithmetic modulo the group order m = 2^252 + 27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989 */ + +static const crypto_uint32 m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10}; + +static const crypto_uint32 mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21, + 0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F}; + +static crypto_uint32 lt(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */ +{ + unsigned int x = a; + x -= (unsigned int) b; /* 0..65535: no; 4294901761..4294967295: yes */ + x >>= 31; /* 0: no; 1: yes */ + return x; +} + +/* Reduce coefficients of r before calling reduce_add_sub */ +static void reduce_add_sub(sc25519 *r) +{ + crypto_uint32 pb = 0; + crypto_uint32 b; + crypto_uint32 mask; + int i; + unsigned char t[32]; + + for(i=0;i<32;i++) + { + pb += m[i]; + b = lt(r->v[i],pb); + t[i] = r->v[i]-pb+(b<<8); + pb = b; + } + mask = b - 1; + for(i=0;i<32;i++) + r->v[i] ^= mask & (r->v[i] ^ t[i]); +} + +/* Reduce coefficients of x before calling barrett_reduce */ +static void barrett_reduce(sc25519 *r, const crypto_uint32 x[64]) +{ + /* See HAC, Alg. 14.42 */ + int i,j; + crypto_uint32 q2[66]; + crypto_uint32 *q3 = q2 + 33; + crypto_uint32 r1[33]; + crypto_uint32 r2[33]; + crypto_uint32 carry; + crypto_uint32 pb = 0; + crypto_uint32 b; + + for (i = 0;i < 66;++i) q2[i] = 0; + for (i = 0;i < 33;++i) r2[i] = 0; + + for(i=0;i<33;i++) + for(j=0;j<33;j++) + if(i+j >= 31) q2[i+j] += mu[i]*x[j+31]; + carry = q2[31] >> 8; + q2[32] += carry; + carry = q2[32] >> 8; + q2[33] += carry; + + for(i=0;i<33;i++)r1[i] = x[i]; + for(i=0;i<32;i++) + for(j=0;j<33;j++) + if(i+j < 33) r2[i+j] += m[i]*q3[j]; + + for(i=0;i<32;i++) + { + carry = r2[i] >> 8; + r2[i+1] += carry; + r2[i] &= 0xff; + } + + for(i=0;i<32;i++) + { + pb += r2[i]; + b = lt(r1[i],pb); + r->v[i] = r1[i]-pb+(b<<8); + pb = b; + } + + /* XXX: Can it really happen that r<0?, See HAC, Alg 14.42, Step 3 + * If so: Handle it here! + */ + + reduce_add_sub(r); + reduce_add_sub(r); +} + +void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]) +{ + int i; + crypto_uint32 t[64]; + for(i=0;i<32;i++) t[i] = x[i]; + for(i=32;i<64;++i) t[i] = 0; + barrett_reduce(r, t); +} + +void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16]) +{ + int i; + for(i=0;i<16;i++) r->v[i] = x[i]; +} + +void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]) +{ + int i; + crypto_uint32 t[64]; + for(i=0;i<64;i++) t[i] = x[i]; + barrett_reduce(r, t); +} + +void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x) +{ + int i; + for(i=0;i<16;i++) + r->v[i] = x->v[i]; + for(i=0;i<16;i++) + r->v[16+i] = 0; +} + +void sc25519_to32bytes(unsigned char r[32], const sc25519 *x) +{ + int i; + for(i=0;i<32;i++) r[i] = x->v[i]; +} + +int sc25519_iszero_vartime(const sc25519 *x) +{ + int i; + for(i=0;i<32;i++) + if(x->v[i] != 0) return 0; + return 1; +} + +int sc25519_isshort_vartime(const sc25519 *x) +{ + int i; + for(i=31;i>15;i--) + if(x->v[i] != 0) return 0; + return 1; +} + +int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y) +{ + int i; + for(i=31;i>=0;i--) + { + if(x->v[i] < y->v[i]) return 1; + if(x->v[i] > y->v[i]) return 0; + } + return 0; +} + +void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y) +{ + int i, carry; + for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i]; + for(i=0;i<31;i++) + { + carry = r->v[i] >> 8; + r->v[i+1] += carry; + r->v[i] &= 0xff; + } + reduce_add_sub(r); +} + +void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y) +{ + crypto_uint32 b = 0; + crypto_uint32 t; + int i; + for(i=0;i<32;i++) + { + t = x->v[i] - y->v[i] - b; + r->v[i] = t & 255; + b = (t >> 8) & 1; + } +} + +void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y) +{ + int i,j,carry; + crypto_uint32 t[64]; + for(i=0;i<64;i++)t[i] = 0; + + for(i=0;i<32;i++) + for(j=0;j<32;j++) + t[i+j] += x->v[i] * y->v[j]; + + /* Reduce coefficients */ + for(i=0;i<63;i++) + { + carry = t[i] >> 8; + t[i+1] += carry; + t[i] &= 0xff; + } + + barrett_reduce(r, t); +} + +void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y) +{ + sc25519 t; + sc25519_from_shortsc(&t, y); + sc25519_mul(r, x, &t); +} + +void sc25519_window3(signed char r[85], const sc25519 *s) +{ + char carry; + int i; + for(i=0;i<10;i++) + { + r[8*i+0] = s->v[3*i+0] & 7; + r[8*i+1] = (s->v[3*i+0] >> 3) & 7; + r[8*i+2] = (s->v[3*i+0] >> 6) & 7; + r[8*i+2] ^= (s->v[3*i+1] << 2) & 7; + r[8*i+3] = (s->v[3*i+1] >> 1) & 7; + r[8*i+4] = (s->v[3*i+1] >> 4) & 7; + r[8*i+5] = (s->v[3*i+1] >> 7) & 7; + r[8*i+5] ^= (s->v[3*i+2] << 1) & 7; + r[8*i+6] = (s->v[3*i+2] >> 2) & 7; + r[8*i+7] = (s->v[3*i+2] >> 5) & 7; + } + r[8*i+0] = s->v[3*i+0] & 7; + r[8*i+1] = (s->v[3*i+0] >> 3) & 7; + r[8*i+2] = (s->v[3*i+0] >> 6) & 7; + r[8*i+2] ^= (s->v[3*i+1] << 2) & 7; + r[8*i+3] = (s->v[3*i+1] >> 1) & 7; + r[8*i+4] = (s->v[3*i+1] >> 4) & 7; + + /* Making it signed */ + carry = 0; + for(i=0;i<84;i++) + { + r[i] += carry; + r[i+1] += r[i] >> 3; + r[i] &= 7; + carry = r[i] >> 2; + r[i] -= carry<<3; + } + r[84] += carry; +} + +void sc25519_window5(signed char r[51], const sc25519 *s) +{ + char carry; + int i; + for(i=0;i<6;i++) + { + r[8*i+0] = s->v[5*i+0] & 31; + r[8*i+1] = (s->v[5*i+0] >> 5) & 31; + r[8*i+1] ^= (s->v[5*i+1] << 3) & 31; + r[8*i+2] = (s->v[5*i+1] >> 2) & 31; + r[8*i+3] = (s->v[5*i+1] >> 7) & 31; + r[8*i+3] ^= (s->v[5*i+2] << 1) & 31; + r[8*i+4] = (s->v[5*i+2] >> 4) & 31; + r[8*i+4] ^= (s->v[5*i+3] << 4) & 31; + r[8*i+5] = (s->v[5*i+3] >> 1) & 31; + r[8*i+6] = (s->v[5*i+3] >> 6) & 31; + r[8*i+6] ^= (s->v[5*i+4] << 2) & 31; + r[8*i+7] = (s->v[5*i+4] >> 3) & 31; + } + r[8*i+0] = s->v[5*i+0] & 31; + r[8*i+1] = (s->v[5*i+0] >> 5) & 31; + r[8*i+1] ^= (s->v[5*i+1] << 3) & 31; + r[8*i+2] = (s->v[5*i+1] >> 2) & 31; + + /* Making it signed */ + carry = 0; + for(i=0;i<50;i++) + { + r[i] += carry; + r[i+1] += r[i] >> 5; + r[i] &= 31; + carry = r[i] >> 4; + r[i] -= carry<<5; + } + r[50] += carry; +} + +void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2) +{ + int i; + for(i=0;i<31;i++) + { + r[4*i] = ( s1->v[i] & 3) ^ (( s2->v[i] & 3) << 2); + r[4*i+1] = ((s1->v[i] >> 2) & 3) ^ (((s2->v[i] >> 2) & 3) << 2); + r[4*i+2] = ((s1->v[i] >> 4) & 3) ^ (((s2->v[i] >> 4) & 3) << 2); + r[4*i+3] = ((s1->v[i] >> 6) & 3) ^ (((s2->v[i] >> 6) & 3) << 2); + } + r[124] = ( s1->v[31] & 3) ^ (( s2->v[31] & 3) << 2); + r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2); + r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2); +} diff --git a/crypto/openssh/sc25519.h b/crypto/openssh/sc25519.h new file mode 100644 index 000000000..a2c15d5ff --- /dev/null +++ b/crypto/openssh/sc25519.h @@ -0,0 +1,80 @@ +/* $OpenBSD: sc25519.h,v 1.3 2013/12/09 11:03:45 markus Exp $ */ + +/* + * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange, + * Peter Schwabe, Bo-Yin Yang. + * Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.h + */ + +#ifndef SC25519_H +#define SC25519_H + +#include "crypto_api.h" + +#define sc25519 crypto_sign_ed25519_ref_sc25519 +#define shortsc25519 crypto_sign_ed25519_ref_shortsc25519 +#define sc25519_from32bytes crypto_sign_ed25519_ref_sc25519_from32bytes +#define shortsc25519_from16bytes crypto_sign_ed25519_ref_shortsc25519_from16bytes +#define sc25519_from64bytes crypto_sign_ed25519_ref_sc25519_from64bytes +#define sc25519_from_shortsc crypto_sign_ed25519_ref_sc25519_from_shortsc +#define sc25519_to32bytes crypto_sign_ed25519_ref_sc25519_to32bytes +#define sc25519_iszero_vartime crypto_sign_ed25519_ref_sc25519_iszero_vartime +#define sc25519_isshort_vartime crypto_sign_ed25519_ref_sc25519_isshort_vartime +#define sc25519_lt_vartime crypto_sign_ed25519_ref_sc25519_lt_vartime +#define sc25519_add crypto_sign_ed25519_ref_sc25519_add +#define sc25519_sub_nored crypto_sign_ed25519_ref_sc25519_sub_nored +#define sc25519_mul crypto_sign_ed25519_ref_sc25519_mul +#define sc25519_mul_shortsc crypto_sign_ed25519_ref_sc25519_mul_shortsc +#define sc25519_window3 crypto_sign_ed25519_ref_sc25519_window3 +#define sc25519_window5 crypto_sign_ed25519_ref_sc25519_window5 +#define sc25519_2interleave2 crypto_sign_ed25519_ref_sc25519_2interleave2 + +typedef struct +{ + crypto_uint32 v[32]; +} +sc25519; + +typedef struct +{ + crypto_uint32 v[16]; +} +shortsc25519; + +void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]); + +void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16]); + +void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]); + +void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x); + +void sc25519_to32bytes(unsigned char r[32], const sc25519 *x); + +int sc25519_iszero_vartime(const sc25519 *x); + +int sc25519_isshort_vartime(const sc25519 *x); + +int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y); + +void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y); + +void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y); + +void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y); + +void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y); + +/* Convert s into a representation of the form \sum_{i=0}^{84}r[i]2^3 + * with r[i] in {-4,...,3} + */ +void sc25519_window3(signed char r[85], const sc25519 *s); + +/* Convert s into a representation of the form \sum_{i=0}^{50}r[i]2^5 + * with r[i] in {-16,...,15} + */ +void sc25519_window5(signed char r[51], const sc25519 *s); + +void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2); + +#endif diff --git a/crypto/openssh/schnorr.c b/crypto/openssh/schnorr.c index fb6bd5e12..63b7b5c53 100644 --- a/crypto/openssh/schnorr.c +++ b/crypto/openssh/schnorr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: schnorr.c,v 1.5 2010/12/03 23:49:26 djm Exp $ */ +/* $OpenBSD: schnorr.c,v 1.9 2014/01/09 23:20:00 djm Exp $ */ /* $FreeBSD$ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -27,6 +27,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include @@ -42,6 +43,7 @@ #include "log.h" #include "schnorr.h" +#include "digest.h" #ifdef JPAKE @@ -60,12 +62,12 @@ /* * Calculate hash component of Schnorr signature H(g || g^v || g^x || id) - * using the hash function defined by "evp_md". Returns signature as + * using the hash function defined by "hash_alg". Returns signature as * bignum or NULL on error. */ static BIGNUM * schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, - const EVP_MD *evp_md, const BIGNUM *g_v, const BIGNUM *g_x, + int hash_alg, const BIGNUM *g_v, const BIGNUM *g_x, const u_char *id, u_int idlen) { u_char *digest; @@ -91,7 +93,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b), "%s: hashblob", __func__)); - if (hash_buffer(buffer_ptr(&b), buffer_len(&b), evp_md, + if (hash_buffer(buffer_ptr(&b), buffer_len(&b), hash_alg, &digest, &digest_len) != 0) { error("%s: hash_buffer", __func__); goto out; @@ -105,7 +107,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, out: buffer_free(&b); bzero(digest, digest_len); - xfree(digest); + free(digest); digest_len = 0; if (success == 0) return h; @@ -116,7 +118,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, /* * Generate Schnorr signature to prove knowledge of private value 'x' used * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g' - * using the hash function "evp_md". + * using the hash function "hash_alg". * 'idlen' bytes from 'id' will be included in the signature hash as an anti- * replay salt. * @@ -126,7 +128,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, */ int schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, - const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x, + int hash_alg, const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p) { int success = -1; @@ -176,7 +178,7 @@ schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__)); /* h = H(g || g^v || g^x || id) */ - if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, g_v, g_x, + if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, g_v, g_x, id, idlen)) == NULL) { error("%s: schnorr_hash failed", __func__); goto out; @@ -226,7 +228,7 @@ schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, Buffer b; BIGNUM *r, *e; - if (schnorr_sign(grp_p, grp_q, grp_g, EVP_sha256(), + if (schnorr_sign(grp_p, grp_q, grp_g, SSH_DIGEST_SHA256, x, g_x, id, idlen, &r, &e) != 0) return -1; @@ -251,13 +253,13 @@ schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, /* * Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against * public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and - * 'grp_g' using hash "evp_md". + * 'grp_g' using hash "hash_alg". * Signature hash will be salted with 'idlen' bytes from 'id'. * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature. */ int schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, - const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen, + int hash_alg, const BIGNUM *g_x, const u_char *id, u_int idlen, const BIGNUM *r, const BIGNUM *e) { int success = -1; @@ -305,7 +307,7 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__)); /* h = H(g || g^v || g^x || id) */ - if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, e, g_x, + if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, e, g_x, id, idlen)) == NULL) { error("%s: schnorr_hash failed", __func__); goto out; @@ -388,7 +390,7 @@ schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, goto out; } - ret = schnorr_verify(grp_p, grp_q, grp_g, EVP_sha256(), + ret = schnorr_verify(grp_p, grp_q, grp_g, SSH_DIGEST_SHA256, g_x, id, idlen, r, e); out: BN_clear_free(e); @@ -446,43 +448,33 @@ bn_rand_range_gt_one(const BIGNUM *high) return NULL; } +/* XXX convert all callers of this to use ssh_digest_memory() directly */ /* * Hash contents of buffer 'b' with hash 'md'. Returns 0 on success, * with digest via 'digestp' (caller to free) and length via 'lenp'. * Returns -1 on failure. */ int -hash_buffer(const u_char *buf, u_int len, const EVP_MD *md, +hash_buffer(const u_char *buf, u_int len, int hash_alg, u_char **digestp, u_int *lenp) { - u_char digest[EVP_MAX_MD_SIZE]; - u_int digest_len; - EVP_MD_CTX evp_md_ctx; - int success = -1; + u_char digest[SSH_DIGEST_MAX_LENGTH]; + u_int digest_len = ssh_digest_bytes(hash_alg); - EVP_MD_CTX_init(&evp_md_ctx); - - if (EVP_DigestInit_ex(&evp_md_ctx, md, NULL) != 1) { - error("%s: EVP_DigestInit_ex", __func__); - goto out; - } - if (EVP_DigestUpdate(&evp_md_ctx, buf, len) != 1) { - error("%s: EVP_DigestUpdate", __func__); - goto out; + if (digest_len == 0) { + error("%s: invalid hash", __func__); + return -1; } - if (EVP_DigestFinal_ex(&evp_md_ctx, digest, &digest_len) != 1) { - error("%s: EVP_DigestFinal_ex", __func__); - goto out; + if (ssh_digest_memory(hash_alg, buf, len, digest, digest_len) != 0) { + error("%s: digest_memory failed", __func__); + return -1; } *digestp = xmalloc(digest_len); *lenp = digest_len; memcpy(*digestp, digest, *lenp); - success = 0; - out: - EVP_MD_CTX_cleanup(&evp_md_ctx); bzero(digest, sizeof(digest)); digest_len = 0; - return success; + return 0; } /* print formatted string followed by bignum */ @@ -491,12 +483,13 @@ debug3_bn(const BIGNUM *n, const char *fmt, ...) { char *out, *h; va_list args; + int ret; out = NULL; va_start(args, fmt); - vasprintf(&out, fmt, args); + ret = vasprintf(&out, fmt, args); va_end(args); - if (out == NULL) + if (ret == -1 || out == NULL) fatal("%s: vasprintf failed", __func__); if (n == NULL) @@ -516,12 +509,13 @@ debug3_buf(const u_char *buf, u_int len, const char *fmt, ...) char *out, h[65]; u_int i, j; va_list args; + int ret; out = NULL; va_start(args, fmt); - vasprintf(&out, fmt, args); + ret = vasprintf(&out, fmt, args); va_end(args); - if (out == NULL) + if (ret == -1 || out == NULL) fatal("%s: vasprintf failed", __func__); debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : ""); @@ -550,7 +544,7 @@ modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p) { struct modp_group *ret; - ret = xmalloc(sizeof(*ret)); + ret = xcalloc(1, sizeof(*ret)); ret->p = ret->q = ret->g = NULL; if (BN_hex2bn(&ret->p, grp_p) == 0 || BN_hex2bn(&ret->g, grp_g) == 0) @@ -574,7 +568,7 @@ modp_group_free(struct modp_group *grp) if (grp->q != NULL) BN_clear_free(grp->q); bzero(grp, sizeof(*grp)); - xfree(grp); + free(grp); } /* main() function for self-test */ @@ -609,7 +603,7 @@ schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q, if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4, sig, siglen) != 0) fatal("%s: verify should have failed (bit error)", __func__); - xfree(sig); + free(sig); BN_free(g_x); BN_CTX_free(bn_ctx); } diff --git a/crypto/openssh/schnorr.h b/crypto/openssh/schnorr.h deleted file mode 100644 index 9730b47ce..000000000 --- a/crypto/openssh/schnorr.h +++ /dev/null @@ -1,60 +0,0 @@ -/* $OpenBSD: schnorr.h,v 1.1 2009/03/05 07:18:19 djm Exp $ */ -/* - * Copyright (c) 2009 Damien Miller. All rights reserved. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef SCHNORR_H -#define SCHNORR_H - -#include - -#include - -struct modp_group { - BIGNUM *p, *q, *g; -}; - -BIGNUM *bn_rand_range_gt_one(const BIGNUM *high); -int hash_buffer(const u_char *, u_int, const EVP_MD *, u_char **, u_int *); -void debug3_bn(const BIGNUM *, const char *, ...) - __attribute__((__nonnull__ (2))) - __attribute__((format(printf, 2, 3))); -void debug3_buf(const u_char *, u_int, const char *, ...) - __attribute__((__nonnull__ (3))) - __attribute__((format(printf, 3, 4))); -struct modp_group *modp_group_from_g_and_safe_p(const char *, const char *); -void modp_group_free(struct modp_group *); - -/* Signature and verification functions */ -int -schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, - const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x, - const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p); -int -schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, - const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen, - u_char **sig, u_int *siglen); -int -schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, - const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen, - const BIGNUM *r, const BIGNUM *e); -int -schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, - const BIGNUM *grp_g, - const BIGNUM *g_x, const u_char *id, u_int idlen, - const u_char *sig, u_int siglen); - -#endif /* JPAKE_H */ - diff --git a/crypto/openssh/scp.0 b/crypto/openssh/scp.0 new file mode 100644 index 000000000..b9eeffc4e --- /dev/null +++ b/crypto/openssh/scp.0 @@ -0,0 +1,163 @@ +SCP(1) OpenBSD Reference Manual SCP(1) + +NAME + scp - secure copy (remote file copy program) + +SYNOPSIS + scp [-12346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file] + [-l limit] [-o ssh_option] [-P port] [-S program] + [[user@]host1:]file1 ... [[user@]host2:]file2 + +DESCRIPTION + scp copies files between hosts on a network. It uses ssh(1) for data + transfer, and uses the same authentication and provides the same security + as ssh(1). Unlike rcp(1), scp will ask for passwords or passphrases if + they are needed for authentication. + + File names may contain a user and host specification to indicate that the + file is to be copied to/from that host. Local file names can be made + explicit using absolute or relative pathnames to avoid scp treating file + names containing `:' as host specifiers. Copies between two remote hosts + are also permitted. + + The options are as follows: + + -1 Forces scp to use protocol 1. + + -2 Forces scp to use protocol 2. + + -3 Copies between two remote hosts are transferred through the local + host. Without this option the data is copied directly between + the two remote hosts. Note that this option disables the + progress meter. + + -4 Forces scp to use IPv4 addresses only. + + -6 Forces scp to use IPv6 addresses only. + + -B Selects batch mode (prevents asking for passwords or + passphrases). + + -C Compression enable. Passes the -C flag to ssh(1) to enable + compression. + + -c cipher + Selects the cipher to use for encrypting the data transfer. This + option is directly passed to ssh(1). + + -F ssh_config + Specifies an alternative per-user configuration file for ssh. + This option is directly passed to ssh(1). + + -i identity_file + Selects the file from which the identity (private key) for public + key authentication is read. This option is directly passed to + ssh(1). + + -l limit + Limits the used bandwidth, specified in Kbit/s. + + -o ssh_option + Can be used to pass options to ssh in the format used in + ssh_config(5). This is useful for specifying options for which + there is no separate scp command-line flag. For full details of + the options listed below, and their possible values, see + ssh_config(5). + + AddressFamily + BatchMode + BindAddress + CanonicalDomains + CanonicalizeFallbackLocal + CanonicalizeHostname + CanonicalizeMaxDots + CanonicalizePermittedCNAMEs + ChallengeResponseAuthentication + CheckHostIP + Cipher + Ciphers + Compression + CompressionLevel + ConnectionAttempts + ConnectTimeout + ControlMaster + ControlPath + ControlPersist + GlobalKnownHostsFile + GSSAPIAuthentication + GSSAPIDelegateCredentials + HashKnownHosts + Host + HostbasedAuthentication + HostKeyAlgorithms + HostKeyAlias + HostName + IdentityFile + IdentitiesOnly + IPQoS + KbdInteractiveAuthentication + KbdInteractiveDevices + KexAlgorithms + LogLevel + MACs + NoHostAuthenticationForLocalhost + NumberOfPasswordPrompts + PasswordAuthentication + PKCS11Provider + Port + PreferredAuthentications + Protocol + ProxyCommand + PubkeyAuthentication + RekeyLimit + RhostsRSAAuthentication + RSAAuthentication + SendEnv + ServerAliveInterval + ServerAliveCountMax + StrictHostKeyChecking + TCPKeepAlive + UsePrivilegedPort + User + UserKnownHostsFile + VerifyHostKeyDNS + + -P port + Specifies the port to connect to on the remote host. Note that + this option is written with a capital `P', because -p is already + reserved for preserving the times and modes of the file in + rcp(1). + + -p Preserves modification times, access times, and modes from the + original file. + + -q Quiet mode: disables the progress meter as well as warning and + diagnostic messages from ssh(1). + + -r Recursively copy entire directories. Note that scp follows + symbolic links encountered in the tree traversal. + + -S program + Name of program to use for the encrypted connection. The program + must understand ssh(1) options. + + -v Verbose mode. Causes scp and ssh(1) to print debugging messages + about their progress. This is helpful in debugging connection, + authentication, and configuration problems. + +EXIT STATUS + The scp utility exits 0 on success, and >0 if an error occurs. + +SEE ALSO + rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), + ssh_config(5), sshd(8) + +HISTORY + scp is based on the rcp(1) program in BSD source code from the Regents of + the University of California. + +AUTHORS + Timo Rinne + Tatu Ylonen + +OpenBSD 5.5 October 20, 2013 OpenBSD 5.5 diff --git a/crypto/openssh/scp.1 b/crypto/openssh/scp.1 index f37a56d09..21d94ba95 100644 --- a/crypto/openssh/scp.1 +++ b/crypto/openssh/scp.1 @@ -8,9 +8,10 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.58 2011/09/05 07:01:44 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.61 2013/10/20 09:51:26 djm Exp $ +.\" $FreeBSD$ .\" -.Dd September 5, 2011 +.Dd October 20, 2013 .Dt SCP 1 .Os .Sh NAME @@ -130,6 +131,11 @@ For full details of the options listed below, and their possible values, see .It AddressFamily .It BatchMode .It BindAddress +.It CanonicalDomains +.It CanonicalizeFallbackLocal +.It CanonicalizeHostname +.It CanonicalizeMaxDots +.It CanonicalizePermittedCNAMEs .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher @@ -232,8 +238,9 @@ debugging connection, authentication, and configuration problems. .Nm is based on the .Xr rcp 1 -program in BSD source code from the Regents of the University of -California. +program in +.Bx +source code from the Regents of the University of California. .Sh AUTHORS -.An Timo Rinne Aq tri@iki.fi -.An Tatu Ylonen Aq ylo@cs.hut.fi +.An Timo Rinne Aq Mt tri@iki.fi +.An Tatu Ylonen Aq Mt ylo@cs.hut.fi diff --git a/crypto/openssh/scp.c b/crypto/openssh/scp.c index 645d7403b..18d3b1dc9 100644 --- a/crypto/openssh/scp.c +++ b/crypto/openssh/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.171 2011/09/09 22:37:01 djm Exp $ */ +/* $OpenBSD: scp.c,v 1.179 2013/11/20 20:53:10 deraadt Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -550,6 +550,24 @@ scpio(void *_cnt, size_t s) return 0; } +static int +do_times(int fd, int verb, const struct stat *sb) +{ + /* strlen(2^64) == 20; strlen(10^6) == 7 */ + char buf[(20 + 7 + 2) * 2 + 2]; + + (void)snprintf(buf, sizeof(buf), "T%llu 0 %llu 0\n", + (unsigned long long) (sb->st_mtime < 0 ? 0 : sb->st_mtime), + (unsigned long long) (sb->st_atime < 0 ? 0 : sb->st_atime)); + if (verb) { + fprintf(stderr, "File mtime %lld atime %lld\n", + (long long)sb->st_mtime, (long long)sb->st_atime); + fprintf(stderr, "Sending file timestamps: %s", buf); + } + (void) atomicio(vwrite, fd, buf, strlen(buf)); + return (response()); +} + void toremote(char *targ, int argc, char **argv) { @@ -578,7 +596,7 @@ toremote(char *targ, int argc, char **argv) } if (tuser != NULL && !okname(tuser)) { - xfree(arg); + free(arg); return; } @@ -605,13 +623,13 @@ toremote(char *targ, int argc, char **argv) *src == '-' ? "-- " : "", src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) exit(1); - (void) xfree(bp); + free(bp); host = cleanhostname(thost); xasprintf(&bp, "%s -t %s%s", cmd, *targ == '-' ? "-- " : "", targ); if (do_cmd2(host, tuser, bp, remin, remout) < 0) exit(1); - (void) xfree(bp); + free(bp); (void) close(remin); (void) close(remout); remin = remout = -1; @@ -662,12 +680,12 @@ toremote(char *targ, int argc, char **argv) exit(1); if (response() < 0) exit(1); - (void) xfree(bp); + free(bp); } source(1, argv + i); } } - xfree(arg); + free(arg); } void @@ -711,11 +729,11 @@ tolocal(int argc, char **argv) xasprintf(&bp, "%s -f %s%s", cmd, *src == '-' ? "-- " : "", src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) { - (void) xfree(bp); + free(bp); ++errs; continue; } - xfree(bp); + free(bp); sink(1, argv + argc - 1); (void) close(remin); remin = remout = -1; @@ -774,21 +792,7 @@ syserr: run_err("%s: %s", name, strerror(errno)); ++last; curfile = last; if (pflag) { - /* - * Make it compatible with possible future - * versions expecting microseconds. - */ - (void) snprintf(buf, sizeof buf, "T%lu 0 %lu 0\n", - (u_long) (stb.st_mtime < 0 ? 0 : stb.st_mtime), - (u_long) (stb.st_atime < 0 ? 0 : stb.st_atime)); - if (verbose_mode) { - fprintf(stderr, "File mtime %ld atime %ld\n", - (long)stb.st_mtime, (long)stb.st_atime); - fprintf(stderr, "Sending file timestamps: %s", - buf); - } - (void) atomicio(vwrite, remout, buf, strlen(buf)); - if (response() < 0) + if (do_times(remout, verbose_mode, &stb) < 0) goto next; } #define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) @@ -850,7 +854,7 @@ rsource(char *name, struct stat *statp) { DIR *dirp; struct dirent *dp; - char *last, *vect[1], path[1100]; + char *last, *vect[1], path[MAXPATHLEN]; if (!(dirp = opendir(name))) { run_err("%s: %s", name, strerror(errno)); @@ -862,11 +866,7 @@ rsource(char *name, struct stat *statp) else last++; if (pflag) { - (void) snprintf(path, sizeof(path), "T%lu 0 %lu 0\n", - (u_long) statp->st_mtime, - (u_long) statp->st_atime); - (void) atomicio(vwrite, remout, path, strlen(path)); - if (response() < 0) { + if (do_times(remout, verbose_mode, statp) < 0) { closedir(dirp); return; } @@ -912,6 +912,7 @@ sink(int argc, char **argv) int amt, exists, first, ofd; mode_t mode, omode, mask; off_t size, statbytes; + unsigned long long ull; int setimes, targisdir, wrerrno = 0; char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; struct timeval tv[2]; @@ -970,17 +971,31 @@ sink(int argc, char **argv) if (*cp == 'T') { setimes++; cp++; - mtime.tv_sec = strtol(cp, &cp, 10); + if (!isdigit((unsigned char)*cp)) + SCREWUP("mtime.sec not present"); + ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("mtime.sec not delimited"); + if ((time_t)ull < 0 || + (unsigned long long)(time_t)ull != ull) + setimes = 0; /* out of range */ + mtime.tv_sec = ull; mtime.tv_usec = strtol(cp, &cp, 10); - if (!cp || *cp++ != ' ') + if (!cp || *cp++ != ' ' || mtime.tv_usec < 0 || + mtime.tv_usec > 999999) SCREWUP("mtime.usec not delimited"); - atime.tv_sec = strtol(cp, &cp, 10); + if (!isdigit((unsigned char)*cp)) + SCREWUP("atime.sec not present"); + ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("atime.sec not delimited"); + if ((time_t)ull < 0 || + (unsigned long long)(time_t)ull != ull) + setimes = 0; /* out of range */ + atime.tv_sec = ull; atime.tv_usec = strtol(cp, &cp, 10); - if (!cp || *cp++ != '\0') + if (!cp || *cp++ != '\0' || atime.tv_usec < 0 || + atime.tv_usec > 999999) SCREWUP("atime.usec not delimited"); (void) atomicio(vwrite, remout, "", 1); continue; @@ -1008,7 +1023,7 @@ sink(int argc, char **argv) if (*cp++ != ' ') SCREWUP("mode not delimited"); - for (size = 0; isdigit(*cp);) + for (size = 0; isdigit((unsigned char)*cp);) size = size * 10 + (*cp++ - '0'); if (*cp++ != ' ') SCREWUP("size not delimited"); @@ -1023,8 +1038,7 @@ sink(int argc, char **argv) need = strlen(targ) + strlen(cp) + 250; if (need > cursize) { - if (namebuf) - xfree(namebuf); + free(namebuf); namebuf = xmalloc(need); cursize = need; } @@ -1063,12 +1077,11 @@ sink(int argc, char **argv) } if (mod_flag) (void) chmod(vect[0], mode); - if (vect[0]) - xfree(vect[0]); + free(vect[0]); continue; } omode = mode; - mode |= S_IWRITE; + mode |= S_IWUSR; if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { bad: run_err("%s: %s", np, strerror(errno)); continue; @@ -1274,7 +1287,7 @@ okname(char *cp0) c = (int)*cp; if (c & 0200) goto bad; - if (!isalpha(c) && !isdigit(c)) { + if (!isalpha(c) && !isdigit((unsigned char)c)) { switch (c) { case '\'': case '"': @@ -1325,7 +1338,7 @@ void lostconn(int signo) { if (!iamremote) - write(STDERR_FILENO, "lost connection\n", 16); + (void)write(STDERR_FILENO, "lost connection\n", 16); if (signo) _exit(1); else diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index a6aeea301..5ea47f65d 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */ /* $FreeBSD$ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -22,6 +22,7 @@ __RCSID("$FreeBSD$"); #include #include +#include #include #include #include @@ -31,6 +32,9 @@ __RCSID("$FreeBSD$"); #include #include #include +#ifdef HAVE_UTIL_H +#include +#endif #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" @@ -78,6 +82,7 @@ initialize_server_options(ServerOptions *options) options->address_family = -1; options->num_host_key_files = 0; options->num_host_cert_files = 0; + options->host_key_agent = NULL; options->pid_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; @@ -90,6 +95,7 @@ initialize_server_options(ServerOptions *options) options->x11_forwarding = -1; options->x11_display_offset = -1; options->x11_use_localhost = -1; + options->permit_tty = -1; options->xauth_location = NULL; options->strict_modes = -1; options->tcp_keep_alive = -1; @@ -113,6 +119,8 @@ initialize_server_options(ServerOptions *options) options->permit_user_env = -1; options->use_login = -1; options->compression = -1; + options->rekey_limit = -1; + options->rekey_interval = -1; options->allow_tcp_forwarding = -1; options->allow_agent_forwarding = -1; options->num_allow_users = 0; @@ -142,7 +150,6 @@ initialize_server_options(ServerOptions *options) options->chroot_directory = NULL; options->authorized_keys_command = NULL; options->authorized_keys_command_user = NULL; - options->zero_knowledge_password_authentication = -1; options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; options->authorized_principals_file = NULL; @@ -181,6 +188,8 @@ fill_default_server_options(ServerOptions *options) options->host_key_files[options->num_host_key_files++] = _PATH_HOST_ECDSA_KEY_FILE; #endif + options->host_key_files[options->num_host_key_files++] = + _PATH_HOST_ED25519_KEY_FILE; } } /* No certificates by default */ @@ -214,6 +223,8 @@ fill_default_server_options(ServerOptions *options) options->x11_use_localhost = 1; if (options->xauth_location == NULL) options->xauth_location = _PATH_XAUTH; + if (options->permit_tty == -1) + options->permit_tty = 1; if (options->strict_modes == -1) options->strict_modes = 1; if (options->tcp_keep_alive == -1) @@ -258,6 +269,10 @@ fill_default_server_options(ServerOptions *options) options->use_login = 0; if (options->compression == -1) options->compression = COMP_DELAYED; + if (options->rekey_limit == -1) + options->rekey_limit = 0; + if (options->rekey_interval == -1) + options->rekey_interval = 0; if (options->allow_tcp_forwarding == -1) options->allow_tcp_forwarding = FORWARD_ALLOW; if (options->allow_agent_forwarding == -1) @@ -288,8 +303,6 @@ fill_default_server_options(ServerOptions *options) } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; - if (options->zero_knowledge_password_authentication == -1) - options->zero_knowledge_password_authentication = 0; if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) @@ -359,9 +372,9 @@ typedef enum { sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, - sStrictModes, sEmptyPasswd, sTCPKeepAlive, + sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, - sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, @@ -371,11 +384,11 @@ typedef enum { sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, sHostCertificate, + sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, + sAuthenticationMethods, sHostKeyAgent, sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll, #ifdef NONE_CIPHER_ENABLED sNoneEnabled, @@ -404,6 +417,7 @@ static struct { { "port", sPort, SSHCFG_GLOBAL }, { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ + { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, { "pidfile", sPidFile, SSHCFG_GLOBAL }, { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, @@ -446,11 +460,6 @@ static struct { { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ -#ifdef JPAKE - { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, -#else - { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, -#endif { "checkmail", sDeprecated, SSHCFG_GLOBAL }, { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, @@ -467,6 +476,7 @@ static struct { { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, { "uselogin", sUseLogin, SSHCFG_GLOBAL }, { "compression", sCompression, SSHCFG_GLOBAL }, + { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, @@ -494,6 +504,7 @@ static struct { { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, { "acceptenv", sAcceptEnv, SSHCFG_ALL }, { "permittunnel", sPermitTunnel, SSHCFG_ALL }, + { "permittty", sPermitTTY, SSHCFG_ALL }, { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, { "forcecommand", sForceCommand, SSHCFG_ALL }, @@ -560,7 +571,7 @@ derelativise_path(const char *path) if (getcwd(cwd, sizeof(cwd)) == NULL) fatal("%s: getcwd: %s", __func__, strerror(errno)); xasprintf(&ret, "%s/%s", cwd, expanded); - xfree(expanded); + free(expanded); return ret; } @@ -679,13 +690,13 @@ out: /* * All of the attributes on a single Match line are ANDed together, so we need - * to check every * attribute and set the result to zero if any attribute does + * to check every attribute and set the result to zero if any attribute does * not match. */ static int match_cfg_line(char **condition, int line, struct connection_info *ci) { - int result = 1, port; + int result = 1, attributes = 0, port; char *arg, *attrib, *cp = *condition; size_t len; @@ -699,6 +710,17 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) ci->laddress ? ci->laddress : "(null)", ci->lport); while ((attrib = strdelim(&cp)) && *attrib != '\0') { + attributes++; + if (strcasecmp(attrib, "all") == 0) { + if (attributes != 1 || + ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { + error("'all' cannot be combined with other " + "Match attributes"); + return -1; + } + *condition = cp; + return 1; + } if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { error("Missing Match criteria for %s", attrib); return -1; @@ -792,6 +814,10 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) return -1; } } + if (attributes == 0) { + error("One or more attributes required for Match"); + return -1; + } if (ci != NULL) debug3("match %sfound", result ? "" : "not "); *condition = cp; @@ -852,13 +878,13 @@ process_server_config_line(ServerOptions *options, char *line, struct connection_info *connectinfo) { char *cp, **charptr, *arg, *p; - int cmdline = 0, *intptr, value, value2, n; + int cmdline = 0, *intptr, value, value2, n, port; SyslogFacility *log_facility_ptr; LogLevel *log_level_ptr; ServerOpCodes opcode; - int port; u_int i, flags = 0; size_t len; + long long val64; const struct multistate *multistate_ptr; cp = line; @@ -1018,6 +1044,17 @@ process_server_config_line(ServerOptions *options, char *line, } break; + case sHostKeyAgent: + charptr = &options->host_key_agent; + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing socket name.", + filename, linenum); + if (*activep && *charptr == NULL) + *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? + xstrdup(arg) : derelativise_path(arg); + break; + case sHostCertificate: intptr = &options->num_host_cert_files; if (*intptr >= MAX_HOSTKEYS) @@ -1108,10 +1145,6 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->password_authentication; goto parse_flag; - case sZeroKnowledgePasswordAuthentication: - intptr = &options->zero_knowledge_password_authentication; - goto parse_flag; - case sKbdInteractiveAuthentication: intptr = &options->kbd_interactive_authentication; goto parse_flag; @@ -1144,6 +1177,10 @@ process_server_config_line(ServerOptions *options, char *line, charptr = &options->xauth_location; goto parse_filename; + case sPermitTTY: + intptr = &options->permit_tty; + goto parse_flag; + case sStrictModes: intptr = &options->strict_modes; goto parse_flag; @@ -1169,6 +1206,37 @@ process_server_config_line(ServerOptions *options, char *line, multistate_ptr = multistate_compression; goto parse_multistate; + case sRekeyLimit: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, + linenum); + if (strcmp(arg, "default") == 0) { + val64 = 0; + } else { + if (scan_scaled(arg, &val64) == -1) + fatal("%.200s line %d: Bad number '%s': %s", + filename, linenum, arg, strerror(errno)); + /* check for too-large or too-small limits */ + if (val64 > UINT_MAX) + fatal("%.200s line %d: RekeyLimit too large", + filename, linenum); + if (val64 != 0 && val64 < 16) + fatal("%.200s line %d: RekeyLimit too small", + filename, linenum); + } + if (*activep && options->rekey_limit == -1) + options->rekey_limit = (u_int32_t)val64; + if (cp != NULL) { /* optional rekey interval present */ + if (strcmp(cp, "none") == 0) { + (void)strdelim(&cp); /* discard */ + break; + } + intptr = &options->rekey_interval; + goto parse_time; + } + break; + case sGatewayPorts: intptr = &options->gateway_ports; multistate_ptr = multistate_gatewayports; @@ -1733,25 +1801,6 @@ int server_match_spec_complete(struct connection_info *ci) return 0; /* partial */ } -/* Helper macros */ -#define M_CP_INTOPT(n) do {\ - if (src->n != -1) \ - dst->n = src->n; \ -} while (0) -#define M_CP_STROPT(n) do {\ - if (src->n != NULL) { \ - if (dst->n != NULL) \ - xfree(dst->n); \ - dst->n = src->n; \ - } \ -} while(0) -#define M_CP_STRARRAYOPT(n, num_n) do {\ - if (src->num_n != 0) { \ - for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ - dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ - } \ -} while(0) - /* * Copy any supported values that are set. * @@ -1762,6 +1811,11 @@ int server_match_spec_complete(struct connection_info *ci) void copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) { +#define M_CP_INTOPT(n) do {\ + if (src->n != -1) \ + dst->n = src->n; \ +} while (0) + M_CP_INTOPT(password_authentication); M_CP_INTOPT(gss_authentication); M_CP_INTOPT(rsa_authentication); @@ -1770,9 +1824,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(hostbased_authentication); M_CP_INTOPT(hostbased_uses_name_from_packet_only); M_CP_INTOPT(kbd_interactive_authentication); - M_CP_INTOPT(zero_knowledge_password_authentication); - M_CP_STROPT(authorized_keys_command); - M_CP_STROPT(authorized_keys_command_user); M_CP_INTOPT(permit_root_login); M_CP_INTOPT(permit_empty_passwd); @@ -1783,10 +1834,27 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_use_localhost); + M_CP_INTOPT(permit_tty); M_CP_INTOPT(max_sessions); M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); + M_CP_INTOPT(rekey_limit); + M_CP_INTOPT(rekey_interval); + + /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ +#define M_CP_STROPT(n) do {\ + if (src->n != NULL && dst->n != src->n) { \ + free(dst->n); \ + dst->n = src->n; \ + } \ +} while(0) +#define M_CP_STRARRAYOPT(n, num_n) do {\ + if (src->num_n != 0) { \ + for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ + dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ + } \ +} while(0) /* See comment in servconf.h */ COPY_MATCH_STRING_OPTS(); @@ -1823,7 +1891,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, linenum++, &active, connectinfo) != 0) bad_options++; } - xfree(obuf); + free(obuf); if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); @@ -1997,10 +2065,6 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); -#endif -#ifdef JPAKE - dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, - o->zero_knowledge_password_authentication); #endif dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, @@ -2011,6 +2075,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); + dump_cfg_fmtint(sPermitTTY, o->permit_tty); dump_cfg_fmtint(sStrictModes, o->strict_modes); dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); @@ -2025,8 +2090,9 @@ dump_config(ServerOptions *o) /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sXAuthLocation, o->xauth_location); - dump_cfg_string(sCiphers, o->ciphers); - dump_cfg_string(sMacs, o->macs); + dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : + cipher_alg_list(',', 0)); + dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(',')); dump_cfg_string(sBanner, o->banner); dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sChrootDirectory, o->chroot_directory); @@ -2037,6 +2103,9 @@ dump_config(ServerOptions *o) dump_cfg_string(sVersionAddendum, o->version_addendum); dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); + dump_cfg_string(sHostKeyAgent, o->host_key_agent); + dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : + kex_alg_list(',')); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); @@ -2075,5 +2144,8 @@ dump_config(ServerOptions *o) printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); printf("%s\n", iptos2str(o->ip_qos_bulk)); + printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, + o->rekey_interval); + channel_print_adm_permitted_opens(); } diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h index 6e5df9e0d..36d9966fc 100644 --- a/crypto/openssh/servconf.h +++ b/crypto/openssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.112 2014/01/29 06:18:35 djm Exp $ */ /* $FreeBSD$ */ /* @@ -66,6 +66,7 @@ typedef struct { int num_host_key_files; /* Number of files for host keys. */ char *host_cert_files[MAX_HOSTCERTS]; /* Files containing host certs. */ int num_host_cert_files; /* Number of files for host certs. */ + char *host_key_agent; /* ssh-agent socket for host keys. */ char *pid_file; /* Where to put our pid */ int server_key_bits;/* Size of the server key. */ int login_grace_time; /* Disconnect if no auth in this time @@ -82,6 +83,7 @@ typedef struct { * searching at */ int x11_use_localhost; /* If true, use localhost for fake X11 server. */ char *xauth_location; /* Location of xauth program */ + int permit_tty; /* If false, deny pty allocation */ int strict_modes; /* If true, require string home dir modes. */ int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ @@ -116,8 +118,6 @@ typedef struct { * authentication. */ int kbd_interactive_authentication; /* If true, permit */ int challenge_response_authentication; - int zero_knowledge_password_authentication; - /* If true, permit jpake auth */ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int permit_user_env; /* If true, read ~/.ssh/environment */ @@ -177,6 +177,9 @@ typedef struct { char *authorized_keys_command; char *authorized_keys_command_user; + int64_t rekey_limit; + int rekey_interval; + char *version_addendum; /* Appended to SSH banner */ int hpn_disabled; /* Disable HPN functionality. */ @@ -206,6 +209,9 @@ struct connection_info { * Match sub-config and the main config, and must be sent from the * privsep slave to the privsep master. We use a macro to ensure all * the options are copied and the copies are done in the correct order. + * + * NB. an option must appear in servconf.c:copy_set_server_options() or + * COPY_MATCH_STRING_OPTS here but never both. */ #define COPY_MATCH_STRING_OPTS() do { \ M_CP_STROPT(banner); \ diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c index 53a99ca83..48934bb88 100644 --- a/crypto/openssh/serverloop.c +++ b/crypto/openssh/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.170 2014/02/02 03:44:31 djm Exp $ */ /* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -37,6 +37,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include @@ -149,7 +150,7 @@ static void notify_parent(void) { if (notify_pipe[1] != -1) - write(notify_pipe[1], "", 1); + (void)write(notify_pipe[1], "", 1); } static void notify_prepare(fd_set *readset) @@ -278,7 +279,7 @@ client_alive_check(void) */ static void wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, - u_int *nallocp, u_int max_time_milliseconds) + u_int *nallocp, u_int64_t max_time_milliseconds) { struct timeval tv, *tvp; int ret; @@ -305,7 +306,8 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, if (compat20 && max_time_milliseconds == 0 && options.client_alive_interval) { client_alive_scheduled = 1; - max_time_milliseconds = options.client_alive_interval * 1000; + max_time_milliseconds = + (u_int64_t)options.client_alive_interval * 1000; } if (compat20) { @@ -564,7 +566,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) int wait_status; /* Status returned by wait(). */ pid_t wait_pid; /* pid returned by wait(). */ int waiting_termination = 0; /* Have displayed waiting close message. */ - u_int max_time_milliseconds; + u_int64_t max_time_milliseconds; u_int previous_stdout_buffer_bytes; u_int stdout_buffer_bytes; int type; @@ -695,7 +697,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) /* Display list of open channels. */ cp = channel_open_message(); buffer_append(&stderr_buffer, cp, strlen(cp)); - xfree(cp); + free(cp); } } max_fd = MAX(connection_in, connection_out); @@ -723,10 +725,8 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) /* Process output to the client and to program stdin. */ process_output(writeset); } - if (readset) - xfree(readset); - if (writeset) - xfree(writeset); + free(readset); + free(writeset); /* Cleanup and termination code. */ @@ -826,7 +826,9 @@ void server_loop2(Authctxt *authctxt) { fd_set *readset = NULL, *writeset = NULL; - int rekeying = 0, max_fd, nalloc = 0; + int rekeying = 0, max_fd; + u_int nalloc = 0; + u_int64_t rekey_timeout_ms = 0; debug("Entering interactive session for SSH2."); @@ -855,8 +857,13 @@ server_loop2(Authctxt *authctxt) if (!rekeying && packet_not_very_much_data_to_write()) channel_output_poll(); + if (options.rekey_interval > 0 && compat20 && !rekeying) + rekey_timeout_ms = packet_get_rekey_timeout() * 1000; + else + rekey_timeout_ms = 0; + wait_until_can_do_something(&readset, &writeset, &max_fd, - &nalloc, 0); + &nalloc, rekey_timeout_ms); if (received_sigterm) { logit("Exiting on signal %d", (int)received_sigterm); @@ -880,10 +887,8 @@ server_loop2(Authctxt *authctxt) } collect_children(); - if (readset) - xfree(readset); - if (writeset) - xfree(writeset); + free(readset); + free(writeset); /* free all channels, no more reads and writes */ channel_free_all(); @@ -917,8 +922,8 @@ server_input_stdin_data(int type, u_int32_t seq, void *ctxt) data = packet_get_string(&data_len); packet_check_eom(); buffer_append(&stdin_buffer, data, data_len); - memset(data, 0, data_len); - xfree(data); + explicit_bzero(data, data_len); + free(data); } static void @@ -975,8 +980,8 @@ server_request_direct_tcpip(void) originator, originator_port, target, target_port); } - xfree(originator); - xfree(target); + free(originator); + free(target); return c; } @@ -1113,7 +1118,7 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt) } packet_send(); } - xfree(ctype); + free(ctype); } static void @@ -1158,7 +1163,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) listen_address, listen_port, &allocated_listen_port, options.gateway_ports); } - xfree(listen_address); + free(listen_address); } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) { char *cancel_address; u_short cancel_port; @@ -1170,7 +1175,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) success = channel_cancel_rport_listener(cancel_address, cancel_port); - xfree(cancel_address); + free(cancel_address); } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) { no_more_sessions = 1; success = 1; @@ -1183,7 +1188,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) packet_send(); packet_write_wait(); } - xfree(rtype); + free(rtype); } static void @@ -1215,7 +1220,7 @@ server_input_channel_req(int type, u_int32_t seq, void *ctxt) packet_put_int(c->remote_id); packet_send(); } - xfree(rtype); + free(rtype); } static void diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c index 315538e59..9fe6a1ad2 100644 --- a/crypto/openssh/session.c +++ b/crypto/openssh/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: session.c,v 1.270 2014/01/31 16:39:19 tedu Exp $ */ /* $FreeBSD$ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -82,6 +82,7 @@ __RCSID("$FreeBSD$"); #include "hostfile.h" #include "auth.h" #include "auth-options.h" +#include "authfd.h" #include "pathnames.h" #include "log.h" #include "servconf.h" @@ -201,7 +202,7 @@ auth_input_request_forwarding(struct passwd * pw) packet_send_debug("Agent forwarding disabled: " "mkdtemp() failed: %.100s", strerror(errno)); restore_uid(); - xfree(auth_sock_dir); + free(auth_sock_dir); auth_sock_dir = NULL; goto authsock_err; } @@ -249,11 +250,10 @@ auth_input_request_forwarding(struct passwd * pw) return 1; authsock_err: - if (auth_sock_name != NULL) - xfree(auth_sock_name); + free(auth_sock_name); if (auth_sock_dir != NULL) { rmdir(auth_sock_dir); - xfree(auth_sock_dir); + free(auth_sock_dir); } if (sock != -1) close(sock); @@ -369,8 +369,8 @@ do_authenticated1(Authctxt *authctxt) packet_check_eom(); success = session_setup_x11fwd(s); if (!success) { - xfree(s->auth_proto); - xfree(s->auth_data); + free(s->auth_proto); + free(s->auth_data); s->auth_proto = NULL; s->auth_data = NULL; } @@ -417,7 +417,7 @@ do_authenticated1(Authctxt *authctxt) if (do_exec(s, command) != 0) packet_disconnect( "command execution failed"); - xfree(command); + free(command); } else { if (do_exec(s, NULL) != 0) packet_disconnect( @@ -446,7 +446,7 @@ do_authenticated1(Authctxt *authctxt) } } -#define USE_PIPES +#define USE_PIPES 1 /* * This is called to fork and execute a command when we have no tty. This * will call do_child from the child, and server_loop from the parent after @@ -799,27 +799,50 @@ int do_exec(Session *s, const char *command) { int ret; + const char *forced = NULL; + char session_type[1024], *tty = NULL; if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if (IS_INTERNAL_SFTP(command)) { - s->is_subsystem = s->is_subsystem ? - SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; - } else if (s->is_subsystem) - s->is_subsystem = SUBSYSTEM_EXT; - debug("Forced command (config) '%.900s'", command); + forced = "(config)"; } else if (forced_command) { original_command = command; command = forced_command; + forced = "(key-option)"; + } + if (forced != NULL) { if (IS_INTERNAL_SFTP(command)) { s->is_subsystem = s->is_subsystem ? SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; } else if (s->is_subsystem) s->is_subsystem = SUBSYSTEM_EXT; - debug("Forced command (key option) '%.900s'", command); + snprintf(session_type, sizeof(session_type), + "forced-command %s '%.900s'", forced, command); + } else if (s->is_subsystem) { + snprintf(session_type, sizeof(session_type), + "subsystem '%.900s'", s->subsys); + } else if (command == NULL) { + snprintf(session_type, sizeof(session_type), "shell"); + } else { + /* NB. we don't log unforced commands to preserve privacy */ + snprintf(session_type, sizeof(session_type), "command"); + } + + if (s->ttyfd != -1) { + tty = s->tty; + if (strncmp(tty, "/dev/", 5) == 0) + tty += 5; } + verbose("Starting session: %s%s%s for %s from %.200s port %d", + session_type, + tty == NULL ? "" : " on ", + tty == NULL ? "" : tty, + s->pw->pw_name, + get_remote_ipaddr(), + get_remote_port()); + #ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); @@ -960,6 +983,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, u_int envsize; u_int i, namelen; + if (strchr(name, '=') != NULL) { + error("Invalid environment variable \"%.100s\"", name); + return; + } + /* * If we're passed an uninitialized list, allocate a single null * entry before continuing. @@ -982,7 +1010,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, break; if (env[i]) { /* Reuse the slot. */ - xfree(env[i]); + free(env[i]); } else { /* New variable. Expand if necessary. */ envsize = *envsizep; @@ -1098,8 +1126,8 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid) umask((mode_t)mask); for (i = 0; tmpenv[i] != NULL; i++) - xfree(tmpenv[i]); - xfree(tmpenv); + free(tmpenv[i]); + free(tmpenv); } #endif /* HAVE_ETC_DEFAULT_LOGIN */ @@ -1115,7 +1143,7 @@ copy_environment(char **source, char ***env, u_int *envsize) for(i = 0; source[i] != NULL; i++) { var_name = xstrdup(source[i]); if ((var_val = strstr(var_name, "=")) == NULL) { - xfree(var_name); + free(var_name); continue; } *var_val++ = '\0'; @@ -1123,7 +1151,7 @@ copy_environment(char **source, char ***env, u_int *envsize) debug3("Copy environment: %s=%s", var_name, var_val); child_set_env(env, envsize, var_name, var_val); - xfree(var_name); + free(var_name); } } @@ -1195,8 +1223,8 @@ do_setup_env(Session *s, const char *shell) LOGIN_SETENV|LOGIN_SETPATH); copy_environment(environ, &env, &envsize); for (var = environ; *var != NULL; ++var) - xfree(*var); - xfree(environ); + free(*var); + free(environ); environ = senv; #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN @@ -1235,8 +1263,8 @@ do_setup_env(Session *s, const char *shell) child_set_env(&env, &envsize, str, str + i + 1); } custom_environment = ce->next; - xfree(ce->s); - xfree(ce); + free(ce->s); + free(ce); } } @@ -1248,7 +1276,7 @@ do_setup_env(Session *s, const char *shell) laddr = get_local_ipaddr(packet_get_connection_in()); snprintf(buf, sizeof buf, "%.50s %d %.50s %d", get_remote_ipaddr(), get_remote_port(), laddr, get_local_port()); - xfree(laddr); + free(laddr); child_set_env(&env, &envsize, "SSH_CONNECTION", buf); if (s->ttyfd != -1) @@ -1419,7 +1447,7 @@ do_nologin(struct passwd *pw) #endif if (stat(nl, &sb) == -1) { if (nl != def_nl) - xfree(nl); + free(nl); return; } @@ -1529,6 +1557,9 @@ do_setusercontext(struct passwd *pw) safely_chroot(chroot_path, pw->pw_uid); free(tmp); free(chroot_path); + /* Make sure we don't attempt to chroot again */ + free(options.chroot_directory); + options.chroot_directory = NULL; } #ifdef HAVE_LOGIN_CAP @@ -1542,9 +1573,17 @@ do_setusercontext(struct passwd *pw) */ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); #else +# ifdef USE_LIBIAF + if (set_id(pw->pw_name) != 0) { + fatal("set_id(%s) Failed", pw->pw_name); + } +# endif /* USE_LIBIAF */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif + } else if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) { + fatal("server lacks privileges to chroot to ChrootDirectory"); } if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) @@ -1600,6 +1639,13 @@ launch_login(struct passwd *pw, const char *hostname) static void child_close_fds(void) { + extern AuthenticationConnection *auth_conn; + + if (auth_conn) { + ssh_close_authentication_connection(auth_conn); + auth_conn = NULL; + } + if (packet_get_connection_in() == packet_get_connection_out()) close(packet_get_connection_in()); else { @@ -1864,7 +1910,7 @@ session_unused(int id) fatal("%s: insane session id %d (max %d nalloc %d)", __func__, id, options.max_sessions, sessions_nalloc); } - bzero(&sessions[id], sizeof(*sessions)); + memset(&sessions[id], 0, sizeof(*sessions)); sessions[id].self = id; sessions[id].used = 0; sessions[id].chanid = -1; @@ -2042,7 +2088,7 @@ session_pty_req(Session *s) u_int len; int n_bytes; - if (no_pty_flag) { + if (no_pty_flag || !options.permit_tty) { debug("Allocating a pty not permitted for this authentication."); return 0; } @@ -2064,7 +2110,7 @@ session_pty_req(Session *s) s->ypixel = packet_get_int(); if (strcmp(s->term, "") == 0) { - xfree(s->term); + free(s->term); s->term = NULL; } @@ -2072,8 +2118,7 @@ session_pty_req(Session *s) debug("Allocating pty."); if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) { - if (s->term) - xfree(s->term); + free(s->term); s->term = NULL; s->ptyfd = -1; s->ttyfd = -1; @@ -2104,15 +2149,16 @@ session_subsystem_req(Session *s) struct stat st; u_int len; int success = 0; - char *prog, *cmd, *subsys = packet_get_string(&len); + char *prog, *cmd; u_int i; + s->subsys = packet_get_string(&len); packet_check_eom(); - logit("subsystem request for %.100s by user %s", subsys, + debug2("subsystem request for %.100s by user %s", s->subsys, s->pw->pw_name); for (i = 0; i < options.num_subsystems; i++) { - if (strcmp(subsys, options.subsystem_name[i]) == 0) { + if (strcmp(s->subsys, options.subsystem_name[i]) == 0) { prog = options.subsystem_command[i]; cmd = options.subsystem_args[i]; if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) { @@ -2131,10 +2177,9 @@ session_subsystem_req(Session *s) } if (!success) - logit("subsystem request for %.100s failed, subsystem not found", - subsys); + logit("subsystem request for %.100s by user %s failed, " + "subsystem not found", s->subsys, s->pw->pw_name); - xfree(subsys); return success; } @@ -2156,8 +2201,8 @@ session_x11_req(Session *s) success = session_setup_x11fwd(s); if (!success) { - xfree(s->auth_proto); - xfree(s->auth_data); + free(s->auth_proto); + free(s->auth_data); s->auth_proto = NULL; s->auth_data = NULL; } @@ -2179,7 +2224,7 @@ session_exec_req(Session *s) char *command = packet_get_string(&len); packet_check_eom(); success = do_exec(s, command) == 0; - xfree(command); + free(command); return success; } @@ -2201,8 +2246,8 @@ session_env_req(Session *s) char *name, *val; u_int name_len, val_len, i; - name = packet_get_string(&name_len); - val = packet_get_string(&val_len); + name = packet_get_cstring(&name_len); + val = packet_get_cstring(&val_len); packet_check_eom(); /* Don't set too many environment variables */ @@ -2225,8 +2270,8 @@ session_env_req(Session *s) debug2("Ignoring env request %s: disallowed name", name); fail: - xfree(name); - xfree(val); + free(name); + free(val); return (0); } @@ -2412,24 +2457,16 @@ session_close_single_x11(int id, void *arg) if (s->x11_chanids[i] != id) session_close_x11(s->x11_chanids[i]); } - xfree(s->x11_chanids); + free(s->x11_chanids); s->x11_chanids = NULL; - if (s->display) { - xfree(s->display); - s->display = NULL; - } - if (s->auth_proto) { - xfree(s->auth_proto); - s->auth_proto = NULL; - } - if (s->auth_data) { - xfree(s->auth_data); - s->auth_data = NULL; - } - if (s->auth_display) { - xfree(s->auth_display); - s->auth_display = NULL; - } + free(s->display); + s->display = NULL; + free(s->auth_proto); + s->auth_proto = NULL; + free(s->auth_data); + s->auth_data = NULL; + free(s->auth_display); + s->auth_display = NULL; } static void @@ -2491,24 +2528,19 @@ session_close(Session *s) debug("session_close: session %d pid %ld", s->self, (long)s->pid); if (s->ttyfd != -1) session_pty_cleanup(s); - if (s->term) - xfree(s->term); - if (s->display) - xfree(s->display); - if (s->x11_chanids) - xfree(s->x11_chanids); - if (s->auth_display) - xfree(s->auth_display); - if (s->auth_data) - xfree(s->auth_data); - if (s->auth_proto) - xfree(s->auth_proto); + free(s->term); + free(s->display); + free(s->x11_chanids); + free(s->auth_display); + free(s->auth_data); + free(s->auth_proto); + free(s->subsys); if (s->env != NULL) { for (i = 0; i < s->num_env; i++) { - xfree(s->env[i].name); - xfree(s->env[i].val); + free(s->env[i].name); + free(s->env[i].val); } - xfree(s->env); + free(s->env); } session_proctitle(s); session_unused(s->self); diff --git a/crypto/openssh/session.h b/crypto/openssh/session.h index cbb8e3a32..6a2f35e41 100644 --- a/crypto/openssh/session.h +++ b/crypto/openssh/session.h @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ +/* $OpenBSD: session.h,v 1.31 2013/10/14 21:20:52 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -55,6 +55,7 @@ struct Session { int chanid; int *x11_chanids; int is_subsystem; + char *subsys; u_int num_env; struct { char *name; diff --git a/crypto/openssh/sftp-client.c b/crypto/openssh/sftp-client.c index 85f2bd444..2f5907c85 100644 --- a/crypto/openssh/sftp-client.c +++ b/crypto/openssh/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.97 2012/07/02 12:13:26 dtucker Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.114 2014/01/31 16:39:19 tedu Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -42,6 +42,7 @@ #include #include #include +#include #include #include @@ -76,6 +77,7 @@ struct sftp_conn { #define SFTP_EXT_STATVFS 0x00000002 #define SFTP_EXT_FSTATVFS 0x00000004 #define SFTP_EXT_HARDLINK 0x00000008 +#define SFTP_EXT_FSYNC 0x00000010 u_int exts; u_int64_t limit_kbps; struct bwlimit bwlimit_in, bwlimit_out; @@ -112,7 +114,7 @@ send_msg(struct sftp_conn *conn, Buffer *m) iov[1].iov_len = buffer_len(m); if (atomiciov6(writev, conn->fd_out, iov, 2, - conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != + conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != buffer_len(m) + sizeof(mlen)) fatal("Couldn't send packet: %s", strerror(errno)); @@ -308,7 +310,7 @@ get_decode_statvfs(struct sftp_conn *conn, struct sftp_statvfs *st, SSH2_FXP_EXTENDED_REPLY, type); } - bzero(st, sizeof(*st)); + memset(st, 0, sizeof(*st)); st->f_bsize = buffer_get_int64(&msg); st->f_frsize = buffer_get_int64(&msg); st->f_blocks = buffer_get_int64(&msg); @@ -337,7 +339,8 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests, Buffer msg; struct sftp_conn *ret; - ret = xmalloc(sizeof(*ret)); + ret = xcalloc(1, sizeof(*ret)); + ret->msg_id = 1; ret->fd_in = fd_in; ret->fd_out = fd_out; ret->transfer_buflen = transfer_buflen; @@ -387,6 +390,10 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests, strcmp(value, "1") == 0) { ret->exts |= SFTP_EXT_HARDLINK; known = 1; + } else if (strcmp(name, "fsync@openssh.com") == 0 && + strcmp(value, "1") == 0) { + ret->exts |= SFTP_EXT_FSYNC; + known = 1; } if (known) { debug2("Server supports extension \"%s\" revision %s", @@ -394,8 +401,8 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests, } else { debug2("Unrecognised server extension \"%s\"", name); } - xfree(name); - xfree(value); + free(name); + free(value); } buffer_free(&msg); @@ -447,12 +454,16 @@ do_close(struct sftp_conn *conn, char *handle, u_int handle_len) static int -do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, +do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, SFTP_DIRENT ***dir) { Buffer msg; u_int count, type, id, handle_len, i, expected_id, ents = 0; char *handle; + int status = SSH2_FX_FAILURE; + + if (dir) + *dir = NULL; id = conn->msg_id++; @@ -471,7 +482,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, if (dir) { ents = 0; - *dir = xmalloc(sizeof(**dir)); + *dir = xcalloc(1, sizeof(**dir)); (*dir)[0] = NULL; } @@ -499,20 +510,12 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, fatal("ID mismatch (%u != %u)", id, expected_id); if (type == SSH2_FXP_STATUS) { - int status = buffer_get_int(&msg); - + status = buffer_get_int(&msg); debug3("Received SSH2_FXP_STATUS %d", status); - - if (status == SSH2_FX_EOF) { + if (status == SSH2_FX_EOF) break; - } else { - error("Couldn't read directory: %s", - fx2txt(status)); - do_close(conn, handle, handle_len); - xfree(handle); - buffer_free(&msg); - return(status); - } + error("Couldn't read directory: %s", fx2txt(status)); + goto out; } else if (type != SSH2_FXP_NAME) fatal("Expected SSH2_FXP_NAME(%u) packet, got %u", SSH2_FXP_NAME, type); @@ -529,7 +532,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, longname = buffer_get_string(&msg, NULL); a = decode_attrib(&msg); - if (printflag) + if (print_flag) printf("%s\n", longname); /* @@ -540,35 +543,37 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, if (strchr(filename, '/') != NULL) { error("Server sent suspect path \"%s\" " "during readdir of \"%s\"", filename, path); - goto next; - } - - if (dir) { + } else if (dir) { *dir = xrealloc(*dir, ents + 2, sizeof(**dir)); - (*dir)[ents] = xmalloc(sizeof(***dir)); + (*dir)[ents] = xcalloc(1, sizeof(***dir)); (*dir)[ents]->filename = xstrdup(filename); (*dir)[ents]->longname = xstrdup(longname); memcpy(&(*dir)[ents]->a, a, sizeof(*a)); (*dir)[++ents] = NULL; } - next: - xfree(filename); - xfree(longname); + free(filename); + free(longname); } } + status = 0; + out: buffer_free(&msg); do_close(conn, handle, handle_len); - xfree(handle); + free(handle); - /* Don't return partial matches on interrupt */ - if (interrupted && dir != NULL && *dir != NULL) { + if (status != 0 && dir != NULL) { + /* Don't return results on error */ + free_sftp_dirents(*dir); + *dir = NULL; + } else if (interrupted && dir != NULL && *dir != NULL) { + /* Don't return partial matches on interrupt */ free_sftp_dirents(*dir); - *dir = xmalloc(sizeof(**dir)); + *dir = xcalloc(1, sizeof(**dir)); **dir = NULL; } - return 0; + return status; } int @@ -581,12 +586,14 @@ void free_sftp_dirents(SFTP_DIRENT **s) { int i; + if (s == NULL) + return; for (i = 0; s[i]; i++) { - xfree(s[i]->filename); - xfree(s[i]->longname); - xfree(s[i]); + free(s[i]->filename); + free(s[i]->longname); + free(s[i]); } - xfree(s); + free(s); } int @@ -605,7 +612,7 @@ do_rm(struct sftp_conn *conn, char *path) } int -do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int printflag) +do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag) { u_int status, id; @@ -614,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int printflag) strlen(path), a); status = get_status(conn, id); - if (status != SSH2_FX_OK && printflag) + if (status != SSH2_FX_OK && print_flag) error("Couldn't create directory: %s", fx2txt(status)); return(status); @@ -742,7 +749,7 @@ do_realpath(struct sftp_conn *conn, char *path) if (type == SSH2_FXP_STATUS) { u_int status = buffer_get_int(&msg); - error("Couldn't canonicalise: %s", fx2txt(status)); + error("Couldn't canonicalize: %s", fx2txt(status)); buffer_free(&msg); return NULL; } else if (type != SSH2_FXP_NAME) @@ -760,7 +767,7 @@ do_realpath(struct sftp_conn *conn, char *path) debug3("SSH_FXP_REALPATH %s -> %s size %lu", path, filename, (unsigned long)a->size); - xfree(longname); + free(longname); buffer_free(&msg); @@ -768,16 +775,18 @@ do_realpath(struct sftp_conn *conn, char *path) } int -do_rename(struct sftp_conn *conn, char *oldpath, char *newpath) +do_rename(struct sftp_conn *conn, char *oldpath, char *newpath, + int force_legacy) { Buffer msg; u_int status, id; + int use_ext = (conn->exts & SFTP_EXT_POSIX_RENAME) && !force_legacy; buffer_init(&msg); /* Send rename request */ id = conn->msg_id++; - if ((conn->exts & SFTP_EXT_POSIX_RENAME)) { + if (use_ext) { buffer_put_char(&msg, SSH2_FXP_EXTENDED); buffer_put_int(&msg, id); buffer_put_cstring(&msg, "posix-rename@openssh.com"); @@ -789,8 +798,8 @@ do_rename(struct sftp_conn *conn, char *oldpath, char *newpath) buffer_put_cstring(&msg, newpath); send_msg(conn, &msg); debug3("Sent message %s \"%s\" -> \"%s\"", - (conn->exts & SFTP_EXT_POSIX_RENAME) ? "posix-rename@openssh.com" : - "SSH2_FXP_RENAME", oldpath, newpath); + use_ext ? "posix-rename@openssh.com" : "SSH2_FXP_RENAME", + oldpath, newpath); buffer_free(&msg); status = get_status(conn, id); @@ -866,6 +875,36 @@ do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath) return(status); } +int +do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len) +{ + Buffer msg; + u_int status, id; + + /* Silently return if the extension is not supported */ + if ((conn->exts & SFTP_EXT_FSYNC) == 0) + return -1; + + buffer_init(&msg); + + /* Send fsync request */ + id = conn->msg_id++; + + buffer_put_char(&msg, SSH2_FXP_EXTENDED); + buffer_put_int(&msg, id); + buffer_put_cstring(&msg, "fsync@openssh.com"); + buffer_put_string(&msg, handle, handle_len); + send_msg(conn, &msg); + debug3("Sent message fsync@openssh.com I:%u", id); + buffer_free(&msg); + + status = get_status(conn, id); + if (status != SSH2_FX_OK) + error("Couldn't sync file: %s", fx2txt(status)); + + return status; +} + #ifdef notyet char * do_readlink(struct sftp_conn *conn, char *path) @@ -907,7 +946,7 @@ do_readlink(struct sftp_conn *conn, char *path) debug3("SSH_FXP_READLINK %s -> %s", path, filename); - xfree(longname); + free(longname); buffer_free(&msg); @@ -988,16 +1027,17 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset, int do_download(struct sftp_conn *conn, char *remote_path, char *local_path, - Attrib *a, int pflag) + Attrib *a, int preserve_flag, int resume_flag, int fsync_flag) { Attrib junk; Buffer msg; char *handle; - int local_fd, status = 0, write_error; - int read_error, write_errno; - u_int64_t offset, size; + int local_fd = -1, status = 0, write_error; + int read_error, write_errno, reordered = 0; + u_int64_t offset = 0, size, highwater; u_int handle_len, mode, type, id, buflen, num_req, max_req; off_t progress_counter; + struct stat st; struct request { u_int id; u_int len; @@ -1050,21 +1090,42 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, return(-1); } - local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, - mode | S_IWRITE); + local_fd = open(local_path, + O_WRONLY | O_CREAT | (resume_flag ? 0 : O_TRUNC), mode | S_IWUSR); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", local_path, strerror(errno)); - do_close(conn, handle, handle_len); - buffer_free(&msg); - xfree(handle); - return(-1); + goto fail; + } + offset = highwater = 0; + if (resume_flag) { + if (fstat(local_fd, &st) == -1) { + error("Unable to stat local file \"%s\": %s", + local_path, strerror(errno)); + goto fail; + } + if (st.st_size < 0) { + error("\"%s\" has negative size", local_path); + goto fail; + } + if ((u_int64_t)st.st_size > size) { + error("Unable to resume download of \"%s\": " + "local file is larger than remote", local_path); + fail: + do_close(conn, handle, handle_len); + buffer_free(&msg); + free(handle); + if (local_fd != -1) + close(local_fd); + return -1; + } + offset = highwater = st.st_size; } /* Read from remote and write to local */ - write_error = read_error = write_errno = num_req = offset = 0; + write_error = read_error = write_errno = num_req = 0; max_req = 1; - progress_counter = 0; + progress_counter = offset; if (showprogress && size != 0) start_progress_meter(remote_path, size, &progress_counter); @@ -1089,7 +1150,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, (unsigned long long)offset, (unsigned long long)offset + buflen - 1, num_req, max_req); - req = xmalloc(sizeof(*req)); + req = xcalloc(1, sizeof(*req)); req->id = conn->msg_id++; req->len = buflen; req->offset = offset; @@ -1121,7 +1182,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, read_error = 1; max_req = 0; TAILQ_REMOVE(&requests, req, tq); - xfree(req); + free(req); num_req--; break; case SSH2_FXP_DATA: @@ -1139,12 +1200,16 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, write_error = 1; max_req = 0; } + else if (!reordered && req->offset <= highwater) + highwater = req->offset + len; + else if (!reordered && req->offset > highwater) + reordered = 1; progress_counter += len; - xfree(data); + free(data); if (len == req->len) { TAILQ_REMOVE(&requests, req, tq); - xfree(req); + free(req); num_req--; } else { /* Resend the request for the missing data */ @@ -1187,10 +1252,19 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, /* Sanity check */ if (TAILQ_FIRST(&requests) != NULL) fatal("Transfer complete, but requests still in queue"); - + /* Truncate at highest contiguous point to avoid holes on interrupt */ + if (read_error || write_error || interrupted) { + if (reordered && resume_flag) { + error("Unable to resume download of \"%s\": " + "server reordered requests", local_path); + } + debug("truncating at %llu", (unsigned long long)highwater); + ftruncate(local_fd, highwater); + } if (read_error) { error("Couldn't read from remote file \"%s\" : %s", remote_path, fx2txt(status)); + status = -1; do_close(conn, handle, handle_len); } else if (write_error) { error("Couldn't write to \"%s\": %s", local_path, @@ -1199,16 +1273,18 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, do_close(conn, handle, handle_len); } else { status = do_close(conn, handle, handle_len); - + if (interrupted || status != SSH2_FX_OK) + status = -1; /* Override umask and utimes if asked */ #ifdef HAVE_FCHMOD - if (pflag && fchmod(local_fd, mode) == -1) + if (preserve_flag && fchmod(local_fd, mode) == -1) #else - if (pflag && chmod(local_path, mode) == -1) + if (preserve_flag && chmod(local_path, mode) == -1) #endif /* HAVE_FCHMOD */ error("Couldn't set mode on \"%s\": %s", local_path, strerror(errno)); - if (pflag && (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME)) { + if (preserve_flag && + (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME)) { struct timeval tv[2]; tv[0].tv_sec = a->atime; tv[1].tv_sec = a->mtime; @@ -1217,17 +1293,24 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, error("Can't set times on \"%s\": %s", local_path, strerror(errno)); } + if (fsync_flag) { + debug("syncing \"%s\"", local_path); + if (fsync(local_fd) == -1) + error("Couldn't sync file \"%s\": %s", + local_path, strerror(errno)); + } } close(local_fd); buffer_free(&msg); - xfree(handle); + free(handle); return(status); } static int -download_dir_internal(struct sftp_conn *conn, char *src, char *dst, - Attrib *dirattrib, int pflag, int printflag, int depth) +download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, + Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag, + int fsync_flag) { int i, ret = 0; SFTP_DIRENT **dir_entries; @@ -1248,7 +1331,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, error("\"%s\" is not a directory", src); return -1; } - if (printflag) + if (print_flag) printf("Retrieving %s\n", src); if (dirattrib->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) @@ -1279,12 +1362,13 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, strcmp(filename, "..") == 0) continue; if (download_dir_internal(conn, new_src, new_dst, - &(dir_entries[i]->a), pflag, printflag, - depth + 1) == -1) + depth + 1, &(dir_entries[i]->a), preserve_flag, + print_flag, resume_flag, fsync_flag) == -1) ret = -1; } else if (S_ISREG(dir_entries[i]->a.perm) ) { if (do_download(conn, new_src, new_dst, - &(dir_entries[i]->a), pflag) == -1) { + &(dir_entries[i]->a), preserve_flag, + resume_flag, fsync_flag) == -1) { error("Download of file %s to %s failed", new_src, new_dst); ret = -1; @@ -1292,11 +1376,11 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, } else logit("%s: not a regular file\n", new_src); - xfree(new_dst); - xfree(new_src); + free(new_dst); + free(new_src); } - if (pflag) { + if (preserve_flag) { if (dirattrib->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { struct timeval tv[2]; tv[0].tv_sec = dirattrib->atime; @@ -1317,30 +1401,31 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int download_dir(struct sftp_conn *conn, char *src, char *dst, - Attrib *dirattrib, int pflag, int printflag) + Attrib *dirattrib, int preserve_flag, int print_flag, + int resume_flag, int fsync_flag) { char *src_canon; int ret; if ((src_canon = do_realpath(conn, src)) == NULL) { - error("Unable to canonicalise path \"%s\"", src); + error("Unable to canonicalize path \"%s\"", src); return -1; } - ret = download_dir_internal(conn, src_canon, dst, - dirattrib, pflag, printflag, 0); - xfree(src_canon); + ret = download_dir_internal(conn, src_canon, dst, 0, + dirattrib, preserve_flag, print_flag, resume_flag, fsync_flag); + free(src_canon); return ret; } int do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, - int pflag) + int preserve_flag, int fsync_flag) { int local_fd; int status = SSH2_FX_OK; u_int handle_len, id, type; - off_t offset; + off_t offset, progress_counter; char *handle, *data; Buffer msg; struct stat sb; @@ -1379,7 +1464,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, a.flags &= ~SSH2_FILEXFER_ATTR_SIZE; a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID; a.perm &= 0777; - if (!pflag) + if (!preserve_flag) a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; buffer_init(&msg); @@ -1408,9 +1493,10 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, data = xmalloc(conn->transfer_buflen); /* Read from local and write to remote */ - offset = 0; + offset = progress_counter = 0; if (showprogress) - start_progress_meter(local_path, sb.st_size, &offset); + start_progress_meter(local_path, sb.st_size, + &progress_counter); for (;;) { int len; @@ -1433,7 +1519,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, strerror(errno)); if (len != 0) { - ack = xmalloc(sizeof(*ack)); + ack = xcalloc(1, sizeof(*ack)); ack->id = ++id; ack->offset = offset; ack->len = len; @@ -1481,7 +1567,8 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, debug3("In write loop, ack for %u %u bytes at %lld", ack->id, ack->len, (long long)ack->offset); ++ackid; - xfree(ack); + progress_counter += ack->len; + free(ack); } offset += len; if (offset < 0) @@ -1491,7 +1578,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, if (showprogress) stop_progress_meter(); - xfree(data); + free(data); if (status != SSH2_FX_OK) { error("Couldn't write to remote file \"%s\": %s", @@ -1506,19 +1593,22 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, } /* Override umask and utimes if asked */ - if (pflag) + if (preserve_flag) do_fsetstat(conn, handle, handle_len, &a); + if (fsync_flag) + (void)do_fsync(conn, handle, handle_len); + if (do_close(conn, handle, handle_len) != SSH2_FX_OK) status = -1; - xfree(handle); + free(handle); return status; } static int -upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, - int pflag, int printflag, int depth) +upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, + int preserve_flag, int print_flag, int fsync_flag) { int ret = 0, status; DIR *dirp; @@ -1541,7 +1631,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, error("\"%s\" is not a directory", src); return -1; } - if (printflag) + if (print_flag) printf("Entering %s\n", src); attrib_clear(&a); @@ -1549,9 +1639,9 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, a.flags &= ~SSH2_FILEXFER_ATTR_SIZE; a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID; a.perm &= 01777; - if (!pflag) + if (!preserve_flag) a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; - + status = do_mkdir(conn, dst, &a, 0); /* * we lack a portable status for errno EEXIST, @@ -1561,7 +1651,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, if (status != SSH2_FX_OK) { if (status != SSH2_FX_FAILURE) return -1; - if (do_stat(conn, dst, 0) == NULL) + if (do_stat(conn, dst, 0) == NULL) return -1; } @@ -1569,7 +1659,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, error("Failed to open dir \"%s\": %s", src, strerror(errno)); return -1; } - + while (((dp = readdir(dirp)) != NULL) && !interrupted) { if (dp->d_ino == 0) continue; @@ -1587,18 +1677,20 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, continue; if (upload_dir_internal(conn, new_src, new_dst, - pflag, printflag, depth + 1) == -1) + depth + 1, preserve_flag, print_flag, + fsync_flag) == -1) ret = -1; } else if (S_ISREG(sb.st_mode)) { - if (do_upload(conn, new_src, new_dst, pflag) == -1) { + if (do_upload(conn, new_src, new_dst, + preserve_flag, fsync_flag) == -1) { error("Uploading of file %s to %s failed!", new_src, new_dst); ret = -1; } } else logit("%s: not a regular file\n", filename); - xfree(new_dst); - xfree(new_src); + free(new_dst); + free(new_src); } do_setstat(conn, dst, &a); @@ -1608,19 +1700,21 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, } int -upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag, - int pflag) +upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag, + int print_flag, int fsync_flag) { char *dst_canon; int ret; if ((dst_canon = do_realpath(conn, dst)) == NULL) { - error("Unable to canonicalise path \"%s\"", dst); + error("Unable to canonicalize path \"%s\"", dst); return -1; } - ret = upload_dir_internal(conn, src, dst_canon, pflag, printflag, 0); - xfree(dst_canon); + ret = upload_dir_internal(conn, src, dst_canon, 0, preserve_flag, + print_flag, fsync_flag); + + free(dst_canon); return ret; } diff --git a/crypto/openssh/sftp-client.h b/crypto/openssh/sftp-client.h index aef54ef49..ba92ad01a 100644 --- a/crypto/openssh/sftp-client.h +++ b/crypto/openssh/sftp-client.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.h,v 1.20 2010/12/04 00:18:01 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.24 2013/10/17 00:30:13 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller @@ -92,7 +92,7 @@ char *do_realpath(struct sftp_conn *, char *); int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int); /* Rename 'oldpath' to 'newpath' */ -int do_rename(struct sftp_conn *, char *, char *); +int do_rename(struct sftp_conn *, char *, char *m, int force_legacy); /* Link 'oldpath' to 'newpath' */ int do_hardlink(struct sftp_conn *, char *, char *); @@ -100,31 +100,33 @@ int do_hardlink(struct sftp_conn *, char *, char *); /* Rename 'oldpath' to 'newpath' */ int do_symlink(struct sftp_conn *, char *, char *); -/* XXX: add callbacks to do_download/do_upload so we can do progress meter */ +/* Call fsync() on open file 'handle' */ +int do_fsync(struct sftp_conn *conn, char *, u_int); /* * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set */ -int do_download(struct sftp_conn *, char *, char *, Attrib *, int); +int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int, int); /* * Recursively download 'remote_directory' to 'local_directory'. Preserve * times if 'pflag' is set */ -int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int); +int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, + int, int, int); /* * Upload 'local_path' to 'remote_path'. Preserve permissions and times * if 'pflag' is set */ -int do_upload(struct sftp_conn *, char *, char *, int); +int do_upload(struct sftp_conn *, char *, char *, int, int); /* * Recursively upload 'local_directory' to 'remote_directory'. Preserve * times if 'pflag' is set */ -int upload_dir(struct sftp_conn *, char *, char *, int, int); +int upload_dir(struct sftp_conn *, char *, char *, int, int, int); /* Concatenate paths, taking care of slashes. Caller must free result. */ char *path_append(char *, char *); diff --git a/crypto/openssh/sftp-common.c b/crypto/openssh/sftp-common.c index a042875c6..5b4680747 100644 --- a/crypto/openssh/sftp-common.c +++ b/crypto/openssh/sftp-common.c @@ -1,4 +1,5 @@ -/* $OpenBSD: sftp-common.c,v 1.23 2010/01/15 09:24:23 markus Exp $ */ +/* $OpenBSD: sftp-common.c,v 1.26 2014/01/09 03:26:00 guenther Exp $ */ +/* $FreeBSD$ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -25,6 +26,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include @@ -33,6 +35,7 @@ #include #include #include +#include #include #include #include @@ -128,8 +131,8 @@ decode_attrib(Buffer *b) type = buffer_get_string(b, NULL); data = buffer_get_string(b, NULL); debug3("Got file attribute \"%s\"", type); - xfree(type); - xfree(data); + free(type); + free(data); } } return &a; @@ -191,9 +194,10 @@ ls_file(const char *name, const struct stat *st, int remote, int si_units) { int ulen, glen, sz = 0; struct tm *ltime = localtime(&st->st_mtime); - char *user, *group; + const char *user, *group; char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1]; char sbuf[FMT_SCALED_STRSIZE]; + time_t now; strmode(st->st_mode, mode); if (!remote) { @@ -209,7 +213,9 @@ ls_file(const char *name, const struct stat *st, int remote, int si_units) group = gbuf; } if (ltime != NULL) { - if (time(NULL) - st->st_mtime < (365*24*60*60)/2) + now = time(NULL); + if (now - (365*24*60*60)/2 < st->st_mtime && + now >= st->st_mtime) sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime); else sz = strftime(tbuf, sizeof tbuf, "%b %e %Y", ltime); diff --git a/crypto/openssh/sftp-glob.c b/crypto/openssh/sftp-glob.c index 06bf157ca..d85aecc9a 100644 --- a/crypto/openssh/sftp-glob.c +++ b/crypto/openssh/sftp-glob.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-glob.c,v 1.23 2011/10/04 14:17:32 djm Exp $ */ +/* $OpenBSD: sftp-glob.c,v 1.26 2013/11/08 11:15:19 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -23,6 +23,7 @@ #endif #include +#include #include #include "xmalloc.h" @@ -48,10 +49,10 @@ fudge_opendir(const char *path) { struct SFTP_OPENDIR *r; - r = xmalloc(sizeof(*r)); + r = xcalloc(1, sizeof(*r)); if (do_readdir(cur.conn, (char *)path, &r->dir)) { - xfree(r); + free(r); return(NULL); } @@ -103,7 +104,7 @@ static void fudge_closedir(struct SFTP_OPENDIR *od) { free_sftp_dirents(od->dir); - xfree(od); + free(od); } static int diff --git a/crypto/openssh/sftp-server.0 b/crypto/openssh/sftp-server.0 new file mode 100644 index 000000000..ce7ddc07f --- /dev/null +++ b/crypto/openssh/sftp-server.0 @@ -0,0 +1,95 @@ +SFTP-SERVER(8) OpenBSD System Manager's Manual SFTP-SERVER(8) + +NAME + sftp-server - SFTP server subsystem + +SYNOPSIS + sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level] + [-P blacklisted_requests] [-p whitelisted_requests] + [-u umask] + sftp-server -Q protocol_feature + +DESCRIPTION + sftp-server is a program that speaks the server side of SFTP protocol to + stdout and expects client requests from stdin. sftp-server is not + intended to be called directly, but from sshd(8) using the Subsystem + option. + + Command-line flags to sftp-server should be specified in the Subsystem + declaration. See sshd_config(5) for more information. + + Valid options are: + + -d start_directory + specifies an alternate starting directory for users. The + pathname may contain the following tokens that are expanded at + runtime: %% is replaced by a literal '%', %h is replaced by the + home directory of the user being authenticated, and %u is + replaced by the username of that user. The default is to use the + user's home directory. This option is useful in conjunction with + the sshd_config(5) ChrootDirectory option. + + -e Causes sftp-server to print logging information to stderr instead + of syslog for debugging. + + -f log_facility + Specifies the facility code that is used when logging messages + from sftp-server. The possible values are: DAEMON, USER, AUTH, + LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. + + -h Displays sftp-server usage information. + + -l log_level + Specifies which messages will be logged by sftp-server. The + possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, + DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions + that sftp-server performs on behalf of the client. DEBUG and + DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher + levels of debugging output. The default is ERROR. + + -P blacklisted_requests + Specify a comma-separated list of SFTP protocol requests that are + banned by the server. sftp-server will reply to any blacklisted + request with a failure. The -Q flag can be used to determine the + supported request types. If both a blacklist and a whitelist are + specified, then the blacklist is applied before the whitelist. + + -p whitelisted_requests + Specify a comma-separated list of SFTP protocol requests that are + permitted by the server. All request types that are not on the + whitelist will be logged and replied to with a failure message. + + Care must be taken when using this feature to ensure that + requests made implicitly by SFTP clients are permitted. + + -Q protocol_feature + Query protocol features supported by sftp-server. At present the + only feature that may be queried is ``requests'', which may be + used for black or whitelisting (flags -P and -p respectively). + + -R Places this instance of sftp-server into a read-only mode. + Attempts to open files for writing, as well as other operations + that change the state of the filesystem, will be denied. + + -u umask + Sets an explicit umask(2) to be applied to newly-created files + and directories, instead of the user's default mask. + + For logging to work, sftp-server must be able to access /dev/log. Use of + sftp-server in a chroot configuration therefore requires that syslogd(8) + establish a logging socket inside the chroot directory. + +SEE ALSO + sftp(1), ssh(1), sshd_config(5), sshd(8) + + T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + filexfer-02.txt, October 2001, work in progress material. + +HISTORY + sftp-server first appeared in OpenBSD 2.8. + +AUTHORS + Markus Friedl + +OpenBSD 5.5 October 14, 2013 OpenBSD 5.5 diff --git a/crypto/openssh/sftp-server.8 b/crypto/openssh/sftp-server.8 index 0db514e5c..4407045cf 100644 --- a/crypto/openssh/sftp-server.8 +++ b/crypto/openssh/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.21 2013/01/04 19:26:38 jmc Exp $ +.\" $OpenBSD: sftp-server.8,v 1.25 2013/10/14 14:18:56 jmc Exp $ .\" $FreeBSD$ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -23,7 +23,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 4, 2013 +.Dd October 14, 2013 .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -31,11 +31,17 @@ .Nd SFTP server subsystem .Sh SYNOPSIS .Nm sftp-server +.Bk -words .Op Fl ehR .Op Fl d Ar start_directory .Op Fl f Ar log_facility .Op Fl l Ar log_level +.Op Fl P Ar blacklisted_requests +.Op Fl p Ar whitelisted_requests .Op Fl u Ar umask +.Ek +.Nm +.Fl Q Ar protocol_feature .Sh DESCRIPTION .Nm is a program that speaks the server side of SFTP protocol @@ -94,6 +100,34 @@ performs on behalf of the client. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. The default is ERROR. +.It Fl P Ar blacklisted_requests +Specify a comma-separated list of SFTP protocol requests that are banned by +the server. +.Nm +will reply to any blacklisted request with a failure. +The +.Fl Q +flag can be used to determine the supported request types. +If both a blacklist and a whitelist are specified, then the blacklist is +applied before the whitelist. +.It Fl p Ar whitelisted_requests +Specify a comma-separated list of SFTP protocol requests that are permitted +by the server. +All request types that are not on the whitelist will be logged and replied +to with a failure message. +.Pp +Care must be taken when using this feature to ensure that requests made +implicitly by SFTP clients are permitted. +.It Fl Q Ar protocol_feature +Query protocol features supported by +.Nm . +At present the only feature that may be queried is +.Dq requests , +which may be used for black or whitelisting (flags +.Fl P +and +.Fl p +respectively). .It Fl R Places this instance of .Nm @@ -125,8 +159,8 @@ establish a logging socket inside the chroot directory. .%A T. Ylonen .%A S. Lehtinen .%T "SSH File Transfer Protocol" -.%N draft-ietf-secsh-filexfer-00.txt -.%D January 2001 +.%N draft-ietf-secsh-filexfer-02.txt +.%D October 2001 .%O work in progress material .Re .Sh HISTORY @@ -134,4 +168,4 @@ establish a logging socket inside the chroot directory. first appeared in .Ox 2.8 . .Sh AUTHORS -.An Markus Friedl Aq markus@openbsd.org +.An Markus Friedl Aq Mt markus@openbsd.org diff --git a/crypto/openssh/sftp-server.c b/crypto/openssh/sftp-server.c index cce074a56..b8eb59c36 100644 --- a/crypto/openssh/sftp-server.c +++ b/crypto/openssh/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.96 2013/01/04 19:26:38 jmc Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.103 2014/01/17 06:23:24 dtucker Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -46,6 +46,7 @@ #include "buffer.h" #include "log.h" #include "misc.h" +#include "match.h" #include "uidswap.h" #include "sftp.h" @@ -57,24 +58,29 @@ #define get_string(lenp) buffer_get_string(&iqueue, lenp); /* Our verbosity */ -LogLevel log_level = SYSLOG_LEVEL_ERROR; +static LogLevel log_level = SYSLOG_LEVEL_ERROR; /* Our client */ -struct passwd *pw = NULL; -char *client_addr = NULL; +static struct passwd *pw = NULL; +static char *client_addr = NULL; /* input and output queue */ -Buffer iqueue; -Buffer oqueue; +static Buffer iqueue; +static Buffer oqueue; /* Version of client */ -u_int version; +static u_int version; + +/* SSH2_FXP_INIT received */ +static int init_done; /* Disable writes */ -int readonly; +static int readonly; -/* portable attributes, etc. */ +/* Requests that are allowed/denied */ +static char *request_whitelist, *request_blacklist; +/* portable attributes, etc. */ typedef struct Stat Stat; struct Stat { @@ -83,6 +89,102 @@ struct Stat { Attrib attrib; }; +/* Packet handlers */ +static void process_open(u_int32_t id); +static void process_close(u_int32_t id); +static void process_read(u_int32_t id); +static void process_write(u_int32_t id); +static void process_stat(u_int32_t id); +static void process_lstat(u_int32_t id); +static void process_fstat(u_int32_t id); +static void process_setstat(u_int32_t id); +static void process_fsetstat(u_int32_t id); +static void process_opendir(u_int32_t id); +static void process_readdir(u_int32_t id); +static void process_remove(u_int32_t id); +static void process_mkdir(u_int32_t id); +static void process_rmdir(u_int32_t id); +static void process_realpath(u_int32_t id); +static void process_rename(u_int32_t id); +static void process_readlink(u_int32_t id); +static void process_symlink(u_int32_t id); +static void process_extended_posix_rename(u_int32_t id); +static void process_extended_statvfs(u_int32_t id); +static void process_extended_fstatvfs(u_int32_t id); +static void process_extended_hardlink(u_int32_t id); +static void process_extended_fsync(u_int32_t id); +static void process_extended(u_int32_t id); + +struct sftp_handler { + const char *name; /* user-visible name for fine-grained perms */ + const char *ext_name; /* extended request name */ + u_int type; /* packet type, for non extended packets */ + void (*handler)(u_int32_t); + int does_write; /* if nonzero, banned for readonly mode */ +}; + +struct sftp_handler handlers[] = { + /* NB. SSH2_FXP_OPEN does the readonly check in the handler itself */ + { "open", NULL, SSH2_FXP_OPEN, process_open, 0 }, + { "close", NULL, SSH2_FXP_CLOSE, process_close, 0 }, + { "read", NULL, SSH2_FXP_READ, process_read, 0 }, + { "write", NULL, SSH2_FXP_WRITE, process_write, 1 }, + { "lstat", NULL, SSH2_FXP_LSTAT, process_lstat, 0 }, + { "fstat", NULL, SSH2_FXP_FSTAT, process_fstat, 0 }, + { "setstat", NULL, SSH2_FXP_SETSTAT, process_setstat, 1 }, + { "fsetstat", NULL, SSH2_FXP_FSETSTAT, process_fsetstat, 1 }, + { "opendir", NULL, SSH2_FXP_OPENDIR, process_opendir, 0 }, + { "readdir", NULL, SSH2_FXP_READDIR, process_readdir, 0 }, + { "remove", NULL, SSH2_FXP_REMOVE, process_remove, 1 }, + { "mkdir", NULL, SSH2_FXP_MKDIR, process_mkdir, 1 }, + { "rmdir", NULL, SSH2_FXP_RMDIR, process_rmdir, 1 }, + { "realpath", NULL, SSH2_FXP_REALPATH, process_realpath, 0 }, + { "stat", NULL, SSH2_FXP_STAT, process_stat, 0 }, + { "rename", NULL, SSH2_FXP_RENAME, process_rename, 1 }, + { "readlink", NULL, SSH2_FXP_READLINK, process_readlink, 0 }, + { "symlink", NULL, SSH2_FXP_SYMLINK, process_symlink, 1 }, + { NULL, NULL, 0, NULL, 0 } +}; + +/* SSH2_FXP_EXTENDED submessages */ +struct sftp_handler extended_handlers[] = { + { "posix-rename", "posix-rename@openssh.com", 0, + process_extended_posix_rename, 1 }, + { "statvfs", "statvfs@openssh.com", 0, process_extended_statvfs, 0 }, + { "fstatvfs", "fstatvfs@openssh.com", 0, process_extended_fstatvfs, 0 }, + { "hardlink", "hardlink@openssh.com", 0, process_extended_hardlink, 1 }, + { "fsync", "fsync@openssh.com", 0, process_extended_fsync, 1 }, + { NULL, NULL, 0, NULL, 0 } +}; + +static int +request_permitted(struct sftp_handler *h) +{ + char *result; + + if (readonly && h->does_write) { + verbose("Refusing %s request in read-only mode", h->name); + return 0; + } + if (request_blacklist != NULL && + ((result = match_list(h->name, request_blacklist, NULL))) != NULL) { + free(result); + verbose("Refusing blacklisted %s request", h->name); + return 0; + } + if (request_whitelist != NULL && + ((result = match_list(h->name, request_whitelist, NULL))) != NULL) { + free(result); + debug2("Permitting whitelisted %s request", h->name); + return 1; + } + if (request_whitelist != NULL) { + verbose("Refusing non-whitelisted %s request", h->name); + return 0; + } + return 1; +} + static int errno_to_portable(int unixerrno) { @@ -130,6 +232,8 @@ flags_from_portable(int pflags) } else if (pflags & SSH2_FXF_WRITE) { flags = O_WRONLY; } + if (pflags & SSH2_FXF_APPEND) + flags |= O_APPEND; if (pflags & SSH2_FXF_CREAT) flags |= O_CREAT; if (pflags & SSH2_FXF_TRUNC) @@ -156,6 +260,8 @@ string_from_portable(int pflags) PAPPEND("READ") if (pflags & SSH2_FXF_WRITE) PAPPEND("WRITE") + if (pflags & SSH2_FXF_APPEND) + PAPPEND("APPEND") if (pflags & SSH2_FXF_CREAT) PAPPEND("CREATE") if (pflags & SSH2_FXF_TRUNC) @@ -179,6 +285,7 @@ struct Handle { int use; DIR *dirp; int fd; + int flags; char *name; u_int64_t bytes_read, bytes_write; int next_unused; @@ -202,7 +309,7 @@ static void handle_unused(int i) } static int -handle_new(int use, const char *name, int fd, DIR *dirp) +handle_new(int use, const char *name, int fd, int flags, DIR *dirp) { int i; @@ -220,6 +327,7 @@ handle_new(int use, const char *name, int fd, DIR *dirp) handles[i].use = use; handles[i].dirp = dirp; handles[i].fd = fd; + handles[i].flags = flags; handles[i].name = xstrdup(name); handles[i].bytes_read = handles[i].bytes_write = 0; @@ -282,6 +390,14 @@ handle_to_fd(int handle) return -1; } +static int +handle_to_flags(int handle) +{ + if (handle_is_ok(handle, HANDLE_FILE)) + return handles[handle].flags; + return 0; +} + static void handle_update_read(int handle, ssize_t bytes) { @@ -319,11 +435,11 @@ handle_close(int handle) if (handle_is_ok(handle, HANDLE_FILE)) { ret = close(handles[handle].fd); - xfree(handles[handle].name); + free(handles[handle].name); handle_unused(handle); } else if (handle_is_ok(handle, HANDLE_DIR)) { ret = closedir(handles[handle].dirp); - xfree(handles[handle].name); + free(handles[handle].name); handle_unused(handle); } else { errno = ENOENT; @@ -367,7 +483,7 @@ get_handle(void) handle = get_string(&hlen); if (hlen < 256) val = handle_from_string(handle, hlen); - xfree(handle); + free(handle); return val; } @@ -450,7 +566,7 @@ send_handle(u_int32_t id, int handle) handle_to_string(handle, &string, &hlen); debug("request %u: sent handle handle %d", id, handle); send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen); - xfree(string); + free(string); } static void @@ -538,19 +654,21 @@ process_init(void) /* hardlink extension */ buffer_put_cstring(&msg, "hardlink@openssh.com"); buffer_put_cstring(&msg, "1"); /* version */ + /* fsync extension */ + buffer_put_cstring(&msg, "fsync@openssh.com"); + buffer_put_cstring(&msg, "1"); /* version */ send_msg(&msg); buffer_free(&msg); } static void -process_open(void) +process_open(u_int32_t id) { - u_int32_t id, pflags; + u_int32_t pflags; Attrib *a; char *name; int handle, fd, flags, mode, status = SSH2_FX_FAILURE; - id = get_int(); name = get_string(NULL); pflags = get_int(); /* portable flags */ debug3("request %u: open flags %d", id, pflags); @@ -560,14 +678,16 @@ process_open(void) logit("open \"%s\" flags %s mode 0%o", name, string_from_portable(pflags), mode); if (readonly && - ((flags & O_ACCMODE) == O_WRONLY || (flags & O_ACCMODE) == O_RDWR)) - status = SSH2_FX_PERMISSION_DENIED; - else { + ((flags & O_ACCMODE) == O_WRONLY || + (flags & O_ACCMODE) == O_RDWR)) { + verbose("Refusing open request in read-only mode"); + status = SSH2_FX_PERMISSION_DENIED; + } else { fd = open(name, flags, mode); if (fd < 0) { status = errno_to_portable(errno); } else { - handle = handle_new(HANDLE_FILE, name, fd, NULL); + handle = handle_new(HANDLE_FILE, name, fd, flags, NULL); if (handle < 0) { close(fd); } else { @@ -578,16 +698,14 @@ process_open(void) } if (status != SSH2_FX_OK) send_status(id, status); - xfree(name); + free(name); } static void -process_close(void) +process_close(u_int32_t id) { - u_int32_t id; int handle, ret, status = SSH2_FX_FAILURE; - id = get_int(); handle = get_handle(); debug3("request %u: close handle %u", id, handle); handle_log_close(handle, NULL); @@ -597,14 +715,13 @@ process_close(void) } static void -process_read(void) +process_read(u_int32_t id) { char buf[64*1024]; - u_int32_t id, len; + u_int32_t len; int handle, fd, ret, status = SSH2_FX_FAILURE; u_int64_t off; - id = get_int(); handle = get_handle(); off = get_int64(); len = get_int(); @@ -638,15 +755,13 @@ process_read(void) } static void -process_write(void) +process_write(u_int32_t id) { - u_int32_t id; u_int64_t off; u_int len; int handle, fd, ret, status; char *data; - id = get_int(); handle = get_handle(); off = get_int64(); data = get_string(&len); @@ -657,10 +772,9 @@ process_write(void) if (fd < 0) status = SSH2_FX_FAILURE; - else if (readonly) - status = SSH2_FX_PERMISSION_DENIED; else { - if (lseek(fd, off, SEEK_SET) < 0) { + if (!(handle_to_flags(handle) & O_APPEND) && + lseek(fd, off, SEEK_SET) < 0) { status = errno_to_portable(errno); error("process_write: seek failed"); } else { @@ -679,19 +793,17 @@ process_write(void) } } send_status(id, status); - xfree(data); + free(data); } static void -process_do_stat(int do_lstat) +process_do_stat(u_int32_t id, int do_lstat) { Attrib a; struct stat st; - u_int32_t id; char *name; int ret, status = SSH2_FX_FAILURE; - id = get_int(); name = get_string(NULL); debug3("request %u: %sstat", id, do_lstat ? "l" : ""); verbose("%sstat name \"%s\"", do_lstat ? "l" : "", name); @@ -705,30 +817,28 @@ process_do_stat(int do_lstat) } if (status != SSH2_FX_OK) send_status(id, status); - xfree(name); + free(name); } static void -process_stat(void) +process_stat(u_int32_t id) { - process_do_stat(0); + process_do_stat(id, 0); } static void -process_lstat(void) +process_lstat(u_int32_t id) { - process_do_stat(1); + process_do_stat(id, 1); } static void -process_fstat(void) +process_fstat(u_int32_t id) { Attrib a; struct stat st; - u_int32_t id; int fd, ret, handle, status = SSH2_FX_FAILURE; - id = get_int(); handle = get_handle(); debug("request %u: fstat \"%s\" (handle %u)", id, handle_to_name(handle), handle); @@ -760,21 +870,15 @@ attrib_to_tv(const Attrib *a) } static void -process_setstat(void) +process_setstat(u_int32_t id) { Attrib *a; - u_int32_t id; char *name; int status = SSH2_FX_OK, ret; - id = get_int(); name = get_string(NULL); a = get_attrib(); debug("request %u: setstat name \"%s\"", id, name); - if (readonly) { - status = SSH2_FX_PERMISSION_DENIED; - a->flags = 0; - } if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { logit("set \"%s\" size %llu", name, (unsigned long long)a->size); @@ -807,26 +911,22 @@ process_setstat(void) status = errno_to_portable(errno); } send_status(id, status); - xfree(name); + free(name); } static void -process_fsetstat(void) +process_fsetstat(u_int32_t id) { Attrib *a; - u_int32_t id; int handle, fd, ret; int status = SSH2_FX_OK; - id = get_int(); handle = get_handle(); a = get_attrib(); debug("request %u: fsetstat handle %d", id, handle); fd = handle_to_fd(handle); if (fd < 0) status = SSH2_FX_FAILURE; - else if (readonly) - status = SSH2_FX_PERMISSION_DENIED; else { char *name = handle_to_name(handle); @@ -878,14 +978,12 @@ process_fsetstat(void) } static void -process_opendir(void) +process_opendir(u_int32_t id) { DIR *dirp = NULL; char *path; int handle, status = SSH2_FX_FAILURE; - u_int32_t id; - id = get_int(); path = get_string(NULL); debug3("request %u: opendir", id); logit("opendir \"%s\"", path); @@ -893,7 +991,7 @@ process_opendir(void) if (dirp == NULL) { status = errno_to_portable(errno); } else { - handle = handle_new(HANDLE_DIR, path, 0, dirp); + handle = handle_new(HANDLE_DIR, path, 0, 0, dirp); if (handle < 0) { closedir(dirp); } else { @@ -904,19 +1002,17 @@ process_opendir(void) } if (status != SSH2_FX_OK) send_status(id, status); - xfree(path); + free(path); } static void -process_readdir(void) +process_readdir(u_int32_t id) { DIR *dirp; struct dirent *dp; char *path; int handle; - u_int32_t id; - id = get_int(); handle = get_handle(); debug("request %u: readdir \"%s\" (handle %d)", id, handle_to_name(handle), handle); @@ -953,95 +1049,75 @@ process_readdir(void) if (count > 0) { send_names(id, count, stats); for (i = 0; i < count; i++) { - xfree(stats[i].name); - xfree(stats[i].long_name); + free(stats[i].name); + free(stats[i].long_name); } } else { send_status(id, SSH2_FX_EOF); } - xfree(stats); + free(stats); } } static void -process_remove(void) +process_remove(u_int32_t id) { char *name; - u_int32_t id; int status = SSH2_FX_FAILURE; int ret; - id = get_int(); name = get_string(NULL); debug3("request %u: remove", id); logit("remove name \"%s\"", name); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = unlink(name); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = unlink(name); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); - xfree(name); + free(name); } static void -process_mkdir(void) +process_mkdir(u_int32_t id) { Attrib *a; - u_int32_t id; char *name; int ret, mode, status = SSH2_FX_FAILURE; - id = get_int(); name = get_string(NULL); a = get_attrib(); mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm & 07777 : 0777; debug3("request %u: mkdir", id); logit("mkdir name \"%s\" mode 0%o", name, mode); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = mkdir(name, mode); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = mkdir(name, mode); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); - xfree(name); + free(name); } static void -process_rmdir(void) +process_rmdir(u_int32_t id) { - u_int32_t id; char *name; int ret, status; - id = get_int(); name = get_string(NULL); debug3("request %u: rmdir", id); logit("rmdir name \"%s\"", name); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = rmdir(name); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = rmdir(name); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); - xfree(name); + free(name); } static void -process_realpath(void) +process_realpath(u_int32_t id) { char resolvedname[MAXPATHLEN]; - u_int32_t id; char *path; - id = get_int(); path = get_string(NULL); if (path[0] == '\0') { - xfree(path); + free(path); path = xstrdup("."); } debug3("request %u: realpath", id); @@ -1054,26 +1130,22 @@ process_realpath(void) s.name = s.long_name = resolvedname; send_names(id, 1, &s); } - xfree(path); + free(path); } static void -process_rename(void) +process_rename(u_int32_t id) { - u_int32_t id; char *oldpath, *newpath; int status; struct stat sb; - id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL); debug3("request %u: rename", id); logit("rename old \"%s\" new \"%s\"", oldpath, newpath); status = SSH2_FX_FAILURE; - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else if (lstat(oldpath, &sb) == -1) + if (lstat(oldpath, &sb) == -1) status = errno_to_portable(errno); else if (S_ISREG(sb.st_mode)) { /* Race-free rename of regular files */ @@ -1115,19 +1187,17 @@ process_rename(void) status = SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void -process_readlink(void) +process_readlink(u_int32_t id) { - u_int32_t id; int len; char buf[MAXPATHLEN]; char *path; - id = get_int(); path = get_string(NULL); debug3("request %u: readlink", id); verbose("readlink \"%s\"", path); @@ -1141,31 +1211,25 @@ process_readlink(void) s.name = s.long_name = buf; send_names(id, 1, &s); } - xfree(path); + free(path); } static void -process_symlink(void) +process_symlink(u_int32_t id) { - u_int32_t id; char *oldpath, *newpath; int ret, status; - id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL); debug3("request %u: symlink", id); logit("symlink old \"%s\" new \"%s\"", oldpath, newpath); /* this will fail if 'newpath' exists */ - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = symlink(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = symlink(oldpath, newpath); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1178,15 +1242,11 @@ process_extended_posix_rename(u_int32_t id) newpath = get_string(NULL); debug3("request %u: posix-rename", id); logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = rename(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = rename(oldpath, newpath); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1196,14 +1256,14 @@ process_extended_statvfs(u_int32_t id) struct statvfs st; path = get_string(NULL); - debug3("request %u: statfs", id); - logit("statfs \"%s\"", path); + debug3("request %u: statvfs", id); + logit("statvfs \"%s\"", path); if (statvfs(path, &st) != 0) send_status(id, errno_to_portable(errno)); else send_statvfs(id, &st); - xfree(path); + free(path); } static void @@ -1235,36 +1295,51 @@ process_extended_hardlink(u_int32_t id) newpath = get_string(NULL); debug3("request %u: hardlink", id); logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = link(oldpath, newpath); + ret = link(oldpath, newpath); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; + send_status(id, status); + free(oldpath); + free(newpath); +} + +static void +process_extended_fsync(u_int32_t id) +{ + int handle, fd, ret, status = SSH2_FX_OP_UNSUPPORTED; + + handle = get_handle(); + debug3("request %u: fsync (handle %u)", id, handle); + verbose("fsync \"%s\"", handle_to_name(handle)); + if ((fd = handle_to_fd(handle)) < 0) + status = SSH2_FX_NO_SUCH_FILE; + else if (handle_is_ok(handle, HANDLE_FILE)) { + ret = fsync(fd); status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); } static void -process_extended(void) +process_extended(u_int32_t id) { - u_int32_t id; char *request; + u_int i; - id = get_int(); request = get_string(NULL); - if (strcmp(request, "posix-rename@openssh.com") == 0) - process_extended_posix_rename(id); - else if (strcmp(request, "statvfs@openssh.com") == 0) - process_extended_statvfs(id); - else if (strcmp(request, "fstatvfs@openssh.com") == 0) - process_extended_fstatvfs(id); - else if (strcmp(request, "hardlink@openssh.com") == 0) - process_extended_hardlink(id); - else + for (i = 0; extended_handlers[i].handler != NULL; i++) { + if (strcmp(request, extended_handlers[i].ext_name) == 0) { + if (!request_permitted(&extended_handlers[i])) + send_status(id, SSH2_FX_PERMISSION_DENIED); + else + extended_handlers[i].handler(id); + break; + } + } + if (extended_handlers[i].handler == NULL) { + error("Unknown extended request \"%.100s\"", request); send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */ - xfree(request); + } + free(request); } /* stolen from ssh-agent */ @@ -1272,11 +1347,9 @@ process_extended(void) static void process(void) { - u_int msg_len; - u_int buf_len; - u_int consumed; - u_int type; + u_int msg_len, buf_len, consumed, type, i; u_char *cp; + u_int32_t id; buf_len = buffer_len(&iqueue); if (buf_len < 5) @@ -1293,70 +1366,35 @@ process(void) buffer_consume(&iqueue, 4); buf_len -= 4; type = buffer_get_char(&iqueue); + switch (type) { case SSH2_FXP_INIT: process_init(); - break; - case SSH2_FXP_OPEN: - process_open(); - break; - case SSH2_FXP_CLOSE: - process_close(); - break; - case SSH2_FXP_READ: - process_read(); - break; - case SSH2_FXP_WRITE: - process_write(); - break; - case SSH2_FXP_LSTAT: - process_lstat(); - break; - case SSH2_FXP_FSTAT: - process_fstat(); - break; - case SSH2_FXP_SETSTAT: - process_setstat(); - break; - case SSH2_FXP_FSETSTAT: - process_fsetstat(); - break; - case SSH2_FXP_OPENDIR: - process_opendir(); - break; - case SSH2_FXP_READDIR: - process_readdir(); - break; - case SSH2_FXP_REMOVE: - process_remove(); - break; - case SSH2_FXP_MKDIR: - process_mkdir(); - break; - case SSH2_FXP_RMDIR: - process_rmdir(); - break; - case SSH2_FXP_REALPATH: - process_realpath(); - break; - case SSH2_FXP_STAT: - process_stat(); - break; - case SSH2_FXP_RENAME: - process_rename(); - break; - case SSH2_FXP_READLINK: - process_readlink(); - break; - case SSH2_FXP_SYMLINK: - process_symlink(); + init_done = 1; break; case SSH2_FXP_EXTENDED: - process_extended(); + if (!init_done) + fatal("Received extended request before init"); + id = get_int(); + process_extended(id); break; default: - error("Unknown message %d", type); - break; + if (!init_done) + fatal("Received %u request before init", type); + id = get_int(); + for (i = 0; handlers[i].handler != NULL; i++) { + if (type == handlers[i].type) { + if (!request_permitted(&handlers[i])) { + send_status(id, + SSH2_FX_PERMISSION_DENIED); + } else { + handlers[i].handler(id); + } + break; + } + } + if (handlers[i].handler == NULL) + error("Unknown message %u", type); } /* discard the remaining bytes from the current packet */ if (buf_len < buffer_len(&iqueue)) { @@ -1365,7 +1403,7 @@ process(void) } consumed = buf_len - buffer_len(&iqueue); if (msg_len < consumed) { - error("msg_len %d < consumed %d", msg_len, consumed); + error("msg_len %u < consumed %u", msg_len, consumed); sftp_server_cleanup_exit(255); } if (msg_len > consumed) @@ -1391,8 +1429,10 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " - "[-l log_level]\n\t[-u umask]\n", - __progname); + "[-l log_level]\n\t[-P blacklisted_requests] " + "[-p whitelisted_requests] [-u umask]\n" + " %s -Q protocol_feature\n", + __progname, __progname); exit(1); } @@ -1400,7 +1440,7 @@ int sftp_server_main(int argc, char **argv, struct passwd *user_pw) { fd_set *rset, *wset; - int in, out, max, ch, skipargs = 0, log_stderr = 0; + int i, in, out, max, ch, skipargs = 0, log_stderr = 0; ssize_t len, olen, set_size; SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; char *cp, *homedir = NULL, buf[4*4096]; @@ -1414,8 +1454,20 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) pw = pwcopy(user_pw); - while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:cehR")) != -1) { + while (!skipargs && (ch = getopt(argc, argv, + "d:f:l:P:p:Q:u:cehR")) != -1) { switch (ch) { + case 'Q': + if (strcasecmp(optarg, "requests") != 0) { + fprintf(stderr, "Invalid query type\n"); + exit(1); + } + for (i = 0; handlers[i].handler != NULL; i++) + printf("%s\n", handlers[i].name); + for (i = 0; extended_handlers[i].handler != NULL; i++) + printf("%s\n", extended_handlers[i].name); + exit(0); + break; case 'R': readonly = 1; break; @@ -1445,6 +1497,16 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) "u", user_pw->pw_name, (char *)NULL); free(cp); break; + case 'p': + if (request_whitelist != NULL) + fatal("Permitted requests already set"); + request_whitelist = xstrdup(optarg); + break; + case 'P': + if (request_blacklist != NULL) + fatal("Refused requests already set"); + request_blacklist = xstrdup(optarg); + break; case 'u': errno = 0; mask = strtol(optarg, &cp, 8); diff --git a/crypto/openssh/sftp.0 b/crypto/openssh/sftp.0 new file mode 100644 index 000000000..7139aac43 --- /dev/null +++ b/crypto/openssh/sftp.0 @@ -0,0 +1,370 @@ +SFTP(1) OpenBSD Reference Manual SFTP(1) + +NAME + sftp - secure file transfer program + +SYNOPSIS + sftp [-1246aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher] + [-D sftp_server_path] [-F ssh_config] [-i identity_file] [-l limit] + [-o ssh_option] [-P port] [-R num_requests] [-S program] + [-s subsystem | sftp_server] host + sftp [user@]host[:file ...] + sftp [user@]host[:dir[/]] + sftp -b batchfile [user@]host + +DESCRIPTION + sftp is an interactive file transfer program, similar to ftp(1), which + performs all operations over an encrypted ssh(1) transport. It may also + use many features of ssh, such as public key authentication and + compression. sftp connects and logs into the specified host, then enters + an interactive command mode. + + The second usage format will retrieve files automatically if a non- + interactive authentication method is used; otherwise it will do so after + successful interactive authentication. + + The third usage format allows sftp to start in a remote directory. + + The final usage format allows for automated sessions using the -b option. + In such cases, it is necessary to configure non-interactive + authentication to obviate the need to enter a password at connection time + (see sshd(8) and ssh-keygen(1) for details). + + Since some usage formats use colon characters to delimit host names from + path names, IPv6 addresses must be enclosed in square brackets to avoid + ambiguity. + + The options are as follows: + + -1 Specify the use of protocol version 1. + + -2 Specify the use of protocol version 2. + + -4 Forces sftp to use IPv4 addresses only. + + -6 Forces sftp to use IPv6 addresses only. + + -a Attempt to continue interrupted downloads rather than overwriting + existing partial or complete copies of files. If the remote file + contents differ from the partial local copy then the resultant + file is likely to be corrupt. + + -B buffer_size + Specify the size of the buffer that sftp uses when transferring + files. Larger buffers require fewer round trips at the cost of + higher memory consumption. The default is 32768 bytes. + + -b batchfile + Batch mode reads a series of commands from an input batchfile + instead of stdin. Since it lacks user interaction it should be + used in conjunction with non-interactive authentication. A + batchfile of `-' may be used to indicate standard input. sftp + will abort if any of the following commands fail: get, put, + reget, rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, + chgrp, lpwd, df, symlink, and lmkdir. Termination on error can + be suppressed on a command by command basis by prefixing the + command with a `-' character (for example, -rm /tmp/blah*). + + -C Enables compression (via ssh's -C flag). + + -c cipher + Selects the cipher to use for encrypting the data transfers. + This option is directly passed to ssh(1). + + -D sftp_server_path + Connect directly to a local sftp server (rather than via ssh(1)). + This option may be useful in debugging the client and server. + + -F ssh_config + Specifies an alternative per-user configuration file for ssh(1). + This option is directly passed to ssh(1). + + -f Requests that files be flushed to disk immediately after + transfer. When uploading files, this feature is only enabled if + the server implements the "fsync@openssh.com" extension. + + -i identity_file + Selects the file from which the identity (private key) for public + key authentication is read. This option is directly passed to + ssh(1). + + -l limit + Limits the used bandwidth, specified in Kbit/s. + + -o ssh_option + Can be used to pass options to ssh in the format used in + ssh_config(5). This is useful for specifying options for which + there is no separate sftp command-line flag. For example, to + specify an alternate port use: sftp -oPort=24. For full details + of the options listed below, and their possible values, see + ssh_config(5). + + AddressFamily + BatchMode + BindAddress + CanonicalDomains + CanonicalizeFallbackLocal + CanonicalizeHostname + CanonicalizeMaxDots + CanonicalizePermittedCNAMEs + ChallengeResponseAuthentication + CheckHostIP + Cipher + Ciphers + Compression + CompressionLevel + ConnectionAttempts + ConnectTimeout + ControlMaster + ControlPath + ControlPersist + GlobalKnownHostsFile + GSSAPIAuthentication + GSSAPIDelegateCredentials + HashKnownHosts + Host + HostbasedAuthentication + HostKeyAlgorithms + HostKeyAlias + HostName + IdentityFile + IdentitiesOnly + IPQoS + KbdInteractiveAuthentication + KbdInteractiveDevices + KexAlgorithms + LogLevel + MACs + NoHostAuthenticationForLocalhost + NumberOfPasswordPrompts + PasswordAuthentication + PKCS11Provider + Port + PreferredAuthentications + Protocol + ProxyCommand + PubkeyAuthentication + RekeyLimit + RhostsRSAAuthentication + RSAAuthentication + SendEnv + ServerAliveInterval + ServerAliveCountMax + StrictHostKeyChecking + TCPKeepAlive + UsePrivilegedPort + User + UserKnownHostsFile + VerifyHostKeyDNS + + -P port + Specifies the port to connect to on the remote host. + + -p Preserves modification times, access times, and modes from the + original files transferred. + + -q Quiet mode: disables the progress meter as well as warning and + diagnostic messages from ssh(1). + + -R num_requests + Specify how many requests may be outstanding at any one time. + Increasing this may slightly improve file transfer speed but will + increase memory usage. The default is 64 outstanding requests. + + -r Recursively copy entire directories when uploading and + downloading. Note that sftp does not follow symbolic links + encountered in the tree traversal. + + -S program + Name of the program to use for the encrypted connection. The + program must understand ssh(1) options. + + -s subsystem | sftp_server + Specifies the SSH2 subsystem or the path for an sftp server on + the remote host. A path is useful for using sftp over protocol + version 1, or when the remote sshd(8) does not have an sftp + subsystem configured. + + -v Raise logging level. This option is also passed to ssh. + +INTERACTIVE COMMANDS + Once in interactive mode, sftp understands a set of commands similar to + those of ftp(1). Commands are case insensitive. Pathnames that contain + spaces must be enclosed in quotes. Any special characters contained + within pathnames that are recognized by glob(3) must be escaped with + backslashes (`\'). + + bye Quit sftp. + + cd path + Change remote directory to path. + + chgrp grp path + Change group of file path to grp. path may contain glob(3) + characters and may match multiple files. grp must be a numeric + GID. + + chmod mode path + Change permissions of file path to mode. path may contain + glob(3) characters and may match multiple files. + + chown own path + Change owner of file path to own. path may contain glob(3) + characters and may match multiple files. own must be a numeric + UID. + + df [-hi] [path] + Display usage information for the filesystem holding the current + directory (or path if specified). If the -h flag is specified, + the capacity information will be displayed using "human-readable" + suffixes. The -i flag requests display of inode information in + addition to capacity information. This command is only supported + on servers that implement the ``statvfs@openssh.com'' extension. + + exit Quit sftp. + + get [-afPpr] remote-path [local-path] + Retrieve the remote-path and store it on the local machine. If + the local path name is not specified, it is given the same name + it has on the remote machine. remote-path may contain glob(3) + characters and may match multiple files. If it does and + local-path is specified, then local-path must specify a + directory. + + If the -a flag is specified, then attempt to resume partial + transfers of existing files. Note that resumption assumes that + any partial copy of the local file matches the remote copy. If + the remote file contents differ from the partial local copy then + the resultant file is likely to be corrupt. + + If the -f flag is specified, then fsync(2) will be called after + the file transfer has completed to flush the file to disk. + + If either the -P or -p flag is specified, then full file + permissions and access times are copied too. + + If the -r flag is specified then directories will be copied + recursively. Note that sftp does not follow symbolic links when + performing recursive transfers. + + help Display help text. + + lcd path + Change local directory to path. + + lls [ls-options [path]] + Display local directory listing of either path or current + directory if path is not specified. ls-options may contain any + flags supported by the local system's ls(1) command. path may + contain glob(3) characters and may match multiple files. + + lmkdir path + Create local directory specified by path. + + ln [-s] oldpath newpath + Create a link from oldpath to newpath. If the -s flag is + specified the created link is a symbolic link, otherwise it is a + hard link. + + lpwd Print local working directory. + + ls [-1afhlnrSt] [path] + Display a remote directory listing of either path or the current + directory if path is not specified. path may contain glob(3) + characters and may match multiple files. + + The following flags are recognized and alter the behaviour of ls + accordingly: + + -1 Produce single columnar output. + + -a List files beginning with a dot (`.'). + + -f Do not sort the listing. The default sort order is + lexicographical. + + -h When used with a long format option, use unit suffixes: + Byte, Kilobyte, Megabyte, Gigabyte, Terabyte, Petabyte, + and Exabyte in order to reduce the number of digits to + four or fewer using powers of 2 for sizes (K=1024, + M=1048576, etc.). + + -l Display additional details including permissions and + ownership information. + + -n Produce a long listing with user and group information + presented numerically. + + -r Reverse the sort order of the listing. + + -S Sort the listing by file size. + + -t Sort the listing by last modification time. + + lumask umask + Set local umask to umask. + + mkdir path + Create remote directory specified by path. + + progress + Toggle display of progress meter. + + put [-fPpr] local-path [remote-path] + Upload local-path and store it on the remote machine. If the + remote path name is not specified, it is given the same name it + has on the local machine. local-path may contain glob(3) + characters and may match multiple files. If it does and + remote-path is specified, then remote-path must specify a + directory. + + If the -f flag is specified, then a request will be sent to the + server to call fsync(2) after the file has been transferred. + Note that this is only supported by servers that implement the + "fsync@openssh.com" extension. + + If either the -P or -p flag is specified, then full file + permissions and access times are copied too. + + If the -r flag is specified then directories will be copied + recursively. Note that sftp does not follow symbolic links when + performing recursive transfers. + + pwd Display remote working directory. + + quit Quit sftp. + + reget [-Ppr] remote-path [local-path] + Resume download of remote-path. Equivalent to get with the -a + flag set. + + rename oldpath newpath + Rename remote file from oldpath to newpath. + + rm path + Delete remote file specified by path. + + rmdir path + Remove remote directory specified by path. + + symlink oldpath newpath + Create a symbolic link from oldpath to newpath. + + version + Display the sftp protocol version. + + !command + Execute command in local shell. + + ! Escape to local shell. + + ? Synonym for help. + +SEE ALSO + ftp(1), ls(1), scp(1), ssh(1), ssh-add(1), ssh-keygen(1), glob(3), + ssh_config(5), sftp-server(8), sshd(8) + + T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + filexfer-00.txt, January 2001, work in progress material. + +OpenBSD 5.5 October 20, 2013 OpenBSD 5.5 diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1 index 539c7c038..b97f62cc3 100644 --- a/crypto/openssh/sftp.1 +++ b/crypto/openssh/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.91 2011/09/05 05:56:13 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.97 2013/10/20 09:51:26 djm Exp $ .\" $FreeBSD$ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. @@ -23,7 +23,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd September 5, 2011 +.Dd October 20, 2013 .Dt SFTP 1 .Os .Sh NAME @@ -32,7 +32,7 @@ .Sh SYNOPSIS .Nm sftp .Bk -words -.Op Fl 1246Cpqrv +.Op Fl 1246aCfpqrv .Op Fl B Ar buffer_size .Op Fl b Ar batchfile .Op Fl c Ar cipher @@ -108,6 +108,11 @@ to use IPv4 addresses only. Forces .Nm to use IPv6 addresses only. +.It Fl a +Attempt to continue interrupted downloads rather than overwriting existing +partial or complete copies of files. +If the remote file contents differ from the partial local copy then the +resultant file is likely to be corrupt. .It Fl B Ar buffer_size Specify the size of the buffer that .Nm @@ -130,7 +135,7 @@ may be used to indicate standard input. .Nm will abort if any of the following commands fail: -.Ic get , put , rename , ln , +.Ic get , put , reget , rename , ln , .Ic rm , mkdir , chdir , ls , .Ic lchdir , chmod , chown , .Ic chgrp , lpwd , df , symlink , @@ -160,6 +165,10 @@ per-user configuration file for .Xr ssh 1 . This option is directly passed to .Xr ssh 1 . +.It Fl f +Requests that files be flushed to disk immediately after transfer. +When uploading files, this feature is only enabled if the server +implements the "fsync@openssh.com" extension. .It Fl i Ar identity_file Selects the file from which the identity (private key) for public key authentication is read. @@ -185,6 +194,11 @@ For full details of the options listed below, and their possible values, see .It AddressFamily .It BatchMode .It BindAddress +.It CanonicalDomains +.It CanonicalizeFallbackLocal +.It CanonicalizeHostname +.It CanonicalizeMaxDots +.It CanonicalizePermittedCNAMEs .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher @@ -345,7 +359,7 @@ extension. Quit .Nm sftp . .It Xo Ic get -.Op Fl Ppr +.Op Fl afPpr .Ar remote-path .Op Ar local-path .Xc @@ -365,6 +379,21 @@ is specified, then .Ar local-path must specify a directory. .Pp +If the +.Fl a +flag is specified, then attempt to resume partial transfers of existing files. +Note that resumption assumes that any partial copy of the local file matches +the remote copy. +If the remote file contents differ from the partial local copy then the +resultant file is likely to be corrupt. +.Pp +If the +.Fl f +flag is specified, then +.Xr fsync 2 +will be called after the file transfer has completed to flush the file +to disk. +.Pp If either the .Fl P or @@ -468,7 +497,7 @@ Create remote directory specified by .It Ic progress Toggle display of progress meter. .It Xo Ic put -.Op Fl Ppr +.Op Fl fPpr .Ar local-path .Op Ar remote-path .Xc @@ -487,6 +516,14 @@ is specified, then .Ar remote-path must specify a directory. .Pp +If the +.Fl f +flag is specified, then a request will be sent to the server to call +.Xr fsync 2 +after the file has been transferred. +Note that this is only supported by servers that implement +the "fsync@openssh.com" extension. +.Pp If either the .Fl P or @@ -505,6 +542,18 @@ Display remote working directory. .It Ic quit Quit .Nm sftp . +.It Xo Ic reget +.Op Fl Ppr +.Ar remote-path +.Op Ar local-path +.Xc +Resume download of +.Ar remote-path . +Equivalent to +.Ic get +with the +.Fl a +flag set. .It Ic rename Ar oldpath Ar newpath Rename remote file from .Ar oldpath diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c index d7cbb0349..0ec00b4b7 100644 --- a/crypto/openssh/sftp.c +++ b/crypto/openssh/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.142 2013/02/08 00:41:12 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.158 2013/11/20 20:54:10 deraadt Exp $ */ /* $FreeBSD$ */ /* * Copyright (c) 2001-2004 Damien Miller @@ -17,6 +17,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include @@ -39,6 +40,9 @@ #ifdef HAVE_LIBGEN_H #include #endif +#ifdef HAVE_LOCALE_H +# include +#endif #ifdef USE_LIBEDIT #include #else @@ -77,15 +81,24 @@ int batchmode = 0; /* PID of ssh transport process */ static pid_t sshpid = -1; +/* Suppress diagnositic messages */ +int quiet = 0; + /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; /* When this option is set, we always recursively download/upload directories */ int global_rflag = 0; +/* When this option is set, we resume download if possible */ +int global_aflag = 0; + /* When this option is set, the file transfers will always preserve times */ int global_pflag = 0; +/* When this option is set, transfers will have fsync() called on each file */ +int global_fflag = 0; + /* SIGINT received during command processing */ volatile sig_atomic_t interrupted = 0; @@ -121,31 +134,34 @@ extern char *__progname; #define SORT_FLAGS (LS_NAME_SORT|LS_TIME_SORT|LS_SIZE_SORT) /* Commands for interactive mode */ -#define I_CHDIR 1 -#define I_CHGRP 2 -#define I_CHMOD 3 -#define I_CHOWN 4 -#define I_DF 24 -#define I_GET 5 -#define I_HELP 6 -#define I_LCHDIR 7 -#define I_LINK 25 -#define I_LLS 8 -#define I_LMKDIR 9 -#define I_LPWD 10 -#define I_LS 11 -#define I_LUMASK 12 -#define I_MKDIR 13 -#define I_PUT 14 -#define I_PWD 15 -#define I_QUIT 16 -#define I_RENAME 17 -#define I_RM 18 -#define I_RMDIR 19 -#define I_SHELL 20 -#define I_SYMLINK 21 -#define I_VERSION 22 -#define I_PROGRESS 23 +enum sftp_command { + I_CHDIR = 1, + I_CHGRP, + I_CHMOD, + I_CHOWN, + I_DF, + I_GET, + I_HELP, + I_LCHDIR, + I_LINK, + I_LLS, + I_LMKDIR, + I_LPWD, + I_LS, + I_LUMASK, + I_MKDIR, + I_PUT, + I_PWD, + I_QUIT, + I_RENAME, + I_RM, + I_RMDIR, + I_SHELL, + I_SYMLINK, + I_VERSION, + I_PROGRESS, + I_REGET, +}; struct CMD { const char *c; @@ -185,6 +201,7 @@ static const struct CMD cmds[] = { { "put", I_PUT, LOCAL }, { "pwd", I_PWD, REMOTE }, { "quit", I_QUIT, NOARGS }, + { "reget", I_REGET, REMOTE }, { "rename", I_RENAME, REMOTE }, { "rm", I_RM, REMOTE }, { "rmdir", I_RMDIR, REMOTE }, @@ -216,7 +233,7 @@ cmd_interrupt(int signo) const char msg[] = "\rInterrupt \n"; int olderrno = errno; - write(STDERR_FILENO, msg, sizeof(msg) - 1); + (void)write(STDERR_FILENO, msg, sizeof(msg) - 1); interrupted = 1; errno = olderrno; } @@ -234,6 +251,7 @@ help(void) " filesystem containing 'path'\n" "exit Quit sftp\n" "get [-Ppr] remote [local] Download file\n" + "reget remote [local] Resume download file\n" "help Display this help text\n" "lcd path Change local directory to 'path'\n" "lls [ls-options [path]] Display local directory listing\n" @@ -307,7 +325,7 @@ local_do_ls(const char *args) /* XXX: quoting - rip quoting code from ftp? */ snprintf(buf, len, _PATH_LS " %s", args); local_do_shell(buf); - xfree(buf); + free(buf); } } @@ -338,15 +356,15 @@ make_absolute(char *p, char *pwd) /* Derelativise */ if (p && p[0] != '/') { abs_str = path_append(pwd, p); - xfree(p); + free(p); return(abs_str); } else return(p); } static int -parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag, - int *rflag) +parse_getput_flags(const char *cmd, char **argv, int argc, + int *aflag, int *fflag, int *pflag, int *rflag) { extern int opterr, optind, optopt, optreset; int ch; @@ -354,9 +372,15 @@ parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag, optind = optreset = 1; opterr = 0; - *rflag = *pflag = 0; - while ((ch = getopt(argc, argv, "PpRr")) != -1) { + *aflag = *fflag = *rflag = *pflag = 0; + while ((ch = getopt(argc, argv, "afPpRr")) != -1) { switch (ch) { + case 'a': + *aflag = 1; + break; + case 'f': + *fflag = 1; + break; case 'p': case 'P': *pflag = 1; @@ -398,6 +422,30 @@ parse_link_flags(const char *cmd, char **argv, int argc, int *sflag) return optind; } +static int +parse_rename_flags(const char *cmd, char **argv, int argc, int *lflag) +{ + extern int opterr, optind, optopt, optreset; + int ch; + + optind = optreset = 1; + opterr = 0; + + *lflag = 0; + while ((ch = getopt(argc, argv, "l")) != -1) { + switch (ch) { + case 'l': + *lflag = 1; + break; + default: + error("%s: Invalid flag -%c", cmd, optopt); + return -1; + } + } + + return optind; +} + static int parse_ls_flags(char **argv, int argc, int *lflag) { @@ -478,6 +526,26 @@ parse_df_flags(const char *cmd, char **argv, int argc, int *hflag, int *iflag) return optind; } +static int +parse_no_flags(const char *cmd, char **argv, int argc) +{ + extern int opterr, optind, optopt, optreset; + int ch; + + optind = optreset = 1; + opterr = 0; + + while ((ch = getopt(argc, argv, "")) != -1) { + switch (ch) { + default: + error("%s: Invalid flag -%c", cmd, optopt); + return -1; + } + } + + return optind; +} + static int is_dir(char *path) { @@ -514,7 +582,7 @@ pathname_is_dir(char *pathname) static int process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, - int pflag, int rflag) + int pflag, int rflag, int resume, int fflag) { char *abs_src = NULL; char *abs_dst = NULL; @@ -548,7 +616,7 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, tmp = xstrdup(g.gl_pathv[i]); if ((filename = basename(tmp)) == NULL) { error("basename %s: %s", tmp, strerror(errno)); - xfree(tmp); + free(tmp); err = -1; goto out; } @@ -564,31 +632,37 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, } else { abs_dst = xstrdup(filename); } - xfree(tmp); + free(tmp); - printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); + resume |= global_aflag; + if (!quiet && resume) + printf("Resuming %s to %s\n", g.gl_pathv[i], abs_dst); + else if (!quiet && !resume) + printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { - if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, - pflag || global_pflag, 1) == -1) + if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, + pflag || global_pflag, 1, resume, + fflag || global_fflag) == -1) err = -1; } else { if (do_download(conn, g.gl_pathv[i], abs_dst, NULL, - pflag || global_pflag) == -1) + pflag || global_pflag, resume, + fflag || global_fflag) == -1) err = -1; } - xfree(abs_dst); + free(abs_dst); abs_dst = NULL; } out: - xfree(abs_src); + free(abs_src); globfree(&g); return(err); } static int process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, - int pflag, int rflag) + int pflag, int rflag, int fflag) { char *tmp_dst = NULL; char *abs_dst = NULL; @@ -629,11 +703,11 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, error("stat %s: %s", g.gl_pathv[i], strerror(errno)); continue; } - + tmp = xstrdup(g.gl_pathv[i]); if ((filename = basename(tmp)) == NULL) { error("basename %s: %s", tmp, strerror(errno)); - xfree(tmp); + free(tmp); err = -1; goto out; } @@ -649,25 +723,26 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, } else { abs_dst = make_absolute(xstrdup(filename), pwd); } - xfree(tmp); + free(tmp); - printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); + if (!quiet) + printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { if (upload_dir(conn, g.gl_pathv[i], abs_dst, - pflag || global_pflag, 1) == -1) + pflag || global_pflag, 1, + fflag || global_fflag) == -1) err = -1; } else { if (do_upload(conn, g.gl_pathv[i], abs_dst, - pflag || global_pflag) == -1) + pflag || global_pflag, + fflag || global_fflag) == -1) err = -1; } } out: - if (abs_dst) - xfree(abs_dst); - if (tmp_dst) - xfree(tmp_dst); + free(abs_dst); + free(tmp_dst); globfree(&g); return(err); } @@ -715,7 +790,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) /* Add any subpath that also needs to be counted */ tmp = path_strip(path, strip_path); m += strlen(tmp); - xfree(tmp); + free(tmp); if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) width = ws.ws_col; @@ -741,7 +816,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) tmp = path_append(path, d[n]->filename); fname = path_strip(tmp, strip_path); - xfree(tmp); + free(tmp); if (lflag & LS_LONG_VIEW) { if (lflag & (LS_NUMERIC_VIEW|LS_SI_UNITS)) { @@ -753,7 +828,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) lname = ls_file(fname, &sb, 1, (lflag & LS_SI_UNITS)); printf("%s\n", lname); - xfree(lname); + free(lname); } else printf("%s\n", d[n]->longname); } else { @@ -765,7 +840,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) c++; } - xfree(fname); + free(fname); } if (!(lflag & LS_LONG_VIEW) && (c != 1)) @@ -835,7 +910,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, lname = ls_file(fname, g.gl_statv[i], 1, (lflag & LS_SI_UNITS)); printf("%s\n", lname); - xfree(lname); + free(lname); } else { printf("%-*s", colspace, fname); if (c >= columns) { @@ -844,7 +919,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, } else c++; } - xfree(fname); + free(fname); } if (!(lflag & LS_LONG_VIEW) && (c != 1)) @@ -958,7 +1033,7 @@ undo_glob_escape(char *s) * * If "lastquote" is not NULL, the quoting character used for the last * argument is placed in *lastquote ("\0", "'" or "\""). - * + * * If "terminated" is not NULL, *terminated will be set to 1 when the * last argument's quote has been properly terminated or 0 otherwise. * This parameter is only of use if "sloppy" is set. @@ -992,7 +1067,7 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, error("Too many arguments."); return NULL; } - if (isspace(arg[i])) { + if (isspace((unsigned char)arg[i])) { if (state == MA_UNQUOTED) { /* Terminate current argument */ argvs[j++] = '\0'; @@ -1007,7 +1082,7 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, state = q; if (lastquote != NULL) *lastquote = arg[i]; - } else if (state == MA_UNQUOTED) + } else if (state == MA_UNQUOTED) state = q; else if (state == q) state = MA_UNQUOTED; @@ -1113,8 +1188,9 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, } static int -parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, - int *hflag, int *sflag, unsigned long *n_arg, char **path1, char **path2) +parse_args(const char **cpp, int *ignore_errors, int *aflag, int *fflag, + int *hflag, int *iflag, int *lflag, int *pflag, int *rflag, int *sflag, + unsigned long *n_arg, char **path1, char **path2) { const char *cmd, *cp = *cpp; char *cp2, **argv; @@ -1126,9 +1202,9 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, cp = cp + strspn(cp, WHITESPACE); /* Check for leading '-' (disable error processing) */ - *iflag = 0; + *ignore_errors = 0; if (*cp == '-') { - *iflag = 1; + *ignore_errors = 1; cp++; cp = cp + strspn(cp, WHITESPACE); } @@ -1158,14 +1234,16 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, } /* Get arguments and parse flags */ - *lflag = *pflag = *rflag = *hflag = *n_arg = 0; + *aflag = *fflag = *hflag = *iflag = *lflag = *pflag = 0; + *rflag = *sflag = 0; *path1 = *path2 = NULL; optidx = 1; switch (cmdnum) { case I_GET: + case I_REGET: case I_PUT: if ((optidx = parse_getput_flags(cmd, argv, argc, - pflag, rflag)) == -1) + aflag, fflag, pflag, rflag)) == -1) return -1; /* Get first pathname (mandatory) */ if (argc - optidx < 1) { @@ -1180,12 +1258,24 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, /* Destination is not globbed */ undo_glob_escape(*path2); } + if (*aflag && cmdnum == I_PUT) { + /* XXX implement resume for uploads */ + error("Resume is not supported for uploads"); + return -1; + } break; case I_LINK: if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1) return -1; - case I_SYMLINK: + goto parse_two_paths; case I_RENAME: + if ((optidx = parse_rename_flags(cmd, argv, argc, lflag)) == -1) + return -1; + goto parse_two_paths; + case I_SYMLINK: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; + parse_two_paths: if (argc - optidx < 2) { error("You must specify two paths after a %s " "command.", cmd); @@ -1203,6 +1293,8 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, case I_CHDIR: case I_LCHDIR: case I_LMKDIR: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; /* Get pathname (mandatory) */ if (argc - optidx < 1) { error("You must specify a path after a %s command.", @@ -1244,6 +1336,8 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, base = 8; case I_CHOWN: case I_CHGRP: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; /* Get numeric arg (mandatory) */ if (argc - optidx < 1) goto need_num_arg; @@ -1274,6 +1368,8 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, case I_HELP: case I_VERSION: case I_PROGRESS: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; break; default: fatal("Command not implemented"); @@ -1288,7 +1384,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, int err_abort) { char *path1, *path2, *tmp; - int pflag = 0, rflag = 0, lflag = 0, iflag = 0, hflag = 0, sflag = 0; + int ignore_errors = 0, aflag = 0, fflag = 0, hflag = 0, iflag = 0; + int lflag = 0, pflag = 0, rflag = 0, sflag = 0; int cmdnum, i; unsigned long n_arg = 0; Attrib a, *aa; @@ -1297,10 +1394,9 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, glob_t g; path1 = path2 = NULL; - cmdnum = parse_args(&cmd, &pflag, &rflag, &lflag, &iflag, &hflag, - &sflag, &n_arg, &path1, &path2); - - if (iflag != 0) + cmdnum = parse_args(&cmd, &ignore_errors, &aflag, &fflag, &hflag, + &iflag, &lflag, &pflag, &rflag, &sflag, &n_arg, &path1, &path2); + if (ignore_errors != 0) err_abort = 0; memset(&g, 0, sizeof(g)); @@ -1314,16 +1410,21 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, /* Unrecognized command */ err = -1; break; + case I_REGET: + aflag = 1; + /* FALLTHROUGH */ case I_GET: - err = process_get(conn, path1, path2, *pwd, pflag, rflag); + err = process_get(conn, path1, path2, *pwd, pflag, + rflag, aflag, fflag); break; case I_PUT: - err = process_put(conn, path1, path2, *pwd, pflag, rflag); + err = process_put(conn, path1, path2, *pwd, pflag, + rflag, fflag); break; case I_RENAME: path1 = make_absolute(path1, *pwd); path2 = make_absolute(path2, *pwd); - err = do_rename(conn, path1, path2); + err = do_rename(conn, path1, path2, lflag); break; case I_SYMLINK: sflag = 1; @@ -1337,7 +1438,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, path1 = make_absolute(path1, *pwd); remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); for (i = 0; g.gl_pathv[i] && !interrupted; i++) { - printf("Removing %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Removing %s\n", g.gl_pathv[i]); err = do_rm(conn, g.gl_pathv[i]); if (err != 0 && err_abort) break; @@ -1361,24 +1463,24 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, break; } if ((aa = do_stat(conn, tmp, 0)) == NULL) { - xfree(tmp); + free(tmp); err = 1; break; } if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) { error("Can't change directory: Can't check target"); - xfree(tmp); + free(tmp); err = 1; break; } if (!S_ISDIR(aa->perm)) { error("Can't change directory: \"%s\" is not " "a directory", tmp); - xfree(tmp); + free(tmp); err = 1; break; } - xfree(*pwd); + free(*pwd); *pwd = tmp; break; case I_LS: @@ -1433,7 +1535,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, a.perm = n_arg; remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); for (i = 0; g.gl_pathv[i] && !interrupted; i++) { - printf("Changing mode on %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Changing mode on %s\n", g.gl_pathv[i]); err = do_setstat(conn, g.gl_pathv[i], &a); if (err != 0 && err_abort) break; @@ -1462,10 +1565,14 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, } aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; if (cmdnum == I_CHOWN) { - printf("Changing owner on %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Changing owner on %s\n", + g.gl_pathv[i]); aa->uid = n_arg; } else { - printf("Changing group on %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Changing group on %s\n", + g.gl_pathv[i]); aa->gid = n_arg; } err = do_setstat(conn, g.gl_pathv[i], aa); @@ -1506,10 +1613,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, if (g.gl_pathc) globfree(&g); - if (path1) - xfree(path1); - if (path2) - xfree(path2); + free(path1); + free(path2); /* If an unignored error occurs in batch mode we should abort. */ if (err_abort && err != 0) @@ -1536,7 +1641,7 @@ complete_display(char **list, u_int len) char *tmp; /* Count entries for sort and find longest */ - for (y = 0; list[y]; y++) + for (y = 0; list[y]; y++) m = MAX(m, strlen(list[y])); if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) @@ -1581,8 +1686,8 @@ complete_ambiguous(const char *word, char **list, size_t count) for (y = 1; list[y]; y++) { u_int x; - for (x = 0; x < matchlen; x++) - if (list[0][x] != list[y][x]) + for (x = 0; x < matchlen; x++) + if (list[0][x] != list[y][x]) break; matchlen = x; @@ -1594,7 +1699,7 @@ complete_ambiguous(const char *word, char **list, size_t count) tmp[matchlen] = '\0'; return tmp; } - } + } return xstrdup(word); } @@ -1614,26 +1719,26 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, if (cmd == NULL) { for (y = 0; cmds[y].c; y++) list[count++] = xstrdup(cmds[y].c); - + list[count] = NULL; complete_display(list, 0); - for (y = 0; list[y] != NULL; y++) - xfree(list[y]); - xfree(list); + for (y = 0; list[y] != NULL; y++) + free(list[y]); + free(list); return count; } /* Prepare subset of commands that start with "cmd" */ cmdlen = strlen(cmd); for (y = 0; cmds[y].c; y++) { - if (!strncasecmp(cmd, cmds[y].c, cmdlen)) + if (!strncasecmp(cmd, cmds[y].c, cmdlen)) list[count++] = xstrdup(cmds[y].c); } list[count] = NULL; if (count == 0) { - xfree(list); + free(list); return 0; } @@ -1642,9 +1747,9 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, if (count > 1) complete_display(list, 0); - for (y = 0; list[y]; y++) - xfree(list[y]); - xfree(list); + for (y = 0; list[y]; y++) + free(list[y]); + free(list); if (tmp != NULL) { tmplen = strlen(tmp); @@ -1665,7 +1770,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, if (y > 0 && el_insertstr(el, argterm) == -1) fatal("el_insertstr failed."); } - xfree(tmp); + free(tmp); } return count; @@ -1683,7 +1788,7 @@ complete_is_remote(char *cmd) { return -1; for (i = 0; cmds[i].c; i++) { - if (!strncasecmp(cmd, cmds[i].c, strlen(cmds[i].c))) + if (!strncasecmp(cmd, cmds[i].c, strlen(cmds[i].c))) return cmds[i].t; } @@ -1696,10 +1801,11 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, char *file, int remote, int lastarg, char quote, int terminated) { glob_t g; - char *tmp, *tmp2, ins[3]; + char *tmp, *tmp2, ins[8]; u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; + int clen; const LineInfo *lf; - + /* Glob from "file" location */ if (file == NULL) tmp = xstrdup("*"); @@ -1713,9 +1819,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (remote != LOCAL) { tmp = make_absolute(tmp, remote_path); remote_glob(conn, tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g); - } else + } else glob(tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g); - + /* Determine length of pwd so we can trim completion display */ for (hadglob = tmplen = pwdlen = 0; tmp[tmplen] != 0; tmplen++) { /* Terminate counting on first unescaped glob metacharacter */ @@ -1729,9 +1835,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (tmp[tmplen] == '/') pwdlen = tmplen + 1; /* track last seen '/' */ } - xfree(tmp); + free(tmp); - if (g.gl_matchc == 0) + if (g.gl_matchc == 0) goto out; if (g.gl_matchc > 1) @@ -1744,7 +1850,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc); tmp = path_strip(tmp2, isabs ? NULL : remote_path); - xfree(tmp2); + free(tmp2); if (tmp == NULL) goto out; @@ -1764,12 +1870,15 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (tmplen > (filelen - cesc)) { tmp2 = tmp + filelen - cesc; - len = strlen(tmp2); + len = strlen(tmp2); /* quote argument on way out */ - for (i = 0; i < len; i++) { + for (i = 0; i < len; i += clen) { + if ((clen = mblen(tmp2 + i, len - i)) < 0 || + (size_t)clen > sizeof(ins) - 2) + fatal("invalid multibyte character"); ins[0] = '\\'; - ins[1] = tmp2[i]; - ins[2] = '\0'; + memcpy(ins + 1, tmp2 + i, clen); + ins[clen + 1] = '\0'; switch (tmp2[i]) { case '\'': case '"': @@ -1806,7 +1915,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (i > 0 && el_insertstr(el, ins) == -1) fatal("el_insertstr failed."); } - xfree(tmp); + free(tmp); out: globfree(&g); @@ -1817,8 +1926,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, static unsigned char complete(EditLine *el, int ch) { - char **argv, *line, quote; - u_int argc, carg, cursor, len, terminated, ret = CC_ERROR; + char **argv, *line, quote; + int argc, carg; + u_int cursor, len, terminated, ret = CC_ERROR; const LineInfo *lf; struct complete_ctx *complete_ctx; @@ -1832,7 +1942,7 @@ complete(EditLine *el, int ch) memcpy(line, lf->buffer, cursor); line[cursor] = '\0'; argv = makeargv(line, &carg, 1, "e, &terminated); - xfree(line); + free(line); /* Get all the arguments on the line */ len = lf->lastchar - lf->buffer; @@ -1844,7 +1954,7 @@ complete(EditLine *el, int ch) /* Ensure cursor is at EOL or a argument boundary */ if (line[cursor] != ' ' && line[cursor] != '\0' && line[cursor] != '\n') { - xfree(line); + free(line); return ret; } @@ -1855,7 +1965,7 @@ complete(EditLine *el, int ch) } else if (carg == 1 && cursor > 0 && line[cursor - 1] != ' ') { /* Handle the command parsing */ if (complete_cmd_parse(el, argv[0], argc == carg, - quote, terminated) != 0) + quote, terminated) != 0) ret = CC_REDISPLAY; } else if (carg >= 1) { /* Handle file parsing */ @@ -1868,11 +1978,11 @@ complete(EditLine *el, int ch) if (remote != 0 && complete_match(el, complete_ctx->conn, *complete_ctx->remote_pathp, filematch, - remote, carg == argc, quote, terminated) != 0) + remote, carg == argc, quote, terminated) != 0) ret = CC_REDISPLAY; } - xfree(line); + free(line); return ret; } #endif /* USE_LIBEDIT */ @@ -1906,12 +2016,19 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) el_source(el, NULL); /* Tab Completion */ - el_set(el, EL_ADDFN, "ftp-complete", + el_set(el, EL_ADDFN, "ftp-complete", "Context sensitive argument completion", complete); complete_ctx.conn = conn; complete_ctx.remote_pathp = &remote_path; el_set(el, EL_CLIENTDATA, (void*)&complete_ctx); el_set(el, EL_BIND, "^I", "ftp-complete", NULL); + /* enable ctrl-left-arrow and ctrl-right-arrow */ + el_set(el, EL_BIND, "\\e[1;5C", "em-next-word", NULL); + el_set(el, EL_BIND, "\\e[5C", "em-next-word", NULL); + el_set(el, EL_BIND, "\\e[1;5D", "ed-prev-word", NULL); + el_set(el, EL_BIND, "\\e\\e[D", "ed-prev-word", NULL); + /* make ^w match ksh behaviour */ + el_set(el, EL_BIND, "^w", "ed-delete-prev-word", NULL); } #endif /* USE_LIBEDIT */ @@ -1924,31 +2041,30 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) dir = make_absolute(dir, remote_path); if (remote_is_dir(conn, dir) && file2 == NULL) { - printf("Changing to: %s\n", dir); + if (!quiet) + printf("Changing to: %s\n", dir); snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); if (parse_dispatch_command(conn, cmd, &remote_path, 1) != 0) { - xfree(dir); - xfree(remote_path); - xfree(conn); + free(dir); + free(remote_path); + free(conn); return (-1); } } else { /* XXX this is wrong wrt quoting */ - if (file2 == NULL) - snprintf(cmd, sizeof cmd, "get %s", dir); - else - snprintf(cmd, sizeof cmd, "get %s %s", dir, - file2); - + snprintf(cmd, sizeof cmd, "get%s %s%s%s", + global_aflag ? " -a" : "", dir, + file2 == NULL ? "" : " ", + file2 == NULL ? "" : file2); err = parse_dispatch_command(conn, cmd, &remote_path, 1); - xfree(dir); - xfree(remote_path); - xfree(conn); + free(dir); + free(remote_path); + free(conn); return (err); } - xfree(dir); + free(dir); } setlinebuf(stdout); @@ -2006,8 +2122,8 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) if (err != 0) break; } - xfree(remote_path); - xfree(conn); + free(remote_path); + free(conn); #ifdef USE_LIBEDIT if (el != NULL) @@ -2081,7 +2197,7 @@ usage(void) extern char *__progname; fprintf(stderr, - "usage: %s [-1246Cpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" + "usage: %s [-1246aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" " [-D sftp_server_path] [-F ssh_config] " "[-i identity_file] [-l limit]\n" " [-o ssh_option] [-P port] [-R num_requests] " @@ -2114,6 +2230,7 @@ main(int argc, char **argv) /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); + setlocale(LC_CTYPE, ""); __progname = ssh_get_progname(argv[0]); memset(&args, '\0', sizeof(args)); @@ -2128,7 +2245,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, - "1246hpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { + "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ case '4': @@ -2145,6 +2262,8 @@ main(int argc, char **argv) addargs(&args, "%s", optarg); break; case 'q': + ll = SYSLOG_LEVEL_ERROR; + quiet = 1; showprogress = 0; addargs(&args, "-%c", ch); break; @@ -2166,6 +2285,9 @@ main(int argc, char **argv) case '2': sshver = 2; break; + case 'a': + global_aflag = 1; + break; case 'B': copy_buffer_len = strtol(optarg, &cp, 10); if (copy_buffer_len == 0 || *cp != '\0') @@ -2180,9 +2302,12 @@ main(int argc, char **argv) (infile = fopen(optarg, "r")) == NULL) fatal("%s (%s).", strerror(errno), optarg); showprogress = 0; - batchmode = 1; + quiet = batchmode = 1; addargs(&args, "-obatchmode yes"); break; + case 'f': + global_fflag = 1; + break; case 'p': global_pflag = 1; break; @@ -2277,7 +2402,7 @@ main(int argc, char **argv) if (conn == NULL) fatal("Couldn't initialise connection to server"); - if (!batchmode) { + if (!quiet) { if (sftp_direct == NULL) fprintf(stderr, "Connected to %s.\n", host); else diff --git a/crypto/openssh/smult_curve25519_ref.c b/crypto/openssh/smult_curve25519_ref.c new file mode 100644 index 000000000..2e69934d4 --- /dev/null +++ b/crypto/openssh/smult_curve25519_ref.c @@ -0,0 +1,265 @@ +/* $OpenBSD: smult_curve25519_ref.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */ +/* +version 20081011 +Matthew Dempsky +Public domain. +Derived from public domain code by D. J. Bernstein. +*/ + +int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *); + +static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32]) +{ + unsigned int j; + unsigned int u; + u = 0; + for (j = 0;j < 31;++j) { u += a[j] + b[j]; out[j] = u & 255; u >>= 8; } + u += a[31] + b[31]; out[31] = u; +} + +static void sub(unsigned int out[32],const unsigned int a[32],const unsigned int b[32]) +{ + unsigned int j; + unsigned int u; + u = 218; + for (j = 0;j < 31;++j) { + u += a[j] + 65280 - b[j]; + out[j] = u & 255; + u >>= 8; + } + u += a[31] - b[31]; + out[31] = u; +} + +static void squeeze(unsigned int a[32]) +{ + unsigned int j; + unsigned int u; + u = 0; + for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; } + u += a[31]; a[31] = u & 127; + u = 19 * (u >> 7); + for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; } + u += a[31]; a[31] = u; +} + +static const unsigned int minusp[32] = { + 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128 +} ; + +static void freeze(unsigned int a[32]) +{ + unsigned int aorig[32]; + unsigned int j; + unsigned int negative; + + for (j = 0;j < 32;++j) aorig[j] = a[j]; + add(a,a,minusp); + negative = -((a[31] >> 7) & 1); + for (j = 0;j < 32;++j) a[j] ^= negative & (aorig[j] ^ a[j]); +} + +static void mult(unsigned int out[32],const unsigned int a[32],const unsigned int b[32]) +{ + unsigned int i; + unsigned int j; + unsigned int u; + + for (i = 0;i < 32;++i) { + u = 0; + for (j = 0;j <= i;++j) u += a[j] * b[i - j]; + for (j = i + 1;j < 32;++j) u += 38 * a[j] * b[i + 32 - j]; + out[i] = u; + } + squeeze(out); +} + +static void mult121665(unsigned int out[32],const unsigned int a[32]) +{ + unsigned int j; + unsigned int u; + + u = 0; + for (j = 0;j < 31;++j) { u += 121665 * a[j]; out[j] = u & 255; u >>= 8; } + u += 121665 * a[31]; out[31] = u & 127; + u = 19 * (u >> 7); + for (j = 0;j < 31;++j) { u += out[j]; out[j] = u & 255; u >>= 8; } + u += out[j]; out[j] = u; +} + +static void square(unsigned int out[32],const unsigned int a[32]) +{ + unsigned int i; + unsigned int j; + unsigned int u; + + for (i = 0;i < 32;++i) { + u = 0; + for (j = 0;j < i - j;++j) u += a[j] * a[i - j]; + for (j = i + 1;j < i + 32 - j;++j) u += 38 * a[j] * a[i + 32 - j]; + u *= 2; + if ((i & 1) == 0) { + u += a[i / 2] * a[i / 2]; + u += 38 * a[i / 2 + 16] * a[i / 2 + 16]; + } + out[i] = u; + } + squeeze(out); +} + +static void select(unsigned int p[64],unsigned int q[64],const unsigned int r[64],const unsigned int s[64],unsigned int b) +{ + unsigned int j; + unsigned int t; + unsigned int bminus1; + + bminus1 = b - 1; + for (j = 0;j < 64;++j) { + t = bminus1 & (r[j] ^ s[j]); + p[j] = s[j] ^ t; + q[j] = r[j] ^ t; + } +} + +static void mainloop(unsigned int work[64],const unsigned char e[32]) +{ + unsigned int xzm1[64]; + unsigned int xzm[64]; + unsigned int xzmb[64]; + unsigned int xzm1b[64]; + unsigned int xznb[64]; + unsigned int xzn1b[64]; + unsigned int a0[64]; + unsigned int a1[64]; + unsigned int b0[64]; + unsigned int b1[64]; + unsigned int c1[64]; + unsigned int r[32]; + unsigned int s[32]; + unsigned int t[32]; + unsigned int u[32]; + unsigned int j; + unsigned int b; + int pos; + + for (j = 0;j < 32;++j) xzm1[j] = work[j]; + xzm1[32] = 1; + for (j = 33;j < 64;++j) xzm1[j] = 0; + + xzm[0] = 1; + for (j = 1;j < 64;++j) xzm[j] = 0; + + for (pos = 254;pos >= 0;--pos) { + b = e[pos / 8] >> (pos & 7); + b &= 1; + select(xzmb,xzm1b,xzm,xzm1,b); + add(a0,xzmb,xzmb + 32); + sub(a0 + 32,xzmb,xzmb + 32); + add(a1,xzm1b,xzm1b + 32); + sub(a1 + 32,xzm1b,xzm1b + 32); + square(b0,a0); + square(b0 + 32,a0 + 32); + mult(b1,a1,a0 + 32); + mult(b1 + 32,a1 + 32,a0); + add(c1,b1,b1 + 32); + sub(c1 + 32,b1,b1 + 32); + square(r,c1 + 32); + sub(s,b0,b0 + 32); + mult121665(t,s); + add(u,t,b0); + mult(xznb,b0,b0 + 32); + mult(xznb + 32,s,u); + square(xzn1b,c1); + mult(xzn1b + 32,r,work); + select(xzm,xzm1,xznb,xzn1b,b); + } + + for (j = 0;j < 64;++j) work[j] = xzm[j]; +} + +static void recip(unsigned int out[32],const unsigned int z[32]) +{ + unsigned int z2[32]; + unsigned int z9[32]; + unsigned int z11[32]; + unsigned int z2_5_0[32]; + unsigned int z2_10_0[32]; + unsigned int z2_20_0[32]; + unsigned int z2_50_0[32]; + unsigned int z2_100_0[32]; + unsigned int t0[32]; + unsigned int t1[32]; + int i; + + /* 2 */ square(z2,z); + /* 4 */ square(t1,z2); + /* 8 */ square(t0,t1); + /* 9 */ mult(z9,t0,z); + /* 11 */ mult(z11,z9,z2); + /* 22 */ square(t0,z11); + /* 2^5 - 2^0 = 31 */ mult(z2_5_0,t0,z9); + + /* 2^6 - 2^1 */ square(t0,z2_5_0); + /* 2^7 - 2^2 */ square(t1,t0); + /* 2^8 - 2^3 */ square(t0,t1); + /* 2^9 - 2^4 */ square(t1,t0); + /* 2^10 - 2^5 */ square(t0,t1); + /* 2^10 - 2^0 */ mult(z2_10_0,t0,z2_5_0); + + /* 2^11 - 2^1 */ square(t0,z2_10_0); + /* 2^12 - 2^2 */ square(t1,t0); + /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { square(t0,t1); square(t1,t0); } + /* 2^20 - 2^0 */ mult(z2_20_0,t1,z2_10_0); + + /* 2^21 - 2^1 */ square(t0,z2_20_0); + /* 2^22 - 2^2 */ square(t1,t0); + /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { square(t0,t1); square(t1,t0); } + /* 2^40 - 2^0 */ mult(t0,t1,z2_20_0); + + /* 2^41 - 2^1 */ square(t1,t0); + /* 2^42 - 2^2 */ square(t0,t1); + /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { square(t1,t0); square(t0,t1); } + /* 2^50 - 2^0 */ mult(z2_50_0,t0,z2_10_0); + + /* 2^51 - 2^1 */ square(t0,z2_50_0); + /* 2^52 - 2^2 */ square(t1,t0); + /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { square(t0,t1); square(t1,t0); } + /* 2^100 - 2^0 */ mult(z2_100_0,t1,z2_50_0); + + /* 2^101 - 2^1 */ square(t1,z2_100_0); + /* 2^102 - 2^2 */ square(t0,t1); + /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { square(t1,t0); square(t0,t1); } + /* 2^200 - 2^0 */ mult(t1,t0,z2_100_0); + + /* 2^201 - 2^1 */ square(t0,t1); + /* 2^202 - 2^2 */ square(t1,t0); + /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { square(t0,t1); square(t1,t0); } + /* 2^250 - 2^0 */ mult(t0,t1,z2_50_0); + + /* 2^251 - 2^1 */ square(t1,t0); + /* 2^252 - 2^2 */ square(t0,t1); + /* 2^253 - 2^3 */ square(t1,t0); + /* 2^254 - 2^4 */ square(t0,t1); + /* 2^255 - 2^5 */ square(t1,t0); + /* 2^255 - 21 */ mult(out,t1,z11); +} + +int crypto_scalarmult_curve25519(unsigned char *q, + const unsigned char *n, + const unsigned char *p) +{ + unsigned int work[96]; + unsigned char e[32]; + unsigned int i; + for (i = 0;i < 32;++i) e[i] = n[i]; + e[0] &= 248; + e[31] &= 127; + e[31] |= 64; + for (i = 0;i < 32;++i) work[i] = p[i]; + mainloop(work,e); + recip(work + 32,work + 32); + mult(work + 64,work,work + 32); + freeze(work + 64); + for (i = 0;i < 32;++i) q[i] = work[64 + i]; + return 0; +} diff --git a/crypto/openssh/ssh-add.0 b/crypto/openssh/ssh-add.0 new file mode 100644 index 000000000..ba43fee69 --- /dev/null +++ b/crypto/openssh/ssh-add.0 @@ -0,0 +1,123 @@ +SSH-ADD(1) OpenBSD Reference Manual SSH-ADD(1) + +NAME + ssh-add - adds private key identities to the authentication agent + +SYNOPSIS + ssh-add [-cDdkLlXx] [-t life] [file ...] + ssh-add -s pkcs11 + ssh-add -e pkcs11 + +DESCRIPTION + ssh-add adds private key identities to the authentication agent, + ssh-agent(1). When run without arguments, it adds the files + ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and + ~/.ssh/identity. After loading a private key, ssh-add will try to load + corresponding certificate information from the filename obtained by + appending -cert.pub to the name of the private key file. Alternative + file names can be given on the command line. + + If any file requires a passphrase, ssh-add asks for the passphrase from + the user. The passphrase is read from the user's tty. ssh-add retries + the last passphrase if multiple identity files are given. + + The authentication agent must be running and the SSH_AUTH_SOCK + environment variable must contain the name of its socket for ssh-add to + work. + + The options are as follows: + + -c Indicates that added identities should be subject to confirmation + before being used for authentication. Confirmation is performed + by the SSH_ASKPASS program mentioned below. Successful + confirmation is signaled by a zero exit status from the + SSH_ASKPASS program, rather than text entered into the requester. + + -D Deletes all identities from the agent. + + -d Instead of adding identities, removes identities from the agent. + If ssh-add has been run without arguments, the keys for the + default identities and their corresponding certificates will be + removed. Otherwise, the argument list will be interpreted as a + list of paths to public key files to specify keys and + certificates to be removed from the agent. If no public key is + found at a given path, ssh-add will append .pub and retry. + + -e pkcs11 + Remove keys provided by the PKCS#11 shared library pkcs11. + + -k When loading keys into or deleting keys from the agent, process + plain private keys only and skip certificates. + + -L Lists public key parameters of all identities currently + represented by the agent. + + -l Lists fingerprints of all identities currently represented by the + agent. + + -s pkcs11 + Add keys provided by the PKCS#11 shared library pkcs11. + + -t life + Set a maximum lifetime when adding identities to an agent. The + lifetime may be specified in seconds or in a time format + specified in sshd_config(5). + + -X Unlock the agent. + + -x Lock the agent with a password. + +ENVIRONMENT + DISPLAY and SSH_ASKPASS + If ssh-add needs a passphrase, it will read the passphrase from + the current terminal if it was run from a terminal. If ssh-add + does not have a terminal associated with it but DISPLAY and + SSH_ASKPASS are set, it will execute the program specified by + SSH_ASKPASS and open an X11 window to read the passphrase. This + is particularly useful when calling ssh-add from a .xsession or + related script. (Note that on some machines it may be necessary + to redirect the input from /dev/null to make this work.) + + SSH_AUTH_SOCK + Identifies the path of a UNIX-domain socket used to communicate + with the agent. + +FILES + ~/.ssh/identity + Contains the protocol version 1 RSA authentication identity of + the user. + + ~/.ssh/id_dsa + Contains the protocol version 2 DSA authentication identity of + the user. + + ~/.ssh/id_ecdsa + Contains the protocol version 2 ECDSA authentication identity of + the user. + + ~/.ssh/id_ed25519 + Contains the protocol version 2 ED25519 authentication identity + of the user. + + ~/.ssh/id_rsa + Contains the protocol version 2 RSA authentication identity of + the user. + + Identity files should not be readable by anyone but the user. Note that + ssh-add ignores identity files if they are accessible by others. + +EXIT STATUS + Exit status is 0 on success, 1 if the specified command fails, and 2 if + ssh-add is unable to contact the authentication agent. + +SEE ALSO + ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8) + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +OpenBSD 5.5 December 7, 2013 OpenBSD 5.5 diff --git a/crypto/openssh/ssh-add.1 b/crypto/openssh/ssh-add.1 index 3cfc3766a..915e0a6e8 100644 --- a/crypto/openssh/ssh-add.1 +++ b/crypto/openssh/ssh-add.1 @@ -1,4 +1,5 @@ -.\" $OpenBSD: ssh-add.1,v 1.58 2012/12/03 08:33:02 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.59 2013/12/07 11:58:46 naddy Exp $ +.\" $FreeBSD$ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +36,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 3, 2012 +.Dd December 7, 2013 .Dt SSH-ADD 1 .Os .Sh NAME @@ -57,7 +58,8 @@ adds private key identities to the authentication agent, When run without arguments, it adds the files .Pa ~/.ssh/id_rsa , .Pa ~/.ssh/id_dsa , -.Pa ~/.ssh/id_ecdsa +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/identity . After loading a private key, @@ -169,6 +171,8 @@ Contains the protocol version 1 RSA authentication identity of the user. Contains the protocol version 2 DSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa Contains the protocol version 2 ECDSA authentication identity of the user. +.It Pa ~/.ssh/id_ed25519 +Contains the protocol version 2 ED25519 authentication identity of the user. .It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. .El diff --git a/crypto/openssh/ssh-add.c b/crypto/openssh/ssh-add.c index 008084704..3421452af 100644 --- a/crypto/openssh/ssh-add.c +++ b/crypto/openssh/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.109 2014/02/02 03:44:31 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -73,6 +73,7 @@ static char *default_files[] = { #ifdef OPENSSL_HAS_ECC _PATH_SSH_CLIENT_ID_ECDSA, #endif + _PATH_SSH_CLIENT_ID_ED25519, _PATH_SSH_CLIENT_IDENTITY, NULL }; @@ -89,8 +90,8 @@ static void clear_pass(void) { if (pass) { - memset(pass, 0, strlen(pass)); - xfree(pass); + explicit_bzero(pass, strlen(pass)); + free(pass); pass = NULL; } } @@ -215,7 +216,7 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) pass = read_passphrase(msg, RP_ALLOW_STDIN); if (strcmp(pass, "") == 0) { clear_pass(); - xfree(comment); + free(comment); buffer_free(&keyblob); return -1; } @@ -282,8 +283,8 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) fprintf(stderr, "The user must confirm each use of the key\n"); out: if (certpath != NULL) - xfree(certpath); - xfree(comment); + free(certpath); + free(comment); key_free(private); return ret; @@ -292,14 +293,17 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) static int update_card(AuthenticationConnection *ac, int add, const char *id) { - char *pin; + char *pin = NULL; int ret = -1; - pin = read_passphrase("Enter passphrase for PKCS#11: ", RP_ALLOW_STDIN); - if (pin == NULL) - return -1; + if (add) { + if ((pin = read_passphrase("Enter passphrase for PKCS#11: ", + RP_ALLOW_STDIN)) == NULL) + return -1; + } - if (ssh_update_card(ac, add, id, pin, lifetime, confirm)) { + if (ssh_update_card(ac, add, id, pin == NULL ? "" : pin, + lifetime, confirm)) { fprintf(stderr, "Card %s: %s\n", add ? "added" : "removed", id); ret = 0; @@ -308,7 +312,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id) add ? "add" : "remove", id); ret = -1; } - xfree(pin); + free(pin); return ret; } @@ -330,14 +334,14 @@ list_identities(AuthenticationConnection *ac, int do_fp) SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); - xfree(fp); + free(fp); } else { if (!key_write(key, stdout)) fprintf(stderr, "key_write failed"); fprintf(stdout, " %s\n", comment); } key_free(key); - xfree(comment); + free(comment); } } if (!had_identities) { @@ -362,16 +366,16 @@ lock_agent(AuthenticationConnection *ac, int lock) fprintf(stderr, "Passwords do not match.\n"); passok = 0; } - memset(p2, 0, strlen(p2)); - xfree(p2); + explicit_bzero(p2, strlen(p2)); + free(p2); } if (passok && ssh_lock_agent(ac, lock, p1)) { fprintf(stderr, "Agent %slocked.\n", lock ? "" : "un"); ret = 0; } else fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un"); - memset(p1, 0, strlen(p1)); - xfree(p1); + explicit_bzero(p1, strlen(p1)); + free(p1); return (ret); } diff --git a/crypto/openssh/ssh-agent.0 b/crypto/openssh/ssh-agent.0 new file mode 100644 index 000000000..c11523db3 --- /dev/null +++ b/crypto/openssh/ssh-agent.0 @@ -0,0 +1,128 @@ +SSH-AGENT(1) OpenBSD Reference Manual SSH-AGENT(1) + +NAME + ssh-agent - authentication agent + +SYNOPSIS + ssh-agent [-c | -s] [-d] [-a bind_address] [-t life] [command [arg ...]] + ssh-agent [-c | -s] -k + +DESCRIPTION + ssh-agent is a program to hold private keys used for public key + authentication (RSA, DSA, ECDSA, ED25519). The idea is that ssh-agent is + started in the beginning of an X-session or a login session, and all + other windows or programs are started as clients to the ssh-agent + program. Through use of environment variables the agent can be located + and automatically used for authentication when logging in to other + machines using ssh(1). + + The options are as follows: + + -a bind_address + Bind the agent to the UNIX-domain socket bind_address. The + default is $TMPDIR/ssh-XXXXXXXXXX/agent.. + + -c Generate C-shell commands on stdout. This is the default if + SHELL looks like it's a csh style of shell. + + -d Debug mode. When this option is specified ssh-agent will not + fork. + + -k Kill the current agent (given by the SSH_AGENT_PID environment + variable). + + -s Generate Bourne shell commands on stdout. This is the default if + SHELL does not look like it's a csh style of shell. + + -t life + Set a default value for the maximum lifetime of identities added + to the agent. The lifetime may be specified in seconds or in a + time format specified in sshd_config(5). A lifetime specified + for an identity with ssh-add(1) overrides this value. Without + this option the default maximum lifetime is forever. + + If a commandline is given, this is executed as a subprocess of the agent. + When the command dies, so does the agent. + + The agent initially does not have any private keys. Keys are added using + ssh-add(1). When executed without arguments, ssh-add(1) adds the files + ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and + ~/.ssh/identity. If the identity has a passphrase, ssh-add(1) asks for + the passphrase on the terminal if it has one or from a small X11 program + if running under X11. If neither of these is the case then the + authentication will fail. It then sends the identity to the agent. + Several identities can be stored in the agent; the agent can + automatically use any of these identities. ssh-add -l displays the + identities currently held by the agent. + + The idea is that the agent is run in the user's local PC, laptop, or + terminal. Authentication data need not be stored on any other machine, + and authentication passphrases never go over the network. However, the + connection to the agent is forwarded over SSH remote logins, and the user + can thus use the privileges given by the identities anywhere in the + network in a secure way. + + There are two main ways to get an agent set up: The first is that the + agent starts a new subcommand into which some environment variables are + exported, eg ssh-agent xterm &. The second is that the agent prints the + needed shell commands (either sh(1) or csh(1) syntax can be generated) + which can be evaluated in the calling shell, eg eval `ssh-agent -s` for + Bourne-type shells such as sh(1) or ksh(1) and eval `ssh-agent -c` for + csh(1) and derivatives. + + Later ssh(1) looks at these variables and uses them to establish a + connection to the agent. + + The agent will never send a private key over its request channel. + Instead, operations that require a private key will be performed by the + agent, and the result will be returned to the requester. This way, + private keys are not exposed to clients using the agent. + + A UNIX-domain socket is created and the name of this socket is stored in + the SSH_AUTH_SOCK environment variable. The socket is made accessible + only to the current user. This method is easily abused by root or + another instance of the same user. + + The SSH_AGENT_PID environment variable holds the agent's process ID. + + The agent exits automatically when the command given on the command line + terminates. + +FILES + ~/.ssh/identity + Contains the protocol version 1 RSA authentication identity of + the user. + + ~/.ssh/id_dsa + Contains the protocol version 2 DSA authentication identity of + the user. + + ~/.ssh/id_ecdsa + Contains the protocol version 2 ECDSA authentication identity of + the user. + + ~/.ssh/id_ed25519 + Contains the protocol version 2 ED25519 authentication identity + of the user. + + ~/.ssh/id_rsa + Contains the protocol version 2 RSA authentication identity of + the user. + + $TMPDIR/ssh-XXXXXXXXXX/agent. + UNIX-domain sockets used to contain the connection to the + authentication agent. These sockets should only be readable by + the owner. The sockets should get automatically removed when the + agent exits. + +SEE ALSO + ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +OpenBSD 5.5 December 7, 2013 OpenBSD 5.5 diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1 index b14461570..2a1c58e6c 100644 --- a/crypto/openssh/ssh-agent.1 +++ b/crypto/openssh/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.53 2010/11/21 01:01:13 djm Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.54 2013/12/07 11:58:46 naddy Exp $ .\" $FreeBSD$ .\" .\" Author: Tatu Ylonen @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 21, 2010 +.Dd December 7, 2013 .Dt SSH-AGENT 1 .Os .Sh NAME @@ -54,7 +54,7 @@ .Sh DESCRIPTION .Nm is a program to hold private keys used for public key authentication -(RSA, DSA, ECDSA). +(RSA, DSA, ECDSA, ED25519). The idea is that .Nm is started in the beginning of an X-session or a login session, and @@ -118,7 +118,8 @@ When executed without arguments, adds the files .Pa ~/.ssh/id_rsa , .Pa ~/.ssh/id_dsa , -.Pa ~/.ssh/id_ecdsa +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/identity . If the identity has a passphrase, @@ -193,6 +194,8 @@ Contains the protocol version 1 RSA authentication identity of the user. Contains the protocol version 2 DSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa Contains the protocol version 2 ECDSA authentication identity of the user. +.It Pa ~/.ssh/id_ed25519 +Contains the protocol version 2 ED25519 authentication identity of the user. .It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c index 9d4e0c9c6..e402fa977 100644 --- a/crypto/openssh/ssh-agent.c +++ b/crypto/openssh/ssh-agent.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ssh-agent.c,v 1.172 2011/06/03 01:37:40 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.183 2014/02/02 03:44:31 djm Exp $ */ +/* $FreeBSD$ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -51,7 +52,6 @@ __RCSID("$FreeBSD$"); #include "openbsd-compat/sys-queue.h" #include -#include #include "openbsd-compat/openssl-compat.h" #include @@ -76,6 +76,7 @@ __RCSID("$FreeBSD$"); #include "compat.h" #include "log.h" #include "misc.h" +#include "digest.h" #ifdef ENABLE_PKCS11 #include "ssh-pkcs11.h" @@ -107,7 +108,7 @@ typedef struct identity { Key *key; char *comment; char *provider; - u_int death; + time_t death; u_int confirm; } Identity; @@ -123,7 +124,7 @@ int max_fd = 0; /* pid of shell == parent of agent */ pid_t parent_pid = -1; -u_int parent_alive_interval = 0; +time_t parent_alive_interval = 0; /* pathname and directory for AUTH_SOCKET */ char socket_name[MAXPATHLEN]; @@ -135,8 +136,8 @@ char *lock_passwd = NULL; extern char *__progname; -/* Default lifetime (0 == forever) */ -static int lifetime = 0; +/* Default lifetime in seconds (0 == forever) */ +static long lifetime = 0; /* * Client connection count; incremented in new_socket() and decremented in @@ -192,10 +193,9 @@ static void free_identity(Identity *id) { key_free(id->key); - if (id->provider != NULL) - xfree(id->provider); - xfree(id->comment); - xfree(id); + free(id->provider); + free(id->comment); + free(id); } /* return matching private key for given public key */ @@ -223,7 +223,7 @@ confirm_key(Identity *id) if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", id->comment, p)) ret = 0; - xfree(p); + free(p); return (ret); } @@ -250,7 +250,7 @@ process_request_identities(SocketEntry *e, int version) u_int blen; key_to_blob(id->key, &blob, &blen); buffer_put_string(&msg, blob, blen); - xfree(blob); + free(blob); } buffer_put_cstring(&msg, id->comment); } @@ -269,7 +269,7 @@ process_authentication_challenge1(SocketEntry *e) Identity *id; int i, len; Buffer msg; - MD5_CTX md; + struct ssh_digest_ctx *md; Key *key; buffer_init(&msg); @@ -305,10 +305,12 @@ process_authentication_challenge1(SocketEntry *e) } memset(buf, 0, 32); BN_bn2bin(challenge, buf + 32 - len); - MD5_Init(&md); - MD5_Update(&md, buf, 32); - MD5_Update(&md, session_id, 16); - MD5_Final(mdbuf, &md); + if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || + ssh_digest_update(md, buf, 32) < 0 || + ssh_digest_update(md, session_id, 16) < 0 || + ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0) + fatal("%s: md5 failed", __func__); + ssh_digest_free(md); /* Send the response. */ buffer_put_char(&msg, SSH_AGENT_RSA_RESPONSE); @@ -368,10 +370,9 @@ process_sign_request2(SocketEntry *e) buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg)); buffer_free(&msg); - xfree(data); - xfree(blob); - if (signature != NULL) - xfree(signature); + free(data); + free(blob); + free(signature); datafellows = odatafellows; } @@ -398,7 +399,7 @@ process_remove_identity(SocketEntry *e, int version) case 2: blob = buffer_get_string(&e->request, &blen); key = key_from_blob(blob, blen); - xfree(blob); + free(blob); break; } if (key != NULL) { @@ -450,10 +451,10 @@ process_remove_all_identities(SocketEntry *e, int version) } /* removes expired keys and returns number of seconds until the next expiry */ -static u_int +static time_t reaper(void) { - u_int deadline = 0, now = time(NULL); + time_t deadline = 0, now = monotime(); Identity *id, *nxt; int version; Idtab *tab; @@ -485,16 +486,10 @@ process_add_identity(SocketEntry *e, int version) { Idtab *tab = idtab_lookup(version); Identity *id; - int type, success = 0, death = 0, confirm = 0; - char *type_name, *comment; + int type, success = 0, confirm = 0; + char *comment; + time_t death = 0; Key *k = NULL; -#ifdef OPENSSL_HAS_ECC - BIGNUM *exponent; - EC_POINT *q; - char *curve; -#endif - u_char *cert; - u_int len; switch (version) { case 1: @@ -511,135 +506,31 @@ process_add_identity(SocketEntry *e, int version) /* Generate additional parameters */ rsa_generate_additional_parameters(k->rsa); - break; - case 2: - type_name = buffer_get_string(&e->request, NULL); - type = key_type_from_name(type_name); - switch (type) { - case KEY_DSA: - k = key_new_private(type); - buffer_get_bignum2(&e->request, k->dsa->p); - buffer_get_bignum2(&e->request, k->dsa->q); - buffer_get_bignum2(&e->request, k->dsa->g); - buffer_get_bignum2(&e->request, k->dsa->pub_key); - buffer_get_bignum2(&e->request, k->dsa->priv_key); - break; - case KEY_DSA_CERT_V00: - case KEY_DSA_CERT: - cert = buffer_get_string(&e->request, &len); - if ((k = key_from_blob(cert, len)) == NULL) - fatal("Certificate parse failed"); - xfree(cert); - key_add_private(k); - buffer_get_bignum2(&e->request, k->dsa->priv_key); - break; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - k = key_new_private(type); - k->ecdsa_nid = key_ecdsa_nid_from_name(type_name); - curve = buffer_get_string(&e->request, NULL); - if (k->ecdsa_nid != key_curve_name_to_nid(curve)) - fatal("%s: curve names mismatch", __func__); - xfree(curve); - k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); - if (k->ecdsa == NULL) - fatal("%s: EC_KEY_new_by_curve_name failed", - __func__); - q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa)); - if (q == NULL) - fatal("%s: BN_new failed", __func__); - if ((exponent = BN_new()) == NULL) - fatal("%s: BN_new failed", __func__); - buffer_get_ecpoint(&e->request, - EC_KEY_get0_group(k->ecdsa), q); - buffer_get_bignum2(&e->request, exponent); - if (EC_KEY_set_public_key(k->ecdsa, q) != 1) - fatal("%s: EC_KEY_set_public_key failed", - __func__); - if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) - fatal("%s: EC_KEY_set_private_key failed", - __func__); - if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), - EC_KEY_get0_public_key(k->ecdsa)) != 0) - fatal("%s: bad ECDSA public key", __func__); - if (key_ec_validate_private(k->ecdsa) != 0) - fatal("%s: bad ECDSA private key", __func__); - BN_clear_free(exponent); - EC_POINT_free(q); - break; - case KEY_ECDSA_CERT: - cert = buffer_get_string(&e->request, &len); - if ((k = key_from_blob(cert, len)) == NULL) - fatal("Certificate parse failed"); - xfree(cert); - key_add_private(k); - if ((exponent = BN_new()) == NULL) - fatal("%s: BN_new failed", __func__); - buffer_get_bignum2(&e->request, exponent); - if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) - fatal("%s: EC_KEY_set_private_key failed", - __func__); - if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), - EC_KEY_get0_public_key(k->ecdsa)) != 0 || - key_ec_validate_private(k->ecdsa) != 0) - fatal("%s: bad ECDSA key", __func__); - BN_clear_free(exponent); - break; -#endif /* OPENSSL_HAS_ECC */ - case KEY_RSA: - k = key_new_private(type); - buffer_get_bignum2(&e->request, k->rsa->n); - buffer_get_bignum2(&e->request, k->rsa->e); - buffer_get_bignum2(&e->request, k->rsa->d); - buffer_get_bignum2(&e->request, k->rsa->iqmp); - buffer_get_bignum2(&e->request, k->rsa->p); - buffer_get_bignum2(&e->request, k->rsa->q); - - /* Generate additional parameters */ - rsa_generate_additional_parameters(k->rsa); - break; - case KEY_RSA_CERT_V00: - case KEY_RSA_CERT: - cert = buffer_get_string(&e->request, &len); - if ((k = key_from_blob(cert, len)) == NULL) - fatal("Certificate parse failed"); - xfree(cert); - key_add_private(k); - buffer_get_bignum2(&e->request, k->rsa->d); - buffer_get_bignum2(&e->request, k->rsa->iqmp); - buffer_get_bignum2(&e->request, k->rsa->p); - buffer_get_bignum2(&e->request, k->rsa->q); - break; - default: - xfree(type_name); - buffer_clear(&e->request); - goto send; - } - xfree(type_name); - break; - } - /* enable blinding */ - switch (k->type) { - case KEY_RSA: - case KEY_RSA_CERT_V00: - case KEY_RSA_CERT: - case KEY_RSA1: + + /* enable blinding */ if (RSA_blinding_on(k->rsa, NULL) != 1) { error("process_add_identity: RSA_blinding_on failed"); key_free(k); goto send; } break; + case 2: + k = key_private_deserialize(&e->request); + if (k == NULL) { + buffer_clear(&e->request); + goto send; + } + break; } comment = buffer_get_string(&e->request, NULL); if (k == NULL) { - xfree(comment); + free(comment); goto send; } while (buffer_len(&e->request)) { switch ((type = buffer_get_char(&e->request))) { case SSH_AGENT_CONSTRAIN_LIFETIME: - death = time(NULL) + buffer_get_int(&e->request); + death = monotime() + buffer_get_int(&e->request); break; case SSH_AGENT_CONSTRAIN_CONFIRM: confirm = 1; @@ -647,14 +538,14 @@ process_add_identity(SocketEntry *e, int version) default: error("process_add_identity: " "Unknown constraint type %d", type); - xfree(comment); + free(comment); key_free(k); goto send; } } success = 1; if (lifetime && !death) - death = time(NULL) + lifetime; + death = monotime() + lifetime; if ((id = lookup_identity(k, version)) == NULL) { id = xcalloc(1, sizeof(Identity)); id->key = k; @@ -663,7 +554,7 @@ process_add_identity(SocketEntry *e, int version) tab->nentries++; } else { key_free(k); - xfree(id->comment); + free(id->comment); } id->comment = comment; id->death = death; @@ -684,8 +575,8 @@ process_lock_agent(SocketEntry *e, int lock) passwd = buffer_get_string(&e->request, NULL); if (locked && !lock && strcmp(passwd, lock_passwd) == 0) { locked = 0; - memset(lock_passwd, 0, strlen(lock_passwd)); - xfree(lock_passwd); + explicit_bzero(lock_passwd, strlen(lock_passwd)); + free(lock_passwd); lock_passwd = NULL; success = 1; } else if (!locked && lock) { @@ -693,8 +584,8 @@ process_lock_agent(SocketEntry *e, int lock) lock_passwd = xstrdup(passwd); success = 1; } - memset(passwd, 0, strlen(passwd)); - xfree(passwd); + explicit_bzero(passwd, strlen(passwd)); + free(passwd); buffer_put_int(&e->output, 1); buffer_put_char(&e->output, @@ -721,7 +612,8 @@ static void process_add_smartcard_key(SocketEntry *e) { char *provider = NULL, *pin; - int i, type, version, count = 0, success = 0, death = 0, confirm = 0; + int i, type, version, count = 0, success = 0, confirm = 0; + time_t death = 0; Key **keys = NULL, *k; Identity *id; Idtab *tab; @@ -732,7 +624,7 @@ process_add_smartcard_key(SocketEntry *e) while (buffer_len(&e->request)) { switch ((type = buffer_get_char(&e->request))) { case SSH_AGENT_CONSTRAIN_LIFETIME: - death = time(NULL) + buffer_get_int(&e->request); + death = monotime() + buffer_get_int(&e->request); break; case SSH_AGENT_CONSTRAIN_CONFIRM: confirm = 1; @@ -744,7 +636,7 @@ process_add_smartcard_key(SocketEntry *e) } } if (lifetime && !death) - death = time(NULL) + lifetime; + death = monotime() + lifetime; count = pkcs11_add_provider(provider, pin, &keys); for (i = 0; i < count; i++) { @@ -767,12 +659,9 @@ process_add_smartcard_key(SocketEntry *e) keys[i] = NULL; } send: - if (pin) - xfree(pin); - if (provider) - xfree(provider); - if (keys) - xfree(keys); + free(pin); + free(provider); + free(keys); buffer_put_int(&e->output, 1); buffer_put_char(&e->output, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); @@ -788,12 +677,15 @@ process_remove_smartcard_key(SocketEntry *e) provider = buffer_get_string(&e->request, NULL); pin = buffer_get_string(&e->request, NULL); - xfree(pin); + free(pin); for (version = 1; version < 3; version++) { tab = idtab_lookup(version); for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) { nxt = TAILQ_NEXT(id, next); + /* Skip file--based keys */ + if (id->provider == NULL) + continue; if (!strcmp(provider, id->provider)) { TAILQ_REMOVE(&tab->idlist, id, next); free_identity(id); @@ -806,7 +698,7 @@ process_remove_smartcard_key(SocketEntry *e) else error("process_remove_smartcard_key:" " pkcs11_del_provider failed"); - xfree(provider); + free(provider); buffer_put_int(&e->output, 1); buffer_put_char(&e->output, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); @@ -955,9 +847,10 @@ static int prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp, struct timeval **tvpp) { - u_int i, sz, deadline; + u_int i, sz; int n = 0; static struct timeval tv; + time_t deadline; for (i = 0; i < sockets_alloc; i++) { switch (sockets[i].type) { @@ -975,10 +868,8 @@ prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp, sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); if (*fdrp == NULL || sz > *nallocp) { - if (*fdrp) - xfree(*fdrp); - if (*fdwp) - xfree(*fdwp); + free(*fdrp); + free(*fdwp); *fdrp = xmalloc(sz); *fdwp = xmalloc(sz); *nallocp = sz; @@ -1377,8 +1268,8 @@ skip: if (ac > 0) parent_alive_interval = 10; idtab_init(); - signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN); signal(SIGPIPE, SIG_IGN); + signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN); signal(SIGHUP, cleanup_handler); signal(SIGTERM, cleanup_handler); nalloc = 0; diff --git a/crypto/openssh/ssh-dss.c b/crypto/openssh/ssh-dss.c index ede5e21e5..6b4abcb7d 100644 --- a/crypto/openssh/ssh-dss.c +++ b/crypto/openssh/ssh-dss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.27 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.31 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -38,6 +38,7 @@ #include "compat.h" #include "log.h" #include "key.h" +#include "digest.h" #define INTBLOB_LEN 20 #define SIGBLOB_LEN (2*INTBLOB_LEN) @@ -47,23 +48,24 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, const u_char *data, u_int datalen) { DSA_SIG *sig; - const EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN]; - u_int rlen, slen, len, dlen; + u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN]; + u_int rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); Buffer b; - if (key == NULL || key->dsa == NULL || (key->type != KEY_DSA && - key->type != KEY_DSA_CERT && key->type != KEY_DSA_CERT_V00)) { - error("ssh_dss_sign: no DSA key"); + if (key == NULL || key_type_plain(key->type) != KEY_DSA || + key->dsa == NULL) { + error("%s: no DSA key", __func__); + return -1; + } + + if (ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: ssh_digest_memory failed", __func__); return -1; } - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); sig = DSA_do_sign(digest, dlen, key->dsa); - memset(digest, 'd', sizeof(digest)); + explicit_bzero(digest, sizeof(digest)); if (sig == NULL) { error("ssh_dss_sign: sign failed"); @@ -77,7 +79,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, DSA_SIG_free(sig); return -1; } - memset(sigblob, 0, SIGBLOB_LEN); + explicit_bzero(sigblob, SIGBLOB_LEN); BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen); BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen); DSA_SIG_free(sig); @@ -110,16 +112,14 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen) { DSA_SIG *sig; - const EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE], *sigblob; - u_int len, dlen; + u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob; + u_int len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); int rlen, ret; Buffer b; - if (key == NULL || key->dsa == NULL || (key->type != KEY_DSA && - key->type != KEY_DSA_CERT && key->type != KEY_DSA_CERT_V00)) { - error("ssh_dss_verify: no DSA key"); + if (key == NULL || key_type_plain(key->type) != KEY_DSA || + key->dsa == NULL) { + error("%s: no DSA key", __func__); return -1; } @@ -135,19 +135,19 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, buffer_append(&b, signature, signaturelen); ktype = buffer_get_cstring(&b, NULL); if (strcmp("ssh-dss", ktype) != 0) { - error("ssh_dss_verify: cannot handle type %s", ktype); + error("%s: cannot handle type %s", __func__, ktype); buffer_free(&b); - xfree(ktype); + free(ktype); return -1; } - xfree(ktype); + free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { - error("ssh_dss_verify: " - "remaining bytes in signature %d", rlen); - xfree(sigblob); + error("%s: remaining bytes in signature %d", + __func__, rlen); + free(sigblob); return -1; } } @@ -158,30 +158,32 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, /* parse signature */ if ((sig = DSA_SIG_new()) == NULL) - fatal("ssh_dss_verify: DSA_SIG_new failed"); + fatal("%s: DSA_SIG_new failed", __func__); if ((sig->r = BN_new()) == NULL) - fatal("ssh_dss_verify: BN_new failed"); + fatal("%s: BN_new failed", __func__); if ((sig->s = BN_new()) == NULL) fatal("ssh_dss_verify: BN_new failed"); if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) || (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) - fatal("ssh_dss_verify: BN_bin2bn failed"); + fatal("%s: BN_bin2bn failed", __func__); /* clean up */ - memset(sigblob, 0, len); - xfree(sigblob); + explicit_bzero(sigblob, len); + free(sigblob); /* sha1 the data */ - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); + if (ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: digest_memory failed", __func__); + return -1; + } ret = DSA_do_verify(digest, dlen, sig, key->dsa); - memset(digest, 'd', sizeof(digest)); + explicit_bzero(digest, sizeof(digest)); DSA_SIG_free(sig); - debug("ssh_dss_verify: signature %s", + debug("%s: signature %s", __func__, ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error"); return ret; } diff --git a/crypto/openssh/ssh-ecdsa.c b/crypto/openssh/ssh-ecdsa.c index 085468ee7..551c9c460 100644 --- a/crypto/openssh/ssh-ecdsa.c +++ b/crypto/openssh/ssh-ecdsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-ecdsa.c,v 1.5 2012/01/08 13:17:11 miod Exp $ */ +/* $OpenBSD: ssh-ecdsa.c,v 1.10 2014/02/03 23:28:00 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -42,30 +42,37 @@ #include "compat.h" #include "log.h" #include "key.h" +#include "digest.h" int ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, const u_char *data, u_int datalen) { ECDSA_SIG *sig; - const EVP_MD *evp_md; - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE]; + int hash_alg; + u_char digest[SSH_DIGEST_MAX_LENGTH]; u_int len, dlen; Buffer b, bb; - if (key == NULL || key->ecdsa == NULL || - (key->type != KEY_ECDSA && key->type != KEY_ECDSA_CERT)) { + if (key == NULL || key_type_plain(key->type) != KEY_ECDSA || + key->ecdsa == NULL) { error("%s: no ECDSA key", __func__); return -1; } - evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid); - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); + + hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid); + if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { + error("%s: bad hash algorithm %d", __func__, hash_alg); + return -1; + } + if (ssh_digest_memory(hash_alg, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: digest_memory failed", __func__); + return -1; + } sig = ECDSA_do_sign(digest, dlen, key->ecdsa); - memset(digest, 'd', sizeof(digest)); + explicit_bzero(digest, sizeof(digest)); if (sig == NULL) { error("%s: sign failed", __func__); @@ -97,20 +104,18 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen) { ECDSA_SIG *sig; - const EVP_MD *evp_md; - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE], *sigblob; + int hash_alg; + u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob; u_int len, dlen; int rlen, ret; Buffer b, bb; char *ktype; - if (key == NULL || key->ecdsa == NULL || - (key->type != KEY_ECDSA && key->type != KEY_ECDSA_CERT)) { + if (key == NULL || key_type_plain(key->type) != KEY_ECDSA || + key->ecdsa == NULL) { error("%s: no ECDSA key", __func__); return -1; } - evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid); /* fetch signature */ buffer_init(&b); @@ -119,25 +124,22 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, if (strcmp(key_ssh_name_plain(key), ktype) != 0) { error("%s: cannot handle type %s", __func__, ktype); buffer_free(&b); - xfree(ktype); + free(ktype); return -1; } - xfree(ktype); + free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("%s: remaining bytes in signature %d", __func__, rlen); - xfree(sigblob); + free(sigblob); return -1; } /* parse signature */ if ((sig = ECDSA_SIG_new()) == NULL) fatal("%s: ECDSA_SIG_new failed", __func__); - if ((sig->r = BN_new()) == NULL || - (sig->s = BN_new()) == NULL) - fatal("%s: BN_new failed", __func__); buffer_init(&bb); buffer_append(&bb, sigblob, len); @@ -148,16 +150,23 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, buffer_free(&bb); /* clean up */ - memset(sigblob, 0, len); - xfree(sigblob); + explicit_bzero(sigblob, len); + free(sigblob); /* hash the data */ - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); + hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid); + if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { + error("%s: bad hash algorithm %d", __func__, hash_alg); + return -1; + } + if (ssh_digest_memory(hash_alg, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: digest_memory failed", __func__); + return -1; + } ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa); - memset(digest, 'd', sizeof(digest)); + explicit_bzero(digest, sizeof(digest)); ECDSA_SIG_free(sig); diff --git a/crypto/openssh/ssh-ed25519.c b/crypto/openssh/ssh-ed25519.c new file mode 100644 index 000000000..160d1f23b --- /dev/null +++ b/crypto/openssh/ssh-ed25519.c @@ -0,0 +1,149 @@ +/* $OpenBSD: ssh-ed25519.c,v 1.3 2014/02/23 20:03:42 djm Exp $ */ +/* + * Copyright (c) 2013 Markus Friedl + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include + +#include "crypto_api.h" + +#include +#include +#include + +#include "xmalloc.h" +#include "log.h" +#include "buffer.h" +#include "key.h" +#include "ssh.h" + +int +ssh_ed25519_sign(const Key *key, u_char **sigp, u_int *lenp, + const u_char *data, u_int datalen) +{ + u_char *sig; + u_int slen, len; + unsigned long long smlen; + int ret; + Buffer b; + + if (key == NULL || key_type_plain(key->type) != KEY_ED25519 || + key->ed25519_sk == NULL) { + error("%s: no ED25519 key", __func__); + return -1; + } + + if (datalen >= UINT_MAX - crypto_sign_ed25519_BYTES) { + error("%s: datalen %u too long", __func__, datalen); + return -1; + } + smlen = slen = datalen + crypto_sign_ed25519_BYTES; + sig = xmalloc(slen); + + if ((ret = crypto_sign_ed25519(sig, &smlen, data, datalen, + key->ed25519_sk)) != 0 || smlen <= datalen) { + error("%s: crypto_sign_ed25519 failed: %d", __func__, ret); + free(sig); + return -1; + } + /* encode signature */ + buffer_init(&b); + buffer_put_cstring(&b, "ssh-ed25519"); + buffer_put_string(&b, sig, smlen - datalen); + len = buffer_len(&b); + if (lenp != NULL) + *lenp = len; + if (sigp != NULL) { + *sigp = xmalloc(len); + memcpy(*sigp, buffer_ptr(&b), len); + } + buffer_free(&b); + explicit_bzero(sig, slen); + free(sig); + + return 0; +} + +int +ssh_ed25519_verify(const Key *key, const u_char *signature, u_int signaturelen, + const u_char *data, u_int datalen) +{ + Buffer b; + char *ktype; + u_char *sigblob, *sm, *m; + u_int len; + unsigned long long smlen, mlen; + int rlen, ret; + + if (key == NULL || key_type_plain(key->type) != KEY_ED25519 || + key->ed25519_pk == NULL) { + error("%s: no ED25519 key", __func__); + return -1; + } + buffer_init(&b); + buffer_append(&b, signature, signaturelen); + ktype = buffer_get_cstring(&b, NULL); + if (strcmp("ssh-ed25519", ktype) != 0) { + error("%s: cannot handle type %s", __func__, ktype); + buffer_free(&b); + free(ktype); + return -1; + } + free(ktype); + sigblob = buffer_get_string(&b, &len); + rlen = buffer_len(&b); + buffer_free(&b); + if (rlen != 0) { + error("%s: remaining bytes in signature %d", __func__, rlen); + free(sigblob); + return -1; + } + if (len > crypto_sign_ed25519_BYTES) { + error("%s: len %u > crypto_sign_ed25519_BYTES %u", __func__, + len, crypto_sign_ed25519_BYTES); + free(sigblob); + return -1; + } + smlen = len + datalen; + sm = xmalloc(smlen); + memcpy(sm, sigblob, len); + memcpy(sm+len, data, datalen); + mlen = smlen; + m = xmalloc(mlen); + if ((ret = crypto_sign_ed25519_open(m, &mlen, sm, smlen, + key->ed25519_pk)) != 0) { + debug2("%s: crypto_sign_ed25519_open failed: %d", + __func__, ret); + } + if (ret == 0 && mlen != datalen) { + debug2("%s: crypto_sign_ed25519_open " + "mlen != datalen (%llu != %u)", __func__, mlen, datalen); + ret = -1; + } + /* XXX compare 'm' and 'data' ? */ + + explicit_bzero(sigblob, len); + explicit_bzero(sm, smlen); + explicit_bzero(m, smlen); /* NB. mlen may be invalid if ret != 0 */ + free(sigblob); + free(sm); + free(m); + debug("%s: signature %scorrect", __func__, (ret != 0) ? "in" : ""); + + /* translate return code carefully */ + return (ret == 0) ? 1 : -1; +} diff --git a/crypto/openssh/ssh-gss.h b/crypto/openssh/ssh-gss.h index 077e13ce4..64d155174 100644 --- a/crypto/openssh/ssh-gss.h +++ b/crypto/openssh/ssh-gss.h @@ -1,4 +1,5 @@ -/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ +/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ +/* $FreeBSD$ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. * @@ -28,10 +29,10 @@ #ifdef GSSAPI -#ifdef HAVE_GSSAPI_H -#include -#elif defined(HAVE_GSSAPI_GSSAPI_H) +#if defined(HAVE_GSSAPI_GSSAPI_H) #include +#elif defined(HAVE_GSSAPI_H) +#include #endif #ifdef KRB5 @@ -104,6 +105,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); void ssh_gssapi_set_oid(Gssctxt *, gss_OID); void ssh_gssapi_supported_oids(gss_OID_set *); ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *); +void ssh_gssapi_prepare_supported_oids(void); +OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *); OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int, diff --git a/crypto/openssh/ssh-keygen.0 b/crypto/openssh/ssh-keygen.0 new file mode 100644 index 000000000..c43678ff0 --- /dev/null +++ b/crypto/openssh/ssh-keygen.0 @@ -0,0 +1,562 @@ +SSH-KEYGEN(1) OpenBSD Reference Manual SSH-KEYGEN(1) + +NAME + ssh-keygen - authentication key generation, management and conversion + +SYNOPSIS + ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-C comment] + [-f output_keyfile] + ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] + ssh-keygen -i [-m key_format] [-f input_keyfile] + ssh-keygen -e [-m key_format] [-f input_keyfile] + ssh-keygen -y [-f input_keyfile] + ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile] + ssh-keygen -l [-f input_keyfile] + ssh-keygen -B [-f input_keyfile] + ssh-keygen -D pkcs11 + ssh-keygen -F hostname [-f known_hosts_file] [-l] + ssh-keygen -H [-f known_hosts_file] + ssh-keygen -R hostname [-f known_hosts_file] + ssh-keygen -r hostname [-f input_keyfile] [-g] + ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] + ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] + [-j start_line] [-K checkpt] [-W generator] + ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] + [-O option] [-V validity_interval] [-z serial_number] file ... + ssh-keygen -L [-f input_keyfile] + ssh-keygen -A + ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] + file ... + ssh-keygen -Q -f krl_file file ... + +DESCRIPTION + ssh-keygen generates, manages and converts authentication keys for + ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 + and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. + The type of key to be generated is specified with the -t option. If + invoked without any arguments, ssh-keygen will generate an RSA key for + use in SSH protocol 2 connections. + + ssh-keygen is also used to generate groups for use in Diffie-Hellman + group exchange (DH-GEX). See the MODULI GENERATION section for details. + + Finally, ssh-keygen can be used to generate and update Key Revocation + Lists, and to test whether given keys have been revoked by one. See the + KEY REVOCATION LISTS section for details. + + Normally each user wishing to use SSH with public key authentication runs + this once to create the authentication key in ~/.ssh/identity, + ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa. + Additionally, the system administrator may use this to generate host + keys, as seen in /etc/rc. + + Normally this program generates the key and asks for a file in which to + store the private key. The public key is stored in a file with the same + name but ``.pub'' appended. The program also asks for a passphrase. The + passphrase may be empty to indicate no passphrase (host keys must have an + empty passphrase), or it may be a string of arbitrary length. A + passphrase is similar to a password, except it can be a phrase with a + series of words, punctuation, numbers, whitespace, or any string of + characters you want. Good passphrases are 10-30 characters long, are not + simple sentences or otherwise easily guessable (English prose has only + 1-2 bits of entropy per character, and provides very bad passphrases), + and contain a mix of upper and lowercase letters, numbers, and non- + alphanumeric characters. The passphrase can be changed later by using + the -p option. + + There is no way to recover a lost passphrase. If the passphrase is lost + or forgotten, a new key must be generated and the corresponding public + key copied to other machines. + + For RSA1 keys, there is also a comment field in the key file that is only + for convenience to the user to help identify the key. The comment can + tell what the key is for, or whatever is useful. The comment is + initialized to ``user@host'' when the key is created, but can be changed + using the -c option. + + After a key is generated, instructions below detail where the keys should + be placed to be activated. + + The options are as follows: + + -A For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for + which host keys do not exist, generate the host keys with the + default key file path, an empty passphrase, default bits for the + key type, and default comment. This is used by /etc/rc to + generate new host keys. + + -a rounds + When saving a new-format private key (i.e. an ed25519 key or any + SSH protocol 2 key when the -o flag is set), this option + specifies the number of KDF (key derivation function) rounds + used. Higher numbers result in slower passphrase verification + and increased resistance to brute-force password cracking (should + the keys be stolen). + + When screening DH-GEX candidates ( using the -T command). This + option specifies the number of primality tests to perform. + + -B Show the bubblebabble digest of specified private or public key + file. + + -b bits + Specifies the number of bits in the key to create. For RSA keys, + the minimum size is 768 bits and the default is 2048 bits. + Generally, 2048 bits is considered sufficient. DSA keys must be + exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, + the -b flag determines the key length by selecting from one of + three elliptic curve sizes: 256, 384 or 521 bits. Attempting to + use bit lengths other than these three values for ECDSA keys will + fail. ED25519 keys have a fixed length and the -b flag will be + ignored. + + -C comment + Provides a new comment. + + -c Requests changing the comment in the private and public key + files. This operation is only supported for RSA1 keys. The + program will prompt for the file containing the private keys, for + the passphrase if the key has one, and for the new comment. + + -D pkcs11 + Download the RSA public keys provided by the PKCS#11 shared + library pkcs11. When used in combination with -s, this option + indicates that a CA key resides in a PKCS#11 token (see the + CERTIFICATES section for details). + + -e This option will read a private or public OpenSSH key file and + print to stdout the key in one of the formats specified by the -m + option. The default export format is ``RFC4716''. This option + allows exporting OpenSSH keys for use by other programs, + including several commercial SSH implementations. + + -F hostname + Search for the specified hostname in a known_hosts file, listing + any occurrences found. This option is useful to find hashed host + names or addresses and may also be used in conjunction with the + -H option to print found keys in a hashed format. + + -f filename + Specifies the filename of the key file. + + -G output_file + Generate candidate primes for DH-GEX. These primes must be + screened for safety (using the -T option) before use. + + -g Use generic DNS format when printing fingerprint resource records + using the -r command. + + -H Hash a known_hosts file. This replaces all hostnames and + addresses with hashed representations within the specified file; + the original content is moved to a file with a .old suffix. + These hashes may be used normally by ssh and sshd, but they do + not reveal identifying information should the file's contents be + disclosed. This option will not modify existing hashed hostnames + and is therefore safe to use on files that mix hashed and non- + hashed names. + + -h When signing a key, create a host certificate instead of a user + certificate. Please see the CERTIFICATES section for details. + + -I certificate_identity + Specify the key identity when signing a public key. Please see + the CERTIFICATES section for details. + + -i This option will read an unencrypted private (or public) key file + in the format specified by the -m option and print an OpenSSH + compatible private (or public) key to stdout. + + -J num_lines + Exit after screening the specified number of lines while + performing DH candidate screening using the -T option. + + -j start_line + Start screening at the specified line number while performing DH + candidate screening using the -T option. + + -K checkpt + Write the last line processed to the file checkpt while + performing DH candidate screening using the -T option. This will + be used to skip lines in the input file that have already been + processed if the job is restarted. This option allows importing + keys from other software, including several commercial SSH + implementations. The default import format is ``RFC4716''. + + -k Generate a KRL file. In this mode, ssh-keygen will generate a + KRL file at the location specified via the -f flag that revokes + every key or certificate presented on the command line. + Keys/certificates to be revoked may be specified by public key + file or using the format described in the KEY REVOCATION LISTS + section. + + -L Prints the contents of a certificate. + + -l Show fingerprint of specified public key file. Private RSA1 keys + are also supported. For RSA and DSA keys ssh-keygen tries to + find the matching public key file and prints its fingerprint. If + combined with -v, an ASCII art representation of the key is + supplied with the fingerprint. + + -M memory + Specify the amount of memory to use (in megabytes) when + generating candidate moduli for DH-GEX. + + -m key_format + Specify a key format for the -i (import) or -e (export) + conversion options. The supported key formats are: ``RFC4716'' + (RFC 4716/SSH2 public or private key), ``PKCS8'' (PEM PKCS8 + public key) or ``PEM'' (PEM public key). The default conversion + format is ``RFC4716''. + + -N new_passphrase + Provides the new passphrase. + + -n principals + Specify one or more principals (user or host names) to be + included in a certificate when signing a key. Multiple + principals may be specified, separated by commas. Please see the + CERTIFICATES section for details. + + -O option + Specify a certificate option when signing a key. This option may + be specified multiple times. Please see the CERTIFICATES section + for details. The options that are valid for user certificates + are: + + clear Clear all enabled permissions. This is useful for + clearing the default set of permissions so permissions + may be added individually. + + force-command=command + Forces the execution of command instead of any shell or + command specified by the user when the certificate is + used for authentication. + + no-agent-forwarding + Disable ssh-agent(1) forwarding (permitted by default). + + no-port-forwarding + Disable port forwarding (permitted by default). + + no-pty Disable PTY allocation (permitted by default). + + no-user-rc + Disable execution of ~/.ssh/rc by sshd(8) (permitted by + default). + + no-x11-forwarding + Disable X11 forwarding (permitted by default). + + permit-agent-forwarding + Allows ssh-agent(1) forwarding. + + permit-port-forwarding + Allows port forwarding. + + permit-pty + Allows PTY allocation. + + permit-user-rc + Allows execution of ~/.ssh/rc by sshd(8). + + permit-x11-forwarding + Allows X11 forwarding. + + source-address=address_list + Restrict the source addresses from which the certificate + is considered valid. The address_list is a comma- + separated list of one or more address/netmask pairs in + CIDR format. + + At present, no options are valid for host keys. + + -o Causes ssh-keygen to save SSH protocol 2 private keys using the + new OpenSSH format rather than the more compatible PEM format. + The new format has increased resistance to brute-force password + cracking but is not supported by versions of OpenSSH prior to + 6.5. Ed25519 keys always use the new private key format. + + -P passphrase + Provides the (old) passphrase. + + -p Requests changing the passphrase of a private key file instead of + creating a new private key. The program will prompt for the file + containing the private key, for the old passphrase, and twice for + the new passphrase. + + -Q Test whether keys have been revoked in a KRL. + + -q Silence ssh-keygen. + + -R hostname + Removes all keys belonging to hostname from a known_hosts file. + This option is useful to delete hashed hosts (see the -H option + above). + + -r hostname + Print the SSHFP fingerprint resource record named hostname for + the specified public key file. + + -S start + Specify start point (in hex) when generating candidate moduli for + DH-GEX. + + -s ca_key + Certify (sign) a public key using the specified CA key. Please + see the CERTIFICATES section for details. + + When generating a KRL, -s specifies a path to a CA public key + file used to revoke certificates directly by key ID or serial + number. See the KEY REVOCATION LISTS section for details. + + -T output_file + Test DH group exchange candidate primes (generated using the -G + option) for safety. + + -t type + Specifies the type of key to create. The possible values are + ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'', + ``ed25519'', or ``rsa'' for protocol version 2. + + -u Update a KRL. When specified with -k, keys listed via the + command line are added to the existing KRL rather than a new KRL + being created. + + -V validity_interval + Specify a validity interval when signing a certificate. A + validity interval may consist of a single time, indicating that + the certificate is valid beginning now and expiring at that time, + or may consist of two times separated by a colon to indicate an + explicit time interval. The start time may be specified as a + date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a + relative time (to the current time) consisting of a minus sign + followed by a relative time in the format described in the TIME + FORMATS section of sshd_config(5). The end time may be specified + as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time + starting with a plus character. + + For example: ``+52w1d'' (valid from now to 52 weeks and one day + from now), ``-4w:+4w'' (valid from four weeks ago to four weeks + from now), ``20100101123000:20110101123000'' (valid from 12:30 + PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), + ``-1d:20110101'' (valid from yesterday to midnight, January 1st, + 2011). + + -v Verbose mode. Causes ssh-keygen to print debugging messages + about its progress. This is helpful for debugging moduli + generation. Multiple -v options increase the verbosity. The + maximum is 3. + + -W generator + Specify desired generator when testing candidate moduli for DH- + GEX. + + -y This option will read a private OpenSSH format file and print an + OpenSSH public key to stdout. + + -z serial_number + Specifies a serial number to be embedded in the certificate to + distinguish this certificate from others from the same CA. The + default serial number is zero. + + When generating a KRL, the -z flag is used to specify a KRL + version number. + +MODULI GENERATION + ssh-keygen may be used to generate groups for the Diffie-Hellman Group + Exchange (DH-GEX) protocol. Generating these groups is a two-step + process: first, candidate primes are generated using a fast, but memory + intensive process. These candidate primes are then tested for + suitability (a CPU-intensive process). + + Generation of primes is performed using the -G option. The desired + length of the primes may be specified by the -b option. For example: + + # ssh-keygen -G moduli-2048.candidates -b 2048 + + By default, the search for primes begins at a random point in the desired + length range. This may be overridden using the -S option, which + specifies a different start point (in hex). + + Once a set of candidates have been generated, they must be screened for + suitability. This may be performed using the -T option. In this mode + ssh-keygen will read candidates from standard input (or a file specified + using the -f option). For example: + + # ssh-keygen -T moduli-2048 -f moduli-2048.candidates + + By default, each candidate will be subjected to 100 primality tests. + This may be overridden using the -a option. The DH generator value will + be chosen automatically for the prime under consideration. If a specific + generator is desired, it may be requested using the -W option. Valid + generator values are 2, 3, and 5. + + Screened DH groups may be installed in /etc/moduli. It is important that + this file contains moduli of a range of bit lengths and that both ends of + a connection share common moduli. + +CERTIFICATES + ssh-keygen supports signing of keys to produce certificates that may be + used for user or host authentication. Certificates consist of a public + key, some identity information, zero or more principal (user or host) + names and a set of options that are signed by a Certification Authority + (CA) key. Clients or servers may then trust only the CA key and verify + its signature on a certificate rather than trusting many user/host keys. + Note that OpenSSH certificates are a different, and much simpler, format + to the X.509 certificates used in ssl(8). + + ssh-keygen supports two types of certificates: user and host. User + certificates authenticate users to servers, whereas host certificates + authenticate server hosts to users. To generate a user certificate: + + $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub + + The resultant certificate will be placed in /path/to/user_key-cert.pub. + A host certificate requires the -h option: + + $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub + + The host certificate will be output to /path/to/host_key-cert.pub. + + It is possible to sign using a CA key stored in a PKCS#11 token by + providing the token library using -D and identifying the CA key by + providing its public half as an argument to -s: + + $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub + + In all cases, key_id is a "key identifier" that is logged by the server + when the certificate is used for authentication. + + Certificates may be limited to be valid for a set of principal + (user/host) names. By default, generated certificates are valid for all + users or hosts. To generate a certificate for a specified set of + principals: + + $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub + $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub + + Additional limitations on the validity and use of user certificates may + be specified through certificate options. A certificate option may + disable features of the SSH session, may be valid only when presented + from particular source addresses or may force the use of a specific + command. For a list of valid certificate options, see the documentation + for the -O option above. + + Finally, certificates may be defined with a validity lifetime. The -V + option allows specification of certificate start and end times. A + certificate that is presented at a time outside this range will not be + considered valid. By default, certificates are valid from UNIX Epoch to + the distant future. + + For certificates to be used for user or host authentication, the CA + public key must be trusted by sshd(8) or ssh(1). Please refer to those + manual pages for details. + +KEY REVOCATION LISTS + ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). + These binary files specify keys or certificates to be revoked using a + compact format, taking as little as one bit per certificate if they are + being revoked by serial number. + + KRLs may be generated using the -k flag. This option reads one or more + files from the command line and generates a new KRL. The files may + either contain a KRL specification (see below) or public keys, listed one + per line. Plain public keys are revoked by listing their hash or + contents in the KRL and certificates revoked by serial number or key ID + (if the serial is zero or not available). + + Revoking keys using a KRL specification offers explicit control over the + types of record used to revoke keys and may be used to directly revoke + certificates by serial number or key ID without having the complete + original certificate on hand. A KRL specification consists of lines + containing one of the following directives followed by a colon and some + directive-specific information. + + serial: serial_number[-serial_number] + Revokes a certificate with the specified serial number. Serial + numbers are 64-bit values, not including zero and may be + expressed in decimal, hex or octal. If two serial numbers are + specified separated by a hyphen, then the range of serial numbers + including and between each is revoked. The CA key must have been + specified on the ssh-keygen command line using the -s option. + + id: key_id + Revokes a certificate with the specified key ID string. The CA + key must have been specified on the ssh-keygen command line using + the -s option. + + key: public_key + Revokes the specified key. If a certificate is listed, then it + is revoked as a plain public key. + + sha1: public_key + Revokes the specified key by its SHA1 hash. + + KRLs may be updated using the -u flag in addition to -k. When this + option is specified, keys listed via the command line are merged into the + KRL, adding to those already there. + + It is also possible, given a KRL, to test whether it revokes a particular + key (or keys). The -Q flag will query an existing KRL, testing each key + specified on the commandline. If any key listed on the command line has + been revoked (or an error encountered) then ssh-keygen will exit with a + non-zero exit status. A zero exit status will only be returned if no key + was revoked. + +FILES + ~/.ssh/identity + Contains the protocol version 1 RSA authentication identity of + the user. This file should not be readable by anyone but the + user. It is possible to specify a passphrase when generating the + key; that passphrase will be used to encrypt the private part of + this file using 3DES. This file is not automatically accessed by + ssh-keygen but it is offered as the default file for the private + key. ssh(1) will read this file when a login attempt is made. + + ~/.ssh/identity.pub + Contains the protocol version 1 RSA public key for + authentication. The contents of this file should be added to + ~/.ssh/authorized_keys on all machines where the user wishes to + log in using RSA authentication. There is no need to keep the + contents of this file secret. + + ~/.ssh/id_dsa + ~/.ssh/id_ecdsa + ~/.ssh/id_ed25519 + ~/.ssh/id_rsa + Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA + authentication identity of the user. This file should not be + readable by anyone but the user. It is possible to specify a + passphrase when generating the key; that passphrase will be used + to encrypt the private part of this file using 128-bit AES. This + file is not automatically accessed by ssh-keygen but it is + offered as the default file for the private key. ssh(1) will + read this file when a login attempt is made. + + ~/.ssh/id_dsa.pub + ~/.ssh/id_ecdsa.pub + ~/.ssh/id_ed25519.pub + ~/.ssh/id_rsa.pub + Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA public + key for authentication. The contents of this file should be + added to ~/.ssh/authorized_keys on all machines where the user + wishes to log in using public key authentication. There is no + need to keep the contents of this file secret. + + /etc/moduli + Contains Diffie-Hellman groups used for DH-GEX. The file format + is described in moduli(5). + +SEE ALSO + ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8) + + The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006. + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +OpenBSD 5.5 February 5, 2014 OpenBSD 5.5 diff --git a/crypto/openssh/ssh-keygen.1 b/crypto/openssh/ssh-keygen.1 index 3b7b0ca01..6adb20206 100644 --- a/crypto/openssh/ssh-keygen.1 +++ b/crypto/openssh/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.120 2014/02/05 20:13:25 naddy Exp $ .\" $FreeBSD$ .\" .\" Author: Tatu Ylonen @@ -36,7 +36,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 19, 2013 +.Dd February 5, 2014 .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -47,7 +47,7 @@ .Nm ssh-keygen .Op Fl q .Op Fl b Ar bits -.Fl t Ar type +.Op Fl t Ar type .Op Fl N Ar new_passphrase .Op Fl C Ar comment .Op Fl f Ar output_keyfile @@ -104,7 +104,7 @@ .Fl T Ar output_file .Fl f Ar input_file .Op Fl v -.Op Fl a Ar num_trials +.Op Fl a Ar rounds .Op Fl J Ar num_lines .Op Fl j Ar start_line .Op Fl K Ar checkpt @@ -140,8 +140,8 @@ generates, manages and converts authentication keys for .Xr ssh 1 . .Nm -can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA -keys for use by SSH protocol version 2. +can create RSA keys for use by SSH protocol version 1 and +DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. The type of key to be generated is specified with the .Fl t option. @@ -168,8 +168,9 @@ Normally each user wishing to use SSH with public key authentication runs this once to create the authentication key in .Pa ~/.ssh/identity , +.Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , -.Pa ~/.ssh/id_dsa +.Pa ~/.ssh/id_ed25519 or .Pa ~/.ssh/id_rsa . Additionally, the system administrator may use this to generate host keys, @@ -217,17 +218,27 @@ should be placed to be activated. The options are as follows: .Bl -tag -width Ds .It Fl A -For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys +For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) +for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by .Pa /etc/rc to generate new host keys. -.It Fl a Ar trials -Specifies the number of primality tests to perform when screening DH-GEX -candidates using the +.It Fl a Ar rounds +When saving a new-format private key (i.e. an ed25519 key or any SSH protocol +2 key when the +.Fl o +flag is set), this option specifies the number of KDF (key derivation function) +rounds used. +Higher numbers result in slower passphrase verification and increased +resistance to brute-force password cracking (should the keys be stolen). +.Pp +When screening DH-GEX candidates ( +using the .Fl T -command. +command). +This option specifies the number of primality tests to perform. .It Fl B Show the bubblebabble digest of specified private or public key file. .It Fl b Ar bits @@ -241,6 +252,9 @@ flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. +ED25519 keys have a fixed length and the +.Fl b +flag will be ignored. .It Fl C Ar comment Provides a new comment. .It Fl c @@ -448,6 +462,14 @@ format. .El .Pp At present, no options are valid for host keys. +.It Fl o +Causes +.Nm +to save SSH protocol 2 private keys using the new OpenSSH format rather than +the more compatible PEM format. +The new format has increased resistance to brute-force password cracking +but is not supported by versions of OpenSSH prior to 6.5. +Ed25519 keys always use the new private key format. .It Fl P Ar passphrase Provides the (old) passphrase. .It Fl p @@ -499,7 +521,8 @@ The possible values are .Dq rsa1 for protocol version 1 and .Dq dsa , -.Dq ecdsa +.Dq ecdsa , +.Dq ed25519 , or .Dq rsa for protocol version 2. @@ -517,8 +540,7 @@ of two times separated by a colon to indicate an explicit time interval. The start time may be specified as a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting of a minus sign followed by a relative time in the format described in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting with a plus character. @@ -693,7 +715,7 @@ Please refer to those manual pages for details. .Nm is able to manage OpenSSH format Key Revocation Lists (KRLs). These binary files specify keys or certificates to be revoked using a -compact format, taking as little a one bit per certificate if they are being +compact format, taking as little as one bit per certificate if they are being revoked by serial number. .Pp KRLs may be generated using the @@ -780,8 +802,10 @@ There is no need to keep the contents of this file secret. .Pp .It Pa ~/.ssh/id_dsa .It Pa ~/.ssh/id_ecdsa +.It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_rsa -Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user. +Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA +authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be @@ -794,8 +818,10 @@ will read this file when a login attempt is made. .Pp .It Pa ~/.ssh/id_dsa.pub .It Pa ~/.ssh/id_ecdsa.pub +.It Pa ~/.ssh/id_ed25519.pub .It Pa ~/.ssh/id_rsa.pub -Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication. +Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA +public key for authentication. The contents of this file should be added to .Pa ~/.ssh/authorized_keys on all machines diff --git a/crypto/openssh/ssh-keygen.c b/crypto/openssh/ssh-keygen.c index d1a205e18..2a316bcea 100644 --- a/crypto/openssh/ssh-keygen.c +++ b/crypto/openssh/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.225 2013/02/10 23:32:10 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.241 2014/02/05 20:13:25 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -150,6 +150,18 @@ char *key_type_name = NULL; /* Load key from this PKCS#11 provider */ char *pkcs11provider = NULL; +/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */ +int use_new_format = 0; + +/* Cipher for new-format private keys */ +char *new_format_cipher = NULL; + +/* + * Number of KDF rounds to derive new format keys / + * number of primality trials when screening moduli. + */ +int rounds = 0; + /* argv0 */ extern char *__progname; @@ -185,7 +197,7 @@ type_bits_valid(int type, u_int32_t *bitsp) } if (type == KEY_DSA && *bitsp != 1024) fatal("DSA keys must be 1024 bits"); - else if (type != KEY_ECDSA && *bitsp < 768) + else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) fatal("Key must at least be 768 bits"); else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) fatal("Invalid ECDSA key length - valid lengths are " @@ -221,6 +233,10 @@ ask_filename(struct passwd *pw, const char *prompt) case KEY_RSA: name = _PATH_SSH_CLIENT_ID_RSA; break; + case KEY_ED25519: + case KEY_ED25519_CERT: + name = _PATH_SSH_CLIENT_ID_ED25519; + break; default: fprintf(stderr, "bad key type\n"); exit(1); @@ -251,8 +267,8 @@ load_identity(char *filename) pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN); prv = key_load_private(filename, pass, NULL); - memset(pass, 0, strlen(pass)); - xfree(pass); + explicit_bzero(pass, strlen(pass)); + free(pass); } return prv; } @@ -288,7 +304,7 @@ do_convert_to_ssh2(struct passwd *pw, Key *k) dump_base64(stdout, blob, len); fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); key_free(k); - xfree(blob); + free(blob); exit(0); } @@ -415,12 +431,12 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) debug("ignore (%d %d %d %d)", i1, i2, i3, i4); if (strcmp(cipher, "none") != 0) { error("unsupported cipher %s", cipher); - xfree(cipher); + free(cipher); buffer_free(&b); - xfree(type); + free(type); return NULL; } - xfree(cipher); + free(cipher); if (strstr(type, "dsa")) { ktype = KEY_DSA; @@ -428,11 +444,11 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) ktype = KEY_RSA; } else { buffer_free(&b); - xfree(type); + free(type); return NULL; } key = key_new_private(ktype); - xfree(type); + free(type); switch (key->type) { case KEY_DSA: @@ -475,7 +491,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) /* try the key */ key_sign(key, &sig, &slen, data, sizeof(data)); key_verify(key, sig, slen, data, sizeof(data)); - xfree(sig); + free(sig); return key; } @@ -524,7 +540,7 @@ do_convert_from_ssh2(struct passwd *pw, Key **k, int *private) fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); encoded[0] = '\0'; while ((blen = get_line(fp, line, sizeof(line))) != -1) { - if (line[blen - 1] == '\\') + if (blen > 0 && line[blen - 1] == '\\') escaped++; if (strncmp(line, "----", 4) == 0 || strstr(line, ": ") != NULL) { @@ -746,15 +762,15 @@ do_download(struct passwd *pw) fp, key_type(keys[i])); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } else { key_write(keys[i], stdout); fprintf(stdout, "\n"); } key_free(keys[i]); } - xfree(keys); + free(keys); pkcs11_terminate(); exit(0); #else @@ -791,13 +807,13 @@ do_fingerprint(struct passwd *pw) if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); key_free(public); - xfree(comment); - xfree(ra); - xfree(fp); + free(comment); + free(ra); + free(fp); exit(0); } if (comment) { - xfree(comment); + free(comment); comment = NULL; } @@ -856,8 +872,8 @@ do_fingerprint(struct passwd *pw) comment ? comment : "no comment", key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); key_free(public); invalid = 0; } @@ -884,6 +900,7 @@ do_gen_all_hostkeys(struct passwd *pw) #ifdef OPENSSL_HAS_ECC { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, #endif + { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE }, { NULL, NULL, NULL } }; @@ -910,7 +927,6 @@ do_gen_all_hostkeys(struct passwd *pw) } printf("%s ", key_types[i].key_type_display); fflush(stdout); - arc4random_stir(); type = key_type_from_name(key_types[i].key_type); strlcpy(identity_file, key_types[i].path, sizeof(identity_file)); bits = 0; @@ -924,7 +940,8 @@ do_gen_all_hostkeys(struct passwd *pw) public = key_from_private(private); snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); - if (!key_save_private(private, identity_file, "", comment)) { + if (!key_save_private(private, identity_file, "", comment, + use_new_format, new_format_cipher, rounds)) { printf("Saving the key failed: %s.\n", identity_file); key_free(private); key_free(public); @@ -932,7 +949,6 @@ do_gen_all_hostkeys(struct passwd *pw) continue; } key_free(private); - arc4random_stir(); strlcat(identity_file, ".pub", sizeof(identity_file)); fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); if (fd == -1) { @@ -980,8 +996,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash) key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } else { if (hash && (name = host_hash(name, NULL, 0)) == NULL) fatal("hash_host failed"); @@ -1001,13 +1017,14 @@ do_known_hosts(struct passwd *pw, const char *name) char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; int ca; + int found_key = 0; if (!have_identity) { cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); if (strlcpy(identity_file, cp, sizeof(identity_file)) >= sizeof(identity_file)) fatal("Specified known hosts path too long"); - xfree(cp); + free(cp); have_identity = 1; } if ((in = fopen(identity_file, "r")) == NULL) @@ -1103,11 +1120,13 @@ do_known_hosts(struct passwd *pw, const char *name) } c = (strcmp(cp2, cp) == 0); if (find_host && c) { - printf("# Host %s found: " - "line %d type %s%s\n", name, - num, key_type(pub), - ca ? " (CA key)" : ""); + if (!quiet) + printf("# Host %s found: " + "line %d type %s%s\n", name, + num, key_type(pub), + ca ? " (CA key)" : ""); printhost(out, cp, pub, ca, 0); + found_key = 1; } if (delete_host) { if (!c && !ca) @@ -1124,12 +1143,14 @@ do_known_hosts(struct passwd *pw, const char *name) c = (match_hostname(name, cp, strlen(cp)) == 1); if (find_host && c) { - printf("# Host %s found: " - "line %d type %s%s\n", name, - num, key_type(pub), - ca ? " (CA key)" : ""); + if (!quiet) + printf("# Host %s found: " + "line %d type %s%s\n", name, + num, key_type(pub), + ca ? " (CA key)" : ""); printhost(out, name, pub, ca, hash_hosts && !ca); + found_key = 1; } if (delete_host) { if (!c && !ca) @@ -1205,7 +1226,7 @@ do_known_hosts(struct passwd *pw, const char *name) } } - exit(0); + exit (find_host && !found_key); } /* @@ -1237,8 +1258,8 @@ do_change_passphrase(struct passwd *pw) RP_ALLOW_STDIN); private = key_load_private(identity_file, old_passphrase, &comment); - memset(old_passphrase, 0, strlen(old_passphrase)); - xfree(old_passphrase); + explicit_bzero(old_passphrase, strlen(old_passphrase)); + free(old_passphrase); if (private == NULL) { printf("Bad passphrase.\n"); exit(1); @@ -1259,32 +1280,33 @@ do_change_passphrase(struct passwd *pw) /* Verify that they are the same. */ if (strcmp(passphrase1, passphrase2) != 0) { - memset(passphrase1, 0, strlen(passphrase1)); - memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase1); - xfree(passphrase2); + explicit_bzero(passphrase1, strlen(passphrase1)); + explicit_bzero(passphrase2, strlen(passphrase2)); + free(passphrase1); + free(passphrase2); printf("Pass phrases do not match. Try again.\n"); exit(1); } /* Destroy the other copy. */ - memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase2); + explicit_bzero(passphrase2, strlen(passphrase2)); + free(passphrase2); } /* Save the file using the new passphrase. */ - if (!key_save_private(private, identity_file, passphrase1, comment)) { + if (!key_save_private(private, identity_file, passphrase1, comment, + use_new_format, new_format_cipher, rounds)) { printf("Saving the key failed: %s.\n", identity_file); - memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + explicit_bzero(passphrase1, strlen(passphrase1)); + free(passphrase1); key_free(private); - xfree(comment); + free(comment); exit(1); } /* Destroy the passphrase and the copy of the key in memory. */ - memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + explicit_bzero(passphrase1, strlen(passphrase1)); + free(passphrase1); key_free(private); /* Destroys contents */ - xfree(comment); + free(comment); printf("Your identification has been saved with the new passphrase.\n"); exit(0); @@ -1301,7 +1323,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname) struct stat st; if (fname == NULL) - ask_filename(pw, "Enter file in which the key is"); + fatal("%s: no filename", __func__); if (stat(fname, &st) < 0) { if (errno == ENOENT) return 0; @@ -1312,11 +1334,11 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname) if (public != NULL) { export_dns_rr(hname, public, stdout, print_generic); key_free(public); - xfree(comment); + free(comment); return 1; } if (comment) - xfree(comment); + free(comment); printf("failed to read v2 public key from %s.\n", fname); exit(1); @@ -1353,8 +1375,8 @@ do_change_comment(struct passwd *pw) /* Try to load using the passphrase. */ private = key_load_private(identity_file, passphrase, &comment); if (private == NULL) { - memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + explicit_bzero(passphrase, strlen(passphrase)); + free(passphrase); printf("Bad passphrase.\n"); exit(1); } @@ -1374,7 +1396,7 @@ do_change_comment(struct passwd *pw) printf("Enter new comment: "); fflush(stdout); if (!fgets(new_comment, sizeof(new_comment), stdin)) { - memset(passphrase, 0, strlen(passphrase)); + explicit_bzero(passphrase, strlen(passphrase)); key_free(private); exit(1); } @@ -1382,16 +1404,17 @@ do_change_comment(struct passwd *pw) } /* Save the file using the new passphrase. */ - if (!key_save_private(private, identity_file, passphrase, new_comment)) { + if (!key_save_private(private, identity_file, passphrase, new_comment, + use_new_format, new_format_cipher, rounds)) { printf("Saving the key failed: %s.\n", identity_file); - memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + explicit_bzero(passphrase, strlen(passphrase)); + free(passphrase); key_free(private); - xfree(comment); + free(comment); exit(1); } - memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + explicit_bzero(passphrase, strlen(passphrase)); + free(passphrase); public = key_from_private(private); key_free(private); @@ -1412,7 +1435,7 @@ do_change_comment(struct passwd *pw) fprintf(f, " %s\n", new_comment); fclose(f); - xfree(comment); + free(comment); printf("The comment in your key file has been changed.\n"); exit(0); @@ -1529,7 +1552,7 @@ load_pkcs11_key(char *path) } key_free(keys[i]); } - xfree(keys); + free(keys); key_free(public); return private; #else @@ -1573,7 +1596,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) fatal("No PKCS#11 key matching %s found", ca_key_path); } else if ((ca = load_identity(tmp)) == NULL) fatal("Couldn't load CA key \"%s\"", tmp); - xfree(tmp); + free(tmp); for (i = 0; i < argc; i++) { /* Split list of principals */ @@ -1586,14 +1609,14 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) if (*(plist[n] = xstrdup(cp)) == '\0') fatal("Empty principal name"); } - xfree(otmp); + free(otmp); } tmp = tilde_expand_filename(argv[i], pw->pw_uid); if ((public = key_load_public(tmp, &comment)) == NULL) fatal("%s: unable to open \"%s\"", __func__, tmp); if (public->type != KEY_RSA && public->type != KEY_DSA && - public->type != KEY_ECDSA) + public->type != KEY_ECDSA && public->type != KEY_ED25519) fatal("%s: key \"%s\" type %s cannot be certified", __func__, tmp, key_type(public)); @@ -1624,7 +1647,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0) *cp = '\0'; xasprintf(&out, "%s-cert.pub", tmp); - xfree(tmp); + free(tmp); if ((fd = open(out, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) fatal("Could not open \"%s\" for writing: %s", out, @@ -1647,7 +1670,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) } key_free(public); - xfree(out); + free(out); } pkcs11_terminate(); exit(0); @@ -1693,7 +1716,7 @@ parse_absolute_time(const char *s) fatal("Invalid certificate time format %s", s); } - bzero(&tm, sizeof(tm)); + memset(&tm, 0, sizeof(tm)); if (strptime(buf, fmt, &tm) == NULL) fatal("Invalid certificate time %s", s); if ((tt = mktime(&tm)) < 0) @@ -1738,13 +1761,13 @@ parse_cert_times(char *timespec) cert_valid_from = parse_absolute_time(from); if (*to == '-' || *to == '+') - cert_valid_to = parse_relative_time(to, cert_valid_from); + cert_valid_to = parse_relative_time(to, now); else cert_valid_to = parse_absolute_time(to); if (cert_valid_to <= cert_valid_from) fatal("Empty certificate validity interval"); - xfree(from); + free(from); } static void @@ -1797,7 +1820,8 @@ add_cert_option(char *opt) static void show_options(const Buffer *optbuf, int v00, int in_critical) { - u_char *name, *data; + char *name; + u_char *data; u_int dlen; Buffer options, option; @@ -1822,13 +1846,13 @@ show_options(const Buffer *optbuf, int v00, int in_critical) strcmp(name, "source-address") == 0)) { data = buffer_get_string(&option, NULL); printf(" %s\n", data); - xfree(data); + free(data); } else { printf(" UNKNOWN OPTION (len %u)\n", buffer_len(&option)); buffer_clear(&option); } - xfree(name); + free(name); if (buffer_len(&option) != 0) fatal("Option corrupt: extra data at end"); } @@ -1962,7 +1986,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, continue; if (strncasecmp(cp, "serial:", 7) == 0) { if (ca == NULL) { - fatal("revoking certificated by serial number " + fatal("revoking certificates by serial number " "requires specification of a CA key"); } cp += 7; @@ -1999,7 +2023,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, } } else if (strncasecmp(cp, "id:", 3) == 0) { if (ca == NULL) { - fatal("revoking certificated by key ID " + fatal("revoking certificates by key ID " "requires specification of a CA key"); } cp += 3; @@ -2038,6 +2062,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, } if (strcmp(path, "-") != 0) fclose(krl_spec); + free(path); } static void @@ -2063,7 +2088,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); if ((ca = key_load_public(tmp, NULL)) == NULL) fatal("Cannot load CA public key %s", tmp); - xfree(tmp); + free(tmp); } if (updating) @@ -2090,6 +2115,8 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) close(fd); buffer_free(&kbuf); ssh_krl_free(krl); + if (ca != NULL) + key_free(ca); } static void @@ -2125,7 +2152,7 @@ usage(void) fprintf(stderr, "usage: %s [options]\n", __progname); fprintf(stderr, "Options:\n"); fprintf(stderr, " -A Generate non-existent host keys for all key types.\n"); - fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n"); + fprintf(stderr, " -a number Number of KDF rounds for new key format or moduli primality tests.\n"); fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); fprintf(stderr, " -b bits Number of bits in the key to create.\n"); fprintf(stderr, " -C comment Provide new comment.\n"); @@ -2153,6 +2180,7 @@ usage(void) fprintf(stderr, " -N phrase Provide new passphrase.\n"); fprintf(stderr, " -n name,... User/host principal names to include in certificate\n"); fprintf(stderr, " -O option Specify a certificate option.\n"); + fprintf(stderr, " -o Enforce new private key format.\n"); fprintf(stderr, " -P phrase Provide old passphrase.\n"); fprintf(stderr, " -p Change passphrase of private key file.\n"); fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n"); @@ -2168,6 +2196,7 @@ usage(void) fprintf(stderr, " -v Verbose.\n"); fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -y Read private key file and print public key.\n"); + fprintf(stderr, " -Z cipher Specify a cipher for new private key format.\n"); fprintf(stderr, " -z serial Specify a serial number.\n"); exit(1); @@ -2186,7 +2215,7 @@ main(int argc, char **argv) struct passwd *pw; struct stat st; int opt, type, fd; - u_int32_t memory = 0, generator_wanted = 0, trials = 100; + u_int32_t memory = 0, generator_wanted = 0; int do_gen_candidates = 0, do_screen_candidates = 0; int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; unsigned long start_lineno = 0, lines_to_process = 0; @@ -2210,7 +2239,7 @@ main(int argc, char **argv) /* we need this for the home * directory. */ pw = getpwuid(getuid()); if (!pw) { - printf("You don't exist, go away!\n"); + printf("No user exists for uid %lu\n", (u_long)getuid()); exit(1); } if (gethostname(hostname, sizeof(hostname)) < 0) { @@ -2218,8 +2247,9 @@ main(int argc, char **argv) exit(1); } - while ((opt = getopt(argc, argv, "ABHLQXceghiklpquvxy" - "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:a:b:f:g:j:m:n:r:s:t:z:")) != -1) { + /* Remaining characters: EUYdw */ + while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy" + "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; @@ -2277,6 +2307,9 @@ main(int argc, char **argv) case 'n': cert_principals = optarg; break; + case 'o': + use_new_format = 1; + break; case 'p': change_passphrase = 1; break; @@ -2304,6 +2337,9 @@ main(int argc, char **argv) case 'O': add_cert_option(optarg); break; + case 'Z': + new_format_cipher = optarg; + break; case 'C': identity_comment = optarg; break; @@ -2362,9 +2398,9 @@ main(int argc, char **argv) optarg, errstr); break; case 'a': - trials = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); + rounds = (int)strtonum(optarg, 1, INT_MAX, &errstr); if (errstr) - fatal("Invalid number of trials: %s (%s)", + fatal("Invalid number: %s (%s)", optarg, errstr); break; case 'M': @@ -2523,7 +2559,8 @@ main(int argc, char **argv) fatal("Couldn't open moduli file \"%s\": %s", out_file, strerror(errno)); } - if (prime_test(in, out, trials, generator_wanted, checkpoint, + if (prime_test(in, out, rounds == 0 ? 100 : rounds, + generator_wanted, checkpoint, start_lineno, lines_to_process) != 0) fatal("modulus screening failed"); return (0); @@ -2534,8 +2571,6 @@ main(int argc, char **argv) return (0); } - arc4random_stir(); - if (key_type_name == NULL) key_type_name = "rsa"; @@ -2597,16 +2632,16 @@ passphrase_again: * The passphrases do not match. Clear them and * retry. */ - memset(passphrase1, 0, strlen(passphrase1)); - memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase1); - xfree(passphrase2); + explicit_bzero(passphrase1, strlen(passphrase1)); + explicit_bzero(passphrase2, strlen(passphrase2)); + free(passphrase1); + free(passphrase2); printf("Passphrases do not match. Try again.\n"); goto passphrase_again; } /* Clear the other copy of the passphrase. */ - memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase2); + explicit_bzero(passphrase2, strlen(passphrase2)); + free(passphrase2); } if (identity_comment) { @@ -2617,19 +2652,19 @@ passphrase_again: } /* Save the key with the given passphrase and comment. */ - if (!key_save_private(private, identity_file, passphrase1, comment)) { + if (!key_save_private(private, identity_file, passphrase1, comment, + use_new_format, new_format_cipher, rounds)) { printf("Saving the key failed: %s.\n", identity_file); - memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + explicit_bzero(passphrase1, strlen(passphrase1)); + free(passphrase1); exit(1); } /* Clear the passphrase. */ - memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + explicit_bzero(passphrase1, strlen(passphrase1)); + free(passphrase1); /* Clear the private key and the random number generator. */ key_free(private); - arc4random_stir(); if (!quiet) printf("Your identification has been saved in %s.\n", identity_file); @@ -2660,8 +2695,8 @@ passphrase_again: printf("%s %s\n", fp, comment); printf("The key's randomart image is:\n"); printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } key_free(public); diff --git a/crypto/openssh/ssh-keyscan.0 b/crypto/openssh/ssh-keyscan.0 new file mode 100644 index 000000000..638c19b48 --- /dev/null +++ b/crypto/openssh/ssh-keyscan.0 @@ -0,0 +1,110 @@ +SSH-KEYSCAN(1) OpenBSD Reference Manual SSH-KEYSCAN(1) + +NAME + ssh-keyscan - gather ssh public keys + +SYNOPSIS + ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type] + [host | addrlist namelist] ... + +DESCRIPTION + ssh-keyscan is a utility for gathering the public ssh host keys of a + number of hosts. It was designed to aid in building and verifying + ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable + for use by shell and perl scripts. + + ssh-keyscan uses non-blocking socket I/O to contact as many hosts as + possible in parallel, so it is very efficient. The keys from a domain of + 1,000 hosts can be collected in tens of seconds, even when some of those + hosts are down or do not run ssh. For scanning, one does not need login + access to the machines that are being scanned, nor does the scanning + process involve any encryption. + + The options are as follows: + + -4 Forces ssh-keyscan to use IPv4 addresses only. + + -6 Forces ssh-keyscan to use IPv6 addresses only. + + -f file + Read hosts or ``addrlist namelist'' pairs from file, one per + line. If - is supplied instead of a filename, ssh-keyscan will + read hosts or ``addrlist namelist'' pairs from the standard + input. + + -H Hash all hostnames and addresses in the output. Hashed names may + be used normally by ssh and sshd, but they do not reveal + identifying information should the file's contents be disclosed. + + -p port + Port to connect to on the remote host. + + -T timeout + Set the timeout for connection attempts. If timeout seconds have + elapsed since a connection was initiated to a host or since the + last time anything was read from that host, then the connection + is closed and the host in question considered unavailable. + Default is 5 seconds. + + -t type + Specifies the type of the key to fetch from the scanned hosts. + The possible values are ``rsa1'' for protocol version 1 and + ``dsa'', ``ecdsa'', ``ed25519'', or ``rsa'' for protocol version + 2. Multiple values may be specified by separating them with + commas. The default is to fetch ``rsa'' and ``ecdsa'' keys. + + -v Verbose mode. Causes ssh-keyscan to print debugging messages + about its progress. + +SECURITY + If an ssh_known_hosts file is constructed using ssh-keyscan without + verifying the keys, users will be vulnerable to man in the middle + attacks. On the other hand, if the security model allows such a risk, + ssh-keyscan can help in the detection of tampered keyfiles or man in the + middle attacks which have begun after the ssh_known_hosts file was + created. + +FILES + Input format: + + 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 + + Output format for rsa1 keys: + + host-or-namelist bits exponent modulus + + Output format for rsa, dsa and ecdsa keys: + + host-or-namelist keytype base64-encoded-key + + Where keytype is either ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'', + ``ecdsa-sha2-nistp521'', ``ssh-ed25519'', ``ssh-dss'' or ``ssh-rsa''. + + /etc/ssh/ssh_known_hosts + +EXAMPLES + Print the rsa host key for machine hostname: + + $ ssh-keyscan hostname + + Find all hosts from the file ssh_hosts which have new or different keys + from those in the sorted file ssh_known_hosts: + + $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \ + sort -u - ssh_known_hosts | diff ssh_known_hosts - + +SEE ALSO + ssh(1), sshd(8) + +AUTHORS + David Mazieres wrote the initial version, and Wayne + Davison added support for protocol version + 2. + +BUGS + It generates "Connection closed by remote host" messages on the consoles + of all the machines it scans if the server is older than version 2.9. + This is because it opens a connection to the ssh port, reads the public + key, and drops the connection as soon as it gets the key. + +OpenBSD 5.5 January 28, 2014 OpenBSD 5.5 diff --git a/crypto/openssh/ssh-keyscan.1 b/crypto/openssh/ssh-keyscan.1 index 17d98a1ef..1b2fd40c3 100644 --- a/crypto/openssh/ssh-keyscan.1 +++ b/crypto/openssh/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.30 2012/04/11 13:34:17 djm Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.34 2014/01/28 14:13:39 jmc Exp $ .\" $FreeBSD$ .\" .\" Copyright 1995, 1996 by David Mazieres . @@ -7,7 +7,7 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd April 11, 2012 +.Dd January 28, 2014 .Dt SSH-KEYSCAN 1 .Os .Sh NAME @@ -57,14 +57,16 @@ Forces to use IPv6 addresses only. .It Fl f Ar file Read hosts or -.Pa addrlist namelist -pairs from this file, one per line. +.Dq addrlist namelist +pairs from +.Ar file , +one per line. If .Pa - is supplied instead of a filename, .Nm will read hosts or -.Pa addrlist namelist +.Dq addrlist namelist pairs from the standard input. .It Fl H Hash all hostnames and addresses in the output. @@ -79,7 +81,7 @@ Port to connect to on the remote host. .It Fl T Ar timeout Set the timeout for connection attempts. If -.Pa timeout +.Ar timeout seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection is closed and the host in question considered unavailable. @@ -90,7 +92,8 @@ The possible values are .Dq rsa1 for protocol version 1 and .Dq dsa , -.Dq ecdsa +.Dq ecdsa , +.Dq ed25519 , or .Dq rsa for protocol version 2. @@ -117,37 +120,36 @@ On the other hand, if the security model allows such a risk, can help in the detection of tampered keyfiles or man in the middle attacks which have begun after the ssh_known_hosts file was created. .Sh FILES -.Pa Input format: +Input format: .Bd -literal 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 .Ed .Pp -.Pa Output format for rsa1 keys: +Output format for rsa1 keys: .Bd -literal host-or-namelist bits exponent modulus .Ed .Pp -.Pa Output format for rsa, dsa and ecdsa keys: +Output format for rsa, dsa and ecdsa keys: .Bd -literal host-or-namelist keytype base64-encoded-key .Ed .Pp Where -.Pa keytype +.Ar keytype is either .Dq ecdsa-sha2-nistp256 , .Dq ecdsa-sha2-nistp384 , .Dq ecdsa-sha2-nistp521 , +.Dq ssh-ed25519 , .Dq ssh-dss or .Dq ssh-rsa . .Pp .Pa /etc/ssh/ssh_known_hosts .Sh EXAMPLES -Print the -.Pa rsa -host key for machine -.Pa hostname : +Print the rsa host key for machine +.Ar hostname : .Bd -literal $ ssh-keyscan hostname .Ed @@ -165,9 +167,9 @@ $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e .Xr sshd 8 .Sh AUTHORS .An -nosplit -.An David Mazieres Aq dm@lcs.mit.edu +.An David Mazieres Aq Mt dm@lcs.mit.edu wrote the initial version, and -.An Wayne Davison Aq wayned@users.sourceforge.net +.An Wayne Davison Aq Mt wayned@users.sourceforge.net added support for protocol version 2. .Sh BUGS It generates "Connection closed by remote host" messages on the consoles diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c index 878fac506..8d0a6b8d8 100644 --- a/crypto/openssh/ssh-keyscan.c +++ b/crypto/openssh/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.85 2011/03/15 10:36:02 okan Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.89 2013/12/06 13:39:49 markus Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -56,6 +56,7 @@ int ssh_port = SSH_DEFAULT_PORT; #define KT_DSA 2 #define KT_RSA 4 #define KT_ECDSA 8 +#define KT_ED25519 16 int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */ @@ -245,15 +246,18 @@ keygrab_ssh2(con *c) packet_set_connection(c->c_fd, c->c_fd); enable_compat20(); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA? - "ssh-dss" : (c->c_keytype == KT_RSA ? "ssh-rsa" : - "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = + c->c_keytype == KT_DSA ? "ssh-dss" : + (c->c_keytype == KT_RSA ? "ssh-rsa" : + (c->c_keytype == KT_ED25519 ? "ssh-ed25519" : + "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521")); c->c_kex = kex_setup(myproposal); c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; c->c_kex->kex[KEX_ECDH_SHA2] = kexecdh_client; + c->c_kex->kex[KEX_C25519_SHA256] = kexc25519_client; c->c_kex->verify_host_key = hostjump; if (!(j = setjmp(kexjmp))) { @@ -263,7 +267,7 @@ keygrab_ssh2(con *c) exit(1); } nonfatal_fatal = 0; - xfree(c->c_kex); + free(c->c_kex); c->c_kex = NULL; packet_close(); @@ -329,7 +333,7 @@ conalloc(char *iname, char *oname, int keytype) do { name = xstrsep(&namelist, ","); if (!name) { - xfree(namebase); + free(namebase); return (-1); } } while ((s = tcpconnect(name)) < 0); @@ -363,10 +367,10 @@ confree(int s) if (s >= maxfd || fdcon[s].c_status == CS_UNUSED) fatal("confree: attempt to free bad fdno %d", s); close(s); - xfree(fdcon[s].c_namebase); - xfree(fdcon[s].c_output_name); + free(fdcon[s].c_namebase); + free(fdcon[s].c_output_name); if (fdcon[s].c_status == CS_KEYS) - xfree(fdcon[s].c_data); + free(fdcon[s].c_data); fdcon[s].c_status = CS_UNUSED; fdcon[s].c_keytype = 0; TAILQ_REMOVE(&tq, &fdcon[s], c_link); @@ -553,8 +557,8 @@ conloop(void) } else if (FD_ISSET(i, r)) conread(i); } - xfree(r); - xfree(e); + free(r); + free(e); c = TAILQ_FIRST(&tq); while (c && (c->c_tv.tv_sec < now.tv_sec || @@ -574,7 +578,7 @@ do_host(char *host) if (name == NULL) return; - for (j = KT_RSA1; j <= KT_ECDSA; j *= 2) { + for (j = KT_RSA1; j <= KT_ED25519; j *= 2) { if (get_keytypes & j) { while (ncon >= MAXCON) conloop(); @@ -681,6 +685,9 @@ main(int argc, char **argv) case KEY_RSA: get_keytypes |= KT_RSA; break; + case KEY_ED25519: + get_keytypes |= KT_ED25519; + break; case KEY_UNSPEC: fatal("unknown key type %s", tname); } diff --git a/crypto/openssh/ssh-keysign.0 b/crypto/openssh/ssh-keysign.0 new file mode 100644 index 000000000..5f18b54e3 --- /dev/null +++ b/crypto/openssh/ssh-keysign.0 @@ -0,0 +1,53 @@ +SSH-KEYSIGN(8) OpenBSD System Manager's Manual SSH-KEYSIGN(8) + +NAME + ssh-keysign - ssh helper program for host-based authentication + +SYNOPSIS + ssh-keysign + +DESCRIPTION + ssh-keysign is used by ssh(1) to access the local host keys and generate + the digital signature required during host-based authentication with SSH + protocol version 2. + + ssh-keysign is disabled by default and can only be enabled in the global + client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign + to ``yes''. + + ssh-keysign is not intended to be invoked by the user, but from ssh(1). + See ssh(1) and sshd(8) for more information about host-based + authentication. + +FILES + /etc/ssh/ssh_config + Controls whether ssh-keysign is enabled. + + /etc/ssh/ssh_host_dsa_key + /etc/ssh/ssh_host_ecdsa_key + /etc/ssh/ssh_host_ed25519_key + /etc/ssh/ssh_host_rsa_key + These files contain the private parts of the host keys used to + generate the digital signature. They should be owned by root, + readable only by root, and not accessible to others. Since they + are readable only by root, ssh-keysign must be set-uid root if + host-based authentication is used. + + /etc/ssh/ssh_host_dsa_key-cert.pub + /etc/ssh/ssh_host_ecdsa_key-cert.pub + /etc/ssh/ssh_host_ed25519_key-cert.pub + /etc/ssh/ssh_host_rsa_key-cert.pub + If these files exist they are assumed to contain public + certificate information corresponding with the private keys + above. + +SEE ALSO + ssh(1), ssh-keygen(1), ssh_config(5), sshd(8) + +HISTORY + ssh-keysign first appeared in OpenBSD 3.2. + +AUTHORS + Markus Friedl + +OpenBSD 5.5 December 7, 2013 OpenBSD 5.5 diff --git a/crypto/openssh/ssh-keysign.8 b/crypto/openssh/ssh-keysign.8 index a266af923..32e725316 100644 --- a/crypto/openssh/ssh-keysign.8 +++ b/crypto/openssh/ssh-keysign.8 @@ -1,4 +1,5 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.12 2010/08/31 11:54:45 djm Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.14 2013/12/07 11:58:46 naddy Exp $ +.\" $FreeBSD$ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -22,7 +23,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 31, 2010 +.Dd December 7, 2013 .Dt SSH-KEYSIGN 8 .Os .Sh NAME @@ -63,6 +64,7 @@ is enabled. .Pp .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key +.It Pa /etc/ssh/ssh_host_ed25519_key .It Pa /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys used to generate the digital signature. @@ -74,6 +76,7 @@ must be set-uid root if host-based authentication is used. .Pp .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub +.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub If these files exist they are assumed to contain public certificate information corresponding with the private keys above. @@ -88,4 +91,4 @@ information corresponding with the private keys above. first appeared in .Ox 3.2 . .Sh AUTHORS -.An Markus Friedl Aq markus@openbsd.org +.An Markus Friedl Aq Mt markus@openbsd.org diff --git a/crypto/openssh/ssh-keysign.c b/crypto/openssh/ssh-keysign.c index 1deb7e141..6bde8ad17 100644 --- a/crypto/openssh/ssh-keysign.c +++ b/crypto/openssh/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.36 2011/02/16 00:31:14 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.39 2013/12/06 13:39:49 markus Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -78,7 +78,7 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, p = buffer_get_string(&b, &len); if (len != 20 && len != 32) fail++; - xfree(p); + free(p); if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; @@ -90,13 +90,13 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, p = buffer_get_string(&b, NULL); if (strcmp("ssh-connection", p) != 0) fail++; - xfree(p); + free(p); /* method */ p = buffer_get_string(&b, NULL); if (strcmp("hostbased", p) != 0) fail++; - xfree(p); + free(p); /* pubkey */ pkalg = buffer_get_string(&b, NULL); @@ -109,8 +109,8 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, fail++; else if (key->type != pktype) fail++; - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); /* client host name, handle trailing dot */ p = buffer_get_string(&b, &len); @@ -121,14 +121,14 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, fail++; else if (strncasecmp(host, p, len - 1) != 0) fail++; - xfree(p); + free(p); /* local user */ p = buffer_get_string(&b, NULL); if (strcmp(pw->pw_name, p) != 0) fail++; - xfree(p); + free(p); /* end of message */ if (buffer_len(&b) != 0) @@ -150,7 +150,7 @@ main(int argc, char **argv) { Buffer b; Options options; -#define NUM_KEYTYPES 3 +#define NUM_KEYTYPES 4 Key *keys[NUM_KEYTYPES], *key = NULL; struct passwd *pw; int key_fd[NUM_KEYTYPES], i, found, version = 2, fd; @@ -169,6 +169,7 @@ main(int argc, char **argv) i = 0; key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); + key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); original_real_uid = getuid(); /* XXX readconf.c needs this */ @@ -179,7 +180,6 @@ main(int argc, char **argv) permanently_set_uid(pw); seed_rng(); - arc4random_stir(); #ifdef DEBUG_SSH_KEYSIGN log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); @@ -187,7 +187,7 @@ main(int argc, char **argv) /* verify that ssh-keysign is enabled by the admin */ initialize_options(&options); - (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0); + (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", &options, 0); fill_default_options(&options); if (options.enable_ssh_keysign != 1) fatal("ssh-keysign not enabled in %s", @@ -233,7 +233,7 @@ main(int argc, char **argv) data = buffer_get_string(&b, &dlen); if (valid_request(pw, host, &key, data, dlen) < 0) fatal("not a valid request"); - xfree(host); + free(host); found = 0; for (i = 0; i < NUM_KEYTYPES; i++) { @@ -248,7 +248,7 @@ main(int argc, char **argv) if (key_sign(keys[i], &signature, &slen, data, dlen) != 0) fatal("key_sign failed"); - xfree(data); + free(data); /* send reply */ buffer_clear(&b); diff --git a/crypto/openssh/ssh-pkcs11-client.c b/crypto/openssh/ssh-pkcs11-client.c index 82b11daf5..6c9f9d2c1 100644 --- a/crypto/openssh/ssh-pkcs11-client.c +++ b/crypto/openssh/ssh-pkcs11-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-client.c,v 1.3 2012/01/16 20:34:09 miod Exp $ */ +/* $OpenBSD: ssh-pkcs11-client.c,v 1.4 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -121,7 +121,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, buffer_put_string(&msg, blob, blen); buffer_put_string(&msg, from, flen); buffer_put_int(&msg, 0); - xfree(blob); + free(blob); send_msg(&msg); buffer_clear(&msg); @@ -131,7 +131,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, memcpy(to, signature, slen); ret = slen; } - xfree(signature); + free(signature); } buffer_free(&msg); return (ret); @@ -205,11 +205,11 @@ pkcs11_add_provider(char *name, char *pin, Key ***keysp) *keysp = xcalloc(nkeys, sizeof(Key *)); for (i = 0; i < nkeys; i++) { blob = buffer_get_string(&msg, &blen); - xfree(buffer_get_string(&msg, NULL)); + free(buffer_get_string(&msg, NULL)); k = key_from_blob(blob, blen); wrap_key(k->rsa); (*keysp)[i] = k; - xfree(blob); + free(blob); } } else { nkeys = -1; diff --git a/crypto/openssh/ssh-pkcs11-helper.0 b/crypto/openssh/ssh-pkcs11-helper.0 new file mode 100644 index 000000000..20d62f7a9 --- /dev/null +++ b/crypto/openssh/ssh-pkcs11-helper.0 @@ -0,0 +1,25 @@ +SSH-PKCS11-HELPER(8) OpenBSD System Manager's Manual SSH-PKCS11-HELPER(8) + +NAME + ssh-pkcs11-helper - ssh-agent helper program for PKCS#11 support + +SYNOPSIS + ssh-pkcs11-helper + +DESCRIPTION + ssh-pkcs11-helper is used by ssh-agent(1) to access keys provided by a + PKCS#11 token. + + ssh-pkcs11-helper is not intended to be invoked by the user, but from + ssh-agent(1). + +SEE ALSO + ssh(1), ssh-add(1), ssh-agent(1) + +HISTORY + ssh-pkcs11-helper first appeared in OpenBSD 4.7. + +AUTHORS + Markus Friedl + +OpenBSD 5.5 July 16, 2013 OpenBSD 5.5 diff --git a/crypto/openssh/ssh-pkcs11-helper.8 b/crypto/openssh/ssh-pkcs11-helper.8 index 76f8d30d7..17beebe45 100644 --- a/crypto/openssh/ssh-pkcs11-helper.8 +++ b/crypto/openssh/ssh-pkcs11-helper.8 @@ -1,4 +1,5 @@ -.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.3 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.4 2013/07/16 00:07:52 schwarze Exp $ +.\" $FreeBSD$ .\" .\" Copyright (c) 2010 Markus Friedl. All rights reserved. .\" @@ -14,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd February 10, 2010 +.Dd July 16, 2013 .Dt SSH-PKCS11-HELPER 8 .Os .Sh NAME @@ -40,4 +41,4 @@ is not intended to be invoked by the user, but from first appeared in .Ox 4.7 . .Sh AUTHORS -.An Markus Friedl Aq markus@openbsd.org +.An Markus Friedl Aq Mt markus@openbsd.org diff --git a/crypto/openssh/ssh-pkcs11-helper.c b/crypto/openssh/ssh-pkcs11-helper.c index fcb5defc0..b7c52beb8 100644 --- a/crypto/openssh/ssh-pkcs11-helper.c +++ b/crypto/openssh/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.4 2012/07/02 12:13:26 dtucker Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.7 2013/12/02 02:56:17 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -79,7 +79,7 @@ del_keys_by_name(char *name) nxt = TAILQ_NEXT(ki, next); if (!strcmp(ki->providername, name)) { TAILQ_REMOVE(&pkcs11_keylist, ki, next); - xfree(ki->providername); + free(ki->providername); key_free(ki->key); free(ki); } @@ -127,18 +127,19 @@ process_add(void) buffer_put_char(&msg, SSH2_AGENT_IDENTITIES_ANSWER); buffer_put_int(&msg, nkeys); for (i = 0; i < nkeys; i++) { - key_to_blob(keys[i], &blob, &blen); + if (key_to_blob(keys[i], &blob, &blen) == 0) + continue; buffer_put_string(&msg, blob, blen); buffer_put_cstring(&msg, name); - xfree(blob); + free(blob); add_key(keys[i], name); } - xfree(keys); + free(keys); } else { buffer_put_char(&msg, SSH_AGENT_FAILURE); } - xfree(pin); - xfree(name); + free(pin); + free(name); send_msg(&msg); buffer_free(&msg); } @@ -157,8 +158,8 @@ process_del(void) buffer_put_char(&msg, SSH_AGENT_SUCCESS); else buffer_put_char(&msg, SSH_AGENT_FAILURE); - xfree(pin); - xfree(name); + free(pin); + free(name); send_msg(&msg); buffer_free(&msg); } @@ -195,10 +196,9 @@ process_sign(void) } else { buffer_put_char(&msg, SSH_AGENT_FAILURE); } - xfree(data); - xfree(blob); - if (signature != NULL) - xfree(signature); + free(data); + free(blob); + free(signature); send_msg(&msg); buffer_free(&msg); } @@ -274,7 +274,6 @@ main(int argc, char **argv) LogLevel log_level = SYSLOG_LEVEL_ERROR; char buf[4*4096]; - extern char *optarg; extern char *__progname; TAILQ_INIT(&pkcs11_keylist); diff --git a/crypto/openssh/ssh-pkcs11.c b/crypto/openssh/ssh-pkcs11.c index 1f4c1c8e4..c49cbf42b 100644 --- a/crypto/openssh/ssh-pkcs11.c +++ b/crypto/openssh/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.6 2010/06/08 21:32:19 markus Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.11 2013/11/13 13:48:20 markus Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -31,6 +31,8 @@ #include "openbsd-compat/sys-queue.h" +#include + #define CRYPTOKI_COMPAT #include "pkcs11.h" @@ -120,9 +122,9 @@ pkcs11_provider_unref(struct pkcs11_provider *p) if (--p->refcount <= 0) { if (p->valid) error("pkcs11_provider_unref: %p still valid", p); - xfree(p->slotlist); - xfree(p->slotinfo); - xfree(p); + free(p->slotlist); + free(p->slotinfo); + free(p); } } @@ -180,9 +182,8 @@ pkcs11_rsa_finish(RSA *rsa) rv = k11->orig_finish(rsa); if (k11->provider) pkcs11_provider_unref(k11->provider); - if (k11->keyid) - xfree(k11->keyid); - xfree(k11); + free(k11->keyid); + free(k11); } return (rv); } @@ -226,7 +227,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, CK_OBJECT_HANDLE obj; CK_ULONG tlen = 0; CK_RV rv; - CK_OBJECT_CLASS private_key_class = CKO_PRIVATE_KEY; + CK_OBJECT_CLASS private_key_class = CKO_PRIVATE_KEY; CK_BBOOL true_val = CK_TRUE; CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 @@ -239,8 +240,6 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, char *pin, prompt[1024]; int rval = -1; - /* some compilers complain about non-constant initializer so we - use NULL in CK_ATTRIBUTE above and set the values here */ key_filter[0].pValue = &private_key_class; key_filter[2].pValue = &true_val; @@ -264,13 +263,13 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, pin = read_passphrase(prompt, RP_ALLOW_EOF); if (pin == NULL) return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin))) - != CKR_OK) { - xfree(pin); + if ((rv = f->C_Login(si->session, CKU_USER, + (u_char *)pin, strlen(pin))) != CKR_OK) { + free(pin); error("C_Login failed: %lu", rv); return (-1); } - xfree(pin); + free(pin); si->logged_in = 1; } key_filter[1].pValue = k11->keyid; @@ -329,7 +328,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, /* remove trailing spaces */ static void -rmspace(char *buf, size_t len) +rmspace(u_char *buf, size_t len) { size_t i; @@ -367,8 +366,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) return (-1); } if (login_required && pin) { - if ((rv = f->C_Login(session, CKU_USER, pin, strlen(pin))) - != CKR_OK) { + if ((rv = f->C_Login(session, CKU_USER, + (u_char *)pin, strlen(pin))) != CKR_OK) { error("C_Login failed: %lu", rv); if ((rv = f->C_CloseSession(session)) != CKR_OK) error("C_CloseSession failed: %lu", rv); @@ -385,36 +384,75 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) * add 'wrapped' public keys to the 'keysp' array and increment nkeys. * keysp points to an (possibly empty) array with *nkeys keys. */ +static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG, + CK_ATTRIBUTE [], CK_ATTRIBUTE [3], Key ***, int *) + __attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE)))); + static int -pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, - int *nkeys) +pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, + Key ***keysp, int *nkeys) { - Key *key; - RSA *rsa; - int i; - CK_RV rv; - CK_OBJECT_HANDLE obj; - CK_ULONG nfound; - CK_SESSION_HANDLE session; - CK_FUNCTION_LIST *f; - CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; + CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; + CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE; CK_ATTRIBUTE pubkey_filter[] = { { CKA_CLASS, NULL, sizeof(pubkey_class) } }; - CK_ATTRIBUTE attribs[] = { + CK_ATTRIBUTE cert_filter[] = { + { CKA_CLASS, NULL, sizeof(cert_class) } + }; + CK_ATTRIBUTE pubkey_attribs[] = { { CKA_ID, NULL, 0 }, { CKA_MODULUS, NULL, 0 }, { CKA_PUBLIC_EXPONENT, NULL, 0 } }; - - /* some compilers complain about non-constant initializer so we - use NULL in CK_ATTRIBUTE above and set the value here */ + CK_ATTRIBUTE cert_attribs[] = { + { CKA_ID, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, + { CKA_VALUE, NULL, 0 } + }; pubkey_filter[0].pValue = &pubkey_class; + cert_filter[0].pValue = &cert_class; + + if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs, + keysp, nkeys) < 0 || + pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs, + keysp, nkeys) < 0) + return (-1); + return (0); +} + +static int +pkcs11_key_included(Key ***keysp, int *nkeys, Key *key) +{ + int i; + + for (i = 0; i < *nkeys; i++) + if (key_equal(key, (*keysp)[i])) + return (1); + return (0); +} + +static int +pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, + CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3], + Key ***keysp, int *nkeys) +{ + Key *key; + RSA *rsa; + X509 *x509; + EVP_PKEY *evp; + int i; + const u_char *cp; + CK_RV rv; + CK_OBJECT_HANDLE obj; + CK_ULONG nfound; + CK_SESSION_HANDLE session; + CK_FUNCTION_LIST *f; f = p->function_list; session = p->slotinfo[slotidx].session; /* setup a filter the looks for public keys */ - if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) { + if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) { error("C_FindObjectsInit failed: %lu", rv); return (-1); } @@ -442,35 +480,62 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, /* allocate buffers for attributes */ for (i = 0; i < 3; i++) attribs[i].pValue = xmalloc(attribs[i].ulValueLen); - /* retrieve ID, modulus and public exponent of RSA key */ + /* + * retrieve ID, modulus and public exponent of RSA key, + * or ID, subject and value for certificates. + */ + rsa = NULL; if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3)) != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); - } else if ((rsa = RSA_new()) == NULL) { - error("RSA_new failed"); + } else if (attribs[1].type == CKA_MODULUS ) { + if ((rsa = RSA_new()) == NULL) { + error("RSA_new failed"); + } else { + rsa->n = BN_bin2bn(attribs[1].pValue, + attribs[1].ulValueLen, NULL); + rsa->e = BN_bin2bn(attribs[2].pValue, + attribs[2].ulValueLen, NULL); + } } else { - rsa->n = BN_bin2bn(attribs[1].pValue, - attribs[1].ulValueLen, NULL); - rsa->e = BN_bin2bn(attribs[2].pValue, - attribs[2].ulValueLen, NULL); - if (rsa->n && rsa->e && - pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { - key = key_new(KEY_UNSPEC); - key->rsa = rsa; - key->type = KEY_RSA; - key->flags |= KEY_FLAG_EXT; + cp = attribs[2].pValue; + if ((x509 = X509_new()) == NULL) { + error("X509_new failed"); + } else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen) + == NULL) { + error("d2i_X509 failed"); + } else if ((evp = X509_get_pubkey(x509)) == NULL || + evp->type != EVP_PKEY_RSA || + evp->pkey.rsa == NULL) { + debug("X509_get_pubkey failed or no rsa"); + } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa)) + == NULL) { + error("RSAPublicKey_dup"); + } + if (x509) + X509_free(x509); + } + if (rsa && rsa->n && rsa->e && + pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { + key = key_new(KEY_UNSPEC); + key->rsa = rsa; + key->type = KEY_RSA; + key->flags |= KEY_FLAG_EXT; + if (pkcs11_key_included(keysp, nkeys, key)) { + key_free(key); + } else { /* expand key array and add key */ *keysp = xrealloc(*keysp, *nkeys + 1, sizeof(Key *)); (*keysp)[*nkeys] = key; *nkeys = *nkeys + 1; debug("have %d keys", *nkeys); - } else { - RSA_free(rsa); } + } else if (rsa) { + RSA_free(rsa); } for (i = 0; i < 3; i++) - xfree(attribs[i].pValue); + free(attribs[i].pValue); } if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK) error("C_FindObjectsFinal failed: %lu", rv); @@ -579,11 +644,9 @@ fail: if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK) error("C_Finalize failed: %lu", rv); if (p) { - if (p->slotlist) - xfree(p->slotlist); - if (p->slotinfo) - xfree(p->slotinfo); - xfree(p); + free(p->slotlist); + free(p->slotinfo); + free(p); } if (handle) dlclose(handle); diff --git a/crypto/openssh/ssh-rsa.c b/crypto/openssh/ssh-rsa.c index c6355fa09..c6f25b3ee 100644 --- a/crypto/openssh/ssh-rsa.c +++ b/crypto/openssh/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.45 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.51 2014/02/02 03:44:31 djm Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * @@ -32,6 +32,7 @@ #include "compat.h" #include "misc.h" #include "ssh.h" +#include "digest.h" static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *); @@ -40,49 +41,53 @@ int ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, const u_char *data, u_int datalen) { - const EVP_MD *evp_md; - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE], *sig; + int hash_alg; + u_char digest[SSH_DIGEST_MAX_LENGTH], *sig; u_int slen, dlen, len; int ok, nid; Buffer b; - if (key == NULL || key->rsa == NULL || (key->type != KEY_RSA && - key->type != KEY_RSA_CERT && key->type != KEY_RSA_CERT_V00)) { - error("ssh_rsa_sign: no RSA key"); + if (key == NULL || key_type_plain(key->type) != KEY_RSA || + key->rsa == NULL) { + error("%s: no RSA key", __func__); return -1; } - nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; - if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { - error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid); + + /* hash the data */ + hash_alg = SSH_DIGEST_SHA1; + nid = NID_sha1; + if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { + error("%s: bad hash algorithm %d", __func__, hash_alg); + return -1; + } + if (ssh_digest_memory(hash_alg, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: ssh_digest_memory failed", __func__); return -1; } - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); slen = RSA_size(key->rsa); sig = xmalloc(slen); ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa); - memset(digest, 'd', sizeof(digest)); + explicit_bzero(digest, sizeof(digest)); if (ok != 1) { int ecode = ERR_get_error(); - error("ssh_rsa_sign: RSA_sign failed: %s", + error("%s: RSA_sign failed: %s", __func__, ERR_error_string(ecode, NULL)); - xfree(sig); + free(sig); return -1; } if (len < slen) { u_int diff = slen - len; debug("slen %u > len %u", slen, len); memmove(sig + diff, sig, len); - memset(sig, 0, diff); + explicit_bzero(sig, diff); } else if (len > slen) { - error("ssh_rsa_sign: slen %u slen2 %u", slen, len); - xfree(sig); + error("%s: slen %u slen2 %u", __func__, slen, len); + free(sig); return -1; } /* encode signature */ @@ -97,8 +102,8 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, memcpy(*sigp, buffer_ptr(&b), len); } buffer_free(&b); - memset(sig, 's', slen); - xfree(sig); + explicit_bzero(sig, slen); + free(sig); return 0; } @@ -108,71 +113,75 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen) { Buffer b; - const EVP_MD *evp_md; - EVP_MD_CTX md; + int hash_alg; char *ktype; - u_char digest[EVP_MAX_MD_SIZE], *sigblob; + u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob; u_int len, dlen, modlen; - int rlen, ret, nid; + int rlen, ret; - if (key == NULL || key->rsa == NULL || (key->type != KEY_RSA && - key->type != KEY_RSA_CERT && key->type != KEY_RSA_CERT_V00)) { - error("ssh_rsa_verify: no RSA key"); + if (key == NULL || key_type_plain(key->type) != KEY_RSA || + key->rsa == NULL) { + error("%s: no RSA key", __func__); return -1; } + if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { - error("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits", - BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); + error("%s: RSA modulus too small: %d < minimum %d bits", + __func__, BN_num_bits(key->rsa->n), + SSH_RSA_MINIMUM_MODULUS_SIZE); return -1; } buffer_init(&b); buffer_append(&b, signature, signaturelen); ktype = buffer_get_cstring(&b, NULL); if (strcmp("ssh-rsa", ktype) != 0) { - error("ssh_rsa_verify: cannot handle type %s", ktype); + error("%s: cannot handle type %s", __func__, ktype); buffer_free(&b); - xfree(ktype); + free(ktype); return -1; } - xfree(ktype); + free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { - error("ssh_rsa_verify: remaining bytes in signature %d", rlen); - xfree(sigblob); + error("%s: remaining bytes in signature %d", __func__, rlen); + free(sigblob); return -1; } /* RSA_verify expects a signature of RSA_size */ modlen = RSA_size(key->rsa); if (len > modlen) { - error("ssh_rsa_verify: len %u > modlen %u", len, modlen); - xfree(sigblob); + error("%s: len %u > modlen %u", __func__, len, modlen); + free(sigblob); return -1; } else if (len < modlen) { u_int diff = modlen - len; - debug("ssh_rsa_verify: add padding: modlen %u > len %u", + debug("%s: add padding: modlen %u > len %u", __func__, modlen, len); sigblob = xrealloc(sigblob, 1, modlen); memmove(sigblob + diff, sigblob, len); - memset(sigblob, 0, diff); + explicit_bzero(sigblob, diff); len = modlen; } - nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; - if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { - error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid); - xfree(sigblob); + /* hash the data */ + hash_alg = SSH_DIGEST_SHA1; + if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { + error("%s: bad hash algorithm %d", __func__, hash_alg); + return -1; + } + if (ssh_digest_memory(hash_alg, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: ssh_digest_memory failed", __func__); return -1; } - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); - ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa); - memset(digest, 'd', sizeof(digest)); - memset(sigblob, 's', len); - xfree(sigblob); - debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : ""); + ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len, + key->rsa); + explicit_bzero(digest, sizeof(digest)); + explicit_bzero(sigblob, len); + free(sigblob); + debug("%s: signature %scorrect", __func__, (ret == 0) ? "in" : ""); return ret; } @@ -193,21 +202,9 @@ static const u_char id_sha1[] = { 0x05, 0x00, /* NULL */ 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */ }; -/* - * id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) - * rsadsi(113549) digestAlgorithm(2) 5 } - */ -static const u_char id_md5[] = { - 0x30, 0x20, /* type Sequence, length 0x20 (32) */ - 0x30, 0x0c, /* type Sequence, length 0x09 */ - 0x06, 0x08, /* type OID, length 0x05 */ - 0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */ - 0x05, 0x00, /* NULL */ - 0x04, 0x10 /* Octet string, length 0x10 (16), followed by md5 hash */ -}; static int -openssh_RSA_verify(int type, u_char *hash, u_int hashlen, +openssh_RSA_verify(int hash_alg, u_char *hash, u_int hashlen, u_char *sigbuf, u_int siglen, RSA *rsa) { u_int ret, rsasize, oidlen = 0, hlen = 0; @@ -216,17 +213,12 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen, u_char *decrypted = NULL; ret = 0; - switch (type) { - case NID_sha1: + switch (hash_alg) { + case SSH_DIGEST_SHA1: oid = id_sha1; oidlen = sizeof(id_sha1); hlen = 20; break; - case NID_md5: - oid = id_md5; - oidlen = sizeof(id_md5); - hlen = 16; - break; default: goto done; } @@ -262,7 +254,6 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen, } ret = 1; done: - if (decrypted) - xfree(decrypted); + free(decrypted); return ret; } diff --git a/crypto/openssh/ssh-sandbox.h b/crypto/openssh/ssh-sandbox.h index dfecd5aa0..bd5fd8372 100644 --- a/crypto/openssh/ssh-sandbox.h +++ b/crypto/openssh/ssh-sandbox.h @@ -15,9 +15,10 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +struct monitor; struct ssh_sandbox; -struct ssh_sandbox *ssh_sandbox_init(void); +struct ssh_sandbox *ssh_sandbox_init(struct monitor *); void ssh_sandbox_child(struct ssh_sandbox *); void ssh_sandbox_parent_finish(struct ssh_sandbox *); void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t); diff --git a/crypto/openssh/ssh.0 b/crypto/openssh/ssh.0 new file mode 100644 index 000000000..16868cfca --- /dev/null +++ b/crypto/openssh/ssh.0 @@ -0,0 +1,946 @@ +SSH(1) OpenBSD Reference Manual SSH(1) + +NAME + ssh - OpenSSH SSH client (remote login program) + +SYNOPSIS + ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] + [-D [bind_address:]port] [-E log_file] [-e escape_char] + [-F configfile] [-I pkcs11] [-i identity_file] + [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] + [-O ctl_cmd] [-o option] [-p port] + [-Q cipher | cipher-auth | mac | kex | key] + [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] + [-w local_tun[:remote_tun]] [user@]hostname [command] + +DESCRIPTION + ssh (SSH client) is a program for logging into a remote machine and for + executing commands on a remote machine. It is intended to replace rlogin + and rsh, and provide secure encrypted communications between two + untrusted hosts over an insecure network. X11 connections and arbitrary + TCP ports can also be forwarded over the secure channel. + + ssh connects and logs into the specified hostname (with optional user + name). The user must prove his/her identity to the remote machine using + one of several methods depending on the protocol version used (see + below). + + If command is specified, it is executed on the remote host instead of a + login shell. + + The options are as follows: + + -1 Forces ssh to try protocol version 1 only. + + -2 Forces ssh to try protocol version 2 only. + + -4 Forces ssh to use IPv4 addresses only. + + -6 Forces ssh to use IPv6 addresses only. + + -A Enables forwarding of the authentication agent connection. This + can also be specified on a per-host basis in a configuration + file. + + Agent forwarding should be enabled with caution. Users with the + ability to bypass file permissions on the remote host (for the + agent's UNIX-domain socket) can access the local agent through + the forwarded connection. An attacker cannot obtain key material + from the agent, however they can perform operations on the keys + that enable them to authenticate using the identities loaded into + the agent. + + -a Disables forwarding of the authentication agent connection. + + -b bind_address + Use bind_address on the local machine as the source address of + the connection. Only useful on systems with more than one + address. + + -C Requests compression of all data (including stdin, stdout, + stderr, and data for forwarded X11 and TCP connections). The + compression algorithm is the same used by gzip(1), and the + ``level'' can be controlled by the CompressionLevel option for + protocol version 1. Compression is desirable on modem lines and + other slow connections, but will only slow down things on fast + networks. The default value can be set on a host-by-host basis + in the configuration files; see the Compression option. + + -c cipher_spec + Selects the cipher specification for encrypting the session. + + Protocol version 1 allows specification of a single cipher. The + supported values are ``3des'', ``blowfish'', and ``des''. 3des + (triple-des) is an encrypt-decrypt-encrypt triple with three + different keys. It is believed to be secure. blowfish is a fast + block cipher; it appears very secure and is much faster than + 3des. des is only supported in the ssh client for + interoperability with legacy protocol 1 implementations that do + not support the 3des cipher. Its use is strongly discouraged due + to cryptographic weaknesses. The default is ``3des''. + + For protocol version 2, cipher_spec is a comma-separated list of + ciphers listed in order of preference. See the Ciphers keyword + in ssh_config(5) for more information. + + -D [bind_address:]port + Specifies a local ``dynamic'' application-level port forwarding. + This works by allocating a socket to listen to port on the local + side, optionally bound to the specified bind_address. Whenever a + connection is made to this port, the connection is forwarded over + the secure channel, and the application protocol is then used to + determine where to connect to from the remote machine. Currently + the SOCKS4 and SOCKS5 protocols are supported, and ssh will act + as a SOCKS server. Only root can forward privileged ports. + Dynamic port forwardings can also be specified in the + configuration file. + + IPv6 addresses can be specified by enclosing the address in + square brackets. Only the superuser can forward privileged + ports. By default, the local port is bound in accordance with + the GatewayPorts setting. However, an explicit bind_address may + be used to bind the connection to a specific address. The + bind_address of ``localhost'' indicates that the listening port + be bound for local use only, while an empty address or `*' + indicates that the port should be available from all interfaces. + + -E log_file + Append debug logs to log_file instead of standard error. + + -e escape_char + Sets the escape character for sessions with a pty (default: `~'). + The escape character is only recognized at the beginning of a + line. The escape character followed by a dot (`.') closes the + connection; followed by control-Z suspends the connection; and + followed by itself sends the escape character once. Setting the + character to ``none'' disables any escapes and makes the session + fully transparent. + + -F configfile + Specifies an alternative per-user configuration file. If a + configuration file is given on the command line, the system-wide + configuration file (/etc/ssh/ssh_config) will be ignored. The + default for the per-user configuration file is ~/.ssh/config. + + -f Requests ssh to go to background just before command execution. + This is useful if ssh is going to ask for passwords or + passphrases, but the user wants it in the background. This + implies -n. The recommended way to start X11 programs at a + remote site is with something like ssh -f host xterm. + + If the ExitOnForwardFailure configuration option is set to + ``yes'', then a client started with -f will wait for all remote + port forwards to be successfully established before placing + itself in the background. + + -g Allows remote hosts to connect to local forwarded ports. + + -I pkcs11 + Specify the PKCS#11 shared library ssh should use to communicate + with a PKCS#11 token providing the user's private RSA key. + + -i identity_file + Selects a file from which the identity (private key) for public + key authentication is read. The default is ~/.ssh/identity for + protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, + ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. + Identity files may also be specified on a per-host basis in the + configuration file. It is possible to have multiple -i options + (and multiple identities specified in configuration files). ssh + will also try to load certificate information from the filename + obtained by appending -cert.pub to identity filenames. + + -K Enables GSSAPI-based authentication and forwarding (delegation) + of GSSAPI credentials to the server. + + -k Disables forwarding (delegation) of GSSAPI credentials to the + server. + + -L [bind_address:]port:host:hostport + Specifies that the given port on the local (client) host is to be + forwarded to the given host and port on the remote side. This + works by allocating a socket to listen to port on the local side, + optionally bound to the specified bind_address. Whenever a + connection is made to this port, the connection is forwarded over + the secure channel, and a connection is made to host port + hostport from the remote machine. Port forwardings can also be + specified in the configuration file. IPv6 addresses can be + specified by enclosing the address in square brackets. Only the + superuser can forward privileged ports. By default, the local + port is bound in accordance with the GatewayPorts setting. + However, an explicit bind_address may be used to bind the + connection to a specific address. The bind_address of + ``localhost'' indicates that the listening port be bound for + local use only, while an empty address or `*' indicates that the + port should be available from all interfaces. + + -l login_name + Specifies the user to log in as on the remote machine. This also + may be specified on a per-host basis in the configuration file. + + -M Places the ssh client into ``master'' mode for connection + sharing. Multiple -M options places ssh into ``master'' mode + with confirmation required before slave connections are accepted. + Refer to the description of ControlMaster in ssh_config(5) for + details. + + -m mac_spec + Additionally, for protocol version 2 a comma-separated list of + MAC (message authentication code) algorithms can be specified in + order of preference. See the MACs keyword for more information. + + -N Do not execute a remote command. This is useful for just + forwarding ports (protocol version 2 only). + + -n Redirects stdin from /dev/null (actually, prevents reading from + stdin). This must be used when ssh is run in the background. A + common trick is to use this to run X11 programs on a remote + machine. For example, ssh -n shadows.cs.hut.fi emacs & will + start an emacs on shadows.cs.hut.fi, and the X11 connection will + be automatically forwarded over an encrypted channel. The ssh + program will be put in the background. (This does not work if + ssh needs to ask for a password or passphrase; see also the -f + option.) + + -O ctl_cmd + Control an active connection multiplexing master process. When + the -O option is specified, the ctl_cmd argument is interpreted + and passed to the master process. Valid commands are: ``check'' + (check that the master process is running), ``forward'' (request + forwardings without command execution), ``cancel'' (cancel + forwardings), ``exit'' (request the master to exit), and ``stop'' + (request the master to stop accepting further multiplexing + requests). + + -o option + Can be used to give options in the format used in the + configuration file. This is useful for specifying options for + which there is no separate command-line flag. For full details + of the options listed below, and their possible values, see + ssh_config(5). + + AddressFamily + BatchMode + BindAddress + CanonicalDomains + CanonicalizeFallbackLocal + CanonicalizeHostname + CanonicalizeMaxDots + CanonicalizePermittedCNAMEs + ChallengeResponseAuthentication + CheckHostIP + Cipher + Ciphers + ClearAllForwardings + Compression + CompressionLevel + ConnectionAttempts + ConnectTimeout + ControlMaster + ControlPath + ControlPersist + DynamicForward + EscapeChar + ExitOnForwardFailure + ForwardAgent + ForwardX11 + ForwardX11Timeout + ForwardX11Trusted + GatewayPorts + GlobalKnownHostsFile + GSSAPIAuthentication + GSSAPIDelegateCredentials + HashKnownHosts + Host + HostbasedAuthentication + HostKeyAlgorithms + HostKeyAlias + HostName + IdentityFile + IdentitiesOnly + IPQoS + KbdInteractiveAuthentication + KbdInteractiveDevices + KexAlgorithms + LocalCommand + LocalForward + LogLevel + MACs + Match + NoHostAuthenticationForLocalhost + NumberOfPasswordPrompts + PasswordAuthentication + PermitLocalCommand + PKCS11Provider + Port + PreferredAuthentications + Protocol + ProxyCommand + ProxyUseFdpass + PubkeyAuthentication + RekeyLimit + RemoteForward + RequestTTY + RhostsRSAAuthentication + RSAAuthentication + SendEnv + ServerAliveInterval + ServerAliveCountMax + StrictHostKeyChecking + TCPKeepAlive + Tunnel + TunnelDevice + UsePrivilegedPort + User + UserKnownHostsFile + VerifyHostKeyDNS + VisualHostKey + XAuthLocation + + -p port + Port to connect to on the remote host. This can be specified on + a per-host basis in the configuration file. + + -Q cipher | cipher-auth | mac | kex | key + Queries ssh for the algorithms supported for the specified + version 2. The available features are: cipher (supported + symmetric ciphers), cipher-auth (supported symmetric ciphers that + support authenticated encryption), mac (supported message + integrity codes), kex (key exchange algorithms), key (key types). + + -q Quiet mode. Causes most warning and diagnostic messages to be + suppressed. + + -R [bind_address:]port:host:hostport + Specifies that the given port on the remote (server) host is to + be forwarded to the given host and port on the local side. This + works by allocating a socket to listen to port on the remote + side, and whenever a connection is made to this port, the + connection is forwarded over the secure channel, and a connection + is made to host port hostport from the local machine. + + Port forwardings can also be specified in the configuration file. + Privileged ports can be forwarded only when logging in as root on + the remote machine. IPv6 addresses can be specified by enclosing + the address in square brackets. + + By default, the listening socket on the server will be bound to + the loopback interface only. This may be overridden by + specifying a bind_address. An empty bind_address, or the address + `*', indicates that the remote socket should listen on all + interfaces. Specifying a remote bind_address will only succeed + if the server's GatewayPorts option is enabled (see + sshd_config(5)). + + If the port argument is `0', the listen port will be dynamically + allocated on the server and reported to the client at run time. + When used together with -O forward the allocated port will be + printed to the standard output. + + -S ctl_path + Specifies the location of a control socket for connection + sharing, or the string ``none'' to disable connection sharing. + Refer to the description of ControlPath and ControlMaster in + ssh_config(5) for details. + + -s May be used to request invocation of a subsystem on the remote + system. Subsystems are a feature of the SSH2 protocol which + facilitate the use of SSH as a secure transport for other + applications (eg. sftp(1)). The subsystem is specified as the + remote command. + + -T Disable pseudo-tty allocation. + + -t Force pseudo-tty allocation. This can be used to execute + arbitrary screen-based programs on a remote machine, which can be + very useful, e.g. when implementing menu services. Multiple -t + options force tty allocation, even if ssh has no local tty. + + -V Display the version number and exit. + + -v Verbose mode. Causes ssh to print debugging messages about its + progress. This is helpful in debugging connection, + authentication, and configuration problems. Multiple -v options + increase the verbosity. The maximum is 3. + + -W host:port + Requests that standard input and output on the client be + forwarded to host on port over the secure channel. Implies -N, + -T, ExitOnForwardFailure and ClearAllForwardings. Works with + Protocol version 2 only. + + -w local_tun[:remote_tun] + Requests tunnel device forwarding with the specified tun(4) + devices between the client (local_tun) and the server + (remote_tun). + + The devices may be specified by numerical ID or the keyword + ``any'', which uses the next available tunnel device. If + remote_tun is not specified, it defaults to ``any''. See also + the Tunnel and TunnelDevice directives in ssh_config(5). If the + Tunnel directive is unset, it is set to the default tunnel mode, + which is ``point-to-point''. + + -X Enables X11 forwarding. This can also be specified on a per-host + basis in a configuration file. + + X11 forwarding should be enabled with caution. Users with the + ability to bypass file permissions on the remote host (for the + user's X authorization database) can access the local X11 display + through the forwarded connection. An attacker may then be able + to perform activities such as keystroke monitoring. + + For this reason, X11 forwarding is subjected to X11 SECURITY + extension restrictions by default. Please refer to the ssh -Y + option and the ForwardX11Trusted directive in ssh_config(5) for + more information. + + -x Disables X11 forwarding. + + -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not + subjected to the X11 SECURITY extension controls. + + -y Send log information using the syslog(3) system module. By + default this information is sent to stderr. + + ssh may additionally obtain configuration data from a per-user + configuration file and a system-wide configuration file. The file format + and configuration options are described in ssh_config(5). + +AUTHENTICATION + The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to + use protocol 2 only, though this can be changed via the Protocol option + in ssh_config(5) or the -1 and -2 options (see above). Both protocols + support similar authentication methods, but protocol 2 is the default + since it provides additional mechanisms for confidentiality (the traffic + is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and + integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, umac-64, + umac-128, hmac-ripemd160). Protocol 1 lacks a strong mechanism for + ensuring the integrity of the connection. + + The methods available for authentication are: GSSAPI-based + authentication, host-based authentication, public key authentication, + challenge-response authentication, and password authentication. + Authentication methods are tried in the order specified above, though + protocol 2 has a configuration option to change the default order: + PreferredAuthentications. + + Host-based authentication works as follows: If the machine the user logs + in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote + machine, and the user names are the same on both sides, or if the files + ~/.rhosts or ~/.shosts exist in the user's home directory on the remote + machine and contain a line containing the name of the client machine and + the name of the user on that machine, the user is considered for login. + Additionally, the server must be able to verify the client's host key + (see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts, + below) for login to be permitted. This authentication method closes + security holes due to IP spoofing, DNS spoofing, and routing spoofing. + [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the + rlogin/rsh protocol in general, are inherently insecure and should be + disabled if security is desired.] + + Public key authentication works as follows: The scheme is based on + public-key cryptography, using cryptosystems where encryption and + decryption are done using separate keys, and it is unfeasible to derive + the decryption key from the encryption key. The idea is that each user + creates a public/private key pair for authentication purposes. The + server knows the public key, and only the user knows the private key. + ssh implements public key authentication protocol automatically, using + one of the DSA, ECDSA, ED25519 or RSA algorithms. Protocol 1 is + restricted to using only RSA keys, but protocol 2 may use any. The + HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA + algorithms. + + The file ~/.ssh/authorized_keys lists the public keys that are permitted + for logging in. When the user logs in, the ssh program tells the server + which key pair it would like to use for authentication. The client + proves that it has access to the private key and the server checks that + the corresponding public key is authorized to accept the account. + + The user creates his/her key pair by running ssh-keygen(1). This stores + the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol + 2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2 + ED25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in + ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), + ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2 + ED25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home + directory. The user should then copy the public key to + ~/.ssh/authorized_keys in his/her home directory on the remote machine. + The authorized_keys file corresponds to the conventional ~/.rhosts file, + and has one key per line, though the lines can be very long. After this, + the user can log in without giving the password. + + A variation on public key authentication is available in the form of + certificate authentication: instead of a set of public/private keys, + signed certificates are used. This has the advantage that a single + trusted certification authority can be used in place of many + public/private keys. See the CERTIFICATES section of ssh-keygen(1) for + more information. + + The most convenient way to use public key or certificate authentication + may be with an authentication agent. See ssh-agent(1) for more + information. + + Challenge-response authentication works as follows: The server sends an + arbitrary "challenge" text, and prompts for a response. Protocol 2 + allows multiple challenges and responses; protocol 1 is restricted to + just one challenge/response. Examples of challenge-response + authentication include BSD Authentication (see login.conf(5)) and PAM + (some non-OpenBSD systems). + + Finally, if other authentication methods fail, ssh prompts the user for a + password. The password is sent to the remote host for checking; however, + since all communications are encrypted, the password cannot be seen by + someone listening on the network. + + ssh automatically maintains and checks a database containing + identification for all hosts it has ever been used with. Host keys are + stored in ~/.ssh/known_hosts in the user's home directory. Additionally, + the file /etc/ssh/ssh_known_hosts is automatically checked for known + hosts. Any new hosts are automatically added to the user's file. If a + host's identification ever changes, ssh warns about this and disables + password authentication to prevent server spoofing or man-in-the-middle + attacks, which could otherwise be used to circumvent the encryption. The + StrictHostKeyChecking option can be used to control logins to machines + whose host key is not known or has changed. + + When the user's identity has been accepted by the server, the server + either executes the given command, or logs into the machine and gives the + user a normal shell on the remote machine. All communication with the + remote command or shell will be automatically encrypted. + + If a pseudo-terminal has been allocated (normal login session), the user + may use the escape characters noted below. + + If no pseudo-tty has been allocated, the session is transparent and can + be used to reliably transfer binary data. On most systems, setting the + escape character to ``none'' will also make the session transparent even + if a tty is used. + + The session terminates when the command or shell on the remote machine + exits and all X11 and TCP connections have been closed. + +ESCAPE CHARACTERS + When a pseudo-terminal has been requested, ssh supports a number of + functions through the use of an escape character. + + A single tilde character can be sent as ~~ or by following the tilde by a + character other than those described below. The escape character must + always follow a newline to be interpreted as special. The escape + character can be changed in configuration files using the EscapeChar + configuration directive or on the command line by the -e option. + + The supported escapes (assuming the default `~') are: + + ~. Disconnect. + + ~^Z Background ssh. + + ~# List forwarded connections. + + ~& Background ssh at logout when waiting for forwarded connection / + X11 sessions to terminate. + + ~? Display a list of escape characters. + + ~B Send a BREAK to the remote system (only useful for SSH protocol + version 2 and if the peer supports it). + + ~C Open command line. Currently this allows the addition of port + forwardings using the -L, -R and -D options (see above). It also + allows the cancellation of existing port-forwardings with + -KL[bind_address:]port for local, -KR[bind_address:]port for + remote and -KD[bind_address:]port for dynamic port-forwardings. + !command allows the user to execute a local command if the + PermitLocalCommand option is enabled in ssh_config(5). Basic + help is available, using the -h option. + + ~R Request rekeying of the connection (only useful for SSH protocol + version 2 and if the peer supports it). + + ~V Decrease the verbosity (LogLevel) when errors are being written + to stderr. + + ~v Increase the verbosity (LogLevel) when errors are being written + to stderr. + +TCP FORWARDING + Forwarding of arbitrary TCP connections over the secure channel can be + specified either on the command line or in a configuration file. One + possible application of TCP forwarding is a secure connection to a mail + server; another is going through firewalls. + + In the example below, we look at encrypting communication between an IRC + client and server, even though the IRC server does not directly support + encrypted communications. This works as follows: the user connects to + the remote host using ssh, specifying a port to be used to forward + connections to the remote server. After that it is possible to start the + service which is to be encrypted on the client machine, connecting to the + same local port, and ssh will encrypt and forward the connection. + + The following example tunnels an IRC session from client machine + ``127.0.0.1'' (localhost) to remote server ``server.example.com'': + + $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10 + $ irc -c '#users' -p 1234 pinky 127.0.0.1 + + This tunnels a connection to IRC server ``server.example.com'', joining + channel ``#users'', nickname ``pinky'', using port 1234. It doesn't + matter which port is used, as long as it's greater than 1023 (remember, + only root can open sockets on privileged ports) and doesn't conflict with + any ports already in use. The connection is forwarded to port 6667 on + the remote server, since that's the standard port for IRC services. + + The -f option backgrounds ssh and the remote command ``sleep 10'' is + specified to allow an amount of time (10 seconds, in the example) to + start the service which is to be tunnelled. If no connections are made + within the time specified, ssh will exit. + +X11 FORWARDING + If the ForwardX11 variable is set to ``yes'' (or see the description of + the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY + environment variable is set), the connection to the X11 display is + automatically forwarded to the remote side in such a way that any X11 + programs started from the shell (or command) will go through the + encrypted channel, and the connection to the real X server will be made + from the local machine. The user should not manually set DISPLAY. + Forwarding of X11 connections can be configured on the command line or in + configuration files. + + The DISPLAY value set by ssh will point to the server machine, but with a + display number greater than zero. This is normal, and happens because + ssh creates a ``proxy'' X server on the server machine for forwarding the + connections over the encrypted channel. + + ssh will also automatically set up Xauthority data on the server machine. + For this purpose, it will generate a random authorization cookie, store + it in Xauthority on the server, and verify that any forwarded connections + carry this cookie and replace it by the real cookie when the connection + is opened. The real authentication cookie is never sent to the server + machine (and no cookies are sent in the plain). + + If the ForwardAgent variable is set to ``yes'' (or see the description of + the -A and -a options above) and the user is using an authentication + agent, the connection to the agent is automatically forwarded to the + remote side. + +VERIFYING HOST KEYS + When connecting to a server for the first time, a fingerprint of the + server's public key is presented to the user (unless the option + StrictHostKeyChecking has been disabled). Fingerprints can be determined + using ssh-keygen(1): + + $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key + + If the fingerprint is already known, it can be matched and the key can be + accepted or rejected. Because of the difficulty of comparing host keys + just by looking at hex strings, there is also support to compare host + keys visually, using random art. By setting the VisualHostKey option to + ``yes'', a small ASCII graphic gets displayed on every login to a server, + no matter if the session itself is interactive or not. By learning the + pattern a known server produces, a user can easily find out that the host + key has changed when a completely different pattern is displayed. + Because these patterns are not unambiguous however, a pattern that looks + similar to the pattern remembered only gives a good probability that the + host key is the same, not guaranteed proof. + + To get a listing of the fingerprints along with their random art for all + known hosts, the following command line can be used: + + $ ssh-keygen -lv -f ~/.ssh/known_hosts + + If the fingerprint is unknown, an alternative method of verification is + available: SSH fingerprints verified by DNS. An additional resource + record (RR), SSHFP, is added to a zonefile and the connecting client is + able to match the fingerprint with that of the key presented. + + In this example, we are connecting a client to a server, + ``host.example.com''. The SSHFP resource records should first be added + to the zonefile for host.example.com: + + $ ssh-keygen -r host.example.com. + + The output lines will have to be added to the zonefile. To check that + the zone is answering fingerprint queries: + + $ dig -t SSHFP host.example.com + + Finally the client connects: + + $ ssh -o "VerifyHostKeyDNS ask" host.example.com + [...] + Matching host key fingerprint found in DNS. + Are you sure you want to continue connecting (yes/no)? + + See the VerifyHostKeyDNS option in ssh_config(5) for more information. + +SSH-BASED VIRTUAL PRIVATE NETWORKS + ssh contains support for Virtual Private Network (VPN) tunnelling using + the tun(4) network pseudo-device, allowing two networks to be joined + securely. The sshd_config(5) configuration option PermitTunnel controls + whether the server supports this, and at what level (layer 2 or 3 + traffic). + + The following example would connect client network 10.0.50.0/24 with + remote network 10.0.99.0/24 using a point-to-point connection from + 10.1.1.1 to 10.1.1.2, provided that the SSH server running on the gateway + to the remote network, at 192.168.1.15, allows it. + + On the client: + + # ssh -f -w 0:1 192.168.1.15 true + # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252 + # route add 10.0.99.0/24 10.1.1.2 + + On the server: + + # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252 + # route add 10.0.50.0/24 10.1.1.1 + + Client access may be more finely tuned via the /root/.ssh/authorized_keys + file (see below) and the PermitRootLogin server option. The following + entry would permit connections on tun(4) device 1 from user ``jane'' and + on tun device 2 from user ``john'', if PermitRootLogin is set to + ``forced-commands-only'': + + tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane + tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john + + Since an SSH-based setup entails a fair amount of overhead, it may be + more suited to temporary setups, such as for wireless VPNs. More + permanent VPNs are better provided by tools such as ipsecctl(8) and + isakmpd(8). + +ENVIRONMENT + ssh will normally set the following environment variables: + + DISPLAY The DISPLAY variable indicates the location of the + X11 server. It is automatically set by ssh to + point to a value of the form ``hostname:n'', where + ``hostname'' indicates the host where the shell + runs, and `n' is an integer >= 1. ssh uses this + special value to forward X11 connections over the + secure channel. The user should normally not set + DISPLAY explicitly, as that will render the X11 + connection insecure (and will require the user to + manually copy any required authorization cookies). + + HOME Set to the path of the user's home directory. + + LOGNAME Synonym for USER; set for compatibility with + systems that use this variable. + + MAIL Set to the path of the user's mailbox. + + PATH Set to the default PATH, as specified when + compiling ssh. + + SSH_ASKPASS If ssh needs a passphrase, it will read the + passphrase from the current terminal if it was run + from a terminal. If ssh does not have a terminal + associated with it but DISPLAY and SSH_ASKPASS are + set, it will execute the program specified by + SSH_ASKPASS and open an X11 window to read the + passphrase. This is particularly useful when + calling ssh from a .xsession or related script. + (Note that on some machines it may be necessary to + redirect the input from /dev/null to make this + work.) + + SSH_AUTH_SOCK Identifies the path of a UNIX-domain socket used to + communicate with the agent. + + SSH_CONNECTION Identifies the client and server ends of the + connection. The variable contains four space- + separated values: client IP address, client port + number, server IP address, and server port number. + + SSH_ORIGINAL_COMMAND This variable contains the original command line if + a forced command is executed. It can be used to + extract the original arguments. + + SSH_TTY This is set to the name of the tty (path to the + device) associated with the current shell or + command. If the current session has no tty, this + variable is not set. + + TZ This variable is set to indicate the present time + zone if it was set when the daemon was started + (i.e. the daemon passes the value on to new + connections). + + USER Set to the name of the user logging in. + + Additionally, ssh reads ~/.ssh/environment, and adds lines of the format + ``VARNAME=value'' to the environment if the file exists and users are + allowed to change their environment. For more information, see the + PermitUserEnvironment option in sshd_config(5). + +FILES + ~/.rhosts + This file is used for host-based authentication (see above). On + some machines this file may need to be world-readable if the + user's home directory is on an NFS partition, because sshd(8) + reads it as root. Additionally, this file must be owned by the + user, and must not have write permissions for anyone else. The + recommended permission for most machines is read/write for the + user, and not accessible by others. + + ~/.shosts + This file is used in exactly the same way as .rhosts, but allows + host-based authentication without permitting login with + rlogin/rsh. + + ~/.ssh/ + This directory is the default location for all user-specific + configuration and authentication information. There is no + general requirement to keep the entire contents of this directory + secret, but the recommended permissions are read/write/execute + for the user, and not accessible by others. + + ~/.ssh/authorized_keys + Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used + for logging in as this user. The format of this file is + described in the sshd(8) manual page. This file is not highly + sensitive, but the recommended permissions are read/write for the + user, and not accessible by others. + + ~/.ssh/config + This is the per-user configuration file. The file format and + configuration options are described in ssh_config(5). Because of + the potential for abuse, this file must have strict permissions: + read/write for the user, and not writable by others. + + ~/.ssh/environment + Contains additional definitions for environment variables; see + ENVIRONMENT, above. + + ~/.ssh/identity + ~/.ssh/id_dsa + ~/.ssh/id_ecdsa + ~/.ssh/id_ed25519 + ~/.ssh/id_rsa + Contains the private key for authentication. These files contain + sensitive data and should be readable by the user but not + accessible by others (read/write/execute). ssh will simply + ignore a private key file if it is accessible by others. It is + possible to specify a passphrase when generating the key which + will be used to encrypt the sensitive part of this file using + 3DES. + + ~/.ssh/identity.pub + ~/.ssh/id_dsa.pub + ~/.ssh/id_ecdsa.pub + ~/.ssh/id_ed25519.pub + ~/.ssh/id_rsa.pub + Contains the public key for authentication. These files are not + sensitive and can (but need not) be readable by anyone. + + ~/.ssh/known_hosts + Contains a list of host keys for all hosts the user has logged + into that are not already in the systemwide list of known host + keys. See sshd(8) for further details of the format of this + file. + + ~/.ssh/rc + Commands in this file are executed by ssh when the user logs in, + just before the user's shell (or command) is started. See the + sshd(8) manual page for more information. + + /etc/hosts.equiv + This file is for host-based authentication (see above). It + should only be writable by root. + + /etc/shosts.equiv + This file is used in exactly the same way as hosts.equiv, but + allows host-based authentication without permitting login with + rlogin/rsh. + + /etc/ssh/ssh_config + Systemwide configuration file. The file format and configuration + options are described in ssh_config(5). + + /etc/ssh/ssh_host_key + /etc/ssh/ssh_host_dsa_key + /etc/ssh/ssh_host_ecdsa_key + /etc/ssh/ssh_host_ed25519_key + /etc/ssh/ssh_host_rsa_key + These files contain the private parts of the host keys and are + used for host-based authentication. If protocol version 1 is + used, ssh must be setuid root, since the host key is readable + only by root. For protocol version 2, ssh uses ssh-keysign(8) to + access the host keys, eliminating the requirement that ssh be + setuid root when host-based authentication is used. By default + ssh is not setuid root. + + /etc/ssh/ssh_known_hosts + Systemwide list of known host keys. This file should be prepared + by the system administrator to contain the public host keys of + all machines in the organization. It should be world-readable. + See sshd(8) for further details of the format of this file. + + /etc/ssh/sshrc + Commands in this file are executed by ssh when the user logs in, + just before the user's shell (or command) is started. See the + sshd(8) manual page for more information. + +EXIT STATUS + ssh exits with the exit status of the remote command or with 255 if an + error occurred. + +SEE ALSO + scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1), + tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8) + +STANDARDS + S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned + Numbers, RFC 4250, January 2006. + + T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture, + RFC 4251, January 2006. + + T. Ylonen and C. Lonvick, The Secure Shell (SSH) Authentication Protocol, + RFC 4252, January 2006. + + T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer + Protocol, RFC 4253, January 2006. + + T. Ylonen and C. Lonvick, The Secure Shell (SSH) Connection Protocol, RFC + 4254, January 2006. + + J. Schlyter and W. Griffin, Using DNS to Securely Publish Secure Shell + (SSH) Key Fingerprints, RFC 4255, January 2006. + + F. Cusack and M. Forssen, Generic Message Exchange Authentication for the + Secure Shell Protocol (SSH), RFC 4256, January 2006. + + J. Galbraith and P. Remaker, The Secure Shell (SSH) Session Channel Break + Extension, RFC 4335, January 2006. + + M. Bellare, T. Kohno, and C. Namprempre, The Secure Shell (SSH) Transport + Layer Encryption Modes, RFC 4344, January 2006. + + B. Harris, Improved Arcfour Modes for the Secure Shell (SSH) Transport + Layer Protocol, RFC 4345, January 2006. + + M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for + the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. + + J. Galbraith and R. Thayer, The Secure Shell (SSH) Public Key File + Format, RFC 4716, November 2006. + + D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the + Secure Shell Transport Layer, RFC 5656, December 2009. + + A. Perrig and D. Song, Hash Visualization: a New Technique to improve + Real-World Security, 1999, International Workshop on Cryptographic + Techniques and E-Commerce (CrypTEC '99). + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +OpenBSD 5.5 December 7, 2013 OpenBSD 5.5 diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1 index a86b587bd..48aa748ea 100644 --- a/crypto/openssh/ssh.1 +++ b/crypto/openssh/ssh.1 @@ -33,9 +33,9 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.343 2013/12/07 11:58:46 naddy Exp $ .\" $FreeBSD$ -.Dd October 4, 2012 +.Dd December 7, 2013 .Dt SSH 1 .Os .Sh NAME @@ -48,6 +48,7 @@ .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec .Op Fl D Oo Ar bind_address : Oc Ns Ar port +.Op Fl E Ar log_file .Op Fl e Ar escape_char .Op Fl F Ar configfile .Op Fl I Ar pkcs11 @@ -58,6 +59,7 @@ .Op Fl O Ar ctl_cmd .Op Fl o Ar option .Op Fl p Ar port +.Op Fl Q Cm cipher | cipher-auth | mac | kex | key .Op Fl R Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport .Op Fl S Ar ctl_path .Op Fl W Ar host : Ns Ar port @@ -218,6 +220,10 @@ indicates that the listening port be bound for local use only, while an empty address or .Sq * indicates that the port should be available from all interfaces. +.It Fl E Ar log_file +Append debug logs to +.Ar log_file +instead of standard error. .It Fl e Ar escape_char Sets the escape character for sessions with a pty (default: .Ql ~ ) . @@ -274,7 +280,8 @@ The default is .Pa ~/.ssh/identity for protocol version 1, and .Pa ~/.ssh/id_dsa , -.Pa ~/.ssh/id_ecdsa +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/id_rsa for protocol version 2. @@ -411,6 +418,11 @@ For full details of the options listed below, and their possible values, see .It AddressFamily .It BatchMode .It BindAddress +.It CanonicalDomains +.It CanonicalizeFallbackLocal +.It CanonicalizeHostname +.It CanonicalizeMaxDots +.It CanonicalizePermittedCNAMEs .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher @@ -450,6 +462,7 @@ For full details of the options listed below, and their possible values, see .It LocalForward .It LogLevel .It MACs +.It Match .It NoHostAuthenticationForLocalhost .It NumberOfPasswordPrompts .It PasswordAuthentication @@ -459,6 +472,7 @@ For full details of the options listed below, and their possible values, see .It PreferredAuthentications .It Protocol .It ProxyCommand +.It ProxyUseFdpass .It PubkeyAuthentication .It RekeyLimit .It RemoteForward @@ -484,6 +498,21 @@ For full details of the options listed below, and their possible values, see Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. +.It Fl Q Cm cipher | cipher-auth | mac | kex | key +Queries +.Nm +for the algorithms supported for the specified version 2. +The available features are: +.Ar cipher +(supported symmetric ciphers), +.Ar cipher-auth +(supported symmetric ciphers that support authenticated encryption), +.Ar mac +(supported message integrity codes), +.Ar kex +(key exchange algorithms), +.Ar key +(key types). .It Fl q Quiet mode. Causes most warning and diagnostic messages to be suppressed. @@ -731,12 +760,10 @@ key pair for authentication purposes. The server knows the public key, and only the user knows the private key. .Nm implements public key authentication protocol automatically, -using one of the DSA, ECDSA or RSA algorithms. +using one of the DSA, ECDSA, ED25519 or RSA algorithms. Protocol 1 is restricted to using only RSA keys, but protocol 2 may use any. -The -.Sx HISTORY -section of +The HISTORY section of .Xr ssl 8 contains a brief discussion of the DSA and RSA algorithms. .Pp @@ -760,6 +787,8 @@ This stores the private key in (protocol 2 DSA), .Pa ~/.ssh/id_ecdsa (protocol 2 ECDSA), +.Pa ~/.ssh/id_ed25519 +(protocol 2 ED25519), or .Pa ~/.ssh/id_rsa (protocol 2 RSA) @@ -770,6 +799,8 @@ and stores the public key in (protocol 2 DSA), .Pa ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), +.Pa ~/.ssh/id_ed25519.pub +(protocol 2 ED25519), or .Pa ~/.ssh/id_rsa.pub (protocol 2 RSA) @@ -792,9 +823,7 @@ instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys. -See the -.Sx CERTIFICATES -section of +See the CERTIFICATES section of .Xr ssh-keygen 1 for more information. .Pp @@ -811,9 +840,12 @@ text, and prompts for a response. Protocol 2 allows multiple challenges and responses; protocol 1 is restricted to just one challenge/response. Examples of challenge-response authentication include -BSD Authentication (see +.Bx +Authentication (see .Xr login.conf 5 ) -and PAM (some non-OpenBSD systems). +and PAM (some +.Pf non- Ox +systems). .Pp Finally, if other authentication methods fail, .Nm @@ -1308,8 +1340,8 @@ secret, but the recommended permissions are read/write/execute for the user, and not accessible by others. .Pp .It Pa ~/.ssh/authorized_keys -Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in as -this user. +Lists the public keys (DSA, ECDSA, ED25519, RSA) +that can be used for logging in as this user. The format of this file is described in the .Xr sshd 8 manual page. @@ -1321,7 +1353,7 @@ This is the per-user configuration file. The file format and configuration options are described in .Xr ssh_config 5 . Because of the potential for abuse, this file must have strict permissions: -read/write for the user, and not accessible by others. +read/write for the user, and not writable by others. .Pp .It Pa ~/.ssh/environment Contains additional definitions for environment variables; see @@ -1331,6 +1363,7 @@ above. .It Pa ~/.ssh/identity .It Pa ~/.ssh/id_dsa .It Pa ~/.ssh/id_ecdsa +.It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_rsa Contains the private key for authentication. These files @@ -1345,6 +1378,7 @@ sensitive part of this file using 3DES. .It Pa ~/.ssh/identity.pub .It Pa ~/.ssh/id_dsa.pub .It Pa ~/.ssh/id_ecdsa.pub +.It Pa ~/.ssh/id_ed25519.pub .It Pa ~/.ssh/id_rsa.pub Contains the public key for authentication. These files are not @@ -1384,6 +1418,7 @@ The file format and configuration options are described in .It Pa /etc/ssh/ssh_host_key .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key +.It Pa /etc/ssh/ssh_host_ed25519_key .It Pa /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys and are used for host-based authentication. diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c index 2e704a9f7..91f19de16 100644 --- a/crypto/openssh/ssh.c +++ b/crypto/openssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.373 2013/02/22 22:09:01 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.401 2014/02/26 20:18:37 djm Exp $ */ /* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -199,13 +199,13 @@ usage(void) { fprintf(stderr, "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n" -" [-I pkcs11] [-i identity_file]\n" -" [-L [bind_address:]port:host:hostport]\n" -" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" -" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" -" [-W host:port] [-w local_tun[:remote_tun]]\n" -" [user@]hostname [command]\n" +" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" +" [-F configfile] [-I pkcs11] [-i identity_file]\n" +" [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n" +" [-O ctl_cmd] [-o option] [-p port]\n" +" [-Q cipher | cipher-auth | mac | kex | key]\n" +" [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]\n" +" [-w local_tun[:remote_tun]] [user@]hostname [command]\n" ); exit(255); } @@ -228,11 +228,185 @@ tilde_expand_paths(char **paths, u_int num_paths) for (i = 0; i < num_paths; i++) { cp = tilde_expand_filename(paths[i], original_real_uid); - xfree(paths[i]); + free(paths[i]); paths[i] = cp; } } +/* + * Attempt to resolve a host name / port to a set of addresses and + * optionally return any CNAMEs encountered along the way. + * Returns NULL on failure. + * NB. this function must operate with a options having undefined members. + */ +static struct addrinfo * +resolve_host(const char *name, int port, int logerr, char *cname, size_t clen) +{ + char strport[NI_MAXSERV]; + struct addrinfo hints, *res; + int gaierr, loglevel = SYSLOG_LEVEL_DEBUG1; + + if (port <= 0) + port = default_ssh_port(); + + snprintf(strport, sizeof strport, "%u", port); + memset(&hints, 0, sizeof(hints)); + hints.ai_family = options.address_family == -1 ? + AF_UNSPEC : options.address_family; + hints.ai_socktype = SOCK_STREAM; + if (cname != NULL) + hints.ai_flags = AI_CANONNAME; + if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) { + if (logerr || (gaierr != EAI_NONAME && gaierr != EAI_NODATA)) + loglevel = SYSLOG_LEVEL_ERROR; + do_log2(loglevel, "%s: Could not resolve hostname %.100s: %s", + __progname, name, ssh_gai_strerror(gaierr)); + return NULL; + } + if (cname != NULL && res->ai_canonname != NULL) { + if (strlcpy(cname, res->ai_canonname, clen) >= clen) { + error("%s: host \"%s\" cname \"%s\" too long (max %lu)", + __func__, name, res->ai_canonname, (u_long)clen); + if (clen > 0) + *cname = '\0'; + } + } + return res; +} + +/* + * Check whether the cname is a permitted replacement for the hostname + * and perform the replacement if it is. + * NB. this function must operate with a options having undefined members. + */ +static int +check_follow_cname(char **namep, const char *cname) +{ + int i; + struct allowed_cname *rule; + + if (*cname == '\0' || options.num_permitted_cnames == 0 || + strcmp(*namep, cname) == 0) + return 0; + if (options.canonicalize_hostname == SSH_CANONICALISE_NO) + return 0; + /* + * Don't attempt to canonicalize names that will be interpreted by + * a proxy unless the user specifically requests so. + */ + if (!option_clear_or_none(options.proxy_command) && + options.canonicalize_hostname != SSH_CANONICALISE_ALWAYS) + return 0; + debug3("%s: check \"%s\" CNAME \"%s\"", __func__, *namep, cname); + for (i = 0; i < options.num_permitted_cnames; i++) { + rule = options.permitted_cnames + i; + if (match_pattern_list(*namep, rule->source_list, + strlen(rule->source_list), 1) != 1 || + match_pattern_list(cname, rule->target_list, + strlen(rule->target_list), 1) != 1) + continue; + verbose("Canonicalized DNS aliased hostname " + "\"%s\" => \"%s\"", *namep, cname); + free(*namep); + *namep = xstrdup(cname); + return 1; + } + return 0; +} + +/* + * Attempt to resolve the supplied hostname after applying the user's + * canonicalization rules. Returns the address list for the host or NULL + * if no name was found after canonicalization. + * NB. this function must operate with a options having undefined members. + */ +static struct addrinfo * +resolve_canonicalize(char **hostp, int port) +{ + int i, ndots; + char *cp, *fullhost, cname_target[NI_MAXHOST]; + struct addrinfo *addrs; + + if (options.canonicalize_hostname == SSH_CANONICALISE_NO) + return NULL; + + /* + * Don't attempt to canonicalize names that will be interpreted by + * a proxy unless the user specifically requests so. + */ + if (!option_clear_or_none(options.proxy_command) && + options.canonicalize_hostname != SSH_CANONICALISE_ALWAYS) + return NULL; + + /* Don't apply canonicalization to sufficiently-qualified hostnames */ + ndots = 0; + for (cp = *hostp; *cp != '\0'; cp++) { + if (*cp == '.') + ndots++; + } + if (ndots > options.canonicalize_max_dots) { + debug3("%s: not canonicalizing hostname \"%s\" (max dots %d)", + __func__, *hostp, options.canonicalize_max_dots); + return NULL; + } + /* Attempt each supplied suffix */ + for (i = 0; i < options.num_canonical_domains; i++) { + *cname_target = '\0'; + xasprintf(&fullhost, "%s.%s.", *hostp, + options.canonical_domains[i]); + debug3("%s: attempting \"%s\" => \"%s\"", __func__, + *hostp, fullhost); + if ((addrs = resolve_host(fullhost, port, 0, + cname_target, sizeof(cname_target))) == NULL) { + free(fullhost); + continue; + } + /* Remove trailing '.' */ + fullhost[strlen(fullhost) - 1] = '\0'; + /* Follow CNAME if requested */ + if (!check_follow_cname(&fullhost, cname_target)) { + debug("Canonicalized hostname \"%s\" => \"%s\"", + *hostp, fullhost); + } + free(*hostp); + *hostp = fullhost; + return addrs; + } + if (!options.canonicalize_fallback_local) + fatal("%s: Could not resolve host \"%s\"", __progname, *hostp); + debug2("%s: host %s not found in any suffix", __func__, *hostp); + return NULL; +} + +/* + * Read per-user configuration file. Ignore the system wide config + * file if the user specifies a config file on the command line. + */ +static void +process_config_files(struct passwd *pw) +{ + char buf[MAXPATHLEN]; + int r; + + if (config != NULL) { + if (strcasecmp(config, "none") != 0 && + !read_config_file(config, pw, host, &options, + SSHCONF_USERCONF)) + fatal("Can't open user config file %.100s: " + "%.100s", config, strerror(errno)); + } else { + r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, + _PATH_SSH_USER_CONFFILE); + if (r > 0 && (size_t)r < sizeof(buf)) + (void)read_config_file(buf, pw, host, &options, + SSHCONF_CHECKPERM|SSHCONF_USERCONF); + + /* Read systemwide configuration file after user config. */ + (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, host, + &options, 0); + } +} + /* * Main program for the ssh client. */ @@ -240,16 +414,16 @@ int main(int ac, char **av) { int i, r, opt, exit_status, use_syslog; - char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg; + char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile; char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; + char cname[NI_MAXHOST]; struct stat st; struct passwd *pw; - int dummy, timeout_ms; + int timeout_ms; extern int optind, optreset; extern char *optarg; - - struct servent *sp; Forward fwd; + struct addrinfo *addrs = NULL; /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); @@ -301,7 +475,7 @@ main(int ac, char **av) /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { - logit("You don't exist, go away!"); + logit("No user exists for uid %lu", (u_long)original_real_uid); exit(255); } /* Take a copy of the returned structure. */ @@ -324,11 +498,12 @@ main(int ac, char **av) /* Parse command-line arguments. */ host = NULL; use_syslog = 0; + logfile = NULL; argv0 = av[0]; again: while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" - "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { + "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -358,6 +533,9 @@ main(int ac, char **av) case 'y': use_syslog = 1; break; + case 'E': + logfile = xstrdup(optarg); + break; case 'Y': options.forward_x11 = 1; options.forward_x11_trusted = 1; @@ -387,6 +565,28 @@ main(int ac, char **av) case 'P': /* deprecated */ options.use_privileged_port = 0; break; + case 'Q': + cp = NULL; + if (strcmp(optarg, "cipher") == 0) + cp = cipher_alg_list('\n', 0); + else if (strcmp(optarg, "cipher-auth") == 0) + cp = cipher_alg_list('\n', 1); + else if (strcmp(optarg, "mac") == 0) + cp = mac_alg_list('\n'); + else if (strcmp(optarg, "kex") == 0) + cp = kex_alg_list('\n'); + else if (strcmp(optarg, "key") == 0) + cp = key_alg_list(0, 0); + else if (strcmp(optarg, "key-cert") == 0) + cp = key_alg_list(1, 0); + else if (strcmp(optarg, "key-plain") == 0) + cp = key_alg_list(0, 1); + if (cp == NULL) + fatal("Unsupported query \"%s\"", optarg); + printf("%s\n", cp); + free(cp); + exit(0); + break; case 'a': options.forward_agent = 0; break; @@ -429,9 +629,8 @@ main(int ac, char **av) } else { if (options.log_level < SYSLOG_LEVEL_DEBUG3) options.log_level++; - break; } - /* FALLTHROUGH */ + break; case 'V': if (options.version_addendum && *options.version_addendum != '\0') @@ -464,7 +663,7 @@ main(int ac, char **av) if (parse_forward(&fwd, optarg, 1, 0)) { stdio_forward_host = fwd.listen_host; stdio_forward_port = fwd.listen_port; - xfree(fwd.connect_host); + free(fwd.connect_host); } else { fprintf(stderr, "Bad stdio forwarding specification '%s'\n", @@ -595,13 +794,12 @@ main(int ac, char **av) #endif break; case 'o': - dummy = 1; line = xstrdup(optarg); - if (process_config_line(&options, host ? host : "", - line, "command-line", 0, &dummy, SSHCONF_USERCONF) + if (process_config_line(&options, pw, host ? host : "", + line, "command-line", 0, NULL, SSHCONF_USERCONF) != 0) exit(255); - xfree(line); + free(line); break; case 's': subsystem_flag = 1; @@ -633,9 +831,9 @@ main(int ac, char **av) usage(); options.user = p; *cp = '\0'; - host = ++cp; + host = xstrdup(++cp); } else - host = *av; + host = xstrdup(*av); if (ac > 1) { optind = optreset = 1; goto again; @@ -647,6 +845,8 @@ main(int ac, char **av) if (!host) usage(); + host_arg = xstrdup(host); + OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); @@ -682,37 +882,91 @@ main(int ac, char **av) /* * Initialize "log" output. Since we are the client all output - * actually goes to stderr. + * goes to stderr unless otherwise specified by -y or -E. */ + if (use_syslog && logfile != NULL) + fatal("Can't specify both -y and -E"); + if (logfile != NULL) { + log_redirect_stderr_to(logfile); + free(logfile); + } log_init(argv0, options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, SYSLOG_FACILITY_USER, !use_syslog); + if (debug_flag) + logit("%s, %s", SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); + + /* Parse the configuration files */ + process_config_files(pw); + + /* Hostname canonicalisation needs a few options filled. */ + fill_default_options_for_canonicalization(&options); + + /* If the user has replaced the hostname then take it into use now */ + if (options.hostname != NULL) { + /* NB. Please keep in sync with readconf.c:match_cfg_line() */ + cp = percent_expand(options.hostname, + "h", host, (char *)NULL); + free(host); + host = cp; + } + + /* If canonicalization requested then try to apply it */ + lowercase(host); + if (options.canonicalize_hostname != SSH_CANONICALISE_NO) + addrs = resolve_canonicalize(&host, options.port); + /* - * Read per-user configuration file. Ignore the system wide config - * file if the user specifies a config file on the command line. + * If CanonicalizePermittedCNAMEs have been specified but + * other canonicalization did not happen (by not being requested + * or by failing with fallback) then the hostname may still be changed + * as a result of CNAME following. + * + * Try to resolve the bare hostname name using the system resolver's + * usual search rules and then apply the CNAME follow rules. + * + * Skip the lookup if a ProxyCommand is being used unless the user + * has specifically requested canonicalisation for this case via + * CanonicalizeHostname=always */ - if (config != NULL) { - if (!read_config_file(config, host, &options, SSHCONF_USERCONF)) - fatal("Can't open user config file %.100s: " - "%.100s", config, strerror(errno)); - } else { - r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, - _PATH_SSH_USER_CONFFILE); - if (r > 0 && (size_t)r < sizeof(buf)) - (void)read_config_file(buf, host, &options, - SSHCONF_CHECKPERM|SSHCONF_USERCONF); + if (addrs == NULL && options.num_permitted_cnames != 0 && + (option_clear_or_none(options.proxy_command) || + options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) { + if ((addrs = resolve_host(host, options.port, 1, + cname, sizeof(cname))) == NULL) + cleanup_exit(255); /* resolve_host logs the error */ + check_follow_cname(&host, cname); + } - /* Read systemwide configuration file after user config. */ - (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, - &options, 0); + /* + * If the target hostname has changed as a result of canonicalisation + * then re-parse the configuration files as new stanzas may match. + */ + if (strcasecmp(host_arg, host) != 0) { + debug("Hostname has changed; re-reading configuration"); + process_config_files(pw); } /* Fill configuration defaults. */ fill_default_options(&options); + if (options.port == 0) + options.port = default_ssh_port(); channel_set_af(options.address_family); + /* Tidy and check options */ + if (options.host_key_alias != NULL) + lowercase(options.host_key_alias); + if (options.proxy_command != NULL && + strcmp(options.proxy_command, "-") == 0 && + options.proxy_use_fdpass) + fatal("ProxyCommand=- and ProxyUseFDPass are incompatible"); +#ifndef HAVE_CYGWIN + if (original_effective_uid != 0) + options.use_privileged_port = 0; +#endif + /* reinit */ log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog); @@ -741,19 +995,6 @@ main(int ac, char **av) if (options.user == NULL) options.user = xstrdup(pw->pw_name); - /* Get default port if port has not been set. */ - if (options.port == 0) { - sp = getservbyname(SSH_SERVICE_NAME, "tcp"); - options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; - } - - /* preserve host name given on command line for %n expansion */ - host_arg = host; - if (options.hostname != NULL) { - host = percent_expand(options.hostname, - "h", host, (char *)NULL); - } - if (gethostname(thishost, sizeof(thishost)) == -1) fatal("gethostname: %s", strerror(errno)); strlcpy(shorthost, thishost, sizeof(shorthost)); @@ -768,72 +1009,48 @@ main(int ac, char **av) "p", portstr, "u", pw->pw_name, "L", shorthost, (char *)NULL); debug3("expanded LocalCommand: %s", options.local_command); - xfree(cp); - } - - /* Find canonic host name. */ - if (strchr(host, '.') == 0) { - struct addrinfo hints; - struct addrinfo *ai = NULL; - int errgai; - memset(&hints, 0, sizeof(hints)); - hints.ai_family = options.address_family; - hints.ai_flags = AI_CANONNAME; - hints.ai_socktype = SOCK_STREAM; - errgai = getaddrinfo(host, NULL, &hints, &ai); - if (errgai == 0) { - if (ai->ai_canonname != NULL) - host = xstrdup(ai->ai_canonname); - freeaddrinfo(ai); - } - } - - /* force lowercase for hostkey matching */ - if (options.host_key_alias != NULL) { - for (p = options.host_key_alias; *p; p++) - if (isupper(*p)) - *p = (char)tolower(*p); - } - - if (options.proxy_command != NULL && - strcmp(options.proxy_command, "none") == 0) { - xfree(options.proxy_command); - options.proxy_command = NULL; - } - if (options.control_path != NULL && - strcmp(options.control_path, "none") == 0) { - xfree(options.control_path); - options.control_path = NULL; + free(cp); } if (options.control_path != NULL) { cp = tilde_expand_filename(options.control_path, original_real_uid); - xfree(options.control_path); + free(options.control_path); options.control_path = percent_expand(cp, "h", host, "l", thishost, "n", host_arg, "r", options.user, "p", portstr, "u", pw->pw_name, "L", shorthost, (char *)NULL); - xfree(cp); + free(cp); } if (muxclient_command != 0 && options.control_path == NULL) fatal("No ControlPath specified for \"-O\" command"); if (options.control_path != NULL) muxclient(options.control_path); + /* + * If hostname canonicalisation was not enabled, then we may not + * have yet resolved the hostname. Do so now. + */ + if (addrs == NULL && options.proxy_command == NULL) { + if ((addrs = resolve_host(host, options.port, 1, + cname, sizeof(cname))) == NULL) + cleanup_exit(255); /* resolve_host logs the error */ + } + timeout_ms = options.connection_timeout * 1000; /* Open a connection to the remote host. */ - if (ssh_connect(host, &hostaddr, options.port, - options.address_family, options.connection_attempts, &timeout_ms, - options.tcp_keep_alive, -#ifdef HAVE_CYGWIN - options.use_privileged_port, -#else - original_effective_uid == 0 && options.use_privileged_port, -#endif - options.proxy_command) != 0) - exit(255); + if (ssh_connect(host, addrs, &hostaddr, options.port, + options.address_family, options.connection_attempts, + &timeout_ms, options.tcp_keep_alive, + options.use_privileged_port) != 0) + exit(255); + + if (addrs != NULL) + freeaddrinfo(addrs); + + packet_set_timeout(options.server_alive_interval, + options.server_alive_count_max); if (timeout_ms > 0) debug3("timeout: %d ms remain after connect", timeout_ms); @@ -851,7 +1068,7 @@ main(int ac, char **av) sensitive_data.external_keysign = 0; if (options.rhosts_rsa_authentication || options.hostbased_authentication) { - sensitive_data.nkeys = 7; + sensitive_data.nkeys = 9; sensitive_data.keys = xcalloc(sensitive_data.nkeys, sizeof(Key)); for (i = 0; i < sensitive_data.nkeys; i++) @@ -868,21 +1085,26 @@ main(int ac, char **av) #endif sensitive_data.keys[3] = key_load_private_cert(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, "", NULL); - sensitive_data.keys[4] = key_load_private_type(KEY_DSA, + sensitive_data.keys[4] = key_load_private_cert(KEY_ED25519, + _PATH_HOST_ED25519_KEY_FILE, "", NULL); + sensitive_data.keys[5] = key_load_private_type(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL); #ifdef OPENSSL_HAS_ECC - sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA, + sensitive_data.keys[6] = key_load_private_type(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL); #endif - sensitive_data.keys[6] = key_load_private_type(KEY_RSA, + sensitive_data.keys[7] = key_load_private_type(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL); + sensitive_data.keys[8] = key_load_private_type(KEY_ED25519, + _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL); PRIV_END; if (options.hostbased_authentication == 1 && sensitive_data.keys[0] == NULL && - sensitive_data.keys[4] == NULL && sensitive_data.keys[5] == NULL && - sensitive_data.keys[6] == NULL) { + sensitive_data.keys[6] == NULL && + sensitive_data.keys[7] == NULL && + sensitive_data.keys[8] == NULL) { sensitive_data.keys[1] = key_load_cert( _PATH_HOST_DSA_KEY_FILE); #ifdef OPENSSL_HAS_ECC @@ -891,14 +1113,18 @@ main(int ac, char **av) #endif sensitive_data.keys[3] = key_load_cert( _PATH_HOST_RSA_KEY_FILE); - sensitive_data.keys[4] = key_load_public( + sensitive_data.keys[4] = key_load_cert( + _PATH_HOST_ED25519_KEY_FILE); + sensitive_data.keys[5] = key_load_public( _PATH_HOST_DSA_KEY_FILE, NULL); #ifdef OPENSSL_HAS_ECC - sensitive_data.keys[5] = key_load_public( + sensitive_data.keys[6] = key_load_public( _PATH_HOST_ECDSA_KEY_FILE, NULL); #endif - sensitive_data.keys[6] = key_load_public( + sensitive_data.keys[7] = key_load_public( _PATH_HOST_RSA_KEY_FILE, NULL); + sensitive_data.keys[8] = key_load_public( + _PATH_HOST_ED25519_KEY_FILE, NULL); sensitive_data.external_keysign = 1; } } @@ -965,13 +1191,11 @@ main(int ac, char **av) sensitive_data.keys[i] = NULL; } } - xfree(sensitive_data.keys); + free(sensitive_data.keys); } for (i = 0; i < options.num_identity_files; i++) { - if (options.identity_files[i]) { - xfree(options.identity_files[i]); - options.identity_files[i] = NULL; - } + free(options.identity_files[i]); + options.identity_files[i] = NULL; if (options.identity_keys[i]) { key_free(options.identity_keys[i]); options.identity_keys[i] = NULL; @@ -1031,6 +1255,7 @@ control_persist_detach(void) if (devnull > STDERR_FILENO) close(devnull); } + daemon(1, 1); setproctitle("%s [mux]", options.control_path); } @@ -1099,7 +1324,7 @@ ssh_init_stdio_forwarding(void) if (stdio_forward_host == NULL) return; - if (!compat20) + if (!compat20) fatal("stdio forwarding require Protocol 2"); debug3("%s: %s:%d", __func__, stdio_forward_host, stdio_forward_port); @@ -1271,7 +1496,7 @@ ssh_session(void) char *proto, *data; /* Get reasonable local authentication information. */ client_x11_get_proto(display, options.xauth_location, - options.forward_x11_trusted, + options.forward_x11_trusted, options.forward_x11_timeout, &proto, &data); /* Request forwarding with authentication spoofing. */ @@ -1530,6 +1755,11 @@ ssh_session2(void) if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) id = ssh_session2_open(); + else { + packet_set_interactive( + options.control_master == SSHCTL_MASTER_NO, + options.ip_qos_interactive, options.ip_qos_bulk); + } /* If we don't expect to open a new session, then disallow it */ if (options.control_master == SSHCTL_MASTER_NO && @@ -1583,8 +1813,8 @@ load_public_identity_files(void) #endif /* PKCS11 */ n_ids = 0; - bzero(identity_files, sizeof(identity_files)); - bzero(identity_keys, sizeof(identity_keys)); + memset(identity_files, 0, sizeof(identity_files)); + memset(identity_keys, 0, sizeof(identity_keys)); #ifdef ENABLE_PKCS11 if (options.pkcs11_provider != NULL && @@ -1602,7 +1832,7 @@ load_public_identity_files(void) xstrdup(options.pkcs11_provider); /* XXX */ n_ids++; } - xfree(keys); + free(keys); } #endif /* ENABLE_PKCS11 */ if ((pw = getpwuid(original_real_uid)) == NULL) @@ -1615,7 +1845,7 @@ load_public_identity_files(void) for (i = 0; i < options.num_identity_files; i++) { if (n_ids >= SSH_MAX_IDENTITY_FILES || strcasecmp(options.identity_files[i], "none") == 0) { - xfree(options.identity_files[i]); + free(options.identity_files[i]); continue; } cp = tilde_expand_filename(options.identity_files[i], @@ -1623,11 +1853,11 @@ load_public_identity_files(void) filename = percent_expand(cp, "d", pwdir, "u", pwname, "l", thishost, "h", host, "r", options.user, (char *)NULL); - xfree(cp); + free(cp); public = key_load_public(filename, NULL); debug("identity file %s type %d", filename, public ? public->type : -1); - xfree(options.identity_files[i]); + free(options.identity_files[i]); identity_files[n_ids] = filename; identity_keys[n_ids] = public; @@ -1640,14 +1870,14 @@ load_public_identity_files(void) debug("identity file %s type %d", cp, public ? public->type : -1); if (public == NULL) { - xfree(cp); + free(cp); continue; } if (!key_is_cert(public)) { debug("%s: key %s type %s is not a certificate", __func__, cp, key_type(public)); key_free(public); - xfree(cp); + free(cp); continue; } identity_keys[n_ids] = public; @@ -1659,10 +1889,10 @@ load_public_identity_files(void) memcpy(options.identity_files, identity_files, sizeof(identity_files)); memcpy(options.identity_keys, identity_keys, sizeof(identity_keys)); - bzero(pwname, strlen(pwname)); - xfree(pwname); - bzero(pwdir, strlen(pwdir)); - xfree(pwdir); + explicit_bzero(pwname, strlen(pwname)); + free(pwname); + explicit_bzero(pwdir, strlen(pwdir)); + free(pwdir); } static void @@ -1679,4 +1909,3 @@ main_sigchld_handler(int sig) signal(sig, main_sigchld_handler); errno = save_errno; } - diff --git a/crypto/openssh/ssh2.h b/crypto/openssh/ssh2.h index 51a963cae..59417e612 100644 --- a/crypto/openssh/ssh2.h +++ b/crypto/openssh/ssh2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh2.h,v 1.14 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: ssh2.h,v 1.15 2014/01/29 06:18:35 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -115,12 +115,6 @@ #define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 #define SSH2_MSG_USERAUTH_INFO_REQUEST 60 #define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 -#define SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1 60 -#define SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1 61 -#define SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2 62 -#define SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2 63 -#define SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM 64 -#define SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM 65 /* connection protocol: generic */ diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config index 2917477ba..de9e2ece3 100644 --- a/crypto/openssh/ssh_config +++ b/crypto/openssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $ +# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ # $FreeBSD$ # This is the ssh client system-wide configuration file. See @@ -46,4 +46,5 @@ # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com -# VersionAddendum FreeBSD-20130515 +# RekeyLimit 1G 1h +# VersionAddendum FreeBSD-20140324 diff --git a/crypto/openssh/ssh_config.0 b/crypto/openssh/ssh_config.0 new file mode 100644 index 000000000..6fbd10d61 --- /dev/null +++ b/crypto/openssh/ssh_config.0 @@ -0,0 +1,889 @@ +SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) + +NAME + ssh_config - OpenSSH SSH client configuration files + +SYNOPSIS + ~/.ssh/config + /etc/ssh/ssh_config + +DESCRIPTION + ssh(1) obtains configuration data from the following sources in the + following order: + + 1. command-line options + 2. user's configuration file (~/.ssh/config) + 3. system-wide configuration file (/etc/ssh/ssh_config) + + For each parameter, the first obtained value will be used. The + configuration files contain sections separated by ``Host'' + specifications, and that section is only applied for hosts that match one + of the patterns given in the specification. The matched host name is the + one given on the command line. + + Since the first obtained value for each parameter is used, more host- + specific declarations should be given near the beginning of the file, and + general defaults at the end. + + The configuration file has the following format: + + Empty lines and lines starting with `#' are comments. Otherwise a line + is of the format ``keyword arguments''. Configuration options may be + separated by whitespace or optional whitespace and exactly one `='; the + latter format is useful to avoid the need to quote whitespace when + specifying configuration options using the ssh, scp, and sftp -o option. + Arguments may optionally be enclosed in double quotes (") in order to + represent arguments containing spaces. + + The possible keywords and their meanings are as follows (note that + keywords are case-insensitive and arguments are case-sensitive): + + Host Restricts the following declarations (up to the next Host or + Match keyword) to be only for those hosts that match one of the + patterns given after the keyword. If more than one pattern is + provided, they should be separated by whitespace. A single `*' + as a pattern can be used to provide global defaults for all + hosts. The host is the hostname argument given on the command + line (i.e. the name is not converted to a canonicalized host name + before matching). + + A pattern entry may be negated by prefixing it with an + exclamation mark (`!'). If a negated entry is matched, then the + Host entry is ignored, regardless of whether any other patterns + on the line match. Negated matches are therefore useful to + provide exceptions for wildcard matches. + + See PATTERNS for more information on patterns. + + Match Restricts the following declarations (up to the next Host or + Match keyword) to be used only when the conditions following the + Match keyword are satisfied. Match conditions are specified + using one or more keyword/criteria pairs or the single token all + which matches all criteria. The available keywords are: exec, + host, originalhost, user, and localuser. + + The exec keyword executes the specified command under the user's + shell. If the command returns a zero exit status then the + condition is considered true. Commands containing whitespace + characters must be quoted. The following character sequences in + the command will be expanded prior to execution: `%L' will be + substituted by the first component of the local host name, `%l' + will be substituted by the local host name (including any domain + name), `%h' will be substituted by the target host name, `%n' + will be substituted by the original target host name specified on + the command-line, `%p' the destination port, `%r' by the remote + login username, and `%u' by the username of the user running + ssh(1). + + The other keywords' criteria must be single entries or comma- + separated lists and may use the wildcard and negation operators + described in the PATTERNS section. The criteria for the host + keyword are matched against the target hostname, after any + substitution by the Hostname option. The originalhost keyword + matches against the hostname as it was specified on the command- + line. The user keyword matches against the target username on + the remote host. The localuser keyword matches against the name + of the local user running ssh(1) (this keyword may be useful in + system-wide ssh_config files). + + AddressFamily + Specifies which address family to use when connecting. Valid + arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' + (use IPv6 only). + + BatchMode + If set to ``yes'', passphrase/password querying will be disabled. + This option is useful in scripts and other batch jobs where no + user is present to supply the password. The argument must be + ``yes'' or ``no''. The default is ``no''. + + BindAddress + Use the specified address on the local machine as the source + address of the connection. Only useful on systems with more than + one address. Note that this option does not work if + UsePrivilegedPort is set to ``yes''. + + CanonicalDomains + When CanonicalizeHostname is enabled, this option specifies the + list of domain suffixes in which to search for the specified + destination host. + + CanonicalizeFallbackLocal + Specifies whether to fail with an error when hostname + canonicalization fails. The default, ``yes'', will attempt to + look up the unqualified hostname using the system resolver's + search rules. A value of ``no'' will cause ssh(1) to fail + instantly if CanonicalizeHostname is enabled and the target + hostname cannot be found in any of the domains specified by + CanonicalDomains. + + CanonicalizeHostname + Controls whether explicit hostname canonicalization is performed. + The default, ``no'', is not to perform any name rewriting and let + the system resolver handle all hostname lookups. If set to + ``yes'' then, for connections that do not use a ProxyCommand, + ssh(1) will attempt to canonicalize the hostname specified on the + command line using the CanonicalDomains suffixes and + CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is + set to ``always'', then canonicalization is applied to proxied + connections too. + + If this option is enabled and canonicalisation results in the + target hostname changing, then the configuration files are + processed again using the new target name to pick up any new + configuration in matching Host stanzas. + + CanonicalizeMaxDots + Specifies the maximum number of dot characters in a hostname + before canonicalization is disabled. The default, ``1'', allows + a single dot (i.e. hostname.subdomain). + + CanonicalizePermittedCNAMEs + Specifies rules to determine whether CNAMEs should be followed + when canonicalizing hostnames. The rules consist of one or more + arguments of source_domain_list:target_domain_list, where + source_domain_list is a pattern-list of domains that may follow + CNAMEs in canonicalization, and target_domain_list is a pattern- + list of domains that they may resolve to. + + For example, ``*.a.example.com:*.b.example.com,*.c.example.com'' + will allow hostnames matching ``*.a.example.com'' to be + canonicalized to names in the ``*.b.example.com'' or + ``*.c.example.com'' domains. + + ChallengeResponseAuthentication + Specifies whether to use challenge-response authentication. The + argument to this keyword must be ``yes'' or ``no''. The default + is ``yes''. + + CheckHostIP + If this flag is set to ``yes'', ssh(1) will additionally check + the host IP address in the known_hosts file. This allows ssh to + detect if a host key changed due to DNS spoofing. If the option + is set to ``no'', the check will not be executed. The default is + ``yes''. + + Cipher Specifies the cipher to use for encrypting the session in + protocol version 1. Currently, ``blowfish'', ``3des'', and + ``des'' are supported. des is only supported in the ssh(1) + client for interoperability with legacy protocol 1 + implementations that do not support the 3des cipher. Its use is + strongly discouraged due to cryptographic weaknesses. The + default is ``3des''. + + Ciphers + Specifies the ciphers allowed for protocol version 2 in order of + preference. Multiple ciphers must be comma-separated. The + supported ciphers are: + + ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', + ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', + ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', + ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', + ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''. + + The default is: + + aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, + aes128-gcm@openssh.com,aes256-gcm@openssh.com, + chacha20-poly1305@openssh.com, + aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, + aes256-cbc,arcfour + + The list of available ciphers may also be obtained using the -Q + option of ssh(1). + + ClearAllForwardings + Specifies that all local, remote, and dynamic port forwardings + specified in the configuration files or on the command line be + cleared. This option is primarily useful when used from the + ssh(1) command line to clear port forwardings set in + configuration files, and is automatically set by scp(1) and + sftp(1). The argument must be ``yes'' or ``no''. The default is + ``no''. + + Compression + Specifies whether to use compression. The argument must be + ``yes'' or ``no''. The default is ``no''. + + CompressionLevel + Specifies the compression level to use if compression is enabled. + The argument must be an integer from 1 (fast) to 9 (slow, best). + The default level is 6, which is good for most applications. The + meaning of the values is the same as in gzip(1). Note that this + option applies to protocol version 1 only. + + ConnectionAttempts + Specifies the number of tries (one per second) to make before + exiting. The argument must be an integer. This may be useful in + scripts if the connection sometimes fails. The default is 1. + + ConnectTimeout + Specifies the timeout (in seconds) used when connecting to the + SSH server, instead of using the default system TCP timeout. + This value is used only when the target is down or really + unreachable, not when it refuses the connection. + + ControlMaster + Enables the sharing of multiple sessions over a single network + connection. When set to ``yes'', ssh(1) will listen for + connections on a control socket specified using the ControlPath + argument. Additional sessions can connect to this socket using + the same ControlPath with ControlMaster set to ``no'' (the + default). These sessions will try to reuse the master instance's + network connection rather than initiating new ones, but will fall + back to connecting normally if the control socket does not exist, + or is not listening. + + Setting this to ``ask'' will cause ssh to listen for control + connections, but require confirmation using the SSH_ASKPASS + program before they are accepted (see ssh-add(1) for details). + If the ControlPath cannot be opened, ssh will continue without + connecting to a master instance. + + X11 and ssh-agent(1) forwarding is supported over these + multiplexed connections, however the display and agent forwarded + will be the one belonging to the master connection i.e. it is not + possible to forward multiple displays or agents. + + Two additional options allow for opportunistic multiplexing: try + to use a master connection but fall back to creating a new one if + one does not already exist. These options are: ``auto'' and + ``autoask''. The latter requires confirmation like the ``ask'' + option. + + ControlPath + Specify the path to the control socket used for connection + sharing as described in the ControlMaster section above or the + string ``none'' to disable connection sharing. In the path, `%L' + will be substituted by the first component of the local host + name, `%l' will be substituted by the local host name (including + any domain name), `%h' will be substituted by the target host + name, `%n' will be substituted by the original target host name + specified on the command line, `%p' the destination port, `%r' by + the remote login username, and `%u' by the username of the user + running ssh(1). It is recommended that any ControlPath used for + opportunistic connection sharing include at least %h, %p, and %r. + This ensures that shared connections are uniquely identified. + + ControlPersist + When used in conjunction with ControlMaster, specifies that the + master connection should remain open in the background (waiting + for future client connections) after the initial client + connection has been closed. If set to ``no'', then the master + connection will not be placed into the background, and will close + as soon as the initial client connection is closed. If set to + ``yes'', then the master connection will remain in the background + indefinitely (until killed or closed via a mechanism such as the + ssh(1) ``-O exit'' option). If set to a time in seconds, or a + time in any of the formats documented in sshd_config(5), then the + backgrounded master connection will automatically terminate after + it has remained idle (with no client connections) for the + specified time. + + DynamicForward + Specifies that a TCP port on the local machine be forwarded over + the secure channel, and the application protocol is then used to + determine where to connect to from the remote machine. + + The argument must be [bind_address:]port. IPv6 addresses can be + specified by enclosing addresses in square brackets. By default, + the local port is bound in accordance with the GatewayPorts + setting. However, an explicit bind_address may be used to bind + the connection to a specific address. The bind_address of + ``localhost'' indicates that the listening port be bound for + local use only, while an empty address or `*' indicates that the + port should be available from all interfaces. + + Currently the SOCKS4 and SOCKS5 protocols are supported, and + ssh(1) will act as a SOCKS server. Multiple forwardings may be + specified, and additional forwardings can be given on the command + line. Only the superuser can forward privileged ports. + + EnableSSHKeysign + Setting this option to ``yes'' in the global client configuration + file /etc/ssh/ssh_config enables the use of the helper program + ssh-keysign(8) during HostbasedAuthentication. The argument must + be ``yes'' or ``no''. The default is ``no''. This option should + be placed in the non-hostspecific section. See ssh-keysign(8) + for more information. + + EscapeChar + Sets the escape character (default: `~'). The escape character + can also be set on the command line. The argument should be a + single character, `^' followed by a letter, or ``none'' to + disable the escape character entirely (making the connection + transparent for binary data). + + ExitOnForwardFailure + Specifies whether ssh(1) should terminate the connection if it + cannot set up all requested dynamic, tunnel, local, and remote + port forwardings. The argument must be ``yes'' or ``no''. The + default is ``no''. + + ForwardAgent + Specifies whether the connection to the authentication agent (if + any) will be forwarded to the remote machine. The argument must + be ``yes'' or ``no''. The default is ``no''. + + Agent forwarding should be enabled with caution. Users with the + ability to bypass file permissions on the remote host (for the + agent's Unix-domain socket) can access the local agent through + the forwarded connection. An attacker cannot obtain key material + from the agent, however they can perform operations on the keys + that enable them to authenticate using the identities loaded into + the agent. + + ForwardX11 + Specifies whether X11 connections will be automatically + redirected over the secure channel and DISPLAY set. The argument + must be ``yes'' or ``no''. The default is ``no''. + + X11 forwarding should be enabled with caution. Users with the + ability to bypass file permissions on the remote host (for the + user's X11 authorization database) can access the local X11 + display through the forwarded connection. An attacker may then + be able to perform activities such as keystroke monitoring if the + ForwardX11Trusted option is also enabled. + + ForwardX11Timeout + Specify a timeout for untrusted X11 forwarding using the format + described in the TIME FORMATS section of sshd_config(5). X11 + connections received by ssh(1) after this time will be refused. + The default is to disable untrusted X11 forwarding after twenty + minutes has elapsed. + + ForwardX11Trusted + If this option is set to ``yes'', remote X11 clients will have + full access to the original X11 display. + + If this option is set to ``no'', remote X11 clients will be + considered untrusted and prevented from stealing or tampering + with data belonging to trusted X11 clients. Furthermore, the + xauth(1) token used for the session will be set to expire after + 20 minutes. Remote clients will be refused access after this + time. + + The default is ``no''. + + See the X11 SECURITY extension specification for full details on + the restrictions imposed on untrusted clients. + + GatewayPorts + Specifies whether remote hosts are allowed to connect to local + forwarded ports. By default, ssh(1) binds local port forwardings + to the loopback address. This prevents other remote hosts from + connecting to forwarded ports. GatewayPorts can be used to + specify that ssh should bind local port forwardings to the + wildcard address, thus allowing remote hosts to connect to + forwarded ports. The argument must be ``yes'' or ``no''. The + default is ``no''. + + GlobalKnownHostsFile + Specifies one or more files to use for the global host key + database, separated by whitespace. The default is + /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. + + GSSAPIAuthentication + Specifies whether user authentication based on GSSAPI is allowed. + The default is ``no''. Note that this option applies to protocol + version 2 only. + + GSSAPIDelegateCredentials + Forward (delegate) credentials to the server. The default is + ``no''. Note that this option applies to protocol version 2 + only. + + HashKnownHosts + Indicates that ssh(1) should hash host names and addresses when + they are added to ~/.ssh/known_hosts. These hashed names may be + used normally by ssh(1) and sshd(8), but they do not reveal + identifying information should the file's contents be disclosed. + The default is ``no''. Note that existing names and addresses in + known hosts files will not be converted automatically, but may be + manually hashed using ssh-keygen(1). + + HostbasedAuthentication + Specifies whether to try rhosts based authentication with public + key authentication. The argument must be ``yes'' or ``no''. The + default is ``no''. This option applies to protocol version 2 + only and is similar to RhostsRSAAuthentication. + + HostKeyAlgorithms + Specifies the protocol version 2 host key algorithms that the + client wants to use in order of preference. The default for this + option is: + + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + ssh-ed25519-cert-v01@openssh.com, + ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, + ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + ssh-ed25519,ssh-rsa,ssh-dss + + If hostkeys are known for the destination host then this default + is modified to prefer their algorithms. + + HostKeyAlias + Specifies an alias that should be used instead of the real host + name when looking up or saving the host key in the host key + database files. This option is useful for tunneling SSH + connections or for multiple servers running on a single host. + + HostName + Specifies the real host name to log into. This can be used to + specify nicknames or abbreviations for hosts. If the hostname + contains the character sequence `%h', then this will be replaced + with the host name specified on the command line (this is useful + for manipulating unqualified names). The default is the name + given on the command line. Numeric IP addresses are also + permitted (both on the command line and in HostName + specifications). + + IdentitiesOnly + Specifies that ssh(1) should only use the authentication identity + files configured in the ssh_config files, even if ssh-agent(1) or + a PKCS11Provider offers more identities. The argument to this + keyword must be ``yes'' or ``no''. This option is intended for + situations where ssh-agent offers many different identities. The + default is ``no''. + + IdentityFile + Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA + authentication identity is read. The default is ~/.ssh/identity + for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, + ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. + Additionally, any identities represented by the authentication + agent will be used for authentication unless IdentitiesOnly is + set. ssh(1) will try to load certificate information from the + filename obtained by appending -cert.pub to the path of a + specified IdentityFile. + + The file name may use the tilde syntax to refer to a user's home + directory or one of the following escape characters: `%d' (local + user's home directory), `%u' (local user name), `%l' (local host + name), `%h' (remote host name) or `%r' (remote user name). + + It is possible to have multiple identity files specified in + configuration files; all these identities will be tried in + sequence. Multiple IdentityFile directives will add to the list + of identities tried (this behaviour differs from that of other + configuration directives). + + IdentityFile may be used in conjunction with IdentitiesOnly to + select which identities in an agent are offered during + authentication. + + IgnoreUnknown + Specifies a pattern-list of unknown options to be ignored if they + are encountered in configuration parsing. This may be used to + suppress errors if ssh_config contains options that are + unrecognised by ssh(1). It is recommended that IgnoreUnknown be + listed early in the configuration file as it will not be applied + to unknown options that appear before it. + + IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. + Accepted values are ``af11'', ``af12'', ``af13'', ``af21'', + ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', ``af41'', + ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'', ``cs4'', + ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'', ``throughput'', + ``reliability'', or a numeric value. This option may take one or + two arguments, separated by whitespace. If one argument is + specified, it is used as the packet class unconditionally. If + two values are specified, the first is automatically selected for + interactive sessions and the second for non-interactive sessions. + The default is ``lowdelay'' for interactive sessions and + ``throughput'' for non-interactive sessions. + + KbdInteractiveAuthentication + Specifies whether to use keyboard-interactive authentication. + The argument to this keyword must be ``yes'' or ``no''. The + default is ``yes''. + + KbdInteractiveDevices + Specifies the list of methods to use in keyboard-interactive + authentication. Multiple method names must be comma-separated. + The default is to use the server specified list. The methods + available vary depending on what the server supports. For an + OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'', + and ``skey''. + + KexAlgorithms + Specifies the available KEX (Key Exchange) algorithms. Multiple + algorithms must be comma-separated. The default is: + + curve25519-sha256@libssh.org, + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, + diffie-hellman-group-exchange-sha1, + diffie-hellman-group14-sha1, + diffie-hellman-group1-sha1 + + LocalCommand + Specifies a command to execute on the local machine after + successfully connecting to the server. The command string + extends to the end of the line, and is executed with the user's + shell. The following escape character substitutions will be + performed: `%d' (local user's home directory), `%h' (remote host + name), `%l' (local host name), `%n' (host name as provided on the + command line), `%p' (remote port), `%r' (remote user name) or + `%u' (local user name). + + The command is run synchronously and does not have access to the + session of the ssh(1) that spawned it. It should not be used for + interactive commands. + + This directive is ignored unless PermitLocalCommand has been + enabled. + + LocalForward + Specifies that a TCP port on the local machine be forwarded over + the secure channel to the specified host and port from the remote + machine. The first argument must be [bind_address:]port and the + second argument must be host:hostport. IPv6 addresses can be + specified by enclosing addresses in square brackets. Multiple + forwardings may be specified, and additional forwardings can be + given on the command line. Only the superuser can forward + privileged ports. By default, the local port is bound in + accordance with the GatewayPorts setting. However, an explicit + bind_address may be used to bind the connection to a specific + address. The bind_address of ``localhost'' indicates that the + listening port be bound for local use only, while an empty + address or `*' indicates that the port should be available from + all interfaces. + + LogLevel + Gives the verbosity level that is used when logging messages from + ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, + VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. + DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify + higher levels of verbose output. + + MACs Specifies the MAC (message authentication code) algorithms in + order of preference. The MAC algorithm is used in protocol + version 2 for data integrity protection. Multiple algorithms + must be comma-separated. The algorithms that contain ``-etm'' + calculate the MAC after encryption (encrypt-then-mac). These are + considered safer and their use recommended. The default is: + + hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, + umac-64-etm@openssh.com,umac-128-etm@openssh.com, + hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, + hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, + hmac-md5-96-etm@openssh.com, + hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, + hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, + hmac-sha1-96,hmac-md5-96 + + NoHostAuthenticationForLocalhost + This option can be used if the home directory is shared across + machines. In this case localhost will refer to a different + machine on each of the machines and the user will get many + warnings about changed host keys. However, this option disables + host authentication for localhost. The argument to this keyword + must be ``yes'' or ``no''. The default is to check the host key + for localhost. + + NumberOfPasswordPrompts + Specifies the number of password prompts before giving up. The + argument to this keyword must be an integer. The default is 3. + + PasswordAuthentication + Specifies whether to use password authentication. The argument + to this keyword must be ``yes'' or ``no''. The default is + ``yes''. + + PermitLocalCommand + Allow local command execution via the LocalCommand option or + using the !command escape sequence in ssh(1). The argument must + be ``yes'' or ``no''. The default is ``no''. + + PKCS11Provider + Specifies which PKCS#11 provider to use. The argument to this + keyword is the PKCS#11 shared library ssh(1) should use to + communicate with a PKCS#11 token providing the user's private RSA + key. + + Port Specifies the port number to connect on the remote host. The + default is 22. + + PreferredAuthentications + Specifies the order in which the client should try protocol 2 + authentication methods. This allows a client to prefer one + method (e.g. keyboard-interactive) over another method (e.g. + password). The default is: + + gssapi-with-mic,hostbased,publickey, + keyboard-interactive,password + + Protocol + Specifies the protocol versions ssh(1) should support in order of + preference. The possible values are `1' and `2'. Multiple + versions must be comma-separated. When this option is set to + ``2,1'' ssh will try version 2 and fall back to version 1 if + version 2 is not available. The default is `2'. + + ProxyCommand + Specifies the command to use to connect to the server. The + command string extends to the end of the line, and is executed + with the user's shell. In the command string, any occurrence of + `%h' will be substituted by the host name to connect, `%p' by the + port, and `%r' by the remote user name. The command can be + basically anything, and should read from its standard input and + write to its standard output. It should eventually connect an + sshd(8) server running on some machine, or execute sshd -i + somewhere. Host key management will be done using the HostName + of the host being connected (defaulting to the name typed by the + user). Setting the command to ``none'' disables this option + entirely. Note that CheckHostIP is not available for connects + with a proxy command. + + This directive is useful in conjunction with nc(1) and its proxy + support. For example, the following directive would connect via + an HTTP proxy at 192.0.2.0: + + ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p + + ProxyUseFdpass + Specifies that ProxyCommand will pass a connected file descriptor + back to ssh(1) instead of continuing to execute and pass data. + The default is ``no''. + + PubkeyAuthentication + Specifies whether to try public key authentication. The argument + to this keyword must be ``yes'' or ``no''. The default is + ``yes''. This option applies to protocol version 2 only. + + RekeyLimit + Specifies the maximum amount of data that may be transmitted + before the session key is renegotiated, optionally followed a + maximum amount of time that may pass before the session key is + renegotiated. The first argument is specified in bytes and may + have a suffix of `K', `M', or `G' to indicate Kilobytes, + Megabytes, or Gigabytes, respectively. The default is between + `1G' and `4G', depending on the cipher. The optional second + value is specified in seconds and may use any of the units + documented in the TIME FORMATS section of sshd_config(5). The + default value for RekeyLimit is ``default none'', which means + that rekeying is performed after the cipher's default amount of + data has been sent or received and no time based rekeying is + done. This option applies to protocol version 2 only. + + RemoteForward + Specifies that a TCP port on the remote machine be forwarded over + the secure channel to the specified host and port from the local + machine. The first argument must be [bind_address:]port and the + second argument must be host:hostport. IPv6 addresses can be + specified by enclosing addresses in square brackets. Multiple + forwardings may be specified, and additional forwardings can be + given on the command line. Privileged ports can be forwarded + only when logging in as root on the remote machine. + + If the port argument is `0', the listen port will be dynamically + allocated on the server and reported to the client at run time. + + If the bind_address is not specified, the default is to only bind + to loopback addresses. If the bind_address is `*' or an empty + string, then the forwarding is requested to listen on all + interfaces. Specifying a remote bind_address will only succeed + if the server's GatewayPorts option is enabled (see + sshd_config(5)). + + RequestTTY + Specifies whether to request a pseudo-tty for the session. The + argument may be one of: ``no'' (never request a TTY), ``yes'' + (always request a TTY when standard input is a TTY), ``force'' + (always request a TTY) or ``auto'' (request a TTY when opening a + login session). This option mirrors the -t and -T flags for + ssh(1). + + RhostsRSAAuthentication + Specifies whether to try rhosts based authentication with RSA + host authentication. The argument must be ``yes'' or ``no''. + The default is ``no''. This option applies to protocol version 1 + only and requires ssh(1) to be setuid root. + + RSAAuthentication + Specifies whether to try RSA authentication. The argument to + this keyword must be ``yes'' or ``no''. RSA authentication will + only be attempted if the identity file exists, or an + authentication agent is running. The default is ``yes''. Note + that this option applies to protocol version 1 only. + + SendEnv + Specifies what variables from the local environ(7) should be sent + to the server. Note that environment passing is only supported + for protocol 2. The server must also support it, and the server + must be configured to accept these environment variables. Refer + to AcceptEnv in sshd_config(5) for how to configure the server. + Variables are specified by name, which may contain wildcard + characters. Multiple environment variables may be separated by + whitespace or spread across multiple SendEnv directives. The + default is not to send any environment variables. + + See PATTERNS for more information on patterns. + + ServerAliveCountMax + Sets the number of server alive messages (see below) which may be + sent without ssh(1) receiving any messages back from the server. + If this threshold is reached while server alive messages are + being sent, ssh will disconnect from the server, terminating the + session. It is important to note that the use of server alive + messages is very different from TCPKeepAlive (below). The server + alive messages are sent through the encrypted channel and + therefore will not be spoofable. The TCP keepalive option + enabled by TCPKeepAlive is spoofable. The server alive mechanism + is valuable when the client or server depend on knowing when a + connection has become inactive. + + The default value is 3. If, for example, ServerAliveInterval + (see below) is set to 15 and ServerAliveCountMax is left at the + default, if the server becomes unresponsive, ssh will disconnect + after approximately 45 seconds. This option applies to protocol + version 2 only. + + ServerAliveInterval + Sets a timeout interval in seconds after which if no data has + been received from the server, ssh(1) will send a message through + the encrypted channel to request a response from the server. The + default is 0, indicating that these messages will not be sent to + the server. This option applies to protocol version 2 only. + + StrictHostKeyChecking + If this flag is set to ``yes'', ssh(1) will never automatically + add host keys to the ~/.ssh/known_hosts file, and refuses to + connect to hosts whose host key has changed. This provides + maximum protection against trojan horse attacks, though it can be + annoying when the /etc/ssh/ssh_known_hosts file is poorly + maintained or when connections to new hosts are frequently made. + This option forces the user to manually add all new hosts. If + this flag is set to ``no'', ssh will automatically add new host + keys to the user known hosts files. If this flag is set to + ``ask'', new host keys will be added to the user known host files + only after the user has confirmed that is what they really want + to do, and ssh will refuse to connect to hosts whose host key has + changed. The host keys of known hosts will be verified + automatically in all cases. The argument must be ``yes'', + ``no'', or ``ask''. The default is ``ask''. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages + to the other side. If they are sent, death of the connection or + crash of one of the machines will be properly noticed. However, + this means that connections will die if the route is down + temporarily, and some people find it annoying. + + The default is ``yes'' (to send TCP keepalive messages), and the + client will notice if the network goes down or the remote host + dies. This is important in scripts, and many users want it too. + + To disable TCP keepalive messages, the value should be set to + ``no''. + + Tunnel Request tun(4) device forwarding between the client and the + server. The argument must be ``yes'', ``point-to-point'' (layer + 3), ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' + requests the default tunnel mode, which is ``point-to-point''. + The default is ``no''. + + TunnelDevice + Specifies the tun(4) devices to open on the client (local_tun) + and the server (remote_tun). + + The argument must be local_tun[:remote_tun]. The devices may be + specified by numerical ID or the keyword ``any'', which uses the + next available tunnel device. If remote_tun is not specified, it + defaults to ``any''. The default is ``any:any''. + + UsePrivilegedPort + Specifies whether to use a privileged port for outgoing + connections. The argument must be ``yes'' or ``no''. The + default is ``no''. If set to ``yes'', ssh(1) must be setuid + root. Note that this option must be set to ``yes'' for + RhostsRSAAuthentication with older servers. + + User Specifies the user to log in as. This can be useful when a + different user name is used on different machines. This saves + the trouble of having to remember to give the user name on the + command line. + + UserKnownHostsFile + Specifies one or more files to use for the user host key + database, separated by whitespace. The default is + ~/.ssh/known_hosts, ~/.ssh/known_hosts2. + + VerifyHostKeyDNS + Specifies whether to verify the remote key using DNS and SSHFP + resource records. If this option is set to ``yes'', the client + will implicitly trust keys that match a secure fingerprint from + DNS. Insecure fingerprints will be handled as if this option was + set to ``ask''. If this option is set to ``ask'', information on + fingerprint match will be displayed, but the user will still need + to confirm new host keys according to the StrictHostKeyChecking + option. The argument must be ``yes'', ``no'', or ``ask''. The + default is ``no''. Note that this option applies to protocol + version 2 only. + + See also VERIFYING HOST KEYS in ssh(1). + + VisualHostKey + If this flag is set to ``yes'', an ASCII art representation of + the remote host key fingerprint is printed in addition to the hex + fingerprint string at login and for unknown host keys. If this + flag is set to ``no'', no fingerprint strings are printed at + login and only the hex fingerprint string will be printed for + unknown host keys. The default is ``no''. + + XAuthLocation + Specifies the full pathname of the xauth(1) program. The default + is /usr/X11R6/bin/xauth. + +PATTERNS + A pattern consists of zero or more non-whitespace characters, `*' (a + wildcard that matches zero or more characters), or `?' (a wildcard that + matches exactly one character). For example, to specify a set of + declarations for any host in the ``.co.uk'' set of domains, the following + pattern could be used: + + Host *.co.uk + + The following pattern would match any host in the 192.168.0.[0-9] network + range: + + Host 192.168.0.? + + A pattern-list is a comma-separated list of patterns. Patterns within + pattern-lists may be negated by preceding them with an exclamation mark + (`!'). For example, to allow a key to be used from anywhere within an + organization except from the ``dialup'' pool, the following entry (in + authorized_keys) could be used: + + from="!*.dialup.example.com,*.example.com" + +FILES + ~/.ssh/config + This is the per-user configuration file. The format of this file + is described above. This file is used by the SSH client. + Because of the potential for abuse, this file must have strict + permissions: read/write for the user, and not accessible by + others. + + /etc/ssh/ssh_config + Systemwide configuration file. This file provides defaults for + those values that are not specified in the user's configuration + file, and for those users who do not have a configuration file. + This file must be world-readable. + +SEE ALSO + ssh(1) + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +OpenBSD 5.5 February 23, 2014 OpenBSD 5.5 diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5 index 4cbaee9e4..9cbfc1b56 100644 --- a/crypto/openssh/ssh_config.5 +++ b/crypto/openssh/ssh_config.5 @@ -33,9 +33,9 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.185 2014/02/23 20:11:36 djm Exp $ .\" $FreeBSD$ -.Dd January 8, 2013 +.Dd February 23, 2014 .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -101,6 +101,8 @@ keywords are case-insensitive and arguments are case-sensitive): .It Cm Host Restricts the following declarations (up to the next .Cm Host +or +.Cm Match keyword) to be only for those hosts that match one of the patterns given after the keyword. If more than one pattern is provided, they should be separated by whitespace. @@ -125,6 +127,73 @@ matches. See .Sx PATTERNS for more information on patterns. +.It Cm Match +Restricts the following declarations (up to the next +.Cm Host +or +.Cm Match +keyword) to be used only when the conditions following the +.Cm Match +keyword are satisfied. +Match conditions are specified using one or more keyword/criteria pairs +or the single token +.Cm all +which matches all criteria. +The available keywords are: +.Cm exec , +.Cm host , +.Cm originalhost , +.Cm user , +and +.Cm localuser . +.Pp +The +.Cm exec +keyword executes the specified command under the user's shell. +If the command returns a zero exit status then the condition is considered true. +Commands containing whitespace characters must be quoted. +The following character sequences in the command will be expanded prior to +execution: +.Ql %L +will be substituted by the first component of the local host name, +.Ql %l +will be substituted by the local host name (including any domain name), +.Ql %h +will be substituted by the target host name, +.Ql %n +will be substituted by the original target host name +specified on the command-line, +.Ql %p +the destination port, +.Ql %r +by the remote login username, and +.Ql %u +by the username of the user running +.Xr ssh 1 . +.Pp +The other keywords' criteria must be single entries or comma-separated +lists and may use the wildcard and negation operators described in the +.Sx PATTERNS +section. +The criteria for the +.Cm host +keyword are matched against the target hostname, after any substitution +by the +.Cm Hostname +option. +The +.Cm originalhost +keyword matches against the hostname as it was specified on the command-line. +The +.Cm user +keyword matches against the target username on the remote host. +The +.Cm localuser +keyword matches against the name of the local user running +.Xr ssh 1 +(this keyword may be useful in system-wide +.Nm +files). .It Cm AddressFamily Specifies which address family to use when connecting. Valid arguments are @@ -153,6 +222,81 @@ Note that this option does not work if .Cm UsePrivilegedPort is set to .Dq yes . +.It Cm CanonicalDomains +When +.Cm CanonicalizeHostname +is enabled, this option specifies the list of domain suffixes in which to +search for the specified destination host. +.It Cm CanonicalizeFallbackLocal +Specifies whether to fail with an error when hostname canonicalization fails. +The default, +.Dq yes , +will attempt to look up the unqualified hostname using the system resolver's +search rules. +A value of +.Dq no +will cause +.Xr ssh 1 +to fail instantly if +.Cm CanonicalizeHostname +is enabled and the target hostname cannot be found in any of the domains +specified by +.Cm CanonicalDomains . +.It Cm CanonicalizeHostname +Controls whether explicit hostname canonicalization is performed. +The default, +.Dq no , +is not to perform any name rewriting and let the system resolver handle all +hostname lookups. +If set to +.Dq yes +then, for connections that do not use a +.Cm ProxyCommand , +.Xr ssh 1 +will attempt to canonicalize the hostname specified on the command line +using the +.Cm CanonicalDomains +suffixes and +.Cm CanonicalizePermittedCNAMEs +rules. +If +.Cm CanonicalizeHostname +is set to +.Dq always , +then canonicalization is applied to proxied connections too. +.Pp +If this option is enabled and canonicalisation results in the target hostname +changing, then the configuration files are processed again using the new +target name to pick up any new configuration in matching +.Cm Host +stanzas. +.It Cm CanonicalizeMaxDots +Specifies the maximum number of dot characters in a hostname before +canonicalization is disabled. +The default, +.Dq 1 , +allows a single dot (i.e. hostname.subdomain). +.It Cm CanonicalizePermittedCNAMEs +Specifies rules to determine whether CNAMEs should be followed when +canonicalizing hostnames. +The rules consist of one or more arguments of +.Ar source_domain_list : Ns Ar target_domain_list , +where +.Ar source_domain_list +is a pattern-list of domains that may follow CNAMEs in canonicalization, +and +.Ar target_domain_list +is a pattern-list of domains that they may resolve to. +.Pp +For example, +.Dq *.a.example.com:*.b.example.com,*.c.example.com +will allow hostnames matching +.Dq *.a.example.com +to be canonicalized to names in the +.Dq *.b.example.com +or +.Dq *.c.example.com +domains. .It Cm ChallengeResponseAuthentication Specifies whether to use challenge-response authentication. The argument to this keyword must be @@ -197,7 +341,8 @@ The default is Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. -The supported ciphers are +The supported ciphers are: +.Pp .Dq 3des-cbc , .Dq aes128-cbc , .Dq aes192-cbc , @@ -211,15 +356,23 @@ The supported ciphers are .Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , +.Dq cast128-cbc , and -.Dq cast128-cbc . +.Dq chacha20-poly1305@openssh.com . +.Pp The default is: .Bd -literal -offset 3n aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-gcm@openssh.com,aes256-gcm@openssh.com, +chacha20-poly1305@openssh.com, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour .Ed +.Pp +The list of available ciphers may also be obtained using the +.Fl Q +option of +.Xr ssh 1 . .It Cm ClearAllForwardings Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be @@ -328,7 +481,7 @@ will be substituted by the target host name, will be substituted by the original target host name specified on the command line, .Ql %p -the port, +the destination port, .Ql %r by the remote login username, and .Ql %u @@ -475,8 +628,7 @@ option is also enabled. .It Cm ForwardX11Timeout Specify a timeout for untrusted X11 forwarding using the format described in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . X11 connections received by .Xr ssh 1 @@ -573,10 +725,11 @@ The default for this option is: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, +ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-rsa,ssh-dss +ssh-ed25519,ssh-rsa,ssh-dss .Ed .Pp If hostkeys are known for the destination host then this default is modified @@ -618,18 +771,21 @@ offers many different identities. The default is .Dq no . .It Cm IdentityFile -Specifies a file from which the user's DSA, ECDSA or RSA authentication +Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication identity is read. The default is .Pa ~/.ssh/identity for protocol version 1, and .Pa ~/.ssh/id_dsa , -.Pa ~/.ssh/id_ecdsa +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/id_rsa for protocol version 2. Additionally, any identities represented by the authentication agent -will be used for authentication. +will be used for authentication unless +.Cm IdentitiesOnly +is set. .Xr ssh 1 will try to load certificate information from the filename obtained by appending @@ -658,6 +814,22 @@ Multiple .Cm IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configuration directives). +.Pp +.Cm IdentityFile +may be used in conjunction with +.Cm IdentitiesOnly +to select which identities in an agent are offered during authentication. +.It Cm IgnoreUnknown +Specifies a pattern-list of unknown options to be ignored if they are +encountered in configuration parsing. +This may be used to suppress errors if +.Nm +contains options that are unrecognised by +.Xr ssh 1 . +It is recommended that +.Cm IgnoreUnknown +be listed early in the configuration file as it will not be applied +to unknown options that appear before it. .It Cm IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. Accepted values are @@ -719,6 +891,7 @@ Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent +curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, @@ -921,6 +1094,14 @@ For example, the following directive would connect via an HTTP proxy at .Bd -literal -offset 3n ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p .Ed +.It Cm ProxyUseFdpass +Specifies that +.Cm ProxyCommand +will pass a connected file descriptor back to +.Xr ssh 1 +instead of continuing to execute and pass data. +The default is +.Dq no . .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be @@ -932,8 +1113,9 @@ The default is This option applies to protocol version 2 only. .It Cm RekeyLimit Specifies the maximum amount of data that may be transmitted before the -session key is renegotiated. -The argument is the number of bytes, with an optional suffix of +session key is renegotiated, optionally followed a maximum amount of +time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of .Sq K , .Sq M , or @@ -944,6 +1126,16 @@ The default is between and .Sq 4G , depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the +TIME FORMATS section of +.Xr sshd_config 5 . +The default value for +.Cm RekeyLimit +is +.Dq default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. This option applies to protocol version 2 only. .It Cm RemoteForward Specifies that a TCP port on the remote machine be forwarded over @@ -1222,15 +1414,13 @@ The default is .Dq no . Note that this option applies to protocol version 2 only. .Pp -See also -.Sx VERIFYING HOST KEYS -in +See also VERIFYING HOST KEYS in .Xr ssh 1 . .It Cm VersionAddendum Specifies a string to append to the regular version string to identify OS- or site-specific modifications. The default is -.Dq FreeBSD-20130515 . +.Dq FreeBSD-20140324 . .It Cm VisualHostKey If this flag is set to .Dq yes , @@ -1278,7 +1468,7 @@ Patterns within pattern-lists may be negated by preceding them with an exclamation mark .Pq Sq !\& . For example, -to allow a key to be used from anywhere within an organisation +to allow a key to be used from anywhere within an organization except from the .Dq dialup pool, diff --git a/crypto/openssh/ssh_namespace.h b/crypto/openssh/ssh_namespace.h index edfff3b31..50f9b1834 100644 --- a/crypto/openssh/ssh_namespace.h +++ b/crypto/openssh/ssh_namespace.h @@ -7,10 +7,16 @@ * * A list of symbols which need munging is obtained as follows: * - * nm libssh.a | awk '/[0-9a-z] [A-Z] / && $3 !~ /^ssh_/ { printf("#define %-39s ssh_%s\n", $3, $3) }' | unexpand -a | sort + * nm libssh.a | awk '/[0-9a-z] [A-Z] / && $3 !~ /^ssh_/ { printf("#define %-39s ssh_%s\n", $3, $3) }' | unexpand -a | sort -u * $FreeBSD$ */ +#define Blowfish_decipher ssh_Blowfish_decipher +#define Blowfish_encipher ssh_Blowfish_encipher +#define Blowfish_expand0state ssh_Blowfish_expand0state +#define Blowfish_expandstate ssh_Blowfish_expandstate +#define Blowfish_initstate ssh_Blowfish_initstate +#define Blowfish_stream2word ssh_Blowfish_stream2word #define a2port ssh_a2port #define a2tun ssh_a2tun #define add_host_to_hostfile ssh_add_host_to_hostfile @@ -25,6 +31,14 @@ #define auth_request_forwarding ssh_auth_request_forwarding #define bandwidth_limit ssh_bandwidth_limit #define bandwidth_limit_init ssh_bandwidth_limit_init +#define bcrypt_pbkdf ssh_bcrypt_pbkdf +#define blf_cbc_decrypt ssh_blf_cbc_decrypt +#define blf_cbc_encrypt ssh_blf_cbc_encrypt +#define blf_dec ssh_blf_dec +#define blf_ecb_decrypt ssh_blf_ecb_decrypt +#define blf_ecb_encrypt ssh_blf_ecb_encrypt +#define blf_enc ssh_blf_enc +#define blf_key ssh_blf_key #define buffer_append ssh_buffer_append #define buffer_append_space ssh_buffer_append_space #define buffer_check_alloc ssh_buffer_check_alloc @@ -42,6 +56,8 @@ #define buffer_get ssh_buffer_get #define buffer_get_bignum ssh_buffer_get_bignum #define buffer_get_bignum2 ssh_buffer_get_bignum2 +#define buffer_get_bignum2_as_string ssh_buffer_get_bignum2_as_string +#define buffer_get_bignum2_as_string_ret ssh_buffer_get_bignum2_as_string_ret #define buffer_get_bignum2_ret ssh_buffer_get_bignum2_ret #define buffer_get_bignum_ret ssh_buffer_get_bignum_ret #define buffer_get_char ssh_buffer_get_char @@ -67,6 +83,7 @@ #define buffer_ptr ssh_buffer_ptr #define buffer_put_bignum ssh_buffer_put_bignum #define buffer_put_bignum2 ssh_buffer_put_bignum2 +#define buffer_put_bignum2_from_string ssh_buffer_put_bignum2_from_string #define buffer_put_bignum2_ret ssh_buffer_put_bignum2_ret #define buffer_put_bignum_ret ssh_buffer_put_bignum_ret #define buffer_put_char ssh_buffer_put_char @@ -78,6 +95,12 @@ #define buffer_put_short ssh_buffer_put_short #define buffer_put_string ssh_buffer_put_string #define buffer_uncompress ssh_buffer_uncompress +#define chacha_encrypt_bytes ssh_chacha_encrypt_bytes +#define chacha_ivsetup ssh_chacha_ivsetup +#define chacha_keysetup ssh_chacha_keysetup +#define chachapoly_crypt ssh_chachapoly_crypt +#define chachapoly_get_length ssh_chachapoly_get_length +#define chachapoly_init ssh_chachapoly_init #define chan_ibuf_empty ssh_chan_ibuf_empty #define chan_is_dead ssh_chan_is_dead #define chan_mark_dead ssh_chan_mark_dead @@ -147,6 +170,7 @@ #define check_key_in_hostkeys ssh_check_key_in_hostkeys #define choose_dh ssh_choose_dh #define chop ssh_chop +#define cipher_alg_list ssh_cipher_alg_list #define cipher_authlen ssh_cipher_authlen #define cipher_blocksize ssh_cipher_blocksize #define cipher_by_name ssh_cipher_by_name @@ -156,6 +180,7 @@ #define cipher_get_keycontext ssh_cipher_get_keycontext #define cipher_get_keyiv ssh_cipher_get_keyiv #define cipher_get_keyiv_len ssh_cipher_get_keyiv_len +#define cipher_get_length ssh_cipher_get_length #define cipher_get_number ssh_cipher_get_number #define cipher_init ssh_cipher_init #define cipher_is_cbc ssh_cipher_is_cbc @@ -164,10 +189,10 @@ #define cipher_mask_ssh1 ssh_cipher_mask_ssh1 #define cipher_name ssh_cipher_name #define cipher_number ssh_cipher_number +#define cipher_seclen ssh_cipher_seclen #define cipher_set_key_string ssh_cipher_set_key_string #define cipher_set_keycontext ssh_cipher_set_keycontext #define cipher_set_keyiv ssh_cipher_set_keyiv -#define ciphers ssh_ciphers #define ciphers_valid ssh_ciphers_valid #define cleanhostname ssh_cleanhostname #define cleanup_exit ssh_cleanup_exit @@ -177,7 +202,52 @@ #define compat20 ssh_compat20 #define compat_cipher_proposal ssh_compat_cipher_proposal #define compat_datafellows ssh_compat_datafellows +#define compat_pkalg_proposal ssh_compat_pkalg_proposal #define convtime ssh_convtime +#define crypto_hash_sha512 ssh_crypto_hash_sha512 +#define crypto_hashblocks_sha512 ssh_crypto_hashblocks_sha512 +#define crypto_scalarmult_curve25519 ssh_crypto_scalarmult_curve25519 +#define crypto_sign_ed25519 ssh_crypto_sign_ed25519 +#define crypto_sign_ed25519_keypair ssh_crypto_sign_ed25519_keypair +#define crypto_sign_ed25519_open ssh_crypto_sign_ed25519_open +#define crypto_sign_ed25519_ref_double_scalarmult_vartime ssh_crypto_sign_ed25519_ref_double_scalarmult_vartime +#define crypto_sign_ed25519_ref_fe25519_add ssh_crypto_sign_ed25519_ref_fe25519_add +#define crypto_sign_ed25519_ref_fe25519_cmov ssh_crypto_sign_ed25519_ref_fe25519_cmov +#define crypto_sign_ed25519_ref_fe25519_freeze ssh_crypto_sign_ed25519_ref_fe25519_freeze +#define crypto_sign_ed25519_ref_fe25519_getparity ssh_crypto_sign_ed25519_ref_fe25519_getparity +#define crypto_sign_ed25519_ref_fe25519_invert ssh_crypto_sign_ed25519_ref_fe25519_invert +#define crypto_sign_ed25519_ref_fe25519_iseq_vartime ssh_crypto_sign_ed25519_ref_fe25519_iseq_vartime +#define crypto_sign_ed25519_ref_fe25519_iszero ssh_crypto_sign_ed25519_ref_fe25519_iszero +#define crypto_sign_ed25519_ref_fe25519_mul ssh_crypto_sign_ed25519_ref_fe25519_mul +#define crypto_sign_ed25519_ref_fe25519_neg ssh_crypto_sign_ed25519_ref_fe25519_neg +#define crypto_sign_ed25519_ref_fe25519_pack ssh_crypto_sign_ed25519_ref_fe25519_pack +#define crypto_sign_ed25519_ref_fe25519_pow2523 ssh_crypto_sign_ed25519_ref_fe25519_pow2523 +#define crypto_sign_ed25519_ref_fe25519_setone ssh_crypto_sign_ed25519_ref_fe25519_setone +#define crypto_sign_ed25519_ref_fe25519_setzero ssh_crypto_sign_ed25519_ref_fe25519_setzero +#define crypto_sign_ed25519_ref_fe25519_square ssh_crypto_sign_ed25519_ref_fe25519_square +#define crypto_sign_ed25519_ref_fe25519_sub ssh_crypto_sign_ed25519_ref_fe25519_sub +#define crypto_sign_ed25519_ref_fe25519_unpack ssh_crypto_sign_ed25519_ref_fe25519_unpack +#define crypto_sign_ed25519_ref_ge25519_base ssh_crypto_sign_ed25519_ref_ge25519_base +#define crypto_sign_ed25519_ref_isneutral_vartime ssh_crypto_sign_ed25519_ref_isneutral_vartime +#define crypto_sign_ed25519_ref_pack ssh_crypto_sign_ed25519_ref_pack +#define crypto_sign_ed25519_ref_sc25519_2interleave2 ssh_crypto_sign_ed25519_ref_sc25519_2interleave2 +#define crypto_sign_ed25519_ref_sc25519_add ssh_crypto_sign_ed25519_ref_sc25519_add +#define crypto_sign_ed25519_ref_sc25519_from32bytes ssh_crypto_sign_ed25519_ref_sc25519_from32bytes +#define crypto_sign_ed25519_ref_sc25519_from64bytes ssh_crypto_sign_ed25519_ref_sc25519_from64bytes +#define crypto_sign_ed25519_ref_sc25519_from_shortsc ssh_crypto_sign_ed25519_ref_sc25519_from_shortsc +#define crypto_sign_ed25519_ref_sc25519_isshort_vartime ssh_crypto_sign_ed25519_ref_sc25519_isshort_vartime +#define crypto_sign_ed25519_ref_sc25519_iszero_vartime ssh_crypto_sign_ed25519_ref_sc25519_iszero_vartime +#define crypto_sign_ed25519_ref_sc25519_lt_vartime ssh_crypto_sign_ed25519_ref_sc25519_lt_vartime +#define crypto_sign_ed25519_ref_sc25519_mul ssh_crypto_sign_ed25519_ref_sc25519_mul +#define crypto_sign_ed25519_ref_sc25519_mul_shortsc ssh_crypto_sign_ed25519_ref_sc25519_mul_shortsc +#define crypto_sign_ed25519_ref_sc25519_sub_nored ssh_crypto_sign_ed25519_ref_sc25519_sub_nored +#define crypto_sign_ed25519_ref_sc25519_to32bytes ssh_crypto_sign_ed25519_ref_sc25519_to32bytes +#define crypto_sign_ed25519_ref_sc25519_window3 ssh_crypto_sign_ed25519_ref_sc25519_window3 +#define crypto_sign_ed25519_ref_sc25519_window5 ssh_crypto_sign_ed25519_ref_sc25519_window5 +#define crypto_sign_ed25519_ref_scalarmult_base ssh_crypto_sign_ed25519_ref_scalarmult_base +#define crypto_sign_ed25519_ref_shortsc25519_from16bytes ssh_crypto_sign_ed25519_ref_shortsc25519_from16bytes +#define crypto_sign_ed25519_ref_unpackneg_vartime ssh_crypto_sign_ed25519_ref_unpackneg_vartime +#define crypto_verify_32 ssh_crypto_verify_32 #define current_keys ssh_current_keys #define datafellows ssh_datafellows #define debug ssh_debug @@ -194,6 +264,7 @@ #define dh_new_group14 ssh_dh_new_group14 #define dh_new_group_asc ssh_dh_new_group_asc #define dh_pub_is_valid ssh_dh_pub_is_valid +#define digests ssh_digests #define dispatch ssh_dispatch #define dispatch_init ssh_dispatch_init #define dispatch_protocol_error ssh_dispatch_protocol_error @@ -209,6 +280,7 @@ #define error ssh_error #define evp_ssh1_3des ssh_evp_ssh1_3des #define evp_ssh1_bf ssh_evp_ssh1_bf +#define explicit_bzero ssh_explicit_bzero #define export_dns_rr ssh_export_dns_rr #define fatal ssh_fatal #define fmt_scaled ssh_fmt_scaled @@ -239,22 +311,27 @@ #define init_hostkeys ssh_init_hostkeys #define iptos2str ssh_iptos2str #define ipv64_normalise_mapped ssh_ipv64_normalise_mapped +#define kex_alg_list ssh_kex_alg_list +#define kex_c25519_hash ssh_kex_c25519_hash #define kex_derive_keys ssh_kex_derive_keys +#define kex_derive_keys_bn ssh_kex_derive_keys_bn #define kex_dh_hash ssh_kex_dh_hash #define kex_ecdh_hash ssh_kex_ecdh_hash -#define kex_ecdh_name_to_evpmd ssh_kex_ecdh_name_to_evpmd -#define kex_ecdh_name_to_nid ssh_kex_ecdh_name_to_nid #define kex_finish ssh_kex_finish #define kex_get_newkeys ssh_kex_get_newkeys #define kex_input_kexinit ssh_kex_input_kexinit #define kex_names_valid ssh_kex_names_valid #define kex_send_kexinit ssh_kex_send_kexinit #define kex_setup ssh_kex_setup +#define kexc25519_client ssh_kexc25519_client +#define kexc25519_keygen ssh_kexc25519_keygen +#define kexc25519_shared_key ssh_kexc25519_shared_key #define kexdh_client ssh_kexdh_client #define kexecdh_client ssh_kexecdh_client #define kexgex_client ssh_kexgex_client #define kexgex_hash ssh_kexgex_hash #define key_add_private ssh_key_add_private +#define key_alg_list ssh_key_alg_list #define key_cert_check_authority ssh_key_cert_check_authority #define key_cert_copy ssh_key_cert_copy #define key_cert_is_legacy ssh_key_cert_is_legacy @@ -265,7 +342,7 @@ #define key_curve_nid_to_name ssh_key_curve_nid_to_name #define key_demote ssh_key_demote #define key_drop_cert ssh_key_drop_cert -#define key_ec_nid_to_evpmd ssh_key_ec_nid_to_evpmd +#define key_ec_nid_to_hash_alg ssh_key_ec_nid_to_hash_alg #define key_ec_validate_private ssh_key_ec_validate_private #define key_ec_validate_public ssh_key_ec_validate_public #define key_ecdsa_bits_to_nid ssh_key_ecdsa_bits_to_nid @@ -294,6 +371,8 @@ #define key_new_private ssh_key_new_private #define key_parse_private ssh_key_parse_private #define key_perm_ok ssh_key_perm_ok +#define key_private_deserialize ssh_key_private_deserialize +#define key_private_serialize ssh_key_private_serialize #define key_read ssh_key_read #define key_save_private ssh_key_save_private #define key_sign ssh_key_sign @@ -304,6 +383,7 @@ #define key_to_certified ssh_key_to_certified #define key_type ssh_key_type #define key_type_from_name ssh_key_type_from_name +#define key_type_is_cert ssh_key_type_is_cert #define key_type_plain ssh_key_type_plain #define key_verify ssh_key_verify #define key_write ssh_key_write @@ -315,14 +395,16 @@ #define log_is_on_stderr ssh_log_is_on_stderr #define log_level_name ssh_log_level_name #define log_level_number ssh_log_level_number +#define log_redirect_stderr_to ssh_log_redirect_stderr_to #define logit ssh_logit #define lookup_key_in_hostkeys_by_type ssh_lookup_key_in_hostkeys_by_type +#define lowercase ssh_lowercase +#define mac_alg_list ssh_mac_alg_list #define mac_clear ssh_mac_clear #define mac_compute ssh_mac_compute #define mac_init ssh_mac_init #define mac_setup ssh_mac_setup #define mac_valid ssh_mac_valid -#define macs ssh_macs #define match_host_and_ip ssh_match_host_and_ip #define match_hostname ssh_match_hostname #define match_list ssh_match_list @@ -332,6 +414,7 @@ #define mktemp_proto ssh_mktemp_proto #define mm_receive_fd ssh_mm_receive_fd #define mm_send_fd ssh_mm_send_fd +#define monotime ssh_monotime #define ms_subtract_diff ssh_ms_subtract_diff #define ms_to_timeval ssh_ms_to_timeval #define mysignal ssh_mysignal @@ -360,6 +443,7 @@ #define packet_get_output ssh_packet_get_output #define packet_get_protocol_flags ssh_packet_get_protocol_flags #define packet_get_raw ssh_packet_get_raw +#define packet_get_rekey_timeout ssh_packet_get_rekey_timeout #define packet_get_ssh1_cipher ssh_packet_get_ssh1_cipher #define packet_get_state ssh_packet_get_state #define packet_get_string ssh_packet_get_string @@ -398,7 +482,7 @@ #define packet_set_maxsize ssh_packet_set_maxsize #define packet_set_nonblocking ssh_packet_set_nonblocking #define packet_set_protocol_flags ssh_packet_set_protocol_flags -#define packet_set_rekey_limit ssh_packet_set_rekey_limit +#define packet_set_rekey_limits ssh_packet_set_rekey_limits #define packet_set_server ssh_packet_set_server #define packet_set_state ssh_packet_set_state #define packet_set_timeout ssh_packet_set_timeout @@ -417,6 +501,7 @@ #define pkcs11_interactive ssh_pkcs11_interactive #define pkcs11_providers ssh_pkcs11_providers #define pkcs11_terminate ssh_pkcs11_terminate +#define poly1305_auth ssh_poly1305_auth #define prime_test ssh_prime_test #define proto_spec ssh_proto_spec #define put_host_port ssh_put_host_port @@ -461,10 +546,11 @@ #define tty_make_modes ssh_tty_make_modes #define tty_parse_modes ssh_tty_parse_modes #define tun_open ssh_tun_open +#define umac128_ctx ssh_umac128_ctx +#define umac128_delete ssh_umac128_delete +#define umac128_final ssh_umac128_final #define umac128_new ssh_umac128_new #define umac128_update ssh_umac128_update -#define umac128_final ssh_umac128_final -#define umac128_delete ssh_umac128_delete #define umac_ctx ssh_umac_ctx #define umac_delete ssh_umac_delete #define umac_final ssh_umac_final @@ -483,7 +569,6 @@ #define xasprintf ssh_xasprintf #define xcalloc ssh_xcalloc #define xcrypt ssh_xcrypt -#define xfree ssh_xfree #define xmalloc ssh_xmalloc #define xmmap ssh_xmmap #define xrealloc ssh_xrealloc diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c index 163ba8841..fd8ad1dd3 100644 --- a/crypto/openssh/sshconnect.c +++ b/crypto/openssh/sshconnect.c @@ -1,5 +1,5 @@ -/* $OpenBSD: sshconnect.c,v 1.236 2012/09/14 16:51:34 markus Exp $ */ -/* $OpenBSD: sshconnect.c,v 1.237 2013/02/22 19:13:56 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */ +/* $FreeBSD$ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -15,6 +15,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include @@ -26,6 +27,7 @@ #include #include +#include #include #include @@ -60,6 +62,7 @@ #include "misc.h" #include "dns.h" #include "roaming.h" +#include "monitor_fdpass.h" #include "ssh2.h" #include "version.h" @@ -79,47 +82,122 @@ extern uid_t original_effective_uid; static int show_other_keys(struct hostkeys *, Key *); static void warn_changed_key(Key *); +/* Expand a proxy command */ +static char * +expand_proxy_command(const char *proxy_command, const char *user, + const char *host, int port) +{ + char *tmp, *ret, strport[NI_MAXSERV]; + + snprintf(strport, sizeof strport, "%d", port); + xasprintf(&tmp, "exec %s", proxy_command); + ret = percent_expand(tmp, "h", host, "p", strport, + "r", options.user, (char *)NULL); + free(tmp); + return ret; +} + +/* + * Connect to the given ssh server using a proxy command that passes a + * a connected fd back to us. + */ +static int +ssh_proxy_fdpass_connect(const char *host, u_short port, + const char *proxy_command) +{ + char *command_string; + int sp[2], sock; + pid_t pid; + char *shell; + + if ((shell = getenv("SHELL")) == NULL) + shell = _PATH_BSHELL; + + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) + fatal("Could not create socketpair to communicate with " + "proxy dialer: %.100s", strerror(errno)); + + command_string = expand_proxy_command(proxy_command, options.user, + host, port); + debug("Executing proxy dialer command: %.500s", command_string); + + /* Fork and execute the proxy command. */ + if ((pid = fork()) == 0) { + char *argv[10]; + + /* Child. Permanently give up superuser privileges. */ + permanently_drop_suid(original_real_uid); + + close(sp[1]); + /* Redirect stdin and stdout. */ + if (sp[0] != 0) { + if (dup2(sp[0], 0) < 0) + perror("dup2 stdin"); + } + if (sp[0] != 1) { + if (dup2(sp[0], 1) < 0) + perror("dup2 stdout"); + } + if (sp[0] >= 2) + close(sp[0]); + + /* + * Stderr is left as it is so that error messages get + * printed on the user's terminal. + */ + argv[0] = shell; + argv[1] = "-c"; + argv[2] = command_string; + argv[3] = NULL; + + /* + * Execute the proxy command. + * Note that we gave up any extra privileges above. + */ + execv(argv[0], argv); + perror(argv[0]); + exit(1); + } + /* Parent. */ + if (pid < 0) + fatal("fork failed: %.100s", strerror(errno)); + close(sp[0]); + free(command_string); + + if ((sock = mm_receive_fd(sp[1])) == -1) + fatal("proxy dialer did not pass back a connection"); + + while (waitpid(pid, NULL, 0) == -1) + if (errno != EINTR) + fatal("Couldn't wait for child: %s", strerror(errno)); + + /* Set the connection file descriptors. */ + packet_set_connection(sock, sock); + + return 0; +} + /* * Connect to the given ssh server using a proxy command. */ static int ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) { - char *command_string, *tmp; + char *command_string; int pin[2], pout[2]; pid_t pid; - char *shell, strport[NI_MAXSERV]; - - if (!strcmp(proxy_command, "-")) { - packet_set_connection(STDIN_FILENO, STDOUT_FILENO); - packet_set_timeout(options.server_alive_interval, - options.server_alive_count_max); - return 0; - } + char *shell; if ((shell = getenv("SHELL")) == NULL || *shell == '\0') shell = _PATH_BSHELL; - /* Convert the port number into a string. */ - snprintf(strport, sizeof strport, "%hu", port); - - /* - * Build the final command string in the buffer by making the - * appropriate substitutions to the given proxy command. - * - * Use "exec" to avoid "sh -c" processes on some platforms - * (e.g. Solaris) - */ - xasprintf(&tmp, "exec %s", proxy_command); - command_string = percent_expand(tmp, "h", host, "p", strport, - "r", options.user, (char *)NULL); - xfree(tmp); - /* Create pipes for communicating with the proxy. */ if (pipe(pin) < 0 || pipe(pout) < 0) fatal("Could not create pipes to communicate with the proxy: %.100s", strerror(errno)); + command_string = expand_proxy_command(proxy_command, options.user, + host, port); debug("Executing proxy command: %.500s", command_string); /* Fork and execute the proxy command. */ @@ -167,12 +245,10 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) close(pout[1]); /* Free the command name. */ - xfree(command_string); + free(command_string); /* Set the connection file descriptors. */ packet_set_connection(pout[0], pin[1]); - packet_set_timeout(options.server_alive_interval, - options.server_alive_count_max); /* Indicate OK return */ return 0; @@ -218,30 +294,12 @@ ssh_set_socket_recvbuf(int sock) static int ssh_create_socket(int privileged, struct addrinfo *ai) { - int sock, gaierr; - struct addrinfo hints, *res; + int sock, r, gaierr; + struct addrinfo hints, *res = NULL; - /* - * If we are running as root and want to connect to a privileged - * port, bind our own socket to a privileged port. - */ - if (privileged) { - int p = IPPORT_RESERVED - 1; - PRIV_START; - sock = rresvport_af(&p, ai->ai_family); - PRIV_END; - if (sock < 0) - error("rresvport: af=%d %.100s", ai->ai_family, - strerror(errno)); - else - debug("Allocated local port %d.", p); - if (options.tcp_rcv_buf > 0) - ssh_set_socket_recvbuf(sock); - return sock; - } sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); if (sock < 0) { - error("socket: %.100s", strerror(errno)); + error("socket: %s", strerror(errno)); return -1; } fcntl(sock, F_SETFD, FD_CLOEXEC); @@ -250,28 +308,48 @@ ssh_create_socket(int privileged, struct addrinfo *ai) ssh_set_socket_recvbuf(sock); /* Bind the socket to an alternative local IP address */ - if (options.bind_address == NULL) + if (options.bind_address == NULL && !privileged) return sock; - memset(&hints, 0, sizeof(hints)); - hints.ai_family = ai->ai_family; - hints.ai_socktype = ai->ai_socktype; - hints.ai_protocol = ai->ai_protocol; - hints.ai_flags = AI_PASSIVE; - gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res); - if (gaierr) { - error("getaddrinfo: %s: %s", options.bind_address, - ssh_gai_strerror(gaierr)); - close(sock); - return -1; + if (options.bind_address) { + memset(&hints, 0, sizeof(hints)); + hints.ai_family = ai->ai_family; + hints.ai_socktype = ai->ai_socktype; + hints.ai_protocol = ai->ai_protocol; + hints.ai_flags = AI_PASSIVE; + gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res); + if (gaierr) { + error("getaddrinfo: %s: %s", options.bind_address, + ssh_gai_strerror(gaierr)); + close(sock); + return -1; + } } - if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { - error("bind: %s: %s", options.bind_address, strerror(errno)); - close(sock); - freeaddrinfo(res); - return -1; + /* + * If we are running as root and want to connect to a privileged + * port, bind our own socket to a privileged port. + */ + if (privileged) { + PRIV_START; + r = bindresvport_sa(sock, res ? res->ai_addr : NULL); + PRIV_END; + if (r < 0) { + error("bindresvport_sa: af=%d %s", ai->ai_family, + strerror(errno)); + goto fail; + } + } else { + if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { + error("bind: %s: %s", options.bind_address, + strerror(errno)); + fail: + close(sock); + freeaddrinfo(res); + return -1; + } } - freeaddrinfo(res); + if (res != NULL) + freeaddrinfo(res); return sock; } @@ -344,7 +422,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, fatal("Bogus return (%d) from select()", rc); } - xfree(fdset); + free(fdset); done: if (result == 0 && *timeoutp > 0) { @@ -369,33 +447,18 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, * and %p substituted for host and port, respectively) to use to contact * the daemon. */ -int -ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int family, int connection_attempts, int *timeout_ms, - int want_keepalive, int needpriv, const char *proxy_command) +static int +ssh_connect_direct(const char *host, struct addrinfo *aitop, + struct sockaddr_storage *hostaddr, u_short port, int family, + int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv) { - int gaierr; int on = 1; int sock = -1, attempt; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; - struct addrinfo hints, *ai, *aitop; + struct addrinfo *ai; debug2("ssh_connect: needpriv %d", needpriv); - /* If a proxy command is given, connect using it. */ - if (proxy_command != NULL) - return ssh_proxy_connect(host, port, proxy_command); - - /* No proxy command. */ - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = family; - hints.ai_socktype = SOCK_STREAM; - snprintf(strport, sizeof strport, "%u", port); - if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) - fatal("%s: Could not resolve hostname %.100s: %s", __progname, - host, ssh_gai_strerror(gaierr)); - for (attempt = 0; attempt < connection_attempts; attempt++) { if (attempt > 0) { /* Sleep a moment before retrying. */ @@ -407,7 +470,8 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, * sequence until the connection succeeds. */ for (ai = aitop; ai; ai = ai->ai_next) { - if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) + if (ai->ai_family != AF_INET && + ai->ai_family != AF_INET6) continue; if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), @@ -440,8 +504,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, break; /* Successful connection. */ } - freeaddrinfo(aitop); - /* Return failure if we didn't get a successful connection. */ if (sock == -1) { error("ssh: connect to host %s port %s: %s", @@ -459,12 +521,28 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, /* Set the connection. */ packet_set_connection(sock, sock); - packet_set_timeout(options.server_alive_interval, - options.server_alive_count_max); return 0; } +int +ssh_connect(const char *host, struct addrinfo *addrs, + struct sockaddr_storage *hostaddr, u_short port, int family, + int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv) +{ + if (options.proxy_command == NULL) { + return ssh_connect_direct(host, addrs, hostaddr, port, family, + connection_attempts, timeout_ms, want_keepalive, needpriv); + } else if (strcmp(options.proxy_command, "-") == 0) { + packet_set_connection(STDIN_FILENO, STDOUT_FILENO); + return 0; /* Always succeeds */ + } else if (options.proxy_use_fdpass) { + return ssh_proxy_fdpass_connect(host, port, + options.proxy_command); + } + return ssh_proxy_connect(host, port, options.proxy_command); +} + static void send_client_banner(int connection_out, int minor1) { @@ -562,7 +640,7 @@ ssh_exchange_identification(int timeout_ms) debug("ssh_exchange_identification: %s", buf); } server_version_string = xstrdup(buf); - xfree(fdset); + free(fdset); /* * Check that the versions match. In future this might accept @@ -615,6 +693,12 @@ ssh_exchange_identification(int timeout_ms) fatal("Protocol major versions differ: %d vs. %d", (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, remote_major); + if ((datafellows & SSH_BUG_DERIVEKEY) != 0) + fatal("Server version \"%.100s\" uses unsafe key agreement; " + "refusing connection", remote_version); + if ((datafellows & SSH_BUG_RSASIGMD5) != 0) + logit("Server version \"%.100s\" uses unsafe RSA signature " + "scheme; disabling use of RSA keys", remote_version); if (!client_banner_sent) send_client_banner(connection_out, minor1); chop(server_version_string); @@ -638,8 +722,7 @@ confirm(const char *prompt) ret = 0; if (p && strncasecmp(p, "yes", 3) == 0) ret = 1; - if (p) - xfree(p); + free(p); if (ret != -1) return ret; } @@ -863,8 +946,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, ra = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_RANDOMART); logit("Host key fingerprint is %s\n%s\n", fp, ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } break; case HOST_NEW: @@ -924,8 +1007,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, options.visual_host_key ? "\n" : "", options.visual_host_key ? ra : "", msg2); - xfree(ra); - xfree(fp); + free(ra); + free(fp); if (!confirm(msg)) goto fail; } @@ -1126,8 +1209,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, } } - xfree(ip); - xfree(host); + free(ip); + free(host); if (host_hostkeys != NULL) free_hostkeys(host_hostkeys); if (ip_hostkeys != NULL) @@ -1149,8 +1232,8 @@ fail: } if (raw_key != NULL) key_free(raw_key); - xfree(ip); - xfree(host); + free(ip); + free(host); if (host_hostkeys != NULL) free_hostkeys(host_hostkeys); if (ip_hostkeys != NULL) @@ -1167,7 +1250,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); debug("Server host key: %s %s", key_type(host_key), fp); - xfree(fp); + free(fp); /* XXX certs are not yet supported for DNS */ if (!key_is_cert(host_key) && options.verify_host_key_dns && @@ -1205,7 +1288,7 @@ void ssh_login(Sensitive *sensitive, const char *orighost, struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms) { - char *host, *cp; + char *host; char *server_user, *local_user; local_user = xstrdup(pw->pw_name); @@ -1213,9 +1296,7 @@ ssh_login(Sensitive *sensitive, const char *orighost, /* Convert the user-supplied hostname into all lowercase. */ host = xstrdup(orighost); - for (cp = host; *cp; cp++) - if (isupper(*cp)) - *cp = (char)tolower(*cp); + lowercase(host); /* Exchange protocol version identification strings with the server. */ ssh_exchange_identification(timeout_ms); @@ -1232,7 +1313,7 @@ ssh_login(Sensitive *sensitive, const char *orighost, ssh_kex(host, hostaddr); ssh_userauth1(local_user, server_user, host, sensitive); } - xfree(local_user); + free(local_user); } void @@ -1249,15 +1330,22 @@ ssh_put_password(char *password) padded = xcalloc(1, size); strlcpy(padded, password, size); packet_put_string(padded, size); - memset(padded, 0, size); - xfree(padded); + explicit_bzero(padded, size); + free(padded); } /* print all known host keys for a given host, but skip keys of given type */ static int show_other_keys(struct hostkeys *hostkeys, Key *key) { - int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, KEY_ECDSA, -1}; + int type[] = { + KEY_RSA1, + KEY_RSA, + KEY_DSA, + KEY_ECDSA, + KEY_ED25519, + -1 + }; int i, ret = 0; char *fp, *ra; const struct hostkey_entry *found; @@ -1277,8 +1365,8 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) key_type(found->key), fp); if (options.visual_host_key) logit("%s", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); ret = 1; } return ret; @@ -1301,7 +1389,7 @@ warn_changed_key(Key *host_key) key_type(host_key), fp); error("Please contact your system administrator."); - xfree(fp); + free(fp); } /* diff --git a/crypto/openssh/sshconnect.h b/crypto/openssh/sshconnect.h index fd7f7f7c6..0ea6e99f6 100644 --- a/crypto/openssh/sshconnect.h +++ b/crypto/openssh/sshconnect.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.27 2010/11/29 23:45:51 djm Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.28 2013/10/16 02:31:47 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -31,9 +31,9 @@ struct Sensitive { int external_keysign; }; -int -ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, - int *, int, int, const char *); +struct addrinfo; +int ssh_connect(const char *, struct addrinfo *, struct sockaddr_storage *, + u_short, int, int, int *, int, int); void ssh_kill_proxy_command(void); void ssh_login(Sensitive *, const char *, struct sockaddr *, u_short, diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c index fd07bbf74..921408ec1 100644 --- a/crypto/openssh/sshconnect1.c +++ b/crypto/openssh/sshconnect1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: sshconnect1.c,v 1.74 2014/02/02 03:44:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -19,7 +19,6 @@ #include #include -#include #include #include @@ -47,6 +46,7 @@ #include "canohost.h" #include "hostfile.h" #include "auth.h" +#include "digest.h" /* Session id for the current session. */ u_char session_id[16]; @@ -84,7 +84,7 @@ try_agent_authentication(void) /* Try this identity. */ debug("Trying RSA authentication via agent with '%.100s'", comment); - xfree(comment); + free(comment); /* Tell the server that we are willing to authenticate using this key. */ packet_start(SSH_CMSG_AUTH_RSA); @@ -120,7 +120,7 @@ try_agent_authentication(void) * return a wrong value. */ logit("Authentication agent failed to decrypt challenge."); - memset(response, 0, sizeof(response)); + explicit_bzero(response, sizeof(response)); } key_free(key); debug("Sending response to RSA challenge."); @@ -161,7 +161,7 @@ static void respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) { u_char buf[32], response[16]; - MD5_CTX md; + struct ssh_digest_ctx *md; int i, len; /* Decrypt the challenge using the private key. */ @@ -179,10 +179,12 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) memset(buf, 0, sizeof(buf)); BN_bn2bin(challenge, buf + sizeof(buf) - len); - MD5_Init(&md); - MD5_Update(&md, buf, 32); - MD5_Update(&md, session_id, 16); - MD5_Final(response, &md); + if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || + ssh_digest_update(md, buf, 32) < 0 || + ssh_digest_update(md, session_id, 16) < 0 || + ssh_digest_final(md, response, sizeof(response)) < 0) + fatal("%s: md5 failed", __func__); + ssh_digest_free(md); debug("Sending response to host key RSA challenge."); @@ -193,9 +195,9 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) packet_send(); packet_write_wait(); - memset(buf, 0, sizeof(buf)); - memset(response, 0, sizeof(response)); - memset(&md, 0, sizeof(md)); + explicit_bzero(buf, sizeof(buf)); + explicit_bzero(response, sizeof(response)); + explicit_bzero(&md, sizeof(md)); } /* @@ -231,7 +233,7 @@ try_rsa_authentication(int idx) */ if (type == SSH_SMSG_FAILURE) { debug("Server refused our key."); - xfree(comment); + free(comment); return 0; } /* Otherwise, the server should respond with a challenge. */ @@ -269,15 +271,15 @@ try_rsa_authentication(int idx) debug2("no passphrase given, try next key"); quit = 1; } - memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + explicit_bzero(passphrase, strlen(passphrase)); + free(passphrase); if (private != NULL || quit) break; debug2("bad passphrase given, try again..."); } } /* We no longer need the comment. */ - xfree(comment); + free(comment); if (private == NULL) { if (!options.batch_mode && perm_ok) @@ -412,7 +414,7 @@ try_challenge_response_authentication(void) packet_check_eom(); snprintf(prompt, sizeof prompt, "%s%s", challenge, strchr(challenge, '\n') ? "" : "\nResponse: "); - xfree(challenge); + free(challenge); if (i != 0) error("Permission denied, please try again."); if (options.cipher == SSH_CIPHER_NONE) @@ -420,13 +422,13 @@ try_challenge_response_authentication(void) "Response will be transmitted in clear text."); response = read_passphrase(prompt, 0); if (strcmp(response, "") == 0) { - xfree(response); + free(response); break; } packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); ssh_put_password(response); - memset(response, 0, strlen(response)); - xfree(response); + explicit_bzero(response, strlen(response)); + free(response); packet_send(); packet_write_wait(); type = packet_read(); @@ -458,8 +460,8 @@ try_password_authentication(char *prompt) password = read_passphrase(prompt, 0); packet_start(SSH_CMSG_AUTH_PASSWORD); ssh_put_password(password); - memset(password, 0, strlen(password)); - xfree(password); + explicit_bzero(password, strlen(password)); + free(password); packet_send(); packet_write_wait(); @@ -542,9 +544,6 @@ ssh_kex(char *host, struct sockaddr *hostaddr) derive_ssh1_session_id(host_key->rsa->n, server_key->rsa->n, cookie, session_id); - /* Generate a session key. */ - arc4random_stir(); - /* * Generate an encryption key for the session. The key is a 256 bit * random number, interpreted as a 32-byte key, with the least @@ -653,8 +652,11 @@ ssh_kex(char *host, struct sockaddr *hostaddr) /* Set the encryption key. */ packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher); - /* We will no longer need the session key here. Destroy any extra copies. */ - memset(session_key, 0, sizeof(session_key)); + /* + * We will no longer need the session key here. + * Destroy any extra copies. + */ + explicit_bzero(session_key, sizeof(session_key)); /* * Expect a success message from the server. Note that this message diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c index ad86df77d..eb86ab11b 100644 --- a/crypto/openssh/sshconnect2.c +++ b/crypto/openssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.192 2013/02/17 23:16:57 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.204 2014/02/02 03:44:32 djm Exp $ */ /* $FreeBSD$ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -26,6 +26,7 @@ */ #include "includes.h" +__RCSID("$FreeBSD$"); #include #include @@ -71,8 +72,6 @@ #include "pathnames.h" #include "uidswap.h" #include "hostfile.h" -#include "schnorr.h" -#include "jpake.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -157,10 +156,10 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) if (*first != '\0') debug3("%s: prefer hostkeyalgs: %s", __func__, first); - xfree(first); - xfree(last); - xfree(hostname); - xfree(oavail); + free(first); + free(last); + free(hostname); + free(oavail); free_hostkeys(hostkeys); return ret; @@ -199,17 +198,19 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) } if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - options.hostkeyalgorithms; + compat_pkalg_proposal(options.hostkeyalgorithms); else { /* Prefer algorithms that we already have keys for */ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - order_hostkeyalgs(host, hostaddr, port); + compat_pkalg_proposal( + order_hostkeyalgs(host, hostaddr, port)); } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - if (options.rekey_limit) - packet_set_rekey_limit((u_int32_t)options.rekey_limit); + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); /* start key exchange */ kex = kex_setup(myproposal); @@ -218,6 +219,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; kex->kex[KEX_ECDH_SHA2] = kexecdh_client; + kex->kex[KEX_C25519_SHA256] = kexc25519_client; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; kex->verify_host_key=&verify_host_key_callback; @@ -297,18 +299,12 @@ void input_userauth_error(int, u_int32_t, void *); void input_userauth_info_req(int, u_int32_t, void *); void input_userauth_pk_ok(int, u_int32_t, void *); void input_userauth_passwd_changereq(int, u_int32_t, void *); -void input_userauth_jpake_server_step1(int, u_int32_t, void *); -void input_userauth_jpake_server_step2(int, u_int32_t, void *); -void input_userauth_jpake_server_confirm(int, u_int32_t, void *); int userauth_none(Authctxt *); int userauth_pubkey(Authctxt *); int userauth_passwd(Authctxt *); int userauth_kbdint(Authctxt *); int userauth_hostbased(Authctxt *); -int userauth_jpake(Authctxt *); - -void userauth_jpake_cleanup(Authctxt *); #ifdef GSSAPI int userauth_gssapi(Authctxt *authctxt); @@ -348,13 +344,6 @@ Authmethod authmethods[] = { NULL, &options.pubkey_authentication, NULL}, -#ifdef JPAKE - {"jpake-01@openssh.com", - userauth_jpake, - userauth_jpake_cleanup, - &options.zero_knowledge_password_authentication, - &options.batch_mode}, -#endif {"keyboard-interactive", userauth_kbdint, NULL, @@ -394,7 +383,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, if (packet_remaining() > 0) { char *reply = packet_get_string(NULL); debug2("service_accept: %s", reply); - xfree(reply); + free(reply); } else { debug2("buggy server: service_accept w/o service"); } @@ -464,15 +453,12 @@ userauth(Authctxt *authctxt, char *authlist) if (authctxt->method != NULL && authctxt->method->cleanup != NULL) authctxt->method->cleanup(authctxt); - if (authctxt->methoddata) { - xfree(authctxt->methoddata); - authctxt->methoddata = NULL; - } + free(authctxt->methoddata); + authctxt->methoddata = NULL; if (authlist == NULL) { authlist = authctxt->authlist; } else { - if (authctxt->authlist) - xfree(authctxt->authlist); + free(authctxt->authlist); authctxt->authlist = authlist; } for (;;) { @@ -520,10 +506,10 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt) msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */ strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH); fprintf(stderr, "%s", msg); - xfree(msg); + free(msg); } - xfree(raw); - xfree(lang); + free(raw); + free(lang); } /* ARGSUSED */ @@ -534,16 +520,12 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt) if (authctxt == NULL) fatal("input_userauth_success: no authentication context"); - if (authctxt->authlist) { - xfree(authctxt->authlist); - authctxt->authlist = NULL; - } + free(authctxt->authlist); + authctxt->authlist = NULL; if (authctxt->method != NULL && authctxt->method->cleanup != NULL) authctxt->method->cleanup(authctxt); - if (authctxt->methoddata) { - xfree(authctxt->methoddata); - authctxt->methoddata = NULL; - } + free(authctxt->methoddata); + authctxt->methoddata = NULL; authctxt->success = 1; /* break out */ } @@ -574,8 +556,12 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt) partial = packet_get_char(); packet_check_eom(); - if (partial != 0) + if (partial != 0) { logit("Authenticated with partial success."); + /* reset state */ + pubkey_cleanup(authctxt); + pubkey_prepare(authctxt); + } debug("Authentications that can continue: %s", authlist); userauth(authctxt, authlist); @@ -628,7 +614,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) } fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); debug2("input_userauth_pk_ok: fp %s", fp); - xfree(fp); + free(fp); /* * search keys in the reverse order, because last candidate has been @@ -644,8 +630,8 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) done: if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); /* try another method if we did not send a packet */ if (sent == 0) @@ -783,7 +769,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) if (oidlen <= 2 || oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen - 2) { - xfree(oidv); + free(oidv); debug("Badly encoded mechanism OID received"); userauth(authctxt, NULL); return; @@ -794,7 +780,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) packet_check_eom(); - xfree(oidv); + free(oidv); if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) { /* Start again with next method on list */ @@ -823,7 +809,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) status = process_gssapi_token(ctxt, &recv_tok); - xfree(recv_tok.value); + free(recv_tok.value); if (GSS_ERROR(status)) { /* Start again with the next method in the list */ @@ -840,7 +826,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) Gssctxt *gssctxt; gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; gss_buffer_desc recv_tok; - OM_uint32 status, ms; + OM_uint32 ms; u_int len; if (authctxt == NULL) @@ -853,10 +839,10 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) packet_check_eom(); /* Stick it into GSSAPI and see what it says */ - status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, + (void)ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, &recv_tok, &send_tok, NULL); - xfree(recv_tok.value); + free(recv_tok.value); gss_release_buffer(&ms, &send_tok); /* Server will be returning a failed packet after this one */ @@ -866,20 +852,19 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) void input_gssapi_error(int type, u_int32_t plen, void *ctxt) { - OM_uint32 maj, min; char *msg; char *lang; - maj=packet_get_int(); - min=packet_get_int(); + /* maj */(void)packet_get_int(); + /* min */(void)packet_get_int(); msg=packet_get_string(NULL); lang=packet_get_string(NULL); packet_check_eom(); debug("Server GSSAPI Error:\n%s", msg); - xfree(msg); - xfree(lang); + free(msg); + free(lang); } #endif /* GSSAPI */ @@ -919,8 +904,8 @@ userauth_passwd(Authctxt *authctxt) packet_put_cstring(authctxt->method->name); packet_put_char(0); packet_put_cstring(password); - memset(password, 0, strlen(password)); - xfree(password); + explicit_bzero(password, strlen(password)); + free(password); packet_add_padding(64); packet_send(); @@ -953,8 +938,8 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) lang = packet_get_string(NULL); if (strlen(info) > 0) logit("%s", info); - xfree(info); - xfree(lang); + free(info); + free(lang); packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service); @@ -965,8 +950,8 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) authctxt->server_user, host); password = read_passphrase(prompt, 0); packet_put_cstring(password); - memset(password, 0, strlen(password)); - xfree(password); + explicit_bzero(password, strlen(password)); + free(password); password = NULL; while (password == NULL) { snprintf(prompt, sizeof(prompt), @@ -982,17 +967,17 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) authctxt->server_user, host); retype = read_passphrase(prompt, 0); if (strcmp(password, retype) != 0) { - memset(password, 0, strlen(password)); - xfree(password); + explicit_bzero(password, strlen(password)); + free(password); logit("Mismatch; try again, EOF to quit."); password = NULL; } - memset(retype, 0, strlen(retype)); - xfree(retype); + explicit_bzero(retype, strlen(retype)); + free(retype); } packet_put_cstring(password); - memset(password, 0, strlen(password)); - xfree(password); + explicit_bzero(password, strlen(password)); + free(password); packet_add_padding(64); packet_send(); @@ -1000,209 +985,6 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) &input_userauth_passwd_changereq); } -#ifdef JPAKE -static char * -pw_encrypt(const char *password, const char *crypt_scheme, const char *salt) -{ - /* OpenBSD crypt(3) handles all of these */ - if (strcmp(crypt_scheme, "crypt") == 0 || - strcmp(crypt_scheme, "bcrypt") == 0 || - strcmp(crypt_scheme, "md5crypt") == 0 || - strcmp(crypt_scheme, "crypt-extended") == 0) - return xstrdup(crypt(password, salt)); - error("%s: unsupported password encryption scheme \"%.100s\"", - __func__, crypt_scheme); - return NULL; -} - -static BIGNUM * -jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme, - const char *salt) -{ - char prompt[256], *password, *crypted; - u_char *secret; - u_int secret_len; - BIGNUM *ret; - - snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ", - authctxt->server_user, authctxt->host); - password = read_passphrase(prompt, 0); - - if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) { - logit("Disabling %s authentication", authctxt->method->name); - authctxt->method->enabled = NULL; - /* Continue with an empty password to fail gracefully */ - crypted = xstrdup(""); - } - -#ifdef JPAKE_DEBUG - debug3("%s: salt = %s", __func__, salt); - debug3("%s: scheme = %s", __func__, crypt_scheme); - debug3("%s: crypted = %s", __func__, crypted); -#endif - - if (hash_buffer(crypted, strlen(crypted), EVP_sha256(), - &secret, &secret_len) != 0) - fatal("%s: hash_buffer", __func__); - - bzero(password, strlen(password)); - bzero(crypted, strlen(crypted)); - xfree(password); - xfree(crypted); - - if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL) - fatal("%s: BN_bin2bn (secret)", __func__); - bzero(secret, secret_len); - xfree(secret); - - return ret; -} - -/* ARGSUSED */ -void -input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt) -{ - Authctxt *authctxt = ctxt; - struct jpake_ctx *pctx = authctxt->methoddata; - u_char *x3_proof, *x4_proof, *x2_s_proof; - u_int x3_proof_len, x4_proof_len, x2_s_proof_len; - char *crypt_scheme, *salt; - - /* Disable this message */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL); - - if ((pctx->g_x3 = BN_new()) == NULL || - (pctx->g_x4 = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - - /* Fetch step 1 values */ - crypt_scheme = packet_get_string(NULL); - salt = packet_get_string(NULL); - pctx->server_id = packet_get_string(&pctx->server_id_len); - packet_get_bignum2(pctx->g_x3); - packet_get_bignum2(pctx->g_x4); - x3_proof = packet_get_string(&x3_proof_len); - x4_proof = packet_get_string(&x4_proof_len); - packet_check_eom(); - - JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__)); - - /* Obtain password and derive secret */ - pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt); - bzero(crypt_scheme, strlen(crypt_scheme)); - bzero(salt, strlen(salt)); - xfree(crypt_scheme); - xfree(salt); - JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__)); - - /* Calculate step 2 values */ - jpake_step2(pctx->grp, pctx->s, pctx->g_x1, - pctx->g_x3, pctx->g_x4, pctx->x2, - pctx->server_id, pctx->server_id_len, - pctx->client_id, pctx->client_id_len, - x3_proof, x3_proof_len, - x4_proof, x4_proof_len, - &pctx->a, - &x2_s_proof, &x2_s_proof_len); - - bzero(x3_proof, x3_proof_len); - bzero(x4_proof, x4_proof_len); - xfree(x3_proof); - xfree(x4_proof); - - JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__)); - - /* Send values for step 2 */ - packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2); - packet_put_bignum2(pctx->a); - packet_put_string(x2_s_proof, x2_s_proof_len); - packet_send(); - - bzero(x2_s_proof, x2_s_proof_len); - xfree(x2_s_proof); - - /* Expect step 2 packet from peer */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, - input_userauth_jpake_server_step2); -} - -/* ARGSUSED */ -void -input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt) -{ - Authctxt *authctxt = ctxt; - struct jpake_ctx *pctx = authctxt->methoddata; - u_char *x4_s_proof; - u_int x4_s_proof_len; - - /* Disable this message */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL); - - if ((pctx->b = BN_new()) == NULL) - fatal("%s: BN_new", __func__); - - /* Fetch step 2 values */ - packet_get_bignum2(pctx->b); - x4_s_proof = packet_get_string(&x4_s_proof_len); - packet_check_eom(); - - JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__)); - - /* Derive shared key and calculate confirmation hash */ - jpake_key_confirm(pctx->grp, pctx->s, pctx->b, - pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4, - pctx->client_id, pctx->client_id_len, - pctx->server_id, pctx->server_id_len, - session_id2, session_id2_len, - x4_s_proof, x4_s_proof_len, - &pctx->k, - &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len); - - bzero(x4_s_proof, x4_s_proof_len); - xfree(x4_s_proof); - - JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); - - /* Send key confirmation proof */ - packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM); - packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len); - packet_send(); - - /* Expect confirmation from peer */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, - input_userauth_jpake_server_confirm); -} - -/* ARGSUSED */ -void -input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt) -{ - Authctxt *authctxt = ctxt; - struct jpake_ctx *pctx = authctxt->methoddata; - - /* Disable this message */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL); - - pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len); - packet_check_eom(); - - JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__)); - - /* Verify expected confirmation hash */ - if (jpake_check_confirm(pctx->k, - pctx->server_id, pctx->server_id_len, - session_id2, session_id2_len, - pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1) - debug("%s: %s success", __func__, authctxt->method->name); - else { - debug("%s: confirmation mismatch", __func__); - /* XXX stash this so if auth succeeds then we can warn/kill */ - } - - userauth_jpake_cleanup(authctxt); -} -#endif /* JPAKE */ - static int identity_sign(Identity *id, u_char **sigp, u_int *lenp, u_char *data, u_int datalen) @@ -1241,7 +1023,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); - xfree(fp); + free(fp); if (key_to_blob(id->key, &blob, &bloblen) == 0) { /* we cannot handle this key */ @@ -1276,7 +1058,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) ret = identity_sign(id, &signature, &slen, buffer_ptr(&b), buffer_len(&b)); if (ret == -1) { - xfree(blob); + free(blob); buffer_free(&b); return 0; } @@ -1296,11 +1078,11 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) buffer_put_cstring(&b, key_ssh_name(id->key)); buffer_put_string(&b, blob, bloblen); } - xfree(blob); + free(blob); /* append signature */ buffer_put_string(&b, signature, slen); - xfree(signature); + free(signature); /* skip session id and packet type */ if (buffer_len(&b) < skip + 1) @@ -1340,7 +1122,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id) if (!(datafellows & SSH_BUG_PKAUTH)) packet_put_cstring(key_ssh_name(id->key)); packet_put_string(blob, bloblen); - xfree(blob); + free(blob); packet_send(); return 1; } @@ -1359,8 +1141,11 @@ load_identity_file(char *filename, int userprovided) return NULL; } private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); - if (!perm_ok) + if (!perm_ok) { + if (private != NULL) + key_free(private); return NULL; + } if (private == NULL) { if (options.batch_mode) return NULL; @@ -1376,8 +1161,8 @@ load_identity_file(char *filename, int userprovided) debug2("no passphrase given, try next key"); quit = 1; } - memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + explicit_bzero(passphrase, strlen(passphrase)); + free(passphrase); if (private != NULL || quit) break; debug2("bad passphrase given, try again..."); @@ -1440,7 +1225,7 @@ pubkey_prepare(Authctxt *authctxt) /* If IdentitiesOnly set and key not found then don't use it */ if (!found && options.identities_only) { TAILQ_REMOVE(&files, id, next); - bzero(id, sizeof(id)); + explicit_bzero(id, sizeof(*id)); free(id); } } @@ -1454,7 +1239,7 @@ pubkey_prepare(Authctxt *authctxt) /* agent keys from the config file are preferred */ if (key_equal(key, id->key)) { key_free(key); - xfree(comment); + free(comment); TAILQ_REMOVE(&files, id, next); TAILQ_INSERT_TAIL(preferred, id, next); id->ac = ac; @@ -1500,9 +1285,8 @@ pubkey_cleanup(Authctxt *authctxt) TAILQ_REMOVE(&authctxt->keys, id, next); if (id->key) key_free(id->key); - if (id->filename) - xfree(id->filename); - xfree(id); + free(id->filename); + free(id); } } @@ -1523,17 +1307,31 @@ userauth_pubkey(Authctxt *authctxt) * encrypted keys we cannot do this and have to load the * private key instead */ - if (id->key && id->key->type != KEY_RSA1) { - debug("Offering %s public key: %s", key_type(id->key), - id->filename); - sent = send_pubkey_test(authctxt, id); - } else if (id->key == NULL) { + if (id->key != NULL) { + if (key_type_plain(id->key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + debug("Skipped %s key %s for RSA/MD5 server", + key_type(id->key), id->filename); + } else if (id->key->type != KEY_RSA1) { + debug("Offering %s public key: %s", + key_type(id->key), id->filename); + sent = send_pubkey_test(authctxt, id); + } + } else { debug("Trying private key: %s", id->filename); id->key = load_identity_file(id->filename, id->userprovided); if (id->key != NULL) { id->isprivate = 1; - sent = sign_and_send_pubkey(authctxt, id); + if (key_type_plain(id->key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + debug("Skipped %s key %s for RSA/MD5 " + "server", key_type(id->key), + id->filename); + } else { + sent = sign_and_send_pubkey( + authctxt, id); + } key_free(id->key); id->key = NULL; } @@ -1600,9 +1398,9 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt) logit("%s", name); if (strlen(inst) > 0) logit("%s", inst); - xfree(name); - xfree(inst); - xfree(lang); + free(name); + free(inst); + free(lang); num_prompts = packet_get_int(); /* @@ -1622,9 +1420,9 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt) response = read_passphrase(prompt, echo ? RP_ECHO : 0); packet_put_cstring(response); - memset(response, 0, strlen(response)); - xfree(response); - xfree(prompt); + explicit_bzero(response, strlen(response)); + free(response); + free(prompt); } packet_check_eom(); /* done with parsing incoming message. */ @@ -1744,12 +1542,12 @@ userauth_hostbased(Authctxt *authctxt) if (p == NULL) { error("userauth_hostbased: cannot get local ipaddr/name"); key_free(private); - xfree(blob); + free(blob); return 0; } xasprintf(&chost, "%s.", p); debug2("userauth_hostbased: chost %s", chost); - xfree(p); + free(p); service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; @@ -1778,9 +1576,9 @@ userauth_hostbased(Authctxt *authctxt) buffer_free(&b); if (ok != 0) { error("key_sign failed"); - xfree(chost); - xfree(pkalg); - xfree(blob); + free(chost); + free(pkalg); + free(blob); return 0; } packet_start(SSH2_MSG_USERAUTH_REQUEST); @@ -1792,89 +1590,16 @@ userauth_hostbased(Authctxt *authctxt) packet_put_cstring(chost); packet_put_cstring(authctxt->local_user); packet_put_string(signature, slen); - memset(signature, 's', slen); - xfree(signature); - xfree(chost); - xfree(pkalg); - xfree(blob); + explicit_bzero(signature, slen); + free(signature); + free(chost); + free(pkalg); + free(blob); packet_send(); return 1; } -#ifdef JPAKE -int -userauth_jpake(Authctxt *authctxt) -{ - struct jpake_ctx *pctx; - u_char *x1_proof, *x2_proof; - u_int x1_proof_len, x2_proof_len; - static int attempt = 0; /* XXX share with userauth_password's? */ - - if (attempt++ >= options.number_of_password_prompts) - return 0; - if (attempt != 1) - error("Permission denied, please try again."); - - if (authctxt->methoddata != NULL) - fatal("%s: authctxt->methoddata already set (%p)", - __func__, authctxt->methoddata); - - authctxt->methoddata = pctx = jpake_new(); - - /* - * Send request immediately, to get the protocol going while - * we do the initial computations. - */ - packet_start(SSH2_MSG_USERAUTH_REQUEST); - packet_put_cstring(authctxt->server_user); - packet_put_cstring(authctxt->service); - packet_put_cstring(authctxt->method->name); - packet_send(); - packet_write_wait(); - - jpake_step1(pctx->grp, - &pctx->client_id, &pctx->client_id_len, - &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2, - &x1_proof, &x1_proof_len, - &x2_proof, &x2_proof_len); - - JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__)); - - packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1); - packet_put_string(pctx->client_id, pctx->client_id_len); - packet_put_bignum2(pctx->g_x1); - packet_put_bignum2(pctx->g_x2); - packet_put_string(x1_proof, x1_proof_len); - packet_put_string(x2_proof, x2_proof_len); - packet_send(); - - bzero(x1_proof, x1_proof_len); - bzero(x2_proof, x2_proof_len); - xfree(x1_proof); - xfree(x2_proof); - - /* Expect step 1 packet from peer */ - dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, - input_userauth_jpake_server_step1); - dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, - &input_userauth_success_unexpected); - - return 1; -} - -void -userauth_jpake_cleanup(Authctxt *authctxt) -{ - debug3("%s: clean up", __func__); - if (authctxt->methoddata != NULL) { - jpake_free(authctxt->methoddata); - authctxt->methoddata = NULL; - } - dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success); -} -#endif /* JPAKE */ - /* find auth method */ /* @@ -1929,8 +1654,7 @@ authmethod_get(char *authlist) if (supported == NULL || strcmp(authlist, supported) != 0) { debug3("start over, passed a different list %s", authlist); - if (supported != NULL) - xfree(supported); + free(supported); supported = xstrdup(authlist); preferred = options.preferred_authentications; debug3("preferred %s", preferred); @@ -1951,9 +1675,10 @@ authmethod_get(char *authlist) authmethod_is_enabled(current)) { debug3("authmethod_is_enabled %s", name); debug("Next authentication method: %s", name); - xfree(name); + free(name); return current; } + free(name); } } diff --git a/crypto/openssh/sshd.0 b/crypto/openssh/sshd.0 new file mode 100644 index 000000000..c61d51535 --- /dev/null +++ b/crypto/openssh/sshd.0 @@ -0,0 +1,643 @@ +SSHD(8) OpenBSD System Manager's Manual SSHD(8) + +NAME + sshd - OpenSSH SSH daemon + +SYNOPSIS + sshd [-46DdeiqTt] [-b bits] [-C connection_spec] + [-c host_certificate_file] [-E log_file] [-f config_file] + [-g login_grace_time] [-h host_key_file] [-k key_gen_time] + [-o option] [-p port] [-u len] + +DESCRIPTION + sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these + programs replace rlogin(1) and rsh(1), and provide secure encrypted + communications between two untrusted hosts over an insecure network. + + sshd listens for connections from clients. It is normally started at + boot from /etc/rc. It forks a new daemon for each incoming connection. + The forked daemons handle key exchange, encryption, authentication, + command execution, and data exchange. + + sshd can be configured using command-line options or a configuration file + (by default sshd_config(5)); command-line options override values + specified in the configuration file. sshd rereads its configuration file + when it receives a hangup signal, SIGHUP, by executing itself with the + name and options it was started with, e.g. /usr/sbin/sshd. + + The options are as follows: + + -4 Forces sshd to use IPv4 addresses only. + + -6 Forces sshd to use IPv6 addresses only. + + -b bits + Specifies the number of bits in the ephemeral protocol version 1 + server key (default 1024). + + -C connection_spec + Specify the connection parameters to use for the -T extended test + mode. If provided, any Match directives in the configuration + file that would apply to the specified user, host, and address + will be set before the configuration is written to standard + output. The connection parameters are supplied as keyword=value + pairs. The keywords are ``user'', ``host'', ``laddr'', + ``lport'', and ``addr''. All are required and may be supplied in + any order, either with multiple -C options or as a comma- + separated list. + + -c host_certificate_file + Specifies a path to a certificate file to identify sshd during + key exchange. The certificate file must match a host key file + specified using the -h option or the HostKey configuration + directive. + + -D When this option is specified, sshd will not detach and does not + become a daemon. This allows easy monitoring of sshd. + + -d Debug mode. The server sends verbose debug output to standard + error, and does not put itself in the background. The server + also will not fork and will only process one connection. This + option is only intended for debugging for the server. Multiple + -d options increase the debugging level. Maximum is 3. + + -E log_file + Append debug logs to log_file instead of the system log. + + -e Write debug logs to standard error instead of the system log. + + -f config_file + Specifies the name of the configuration file. The default is + /etc/ssh/sshd_config. sshd refuses to start if there is no + configuration file. + + -g login_grace_time + Gives the grace time for clients to authenticate themselves + (default 120 seconds). If the client fails to authenticate the + user within this many seconds, the server disconnects and exits. + A value of zero indicates no limit. + + -h host_key_file + Specifies a file from which a host key is read. This option must + be given if sshd is not run as root (as the normal host key files + are normally not readable by anyone but root). The default is + /etc/ssh/ssh_host_key for protocol version 1, and + /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key. + /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for + protocol version 2. It is possible to have multiple host key + files for the different protocol versions and host key + algorithms. + + -i Specifies that sshd is being run from inetd(8). sshd is normally + not run from inetd because it needs to generate the server key + before it can respond to the client, and this may take tens of + seconds. Clients would have to wait too long if the key was + regenerated every time. However, with small key sizes (e.g. 512) + using sshd from inetd may be feasible. + + -k key_gen_time + Specifies how often the ephemeral protocol version 1 server key + is regenerated (default 3600 seconds, or one hour). The + motivation for regenerating the key fairly often is that the key + is not stored anywhere, and after about an hour it becomes + impossible to recover the key for decrypting intercepted + communications even if the machine is cracked into or physically + seized. A value of zero indicates that the key will never be + regenerated. + + -o option + Can be used to give options in the format used in the + configuration file. This is useful for specifying options for + which there is no separate command-line flag. For full details + of the options, and their values, see sshd_config(5). + + -p port + Specifies the port on which the server listens for connections + (default 22). Multiple port options are permitted. Ports + specified in the configuration file with the Port option are + ignored when a command-line port is specified. Ports specified + using the ListenAddress option override command-line ports. + + -q Quiet mode. Nothing is sent to the system log. Normally the + beginning, authentication, and termination of each connection is + logged. + + -T Extended test mode. Check the validity of the configuration + file, output the effective configuration to stdout and then exit. + Optionally, Match rules may be applied by specifying the + connection parameters using one or more -C options. + + -t Test mode. Only check the validity of the configuration file and + sanity of the keys. This is useful for updating sshd reliably as + configuration options may change. + + -u len This option is used to specify the size of the field in the utmp + structure that holds the remote host name. If the resolved host + name is longer than len, the dotted decimal value will be used + instead. This allows hosts with very long host names that + overflow this field to still be uniquely identified. Specifying + -u0 indicates that only dotted decimal addresses should be put + into the utmp file. -u0 may also be used to prevent sshd from + making DNS requests unless the authentication mechanism or + configuration requires it. Authentication mechanisms that may + require DNS include RhostsRSAAuthentication, + HostbasedAuthentication, and using a from="pattern-list" option + in a key file. Configuration options that require DNS include + using a USER@HOST pattern in AllowUsers or DenyUsers. + +AUTHENTICATION + The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to + use protocol 2 only, though this can be changed via the Protocol option + in sshd_config(5). Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys; + protocol 1 only supports RSA keys. For both protocols, each host has a + host-specific key, normally 2048 bits, used to identify the host. + + Forward security for protocol 1 is provided through an additional server + key, normally 768 bits, generated when the server starts. This key is + normally regenerated every hour if it has been used, and is never stored + on disk. Whenever a client connects, the daemon responds with its public + host and server keys. The client compares the RSA host key against its + own database to verify that it has not changed. The client then + generates a 256-bit random number. It encrypts this random number using + both the host key and the server key, and sends the encrypted number to + the server. Both sides then use this random number as a session key + which is used to encrypt all further communications in the session. The + rest of the session is encrypted using a conventional cipher, currently + Blowfish or 3DES, with 3DES being used by default. The client selects + the encryption algorithm to use from those offered by the server. + + For protocol 2, forward security is provided through a Diffie-Hellman key + agreement. This key agreement results in a shared session key. The rest + of the session is encrypted using a symmetric cipher, currently 128-bit + AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The + client selects the encryption algorithm to use from those offered by the + server. Additionally, session integrity is provided through a + cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64, + umac-128, hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512). + + Finally, the server and the client enter an authentication dialog. The + client tries to authenticate itself using host-based authentication, + public key authentication, challenge-response authentication, or password + authentication. + + Regardless of the authentication type, the account is checked to ensure + that it is accessible. An account is not accessible if it is locked, + listed in DenyUsers or its group is listed in DenyGroups . The + definition of a locked account is system dependant. Some platforms have + their own account database (eg AIX) and some modify the passwd field ( + `*LK*' on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on + Tru64, a leading `*LOCKED*' on FreeBSD and a leading `!' on most + Linuxes). If there is a requirement to disable password authentication + for the account while allowing still public-key, then the passwd field + should be set to something other than these values (eg `NP' or `*NP*' ). + + If the client successfully authenticates itself, a dialog for preparing + the session is entered. At this time the client may request things like + allocating a pseudo-tty, forwarding X11 connections, forwarding TCP + connections, or forwarding the authentication agent connection over the + secure channel. + + After this, the client either requests a shell or execution of a command. + The sides then enter session mode. In this mode, either side may send + data at any time, and such data is forwarded to/from the shell or command + on the server side, and the user terminal in the client side. + + When the user program terminates and all forwarded X11 and other + connections have been closed, the server sends command exit status to the + client, and both sides exit. + +LOGIN PROCESS + When a user successfully logs in, sshd does the following: + + 1. If the login is on a tty, and no command has been specified, + prints last login time and /etc/motd (unless prevented in the + configuration file or by ~/.hushlogin; see the FILES section). + + 2. If the login is on a tty, records login time. + + 3. Checks /etc/nologin; if it exists, prints contents and quits + (unless root). + + 4. Changes to run with normal user privileges. + + 5. Sets up basic environment. + + 6. Reads the file ~/.ssh/environment, if it exists, and users are + allowed to change their environment. See the + PermitUserEnvironment option in sshd_config(5). + + 7. Changes to user's home directory. + + 8. If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, + runs it; otherwise runs xauth. The ``rc'' files are given the + X11 authentication protocol and cookie in standard input. See + SSHRC, below. + + 9. Runs user's shell or command. + +SSHRC + If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment + files but before starting the user's shell or command. It must not + produce any output on stdout; stderr must be used instead. If X11 + forwarding is in use, it will receive the "proto cookie" pair in its + standard input (and DISPLAY in its environment). The script must call + xauth(1) because sshd will not run xauth automatically to add X11 + cookies. + + The primary purpose of this file is to run any initialization routines + which may be needed before the user's home directory becomes accessible; + AFS is a particular example of such an environment. + + This file will probably contain some initialization code followed by + something similar to: + + if read proto cookie && [ -n "$DISPLAY" ]; then + if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then + # X11UseLocalhost=yes + echo add unix:`echo $DISPLAY | + cut -c11-` $proto $cookie + else + # X11UseLocalhost=no + echo add $DISPLAY $proto $cookie + fi | xauth -q - + fi + + If this file does not exist, /etc/ssh/sshrc is run, and if that does not + exist either, xauth is used to add the cookie. + +AUTHORIZED_KEYS FILE FORMAT + AuthorizedKeysFile specifies the files containing public keys for public + key authentication; if none is specified, the default is + ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the + file contains one key (empty lines and lines starting with a `#' are + ignored as comments). Protocol 1 public keys consist of the following + space-separated fields: options, bits, exponent, modulus, comment. + Protocol 2 public key consist of: options, keytype, base64-encoded key, + comment. The options field is optional; its presence is determined by + whether the line starts with a number or not (the options field never + starts with a number). The bits, exponent, modulus, and comment fields + give the RSA key for protocol version 1; the comment field is not used + for anything (but may be convenient for the user to identify the key). + For protocol version 2 the keytype is ``ecdsa-sha2-nistp256'', + ``ecdsa-sha2-nistp384'', ``ecdsa-sha2-nistp521'', ``ssh-ed25519'', + ``ssh-dss'' or ``ssh-rsa''. + + Note that lines in this file are usually several hundred bytes long + (because of the size of the public key encoding) up to a limit of 8 + kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 + kilobits. You don't want to type them in; instead, copy the + identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub + file and edit it. + + sshd enforces a minimum RSA key modulus size for protocol 1 and protocol + 2 keys of 768 bits. + + The options (if present) consist of comma-separated option + specifications. No spaces are permitted, except within double quotes. + The following option specifications are supported (note that option + keywords are case-insensitive): + + cert-authority + Specifies that the listed key is a certification authority (CA) + that is trusted to validate signed certificates for user + authentication. + + Certificates may encode access restrictions similar to these key + options. If both certificate restrictions and key options are + present, the most restrictive union of the two is applied. + + command="command" + Specifies that the command is executed whenever this key is used + for authentication. The command supplied by the user (if any) is + ignored. The command is run on a pty if the client requests a + pty; otherwise it is run without a tty. If an 8-bit clean + channel is required, one must not request a pty or should specify + no-pty. A quote may be included in the command by quoting it + with a backslash. This option might be useful to restrict + certain public keys to perform just a specific operation. An + example might be a key that permits remote backups but nothing + else. Note that the client may specify TCP and/or X11 forwarding + unless they are explicitly prohibited. The command originally + supplied by the client is available in the SSH_ORIGINAL_COMMAND + environment variable. Note that this option applies to shell, + command or subsystem execution. Also note that this command may + be superseded by either a sshd_config(5) ForceCommand directive + or a command embedded in a certificate. + + environment="NAME=value" + Specifies that the string is to be added to the environment when + logging in using this key. Environment variables set this way + override other default environment values. Multiple options of + this type are permitted. Environment processing is disabled by + default and is controlled via the PermitUserEnvironment option. + This option is automatically disabled if UseLogin is enabled. + + from="pattern-list" + Specifies that in addition to public key authentication, either + the canonical name of the remote host or its IP address must be + present in the comma-separated list of patterns. See PATTERNS in + ssh_config(5) for more information on patterns. + + In addition to the wildcard matching that may be applied to + hostnames or addresses, a from stanza may match IP addresses + using CIDR address/masklen notation. + + The purpose of this option is to optionally increase security: + public key authentication by itself does not trust the network or + name servers or anything (but the key); however, if somebody + somehow steals the key, the key permits an intruder to log in + from anywhere in the world. This additional option makes using a + stolen key more difficult (name servers and/or routers would have + to be compromised in addition to just the key). + + no-agent-forwarding + Forbids authentication agent forwarding when this key is used for + authentication. + + no-port-forwarding + Forbids TCP forwarding when this key is used for authentication. + Any port forward requests by the client will return an error. + This might be used, e.g. in connection with the command option. + + no-pty Prevents tty allocation (a request to allocate a pty will fail). + + no-user-rc + Disables execution of ~/.ssh/rc. + + no-X11-forwarding + Forbids X11 forwarding when this key is used for authentication. + Any X11 forward requests by the client will return an error. + + permitopen="host:port" + Limit local ``ssh -L'' port forwarding such that it may only + connect to the specified host and port. IPv6 addresses can be + specified by enclosing the address in square brackets. Multiple + permitopen options may be applied separated by commas. No + pattern matching is performed on the specified hostnames, they + must be literal domains or addresses. A port specification of * + matches any port. + + principals="principals" + On a cert-authority line, specifies allowed principals for + certificate authentication as a comma-separated list. At least + one name from the list must appear in the certificate's list of + principals for the certificate to be accepted. This option is + ignored for keys that are not marked as trusted certificate + signers using the cert-authority option. + + tunnel="n" + Force a tun(4) device on the server. Without this option, the + next available device will be used if the client requests a + tunnel. + + An example authorized_keys file: + + # Comments allowed at start of line + ssh-rsa AAAAB3Nza...LiPk== user@example.net + from="*.sales.example.net,!pc.sales.example.net" ssh-rsa + AAAAB2...19Q== john@example.net + command="dump /home",no-pty,no-port-forwarding ssh-dss + AAAAC3...51R== example.net + permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss + AAAAB5...21S== + tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== + jane@example.net + +SSH_KNOWN_HOSTS FILE FORMAT + The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host + public keys for all known hosts. The global file should be prepared by + the administrator (optional), and the per-user file is maintained + automatically: whenever the user connects from an unknown host, its key + is added to the per-user file. + + Each line in these files contains the following fields: markers + (optional), hostnames, bits, exponent, modulus, comment. The fields are + separated by spaces. + + The marker is optional, but if it is present then it must be one of + ``@cert-authority'', to indicate that the line contains a certification + authority (CA) key, or ``@revoked'', to indicate that the key contained + on the line is revoked and must not ever be accepted. Only one marker + should be used on a key line. + + Hostnames is a comma-separated list of patterns (`*' and `?' act as + wildcards); each pattern in turn is matched against the canonical host + name (when authenticating a client) or against the user-supplied name + (when authenticating a server). A pattern may also be preceded by `!' to + indicate negation: if the host name matches a negated pattern, it is not + accepted (by that line) even if it matched another pattern on the line. + A hostname or address may optionally be enclosed within `[' and `]' + brackets then followed by `:' and a non-standard port number. + + Alternately, hostnames may be stored in a hashed form which hides host + names and addresses should the file's contents be disclosed. Hashed + hostnames start with a `|' character. Only one hashed hostname may + appear on a single line and none of the above negation or wildcard + operators may be applied. + + Bits, exponent, and modulus are taken directly from the RSA host key; + they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The + optional comment field continues to the end of the line, and is not used. + + Lines starting with `#' and empty lines are ignored as comments. + + When performing host authentication, authentication is accepted if any + matching line has the proper key; either one that matches exactly or, if + the server has presented a certificate for authentication, the key of the + certification authority that signed the certificate. For a key to be + trusted as a certification authority, it must use the ``@cert-authority'' + marker described above. + + The known hosts file also provides a facility to mark keys as revoked, + for example when it is known that the associated private key has been + stolen. Revoked keys are specified by including the ``@revoked'' marker + at the beginning of the key line, and are never accepted for + authentication or as certification authorities, but instead will produce + a warning from ssh(1) when they are encountered. + + It is permissible (but not recommended) to have several lines or + different host keys for the same names. This will inevitably happen when + short forms of host names from different domains are put in the file. It + is possible that the files contain conflicting information; + authentication is accepted if valid information can be found from either + file. + + Note that the lines in these files are typically hundreds of characters + long, and you definitely don't want to type in the host keys by hand. + Rather, generate them by a script, ssh-keyscan(1) or by taking + /etc/ssh/ssh_host_key.pub and adding the host names at the front. + ssh-keygen(1) also offers some basic automated editing for + ~/.ssh/known_hosts including removing hosts matching a host name and + converting all host names to their hashed representations. + + An example ssh_known_hosts file: + + # Comments allowed at start of line + closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net + cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....= + # A hashed hostname + |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa + AAAA1234.....= + # A revoked key + @revoked * ssh-rsa AAAAB5W... + # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org + @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W... + +FILES + ~/.hushlogin + This file is used to suppress printing the last login time and + /etc/motd, if PrintLastLog and PrintMotd, respectively, are + enabled. It does not suppress printing of the banner specified + by Banner. + + ~/.rhosts + This file is used for host-based authentication (see ssh(1) for + more information). On some machines this file may need to be + world-readable if the user's home directory is on an NFS + partition, because sshd reads it as root. Additionally, this + file must be owned by the user, and must not have write + permissions for anyone else. The recommended permission for most + machines is read/write for the user, and not accessible by + others. + + ~/.shosts + This file is used in exactly the same way as .rhosts, but allows + host-based authentication without permitting login with + rlogin/rsh. + + ~/.ssh/ + This directory is the default location for all user-specific + configuration and authentication information. There is no + general requirement to keep the entire contents of this directory + secret, but the recommended permissions are read/write/execute + for the user, and not accessible by others. + + ~/.ssh/authorized_keys + Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used + for logging in as this user. The format of this file is + described above. The content of the file is not highly + sensitive, but the recommended permissions are read/write for the + user, and not accessible by others. + + If this file, the ~/.ssh directory, or the user's home directory + are writable by other users, then the file could be modified or + replaced by unauthorized users. In this case, sshd will not + allow it to be used unless the StrictModes option has been set to + ``no''. + + ~/.ssh/environment + This file is read into the environment at login (if it exists). + It can only contain empty lines, comment lines (that start with + `#'), and assignment lines of the form name=value. The file + should be writable only by the user; it need not be readable by + anyone else. Environment processing is disabled by default and + is controlled via the PermitUserEnvironment option. + + ~/.ssh/known_hosts + Contains a list of host keys for all hosts the user has logged + into that are not already in the systemwide list of known host + keys. The format of this file is described above. This file + should be writable only by root/the owner and can, but need not + be, world-readable. + + ~/.ssh/rc + Contains initialization routines to be run before the user's home + directory becomes accessible. This file should be writable only + by the user, and need not be readable by anyone else. + + /etc/hosts.allow + /etc/hosts.deny + Access controls that should be enforced by tcp-wrappers are + defined here. Further details are described in hosts_access(5). + + /etc/hosts.equiv + This file is for host-based authentication (see ssh(1)). It + should only be writable by root. + + /etc/moduli + Contains Diffie-Hellman groups used for the "Diffie-Hellman Group + Exchange". The file format is described in moduli(5). + + /etc/motd + See motd(5). + + /etc/nologin + If this file exists, sshd refuses to let anyone except root log + in. The contents of the file are displayed to anyone trying to + log in, and non-root connections are refused. The file should be + world-readable. + + /etc/shosts.equiv + This file is used in exactly the same way as hosts.equiv, but + allows host-based authentication without permitting login with + rlogin/rsh. + + /etc/ssh/ssh_host_key + /etc/ssh/ssh_host_dsa_key + /etc/ssh/ssh_host_ecdsa_key + /etc/ssh/ssh_host_ed25519_key + /etc/ssh/ssh_host_rsa_key + These files contain the private parts of the host keys. These + files should only be owned by root, readable only by root, and + not accessible to others. Note that sshd does not start if these + files are group/world-accessible. + + /etc/ssh/ssh_host_key.pub + /etc/ssh/ssh_host_dsa_key.pub + /etc/ssh/ssh_host_ecdsa_key.pub + /etc/ssh/ssh_host_ed25519_key.pub + /etc/ssh/ssh_host_rsa_key.pub + These files contain the public parts of the host keys. These + files should be world-readable but writable only by root. Their + contents should match the respective private parts. These files + are not really used for anything; they are provided for the + convenience of the user so their contents can be copied to known + hosts files. These files are created using ssh-keygen(1). + + /etc/ssh/ssh_known_hosts + Systemwide list of known host keys. This file should be prepared + by the system administrator to contain the public host keys of + all machines in the organization. The format of this file is + described above. This file should be writable only by root/the + owner and should be world-readable. + + /etc/ssh/sshd_config + Contains configuration data for sshd. The file format and + configuration options are described in sshd_config(5). + + /etc/ssh/sshrc + Similar to ~/.ssh/rc, it can be used to specify machine-specific + login-time initializations globally. This file should be + writable only by root, and should be world-readable. + + /var/empty + chroot(2) directory used by sshd during privilege separation in + the pre-authentication phase. The directory should not contain + any files and must be owned by root and not group or world- + writable. + + /var/run/sshd.pid + Contains the process ID of the sshd listening for connections (if + there are several daemons running concurrently for different + ports, this contains the process ID of the one started last). + The content of this file is not sensitive; it can be world- + readable. + +SEE ALSO + scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), + ssh-keyscan(1), chroot(2), hosts_access(5), login.conf(5), moduli(5), + sshd_config(5), inetd(8), sftp-server(8) + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +CAVEATS + System security is not improved unless rshd, rlogind, and rexecd are + disabled (thus completely disabling rlogin and rsh into the machine). + +OpenBSD 5.5 December 7, 2013 OpenBSD 5.5 diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8 index 6ea2a4b6d..b9ae6ffc0 100644 --- a/crypto/openssh/sshd.8 +++ b/crypto/openssh/sshd.8 @@ -33,9 +33,9 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $ +.\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $ .\" $FreeBSD$ -.Dd October 4, 2012 +.Dd December 7, 2013 .Dt SSHD 8 .Os .Sh NAME @@ -48,6 +48,7 @@ .Op Fl b Ar bits .Op Fl C Ar connection_spec .Op Fl c Ar host_certificate_file +.Op Fl E Ar log_file .Op Fl f Ar config_file .Op Fl g Ar login_grace_time .Op Fl h Ar host_key_file @@ -147,10 +148,12 @@ Multiple .Fl d options increase the debugging level. Maximum is 3. +.It Fl E Ar log_file +Append debug logs to +.Ar log_file +instead of the system log. .It Fl e -When this option is specified, -.Nm -will send the output to the standard error instead of the system log. +Write debug logs to standard error instead of the system log. .It Fl f Ar config_file Specifies the name of the configuration file. The default is @@ -173,7 +176,8 @@ The default is .Pa /etc/ssh/ssh_host_key for protocol version 1, and .Pa /etc/ssh/ssh_host_dsa_key , -.Pa /etc/ssh/ssh_host_ecdsa_key +.Pa /etc/ssh/ssh_host_ecdsa_key . +.Pa /etc/ssh/ssh_host_ed25519_key and .Pa /etc/ssh/ssh_host_rsa_key for protocol version 2. @@ -278,7 +282,7 @@ though this can be changed via the .Cm Protocol option in .Xr sshd_config 5 . -Protocol 2 supports DSA, ECDSA and RSA keys; +Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys; protocol 1 only supports RSA keys. For both protocols, each host has a host-specific key, @@ -494,6 +498,7 @@ For protocol version 2 the keytype is .Dq ecdsa-sha2-nistp256 , .Dq ecdsa-sha2-nistp384 , .Dq ecdsa-sha2-nistp521 , +.Dq ssh-ed25519 , .Dq ssh-dss or .Dq ssh-rsa . @@ -506,6 +511,7 @@ You don't want to type them in; instead, copy the .Pa identity.pub , .Pa id_dsa.pub , .Pa id_ecdsa.pub , +.Pa id_ed25519.pub , or the .Pa id_rsa.pub file and edit it. @@ -567,9 +573,7 @@ is enabled. Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .Pp @@ -807,8 +811,8 @@ secret, but the recommended permissions are read/write/execute for the user, and not accessible by others. .Pp .It Pa ~/.ssh/authorized_keys -Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in -as this user. +Lists the public keys (DSA, ECDSA, ED25519, RSA) +that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. @@ -888,6 +892,7 @@ rlogin/rsh. .It Pa /etc/ssh/ssh_host_key .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key +.It Pa /etc/ssh/ssh_host_ed25519_key .It Pa /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not @@ -899,6 +904,7 @@ does not start if these files are group/world-accessible. .It Pa /etc/ssh/ssh_host_key.pub .It Pa /etc/ssh/ssh_host_dsa_key.pub .It Pa /etc/ssh/ssh_host_ecdsa_key.pub +.It Pa /etc/ssh/ssh_host_ed25519_key.pub .It Pa /etc/ssh/ssh_host_rsa_key.pub These files contain the public parts of the host keys. These files should be world-readable but writable only by diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index d63439729..ce7fa65f3 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.420 2014/02/26 21:53:37 markus Exp $ */ /* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -77,7 +77,6 @@ __RCSID("$FreeBSD$"); #include #include -#include #include #include "openbsd-compat/openssl-compat.h" @@ -88,10 +87,10 @@ __RCSID("$FreeBSD$"); #ifdef __FreeBSD__ #include -#if defined(GSSAPI) && defined(HAVE_GSSAPI_H) -#include -#elif defined(GSSAPI) && defined(HAVE_GSSAPI_GSSAPI_H) +#if defined(GSSAPI) && defined(HAVE_GSSAPI_GSSAPI_H) #include +#elif defined(GSSAPI) && defined(HAVE_GSSAPI_H) +#include #endif #endif @@ -108,6 +107,7 @@ __RCSID("$FreeBSD$"); #include "uidswap.h" #include "compat.h" #include "cipher.h" +#include "digest.h" #include "key.h" #include "kex.h" #include "dh.h" @@ -118,6 +118,7 @@ __RCSID("$FreeBSD$"); #include "canohost.h" #include "hostfile.h" #include "auth.h" +#include "authfd.h" #include "misc.h" #include "msg.h" #include "dispatch.h" @@ -206,6 +207,10 @@ char *server_version_string = NULL; /* for rekeying XXX fixme */ Kex *xxx_kex; +/* Daemon's agent connection */ +AuthenticationConnection *auth_conn = NULL; +int have_agent = 0; + /* * Any really sensitive data in the application is contained in this * structure. The idea is that this structure could be locked into memory so @@ -218,6 +223,7 @@ struct { Key *server_key; /* ephemeral server key */ Key *ssh1_host_key; /* ssh1 host key */ Key **host_keys; /* all private host keys */ + Key **host_pubkeys; /* all public host keys */ Key **host_certificates; /* all public host certificates */ int have_ssh1_key; int have_ssh2_key; @@ -321,6 +327,7 @@ static void sighup_restart(void) { logit("Received SIGHUP; restarting."); + platform_pre_restart(); close_listen_socks(); close_startup_pipes(); alarm(0); /* alarm timer persists across exec */ @@ -377,7 +384,7 @@ grace_alarm_handler(int sig) */ if (getpgid(0) == getpid()) { signal(SIGTERM, SIG_IGN); - killpg(0, SIGTERM); + kill(0, SIGTERM); } /* Log error and exit. */ @@ -403,7 +410,6 @@ generate_ephemeral_server_key(void) verbose("RSA key generation complete."); arc4random_buf(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); - arc4random_stir(); } /*ARGSUSED*/ @@ -487,10 +493,11 @@ sshd_exchange_identification(int sock_in, int sock_out) &remote_major, &remote_minor, remote_version) != 3) { s = "Protocol mismatch.\n"; (void) atomicio(vwrite, sock_out, s, strlen(s)); + logit("Bad protocol version identification '%.100s' " + "from %s port %d", client_version_string, + get_remote_ipaddr(), get_remote_port()); close(sock_in); close(sock_out); - logit("Bad protocol version identification '%.100s' from %s", - client_version_string, get_remote_ipaddr()); cleanup_exit(255); } debug("Client protocol version %d.%d; client software version %.100s", @@ -498,17 +505,24 @@ sshd_exchange_identification(int sock_in, int sock_out) compat_datafellows(remote_version); - if (datafellows & SSH_BUG_PROBE) { + if ((datafellows & SSH_BUG_PROBE) != 0) { logit("probed from %s with %s. Don't panic.", get_remote_ipaddr(), client_version_string); cleanup_exit(255); } - - if (datafellows & SSH_BUG_SCANNER) { + if ((datafellows & SSH_BUG_SCANNER) != 0) { logit("scanned from %s with %s. Don't panic.", get_remote_ipaddr(), client_version_string); cleanup_exit(255); } + if ((datafellows & SSH_BUG_RSASIGMD5) != 0) { + logit("Client version \"%.100s\" uses unsafe RSA signature " + "scheme; disabling use of RSA keys", remote_version); + } + if ((datafellows & SSH_BUG_DERIVEKEY) != 0) { + fatal("Client version \"%.100s\" uses unsafe key agreement; " + "refusing connection", remote_version); + } mismatch = 0; switch (remote_major) { @@ -578,7 +592,7 @@ destroy_sensitive_data(void) } } sensitive_data.ssh1_host_key = NULL; - memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH); + explicit_bzero(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); } /* Demote private to public keys for network child */ @@ -617,9 +631,16 @@ privsep_preauth_child(void) /* Enable challenge-response authentication for privilege separation */ privsep_challenge_enable(); +#ifdef GSSAPI + /* Cache supported mechanism OIDs for later use */ + if (options.gss_authentication) + ssh_gssapi_prepare_supported_oids(); +#endif + arc4random_stir(); arc4random_buf(rnd, sizeof(rnd)); RAND_seed(rnd, sizeof(rnd)); + explicit_bzero(rnd, sizeof(rnd)); /* Demote the private keys to public keys. */ demote_sensitive_data(); @@ -658,7 +679,7 @@ privsep_preauth(Authctxt *authctxt) pmonitor->m_pkex = &xxx_kex; if (use_privsep == PRIVSEP_ON) - box = ssh_sandbox_init(); + box = ssh_sandbox_init(pmonitor); pid = fork(); if (pid == -1) { fatal("fork of unprivileged child failed"); @@ -666,6 +687,8 @@ privsep_preauth(Authctxt *authctxt) debug2("Network child is on pid %ld", (long)pid); pmonitor->m_pid = pid; + if (have_agent) + auth_conn = ssh_get_authentication_connection(); if (box != NULL) ssh_sandbox_parent_preauth(box, pid); monitor_child_preauth(authctxt, pmonitor); @@ -752,6 +775,7 @@ privsep_postauth(Authctxt *authctxt) arc4random_stir(); arc4random_buf(rnd, sizeof(rnd)); RAND_seed(rnd, sizeof(rnd)); + explicit_bzero(rnd, sizeof(rnd)); /* Drop privileges */ do_setusercontext(authctxt->pw); @@ -779,12 +803,15 @@ list_hostkey_types(void) buffer_init(&b); for (i = 0; i < options.num_host_key_files; i++) { key = sensitive_data.host_keys[i]; + if (key == NULL) + key = sensitive_data.host_pubkeys[i]; if (key == NULL) continue; switch (key->type) { case KEY_RSA: case KEY_DSA: case KEY_ECDSA: + case KEY_ED25519: if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); p = key_ssh_name(key); @@ -801,6 +828,7 @@ list_hostkey_types(void) case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: + case KEY_ED25519_CERT: if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); p = key_ssh_name(key); @@ -828,10 +856,13 @@ get_hostkey_by_type(int type, int need_private) case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: + case KEY_ED25519_CERT: key = sensitive_data.host_certificates[i]; break; default: key = sensitive_data.host_keys[i]; + if (key == NULL && !need_private) + key = sensitive_data.host_pubkeys[i]; break; } if (key != NULL && key->type == type) @@ -861,6 +892,14 @@ get_hostkey_by_index(int ind) return (sensitive_data.host_keys[ind]); } +Key * +get_hostkey_public_by_index(int ind) +{ + if (ind < 0 || ind >= options.num_host_key_files) + return (NULL); + return (sensitive_data.host_pubkeys[ind]); +} + int get_hostkey_index(Key *key) { @@ -873,6 +912,8 @@ get_hostkey_index(Key *key) } else { if (key == sensitive_data.host_keys[i]) return (i); + if (key == sensitive_data.host_pubkeys[i]) + return (i); } } return (-1); @@ -919,8 +960,9 @@ usage(void) SSLeay_version(SSLEAY_VERSION)); fprintf(stderr, "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n" -" [-f config_file] [-g login_grace_time] [-h host_key_file]\n" -" [-k key_gen_time] [-o option] [-p port] [-u len]\n" +" [-E log_file] [-f config_file] [-g login_grace_time]\n" +" [-h host_key_file] [-k key_gen_time] [-o option] [-p port]\n" +" [-u len]\n" ); exit(1); } @@ -991,7 +1033,7 @@ recv_rexec_state(int fd, Buffer *conf) cp = buffer_get_string(&m, &len); if (conf != NULL) buffer_append(conf, cp, len + 1); - xfree(cp); + free(cp); if (buffer_get_int(&m)) { if (sensitive_data.server_key != NULL) @@ -1042,7 +1084,9 @@ server_accept_inetd(int *sock_in, int *sock_out) if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { dup2(fd, STDIN_FILENO); dup2(fd, STDOUT_FILENO); - if (fd > STDOUT_FILENO) + if (!log_stderr) + dup2(fd, STDERR_FILENO); + if (fd > (log_stderr ? STDERR_FILENO : STDOUT_FILENO)) close(fd); } debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out); @@ -1140,6 +1184,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) struct sockaddr_storage from; socklen_t fromlen; pid_t pid; + u_char rnd[256]; /* setup fd set for accept */ fdset = NULL; @@ -1160,7 +1205,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) if (received_sighup) sighup_restart(); if (fdset != NULL) - xfree(fdset); + free(fdset); fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask)); @@ -1209,8 +1254,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) *newsock = accept(listen_socks[i], (struct sockaddr *)&from, &fromlen); if (*newsock < 0) { - if (errno != EINTR && errno != EAGAIN && - errno != EWOULDBLOCK) + if (errno != EINTR && errno != EWOULDBLOCK && + errno != ECONNABORTED && errno != EAGAIN) error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) @@ -1340,6 +1385,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) * from that of the child */ arc4random_stir(); + arc4random_buf(rnd, sizeof(rnd)); + RAND_seed(rnd, sizeof(rnd)); + explicit_bzero(rnd, sizeof(rnd)); } /* child process check (or debug mode) */ @@ -1361,12 +1409,14 @@ main(int ac, char **av) int sock_in = -1, sock_out = -1, newsock = -1; const char *remote_ip; int remote_port; - char *line; + char *line, *logfile = NULL; int config_s[2] = { -1 , -1 }; u_int n; u_int64_t ibytes, obytes; mode_t new_umask; Key *key; + Key *pubkey; + int keytype; Authctxt *authctxt; struct connection_info *connection_info = get_connection_info(0, 0); @@ -1399,7 +1449,7 @@ main(int ac, char **av) initialize_server_options(&options); /* Parse command-line arguments. */ - while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeiqrtQRT46")) != -1) { + while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeE:iqrtQRT46")) != -1) { switch (opt) { case '4': options.address_family = AF_INET; @@ -1428,6 +1478,9 @@ main(int ac, char **av) case 'D': no_daemon_flag = 1; break; + case 'E': + logfile = xstrdup(optarg); + /* FALLTHROUGH */ case 'e': log_stderr = 1; break; @@ -1506,7 +1559,7 @@ main(int ac, char **av) if (process_server_config_line(&options, line, "command-line", 0, NULL, NULL) != 0) exit(1); - xfree(line); + free(line); break; case '?': default: @@ -1525,6 +1578,11 @@ main(int ac, char **av) OpenSSL_add_all_algorithms(); + /* If requested, redirect the logs to the specified logfile. */ + if (logfile != NULL) { + log_redirect_stderr_to(logfile); + free(logfile); + } /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) @@ -1635,29 +1693,53 @@ main(int ac, char **av) fatal("Privilege separation user %s does not exist", SSH_PRIVSEP_USER); } else { - memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd)); + explicit_bzero(privsep_pw->pw_passwd, + strlen(privsep_pw->pw_passwd)); privsep_pw = pwcopy(privsep_pw); - xfree(privsep_pw->pw_passwd); + free(privsep_pw->pw_passwd); privsep_pw->pw_passwd = xstrdup("*"); } endpwent(); - /* load private host keys */ + /* load host keys */ sensitive_data.host_keys = xcalloc(options.num_host_key_files, sizeof(Key *)); - for (i = 0; i < options.num_host_key_files; i++) + sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files, + sizeof(Key *)); + for (i = 0; i < options.num_host_key_files; i++) { sensitive_data.host_keys[i] = NULL; + sensitive_data.host_pubkeys[i] = NULL; + } + + if (options.host_key_agent) { + if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME)) + setenv(SSH_AUTHSOCKET_ENV_NAME, + options.host_key_agent, 1); + have_agent = ssh_agent_present(); + } for (i = 0; i < options.num_host_key_files; i++) { key = key_load_private(options.host_key_files[i], "", NULL); + pubkey = key_load_public(options.host_key_files[i], NULL); sensitive_data.host_keys[i] = key; - if (key == NULL) { + sensitive_data.host_pubkeys[i] = pubkey; + + if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1 && + have_agent) { + debug("will rely on agent for hostkey %s", + options.host_key_files[i]); + keytype = pubkey->type; + } else if (key != NULL) { + keytype = key->type; + } else { error("Could not load host key: %s", options.host_key_files[i]); sensitive_data.host_keys[i] = NULL; + sensitive_data.host_pubkeys[i] = NULL; continue; } - switch (key->type) { + + switch (keytype) { case KEY_RSA1: sensitive_data.ssh1_host_key = key; sensitive_data.have_ssh1_key = 1; @@ -1665,11 +1747,12 @@ main(int ac, char **av) case KEY_RSA: case KEY_DSA: case KEY_ECDSA: + case KEY_ED25519: sensitive_data.have_ssh2_key = 1; break; } - debug("private host key: #%d type %d %s", i, key->type, - key_type(key)); + debug("private host key: #%d type %d %s", i, keytype, + key_type(key ? key : pubkey)); } if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); @@ -1835,12 +1918,10 @@ main(int ac, char **av) if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) debug("madvise(): %.200s", strerror(errno)); - /* Initialize the random number generator. */ - arc4random_stir(); - /* Chdir to the root directory so that the current disk can be unmounted if desired. */ - chdir("/"); + if (chdir("/") == -1) + error("chdir(\"/\"): %s", strerror(errno)); /* ignore SIGPIPE */ signal(SIGPIPE, SIG_IGN); @@ -1908,13 +1989,14 @@ main(int ac, char **av) dup2(STDIN_FILENO, STDOUT_FILENO); if (startup_pipe == -1) close(REEXEC_STARTUP_PIPE_FD); - else + else if (startup_pipe != REEXEC_STARTUP_PIPE_FD) { dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD); + close(startup_pipe); + startup_pipe = REEXEC_STARTUP_PIPE_FD; + } dup2(config_s[1], REEXEC_CONFIG_PASS_FD); close(config_s[1]); - if (startup_pipe != -1) - close(startup_pipe); execv(rexec_argv[0], rexec_argv); @@ -1925,8 +2007,6 @@ main(int ac, char **av) options.log_facility, log_stderr); /* Clean up fds */ - startup_pipe = REEXEC_STARTUP_PIPE_FD; - close(config_s[1]); close(REEXEC_CONFIG_PASS_FD); newsock = sock_out = sock_in = dup(STDIN_FILENO); if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { @@ -2031,7 +2111,9 @@ main(int ac, char **av) #endif /* LIBWRAP */ /* Log the connection. */ - verbose("Connection from %.500s port %d", remote_ip, remote_port); + verbose("Connection from %s port %d on %s port %d", + remote_ip, remote_port, + get_local_ipaddr(sock_in), get_local_port()); /* Set HPN options for the child. */ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); @@ -2068,9 +2150,11 @@ main(int ac, char **av) buffer_init(&loginmsg); auth_debug_reset(); - if (use_privsep) + if (use_privsep) { if (privsep_preauth(authctxt) == 1) goto authenticated; + } else if (compat20 && have_agent) + auth_conn = ssh_get_authentication_connection(); /* perform the key exchange */ /* authenticate user and start session */ @@ -2324,7 +2408,7 @@ do_ssh1_kex(void) get_remote_ipaddr(), len, (u_long)sizeof(session_key)); rsafail++; } else { - memset(session_key, 0, sizeof(session_key)); + explicit_bzero(session_key, sizeof(session_key)); BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len); @@ -2343,21 +2427,27 @@ do_ssh1_kex(void) if (rsafail) { int bytes = BN_num_bytes(session_key_int); u_char *buf = xmalloc(bytes); - MD5_CTX md; + struct ssh_digest_ctx *md; logit("do_connection: generating a fake encryption key"); BN_bn2bin(session_key_int, buf); - MD5_Init(&md); - MD5_Update(&md, buf, bytes); - MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); - MD5_Final(session_key, &md); - MD5_Init(&md); - MD5_Update(&md, session_key, 16); - MD5_Update(&md, buf, bytes); - MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); - MD5_Final(session_key + 16, &md); - memset(buf, 0, bytes); - xfree(buf); + if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || + ssh_digest_update(md, buf, bytes) < 0 || + ssh_digest_update(md, sensitive_data.ssh1_cookie, + SSH_SESSION_KEY_LENGTH) < 0 || + ssh_digest_final(md, session_key, sizeof(session_key)) < 0) + fatal("%s: md5 failed", __func__); + ssh_digest_free(md); + if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || + ssh_digest_update(md, session_key, 16) < 0 || + ssh_digest_update(md, sensitive_data.ssh1_cookie, + SSH_SESSION_KEY_LENGTH) < 0 || + ssh_digest_final(md, session_key + 16, + sizeof(session_key) - 16) < 0) + fatal("%s: md5 failed", __func__); + ssh_digest_free(md); + explicit_bzero(buf, bytes); + free(buf); for (i = 0; i < 16; i++) session_id[i] = session_key[i] ^ session_key[i + 16]; } @@ -2374,7 +2464,7 @@ do_ssh1_kex(void) packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type); /* Destroy our copy of the session key. It is no longer needed. */ - memset(session_key, 0, sizeof(session_key)); + explicit_bzero(session_key, sizeof(session_key)); debug("Received session key; encryption turned on."); @@ -2384,6 +2474,23 @@ do_ssh1_kex(void) packet_write_wait(); } +void +sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen, + u_char *data, u_int dlen) +{ + if (privkey) { + if (PRIVSEP(key_sign(privkey, signature, slen, data, dlen) < 0)) + fatal("%s: key_sign failed", __func__); + } else if (use_privsep) { + if (mm_key_sign(pubkey, signature, slen, data, dlen) < 0) + fatal("%s: pubkey_sign failed", __func__); + } else { + if (ssh_agent_sign(auth_conn, pubkey, signature, slen, data, + dlen)) + fatal("%s: ssh_agent_sign failed", __func__); + } +} + /* * SSH2 key exchange: diffie-hellman-group1-sha1 */ @@ -2421,7 +2528,12 @@ do_ssh2_kex(void) if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); + + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( + list_hostkey_types()); /* start key exchange */ kex = kex_setup(myproposal); @@ -2430,12 +2542,14 @@ do_ssh2_kex(void) kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; + kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; + kex->sign = sshd_hostkey_sign; xxx_kex = kex; diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config index 6e3063765..e2855c5ea 100644 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $ +# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ # $FreeBSD$ # This is the sshd server system-wide configuration file. See @@ -28,11 +28,15 @@ #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 +# Ciphers and keying +#RekeyLimit default none + # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH @@ -85,7 +89,7 @@ #GSSAPICleanupCredentials yes # Set this to 'no' to disable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass @@ -101,6 +105,7 @@ #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes @@ -115,7 +120,7 @@ #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none -#VersionAddendum FreeBSD-20130515 +#VersionAddendum FreeBSD-20140324 # no default banner path #Banner none @@ -139,4 +144,5 @@ Subsystem sftp /usr/libexec/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server diff --git a/crypto/openssh/sshd_config.0 b/crypto/openssh/sshd_config.0 new file mode 100644 index 000000000..413c26008 --- /dev/null +++ b/crypto/openssh/sshd_config.0 @@ -0,0 +1,835 @@ +SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) + +NAME + sshd_config - OpenSSH SSH daemon configuration file + +SYNOPSIS + /etc/ssh/sshd_config + +DESCRIPTION + sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file + specified with -f on the command line). The file contains keyword- + argument pairs, one per line. Lines starting with `#' and empty lines + are interpreted as comments. Arguments may optionally be enclosed in + double quotes (") in order to represent arguments containing spaces. + + The possible keywords and their meanings are as follows (note that + keywords are case-insensitive and arguments are case-sensitive): + + AcceptEnv + Specifies what environment variables sent by the client will be + copied into the session's environ(7). See SendEnv in + ssh_config(5) for how to configure the client. Note that + environment passing is only supported for protocol 2. Variables + are specified by name, which may contain the wildcard characters + `*' and `?'. Multiple environment variables may be separated by + whitespace or spread across multiple AcceptEnv directives. Be + warned that some environment variables could be used to bypass + restricted user environments. For this reason, care should be + taken in the use of this directive. The default is not to accept + any environment variables. + + AddressFamily + Specifies which address family should be used by sshd(8). Valid + arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' + (use IPv6 only). The default is ``any''. + + AllowAgentForwarding + Specifies whether ssh-agent(1) forwarding is permitted. The + default is ``yes''. Note that disabling agent forwarding does + not improve security unless users are also denied shell access, + as they can always install their own forwarders. + + AllowGroups + This keyword can be followed by a list of group name patterns, + separated by spaces. If specified, login is allowed only for + users whose primary group or supplementary group list matches one + of the patterns. Only group names are valid; a numerical group + ID is not recognized. By default, login is allowed for all + groups. The allow/deny directives are processed in the following + order: DenyUsers, AllowUsers, DenyGroups, and finally + AllowGroups. + + See PATTERNS in ssh_config(5) for more information on patterns. + + AllowTcpForwarding + Specifies whether TCP forwarding is permitted. The available + options are ``yes'' or ``all'' to allow TCP forwarding, ``no'' to + prevent all TCP forwarding, ``local'' to allow local (from the + perspective of ssh(1)) forwarding only or ``remote'' to allow + remote forwarding only. The default is ``yes''. Note that + disabling TCP forwarding does not improve security unless users + are also denied shell access, as they can always install their + own forwarders. + + AllowUsers + This keyword can be followed by a list of user name patterns, + separated by spaces. If specified, login is allowed only for + user names that match one of the patterns. Only user names are + valid; a numerical user ID is not recognized. By default, login + is allowed for all users. If the pattern takes the form + USER@HOST then USER and HOST are separately checked, restricting + logins to particular users from particular hosts. The allow/deny + directives are processed in the following order: DenyUsers, + AllowUsers, DenyGroups, and finally AllowGroups. + + See PATTERNS in ssh_config(5) for more information on patterns. + + AuthenticationMethods + Specifies the authentication methods that must be successfully + completed for a user to be granted access. This option must be + followed by one or more comma-separated lists of authentication + method names. Successful authentication requires completion of + every method in at least one of these lists. + + For example, an argument of ``publickey,password + publickey,keyboard-interactive'' would require the user to + complete public key authentication, followed by either password + or keyboard interactive authentication. Only methods that are + next in one or more lists are offered at each stage, so for this + example, it would not be possible to attempt password or + keyboard-interactive authentication before public key. + + For keyboard interactive authentication it is also possible to + restrict authentication to a specific device by appending a colon + followed by the device identifier ``bsdauth'', ``pam'', or + ``skey'', depending on the server configuration. For example, + ``keyboard-interactive:bsdauth'' would restrict keyboard + interactive authentication to the ``bsdauth'' device. + + This option is only available for SSH protocol 2 and will yield a + fatal error if enabled if protocol 1 is also enabled. Note that + each authentication method listed should also be explicitly + enabled in the configuration. The default is not to require + multiple authentication; successful completion of a single + authentication method is sufficient. + + AuthorizedKeysCommand + Specifies a program to be used to look up the user's public keys. + The program must be owned by root and not writable by group or + others. It will be invoked with a single argument of the + username being authenticated, and should produce on standard + output zero or more lines of authorized_keys output (see + AUTHORIZED_KEYS in sshd(8)). If a key supplied by + AuthorizedKeysCommand does not successfully authenticate and + authorize the user then public key authentication continues using + the usual AuthorizedKeysFile files. By default, no + AuthorizedKeysCommand is run. + + AuthorizedKeysCommandUser + Specifies the user under whose account the AuthorizedKeysCommand + is run. It is recommended to use a dedicated user that has no + other role on the host than running authorized keys commands. + + AuthorizedKeysFile + Specifies the file that contains the public keys that can be used + for user authentication. The format is described in the + AUTHORIZED_KEYS FILE FORMAT section of sshd(8). + AuthorizedKeysFile may contain tokens of the form %T which are + substituted during connection setup. The following tokens are + defined: %% is replaced by a literal '%', %h is replaced by the + home directory of the user being authenticated, and %u is + replaced by the username of that user. After expansion, + AuthorizedKeysFile is taken to be an absolute path or one + relative to the user's home directory. Multiple files may be + listed, separated by whitespace. The default is + ``.ssh/authorized_keys .ssh/authorized_keys2''. + + AuthorizedPrincipalsFile + Specifies a file that lists principal names that are accepted for + certificate authentication. When using certificates signed by a + key listed in TrustedUserCAKeys, this file lists names, one of + which must appear in the certificate for it to be accepted for + authentication. Names are listed one per line preceded by key + options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). + Empty lines and comments starting with `#' are ignored. + + AuthorizedPrincipalsFile may contain tokens of the form %T which + are substituted during connection setup. The following tokens + are defined: %% is replaced by a literal '%', %h is replaced by + the home directory of the user being authenticated, and %u is + replaced by the username of that user. After expansion, + AuthorizedPrincipalsFile is taken to be an absolute path or one + relative to the user's home directory. + + The default is ``none'', i.e. not to use a principals file - in + this case, the username of the user must appear in a + certificate's principals list for it to be accepted. Note that + AuthorizedPrincipalsFile is only used when authentication + proceeds using a CA listed in TrustedUserCAKeys and is not + consulted for certification authorities trusted via + ~/.ssh/authorized_keys, though the principals= key option offers + a similar facility (see sshd(8) for details). + + Banner The contents of the specified file are sent to the remote user + before authentication is allowed. If the argument is ``none'' + then no banner is displayed. This option is only available for + protocol version 2. By default, no banner is displayed. + + ChallengeResponseAuthentication + Specifies whether challenge-response authentication is allowed + (e.g. via PAM or though authentication styles supported in + login.conf(5)) The default is ``yes''. + + ChrootDirectory + Specifies the pathname of a directory to chroot(2) to after + authentication. All components of the pathname must be root- + owned directories that are not writable by any other user or + group. After the chroot, sshd(8) changes the working directory + to the user's home directory. + + The pathname may contain the following tokens that are expanded + at runtime once the connecting user has been authenticated: %% is + replaced by a literal '%', %h is replaced by the home directory + of the user being authenticated, and %u is replaced by the + username of that user. + + The ChrootDirectory must contain the necessary files and + directories to support the user's session. For an interactive + session this requires at least a shell, typically sh(1), and + basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), + stderr(4), arandom(4) and tty(4) devices. For file transfer + sessions using ``sftp'', no additional configuration of the + environment is necessary if the in-process sftp server is used, + though sessions which use logging do require /dev/log inside the + chroot directory (see sftp-server(8) for details). + + The default is not to chroot(2). + + Ciphers + Specifies the ciphers allowed for protocol version 2. Multiple + ciphers must be comma-separated. The supported ciphers are: + + ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', + ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', + ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', + ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', + ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''. + + The default is: + + aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, + aes128-gcm@openssh.com,aes256-gcm@openssh.com, + chacha20-poly1305@openssh.com, + aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, + aes256-cbc,arcfour + + The list of available ciphers may also be obtained using the -Q + option of ssh(1). + + ClientAliveCountMax + Sets the number of client alive messages (see below) which may be + sent without sshd(8) receiving any messages back from the client. + If this threshold is reached while client alive messages are + being sent, sshd will disconnect the client, terminating the + session. It is important to note that the use of client alive + messages is very different from TCPKeepAlive (below). The client + alive messages are sent through the encrypted channel and + therefore will not be spoofable. The TCP keepalive option + enabled by TCPKeepAlive is spoofable. The client alive mechanism + is valuable when the client or server depend on knowing when a + connection has become inactive. + + The default value is 3. If ClientAliveInterval (see below) is + set to 15, and ClientAliveCountMax is left at the default, + unresponsive SSH clients will be disconnected after approximately + 45 seconds. This option applies to protocol version 2 only. + + ClientAliveInterval + Sets a timeout interval in seconds after which if no data has + been received from the client, sshd(8) will send a message + through the encrypted channel to request a response from the + client. The default is 0, indicating that these messages will + not be sent to the client. This option applies to protocol + version 2 only. + + Compression + Specifies whether compression is allowed, or delayed until the + user has authenticated successfully. The argument must be + ``yes'', ``delayed'', or ``no''. The default is ``delayed''. + + DenyGroups + This keyword can be followed by a list of group name patterns, + separated by spaces. Login is disallowed for users whose primary + group or supplementary group list matches one of the patterns. + Only group names are valid; a numerical group ID is not + recognized. By default, login is allowed for all groups. The + allow/deny directives are processed in the following order: + DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. + + See PATTERNS in ssh_config(5) for more information on patterns. + + DenyUsers + This keyword can be followed by a list of user name patterns, + separated by spaces. Login is disallowed for user names that + match one of the patterns. Only user names are valid; a + numerical user ID is not recognized. By default, login is + allowed for all users. If the pattern takes the form USER@HOST + then USER and HOST are separately checked, restricting logins to + particular users from particular hosts. The allow/deny + directives are processed in the following order: DenyUsers, + AllowUsers, DenyGroups, and finally AllowGroups. + + See PATTERNS in ssh_config(5) for more information on patterns. + + ForceCommand + Forces the execution of the command specified by ForceCommand, + ignoring any command supplied by the client and ~/.ssh/rc if + present. The command is invoked by using the user's login shell + with the -c option. This applies to shell, command, or subsystem + execution. It is most useful inside a Match block. The command + originally supplied by the client is available in the + SSH_ORIGINAL_COMMAND environment variable. Specifying a command + of ``internal-sftp'' will force the use of an in-process sftp + server that requires no support files when used with + ChrootDirectory. + + GatewayPorts + Specifies whether remote hosts are allowed to connect to ports + forwarded for the client. By default, sshd(8) binds remote port + forwardings to the loopback address. This prevents other remote + hosts from connecting to forwarded ports. GatewayPorts can be + used to specify that sshd should allow remote port forwardings to + bind to non-loopback addresses, thus allowing other hosts to + connect. The argument may be ``no'' to force remote port + forwardings to be available to the local host only, ``yes'' to + force remote port forwardings to bind to the wildcard address, or + ``clientspecified'' to allow the client to select the address to + which the forwarding is bound. The default is ``no''. + + GSSAPIAuthentication + Specifies whether user authentication based on GSSAPI is allowed. + The default is ``no''. Note that this option applies to protocol + version 2 only. + + GSSAPICleanupCredentials + Specifies whether to automatically destroy the user's credentials + cache on logout. The default is ``yes''. Note that this option + applies to protocol version 2 only. + + HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication + together with successful public key client host authentication is + allowed (host-based authentication). This option is similar to + RhostsRSAAuthentication and applies to protocol version 2 only. + The default is ``no''. + + HostbasedUsesNameFromPacketOnly + Specifies whether or not the server will attempt to perform a + reverse name lookup when matching the name in the ~/.shosts, + ~/.rhosts, and /etc/hosts.equiv files during + HostbasedAuthentication. A setting of ``yes'' means that sshd(8) + uses the name supplied by the client rather than attempting to + resolve the name from the TCP connection itself. The default is + ``no''. + + HostCertificate + Specifies a file containing a public host certificate. The + certificate's public key must match a private host key already + specified by HostKey. The default behaviour of sshd(8) is not to + load any certificates. + + HostKey + Specifies a file containing a private host key used by SSH. The + default is /etc/ssh/ssh_host_key for protocol version 1, and + /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, + /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for + protocol version 2. Note that sshd(8) will refuse to use a file + if it is group/world-accessible. It is possible to have multiple + host key files. ``rsa1'' keys are used for version 1 and + ``dsa'', ``ecdsa'', ``ed25519'' or ``rsa'' are used for version 2 + of the SSH protocol. It is also possible to specify public host + key files instead. In this case operations on the private key + will be delegated to an ssh-agent(1). + + HostKeyAgent + Identifies the UNIX-domain socket used to communicate with an + agent that has access to the private host keys. If + ``SSH_AUTH_SOCK'' is specified, the location of the socket will + be read from the SSH_AUTH_SOCK environment variable. + + IgnoreRhosts + Specifies that .rhosts and .shosts files will not be used in + RhostsRSAAuthentication or HostbasedAuthentication. + + /etc/hosts.equiv and /etc/shosts.equiv are still used. The + default is ``yes''. + + IgnoreUserKnownHosts + Specifies whether sshd(8) should ignore the user's + ~/.ssh/known_hosts during RhostsRSAAuthentication or + HostbasedAuthentication. The default is ``no''. + + IPQoS Specifies the IPv4 type-of-service or DSCP class for the + connection. Accepted values are ``af11'', ``af12'', ``af13'', + ``af21'', ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', + ``af41'', ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'', + ``cs4'', ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'', + ``throughput'', ``reliability'', or a numeric value. This option + may take one or two arguments, separated by whitespace. If one + argument is specified, it is used as the packet class + unconditionally. If two values are specified, the first is + automatically selected for interactive sessions and the second + for non-interactive sessions. The default is ``lowdelay'' for + interactive sessions and ``throughput'' for non-interactive + sessions. + + KbdInteractiveAuthentication + Specifies whether to allow keyboard-interactive authentication. + The argument to this keyword must be ``yes'' or ``no''. The + default is to use whatever value ChallengeResponseAuthentication + is set to (by default ``yes''). + + KerberosAuthentication + Specifies whether the password provided by the user for + PasswordAuthentication will be validated through the Kerberos + KDC. To use this option, the server needs a Kerberos servtab + which allows the verification of the KDC's identity. The default + is ``no''. + + KerberosGetAFSToken + If AFS is active and the user has a Kerberos 5 TGT, attempt to + acquire an AFS token before accessing the user's home directory. + The default is ``no''. + + KerberosOrLocalPasswd + If password authentication through Kerberos fails then the + password will be validated via any additional local mechanism + such as /etc/passwd. The default is ``yes''. + + KerberosTicketCleanup + Specifies whether to automatically destroy the user's ticket + cache file on logout. The default is ``yes''. + + KexAlgorithms + Specifies the available KEX (Key Exchange) algorithms. Multiple + algorithms must be comma-separated. The default is + + curve25519-sha256@libssh.org, + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, + diffie-hellman-group-exchange-sha1, + diffie-hellman-group14-sha1, + diffie-hellman-group1-sha1 + + KeyRegenerationInterval + In protocol version 1, the ephemeral server key is automatically + regenerated after this many seconds (if it has been used). The + purpose of regeneration is to prevent decrypting captured + sessions by later breaking into the machine and stealing the + keys. The key is never stored anywhere. If the value is 0, the + key is never regenerated. The default is 3600 (seconds). + + ListenAddress + Specifies the local addresses sshd(8) should listen on. The + following forms may be used: + + ListenAddress host|IPv4_addr|IPv6_addr + ListenAddress host|IPv4_addr:port + ListenAddress [host|IPv6_addr]:port + + If port is not specified, sshd will listen on the address and all + prior Port options specified. The default is to listen on all + local addresses. Multiple ListenAddress options are permitted. + Additionally, any Port options must precede this option for non- + port qualified addresses. + + LoginGraceTime + The server disconnects after this time if the user has not + successfully logged in. If the value is 0, there is no time + limit. The default is 120 seconds. + + LogLevel + Gives the verbosity level that is used when logging messages from + sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, + VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. + DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify + higher levels of debugging output. Logging with a DEBUG level + violates the privacy of users and is not recommended. + + MACs Specifies the available MAC (message authentication code) + algorithms. The MAC algorithm is used in protocol version 2 for + data integrity protection. Multiple algorithms must be comma- + separated. The algorithms that contain ``-etm'' calculate the + MAC after encryption (encrypt-then-mac). These are considered + safer and their use recommended. The default is: + + hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, + umac-64-etm@openssh.com,umac-128-etm@openssh.com, + hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, + hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, + hmac-md5-96-etm@openssh.com, + hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, + hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, + hmac-sha1-96,hmac-md5-96 + + Match Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines + override those set in the global section of the config file, + until either another Match line or the end of the file. If a + keyword appears in multiple Match blocks that are satisified, + only the first instance of the keyword is applied. + + The arguments to Match are one or more criteria-pattern pairs or + the single token All which matches all criteria. The available + criteria are User, Group, Host, LocalAddress, LocalPort, and + Address. The match patterns may consist of single entries or + comma-separated lists and may use the wildcard and negation + operators described in the PATTERNS section of ssh_config(5). + + The patterns in an Address criteria may additionally contain + addresses to match in CIDR address/masklen format, e.g. + ``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask + length provided must be consistent with the address - it is an + error to specify a mask length that is too long for the address + or one with bits set in this host portion of the address. For + example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively. + + Only a subset of keywords may be used on the lines following a + Match keyword. Available keywords are AcceptEnv, + AllowAgentForwarding, AllowGroups, AllowTcpForwarding, + AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, + AuthorizedKeysCommandUser, AuthorizedKeysFile, + AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups, + DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication, + HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, + KbdInteractiveAuthentication, KerberosAuthentication, + MaxAuthTries, MaxSessions, PasswordAuthentication, + PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, + PermitTunnel, PubkeyAuthentication, RekeyLimit, + RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, + X11Forwarding and X11UseLocalHost. + + MaxAuthTries + Specifies the maximum number of authentication attempts permitted + per connection. Once the number of failures reaches half this + value, additional failures are logged. The default is 6. + + MaxSessions + Specifies the maximum number of open sessions permitted per + network connection. The default is 10. + + MaxStartups + Specifies the maximum number of concurrent unauthenticated + connections to the SSH daemon. Additional connections will be + dropped until authentication succeeds or the LoginGraceTime + expires for a connection. The default is 10:30:100. + + Alternatively, random early drop can be enabled by specifying the + three colon separated values ``start:rate:full'' (e.g. + "10:30:60"). sshd(8) will refuse connection attempts with a + probability of ``rate/100'' (30%) if there are currently + ``start'' (10) unauthenticated connections. The probability + increases linearly and all connection attempts are refused if the + number of unauthenticated connections reaches ``full'' (60). + + PasswordAuthentication + Specifies whether password authentication is allowed. The + default is ``yes''. + + PermitEmptyPasswords + When password authentication is allowed, it specifies whether the + server allows login to accounts with empty password strings. The + default is ``no''. + + PermitOpen + Specifies the destinations to which TCP port forwarding is + permitted. The forwarding specification must be one of the + following forms: + + PermitOpen host:port + PermitOpen IPv4_addr:port + PermitOpen [IPv6_addr]:port + + Multiple forwards may be specified by separating them with + whitespace. An argument of ``any'' can be used to remove all + restrictions and permit any forwarding requests. An argument of + ``none'' can be used to prohibit all forwarding requests. By + default all port forwarding requests are permitted. + + PermitRootLogin + Specifies whether root can log in using ssh(1). The argument + must be ``yes'', ``without-password'', ``forced-commands-only'', + or ``no''. The default is ``yes''. + + If this option is set to ``without-password'', password + authentication is disabled for root. + + If this option is set to ``forced-commands-only'', root login + with public key authentication will be allowed, but only if the + command option has been specified (which may be useful for taking + remote backups even if root login is normally not allowed). All + other authentication methods are disabled for root. + + If this option is set to ``no'', root is not allowed to log in. + + PermitTunnel + Specifies whether tun(4) device forwarding is allowed. The + argument must be ``yes'', ``point-to-point'' (layer 3), + ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' permits + both ``point-to-point'' and ``ethernet''. The default is ``no''. + + PermitTTY + Specifies whether pty(4) allocation is permitted. The default is + ``yes''. + + PermitUserEnvironment + Specifies whether ~/.ssh/environment and environment= options in + ~/.ssh/authorized_keys are processed by sshd(8). The default is + ``no''. Enabling environment processing may enable users to + bypass access restrictions in some configurations using + mechanisms such as LD_PRELOAD. + + PidFile + Specifies the file that contains the process ID of the SSH + daemon. The default is /var/run/sshd.pid. + + Port Specifies the port number that sshd(8) listens on. The default + is 22. Multiple options of this type are permitted. See also + ListenAddress. + + PrintLastLog + Specifies whether sshd(8) should print the date and time of the + last user login when a user logs in interactively. The default + is ``yes''. + + PrintMotd + Specifies whether sshd(8) should print /etc/motd when a user logs + in interactively. (On some systems it is also printed by the + shell, /etc/profile, or equivalent.) The default is ``yes''. + + Protocol + Specifies the protocol versions sshd(8) supports. The possible + values are `1' and `2'. Multiple versions must be comma- + separated. The default is `2'. Note that the order of the + protocol list does not indicate preference, because the client + selects among multiple protocol versions offered by the server. + Specifying ``2,1'' is identical to ``1,2''. + + PubkeyAuthentication + Specifies whether public key authentication is allowed. The + default is ``yes''. Note that this option applies to protocol + version 2 only. + + RekeyLimit + Specifies the maximum amount of data that may be transmitted + before the session key is renegotiated, optionally followed a + maximum amount of time that may pass before the session key is + renegotiated. The first argument is specified in bytes and may + have a suffix of `K', `M', or `G' to indicate Kilobytes, + Megabytes, or Gigabytes, respectively. The default is between + `1G' and `4G', depending on the cipher. The optional second + value is specified in seconds and may use any of the units + documented in the TIME FORMATS section. The default value for + RekeyLimit is ``default none'', which means that rekeying is + performed after the cipher's default amount of data has been sent + or received and no time based rekeying is done. This option + applies to protocol version 2 only. + + RevokedKeys + Specifies revoked public keys. Keys listed in this file will be + refused for public key authentication. Note that if this file is + not readable, then public key authentication will be refused for + all users. Keys may be specified as a text file, listing one + public key per line, or as an OpenSSH Key Revocation List (KRL) + as generated by ssh-keygen(1). For more information on KRLs, see + the KEY REVOCATION LISTS section in ssh-keygen(1). + + RhostsRSAAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication + together with successful RSA host authentication is allowed. The + default is ``no''. This option applies to protocol version 1 + only. + + RSAAuthentication + Specifies whether pure RSA authentication is allowed. The + default is ``yes''. This option applies to protocol version 1 + only. + + ServerKeyBits + Defines the number of bits in the ephemeral protocol version 1 + server key. The minimum value is 512, and the default is 1024. + + StrictModes + Specifies whether sshd(8) should check file modes and ownership + of the user's files and home directory before accepting login. + This is normally desirable because novices sometimes accidentally + leave their directory or files world-writable. The default is + ``yes''. Note that this does not apply to ChrootDirectory, whose + permissions and ownership are checked unconditionally. + + Subsystem + Configures an external subsystem (e.g. file transfer daemon). + Arguments should be a subsystem name and a command (with optional + arguments) to execute upon subsystem request. + + The command sftp-server(8) implements the ``sftp'' file transfer + subsystem. + + Alternately the name ``internal-sftp'' implements an in-process + ``sftp'' server. This may simplify configurations using + ChrootDirectory to force a different filesystem root on clients. + + By default no subsystems are defined. Note that this option + applies to protocol version 2 only. + + SyslogFacility + Gives the facility code that is used when logging messages from + sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, + LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The + default is AUTH. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages + to the other side. If they are sent, death of the connection or + crash of one of the machines will be properly noticed. However, + this means that connections will die if the route is down + temporarily, and some people find it annoying. On the other + hand, if TCP keepalives are not sent, sessions may hang + indefinitely on the server, leaving ``ghost'' users and consuming + server resources. + + The default is ``yes'' (to send TCP keepalive messages), and the + server will notice if the network goes down or the client host + crashes. This avoids infinitely hanging sessions. + + To disable TCP keepalive messages, the value should be set to + ``no''. + + TrustedUserCAKeys + Specifies a file containing public keys of certificate + authorities that are trusted to sign user certificates for + authentication. Keys are listed one per line; empty lines and + comments starting with `#' are allowed. If a certificate is + presented for authentication and has its signing CA key listed in + this file, then it may be used for authentication for any user + listed in the certificate's principals list. Note that + certificates that lack a list of principals will not be permitted + for authentication using TrustedUserCAKeys. For more details on + certificates, see the CERTIFICATES section in ssh-keygen(1). + + UseDNS Specifies whether sshd(8) should look up the remote host name and + check that the resolved host name for the remote IP address maps + back to the very same IP address. The default is ``yes''. + + UseLogin + Specifies whether login(1) is used for interactive login + sessions. The default is ``no''. Note that login(1) is never + used for remote command execution. Note also, that if this is + enabled, X11Forwarding will be disabled because login(1) does not + know how to handle xauth(1) cookies. If UsePrivilegeSeparation + is specified, it will be disabled after authentication. + + UsePAM Enables the Pluggable Authentication Module interface. If set to + ``yes'' this will enable PAM authentication using + ChallengeResponseAuthentication and PasswordAuthentication in + addition to PAM account and session module processing for all + authentication types. + + Because PAM challenge-response authentication usually serves an + equivalent role to password authentication, you should disable + either PasswordAuthentication or ChallengeResponseAuthentication. + + If UsePAM is enabled, you will not be able to run sshd(8) as a + non-root user. The default is ``no''. + + UsePrivilegeSeparation + Specifies whether sshd(8) separates privileges by creating an + unprivileged child process to deal with incoming network traffic. + After successful authentication, another process will be created + that has the privilege of the authenticated user. The goal of + privilege separation is to prevent privilege escalation by + containing any corruption within the unprivileged processes. The + default is ``yes''. If UsePrivilegeSeparation is set to + ``sandbox'' then the pre-authentication unprivileged process is + subject to additional restrictions. + + VersionAddendum + Optionally specifies additional text to append to the SSH + protocol banner sent by the server upon connection. The default + is ``none''. + + X11DisplayOffset + Specifies the first display number available for sshd(8)'s X11 + forwarding. This prevents sshd from interfering with real X11 + servers. The default is 10. + + X11Forwarding + Specifies whether X11 forwarding is permitted. The argument must + be ``yes'' or ``no''. The default is ``no''. + + When X11 forwarding is enabled, there may be additional exposure + to the server and to client displays if the sshd(8) proxy display + is configured to listen on the wildcard address (see + X11UseLocalhost below), though this is not the default. + Additionally, the authentication spoofing and authentication data + verification and substitution occur on the client side. The + security risk of using X11 forwarding is that the client's X11 + display server may be exposed to attack when the SSH client + requests forwarding (see the warnings for ForwardX11 in + ssh_config(5)). A system administrator may have a stance in + which they want to protect clients that may expose themselves to + attack by unwittingly requesting X11 forwarding, which can + warrant a ``no'' setting. + + Note that disabling X11 forwarding does not prevent users from + forwarding X11 traffic, as users can always install their own + forwarders. X11 forwarding is automatically disabled if UseLogin + is enabled. + + X11UseLocalhost + Specifies whether sshd(8) should bind the X11 forwarding server + to the loopback address or to the wildcard address. By default, + sshd binds the forwarding server to the loopback address and sets + the hostname part of the DISPLAY environment variable to + ``localhost''. This prevents remote hosts from connecting to the + proxy display. However, some older X11 clients may not function + with this configuration. X11UseLocalhost may be set to ``no'' to + specify that the forwarding server should be bound to the + wildcard address. The argument must be ``yes'' or ``no''. The + default is ``yes''. + + XAuthLocation + Specifies the full pathname of the xauth(1) program. The default + is /usr/X11R6/bin/xauth. + +TIME FORMATS + sshd(8) command-line arguments and configuration file options that + specify time may be expressed using a sequence of the form: + time[qualifier], where time is a positive integer value and qualifier is + one of the following: + + seconds + s | S seconds + m | M minutes + h | H hours + d | D days + w | W weeks + + Each member of the sequence is added together to calculate the total time + value. + + Time format examples: + + 600 600 seconds (10 minutes) + 10m 10 minutes + 1h30m 1 hour 30 minutes (90 minutes) + +FILES + /etc/ssh/sshd_config + Contains configuration data for sshd(8). This file should be + writable by root only, but it is recommended (though not + necessary) that it be world-readable. + +SEE ALSO + sshd(8) + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +OpenBSD 5.5 February 27, 2014 OpenBSD 5.5 diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index 5e3e28992..dca8db540 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -33,9 +33,9 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $ .\" $FreeBSD$ -.Dd February 6, 2013 +.Dd February 27, 2014 .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -118,9 +118,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm AllowTcpForwarding @@ -160,9 +158,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm AuthenticationMethods @@ -181,6 +177,20 @@ Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard-interactive authentication before public key. .Pp +For keyboard interactive authentication it is also possible to +restrict authentication to a specific device by appending a +colon followed by the device identifier +.Dq bsdauth , +.Dq pam , +or +.Dq skey , +depending on the server configuration. +For example, +.Dq keyboard-interactive:bsdauth +would restrict keyboard interactive authentication to the +.Dq bsdauth +device. +.Pp This option is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled @@ -189,11 +199,10 @@ The default is not to require multiple authentication; successful completion of a single authentication method is sufficient. .It Cm AuthorizedKeysCommand Specifies a program to be used to look up the user's public keys. -The program will be invoked with a single argument of the username +The program must be owned by root and not writable by group or others. +It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or -more lines of authorized_keys output (see -.Sx AUTHORIZED_KEYS -in +more lines of authorized_keys output (see AUTHORIZED_KEYS in .Xr sshd 8 ) . If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual @@ -208,7 +217,7 @@ than running authorized keys commands. Specifies the file that contains the public keys that can be used for user authentication. The format is described in the -.Sx AUTHORIZED_KEYS FILE FORMAT +AUTHORIZED_KEYS FILE FORMAT section of .Xr sshd 8 . .Cm AuthorizedKeysFile @@ -232,9 +241,7 @@ When using certificates signed by a key listed in this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described -in -.Sx AUTHORIZED_KEYS FILE FORMAT -in +in AUTHORIZED_KEYS FILE FORMAT in .Xr sshd 8 ) . Empty lines and comments starting with .Ql # @@ -329,7 +336,8 @@ The default is not to .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. -The supported ciphers are +The supported ciphers are: +.Pp .Dq 3des-cbc , .Dq aes128-cbc , .Dq aes192-cbc , @@ -343,15 +351,23 @@ The supported ciphers are .Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , +.Dq cast128-cbc , and -.Dq cast128-cbc . +.Dq chacha20-poly1305@openssh.com . +.Pp The default is: .Bd -literal -offset 3n aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-gcm@openssh.com,aes256-gcm@openssh.com, +chacha20-poly1305@openssh.com, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour .Ed +.Pp +The list of available ciphers may also be obtained using the +.Fl Q +option of +.Xr ssh 1 . .It Cm ClientAliveCountMax Sets the number of client alive messages (see below) which may be sent without @@ -412,9 +428,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm DenyUsers @@ -433,9 +447,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm ForceCommand @@ -529,7 +541,8 @@ The default is .Pa /etc/ssh/ssh_host_key for protocol version 1, and .Pa /etc/ssh/ssh_host_dsa_key , -.Pa /etc/ssh/ssh_host_ecdsa_key +.Pa /etc/ssh/ssh_host_ecdsa_key , +.Pa /etc/ssh/ssh_host_ed25519_key and .Pa /etc/ssh/ssh_host_rsa_key for protocol version 2. @@ -540,10 +553,23 @@ It is possible to have multiple host key files. .Dq rsa1 keys are used for version 1 and .Dq dsa , -.Dq ecdsa +.Dq ecdsa , +.Dq ed25519 or .Dq rsa are used for version 2 of the SSH protocol. +It is also possible to specify public host key files instead. +In this case operations on the private key will be delegated +to an +.Xr ssh-agent 1 . +.It Cm HostKeyAgent +Identifies the UNIX-domain socket used to communicate +with an agent that has access to the private host keys. +If +.Dq SSH_AUTH_SOCK +is specified, the location of the socket will be read from the +.Ev SSH_AUTH_SOCK +environment variable. .It Cm IgnoreRhosts Specifies that .Pa .rhosts @@ -608,6 +634,17 @@ The default is for interactive sessions and .Dq throughput for non-interactive sessions. +.It Cm KbdInteractiveAuthentication +Specifies whether to allow keyboard-interactive authentication. +The argument to this keyword must be +.Dq yes +or +.Dq no . +The default is to use whatever value +.Cm ChallengeResponseAuthentication +is set to +(by default +.Dq yes ) . .It Cm KerberosAuthentication Specifies whether the password provided by the user for .Cm PasswordAuthentication @@ -637,13 +674,14 @@ The default is Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is -.Dq ecdh-sha2-nistp256 , -.Dq ecdh-sha2-nistp384 , -.Dq ecdh-sha2-nistp521 , -.Dq diffie-hellman-group-exchange-sha256 , -.Dq diffie-hellman-group-exchange-sha1 , -.Dq diffie-hellman-group14-sha1 , -.Dq diffie-hellman-group1-sha1 . +.Bd -literal -offset indent +curve25519-sha256@libssh.org, +ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +diffie-hellman-group-exchange-sha256, +diffie-hellman-group-exchange-sha1, +diffie-hellman-group14-sha1, +diffie-hellman-group1-sha1 +.Ed .It Cm KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). @@ -733,10 +771,16 @@ line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another .Cm Match line or the end of the file. +If a keyword appears in multiple +.Cm Match +blocks that are satisified, only the first instance of the keyword is +applied. .Pp The arguments to .Cm Match -are one or more criteria-pattern pairs. +are one or more criteria-pattern pairs or the single token +.Cm All +which matches all criteria. The available criteria are .Cm User , .Cm Group , @@ -747,8 +791,7 @@ and .Cm Address . The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the -.Sx PATTERNS -section of +PATTERNS section of .Xr ssh_config 5 . .Pp The patterns in an @@ -798,8 +841,10 @@ Available keywords are .Cm PermitEmptyPasswords , .Cm PermitOpen , .Cm PermitRootLogin , +.Cm PermitTTY , .Cm PermitTunnel , .Cm PubkeyAuthentication , +.Cm RekeyLimit , .Cm RhostsRSAAuthentication , .Cm RSAAuthentication , .Cm X11DisplayOffset , @@ -935,6 +980,12 @@ and .Dq ethernet . The default is .Dq no . +.It Cm PermitTTY +Specifies whether +.Xr pty 4 +allocation is permitted. +The default is +.Dq yes . .It Cm PermitUserEnvironment Specifies whether .Pa ~/.ssh/environment @@ -1003,6 +1054,32 @@ Specifies whether public key authentication is allowed. The default is .Dq yes . Note that this option applies to protocol version 2 only. +.It Cm RekeyLimit +Specifies the maximum amount of data that may be transmitted before the +session key is renegotiated, optionally followed a maximum amount of +time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of +.Sq K , +.Sq M , +or +.Sq G +to indicate Kilobytes, Megabytes, or Gigabytes, respectively. +The default is between +.Sq 1G +and +.Sq 4G , +depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the +.Sx TIME FORMATS +section. +The default value for +.Cm RekeyLimit +is +.Dq default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. +This option applies to protocol version 2 only. .It Cm RevokedKeys Specifies revoked public keys. Keys listed in this file will be refused for public key authentication. @@ -1011,9 +1088,7 @@ be refused for all users. Keys may be specified as a text file, listing one public key per line, or as an OpenSSH Key Revocation List (KRL) as generated by .Xr ssh-keygen 1 . -For more information on KRLs, see the -.Sx KEY REVOCATION LISTS -section in +For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication Specifies whether rhosts or @@ -1104,9 +1179,7 @@ listed in the certificate's principals list. Note that certificates that lack a list of principals will not be permitted for authentication using .Cm TrustedUserCAKeys . -For more details on certificates, see the -.Sx CERTIFICATES -section in +For more details on certificates, see the CERTIFICATES section in .Xr ssh-keygen 1 . .It Cm UseDNS Specifies whether @@ -1180,7 +1253,7 @@ restrictions. Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is -.Dq FreeBSD-20130515 . +.Dq FreeBSD-20140324 . .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's diff --git a/crypto/openssh/sshlogin.c b/crypto/openssh/sshlogin.c index 54629f747..e79ca9b47 100644 --- a/crypto/openssh/sshlogin.c +++ b/crypto/openssh/sshlogin.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshlogin.c,v 1.27 2011/01/11 06:06:09 djm Exp $ */ +/* $OpenBSD: sshlogin.c,v 1.28 2014/01/31 16:39:19 tedu Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -97,7 +97,7 @@ store_lastlog_message(const char *user, uid_t uid) time_string = sys_auth_get_lastlogin_msg(user, uid); if (time_string != NULL) { buffer_append(&loginmsg, time_string, strlen(time_string)); - xfree(time_string); + free(time_string); } # else last_login_time = get_last_login_time(uid, user, hostname, diff --git a/crypto/openssh/sshlogin.h b/crypto/openssh/sshlogin.h index 500d3fefd..52119a979 100644 --- a/crypto/openssh/sshlogin.h +++ b/crypto/openssh/sshlogin.h @@ -15,7 +15,7 @@ void record_login(pid_t, const char *, const char *, uid_t, const char *, struct sockaddr *, socklen_t); void record_logout(pid_t, const char *, const char *); -time_t get_last_login_time(uid_t, const char *, char *, u_int); +time_t get_last_login_time(uid_t, const char *, char *, size_t); #ifdef LOGIN_NEEDS_UTMPX void record_utmp_only(pid_t, const char *, const char *, const char *, diff --git a/crypto/openssh/survey.sh.in b/crypto/openssh/survey.sh.in new file mode 100644 index 000000000..d6075a6b3 --- /dev/null +++ b/crypto/openssh/survey.sh.in @@ -0,0 +1,69 @@ +#!/bin/sh +# +# Copyright (c) 2004, 2005 Darren Tucker +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +host="@host@" +AWK="@AWK@" +CC="@CC@" +CPP="@CPP@" +CFLAGS="@CFLAGS@" +CPPFLAGS="@CPPFLAGS@" +LDFLAGS="@LDFLAGS@" +LIBS="@LIBS@" + +# Note format: +# identifier: [data] CRCR + +echo "openssh-survey-version: 1" +echo +echo "openssh-version: `./ssh -V 2>&1`" +echo +configinv=`$AWK '/^ \\\$.*configure/' config.log | sed 's/^ \\\$ //g'` +echo "configure-invocation: $configinv" +echo +echo "host: $host" +echo +echo "uname: `uname`" +echo +echo "uname-r: `uname -r`" +echo +echo "uname-m: `uname -m`" +echo +echo "uname-p: `uname -p`" +echo +echo "oslevel: `oslevel 2>/dev/null`" +echo +echo "oslevel-r: `oslevel -r 2>/dev/null`" +echo +echo "cc: $CC" +echo +echo "cflags: $CFLAGS" +echo +echo "cppflags: $CPPFLAGS" +echo +echo "ldflags: $LDFLAGS" +echo +echo "libs: $LIBS" +echo +echo "ccver-v: `$CC -v 2>&1 | sed '/^[ \t]*$/d'`" +echo +echo "ccver-V: `$CC -V 2>&1 | sed '/^[ \t]*$/d'`" +echo +echo "cppdefines:" +${CPP} -dM - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -20,6 +20,7 @@ #include #include #include +#include #include @@ -90,8 +91,7 @@ temporarily_use_uid(struct passwd *pw) if (getgroups(saved_egroupslen, saved_egroups) < 0) fatal("getgroups: %.100s", strerror(errno)); } else { /* saved_egroupslen == 0 */ - if (saved_egroups != NULL) - xfree(saved_egroups); + free(saved_egroups); } /* set and save the user's groups */ @@ -109,8 +109,7 @@ temporarily_use_uid(struct passwd *pw) if (getgroups(user_groupslen, user_groups) < 0) fatal("getgroups: %.100s", strerror(errno)); } else { /* user_groupslen == 0 */ - if (user_groups) - xfree(user_groups); + free(user_groups); } } /* Set the effective uid to the given (unprivileged) uid. */ @@ -135,7 +134,9 @@ temporarily_use_uid(struct passwd *pw) void permanently_drop_suid(uid_t uid) { +#ifndef HAVE_CYGWIN uid_t old_uid = getuid(); +#endif debug("permanently_drop_suid: %u", (u_int)uid); if (setresuid(uid, uid, uid) < 0) @@ -198,8 +199,10 @@ restore_uid(void) void permanently_set_uid(struct passwd *pw) { +#ifndef HAVE_CYGWIN uid_t old_uid = getuid(); gid_t old_gid = getgid(); +#endif if (pw == NULL) fatal("permanently_set_uid: no user given"); diff --git a/crypto/openssh/umac.c b/crypto/openssh/umac.c index 0567c37f9..0c62145fa 100644 --- a/crypto/openssh/umac.c +++ b/crypto/openssh/umac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.c,v 1.4 2011/10/19 10:39:48 djm Exp $ */ +/* $OpenBSD: umac.c,v 1.8 2013/11/08 00:39:15 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.c -- C Implementation UMAC Message Authentication @@ -132,13 +132,13 @@ typedef unsigned int UWORD; /* Register */ /* ---------------------------------------------------------------------- */ #if HAVE_SWAP32 -#define LOAD_UINT32_REVERSED(p) (swap32(*(UINT32 *)(p))) +#define LOAD_UINT32_REVERSED(p) (swap32(*(const UINT32 *)(p))) #define STORE_UINT32_REVERSED(p,v) (*(UINT32 *)(p) = swap32(v)) #else /* HAVE_SWAP32 */ -static UINT32 LOAD_UINT32_REVERSED(void *ptr) +static UINT32 LOAD_UINT32_REVERSED(const void *ptr) { - UINT32 temp = *(UINT32 *)ptr; + UINT32 temp = *(const UINT32 *)ptr; temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 ) | ((temp & 0x0000FF00) << 8 ) | (temp << 24); return (UINT32)temp; @@ -159,7 +159,7 @@ static void STORE_UINT32_REVERSED(void *ptr, UINT32 x) */ #if (__LITTLE_ENDIAN__) -#define LOAD_UINT32_LITTLE(ptr) (*(UINT32 *)(ptr)) +#define LOAD_UINT32_LITTLE(ptr) (*(const UINT32 *)(ptr)) #define STORE_UINT32_BIG(ptr,x) STORE_UINT32_REVERSED(ptr,x) #else #define LOAD_UINT32_LITTLE(ptr) LOAD_UINT32_REVERSED(ptr) @@ -184,7 +184,7 @@ typedef AES_KEY aes_int_key[1]; #define aes_encryption(in,out,int_key) \ AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key) #define aes_key_setup(key,int_key) \ - AES_set_encrypt_key((u_char *)(key),UMAC_KEY_LEN*8,int_key) + AES_set_encrypt_key((const u_char *)(key),UMAC_KEY_LEN*8,int_key) /* The user-supplied UMAC key is stretched using AES in a counter * mode to supply all random bits needed by UMAC. The kdf function takes @@ -240,7 +240,7 @@ static void pdf_init(pdf_ctx *pc, aes_int_key prf_key) aes_encryption(pc->nonce, pc->cache, pc->prf_key); } -static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) +static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8]) { /* 'ndx' indicates that we'll be using the 0th or 1st eight bytes * of the AES output. If last time around we returned the ndx-1st @@ -254,19 +254,21 @@ static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) #elif (UMAC_OUTPUT_LEN > 8) #define LOW_BIT_MASK 0 #endif - - UINT8 tmp_nonce_lo[4]; + union { + UINT8 tmp_nonce_lo[4]; + UINT32 align; + } t; #if LOW_BIT_MASK != 0 int ndx = nonce[7] & LOW_BIT_MASK; #endif - *(UINT32 *)tmp_nonce_lo = ((UINT32 *)nonce)[1]; - tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ + *(UINT32 *)t.tmp_nonce_lo = ((const UINT32 *)nonce)[1]; + t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ - if ( (((UINT32 *)tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || - (((UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) + if ( (((UINT32 *)t.tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || + (((const UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) { - ((UINT32 *)pc->nonce)[0] = ((UINT32 *)nonce)[0]; - ((UINT32 *)pc->nonce)[1] = ((UINT32 *)tmp_nonce_lo)[0]; + ((UINT32 *)pc->nonce)[0] = ((const UINT32 *)nonce)[0]; + ((UINT32 *)pc->nonce)[1] = ((UINT32 *)t.tmp_nonce_lo)[0]; aes_encryption(pc->nonce, pc->cache, pc->prf_key); } @@ -333,7 +335,7 @@ typedef struct { #if (UMAC_OUTPUT_LEN == 4) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* NH hashing primitive. Previous (partial) hash result is loaded and * then stored via hp pointer. The length of the data pointed at by "dp", * "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key @@ -343,7 +345,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7; @@ -368,7 +370,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) #elif (UMAC_OUTPUT_LEN == 8) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* Same as previous nh_aux, but two streams are handled in one pass, * reading and writing 16 bytes of hash-state per call. */ @@ -376,7 +378,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h1,h2; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7, k8,k9,k10,k11; @@ -415,7 +417,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) #elif (UMAC_OUTPUT_LEN == 12) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* Same as previous nh_aux, but two streams are handled in one pass, * reading and writing 24 bytes of hash-state per call. */ @@ -423,7 +425,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h1,h2,h3; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7, k8,k9,k10,k11,k12,k13,k14,k15; @@ -470,7 +472,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) #elif (UMAC_OUTPUT_LEN == 16) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* Same as previous nh_aux, but two streams are handled in one pass, * reading and writing 24 bytes of hash-state per call. */ @@ -478,7 +480,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h1,h2,h3,h4; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7, k8,k9,k10,k11,k12,k13,k14,k15, @@ -539,7 +541,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) /* ---------------------------------------------------------------------- */ -static void nh_transform(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) +static void nh_transform(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes) /* This function is a wrapper for the primitive NH hash functions. It takes * as argument "hc" the current hash context and a buffer which must be a * multiple of L1_PAD_BOUNDARY. The key passed to nh_aux is offset @@ -614,7 +616,7 @@ static void nh_init(nh_ctx *hc, aes_int_key prf_key) /* ---------------------------------------------------------------------- */ -static void nh_update(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) +static void nh_update(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes) /* Incorporate nbytes of data into a nh_ctx, buffer whatever is not an */ /* even multiple of HASH_BUF_BYTES. */ { @@ -709,7 +711,7 @@ static void nh_final(nh_ctx *hc, UINT8 *result) /* ---------------------------------------------------------------------- */ -static void nh(nh_ctx *hc, UINT8 *buf, UINT32 padded_len, +static void nh(nh_ctx *hc, const UINT8 *buf, UINT32 padded_len, UINT32 unpadded_len, UINT8 *result) /* All-in-one nh_update() and nh_final() equivalent. * Assumes that padded_len is divisible by L1_PAD_BOUNDARY and result is @@ -1047,7 +1049,7 @@ static int uhash_free(uhash_ctx_t ctx) #endif /* ---------------------------------------------------------------------- */ -static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) +static int uhash_update(uhash_ctx_t ctx, const u_char *input, long len) /* Given len bytes of data, we parse it into L1_KEY_LEN chunks and * hash each one with NH, calling the polyhash on each NH output. */ @@ -1057,7 +1059,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) UINT8 *nh_result = (UINT8 *)&result_buf; if (ctx->msg_len + len <= L1_KEY_LEN) { - nh_update(&ctx->hash, (UINT8 *)input, len); + nh_update(&ctx->hash, (const UINT8 *)input, len); ctx->msg_len += len; } else { @@ -1072,7 +1074,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) /* bytes to complete the current nh_block. */ if (bytes_hashed) { bytes_remaining = (L1_KEY_LEN - bytes_hashed); - nh_update(&ctx->hash, (UINT8 *)input, bytes_remaining); + nh_update(&ctx->hash, (const UINT8 *)input, bytes_remaining); nh_final(&ctx->hash, nh_result); ctx->msg_len += bytes_remaining; poly_hash(ctx,(UINT32 *)nh_result); @@ -1082,7 +1084,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) /* Hash directly from input stream if enough bytes */ while (len >= L1_KEY_LEN) { - nh(&ctx->hash, (UINT8 *)input, L1_KEY_LEN, + nh(&ctx->hash, (const UINT8 *)input, L1_KEY_LEN, L1_KEY_LEN, nh_result); ctx->msg_len += L1_KEY_LEN; len -= L1_KEY_LEN; @@ -1093,7 +1095,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) /* pass remaining < L1_KEY_LEN bytes of input data to NH */ if (len) { - nh_update(&ctx->hash, (UINT8 *)input, len); + nh_update(&ctx->hash, (const UINT8 *)input, len); ctx->msg_len += len; } } @@ -1209,14 +1211,14 @@ int umac_delete(struct umac_ctx *ctx) if (ctx) { if (ALLOC_BOUNDARY) ctx = (struct umac_ctx *)ctx->free_ptr; - xfree(ctx); + free(ctx); } return (1); } /* ---------------------------------------------------------------------- */ -struct umac_ctx *umac_new(u_char key[]) +struct umac_ctx *umac_new(const u_char key[]) /* Dynamically allocate a umac_ctx struct, initialize variables, * generate subkeys from key. Align to 16-byte boundary. */ @@ -1225,7 +1227,7 @@ struct umac_ctx *umac_new(u_char key[]) size_t bytes_to_add; aes_int_key prf_key; - octx = ctx = xmalloc(sizeof(*ctx) + ALLOC_BOUNDARY); + octx = ctx = xcalloc(1, sizeof(*ctx) + ALLOC_BOUNDARY); if (ctx) { if (ALLOC_BOUNDARY) { bytes_to_add = ALLOC_BOUNDARY - @@ -1233,7 +1235,7 @@ struct umac_ctx *umac_new(u_char key[]) ctx = (struct umac_ctx *)((u_char *)ctx + bytes_to_add); } ctx->free_ptr = octx; - aes_key_setup(key,prf_key); + aes_key_setup(key, prf_key); pdf_init(&ctx->pdf, prf_key); uhash_init(&ctx->hash, prf_key); } @@ -1243,18 +1245,18 @@ struct umac_ctx *umac_new(u_char key[]) /* ---------------------------------------------------------------------- */ -int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]) +int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]) /* Incorporate any pending data, pad, and generate tag */ { uhash_final(&ctx->hash, (u_char *)tag); - pdf_gen_xor(&ctx->pdf, (UINT8 *)nonce, (UINT8 *)tag); + pdf_gen_xor(&ctx->pdf, (const UINT8 *)nonce, (UINT8 *)tag); return (1); } /* ---------------------------------------------------------------------- */ -int umac_update(struct umac_ctx *ctx, u_char *input, long len) +int umac_update(struct umac_ctx *ctx, const u_char *input, long len) /* Given len bytes of data, we parse it into L1_KEY_LEN chunks and */ /* hash each one, calling the PDF on the hashed output whenever the hash- */ /* output buffer is full. */ diff --git a/crypto/openssh/umac.h b/crypto/openssh/umac.h index 6795112a3..7fb770f8a 100644 --- a/crypto/openssh/umac.h +++ b/crypto/openssh/umac.h @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */ +/* $OpenBSD: umac.h,v 1.3 2013/07/22 12:20:02 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.h -- C Implementation UMAC Message Authentication @@ -52,7 +52,7 @@ extern "C" { #endif -struct umac_ctx *umac_new(u_char key[]); +struct umac_ctx *umac_new(const u_char key[]); /* Dynamically allocate a umac_ctx struct, initialize variables, * generate subkeys from key. */ @@ -62,10 +62,10 @@ int umac_reset(struct umac_ctx *ctx); /* Reset a umac_ctx to begin authenicating a new message */ #endif -int umac_update(struct umac_ctx *ctx, u_char *input, long len); +int umac_update(struct umac_ctx *ctx, const u_char *input, long len); /* Incorporate len bytes pointed to by input into context ctx */ -int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); +int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]); /* Incorporate any pending data and the ctr value, and return tag. * This function returns error code if ctr < 0. */ @@ -117,9 +117,9 @@ int uhash(uhash_ctx_t ctx, #endif /* matching umac-128 API, we reuse umac_ctx, since it's opaque */ -struct umac_ctx *umac128_new(u_char key[]); -int umac128_update(struct umac_ctx *ctx, u_char *input, long len); -int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); +struct umac_ctx *umac128_new(const u_char key[]); +int umac128_update(struct umac_ctx *ctx, const u_char *input, long len); +int umac128_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]); int umac128_delete(struct umac_ctx *ctx); #ifdef __cplusplus diff --git a/crypto/openssh/umac128.c b/crypto/openssh/umac128.c index b0fc8e987..7a439e4e2 100644 --- a/crypto/openssh/umac128.c +++ b/crypto/openssh/umac128.c @@ -1,11 +1,13 @@ /* $FreeBSD$ */ #define UMAC_OUTPUT_LEN 16 +#undef umac_ctx +#define umac_ctx umac128_ctx #undef umac_new -#define umac_new ssh_umac128_new +#define umac_new umac128_new #undef umac_update -#define umac_update ssh_umac128_update +#define umac_update umac128_update #undef umac_final -#define umac_final ssh_umac128_final +#define umac_final umac128_final #undef umac_delete -#define umac_delete ssh_umac128_delete +#define umac_delete umac128_delete #include "umac.c" diff --git a/crypto/openssh/uuencode.c b/crypto/openssh/uuencode.c index 09d80d2fc..294c74304 100644 --- a/crypto/openssh/uuencode.c +++ b/crypto/openssh/uuencode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uuencode.c,v 1.26 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: uuencode.c,v 1.27 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -29,6 +29,7 @@ #include #include #include +#include #include "xmalloc.h" #include "uuencode.h" @@ -67,7 +68,7 @@ uudecode(const char *src, u_char *target, size_t targsize) /* and remove trailing whitespace because __b64_pton needs this */ *p = '\0'; len = __b64_pton(encoded, target, targsize); - xfree(encoded); + free(encoded); return len; } @@ -90,5 +91,5 @@ dump_base64(FILE *fp, const u_char *data, u_int len) } if (i % 70 != 69) fprintf(fp, "\n"); - xfree(buf); + free(buf); } diff --git a/crypto/openssh/verify.c b/crypto/openssh/verify.c new file mode 100644 index 000000000..1671a4132 --- /dev/null +++ b/crypto/openssh/verify.c @@ -0,0 +1,49 @@ +/* $OpenBSD: verify.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */ + +/* + * Public Domain, Author: Daniel J. Bernstein + * Copied from nacl-20110221/crypto_verify/32/ref/verify.c + */ + +#include "includes.h" + +#include "crypto_api.h" + +int crypto_verify_32(const unsigned char *x,const unsigned char *y) +{ + unsigned int differentbits = 0; +#define F(i) differentbits |= x[i] ^ y[i]; + F(0) + F(1) + F(2) + F(3) + F(4) + F(5) + F(6) + F(7) + F(8) + F(9) + F(10) + F(11) + F(12) + F(13) + F(14) + F(15) + F(16) + F(17) + F(18) + F(19) + F(20) + F(21) + F(22) + F(23) + F(24) + F(25) + F(26) + F(27) + F(28) + F(29) + F(30) + F(31) + return (1 & ((differentbits - 1) >> 8)) - 1; +} diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h index 8c6865e5a..adad6a769 100644 --- a/crypto/openssh/version.h +++ b/crypto/openssh/version.h @@ -1,10 +1,10 @@ -/* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */ +/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ /* $FreeBSD$ */ -#define SSH_VERSION "OpenSSH_6.2" +#define SSH_VERSION "OpenSSH_6.6" -#define SSH_PORTABLE "p2" +#define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -#define SSH_VERSION_FREEBSD "FreeBSD-20130515" +#define SSH_VERSION_FREEBSD "FreeBSD-20140324" #define SSH_VERSION_HPN "_hpn13v11" diff --git a/crypto/openssh/xmalloc.c b/crypto/openssh/xmalloc.c index 9985b4cc2..2f1cd2306 100644 --- a/crypto/openssh/xmalloc.c +++ b/crypto/openssh/xmalloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: xmalloc.c,v 1.29 2014/01/04 17:50:55 tedu Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -33,7 +33,7 @@ xmalloc(size_t size) fatal("xmalloc: zero size"); ptr = malloc(size); if (ptr == NULL) - fatal("xmalloc: out of memory (allocating %lu bytes)", (u_long) size); + fatal("xmalloc: out of memory (allocating %zu bytes)", size); return ptr; } @@ -48,8 +48,8 @@ xcalloc(size_t nmemb, size_t size) fatal("xcalloc: nmemb * size > SIZE_T_MAX"); ptr = calloc(nmemb, size); if (ptr == NULL) - fatal("xcalloc: out of memory (allocating %lu bytes)", - (u_long)(size * nmemb)); + fatal("xcalloc: out of memory (allocating %zu bytes)", + size * nmemb); return ptr; } @@ -68,19 +68,11 @@ xrealloc(void *ptr, size_t nmemb, size_t size) else new_ptr = realloc(ptr, new_size); if (new_ptr == NULL) - fatal("xrealloc: out of memory (new_size %lu bytes)", - (u_long) new_size); + fatal("xrealloc: out of memory (new_size %zu bytes)", + new_size); return new_ptr; } -void -xfree(void *ptr) -{ - if (ptr == NULL) - fatal("xfree: NULL pointer given as argument"); - free(ptr); -} - char * xstrdup(const char *str) { diff --git a/crypto/openssh/xmalloc.h b/crypto/openssh/xmalloc.h index fb217a45c..261dfd612 100644 --- a/crypto/openssh/xmalloc.h +++ b/crypto/openssh/xmalloc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: xmalloc.h,v 1.14 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen @@ -19,7 +19,6 @@ void *xmalloc(size_t); void *xcalloc(size_t, size_t); void *xrealloc(void *, size_t, size_t); -void xfree(void *); char *xstrdup(const char *); int xasprintf(char **, const char *, ...) __attribute__((__format__ (printf, 2, 3))) diff --git a/etc/rc.d/sshd b/etc/rc.d/sshd index 490a1c719..9f747164f 100755 --- a/etc/rc.d/sshd +++ b/etc/rc.d/sshd @@ -14,80 +14,61 @@ rcvar="sshd_enable" command="/usr/sbin/${name}" keygen_cmd="sshd_keygen" start_precmd="sshd_precmd" -reload_precmd="sshd_precmd" -restart_precmd="sshd_precmd" +reload_precmd="sshd_configtest" +restart_precmd="sshd_configtest" configtest_cmd="sshd_configtest" pidfile="/var/run/${name}.pid" extra_commands="configtest keygen reload" -timeout=300 +: ${sshd_rsa1_enable:="yes"} +: ${sshd_rsa_enable:="yes"} +: ${sshd_dsa_enable:="yes"} +: ${sshd_ecdsa_enable:="yes"} +: ${sshd_ed25519_enable:="yes"} -user_reseed() +sshd_keygen_alg() { - ( - seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null` - if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then - warn "Setting entropy source to blocking mode." - echo "====================================================" - echo "Type a full screenful of random junk to unblock" - echo "it and remember to finish with . This will" - echo "timeout in ${timeout} seconds, but waiting for" - echo "the timeout without typing junk may make the" - echo "entropy source deliver predictable output." - echo "" - echo "Just hit for fast+insecure startup." - echo "====================================================" - sysctl kern.random.sys.seeded=0 2>/dev/null - read -t ${timeout} junk - echo "${junk}" `sysctl -a` `date` > /dev/random + local alg=$1 + local ALG="$(echo $alg | tr a-z A-Z)" + local keyfile + + if ! checkyesno "sshd_${alg}_enable" ; then + return 0 fi - ) -} -sshd_keygen() -{ - ( - umask 022 + case $alg in + rsa1) + keyfile="/etc/ssh/ssh_host_key" + ;; + rsa|dsa|ecdsa|ed25519) + keyfile="/etc/ssh/ssh_host_${alg}_key" + ;; + *) + return 1 + ;; + esac - # Can't do anything if ssh is not installed - [ -x /usr/bin/ssh-keygen ] || { + if [ ! -x /usr/bin/ssh-keygen ] ; then warn "/usr/bin/ssh-keygen does not exist." return 1 - } - - if [ -f /etc/ssh/ssh_host_key ]; then - echo "You already have an RSA host key" \ - "in /etc/ssh/ssh_host_key" - echo "Skipping protocol version 1 RSA Key Generation" - else - /usr/bin/ssh-keygen -t rsa1 -b 1024 \ - -f /etc/ssh/ssh_host_key -N '' - fi - - if [ -f /etc/ssh/ssh_host_dsa_key ]; then - echo "You already have a DSA host key" \ - "in /etc/ssh/ssh_host_dsa_key" - echo "Skipping protocol version 2 DSA Key Generation" - else - /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' fi - if [ -f /etc/ssh/ssh_host_rsa_key ]; then - echo "You already have an RSA host key" \ - "in /etc/ssh/ssh_host_rsa_key" - echo "Skipping protocol version 2 RSA Key Generation" + if [ -f "${keyfile}" ] ; then + info "$ALG host key exists." else - /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' + echo "Generating $ALG host key." + /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N "" + /usr/bin/ssh-keygen -l -f "$keyfile.pub" fi +} - if [ -f /etc/ssh/ssh_host_ecdsa_key ]; then - echo "You already have an ECDSA host key" \ - "in /etc/ssh/ssh_host_ecdsa_key" - echo "Skipping protocol version 2 ECDSA Key Generation" - else - /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' - fi - ) +sshd_keygen() +{ + sshd_keygen_alg rsa1 + sshd_keygen_alg rsa + sshd_keygen_alg dsa + sshd_keygen_alg ecdsa + sshd_keygen_alg ed25519 } sshd_configtest() @@ -98,14 +79,8 @@ sshd_configtest() sshd_precmd() { - if [ ! -f /etc/ssh/ssh_host_key -o \ - ! -f /etc/ssh/ssh_host_dsa_key -o \ - ! -f /etc/ssh/ssh_host_ecdsa_key -o \ - ! -f /etc/ssh/ssh_host_rsa_key ]; then - user_reseed - run_rc_command keygen - fi - sshd_configtest + run_rc_command keygen + run_rc_command configtest } load_rc_config $name diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile index 3d30a18de..84e18cba4 100644 --- a/secure/lib/libssh/Makefile +++ b/secure/lib/libssh/Makefile @@ -9,32 +9,31 @@ SRCS= authfd.c authfile.c bufaux.c bufbn.c buffer.c \ canohost.c channels.c cipher.c cipher-aes.c \ cipher-bf1.c cipher-ctr.c cipher-3des1.c cleanup.c \ compat.c compress.c crc32.c deattack.c fatal.c hostfile.c \ - krl.c log.c match.c md-sha256.c moduli.c nchan.c packet.c \ + log.c match.c md-sha256.c moduli.c nchan.c packet.c \ readpass.c rsa.c ttymodes.c xmalloc.c addrmatch.c \ atomicio.c key.c dispatch.c kex.c mac.c uidswap.c uuencode.c misc.c \ monitor_fdpass.c rijndael.c ssh-dss.c ssh-ecdsa.c ssh-rsa.c dh.c \ kexdh.c kexgex.c kexdhc.c kexgexc.c bufec.c kexecdh.c kexecdhc.c \ - msg.c progressmeter.c dns.c entropy.c umac.c umac128.c jpake.c \ - schnorr.c ssh-pkcs11.c + msg.c progressmeter.c dns.c entropy.c umac.c umac128.c \ + ssh-pkcs11.c krl.c smult_curve25519_ref.c \ + kexc25519.c kexc25519c.c poly1305.c chacha.c cipher-chachapoly.c \ + ssh-ed25519.c digest-openssl.c hmac.c \ + sc25519.c ge25519.c fe25519.c ed25519.c verify.c hash.c blocks.c # gss-genr.c should be in $SRCS but causes linking problems, so it is # compiled directly into sshd instead. # Portability layer -SRCS+= bsd-misc.c fmt_scaled.c getrrsetbyname.c glob.c \ - openssl-compat.c port-tun.c strtonum.c timingsafe_bcmp.c \ - vis.c xcrypt.c xmmap.c +SRCS+= bcrypt_pbkdf.c blowfish.c bsd-misc.c explicit_bzero.c fmt_scaled.c \ + glob.c openssl-compat.c port-tun.c strtonum.c timingsafe_bcmp.c \ + vis.c xcrypt.c xmmap.c getrrsetbyname.c -.if defined(COMPAT_GETADDRINFO) -SRCS+= getaddrinfo.c getnameinfo.c name6.c rcmd.c bindresvport.c -.endif +SRCS+= getrrsetbyname.c CFLAGS+= -I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBZ} -LDADD= -lz .if ${MK_KERBEROS_SUPPORT} != "no" -CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL +CFLAGS+= -include krb5_config.h DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBCOM_ERR} ${LIBMD} ${LIBROKEN} LDADD+= -lgssapi -lkrb5 -lhx509 -lasn1 -lcom_err -lmd -lroken .endif @@ -45,11 +44,14 @@ CFLAGS+= -DNONE_CIPHER_ENABLED NO_LINT= -DPADD+= ${LIBCRYPTO} ${LIBCRYPT} -LDADD+= -lcrypto -lcrypt +DPADD+= ${LIBCRYPTO} ${LIBCRYPT} ${LIBZ} +LDADD+= -lcrypto -lcrypt -lz .include .PATH: ${SSHDIR} ${SSHDIR}/openbsd-compat ${OBJS} ${POBJS} ${SOBJS}: ssh_namespace.h +.if ${MK_KERBEROS_SUPPORT} != "no" +${OBJS} ${POBJS} ${SOBJS}: krb5_config.h +.endif diff --git a/secure/libexec/sftp-server/Makefile b/secure/libexec/sftp-server/Makefile index 3755c986d..526312911 100644 --- a/secure/libexec/sftp-server/Makefile +++ b/secure/libexec/sftp-server/Makefile @@ -1,17 +1,24 @@ # $FreeBSD$ +.include + PROG= sftp-server SRCS= sftp-server.c sftp-common.c sftp-server-main.c MAN= sftp-server.8 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/libexec/ssh-keysign/Makefile b/secure/libexec/ssh-keysign/Makefile index 66528e3ff..c8125e01f 100644 --- a/secure/libexec/ssh-keysign/Makefile +++ b/secure/libexec/ssh-keysign/Makefile @@ -1,15 +1,20 @@ # $FreeBSD$ +.include + PROG= ssh-keysign -SRCS= ssh-keysign.c readconf.c roaming_dummy.c +SRCS= ssh-keysign.c roaming_dummy.c readconf.c MAN= ssh-keysign.8 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h BINMODE=4555 -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/libexec/ssh-pkcs11-helper/Makefile b/secure/libexec/ssh-pkcs11-helper/Makefile index ec57a613b..4adb1bc6c 100644 --- a/secure/libexec/ssh-pkcs11-helper/Makefile +++ b/secure/libexec/ssh-pkcs11-helper/Makefile @@ -1,15 +1,24 @@ # $FreeBSD$ +.include + PROG= ssh-pkcs11-helper SRCS= ssh-pkcs11.c ssh-pkcs11-helper.c -SRCS+= roaming_dummy.c MAN= ssh-pkcs11-helper.8 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh +SRCS+= roaming_dummy.c +.endif + +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/scp/Makefile b/secure/usr.bin/scp/Makefile index fe248ab76..d7c5cec75 100644 --- a/secure/usr.bin/scp/Makefile +++ b/secure/usr.bin/scp/Makefile @@ -1,16 +1,23 @@ # $FreeBSD$ +.include + PROG= scp SRCS= scp.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +.if !defined(NO_SHARED) # required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/sftp/Makefile b/secure/usr.bin/sftp/Makefile index 8164dac7b..35f7fa1a0 100644 --- a/secure/usr.bin/sftp/Makefile +++ b/secure/usr.bin/sftp/Makefile @@ -1,16 +1,23 @@ # $FreeBSD$ +.include + PROG= sftp SRCS= sftp.c sftp-client.c sftp-common.c sftp-glob.c progressmeter.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} ${LIBEDIT} ${LIBNCURSES} -LDADD= -lssh -lcrypt -lcrypto -lz -ledit -lncurses +DPADD= ${LIBSSH} ${LIBEDIT} ${LIBNCURSES} +LDADD= -lssh -ledit -lncurses USEPRIVATELIB= ssh +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-add/Makefile b/secure/usr.bin/ssh-add/Makefile index cb14ce6c8..05d429b5d 100644 --- a/secure/usr.bin/ssh-add/Makefile +++ b/secure/usr.bin/ssh-add/Makefile @@ -1,16 +1,23 @@ # $FreeBSD$ +.include + PROG= ssh-add SRCS+= ssh-add.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-agent/Makefile b/secure/usr.bin/ssh-agent/Makefile index 29620d186..cbc4eb813 100644 --- a/secure/usr.bin/ssh-agent/Makefile +++ b/secure/usr.bin/ssh-agent/Makefile @@ -1,16 +1,23 @@ # $FreeBSD$ +.include + PROG= ssh-agent SRCS= ssh-agent.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile index 48e486e57..4fb27e296 100644 --- a/secure/usr.bin/ssh-keygen/Makefile +++ b/secure/usr.bin/ssh-keygen/Makefile @@ -1,16 +1,23 @@ # $FreeBSD$ +.include + PROG= ssh-keygen SRCS= ssh-keygen.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh -SRCS+= roaming_dummy.c +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh +SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-keyscan/Makefile b/secure/usr.bin/ssh-keyscan/Makefile index cc82d07e1..87a8d46cd 100644 --- a/secure/usr.bin/ssh-keyscan/Makefile +++ b/secure/usr.bin/ssh-keyscan/Makefile @@ -1,13 +1,18 @@ # $FreeBSD$ +.include + PROG= ssh-keyscan SRCS= ssh-keyscan.c roaming_dummy.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile index a5e580879..f59d82c39 100644 --- a/secure/usr.bin/ssh/Makefile +++ b/secure/usr.bin/ssh/Makefile @@ -1,5 +1,4 @@ # $FreeBSD$ -# .include @@ -16,12 +15,12 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \ # gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile SRCS+= gss-genr.c -DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ} -LDADD= -lssh -lutil -lz +DPADD= ${LIBSSH} ${LIBUTIL} +LDADD= -lssh -lutil USEPRIVATELIB= ssh .if ${MK_KERBEROS_SUPPORT} != "no" -CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL +CFLAGS+= -include krb5_config.h DPADD+= ${LIBGSSAPI} LDADD+= -lgssapi .endif @@ -30,8 +29,8 @@ LDADD+= -lgssapi CFLAGS+= -DNONE_CIPHER_ENABLED .endif -DPADD+= ${LIBCRYPT} ${LIBCRYPTO} -LDADD+= -lcrypt -lcrypto +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz .if defined(LOCALBASE) CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" @@ -42,3 +41,6 @@ CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" .PATH: ${SSHDIR} ${OBJS} ${POBJS} ${SOBJS}: ssh_namespace.h +.if ${MK_KERBEROS_SUPPORT} != "no" +${OBJS} ${POBJS} ${SOBJS}: krb5_config.h +.endif diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile index bb37ae477..eb6fa2dec 100644 --- a/secure/usr.sbin/sshd/Makefile +++ b/secure/usr.sbin/sshd/Makefile @@ -1,5 +1,4 @@ # $FreeBSD$ -# .include @@ -10,14 +9,15 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ auth.c auth1.c auth2.c auth-options.c session.c \ auth-chall.c auth2-chall.c groupaccess.c \ auth-skey.c auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \ - auth2-none.c auth2-passwd.c auth2-pubkey.c auth2-jpake.c \ + auth2-none.c auth2-passwd.c auth2-pubkey.c \ monitor_mm.c monitor.c monitor_wrap.c kexdhs.c kexgexs.c kexecdhs.c \ - auth-krb5.c \ + kexc25519s.c auth-krb5.c \ auth2-gss.c gss-serv.c gss-serv-krb5.c \ loginrec.c auth-pam.c auth-shadow.c auth-sia.c md5crypt.c \ sftp-server.c sftp-common.c \ roaming_common.c roaming_serv.c \ - sandbox-null.c sandbox-rlimit.c sandbox-systrace.c sandbox-darwin.c + sandbox-null.c sandbox-rlimit.c sandbox-systrace.c sandbox-darwin.c \ + sandbox-seccomp-filter.c sandbox-capsicum.c # gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile SRCS+= gss-genr.c @@ -25,8 +25,8 @@ SRCS+= gss-genr.c MAN= sshd.8 sshd_config.5 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPAM} -LDADD= -lssh -lutil -lz -lwrap ${MINUSLPAM} +DPADD= ${LIBSSH} ${LIBUTIL} ${LIBWRAP} ${LIBPAM} +LDADD= -lssh -lutil -lwrap ${MINUSLPAM} USEPRIVATELIB= ssh .if ${MK_AUDIT} != "no" @@ -36,17 +36,19 @@ LDADD+= -lbsm .endif .if ${MK_KERBEROS_SUPPORT} != "no" -CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1 -DKRB5 -DHEIMDAL -DPADD+= ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} -LDADD+= -lgssapi_krb5 -lgssapi -lkrb5 -lasn1 +CFLAGS+= -include krb5_config.h +DPADD+= ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} \ + ${LIBCOM_ERR} ${LIBROKEN} +LDADD+= -lgssapi_krb5 -lgssapi -lkrb5 -lhx509 -lasn1 \ + -lcom_err -lroken .endif .if ${MK_OPENSSH_NONE_CIPHER} != "no" CFLAGS+= -DNONE_CIPHER_ENABLED .endif -DPADD+= ${LIBCRYPTO} ${LIBCRYPT} -LDADD+= -lcrypto -lcrypt +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz .if defined(LOCALBASE) CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" @@ -57,3 +59,6 @@ CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" .PATH: ${SSHDIR} ${OBJS} ${POBJS} ${SOBJS}: ssh_namespace.h +.if ${MK_KERBEROS_SUPPORT} != "no" +${OBJS} ${POBJS} ${SOBJS}: krb5_config.h +.endif -- 2.45.0