[src/trunk]: src/crypto/external/bsd/openssh/dist merge OpenSSH 6.0
details: https://anonhg.NetBSD.org/src/rev/67ffb84f2f1d
branches: trunk
changeset: 779093:67ffb84f2f1d
user: christos <christos%NetBSD.org@localhost>
date: Wed May 02 02:41:08 2012 +0000
description:
merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like
"PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the
multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host"
to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before
using it to extract xauth data so that it can't be used to play local
shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): suppress adding '--' to remote commandlines when the first
argument does not start with '-'. saves breakage on some
difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class,
but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during
rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already
closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files;
bz#1683
* Fixed a number of memory and file descriptor leaks
diffstat:
crypto/external/bsd/openssh/dist/PROTOCOL.mux | 4 +-
crypto/external/bsd/openssh/dist/auth-options.c | 22 +-
crypto/external/bsd/openssh/dist/auth2-pubkey.c | 11 +-
crypto/external/bsd/openssh/dist/auth2.c | 8 +-
crypto/external/bsd/openssh/dist/authfile.c | 8 +-
crypto/external/bsd/openssh/dist/channels.c | 258 +++++++++++++-----
crypto/external/bsd/openssh/dist/channels.h | 12 +-
crypto/external/bsd/openssh/dist/clientloop.c | 58 +++-
crypto/external/bsd/openssh/dist/clientloop.h | 5 +-
crypto/external/bsd/openssh/dist/compat.c | 7 +-
crypto/external/bsd/openssh/dist/compat.h | 9 +-
crypto/external/bsd/openssh/dist/dh.c | 8 +-
crypto/external/bsd/openssh/dist/key.c | 11 +-
crypto/external/bsd/openssh/dist/mac.c | 7 +-
crypto/external/bsd/openssh/dist/misc.c | 8 +-
crypto/external/bsd/openssh/dist/moduli.c | 75 +++++-
crypto/external/bsd/openssh/dist/monitor.c | 7 +-
crypto/external/bsd/openssh/dist/mux.c | 125 +++++++--
crypto/external/bsd/openssh/dist/packet.c | 20 +-
crypto/external/bsd/openssh/dist/packet.h | 5 +-
crypto/external/bsd/openssh/dist/readconf.c | 7 +-
crypto/external/bsd/openssh/dist/readconf.h | 5 +-
crypto/external/bsd/openssh/dist/roaming.h | 9 +-
crypto/external/bsd/openssh/dist/roaming_client.c | 8 +-
crypto/external/bsd/openssh/dist/roaming_common.c | 8 +-
crypto/external/bsd/openssh/dist/scp.1 | 10 +-
crypto/external/bsd/openssh/dist/scp.c | 18 +-
crypto/external/bsd/openssh/dist/servconf.c | 8 +-
crypto/external/bsd/openssh/dist/session.c | 8 +-
crypto/external/bsd/openssh/dist/sftp-client.c | 22 +-
crypto/external/bsd/openssh/dist/sftp-glob.c | 10 +-
crypto/external/bsd/openssh/dist/sftp.1 | 8 +-
crypto/external/bsd/openssh/dist/sftp.c | 13 +-
crypto/external/bsd/openssh/dist/ssh-add.1 | 12 +-
crypto/external/bsd/openssh/dist/ssh-add.c | 35 +-
crypto/external/bsd/openssh/dist/ssh-ecdsa.c | 7 +-
crypto/external/bsd/openssh/dist/ssh-keygen.1 | 17 +-
crypto/external/bsd/openssh/dist/ssh-keygen.c | 20 +-
crypto/external/bsd/openssh/dist/ssh-pkcs11-client.c | 7 +-
crypto/external/bsd/openssh/dist/ssh.1 | 26 +-
crypto/external/bsd/openssh/dist/ssh.c | 98 ++++---
crypto/external/bsd/openssh/dist/ssh_config.5 | 8 +-
crypto/external/bsd/openssh/dist/sshd.8 | 9 +-
crypto/external/bsd/openssh/dist/sshd.c | 26 +-
crypto/external/bsd/openssh/dist/sshd_config.5 | 8 +-
crypto/external/bsd/openssh/dist/umac.c | 8 +-
crypto/external/bsd/openssh/dist/version.h | 7 +-
47 files changed, 730 insertions(+), 360 deletions(-)
diffs (truncated from 2743 to 300 lines):
diff -r a00c79620c56 -r 67ffb84f2f1d crypto/external/bsd/openssh/dist/PROTOCOL.mux
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.mux Wed May 02 00:55:26 2012 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.mux Wed May 02 02:41:08 2012 +0000
@@ -133,6 +133,7 @@
uint32 MUX_C_CLOSE_FWD
uint32 request id
+ uint32 forwarding type
string listen host
string listen port
string connect host
@@ -219,4 +220,5 @@
XXX send signals via mux
$OpenBSD: PROTOCOL.mux,v 1.7 2011/05/08 12:52:01 djm Exp $
-$NetBSD: PROTOCOL.mux,v 1.3 2011/09/07 17:49:19 christos Exp $
+$OpenBSD: PROTOCOL.mux,v 1.8 2011/09/09 00:44:07 djm Exp $
+$NetBSD: PROTOCOL.mux,v 1.4 2012/05/02 02:41:08 christos Exp $
diff -r a00c79620c56 -r 67ffb84f2f1d crypto/external/bsd/openssh/dist/auth-options.c
--- a/crypto/external/bsd/openssh/dist/auth-options.c Wed May 02 00:55:26 2012 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-options.c Wed May 02 02:41:08 2012 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth-options.c,v 1.4 2011/07/25 03:03:10 christos Exp $ */
-/* $OpenBSD: auth-options.c,v 1.54 2010/12/24 21:41:48 djm Exp $ */
+/* $NetBSD: auth-options.c,v 1.5 2012/05/02 02:41:08 christos Exp $ */
+/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth-options.c,v 1.4 2011/07/25 03:03:10 christos Exp $");
+__RCSID("$NetBSD: auth-options.c,v 1.5 2012/05/02 02:41:08 christos Exp $");
#include <sys/types.h>
#include <sys/queue.h>
@@ -344,7 +344,7 @@
goto bad_option;
}
host = cleanhostname(host);
- if (p == NULL || (port = a2port(p)) <= 0) {
+ if (p == NULL || (port = permitopen_port(p)) < 0) {
debug("%.100s, line %lu: Bad permitopen port "
"<%.100s>", file, linenum, p ? p : "");
auth_debug_add("%.100s, line %lu: "
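Review bot: The rewritten condition in this hunk now accepts a zero return from permitopen_port(), where the old `a2port(p) <= 0` rejected it, and nothing at the call site says why; presumably permitopen_port() maps the `"*"` wildcard to 0 (channels.c in this same commit introduces `FWD_PERMIT_ANY_PORT 0`), but its definition is not in this hunk so that should be confirmed. A one-line comment above the `if` would stop the next reader from "fixing" the comparison back to `<= 0`: `/* 0 == FWD_PERMIT_ANY_PORT ("*"); only a negative value is a parse error */`. The enclosing function starts and ends outside the hunk.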
@@ -455,10 +455,6 @@
buffer_append(&data, data_blob, dlen);
debug3("found certificate option \"%.100s\" len %u",
name, dlen);
- if (strlen(name) != nlen) {
- error("Certificate constraint name contains \\0");
- goto out;
- }
found = 0;
if ((which & OPTIONS_EXTENSIONS) != 0) {
if (strcmp(name, "permit-X11-forwarding") == 0) {
@@ -488,11 +484,6 @@
"corrupt", name);
goto out;
}
- if (strlen(command) != clen) {
- error("force-command constraint "
- "contains \\0");
- goto out;
- }
if (*cert_forced_command != NULL) {
error("Certificate has multiple "
"force-command options");
@@ -509,11 +500,6 @@
"\"%s\" corrupt", name);
goto out;
}
- if (strlen(allowed) != clen) {
- error("source-address constraint "
- "contains \\0");
- goto out;
- }
if ((*cert_source_address_done)++) {
error("Certificate has multiple "
"source-address options");
diff -r a00c79620c56 -r 67ffb84f2f1d crypto/external/bsd/openssh/dist/auth2-pubkey.c
--- a/crypto/external/bsd/openssh/dist/auth2-pubkey.c Wed May 02 00:55:26 2012 +0000
+++ b/crypto/external/bsd/openssh/dist/auth2-pubkey.c Wed May 02 02:41:08 2012 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth2-pubkey.c,v 1.6 2011/09/07 17:49:19 christos Exp $ */
-/* $OpenBSD: auth2-pubkey.c,v 1.29 2011/05/23 03:30:07 djm Exp $ */
+/* $NetBSD: auth2-pubkey.c,v 1.7 2012/05/02 02:41:08 christos Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.30 2011/09/25 05:44:47 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth2-pubkey.c,v 1.6 2011/09/07 17:49:19 christos Exp $");
+__RCSID("$NetBSD: auth2-pubkey.c,v 1.7 2012/05/02 02:41:08 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
@@ -243,8 +243,9 @@
}
for (i = 0; i < cert->nprincipals; i++) {
if (strcmp(cp, cert->principals[i]) == 0) {
- debug3("matched principal from file \"%.100s\"",
- cert->principals[i]);
+ debug3("matched principal \"%.100s\" "
+ "from file \"%s\" on line %lu",
+ cert->principals[i], file, linenum);
if (auth_parse_options(pw, line_opts,
file, linenum) != 1)
continue;
diff -r a00c79620c56 -r 67ffb84f2f1d crypto/external/bsd/openssh/dist/auth2.c
--- a/crypto/external/bsd/openssh/dist/auth2.c Wed May 02 00:55:26 2012 +0000
+++ b/crypto/external/bsd/openssh/dist/auth2.c Wed May 02 02:41:08 2012 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth2.c,v 1.5 2011/09/07 17:49:19 christos Exp $ */
-/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */
+/* $NetBSD: auth2.c,v 1.6 2012/05/02 02:41:08 christos Exp $ */
+/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth2.c,v 1.5 2011/09/07 17:49:19 christos Exp $");
+__RCSID("$NetBSD: auth2.c,v 1.6 2012/05/02 02:41:08 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/uio.h>
@@ -124,7 +124,7 @@
close(fd);
return (NULL);
}
- if (st.st_size > 1*1024*1024) {
+ if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
close(fd);
return (NULL);
}
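Review bot: The size bound in the new condition is still the bare expression `1*1024*1024`, now sharing a line with the added `<= 0` check, and neither limit is named or commented, so the policy has to be reverse-engineered from the arithmetic. A named constant before the function, e.g. `enum { AUTH_FILE_MAX_SIZE = 1024 * 1024 };`, with `/* reject empty or oversized files */` above the `if`, would document it. The branch also returns NULL without any diagnostic, so an operator with an empty or oversized file gets no hint why it is ignored; a `debug()` there would help unless the enclosing function, which starts outside the hunk, logs this elsewhere.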
diff -r a00c79620c56 -r 67ffb84f2f1d crypto/external/bsd/openssh/dist/authfile.c
--- a/crypto/external/bsd/openssh/dist/authfile.c Wed May 02 00:55:26 2012 +0000
+++ b/crypto/external/bsd/openssh/dist/authfile.c Wed May 02 02:41:08 2012 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: authfile.c,v 1.5 2011/09/07 17:49:19 christos Exp $ */
-/* $OpenBSD: authfile.c,v 1.92 2011/06/14 22:49:18 markus Exp $ */
+/* $NetBSD: authfile.c,v 1.6 2012/05/02 02:41:08 christos Exp $ */
+/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -38,7 +38,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: authfile.c,v 1.5 2011/09/07 17:49:19 christos Exp $");
+__RCSID("$NetBSD: authfile.c,v 1.6 2012/05/02 02:41:08 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>
@@ -331,7 +331,7 @@
filename == NULL ? "" : " ");
return 0;
}
- buffer_init(blob);
+ buffer_clear(blob);
for (;;) {
if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
if (errno == EPIPE)
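Review bot: Replacing `buffer_init(blob)` with `buffer_clear(blob)` changes the function's contract: the caller must now have initialised `blob` before the call (the old code re-initialised it, leaking any storage a caller had already attached), but this new precondition is not written down anywhere visible. Suggest a comment on the function header, which lies outside this hunk: `/* blob must be initialised by the caller; it is cleared here, not re-initialised, and the caller retains ownership */`. Any call site that relied on this function to initialise an uninitialised buffer would now hand garbage to buffer_clear() and the following appends, so each caller is worth a check when this lands.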
diff -r a00c79620c56 -r 67ffb84f2f1d crypto/external/bsd/openssh/dist/channels.c
--- a/crypto/external/bsd/openssh/dist/channels.c Wed May 02 00:55:26 2012 +0000
+++ b/crypto/external/bsd/openssh/dist/channels.c Wed May 02 02:41:08 2012 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: channels.c,v 1.7 2011/09/07 17:49:19 christos Exp $ */
-/* $OpenBSD: channels.c,v 1.311 2011/06/22 22:08:42 djm Exp $ */
+/* $NetBSD: channels.c,v 1.8 2012/05/02 02:41:08 christos Exp $ */
+/* $OpenBSD: channels.c,v 1.315 2011/09/23 07:45:05 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -41,7 +41,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: channels.c,v 1.7 2011/09/07 17:49:19 christos Exp $");
+__RCSID("$NetBSD: channels.c,v 1.8 2012/05/02 02:41:08 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ioctl.h>
@@ -129,6 +129,9 @@
/* Number of permitted host/port pair in the array permitted by the admin. */
static int num_adm_permitted_opens = 0;
+/* special-case port number meaning allow any port */
+#define FWD_PERMIT_ANY_PORT 0
+
/*
* If this is true, all opens are permitted. This is the case on the server
* on which we have to trust the client anyway, and the user could do
@@ -306,6 +309,8 @@
buffer_init(&c->output);
buffer_init(&c->extended);
c->path = NULL;
+ c->listening_addr = NULL;
+ c->listening_port = 0;
c->ostate = CHAN_OUTPUT_OPEN;
c->istate = CHAN_INPUT_OPEN;
c->flags = 0;
@@ -416,6 +421,10 @@
xfree(c->path);
c->path = NULL;
}
+ if (c->listening_addr) {
+ xfree(c->listening_addr);
+ c->listening_addr = NULL;
+ }
while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
if (cc->abandon_cb != NULL)
cc->abandon_cb(c, cc->ctx);
@@ -2657,7 +2666,6 @@
IPv4or6 = af;
}
-
void
channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
{
@@ -2666,6 +2674,45 @@
debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
}
+/*
+ * Determine whether or not a port forward listens to loopback, the
+ * specified address or wildcard. On the client, a specified bind
+ * address will always override gateway_ports. On the server, a
+ * gateway_ports of 1 (``yes'') will override the client's specification
+ * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
+ * will bind to whatever address the client asked for.
+ *
+ * Special-case listen_addrs are:
+ *
+ * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
+ * "" (empty string), "*" -> wildcard v4/v6
+ * "localhost" -> loopback v4/v6
+ */
+static const char *
+channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
+ int is_client, int gateway_ports)
+{
+ const char *addr = NULL;
+ int wildcard = 0;
+
+ if (listen_addr == NULL) {
+ /* No address specified: default to gateway_ports setting */
+ if (gateway_ports)
+ wildcard = 1;
+ } else if (gateway_ports || is_client) {
+ if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
+ strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
+ *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
+ (!is_client && gateway_ports == 1))
+ wildcard = 1;
+ else if (strcmp(listen_addr, "localhost") != 0)
+ addr = listen_addr;
+ }
+ if (wildcardp != NULL)
+ *wildcardp = wildcard;
+ return addr;
+}
+
static int
channel_setup_fwd_listener(int type, const char *listen_addr,
u_short listen_port, int *allocated_listen_port,
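Review bot: The header comment on the new channel_fwd_bind_addr() explains the policy but not the function's outputs: a NULL return means "bind loopback", a non-NULL return is the literal address to bind, and `*wildcardp` (when non-NULL) is set to 1 for a wildcard bind and 0 otherwise. Appending `Returns the address to bind, or NULL for a loopback bind; sets *wildcardp to 1 for a wildcard bind.` to that comment would make the three-way result explicit. On the server with gateway_ports 0 and a client-supplied listen_addr, both outputs fall through to the loopback defaults; that looks intentional, but an explicit `/* server with GatewayPorts no: ignore the client's address, bind loopback */` on the implicit else would record it. channel_setup_fwd_listener() begins at the end of this hunk and continues past it.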
@@ -2691,36 +2738,9 @@
return 0;
}
- /*
- * Determine whether or not a port forward listens to loopback,
- * specified address or wildcard. On the client, a specified bind
- * address will always override gateway_ports. On the server, a
- * gateway_ports of 1 (``yes'') will override the client's
- * specification and force a wildcard bind, whereas a value of 2
- * (``clientspecified'') will bind to whatever address the client
- * asked for.
- *
- * Special-case listen_addrs are:
- *
- * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
- * "" (empty string), "*" -> wildcard v4/v6
- * "localhost" -> loopback v4/v6
- */
- addr = NULL;
- if (listen_addr == NULL) {
- /* No address specified: default to gateway_ports setting */
- if (gateway_ports)
- wildcard = 1;