-rw-r--r--ChangeLog12
-rw-r--r--auth-krb4.c10
-rw-r--r--auth-passwd.c4
-rw-r--r--auth-rh-rsa.c14
-rw-r--r--auth-rhosts.c18
-rw-r--r--auth-rsa.c16
-rw-r--r--auth-skey.c18
-rw-r--r--auth.c62
-rw-r--r--authfd.c24
-rw-r--r--authfd.h22
-rw-r--r--authfile.c14
-rw-r--r--bufaux.c12
-rw-r--r--bufaux.h12
-rw-r--r--buffer.c34
-rw-r--r--canohost.c20
-rw-r--r--channels.c94
-rw-r--r--channels.h6
-rw-r--r--cipher.c34
-rw-r--r--cipher.h24
-rw-r--r--clientloop.c59
-rw-r--r--compat.c6
-rw-r--r--compress.c22
-rw-r--r--compress.h14
-rw-r--r--crc32.h14
-rw-r--r--dispatch.c78
-rw-r--r--dsa.c10
-rw-r--r--getput.h16
-rw-r--r--hostfile.c14
-rw-r--r--hostfile.h2
-rw-r--r--includes.h12
-rw-r--r--kex.c12
-rw-r--r--log-client.c14
-rw-r--r--log-server.c16
-rw-r--r--login.c20
-rw-r--r--match.c16
-rw-r--r--mpaux.c14
-rw-r--r--mpaux.h14
-rw-r--r--nchan.c6
-rw-r--r--packet.c32
-rw-r--r--packet.h29
-rw-r--r--pty.c22
-rw-r--r--pty.h14
-rw-r--r--radix.c12
-rw-r--r--readconf.c26
-rw-r--r--readconf.h22
-rw-r--r--readpass.c4
-rw-r--r--rsa.c30
-rw-r--r--rsa.h14
-rw-r--r--scp.c20
-rw-r--r--servconf.c24
-rw-r--r--servconf.h14
-rw-r--r--serverloop.c46
-rw-r--r--session.c25
-rw-r--r--ssh-agent.c10
-rw-r--r--ssh-keygen.c4
-rw-r--r--ssh.18
-rw-r--r--ssh.c42
-rw-r--r--ssh.h30
-rw-r--r--ssh2.h20
-rw-r--r--sshconnect.c56
-rw-r--r--sshd.c54
-rw-r--r--ttymodes.c10
-rw-r--r--ttymodes.h12
-rw-r--r--uidswap.c8
-rw-r--r--uidswap.h10
-rw-r--r--xmalloc.c4
-rw-r--r--xmalloc.h14
67 files changed, 779 insertions, 646 deletions
diff --git a/ChangeLog b/ChangeLog
index 643a97f0..f23250ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,17 @@
+20000415
+ - OpenBSD CVS updates.
+ [ssh.1 ssh.c]
+ - ssh -2
+ [auth.c channels.c clientloop.c packet.c packet.h serverloop.c]
+ [session.c sshconnect.c]
+ - check payload for (illegal) extra data
+ [ALL]
+ whitespace cleanup
+
20000413
- INSTALL doc updates
- Merged OpenBSD updates to include paths.
-
+
20000412
- OpenBSD CVS updates:
- [channels.c]
diff --git a/auth-krb4.c b/auth-krb4.c
index 7e30646f..a2684271 100644
--- a/auth-krb4.c
+++ b/auth-krb4.c
@@ -19,7 +19,7 @@ extern ServerOptions options;
* return 1 on success, 0 on failure, -1 if krb4 is not available
*/
-int
+int
auth_krb4_password(struct passwd * pw, const char *password)
{
AUTH_DAT adata;
@@ -135,7 +135,7 @@ krb4_cleanup_proc(void *ignore)
}
}
-int
+int
krb4_init(uid_t uid)
{
static int cleanup_registered = 0;
@@ -179,7 +179,7 @@ krb4_init(uid_t uid)
return 0;
}
-int
+int
auth_krb4(const char *server_user, KTEXT auth, char **client)
{
AUTH_DAT adat = {0};
@@ -252,7 +252,7 @@ auth_krb4(const char *server_user, KTEXT auth, char **client)
#endif /* KRB4 */
#ifdef AFS
-int
+int
auth_kerberos_tgt(struct passwd *pw, const char *string)
{
CREDENTIALS creds;
@@ -307,7 +307,7 @@ auth_kerberos_tgt_failure:
return 0;
}
-int
+int
auth_afs_token(struct passwd *pw, const char *token_string)
{
CREDENTIALS creds;
diff --git a/auth-passwd.c b/auth-passwd.c
index 278212aa..d2c2ea87 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -11,7 +11,7 @@
#ifndef USE_PAM
-RCSID("$Id: auth-passwd.c,v 1.16 2000/01/22 23:32:03 damien Exp $");
+RCSID("$Id: auth-passwd.c,v 1.17 2000/04/16 01:18:39 damien Exp $");
#include "packet.h"
#include "ssh.h"
@@ -33,7 +33,7 @@ RCSID("$Id: auth-passwd.c,v 1.16 2000/01/22 23:32:03 damien Exp $");
* Tries to authenticate the user using password. Returns true if
* authentication succeeds.
*/
-int
+int
auth_password(struct passwd * pw, const char *password)
{
extern ServerOptions options;
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index d3d90246..150132fb 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -1,21 +1,21 @@
/*
- *
+ *
* auth-rh-rsa.c
- *
+ *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
+ *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- *
+ *
* Created: Sun May 7 03:08:06 1995 ylo
- *
+ *
* Rhosts or /etc/hosts.equiv authentication combined with RSA host
* authentication.
*
*/
#include "includes.h"
-RCSID("$Id: auth-rh-rsa.c,v 1.9 2000/04/13 02:26:35 damien Exp $");
+RCSID("$Id: auth-rh-rsa.c,v 1.10 2000/04/16 01:18:39 damien Exp $");
#ifdef HAVE_OPENSSL
#include <openssl/bn.h>
@@ -42,7 +42,7 @@ RCSID("$Id: auth-rh-rsa.c,v 1.9 2000/04/13 02:26:35 damien Exp $");
* its host key. Returns true if authentication succeeds.
*/
-int
+int
auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key)
{
extern ServerOptions options;
diff --git a/auth-rhosts.c b/auth-rhosts.c
index 318bcfef..6a5c13e4 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -1,22 +1,22 @@
/*
- *
+ *
* auth-rhosts.c
- *
+ *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
+ *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- *
+ *
* Created: Fri Mar 17 05:12:18 1995 ylo
- *
+ *
* Rhosts authentication. This file contains code to check whether to admit
* the login based on rhosts authentication. This file also processes
* /etc/hosts.equiv.
- *
+ *
*/
#include "includes.h"
-RCSID("$Id: auth-rhosts.c,v 1.7 1999/12/27 12:54:55 damien Exp $");
+RCSID("$Id: auth-rhosts.c,v 1.8 2000/04/16 01:18:39 damien Exp $");
#include "packet.h"
#include "ssh.h"
@@ -30,7 +30,7 @@ RCSID("$Id: auth-rhosts.c,v 1.7 1999/12/27 12:54:55 damien Exp $");
* based on the file, and returns zero otherwise.
*/
-int
+int
check_rhosts_file(const char *filename, const char *hostname,
const char *ipaddr, const char *client_user,
const char *server_user)
@@ -146,7 +146,7 @@ check_rhosts_file(const char *filename, const char *hostname,
* /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored).
*/
-int
+int
auth_rhosts(struct passwd *pw, const char *client_user)
{
extern ServerOptions options;
diff --git a/auth-rsa.c b/auth-rsa.c
index fff52494..e9d61f69 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,22 +1,22 @@
/*
- *
+ *
* auth-rsa.c
- *
+ *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
+ *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- *
+ *
* Created: Mon Mar 27 01:46:52 1995 ylo
- *
+ *
* RSA-based authentication. This code determines whether to admit a login
* based on RSA authentication. This file also contains functions to check
* validity of the host key.
- *
+ *
*/
#include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.15 2000/04/13 02:26:35 damien Exp $");
+RCSID("$Id: auth-rsa.c,v 1.16 2000/04/16 01:18:39 damien Exp $");
#include "rsa.h"
#include "packet.h"
@@ -244,7 +244,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
debug("%.100s, line %lu: bad key syntax",
SSH_USER_PERMITTED_KEYS, linenum);
packet_send_debug("%.100s, line %lu: bad key syntax",
- SSH_USER_PERMITTED_KEYS, linenum);
+ SSH_USER_PERMITTED_KEYS, linenum);
continue;
}
/* cp now points to the comment part. */
diff --git a/auth-skey.c b/auth-skey.c
index f403a196..056efeb9 100644
--- a/auth-skey.c
+++ b/auth-skey.c
@@ -1,7 +1,7 @@
#include "includes.h"
#ifdef SKEY
-RCSID("$Id: auth-skey.c,v 1.5 1999/12/06 19:04:57 deraadt Exp $");
+RCSID("$Id: auth-skey.c,v 1.6 2000/04/14 10:30:29 markus Exp $");
#include "ssh.h"
#include "packet.h"
@@ -15,12 +15,12 @@ RCSID("$Id: auth-skey.c,v 1.5 1999/12/06 19:04:57 deraadt Exp $");
/* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */
-/*
+/*
* try skey authentication,
- * return 1 on success, 0 on failure, -1 if skey is not available
+ * return 1 on success, 0 on failure, -1 if skey is not available
*/
-int
+int
auth_skey_password(struct passwd * pw, const char *password)
{
if (strncasecmp(password, "s/key", 5) == 0) {
@@ -53,18 +53,18 @@ auth_skey_password(struct passwd * pw, const char *password)
*/
static u_int32_t
hash_collapse(s)
- u_char *s;
+ u_char *s;
{
- int len, target;
+ int len, target;
u_int32_t i;
if ((strlen(s) % sizeof(u_int32_t)) == 0)
- target = strlen(s); /* Multiple of 4 */
+ target = strlen(s); /* Multiple of 4 */
else
target = strlen(s) - (strlen(s) % sizeof(u_int32_t));
-
+
for (i = 0, len = 0; len < target; len += 4)
- i ^= ROUND(s + len);
+ i ^= ROUND(s + len);
return i;
}
diff --git a/auth.c b/auth.c
index e94a86e9..4c6f32b0 100644
--- a/auth.c
+++ b/auth.c
@@ -5,7 +5,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.2 2000/04/06 08:55:22 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.4 2000/04/14 10:30:29 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -36,9 +36,9 @@ extern char *forced_command;
* DenyUsers or user's primary group is listed in DenyGroups, false will
* be returned. If AllowUsers isn't empty and user isn't listed there, or
* if AllowGroups isn't empty and user isn't listed there, false will be
- * returned.
+ * returned.
* If the user's shell is not executable, false will be returned.
- * Otherwise true is returned.
+ * Otherwise true is returned.
*/
static int
allowed_user(struct passwd * pw)
@@ -201,10 +201,10 @@ do_fake_authloop1(char *user)
packet_write_wait();
continue;
} else if (type == SSH_CMSG_AUTH_PASSWORD &&
- options.password_authentication &&
- (password = packet_get_string(&dlen)) != NULL &&
- dlen == 5 &&
- strncasecmp(password, "s/key", 5) == 0 ) {
+ options.password_authentication &&
+ (password = packet_get_string(&dlen)) != NULL &&
+ dlen == 5 &&
+ strncasecmp(password, "s/key", 5) == 0 ) {
packet_send_debug(skeyinfo);
}
if (password != NULL)
@@ -457,20 +457,20 @@ do_authloop(struct passwd * pw)
break;
}
- /*
- * Check if the user is logging in as root and root logins
- * are disallowed.
- * Note that root login is allowed for forced commands.
- */
- if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) {
- if (forced_command) {
- log("Root login accepted for forced command.");
- } else {
- authenticated = 0;
- log("ROOT LOGIN REFUSED FROM %.200s",
- get_canonical_hostname());
- }
- }
+ /*
+ * Check if the user is logging in as root and root logins
+ * are disallowed.
+ * Note that root login is allowed for forced commands.
+ */
+ if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) {
+ if (forced_command) {
+ log("Root login accepted for forced command.");
+ } else {
+ authenticated = 0;
+ log("ROOT LOGIN REFUSED FROM %.200s",
+ get_canonical_hostname());
+ }
+ }
/* Raise logging level */
if (authenticated ||
@@ -685,6 +685,7 @@ input_service_request(int type, int plen)
unsigned int len;
int accept = 0;
char *service = packet_get_string(&len);
+ packet_done();
if (strcmp(service, "ssh-userauth") == 0) {
if (!userauth_success) {
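Review bot: The `packet_done()` call added after `packet_get_string(&len)` in input_service_request has no comment saying what it enforces, and its behaviour on failure is not visible in this hunk. Going by the ChangeLog entry it checks the payload for extra data, so a one-line comment would make the intent clear: `/* service name is the only field; reject trailing payload */`. If packet_done() can return instead of aborting, `service` still reaches the following `strcmp`, so the failure contract is worth stating where packet_done() is declared. The same comment applies to the calls added in input_userauth_request further down.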
@@ -727,6 +728,7 @@ input_userauth_request(int type, int plen)
pw = auth_set_user(user, service);
if (pw && strcmp(service, "ssh-connection")==0) {
if (strcmp(method, "none") == 0 && try == 1) {
+ packet_done();
#ifdef USE_PAM
/* Do PAM auth with password */
authenticated = auth_pam_password(pw, "");
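Review bot: The added `packet_done()` runs only inside `if (pw && strcmp(service, "ssh-connection")==0)` and then only for `"none"` with `try == 1`, so the trailing-data check is skipped when `auth_set_user()` returned no user, when the service differs, or when `"none"` arrives on a later try. That leaves some requests unvalidated, and it makes the handling of a malformed request depend on whether the account exists, assuming packet_done() rejects the packet as the ChangeLog suggests. Consider parsing and checking the method fields regardless of `pw`, and gating only the authentication call on it, e.g. `if (pw && ...) authenticated = auth_pam_password(pw, "");`. input_userauth_request starts and ends outside this hunk, so confirm against the full body.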
@@ -740,6 +742,7 @@ input_userauth_request(int type, int plen)
if (c)
debug("password change not supported");
password = packet_get_string(&len);
+ packet_done();
#ifdef USE_PAM
/* Do PAM auth with password */
authenticated = auth_pam_password(pw, password);
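Review bot: The cleartext password read by `packet_get_string(&len)` is later released with a plain `xfree(password)` (the first context line of the next hunk), so its contents remain in freed heap memory. Clear the buffer first, for example `memset(password, 0, len);` directly before the `xfree`, assuming `len` still holds the password length at that point. If the new `packet_done()` ends the connection on trailing data, that path presumably leaves the buffer uncleared as well; whether that matters depends on how the process exits, which is not visible here.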
@@ -751,11 +754,19 @@ input_userauth_request(int type, int plen)
xfree(password);
} else if (strcmp(method, "publickey") == 0) {
/* XXX TODO */
- char *pkalg;
- char *pkblob;
- c = packet_get_char();
+ char *pkalg, *pkblob, *sig;
+ int have_sig = packet_get_char();
pkalg = packet_get_string(&len);
pkblob = packet_get_string(&len);
+ if (have_sig) {
+ sig = packet_get_string(&len);
+ /* test for correct signature */
+ packet_done();
+ xfree(sig);
+ } else {
+ packet_done();
+ /* test whether pkalg/pkblob are acceptable */
+ }
xfree(pkalg);
xfree(pkblob);
}
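Review bot: In the `publickey` branch all three `packet_get_string(&len)` calls write to the same `len`, so the lengths of `pkalg` and `pkblob` are overwritten before the placeholder checks (`/* test for correct signature */`, `/* test whether pkalg/pkblob are acceptable */`) could use them. Give each field its own length variable, e.g. `alen`, `blen` and `slen`, so the later verification cannot mix up a blob length with a signature length. The branch frees everything without touching `authenticated`, which is the safe result only if it is initialised to 0 outside this hunk; a comment such as `/* publickey not implemented yet: authenticated stays 0 */` would make that explicit. The existing `/* XXX TODO */` does not say that the method must keep failing until the signature is verified.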
@@ -764,7 +775,6 @@ input_userauth_request(int type, int plen)
if (authenticated) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
- /* success! */
packet_start(SSH2_MSG_USERAUTH_SUCCESS);
packet_send();
packet_write_wait();
@@ -782,7 +792,7 @@ input_userauth_request(int type, int plen)
xfree(user);
xfree(method);
}
-void
+void
do_authentication2()
{
dispatch_init(&protocol_error);
diff --git a/authfd.c b/authfd.c
index 80af9529..d920b1f6 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,20 +1,20 @@
/*
- *
+ *
* authfd.c
- *
+ *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
+ *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- *
+ *
* Created: Wed Mar 29 01:30:28 1995 ylo
- *
+ *
* Functions for connecting the local authentication agent.
- *
+ *
*/
#include "includes.h"
-RCSID("$Id: authfd.c,v 1.11 2000/04/13 02:26:35 damien Exp $");
+RCSID("$Id: authfd.c,v 1.12 2000/04/16 01:18:40 damien Exp $");
#include "ssh.h"
#include "rsa.h"
@@ -69,7 +69,7 @@ ssh_get_authentication_socket()
* ssh_get_authentication_socket().
*/
-void
+void
ssh_close_authentication_socket(int sock)
{
if (getenv(SSH_AUTHSOCKET_ENV_NAME))
@@ -113,7 +113,7 @@ ssh_get_authentication_connection()
* memory.
*/
-void
+void
ssh_close_authentication_connection(AuthenticationConnection *ac)
{
buffer_free(&ac->packet);
@@ -343,7 +343,7 @@ error_cleanup:
* be used by normal applications.
*/
-int
+int
ssh_add_identity(AuthenticationConnection *auth,
RSA * key, const char *comment)
{
@@ -431,7 +431,7 @@ error_cleanup:
* meant to be used by normal applications.
*/
-int
+int
ssh_remove_identity(AuthenticationConnection *auth, RSA *key)
{
Buffer buffer;
@@ -514,7 +514,7 @@ error_cleanup:
* by normal applications.
*/
-int
+int
ssh_remove_all_identities(AuthenticationConnection *auth)
{
Buffer buffer;
diff --git a/authfd.h b/authfd.h
index 01cfd93a..420f592b 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,19 +1,19 @@
/*
- *
+ *
* authfd.h
- *
+ *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
+ *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- *
+ *
* Created: Wed Mar 29 01:17:41 1995 ylo
- *
+ *
* Functions to interface with the SSH_AUTHENTICATION_FD socket.
- *
+ *
*/
-/* RCSID("$Id: authfd.h,v 1.4 1999/11/25 00:54:58 damien Exp $"); */
+/* RCSID("$Id: authfd.h,v 1.5 2000/04/16 01:18:40 damien Exp $"); */
#ifndef AUTHFD_H
#define AUTHFD_H
@@ -67,7 +67,7 @@ void ssh_close_authentication_connection(AuthenticationConnection * ac);
* integers before the call, and free the comment after a successful call
* (before calling ssh_get_next_identity).
*/
-int
+int
ssh_get_first_identity(AuthenticationConnection * connection,
BIGNUM * e, BIGNUM * n, char **comment);
@@ -77,13 +77,13 @@ ssh_get_first_identity(AuthenticationConnection * connection,
* function. This returns 0 if there are no more identities. The caller
* must free comment after a successful return.
*/
-int
+int
ssh_get_next_identity(AuthenticationConnection * connection,
BIGNUM * e, BIGNUM * n, char **comment);
/* Requests the agent to decrypt the given challenge. Returns true if
the agent claims it was able to decrypt it. */
-int
+int
ssh_decrypt_challenge(AuthenticationConnection * auth,
BIGNUM * e, BIGNUM * n, BIGNUM * challenge,
unsigned char session_id[16],
@@ -95,7 +95,7 @@ ssh_decrypt_challenge(AuthenticationConnection * auth,
* be used by normal applications. This returns true if the identity was
* successfully added.
*/
-int
+int
ssh_add_identity(AuthenticationConnection * connection, RSA * key,
const char *comment);
diff --git a/authfile.c b/authfile.c
index 6113ddd8..d7912d0d 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,21 +1,21 @@
/*
- *
+ *
* authfile.c
- *
+ *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
+ *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- *
+ *
* Created: Mon Mar 27 03:52:05 1995 ylo
- *
+ *
* This file contains functions for reading and writing identity files, and
* for reading the passphrase from the user.
- *
+ *
*/
#include "includes.h"
-RCSID("$Id: authfile.c,v 1.9 2000/04/13 02:26:36 damien Exp $");
+RCSID("$Id: authfile.c,v 1.10 2000/04/16 01:18:40 damien Exp $");
#ifdef HAVE_OPENSSL
#include <openssl/bn.h>
diff --git a/bufaux.c b/bufaux.c
index 7ebc2aa6..b4d52270 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -1,14 +1,14 @@
/*
- *
+ *
* bufaux.c
- *
+ *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
+ *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- *
+ *
* Created: Wed Mar 29 02:24:47 1995 ylo
- *
+ *
* Auxiliary functions for storing and retrieving various data types to/from
* Buffers.
*
@@ -17,7 +17,7 @@
*/
#include "includes.h"
-RCSID("$Id: bufaux.c,v 1.10 2000/04/13 02:26:36 damien Exp $");
+RCSID("$Id: bufaux.c,v 1.11 2000/04/16 01:18:40 damien Exp $");
#include "ssh.h"
diff --git a/bufaux.h b/bufaux.h
index b22e98bd..80bad6ea 100644
--- a/bufaux.h
+++ b/bufaux.h
@@ -1,17 +1,17 @@
/*
- *
+ *
* bufaux.h
- *
+ *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
+ *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- *
+ *
* Created: Wed Mar 29 02:18:23 1995 ylo
- *
+ *
*/
-/* RCSID("$Id: bufaux.h,v 1.4 2000/04/01 01:09:23 damien Exp $"); */
+/* RCSID("$Id: bufaux.h,v 1.5 2000/04/16 01:18:40 damien Exp $"); */
#ifndef BUFAUX_H
#define BUFAUX_H
diff --git a/buffer.c b/buffer.c
index 48ae96a4..83a63e6f 100644
--- a/buffer.c
+++ b/buffer.c
@@ -1,20 +1,20 @@
/*
- *
+ *
* buffer.c
- *
+ *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
+ *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut