Minix/minix
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

New files for previous update.

Browse Source
This commit is contained in:
James T. Sprinkle
2017-10-01 16:50:39 -07:00
parent b54c312497
commit 9e1f6eaec7
434 changed files with 60639 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
crypto/external/bsd/openssh/dist/CREDITS vendored Normal file
View File

@@ -0,0 +1,105 @@
Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt, and Dug Song - Creators of OpenSSH
Ahsan Rashid <arms@sco.com> - UnixWare long passwords
Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
Andre Lucas <andre@ae-35.com> - new login code, many fixes
Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
Andrew McGill <andrewm@datrix.co.za> - SCO fixes
Andrew Morgan <morgan@transmeta.com> - PAM bugfixes
Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
Andy Sloane <andy@guildsoftware.com> - bugfixes
Aran Cox <acox@cv.telegroup.com> - SCO bugfixes
Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes
Ben Lindstrom <mouring@eviladmin.org> - NeXT support
Ben Taylor <bent@clark.net> - Solaris debugging and fixes
Bratislav ILICH <bilic@zepter.ru> - Configure fix
Charles Levert <charles@comm.polymtl.ca> - SunOS 4 & bug fixes
Chip Salzenberg <chip@valinux.com> - Assorted patches
Chris Adams <cmadams@hiwaay.net> - OSF SIA support
Chris Saia <csaia@wtower.com> - SuSE packaging
Chris, the Young One <cky@pobox.com> - Password auth fixes
Christos Zoulas <christos@zoulas.com> - Autoconf fixes
Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
Corinna Vinschen <vinschen@redhat.com> - Cygwin support
Chad Mynhier <mynhier@interstel.net> - Solaris Process Contract support
Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
Darren Hall <dhall@virage.org> - AIX patches
Darren Tucker <dtucker@zip.com.au> - AIX BFF package scripts
David Agraz <dagraz@jahoopa.com> - Build fixes
David Del Piero <David.DelPiero@qed.qld.gov.au> - bug fixes
David Hesprich <darkgrue@gue-tech.org> - Configure fixes
David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
Dag-Erling Smørgrav <des at freebsd.org> - Challenge-Response PAM code.
Dhiraj Gulati <dgulati@sco.com> - UnixWare long passwords
Ed Eden <ede370@stl.rural.usda.gov> - configure fixes
Garrick James <garrick@james.net> - configure fixes
Gary E. Miller <gem@rellim.com> - SCO support
Ged Lodder <lodder@yacc.com.au> - HPUX fixes and enhancements
Gert Doering <gd@hilb1.medat.de> - bug and portability fixes
HARUYAMA Seigo <haruyama@unixuser.org> - Translations & doc fixes
Hideaki YOSHIFUJI <yoshfuji@ecei.tohoku.ac.jp> - IPv6 and bug fixes
Hiroshi Takekawa <takekawa@sr3.t.u-tokyo.ac.jp> - Configure fixes
Holger Trapp <Holger.Trapp@Informatik.TU-Chemnitz.DE> - KRB4/AFS config patch
IWAMURO Motonori <iwa@mmp.fujitsu.co.jp> - bugfixes
Jani Hakala <jahakala@cc.jyu.fi> - Patches
Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes
Jim Knoble <jmknoble@pobox.com> - Many patches
Jonchen (email unknown) - the original author of PAM support of SSH
Juergen Keil <jk@tools.de> - scp bugfixing
KAMAHARA Junzo <kamahara@cc.kshosen.ac.jp> - Configure fixes
Kees Cook <cook@cpoint.net> - scp fixes
Kenji Miyake <kenji@miyake.org> - Configure fixes
Kevin Cawlfield <cawlfiel@us.ibm.com> - AIX fixes.
Kevin O'Connor <kevin_oconnor@standardandpoors.com> - RSAless operation
Kevin Steves <stevesk@pobox.com> - HP support, bugfixes, improvements
Kiyokazu SUTO <suto@ks-and-ks.ne.jp> - Bugfixes
Larry Jones <larry.jones@sdrc.com> - Bugfixes
Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> - Bugfixes
Marc G. Fournier <marc.fournier@acadiau.ca> - Solaris patches
Mark D. Baushke <mdb@juniper.net> - bug fixes
Martin Johansson <fatbob@acc.umu.se> - Linux fixes
Mark D. Roth <roth+openssh@feep.net> - Features, bug fixes
Mark Miller <markm@swoon.net> - Bugfixes
Matt Richards <v2matt@btv.ibm.com> - AIX patches
Michael Steffens <michael_steffens at hp.com> - HP-UX fixes
Michael Stone <mstone@cs.loyola.edu> - Irix enhancements
Nakaji Hiroyuki <nakaji@tutrp.tut.ac.jp> - Sony News-OS patch
Nalin Dahyabhai <nalin.dahyabhai@pobox.com> - PAM environment patch
Nate Itkin <nitkin@europa.com> - SunOS 4.1.x fixes
Niels Kristian Bech Jensen <nkbj@image.dk> - Assorted patches
Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> - Security fixes
Pavel Troller <patrol@omni.sinus.cz> - Bugfixes
Pekka Savola <pekkas@netcore.fi> - Bugfixes
Peter Kocks <peter.kocks@baygate.com> - Makefile fixes
Peter Stuge <stuge@cdy.org> - mdoc2man.awk script
Phil Hands <phil@hands.com> - Debian scripts, assorted patches
Phil Karn <karn@ka9q.ampr.org> - Autoconf fixes
Philippe WILLEM <Philippe.WILLEM@urssaf.fr> - Bugfixes
Phill Camp <P.S.S.Camp@ukc.ac.uk> - login code fix
Rip Loomis <loomisg@cist.saic.com> - Solaris package support, fixes
Robert Dahlem <Robert.Dahlem at siemens.com> - Reliant Unix fixes
Roumen Petrov <openssh@roumenpetrov.info> - Compile & configure fixes
SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp> - Multiple bugfixes
Simon Wilkinson <sxw@dcs.ed.ac.uk> - PAM fixes, Compat with MIT KrbV
Solar Designer <solar@openwall.com> - many patches and technical assistance
Svante Signell <svante.signell@telia.com> - Bugfixes
Thomas Neumann <tom@smart.ruhr.de> - Shadow passwords
Tim Rice <tim@multitalents.net> - Portability & SCO fixes
Tobias Oetiker <oetiker@ee.ethz.ch> - Bugfixes
Tom Bertelson's <tbert@abac.com> - AIX auth fixes
Tor-Ake Fransson <torake@hotmail.com> - AIX support
Tudor Bosman <tudorb@jm.nu> - MD5 password support
Udo Schweigert <ust@cert.siemens.de> - ReliantUNIX support
Wendy Palm <wendyp at cray.com> - Cray support.
Zack Weinberg <zack@wolery.cumb.org> - GNOME askpass enhancement
Apologies to anyone I have missed.
Damien Miller <djm@mindrot.org>
$Id: CREDITS,v 1.81 2006/08/30 17:24:41 djm Exp $

9133
crypto/external/bsd/openssh/dist/ChangeLog vendored Normal file
View File

File diff suppressed because it is too large Load Diff

262
crypto/external/bsd/openssh/dist/INSTALL vendored Normal file
View File

@@ -0,0 +1,262 @@
1. Prerequisites
----------------
You will need working installations of Zlib and libcrypto (LibreSSL /
OpenSSL)
Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
http://www.gzip.org/zlib/
libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/
LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie.
The remaining items are optional.
NB. If you operating system supports /dev/random, you should configure
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
direct support of /dev/random, or failing that, either prngd or egd
PRNGD:
If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.
http://prngd.sourceforge.net/
EGD:
If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
supported only if libcrypto supports it.
http://egd.sourceforge.net/
PAM:
OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
Information about the various PAM implementations are available:
Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/
If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.
GNOME:
http://www.gnome.org/
Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:
http://www.jmknoble.net/software/x11-ssh-askpass/
S/Key Libraries:
If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.
http://www.sparc.spb.su/solaris/skey/
LibEdit:
sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that, alternatively you might try
these multi-platform ports:
http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/
LDNS:
LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
http://nlnetlabs.nl/projects/ldns/
Autoconf:
If you modify configure.ac or configure doesn't exist (eg if you checked
the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.
http://www.gnu.org/software/autoconf/
Basic Security Module (BSM):
Native BSM support is know to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).
2. Building / Installation
--------------------------
To install OpenSSH with default options:
./configure
make
make install
This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:
./configure --prefix=/opt
make
make install
Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:
./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.
If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.
If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.
A generic PAM configuration is included as "contrib/sshd.pam.generic",
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).
There are a few other options to the configure script:
--with-audit=[module] enable additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.
--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).
--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.
--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify a EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.
--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.
--without-lastlog will disable lastlog support entirely.
--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enable.
--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.
--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.
--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.
--without-shadow disables shadow password support.
--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.
--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.
--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.
--with-xauth=PATH specifies the location of the xauth binary
--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
libraries
are installed.
--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:
CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
3. Configuration
----------------
The runtime configuration files are installed by in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).
The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.
To generate a host key, run "make host-key". Alternately you can do so
manually using the following commands:
ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
Replacing /etc/ssh with the correct path to the configuration directory.
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration)
If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some Entropy.
For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.
4. (Optional) Send survey
-------------------------
$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey
This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers, however
summary data may be published.
5. Problems?
------------
If you experience problems compiling, installing or running OpenSSH.
Please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/
$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $

47
crypto/external/bsd/openssh/dist/README.dns vendored Normal file
View File

@@ -0,0 +1,47 @@
How to verify host keys using OpenSSH and DNS
---------------------------------------------
OpenSSH contains support for verifying host keys using DNS as described in
draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
on how to use this feature. Configuring DNS is out of the scope of this
document.
(1) Server: Generate and publish the DNS RR
To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:
ssh-keygen -r hostname -f keyfile -g
where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key file. If you have multiple keys,
you should generate one RR for each key.
In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR
you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.
(2) Client: Enable ssh to verify host keys using DNS
To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):
VerifyHostKeyDNS yes
Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.
Jakob Schlyter
Wesley Griffin
$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $

96
crypto/external/bsd/openssh/dist/README.platform vendored Normal file
View File

@@ -0,0 +1,96 @@
This file contains notes about OpenSSH on specific platforms.
AIX
---
As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry
settings, where previously it did not. Because of this, it's possible for
sites that have used OpenSSH's sshd exclusively to have accounts which
have passwords expired longer than the inactive time (ie the "Weeks between
password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
chuser attribute).
Accounts in this state must have their passwords reset manually by the
administrator. As a precaution, it is recommended that the administrative
passwords be reset before upgrading from OpenSSH <3.8.
As of OpenSSH 4.0, configure will attempt to detect if your version
and maintenance level of AIX has a working getaddrinfo, and will use it
if found. This will enable IPv6 support. If for some reason configure
gets it wrong, or if you want to build binaries to work on earlier MLs
than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
to force the previous IPv4-only behaviour.
IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
IPv6 known broken: 4.3.3ML11 5.1ML4
If you wish to use dynamic libraries that aren't in the normal system
locations (eg IBM's OpenSSL and zlib packages) then you will need to
define the environment variable blibpath before running configure, eg
blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
--with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
by default) then sshd checks that users are permitted via the
loginrestrictions() function, in particular that the user has the
"rlogin" attribute set. This check is not done for the root account,
instead the PermitRootLogin setting in sshd_config is used.
Cygwin
------
To build on Cygwin, OpenSSH requires the following packages:
gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
openssl-devel, zlib, minres, minires-devel.
Darwin and MacOS X
------------------
Darwin does not provide a tun(4) driver required for OpenSSH-based
virtual private networks. The BSD manpage still exists, but the driver
has been removed in recent releases of Darwin and MacOS X.
Nevertheless, tunnel support is known to work with Darwin 8 and
MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
using a third party driver. More information is available at:
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
Linux
-----
Some Linux distributions (including Red Hat/Fedora/CentOS) include
headers and library links in the -devel RPMs rather than the main
binary RPMs. If you get an error about headers, or complaining about a
missing prerequisite then you may need to install the equivalent
development packages. On Redhat based distros these may be openssl-devel,
zlib-devel and pam-devel, on Debian based distros these may be
libssl-dev, libz-dev and libpam-dev.
Solaris
-------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output. The following line needs to be
added to /etc/security/audit_event:
32800:AUE_openssh:OpenSSH login:lo
The BSM audit event range available for third party TCB applications is
32768 - 65535. Event number 32800 has been choosen for AUE_openssh.
There is no official registry of 3rd party event numbers, so if this
number is already in use on your system, you may change it at build time
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
Platforms using PAM
-------------------
As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
PAM is enabled. To maintain existing behaviour, pam_nologin should be
added to sshd's session stack which will prevent users from starting shell
sessions. Alternatively, pam_nologin can be added to either the auth or
account stacks which will prevent authentication entirely, but will still
return the output from pam_nologin to the client.
$Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $

63
crypto/external/bsd/openssh/dist/README.privsep vendored Normal file
View File

@@ -0,0 +1,63 @@
Privilege separation, or privsep, is method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html
Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).
On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.
When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. sshd is a pseudo-account that should not be
used by other daemons, and must be locked and should contain a
"nologin" or invalid shell.
You should do something like the following to prepare the privsep
preauth environment:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
configure supports the following options to change the default
privsep user and chroot directory:
--with-privsep-path=xxx Path for privilege separation chroot
--with-privsep-user=user Specify non-privileged user for privilege separation
Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.
PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported. Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).
Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.
Given the following process listing (from HP-UX):
UID PID PPID C STIME TTY TIME COMMAND
root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0
root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv]
stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2
stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash
process 1005 is the sshd process listening for new connections.
process 6917 is the privileged monitor process, 6919 is the user owned
sshd process and 6921 is the shell process.
$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $

132
crypto/external/bsd/openssh/dist/README.tun vendored Normal file
View File

@@ -0,0 +1,132 @@
How to use OpenSSH-based virtual private networks
-------------------------------------------------
OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or 3 traffic.
The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.
(1) Server: Enable support for SSH tunneling
To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):
PermitTunnel yes
Restart the server or send the hangup signal (SIGHUP) to let the server
reread it's configuration.
(2) Server: Restrict client access and assign the tunnel
The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
restrict the client to connect to a specified tunnel and to
automatically start the related interface configuration command. These
settings are optional but recommended:
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
(3) Client: Configure the local network tunnel interface
Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:
inet 192.168.5.1 255.255.255.252 192.168.5.2
OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:
inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:
add tun0
add sis0
up
(4) Client: Configure the OpenSSH client
To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):
Host sshgateway
Tunnel yes
TunnelDevice 0:any
PermitLocalCommand yes
LocalCommand sh /etc/netstart tun0
A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.
Host access.somewhere.net
User puffy
Host dmzgw
User puffy
ProxyCommand ssh access.somewhere.net nc dmzgw 22
Host sshgateway
Tunnel Ethernet
TunnelDevice 0:any
PermitLocalCommand yes
LocalCommand sh /etc/netstart tun0
ProxyCommand ssh dmzgw nc sshgateway 22
The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.
+--------+ ( ) +----------------------+
| Client |------( Internet )-----| access.somewhere.net |
+--------+ ( ) +----------------------+
: 192.168.1.78 |
:............................. +-------+
Forwarded ssh connection : | dmzgw |
Layer 2 tunnel : +-------+
: |
: |
: +------------+
:......| sshgateway |
| +------------+
--- real connection Bridge -> | +----------+
... "virtual connection" [ X ]--------| somehost |
[X] switch +----------+
192.168.1.25
(5) Client: Connect to the server and establish the tunnel
Finally connect to the OpenSSH server to establish the tunnel by using
the following command:
ssh sshgateway
It is also possible to tell the client to fork into the background after
the connection has been successfully established:
ssh -f sshgateway true
Without the ssh configuration done in step (4), it is also possible
to use the following command lines:
ssh -fw 0:1 sshgateway true
ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.
Nevertheless, ssh tunneling requires some packet header overhead and
runs on top of TCP. It is still suggested to use the IP Security
Protocol (IPSec) for robust and permanent VPN connections and to
interconnect corporate networks.
Reyk Floeter
$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $

86
crypto/external/bsd/openssh/dist/TODO vendored Normal file
View File

@@ -0,0 +1,86 @@
Documentation:
- Update the docs
- Update README
- Update INSTALL
- Merge INSTALL & README.privsep
- Install FAQ?
- General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it
would be best to use them.
- Create a Documentation/ directory?
Programming:
- Grep for 'XXX' comments and fix
- Link order is incorrect for some systems using Kerberos 4 and AFS. Result
is multiple inclusion of DES symbols. Holger Trapp
<holger.trapp@hrz.tu-chemnitz.de> reports that changing the configure
generated link order from:
-lresolv -lkrb -lz -lnsl -lutil -lkafs -lkrb -ldes -lcrypto
to:
-lresolv -lkrb -lz -lnsl -lutil -lcrypto -lkafs -lkrb -ldes
fixing the problem.
- Write a test program that calls stat() to search for EGD/PRNGd socket
rather than use the (non-portable) "test -S".
- More platforms for for setproctitle() emulation (testing needed)
- Improve PAM ChallengeResponseAuthentication
- Informational messages
- Use different PAM service name for kbdint vs regular auth (suggest from
Solar Designer)
- Ability to select which ChallengeResponseAuthentications may be used
and order to try them in e.g. "ChallengeResponseAuthentication skey, pam"
- Complete Tru64 SIA support
- It looks like we could merge it into the password auth code to cut down
on diff size. Maybe PAM password auth too?
- Finish integrating kernel-level auditing code for IRIX and SOLARIS
(Gilbert.r.loomis@saic.com)
- 64-bit builds on HP-UX 11.X (stevesk@pobox.com):
- utmp/wtmp get corrupted (something in loginrec?)
- can't build with PAM (no 64-bit libpam yet)
Clean up configure/makefiles:
- Clean up configure.ac - There are a few double #defined variables
left to do. HAVE_LOGIN is one of them. Consider NOT looking for
information in wtmpx or utmpx or any of that stuff if it's not detected
from the start
- Replace the whole u_intXX_t evilness in acconfig.h with something better???
- Do it in configure.ac
- Consider splitting the u_intXX_t test for sys/bitype.h into seperate test
to allow people to (right/wrongfully) link against Bind directly.
- Consider splitting configure.ac into seperate files which do logically
similar tests. E.g move all the type detection stuff into one file,
entropy related stuff into another.
Packaging:
- HP-UX: Provide DEPOT package scripts.
(gilbert.r.loomis@saic.com)
PrivSep Issues:
- mmap() issues.
+ /dev/zero solution (Solaris)
+ No/broken MAP_ANON (Irix)
+ broken /dev/zero parse (Linux)
- PAM
+ See above PAM notes
- AIX
+ usrinfo() does not set TTY, but only required for legacy systems. Works
with PrivSep.
- OSF
+ SIA is broken
- Cygwin
+ Privsep for Pre-auth only (no fd passing)
$Id: TODO,v 1.58 2004/12/06 11:40:11 dtucker Exp $

457
crypto/external/bsd/openssh/dist/audit-bsm.c vendored Normal file
View File

@@ -0,0 +1,457 @@
/* $Id: audit-bsm.c,v 1.8 2012/02/23 23:40:43 dtucker Exp $ */
/*
* TODO
*
* - deal with overlap between this and sys_auth_allowed_user
* sys_auth_record_login and record_failed_login.
*/
/*
* Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */
#include "includes.h"
#if defined(USE_BSM_AUDIT)
#include <sys/types.h>
#include <errno.h>
#include <netdb.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#ifdef BROKEN_BSM_API
#include <libscf.h>
#endif
#include "ssh.h"
#include "log.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "xmalloc.h"
#ifndef AUE_openssh
# define AUE_openssh 32800
#endif
#include <bsm/audit.h>
#include <bsm/libbsm.h>
#include <bsm/audit_uevents.h>
#include <bsm/audit_record.h>
#include <locale.h>
#if defined(HAVE_GETAUDIT_ADDR)
#define AuditInfoStruct auditinfo_addr
#define AuditInfoTermID au_tid_addr_t
#define SetAuditFunc(a,b) setaudit_addr((a),(b))
#define SetAuditFuncText "setaudit_addr"
#define AUToSubjectFunc au_to_subject_ex
#define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b))
#else
#define AuditInfoStruct auditinfo
#define AuditInfoTermID au_tid_t
#define SetAuditFunc(a,b) setaudit(a)
#define SetAuditFuncText "setaudit"
#define AUToSubjectFunc au_to_subject
#define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b))
#endif
#ifndef cannot_audit
extern int cannot_audit(int);
#endif
extern void aug_init(void);
extern void aug_save_auid(au_id_t);
extern void aug_save_uid(uid_t);
extern void aug_save_euid(uid_t);
extern void aug_save_gid(gid_t);
extern void aug_save_egid(gid_t);
extern void aug_save_pid(pid_t);
extern void aug_save_asid(au_asid_t);
extern void aug_save_tid(dev_t, unsigned int);
extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
extern int aug_save_me(void);
extern int aug_save_namask(void);
extern void aug_save_event(au_event_t);
extern void aug_save_sorf(int);
extern void aug_save_text(char *);
extern void aug_save_text1(char *);
extern void aug_save_text2(char *);
extern void aug_save_na(int);
extern void aug_save_user(char *);
extern void aug_save_path(char *);
extern int aug_save_policy(void);
extern void aug_save_afunc(int (*)(int));
extern int aug_audit(void);
extern int aug_na_selected(void);
extern int aug_selected(void);
extern int aug_daemon_session(void);
#ifndef HAVE_GETTEXT
# define gettext(a) (a)
#endif
extern Authctxt *the_authctxt;
static AuditInfoTermID ssh_bsm_tid;
#ifdef BROKEN_BSM_API
/* For some reason this constant is no longer defined
in Solaris 11. */
#define BSM_TEXTBUFSZ 256
#endif
/* Below is the low-level BSM interface code */
/*
* aug_get_machine is only required on IPv6 capable machines, we use a
* different mechanism in audit_connection_from() for IPv4-only machines.
* getaudit_addr() is only present on IPv6 capable machines.
*/
#if defined(HAVE_AUG_GET_MACHINE) || !defined(HAVE_GETAUDIT_ADDR)
extern int aug_get_machine(char *, u_int32_t *, u_int32_t *);
#else
static int
aug_get_machine(char *host, u_int32_t *addr, u_int32_t *type)
{
struct addrinfo *ai;
struct sockaddr_in *in4;
struct sockaddr_in6 *in6;
int ret = 0, r;
if ((r = getaddrinfo(host, NULL, NULL, &ai)) != 0) {
error("BSM audit: getaddrinfo failed for %.100s: %.100s", host,
r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
return -1;
}
switch (ai->ai_family) {
case AF_INET:
in4 = (struct sockaddr_in *)ai->ai_addr;
*type = AU_IPv4;
memcpy(addr, &in4->sin_addr, sizeof(struct in_addr));
break;
#ifdef AU_IPv6
case AF_INET6:
in6 = (struct sockaddr_in6 *)ai->ai_addr;
*type = AU_IPv6;
memcpy(addr, &in6->sin6_addr, sizeof(struct in6_addr));
break;
#endif
default:
error("BSM audit: unknown address family for %.100s: %d",
host, ai->ai_family);
ret = -1;
}
freeaddrinfo(ai);
return ret;
}
#endif
#ifdef BROKEN_BSM_API
/*
In Solaris 11 the audit daemon has been moved to SMF. In the process
they simply dropped getacna() from the API, since it read from a now
non-existent config file. This function re-implements getacna() to
read from the SMF repository instead.
*/
int
getacna(char *auditstring, int len)
{
scf_handle_t *handle = NULL;
scf_property_t *property = NULL;
scf_value_t *value = NULL;
int ret = 0;
handle = scf_handle_create(SCF_VERSION);
if (handle == NULL)
return -2; /* The man page for getacna on Solaris 10 states
we should return -2 in case of error and set
errno to indicate the error. We don't bother
with errno here, though, since the only use
of this function below doesn't check for errors
anyway.
*/
ret = scf_handle_bind(handle);
if (ret == -1)
return -2;
property = scf_property_create(handle);
if (property == NULL)
return -2;
ret = scf_handle_decode_fmri(handle,
"svc:/system/auditd:default/:properties/preselection/naflags",
NULL, NULL, NULL, NULL, property, 0);
if (ret == -1)
return -2;
value = scf_value_create(handle);
if (value == NULL)
return -2;
ret = scf_property_get_value(property, value);
if (ret == -1)
return -2;
ret = scf_value_get_astring(value, auditstring, len);
if (ret == -1)
return -2;
scf_value_destroy(value);
scf_property_destroy(property);
scf_handle_destroy(handle);
return 0;
}
#endif
/*
* Check if the specified event is selected (enabled) for auditing.
* Returns 1 if the event is selected, 0 if not and -1 on failure.
*/
static int
selected(char *username, uid_t uid, au_event_t event, int sf)
{
int rc, sorf;
char naflags[512];
struct au_mask mask;
mask.am_success = mask.am_failure = 0;
if (uid < 0) {
/* get flags for non-attributable (to a real user) events */
rc = getacna(naflags, sizeof(naflags));
if (rc == 0)
(void) getauditflagsbin(naflags, &mask);
} else
rc = au_user_mask(username, &mask);
sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
}
static void
bsm_audit_record(int typ, char *string, au_event_t event_no)
{
int ad, rc, sel;
uid_t uid = -1;
gid_t gid = -1;
pid_t pid = getpid();
AuditInfoTermID tid = ssh_bsm_tid;
if (the_authctxt != NULL && the_authctxt->valid) {
uid = the_authctxt->pw->pw_uid;
gid = the_authctxt->pw->pw_gid;
}
rc = (typ == 0) ? 0 : -1;
sel = selected(the_authctxt->user, uid, event_no, rc);
debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
if (!sel)
return; /* audit event does not match mask, do not write */
debug3("BSM audit: writing audit new record");
ad = au_open();
(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
pid, pid, &tid));
(void) au_write(ad, au_to_text(string));
(void) au_write(ad, AUToReturnFunc(typ, rc));
#ifdef BROKEN_BSM_API
/* The last argument is the event modifier flags. For
some seemingly undocumented reason it was added in
Solaris 11. */
rc = au_close(ad, AU_TO_WRITE, event_no, 0);
#else
rc = au_close(ad, AU_TO_WRITE, event_no);
#endif
if (rc < 0)
error("BSM audit: %s failed to write \"%s\" record: %s",
__func__, string, strerror(errno));
}
static void
bsm_audit_session_setup(void)
{
int rc;
struct AuditInfoStruct info;
au_mask_t mask;
if (the_authctxt == NULL) {
error("BSM audit: session setup internal error (NULL ctxt)");
return;
}
if (the_authctxt->valid)
info.ai_auid = the_authctxt->pw->pw_uid;
else
info.ai_auid = -1;
info.ai_asid = getpid();
mask.am_success = 0;
mask.am_failure = 0;
(void) au_user_mask(the_authctxt->user, &mask);
info.ai_mask.am_success = mask.am_success;
info.ai_mask.am_failure = mask.am_failure;
info.ai_termid = ssh_bsm_tid;
rc = SetAuditFunc(&info, sizeof(info));
if (rc < 0)
error("BSM audit: %s: %s failed: %s", __func__,
SetAuditFuncText, strerror(errno));
}
static void
bsm_audit_bad_login(const char *what)
{
char textbuf[BSM_TEXTBUFSZ];
if (the_authctxt->valid) {
(void) snprintf(textbuf, sizeof (textbuf),
gettext("invalid %s for user %s"),
what, the_authctxt->user);
bsm_audit_record(4, textbuf, AUE_openssh);
} else {
(void) snprintf(textbuf, sizeof (textbuf),
gettext("invalid user name \"%s\""),
the_authctxt->user);
bsm_audit_record(3, textbuf, AUE_openssh);
}
}
/* Below is the sshd audit API code */
void
audit_connection_from(const char *host, int port)
{
AuditInfoTermID *tid = &ssh_bsm_tid;
char buf[1024];
if (cannot_audit(0))
return;
debug3("BSM audit: connection from %.100s port %d", host, port);
/* populate our terminal id structure */
#if defined(HAVE_GETAUDIT_ADDR)
tid->at_port = (dev_t)port;
aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type));
snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0],
tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]);
debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf);
#else
/* this is used on IPv4-only machines */
tid->port = (dev_t)port;
tid->machine = inet_addr(host);
snprintf(buf, sizeof(buf), "%08x", tid->machine);
debug3("BSM audit: machine ID %s", buf);
#endif
}
void
audit_run_command(const char *command)
{
/* not implemented */
}
void
audit_session_open(struct logininfo *li)
{
/* not implemented */
}
void
audit_session_close(struct logininfo *li)
{
/* not implemented */
}
void
audit_event(ssh_audit_event_t event)
{
char textbuf[BSM_TEXTBUFSZ];
static int logged_in = 0;
const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
if (cannot_audit(0))
return;
switch(event) {
case SSH_AUTH_SUCCESS:
logged_in = 1;
bsm_audit_session_setup();
snprintf(textbuf, sizeof(textbuf),
gettext("successful login %s"), user);
bsm_audit_record(0, textbuf, AUE_openssh);
break;
case SSH_CONNECTION_CLOSE:
/*
* We can also get a close event if the user attempted auth
* but never succeeded.
*/
if (logged_in) {
snprintf(textbuf, sizeof(textbuf),
gettext("sshd logout %s"), the_authctxt->user);
bsm_audit_record(0, textbuf, AUE_logout);
} else {
debug("%s: connection closed without authentication",
__func__);
}
break;
case SSH_NOLOGIN:
bsm_audit_record(1,
gettext("logins disabled by /etc/nologin"), AUE_openssh);
break;
case SSH_LOGIN_EXCEED_MAXTRIES:
snprintf(textbuf, sizeof(textbuf),
gettext("too many tries for user %s"), the_authctxt->user);
bsm_audit_record(1, textbuf, AUE_openssh);
break;
case SSH_LOGIN_ROOT_DENIED:
bsm_audit_record(2, gettext("not_console"), AUE_openssh);
break;
case SSH_AUTH_FAIL_PASSWD:
bsm_audit_bad_login("password");
break;
case SSH_AUTH_FAIL_KBDINT:
bsm_audit_bad_login("interactive password entry");
break;
default:
debug("%s: unhandled event %d", __func__, event);
}
}
#endif /* BSM */

126
crypto/external/bsd/openssh/dist/audit-linux.c vendored Normal file
View File

@@ -0,0 +1,126 @@
/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */
/*
* Copyright 2010 Red Hat, Inc. All rights reserved.
* Use is subject to license terms.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
*/
#include "includes.h"
#if defined(USE_LINUX_AUDIT)
#include <libaudit.h>
#include <unistd.h>
#include <string.h>
#include "log.h"
#include "audit.h"
#include "canohost.h"
const char* audit_username(void);
int
linux_audit_record_event(int uid, const char *username,
const char *hostname, const char *ip, const char *ttyn, int success)
{
int audit_fd, rc, saved_errno;
audit_fd = audit_open();
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
return 1; /* No audit support in kernel */
else
return 0; /* Must prevent login */
}
rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
NULL, "login", username ? username : "(unknown)",
username == NULL ? uid : -1, hostname, ip, ttyn, success);
saved_errno = errno;
close(audit_fd);
/*
* Do not report error if the error is EPERM and sshd is run as non
* root user.
*/
if ((rc == -EPERM) && (geteuid() != 0))
rc = 0;
errno = saved_errno;
return (rc >= 0);
}
/* Below is the sshd audit API code */
void
audit_connection_from(const char *host, int port)
{
}
/* not implemented */
void
audit_run_command(const char *command)
{
/* not implemented */
}
void
audit_session_open(struct logininfo *li)
{
if (linux_audit_record_event(li->uid, NULL, li->hostname,
NULL, li->line, 1) == 0)
fatal("linux_audit_write_entry failed: %s", strerror(errno));
}
void
audit_session_close(struct logininfo *li)
{
/* not implemented */
}
void
audit_event(ssh_audit_event_t event)
{
switch(event) {
case SSH_AUTH_SUCCESS:
case SSH_CONNECTION_CLOSE:
case SSH_NOLOGIN:
case SSH_LOGIN_EXCEED_MAXTRIES:
case SSH_LOGIN_ROOT_DENIED:
break;
case SSH_AUTH_FAIL_NONE:
case SSH_AUTH_FAIL_PASSWD:
case SSH_AUTH_FAIL_KBDINT:
case SSH_AUTH_FAIL_PUBKEY:
case SSH_AUTH_FAIL_HOSTBASED:
case SSH_AUTH_FAIL_GSSAPI:
case SSH_INVALID_USER:
linux_audit_record_event(-1, audit_username(), NULL,
get_remote_ipaddr(), "sshd", 0);
break;
default:
debug("%s: unhandled event %d", __func__, event);
}
}
#endif /* USE_LINUX_AUDIT */

186
crypto/external/bsd/openssh/dist/audit.c vendored Normal file
View File

@@ -0,0 +1,186 @@
/* $Id: audit.c,v 1.6 2011/01/17 10:15:30 dtucker Exp $ */
/*
* Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#include <stdarg.h>
#include <string.h>
#ifdef SSH_AUDIT_EVENTS
#include "audit.h"
#include "log.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
/*
* Care must be taken when using this since it WILL NOT be initialized when
* audit_connection_from() is called and MAY NOT be initialized when
* audit_event(CONNECTION_ABANDON) is called. Test for NULL before using.
*/
extern Authctxt *the_authctxt;
/* Maybe add the audit class to struct Authmethod? */
ssh_audit_event_t
audit_classify_auth(const char *method)
{
if (strcmp(method, "none") == 0)
return SSH_AUTH_FAIL_NONE;
else if (strcmp(method, "password") == 0)
return SSH_AUTH_FAIL_PASSWD;
else if (strcmp(method, "publickey") == 0 ||
strcmp(method, "rsa") == 0)
return SSH_AUTH_FAIL_PUBKEY;
else if (strncmp(method, "keyboard-interactive", 20) == 0 ||
strcmp(method, "challenge-response") == 0)
return SSH_AUTH_FAIL_KBDINT;
else if (strcmp(method, "hostbased") == 0 ||
strcmp(method, "rhosts-rsa") == 0)
return SSH_AUTH_FAIL_HOSTBASED;
else if (strcmp(method, "gssapi-with-mic") == 0)
return SSH_AUTH_FAIL_GSSAPI;
else
return SSH_AUDIT_UNKNOWN;
}
/* helper to return supplied username */
const char *
audit_username(void)
{
static const char unknownuser[] = "(unknown user)";
static const char invaliduser[] = "(invalid user)";
if (the_authctxt == NULL || the_authctxt->user == NULL)
return (unknownuser);
if (!the_authctxt->valid)
return (invaliduser);
return (the_authctxt->user);
}
const char *
audit_event_lookup(ssh_audit_event_t ev)
{
int i;
static struct event_lookup_struct {
ssh_audit_event_t event;
const char *name;
} event_lookup[] = {
{SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"},
{SSH_LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"},
{SSH_AUTH_SUCCESS, "AUTH_SUCCESS"},
{SSH_AUTH_FAIL_NONE, "AUTH_FAIL_NONE"},
{SSH_AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"},
{SSH_AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"},
{SSH_AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"},
{SSH_AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"},
{SSH_AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"},
{SSH_INVALID_USER, "INVALID_USER"},
{SSH_NOLOGIN, "NOLOGIN"},
{SSH_CONNECTION_CLOSE, "CONNECTION_CLOSE"},
{SSH_CONNECTION_ABANDON, "CONNECTION_ABANDON"},
{SSH_AUDIT_UNKNOWN, "AUDIT_UNKNOWN"}
};
for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
if (event_lookup[i].event == ev)
break;
return(event_lookup[i].name);
}
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
* These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled.
*/
/*
* Called after a connection has been accepted but before any authentication
* has been attempted.
*/
void
audit_connection_from(const char *host, int port)
{
debug("audit connection from %s port %d euid %d", host, port,
(int)geteuid());
}
/*
* Called when various events occur (see audit.h for a list of possible
* events and what they mean).
*/
void
audit_event(ssh_audit_event_t event)
{
debug("audit event euid %d user %s event %d (%s)", geteuid(),
audit_username(), event, audit_event_lookup(event));
}
/*
* Called when a user session is started. Argument is the tty allocated to
* the session, or NULL if no tty was allocated.
*
* Note that this may be called multiple times if multiple sessions are used
* within a single connection.
*/
void
audit_session_open(struct logininfo *li)
{
const char *t = li->line ? li->line : "(no tty)";
debug("audit session open euid %d user %s tty name %s", geteuid(),
audit_username(), t);
}
/*
* Called when a user session is closed. Argument is the tty allocated to
* the session, or NULL if no tty was allocated.
*
* Note that this may be called multiple times if multiple sessions are used
* within a single connection.
*/
void
audit_session_close(struct logininfo *li)
{
const char *t = li->line ? li->line : "(no tty)";
debug("audit session close euid %d user %s tty name %s", geteuid(),
audit_username(), t);
}
/*
* This will be called when a user runs a non-interactive command. Note that
* it may be called multiple times for a single connection since SSH2 allows
* multiple sessions within a single connection.
*/
void
audit_run_command(const char *command)
{
debug("audit run command euid %d user %s command '%.200s'", geteuid(),
audit_username(), command);
}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */

57
crypto/external/bsd/openssh/dist/audit.h vendored Normal file
View File

@@ -0,0 +1,57 @@
/* $Id: audit.h,v 1.4 2011/01/17 10:15:30 dtucker Exp $ */
/*
* Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _SSH_AUDIT_H
# define _SSH_AUDIT_H
#include "loginrec.h"
enum ssh_audit_event_type {
SSH_LOGIN_EXCEED_MAXTRIES,
SSH_LOGIN_ROOT_DENIED,
SSH_AUTH_SUCCESS,
SSH_AUTH_FAIL_NONE,
SSH_AUTH_FAIL_PASSWD,
SSH_AUTH_FAIL_KBDINT, /* keyboard-interactive or challenge-response */
SSH_AUTH_FAIL_PUBKEY, /* ssh2 pubkey or ssh1 rsa */
SSH_AUTH_FAIL_HOSTBASED, /* ssh2 hostbased or ssh1 rhostsrsa */
SSH_AUTH_FAIL_GSSAPI,
SSH_INVALID_USER,
SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */
SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */
SSH_CONNECTION_ABANDON, /* closed without completing auth */
SSH_AUDIT_UNKNOWN
};
typedef enum ssh_audit_event_type ssh_audit_event_t;
void audit_connection_from(const char *, int);
void audit_event(ssh_audit_event_t);
void audit_session_open(struct logininfo *);
void audit_session_close(struct logininfo *);
void audit_run_command(const char *);
ssh_audit_event_t audit_classify_auth(const char *);
#endif /* _SSH_AUDIT_H */

142
crypto/external/bsd/openssh/dist/auth-shadow.c vendored Normal file
View File

@@ -0,0 +1,142 @@
/*
* Copyright (c) 2004 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
#include <shadow.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "buffer.h"
#include "log.h"
#ifdef DAY
# undef DAY
#endif
#define DAY (24L * 60 * 60) /* 1 day in seconds */
extern Buffer loginmsg;
/*
* For the account and password expiration functions, we assume the expiry
* occurs the day after the day specified.
*/
/*
* Check if specified account is expired. Returns 1 if account is expired,
* 0 otherwise.
*/
int
auth_shadow_acctexpired(struct spwd *spw)
{
time_t today;
int daysleft;
char buf[256];
today = time(NULL) / DAY;
daysleft = spw->sp_expire - today;
debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today,
(int)spw->sp_expire, daysleft);
if (spw->sp_expire == -1) {
debug3("account expiration disabled");
} else if (daysleft < 0) {
logit("Account %.100s has expired", spw->sp_namp);
return 1;
} else if (daysleft <= spw->sp_warn) {
debug3("account will expire in %d days", daysleft);
snprintf(buf, sizeof(buf),
"Your account will expire in %d day%s.\n", daysleft,
daysleft == 1 ? "" : "s");
buffer_append(&loginmsg, buf, strlen(buf));
}
return 0;
}
/*
* Checks password expiry for platforms that use shadow passwd files.
* Returns: 1 = password expired, 0 = password not expired
*/
int
auth_shadow_pwexpired(Authctxt *ctxt)
{
struct spwd *spw = NULL;
const char *user = ctxt->pw->pw_name;
char buf[256];
time_t today;
int daysleft, disabled = 0;
if ((spw = getspnam((char *)user)) == NULL) {
error("Could not get shadow information for %.100s", user);
return 0;
}
today = time(NULL) / DAY;
debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
(int)spw->sp_lstchg, (int)spw->sp_max);
#if defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec()) {
struct pr_passwd *pr;
pr = getprpwnam((char *)user);
/* Test for Trusted Mode expiry disabled */
if (pr != NULL && pr->ufld.fd_min == 0 &&
pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 &&
pr->ufld.fd_pw_expire_warning == 0 &&
pr->ufld.fd_schange != 0)
disabled = 1;
}
#endif
/* TODO: check sp_inact */
daysleft = spw->sp_lstchg + spw->sp_max - today;
if (disabled) {
debug3("password expiration disabled");
} else if (spw->sp_lstchg == 0) {
logit("User %.100s password has expired (root forced)", user);
return 1;
} else if (spw->sp_max == -1) {
debug3("password expiration disabled");
} else if (daysleft < 0) {
logit("User %.100s password has expired (password aged)", user);
return 1;
} else if (daysleft <= spw->sp_warn) {
debug3("password will expire in %d days", daysleft);
snprintf(buf, sizeof(buf),
"Your password will expire in %d day%s.\n", daysleft,
daysleft == 1 ? "" : "s");
buffer_append(&loginmsg, buf, strlen(buf));
}
return 0;
}
#endif /* USE_SHADOW && HAS_SHADOW_EXPIRE */

114
crypto/external/bsd/openssh/dist/auth-sia.c vendored Normal file
View File

@@ -0,0 +1,114 @@
/*
* Copyright (c) 2002 Chris Adams. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#ifdef HAVE_OSF_SIA
#include <sia.h>
#include <siad.h>
#include <pwd.h>
#include <signal.h>
#include <setjmp.h>
#include <sys/resource.h>
#include <unistd.h>
#include <stdarg.h>
#include <string.h>
#include "ssh.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "auth-sia.h"
#include "log.h"
#include "servconf.h"
#include "canohost.h"
#include "uidswap.h"
extern ServerOptions options;
extern int saved_argc;
extern char **saved_argv;
int
sys_auth_passwd(Authctxt *authctxt, const char *pass)
{
int ret;
SIAENTITY *ent = NULL;
const char *host;
host = get_canonical_hostname(options.use_dns);
if (!authctxt->user || pass == NULL || pass[0] == '\0')
return (0);
if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
NULL, 0, NULL) != SIASUCCESS)
return (0);
if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
error("Couldn't authenticate %s from %s",
authctxt->user, host);
if (ret & SIASTOP)
sia_ses_release(&ent);
return (0);
}
sia_ses_release(&ent);
return (1);
}
void
session_setup_sia(struct passwd *pw, char *tty)
{
SIAENTITY *ent = NULL;
const char *host;
host = get_canonical_hostname(options.use_dns);
if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
tty, 0, NULL) != SIASUCCESS)
fatal("sia_ses_init failed");
if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
sia_ses_release(&ent);
fatal("sia_make_entity_pwd failed");
}
ent->authtype = SIA_A_NONE;
if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
fatal("Couldn't establish session for %s from %s",
pw->pw_name, host);
if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
fatal("Couldn't launch session for %s from %s",
pw->pw_name, host);
sia_ses_release(&ent);
setuid(0);
permanently_set_uid(pw);
}
#endif /* HAVE_OSF_SIA */

31
crypto/external/bsd/openssh/dist/auth-sia.h vendored Normal file
View File

@@ -0,0 +1,31 @@
/*
* Copyright (c) 2002 Chris Adams. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#ifdef HAVE_OSF_SIA
void session_setup_sia(struct passwd *, char *);
#endif /* HAVE_OSF_SIA */

1
crypto/external/bsd/openssh/dist/bindresvport.c vendored Symbolic link
View File

@@ -0,0 +1 @@
openbsd-compat/bindresvport.c

1
crypto/external/bsd/openssh/dist/bsd-misc.c vendored Symbolic link
View File

@@ -0,0 +1 @@
openbsd-compat/bsd-misc.c

1
crypto/external/bsd/openssh/dist/bsd-setres_id.c vendored Symbolic link
View File

@@ -0,0 +1 @@
openbsd-compat/bsd-setres_id.c

161
crypto/external/bsd/openssh/dist/cipher-aes.c vendored Normal file
View File

@@ -0,0 +1,161 @@
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
#ifdef USE_BUILTIN_RIJNDAEL
#include <sys/types.h>
#include <openssl/evp.h>
#include <stdarg.h>
#include <string.h>
#include "rijndael.h"
#include "xmalloc.h"
#include "log.h"
#define RIJNDAEL_BLOCKSIZE 16
struct ssh_rijndael_ctx
{
rijndael_ctx r_ctx;
u_char r_iv[RIJNDAEL_BLOCKSIZE];
};
static int
ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
int enc)
{
struct ssh_rijndael_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
c = xmalloc(sizeof(*c));
EVP_CIPHER_CTX_set_app_data(ctx, c);
}
if (key != NULL) {
if (enc == -1)
enc = ctx->encrypt;
rijndael_set_key(&c->r_ctx, (u_char *)key,
8*EVP_CIPHER_CTX_key_length(ctx), enc);
}
if (iv != NULL)
memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
return (1);
}
static int
ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
LIBCRYPTO_EVP_INL_TYPE len)
{
struct ssh_rijndael_ctx *c;
u_char buf[RIJNDAEL_BLOCKSIZE];
u_char *cprev, *cnow, *plain, *ivp;
int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
if (len == 0)
return (1);
if (len % RIJNDAEL_BLOCKSIZE)
fatal("ssh_rijndael_cbc: bad len %d", len);
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
error("ssh_rijndael_cbc: no context");
return (0);
}
if (ctx->encrypt) {
cnow = dest;
plain = (u_char *)src;
cprev = c->r_iv;
for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
cnow+=RIJNDAEL_BLOCKSIZE) {
for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
buf[j] = plain[j] ^ cprev[j];
rijndael_encrypt(&c->r_ctx, buf, cnow);
cprev = cnow;
}
memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
} else {
cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
plain = dest+len-RIJNDAEL_BLOCKSIZE;
memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
plain-=RIJNDAEL_BLOCKSIZE) {
rijndael_decrypt(&c->r_ctx, cnow, plain);
ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
plain[j] ^= ivp[j];
}
memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
}
return (1);
}
static int
ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
{
struct ssh_rijndael_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
memset(c, 0, sizeof(*c));
free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
}
return (1);
}
void
ssh_rijndael_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, u_int len)
{
struct ssh_rijndael_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
fatal("ssh_rijndael_iv: no context");
if (doset)
memcpy(c->r_iv, iv, len);
else
memcpy(iv, c->r_iv, len);
}
const EVP_CIPHER *
evp_rijndael(void)
{
static EVP_CIPHER rijndal_cbc;
memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
rijndal_cbc.nid = NID_undef;
rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
rijndal_cbc.key_len = 16;
rijndal_cbc.init = ssh_rijndael_init;
rijndal_cbc.cleanup = ssh_rijndael_cleanup;
rijndal_cbc.do_cipher = ssh_rijndael_cbc;
#ifndef SSH_OLD_EVP
rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
#endif
return (&rijndal_cbc);
}
#endif /* USE_BUILTIN_RIJNDAEL */

146
crypto/external/bsd/openssh/dist/cipher-ctr.c vendored Normal file
View File

@@ -0,0 +1,146 @@
/* $OpenBSD: cipher-ctr.c,v 1.11 2010/10/01 23:05:32 djm Exp $ */
/*
* Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#if defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR)
#include <sys/types.h>
#include <stdarg.h>
#include <string.h>
#include <openssl/evp.h>
#include "xmalloc.h"
#include "log.h"
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
#ifndef USE_BUILTIN_RIJNDAEL
#include <openssl/aes.h>
#endif
struct ssh_aes_ctr_ctx
{
AES_KEY aes_ctx;
u_char aes_counter[AES_BLOCK_SIZE];
};
/*
* increment counter 'ctr',
* the counter is of size 'len' bytes and stored in network-byte-order.
* (LSB at ctr[len-1], MSB at ctr[0])
*/
static void
ssh_ctr_inc(u_char *ctr, size_t len)
{
int i;
for (i = len - 1; i >= 0; i--)
if (++ctr[i]) /* continue on overflow */
return;
}
static int
ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
LIBCRYPTO_EVP_INL_TYPE len)
{
struct ssh_aes_ctr_ctx *c;
size_t n = 0;
u_char buf[AES_BLOCK_SIZE];
if (len == 0)
return (1);
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
return (0);
while ((len--) > 0) {
if (n == 0) {
AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
}
*(dest++) = *(src++) ^ buf[n];
n = (n + 1) % AES_BLOCK_SIZE;
}
return (1);
}
static int
ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
int enc)
{
struct ssh_aes_ctr_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
c = xmalloc(sizeof(*c));
EVP_CIPHER_CTX_set_app_data(ctx, c);
}
if (key != NULL)
AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
&c->aes_ctx);
if (iv != NULL)
memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
return (1);
}
static int
ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
{
struct ssh_aes_ctr_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
memset(c, 0, sizeof(*c));
free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
}
return (1);
}
void
ssh_aes_ctr_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, size_t len)
{
struct ssh_aes_ctr_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
fatal("ssh_aes_ctr_iv: no context");
if (doset)
memcpy(c->aes_counter, iv, len);
else
memcpy(iv, c->aes_counter, len);
}
const EVP_CIPHER *
evp_aes_128_ctr(void)
{
static EVP_CIPHER aes_ctr;
memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
aes_ctr.nid = NID_undef;
aes_ctr.block_size = AES_BLOCK_SIZE;
aes_ctr.iv_len = AES_BLOCK_SIZE;
aes_ctr.key_len = 16;
aes_ctr.init = ssh_aes_ctr_init;
aes_ctr.cleanup = ssh_aes_ctr_cleanup;
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
#endif
return (&aes_ctr);
}
#endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) */

1708
crypto/external/bsd/openssh/dist/config.h vendored Normal file
View File

File diff suppressed because it is too large Load Diff

17
crypto/external/bsd/openssh/dist/contrib/Makefile vendored Normal file
View File

@@ -0,0 +1,17 @@
PKG_CONFIG = pkg-config
all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c
$(CC) $(CFLAGS) `gnome-config --cflags gnome gnomeui` \
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
`gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c
$(CC) $(CFLAGS) `$(PKG_CONFIG) --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`$(PKG_CONFIG) --libs gtk+-2.0 x11`
clean:
rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass

70
crypto/external/bsd/openssh/dist/contrib/README vendored Normal file
View File

@@ -0,0 +1,70 @@
Other patches and addons for OpenSSH. Please send submissions to
djm@mindrot.org
Externally maintained
---------------------
SSH Proxy Command -- connect.c
Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
https CONNECT style proxy server. His page for connect.c has extensive
documentation on its use as well as compiled versions for Win32.
https://bitbucket.org/gotoh/connect/wiki/Home
X11 SSH Askpass:
Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is highly recommended:
http://www.jmknoble.net/software/x11-ssh-askpass/
In this directory
-----------------
ssh-copy-id:
Phil Hands' <phil@hands.com> shell script to automate the process of adding
your public key to a remote machine's ~/.ssh/authorized_keys file.
gnome-ssh-askpass[12]:
A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
"make gnome-ssh-askpass2" to build.
sshd.pam.generic:
A generic PAM config file which may be useful on your system. YMMV
sshd.pam.freebsd:
A PAM config file which works with FreeBSD's PAM port. Contributed by
Dominik Brettnacher <domi@saargate.de>
findssl.sh:
Search for all instances of OpenSSL headers and libraries and print their
versions. This is intended to help diagnose OpenSSH's "OpenSSL headers do not
match your library" errors.
aix:
Files to build an AIX native (installp or SMIT installable) package.
caldera:
RPM spec file and scripts for building Caldera OpenLinuix packages
cygwin:
Support files for Cygwin
hpux:
Support files for HP-UX
redhat:
RPM spec file and scripts for building Redhat packages
suse:
RPM spec file and scripts for building SuSE packages

50
crypto/external/bsd/openssh/dist/contrib/aix/README vendored Normal file
View File

@@ -0,0 +1,50 @@
Overview:
This directory contains files to build an AIX native (installp or SMIT
installable) openssh package.
Directions:
(optional) create config.local in your build dir
./configure [options]
contrib/aix/buildbff.sh
The file config.local or the environment is read to set the following options
(default first):
PERMIT_ROOT_LOGIN=[no|yes]
X11_FORWARDING=[no|yes]
AIX_SRC=[no|yes]
Acknowledgements:
The contents of this directory are based on Ben Lindstrom's Solaris
buildpkg.sh. Ben also supplied inventory.sh.
Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's
and for comparison with the output from this script, however no code
from lppbuild is included and it is not required for operation.
SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
PrivSep account handling fixes contributed by W. Earl Allen.
Other notes:
The script treats all packages as USR packages (not ROOT+USR when
appropriate). It seems to work, though......
If there are any patches to this that have not yet been integrated they
may be found at http://www.zip.com.au/~dtucker/openssh/.
Disclaimer:
It is hoped that it is useful but there is no warranty. If it breaks
you get to keep both pieces.
- Darren Tucker (dtucker at zip dot com dot au)
2002/03/01
$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $

381
crypto/external/bsd/openssh/dist/contrib/aix/buildbff.sh vendored Executable file
View File

@@ -0,0 +1,381 @@
#!/bin/sh
#
# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $
#
# Author: Darren Tucker (dtucker at zip dot com dot au)
# This file is placed in the public domain and comes with absolutely
# no warranty.
#
# Based originally on Ben Lindstrom's buildpkg.sh for Solaris
#
#
# Tunable configuration settings
# create a "config.local" in your build directory or set
# environment variables to override these.
#
[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
[ -z "$AIX_SRC" ] && AIX_SRC=no
umask 022
startdir=`pwd`
perl -v >/dev/null || (echo perl required; exit 1)
# Path to inventory.sh: same place as buildbff.sh
if echo $0 | egrep '^/'
then
inventory=`dirname $0`/inventory.sh # absolute path
else
inventory=`pwd`/`dirname $0`/inventory.sh # relative path
fi
#
# We still support running from contrib/aix, but this is deprecated
#
if pwd | egrep 'contrib/aix$'
then
echo "Changing directory to `pwd`/../.."
echo "Please run buildbff.sh from your build directory in future."
cd ../..
contribaix=1
fi
if [ ! -f Makefile ]
then
echo "Makefile not found (did you run configure?)"
exit 1
fi
#
# Directories used during build:
# current dir = $objdir directory you ran ./configure in.
# $objdir/$PKGDIR/ directory package files are constructed in
# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT)
#
objdir=`pwd`
PKGNAME=openssh
PKGDIR=package
#
# Collect local configuration settings to override defaults
#
if [ -s ./config.local ]
then
echo Reading local settings from config.local
. ./config.local
fi
#
# Fill in some details from Makefile, like prefix and sysconfdir
# the eval also expands variables like sysconfdir=${prefix}/etc
# provided they are eval'ed in the correct order
#
for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir
do
eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2`
done
#
# Collect values of privsep user and privsep path
# currently only found in config.h
#
for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH
do
eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h`
done
# Set privsep defaults if not defined
if [ -z "$SSH_PRIVSEP_USER" ]
then
SSH_PRIVSEP_USER=sshd
fi
if [ -z "$PRIVSEP_PATH" ]
then
PRIVSEP_PATH=/var/empty
fi
# Clean package build directory
rm -rf $objdir/$PKGDIR
FAKE_ROOT=$objdir/$PKGDIR/root
mkdir -p $FAKE_ROOT
# Start by faking root install
echo "Faking root install..."
cd $objdir
make install-nokeys DESTDIR=$FAKE_ROOT
if [ $? -gt 0 ]
then
echo "Fake root install failed, stopping."
exit 1
fi
#
# Copy informational files to include in package
#
cp $srcdir/LICENCE $objdir/$PKGDIR/
cp $srcdir/README* $objdir/$PKGDIR/
#
# Extract common info requires for the 'info' part of the package.
# AIX requires 4-part version numbers
#
VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'`
[ "$PATCH" = "" ] && PATCH=0
[ "$PORTABLE" = "" ] && PORTABLE=0
BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE`
echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
#
# Set ssh and sshd parameters as per config.local
#
if [ "${PERMIT_ROOT_LOGIN}" = no ]
then
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
fi
if [ "${X11_FORWARDING}" = yes ]
then
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
fi
# Rename config files; postinstall script will copy them if necessary
for cfgfile in ssh_config sshd_config
do
mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
done
#
# Generate lpp control files.
# working dir is $FAKE_ROOT but files are generated in dir above
# and moved into place just before creation of .bff
#
cd $FAKE_ROOT
echo Generating LPP control files
find . ! -name . -print >../openssh.al
$inventory >../openssh.inventory
cat <<EOD >../openssh.copyright
This software is distributed under a BSD-style license.
For the full text of the license, see /usr/lpp/openssh/LICENCE
EOD
#
# openssh.size file allows filesystem expansion as required
# generate list of directories containing files
# then calculate disk usage for each directory and store in openssh.size
#
files=`find . -type f -print`
dirs=`for file in $files; do dirname $file; done | sort -u`
for dir in $dirs
do
du $dir
done > ../openssh.size
#
# Create postinstall script
#
cat <<EOF >>../openssh.post_i
#!/bin/sh
echo Creating configs from defaults if necessary.
for cfgfile in ssh_config sshd_config
do
if [ ! -f $sysconfdir/\$cfgfile ]
then
echo "Creating \$cfgfile from default"
cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
else
echo "\$cfgfile already exists."
fi
done
echo
# Create PrivilegeSeparation user and group if not present
echo Checking for PrivilegeSeparation user and group.
if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
then
echo "PrivSep group $SSH_PRIVSEP_USER already exists."
else
echo "Creating PrivSep group $SSH_PRIVSEP_USER."
mkgroup -A $SSH_PRIVSEP_USER
fi
# Create user if required
if lsuser "$SSH_PRIVSEP_USER" >/dev/null
then
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
else
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
fi
if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
then
echo UsePrivilegeSeparation not enabled, privsep directory not required.
else
# create chroot directory if required
if [ -d $PRIVSEP_PATH ]
then
echo "PrivSep chroot directory $PRIVSEP_PATH already exists."
else
echo "Creating PrivSep chroot directory $PRIVSEP_PATH."
mkdir $PRIVSEP_PATH
chown 0 $PRIVSEP_PATH
chgrp 0 $PRIVSEP_PATH
chmod 755 $PRIVSEP_PATH
fi
fi
echo
# Generate keys unless they already exist
echo Creating host keys if required.
if [ -f "$sysconfdir/ssh_host_key" ] ; then
echo "$sysconfdir/ssh_host_key already exists, skipping."
else
$bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
fi
if [ -f $sysconfdir/ssh_host_dsa_key ] ; then
echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
else
$bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
fi
if [ -f $sysconfdir/ssh_host_rsa_key ] ; then
echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
else
$bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
fi
echo
# Set startup command depending on SRC support
if [ "$AIX_SRC" = "yes" ]
then
echo Creating SRC sshd subsystem.
rmssys -s sshd 2>&1 >/dev/null
mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip
startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\""
oldstartcmd="$sbindir/sshd"
else
startupcmd="$sbindir/sshd"
oldstartcmd="start $sbindir/sshd \\\"$src_running\\\""
fi
# If migrating to or from SRC, change previous startup command
# otherwise add to rc.tcpip
if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null
then
if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new
then
chmod 0755 /etc/rc.tcpip.new
mv /etc/rc.tcpip /etc/rc.tcpip.old && \
mv /etc/rc.tcpip.new /etc/rc.tcpip
else
echo "Updating /etc/rc.tcpip failed, please check."
fi
else
# Add to system startup if required
if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null
then
echo "sshd found in rc.tcpip, not adding."
else
echo "Adding sshd to rc.tcpip"
echo >>/etc/rc.tcpip
echo "# Start sshd" >>/etc/rc.tcpip
echo "\$startupcmd" >>/etc/rc.tcpip
fi
fi
EOF
#
# Create liblpp.a and move control files into it
#
echo Creating liblpp.a
(
cd ..
for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README*
do
ar -r liblpp.a $i
rm $i
done
)
#
# Create lpp_name
#
# This will end up looking something like:
# 4 R I OpenSSH {
# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX
# [
# %
# /usr/local/bin 8073
# /usr/local/etc 189
# /usr/local/libexec 185
# /usr/local/man/man1 145
# /usr/local/man/man8 83
# /usr/local/sbin 2105
# /usr/local/share 3
# %
# ]
# }
echo Creating lpp_name
cat <<EOF >../lpp_name
4 R I $PKGNAME {
$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX
[
%
EOF
for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh
do
# get size in 512 byte blocks
if [ -d $FAKE_ROOT/$i ]
then
size=`du $FAKE_ROOT/$i | awk '{print $1}'`
echo "$i $size" >>../lpp_name
fi
done
echo '%' >>../lpp_name
echo ']' >>../lpp_name
echo '}' >>../lpp_name
#
# Move pieces into place
#
mkdir -p usr/lpp/openssh
mv ../liblpp.a usr/lpp/openssh
mv ../lpp_name .
#
# Now invoke backup to create .bff file
# note: lpp_name needs to be the first file so we generate the
# file list on the fly and feed it to backup using -i
#
echo Creating $PKGNAME-$VERSION.bff with backup...
rm -f $PKGNAME-$VERSION.bff
(
echo "./lpp_name"
find . ! -name lpp_name -a ! -name . -print
) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist
#
# Move package into final location and clean up
#
mv ../$PKGNAME-$VERSION.bff $startdir
cd $startdir
rm -rf $objdir/$PKGDIR
echo $0: done.

63
crypto/external/bsd/openssh/dist/contrib/aix/inventory.sh vendored Executable file
View File

@@ -0,0 +1,63 @@
#!/bin/sh
#
# inventory.sh
# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
#
# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
# This file is placed into the public domain.
#
# This will produce an AIX package inventory file, which looks like:
#
# /usr/local/bin:
# class=apply,inventory,openssh
# owner=root
# group=system
# mode=755
# type=DIRECTORY
# /usr/local/bin/slogin:
# class=apply,inventory,openssh
# owner=root
# group=system
# mode=777
# type=SYMLINK
# target=ssh
# /usr/local/share/Ssh.bin:
# class=apply,inventory,openssh
# owner=root
# group=system
# mode=644
# type=FILE
# size=VOLATILE
# checksum=VOLATILE
find . ! -name . -print | perl -ne '{
chomp;
if ( -l $_ ) {
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat;
} else {
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat;
}
# Start to display inventory information
$name = $_;
$name =~ s|^.||; # Strip leading dot from path
print "$name:\n";
print "\tclass=apply,inventory,openssh\n";
print "\towner=root\n";
print "\tgroup=system\n";
printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits
if ( -l $_ ) {
# Entry is SymLink
print "\ttype=SYMLINK\n";
printf "\ttarget=%s\n", readlink($_);
} elsif ( -f $_ ) {
# Entry is File
print "\ttype=FILE\n";
print "\tsize=$sz\n";
print "\tchecksum=VOLATILE\n";
} elsif ( -d $_ ) {
# Entry is Directory
print "\ttype=DIRECTORY\n";
}
}'

20
crypto/external/bsd/openssh/dist/contrib/aix/pam.conf vendored Normal file
View File

@@ -0,0 +1,20 @@
#
# PAM configuration file /etc/pam.conf
# Example for OpenSSH on AIX 5.2
#
# Authentication Management
sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
# Account Management
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
# Password Management
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
# Session Management
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix

77
crypto/external/bsd/openssh/dist/contrib/cygwin/Makefile vendored Normal file
View File

@@ -0,0 +1,77 @@
srcdir=../..
copyidsrcdir=..
prefix=/usr
exec_prefix=$(prefix)
bindir=$(prefix)/bin
datadir=$(prefix)/share
mandir=$(datadir)/man
docdir=$(datadir)/doc
sshdocdir=$(docdir)/openssh
cygdocdir=$(docdir)/Cygwin
sysconfdir=/etc
defaultsdir=$(sysconfdir)/defaults/etc
inetdefdir=$(defaultsdir)/inetd.d
PRIVSEP_PATH=/var/empty
INSTALL=/usr/bin/install -c
DESTDIR=
all:
@echo
@echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
@echo "Be sure having DESTDIR set correctly!"
@echo
move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
$(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
remove-empty-dir:
rm -rf $(DESTDIR)$(PRIVSEP_PATH)
install-inetd-config:
$(srcdir)/mkinstalldirs $(DESTDIR)$(inetdefdir)
$(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd
install-sshdoc:
$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
-$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
-$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
-$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
-$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
-$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
-$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
-$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
-$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
-$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
-$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
install-cygwindoc: README
$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
install-doc: install-sshdoc install-cygwindoc
install-scripts: ssh-host-config ssh-user-config
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
install-copy-id: $(copyidsrcdir)/ssh-copy-id $(copyidsrcdir)/ssh-copy-id.1
$(INSTALL) -m 755 $(copyidsrcdir)/ssh-copy-id $(DESTDIR)$(bindir)/ssh-copy-id
$(INSTALL) -m 644 $(copyidsrcdir)/ssh-copy-id.1 $(DESTDIR)$(mandir)/man1/ssh-copy-id.1
gzip-man-pages:
rm $(DESTDIR)$(mandir)/man1/slogin.1
gzip $(DESTDIR)$(mandir)/man1/*.1
gzip $(DESTDIR)$(mandir)/man5/*.5
gzip $(DESTDIR)$(mandir)/man8/*.8
cd $(DESTDIR)$(mandir)/man1 && ln -s ssh.1.gz slogin.1.gz
cygwin-postinstall: move-config-files remove-empty-dir install-inetd-config install-doc install-scripts install-copy-id gzip-man-pages
@echo "Cygwin specific configuration finished."

90
crypto/external/bsd/openssh/dist/contrib/cygwin/README vendored Normal file
View File

@@ -0,0 +1,90 @@
This package describes important Cygwin specific stuff concerning OpenSSH.
The binary package is usually built for recent Cygwin versions and might
not run on older versions. Please check http://cygwin.com/ for information
about current Cygwin releases.
==================
Host configuration
==================
If you are installing OpenSSH the first time, you can generate global config
files and server keys, as well as installing sshd as a service, by running
/usr/bin/ssh-host-config
Note that this binary archive doesn't contain default config files in /etc.
That files are only created if ssh-host-config is started.
To support testing and unattended installation ssh-host-config got
some options:
usage: ssh-host-config [OPTION]...
Options:
--debug -d Enable shell's debug output.
--yes -y Answer all questions with "yes" automatically.
--no -n Answer all questions with "no" automatically.
--cygwin -c <options> Use "options" as value for CYGWIN environment var.
--port -p <n> sshd listens on port n.
--user -u <account> privileged user for service, default 'cyg_server'.
--pwd -w <passwd> Use "pwd" as password for privileged user.
--privileged On Windows XP, require privileged user
instead of LocalSystem for sshd service.
Installing sshd as daemon via ssh-host-config is recommended.
Alternatively you can start sshd via inetd, if you have the inetutils
package installed. Just run ssh-host-config, but answer "no" when asked
to install sshd as service. The ssh-host-config script also adds the
required lines to /etc/inetd.conf and /etc/services.
==================
User configuration
==================
Any user can simplify creating the own private and public keys by running
/usr/bin/ssh-user-config
To support testing and unattended installation ssh-user-config got
some options as well:
usage: ssh-user-config [OPTION]...
Options:
--debug -d Enable shell's debug output.
--yes -y Answer all questions with "yes" automatically.
--no -n Answer all questions with "no" automatically.
--passphrase -p word Use "word" as passphrase automatically.
Please note that OpenSSH does never use the value of $HOME to
search for the users configuration files! It always uses the
value of the pw_dir field in /etc/passwd as the home directory.
If no home diretory is set in /etc/passwd, the root directory
is used instead!
================
Building OpenSSH
================
Building from source is easy. Just unpack the source archive, cd to that
directory, and call cygport:
cygport openssh.cygport all
You must have installed the following packages to be able to build OpenSSH
with the aforementioned cygport script:
zlib
crypt
openssl-devel
libedit-devel
libkrb5-devel
Please send requests, error reports etc. to cygwin@cygwin.com.
Have fun,
Corinna Vinschen
Cygwin Developer
Red Hat Inc.

718
crypto/external/bsd/openssh/dist/contrib/cygwin/ssh-host-config vendored Normal file
View File

@@ -0,0 +1,718 @@
#!/bin/bash
#
# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# ======================================================================
# Initialization
# ======================================================================
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
# List of apps used. This is checkad for existance in csih_sanity_check
# Don't use *any* transient commands before sourcing the csih helper script,
# otherwise the sanity checks are short-circuited.
declare -a csih_required_commands=(
/usr/bin/basename coreutils
/usr/bin/cat coreutils
/usr/bin/chmod coreutils
/usr/bin/dirname coreutils
/usr/bin/id coreutils
/usr/bin/mv coreutils
/usr/bin/rm coreutils
/usr/bin/cygpath cygwin
/usr/bin/mkpasswd cygwin
/usr/bin/mount cygwin
/usr/bin/ps cygwin
/usr/bin/umount cygwin
/usr/bin/cmp diffutils
/usr/bin/grep grep
/usr/bin/awk gawk
/usr/bin/ssh-keygen openssh
/usr/sbin/sshd openssh
/usr/bin/sed sed
)
csih_sanity_check_server=yes
source ${CSIH_SCRIPT}
PROGNAME=$(/usr/bin/basename $0)
_tdir=$(/usr/bin/dirname $0)
PROGDIR=$(cd $_tdir && pwd)
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
sshd_config_configured=no
port_number=22
service_name=sshd
strictmodes=yes
privsep_used=yes
cygwin_value=""
user_account=
password_value=
opt_force=no
# ======================================================================
# Routine: update_services_file
# ======================================================================
update_services_file() {
local _my_etcdir="/ssh-host-config.$$"
local _win_etcdir
local _services
local _spaces
local _serv_tmp
local _wservices
local ret=0
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
_spaces=" #"
_serv_tmp="${_my_etcdir}/srv.out.$$"
/usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Add ssh 22/tcp and ssh 22/udp to services
if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
then
if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
if /usr/bin/mv "${_serv_tmp}" "${_services}"
then
csih_inform "Added ssh to ${_wservices}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
let ++ret
fi
/usr/bin/rm -f "${_serv_tmp}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
let ++ret
fi
fi
/usr/bin/umount "${_my_etcdir}"
return $ret
} # --- End of update_services_file --- #
# ======================================================================
# Routine: sshd_strictmodes
# MODIFIES: strictmodes
# ======================================================================
sshd_strictmodes() {
if [ "${sshd_config_configured}" != "yes" ]
then
echo
csih_inform "StrictModes is set to 'yes' by default."
csih_inform "This is the recommended setting, but it requires that the POSIX"
csih_inform "permissions of the user's home directory, the user's .ssh"
csih_inform "directory, and the user's ssh key files are tight so that"
csih_inform "only the user has write permissions."
csih_inform "On the other hand, StrictModes don't work well with default"
csih_inform "Windows permissions of a home directory mounted with the"
csih_inform "'noacl' option, and they don't work at all if the home"
csih_inform "directory is on a FAT or FAT32 partition."
if ! csih_request "Should StrictModes be used?"
then
strictmodes=no
fi
fi
return 0
}
# ======================================================================
# Routine: sshd_privsep
# MODIFIES: privsep_used
# ======================================================================
sshd_privsep() {
local ret=0
if [ "${sshd_config_configured}" != "yes" ]
then
echo
csih_inform "Privilege separation is set to 'sandbox' by default since"
csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
csih_inform "to 'yes' or 'no'."
csih_inform "However, using privilege separation requires a non-privileged account"
csih_inform "called 'sshd'."
csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
if csih_request "Should privilege separation be used?"
then
privsep_used=yes
if ! csih_create_unprivileged_user sshd
then
csih_error_recoverable "Couldn't create user 'sshd'!"
csih_error_recoverable "Privilege separation set to 'no' again!"
csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
privsep_used=no
fi
else
privsep_used=no
fi
fi
return $ret
} # --- End of sshd_privsep --- #
# ======================================================================
# Routine: sshd_config_tweak
# ======================================================================
sshd_config_tweak() {
local ret=0
# Modify sshd_config
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
if [ "${port_number}" -ne 22 ]
then
/usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
${SYSCONFDIR}/sshd_config
if [ $? -ne 0 ]
then
csih_warning "Setting listening port to ${port_number} failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
fi
if [ "${strictmodes}" = "no" ]
then
/usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
${SYSCONFDIR}/sshd_config
if [ $? -ne 0 ]
then
csih_warning "Setting StrictModes to 'no' failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
fi
if [ "${sshd_config_configured}" != "yes" ]
then
/usr/bin/sed -i -e "
s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
${SYSCONFDIR}/sshd_config
if [ $? -ne 0 ]
then
csih_warning "Setting privilege separation failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
fi
return $ret
} # --- End of sshd_config_tweak --- #
# ======================================================================
# Routine: update_inetd_conf
# ======================================================================
update_inetd_conf() {
local _inetcnf="${SYSCONFDIR}/inetd.conf"
local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
local _with_comment=1
local ret=0
if [ -d "${_inetcnf_dir}" ]
then
# we have inetutils-1.5 inetd.d support
if [ -f "${_inetcnf}" ]
then
/usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
# check for sshd OR ssh in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
then
/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed ssh[d] from ${_inetcnf}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
let ++ret
fi
/usr/bin/rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
let ++ret
fi
fi
fi
csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
then
if [ "${_with_comment}" -eq 0 ]
then
/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
else
/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
fi
if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
then
csih_inform "Updated ${_sshd_inetd_conf}"
else
csih_warning "Updating ${_sshd_inetd_conf} failed!"
let ++ret
fi
fi
elif [ -f "${_inetcnf}" ]
then
/usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
# check for sshd in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
/usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed sshd from ${_inetcnf}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
let ++ret
fi
/usr/bin/rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
let ++ret
fi
fi
# Add ssh line to inetd.conf
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${_with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
fi
if [ $? -eq 0 ]
then
csih_inform "Added ssh to ${_inetcnf}"
else
csih_warning "Adding ssh to ${_inetcnf} failed!"
let ++ret
fi
fi
fi
return $ret
} # --- End of update_inetd_conf --- #
# ======================================================================
# Routine: check_service_files_ownership
# Checks that the files in /etc and /var belong to the right owner
# ======================================================================
check_service_files_ownership() {
local run_service_as=$1
local ret=0
if [ -z "${run_service_as}" ]
then
accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
/usr/bin/sed -ne 's/^Account *: *//gp')
if [ "${accnt_name}" = "LocalSystem" ]
then
# Convert "LocalSystem" to "SYSTEM" as is the correct account name
run_service_as="SYSTEM"
else
dom="${accnt_name%%\\*}"
accnt_name="${accnt_name#*\\}"
if [ "${dom}" = '.' ]
then
# Check local account
run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
/usr/bin/awk -F: '{print $1;}')
else
# Check domain
run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
/usr/bin/awk -F: '{print $1;}')
fi
fi
if [ -z "${run_service_as}" ]
then
csih_warning "Couldn't determine name of user running sshd service from account database!"
csih_warning "As a result, this script cannot make sure that the files used"
csih_warning "by the sshd service belong to the user running the service."
return 1
fi
fi
for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
do
if [ -f "$i" ]
then
if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
then
csih_warning "Couldn't change owner of $i!"
let ++ret
fi
fi
done
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
then
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
let ++ret
fi
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
then
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
let ++ret
fi
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
then
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
let ++ret
fi
fi
if [ $ret -ne 0 ]
then
csih_warning "Couldn't change owner of important files to ${run_service_as}!"
csih_warning "This may cause the sshd service to fail! Please make sure that"
csih_warning "you have suufficient permissions to change the ownership of files"
csih_warning "and try to run the ssh-host-config script again."
fi
return $ret
} # --- End of check_service_files_ownership --- #
# ======================================================================
# Routine: install_service
# Install sshd as a service
# ======================================================================
install_service() {
local run_service_as
local password
local ret=0
echo
if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
then
csih_inform "Sshd service is already installed."
check_service_files_ownership "" || let ret+=$?
else
echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
if csih_request "(Say \"no\" if it is already installed as a service)"
then
csih_get_cygenv "${cygwin_value}"
if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
then
csih_inform "On Windows Server 2003, Windows Vista, and above, the"
csih_inform "SYSTEM account cannot setuid to other users -- a capability"
csih_inform "sshd requires. You need to have or to create a privileged"
csih_inform "account. This script will help you do so."
echo
[ "${opt_force}" = "yes" ] && opt_f=-f
[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
csih_select_privileged_username ${opt_f} ${opt_u} sshd
if ! csih_create_privileged_user "${password_value}"
then
csih_error_recoverable "There was a serious problem creating a privileged user."
csih_request "Do you want to proceed anyway?" || exit 1
let ++ret
fi
fi
# Never returns empty if NT or above
run_service_as=$(csih_service_should_run_as)
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
then
password="${csih_PRIVILEGED_PASSWORD}"
if [ -z "${password}" ]
then
csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
password="${csih_value}"
fi
fi
# At this point, we either have $run_service_as = "system" and
# $password is empty, or $run_service_as is some privileged user and
# (hopefully) $password contains the correct password. So, from here
# out, we use '-z "${password}"' to discriminate the two cases.
csih_check_user "${run_service_as}"
if [ -n "${csih_cygenv}" ]
then
cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
fi
if [ -z "${password}" ]
then
if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
-a "-D" -y tcpip "${cygwin_env[@]}"
then
echo
csih_inform "The sshd service has been installed under the LocalSystem"
csih_inform "account (also known as SYSTEM). To start the service now, call"
csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
csih_inform "will start automatically after the next reboot."
fi
else
if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
-a "-D" -y tcpip "${cygwin_env[@]}" \
-u "${run_service_as}" -w "${password}"
then
/usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
echo
csih_inform "The sshd service has been installed under the '${run_service_as}'"
csih_inform "account. To start the service now, call \`net start ${service_name}' or"
csih_inform "\`cygrunsrv -S ${service_name}'. Otherwise, it will start automatically"
csih_inform "after the next reboot."
fi
fi
if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
then
check_service_files_ownership "${run_service_as}" || let ret+=$?
else
csih_error_recoverable "Installing sshd as a service failed!"
let ++ret
fi
fi # user allowed us to install as service
fi # service not yet installed
return $ret
} # --- End of install_service --- #
# ======================================================================
# Main Entry Point
# ======================================================================
# Check how the script has been started. If
# (1) it has been started by giving the full path and
# that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no". This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist. In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
csih_auto_answer="no"
csih_disable_color
opt_force=yes
fi
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
csih_auto_answer="no"
csih_disable_color
opt_force=yes
fi
# ======================================================================
# Parse options
# ======================================================================
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "${option}" in
-d | --debug )
set -x
csih_trace_on
;;
-y | --yes )
csih_auto_answer=yes
opt_force=yes
;;
-n | --no )
csih_auto_answer=no
opt_force=yes
;;
-c | --cygwin )
cygwin_value="$1"
shift
;;
-N | --name )
service_name=$1
shift
;;
-p | --port )
port_number=$1
shift
;;
-u | --user )
user_account="$1"
shift
;;
-w | --pwd )
password_value="$1"
shift
;;
--privileged )
csih_FORCE_PRIVILEGED_USER=yes
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
echo " --name -N <name> sshd windows service name."
echo " --port -p <n> sshd listens on port n."
echo " --user -u <account> privileged user for service, default 'cyg_server'."
echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
echo " --privileged On Windows XP, require privileged user"
echo " instead of LocalSystem for sshd service."
echo
exit 1
;;
esac
done
# ======================================================================
# Action!
# ======================================================================
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
echo
csih_error "There are still ssh processes running. Please shut them down first."
fi
# Make sure the user is running in an administrative context
admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
if [ "${admin}" != "yes" ]
then
echo
csih_warning "Running this script typically requires administrator privileges!"
csih_warning "However, it seems your account does not have these privileges."
csih_warning "Here's the list of groups in your user token:"
echo
/usr/bin/id -Gnz | xargs -0n1 echo " "
echo
csih_warning "This usually means you're running this script from a non-admin"
csih_warning "desktop session, or in a non-elevated shell under UAC control."
echo
csih_warning "Make sure you have the appropriate privileges right now,"
csih_warning "otherwise parts of this script will probably fail!"
echo
echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
if ! csih_request "you have the required privileges)"
then
echo
csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
csih_inform "or to start this script from an elevated shell."
exit 1
fi
fi
echo
warning_cnt=0
# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
echo
csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
"Cannot create ssh host configuration."
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
/usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
let ++warning_cnt
fi
fi
# Create /var/empty file used as chroot jail for privilege separation
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
let ++warning_cnt
fi
# generate missing host keys
csih_inform "Generating missing SSH host keys"
/usr/bin/ssh-keygen -A || let warning_cnt+=$?
# handle ssh_config
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
if [ "${port_number}" != "22" ]
then
csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
fi
fi
# handle sshd_config (and privsep)
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
sshd_config_configured=yes
fi
sshd_strictmodes || let warning_cnt+=$?
sshd_privsep || let warning_cnt+=$?
sshd_config_tweak || let warning_cnt+=$?
update_services_file || let warning_cnt+=$?
update_inetd_conf || let warning_cnt+=$?
install_service || let warning_cnt+=$?
echo
if [ $warning_cnt -eq 0 ]
then
csih_inform "Host configuration finished. Have fun!"
else
csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
csih_warning "Make sure that all problems reported are fixed,"
csih_warning "then re-run ssh-host-config."
fi
exit $warning_cnt

257
crypto/external/bsd/openssh/dist/contrib/cygwin/ssh-user-config vendored Normal file
View File

@@ -0,0 +1,257 @@
#!/bin/bash
#
# ssh-user-config, Copyright 2000-2014 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# ======================================================================
# Initialization
# ======================================================================
PROGNAME=$(basename -- $0)
_tdir=$(dirname -- $0)
PROGDIR=$(cd $_tdir && pwd)
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
source ${CSIH_SCRIPT}
auto_passphrase="no"
passphrase=""
pwdhome=
with_passphrase=
# ======================================================================
# Routine: create_identity
# optionally create identity of type argument in ~/.ssh
# optionally add result to ~/.ssh/authorized_keys
# ======================================================================
create_identity() {
local file="$1"
local type="$2"
local name="$3"
if [ ! -f "${pwdhome}/.ssh/${file}" ]
then
if csih_request "Shall I create a ${name} identity file for you?"
then
csih_inform "Generating ${pwdhome}/.ssh/${file}"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null
else
ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null
fi
if csih_request "Do you want to use this identity to login to this machine?"
then
csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
} # === End of create_ssh1_identity() === #
readonly -f create_identity
# ======================================================================
# Routine: check_user_homedir
# Perform various checks on the user's home directory
# SETS GLOBAL VARIABLE:
# pwdhome
# ======================================================================
check_user_homedir() {
pwdhome=$(getent passwd $UID | awk -F: '{ print $6; }')
if [ "X${pwdhome}" = "X" ]
then
csih_error_multi \
"There is no home directory set for you in the account database." \
'Setting $HOME is not sufficient!'
fi
if [ ! -d "${pwdhome}" ]
then
csih_error_multi \
"${pwdhome} is set in the account database as your home directory" \
'but it is not a valid directory. Cannot create user identity files.'
fi
# If home is the root dir, set home to empty string to avoid error messages
# in subsequent parts of that script.
if [ "X${pwdhome}" = "X/" ]
then
# But first raise a warning!
csih_warning "Your home directory in the account database is set to root (/). This is not recommended!"
if csih_request "Would you like to proceed anyway?"
then
pwdhome=''
else
csih_warning "Exiting. Configuration is not complete"
exit 1
fi
fi
if [ -d "${pwdhome}" -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
then
echo
csih_warning 'group and other have been revoked write permission to your home'
csih_warning "directory ${pwdhome}."
csih_warning 'This is required by OpenSSH to allow public key authentication using'
csih_warning 'the key files stored in your .ssh subdirectory.'
csih_warning 'Revert this change ONLY if you know what you are doing!'
echo
fi
} # === End of check_user_homedir() === #
readonly -f check_user_homedir
# ======================================================================
# Routine: check_user_dot_ssh_dir
# Perform various checks on the ~/.ssh directory
# PREREQUISITE:
# pwdhome -- check_user_homedir()
# ======================================================================
check_user_dot_ssh_dir() {
if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
then
csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
fi
if [ ! -e "${pwdhome}/.ssh" ]
then
mkdir "${pwdhome}/.ssh"
if [ ! -e "${pwdhome}/.ssh" ]
then
csih_error "Creating users ${pwdhome}/.ssh directory failed"
fi
fi
} # === End of check_user_dot_ssh_dir() === #
readonly -f check_user_dot_ssh_dir
# ======================================================================
# Routine: fix_authorized_keys_perms
# Corrects the permissions of ~/.ssh/authorized_keys
# PREREQUISITE:
# pwdhome -- check_user_homedir()
# ======================================================================
fix_authorized_keys_perms() {
if [ -e "${pwdhome}/.ssh/authorized_keys" ]
then
setfacl -b "${pwdhome}/.ssh/authorized_keys" 2>/dev/null || echo -n
if ! chmod u-x,g-wx,o-wx "${pwdhome}/.ssh/authorized_keys"
then
csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
csih_warning "failed. Please care for the correct permissions. The minimum requirement"
csih_warning "is, the owner needs read permissions."
echo
fi
fi
} # === End of fix_authorized_keys_perms() === #
readonly -f fix_authorized_keys_perms
# ======================================================================
# Main Entry Point
# ======================================================================
# Check how the script has been started. If
# (1) it has been started by giving the full path and
# that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
# SSH_USER_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no". This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist. In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
csih_auto_answer="no"
csih_disable_color
fi
if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
then
csih_auto_answer="no"
csih_disable_color
fi
# ======================================================================
# Parse options
# ======================================================================
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
csih_trace_on
;;
-y | --yes )
csih_auto_answer=yes
;;
-n | --no )
csih_auto_answer=no
;;
-p | --passphrase )
with_passphrase="yes"
passphrase=$1
shift
;;
*)
echo "usage: ${PROGNAME} [OPTION]..."
echo
echo "This script creates an OpenSSH user configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --passphrase -p word Use \"word\" as passphrase automatically."
echo
exit 1
;;
esac
done
# ======================================================================
# Action!
# ======================================================================
check_user_homedir
check_user_dot_ssh_dir
create_identity id_rsa rsa "SSH2 RSA"
create_identity id_dsa dsa "SSH2 DSA"
create_identity id_ecdsa ecdsa "SSH2 ECDSA"
create_identity identity rsa1 "(deprecated) SSH1 RSA"
fix_authorized_keys_perms
echo
csih_inform "Configuration finished. Have fun!"

4
crypto/external/bsd/openssh/dist/contrib/cygwin/sshd-inetd vendored Normal file
View File

@@ -0,0 +1,4 @@
# This file can be used to enable sshd as a slave of the inetd service
# To do so, the line below should be uncommented.
@COMMENT@ ssh stream tcp nowait root /usr/sbin/sshd sshd -i

186
crypto/external/bsd/openssh/dist/contrib/findssl.sh vendored Normal file
View File

@@ -0,0 +1,186 @@
#!/bin/sh
#
# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $
#
# findssl.sh
# Search for all instances of OpenSSL headers and libraries
# and print their versions.
# Intended to help diagnose OpenSSH's "OpenSSL headers do not
# match your library" errors.
#
# Written by Darren Tucker (dtucker at zip dot com dot au)
# This file is placed in the public domain.
#
# Release history:
# 2002-07-27: Initial release.
# 2002-08-04: Added public domain notice.
# 2003-06-24: Incorporated readme, set library paths. First cvs version.
# 2004-12-13: Add traps to cleanup temp files, from Amarendra Godbole.
#
# "OpenSSL headers do not match your library" are usually caused by
# OpenSSH's configure picking up an older version of OpenSSL headers
# or libraries. You can use the following # procedure to help identify
# the cause.
#
# The output of configure will tell you the versions of the OpenSSL
# headers and libraries that were picked up, for example:
#
# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
# checking whether OpenSSL's headers match the library... no
# configure: error: Your OpenSSL headers do not match your library
#
# Now run findssl.sh. This should identify the headers and libraries
# present and their versions. You should be able to identify the
# libraries and headers used and adjust your CFLAGS or remove incorrect
# versions. The output will show OpenSSL's internal version identifier
# and should look something like:
# $ ./findssl.sh
# Searching for OpenSSL header files.
# 0x0090604fL /usr/include/openssl/opensslv.h
# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
#
# Searching for OpenSSL shared library files.
# 0x0090602fL /lib/libcrypto.so.0.9.6b
# 0x0090602fL /lib/libcrypto.so.2
# 0x0090581fL /usr/lib/libcrypto.so.0
# 0x0090602fL /usr/lib/libcrypto.so
# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
# 0x0090600fL /usr/lib/libcrypto.so.1
#
# Searching for OpenSSL static library files.
# 0x0090602fL /usr/lib/libcrypto.a
# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
#
# In this example, I gave configure no extra flags, so it's picking up
# the OpenSSL header from /usr/include/openssl (90604f) and the library
# from /usr/lib/ (90602f).
#
# Adjust these to suit your compiler.
# You may also need to set the *LIB*PATH environment variables if
# DEFAULT_LIBPATH is not correct for your system.
#
CC=gcc
STATIC=-static
#
# Cleanup on interrupt
#
trap 'rm -f conftest.c' INT HUP TERM
#
# Set up conftest C source
#
rm -f findssl.log
cat >conftest.c <<EOD
#include <stdio.h>
int main(){printf("0x%08xL\n", SSLeay());}
EOD
#
# Set default library paths if not already set
#
DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
# not all platforms have a 'which' command
if which ls >/dev/null 2>/dev/null; then
: which is defined
else
which () {
saveIFS="$IFS"
IFS=:
for p in $PATH; do
if test -x "$p/$1" -a -f "$p/$1"; then
IFS="$saveIFS"
echo "$p/$1"
return 0
fi
done
IFS="$saveIFS"
return 1
}
fi
#
# Search for OpenSSL headers and print versions
#
echo Searching for OpenSSL header files.
if [ -x "`which locate`" ]
then
headers=`locate opensslv.h`
else
headers=`find / -name opensslv.h -print 2>/dev/null`
fi
for header in $headers
do
ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
echo "$ver $header"
done
echo
#
# Search for shared libraries.
# Relies on shared libraries looking like "libcrypto.s*"
#
echo Searching for OpenSSL shared library files.
if [ -x "`which locate`" ]
then
libraries=`locate libcrypto.s`
else
libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
fi
for lib in $libraries
do
(echo "Trying libcrypto $lib" >>findssl.log
dir=`dirname $lib`
LIBPATH="$dir:$LIBPATH"
LD_LIBRARY_PATH="$dir:$LIBPATH"
LIBRARY_PATH="$dir:$LIBPATH"
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
${CC} -o conftest conftest.c $lib 2>>findssl.log
if [ -x ./conftest ]
then
ver=`./conftest 2>/dev/null`
rm -f ./conftest
echo "$ver $lib"
fi)
done
echo
#
# Search for static OpenSSL libraries and print versions
#
echo Searching for OpenSSL static library files.
if [ -x "`which locate`" ]
then
libraries=`locate libcrypto.a`
else
libraries=`find / -name libcrypto.a -print 2>/dev/null`
fi
for lib in $libraries
do
libdir=`dirname $lib`
echo "Trying libcrypto $lib" >>findssl.log
${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
if [ -x ./conftest ]
then
ver=`./conftest 2>/dev/null`
rm -f ./conftest
echo "$ver $lib"
fi
done
#
# Clean up
#
rm -f conftest.c

171
crypto/external/bsd/openssh/dist/contrib/gnome-ssh-askpass1.c vendored Normal file
View File

@@ -0,0 +1,171 @@
/*
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This is a simple GNOME SSH passphrase grabber. To use it, set the
* environment variable SSH_ASKPASS to point to the location of
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
*
* There is only two run-time options: if you set the environment variable
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
* pointer will be grabbed too. These may have some benefit to security if
* you don't trust your X server. We grab the keyboard always.
*/
/*
* Compile with:
*
* cc `gnome-config --cflags gnome gnomeui` \
* gnome-ssh-askpass1.c -o gnome-ssh-askpass \
* `gnome-config --libs gnome gnomeui`
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <gnome.h>
#include <X11/Xlib.h>
#include <gdk/gdkx.h>
void
report_failed_grab (void)
{
GtkWidget *err;
err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
"A malicious client may be eavesdropping on your session.",
GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
gnome_dialog_run_and_close(GNOME_DIALOG(err));
}
int
passphrase_dialog(char *message)
{
char *passphrase;
char **messages;
int result, i, grab_server, grab_pointer;
GtkWidget *dialog, *entry, *label;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
GNOME_STOCK_BUTTON_CANCEL, NULL);
messages = g_strsplit(message, "\\n", 0);
if (messages)
for(i = 0; messages[i]; i++) {
label = gtk_label_new(messages[i]);
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
label, FALSE, FALSE, 0);
}
entry = gtk_entry_new();
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
FALSE, 0);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry);
/* Center window and prepare for grab */
gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
GNOME_PAD);
gtk_widget_show_all(dialog);
/* Grab focus */
if (grab_server)
XGrabServer(GDK_DISPLAY());
if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
NULL, NULL, GDK_CURRENT_TIME))
goto nograb;
if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
goto nograbkb;
/* Make <enter> close dialog */
gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
/* Run dialog */
result = gnome_dialog_run(GNOME_DIALOG(dialog));
/* Ungrab */
if (grab_server)
XUngrabServer(GDK_DISPLAY());
if (grab_pointer)
gdk_pointer_ungrab(GDK_CURRENT_TIME);
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
gdk_flush();
/* Report passphrase if user selected OK */
passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
if (result == 0)
puts(passphrase);
/* Zero passphrase in memory */
memset(passphrase, '\0', strlen(passphrase));
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
gnome_dialog_close(GNOME_DIALOG(dialog));
return (result == 0 ? 0 : -1);
/* At least one grab failed - ungrab what we got, and report
the failure to the user. Note that XGrabServer() cannot
fail. */
nograbkb:
gdk_pointer_ungrab(GDK_CURRENT_TIME);
nograb:
if (grab_server)
XUngrabServer(GDK_DISPLAY());
gnome_dialog_close(GNOME_DIALOG(dialog));
report_failed_grab();
return (-1);
}
int
main(int argc, char **argv)
{
char *message;
int result;
gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
if (argc == 2)
message = argv[1];
else
message = "Enter your OpenSSH passphrase:";
setvbuf(stdout, 0, _IONBF, 0);
result = passphrase_dialog(message);
return (result);
}

223
crypto/external/bsd/openssh/dist/contrib/gnome-ssh-askpass2.c vendored Normal file
View File

@@ -0,0 +1,223 @@
/*
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
/*
* This is a simple GNOME SSH passphrase grabber. To use it, set the
* environment variable SSH_ASKPASS to point to the location of
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
*
* There is only two run-time options: if you set the environment variable
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
* pointer will be grabbed too. These may have some benefit to security if
* you don't trust your X server. We grab the keyboard always.
*/
#define GRAB_TRIES 16
#define GRAB_WAIT 250 /* milliseconds */
/*
* Compile with:
*
* cc -Wall `pkg-config --cflags gtk+-2.0` \
* gnome-ssh-askpass2.c -o gnome-ssh-askpass \
* `pkg-config --libs gtk+-2.0`
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <X11/Xlib.h>
#include <gtk/gtk.h>
#include <gdk/gdkx.h>
static void
report_failed_grab (const char *what)
{
GtkWidget *err;
err = gtk_message_dialog_new(NULL, 0,
GTK_MESSAGE_ERROR,
GTK_BUTTONS_CLOSE,
"Could not grab %s. "
"A malicious client may be eavesdropping "
"on your session.", what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
TRUE);
gtk_dialog_run(GTK_DIALOG(err));
gtk_widget_destroy(err);
}
static void
ok_dialog(GtkWidget *entry, gpointer dialog)
{
g_return_if_fail(GTK_IS_DIALOG(dialog));
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
}
static int
passphrase_dialog(char *message)
{
const char *failed;
char *passphrase, *local;
int result, grab_tries, grab_server, grab_pointer;
GtkWidget *dialog, *entry;
GdkGrabStatus status;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
grab_tries = 0;
dialog = gtk_message_dialog_new(NULL, 0,
GTK_MESSAGE_QUESTION,
GTK_BUTTONS_OK_CANCEL,
"%s",
message);
entry = gtk_entry_new();
gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
FALSE, 0);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry);
gtk_widget_show(entry);
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
TRUE);
/* Make <enter> close dialog */
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog);
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
/* Grab focus */
gtk_widget_show_now(dialog);
if (grab_pointer) {
for(;;) {
status = gdk_pointer_grab(
(GTK_WIDGET(dialog))->window, TRUE, 0, NULL,
NULL, GDK_CURRENT_TIME);
if (status == GDK_GRAB_SUCCESS)
break;
usleep(GRAB_WAIT * 1000);
if (++grab_tries > GRAB_TRIES) {
failed = "mouse";
goto nograb;
}
}
}
for(;;) {
status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window,
FALSE, GDK_CURRENT_TIME);
if (status == GDK_GRAB_SUCCESS)
break;
usleep(GRAB_WAIT * 1000);
if (++grab_tries > GRAB_TRIES) {
failed = "keyboard";
goto nograbkb;
}
}
if (grab_server) {
gdk_x11_grab_server();
}
result = gtk_dialog_run(GTK_DIALOG(dialog));
/* Ungrab */
if (grab_server)
XUngrabServer(GDK_DISPLAY());
if (grab_pointer)
gdk_pointer_ungrab(GDK_CURRENT_TIME);
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
gdk_flush();
/* Report passphrase if user selected OK */
passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
if (result == GTK_RESPONSE_OK) {
local = g_locale_from_utf8(passphrase, strlen(passphrase),
NULL, NULL, NULL);
if (local != NULL) {
puts(local);
memset(local, '\0', strlen(local));
g_free(local);
} else {
puts(passphrase);
}
}
/* Zero passphrase in memory */
memset(passphrase, '\b', strlen(passphrase));
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
memset(passphrase, '\0', strlen(passphrase));
g_free(passphrase);
gtk_widget_destroy(dialog);
return (result == GTK_RESPONSE_OK ? 0 : -1);
/* At least one grab failed - ungrab what we got, and report
the failure to the user. Note that XGrabServer() cannot
fail. */
nograbkb:
gdk_pointer_ungrab(GDK_CURRENT_TIME);
nograb:
if (grab_server)
XUngrabServer(GDK_DISPLAY());
gtk_widget_destroy(dialog);
report_failed_grab(failed);
return (-1);
}
int
main(int argc, char **argv)
{
char *message;
int result;
gtk_init(&argc, &argv);
if (argc > 1) {
message = g_strjoinv(" ", argv + 1);
} else {
message = g_strdup("Enter your OpenSSH passphrase:");
}
setvbuf(stdout, 0, _IONBF, 0);
result = passphrase_dialog(message);
g_free(message);
return (result);
}

45
crypto/external/bsd/openssh/dist/contrib/hpux/README vendored Normal file
View File

@@ -0,0 +1,45 @@
README for OpenSSH HP-UX contrib files
Kevin Steves <stevesk@pobox.com>
sshd: configuration file for sshd.rc
sshd.rc: SSH startup script
egd: configuration file for egd.rc
egd.rc: EGD (entropy gathering daemon) startup script
To install:
sshd.rc:
o Verify paths in sshd.rc match your local installation
(WHAT_PATH and WHAT_PID)
o Customize sshd if needed (SSHD_ARGS)
o Install:
# cp sshd /etc/rc.config.d
# chmod 444 /etc/rc.config.d/sshd
# cp sshd.rc /sbin/init.d
# chmod 555 /sbin/init.d/sshd.rc
# ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd
# ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd
egd.rc:
o Verify egd.pl path in egd.rc matches your local installation
(WHAT_PATH)
o Customize egd if needed (EGD_ARGS and EGD_LOG)
o Add pseudo account:
# groupadd egd
# useradd -g egd egd
# mkdir -p /etc/opt/egd
# chown egd:egd /etc/opt/egd
# chmod 711 /etc/opt/egd
o Install:
# cp egd /etc/rc.config.d
# chmod 444 /etc/rc.config.d/egd
# cp egd.rc /sbin/init.d
# chmod 555 /sbin/init.d/egd.rc
# ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd
# ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd

15
crypto/external/bsd/openssh/dist/contrib/hpux/egd vendored Normal file
View File

@@ -0,0 +1,15 @@
# EGD_START: Set to 1 to start entropy gathering daemon
# EGD_ARGS: Command line arguments to pass to egd
# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log)
#
# To configure the egd environment:
# groupadd egd
# useradd -g egd egd
# mkdir -p /etc/opt/egd
# chown egd:egd /etc/opt/egd
# chmod 711 /etc/opt/egd
EGD_START=1
EGD_ARGS='/etc/opt/egd/entropy'
EGD_LOG=

98
crypto/external/bsd/openssh/dist/contrib/hpux/egd.rc vendored Executable file
View File

@@ -0,0 +1,98 @@
#!/sbin/sh
#
# egd.rc: EGD start-up and shutdown script
#
# Allowed exit values:
# 0 = success; causes "OK" to show up in checklist.
# 1 = failure; causes "FAIL" to show up in checklist.
# 2 = skip; causes "N/A" to show up in the checklist.
# Use this value if execution of this script is overridden
# by the use of a control variable, or if this script is not
# appropriate to execute for some other reason.
# 3 = reboot; causes the system to be rebooted after execution.
# Input and output:
# stdin is redirected from /dev/null
#
# stdout and stderr are redirected to the /etc/rc.log file
# during checklist mode, or to the console in raw mode.
umask 022
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
WHAT='EGD (entropy gathering daemon)'
WHAT_PATH=/opt/perl/bin/egd.pl
WHAT_CONFIG=/etc/rc.config.d/egd
WHAT_LOG=/etc/opt/egd/egd.log
# NOTE: If your script executes in run state 0 or state 1, then /usr might
# not be available. Do not attempt to access commands or files in
# /usr unless your script executes in run state 2 or greater. Other
# file systems typically not mounted until run state 2 include /var
# and /opt.
rval=0
# Check the exit value of a command run by this script. If non-zero, the
# exit code is echoed to the log file and the return value of this script
# is set to indicate failure.
set_return() {
x=$?
if [ $x -ne 0 ]; then
echo "EXIT CODE: $x"
rval=1 # script FAILed
fi
}
case $1 in
'start_msg')
echo "Starting $WHAT"
;;
'stop_msg')
echo "Stopping $WHAT"
;;
'start')
if [ -f $WHAT_CONFIG ] ; then
. $WHAT_CONFIG
else
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
fi
if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then
EGD_LOG=${EGD_LOG:-$WHAT_LOG}
su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" &&
echo $WHAT started
set_return
else
rval=2
fi
;;
'stop')
pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'`
if [ "X$pid" != "X" ]; then
if kill "$pid"; then
echo "$WHAT stopped"
else
rval=1
echo "Unable to stop $WHAT"
fi
fi
set_return
;;
*)
echo "usage: $0 {start|stop|start_msg|stop_msg}"
rval=1
;;
esac
exit $rval

5
crypto/external/bsd/openssh/dist/contrib/hpux/sshd vendored Normal file
View File

@@ -0,0 +1,5 @@
# SSHD_START: Set to 1 to start SSH daemon
# SSHD_ARGS: Command line arguments to pass to sshd
#
SSHD_START=1
SSHD_ARGS=

90
crypto/external/bsd/openssh/dist/contrib/hpux/sshd.rc vendored Executable file
View File

@@ -0,0 +1,90 @@
#!/sbin/sh
#
# sshd.rc: SSH daemon start-up and shutdown script
#
# Allowed exit values:
# 0 = success; causes "OK" to show up in checklist.
# 1 = failure; causes "FAIL" to show up in checklist.
# 2 = skip; causes "N/A" to show up in the checklist.
# Use this value if execution of this script is overridden
# by the use of a control variable, or if this script is not
# appropriate to execute for some other reason.
# 3 = reboot; causes the system to be rebooted after execution.
# Input and output:
# stdin is redirected from /dev/null
#
# stdout and stderr are redirected to the /etc/rc.log file
# during checklist mode, or to the console in raw mode.
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
WHAT='OpenSSH'
WHAT_PATH=/opt/openssh/sbin/sshd
WHAT_PID=/var/run/sshd.pid
WHAT_CONFIG=/etc/rc.config.d/sshd
# NOTE: If your script executes in run state 0 or state 1, then /usr might
# not be available. Do not attempt to access commands or files in
# /usr unless your script executes in run state 2 or greater. Other
# file systems typically not mounted until run state 2 include /var
# and /opt.
rval=0
# Check the exit value of a command run by this script. If non-zero, the
# exit code is echoed to the log file and the return value of this script
# is set to indicate failure.
set_return() {
x=$?
if [ $x -ne 0 ]; then
echo "EXIT CODE: $x"
rval=1 # script FAILed
fi
}
case $1 in
'start_msg')
echo "Starting $WHAT"
;;
'stop_msg')
echo "Stopping $WHAT"
;;
'start')
if [ -f $WHAT_CONFIG ] ; then
. $WHAT_CONFIG
else
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
fi
if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then
$WHAT_PATH $SSHD_ARGS && echo "$WHAT started"
set_return
else
rval=2
fi
;;
'stop')
if kill `cat $WHAT_PID`; then
echo "$WHAT stopped"
else
rval=1
echo "Unable to stop $WHAT"
fi
set_return
;;
*)
echo "usage: $0 {start|stop|start_msg|stop_msg}"
rval=1
;;
esac
exit $rval

1
crypto/external/bsd/openssh/dist/contrib/redhat/gnome-ssh-askpass.csh vendored Normal file
View File

@@ -0,0 +1 @@
setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass

2
crypto/external/bsd/openssh/dist/contrib/redhat/gnome-ssh-askpass.sh vendored Normal file
View File

@@ -0,0 +1,2 @@
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
export SSH_ASKPASS

811
crypto/external/bsd/openssh/dist/contrib/redhat/openssh.spec vendored Normal file
View File

@@ -0,0 +1,811 @@
%define ver 7.1p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74
%define sshd_gid 74
# Version of ssh-askpass
%define aversion 1.2.4.1
# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0
# Do we want to link against a static libcrypto? (1=yes 0=no)
%define static_libcrypto 0
# Do we want smartcard support (1=yes 0=no)
%define scard 0
# Use GTK2 instead of GNOME in gnome-ssh-askpass
%define gtk2 1
# Is this build for RHL 6.x?
%define build6x 0
# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%{?skip_gnome_askpass:%define no_gnome_askpass 1}
# Add option to build without GTK2 for older platforms with only GTK+.
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%define gtk2 0}
# Is this a build for RHL 6.x or earlier?
%{?build_6x:%define build6x 1}
# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%define _sysconfdir /etc
%endif
# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%define static_libcrypto 1}
# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%define scard 1}
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
%{?build_rescue:%define rescue 1}
# Turn off some stuff for resuce builds
%if %{rescue}
%define kerberos5 0
%endif
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
%if ! %{no_x11_askpass}
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
%endif
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{build6x}
PreReq: initscripts >= 5.00
%else
Requires: initscripts >= 5.20
%endif
BuildRequires: perl, openssl-devel
BuildRequires: /bin/login
%if ! %{build6x}
BuildPreReq: glibc-devel, pam
%else
BuildRequires: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
BuildRequires: /usr/include/X11/Xlib.h
%endif
%if ! %{no_gnome_askpass}
BuildRequires: pkgconfig
%endif
%if %{kerberos5}
BuildRequires: krb5-devel
BuildRequires: krb5-libs
%endif
%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients
%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif
%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras
%package askpass-gnome
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras
%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to separate libraries.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
%description clients
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
You'll also need to install the openssh package on OpenSSH clients.
%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. You also need to have the openssh
package installed.
%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH.
%description askpass-gnome
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
environment.
%prep
%if ! %{no_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif
%build
%if %{rescue}
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif
%if %{kerberos5}
K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
echo K5DIR=$K5DIR
%endif
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-rsh=%{_bindir}/rsh \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
--with-md5-passwords \
%if %{scard}
--with-smartcard \
%endif
%if %{rescue}
--without-pam \
%else
--with-pam \
%endif
%if %{kerberos5}
--with-kerberos5=$K5DIR \
%endif
%if %{static_libcrypto}
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
%endif
make
%if ! %{no_x11_askpass}
pushd x11-ssh-askpass-%{aversion}
%configure --libexecdir=%{_libexecdir}/openssh
xmkmf -a
make
popd
%endif
# Define a variable to toggle gnome1/gtk2 building. This is necessary
# because RPM doesn't handle nested %if statements.
%if %{gtk2}
gtk2=yes
%else
gtk2=no
%endif
%if ! %{no_gnome_askpass}
pushd contrib
if [ $gtk2 = yes ] ; then
make gnome-ssh-askpass2
mv gnome-ssh-askpass2 gnome-ssh-askpass
else
make gnome-ssh-askpass1
mv gnome-ssh-askpass1 gnome-ssh-askpass
fi
popd
%endif
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
make install DESTDIR=$RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
%if %{build6x}
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
%else
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
%endif
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
%if ! %{no_x11_askpass}
install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
%endif
%if ! %{no_gnome_askpass}
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif
%if ! %{scard}
rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
%endif
%if ! %{no_gnome_askpass}
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endif
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
%clean
rm -rf $RPM_BUILD_ROOT
%triggerun server -- ssh-server
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
touch /var/run/sshd.restart
fi
%triggerun server -- openssh-server < 2.5.0p1
# Count the number of HostKey and HostDsaKey statements we have.
gawk 'BEGIN {IGNORECASE=1}
/^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
END {exit sawhostkey}' /etc/ssh/sshd_config
# And if we only found one, we know the client was relying on the old default
# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
# one nullifies the default, which would have loaded both.
if [ $? -eq 1 ] ; then
echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
fi
%triggerpostun server -- ssh-server
if [ "$1" != 0 ] ; then
/sbin/chkconfig --add sshd
if test -f /var/run/sshd.restart ; then
rm -f /var/run/sshd.restart
/sbin/service sshd start > /dev/null 2>&1 || :
fi
fi
%pre server
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
-g sshd -M -r sshd 2>/dev/null || :
%post server
/sbin/chkconfig --add sshd
%postun server
/sbin/service sshd condrestart > /dev/null 2>&1 || :
%preun server
if [ "$1" = 0 ]
then
/sbin/service sshd stop > /dev/null 2>&1 || :
/sbin/chkconfig --del sshd
fi
%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
%endif
%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(-,root,root) %{_bindir}/slogin
%attr(-,root,root) %{_mandir}/man1/slogin.1*
%if ! %{rescue}
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%endif
%if ! %{rescue}
%files server
%defattr(-,root,root)
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
%endif
%if ! %{no_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
%endif
%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%endif
%changelog
* Wed Jul 14 2010 Tim Rice <tim@multitalents.net>
- test for skip_x11_askpass (line 77) should have been for no_x11_askpass
* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
- Remove noip6 option. This may be controlled at run-time in client config
file using new AddressFamily directive
* Mon May 12 2003 Damien Miller <djm@mindrot.org>
- Don't install profile.d scripts when not building with GNOME/GTK askpass
(patch from bet@rahul.net)
* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
- Use contrib/ Makefile for building askpass programs
* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
- Add new {ssh,sshd}_config.5 manpages
- Add new ssh-keysign program and remove setuid from ssh client
* Fri May 10 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from RedHat, reorgansie a little
- Add Privsep user, group and directory
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
- bump and grind (through the build system)
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
- require sharutils for building (mindrot #137)
- require db1-devel only when building for 6.x (#55105), which probably won't
work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
- require pam-devel by file (not by package name) again
- add Markus's patch to compile with OpenSSL 0.9.5a (from
http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
building for 6.x
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
- update to 3.1p1
* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
- update to SNAP-20020305
- drop debug patch, fixed upstream
* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
- update to SNAP-20020220 for testing purposes (you've been warned, if there's
anything to be warned about, gss patches won't apply, I don't mind)
* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
exchange, authentication, and named key support
* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
- remove dependency on db1-devel, which has just been swallowed up whole
by gnome-libs-devel
* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
- adjust build dependencies so that build6x actually works right (fix
from Hugo van der Kooij)
* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
- update to 3.0.2p1
* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
- update to 3.0.1p1
* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to current CVS (not for use in distribution)
* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
3.0p1 spec file and init script
* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.0p1
- update to x11-ssh-askpass 1.2.4.1
- change build dependency on a file from pam-devel to the pam-devel package
- replace primes with moduli
* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
- Merge changes to rescue build from current sysadmin survival cd
* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
- fix scp's server's reporting of file sizes, and build with the proper
preprocessor define to get large-file capable open(), stat(), etc.
(sftp has been doing this correctly all along) (#51827)
- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
- mark profile.d scriptlets as config files (#42337)
- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
- change a couple of log() statements to debug() statements (#50751)
- pull cvs patch to add -t flag to sshd (#28611)
- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
- pull cvs patch to fix remote port forwarding with protocol 2
* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
- pull cvs patch to add session initialization to no-pty sessions
- pull cvs patch to not cut off challengeresponse auth needlessly
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
it by default on a system that doesn't have X installed (#49263)
* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
- pass OPTIONS correctly to initlog (#50151)
* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- switch to x11-ssh-askpass 1.2.2
* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- disable the gssapi patch
* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.9p2
- refresh to a new version of the gssapi patch
* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
- change Copyright: BSD to License: BSD
- add Markus Friedl's unverified patch for the cookie file deletion problem
so that we can verify it
- drop patch to check if xauth is present (was folded into cookie patch)
- don't apply gssapi patches for the errata candidate
- clear supplemental groups list at startup
* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- fix an error parsing the new default sshd_config
- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
dealing with comments right
* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
to be removed before the next beta cycle because it's a big departure
from the upstream version
* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
- finish marking strings in the init script for translation
- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
at startup (change merged from openssh.com init script, originally by
Pekka Savola)
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
it by default on a system that doesn't have X installed
* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.9
- drop various patches that came from or went upstream or to or from CVS
* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
- remove explicit openssl requirement, fixes builddistro issue
- make initscript stop() function wait until sshd really dead to avoid
races in condrestart
* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- mention that challengereponse supports PAM, so disabling password doesn't
limit users to pubkey and rsa auth (#34378)
- bypass the daemon() function in the init script and call initlog directly,
because daemon() won't start a daemon it detects is already running (like
open connections)
- require the version of openssl we had when we were built
* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- make do_pam_setcred() smart enough to know when to establish creds and
when to reinitialize them
- add in a couple of other fixes from Damien for inclusion in the errata
* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.5.2p2
- call setcred() again after initgroups, because the "creds" could actually
be group memberships
* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
- don't enable challenge-response by default until we find a way to not
have too many userauth requests (we may make up to six pubkey and up to
three password attempts as it is)
- remove build dependency on rsh to match openssh.com's packages more closely
* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
- remove dependency on openssl -- would need to be too precise
* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- Revert the patch to move pam_open_session.
- Init script and spec file changes from Pekka Savola. (#28750)
- Patch sftp to recognize '-o protocol' arguments. (#29540)
* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- Chuck the closing patch.
- Add a trigger to add host keys for protocol 2 to the config file, now that
configuration file syntax requires us to specify it with HostKey if we
specify any other HostKey values, which we do.
* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- Redo patch to move pam_open_session after the server setuid()s to the user.
- Rework the nopam patch to use be picked up by autoconf.
* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- Update for 2.5.1p1.
- Add init script mods from Pekka Savola.
- Tweak the init script to match the CVS contrib script more closely.
- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
adding id_rsa.
* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
- Update for 2.5.0p1.
- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
- Resync with parts of Damien Miller's openssh.spec from CVS, including
update of x11 askpass to 1.2.0.
- Only require openssl (don't prereq) because we generate keys in the init
script now.
* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't open a PAM session until we've forked and become the user (#25690).
- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
host the user is attempting a login from.
- Resync with parts of Damien Miller's openssh.spec from CVS.
- Don't expose KbdInt responses in debug messages (from CVS).
- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
- i18n-tweak to initscript.
* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- More gettextizing.
- Close all files after going into daemon mode (needs more testing).
- Extract patch from CVS to handle auth banners (in the client).
- Extract patch from CVS to handle compat weirdness.
* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- Finish with the gettextizing.
* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- Fix a bug in auth2-pam.c (#23877)
- Gettextize the init script.
* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- Incorporate a switch for using PAM configs for 6.x, just in case.
* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Incorporate Bero's changes for a build specifically for rescue CDs.
* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
succeeded, to allow public-key authentication after a failure with "none"
authentication. (#21268)
* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to x11-askpass 1.1.1. (#21301)
- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- Merge multiple PAM text messages into subsequent prompts when possible when
doing keyboard-interactive authentication.
* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
- Disable the built-in MD5 password support. We're using PAM.
- Take a crack at doing keyboard-interactive authentication with PAM, and
enable use of it in the default client configuration so that the client
will try it when the server disallows password authentication.
- Build with debugging flags. Build root policies strip all binaries anyway.
* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
- Use DESTDIR instead of %%makeinstall.
- Remove /usr/X11R6/bin from the path-fixing patch.
* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add the primes file from the latest snapshot to the main package (#20884).
- Add the dev package to the prereq list (#19984).
- Remove the default path and mimic login's behavior in the server itself.
* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- Resync with conditional options in Damien Miller's .spec file for an errata.
- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to OpenSSH 2.3.0p1.
- Update to x11-askpass 1.1.0.
- Enable keyboard-interactive authentication.
* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to ssh-askpass-x11 1.0.3.
- Change authentication related messages to be private (#19966).
* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
- Patch ssh-keygen to be able to list signatures for DSA public key files
it generates.
* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always
build PAM authentication in.
- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
- Clean out no-longer-used patches.
- Patch ssh-add to try to add both identity and id_dsa, and to error only
when neither exists.
* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update x11-askpass to 1.0.2. (#17835)
- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will
always find them in the right place. (#17909)
- Set the default path to be the same as the one supplied by /bin/login, but
add /usr/X11R6/bin. (#17909)
- Try to handle obsoletion of ssh-server more cleanly. Package names
are different, but init script name isn't. (#17865)
* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.2.0p1. (#17835)
- Tweak the init script to allow proper restarting. (#18023)
* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 20000823 snapshot.
- Change subpackage requirements from %%{version} to %%{version}-%%{release}
- Back out the pipe patch.
* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.1.1p4, which includes fixes for config file parsing problems.
- Move the init script back.
- Add Damien's quick fix for wackiness.
* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
- Move condrestart to server postun.
- Move key generation to init script.
- Actually use the right patch for moving the key generation to the init script.
- Clean up the init script a bit.
* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.1.1p2.
- Use of strtok() considered harmful.
* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
- Get the build root out of the man pages.
* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add and use condrestart support in the init script.
- Add newer initscripts as a prereq.
* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- Build in new environment (release 2)
- Move -clients subpackage to Applications/Internet group
* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.2.1p1
* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
- Patch to build with neither RSA nor RSAref.
- Miscellaneous FHS-compliance tweaks.
- Fix for possibly-compressed man pages.
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
- Updated for new location
- Updated for new gnome-ssh-askpass build
* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
- Added Jim Knoble's <jmknoble@pobox.com> askpass
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
- Added 'Obsoletes' directives
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
- Use make install
- Subpackages
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
- Added links for slogin
- Fixed perms on manpages
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
- Renamed init script
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
- Back to old binary names
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
- Use autoconf
- New binary names
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.

106
crypto/external/bsd/openssh/dist/contrib/redhat/sshd.init vendored Executable file
View File

@@ -0,0 +1,106 @@
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
SSHD=/usr/sbin/sshd
PID_FILE=/var/run/sshd.pid
do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
failure $"Configuration file or keys are invalid"
echo
fi
}
start()
{
# Create keys if necessary
/usr/bin/ssh-keygen -A
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh/ssh_host_key.pub
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
fi
echo -n $"Starting $prog:"
$SSHD $OPTIONS && success || failure
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
echo
}
stop()
{
echo -n $"Stopping $prog:"
killproc $SSHD -TERM
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
echo
}
reload()
{
echo -n $"Reloading $prog:"
killproc $SSHD -HUP
RETVAL=$?
echo
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
if [ $RETVAL -eq 0 ] ; then
stop
# avoid race
sleep 3
start
fi
fi
;;
status)
status $SSHD
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL

172
crypto/external/bsd/openssh/dist/contrib/redhat/sshd.init.old vendored Executable file
View File

@@ -0,0 +1,172 @@
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
my_success() {
local msg
if [ $# -gt 1 ]; then
msg="$2"
else
msg="done"
fi
case "`type -type success`" in
function)
success "$1"
;;
*)
echo -n "${msg}"
;;
esac
}
my_failure() {
local msg
if [ $# -gt 1 ]; then
msg="$2"
else
msg="FAILED"
fi
case "`type -type failure`" in
function)
failure "$1"
;;
*)
echo -n "${msg}"
;;
esac
}
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n "Generating SSH1 RSA host key: "
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
my_success "RSA1 key generation"
echo
else
my_failure "RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n "Generating SSH2 RSA host key: "
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
my_success "RSA key generation"
echo
else
my_failure "RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n "Generating SSH2 DSA host key: "
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
my_success "DSA key generation"
echo
else
my_failure "DSA key generation"
echo
exit 1
fi
fi
}
do_restart_sanity_check() {
$SSHD -t
RETVAL=$?
if [ ! "$RETVAL" = 0 ]; then
my_failure "Configuration file or keys"
echo
fi
}
case "$1" in
start)
# Create keys if necessary
do_rsa1_keygen;
do_rsa_keygen;
do_dsa_keygen;
echo -n "Starting sshd: "
if [ ! -f $PID_FILE ] ; then
sshd $OPTIONS
RETVAL=$?
if [ "$RETVAL" = "0" ] ; then
my_success "sshd startup" "sshd"
touch /var/lock/subsys/sshd
else
my_failure "sshd startup" ""
fi
fi
echo
;;
stop)
echo -n "Shutting down sshd: "
if [ -f $PID_FILE ] ; then
killproc sshd
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
fi
echo
;;
restart)
do_restart_sanity_check
$0 stop
$0 start
RETVAL=$?
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
$0 stop
$0 start
RETVAL=$?
fi
;;
status)
status sshd
RETVAL=$?
;;
*)
echo "Usage: sshd {start|stop|restart|status|condrestart}"
exit 1
;;
esac
exit $RETVAL

6
crypto/external/bsd/openssh/dist/contrib/redhat/sshd.pam vendored Normal file
View File

@@ -0,0 +1,6 @@
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

8
crypto/external/bsd/openssh/dist/contrib/redhat/sshd.pam.old vendored Normal file
View File

@@ -0,0 +1,8 @@
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so

30
crypto/external/bsd/openssh/dist/contrib/solaris/README vendored Normal file
View File

@@ -0,0 +1,30 @@
The following is a new package build script for Solaris. This is being
introduced into OpenSSH 3.0 and above in hopes of simplifying the build
process. As of 3.1p2 the script should work on all platforms that have
SVR4 style package tools.
The build process is called a 'dummy install'.. Which means the software does
a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should
be handled correctly and key are defered until the first time the sshd
is started.
Directions:
1. make -F Makefile.in distprep (Only if you are getting from the CVS tree)
2. ./configure --with-pam [..any other options you want..]
3. look at the top of buildpkg.sh for the configurable options and put
any changes you want in openssh-config.local. Additional customizations
can be done to the build process by creating one or more of the following
scripts that will be sourced by buildpkg.sh.
pkg_post_make_install_fixes.sh pkg-post-prototype-edit.sh
pkg-preinstall.local pkg-postinstall.local pkg-preremove.local
pkg-postremove.local pkg-request.local
4. Run "make package"
If all goes well you should have a solaris package ready to be installed.
If you have any problems with this script please post them to
openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
- Ben Lindstrom

300
crypto/external/bsd/openssh/dist/contrib/ssh-copy-id vendored Normal file
View File

@@ -0,0 +1,300 @@
#!/bin/sh
# Copyright (c) 1999-2013 Philip Hands <phil@hands.com>
# 2013 Martin Kletzander <mkletzan@redhat.com>
# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
# 2010 Eric Moret <eric.moret@gmail.com>
# 2009 Xr <xr@i-jeuxvideo.com>
# 2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
# 2004 Reini Urban <rurban@x-ray.at>
# 2003 Colin Watson <cjwatson@debian.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Shell script to install your public key(s) on a remote machine
# See the ssh-copy-id(1) man page for details
# check that we have something mildly sane as our shell, or try to find something better
if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
then
SANE_SH=${SANE_SH:-/usr/bin/ksh}
if printf 'true ^ false\n' | "$SANE_SH"
then
printf "'%s' seems viable.\n" "$SANE_SH"
exec "$SANE_SH" "$0" "$@"
else
cat <<-EOF
oh dear.
If you have a more recent shell available, that supports \$(...) etc.
please try setting the environment variable SANE_SH to the path of that
shell, and then retry running this script. If that works, please report
a bug describing your setup, and the shell you used to make it work.
EOF
printf "%s: ERROR: Less dimwitted shell required.\n" "$0"
exit 1
fi
fi
DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
usage () {
printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
exit 1
}
# escape any single quotes in an argument
quote() {
printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g"
}
use_id_file() {
local L_ID_FILE="$1"
if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
PUB_ID_FILE="$L_ID_FILE"
else
PUB_ID_FILE="$L_ID_FILE.pub"
fi
PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
# check that the files are readable
for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
ErrMSG=$( { : < $f ; } 2>&1 ) || {
printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')"
exit 1
}
done
GET_ID="cat \"$PUB_ID_FILE\""
}
if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
GET_ID="ssh-add -L"
fi
while test "$#" -gt 0
do
[ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0"
usage
}
OPT= OPTARG=
# implement something like getopt to avoid Solaris pain
case "$1" in
-i?*|-o?*|-p?*)
OPT="$(printf -- "$1"|cut -c1-2)"
OPTARG="$(printf -- "$1"|cut -c3-)"
shift
;;
-o|-p)
OPT="$1"
OPTARG="$2"
shift 2
;;
-i)
OPT="$1"
test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || {
OPTARG="$2"
shift
}
shift
;;
-n|-h|-\?)
OPT="$1"
OPTARG=
shift
;;
--)
shift
while test "$#" -gt 0
do
SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
shift
done
break
;;
-*)
printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1"
usage
;;
*)
SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
shift
continue
;;
esac
case "$OPT" in
-i)
SEEN_OPT_I="yes"
use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
;;
-o|-p)
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
;;
-n)
DRY_RUN=1
;;
-h|-\?)
usage
;;
esac
done
eval set -- "$SAVEARGS"
if [ $# = 0 ] ; then
usage
fi
if [ $# != 1 ] ; then
printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
usage
fi
# drop trailing colon
USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
# tack the hostname onto SSH_OPTS
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
# and populate "$@" for later use (only way to get proper quoting of options)
eval set -- "$SSH_OPTS"
if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
use_id_file "$PUB_ID_FILE"
fi
if [ -z "$(eval $GET_ID)" ] ; then
printf '%s: ERROR: No identities found\n' "$0" >&2
exit 1
fi
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
# and has the side effect of setting $NEW_IDS
populate_new_ids() {
local L_SUCCESS="$1"
# repopulate "$@" inside this function
eval set -- "$SSH_OPTS"
umask 0177
local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
echo "mktemp failed" 1>&2
exit 1
fi
trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
NEW_IDS=$(
eval $GET_ID | {
while read ID ; do
printf '%s\n' "$ID" > $L_TMP_ID_FILE
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
# assumption will break if we implement the possibility of multiple -i options.
# The point being that if file based, ssh needs the private key, which it cannot
# find if only given the contents of the .pub file in an unrelated tmpfile
ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
-o PreferredAuthentications=publickey \
-o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
if [ "$?" = "$L_SUCCESS" ] ; then
: > $L_TMP_ID_FILE
else
grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || {
sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE
cat >/dev/null #consume the other keys, causing loop to end
}
fi
cat $L_TMP_ID_FILE
done
}
)
rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
exit 1
fi
if [ -z "$NEW_IDS" ] ; then
printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2
exit 0
fi
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
}
REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
sed -ne 's/.*remote software version //p')
case "$REMOTE_VERSION" in
NetScreen*)
populate_new_ids 1
for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
KEY_NO=$(($KEY_NO + 1))
printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || {
printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
continue
}
[ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1
if [ $? = 255 ] ; then
printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
else
ADDED=$(($ADDED + 1))
fi
done
if [ -z "$ADDED" ] ; then
exit 1
fi
;;
*)
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
populate_new_ids 0
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
umask 077 ;
mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;
esac
if [ "$DRY_RUN" ] ; then
cat <<-EOF
=-=-=-=-=-=-=-=
Would have added the following key(s):
$NEW_IDS
=-=-=-=-=-=-=-=
EOF
else
cat <<-EOF
Number of key(s) added: $ADDED
Now try logging into the machine, with: "ssh $SSH_OPTS"
and check to make sure that only the key(s) you wanted were added.
EOF
fi
# =-=-=-=

186
crypto/external/bsd/openssh/dist/contrib/ssh-copy-id.1 vendored Normal file
View File

@@ -0,0 +1,186 @@
.ig \" -*- nroff -*-
Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
..
.Dd $Mdocdate: June 17 2010 $
.Dt SSH-COPY-ID 1
.Os
.Sh NAME
.Nm ssh-copy-id
.Nd use locally available keys to authorise logins on a remote machine
.Sh SYNOPSIS
.Nm
.Op Fl n
.Op Fl i Op Ar identity_file
.Op Fl p Ar port
.Op Fl o Ar ssh_option
.Op Ar user Ns @ Ns
.Ar hostname
.Nm
.Fl h | Fl ?
.br
.Sh DESCRIPTION
.Nm
is a script that uses
.Xr ssh 1
to log into a remote machine (presumably using a login password,
so password authentication should be enabled, unless you've done some
clever use of multiple identities). It assembles a list of one or more
fingerprints (as described below) and tries to log in with each key, to
see if any of them are already installed (of course, if you are not using
.Xr ssh-agent 1
this may result in you being repeatedly prompted for pass-phrases).
It then assembles a list of those that failed to log in, and using ssh,
enables logins with those keys on the remote server. By default it adds
the keys by appending them to the remote user's
.Pa ~/.ssh/authorized_keys
(creating the file, and directory, if necessary). It is also capable
of detecting if the remote system is a NetScreen, and using its
.Ql set ssh pka-dsa key ...
command instead.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl i Ar identity_file
Use only the key(s) contained in
.Ar identity_file
(rather than looking for identities via
.Xr ssh-add 1
or in the
.Ic default_ID_file ) .
If the filename does not end in
.Pa .pub
this is added. If the filename is omitted, the
.Ic default_ID_file
is used.
.Pp
Note that this can be used to ensure that the keys copied have the
comment one prefers and/or extra options applied, by ensuring that the
key file has these set as preferred before the copy is attempted.
.It Fl n
do a dry-run. Instead of installing keys on the remote system simply
prints the key(s) that would have been installed.
.It Fl h , Fl ?
Print Usage summary
.It Fl p Ar port , Fl o Ar ssh_option
These two options are simply passed through untouched, along with their
argument, to allow one to set the port or other
.Xr ssh 1
options, respectively.
.Pp
Rather than specifying these as command line options, it is often better to use (per-host) settings in
.Xr ssh 1 Ns 's
configuration file:
.Xr ssh_config 5 .
.El
.Pp
Default behaviour without
.Fl i ,
is to check if
.Ql ssh-add -L
provides any output, and if so those keys are used. Note that this results in
the comment on the key being the filename that was given to
.Xr ssh-add 1
when the key was loaded into your
.Xr ssh-agent 1
rather than the comment contained in that file, which is a bit of a shame.
Otherwise, if
.Xr ssh-add 1
provides no keys contents of the
.Ic default_ID_file
will be used.
.Pp
The
.Ic default_ID_file
is the most recent file that matches:
.Pa ~/.ssh/id*.pub ,
(excluding those that match
.Pa ~/.ssh/*-cert.pub )
so if you create a key that is not the one you want
.Nm
to use, just use
.Xr touch 1
on your preferred key's
.Pa .pub
file to reinstate it as the most recent.
.Pp
.Sh EXAMPLES
If you have already installed keys from one system on a lot of remote
hosts, and you then create a new key, on a new client machine, say,
it can be difficult to keep track of which systems on which you've
installed the new key. One way of dealing with this is to load both
the new key and old key(s) into your
.Xr ssh-agent 1 .
Load the new key first, without the
.Fl c
option, then load one or more old keys into the agent, possibly by
ssh-ing to the client machine that has that old key, using the
.Fl A
option to allow agent forwarding:
.Pp
.D1 user@newclient$ ssh-add
.D1 user@newclient$ ssh -A old.client
.D1 user@oldl$ ssh-add -c
.D1 No ... prompt for pass-phrase ...
.D1 user@old$ logoff
.D1 user@newclient$ ssh someserver
.Pp
now, if the new key is installed on the server, you'll be allowed in
unprompted, whereas if you only have the old key(s) enabled, you'll be
asked for confirmation, which is your cue to log back out and run
.Pp
.D1 user@newclient$ ssh-copy-id -i someserver
.Pp
The reason you might want to specify the -i option in this case is to
ensure that the comment on the installed key is the one from the
.Pa .pub
file, rather than just the filename that was loaded into you agent.
It also ensures that only the id you intended is installed, rather than
all the keys that you have in your
.Xr ssh-agent 1 .
Of course, you can specify another id, or use the contents of the
.Xr ssh-agent 1
as you prefer.
.Pp
Having mentioned
.Xr ssh-add 1 Ns 's
.Fl c
option, you might consider using this whenever using agent forwarding
to avoid your key being hijacked, but it is much better to instead use
.Xr ssh 1 Ns 's
.Ar ProxyCommand
and
.Fl W
option,
to bounce through remote servers while always doing direct end-to-end
authentication. This way the middle hop(s) don't get access to your
.Xr ssh-agent 1 .
A web search for
.Ql ssh proxycommand nc
should prove enlightening (N.B. the modern approach is to use the
.Fl W
option, rather than
.Xr nc 1 ) .
.Sh "SEE ALSO"
.Xr ssh 1 ,
.Xr ssh-agent 1 ,
.Xr sshd 8

5
crypto/external/bsd/openssh/dist/contrib/sshd.pam.freebsd vendored Normal file
View File

@@ -0,0 +1,5 @@
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
sshd password required pam_permit.so
sshd session required pam_permit.so

8
crypto/external/bsd/openssh/dist/contrib/sshd.pam.generic vendored Normal file
View File

@@ -0,0 +1,8 @@
#%PAM-1.0
auth required /lib/security/pam_unix.so shadow nodelay
account required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix.so shadow nullok use_authtok
session required /lib/security/pam_unix.so
session required /lib/security/pam_limits.so

243
crypto/external/bsd/openssh/dist/contrib/suse/openssh.spec vendored Normal file
View File

@@ -0,0 +1,243 @@
# Default values for additional components
%define build_x11_askpass 1
# Define the UID/GID to use for privilege separation
%define sshd_gid 65
%define sshd_uid 71
# The version of x11-ssh-askpass to use
%define xversion 1.2.4.1
# Allow the ability to override defaults with -D skip_xxx=1
%{?skip_x11_askpass:%define build_x11_askpass 0}
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 7.1p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
Source1: x11-ssh-askpass-%{xversion}.tar.gz
License: BSD
Group: Productivity/Networking/SSH
BuildRoot: %{_tmppath}/openssh-%{version}-buildroot
PreReq: openssl
Obsoletes: ssh
Provides: ssh
#
# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
# building prerequisites -- stuff for
# OpenSSL (openssl-devel),
# and Gnome (glibdev, gtkdev, and gnlibsd)
#
BuildPrereq: openssl
BuildPrereq: zlib-devel
#BuildPrereq: glibdev
#BuildPrereq: gtkdev
#BuildPrereq: gnlibsd
%package askpass
Summary: A passphrase dialog for OpenSSH and the X window System.
Group: Productivity/Networking/SSH
Requires: openssh = %{version}
Obsoletes: ssh-extras
Provides: openssh:${_libdir}/ssh/ssh-askpass
%if %{build_x11_askpass}
BuildPrereq: XFree86-devel
%endif
%description
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to seperate libraries (OpenSSL).
This package includes all files necessary for both the OpenSSH
client and server.
%description askpass
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to seperate libraries (OpenSSL).
This package contains an X Window System passphrase dialog for OpenSSH.
%changelog
* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
- Removed accidental inclusion of --without-zlib-version-check
* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
- Overhaul to deal with newer versions of SuSE and OpenSSH
* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
- Glob manpages to catch compressed files
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
- Updated for new location
- Updated for new gnome-ssh-askpass build
* Sun Dec 26 1999 Chris Saia <csaia@wtower.com>
- Made symlink to gnome-ssh-askpass called ssh-askpass
* Wed Nov 24 1999 Chris Saia <csaia@wtower.com>
- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
/var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
his released tarfile
- Changed permissions on ssh_config in the install procedure to 644 from 600
even though it was correct in the %files section and thus right in the RPMs
- Postinstall script for the server now only prints "Generating SSH host
key..." if we need to actually do this, in order to eliminate a confusing
message if an SSH host key is already in place
- Marked all manual pages as %doc(umentation)
* Mon Nov 22 1999 Chris Saia <csaia@wtower.com>
- Added flag to configure daemon with TCP Wrappers support
- Added building prerequisites (works in RPM 3.0 and newer)
* Thu Nov 18 1999 Chris Saia <csaia@wtower.com>
- Made this package correct for SuSE.
- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
with SuSE, and lib_pwdb.so isn't installed by default.
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
- Added 'Obsoletes' directives
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
- Use make install
- Subpackages
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
- Added links for slogin
- Fixed perms on manpages
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
- Renamed init script
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
- Back to old binary names
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
- Use autoconf
- New binary names
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
%prep
%if %{build_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif
%build
CFLAGS="$RPM_OPT_FLAGS" \
%configure --prefix=/usr \
--sysconfdir=%{_sysconfdir}/ssh \
--mandir=%{_mandir} \
--with-privsep-path=/var/lib/empty \
--with-pam \
--libexecdir=%{_libdir}/ssh
make
%if %{build_x11_askpass}
cd x11-ssh-askpass-%{xversion}
%configure --mandir=/usr/X11R6/man \
--libexecdir=%{_libdir}/ssh
xmkmf -a
make
cd ..
%endif
%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT/
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/init.d/
install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
install -m744 contrib/suse/sysconfig.ssh \
$RPM_BUILD_ROOT/var/adm/fillup-templates
%if %{build_x11_askpass}
cd x11-ssh-askpass-%{xversion}
make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
%endif
%clean
rm -rf $RPM_BUILD_ROOT
%pre
/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
%post
/usr/bin/ssh-keygen -A
%{fillup_and_insserv -n -y ssh sshd}
%run_permissions
%verifyscript
%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
%preun
%stop_on_removal sshd
%postun
%restart_on_update sshd
%{insserv_cleanup}
%files
%defattr(-,root,root)
%doc ChangeLog OVERVIEW README* PROTOCOL*
%doc TODO CREDITS LICENCE
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/init.d/sshd
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0755,root,root) %{_bindir}/scp
%attr(0755,root,root) %{_bindir}/ssh
%attr(-,root,root) %{_bindir}/slogin
%attr(0755,root,root) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %dir %{_libdir}/ssh
%attr(0755,root,root) %{_libdir}/ssh/sftp-server
%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
%attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper
%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %doc %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %doc %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
%if %{build_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{xversion}/README
%doc x11-ssh-askpass-%{xversion}/ChangeLog
%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
%endif

5
crypto/external/bsd/openssh/dist/contrib/suse/rc.config.sshd vendored Normal file
View File

@@ -0,0 +1,5 @@
#
# Start the Secure Shell (SSH) Daemon?
#
START_SSHD="yes"

121
crypto/external/bsd/openssh/dist/contrib/suse/rc.sshd vendored Normal file
View File

@@ -0,0 +1,121 @@
#! /bin/sh
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
#
# Author: Jiri Smid <feedback@suse.de>
#
# /etc/init.d/sshd
#
# and symbolic its link
#
# /usr/sbin/rcsshd
#
### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Start the sshd daemon
### END INIT INFO
SSHD_BIN=/usr/sbin/sshd
test -x $SSHD_BIN || exit 5
SSHD_SYSCONFIG=/etc/sysconfig/ssh
test -r $SSHD_SYSCONFIG || exit 6
. $SSHD_SYSCONFIG
SSHD_PIDFILE=/var/run/sshd.init.pid
. /etc/rc.status
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
# First reset status of this service
rc_reset
case "$1" in
start)
# Generate any missing host keys
ssh-keygen -A
echo -n "Starting SSH daemon"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down SSH daemon"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
# Remember status and be verbose
rc_status -v
;;
try-restart)
## Stop the service and if this succeeds (i.e. the
## service was running before), start it again.
$0 status >/dev/null && $0 restart
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload|reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
echo -n "Reload service sshd"
killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
rc_status -v
;;
status)
echo -n "Checking for service sshd "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Status has a slightly different for the status command:
# 0 - service running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running
checkproc -p $SSHD_PIDFILE $SSHD_BIN
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload,
## give out the argument which is required for a reload.
test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit

9
crypto/external/bsd/openssh/dist/contrib/suse/sysconfig.ssh vendored Normal file
View File

@@ -0,0 +1,9 @@
## Path: Network/Remote access/SSH
## Description: SSH server settings
## Type: string
## Default: ""
## ServiceRestart: sshd
#
# Options for sshd
#
SSHD_OPTS=""

853
crypto/external/bsd/openssh/dist/defines.h vendored Normal file
View File

@@ -0,0 +1,853 @@
/*
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _DEFINES_H
#define _DEFINES_H
/* $Id: defines.h,v 1.183 2014/09/02 19:33:26 djm Exp $ */
/* Constants */
#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
enum
{
SHUT_RD = 0, /* No more receptions. */
SHUT_WR, /* No more transmissions. */
SHUT_RDWR /* No more receptions or transmissions. */
};
# define SHUT_RD SHUT_RD
# define SHUT_WR SHUT_WR
# define SHUT_RDWR SHUT_RDWR
#endif
/*
* Definitions for IP type of service (ip_tos)
*/
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#ifndef IPTOS_LOWDELAY
# define IPTOS_LOWDELAY 0x10
# define IPTOS_THROUGHPUT 0x08
# define IPTOS_RELIABILITY 0x04
# define IPTOS_LOWCOST 0x02
# define IPTOS_MINCOST IPTOS_LOWCOST
#endif /* IPTOS_LOWDELAY */
/*
* Definitions for DiffServ Codepoints as per RFC2474
*/
#ifndef IPTOS_DSCP_AF11
# define IPTOS_DSCP_AF11 0x28
# define IPTOS_DSCP_AF12 0x30
# define IPTOS_DSCP_AF13 0x38
# define IPTOS_DSCP_AF21 0x48
# define IPTOS_DSCP_AF22 0x50
# define IPTOS_DSCP_AF23 0x58
# define IPTOS_DSCP_AF31 0x68
# define IPTOS_DSCP_AF32 0x70
# define IPTOS_DSCP_AF33 0x78
# define IPTOS_DSCP_AF41 0x88
# define IPTOS_DSCP_AF42 0x90
# define IPTOS_DSCP_AF43 0x98
# define IPTOS_DSCP_EF 0xb8
#endif /* IPTOS_DSCP_AF11 */
#ifndef IPTOS_DSCP_CS0
# define IPTOS_DSCP_CS0 0x00
# define IPTOS_DSCP_CS1 0x20
# define IPTOS_DSCP_CS2 0x40
# define IPTOS_DSCP_CS3 0x60
# define IPTOS_DSCP_CS4 0x80
# define IPTOS_DSCP_CS5 0xa0
# define IPTOS_DSCP_CS6 0xc0
# define IPTOS_DSCP_CS7 0xe0
#endif /* IPTOS_DSCP_CS0 */
#ifndef IPTOS_DSCP_EF
# define IPTOS_DSCP_EF 0xb8
#endif /* IPTOS_DSCP_EF */
#ifndef PATH_MAX
# ifdef _POSIX_PATH_MAX
# define PATH_MAX _POSIX_PATH_MAX
# endif
#endif
#ifndef MAXPATHLEN
# ifdef PATH_MAX
# define MAXPATHLEN PATH_MAX
# else /* PATH_MAX */
# define MAXPATHLEN 64
/* realpath uses a fixed buffer of size MAXPATHLEN, so force use of ours */
# ifndef BROKEN_REALPATH
# define BROKEN_REALPATH 1
# endif /* BROKEN_REALPATH */
# endif /* PATH_MAX */
#endif /* MAXPATHLEN */
#ifndef HOST_NAME_MAX
# include "netdb.h" /* for MAXHOSTNAMELEN */
# if defined(_POSIX_HOST_NAME_MAX)
# define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
# elif defined(MAXHOSTNAMELEN)
# define HOST_NAME_MAX MAXHOSTNAMELEN
# else
# define HOST_NAME_MAX 255
# endif
#endif /* HOST_NAME_MAX */
#if defined(HAVE_DECL_MAXSYMLINKS) && HAVE_DECL_MAXSYMLINKS == 0
# define MAXSYMLINKS 5
#endif
#ifndef STDIN_FILENO
# define STDIN_FILENO 0
#endif
#ifndef STDOUT_FILENO
# define STDOUT_FILENO 1
#endif
#ifndef STDERR_FILENO
# define STDERR_FILENO 2
#endif
#ifndef NGROUPS_MAX /* Disable groupaccess if NGROUP_MAX is not set */
#ifdef NGROUPS
#define NGROUPS_MAX NGROUPS
#else
#define NGROUPS_MAX 0
#endif
#endif
#if defined(HAVE_DECL_O_NONBLOCK) && HAVE_DECL_O_NONBLOCK == 0
# define O_NONBLOCK 00004 /* Non Blocking Open */
#endif
#ifndef S_IFSOCK
# define S_IFSOCK 0
#endif /* S_IFSOCK */
#ifndef S_ISDIR
# define S_ISDIR(mode) (((mode) & (_S_IFMT)) == (_S_IFDIR))
#endif /* S_ISDIR */
#ifndef S_ISREG
# define S_ISREG(mode) (((mode) & (_S_IFMT)) == (_S_IFREG))
#endif /* S_ISREG */
#ifndef S_ISLNK
# define S_ISLNK(mode) (((mode) & S_IFMT) == S_IFLNK)
#endif /* S_ISLNK */
#ifndef S_IXUSR
# define S_IXUSR 0000100 /* execute/search permission, */
# define S_IXGRP 0000010 /* execute/search permission, */
# define S_IXOTH 0000001 /* execute/search permission, */
# define _S_IWUSR 0000200 /* write permission, */
# define S_IWUSR _S_IWUSR /* write permission, owner */
# define S_IWGRP 0000020 /* write permission, group */
# define S_IWOTH 0000002 /* write permission, other */
# define S_IRUSR 0000400 /* read permission, owner */
# define S_IRGRP 0000040 /* read permission, group */
# define S_IROTH 0000004 /* read permission, other */
# define S_IRWXU 0000700 /* read, write, execute */
# define S_IRWXG 0000070 /* read, write, execute */
# define S_IRWXO 0000007 /* read, write, execute */
#endif /* S_IXUSR */
#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
#define MAP_ANON MAP_ANONYMOUS
#endif
#ifndef MAP_FAILED
# define MAP_FAILED ((void *)-1)
#endif
/*
SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but
including rpc/rpc.h breaks Solaris 6
*/
#ifndef INADDR_LOOPBACK
#define INADDR_LOOPBACK ((u_long)0x7f000001)
#endif
/* Types */
/* If sys/types.h does not supply intXX_t, supply them ourselves */
/* (or die trying) */
#ifndef HAVE_U_INT
typedef unsigned int u_int;
#endif
#ifndef HAVE_INTXX_T
typedef signed char int8_t;
# if (SIZEOF_SHORT_INT == 2)
typedef short int int16_t;
# else
# ifdef _UNICOS
# if (SIZEOF_SHORT_INT == 4)
typedef short int16_t;
# else
typedef long int16_t;
# endif
# else
# error "16 bit int type not found."
# endif /* _UNICOS */
# endif
# if (SIZEOF_INT == 4)
typedef int int32_t;
# else
# ifdef _UNICOS
typedef long int32_t;
# else
# error "32 bit int type not found."
# endif /* _UNICOS */
# endif
#endif
/* If sys/types.h does not supply u_intXX_t, supply them ourselves */
#ifndef HAVE_U_INTXX_T
# ifdef HAVE_UINTXX_T
typedef uint8_t u_int8_t;
typedef uint16_t u_int16_t;
typedef uint32_t u_int32_t;
# define HAVE_U_INTXX_T 1
# else
typedef unsigned char u_int8_t;
# if (SIZEOF_SHORT_INT == 2)
typedef unsigned short int u_int16_t;
# else
# ifdef _UNICOS
# if (SIZEOF_SHORT_INT == 4)
typedef unsigned short u_int16_t;
# else
typedef unsigned long u_int16_t;
# endif
# else
# error "16 bit int type not found."
# endif
# endif
# if (SIZEOF_INT == 4)
typedef unsigned int u_int32_t;
# else
# ifdef _UNICOS
typedef unsigned long u_int32_t;
# else
# error "32 bit int type not found."
# endif
# endif
# endif
#define __BIT_TYPES_DEFINED__
#endif
/* 64-bit types */
#ifndef HAVE_INT64_T
# if (SIZEOF_LONG_INT == 8)
typedef long int int64_t;
# else
# if (SIZEOF_LONG_LONG_INT == 8)
typedef long long int int64_t;
# endif
# endif
#endif
#ifndef HAVE_U_INT64_T
# if (SIZEOF_LONG_INT == 8)
typedef unsigned long int u_int64_t;
# else
# if (SIZEOF_LONG_LONG_INT == 8)
typedef unsigned long long int u_int64_t;
# endif
# endif
#endif
#ifndef HAVE_UINTXX_T
typedef u_int8_t uint8_t;
typedef u_int16_t uint16_t;
typedef u_int32_t uint32_t;
typedef u_int64_t uint64_t;
#endif
#ifndef HAVE_INTMAX_T
typedef long long intmax_t;
#endif
#ifndef HAVE_UINTMAX_T
typedef unsigned long long uintmax_t;
#endif
#ifndef HAVE_U_CHAR
typedef unsigned char u_char;
# define HAVE_U_CHAR
#endif /* HAVE_U_CHAR */
#ifndef ULLONG_MAX
# define ULLONG_MAX ((unsigned long long)-1)
#endif
#ifndef SIZE_T_MAX
#define SIZE_T_MAX ULONG_MAX
#endif /* SIZE_T_MAX */
#ifndef HAVE_SIZE_T
typedef unsigned int size_t;
# define HAVE_SIZE_T
# define SIZE_T_MAX UINT_MAX
#endif /* HAVE_SIZE_T */
#ifndef SIZE_MAX
#define SIZE_MAX SIZE_T_MAX
#endif
#ifndef HAVE_SSIZE_T
typedef int ssize_t;
# define HAVE_SSIZE_T
#endif /* HAVE_SSIZE_T */
#ifndef HAVE_CLOCK_T
typedef long clock_t;
# define HAVE_CLOCK_T
#endif /* HAVE_CLOCK_T */
#ifndef HAVE_SA_FAMILY_T
typedef int sa_family_t;
# define HAVE_SA_FAMILY_T
#endif /* HAVE_SA_FAMILY_T */
#ifndef HAVE_PID_T
typedef int pid_t;
# define HAVE_PID_T
#endif /* HAVE_PID_T */
#ifndef HAVE_SIG_ATOMIC_T
typedef int sig_atomic_t;
# define HAVE_SIG_ATOMIC_T
#endif /* HAVE_SIG_ATOMIC_T */
#ifndef HAVE_MODE_T
typedef int mode_t;
# define HAVE_MODE_T
#endif /* HAVE_MODE_T */
#if !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE___SS_FAMILY_IN_SS)
# define ss_family __ss_family
#endif /* !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE_SA_FAMILY_IN_SS) */
#ifndef HAVE_SYS_UN_H
struct sockaddr_un {
short sun_family; /* AF_UNIX */
char sun_path[108]; /* path name (gag) */
};
#endif /* HAVE_SYS_UN_H */
#ifndef HAVE_IN_ADDR_T
typedef u_int32_t in_addr_t;
#endif
#ifndef HAVE_IN_PORT_T
typedef u_int16_t in_port_t;
#endif
#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
#define _STRUCT_WINSIZE
struct winsize {
unsigned short ws_row; /* rows, in characters */
unsigned short ws_col; /* columns, in character */
unsigned short ws_xpixel; /* horizontal size, pixels */
unsigned short ws_ypixel; /* vertical size, pixels */
};
#endif
/* bits needed for select that may not be in the system headers */
#ifndef HAVE_FD_MASK
typedef unsigned long int fd_mask;
#endif
#if defined(HAVE_DECL_NFDBITS) && HAVE_DECL_NFDBITS == 0
# define NFDBITS (8 * sizeof(unsigned long))
#endif
#if defined(HAVE_DECL_HOWMANY) && HAVE_DECL_HOWMANY == 0
# define howmany(x,y) (((x)+((y)-1))/(y))
#endif
/* Paths */
#ifndef _PATH_BSHELL
# define _PATH_BSHELL "/bin/sh"
#endif
#ifdef USER_PATH
# ifdef _PATH_STDPATH
# undef _PATH_STDPATH
# endif
# define _PATH_STDPATH USER_PATH
#endif
#ifndef _PATH_STDPATH
# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
#endif
#ifndef SUPERUSER_PATH
# define SUPERUSER_PATH _PATH_STDPATH
#endif
#ifndef _PATH_DEVNULL
# define _PATH_DEVNULL "/dev/null"
#endif
/* user may have set a different path */
#if defined(_PATH_MAILDIR) && defined(MAIL_DIRECTORY)
# undef _PATH_MAILDIR
#endif /* defined(_PATH_MAILDIR) && defined(MAIL_DIRECTORY) */
#ifdef MAIL_DIRECTORY
# define _PATH_MAILDIR MAIL_DIRECTORY
#endif
#ifndef _PATH_NOLOGIN
# define _PATH_NOLOGIN "/etc/nologin"
#endif
/* Define this to be the path of the xauth program. */
#ifdef XAUTH_PATH
#define _PATH_XAUTH XAUTH_PATH
#endif /* XAUTH_PATH */
/* derived from XF4/xc/lib/dps/Xlibnet.h */
#ifndef X_UNIX_PATH
# ifdef __hpux
# define X_UNIX_PATH "/var/spool/sockets/X11/%u"
# else
# define X_UNIX_PATH "/tmp/.X11-unix/X%u"
# endif
#endif /* X_UNIX_PATH */
#define _PATH_UNIX_X X_UNIX_PATH
#ifndef _PATH_TTY
# define _PATH_TTY "/dev/tty"
#endif
/* Macros */
#if defined(HAVE_LOGIN_GETCAPBOOL) && defined(HAVE_LOGIN_CAP_H)
# define HAVE_LOGIN_CAP
#endif
#ifndef MAX
# define MAX(a,b) (((a)>(b))?(a):(b))
# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
#ifndef roundup
# define roundup(x, y) ((((x)+((y)-1))/(y))*(y))
#endif
#ifndef timersub
#define timersub(a, b, result) \
do { \
(result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \
(result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \
if ((result)->tv_usec < 0) { \
--(result)->tv_sec; \
(result)->tv_usec += 1000000; \
} \
} while (0)
#endif
#ifndef TIMEVAL_TO_TIMESPEC
#define TIMEVAL_TO_TIMESPEC(tv, ts) { \
(ts)->tv_sec = (tv)->tv_sec; \
(ts)->tv_nsec = (tv)->tv_usec * 1000; \
}
#endif
#ifndef TIMESPEC_TO_TIMEVAL
#define TIMESPEC_TO_TIMEVAL(tv, ts) { \
(tv)->tv_sec = (ts)->tv_sec; \
(tv)->tv_usec = (ts)->tv_nsec / 1000; \
}
#endif
#ifndef __P
# define __P(x) x
#endif
#if !defined(IN6_IS_ADDR_V4MAPPED)
# define IN6_IS_ADDR_V4MAPPED(a) \
((((u_int32_t *) (a))[0] == 0) && (((u_int32_t *) (a))[1] == 0) && \
(((u_int32_t *) (a))[2] == htonl (0xffff)))
#endif /* !defined(IN6_IS_ADDR_V4MAPPED) */
#if !defined(__GNUC__) || (__GNUC__ < 2)
# define __attribute__(x)
#endif /* !defined(__GNUC__) || (__GNUC__ < 2) */
#if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__)
# define __sentinel__
#endif
#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
# define __bounded__(x, y, z)
#endif
#if !defined(HAVE_ATTRIBUTE__NONNULL__) && !defined(__nonnull__)
# define __nonnull__(x)
#endif
#ifndef OSSH_ALIGNBYTES
#define OSSH_ALIGNBYTES (sizeof(int) - 1)
#endif
#ifndef __CMSG_ALIGN
#define __CMSG_ALIGN(p) (((u_int)(p) + OSSH_ALIGNBYTES) &~ OSSH_ALIGNBYTES)
#endif
/* Length of the contents of a control message of length len */
#ifndef CMSG_LEN
#define CMSG_LEN(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + (len))
#endif
/* Length of the space taken up by a padded control message of length len */
#ifndef CMSG_SPACE
#define CMSG_SPACE(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + __CMSG_ALIGN(len))
#endif
/* given pointer to struct cmsghdr, return pointer to data */
#ifndef CMSG_DATA
#define CMSG_DATA(cmsg) ((u_char *)(cmsg) + __CMSG_ALIGN(sizeof(struct cmsghdr)))
#endif /* CMSG_DATA */
/*
* RFC 2292 requires to check msg_controllen, in case that the kernel returns
* an empty list for some reasons.
*/
#ifndef CMSG_FIRSTHDR
#define CMSG_FIRSTHDR(mhdr) \
((mhdr)->msg_controllen >= sizeof(struct cmsghdr) ? \
(struct cmsghdr *)(mhdr)->msg_control : \
(struct cmsghdr *)NULL)
#endif /* CMSG_FIRSTHDR */
#if defined(HAVE_DECL_OFFSETOF) && HAVE_DECL_OFFSETOF == 0
# define offsetof(type, member) ((size_t) &((type *)0)->member)
#endif
/* Set up BSD-style BYTE_ORDER definition if it isn't there already */
/* XXX: doesn't try to cope with strange byte orders (PDP_ENDIAN) */
#ifndef BYTE_ORDER
# ifndef LITTLE_ENDIAN
# define LITTLE_ENDIAN 1234
# endif /* LITTLE_ENDIAN */
# ifndef BIG_ENDIAN
# define BIG_ENDIAN 4321
# endif /* BIG_ENDIAN */
# ifdef WORDS_BIGENDIAN
# define BYTE_ORDER BIG_ENDIAN
# else /* WORDS_BIGENDIAN */
# define BYTE_ORDER LITTLE_ENDIAN
# endif /* WORDS_BIGENDIAN */
#endif /* BYTE_ORDER */
/* Function replacement / compatibility hacks */
#if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO))
# define HAVE_GETADDRINFO
#endif
#ifndef HAVE_GETOPT_OPTRESET
# undef getopt
# undef opterr
# undef optind
# undef optopt
# undef optreset
# undef optarg
# define getopt(ac, av, o) BSDgetopt(ac, av, o)
# define opterr BSDopterr
# define optind BSDoptind
# define optopt BSDoptopt
# define optreset BSDoptreset
# define optarg BSDoptarg
#endif
#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO)
# undef HAVE_GETADDRINFO
#endif
#if defined(BROKEN_GETADDRINFO) && defined(HAVE_FREEADDRINFO)
# undef HAVE_FREEADDRINFO
#endif
#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GAI_STRERROR)
# undef HAVE_GAI_STRERROR
#endif
#if defined(HAVE_GETADDRINFO)
# if defined(HAVE_DECL_AI_NUMERICSERV) && HAVE_DECL_AI_NUMERICSERV == 0
# define AI_NUMERICSERV 0
# endif
#endif
#if defined(BROKEN_UPDWTMPX) && defined(HAVE_UPDWTMPX)
# undef HAVE_UPDWTMPX
#endif
#if defined(BROKEN_SHADOW_EXPIRE) && defined(HAS_SHADOW_EXPIRE)
# undef HAS_SHADOW_EXPIRE
#endif
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) && \
defined(SYSLOG_R_SAFE_IN_SIGHAND)
# define DO_LOG_SAFE_IN_SIGHAND
#endif
#if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY)
# define memmove(s1, s2, n) bcopy((s2), (s1), (n))
#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
#ifndef GETPGRP_VOID
# include <unistd.h>
# define getpgrp() getpgrp(0)
#endif
#ifdef USE_BSM_AUDIT
# define SSH_AUDIT_EVENTS
# define CUSTOM_SSH_AUDIT_EVENTS
#endif
#ifdef USE_LINUX_AUDIT
# define SSH_AUDIT_EVENTS
# define CUSTOM_SSH_AUDIT_EVENTS
#endif
#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
# define __func__ __FUNCTION__
#elif !defined(HAVE___func__)
# define __func__ ""
#endif
#if defined(KRB5) && !defined(HEIMDAL)
# define krb5_get_err_text(context,code) error_message(code)
#endif
#if defined(SKEYCHALLENGE_4ARG)
# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
#else
# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
#endif
/* Maximum number of file descriptors available */
#ifdef HAVE_SYSCONF
# define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)
#else
# define SSH_SYSFDMAX 10000
#endif
#ifdef FSID_HAS_VAL
/* encode f_fsid into a 64 bit value */
#define FSID_TO_ULONG(f) \
((((u_int64_t)(f).val[0] & 0xffffffffUL) << 32) | \
((f).val[1] & 0xffffffffUL))
#elif defined(FSID_HAS___VAL)
#define FSID_TO_ULONG(f) \
((((u_int64_t)(f).__val[0] & 0xffffffffUL) << 32) | \
((f).__val[1] & 0xffffffffUL))
#else
# define FSID_TO_ULONG(f) ((f))
#endif
#if defined(__Lynx__)
/*
* LynxOS defines these in param.h which we do not want to include since
* it will also pull in a bunch of kernel definitions.
*/
# define ALIGNBYTES (sizeof(int) - 1)
# define ALIGN(p) (((unsigned)p + ALIGNBYTES) & ~ALIGNBYTES)
/* Missing prototypes on LynxOS */
int snprintf (char *, size_t, const char *, ...);
int mkstemp (char *);
char *crypt (const char *, const char *);
int seteuid (uid_t);
int setegid (gid_t);
char *mkdtemp (char *);
int rresvport_af (int *, sa_family_t);
int innetgr (const char *, const char *, const char *, const char *);
#endif
/*
* Define this to use pipes instead of socketpairs for communicating with the
* client program. Socketpairs do not seem to work on all systems.
*
* configure.ac sets this for a few OS's which are known to have problems
* but you may need to set it yourself
*/
/* #define USE_PIPES 1 */
/**
** login recorder definitions
**/
/* FIXME: put default paths back in */
#ifndef UTMP_FILE
# ifdef _PATH_UTMP
# define UTMP_FILE _PATH_UTMP
# else
# ifdef CONF_UTMP_FILE
# define UTMP_FILE CONF_UTMP_FILE
# endif
# endif
#endif
#ifndef WTMP_FILE
# ifdef _PATH_WTMP
# define WTMP_FILE _PATH_WTMP
# else
# ifdef CONF_WTMP_FILE
# define WTMP_FILE CONF_WTMP_FILE
# endif
# endif
#endif
/* pick up the user's location for lastlog if given */
#ifndef LASTLOG_FILE
# ifdef _PATH_LASTLOG
# define LASTLOG_FILE _PATH_LASTLOG
# else
# ifdef CONF_LASTLOG_FILE
# define LASTLOG_FILE CONF_LASTLOG_FILE
# endif
# endif
#endif
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
# define USE_SHADOW
#endif
/* The login() library function in libutil is first choice */
#if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN)
# define USE_LOGIN
#else
/* Simply select your favourite login types. */
/* Can't do if-else because some systems use several... <sigh> */
# if !defined(DISABLE_UTMPX)
# define USE_UTMPX
# endif
# if defined(UTMP_FILE) && !defined(DISABLE_UTMP)
# define USE_UTMP
# endif
# if defined(WTMPX_FILE) && !defined(DISABLE_WTMPX)
# define USE_WTMPX
# endif
# if defined(WTMP_FILE) && !defined(DISABLE_WTMP)
# define USE_WTMP
# endif
#endif
#ifndef UT_LINESIZE
# define UT_LINESIZE 8
#endif
/* I hope that the presence of LASTLOG_FILE is enough to detect this */
#if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG)
# define USE_LASTLOG
#endif
#ifdef HAVE_OSF_SIA
# ifdef USE_SHADOW
# undef USE_SHADOW
# endif
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
#if defined(HAVE_LIBIAF) && defined(HAVE_SET_ID) && !defined(HAVE_SECUREWARE)
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
#if defined(HAVE_LIBIAF) && defined(HAVE_SET_ID) && !defined(BROKEN_LIBIAF)
# define USE_LIBIAF
#endif
/* HP-UX 11.11 */
#ifdef BTMP_FILE
# define _PATH_BTMP BTMP_FILE
#endif
#if defined(USE_BTMP) && defined(_PATH_BTMP)
# define CUSTOM_FAILED_LOGIN
#endif
/** end of login recorder definitions */
#ifdef BROKEN_GETGROUPS
# define getgroups(a,b) ((a)==0 && (b)==NULL ? NGROUPS_MAX : getgroups((a),(b)))
#endif
#if defined(HAVE_MMAP) && defined(BROKEN_MMAP)
# undef HAVE_MMAP
#endif
#ifndef IOV_MAX
# if defined(_XOPEN_IOV_MAX)
# define IOV_MAX _XOPEN_IOV_MAX
# elif defined(DEF_IOV_MAX)
# define IOV_MAX DEF_IOV_MAX
# else
# define IOV_MAX 16
# endif
#endif
#ifndef EWOULDBLOCK
# define EWOULDBLOCK EAGAIN
#endif
#ifndef INET6_ADDRSTRLEN /* for non IPv6 machines */
#define INET6_ADDRSTRLEN 46
#endif
#ifndef SSH_IOBUFSZ
# define SSH_IOBUFSZ 8192
#endif
/*
* Platforms that have arc4random_uniform() and not arc4random_stir()
* shouldn't need the latter.
*/
#if defined(HAVE_ARC4RANDOM) && defined(HAVE_ARC4RANDOM_UNIFORM) && \
!defined(HAVE_ARC4RANDOM_STIR)
# define arc4random_stir()
#endif
#ifndef HAVE_VA_COPY
# ifdef HAVE___VA_COPY
# define va_copy(dest, src) __va_copy(dest, src)
# else
# define va_copy(dest, src) (dest) = (src)
# endif
#endif
#ifndef __predict_true
# if defined(__GNUC__) && \
((__GNUC__ > (2)) || (__GNUC__ == (2) && __GNUC_MINOR__ >= (96)))
# define __predict_true(exp) __builtin_expect(((exp) != 0), 1)
# define __predict_false(exp) __builtin_expect(((exp) != 0), 0)
# else
# define __predict_true(exp) ((exp) != 0)
# define __predict_false(exp) ((exp) != 0)
# endif /* gcc version */
#endif /* __predict_true */
#endif /* _DEFINES_H */

244
crypto/external/bsd/openssh/dist/entropy.c vendored Normal file
View File

@@ -0,0 +1,244 @@
/*
* Copyright (c) 2001 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <sys/socket.h>
#ifdef HAVE_SYS_UN_H
# include <sys/un.h>
#endif
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <stddef.h> /* for offsetof */
#include <openssl/rand.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include "openbsd-compat/openssl-compat.h"
#include "ssh.h"
#include "misc.h"
#include "xmalloc.h"
#include "atomicio.h"
#include "pathnames.h"
#include "log.h"
#include "buffer.h"
/*
* Portable OpenSSH PRNG seeding:
* If OpenSSL has not "internally seeded" itself (e.g. pulled data from
* /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
* PRNGd.
*/
#ifndef OPENSSL_PRNG_ONLY
#define RANDOM_SEED_SIZE 48
/*
* Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon
* listening either on 'tcp_port', or via Unix domain socket at *
* 'socket_path'.
* Either a non-zero tcp_port or a non-null socket_path must be
* supplied.
* Returns 0 on success, -1 on error
*/
int
get_random_bytes_prngd(unsigned char *buf, int len,
unsigned short tcp_port, char *socket_path)
{
int fd, addr_len, rval, errors;
u_char msg[2];
struct sockaddr_storage addr;
struct sockaddr_in *addr_in = (struct sockaddr_in *)&addr;
struct sockaddr_un *addr_un = (struct sockaddr_un *)&addr;
mysig_t old_sigpipe;
/* Sanity checks */
if (socket_path == NULL && tcp_port == 0)
fatal("You must specify a port or a socket");
if (socket_path != NULL &&
strlen(socket_path) >= sizeof(addr_un->sun_path))
fatal("Random pool path is too long");
if (len <= 0 || len > 255)
fatal("Too many bytes (%d) to read from PRNGD", len);
memset(&addr, '\0', sizeof(addr));
if (tcp_port != 0) {
addr_in->sin_family = AF_INET;
addr_in->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
addr_in->sin_port = htons(tcp_port);
addr_len = sizeof(*addr_in);
} else {
addr_un->sun_family = AF_UNIX;
strlcpy(addr_un->sun_path, socket_path,
sizeof(addr_un->sun_path));
addr_len = offsetof(struct sockaddr_un, sun_path) +
strlen(socket_path) + 1;
}
old_sigpipe = mysignal(SIGPIPE, SIG_IGN);
errors = 0;
rval = -1;
reopen:
fd = socket(addr.ss_family, SOCK_STREAM, 0);
if (fd == -1) {
error("Couldn't create socket: %s", strerror(errno));
goto done;
}
if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) {
if (tcp_port != 0) {
error("Couldn't connect to PRNGD port %d: %s",
tcp_port, strerror(errno));
} else {
error("Couldn't connect to PRNGD socket \"%s\": %s",
addr_un->sun_path, strerror(errno));
}
goto done;
}
/* Send blocking read request to PRNGD */
msg[0] = 0x02;
msg[1] = len;
if (atomicio(vwrite, fd, msg, sizeof(msg)) != sizeof(msg)) {
if (errno == EPIPE && errors < 10) {
close(fd);
errors++;
goto reopen;
}
error("Couldn't write to PRNGD socket: %s",
strerror(errno));
goto done;
}
if (atomicio(read, fd, buf, len) != (size_t)len) {
if (errno == EPIPE && errors < 10) {
close(fd);
errors++;
goto reopen;
}
error("Couldn't read from PRNGD socket: %s",
strerror(errno));
goto done;
}
rval = 0;
done:
mysignal(SIGPIPE, old_sigpipe);
if (fd != -1)
close(fd);
return rval;
}
static int
seed_from_prngd(unsigned char *buf, size_t bytes)
{
#ifdef PRNGD_PORT
debug("trying egd/prngd port %d", PRNGD_PORT);
if (get_random_bytes_prngd(buf, bytes, PRNGD_PORT, NULL) == 0)
return 0;
#endif
#ifdef PRNGD_SOCKET
debug("trying egd/prngd socket %s", PRNGD_SOCKET);
if (get_random_bytes_prngd(buf, bytes, 0, PRNGD_SOCKET) == 0)
return 0;
#endif
return -1;
}
void
rexec_send_rng_seed(Buffer *m)
{
u_char buf[RANDOM_SEED_SIZE];
if (RAND_bytes(buf, sizeof(buf)) <= 0) {
error("Couldn't obtain random bytes (error %ld)",
ERR_get_error());
buffer_put_string(m, "", 0);
} else
buffer_put_string(m, buf, sizeof(buf));
}
void
rexec_recv_rng_seed(Buffer *m)
{
u_char *buf;
u_int len;
buf = buffer_get_string_ret(m, &len);
if (buf != NULL) {
debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len);
RAND_add(buf, len, len);
}
}
#endif /* OPENSSL_PRNG_ONLY */
void
seed_rng(void)
{
#ifndef OPENSSL_PRNG_ONLY
unsigned char buf[RANDOM_SEED_SIZE];
#endif
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding");
return;
}
if (seed_from_prngd(buf, sizeof(buf)) == -1)
fatal("Could not obtain seed from PRNGd");
RAND_add(buf, sizeof(buf), sizeof(buf));
memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
#else /* WITH_OPENSSL */
/* Handled in arc4random() */
void
seed_rng(void)
{
}
#endif /* WITH_OPENSSL */

37
crypto/external/bsd/openssh/dist/entropy.h vendored Normal file
View File

@@ -0,0 +1,37 @@
/*
* Copyright (c) 1999-2000 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* $Id: entropy.h,v 1.6 2011/09/09 01:29:41 dtucker Exp $ */
#ifndef _RANDOMS_H
#define _RANDOMS_H
#include "buffer.h"
void seed_rng(void);
void rexec_send_rng_seed(Buffer *);
void rexec_recv_rng_seed(Buffer *);
#endif /* _RANDOMS_H */

1
crypto/external/bsd/openssh/dist/explicit_bzero.c vendored Symbolic link
View File

@@ -0,0 +1 @@
openbsd-compat/explicit_bzero.c

1726
crypto/external/bsd/openssh/dist/loginrec.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

131
crypto/external/bsd/openssh/dist/loginrec.h vendored Normal file
View File

@@ -0,0 +1,131 @@
#ifndef _HAVE_LOGINREC_H_
#define _HAVE_LOGINREC_H_
/*
* Copyright (c) 2000 Andre Lucas. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
** loginrec.h: platform-independent login recording and lastlog retrieval
**/
#include "includes.h"
/**
** you should use the login_* calls to work around platform dependencies
**/
/*
* login_netinfo structure
*/
union login_netinfo {
struct sockaddr sa;
struct sockaddr_in sa_in;
struct sockaddr_storage sa_storage;
};
/*
* * logininfo structure *
*/
/* types - different to utmp.h 'type' macros */
/* (though set to the same value as linux, openbsd and others...) */
#define LTYPE_LOGIN 7
#define LTYPE_LOGOUT 8
/* string lengths - set very long */
#define LINFO_PROGSIZE 64
#define LINFO_LINESIZE 64
#define LINFO_NAMESIZE 512
#define LINFO_HOSTSIZE 256
struct logininfo {
char progname[LINFO_PROGSIZE]; /* name of program (for PAM) */
int progname_null;
short int type; /* type of login (LTYPE_*) */
pid_t pid; /* PID of login process */
uid_t uid; /* UID of this user */
char line[LINFO_LINESIZE]; /* tty/pty name */
char username[LINFO_NAMESIZE]; /* login username */
char hostname[LINFO_HOSTSIZE]; /* remote hostname */
/* 'exit_status' structure components */
int exit; /* process exit status */
int termination; /* process termination status */
/* struct timeval (sys/time.h) isn't always available, if it isn't we'll
* use time_t's value as tv_sec and set tv_usec to 0
*/
unsigned int tv_sec;
unsigned int tv_usec;
union login_netinfo hostaddr; /* caller's host address(es) */
}; /* struct logininfo */
/*
* login recording functions
*/
/** 'public' functions */
/* construct a new login entry */
struct logininfo *login_alloc_entry(pid_t pid, const char *username,
const char *hostname, const char *line);
/* free a structure */
void login_free_entry(struct logininfo *li);
/* fill out a pre-allocated structure with useful information */
int login_init_entry(struct logininfo *li, pid_t pid, const char *username,
const char *hostname, const char *line);
/* place the current time in a logininfo struct */
void login_set_current_time(struct logininfo *li);
/* record the entry */
int login_login (struct logininfo *li);
int login_logout(struct logininfo *li);
#ifdef LOGIN_NEEDS_UTMPX
int login_utmp_only(struct logininfo *li);
#endif
/** End of public functions */
/* record the entry */
int login_write (struct logininfo *li);
int login_log_entry(struct logininfo *li);
/* set the network address based on network address type */
void login_set_addr(struct logininfo *li, const struct sockaddr *sa,
const unsigned int sa_size);
/*
* lastlog retrieval functions
*/
/* lastlog *entry* functions fill out a logininfo */
struct logininfo *login_get_lastlog(struct logininfo *li, const uid_t uid);
/* lastlog *time* functions return time_t equivalent (uint) */
unsigned int login_get_lastlog_time(const uid_t uid);
/* produce various forms of the line filename */
char *line_fullname(char *dst, const char *src, u_int dstsize);
char *line_stripname(char *dst, const char *src, int dstsize);
char *line_abbrevname(char *dst, const char *src, int dstsize);
void record_failed_login(const char *, const char *, const char *);
#endif /* _HAVE_LOGINREC_H_ */

308
crypto/external/bsd/openssh/dist/logintest.c vendored Normal file
View File

@@ -0,0 +1,308 @@
/*
* Copyright (c) 2000 Andre Lucas. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
** logintest.c: simple test driver for platform-independent login recording
** and lastlog retrieval
**/
#include "includes.h"
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <netdb.h>
#ifdef HAVE_TIME_H
#include <time.h>
#endif
#include "loginrec.h"
extern char *__progname;
#define PAUSE_BEFORE_LOGOUT 3
int nologtest = 0;
int compile_opts_only = 0;
int be_verbose = 0;
/* Dump a logininfo to stdout. Assumes a tab size of 8 chars. */
void
dump_logininfo(struct logininfo *li, char *descname)
{
/* yes I know how nasty this is */
printf("struct logininfo %s = {\n\t"
"progname\t'%s'\n\ttype\t\t%d\n\t"
"pid\t\t%d\n\tuid\t\t%d\n\t"
"line\t\t'%s'\n\tusername\t'%s'\n\t"
"hostname\t'%s'\n\texit\t\t%d\n\ttermination\t%d\n\t"
"tv_sec\t%d\n\ttv_usec\t%d\n\t"
"struct login_netinfo hostaddr {\n\t\t"
"struct sockaddr sa {\n"
"\t\t\tfamily\t%d\n\t\t}\n"
"\t}\n"
"}\n",
descname, li->progname, li->type,
li->pid, li->uid, li->line,
li->username, li->hostname, li->exit,
li->termination, li->tv_sec, li->tv_usec,
li->hostaddr.sa.sa_family);
}
int
testAPI()
{
struct logininfo *li1;
struct passwd *pw;
struct hostent *he;
struct sockaddr_in sa_in4;
char cmdstring[256], stripline[8];
char username[32];
#ifdef HAVE_TIME_H
time_t t0, t1, t2, logintime, logouttime;
char s_t0[64],s_t1[64],s_t2[64];
char s_logintime[64], s_logouttime[64]; /* ctime() strings */
#endif
printf("**\n** Testing the API...\n**\n");
pw = getpwuid(getuid());
strlcpy(username, pw->pw_name, sizeof(username));
/* gethostname(hostname, sizeof(hostname)); */
printf("login_alloc_entry test (no host info):\n");
/* FIXME fake tty more effectively - this could upset some platforms */
li1 = login_alloc_entry((int)getpid(), username, NULL, ttyname(0));
strlcpy(li1->progname, "OpenSSH-logintest", sizeof(li1->progname));
if (be_verbose)
dump_logininfo(li1, "li1");
printf("Setting host address info for 'localhost' (may call out):\n");
if (! (he = gethostbyname("localhost"))) {
printf("Couldn't set hostname(lookup failed)\n");
} else {
/* NOTE: this is messy, but typically a program wouldn't have to set
* any of this, a sockaddr_in* would be already prepared */
memcpy((void *)&(sa_in4.sin_addr), (void *)&(he->h_addr_list[0][0]),
sizeof(struct in_addr));
login_set_addr(li1, (struct sockaddr *) &sa_in4, sizeof(sa_in4));
strlcpy(li1->hostname, "localhost", sizeof(li1->hostname));
}
if (be_verbose)
dump_logininfo(li1, "li1");
if ((int)geteuid() != 0) {
printf("NOT RUNNING LOGIN TESTS - you are not root!\n");
return 1;
}
if (nologtest)
return 1;
line_stripname(stripline, li1->line, sizeof(stripline));
printf("Performing an invalid login attempt (no type field)\n--\n");
login_write(li1);
printf("--\n(Should have written errors to stderr)\n");
#ifdef HAVE_TIME_H
(void)time(&t0);
strlcpy(s_t0, ctime(&t0), sizeof(s_t0));
t1 = login_get_lastlog_time(getuid());
strlcpy(s_t1, ctime(&t1), sizeof(s_t1));
printf("Before logging in:\n\tcurrent time is %d - %s\t"
"lastlog time is %d - %s\n",
(int)t0, s_t0, (int)t1, s_t1);
#endif
printf("Performing a login on line %s ", stripline);
#ifdef HAVE_TIME_H
(void)time(&logintime);
strlcpy(s_logintime, ctime(&logintime), sizeof(s_logintime));
printf("at %d - %s", (int)logintime, s_logintime);
#endif
printf("--\n");
login_login(li1);
snprintf(cmdstring, sizeof(cmdstring), "who | grep '%s '",
stripline);
system(cmdstring);
printf("--\nPausing for %d second(s)...\n", PAUSE_BEFORE_LOGOUT);
sleep(PAUSE_BEFORE_LOGOUT);
printf("Performing a logout ");
#ifdef HAVE_TIME_H
(void)time(&logouttime);
strlcpy(s_logouttime, ctime(&logouttime), sizeof(s_logouttime));
printf("at %d - %s", (int)logouttime, s_logouttime);
#endif
printf("\nThe root login shown above should be gone.\n"
"If the root login hasn't gone, but another user on the same\n"
"pty has, this is OK - we're hacking it here, and there\n"
"shouldn't be two users on one pty in reality...\n"
"-- ('who' output follows)\n");
login_logout(li1);
system(cmdstring);
printf("-- ('who' output ends)\n");
#ifdef HAVE_TIME_H
t2 = login_get_lastlog_time(getuid());
strlcpy(s_t2, ctime(&t2), sizeof(s_t2));
printf("After logging in, lastlog time is %d - %s\n", (int)t2, s_t2);
if (t1 == t2)
printf("The lastlog times before and after logging in are the "
"same.\nThis indicates that lastlog is ** NOT WORKING "
"CORRECTLY **\n");
else if (t0 != t2)
/* We can be off by a second or so, even when recording works fine.
* I'm not 100% sure why, but it's true. */
printf("** The login time and the lastlog time differ.\n"
"** This indicates that lastlog is either recording the "
"wrong time,\n** or retrieving the wrong entry.\n"
"If it's off by less than %d second(s) "
"run the test again.\n", PAUSE_BEFORE_LOGOUT);
else
printf("lastlog agrees with the login time. This is a good thing.\n");
#endif
printf("--\nThe output of 'last' shown next should have "
"an entry for root \n on %s for the time shown above:\n--\n",
stripline);
snprintf(cmdstring, sizeof(cmdstring), "last | grep '%s ' | head -3",
stripline);
system(cmdstring);
printf("--\nEnd of login test.\n");
login_free_entry(li1);
return 1;
} /* testAPI() */
void
testLineName(char *line)
{
/* have to null-terminate - these functions are designed for
* structures with fixed-length char arrays, and don't null-term.*/
char full[17], strip[9], abbrev[5];
memset(full, '\0', sizeof(full));
memset(strip, '\0', sizeof(strip));
memset(abbrev, '\0', sizeof(abbrev));
line_fullname(full, line, sizeof(full)-1);
line_stripname(strip, full, sizeof(strip)-1);
line_abbrevname(abbrev, full, sizeof(abbrev)-1);
printf("%s: %s, %s, %s\n", line, full, strip, abbrev);
} /* testLineName() */
int
testOutput()
{
printf("**\n** Testing linename functions\n**\n");
testLineName("/dev/pts/1");
testLineName("pts/1");
testLineName("pts/999");
testLineName("/dev/ttyp00");
testLineName("ttyp00");
return 1;
} /* testOutput() */
/* show which options got compiled in */
void
showOptions(void)
{
printf("**\n** Compile-time options\n**\n");
printf("login recording methods selected:\n");
#ifdef USE_LOGIN
printf("\tUSE_LOGIN\n");
#endif
#ifdef USE_UTMP
printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE);
#endif
#ifdef USE_UTMPX
printf("\tUSE_UTMPX\n");
#endif
#ifdef USE_WTMP
printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE);
#endif
#ifdef USE_WTMPX
printf("\tUSE_WTMPX (WTMPX_FILE=%s)\n", WTMPX_FILE);
#endif
#ifdef USE_LASTLOG
printf("\tUSE_LASTLOG (LASTLOG_FILE=%s)\n", LASTLOG_FILE);
#endif
printf("\n");
} /* showOptions() */
int
main(int argc, char *argv[])
{
printf("Platform-independent login recording test driver\n");
__progname = ssh_get_progname(argv[0]);
if (argc == 2) {
if (strncmp(argv[1], "-i", 3) == 0)
compile_opts_only = 1;
else if (strncmp(argv[1], "-v", 3) == 0)
be_verbose=1;
}
if (!compile_opts_only) {
if (be_verbose && !testOutput())
return 1;
if (!testAPI())
return 1;
}
showOptions();
return 0;
} /* main() */

167
crypto/external/bsd/openssh/dist/md5crypt.c vendored Normal file
View File

@@ -0,0 +1,167 @@
/*
* ----------------------------------------------------------------------------
* "THE BEER-WARE LICENSE" (Revision 42):
* <phk@login.dknet.dk> wrote this file. As long as you retain this
* notice you can do whatever you want with this stuff. If we meet some
* day, and you think this stuff is worth it, you can buy me a beer in
* return. Poul-Henning Kamp
* ----------------------------------------------------------------------------
*/
#include "includes.h"
#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
#include <sys/types.h>
#include <string.h>
#include <openssl/md5.h>
/* 0 ... 63 => ascii - 64 */
static unsigned char itoa64[] =
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static char *magic = "$1$";
static char *
to64(unsigned long v, int n)
{
static char buf[5];
char *s = buf;
if (n > 4)
return (NULL);
memset(buf, '\0', sizeof(buf));
while (--n >= 0) {
*s++ = itoa64[v&0x3f];
v >>= 6;
}
return (buf);
}
int
is_md5_salt(const char *salt)
{
return (strncmp(salt, magic, strlen(magic)) == 0);
}
char *
md5_crypt(const char *pw, const char *salt)
{
static char passwd[120], salt_copy[9], *p;
static const char *sp, *ep;
unsigned char final[16];
int sl, pl, i, j;
MD5_CTX ctx, ctx1;
unsigned long l;
/* Refine the Salt first */
sp = salt;
/* If it starts with the magic string, then skip that */
if(strncmp(sp, magic, strlen(magic)) == 0)
sp += strlen(magic);
/* It stops at the first '$', max 8 chars */
for (ep = sp; *ep != '$'; ep++) {
if (*ep == '\0' || ep >= (sp + 8))
return (NULL);
}
/* get the length of the true salt */
sl = ep - sp;
/* Stash the salt */
memcpy(salt_copy, sp, sl);
salt_copy[sl] = '\0';
MD5_Init(&ctx);
/* The password first, since that is what is most unknown */
MD5_Update(&ctx, pw, strlen(pw));
/* Then our magic string */
MD5_Update(&ctx, magic, strlen(magic));
/* Then the raw salt */
MD5_Update(&ctx, sp, sl);
/* Then just as many characters of the MD5(pw, salt, pw) */
MD5_Init(&ctx1);
MD5_Update(&ctx1, pw, strlen(pw));
MD5_Update(&ctx1, sp, sl);
MD5_Update(&ctx1, pw, strlen(pw));
MD5_Final(final, &ctx1);
for(pl = strlen(pw); pl > 0; pl -= 16)
MD5_Update(&ctx, final, pl > 16 ? 16 : pl);
/* Don't leave anything around in vm they could use. */
memset(final, '\0', sizeof final);
/* Then something really weird... */
for (j = 0, i = strlen(pw); i != 0; i >>= 1)
if (i & 1)
MD5_Update(&ctx, final + j, 1);
else
MD5_Update(&ctx, pw + j, 1);
/* Now make the output string */
snprintf(passwd, sizeof(passwd), "%s%s$", magic, salt_copy);
MD5_Final(final, &ctx);
/*
* and now, just to make sure things don't run too fast
* On a 60 Mhz Pentium this takes 34 msec, so you would
* need 30 seconds to build a 1000 entry dictionary...
*/
for(i = 0; i < 1000; i++) {
MD5_Init(&ctx1);
if (i & 1)
MD5_Update(&ctx1, pw, strlen(pw));
else
MD5_Update(&ctx1, final, 16);
if (i % 3)
MD5_Update(&ctx1, sp, sl);
if (i % 7)
MD5_Update(&ctx1, pw, strlen(pw));
if (i & 1)
MD5_Update(&ctx1, final, 16);
else
MD5_Update(&ctx1, pw, strlen(pw));
MD5_Final(final, &ctx1);
}
p = passwd + strlen(passwd);
l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
strlcat(passwd, to64(l, 4), sizeof(passwd));
l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
strlcat(passwd, to64(l, 4), sizeof(passwd));
l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
strlcat(passwd, to64(l, 4), sizeof(passwd));
l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
strlcat(passwd, to64(l, 4), sizeof(passwd));
l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
strlcat(passwd, to64(l, 4), sizeof(passwd));
l = final[11] ;
strlcat(passwd, to64(l, 2), sizeof(passwd));
/* Don't leave anything around in vm they could use. */
memset(final, 0, sizeof(final));
memset(salt_copy, 0, sizeof(salt_copy));
memset(&ctx, 0, sizeof(ctx));
memset(&ctx1, 0, sizeof(ctx1));
(void)to64(0, 4);
return (passwd);
}
#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */

24
crypto/external/bsd/openssh/dist/md5crypt.h vendored Normal file
View File

@@ -0,0 +1,24 @@
/*
* ----------------------------------------------------------------------------
* "THE BEER-WARE LICENSE" (Revision 42):
* <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
* can do whatever you want with this stuff. If we meet some day, and you think
* this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
* ----------------------------------------------------------------------------
*/
/* $Id: md5crypt.h,v 1.4 2003/05/18 14:46:46 djm Exp $ */
#ifndef _MD5CRYPT_H
#define _MD5CRYPT_H
#include "config.h"
#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
int is_md5_salt(const char *);
char *md5_crypt(const char *, const char *);
#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
#endif /* MD5CRYPT_H */

74
crypto/external/bsd/openssh/dist/moduli.0 vendored Normal file
View File

@@ -0,0 +1,74 @@
MODULI(5) File Formats Manual MODULI(5)
NAME
moduli M-bM-^@M-^S Diffie-Hellman moduli
DESCRIPTION
The /etc/moduli file contains prime numbers and generators for use by
sshd(8) in the Diffie-Hellman Group Exchange key exchange method.
New moduli may be generated with ssh-keygen(1) using a two-step process.
An initial candidate generation pass, using ssh-keygen -G, calculates
numbers that are likely to be useful. A second primality testing pass,
using ssh-keygen -T, provides a high degree of assurance that the numbers
are prime and are safe for use in Diffie-Hellman operations by sshd(8).
This moduli format is used as the output from each pass.
The file consists of newline-separated records, one per modulus,
containing seven space-separated fields. These fields are as follows:
timestamp The time that the modulus was last processed as
YYYYMMDDHHMMSS.
type Decimal number specifying the internal structure of
the prime modulus. Supported types are:
0 Unknown, not tested.
2 "Safe" prime; (p-1)/2 is also prime.
4 Sophie Germain; 2p+1 is also prime.
Moduli candidates initially produced by ssh-keygen(1)
are Sophie Germain primes (type 4). Further primality
testing with ssh-keygen(1) produces safe prime moduli
(type 2) that are ready for use in sshd(8). Other
types are not used by OpenSSH.
tests Decimal number indicating the type of primality tests
that the number has been subjected to represented as a
bitmask of the following values:
0x00 Not tested.
0x01 Composite number M-bM-^@M-^S not prime.
0x02 Sieve of Eratosthenes.
0x04 Probabilistic Miller-Rabin primality tests.
The ssh-keygen(1) moduli candidate generation uses the
Sieve of Eratosthenes (flag 0x02). Subsequent
ssh-keygen(1) primality tests are Miller-Rabin tests
(flag 0x04).
trials Decimal number indicating the number of primality
trials that have been performed on the modulus.
size Decimal number indicating the size of the prime in
bits.
generator The recommended generator for use with this modulus
(hexadecimal).
modulus The modulus itself in hexadecimal.
When performing Diffie-Hellman Group Exchange, sshd(8) first estimates
the size of the modulus required to produce enough Diffie-Hellman output
to sufficiently key the selected symmetric cipher. sshd(8) then randomly
selects a modulus from /etc/moduli that best meets the size requirement.
SEE ALSO
ssh-keygen(1), sshd(8)
STANDARDS
M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
2006.
OpenBSD 5.8 September 26, 2012 OpenBSD 5.8

1
crypto/external/bsd/openssh/dist/openbsd-compat/.cvsignore vendored Normal file
View File

@@ -0,0 +1 @@
Makefile

42
crypto/external/bsd/openssh/dist/openbsd-compat/Makefile vendored Normal file
View File

@@ -0,0 +1,42 @@
# $Id: Makefile.in,v 1.56 2014/09/30 23:43:08 djm Exp $
sysconfdir=${prefix}/etc
piddir=/var/run
srcdir=.
top_srcdir=..
CC=cc
LD=cc
CFLAGS=-g -O2 -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. -DHAVE_CONFIG_H
LIBS=-lcrypto -lutil -lz
AR=ar
RANLIB=ranlib
INSTALL=/usr/bin/install -c
LDFLAGS=-L. -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
all: libopenbsd-compat.a
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
$(PORTS): ../config.h
libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS)
$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
$(RANLIB) $@
clean:
rm -f *.o *.a core
distclean: clean
rm -f Makefile *~

42
crypto/external/bsd/openssh/dist/openbsd-compat/Makefile.in vendored Normal file
View File

@@ -0,0 +1,42 @@
# $Id: Makefile.in,v 1.56 2014/09/30 23:43:08 djm Exp $
sysconfdir=@sysconfdir@
piddir=@piddir@
srcdir=@srcdir@
top_srcdir=@top_srcdir@
VPATH=@srcdir@
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
LIBS=@LIBS@
AR=@AR@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
all: libopenbsd-compat.a
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
$(PORTS): ../config.h
libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS)
$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
$(RANLIB) $@
clean:
rm -f *.o *.a core
distclean: clean
rm -f Makefile *~

328
crypto/external/bsd/openssh/dist/openbsd-compat/arc4random.c vendored Normal file
View File

@@ -0,0 +1,328 @@
/* OPENBSD ORIGINAL: lib/libc/crypto/arc4random.c */
/* $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $ */
/*
* Copyright (c) 1996, David Mazieres <dm@uun.org>
* Copyright (c) 2008, Damien Miller <djm@openbsd.org>
* Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* ChaCha based random number generator for OpenBSD.
*/
#include "includes.h"
#include <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifndef HAVE_ARC4RANDOM
#ifdef WITH_OPENSSL
#include <openssl/rand.h>
#include <openssl/err.h>
#endif
#include "log.h"
#define KEYSTREAM_ONLY
#include "chacha_private.h"
#ifdef __GNUC__
#define inline __inline
#else /* !__GNUC__ */
#define inline
#endif /* !__GNUC__ */
/* OpenSSH isn't multithreaded */
#define _ARC4_LOCK()
#define _ARC4_UNLOCK()
#define KEYSZ 32
#define IVSZ 8
#define BLOCKSZ 64
#define RSBUFSZ (16*BLOCKSZ)
static int rs_initialized;
static pid_t rs_stir_pid;
static chacha_ctx rs; /* chacha context for random keystream */
static u_char rs_buf[RSBUFSZ]; /* keystream blocks */
static size_t rs_have; /* valid bytes at end of rs_buf */
static size_t rs_count; /* bytes till reseed */
static inline void _rs_rekey(u_char *dat, size_t datlen);
static inline void
_rs_init(u_char *buf, size_t n)
{
if (n < KEYSZ + IVSZ)
return;
chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
chacha_ivsetup(&rs, buf + KEYSZ);
}
#ifndef WITH_OPENSSL
#define SSH_RANDOM_DEV "/dev/urandom"
/* XXX use getrandom() if supported on Linux */
static void
getrnd(u_char *s, size_t len)
{
int fd;
ssize_t r;
size_t o = 0;
if ((fd = open(SSH_RANDOM_DEV, O_RDONLY)) == -1)
fatal("Couldn't open %s: %s", SSH_RANDOM_DEV, strerror(errno));
while (o < len) {
r = read(fd, s + o, len - o);
if (r < 0) {
if (errno == EAGAIN || errno == EINTR ||
errno == EWOULDBLOCK)
continue;
fatal("read %s: %s", SSH_RANDOM_DEV, strerror(errno));
}
o += r;
}
close(fd);
}
#endif
static void
_rs_stir(void)
{
u_char rnd[KEYSZ + IVSZ];
#ifdef WITH_OPENSSL
if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
fatal("Couldn't obtain random bytes (error %ld)",
ERR_get_error());
#else
getrnd(rnd, sizeof(rnd));
#endif
if (!rs_initialized) {
rs_initialized = 1;
_rs_init(rnd, sizeof(rnd));
} else
_rs_rekey(rnd, sizeof(rnd));
explicit_bzero(rnd, sizeof(rnd));
/* invalidate rs_buf */
rs_have = 0;
memset(rs_buf, 0, RSBUFSZ);
rs_count = 1600000;
}
static inline void
_rs_stir_if_needed(size_t len)
{
pid_t pid = getpid();
if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) {
rs_stir_pid = pid;
_rs_stir();
} else
rs_count -= len;
}
static inline void
_rs_rekey(u_char *dat, size_t datlen)
{
#ifndef KEYSTREAM_ONLY
memset(rs_buf, 0,RSBUFSZ);
#endif
/* fill rs_buf with the keystream */
chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ);
/* mix in optional user provided data */
if (dat) {
size_t i, m;
m = MIN(datlen, KEYSZ + IVSZ);
for (i = 0; i < m; i++)
rs_buf[i] ^= dat[i];
}
/* immediately reinit for backtracking resistance */
_rs_init(rs_buf, KEYSZ + IVSZ);
memset(rs_buf, 0, KEYSZ + IVSZ);
rs_have = RSBUFSZ - KEYSZ - IVSZ;
}
static inline void
_rs_random_buf(void *_buf, size_t n)
{
u_char *buf = (u_char *)_buf;
size_t m;
_rs_stir_if_needed(n);
while (n > 0) {
if (rs_have > 0) {
m = MIN(n, rs_have);
memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
memset(rs_buf + RSBUFSZ - rs_have, 0, m);
buf += m;
n -= m;
rs_have -= m;
}
if (rs_have == 0)
_rs_rekey(NULL, 0);
}
}
static inline void
_rs_random_u32(u_int32_t *val)
{
_rs_stir_if_needed(sizeof(*val));
if (rs_have < sizeof(*val))
_rs_rekey(NULL, 0);
memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
rs_have -= sizeof(*val);
return;
}
void
arc4random_stir(void)
{
_ARC4_LOCK();
_rs_stir();
_ARC4_UNLOCK();
}
void
arc4random_addrandom(u_char *dat, int datlen)
{
int m;
_ARC4_LOCK();
if (!rs_initialized)
_rs_stir();
while (datlen > 0) {
m = MIN(datlen, KEYSZ + IVSZ);
_rs_rekey(dat, m);
dat += m;
datlen -= m;
}
_ARC4_UNLOCK();
}
u_int32_t
arc4random(void)
{
u_int32_t val;
_ARC4_LOCK();
_rs_random_u32(&val);
_ARC4_UNLOCK();
return val;
}
/*
* If we are providing arc4random, then we can provide a more efficient
* arc4random_buf().
*/
# ifndef HAVE_ARC4RANDOM_BUF
void
arc4random_buf(void *buf, size_t n)
{
_ARC4_LOCK();
_rs_random_buf(buf, n);
_ARC4_UNLOCK();
}
# endif /* !HAVE_ARC4RANDOM_BUF */
#endif /* !HAVE_ARC4RANDOM */
/* arc4random_buf() that uses platform arc4random() */
#if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM)
void
arc4random_buf(void *_buf, size_t n)
{
size_t i;
u_int32_t r = 0;
char *buf = (char *)_buf;
for (i = 0; i < n; i++) {
if (i % 4 == 0)
r = arc4random();
buf[i] = r & 0xff;
r >>= 8;
}
explicit_bzero(&r, sizeof(r));
}
#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
#ifndef HAVE_ARC4RANDOM_UNIFORM
/*
* Calculate a uniformly distributed random number less than upper_bound
* avoiding "modulo bias".
*
* Uniformity is achieved by generating new random numbers until the one
* returned is outside the range [0, 2**32 % upper_bound). This
* guarantees the selected random number will be inside
* [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
* after reduction modulo upper_bound.
*/
u_int32_t
arc4random_uniform(u_int32_t upper_bound)
{
u_int32_t r, min;
if (upper_bound < 2)
return 0;
/* 2**32 % x == (2**32 - x) % x */
min = -upper_bound % upper_bound;
/*
* This could theoretically loop forever but each retry has
* p > 0.5 (worst case, usually far better) of selecting a
* number inside the range we need, so it should rarely need
* to re-roll.
*/
for (;;) {
r = arc4random();
if (r >= min)
break;
}
return r % upper_bound;
}
#endif /* !HAVE_ARC4RANDOM_UNIFORM */
#if 0
/*-------- Test code for i386 --------*/
#include <stdio.h>
#include <machine/pctr.h>
int
main(int argc, char **argv)
{
const int iter = 1000000;
int i;
pctrval v;
v = rdtsc();
for (i = 0; i < iter; i++)
arc4random();
v = rdtsc() - v;
v /= iter;
printf("%qd cycles\n", v);
exit(0);
}
#endif

315
crypto/external/bsd/openssh/dist/openbsd-compat/base64.c vendored Normal file
View File

@@ -0,0 +1,315 @@
/* $OpenBSD: base64.c,v 1.5 2006/10/21 09:55:03 otto Exp $ */
/*
* Copyright (c) 1996 by Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
* CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
*/
/*
* Portions Copyright (c) 1995 by International Business Machines, Inc.
*
* International Business Machines, Inc. (hereinafter called IBM) grants
* permission under its copyrights to use, copy, modify, and distribute this
* Software with or without fee, provided that the above copyright notice and
* all paragraphs of this notice appear in all copies, and that the name of IBM
* not be used in connection with the marketing of any product incorporating
* the Software or modifications thereof, without specific, written prior
* permission.
*
* To the extent it has a right to do so, IBM grants an immunity from suit
* under its patents, if any, for the use, sale or manufacture of products to
* the extent that such products are used for performing Domain Name System
* dynamic updates in TCP/IP networks by means of the Software. No immunity is
* granted for any product per se or for any other function of any product.
*
* THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
* PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
* DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
*/
/* OPENBSD ORIGINAL: lib/libc/net/base64.c */
#include "includes.h"
#if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON))
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "base64.h"
static const char Base64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static const char Pad64 = '=';
/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
The following encoding technique is taken from RFC 1521 by Borenstein
and Freed. It is reproduced here in a slightly edited form for
convenience.
A 65-character subset of US-ASCII is used, enabling 6 bits to be
represented per printable character. (The extra 65th character, "=",
is used to signify a special processing function.)
The encoding process represents 24-bit groups of input bits as output
strings of 4 encoded characters. Proceeding from left to right, a
24-bit input group is formed by concatenating 3 8-bit input groups.
These 24 bits are then treated as 4 concatenated 6-bit groups, each
of which is translated into a single digit in the base64 alphabet.
Each 6-bit group is used as an index into an array of 64 printable
characters. The character referenced by the index is placed in the
output string.
Table 1: The Base64 Alphabet
Value Encoding Value Encoding Value Encoding Value Encoding
0 A 17 R 34 i 51 z
1 B 18 S 35 j 52 0
2 C 19 T 36 k 53 1
3 D 20 U 37 l 54 2
4 E 21 V 38 m 55 3
5 F 22 W 39 n 56 4
6 G 23 X 40 o 57 5
7 H 24 Y 41 p 58 6
8 I 25 Z 42 q 59 7
9 J 26 a 43 r 60 8
10 K 27 b 44 s 61 9
11 L 28 c 45 t 62 +
12 M 29 d 46 u 63 /
13 N 30 e 47 v
14 O 31 f 48 w (pad) =
15 P 32 g 49 x
16 Q 33 h 50 y
Special processing is performed if fewer than 24 bits are available
at the end of the data being encoded. A full encoding quantum is
always completed at the end of a quantity. When fewer than 24 input
bits are available in an input group, zero bits are added (on the
right) to form an integral number of 6-bit groups. Padding at the
end of the data is performed using the '=' character.
Since all base64 input is an integral number of octets, only the
-------------------------------------------------
following cases can arise:
(1) the final quantum of encoding input is an integral
multiple of 24 bits; here, the final unit of encoded
output will be an integral multiple of 4 characters
with no "=" padding,
(2) the final quantum of encoding input is exactly 8 bits;
here, the final unit of encoded output will be two
characters followed by two "=" padding characters, or
(3) the final quantum of encoding input is exactly 16 bits;
here, the final unit of encoded output will be three
characters followed by one "=" padding character.
*/
#if !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)
int
b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
{
size_t datalength = 0;
u_char input[3];
u_char output[4];
u_int i;
while (2 < srclength) {
input[0] = *src++;
input[1] = *src++;
input[2] = *src++;
srclength -= 3;
output[0] = input[0] >> 2;
output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
output[3] = input[2] & 0x3f;
if (datalength + 4 > targsize)
return (-1);
target[datalength++] = Base64[output[0]];
target[datalength++] = Base64[output[1]];
target[datalength++] = Base64[output[2]];
target[datalength++] = Base64[output[3]];
}
/* Now we worry about padding. */
if (0 != srclength) {
/* Get what's left. */
input[0] = input[1] = input[2] = '\0';
for (i = 0; i < srclength; i++)
input[i] = *src++;
output[0] = input[0] >> 2;
output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
if (datalength + 4 > targsize)
return (-1);
target[datalength++] = Base64[output[0]];
target[datalength++] = Base64[output[1]];
if (srclength == 1)
target[datalength++] = Pad64;
else
target[datalength++] = Base64[output[2]];
target[datalength++] = Pad64;
}
if (datalength >= targsize)
return (-1);
target[datalength] = '\0'; /* Returned value doesn't count \0. */
return (datalength);
}
#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */
#if !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON)
/* skips all whitespace anywhere.
converts characters, four at a time, starting at (or after)
src from base - 64 numbers into three 8 bit bytes in the target area.
it returns the number of data bytes stored at the target, or -1 on error.
*/
int
b64_pton(char const *src, u_char *target, size_t targsize)
{
u_int tarindex, state;
int ch;
char *pos;
state = 0;
tarindex = 0;
while ((ch = *src++) != '\0') {
if (isspace(ch)) /* Skip whitespace anywhere. */
continue;
if (ch == Pad64)
break;
pos = strchr(Base64, ch);
if (pos == 0) /* A non-base64 character. */
return (-1);
switch (state) {
case 0:
if (target) {
if (tarindex >= targsize)
return (-1);
target[tarindex] = (pos - Base64) << 2;
}
state = 1;
break;
case 1:
if (target) {
if (tarindex + 1 >= targsize)
return (-1);
target[tarindex] |= (pos - Base64) >> 4;
target[tarindex+1] = ((pos - Base64) & 0x0f)
<< 4 ;
}
tarindex++;
state = 2;
break;
case 2:
if (target) {
if (tarindex + 1 >= targsize)
return (-1);
target[tarindex] |= (pos - Base64) >> 2;
target[tarindex+1] = ((pos - Base64) & 0x03)
<< 6;
}
tarindex++;
state = 3;
break;
case 3:
if (target) {
if (tarindex >= targsize)
return (-1);
target[tarindex] |= (pos - Base64);
}
tarindex++;
state = 0;
break;
}
}
/*
* We are done decoding Base-64 chars. Let's see if we ended
* on a byte boundary, and/or with erroneous trailing characters.
*/
if (ch == Pad64) { /* We got a pad char. */
ch = *src++; /* Skip it, get next. */
switch (state) {
case 0: /* Invalid = in first position */
case 1: /* Invalid = in second position */
return (-1);
case 2: /* Valid, means one byte of info */
/* Skip any number of spaces. */
for (; ch != '\0'; ch = *src++)
if (!isspace(ch))
break;
/* Make sure there is another trailing = sign. */
if (ch != Pad64)
return (-1);
ch = *src++; /* Skip the = */
/* Fall through to "single trailing =" case. */
/* FALLTHROUGH */
case 3: /* Valid, means two bytes of info */
/*
* We know this char is an =. Is there anything but
* whitespace after it?
*/
for (; ch != '\0'; ch = *src++)
if (!isspace(ch))
return (-1);
/*
* Now make sure for cases 2 and 3 that the "extra"
* bits that slopped past the last full byte were
* zeros. If we don't check them, they become a
* subliminal channel.
*/
if (target && target[tarindex] != 0)
return (-1);
}
} else {
/*
* We ended by seeing the end of the string. Make sure we
* have no partial bytes lying around.
*/
if (state != 0)
return (-1);
}
return (tarindex);
}
#endif /* !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON) */
#endif

65
crypto/external/bsd/openssh/dist/openbsd-compat/base64.h vendored Normal file
View File

@@ -0,0 +1,65 @@
/* $Id: base64.h,v 1.6 2003/08/29 16:59:52 mouring Exp $ */
/*
* Copyright (c) 1996 by Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
* CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
*/
/*
* Portions Copyright (c) 1995 by International Business Machines, Inc.
*
* International Business Machines, Inc. (hereinafter called IBM) grants
* permission under its copyrights to use, copy, modify, and distribute this
* Software with or without fee, provided that the above copyright notice and
* all paragraphs of this notice appear in all copies, and that the name of IBM
* not be used in connection with the marketing of any product incorporating
* the Software or modifications thereof, without specific, written prior
* permission.
*
* To the extent it has a right to do so, IBM grants an immunity from suit
* under its patents, if any, for the use, sale or manufacture of products to
* the extent that such products are used for performing Domain Name System
* dynamic updates in TCP/IP networks by means of the Software. No immunity is
* granted for any product per se or for any other function of any product.
*
* THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
* PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
* DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
*/
#ifndef _BSD_BASE64_H
#define _BSD_BASE64_H
#include "includes.h"
#ifndef HAVE___B64_NTOP
# ifndef HAVE_B64_NTOP
int b64_ntop(u_char const *src, size_t srclength, char *target,
size_t targsize);
# endif /* !HAVE_B64_NTOP */
# define __b64_ntop(a,b,c,d) b64_ntop(a,b,c,d)
#endif /* HAVE___B64_NTOP */
#ifndef HAVE___B64_PTON
# ifndef HAVE_B64_PTON
int b64_pton(char const *src, u_char *target, size_t targsize);
# endif /* !HAVE_B64_PTON */
# define __b64_pton(a,b,c) b64_pton(a,b,c)
#endif /* HAVE___B64_PTON */
#endif /* _BSD_BASE64_H */

67
crypto/external/bsd/openssh/dist/openbsd-compat/basename.c vendored Normal file
View File

@@ -0,0 +1,67 @@
/* $OpenBSD: basename.c,v 1.14 2005/08/08 08:05:33 espie Exp $ */
/*
* Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
#include "includes.h"
#ifndef HAVE_BASENAME
#include <errno.h>
#include <string.h>
char *
basename(const char *path)
{
static char bname[MAXPATHLEN];
size_t len;
const char *endp, *startp;
/* Empty or NULL string gets treated as "." */
if (path == NULL || *path == '\0') {
bname[0] = '.';
bname[1] = '\0';
return (bname);
}
/* Strip any trailing slashes */
endp = path + strlen(path) - 1;
while (endp > path && *endp == '/')
endp--;
/* All slashes becomes "/" */
if (endp == path && *endp == '/') {
bname[0] = '/';
bname[1] = '\0';
return (bname);
}
/* Find the start of the base */
startp = endp;
while (startp > path && *(startp - 1) != '/')
startp--;
len = endp - startp + 1;
if (len >= sizeof(bname)) {
errno = ENAMETOOLONG;
return (NULL);
}
memcpy(bname, startp, len);
bname[len] = '\0';
return (bname);
}
#endif /* !defined(HAVE_BASENAME) */

179
crypto/external/bsd/openssh/dist/openbsd-compat/bcrypt_pbkdf.c vendored Normal file
View File

@@ -0,0 +1,179 @@
/* $OpenBSD: bcrypt_pbkdf.c,v 1.13 2015/01/12 03:20:04 tedu Exp $ */
/*
* Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#ifndef HAVE_BCRYPT_PBKDF
#include <sys/types.h>
#include <sys/param.h>
#ifdef HAVE_STDLIB_H
# include <stdlib.h>
#endif
#include <string.h>
#ifdef HAVE_BLF_H
# include <blf.h>
#endif
#include "crypto_api.h"
#ifdef SHA512_DIGEST_LENGTH
# undef SHA512_DIGEST_LENGTH
#endif
#define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES
#define MINIMUM(a,b) (((a) < (b)) ? (a) : (b))
/*
* pkcs #5 pbkdf2 implementation using the "bcrypt" hash
*
* The bcrypt hash function is derived from the bcrypt password hashing
* function with the following modifications:
* 1. The input password and salt are preprocessed with SHA512.
* 2. The output length is expanded to 256 bits.
* 3. Subsequently the magic string to be encrypted is lengthened and modifed
* to "OxychromaticBlowfishSwatDynamite"
* 4. The hash function is defined to perform 64 rounds of initial state
* expansion. (More rounds are performed by iterating the hash.)
*
* Note that this implementation pulls the SHA512 operations into the caller
* as a performance optimization.
*
* One modification from official pbkdf2. Instead of outputting key material
* linearly, we mix it. pbkdf2 has a known weakness where if one uses it to
* generate (e.g.) 512 bits of key material for use as two 256 bit keys, an
* attacker can merely run once through the outer loop, but the user
* always runs it twice. Shuffling output bytes requires computing the
* entirety of the key material to assemble any subkey. This is something a
* wise caller could do; we just do it for you.
*/
#define BCRYPT_WORDS 8
#define BCRYPT_HASHSIZE (BCRYPT_WORDS * 4)
static void
bcrypt_hash(u_int8_t *sha2pass, u_int8_t *sha2salt, u_int8_t *out)
{
blf_ctx state;
u_int8_t ciphertext[BCRYPT_HASHSIZE] =
"OxychromaticBlowfishSwatDynamite";
uint32_t cdata[BCRYPT_WORDS];
int i;
uint16_t j;
size_t shalen = SHA512_DIGEST_LENGTH;
/* key expansion */
Blowfish_initstate(&state);
Blowfish_expandstate(&state, sha2salt, shalen, sha2pass, shalen);
for (i = 0; i < 64; i++) {
Blowfish_expand0state(&state, sha2salt, shalen);
Blowfish_expand0state(&state, sha2pass, shalen);
}
/* encryption */
j = 0;
for (i = 0; i < BCRYPT_WORDS; i++)
cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext),
&j);
for (i = 0; i < 64; i++)
blf_enc(&state, cdata, sizeof(cdata) / sizeof(uint64_t));
/* copy out */
for (i = 0; i < BCRYPT_WORDS; i++) {
out[4 * i + 3] = (cdata[i] >> 24) & 0xff;
out[4 * i + 2] = (cdata[i] >> 16) & 0xff;
out[4 * i + 1] = (cdata[i] >> 8) & 0xff;
out[4 * i + 0] = cdata[i] & 0xff;
}
/* zap */
explicit_bzero(ciphertext, sizeof(ciphertext));
explicit_bzero(cdata, sizeof(cdata));
explicit_bzero(&state, sizeof(state));
}
int
bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t saltlen,
u_int8_t *key, size_t keylen, unsigned int rounds)
{
u_int8_t sha2pass[SHA512_DIGEST_LENGTH];
u_int8_t sha2salt[SHA512_DIGEST_LENGTH];
u_int8_t out[BCRYPT_HASHSIZE];
u_int8_t tmpout[BCRYPT_HASHSIZE];
u_int8_t *countsalt;
size_t i, j, amt, stride;
uint32_t count;
size_t origkeylen = keylen;
/* nothing crazy */
if (rounds < 1)
return -1;
if (passlen == 0 || saltlen == 0 || keylen == 0 ||
keylen > sizeof(out) * sizeof(out) || saltlen > 1<<20)
return -1;
if ((countsalt = calloc(1, saltlen + 4)) == NULL)
return -1;
stride = (keylen + sizeof(out) - 1) / sizeof(out);
amt = (keylen + stride - 1) / stride;
memcpy(countsalt, salt, saltlen);
/* collapse password */
crypto_hash_sha512(sha2pass, pass, passlen);
/* generate key, sizeof(out) at a time */
for (count = 1; keylen > 0; count++) {
countsalt[saltlen + 0] = (count >> 24) & 0xff;
countsalt[saltlen + 1] = (count >> 16) & 0xff;
countsalt[saltlen + 2] = (count >> 8) & 0xff;
countsalt[saltlen + 3] = count & 0xff;
/* first round, salt is salt */
crypto_hash_sha512(sha2salt, countsalt, saltlen + 4);
bcrypt_hash(sha2pass, sha2salt, tmpout);
memcpy(out, tmpout, sizeof(out));
for (i = 1; i < rounds; i++) {
/* subsequent rounds, salt is previous output */
crypto_hash_sha512(sha2salt, tmpout, sizeof(tmpout));
bcrypt_hash(sha2pass, sha2salt, tmpout);
for (j = 0; j < sizeof(out); j++)
out[j] ^= tmpout[j];
}
/*
* pbkdf2 deviation: output the key material non-linearly.
*/
amt = MINIMUM(amt, keylen);
for (i = 0; i < amt; i++) {
size_t dest = i * stride + (count - 1);
if (dest >= origkeylen)
break;
key[dest] = out[i];
}
keylen -= i;
}
/* zap */
explicit_bzero(out, sizeof(out));
free(countsalt);
return 0;
}
#endif /* HAVE_BCRYPT_PBKDF */

118
crypto/external/bsd/openssh/dist/openbsd-compat/bindresvport.c vendored Normal file
View File

@@ -0,0 +1,118 @@
/* This file has be substantially modified from the original OpenBSD source */
/* $OpenBSD: bindresvport.c,v 1.17 2005/12/21 01:40:22 millert Exp $ */
/*
* Copyright 1996, Jason Downs. All rights reserved.
* Copyright 1998, Theo de Raadt. All rights reserved.
* Copyright 2000, Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* OPENBSD ORIGINAL: lib/libc/rpc/bindresvport.c */
#include "includes.h"
#ifndef HAVE_BINDRESVPORT_SA
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <string.h>
#define STARTPORT 600
#define ENDPORT (IPPORT_RESERVED - 1)
#define NPORTS (ENDPORT - STARTPORT + 1)
/*
* Bind a socket to a privileged IP port
*/
int
bindresvport_sa(int sd, struct sockaddr *sa)
{
int error, af;
struct sockaddr_storage myaddr;
struct sockaddr_in *in;
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
socklen_t salen;
int i;
if (sa == NULL) {
memset(&myaddr, 0, sizeof(myaddr));
sa = (struct sockaddr *)&myaddr;
if (getsockname(sd, sa, &salen) == -1)
return -1; /* errno is correctly set */
af = sa->sa_family;
memset(&myaddr, 0, salen);
} else
af = sa->sa_family;
if (af == AF_INET) {
in = (struct sockaddr_in *)sa;
salen = sizeof(struct sockaddr_in);
portp = &in->sin_port;
} else if (af == AF_INET6) {
in6 = (struct sockaddr_in6 *)sa;
salen = sizeof(struct sockaddr_in6);
portp = &in6->sin6_port;
} else {
errno = EPFNOSUPPORT;
return (-1);
}
sa->sa_family = af;
port = ntohs(*portp);
if (port == 0)
port = arc4random_uniform(NPORTS) + STARTPORT;
/* Avoid warning */
error = -1;
for(i = 0; i < NPORTS; i++) {
*portp = htons(port);
error = bind(sd, sa, salen);
/* Terminate on success */
if (error == 0)
break;
/* Terminate on errors, except "address already in use" */
if ((error < 0) && !((errno == EADDRINUSE) || (errno == EINVAL)))
break;
port++;
if (port > ENDPORT)
port = STARTPORT;
}
return (error);
}
#endif /* HAVE_BINDRESVPORT_SA */

88
crypto/external/bsd/openssh/dist/openbsd-compat/blf.h vendored Normal file
View File

@@ -0,0 +1,88 @@
/* $OpenBSD: blf.h,v 1.7 2007/03/14 17:59:41 grunk Exp $ */
/*
* Blowfish - a fast block cipher designed by Bruce Schneier
*
* Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Niels Provos.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _BLF_H_
#define _BLF_H_
#include "includes.h"
#if !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H)
/* Schneier specifies a maximum key length of 56 bytes.
* This ensures that every key bit affects every cipher
* bit. However, the subkeys can hold up to 72 bytes.
* Warning: For normal blowfish encryption only 56 bytes
* of the key affect all cipherbits.
*/
#define BLF_N 16 /* Number of Subkeys */
#define BLF_MAXKEYLEN ((BLF_N-2)*4) /* 448 bits */
#define BLF_MAXUTILIZED ((BLF_N+2)*4) /* 576 bits */
/* Blowfish context */
typedef struct BlowfishContext {
u_int32_t S[4][256]; /* S-Boxes */
u_int32_t P[BLF_N + 2]; /* Subkeys */
} blf_ctx;
/* Raw access to customized Blowfish
* blf_key is just:
* Blowfish_initstate( state )
* Blowfish_expand0state( state, key, keylen )
*/
void Blowfish_encipher(blf_ctx *, u_int32_t *, u_int32_t *);
void Blowfish_decipher(blf_ctx *, u_int32_t *, u_int32_t *);
void Blowfish_initstate(blf_ctx *);
void Blowfish_expand0state(blf_ctx *, const u_int8_t *, u_int16_t);
void Blowfish_expandstate
(blf_ctx *, const u_int8_t *, u_int16_t, const u_int8_t *, u_int16_t);
/* Standard Blowfish */
void blf_key(blf_ctx *, const u_int8_t *, u_int16_t);
void blf_enc(blf_ctx *, u_int32_t *, u_int16_t);
void blf_dec(blf_ctx *, u_int32_t *, u_int16_t);
void blf_ecb_encrypt(blf_ctx *, u_int8_t *, u_int32_t);
void blf_ecb_decrypt(blf_ctx *, u_int8_t *, u_int32_t);
void blf_cbc_encrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
void blf_cbc_decrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
/* Converts u_int8_t to u_int32_t */
u_int32_t Blowfish_stream2word(const u_int8_t *, u_int16_t , u_int16_t *);
#endif /* !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H) */
#endif /* _BLF_H */

696
crypto/external/bsd/openssh/dist/openbsd-compat/blowfish.c vendored Normal file
View File

@@ -0,0 +1,696 @@
/* $OpenBSD: blowfish.c,v 1.18 2004/11/02 17:23:26 hshoexer Exp $ */
/*
* Blowfish block cipher for OpenBSD
* Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
* All rights reserved.
*
* Implementation advice by David Mazieres <dm@lcs.mit.edu>.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Niels Provos.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This code is derived from section 14.3 and the given source
* in section V of Applied Cryptography, second edition.
* Blowfish is an unpatented fast block cipher designed by
* Bruce Schneier.
*/
#include "includes.h"
#if !defined(HAVE_BCRYPT_PBKDF) && (!defined(HAVE_BLOWFISH_INITSTATE) || \
!defined(HAVE_BLOWFISH_EXPAND0STATE) || !defined(HAVE_BLF_ENC))
#if 0
#include <stdio.h> /* used for debugging */
#include <string.h>
#endif
#include <sys/types.h>
#ifdef HAVE_BLF_H
#include <blf.h>
#endif
#undef inline
#ifdef __GNUC__
#define inline __inline
#else /* !__GNUC__ */
#define inline
#endif /* !__GNUC__ */
/* Function for Feistel Networks */
#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \
+ (s)[0x100 + (((x)>>16)&0xFF)]) \
^ (s)[0x200 + (((x)>> 8)&0xFF)]) \
+ (s)[0x300 + ( (x) &0xFF)])
#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n])
void
Blowfish_encipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
{
u_int32_t Xl;
u_int32_t Xr;
u_int32_t *s = c->S[0];
u_int32_t *p = c->P;
Xl = *xl;
Xr = *xr;
Xl ^= p[0];
BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2);
BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4);
BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6);
BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8);
BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10);
BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12);
BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14);
BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16);
*xl = Xr ^ p[17];
*xr = Xl;
}
void
Blowfish_decipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
{
u_int32_t Xl;
u_int32_t Xr;
u_int32_t *s = c->S[0];
u_int32_t *p = c->P;
Xl = *xl;
Xr = *xr;
Xl ^= p[17];
BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15);
BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13);
BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11);
BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9);
BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7);
BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5);
BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3);
BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1);
*xl = Xr ^ p[0];
*xr = Xl;
}
void
Blowfish_initstate(blf_ctx *c)
{
/* P-box and S-box tables initialized with digits of Pi */
static const blf_ctx initstate =
{ {
{
0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
{
0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
{
0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
{
0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
},
{
0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
0x9216d5d9, 0x8979fb1b
} };
*c = initstate;
}
u_int32_t
Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes,
u_int16_t *current)
{
u_int8_t i;
u_int16_t j;
u_int32_t temp;
temp = 0x00000000;
j = *current;
for (i = 0; i < 4; i++, j++) {
if (j >= databytes)
j = 0;
temp = (temp << 8) | data[j];
}
*current = j;
return temp;
}
void
Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes)
{
u_int16_t i;
u_int16_t j;
u_int16_t k;
u_int32_t temp;
u_int32_t datal;
u_int32_t datar;
j = 0;
for (i = 0; i < BLF_N + 2; i++) {
/* Extract 4 int8 to 1 int32 from keystream */
temp = Blowfish_stream2word(key, keybytes, &j);
c->P[i] = c->P[i] ^ temp;
}
j = 0;
datal = 0x00000000;
datar = 0x00000000;
for (i = 0; i < BLF_N + 2; i += 2) {
Blowfish_encipher(c, &datal, &datar);
c->P[i] = datal;
c->P[i + 1] = datar;
}
for (i = 0; i < 4; i++) {
for (k = 0; k < 256; k += 2) {
Blowfish_encipher(c, &datal, &datar);
c->S[i][k] = datal;
c->S[i][k + 1] = datar;
}
}
}
void
Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes,
const u_int8_t *key, u_int16_t keybytes)
{
u_int16_t i;
u_int16_t j;
u_int16_t k;
u_int32_t temp;
u_int32_t datal;
u_int32_t datar;
j = 0;
for (i = 0; i < BLF_N + 2; i++) {
/* Extract 4 int8 to 1 int32 from keystream */
temp = Blowfish_stream2word(key, keybytes, &j);
c->P[i] = c->P[i] ^ temp;
}
j = 0;
datal = 0x00000000;
datar = 0x00000000;
for (i = 0; i < BLF_N + 2; i += 2) {
datal ^= Blowfish_stream2word(data, databytes, &j);
datar ^= Blowfish_stream2word(data, databytes, &j);
Blowfish_encipher(c, &datal, &datar);
c->P[i] = datal;
c->P[i + 1] = datar;
}
for (i = 0; i < 4; i++) {
for (k = 0; k < 256; k += 2) {
datal ^= Blowfish_stream2word(data, databytes, &j);
datar ^= Blowfish_stream2word(data, databytes, &j);
Blowfish_encipher(c, &datal, &datar);
c->S[i][k] = datal;
c->S[i][k + 1] = datar;
}
}
}
void
blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len)
{
/* Initialize S-boxes and subkeys with Pi */
Blowfish_initstate(c);
/* Transform S-boxes and subkeys with key */
Blowfish_expand0state(c, k, len);
}
void
blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
{
u_int32_t *d;
u_int16_t i;
d = data;
for (i = 0; i < blocks; i++) {
Blowfish_encipher(c, d, d + 1);
d += 2;
}
}
void
blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
{
u_int32_t *d;
u_int16_t i;
d = data;
for (i = 0; i < blocks; i++) {
Blowfish_decipher(c, d, d + 1);
d += 2;
}
}
void
blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
{
u_int32_t l, r;
u_int32_t i;
for (i = 0; i < len; i += 8) {
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
Blowfish_encipher(c, &l, &r);
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
data += 8;
}
}
void
blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
{
u_int32_t l, r;
u_int32_t i;
for (i = 0; i < len; i += 8) {
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
Blowfish_decipher(c, &l, &r);
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
data += 8;
}
}
void
blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len)
{
u_int32_t l, r;
u_int32_t i, j;
for (i = 0; i < len; i += 8) {
for (j = 0; j < 8; j++)
data[j] ^= iv[j];
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
Blowfish_encipher(c, &l, &r);
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
iv = data;
data += 8;
}
}
void
blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len)
{
u_int32_t l, r;
u_int8_t *iv;
u_int32_t i, j;
iv = data + len - 16;
data = data + len - 8;
for (i = len - 8; i >= 8; i -= 8) {
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
Blowfish_decipher(c, &l, &r);
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
for (j = 0; j < 8; j++)
data[j] ^= iv[j];
iv -= 8;
data -= 8;
}
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
Blowfish_decipher(c, &l, &r);
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
for (j = 0; j < 8; j++)
data[j] ^= iva[j];
}
#if 0
void
report(u_int32_t data[], u_int16_t len)
{
u_int16_t i;
for (i = 0; i < len; i += 2)
printf("Block %0hd: %08lx %08lx.\n",
i / 2, data[i], data[i + 1]);
}
void
main(void)
{
blf_ctx c;
char key[] = "AAAAA";
char key2[] = "abcdefghijklmnopqrstuvwxyz";
u_int32_t data[10];
u_int32_t data2[] =
{0x424c4f57l, 0x46495348l};
u_int16_t i;
/* First test */
for (i = 0; i < 10; i++)
data[i] = i;
blf_key(&c, (u_int8_t *) key, 5);
blf_enc(&c, data, 5);
blf_dec(&c, data, 1);
blf_dec(&c, data + 2, 4);
printf("Should read as 0 - 9.\n");
report(data, 10);
/* Second test */
blf_key(&c, (u_int8_t *) key2, strlen(key2));
blf_enc(&c, data2, 1);
printf("\nShould read as: 0x324ed0fe 0xf413a203.\n");
report(data2, 2);
blf_dec(&c, data2, 1);
report(data2, 2);
}
#endif
#endif /* !defined(HAVE_BCRYPT_PBKDF) && (!defined(HAVE_BLOWFISH_INITSTATE) || \
!defined(HAVE_BLOWFISH_EXPAND0STATE) || !defined(HAVE_BLF_ENC)) */

101
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-asprintf.c vendored Normal file
View File

@@ -0,0 +1,101 @@
/*
* Copyright (c) 2004 Darren Tucker.
*
* Based originally on asprintf.c from OpenBSD:
* Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#ifndef HAVE_VASPRINTF
#include <errno.h>
#include <stdarg.h>
#include <stdlib.h>
#ifndef VA_COPY
# ifdef HAVE_VA_COPY
# define VA_COPY(dest, src) va_copy(dest, src)
# else
# ifdef HAVE___VA_COPY
# define VA_COPY(dest, src) __va_copy(dest, src)
# else
# define VA_COPY(dest, src) (dest) = (src)
# endif
# endif
#endif
#define INIT_SZ 128
int
vasprintf(char **str, const char *fmt, va_list ap)
{
int ret = -1;
va_list ap2;
char *string, *newstr;
size_t len;
VA_COPY(ap2, ap);
if ((string = malloc(INIT_SZ)) == NULL)
goto fail;
ret = vsnprintf(string, INIT_SZ, fmt, ap2);
if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
*str = string;
} else if (ret == INT_MAX || ret < 0) { /* Bad length */
free(string);
goto fail;
} else { /* bigger than initial, realloc allowing for nul */
len = (size_t)ret + 1;
if ((newstr = realloc(string, len)) == NULL) {
free(string);
goto fail;
} else {
va_end(ap2);
VA_COPY(ap2, ap);
ret = vsnprintf(newstr, len, fmt, ap2);
if (ret >= 0 && (size_t)ret < len) {
*str = newstr;
} else { /* failed with realloc'ed string, give up */
free(newstr);
goto fail;
}
}
}
va_end(ap2);
return (ret);
fail:
*str = NULL;
errno = ENOMEM;
va_end(ap2);
return (-1);
}
#endif
#ifndef HAVE_ASPRINTF
int asprintf(char **str, const char *fmt, ...)
{
va_list ap;
int ret;
*str = NULL;
va_start(ap, fmt);
ret = vasprintf(str, fmt, ap);
va_end(ap);
return ret;
}
#endif

109
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-closefrom.c vendored Normal file
View File

@@ -0,0 +1,109 @@
/*
* Copyright (c) 2004-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#ifndef HAVE_CLOSEFROM
#include <sys/types.h>
#include <sys/param.h>
#include <unistd.h>
#include <stdio.h>
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
#include <limits.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#ifdef HAVE_DIRENT_H
# include <dirent.h>
# define NAMLEN(dirent) strlen((dirent)->d_name)
#else
# define dirent direct
# define NAMLEN(dirent) (dirent)->d_namlen
# ifdef HAVE_SYS_NDIR_H
# include <sys/ndir.h>
# endif
# ifdef HAVE_SYS_DIR_H
# include <sys/dir.h>
# endif
# ifdef HAVE_NDIR_H
# include <ndir.h>
# endif
#endif
#ifndef OPEN_MAX
# define OPEN_MAX 256
#endif
#if 0
__unused static const char rcsid[] = "$Sudo: closefrom.c,v 1.11 2006/08/17 15:26:54 millert Exp $";
#endif /* lint */
/*
* Close all file descriptors greater than or equal to lowfd.
*/
#ifdef HAVE_FCNTL_CLOSEM
void
closefrom(int lowfd)
{
(void) fcntl(lowfd, F_CLOSEM, 0);
}
#else
void
closefrom(int lowfd)
{
long fd, maxfd;
#if defined(HAVE_DIRFD) && defined(HAVE_PROC_PID)
char fdpath[PATH_MAX], *endp;
struct dirent *dent;
DIR *dirp;
int len;
/* Check for a /proc/$$/fd directory. */
len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
if (len > 0 && (size_t)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
while ((dent = readdir(dirp)) != NULL) {
fd = strtol(dent->d_name, &endp, 10);
if (dent->d_name != endp && *endp == '\0' &&
fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp))
(void) close((int) fd);
}
(void) closedir(dirp);
} else
#endif
{
/*
* Fall back on sysconf() or getdtablesize(). We avoid checking
* resource limits since it is possible to open a file descriptor
* and then drop the rlimit such that it is below the open fd.
*/
#ifdef HAVE_SYSCONF
maxfd = sysconf(_SC_OPEN_MAX);
#else
maxfd = getdtablesize();
#endif /* HAVE_SYSCONF */
if (maxfd < 0)
maxfd = OPEN_MAX;
for (fd = lowfd; fd < maxfd; fd++)
(void) close((int) fd);
}
}
#endif /* !HAVE_FCNTL_CLOSEM */
#endif /* HAVE_CLOSEFROM */

817
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-cray.c vendored Normal file
View File

@@ -0,0 +1,817 @@
/*
* $Id: bsd-cray.c,v 1.17 2007/08/15 09:17:43 dtucker Exp $
*
* bsd-cray.c
*
* Copyright (c) 2002, Cray Inc. (Wendy Palm <wendyp@cray.com>)
* Significant portions provided by
* Wayne Schroeder, SDSC <schroeder@sdsc.edu>
* William Jones, UTexas <jones@tacc.utexas.edu>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Created: Apr 22 16.34:00 2002 wp
*
* This file contains functions required for proper execution
* on UNICOS systems.
*
*/
#ifdef _UNICOS
#include <udb.h>
#include <tmpdir.h>
#include <unistd.h>
#include <sys/category.h>
#include <utmp.h>
#include <sys/jtab.h>
#include <signal.h>
#include <sys/priv.h>
#include <sys/secparm.h>
#include <sys/tfm.h>
#include <sys/usrv.h>
#include <sys/sysv.h>
#include <sys/sectab.h>
#include <sys/secstat.h>
#include <sys/stat.h>
#include <sys/session.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <fcntl.h>
#include <errno.h>
#include <ia.h>
#include <urm.h>
#include "ssh.h"
#include "includes.h"
#include "sys/types.h"
#ifndef HAVE_STRUCT_SOCKADDR_STORAGE
# define _SS_MAXSIZE 128 /* Implementation specific max size */
# define _SS_PADSIZE (_SS_MAXSIZE - sizeof (struct sockaddr))
# define ss_family ss_sa.sa_family
#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */
#ifndef IN6_IS_ADDR_LOOPBACK
# define IN6_IS_ADDR_LOOPBACK(a) \
(((u_int32_t *) (a))[0] == 0 && ((u_int32_t *) (a))[1] == 0 && \
((u_int32_t *) (a))[2] == 0 && ((u_int32_t *) (a))[3] == htonl (1))
#endif /* !IN6_IS_ADDR_LOOPBACK */
#ifndef AF_INET6
/* Define it to something that should never appear */
#define AF_INET6 AF_MAX
#endif
#include "log.h"
#include "servconf.h"
#include "bsd-cray.h"
#define MAXACID 80
extern ServerOptions options;
char cray_tmpdir[TPATHSIZ + 1]; /* job TMPDIR path */
struct sysv sysv; /* system security structure */
struct usrv usrv; /* user security structure */
/*
* Functions.
*/
void cray_retain_utmp(struct utmp *, int);
void cray_delete_tmpdir(char *, int, uid_t);
void cray_init_job(struct passwd *);
void cray_set_tmpdir(struct utmp *);
void cray_login_failure(char *, int);
int cray_setup(uid_t, char *, const char *);
int cray_access_denied(char *);
void
cray_login_failure(char *username, int errcode)
{
struct udb *ueptr; /* UDB pointer for username */
ia_failure_t fsent; /* ia_failure structure */
ia_failure_ret_t fret; /* ia_failure return stuff */
struct jtab jtab; /* job table structure */
int jid = 0; /* job id */
if ((jid = getjtab(&jtab)) < 0)
debug("cray_login_failure(): getjtab error");
getsysudb();
if ((ueptr = getudbnam(username)) == UDB_NULL)
debug("cray_login_failure(): getudbname() returned NULL");
endudb();
memset(&fsent, '\0', sizeof(fsent));
fsent.revision = 0;
fsent.uname = username;
fsent.host = (char *)get_canonical_hostname(options.use_dns);
fsent.ttyn = "sshd";
fsent.caller = IA_SSHD;
fsent.flags = IA_INTERACTIVE;
fsent.ueptr = ueptr;
fsent.jid = jid;
fsent.errcode = errcode;
fsent.pwdp = NULL;
fsent.exitcode = 0; /* dont exit in ia_failure() */
fret.revision = 0;
fret.normal = 0;
/*
* Call ia_failure because of an login failure.
*/
ia_failure(&fsent, &fret);
}
/*
* Cray access denied
*/
int
cray_access_denied(char *username)
{
struct udb *ueptr; /* UDB pointer for username */
int errcode; /* IA errorcode */
errcode = 0;
getsysudb();
if ((ueptr = getudbnam(username)) == UDB_NULL)
debug("cray_login_failure(): getudbname() returned NULL");
endudb();
if (ueptr != NULL && ueptr->ue_disabled)
errcode = IA_DISABLED;
if (errcode)
cray_login_failure(username, errcode);
return (errcode);
}
/*
* record_failed_login: generic "login failed" interface function
*/
void
record_failed_login(const char *user, const char *hostname, const char *ttyname)
{
cray_login_failure((char *)user, IA_UDBERR);
}
int
cray_setup (uid_t uid, char *username, const char *command)
{
extern struct udb *getudb();
extern char *setlimits();
int err; /* error return */
time_t system_time; /* current system clock */
time_t expiration_time; /* password expiration time */
int maxattempts; /* maximum no. of failed login attempts */
int SecureSys; /* unicos security flag */
int minslevel = 0; /* system minimum security level */
int i, j;
int valid_acct = -1; /* flag for reading valid acct */
char acct_name[MAXACID] = { "" }; /* used to read acct name */
struct jtab jtab; /* Job table struct */
struct udb ue; /* udb entry for logging-in user */
struct udb *up; /* pointer to UDB entry */
struct secstat secinfo; /* file security attributes */
struct servprov init_info; /* used for sesscntl() call */
int jid; /* job ID */
int pid; /* process ID */
char *sr; /* status return from setlimits() */
char *ttyn = NULL; /* ttyname or command name*/
char hostname[MAXHOSTNAMELEN];
/* passwd stuff for ia_user */
passwd_t pwdacm, pwddialup, pwdudb, pwdwal, pwddce;
ia_user_ret_t uret; /* stuff returned from ia_user */
ia_user_t usent; /* ia_user main structure */
int ia_rcode; /* ia_user return code */
ia_failure_t fsent; /* ia_failure structure */
ia_failure_ret_t fret; /* ia_failure return stuff */
ia_success_t ssent; /* ia_success structure */
ia_success_ret_t sret; /* ia_success return stuff */
int ia_mlsrcode; /* ia_mlsuser return code */
int secstatrc; /* [f]secstat return code */
if (SecureSys = (int)sysconf(_SC_CRAY_SECURE_SYS)) {
getsysv(&sysv, sizeof(struct sysv));
minslevel = sysv.sy_minlvl;
if (getusrv(&usrv) < 0)
fatal("getusrv() failed, errno = %d", errno);
}
hostname[0] = '\0';
strlcpy(hostname,
(char *)get_canonical_hostname(options.use_dns),
MAXHOSTNAMELEN);
/*
* Fetch user's UDB entry.
*/
getsysudb();
if ((up = getudbnam(username)) == UDB_NULL)
fatal("cannot fetch user's UDB entry");
/*
* Prevent any possible fudging so perform a data
* safety check and compare the supplied uid against
* the udb's uid.
*/
if (up->ue_uid != uid)
fatal("IA uid missmatch");
endudb();
if ((jid = getjtab(&jtab)) < 0) {
debug("getjtab");
return(-1);
}
pid = getpid();
ttyn = ttyname(0);
if (SecureSys) {
if (ttyn != NULL)
secstatrc = secstat(ttyn, &secinfo);
else
secstatrc = fsecstat(1, &secinfo);
if (secstatrc == 0)
debug("[f]secstat() successful");
else
fatal("[f]secstat() error, rc = %d", secstatrc);
}
if ((ttyn == NULL) && ((char *)command != NULL))
ttyn = (char *)command;
/*
* Initialize all structures to call ia_user
*/
usent.revision = 0;
usent.uname = username;
usent.host = hostname;
usent.ttyn = ttyn;
usent.caller = IA_SSHD;
usent.pswdlist = &pwdacm;
usent.ueptr = &ue;
usent.flags = IA_INTERACTIVE | IA_FFLAG;
pwdacm.atype = IA_SECURID;
pwdacm.pwdp = NULL;
pwdacm.next = &pwdudb;
pwdudb.atype = IA_UDB;
pwdudb.pwdp = NULL;
pwdudb.next = &pwddce;
pwddce.atype = IA_DCE;
pwddce.pwdp = NULL;
pwddce.next = &pwddialup;
pwddialup.atype = IA_DIALUP;
pwddialup.pwdp = NULL;
/* pwddialup.next = &pwdwal; */
pwddialup.next = NULL;
pwdwal.atype = IA_WAL;
pwdwal.pwdp = NULL;
pwdwal.next = NULL;
uret.revision = 0;
uret.pswd = NULL;
uret.normal = 0;
ia_rcode = ia_user(&usent, &uret);
switch (ia_rcode) {
/*
* These are acceptable return codes from ia_user()
*/
case IA_UDBWEEK: /* Password Expires in 1 week */
expiration_time = ue.ue_pwage.time + ue.ue_pwage.maxage;
printf ("WARNING - your current password will expire %s\n",
ctime((const time_t *)&expiration_time));
break;
case IA_UDBEXPIRED:
if (ttyname(0) != NULL) {
/* Force a password change */
printf("Your password has expired; Choose a new one.\n");
execl("/bin/passwd", "passwd", username, 0);
exit(9);
}
break;
case IA_NORMAL: /* Normal Return Code */
break;
case IA_BACKDOOR:
/* XXX: can we memset it to zero here so save some of this */
strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));
ue.ue_passwd[0] = '\0';
ue.ue_age[0] = '\0';
ue.ue_comment[0] = '\0';
ue.ue_loghost[0] = '\0';
ue.ue_logline[0] = '\0';
ue.ue_uid = -1;
ue.ue_nice[UDBRC_INTER] = 0;
for (i = 0; i < MAXVIDS; i++)
ue.ue_gids[i] = 0;
ue.ue_logfails = 0;
ue.ue_minlvl = ue.ue_maxlvl = ue.ue_deflvl = minslevel;
ue.ue_defcomps = 0;
ue.ue_comparts = 0;
ue.ue_permits = 0;
ue.ue_trap = 0;
ue.ue_disabled = 0;
ue.ue_logtime = 0;
break;
case IA_CONSOLE: /* Superuser not from Console */
case IA_TRUSTED: /* Trusted user */
if (options.permit_root_login > PERMIT_NO)
break; /* Accept root login */
default:
/*
* These are failed return codes from ia_user()
*/
switch (ia_rcode)
{
case IA_BADAUTH:
printf("Bad authorization, access denied.\n");
break;
case IA_DISABLED:
printf("Your login has been disabled. Contact the system ");
printf("administrator for assistance.\n");
break;
case IA_GETSYSV:
printf("getsysv() failed - errno = %d\n", errno);
break;
case IA_MAXLOGS:
printf("Maximum number of failed login attempts exceeded.\n");
printf("Access denied.\n");
break;
case IA_UDBPWDNULL:
if (SecureSys)
printf("NULL Password not allowed on MLS systems.\n");
break;
default:
break;
}
/*
* Authentication failed.
*/
printf("sshd: Login incorrect, (0%o)\n",
ia_rcode-IA_ERRORCODE);
/*
* Initialize structure for ia_failure
* which will exit.
*/
fsent.revision = 0;
fsent.uname = username;
fsent.host = hostname;
fsent.ttyn = ttyn;
fsent.caller = IA_SSHD;
fsent.flags = IA_INTERACTIVE;
fsent.ueptr = &ue;
fsent.jid = jid;
fsent.errcode = ia_rcode;
fsent.pwdp = uret.pswd;
fsent.exitcode = 1;
fret.revision = 0;
fret.normal = 0;
/*
* Call ia_failure because of an IA failure.
* There is no return because ia_failure exits.
*/
ia_failure(&fsent, &fret);
exit(1);
}
ia_mlsrcode = IA_NORMAL;
if (SecureSys) {
debug("calling ia_mlsuser()");
ia_mlsrcode = ia_mlsuser(&ue, &secinfo, &usrv, NULL, 0);
}
if (ia_mlsrcode != IA_NORMAL) {
printf("sshd: Login incorrect, (0%o)\n",
ia_mlsrcode-IA_ERRORCODE);
/*
* Initialize structure for ia_failure
* which will exit.
*/
fsent.revision = 0;
fsent.uname = username;
fsent.host = hostname;
fsent.ttyn = ttyn;
fsent.caller = IA_SSHD;
fsent.flags = IA_INTERACTIVE;
fsent.ueptr = &ue;
fsent.jid = jid;
fsent.errcode = ia_mlsrcode;
fsent.pwdp = uret.pswd;
fsent.exitcode = 1;
fret.revision = 0;
fret.normal = 0;
/*
* Call ia_failure because of an IA failure.
* There is no return because ia_failure exits.
*/
ia_failure(&fsent,&fret);
exit(1);
}
/* Provide login status information */
if (options.print_lastlog && ue.ue_logtime != 0) {
printf("Last successful login was : %.*s ", 19,
(char *)ctime(&ue.ue_logtime));
if (*ue.ue_loghost != '\0') {
printf("from %.*s\n", sizeof(ue.ue_loghost),
ue.ue_loghost);
} else {
printf("on %.*s\n", sizeof(ue.ue_logline),
ue.ue_logline);
}
if (SecureSys && (ue.ue_logfails != 0)) {
printf(" followed by %d failed attempts\n",
ue.ue_logfails);
}
}
/*
* Call ia_success to process successful I/A.
*/
ssent.revision = 0;
ssent.uname = username;
ssent.host = hostname;
ssent.ttyn = ttyn;
ssent.caller = IA_SSHD;
ssent.flags = IA_INTERACTIVE;
ssent.ueptr = &ue;
ssent.jid = jid;
ssent.errcode = ia_rcode;
ssent.us = NULL;
ssent.time = 1; /* Set ue_logtime */
sret.revision = 0;
sret.normal = 0;
ia_success(&ssent, &sret);
/*
* Query for account, iff > 1 valid acid & askacid permbit
*/
if (((ue.ue_permbits & PERMBITS_ACCTID) ||
(ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)) &&
ue.ue_permbits & PERMBITS_ASKACID) {
if (ttyname(0) != NULL) {
debug("cray_setup: ttyname true case, %.100s", ttyname);
while (valid_acct == -1) {
printf("Account (? for available accounts)"
" [%s]: ", acid2nam(ue.ue_acids[0]));
fgets(acct_name, MAXACID, stdin);
switch (acct_name[0]) {
case EOF:
exit(0);
break;
case '\0':
valid_acct = ue.ue_acids[0];
strlcpy(acct_name, acid2nam(valid_acct), MAXACID);
break;
case '?':
/* Print the list 3 wide */
for (i = 0, j = 0; i < MAXVIDS; i++) {
if (ue.ue_acids[i] == -1) {
printf("\n");
break;
}
if (++j == 4) {
j = 1;
printf("\n");
}
printf(" %s",
acid2nam(ue.ue_acids[i]));
}
if (ue.ue_permbits & PERMBITS_ACCTID) {
printf("\"acctid\" permbit also allows"
" you to select any valid "
"account name.\n");
}
printf("\n");
break;
default:
valid_acct = nam2acid(acct_name);
if (valid_acct == -1)
printf(
"Account id not found for"
" account name \"%s\"\n\n",
acct_name);
break;
}
/*
* If an account was given, search the user's
* acids array to verify they can use this account.
*/
if ((valid_acct != -1) &&
!(ue.ue_permbits & PERMBITS_ACCTID)) {
for (i = 0; i < MAXVIDS; i++) {
if (ue.ue_acids[i] == -1)
break;
if (valid_acct == ue.ue_acids[i])
break;
}
if (i == MAXVIDS ||
ue.ue_acids[i] == -1) {
fprintf(stderr, "Cannot set"
" account name to "
"\"%s\", permission "
"denied\n\n", acct_name);
valid_acct = -1;
}
}
}
} else {
/*
* The client isn't connected to a terminal and can't
* respond to an acid prompt. Use default acid.
*/
debug("cray_setup: ttyname false case, %.100s",
ttyname);
valid_acct = ue.ue_acids[0];
}
} else {
/*
* The user doesn't have the askacid permbit set or
* only has one valid account to use.
*/
valid_acct = ue.ue_acids[0];
}
if (acctid(0, valid_acct) < 0) {
printf ("Bad account id: %d\n", valid_acct);
exit(1);
}
/*
* Now set shares, quotas, limits, including CPU time for the
* (interactive) job and process, and set up permissions
* (for chown etc), etc.
*/
if (setshares(ue.ue_uid, valid_acct, printf, 0, 0)) {
printf("Unable to give %d shares to <%s>(%d/%d)\n",
ue.ue_shares, ue.ue_name, ue.ue_uid, valid_acct);
exit(1);
}
sr = setlimits(username, C_PROC, pid, UDBRC_INTER);
if (sr != NULL) {
debug("%.200s", sr);
exit(1);
}
sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
if (sr != NULL) {
debug("%.200s", sr);
exit(1);
}
/*
* Place the service provider information into
* the session table (Unicos) or job table (Unicos/mk).
* There exist double defines for the job/session table in
* unicos/mk (jtab.h) so no need for a compile time switch.
*/
memset(&init_info, '\0', sizeof(init_info));
init_info.s_sessinit.si_id = URM_SPT_LOGIN;
init_info.s_sessinit.si_pid = getpid();
init_info.s_sessinit.si_sid = jid;
sesscntl(0, S_SETSERVPO, (int)&init_info);
/*
* Set user and controlling tty security attributes.
*/
if (SecureSys) {
if (setusrv(&usrv) == -1) {
debug("setusrv() failed, errno = %d",errno);
exit(1);
}
}
return (0);
}
/*
* The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk
* can have pal privileges that sshd can inherit which
* could allow a user to su to root with out a password.
* This subroutine clears all privileges.
*/
void
drop_cray_privs()
{
#if defined(_SC_CRAY_PRIV_SU)
priv_proc_t *privstate;
int result;
extern int priv_set_proc();
extern priv_proc_t *priv_init_proc();
/*
* If ether of theses two flags are not set
* then don't allow this version of ssh to run.
*/
if (!sysconf(_SC_CRAY_PRIV_SU))
fatal("Not PRIV_SU system.");
if (!sysconf(_SC_CRAY_POSIX_PRIV))
fatal("Not POSIX_PRIV.");
debug("Setting MLS labels.");;
if (sysconf(_SC_CRAY_SECURE_MAC)) {
usrv.sv_minlvl = SYSLOW;
usrv.sv_actlvl = SYSHIGH;
usrv.sv_maxlvl = SYSHIGH;
} else {
usrv.sv_minlvl = sysv.sy_minlvl;
usrv.sv_actlvl = sysv.sy_minlvl;
usrv.sv_maxlvl = sysv.sy_maxlvl;
}
usrv.sv_actcmp = 0;
usrv.sv_valcmp = sysv.sy_valcmp;
usrv.sv_intcat = TFM_SYSTEM;
usrv.sv_valcat |= (TFM_SYSTEM | TFM_SYSFILE);
if (setusrv(&usrv) < 0) {
fatal("%s(%d): setusrv(): %s", __FILE__, __LINE__,
strerror(errno));
}
if ((privstate = priv_init_proc()) != NULL) {
result = priv_set_proc(privstate);
if (result != 0 ) {
fatal("%s(%d): priv_set_proc(): %s",
__FILE__, __LINE__, strerror(errno));
}
priv_free_proc(privstate);
}
debug ("Privileges should be cleared...");
#else
/* XXX: do this differently */
# error Cray systems must be run with _SC_CRAY_PRIV_SU on!
#endif
}
/*
* Retain utmp/wtmp information - used by cray accounting.
*/
void
cray_retain_utmp(struct utmp *ut, int pid)
{
int fd;
struct utmp utmp;
if ((fd = open(UTMP_FILE, O_RDONLY)) != -1) {
/* XXX use atomicio */
while (read(fd, (char *)&utmp, sizeof(utmp)) == sizeof(utmp)) {
if (pid == utmp.ut_pid) {
ut->ut_jid = utmp.ut_jid;
strncpy(ut->ut_tpath, utmp.ut_tpath, sizeof(utmp.ut_tpath));
strncpy(ut->ut_host, utmp.ut_host, sizeof(utmp.ut_host));
strncpy(ut->ut_name, utmp.ut_name, sizeof(utmp.ut_name));
break;
}
}
close(fd);
} else
fatal("Unable to open utmp file");
}
/*
* tmpdir support.
*/
/*
* find and delete jobs tmpdir.
*/
void
cray_delete_tmpdir(char *login, int jid, uid_t uid)
{
static char jtmp[TPATHSIZ];
struct stat statbuf;
int child, c, wstat;
for (c = 'a'; c <= 'z'; c++) {
snprintf(jtmp, TPATHSIZ, "%s/jtmp.%06d%c", JTMPDIR, jid, c);
if (stat(jtmp, &statbuf) == 0 && statbuf.st_uid == uid)
break;
}
if (c > 'z')
return;
if ((child = fork()) == 0) {
execl(CLEANTMPCMD, CLEANTMPCMD, login, jtmp, (char *)NULL);
fatal("cray_delete_tmpdir: execl of CLEANTMPCMD failed");
}
while (waitpid(child, &wstat, 0) == -1 && errno == EINTR)
;
}
/*
* Remove tmpdir on job termination.
*/
void
cray_job_termination_handler(int sig)
{
int jid;
char *login = NULL;
struct jtab jtab;
if ((jid = waitjob(&jtab)) == -1 ||
(login = uid2nam(jtab.j_uid)) == NULL)
return;
cray_delete_tmpdir(login, jid, jtab.j_uid);
}
/*
* Set job id and create tmpdir directory.
*/
void
cray_init_job(struct passwd *pw)
{
int jid;
int c;
jid = setjob(pw->pw_uid, WJSIGNAL);
if (jid < 0)
fatal("System call setjob failure");
for (c = 'a'; c <= 'z'; c++) {
snprintf(cray_tmpdir, TPATHSIZ, "%s/jtmp.%06d%c", JTMPDIR, jid, c);
if (mkdir(cray_tmpdir, JTMPMODE) != 0)
continue;
if (chown(cray_tmpdir, pw->pw_uid, pw->pw_gid) != 0) {
rmdir(cray_tmpdir);
continue;
}
break;
}
if (c > 'z')
cray_tmpdir[0] = '\0';
}
void
cray_set_tmpdir(struct utmp *ut)
{
int jid;
struct jtab jbuf;
if ((jid = getjtab(&jbuf)) < 0)
return;
/*
* Set jid and tmpdir in utmp record.
*/
ut->ut_jid = jid;
strncpy(ut->ut_tpath, cray_tmpdir, TPATHSIZ);
}
#endif /* UNICOS */
#ifdef _UNICOSMP
#include <pwd.h>
/*
* Set job id and create tmpdir directory.
*/
void
cray_init_job(struct passwd *pw)
{
initrm_silent(pw->pw_uid);
return;
}
#endif /* _UNICOSMP */

61
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-cray.h vendored Normal file
View File

@@ -0,0 +1,61 @@
/* $Id: bsd-cray.h,v 1.12 2005/02/02 06:10:11 dtucker Exp $ */
/*
* Copyright (c) 2002, Cray Inc. (Wendy Palm <wendyp@cray.com>)
* Significant portions provided by
* Wayne Schroeder, SDSC <schroeder@sdsc.edu>
* William Jones, UTexas <jones@tacc.utexas.edu>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Created: Apr 22 16.34:00 2002 wp
*
* This file contains functions required for proper execution
* on UNICOS systems.
*
*/
#ifndef _BSD_CRAY_H
#define _BSD_CRAY_H
#ifdef _UNICOS
void cray_init_job(struct passwd *);
void cray_job_termination_handler(int);
void cray_login_failure(char *, int );
int cray_access_denied(char *);
extern char cray_tmpdir[];
#define CUSTOM_FAILED_LOGIN 1
#ifndef IA_SSHD
# define IA_SSHD IA_LOGIN
#endif
#ifndef MAXHOSTNAMELEN
# define MAXHOSTNAMELEN 64
#endif
#ifndef _CRAYT3E
# define TIOCGPGRP (tIOC|20)
#endif
#endif /* UNICOS */
#endif /* _BSD_CRAY_H */

119
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-cygwin_util.c vendored Normal file
View File

@@ -0,0 +1,119 @@
/*
* Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Created: Sat Sep 02 12:17:00 2000 cv
*
* This file contains functions for forcing opened file descriptors to
* binary mode on Windows systems.
*/
#define NO_BINARY_OPEN /* Avoid redefining open to binary_open for this file */
#include "includes.h"
#ifdef HAVE_CYGWIN
#include <sys/types.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include "xmalloc.h"
int
binary_open(const char *filename, int flags, ...)
{
va_list ap;
mode_t mode;
va_start(ap, flags);
mode = va_arg(ap, mode_t);
va_end(ap);
return (open(filename, flags | O_BINARY, mode));
}
int
check_ntsec(const char *filename)
{
return (pathconf(filename, _PC_POSIX_PERMISSIONS));
}
const char *
cygwin_ssh_privsep_user()
{
static char cyg_privsep_user[DNLEN + UNLEN + 2];
if (!cyg_privsep_user[0])
{
#ifdef CW_CYGNAME_FROM_WINNAME
if (cygwin_internal (CW_CYGNAME_FROM_WINNAME, "sshd", cyg_privsep_user,
sizeof cyg_privsep_user) != 0)
#endif
strlcpy(cyg_privsep_user, "sshd", sizeof(cyg_privsep_user));
}
return cyg_privsep_user;
}
#define NL(x) x, (sizeof (x) - 1)
#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
static struct wenv {
const char *name;
size_t namelen;
} wenv_arr[] = {
{ NL("ALLUSERSPROFILE=") },
{ NL("COMPUTERNAME=") },
{ NL("COMSPEC=") },
{ NL("CYGWIN=") },
{ NL("OS=") },
{ NL("PATH=") },
{ NL("PATHEXT=") },
{ NL("PROGRAMFILES=") },
{ NL("SYSTEMDRIVE=") },
{ NL("SYSTEMROOT=") },
{ NL("WINDIR=") }
};
char **
fetch_windows_environment(void)
{
char **e, **p;
unsigned int i, idx = 0;
p = xcalloc(WENV_SIZ + 1, sizeof(char *));
for (e = environ; *e != NULL; ++e) {
for (i = 0; i < WENV_SIZ; ++i) {
if (!strncmp(*e, wenv_arr[i].name, wenv_arr[i].namelen))
p[idx++] = *e;
}
}
p[idx] = NULL;
return p;
}
void
free_windows_environment(char **p)
{
free(p);
}
#endif /* HAVE_CYGWIN */

67
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-cygwin_util.h vendored Normal file
View File

@@ -0,0 +1,67 @@
/* $Id: bsd-cygwin_util.h,v 1.18 2014/05/27 04:34:43 djm Exp $ */
/*
* Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Created: Sat Sep 02 12:17:00 2000 cv
*
* This file contains functions for forcing opened file descriptors to
* binary mode on Windows systems.
*/
#ifndef _BSD_CYGWIN_UTIL_H
#define _BSD_CYGWIN_UTIL_H
#ifdef HAVE_CYGWIN
#undef ERROR
/* Avoid including windows headers. */
typedef void *HANDLE;
#define INVALID_HANDLE_VALUE ((HANDLE) -1)
#define DNLEN 16
#define UNLEN 256
/* Cygwin functions for which declarations are only available when including
windows headers, so we have to define them here explicitely. */
extern HANDLE cygwin_logon_user (const struct passwd *, const char *);
extern void cygwin_set_impersonation_token (const HANDLE);
#include <sys/cygwin.h>
#include <io.h>
#define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user())
const char *cygwin_ssh_privsep_user();
int binary_open(const char *, int , ...);
int check_ntsec(const char *);
char **fetch_windows_environment(void);
void free_windows_environment(char **);
#ifndef NO_BINARY_OPEN
#define open binary_open
#endif
#endif /* HAVE_CYGWIN */
#endif /* _BSD_CYGWIN_UTIL_H */

73
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-getpeereid.c vendored Normal file
View File

@@ -0,0 +1,73 @@
/*
* Copyright (c) 2002,2004 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#if !defined(HAVE_GETPEEREID)
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#if defined(SO_PEERCRED)
int
getpeereid(int s, uid_t *euid, gid_t *gid)
{
struct ucred cred;
socklen_t len = sizeof(cred);
if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
return (-1);
*euid = cred.uid;
*gid = cred.gid;
return (0);
}
#elif defined(HAVE_GETPEERUCRED)
#ifdef HAVE_UCRED_H
# include <ucred.h>
#endif
int
getpeereid(int s, uid_t *euid, gid_t *gid)
{
ucred_t *ucred = NULL;
if (getpeerucred(s, &ucred) == -1)
return (-1);
if ((*euid = ucred_geteuid(ucred)) == -1)
return (-1);
if ((*gid = ucred_getrgid(ucred)) == -1)
return (-1);
ucred_free(ucred);
return (0);
}
#else
int
getpeereid(int s, uid_t *euid, gid_t *gid)
{
*euid = geteuid();
*gid = getgid();
return (0);
}
#endif /* defined(SO_PEERCRED) */
#endif /* !defined(HAVE_GETPEEREID) */

278
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-misc.c vendored Normal file
View File

@@ -0,0 +1,278 @@
/*
* Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#include <sys/types.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <string.h>
#include <signal.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#ifndef HAVE___PROGNAME
char *__progname;
#endif
/*
* NB. duplicate __progname in case it is an alias for argv[0]
* Otherwise it may get clobbered by setproctitle()
*/
char *ssh_get_progname(char *argv0)
{
char *p, *q;
#ifdef HAVE___PROGNAME
extern char *__progname;
p = __progname;
#else
if (argv0 == NULL)
return ("unknown"); /* XXX */
p = strrchr(argv0, '/');
if (p == NULL)
p = argv0;
else
p++;
#endif
if ((q = strdup(p)) == NULL) {
perror("strdup");
exit(1);
}
return q;
}
#ifndef HAVE_SETLOGIN
int setlogin(const char *name)
{
return (0);
}
#endif /* !HAVE_SETLOGIN */
#ifndef HAVE_INNETGR
int innetgr(const char *netgroup, const char *host,
const char *user, const char *domain)
{
return (0);
}
#endif /* HAVE_INNETGR */
#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
int seteuid(uid_t euid)
{
return (setreuid(-1, euid));
}
#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */
#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
int setegid(uid_t egid)
{
return(setresgid(-1, egid, -1));
}
#endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */
#if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR)
const char *strerror(int e)
{
extern int sys_nerr;
extern char *sys_errlist[];
if ((e >= 0) && (e < sys_nerr))
return (sys_errlist[e]);
return ("unlisted error");
}
#endif
#ifndef HAVE_UTIMES
int utimes(char *filename, struct timeval *tvp)
{
struct utimbuf ub;
ub.actime = tvp[0].tv_sec;
ub.modtime = tvp[1].tv_sec;
return (utime(filename, &ub));
}
#endif
#ifndef HAVE_TRUNCATE
int truncate(const char *path, off_t length)
{
int fd, ret, saverrno;
fd = open(path, O_WRONLY);
if (fd < 0)
return (-1);
ret = ftruncate(fd, length);
saverrno = errno;
close(fd);
if (ret == -1)
errno = saverrno;
return(ret);
}
#endif /* HAVE_TRUNCATE */
#if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP)
int nanosleep(const struct timespec *req, struct timespec *rem)
{
int rc, saverrno;
extern int errno;
struct timeval tstart, tstop, tremain, time2wait;
TIMESPEC_TO_TIMEVAL(&time2wait, req)
(void) gettimeofday(&tstart, NULL);
rc = select(0, NULL, NULL, NULL, &time2wait);
if (rc == -1) {
saverrno = errno;
(void) gettimeofday (&tstop, NULL);
errno = saverrno;
tremain.tv_sec = time2wait.tv_sec -
(tstop.tv_sec - tstart.tv_sec);
tremain.tv_usec = time2wait.tv_usec -
(tstop.tv_usec - tstart.tv_usec);
tremain.tv_sec += tremain.tv_usec / 1000000L;
tremain.tv_usec %= 1000000L;
} else {
tremain.tv_sec = 0;
tremain.tv_usec = 0;
}
if (rem != NULL)
TIMEVAL_TO_TIMESPEC(&tremain, rem)
return(rc);
}
#endif
#if !defined(HAVE_USLEEP)
int usleep(unsigned int useconds)
{
struct timespec ts;
ts.tv_sec = useconds / 1000000;
ts.tv_nsec = (useconds % 1000000) * 1000;
return nanosleep(&ts, NULL);
}
#endif
#ifndef HAVE_TCGETPGRP
pid_t
tcgetpgrp(int fd)
{
int ctty_pgrp;
if (ioctl(fd, TIOCGPGRP, &ctty_pgrp) == -1)
return(-1);
else
return(ctty_pgrp);
}
#endif /* HAVE_TCGETPGRP */
#ifndef HAVE_TCSENDBREAK
int
tcsendbreak(int fd, int duration)
{
# if defined(TIOCSBRK) && defined(TIOCCBRK)
struct timeval sleepytime;
sleepytime.tv_sec = 0;
sleepytime.tv_usec = 400000;
if (ioctl(fd, TIOCSBRK, 0) == -1)
return (-1);
(void)select(0, 0, 0, 0, &sleepytime);
if (ioctl(fd, TIOCCBRK, 0) == -1)
return (-1);
return (0);
# else
return -1;
# endif
}
#endif /* HAVE_TCSENDBREAK */
mysig_t
mysignal(int sig, mysig_t act)
{
#ifdef HAVE_SIGACTION
struct sigaction sa, osa;
if (sigaction(sig, NULL, &osa) == -1)
return (mysig_t) -1;
if (osa.sa_handler != act) {
memset(&sa, 0, sizeof(sa));
sigemptyset(&sa.sa_mask);
sa.sa_flags = 0;
#ifdef SA_INTERRUPT
if (sig == SIGALRM)
sa.sa_flags |= SA_INTERRUPT;
#endif
sa.sa_handler = act;
if (sigaction(sig, &sa, NULL) == -1)
return (mysig_t) -1;
}
return (osa.sa_handler);
#else
#undef signal
return (signal(sig, act));
#endif
}
#ifndef HAVE_STRDUP
char *
strdup(const char *str)
{
size_t len;
char *cp;
len = strlen(str) + 1;
cp = malloc(len);
if (cp != NULL)
return(memcpy(cp, str, len));
return NULL;
}
#endif
#ifndef HAVE_ISBLANK
int
isblank(int c)
{
return (c == ' ' || c == '\t');
}
#endif
#ifndef HAVE_GETPGID
pid_t
getpgid(pid_t pid)
{
#if defined(HAVE_GETPGRP) && !defined(GETPGRP_VOID)
return getpgrp(pid);
#elif defined(HAVE_GETPGRP)
if (pid == 0)
return getpgrp();
#endif
errno = ESRCH;
return -1;
}
#endif

125
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-misc.h vendored Normal file
View File

@@ -0,0 +1,125 @@
/* $Id: bsd-misc.h,v 1.25 2013/08/04 11:48:41 dtucker Exp $ */
/*
* Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _BSD_MISC_H
#define _BSD_MISC_H
#include "includes.h"
char *ssh_get_progname(char *);
#ifndef HAVE_SETSID
#define setsid() setpgrp(0, getpid())
#endif /* !HAVE_SETSID */
#ifndef HAVE_SETENV
int setenv(const char *, const char *, int);
#endif /* !HAVE_SETENV */
#ifndef HAVE_SETLOGIN
int setlogin(const char *);
#endif /* !HAVE_SETLOGIN */
#ifndef HAVE_INNETGR
int innetgr(const char *, const char *, const char *, const char *);
#endif /* HAVE_INNETGR */
#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
int seteuid(uid_t);
#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */
#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
int setegid(uid_t);
#endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */
#if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR)
const char *strerror(int);
#endif
#if !defined(HAVE_SETLINEBUF)
#define setlinebuf(a) (setvbuf((a), NULL, _IOLBF, 0))
#endif
#ifndef HAVE_UTIMES
#ifndef HAVE_STRUCT_TIMEVAL
struct timeval {
long tv_sec;
long tv_usec;
}
#endif /* HAVE_STRUCT_TIMEVAL */
int utimes(char *, struct timeval *);
#endif /* HAVE_UTIMES */
#ifndef HAVE_TRUNCATE
int truncate (const char *, off_t);
#endif /* HAVE_TRUNCATE */
#if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP)
#ifndef HAVE_STRUCT_TIMESPEC
struct timespec {
time_t tv_sec;
long tv_nsec;
};
#endif
int nanosleep(const struct timespec *, struct timespec *);
#endif
#ifndef HAVE_USLEEP
int usleep(unsigned int useconds);
#endif
#ifndef HAVE_TCGETPGRP
pid_t tcgetpgrp(int);
#endif
#ifndef HAVE_TCSENDBREAK
int tcsendbreak(int, int);
#endif
#ifndef HAVE_UNSETENV
int unsetenv(const char *);
#endif
/* wrapper for signal interface */
typedef void (*mysig_t)(int);
mysig_t mysignal(int sig, mysig_t act);
#define signal(a,b) mysignal(a,b)
#ifndef HAVE_ISBLANK
int isblank(int);
#endif
#ifndef HAVE_GETPGID
pid_t getpgid(pid_t);
#endif
#ifndef HAVE_ENDGRENT
# define endgrent() do { } while(0)
#endif
#ifndef HAVE_KRB5_GET_ERROR_MESSAGE
# define krb5_get_error_message krb5_get_err_text
#endif
#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE
# define krb5_free_error_message(a,b) do { } while(0)
#endif
#endif /* _BSD_MISC_H */

103
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-nextstep.c vendored Normal file
View File

@@ -0,0 +1,103 @@
/*
* Copyright (c) 2000,2001 Ben Lindstrom. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#ifdef HAVE_NEXT
#include <errno.h>
#include <sys/wait.h>
#include "bsd-nextstep.h"
pid_t
posix_wait(int *status)
{
union wait statusp;
pid_t wait_pid;
#undef wait /* Use NeXT's wait() function */
wait_pid = wait(&statusp);
if (status)
*status = (int) statusp.w_status;
return (wait_pid);
}
int
tcgetattr(int fd, struct termios *t)
{
return (ioctl(fd, TIOCGETA, t));
}
int
tcsetattr(int fd, int opt, const struct termios *t)
{
struct termios localterm;
if (opt & TCSASOFT) {
localterm = *t;
localterm.c_cflag |= CIGNORE;
t = &localterm;
}
switch (opt & ~TCSASOFT) {
case TCSANOW:
return (ioctl(fd, TIOCSETA, t));
case TCSADRAIN:
return (ioctl(fd, TIOCSETAW, t));
case TCSAFLUSH:
return (ioctl(fd, TIOCSETAF, t));
default:
errno = EINVAL;
return (-1);
}
}
int tcsetpgrp(int fd, pid_t pgrp)
{
return (ioctl(fd, TIOCSPGRP, &pgrp));
}
speed_t cfgetospeed(const struct termios *t)
{
return (t->c_ospeed);
}
speed_t cfgetispeed(const struct termios *t)
{
return (t->c_ispeed);
}
int
cfsetospeed(struct termios *t,int speed)
{
t->c_ospeed = speed;
return (0);
}
int
cfsetispeed(struct termios *t, int speed)
{
t->c_ispeed = speed;
return (0);
}
#endif /* HAVE_NEXT */

59
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-nextstep.h vendored Normal file
View File

@@ -0,0 +1,59 @@
/* $Id: bsd-nextstep.h,v 1.9 2003/08/29 16:59:52 mouring Exp $ */
/*
* Copyright (c) 2000,2001 Ben Lindstrom. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef _NEXT_POSIX_H
#define _NEXT_POSIX_H
#ifdef HAVE_NEXT
#include <sys/dir.h>
/* NGROUPS_MAX is behind -lposix. Use the BSD version which is NGROUPS */
#undef NGROUPS_MAX
#define NGROUPS_MAX NGROUPS
/* NeXT's readdir() is BSD (struct direct) not POSIX (struct dirent) */
#define dirent direct
/* Swap out NeXT's BSD wait() for a more POSIX complient one */
pid_t posix_wait(int *);
#define wait(a) posix_wait(a)
/* #ifdef wrapped functions that need defining for clean compiling */
pid_t getppid(void);
void vhangup(void);
int innetgr(const char *, const char *, const char *, const char *);
/* TERMCAP */
int tcgetattr(int, struct termios *);
int tcsetattr(int, int, const struct termios *);
int tcsetpgrp(int, pid_t);
speed_t cfgetospeed(const struct termios *);
speed_t cfgetispeed(const struct termios *);
int cfsetospeed(struct termios *, int);
int cfsetispeed(struct termios *, int);
#endif /* HAVE_NEXT */
#endif /* _NEXT_POSIX_H */

220
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-openpty.c vendored Normal file
View File

@@ -0,0 +1,220 @@
/*
* Please note: this implementation of openpty() is far from complete.
* it is just enough for portable OpenSSH's needs.
*/
/*
* Copyright (c) 2004 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* Allocating a pseudo-terminal, and making it the controlling tty.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*/
#include "includes.h"
#if !defined(HAVE_OPENPTY)
#include <sys/types.h>
#include <stdlib.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_SYS_IOCTL_H
# include <sys/ioctl.h>
#endif
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
#ifdef HAVE_UTIL_H
# include <util.h>
#endif /* HAVE_UTIL_H */
#ifdef HAVE_PTY_H
# include <pty.h>
#endif
#if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H)
# include <sys/stropts.h>
#endif
#include <signal.h>
#include <string.h>
#include <unistd.h>
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
int
openpty(int *amaster, int *aslave, char *name, struct termios *termp,
struct winsize *winp)
{
#if defined(HAVE__GETPTY)
/*
* _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more
* pty's automagically when needed
*/
char *slave;
if ((slave = _getpty(amaster, O_RDWR, 0622, 0)) == NULL)
return (-1);
/* Open the slave side. */
if ((*aslave = open(slave, O_RDWR | O_NOCTTY)) == -1) {
close(*amaster);
return (-1);
}
return (0);
#elif defined(HAVE_DEV_PTMX)
/*
* This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3
* also has bsd-style ptys, but they simply do not work.)
*/
int ptm;
char *pts;
mysig_t old_signal;
if ((ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY)) == -1)
return (-1);
/* XXX: need to close ptm on error? */
old_signal = signal(SIGCHLD, SIG_DFL);
if (grantpt(ptm) < 0)
return (-1);
signal(SIGCHLD, old_signal);
if (unlockpt(ptm) < 0)
return (-1);
if ((pts = ptsname(ptm)) == NULL)
return (-1);
*amaster = ptm;
/* Open the slave side. */
if ((*aslave = open(pts, O_RDWR | O_NOCTTY)) == -1) {
close(*amaster);
return (-1);
}
/*
* Try to push the appropriate streams modules, as described
* in Solaris pts(7).
*/
ioctl(*aslave, I_PUSH, "ptem");
ioctl(*aslave, I_PUSH, "ldterm");
# ifndef __hpux
ioctl(*aslave, I_PUSH, "ttcompat");
# endif /* __hpux */
return (0);
#elif defined(HAVE_DEV_PTS_AND_PTC)
/* AIX-style pty code. */
const char *ttname;
if ((*amaster = open("/dev/ptc", O_RDWR | O_NOCTTY)) == -1)
return (-1);
if ((ttname = ttyname(*amaster)) == NULL)
return (-1);
if ((*aslave = open(ttname, O_RDWR | O_NOCTTY)) == -1) {
close(*amaster);
return (-1);
}
return (0);
#elif defined(_UNICOS)
char ptbuf[64], ttbuf[64];
int i;
int highpty;
highpty = 128;
#ifdef _SC_CRAY_NPTY
if ((highpty = sysconf(_SC_CRAY_NPTY)) == -1)
highpty = 128;
#endif /* _SC_CRAY_NPTY */
for (i = 0; i < highpty; i++) {
snprintf(ptbuf, sizeof(ptbuf), "/dev/pty/%03d", i);
snprintf(ttbuf, sizeof(ttbuf), "/dev/ttyp%03d", i);
if ((*amaster = open(ptbuf, O_RDWR|O_NOCTTY)) == -1)
continue;
/* Open the slave side. */
if ((*aslave = open(ttbuf, O_RDWR|O_NOCTTY)) == -1) {
close(*amaster);
return (-1);
}
return (0);
}
return (-1);
#else
/* BSD-style pty code. */
char ptbuf[64], ttbuf[64];
int i;
const char *ptymajors = "pqrstuvwxyzabcdefghijklmno"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const char *ptyminors = "0123456789abcdef";
int num_minors = strlen(ptyminors);
int num_ptys = strlen(ptymajors) * num_minors;
struct termios tio;
for (i = 0; i < num_ptys; i++) {
snprintf(ptbuf, sizeof(ptbuf), "/dev/pty%c%c",
ptymajors[i / num_minors], ptyminors[i % num_minors]);
snprintf(ttbuf, sizeof(ttbuf), "/dev/tty%c%c",
ptymajors[i / num_minors], ptyminors[i % num_minors]);
if ((*amaster = open(ptbuf, O_RDWR | O_NOCTTY)) == -1) {
/* Try SCO style naming */
snprintf(ptbuf, sizeof(ptbuf), "/dev/ptyp%d", i);
snprintf(ttbuf, sizeof(ttbuf), "/dev/ttyp%d", i);
if ((*amaster = open(ptbuf, O_RDWR | O_NOCTTY)) == -1)
continue;
}
/* Open the slave side. */
if ((*aslave = open(ttbuf, O_RDWR | O_NOCTTY)) == -1) {
close(*amaster);
return (-1);
}
/* set tty modes to a sane state for broken clients */
if (tcgetattr(*amaster, &tio) != -1) {
tio.c_lflag |= (ECHO | ISIG | ICANON);
tio.c_oflag |= (OPOST | ONLCR);
tio.c_iflag |= ICRNL;
tcsetattr(*amaster, TCSANOW, &tio);
}
return (0);
}
return (-1);
#endif
}
#endif /* !defined(HAVE_OPENPTY) */

119
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-poll.c vendored Normal file
View File

@@ -0,0 +1,119 @@
/* $Id: bsd-poll.c,v 1.6 2014/02/05 23:44:13 dtucker Exp $ */
/*
* Copyright (c) 2004, 2005, 2007 Darren Tucker (dtucker at zip com au).
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#if !defined(HAVE_POLL)
#include <sys/types.h>
#include <sys/time.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include "bsd-poll.h"
/*
* A minimal implementation of poll(2), built on top of select(2).
*
* Only supports POLLIN and POLLOUT flags in pfd.events, and POLLIN, POLLOUT
* and POLLERR flags in revents.
*
* Supports pfd.fd = -1 meaning "unused" although it's not standard.
*/
int
poll(struct pollfd *fds, nfds_t nfds, int timeout)
{
nfds_t i;
int saved_errno, ret, fd, maxfd = 0;
fd_set *readfds = NULL, *writefds = NULL, *exceptfds = NULL;
size_t nmemb;
struct timeval tv, *tvp = NULL;
for (i = 0; i < nfds; i++) {
fd = fds[i].fd;
if (fd >= FD_SETSIZE) {
errno = EINVAL;
return -1;
}
maxfd = MAX(maxfd, fd);
}
nmemb = howmany(maxfd + 1 , NFDBITS);
if ((readfds = calloc(nmemb, sizeof(fd_mask))) == NULL ||
(writefds = calloc(nmemb, sizeof(fd_mask))) == NULL ||
(exceptfds = calloc(nmemb, sizeof(fd_mask))) == NULL) {
saved_errno = ENOMEM;
ret = -1;
goto out;
}
/* populate event bit vectors for the events we're interested in */
for (i = 0; i < nfds; i++) {
fd = fds[i].fd;
if (fd == -1)
continue;
if (fds[i].events & POLLIN) {
FD_SET(fd, readfds);
FD_SET(fd, exceptfds);
}
if (fds[i].events & POLLOUT) {
FD_SET(fd, writefds);
FD_SET(fd, exceptfds);
}
}
/* poll timeout is msec, select is timeval (sec + usec) */
if (timeout >= 0) {
tv.tv_sec = timeout / 1000;
tv.tv_usec = (timeout % 1000) * 1000;
tvp = &tv;
}
ret = select(maxfd + 1, readfds, writefds, exceptfds, tvp);
saved_errno = errno;
/* scan through select results and set poll() flags */
for (i = 0; i < nfds; i++) {
fd = fds[i].fd;
fds[i].revents = 0;
if (fd == -1)
continue;
if (FD_ISSET(fd, readfds)) {
fds[i].revents |= POLLIN;
}
if (FD_ISSET(fd, writefds)) {
fds[i].revents |= POLLOUT;
}
if (FD_ISSET(fd, exceptfds)) {
fds[i].revents |= POLLERR;
}
}
out:
free(readfds);
free(writefds);
free(exceptfds);
if (ret == -1)
errno = saved_errno;
return ret;
}
#endif

61
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-poll.h vendored Normal file
View File

@@ -0,0 +1,61 @@
/* $OpenBSD: poll.h,v 1.11 2003/12/10 23:10:08 millert Exp $ */
/*
* Copyright (c) 1996 Theo de Raadt
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* OPENBSD ORIGINAL: sys/sys/poll.h */
#if !defined(HAVE_POLL) && !defined(HAVE_POLL_H)
#ifndef _COMPAT_POLL_H_
#define _COMPAT_POLL_H_
typedef struct pollfd {
int fd;
short events;
short revents;
} pollfd_t;
typedef unsigned int nfds_t;
#define POLLIN 0x0001
#define POLLOUT 0x0004
#define POLLERR 0x0008
#if 0
/* the following are currently not implemented */
#define POLLPRI 0x0002
#define POLLHUP 0x0010
#define POLLNVAL 0x0020
#define POLLRDNORM 0x0040
#define POLLNORM POLLRDNORM
#define POLLWRNORM POLLOUT
#define POLLRDBAND 0x0080
#define POLLWRBAND 0x0100
#endif
#define INFTIM (-1) /* not standard */
int poll(struct pollfd *, nfds_t, int);
#endif /* !_COMPAT_POLL_H_ */
#endif /* !HAVE_POLL_H */

100
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-setres_id.c vendored Normal file
View File

@@ -0,0 +1,100 @@
/* $Id: bsd-setres_id.c,v 1.2 2013/12/07 21:23:09 djm Exp $ */
/*
* Copyright (c) 2012 Darren Tucker (dtucker at zip com au).
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#include <sys/types.h>
#include <stdarg.h>
#include <unistd.h>
#include <string.h>
#include "log.h"
#if !defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)
int
setresgid(gid_t rgid, gid_t egid, gid_t sgid)
{
int ret = 0, saved_errno;
if (rgid != sgid) {
errno = ENOSYS;
return -1;
}
#if defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
if (setregid(rgid, egid) < 0) {
saved_errno = errno;
error("setregid %u: %.100s", rgid, strerror(errno));
errno = saved_errno;
ret = -1;
}
#else
if (setegid(egid) < 0) {
saved_errno = errno;
error("setegid %u: %.100s", (u_int)egid, strerror(errno));
errno = saved_errno;
ret = -1;
}
if (setgid(rgid) < 0) {
saved_errno = errno;
error("setgid %u: %.100s", rgid, strerror(errno));
errno = saved_errno;
ret = -1;
}
#endif
return ret;
}
#endif
#if !defined(HAVE_SETRESUID) || defined(BROKEN_SETRESUID)
int
setresuid(uid_t ruid, uid_t euid, uid_t suid)
{
int ret = 0, saved_errno;
if (ruid != suid) {
errno = ENOSYS;
return -1;
}
#if defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
if (setreuid(ruid, euid) < 0) {
saved_errno = errno;
error("setreuid %u: %.100s", ruid, strerror(errno));
errno = saved_errno;
ret = -1;
}
#else
# ifndef SETEUID_BREAKS_SETUID
if (seteuid(euid) < 0) {
saved_errno = errno;
error("seteuid %u: %.100s", euid, strerror(errno));
errno = saved_errno;
ret = -1;
}
# endif
if (setuid(ruid) < 0) {
saved_errno = errno;
error("setuid %u: %.100s", ruid, strerror(errno));
errno = saved_errno;
ret = -1;
}
#endif
return ret;
}
#endif

24
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-setres_id.h vendored Normal file
View File

@@ -0,0 +1,24 @@
/* $Id: bsd-setres_id.h,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */
/*
* Copyright (c) 2012 Darren Tucker (dtucker at zip com au).
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef HAVE_SETRESGID
int setresgid(gid_t, gid_t, gid_t);
#endif
#ifndef HAVE_SETRESUID
int setresuid(uid_t, uid_t, uid_t);
#endif

892
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-snprintf.c vendored Normal file
View File

@@ -0,0 +1,892 @@
/*
* Copyright Patrick Powell 1995
* This code is based on code written by Patrick Powell (papowell@astart.com)
* It may be used for any purpose as long as this notice remains intact
* on all source code distributions
*/
/**************************************************************
* Original:
* Patrick Powell Tue Apr 11 09:48:21 PDT 1995
* A bombproof version of doprnt (dopr) included.
* Sigh. This sort of thing is always nasty do deal with. Note that
* the version here does not include floating point...
*
* snprintf() is used instead of sprintf() as it does limit checks
* for string length. This covers a nasty loophole.
*
* The other functions are there to prevent NULL pointers from
* causing nast effects.
*
* More Recently:
* Brandon Long <blong@fiction.net> 9/15/96 for mutt 0.43
* This was ugly. It is still ugly. I opted out of floating point
* numbers, but the formatter understands just about everything
* from the normal C string format, at least as far as I can tell from
* the Solaris 2.5 printf(3S) man page.
*
* Brandon Long <blong@fiction.net> 10/22/97 for mutt 0.87.1
* Ok, added some minimal floating point support, which means this
* probably requires libm on most operating systems. Don't yet
* support the exponent (e,E) and sigfig (g,G). Also, fmtint()
* was pretty badly broken, it just wasn't being exercised in ways
* which showed it, so that's been fixed. Also, formated the code
* to mutt conventions, and removed dead code left over from the
* original. Also, there is now a builtin-test, just compile with:
* gcc -DTEST_SNPRINTF -o snprintf snprintf.c -lm
* and run snprintf for results.
*
* Thomas Roessler <roessler@guug.de> 01/27/98 for mutt 0.89i
* The PGP code was using unsigned hexadecimal formats.
* Unfortunately, unsigned formats simply didn't work.
*
* Michael Elkins <me@cs.hmc.edu> 03/05/98 for mutt 0.90.8
* The original code assumed that both snprintf() and vsnprintf() were
* missing. Some systems only have snprintf() but not vsnprintf(), so
* the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF.
*
* Andrew Tridgell (tridge@samba.org) Oct 1998
* fixed handling of %.0f
* added test for HAVE_LONG_DOUBLE
*
* tridge@samba.org, idra@samba.org, April 2001
* got rid of fcvt code (twas buggy and made testing harder)
* added C99 semantics
*
* date: 2002/12/19 19:56:31; author: herb; state: Exp; lines: +2 -0
* actually print args for %g and %e
*
* date: 2002/06/03 13:37:52; author: jmcd; state: Exp; lines: +8 -0
* Since includes.h isn't included here, VA_COPY has to be defined here. I don't
* see any include file that is guaranteed to be here, so I'm defining it
* locally. Fixes AIX and Solaris builds.
*
* date: 2002/06/03 03:07:24; author: tridge; state: Exp; lines: +5 -13
* put the ifdef for HAVE_VA_COPY in one place rather than in lots of
* functions
*
* date: 2002/05/17 14:51:22; author: jmcd; state: Exp; lines: +21 -4
* Fix usage of va_list passed as an arg. Use __va_copy before using it
* when it exists.
*
* date: 2002/04/16 22:38:04; author: idra; state: Exp; lines: +20 -14
* Fix incorrect zpadlen handling in fmtfp.
* Thanks to Ollie Oldham <ollie.oldham@metro-optix.com> for spotting it.
* few mods to make it easier to compile the tests.
* addedd the "Ollie" test to the floating point ones.
*
* Martin Pool (mbp@samba.org) April 2003
* Remove NO_CONFIG_H so that the test case can be built within a source
* tree with less trouble.
* Remove unnecessary SAFE_FREE() definition.
*
* Martin Pool (mbp@samba.org) May 2003
* Put in a prototype for dummy_snprintf() to quiet compiler warnings.
*
* Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
* if the C library has some snprintf functions already.
*
* Damien Miller (djm@mindrot.org) Jan 2007
* Fix integer overflows in return value.
* Make formatting quite a bit faster by inlining dopr_outch()
*
**************************************************************/
#include "includes.h"
#if defined(BROKEN_SNPRINTF) /* For those with broken snprintf() */
# undef HAVE_SNPRINTF
# undef HAVE_VSNPRINTF
#endif
#ifndef VA_COPY
# ifdef HAVE_VA_COPY
# define VA_COPY(dest, src) va_copy(dest, src)
# else
# ifdef HAVE___VA_COPY
# define VA_COPY(dest, src) __va_copy(dest, src)
# else
# define VA_COPY(dest, src) (dest) = (src)
# endif
# endif
#endif
#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
#include <ctype.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <errno.h>
#ifdef HAVE_LONG_DOUBLE
# define LDOUBLE long double
#else
# define LDOUBLE double
#endif
#ifdef HAVE_LONG_LONG
# define LLONG long long
#else
# define LLONG long
#endif
/*
* dopr(): poor man's version of doprintf
*/
/* format read states */
#define DP_S_DEFAULT 0
#define DP_S_FLAGS 1
#define DP_S_MIN 2
#define DP_S_DOT 3
#define DP_S_MAX 4
#define DP_S_MOD 5
#define DP_S_CONV 6
#define DP_S_DONE 7
/* format flags - Bits */
#define DP_F_MINUS (1 << 0)
#define DP_F_PLUS (1 << 1)
#define DP_F_SPACE (1 << 2)
#define DP_F_NUM (1 << 3)
#define DP_F_ZERO (1 << 4)
#define DP_F_UP (1 << 5)
#define DP_F_UNSIGNED (1 << 6)
/* Conversion Flags */
#define DP_C_SHORT 1
#define DP_C_LONG 2
#define DP_C_LDOUBLE 3
#define DP_C_LLONG 4
#define DP_C_SIZE 5
#define DP_C_INTMAX 6
#define char_to_int(p) ((p)- '0')
#ifndef MAX
# define MAX(p,q) (((p) >= (q)) ? (p) : (q))
#endif
#define DOPR_OUTCH(buf, pos, buflen, thechar) \
do { \
if (pos + 1 >= INT_MAX) { \
errno = ERANGE; \
return -1; \
} \
if (pos < buflen) \
buf[pos] = thechar; \
(pos)++; \
} while (0)
static int dopr(char *buffer, size_t maxlen, const char *format,
va_list args_in);
static int fmtstr(char *buffer, size_t *currlen, size_t maxlen,
char *value, int flags, int min, int max);
static int fmtint(char *buffer, size_t *currlen, size_t maxlen,
intmax_t value, int base, int min, int max, int flags);
static int fmtfp(char *buffer, size_t *currlen, size_t maxlen,
LDOUBLE fvalue, int min, int max, int flags);
static int
dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
{
char ch;
intmax_t value;
LDOUBLE fvalue;
char *strvalue;
int min;
int max;
int state;
int flags;
int cflags;
size_t currlen;
va_list args;
VA_COPY(args, args_in);
state = DP_S_DEFAULT;
currlen = flags = cflags = min = 0;
max = -1;
ch = *format++;
while (state != DP_S_DONE) {
if (ch == '\0')
state = DP_S_DONE;
switch(state) {
case DP_S_DEFAULT:
if (ch == '%')
state = DP_S_FLAGS;
else
DOPR_OUTCH(buffer, currlen, maxlen, ch);
ch = *format++;
break;
case DP_S_FLAGS:
switch (ch) {
case '-':
flags |= DP_F_MINUS;
ch = *format++;
break;
case '+':
flags |= DP_F_PLUS;
ch = *format++;
break;
case ' ':
flags |= DP_F_SPACE;
ch = *format++;
break;
case '#':
flags |= DP_F_NUM;
ch = *format++;
break;
case '0':
flags |= DP_F_ZERO;
ch = *format++;
break;
default:
state = DP_S_MIN;
break;
}
break;
case DP_S_MIN:
if (isdigit((unsigned char)ch)) {
min = 10*min + char_to_int (ch);
ch = *format++;
} else if (ch == '*') {
min = va_arg (args, int);
ch = *format++;
state = DP_S_DOT;
} else {
state = DP_S_DOT;
}
break;
case DP_S_DOT:
if (ch == '.') {
state = DP_S_MAX;
ch = *format++;
} else {
state = DP_S_MOD;
}
break;
case DP_S_MAX:
if (isdigit((unsigned char)ch)) {
if (max < 0)
max = 0;
max = 10*max + char_to_int (ch);
ch = *format++;
} else if (ch == '*') {
max = va_arg (args, int);
ch = *format++;
state = DP_S_MOD;
} else {
state = DP_S_MOD;
}
break;
case DP_S_MOD:
switch (ch) {
case 'h':
cflags = DP_C_SHORT;
ch = *format++;
break;
case 'j':
cflags = DP_C_INTMAX;
ch = *format++;
break;
case 'l':
cflags = DP_C_LONG;
ch = *format++;
if (ch == 'l') { /* It's a long long */
cflags = DP_C_LLONG;
ch = *format++;
}
break;
case 'L':
cflags = DP_C_LDOUBLE;
ch = *format++;
break;
case 'z':
cflags = DP_C_SIZE;
ch = *format++;
break;
default:
break;
}
state = DP_S_CONV;
break;
case DP_S_CONV:
switch (ch) {
case 'd':
case 'i':
if (cflags == DP_C_SHORT)
value = va_arg (args, int);
else if (cflags == DP_C_LONG)
value = va_arg (args, long int);
else if (cflags == DP_C_LLONG)
value = va_arg (args, LLONG);
else if (cflags == DP_C_SIZE)
value = va_arg (args, ssize_t);
else if (cflags == DP_C_INTMAX)
value = va_arg (args, intmax_t);
else
value = va_arg (args, int);
if (fmtint(buffer, &currlen, maxlen,
value, 10, min, max, flags) == -1)
return -1;
break;
case 'o':
flags |= DP_F_UNSIGNED;
if (cflags == DP_C_SHORT)
value = va_arg (args, unsigned int);
else if (cflags == DP_C_LONG)
value = (long)va_arg (args, unsigned long int);
else if (cflags == DP_C_LLONG)
value = (long)va_arg (args, unsigned LLONG);
else if (cflags == DP_C_SIZE)
value = va_arg (args, size_t);
#ifdef notyet
else if (cflags == DP_C_INTMAX)
value = va_arg (args, uintmax_t);
#endif
else
value = (long)va_arg (args, unsigned int);
if (fmtint(buffer, &currlen, maxlen, value,
8, min, max, flags) == -1)
return -1;
break;
case 'u':
flags |= DP_F_UNSIGNED;
if (cflags == DP_C_SHORT)
value = va_arg (args, unsigned int);
else if (cflags == DP_C_LONG)
value = (long)va_arg (args, unsigned long int);
else if (cflags == DP_C_LLONG)
value = (LLONG)va_arg (args, unsigned LLONG);
else if (cflags == DP_C_SIZE)
value = va_arg (args, size_t);
#ifdef notyet
else if (cflags == DP_C_INTMAX)
value = va_arg (args, uintmax_t);
#endif
else
value = (long)va_arg (args, unsigned int);
if (fmtint(buffer, &currlen, maxlen, value,
10, min, max, flags) == -1)
return -1;
break;
case 'X':
flags |= DP_F_UP;
case 'x':
flags |= DP_F_UNSIGNED;
if (cflags == DP_C_SHORT)
value = va_arg (args, unsigned int);
else if (cflags == DP_C_LONG)
value = (long)va_arg (args, unsigned long int);
else if (cflags == DP_C_LLONG)
value = (LLONG)va_arg (args, unsigned LLONG);
else if (cflags == DP_C_SIZE)
value = va_arg (args, size_t);
#ifdef notyet
else if (cflags == DP_C_INTMAX)
value = va_arg (args, uintmax_t);
#endif
else
value = (long)va_arg (args, unsigned int);
if (fmtint(buffer, &currlen, maxlen, value,
16, min, max, flags) == -1)
return -1;
break;
case 'f':
if (cflags == DP_C_LDOUBLE)
fvalue = va_arg (args, LDOUBLE);
else
fvalue = va_arg (args, double);
if (fmtfp(buffer, &currlen, maxlen, fvalue,
min, max, flags) == -1)
return -1;
break;
case 'E':
flags |= DP_F_UP;
case 'e':
if (cflags == DP_C_LDOUBLE)
fvalue = va_arg (args, LDOUBLE);
else
fvalue = va_arg (args, double);
if (fmtfp(buffer, &currlen, maxlen, fvalue,
min, max, flags) == -1)
return -1;
break;
case 'G':
flags |= DP_F_UP;
case 'g':
if (cflags == DP_C_LDOUBLE)
fvalue = va_arg (args, LDOUBLE);
else
fvalue = va_arg (args, double);
if (fmtfp(buffer, &currlen, maxlen, fvalue,
min, max, flags) == -1)
return -1;
break;
case 'c':
DOPR_OUTCH(buffer, currlen, maxlen,
va_arg (args, int));
break;
case 's':
strvalue = va_arg (args, char *);
if (!strvalue) strvalue = "(NULL)";
if (max == -1) {
max = strlen(strvalue);
}
if (min > 0 && max >= 0 && min > max) max = min;
if (fmtstr(buffer, &currlen, maxlen,
strvalue, flags, min, max) == -1)
return -1;
break;
case 'p':
strvalue = va_arg (args, void *);
if (fmtint(buffer, &currlen, maxlen,
(long) strvalue, 16, min, max, flags) == -1)
return -1;
break;
#if we_dont_want_this_in_openssh
case 'n':
if (cflags == DP_C_SHORT) {
short int *num;
num = va_arg (args, short int *);
*num = currlen;
} else if (cflags == DP_C_LONG) {
long int *num;
num = va_arg (args, long int *);
*num = (long int)currlen;
} else if (cflags == DP_C_LLONG) {
LLONG *num;
num = va_arg (args, LLONG *);
*num = (LLONG)currlen;
} else if (cflags == DP_C_SIZE) {
ssize_t *num;
num = va_arg (args, ssize_t *);
*num = (ssize_t)currlen;
} else if (cflags == DP_C_INTMAX) {
intmax_t *num;
num = va_arg (args, intmax_t *);
*num = (intmax_t)currlen;
} else {
int *num;
num = va_arg (args, int *);
*num = currlen;
}
break;
#endif
case '%':
DOPR_OUTCH(buffer, currlen, maxlen, ch);
break;
case 'w':
/* not supported yet, treat as next char */
ch = *format++;
break;
default:
/* Unknown, skip */
break;
}
ch = *format++;
state = DP_S_DEFAULT;
flags = cflags = min = 0;
max = -1;
break;
case DP_S_DONE:
break;
default:
/* hmm? */
break; /* some picky compilers need this */
}
}
if (maxlen != 0) {
if (currlen < maxlen - 1)
buffer[currlen] = '\0';
else if (maxlen > 0)
buffer[maxlen - 1] = '\0';
}
return currlen < INT_MAX ? (int)currlen : -1;
}
static int
fmtstr(char *buffer, size_t *currlen, size_t maxlen,
char *value, int flags, int min, int max)
{
int padlen, strln; /* amount to pad */
int cnt = 0;
#ifdef DEBUG_SNPRINTF
printf("fmtstr min=%d max=%d s=[%s]\n", min, max, value);
#endif
if (value == 0) {
value = "<NULL>";
}
for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
padlen = min - strln;
if (padlen < 0)
padlen = 0;
if (flags & DP_F_MINUS)
padlen = -padlen; /* Left Justify */
while ((padlen > 0) && (cnt < max)) {
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
--padlen;
++cnt;
}
while (*value && (cnt < max)) {
DOPR_OUTCH(buffer, *currlen, maxlen, *value);
value++;
++cnt;
}
while ((padlen < 0) && (cnt < max)) {
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
++padlen;
++cnt;
}
return 0;
}
/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
static int
fmtint(char *buffer, size_t *currlen, size_t maxlen,
intmax_t value, int base, int min, int max, int flags)
{
int signvalue = 0;
unsigned LLONG uvalue;
char convert[20];
int place = 0;
int spadlen = 0; /* amount to space pad */
int zpadlen = 0; /* amount to zero pad */
int caps = 0;
if (max < 0)
max = 0;
uvalue = value;
if(!(flags & DP_F_UNSIGNED)) {
if( value < 0 ) {
signvalue = '-';
uvalue = -value;
} else {
if (flags & DP_F_PLUS) /* Do a sign (+/i) */
signvalue = '+';
else if (flags & DP_F_SPACE)
signvalue = ' ';
}
}
if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
do {
convert[place++] =
(caps? "0123456789ABCDEF":"0123456789abcdef")
[uvalue % (unsigned)base ];
uvalue = (uvalue / (unsigned)base );
} while(uvalue && (place < 20));
if (place == 20) place--;
convert[place] = 0;
zpadlen = max - place;
spadlen = min - MAX (max, place) - (signvalue ? 1 : 0);
if (zpadlen < 0) zpadlen = 0;
if (spadlen < 0) spadlen = 0;
if (flags & DP_F_ZERO) {
zpadlen = MAX(zpadlen, spadlen);
spadlen = 0;
}
if (flags & DP_F_MINUS)
spadlen = -spadlen; /* Left Justifty */
#ifdef DEBUG_SNPRINTF
printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n",
zpadlen, spadlen, min, max, place);
#endif
/* Spaces */
while (spadlen > 0) {
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
--spadlen;
}
/* Sign */
if (signvalue)
DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
/* Zeros */
if (zpadlen > 0) {
while (zpadlen > 0) {
DOPR_OUTCH(buffer, *currlen, maxlen, '0');
--zpadlen;
}
}
/* Digits */
while (place > 0) {
--place;
DOPR_OUTCH(buffer, *currlen, maxlen, convert[place]);
}
/* Left Justified spaces */
while (spadlen < 0) {
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
++spadlen;
}
return 0;
}
static LDOUBLE abs_val(LDOUBLE value)
{
LDOUBLE result = value;
if (value < 0)
result = -value;
return result;
}
static LDOUBLE POW10(int val)
{
LDOUBLE result = 1;
while (val) {
result *= 10;
val--;
}
return result;
}
static LLONG ROUND(LDOUBLE value)
{
LLONG intpart;
intpart = (LLONG)value;
value = value - intpart;
if (value >= 0.5) intpart++;
return intpart;
}
/* a replacement for modf that doesn't need the math library. Should
be portable, but slow */
static double my_modf(double x0, double *iptr)
{
int i;
long l;
double x = x0;
double f = 1.0;
for (i=0;i<100;i++) {
l = (long)x;
if (l <= (x+1) && l >= (x-1)) break;
x *= 0.1;
f *= 10.0;
}
if (i == 100) {
/*
* yikes! the number is beyond what we can handle.
* What do we do?
*/
(*iptr) = 0;
return 0;
}
if (i != 0) {
double i2;
double ret;
ret = my_modf(x0-l*f, &i2);
(*iptr) = l*f + i2;
return ret;
}
(*iptr) = l;
return x - (*iptr);
}
static int
fmtfp (char *buffer, size_t *currlen, size_t maxlen,
LDOUBLE fvalue, int min, int max, int flags)
{
int signvalue = 0;
double ufvalue;
char iconvert[311];
char fconvert[311];
int iplace = 0;
int fplace = 0;
int padlen = 0; /* amount to pad */
int zpadlen = 0;
int caps = 0;
int idx;
double intpart;
double fracpart;
double temp;
/*
* AIX manpage says the default is 0, but Solaris says the default
* is 6, and sprintf on AIX defaults to 6
*/
if (max < 0)
max = 6;
ufvalue = abs_val (fvalue);
if (fvalue < 0) {
signvalue = '-';
} else {
if (flags & DP_F_PLUS) { /* Do a sign (+/i) */
signvalue = '+';
} else {
if (flags & DP_F_SPACE)
signvalue = ' ';
}
}
#if 0
if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
#endif
#if 0
if (max == 0) ufvalue += 0.5; /* if max = 0 we must round */
#endif
/*
* Sorry, we only support 16 digits past the decimal because of our
* conversion method
*/
if (max > 16)
max = 16;
/* We "cheat" by converting the fractional part to integer by
* multiplying by a factor of 10
*/
temp = ufvalue;
my_modf(temp, &intpart);
fracpart = ROUND((POW10(max)) * (ufvalue - intpart));
if (fracpart >= POW10(max)) {
intpart++;
fracpart -= POW10(max);
}
/* Convert integer part */
do {
temp = intpart*0.1;
my_modf(temp, &intpart);
idx = (int) ((temp -intpart +0.05)* 10.0);
/* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */
/* printf ("%llf, %f, %x\n", temp, intpart, idx); */
iconvert[iplace++] =
(caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
} while (intpart && (iplace < 311));
if (iplace == 311) iplace--;
iconvert[iplace] = 0;
/* Convert fractional part */
if (fracpart)
{
do {
temp = fracpart*0.1;
my_modf(temp, &fracpart);
idx = (int) ((temp -fracpart +0.05)* 10.0);
/* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */
/* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */
fconvert[fplace++] =
(caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
} while(fracpart && (fplace < 311));
if (fplace == 311) fplace--;
}
fconvert[fplace] = 0;
/* -1 for decimal point, another -1 if we are printing a sign */
padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
zpadlen = max - fplace;
if (zpadlen < 0) zpadlen = 0;
if (padlen < 0)
padlen = 0;
if (flags & DP_F_MINUS)
padlen = -padlen; /* Left Justifty */
if ((flags & DP_F_ZERO) && (padlen > 0)) {
if (signvalue) {
DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
--padlen;
signvalue = 0;
}
while (padlen > 0) {
DOPR_OUTCH(buffer, *currlen, maxlen, '0');
--padlen;
}
}
while (padlen > 0) {
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
--padlen;
}
if (signvalue)
DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
while (iplace > 0) {
--iplace;
DOPR_OUTCH(buffer, *currlen, maxlen, iconvert[iplace]);
}
#ifdef DEBUG_SNPRINTF
printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
#endif
/*
* Decimal point. This should probably use locale to find the correct
* char to print out.
*/
if (max > 0) {
DOPR_OUTCH(buffer, *currlen, maxlen, '.');
while (zpadlen > 0) {
DOPR_OUTCH(buffer, *currlen, maxlen, '0');
--zpadlen;
}
while (fplace > 0) {
--fplace;
DOPR_OUTCH(buffer, *currlen, maxlen, fconvert[fplace]);
}
}
while (padlen < 0) {
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
++padlen;
}
return 0;
}
#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
#if !defined(HAVE_VSNPRINTF)
int
vsnprintf (char *str, size_t count, const char *fmt, va_list args)
{
return dopr(str, count, fmt, args);
}
#endif
#if !defined(HAVE_SNPRINTF)
int
snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
{
size_t ret;
va_list ap;
va_start(ap, fmt);
ret = vsnprintf(str, count, fmt, ap);
va_end(ap);
return ret;
}
#endif

82
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-statvfs.c vendored Normal file
View File

@@ -0,0 +1,82 @@
/* $Id: bsd-statvfs.c,v 1.2 2014/01/17 07:10:59 dtucker Exp $ */
/*
* Copyright (c) 2008,2014 Darren Tucker <dtucker@zip.com.au>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
* IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#if !defined(HAVE_STATVFS) || !defined(HAVE_FSTATVFS)
#include <sys/param.h>
#ifdef HAVE_SYS_MOUNT_H
# include <sys/mount.h>
#endif
#include <errno.h>
static void
copy_statfs_to_statvfs(struct statvfs *to, struct statfs *from)
{
to->f_bsize = from->f_bsize;
to->f_frsize = from->f_bsize; /* no exact equivalent */
to->f_blocks = from->f_blocks;
to->f_bfree = from->f_bfree;
to->f_bavail = from->f_bavail;
to->f_files = from->f_files;
to->f_ffree = from->f_ffree;
to->f_favail = from->f_ffree; /* no exact equivalent */
to->f_fsid = 0; /* XXX fix me */
to->f_flag = from->f_flags;
to->f_namemax = MNAMELEN;
}
# ifndef HAVE_STATVFS
int statvfs(const char *path, struct statvfs *buf)
{
# ifdef HAVE_STATFS
struct statfs fs;
memset(&fs, 0, sizeof(fs));
if (statfs(path, &fs) == -1)
return -1;
copy_statfs_to_statvfs(buf, &fs);
return 0;
# else
errno = ENOSYS;
return -1;
# endif
}
# endif
# ifndef HAVE_FSTATVFS
int fstatvfs(int fd, struct statvfs *buf)
{
# ifdef HAVE_FSTATFS
struct statfs fs;
memset(&fs, 0, sizeof(fs));
if (fstatfs(fd, &fs) == -1)
return -1;
copy_statfs_to_statvfs(buf, &fs);
return 0;
# else
errno = ENOSYS;
return -1;
# endif
}
# endif
#endif

71
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-statvfs.h vendored Normal file
View File

@@ -0,0 +1,71 @@
/* $Id: bsd-statvfs.h,v 1.3 2014/01/17 07:48:22 dtucker Exp $ */
/*
* Copyright (c) 2008,2014 Darren Tucker <dtucker@zip.com.au>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
* IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#if !defined(HAVE_STATVFS) || !defined(HAVE_FSTATVFS)
#include <sys/types.h>
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifndef HAVE_FSBLKCNT_T
typedef unsigned long fsblkcnt_t;
#endif
#ifndef HAVE_FSFILCNT_T
typedef unsigned long fsfilcnt_t;
#endif
#ifndef ST_RDONLY
#define ST_RDONLY 1
#endif
#ifndef ST_NOSUID
#define ST_NOSUID 2
#endif
/* as defined in IEEE Std 1003.1, 2004 Edition */
struct statvfs {
unsigned long f_bsize; /* File system block size. */
unsigned long f_frsize; /* Fundamental file system block size. */
fsblkcnt_t f_blocks; /* Total number of blocks on file system in */
/* units of f_frsize. */
fsblkcnt_t f_bfree; /* Total number of free blocks. */
fsblkcnt_t f_bavail; /* Number of free blocks available to */
/* non-privileged process. */
fsfilcnt_t f_files; /* Total number of file serial numbers. */
fsfilcnt_t f_ffree; /* Total number of free file serial numbers. */
fsfilcnt_t f_favail; /* Number of file serial numbers available to */
/* non-privileged process. */
unsigned long f_fsid; /* File system ID. */
unsigned long f_flag; /* BBit mask of f_flag values. */
unsigned long f_namemax;/* Maximum filename length. */
};
#endif
#ifndef HAVE_STATVFS
int statvfs(const char *, struct statvfs *);
#endif
#ifndef HAVE_FSTATVFS
int fstatvfs(int, struct statvfs *);
#endif

53
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-waitpid.c vendored Normal file
View File

@@ -0,0 +1,53 @@
/*
* Copyright (c) 2000 Ben Lindstrom. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#ifndef HAVE_WAITPID
#include <errno.h>
#include <sys/wait.h>
#include "bsd-waitpid.h"
pid_t
waitpid(int pid, int *stat_loc, int options)
{
union wait statusp;
pid_t wait_pid;
if (pid <= 0) {
if (pid != -1) {
errno = EINVAL;
return (-1);
}
/* wait4() wants pid=0 for indiscriminate wait. */
pid = 0;
}
wait_pid = wait4(pid, &statusp, options, NULL);
if (stat_loc)
*stat_loc = (int) statusp.w_status;
return (wait_pid);
}
#endif /* !HAVE_WAITPID */

51
crypto/external/bsd/openssh/dist/openbsd-compat/bsd-waitpid.h vendored Normal file
View File

@@ -0,0 +1,51 @@
/* $Id: bsd-waitpid.h,v 1.5 2003/08/29 16:59:52 mouring Exp $ */
/*
* Copyright (c) 2000 Ben Lindstrom. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef _BSD_WAITPID_H
#define _BSD_WAITPID_H
#ifndef HAVE_WAITPID
/* Clean out any potental issues */
#undef WIFEXITED
#undef WIFSTOPPED
#undef WIFSIGNALED
/* Define required functions to mimic a POSIX look and feel */
#define _W_INT(w) (*(int*)&(w)) /* convert union wait to int */
#define WIFEXITED(w) (!((_W_INT(w)) & 0377))
#define WIFSTOPPED(w) ((_W_INT(w)) & 0100)
#define WIFSIGNALED(w) (!WIFEXITED(w) && !WIFSTOPPED(w))
#define WEXITSTATUS(w) (int)(WIFEXITED(w) ? ((_W_INT(w) >> 8) & 0377) : -1)
#define WTERMSIG(w) (int)(WIFSIGNALED(w) ? (_W_INT(w) & 0177) : -1)
#define WCOREFLAG 0x80
#define WCOREDUMP(w) ((_W_INT(w)) & WCOREFLAG)
/* Prototype */
pid_t waitpid(int, int *, int);
#endif /* !HAVE_WAITPID */
#endif /* _BSD_WAITPID_H */

222
crypto/external/bsd/openssh/dist/openbsd-compat/chacha_private.h vendored Normal file
View File

@@ -0,0 +1,222 @@
/*
chacha-merged.c version 20080118
D. J. Bernstein
Public domain.
*/
/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
typedef unsigned char u8;
typedef unsigned int u32;
typedef struct
{
u32 input[16]; /* could be compressed */
} chacha_ctx;
#define U8C(v) (v##U)
#define U32C(v) (v##U)
#define U8V(v) ((u8)(v) & U8C(0xFF))
#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
#define ROTL32(v, n) \
(U32V((v) << (n)) | ((v) >> (32 - (n))))
#define U8TO32_LITTLE(p) \
(((u32)((p)[0]) ) | \
((u32)((p)[1]) << 8) | \
((u32)((p)[2]) << 16) | \
((u32)((p)[3]) << 24))
#define U32TO8_LITTLE(p, v) \
do { \
(p)[0] = U8V((v) ); \
(p)[1] = U8V((v) >> 8); \
(p)[2] = U8V((v) >> 16); \
(p)[3] = U8V((v) >> 24); \
} while (0)
#define ROTATE(v,c) (ROTL32(v,c))
#define XOR(v,w) ((v) ^ (w))
#define PLUS(v,w) (U32V((v) + (w)))
#define PLUSONE(v) (PLUS((v),1))
#define QUARTERROUND(a,b,c,d) \
a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
static const char sigma[16] = "expand 32-byte k";
static const char tau[16] = "expand 16-byte k";
static void
chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
{
const char *constants;
x->input[4] = U8TO32_LITTLE(k + 0);
x->input[5] = U8TO32_LITTLE(k + 4);
x->input[6] = U8TO32_LITTLE(k + 8);
x->input[7] = U8TO32_LITTLE(k + 12);
if (kbits == 256) { /* recommended */
k += 16;
constants = sigma;
} else { /* kbits == 128 */
constants = tau;
}
x->input[8] = U8TO32_LITTLE(k + 0);
x->input[9] = U8TO32_LITTLE(k + 4);
x->input[10] = U8TO32_LITTLE(k + 8);
x->input[11] = U8TO32_LITTLE(k + 12);
x->input[0] = U8TO32_LITTLE(constants + 0);
x->input[1] = U8TO32_LITTLE(constants + 4);
x->input[2] = U8TO32_LITTLE(constants + 8);
x->input[3] = U8TO32_LITTLE(constants + 12);
}
static void
chacha_ivsetup(chacha_ctx *x,const u8 *iv)
{
x->input[12] = 0;
x->input[13] = 0;
x->input[14] = U8TO32_LITTLE(iv + 0);
x->input[15] = U8TO32_LITTLE(iv + 4);
}
static void
chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
{
u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
u8 *ctarget = NULL;
u8 tmp[64];
u_int i;
if (!bytes) return;
j0 = x->input[0];
j1 = x->input[1];
j2 = x->input[2];
j3 = x->input[3];
j4 = x->input[4];
j5 = x->input[5];
j6 = x->input[6];
j7 = x->input[7];
j8 = x->input[8];
j9 = x->input[9];
j10 = x->input[10];
j11 = x->input[11];
j12 = x->input[12];
j13 = x->input[13];
j14 = x->input[14];
j15 = x->input[15];
for (;;) {
if (bytes < 64) {
for (i = 0;i < bytes;++i) tmp[i] = m[i];
m = tmp;
ctarget = c;
c = tmp;
}
x0 = j0;
x1 = j1;
x2 = j2;
x3 = j3;
x4 = j4;
x5 = j5;
x6 = j6;
x7 = j7;
x8 = j8;
x9 = j9;
x10 = j10;
x11 = j11;
x12 = j12;
x13 = j13;
x14 = j14;
x15 = j15;
for (i = 20;i > 0;i -= 2) {
QUARTERROUND( x0, x4, x8,x12)
QUARTERROUND( x1, x5, x9,x13)
QUARTERROUND( x2, x6,x10,x14)
QUARTERROUND( x3, x7,x11,x15)
QUARTERROUND( x0, x5,x10,x15)
QUARTERROUND( x1, x6,x11,x12)
QUARTERROUND( x2, x7, x8,x13)
QUARTERROUND( x3, x4, x9,x14)
}
x0 = PLUS(x0,j0);
x1 = PLUS(x1,j1);
x2 = PLUS(x2,j2);
x3 = PLUS(x3,j3);
x4 = PLUS(x4,j4);
x5 = PLUS(x5,j5);
x6 = PLUS(x6,j6);
x7 = PLUS(x7,j7);
x8 = PLUS(x8,j8);
x9 = PLUS(x9,j9);
x10 = PLUS(x10,j10);
x11 = PLUS(x11,j11);
x12 = PLUS(x12,j12);
x13 = PLUS(x13,j13);
x14 = PLUS(x14,j14);
x15 = PLUS(x15,j15);
#ifndef KEYSTREAM_ONLY
x0 = XOR(x0,U8TO32_LITTLE(m + 0));
x1 = XOR(x1,U8TO32_LITTLE(m + 4));
x2 = XOR(x2,U8TO32_LITTLE(m + 8));
x3 = XOR(x3,U8TO32_LITTLE(m + 12));
x4 = XOR(x4,U8TO32_LITTLE(m + 16));
x5 = XOR(x5,U8TO32_LITTLE(m + 20));
x6 = XOR(x6,U8TO32_LITTLE(m + 24));
x7 = XOR(x7,U8TO32_LITTLE(m + 28));
x8 = XOR(x8,U8TO32_LITTLE(m + 32));
x9 = XOR(x9,U8TO32_LITTLE(m + 36));
x10 = XOR(x10,U8TO32_LITTLE(m + 40));
x11 = XOR(x11,U8TO32_LITTLE(m + 44));
x12 = XOR(x12,U8TO32_LITTLE(m + 48));
x13 = XOR(x13,U8TO32_LITTLE(m + 52));
x14 = XOR(x14,U8TO32_LITTLE(m + 56));
x15 = XOR(x15,U8TO32_LITTLE(m + 60));
#endif
j12 = PLUSONE(j12);
if (!j12) {
j13 = PLUSONE(j13);
/* stopping at 2^70 bytes per nonce is user's responsibility */
}
U32TO8_LITTLE(c + 0,x0);
U32TO8_LITTLE(c + 4,x1);
U32TO8_LITTLE(c + 8,x2);
U32TO8_LITTLE(c + 12,x3);
U32TO8_LITTLE(c + 16,x4);
U32TO8_LITTLE(c + 20,x5);
U32TO8_LITTLE(c + 24,x6);
U32TO8_LITTLE(c + 28,x7);
U32TO8_LITTLE(c + 32,x8);
U32TO8_LITTLE(c + 36,x9);
U32TO8_LITTLE(c + 40,x10);
U32TO8_LITTLE(c + 44,x11);
U32TO8_LITTLE(c + 48,x12);
U32TO8_LITTLE(c + 52,x13);
U32TO8_LITTLE(c + 56,x14);
U32TO8_LITTLE(c + 60,x15);
if (bytes <= 64) {
if (bytes < 64) {
for (i = 0;i < bytes;++i) ctarget[i] = c[i];
}
x->input[12] = j12;
x->input[13] = j13;
return;
}
bytes -= 64;
c += 64;
#ifndef KEYSTREAM_ONLY
m += 64;
#endif
}
}

31
crypto/external/bsd/openssh/dist/openbsd-compat/charclass.h vendored Normal file
View File

@@ -0,0 +1,31 @@
/*
* Public domain, 2008, Todd C. Miller <Todd.Miller@courtesan.com>
*
* $OpenBSD: charclass.h,v 1.1 2008/10/01 23:04:13 millert Exp $
*/
/* OPENBSD ORIGINAL: lib/libc/gen/charclass.h */
/*
* POSIX character class support for fnmatch() and glob().
*/
static struct cclass {
const char *name;
int (*isctype)(int);
} cclasses[] = {
{ "alnum", isalnum },
{ "alpha", isalpha },
{ "blank", isblank },
{ "cntrl", iscntrl },
{ "digit", isdigit },
{ "graph", isgraph },
{ "lower", islower },
{ "print", isprint },
{ "punct", ispunct },
{ "space", isspace },
{ "upper", isupper },
{ "xdigit", isxdigit },
{ NULL, NULL }
};
#define NCCLASSES (sizeof(cclasses) / sizeof(cclasses[0]) - 1)

Some files were not shown because too many files have changed in this diff Show More