From b5741382c55b97728e02a6b9d9376b30c29e2bce Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 23 Feb 2012 23:40:41 +0000 Subject: - (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM audit breakage in Solaris 11. Patch from Magnus Johansson. --- ChangeLog | 4 +++ audit-bsm.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- configure.ac | 9 +++++-- 3 files changed, 89 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3f5630da..05749a6a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20120224 + - (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM + audit breakage in Solaris 11. Patch from Magnus Johansson. + 20120215 - (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c diff --git a/audit-bsm.c b/audit-bsm.c index f196d4f1..61355914 100644 --- a/audit-bsm.c +++ b/audit-bsm.c @@ -1,4 +1,4 @@ -/* $Id: audit-bsm.c,v 1.7 2011/01/17 10:15:29 dtucker Exp $ */ +/* $Id: audit-bsm.c,v 1.8 2012/02/23 23:40:43 dtucker Exp $ */ /* * TODO @@ -45,6 +45,10 @@ #include #include +#ifdef BROKEN_BSM_API +#include +#endif + #include "ssh.h" #include "log.h" #include "key.h" @@ -114,6 +118,12 @@ extern int aug_daemon_session(void); extern Authctxt *the_authctxt; static AuditInfoTermID ssh_bsm_tid; +#ifdef BROKEN_BSM_API +/* For some reason this constant is no longer defined + in Solaris 11. */ +#define BSM_TEXTBUFSZ 256 +#endif + /* Below is the low-level BSM interface code */ /* 
@@ -161,6 +171,65 @@ aug_get_machine(char *host, u_int32_t *addr, u_int32_t *type) } #endif +#ifdef BROKEN_BSM_API +/* + In Solaris 11 the audit daemon has been moved to SMF. In the process + they simply dropped getacna() from the API, since it read from a now + non-existent config file. This function re-implements getacna() to + read from the SMF repository instead. + */ +int +getacna(char *auditstring, int len) +{ + scf_handle_t *handle = NULL; + scf_property_t *property = NULL; + scf_value_t *value = NULL; + int ret = 0; + + handle = scf_handle_create(SCF_VERSION); + if (handle == NULL) + return -2; /* The man page for getacna on Solaris 10 states + we should return -2 in case of error and set + errno to indicate the error. We don't bother + with errno here, though, since the only use + of this function below doesn't check for errors + anyway. + */ + + ret = scf_handle_bind(handle); + if (ret == -1) + return -2; + + property = scf_property_create(handle); + if (property == NULL) + return -2; + + ret = scf_handle_decode_fmri(handle, + "svc:/system/auditd:default/:properties/preselection/naflags", + NULL, NULL, NULL, NULL, property, 0); + if (ret == -1) + return -2; + + value = scf_value_create(handle); + if (value == NULL) + return -2; + + ret = scf_property_get_value(property, value); + if (ret == -1) + return -2; + + ret = scf_value_get_astring(value, auditstring, len); + if (ret == -1) + return -2; + + scf_value_destroy(value); + scf_property_destroy(property); + scf_handle_destroy(handle); + + return 0; +} +#endif + /* * Check if the specified event is selected (enabled) for auditing. * Returns 1 if the event is selected, 0 if not and -1 on failure. 
@@ -213,7 +282,15 @@ bsm_audit_record(int typ, char *string, au_event_t event_no) (void) au_write(ad, au_to_text(string)); (void) au_write(ad, AUToReturnFunc(typ, rc)); +#ifdef BROKEN_BSM_API + /* The last argument is the event modifier flags. For + some seemingly undocumented reason it was added in + Solaris 11. */ + rc = au_close(ad, AU_TO_WRITE, event_no, 0); +#else rc = au_close(ad, AU_TO_WRITE, event_no); +#endif + if (rc < 0) error("BSM audit: %s failed to write \"%s\" record: %s", __func__, string, strerror(errno)); diff --git a/configure.ac b/configure.ac index 54fc7d0c..acf529b0 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.486 2012/01/17 03:03:37 dtucker Exp $ +# $Id: configure.ac,v 1.487 2012/02/23 23:40:43 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.486 $) +AC_REVISION($Revision: 1.487 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1434,6 +1434,11 @@ AC_ARG_WITH([audit], # These are optional AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) + if test "$sol2ver" -eq 11; then + SSHDLIBS="$SSHDLIBS -lscf" + AC_DEFINE([BROKEN_BSM_API], [1], + [The system has incomplete BSM API]) + fi ;; linux) AC_MSG_RESULT([linux]) -- cgit v1.2.1 From 048593ec57e6f7ee93f4ae986c7b5261602ce9e8 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 8 Mar 2012 23:25:16 +0000 Subject: - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux systems where sshd is run in te wrong context. Patch from Sven Vermeulen; ok dtucker@ --- ChangeLog | 5 +++++ openbsd-compat/port-linux.c | 7 ++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 05749a6a..97b39aaa 100644 --- a/ChangeLog +++ b/ChangeLog 
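Review bot: `if test "$sol2ver" -eq 11; then` misbehaves when `sol2ver` is empty: the `bsm` audit case is also selectable on non-Solaris hosts with OpenBSM (FreeBSD, Mac OS X), where sh's `test` reports an "integer expression expected" error for the empty operand and the comparison fails noisily. Presumably `sol2ver` is only assigned in the Solaris branch of the host case earlier in configure.ac, which is not in this diff. A string comparison avoids the problem entirely: `if test "x$sol2ver" = "x11"; then`.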
@@ -1,3 +1,8 @@ +20120309 + - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux + systems where sshd is run in te wrong context. Patch from Sven + Vermeulen; ok dtucker@ + 20120224 - (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM audit breakage in Solaris 11. Patch from Magnus Johansson. diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index ea8dff40..aba75387 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c @@ -1,4 +1,4 @@ -/* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */ +/* $Id: port-linux.c,v 1.17 2012/03/08 23:25:18 djm Exp $ */ /* * Copyright (c) 2005 Daniel Walsh @@ -60,7 +60,7 @@ ssh_selinux_enabled(void) static security_context_t ssh_selinux_getctxbyname(char *pwname) { - security_context_t sc; + security_context_t sc = NULL; char *sename = NULL, *lvl = NULL; int r; @@ -86,6 +86,7 @@ ssh_selinux_getctxbyname(char *pwname) case 0: error("%s: Failed to get default SELinux security " "context for %s", __func__, pwname); + sc = NULL; break; default: fatal("%s: Failed to get default SELinux security " @@ -101,7 +102,7 @@ ssh_selinux_getctxbyname(char *pwname) xfree(lvl); #endif - return (sc); + return sc; } /* Set the execution context to the default for the specified user */ -- cgit v1.2.1 From e6925baa18fd18d11784f0b038912afb2ce41338 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 8 Mar 2012 23:28:07 +0000 Subject: - (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections. ok dtucker@ --- ChangeLog | 2 ++ packet.c | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 97b39aaa..03c2674f 100644 --- a/ChangeLog +++ b/ChangeLog 
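Review bot: Callers of ssh_selinux_getctxbyname() are outside this diff, so it is not visible whether they handle the NULL that the `case 0:` path now returns after logging; a comment on the function would make that contract explicit, e.g. `/* Returns the default context for pwname, or NULL (already logged) if none is defined. */`. The added `sc = NULL;` in `case 0:` is redundant with the new `security_context_t sc = NULL;` initialiser unless the libselinux lookup between the two hunks can write through `&sc` on failure; if that is the reason, a comment such as `/* defensive: clear anything the lookup may have stored */` would stop someone from removing it as dead code. The function body continues between and after these hunks.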
@@ -2,6 +2,8 @@ - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux systems where sshd is run in te wrong context. Patch from Sven Vermeulen; ok dtucker@ + - (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6 + addressed connections. ok dtucker@ 20120224 - (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM diff --git a/packet.c b/packet.c index 2f85232a..d0c66fe5 100644 --- a/packet.c +++ b/packet.c @@ -432,8 +432,6 @@ packet_connection_af(void) if (getsockname(active_state->connection_out, (struct sockaddr *)&to, &tolen) < 0) return 0; - if (to.ss_family == AF_INET) - return 1; #ifdef IPV4_IN_IPV6 if (to.ss_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr)) -- cgit v1.2.1 From e5683513beff6a5060e1a72145a3115ec875e4f0 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 29 Mar 2012 23:19:56 +0000 Subject: - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING file from spec file. From crighter at nuclioss com. --- ChangeLog | 4 ++++ contrib/redhat/openssh.spec | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 03c2674f..ac8fd70b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20120330 + - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING + file from spec file. From crighter at nuclioss com. + 20120309 - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux systems where sshd is run in te wrong context. Patch from Sven diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index be6de088..87c37562 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec 
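Review bot: With the `AF_INET` early return gone, a plain IPv4 socket now falls through to whatever `return` follows the `#ifdef IPV4_IN_IPV6` block, which lies outside this hunk, so the value callers get for IPv4 is decided by code not shown here. packet_connection_af() carries no header comment stating its return convention; a short one listing each possible result (0 on getsockname() failure, and what the tail of the function returns for IPv4, v4-mapped and IPv6 sockets) would make the bz#1963 fix verifiable from the code alone. The function's body continues past the end of the hunk.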
@@ -335,7 +335,7 @@ fi %files %defattr(-,root,root) -%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO WARNING* +%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO %attr(0755,root,root) %{_bindir}/scp %attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0755,root,root) %dir %{_sysconfdir}/ssh -- cgit v1.2.1 From a71557c0ab3a4fbc9499016494de8e0b9de41601 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 30 Mar 2012 00:34:27 +0000 Subject: - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running openssh binaries on a newer fix release than they were compiled on. with and ok dtucker@ --- ChangeLog | 3 +++ entropy.c | 9 +++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ac8fd70b..00be8d36 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20120330 - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING file from spec file. From crighter at nuclioss com. + - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running + openssh binaries on a newer fix release than they were compiled on. + with and ok dtucker@ 20120309 - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux diff --git a/entropy.c b/entropy.c index 2d6d3ec5..2d483b39 100644 --- a/entropy.c +++ b/entropy.c 
@@ -211,9 +211,14 @@ seed_rng(void) #endif /* * OpenSSL version numbers: MNNFFPPS: major minor fix patch status - * We match major, minor, fix and status (not patch) + * We match major, minor, fix and status (not patch) for <1.0.0. + * After that, we acceptable compatible fix versions (so we + * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed + * within a patch series. */ - if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) + u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L; + if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) || + (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12)) fatal("OpenSSL version mismatch. Built against %lx, you " "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); -- cgit v1.2.1 From d9762dbb608495c3ab81ab0936b9cbc0e170a8a0 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 30 Mar 2012 03:07:05 +0000 Subject: - (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect assumptions when building on Cygwin; patch from Corinna Vinschen --- ChangeLog | 2 ++ openbsd-compat/bsd-cygwin_util.h | 8 +++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 00be8d36..2bd907cc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,8 @@ - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running openssh binaries on a newer fix release than they were compiled on. with and ok dtucker@ + - (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect + assumptions when building on Cygwin; patch from Corinna Vinschen 20120309 - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index 48f64b74..d223792d 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h 
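Review bot: `u_long version_mask = ...` is a declaration placed after the `#endif` that closes earlier code in seed_rng(), whose start is outside this hunk; if statements precede it, this is a mixed declaration that pre-C99 compilers reject, which matters if older toolchains are still a portability target. Declare `version_mask` and a single `u_long sslver = SSLeay();` at the top of seed_rng() and write the test as `version_mask = sslver >= 0x1000000f ? ~0xffff0L : ~0xff0L;` so SSLeay() is not called three times in one condition. The comment also has a typo: `we acceptable compatible fix versions` should read `we accept compatible fix versions`.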
@@ -1,4 +1,4 @@ -/* $Id: bsd-cygwin_util.h,v 1.13 2011/08/17 01:31:09 djm Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.14 2012/03/30 03:07:07 djm Exp $ */ /* * Copyright (c) 2000, 2001, 2011 Corinna Vinschen @@ -40,6 +40,12 @@ #include #include +/* Make sure _WIN32 isn't defined later in the code, otherwise headers from + other packages might get the wrong idea about the target system. */ +#ifdef _WIN32 +#undef _WIN32 +#endif + int binary_open(const char *, int , ...); int check_ntsec(const char *); char **fetch_windows_environment(void); -- cgit v1.2.1 From b119bf7a7d262eb8acaf0e24bf60548d19edbc94 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 4 Apr 2012 01:27:54 +0000 Subject: - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox mode for Linux's new seccomp filter; patch from Will Drewry; feedback and ok dtucker@ --- ChangeLog | 5 ++ Makefile.in | 5 +- configure.ac | 68 ++++++++++++++- sandbox-seccomp-filter.c | 222 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 295 insertions(+), 5 deletions(-) create mode 100644 sandbox-seccomp-filter.c diff --git a/ChangeLog b/ChangeLog index 2bd907cc..a89bb4b5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20120404 + - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox + mode for Linux's new seccomp filter; patch from Will Drewry; feedback + and ok dtucker@ + 20120330 - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING file from spec file. From crighter at nuclioss com. diff --git a/Makefile.in b/Makefile.in index 3be3aa61..566f58fe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.325 2011/08/05 20:15:18 djm Exp $ +# $Id: Makefile.in,v 1.326 2012/04/04 01:27:57 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
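Review bot: The `#ifdef _WIN32` guard around `#undef _WIN32` is unnecessary, since undefining a name that is not defined is a no-op, so the three lines can be the single line `#undef _WIN32`. The undef also only affects code compiled after this header: any header included later that defines `_WIN32` again reintroduces it, so the comment would be more accurate as `/* Undefine _WIN32 so headers included after this point do not mistake the target for native Windows. */`.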
@@ -90,7 +90,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ - sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ + sandbox-seccomp-filter.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 diff --git a/configure.ac b/configure.ac index acf529b0..23ac1490 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.487 2012/02/23 23:40:43 dtucker Exp $ +# $Id: configure.ac,v 1.488 2012/04/04 01:27:57 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.487 $) +AC_REVISION($Revision: 1.488 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -116,6 +116,35 @@ AC_CHECK_DECL([RLIMIT_NPROC], #include #include ]) +AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ + #include + #include +]) +if test "x$have_linux_no_new_privs" = "x1" ; then +AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ + #include + #include +]) +fi +if test "x$have_seccomp_filter" = "x1" ; then +AC_MSG_CHECKING([kernel for seccomp_filter support]) +AC_RUN_IFELSE([AC_LANG_PROGRAM([[ + #include + #include + #include + #include + ]], + [[ errno = 0; + prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); + exit(errno == EFAULT ? 0 : 1); ]])], + [ AC_MSG_RESULT([yes]) ], [ + AC_MSG_RESULT([no]) + # Disable seccomp filter as a target + have_seccomp_filter=0 + ], + [ AC_MSG_RESULT([cross-compiling, assuming yes]) ] +) +fi use_stack_protector=1 AC_ARG_WITH([stackprotect], @@ -657,6 +686,22 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) fi + AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h]) + AC_CHECK_FUNCS([prctl]) + have_seccomp_audit_arch=1 + case "$host" in + x86_64-*) + AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64], + [Specify the system call convention in use]) + ;; + i*86-*) + AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386], + [Specify the system call convention in use]) + ;; + *) + have_seccomp_audit_arch=0 + ;; + esac ;; mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty]) @@ -2518,7 +2563,7 @@ AC_SUBST([SSH_PRIVSEP_USER]) # Decide which sandbox style to use sandbox_arg="" AC_ARG_WITH([sandbox], - [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace)], + [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)], [ if test "x$withval" = "xyes" ; then sandbox_arg="" 
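Review bot: The cross-compiling branch of the kernel check leaves `have_seccomp_filter=1` ("assuming yes"), and the sandbox-selection hunk later in this commit auto-picks seccomp_filter whenever that flag is set, so a cross build for a kernel older than the one the headers came from yields a sshd whose preauth child fatal()s when prctl(PR_SET_SECCOMP) is refused at runtime. Even a native build only proves the build kernel accepts filters, not the deployment kernel. Consider saying so in the result, e.g. `AC_MSG_RESULT([cross-compiling, assuming yes; override with --with-sandbox])`, or not auto-selecting seccomp_filter when cross-compiling.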
@@ -2541,6 +2586,23 @@ elif test "x$sandbox_arg" = "xdarwin" || \ AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function]) SANDBOX_STYLE="darwin" AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) +elif test "x$sandbox_arg" = "xseccomp_filter" || \ + ( test -z "$sandbox_arg" && \ + test "x$have_seccomp_filter" == "x1" && \ + test "x$ac_cv_header_linux_audit_h" = "xyes" && \ + test "x$have_seccomp_audit_arch" = "x1" && \ + test "x$have_linux_no_new_privs" = "x1" && \ + test "x$ac_cv_func_prctl" = "xyes" ) ; then + test "x$have_seccomp_audit_arch" != "x1" && \ + AC_MSG_ERROR([seccomp_filter sandbox not supported on $host]) + test "x$have_linux_no_new_privs" != "x1" && \ + AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS]) + test "x$have_seccomp_filter" != "x1" && \ + AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers]) + test "x$ac_cv_func_prctl" != "xyes" && \ + AC_MSG_ERROR([seccomp_filter sandbox requires prctl function]) + SANDBOX_STYLE="seccomp_filter" + AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then test "x$ac_cv_func_setrlimit" != "xyes" && \ diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c new file mode 100644 index 00000000..68681295 --- /dev/null +++ b/sandbox-seccomp-filter.c 
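Review bot: `test "x$have_seccomp_filter" == "x1"` uses `==`, which is a bash extension; POSIX `test` only defines `=`, so under a strict /bin/sh (dash, Solaris sh) this comparison errors and the automatic selection of seccomp_filter silently falls through to the rlimit branch. Change it to `test "x$have_seccomp_filter" = "x1" && \` to match the other tests in the same condition.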
@@ -0,0 +1,222 @@ +/* + * Copyright (c) 2012 Will Drewry + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Uncomment the SANDBOX_SECCOMP_FILTER_DEBUG macro below to help diagnose + * filter breakage during development. *Do not* use this in production, + * as it relies on making library calls that are unsafe in signal context. + * + * Instead, live systems the auditctl(8) may be used to monitor failures. + * E.g. + * auditctl -a task,always -F uid= + */ +/* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */ + +#ifdef SANDBOX_SECCOMP_FILTER_DEBUG +/* Use the kernel headers in case of an older toolchain. 
*/ +# include +# define __have_siginfo_t 1 +# define __have_sigval_t 1 +# define __have_sigevent_t 1 +#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ + +#include "includes.h" + +#ifdef SANDBOX_SECCOMP_FILTER + +#include +#include +#include + +#include +#include +#include + +#include + +#include +#include +#include +#include /* for offsetof */ +#include +#include +#include +#include + +#include "log.h" +#include "ssh-sandbox.h" +#include "xmalloc.h" + +/* Linux seccomp_filter sandbox */ +#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL + +/* Use a signal handler to emit violations when debugging */ +#ifdef SANDBOX_SECCOMP_FILTER_DEBUG +# undef SECCOMP_FILTER_FAIL +# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP +#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ + +/* Simple helpers to avoid manual errors (but larger BPF programs). */ +#define SC_DENY(_nr, _errno) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) +#define SC_ALLOW(_nr) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + +/* Syscall filtering set for preauth. */ +static const struct sock_filter preauth_insns[] = { + /* Ensure the syscall arch convention is as expected. */ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, + offsetof(struct seccomp_data, arch)), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), + BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), + /* Load the syscall number for checking. 
*/ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, + offsetof(struct seccomp_data, nr)), + SC_DENY(open, EACCES), + SC_ALLOW(getpid), + SC_ALLOW(gettimeofday), + SC_ALLOW(time), + SC_ALLOW(read), + SC_ALLOW(write), + SC_ALLOW(close), + SC_ALLOW(brk), + SC_ALLOW(poll), +#ifdef __NR__newselect + SC_ALLOW(_newselect), +#else + SC_ALLOW(select), +#endif + SC_ALLOW(madvise), + SC_ALLOW(mmap), + SC_ALLOW(munmap), + SC_ALLOW(exit_group), +#ifdef __NR_rt_sigprocmask + SC_ALLOW(rt_sigprocmask), +#else + SC_ALLOW(sigprocmask), +#endif + BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), +}; + +static const struct sock_fprog preauth_program = { + .len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])), + .filter = (struct sock_filter *)preauth_insns, +}; + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + debug3("%s: preparing seccomp filter sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +#ifdef SANDBOX_SECCOMP_FILTER_DEBUG +extern struct monitor *pmonitor; +void mm_log_handler(LogLevel level, const char *msg, void *ctx); + +static void +ssh_sandbox_violation(int signum, siginfo_t *info, void *void_context) +{ + char msg[256]; + + snprintf(msg, sizeof(msg), + "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)", + __func__, info->si_arch, info->si_syscall, info->si_call_addr); + mm_log_handler(SYSLOG_LEVEL_FATAL, msg, pmonitor); + _exit(1); +} + +static void +ssh_sandbox_child_debugging(void) +{ + struct sigaction act; + sigset_t mask; + + debug3("%s: installing SIGSYS handler", __func__); + memset(&act, 0, sizeof(act)); + sigemptyset(&mask); + sigaddset(&mask, SIGSYS); + + act.sa_sigaction = &ssh_sandbox_violation; + act.sa_flags = SA_SIGINFO; + if (sigaction(SIGSYS, &act, NULL) == -1) + fatal("%s: sigaction(SIGSYS): %s", __func__, 
strerror(errno)); + if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) + fatal("%s: sigprocmask(SIGSYS): %s", + __func__, strerror(errno)); +} +#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + struct rlimit rl_zero; + + /* Set rlimits for completeness if possible. */ + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", + __func__, strerror(errno)); + +#ifdef SANDBOX_SECCOMP_FILTER_DEBUG + ssh_sandbox_child_debugging(); +#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ + + debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__); + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) + fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s", + __func__, strerror(errno)); + debug3("%s: attaching seccomp filter program", __func__); + if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &preauth_program) == -1) + fatal("%s: prctl(PR_SET_SECCOMP): %s", + __func__, strerror(errno)); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; +} + +#endif /* SANDBOX_SECCOMP_FILTER */ -- cgit v1.2.1 From 064f85dc68dedfa61ea05455a7c2606c4cf85975 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 19 Apr 2012 11:46:35 +0000 Subject: - (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil contains openpty() but not login() --- ChangeLog | 4 ++++ configure.ac | 15 +++++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index a89bb4b5..fc7fad99 100644 --- a/ChangeLog +++ b/ChangeLog 
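Review bot: With `SECCOMP_FILTER_FAIL` set to `SECCOMP_RET_KILL`, any syscall missing from `preauth_insns` kills the preauth child with nothing logged in a non-debug build, so the table's dependence on libc (`_newselect` vs `select`, `rt_sigprocmask` vs `sigprocmask`) deserves a comment above it: `/* Exact-match allowlist: any syscall not listed here kills the child with SIGSYS and no log entry; extend it when libc or the preauth code path changes. */`. That comment should also state that `mmap` and `madvise` are allowed without argument checks, which is a scoping caveat rather than something to fix here. Separately, ssh_sandbox_parent_finish() releases the xcalloc()'d box with `free(box)` while port-linux.c in this same series uses `xfree()`, so `xfree(box);` would be consistent, and the `box->child_pid = 0;` after xcalloc() in ssh_sandbox_init() is redundant.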
@@ -1,3 +1,7 @@ +20120419 + - (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil + contains openpty() but not login() + 20120404 - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox mode for Linux's new seccomp filter; patch from Will Drewry; feedback diff --git a/configure.ac b/configure.ac index 23ac1490..1457b8a8 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.488 2012/04/04 01:27:57 djm Exp $ +# $Id: configure.ac,v 1.489 2012/04/19 11:46:38 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.488 $) +AC_REVISION($Revision: 1.489 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1170,9 +1170,13 @@ AC_CHECK_FUNCS([utimes], dnl Checks for libutil functions AC_CHECK_HEADERS([libutil.h]) -AC_SEARCH_LIBS([login], [util bsd], [AC_DEFINE([HAVE_LOGIN], [1], - [Define if your libraries define login()])]) -AC_CHECK_FUNCS([fmt_scaled logout updwtmp logwtmp]) +AC_SEARCH_LIBS([fmt_scaled], [util bsd]) +AC_SEARCH_LIBS([login], [util bsd]) +AC_SEARCH_LIBS([logout], [util bsd]) +AC_SEARCH_LIBS([logwtmp], [util bsd]) +AC_SEARCH_LIBS([openpty], [util bsd]) +AC_SEARCH_LIBS([updwtmp], [util bsd]) +AC_CHECK_FUNCS([fmt_scaled login logout openpty updwtmp logwtmp]) AC_FUNC_STRFTIME @@ -1552,7 +1556,6 @@ AC_CHECK_FUNCS([ \ nsleep \ ogetaddrinfo \ openlog_r \ - openpty \ poll \ prctl \ pstat \ -- cgit v1.2.1 From 4cf24f62324623bbc756ac7c6adc7612103d0222 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 20 Apr 2012 00:58:34 +0000 Subject: - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update for release 6.0 --- ChangeLog | 4 ++++ contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index fc7fad99..ce7c50ed 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20120420 + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update for release 6.0 + 20120419 - (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil contains openpty() but not login() diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 29129917..90be57da 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 5.9p1 +%define version 6.0p1 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.76 2011/09/05 00:29:06 djm Exp $ +$Id: openssh.spec,v 1.77 2012/04/20 00:58:43 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 87c37562..d4e44d26 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 5.9p1 +%define ver 6.0p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 3a4dfea3..8d99fb5a 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 5.9p1 +Version: 6.0p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.1 From 189a890f997512579660d24b8d08095ebdbe0d4c Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 20 Apr 2012 04:11:04 +0000 Subject: - (djm) [README] Update URL to release notes. --- ChangeLog | 1 + README | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ce7c50ed..15177b0a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,7 @@ 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update for release 6.0 + - (djm) [README] Update URL to release notes. 20120419 - (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil diff --git a/README b/README index b725957d..ad2adc49 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-5.9 for the release notes. +See http://www.openssh.com/txt/release-6.0 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.79 2011/09/06 23:11:54 djm Exp $ +$Id: README,v 1.80 2012/04/20 04:11:04 djm Exp $ -- cgit v1.2.1 From d44a9d9966a86854325f9d0cd3e634e50f545515 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 20 Apr 2012 05:01:01 +0000 Subject: - (djm) Release openssh-6.0 --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 15177b0a..5df76186 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update for release 6.0 - (djm) [README] Update URL to release notes. + - (djm) Release openssh-6.0 20120419 - (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil -- cgit v1.2.1 From 18a48760b11687df2f43d2fc2ed9a49b3b9f930b Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 22 Apr 2012 01:07:28 +0000 Subject: - djm@cvs.openbsd.org 2012/02/29 11:21:26 [ssh-keygen.c] allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@ --- ChangeLog | 6 ++++++ ssh-keygen.c | 12 +++++++----- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5df76186..179d3b50 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,9 @@ +20120422 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2012/02/29 11:21:26 + [ssh-keygen.c] + allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@ + 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update for release 6.0 diff --git a/ssh-keygen.c b/ssh-keygen.c index 5fcd3a15..c5130c86 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.212 2011/10/16 15:02:41 jmc Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.213 2012/02/29 11:21:26 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -265,6 +265,10 @@ do_convert_to_ssh2(struct passwd *pw, Key *k) u_char *blob; char comment[61]; + if (k->type == KEY_RSA1) { + fprintf(stderr, "version 1 keys are not supported\n"); + exit(1); + } if (key_to_blob(k, &blob, &len) <= 0) { fprintf(stderr, "key_to_blob failed\n"); exit(1); @@ -288,6 +292,7 @@ static void do_convert_to_pkcs8(Key *k) { switch (key_type_plain(k->type)) { + case KEY_RSA1: case KEY_RSA: if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) fatal("PEM_write_RSA_PUBKEY failed"); @@ -312,6 +317,7 @@ static void do_convert_to_pem(Key *k) { switch (key_type_plain(k->type)) { + case KEY_RSA1: case KEY_RSA: if (!PEM_write_RSAPublicKey(stdout, k->rsa)) fatal("PEM_write_RSAPublicKey failed"); @@ -345,10 +351,6 @@ do_convert_to(struct passwd *pw) exit(1); } } - if (k->type == KEY_RSA1) { - fprintf(stderr, "version 1 keys are not supported\n"); - exit(1); - } switch (convert_format) { case FMT_RFC4716: -- cgit v1.2.1 From 8dd968aadc70689caa9b04d6b2fdc56b430b5c0e Mon Sep 17 00:00:00 2001 
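Review bot: The two new `case KEY_RSA1:` labels in do_convert_to_pkcs8() and do_convert_to_pem() fall through into the KEY_RSA branch without a word on why, and a reader has to work out that the RSA1 key presumably carries the same `k->rsa` object the PEM writers consume. A one-line comment above each label would record that, e.g. `/* RSA1 keys carry their RSA object in k->rsa too; emit as RSA */`, hedged if that assumption is not guaranteed elsewhere. Note also that the rejection moved into do_convert_to_ssh2() now sits after the local declarations, so the RFC4716 path rejects RSA1 while the PEM/PKCS8 paths accept it, which is the intended asymmetry and worth stating in the function comment of do_convert_to(), whose body continues outside the hunk.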
From: djm Date: Sun, 22 Apr 2012 01:08:10 +0000 Subject: - guenther@cvs.openbsd.org 2012/03/15 03:10:27 [session.c] root should always be excluded from the test for /etc/nologin instead of having it always enforced even when marked as ignorenologin. This regressed when the logic was incompletely flipped around in rev 1.251 ok halex@ millert@ --- ChangeLog | 6 ++++++ session.c | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 179d3b50..5e621928 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,12 @@ - djm@cvs.openbsd.org 2012/02/29 11:21:26 [ssh-keygen.c] allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@ + - guenther@cvs.openbsd.org 2012/03/15 03:10:27 + [session.c] + root should always be excluded from the test for /etc/nologin instead + of having it always enforced even when marked as ignorenologin. This + regressed when the logic was incompletely flipped around in rev 1.251 + ok halex@ millert@ 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/session.c b/session.c index 5dad2629..65bf2877 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.259 2011/10/24 02:13:13 djm Exp $ */ +/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1390,7 +1390,7 @@ do_nologin(struct passwd *pw) struct stat sb; #ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) + if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0) return; nl = login_getcapstr(lc, "nologin", def_nl, def_nl); #else -- cgit v1.2.1 From 0ed82cec503cb7eaad7c34e52e553f9656ac0e92 Mon Sep 17 00:00:00 2001 
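Review bot: The corrected condition `if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0) return;` only covers the HAVE_LOGIN_CAP build of do_nologin(); the `#else` branch begins after the hunk and is not visible here, so it is worth confirming that it exempts root the same way, otherwise the two builds diverge on exactly the case this commit fixes. A short comment above the test, `/* root is never subject to nologin; other users may be exempted by login.conf */`, would make the intended precedence explicit, since the previous inversion of this logic (rev 1.251 per the description) shows how easily it is flipped. do_nologin() starts before and ends after the hunk.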
From: djm Date: Sun, 22 Apr 2012 01:08:30 +0000 Subject: - djm@cvs.openbsd.org 2012/03/28 07:23:22 [PROTOCOL.certkeys] explain certificate extensions/crit split rationale. Mention requirement that each appear at most once per cert. --- ChangeLog | 4 ++++ PROTOCOL.certkeys | 15 ++++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5e621928..f89e1b17 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ of having it always enforced even when marked as ignorenologin. This regressed when the logic was incompletely flipped around in rev 1.251 ok halex@ millert@ + - djm@cvs.openbsd.org 2012/03/28 07:23:22 + [PROTOCOL.certkeys] + explain certificate extensions/crit split rationale. Mention requirement + that each appear at most once per cert. 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 2f976498..c9859109 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys @@ -162,6 +162,13 @@ extensions is a set of zero or more optional extensions. These extensions are not critical, and an implementation that encounters one that it does not recognise may safely ignore it. +Generally, critical options are used to control features that restrict +access where extensions are used to enable features that grant access. +This ensures that certificates containing unknown restrictions do not +inadvertently grant access while allowing new protocol features to be +enabled via extensions without breaking certificates' backwards +compatibility. + The reserved field is currently unused and is ignored in this version of the protocol. 
@@ -189,7 +196,7 @@ is a sequence of zero or more tuples: string data Options must be lexically ordered by "name" if they appear in the -sequence. +sequence. Each named option may only appear once in a certificate. The name field identifies the option and the data field encodes option-specific information (see below). All options are @@ -220,7 +227,9 @@ Extensions The extensions section of the certificate specifies zero or more non-critical certificate extensions. The encoding and ordering of -extensions in this field is identical to that of the critical options. +extensions in this field is identical to that of the critical options, +as is the requirement that each name appear only once. + If an implementation does not recognise an extension, then it should ignore it. @@ -253,4 +262,4 @@ permit-user-rc empty Flag indicating that execution of of this script will not be permitted if this option is not present. -$OpenBSD: PROTOCOL.certkeys,v 1.8 2010/08/31 11:54:45 djm Exp $ +$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $ -- cgit v1.2.1 From 7a926575f9cf0b7e573d69614fd44bd7446198f0 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 22 Apr 2012 01:18:53 +0000 Subject: - dtucker@cvs.openbsd.org 2012/03/29 23:54:36 [channels.c channels.h servconf.c] Add PermitOpen none option based on patch from Loganaden Velvindron (bz #1949). ok djm@ --- ChangeLog | 4 ++++ channels.c | 17 +++++++++++++++-- channels.h | 3 ++- servconf.c | 10 +++++++++- 4 files changed, 30 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index f89e1b17..1b5e78a4 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -13,6 +13,10 @@ [PROTOCOL.certkeys] explain certificate extensions/crit split rationale. Mention requirement that each appear at most once per cert. + - dtucker@cvs.openbsd.org 2012/03/29 23:54:36 + [channels.c channels.h servconf.c] + Add PermitOpen none option based on patch from Loganaden Velvindron + (bz #1949). ok djm@ 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/channels.c b/channels.c index f6e9b4d8..e5783b19 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.315 2011/09/23 07:45:05 markus Exp $ */ +/* $OpenBSD: channels.c,v 1.316 2012/03/29 23:54:36 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -3126,6 +3126,17 @@ channel_add_adm_permitted_opens(char *host, int port) return ++num_adm_permitted_opens; } +void +channel_disable_adm_local_opens(void) +{ + if (num_adm_permitted_opens == 0) { + permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); + permitted_adm_opens[num_adm_permitted_opens].host_to_connect + = NULL; + num_adm_permitted_opens = 1; + } +} + void channel_clear_permitted_opens(void) { @@ -3167,7 +3178,9 @@ channel_print_adm_permitted_opens(void) return; } for (i = 0; i < num_adm_permitted_opens; i++) - if (permitted_adm_opens[i].host_to_connect != NULL) + if (permitted_adm_opens[i].host_to_connect == NULL) + printf(" none"); + else printf(" %s:%d", permitted_adm_opens[i].host_to_connect, permitted_adm_opens[i].port_to_connect); printf("\n"); diff --git a/channels.h b/channels.h index c1f01c48..6ed1ce00 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.109 2011/09/23 07:45:05 markus Exp $ */ +/* $OpenBSD: channels.h,v 1.110 2012/03/29 23:54:36 dtucker Exp $ */ /* * Author: Tatu Ylonen 
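Review bot: channel_disable_adm_local_opens() allocates one entry with xmalloc() and sets only `host_to_connect = NULL`, leaving `port_to_connect` uninitialized; channel_print_adm_permitted_opens() skips the port for a NULL host, but any other consumer of permitted_adm_opens that compares ports before checking the host (outside this hunk) would read indeterminate memory. Add `permitted_adm_opens[0].port_to_connect = 0;` next to the host assignment, or use a zeroing allocator if one is available in xmalloc.h. The function is also a silent no-op when `num_adm_permitted_opens != 0`, which only works because the servconf.c caller clears the list first; a header comment such as `/* Install a single NULL-host sentinel meaning "no local opens"; caller must have cleared the list first. */` would document both the sentinel and the precondition.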
@@ -253,6 +253,7 @@ void channel_set_af(int af); void channel_permit_all_opens(void); void channel_add_permitted_opens(char *, int); int channel_add_adm_permitted_opens(char *, int); +void channel_disable_adm_local_opens(void); void channel_update_permitted_opens(int, int); void channel_clear_permitted_opens(void); void channel_clear_adm_permitted_opens(void); diff --git a/servconf.c b/servconf.c index 8ec5ca0e..6de77164 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.223 2011/09/23 00:22:04 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.224 2012/03/29 23:54:36 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1333,6 +1333,14 @@ process_server_config_line(ServerOptions *options, char *line, } break; } + if (strcmp(arg, "none") == 0) { + if (*activep && n == -1) { + channel_clear_adm_permitted_opens(); + options->num_permitted_opens = 1; + channel_disable_adm_local_opens(); + } + break; + } if (*activep && n == -1) channel_clear_adm_permitted_opens(); for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { -- cgit v1.2.1 From 84cfdc9f5776f096938d977bb4675adfff287a2f Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 22 Apr 2012 01:21:10 +0000 Subject: - djm@cvs.openbsd.org 2012/04/11 13:16:19 [channels.c channels.h clientloop.c serverloop.c] don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a while; ok deraadt@ markus@ --- ChangeLog | 4 ++++ channels.c | 52 ++++++++++++++++++++++++++++++++++++++++++++-------- channels.h | 6 ++++-- clientloop.c | 8 ++++++-- serverloop.c | 14 ++++++++++---- 5 files changed, 68 insertions(+), 16 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1b5e78a4..d19da34a 100644 --- a/ChangeLog +++ b/ChangeLog 
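Review bot: The new PermitOpen keyword test uses a case-sensitive `strcmp(arg, "none")`, whereas the auth.c hunk later in this series (AuthorizedPrincipalsFile) and the sVersionAddendum hunk in servconf.c both accept "none" via strcasecmp(); sshd_config keywords are otherwise matched case-insensitively, so `PermitOpen None` would fall through to the host:port parser and fail with a confusing error. Either switch to `if (strcasecmp(arg, "none") == 0) {` for consistency, or document the deliberate difference. process_server_config_line() begins well before this hunk, so the meaning of `n == -1` that gates the clearing is not visible here and is assumed to be the "no opens recorded yet" sentinel.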
@@ -17,6 +17,10 @@ [channels.c channels.h servconf.c] Add PermitOpen none option based on patch from Loganaden Velvindron (bz #1949). ok djm@ + - djm@cvs.openbsd.org 2012/04/11 13:16:19 + [channels.c channels.h clientloop.c serverloop.c] + don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a + while; ok deraadt@ markus@ 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/channels.c b/channels.c index e5783b19..cacd2fe5 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.316 2012/03/29 23:54:36 dtucker Exp $ */ +/* $OpenBSD: channels.c,v 1.317 2012/04/11 13:16:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -311,6 +311,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, c->istate = CHAN_INPUT_OPEN; c->flags = 0; channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0); + c->notbefore = 0; c->self = found; c->type = type; c->ctype = ctype; @@ -1339,6 +1340,8 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) } if (newsock < 0) { error("accept: %.100s", strerror(errno)); + if (errno == EMFILE || errno == ENFILE) + c->notbefore = time(NULL) + 1; return; } set_nodelay(newsock); @@ -1482,6 +1485,8 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); if (newsock < 0) { error("accept: %.100s", strerror(errno)); + if (errno == EMFILE || errno == ENFILE) + c->notbefore = time(NULL) + 1; return; } set_nodelay(newsock); 
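Review bot: In channel_post_x11_listener() and channel_post_port_listener() the new `if (errno == EMFILE || errno == ENFILE)` test runs after `error("accept: %.100s", strerror(errno))`, so it depends on the logging path preserving errno; OpenSSH's do_log() does save and restore it as far as I recall, but nothing here records that dependency and a future change to logging would silently disable the back-off. Moving the test above the error() call (or saving errno into a local first) removes the dependency at no cost: `if (errno == EMFILE || errno == ENFILE) c->notbefore = time(NULL) + 1;` then `error("accept: %.100s", strerror(errno));`. The same ordering appears in the auth- and mux-listener hunks of this file and in the sshd.c server_accept_loop() hunk of the later commit on this page. Both listener functions start and end outside their hunks.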
@@ -1514,7 +1519,10 @@ channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) addrlen = sizeof(addr); newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); if (newsock < 0) { - error("accept from auth socket: %.100s", strerror(errno)); + error("accept from auth socket: %.100s", + strerror(errno)); + if (errno == EMFILE || errno == ENFILE) + c->notbefore = time(NULL) + 1; return; } nc = channel_new("accepted auth socket", @@ -1917,6 +1925,8 @@ channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset) if ((newsock = accept(c->sock, (struct sockaddr*)&addr, &addrlen)) == -1) { error("%s accept: %s", __func__, strerror(errno)); + if (errno == EMFILE || errno == ENFILE) + c->notbefore = time(NULL) + 1; return; } @@ -2067,16 +2077,21 @@ channel_garbage_collect(Channel *c) } static void -channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset) +channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset, + time_t *unpause_secs) { static int did_init = 0; u_int i, oalloc; Channel *c; + time_t now; if (!did_init) { channel_handler_init(); did_init = 1; } + now = time(NULL); + if (unpause_secs != NULL) + *unpause_secs = 0; for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { c = channels[i]; if (c == NULL) 
@@ -2087,10 +2102,30 @@ channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset) else continue; } - if (ftab[c->type] != NULL) - (*ftab[c->type])(c, readset, writeset); + if (ftab[c->type] != NULL) { + /* + * Run handlers that are not paused. + */ + if (c->notbefore <= now) + (*ftab[c->type])(c, readset, writeset); + else if (unpause_secs != NULL) { + /* + * Collect the time that the earliest + * channel comes off pause. + */ + debug3("%s: chan %d: skip for %d more seconds", + __func__, c->self, + (int)(c->notbefore - now)); + if (*unpause_secs == 0 || + (c->notbefore - now) < *unpause_secs) + *unpause_secs = c->notbefore - now; + } + } channel_garbage_collect(c); } + if (unpause_secs != NULL && *unpause_secs != 0) + debug3("%s: first channel unpauses in %d seconds", + __func__, (int)*unpause_secs); } /* @@ -2099,7 +2134,7 @@ channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset) */ void channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, - u_int *nallocp, int rekeying) + u_int *nallocp, int *minwait_secs, int rekeying) { u_int n, sz, nfdset; @@ -2122,7 +2157,8 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, memset(*writesetp, 0, sz); if (!rekeying) - channel_handler(channel_pre, *readsetp, *writesetp); + channel_handler(channel_pre, *readsetp, *writesetp, + minwait_secs); } /* @@ -2132,7 +2168,7 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, void channel_after_select(fd_set *readset, fd_set *writeset) { - channel_handler(channel_post, readset, writeset); + channel_handler(channel_post, readset, writeset, NULL); } diff --git a/channels.h b/channels.h index 6ed1ce00..d75b800f 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.110 2012/03/29 23:54:36 dtucker Exp $ */ +/* $OpenBSD: channels.h,v 1.111 2012/04/11 13:16:19 djm Exp $ */ /* * Author: Tatu Ylonen 
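Review bot: channel_prepare_select()'s new parameter is declared `int *minwait_secs`, but it is passed straight to channel_handler(), whose parameter is `time_t *unpause_secs`, and the channels.h hunk in this same commit declares the prototype with `time_t*`; the definition therefore disagrees with both its prototype and its callee, which is a constraint violation compilers report as an incompatible pointer type and on an LP64 platform would mean storing a time_t through an int pointer. The signature should read `u_int *nallocp, time_t *minwait_secs, int rekeying)`. The final commit on this page ("fix function proto/source mismatch" in channels.c) appears to be the follow-up for exactly this. Separately, the skipped-handler branch still calls channel_garbage_collect(c) for paused channels, which looks intentional but deserves a word in the `Run handlers that are not paused.` comment. channel_handler() begins in the preceding hunk.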
@@ -105,6 +105,7 @@ struct Channel { int wfd_isatty; /* wfd is a tty */ int client_tty; /* (client) TTY has been requested */ int force_drain; /* force close on iEOF */ + time_t notbefore; /* Pause IO until deadline (time_t) */ int delayed; /* post-select handlers for newly created * channels are delayed until the first call * to a matching pre-select handler. @@ -238,7 +239,8 @@ void channel_input_status_confirm(int, u_int32_t, void *); /* file descriptor handling (read/write) */ -void channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int); +void channel_prepare_select(fd_set **, fd_set **, int *, u_int*, + time_t*, int); void channel_after_select(fd_set *, fd_set *); void channel_output_poll(void); diff --git a/clientloop.c b/clientloop.c index f69a9b02..58357cf3 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.239 2012/04/11 13:16:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -583,10 +583,12 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, { struct timeval tv, *tvp; int timeout_secs; + time_t minwait_secs; int ret; /* Add any selections by the channel mechanism. */ - channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying); + channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, + &minwait_secs, rekeying); if (!compat20) { /* Read from the connection, unless our buffers are full. */ @@ -639,6 +641,8 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, if (timeout_secs < 0) timeout_secs = 0; } + if (minwait_secs != 0) + timeout_secs = MIN(timeout_secs, (int)minwait_secs); if (timeout_secs == INT_MAX) tvp = NULL; else { diff --git a/serverloop.c b/serverloop.c index 19b84ff2..50be16b7 100644 --- a/serverloop.c +++ b/serverloop.c 
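Review bot: In client_wait_until_can_do_something() the new `time_t minwait_secs;` is read by `if (minwait_secs != 0)` in the second hunk, but the only store to it is `*unpause_secs = 0` inside channel_handler(), which channel_prepare_select() invokes only when `!rekeying` (channels.c hunk in this commit); during a rekey the variable is never written and the comparison reads an indeterminate value, which is undefined behaviour and can shorten the select timeout arbitrarily. Initialize it at the declaration: `time_t minwait_secs = 0;`. A more robust alternative is for channel_prepare_select() to zero `*minwait_secs` before the rekeying test so every caller is covered. serverloop.c passes `0` for rekeying and is therefore unaffected. client_wait_until_can_do_something() starts before the first hunk and continues after the second.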
@@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.160 2011/05/15 08:09:01 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.161 2012/04/11 13:16:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -281,9 +281,18 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, { struct timeval tv, *tvp; int ret; + time_t minwait_secs; int client_alive_scheduled = 0; int program_alive_scheduled = 0; + /* Allocate and update select() masks for channel descriptors. */ + channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, + &minwait_secs, 0); + + if (minwait_secs != 0) + max_time_milliseconds = MIN(max_time_milliseconds, + (u_int)minwait_secs * 1000); + /* * if using client_alive, set the max timeout accordingly, * and indicate that this particular timeout was for client @@ -298,9 +307,6 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, max_time_milliseconds = options.client_alive_interval * 1000; } - /* Allocate and update select() masks for channel descriptors. */ - channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, 0); - if (compat20) { #if 0 /* wrong: bad condition XXX */ -- cgit v1.2.1 From 5af5b1085c4f9e1542ae7a7f74a6d5aa201f17d0 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 22 Apr 2012 01:21:43 +0000 Subject: - djm@cvs.openbsd.org 2012/04/11 13:17:54 [auth.c] Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read. --- ChangeLog | 4 ++++ auth.c | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d19da34a..7cc59758 100644 --- a/ChangeLog +++ b/ChangeLog 
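Review bot: The `max_time_milliseconds = MIN(max_time_milliseconds, (u_int)minwait_secs * 1000);` clamp now runs before the client-alive block, and the context below shows that block assigning `max_time_milliseconds = options.client_alive_interval * 1000;`; if the block's condition (outside the hunk) does not require `max_time_milliseconds == 0`, that assignment overwrites the back-off deadline and a paused listener will not be retried until the next keepalive. Please confirm the guard, and add a comment on the moved call explaining why channel_prepare_select() must precede the timeout computation, e.g. `/* Must run first: the pause deadline bounds the select() timeout below. */`. The `(u_int)` cast is safe only while pauses stay short (they are one second in this commit); worth a note if longer deadlines are ever introduced. wait_until_can_do_something() begins before and ends after these hunks.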
@@ -21,6 +21,10 @@ [channels.c channels.h clientloop.c serverloop.c] don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a while; ok deraadt@ markus@ + - djm@cvs.openbsd.org 2012/04/11 13:17:54 + [auth.c] + Support "none" as an argument for AuthorizedPrincipalsFile to indicate + no file should be read. 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/auth.c b/auth.c index cd95da93..97693288 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.94 2011/05/23 03:33:38 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.95 2012/04/11 13:17:54 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -357,7 +357,8 @@ expand_authorized_keys(const char *filename, struct passwd *pw) char * authorized_principals_file(struct passwd *pw) { - if (options.authorized_principals_file == NULL) + if (options.authorized_principals_file == NULL || + strcasecmp(options.authorized_principals_file, "none") == 0) return NULL; return expand_authorized_keys(options.authorized_principals_file, pw); } -- cgit v1.2.1 From 47c2fe49ef6452f6f3dd4176fae88a42f223766a Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 22 Apr 2012 01:23:46 +0000 Subject: - djm@cvs.openbsd.org 2012/04/11 13:26:40 [sshd.c] don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a while; ok deraadt@ markus@ --- ChangeLog | 4 ++++ sshd.c | 7 +++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7cc59758..f5890757 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,10 @@ [auth.c] Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read. + - djm@cvs.openbsd.org 2012/04/11 13:26:40 + [sshd.c] + don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a + while; ok deraadt@ markus@ 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/sshd.c b/sshd.c index b63aaa42..fddbc9d3 100644 --- a/sshd.c 
+++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.388 2011/09/30 21:22:49 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.389 2012/04/11 13:26:40 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1174,7 +1174,10 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) if (*newsock < 0) { if (errno != EINTR && errno != EAGAIN && errno != EWOULDBLOCK) - error("accept: %.100s", strerror(errno)); + error("accept: %.100s", + strerror(errno)); + if (errno == EMFILE || errno == ENFILE) + usleep(100 * 1000); continue; } if (unset_nonblock(*newsock) == -1) { -- cgit v1.2.1 From 213a3044b9f80eaad797fa1a4dbb8ff6354df744 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 22 Apr 2012 01:24:21 +0000 Subject: - djm@cvs.openbsd.org 2012/04/11 13:34:17 [ssh-keyscan.1 ssh-keyscan.c] now that sshd defaults to offering ECDSA keys, ssh-keyscan should also look for them by default; bz#1971 --- ChangeLog | 4 ++++ ssh-keyscan.1 | 11 +++++++---- ssh-keyscan.c | 4 ++-- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index f5890757..9c9b3fd0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,10 @@ [sshd.c] don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a while; ok deraadt@ markus@ + - djm@cvs.openbsd.org 2012/04/11 13:34:17 + [ssh-keyscan.1 ssh-keyscan.c] + now that sshd defaults to offering ECDSA keys, ssh-keyscan should also + look for them by default; bz#1971 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index fe9bb6e0..f2b0fc8f 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.29 2010/08/31 11:54:45 djm Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.30 2012/04/11 13:34:17 djm Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" 
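Review bot: The back-off in server_accept_loop() is a bare literal, `usleep(100 * 1000);`, with nothing saying why 100 ms or why this path sleeps rather than pausing via a deadline like the channel listeners; a named constant or at least a comment, `usleep(100 * 1000); /* 100ms: let a descriptor be freed before retrying accept() */`, would document the choice. As in the channels.c listener hunks, the errno test follows the error() call and so relies on the logger preserving errno; testing errno before logging avoids that dependency. server_accept_loop() starts before and ends after this hunk.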
@@ -6,7 +6,7 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd $Mdocdate: August 31 2010 $ +.Dd $Mdocdate: April 11 2012 $ .Dt SSH-KEYSCAN 1 .Os .Sh NAME @@ -94,8 +94,11 @@ or .Dq rsa for protocol version 2. Multiple values may be specified by separating them with commas. -The default is -.Dq rsa . +The default is to fetch +.Dq rsa +and +.Dq ecdsa +keys. .It Fl v Verbose mode. Causes diff --git a/ssh-keyscan.c b/ssh-keyscan.c index b085dd41..c9de130f 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.85 2011/03/15 10:36:02 okan Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.86 2012/04/11 13:34:17 djm Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -57,7 +57,7 @@ int ssh_port = SSH_DEFAULT_PORT; #define KT_RSA 4 #define KT_ECDSA 8 -int get_keytypes = KT_RSA; /* Get only RSA keys by default */ +int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */ int hash_hosts = 0; /* Hash hostname on output */ -- cgit v1.2.1 From 0ce969ebc4595f9122fb57681605063e91f7f674 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 22 Apr 2012 01:24:43 +0000 Subject: - djm@cvs.openbsd.org 2012/04/12 02:42:32 [servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@ --- ChangeLog | 4 ++++ servconf.c | 26 +++++++++++++++++++++++--- servconf.h | 4 +++- sshd.c | 10 ++++++---- sshd_config | 3 ++- sshd_config.5 | 9 +++++++-- 6 files changed, 45 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9c9b3fd0..a8312a5e 100644 --- a/ChangeLog +++ b/ChangeLog 
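Review bot: A style point on the ssh-keyscan.c hunk: the new line `int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */` has no whitespace around `|` or before the comment, unlike the surrounding declarations which pad their trailing comments; `int get_keytypes = KT_RSA|KT_ECDSA; /* Get RSA and ECDSA keys by default */` keeps the column alignment with the `hash_hosts` line below. The ssh-keyscan.1 text and this default now agree, which is good.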
@@ -33,6 +33,10 @@ [ssh-keyscan.1 ssh-keyscan.c] now that sshd defaults to offering ECDSA keys, ssh-keyscan should also look for them by default; bz#1971 + - djm@cvs.openbsd.org 2012/04/12 02:42:32 + [servconf.c servconf.h sshd.c sshd_config sshd_config.5] + VersionAddendum option to allow server operators to append some arbitrary + text to the SSH-... banner; ok deraadt@ "don't care" markus@ 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/servconf.c b/servconf.c index 6de77164..a8a40f97 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.224 2012/03/29 23:54:36 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.225 2012/04/12 02:42:32 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -138,6 +138,7 @@ initialize_server_options(ServerOptions *options) options->authorized_principals_file = NULL; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; + options->version_addendum = NULL; } void @@ -277,7 +278,8 @@ fill_default_server_options(ServerOptions *options) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) options->ip_qos_bulk = IPTOS_THROUGHPUT; - + if (options->version_addendum == NULL) + options->version_addendum = xstrdup(""); /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = PRIVSEP_ON; @@ -323,7 +325,7 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, - sKexAlgorithms, sIPQoS, + sKexAlgorithms, sIPQoS, sVersionAddendum, sDeprecated, sUnsupported } ServerOpCodes; @@ -448,6 +450,7 @@ static struct { { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, + { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; 
@@ -1403,6 +1406,22 @@ process_server_config_line(ServerOptions *options, char *line, } break; + case sVersionAddendum: + if (cp == NULL) + fatal("%.200s line %d: Missing argument.", filename, + linenum); + len = strspn(cp, WHITESPACE); + if (*activep && options->version_addendum == NULL) { + if (strcasecmp(cp + len, "none") == 0) + options->version_addendum = xstrdup(""); + else if (strchr(cp + len, '\r') != NULL) + fatal("%.200s line %d: Invalid argument", + filename, linenum); + else + options->version_addendum = xstrdup(cp + len); + } + return 0; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -1766,6 +1785,7 @@ dump_config(ServerOptions *o) dump_cfg_string(sRevokedKeys, o->revoked_keys_file); dump_cfg_string(sAuthorizedPrincipalsFile, o->authorized_principals_file); + dump_cfg_string(sVersionAddendum, o->version_addendum); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff --git a/servconf.h b/servconf.h index 89f38e20..66ba387d 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.100 2012/04/12 02:42:32 djm Exp $ */ /* * Author: Tatu Ylonen @@ -166,6 +166,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; char *authorized_principals_file; + + char *version_addendum; /* Appended to SSH banner */ } ServerOptions; /* diff --git a/sshd.c b/sshd.c index fddbc9d3..b7066df5 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.389 2012/04/11 13:26:40 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.390 2012/04/12 02:42:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
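Review bot: The sVersionAddendum parser rejects a `'\r'` in the value but the code gives no reason, and it accepts the remainder of the line verbatim including trailing whitespace; a reader needs to know the value is spliced into the CR LF-terminated identification string, so a comment such as `/* A CR would terminate the SSH-... banner line early; the parser already splits on LF */` would make the check self-explanatory (the LF half is an inference from the line-based caller outside this hunk). The `return 0;` instead of `break` also deserves a note, since it deliberately skips the usual trailing-argument check because the whole rest of the line is the value. No length bound is applied here, which matters for the banner assembled in sshd.c. process_server_config_line() starts and ends outside this hunk.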
@@ -419,9 +419,11 @@ sshd_exchange_identification(int sock_in, int sock_out) major = PROTOCOL_MAJOR_1; minor = PROTOCOL_MINOR_1; } - snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, - SSH_VERSION, newline); - server_version_string = xstrdup(buf); + + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", + major, minor, SSH_VERSION, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); /* Send our protocol version identification. */ if (roaming_atomicio(vwrite, sock_out, server_version_string, diff --git a/sshd_config b/sshd_config index 473e8665..99dbd858 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $ +# $OpenBSD: sshd_config,v 1.85 2012/04/12 02:42:32 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -107,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys #MaxStartups 10 #PermitTunnel no #ChrootDirectory none +#VersionAddendum none # no default banner path #Banner none diff --git a/sshd_config.5 b/sshd_config.5 index 4ef8b9e6..1522355a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $ -.Dd $Mdocdate: September 9 2011 $ +.\" $OpenBSD: sshd_config.5,v 1.137 2012/04/12 02:42:32 djm Exp $ +.Dd $Mdocdate: April 12 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1079,6 +1079,11 @@ is set to .Dq sandbox then the pre-authentication unprivileged process is subject to additional restrictions. +.It Cm VersionAddendum +Optionally specifies additional text to append to the SSH protocol banner +sent by the server upon connection. +The default is +.Dq none . .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -- cgit v1.2.1 
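Review bot: The banner built in sshd_exchange_identification() clips `SSH_VERSION` with `%.100s` but emits `options.version_addendum` with a plain `%s`, so an operator-supplied addendum can push the identification string past the 255-byte maximum (including CR LF) that RFC 4253 section 4.2 imposes, and some peers reject or truncate over-long banners. Either bound it here, `"SSH-%d.%d-%.100s%s%.100s%s"`, or validate the length where the option is parsed in servconf.c and document the limit in sshd_config.5 next to the VersionAddendum entry. The `*options.version_addendum == '\0' ? "" : " "` separator logic is correct but dense enough to merit a short comment. sshd_exchange_identification() begins before and continues after this hunk.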
From 5be90452b3aabb59a275f6cccf7efec0782c78da Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 22 Apr 2012 01:25:10 +0000 Subject: - djm@cvs.openbsd.org 2012/04/12 02:43:55 [sshd_config sshd_config.5] mention AuthorizedPrincipalsFile=none default --- ChangeLog | 3 +++ sshd_config | 4 +++- sshd_config.5 | 6 ++++-- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a8312a5e..5ca22714 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ [servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@ + - djm@cvs.openbsd.org 2012/04/12 02:43:55 + [sshd_config sshd_config.5] + mention AuthorizedPrincipalsFile=none default 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/sshd_config b/sshd_config index 99dbd858..ec3ca2af 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.85 2012/04/12 02:42:32 djm Exp $ +# $OpenBSD: sshd_config,v 1.86 2012/04/12 02:43:55 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -49,6 +49,8 @@ # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedPrincipalsFile none + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 diff --git a/sshd_config.5 b/sshd_config.5 index 1522355a..27ee1914 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.137 2012/04/12 02:42:32 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.138 2012/04/12 02:43:55 djm Exp $ .Dd $Mdocdate: April 12 2012 $ .Dt SSHD_CONFIG 5 .Os 
@@ -198,7 +198,9 @@ After expansion, is taken to be an absolute path or one relative to the user's home directory. .Pp -The default is not to use a principals file \(en in this case, the username +The default is +.Dq none , +i.e. not to use a principals file \(en in this case, the username of the user must appear in a certificate's principals list for it to be accepted. Note that -- cgit v1.2.1 From 5707213a65c18ea172e116dc7f80e8e85bb15ff4 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 22 Apr 2012 01:25:47 +0000 Subject: - djm@cvs.openbsd.org 2012/04/20 03:24:23 [sftp.c] setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...) --- ChangeLog | 3 +++ sftp.c | 7 +------ 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5ca22714..b9fda322 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ - djm@cvs.openbsd.org 2012/04/12 02:43:55 [sshd_config sshd_config.5] mention AuthorizedPrincipalsFile=none default + - djm@cvs.openbsd.org 2012/04/20 03:24:23 + [sftp.c] + setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...) 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/sftp.c b/sftp.c index da7fbab3..22cf3145 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.134 2011/11/16 12:24:28 oga Exp $ */ +/* $OpenBSD: sftp.c,v 1.135 2012/04/20 03:24:23 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1934,13 +1934,8 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) xfree(dir); } -#if defined(HAVE_SETVBUF) && !defined(BROKEN_SETVBUF) - setvbuf(stdout, NULL, _IOLBF, 0); - setvbuf(infile, NULL, _IOLBF, 0); -#else setlinebuf(stdout); setlinebuf(infile); -#endif interactive = !batchmode && isatty(STDIN_FILENO); err = 0; -- cgit v1.2.1 From 21d9650016dfc2de965accc38de294cd27508ead Mon Sep 17 00:00:00 2001 
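Review bot: The removed `HAVE_SETVBUF`/`BROKEN_SETVBUF` guard is the portable tree's fallback for platforms whose libc lacks setlinebuf(3); calling setlinebuf() unconditionally here will fail to link on those targets unless openbsd-compat supplies a replacement, which this diff does not show. If the OpenBSD-side readability change is wanted, keep the `#if defined(HAVE_SETVBUF) && !defined(BROKEN_SETVBUF)` branch in portable and only reorder so setlinebuf() is the preferred path. interactive_loop() begins and ends outside the hunk.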
From: djm Date: Sun, 22 Apr 2012 01:26:10 +0000 Subject: - jmc@cvs.openbsd.org 2012/04/20 16:26:22 [ssh.1] use "brackets" instead of "braces", for consistency; --- ChangeLog | 3 +++ ssh.1 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index b9fda322..e928ac4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ - djm@cvs.openbsd.org 2012/04/20 03:24:23 [sftp.c] setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...) + - jmc@cvs.openbsd.org 2012/04/20 16:26:22 + [ssh.1] + use "brackets" instead of "braces", for consistency; 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/ssh.1 b/ssh.1 index ac61326e..20783403 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.323 2011/09/11 06:59:05 okan Exp $ -.Dd $Mdocdate: September 11 2011 $ +.\" $OpenBSD: ssh.1,v 1.324 2012/04/20 16:26:22 jmc Exp $ +.Dd $Mdocdate: April 20 2012 $ .Dt SSH 1 .Os .Sh NAME @@ -506,7 +506,7 @@ from the local machine. Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. -IPv6 addresses can be specified by enclosing the address in square braces. +IPv6 addresses can be specified by enclosing the address in square brackets. .Pp By default, the listening socket on the server will be bound to the loopback interface only. -- cgit v1.2.1 From e267a3ca430696f1194de809d949261890f1f45c Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 23 Apr 2012 08:21:05 +0000 Subject: - djm@cvs.openbsd.org 2012/04/23 08:18:17 [channels.c] fix function proto/source mismatch --- ChangeLog | 6 ++++++ channels.c | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e928ac4d..dedf2f33 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,9 @@ +20120423 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2012/04/23 08:18:17 + [channels.c] + fix function proto/source mismatch + 20120422 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2012/02/29 11:21:26 diff --git a/channels.c b/channels.c index cacd2fe5..7791febd 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.317 2012/04/11 13:16:19 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2134,7 +2134,7 @@ channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset, */ void channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, - u_int *nallocp, int *minwait_secs, int rekeying) + u_int *nallocp, time_t *minwait_secs, int rekeying) { u_int n, sz, nfdset; -- cgit v1.2.1 From 665184632b73495a82871b56cd99bc2ca510a8d7 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 25 Apr 2012 23:51:26 +0000 Subject: - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters via Niels --- ChangeLog | 4 ++++ auth-passwd.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index dedf2f33..908dcd49 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20120426 + - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters + via Niels + 20120423 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2012/04/23 08:18:17 diff --git a/auth-passwd.c b/auth-passwd.c index b1c6ce09..68bbd18d 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -209,6 +209,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password) * Authentication is accepted if the encrypted passwords * are identical. */ - return (strcmp(encrypted_password, pw_password) == 0); + return encrypted_password != NULL && + strcmp(encrypted_password, pw_password) == 0; } #endif -- cgit v1.2.1 From 9381a8e77ce7d4bc6211f73e2bdc3ca1fca6c2fa Mon Sep 17 00:00:00 2001 
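Review bot: The NULL check on encrypted_password turns a failing crypt() into a plain authentication failure with no log line, so an operator cannot tell a broken crypt backend (for example an unsupported hash format in the password database) from a wrong password. Consider logging before the comparison, e.g. `if (encrypted_password == NULL) { logit("crypt() returned NULL"); return 0; }` ahead of the `strcmp()`, keeping the combined return for the normal path. sys_auth_passwd() begins outside the hunk.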
From: djm Date: Wed, 25 Apr 2012 23:52:15 +0000 Subject: - (djm) [auth-krb5.c] Save errno across calls that might modify it; ok dtucker@ --- ChangeLog | 2 ++ auth-krb5.c | 12 +++++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 908dcd49..7ec760c6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20120426 - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters via Niels + - (djm) [auth-krb5.c] Save errno across calls that might modify it; + ok dtucker@ 20120423 - OpenBSD CVS Sync diff --git a/auth-krb5.c b/auth-krb5.c index d019fe20..922c66c6 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -226,7 +226,7 @@ krb5_cleanup_proc(Authctxt *authctxt) #ifndef HEIMDAL krb5_error_code ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { - int tmpfd, ret; + int tmpfd, ret, oerrno; char ccname[40]; mode_t old_umask; @@ -237,16 +237,18 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { old_umask = umask(0177); tmpfd = mkstemp(ccname + strlen("FILE:")); + oerrno = errno; umask(old_umask); if (tmpfd == -1) { - logit("mkstemp(): %.100s", strerror(errno)); - return errno; + logit("mkstemp(): %.100s", strerror(oerrno)); + return oerrno; } if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { - logit("fchmod(): %.100s", strerror(errno)); + oerrno = errno; + logit("fchmod(): %.100s", strerror(oerrno)); close(tmpfd); - return errno; + return oerrno; } close(tmpfd); -- cgit v1.2.1 From 349ea7bb409ed3af96e2bf1eeef9143eca66406d Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 27 Apr 2012 00:55:39 +0000 Subject: - (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6 platform rather than exiting early, so that we still clean up and return status to test-exec.sh --- ChangeLog | 5 +++++ regress/addrmatch.sh | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 7ec760c6..5eda2f27 100644 --- a/ChangeLog +++ b/ChangeLog 
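Review bot: In the fchmod() failure branch the file created by mkstemp() is closed but never removed, so each failure leaves a stray zero-length credential cache file behind; add `unlink(ccname + strlen("FILE:"));` after the `close(tmpfd);` in that branch. The errno save itself is placed correctly, since umask() and logit()/strerror() run between the failing call and the return. The mkstemp() branch needs no unlink because no file exists when it returns -1. ssh_krb5_cc_gen() continues outside the hunk.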
@@ -1,3 +1,8 @@ +20120427 + - (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6 + platform rather than exiting early, so that we still clean up and return + success or failure to test-exec.sh + 20120426 - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters via Niels diff --git a/regress/addrmatch.sh b/regress/addrmatch.sh index 23ddd65c..5102317d 100644 --- a/regress/addrmatch.sh +++ b/regress/addrmatch.sh @@ -33,13 +33,14 @@ run_trial user 19.0.0.1 somehost no "deny, no match" run_trial user 10.255.255.254 somehost yes "permit, list middle" run_trial user 192.168.30.1 192.168.0.1 no "deny, faked IP in hostname" run_trial user 1.1.1.1 somehost.example.com yes "permit, bare IP4 address" -test "$TEST_SSH_IPV6" = "no" && exit +if test "$TEST_SSH_IPV6" != "no"; then run_trial user ::1 somehost.example.com yes "permit, bare IP6 address" run_trial user ::2 somehost.exaple.com no "deny IPv6" run_trial user ::3 somehost no "deny IP6 negated" run_trial user ::4 somehost no "deny, IP6 no match" run_trial user 2000::1 somehost yes "permit, IP6 network" run_trial user 2001::1 somehost no "deny, IP6 network" +fi cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy rm $OBJ/sshd_proxy_bak -- cgit v1.2.1 From 254b47abbedef7fbfe48a70b55c992baad98214e Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 4 May 2012 01:05:45 +0000 Subject: - (dtucker) [configure.ac] Include rather than to fix building on some plaforms. Fom bowman at math utah edu and des at des no. --- ChangeLog | 5 +++++ configure.ac | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5eda2f27..06046beb 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,8 @@ +20120504 + - (dtucker) [configure.ac] Include rather than + to fix building on some plaforms. Fom bowman at math utah edu and + des at des no. + 20120427 - (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6 platform rather than exiting early, so that we still clean up and return diff --git a/configure.ac b/configure.ac index 1457b8a8..6ece6e18 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.489 2012/04/19 11:46:38 djm Exp $ +# $Id: configure.ac,v 1.490 2012/05/04 01:05:45 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.489 $) +AC_REVISION($Revision: 1.490 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3234,7 +3234,7 @@ fi AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -#include +#include #include #ifdef HAVE_SYS_TIME_H # include -- cgit v1.2.1 From 6860c9697794450a5e148f3ae53bdc0191d3eece Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 19 May 2012 04:25:39 +0000 Subject: - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch from cjwatson at debian org. --- ChangeLog | 4 ++++ configure.ac | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 06046beb..8f568e95 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20120519 + - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch + from cjwatson at debian org. + 20120504 - (dtucker) [configure.ac] Include rather than to fix building on some plaforms. Fom bowman at math utah edu and diff --git a/configure.ac b/configure.ac index 6ece6e18..bdf1d12c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.490 2012/05/04 01:05:45 dtucker Exp $ +# $Id: configure.ac,v 1.491 2012/05/19 04:25:42 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.490 $) +AC_REVISION($Revision: 1.491 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2591,7 +2591,7 @@ elif test "x$sandbox_arg" = "xdarwin" || \ AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) elif test "x$sandbox_arg" = "xseccomp_filter" || \ ( test -z "$sandbox_arg" && \ - test "x$have_seccomp_filter" == "x1" && \ + test "x$have_seccomp_filter" = "x1" && \ test "x$ac_cv_header_linux_audit_h" = "xyes" && \ test "x$have_seccomp_audit_arch" = "x1" && \ test "x$have_linux_no_new_privs" = "x1" && \ -- cgit v1.2.1 From 6e68ed945d3acfa3d3420e940f15f407ab97fd88 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 19 May 2012 05:24:37 +0000 Subject: - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find pkg-config so it does the right thing when cross-compiling. Patch from cjwatson at debian org. --- ChangeLog | 3 +++ configure.ac | 6 +++--- contrib/Makefile | 6 ++++-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8f568e95..9cdce589 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch from cjwatson at debian org. + - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find + pkg-config so it does the right thing when cross-compiling. Patch from + cjwatson at debian org. 20120504 - (dtucker) [configure.ac] Include rather than diff --git a/configure.ac b/configure.ac index bdf1d12c..02f8bf85 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.491 2012/05/19 04:25:42 dtucker Exp $ +# $Id: configure.ac,v 1.492 2012/05/19 05:24:37 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.491 $) +AC_REVISION($Revision: 1.492 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1410,7 +1410,7 @@ AC_ARG_WITH([libedit], [ --with-libedit[[=PATH]] Enable libedit support for sftp], [ if test "x$withval" != "xno" ; then if test "x$withval" = "xyes" ; then - AC_PATH_PROG([PKGCONFIG], [pkg-config], [no]) + AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) if test "x$PKGCONFIG" != "xno"; then AC_MSG_CHECKING([if $PKGCONFIG knows about libedit]) if "$PKGCONFIG" libedit; then diff --git a/contrib/Makefile b/contrib/Makefile index 8b34eb22..c6c48e78 100644 --- a/contrib/Makefile +++ b/contrib/Makefile @@ -1,3 +1,5 @@ +PKG_CONFIG = pkg-config + all: @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2" @@ -7,9 +9,9 @@ gnome-ssh-askpass1: gnome-ssh-askpass1.c `gnome-config --libs gnome gnomeui` gnome-ssh-askpass2: gnome-ssh-askpass2.c - $(CC) `pkg-config --cflags gtk+-2.0` \ + $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \ gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ - `pkg-config --libs gtk+-2.0 x11` + `$(PKG_CONFIG) --libs gtk+-2.0 x11` clean: rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass -- cgit v1.2.1 From 900c4dda8047798881f0cf94e50ec649939c0189 Mon Sep 17 00:00:00 2001 
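Review bot: `PKG_CONFIG = pkg-config` is an ordinary makefile assignment, which in both POSIX and GNU make takes precedence over a PKG_CONFIG variable exported in the environment (unless `make -e`), so a cross build that only exports PKG_CONFIG still gets the host tool and must pass `make PKG_CONFIG=...` instead. If the environment is meant to be honoured, `PKG_CONFIG ?= pkg-config` does that at the cost of being GNU-make-only; otherwise a comment saying the variable must be overridden on the command line avoids the surprise.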
From: dtucker Date: Sat, 19 May 2012 09:37:01 +0000 Subject: - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5] Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@. --- ChangeLog | 5 ++ auth.c | 7 +-- servconf.c | 163 ++++++++++++++++++++++++++++++++++++++++++++++++---------- servconf.h | 22 ++++++-- sshd.8 | 6 ++- sshd.c | 39 +++++--------- sshd_config.5 | 6 ++- 7 files changed, 181 insertions(+), 67 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9cdce589..1ed4b228 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find pkg-config so it does the right thing when cross-compiling. Patch from cjwatson at debian org. +- (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 + [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5] + Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests + to match. Feedback and ok djm@ markus@. 20120504 - (dtucker) [configure.ac] Include rather than diff --git a/auth.c b/auth.c index 97693288..a8cffd5c 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.95 2012/04/11 13:17:54 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.96 2012/05/13 01:42:32 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -545,9 +545,10 @@ getpwnamallow(const char *user) #endif #endif struct passwd *pw; + struct connection_info *ci = get_connection_info(1, options.use_dns); - parse_server_match_config(&options, user, - get_canonical_hostname(options.use_dns), get_remote_ipaddr()); + ci->user = user; + parse_server_match_config(&options, ci); #if defined(_AIX) && defined(HAVE_SETAUTHDB) aix_setauthdb(user); diff --git a/servconf.c b/servconf.c index a8a40f97..12f43c91 100644 --- a/servconf.c +++ b/servconf.c 
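Review bot: get_connection_info(1, ...) hands back a pointer to function-static storage (see the servconf.c hunk adding it), and `ci->user = user` stores the caller's `user` pointer in that static; the pointer stays there after getpwnamallow() returns, so any later reader of the shared struct sees a possibly stale string. Either reset `ci->user = NULL;` after parse_server_match_config(), or document on the struct that `user` is borrowed and valid only for the duration of the match. getpwnamallow() begins and ends outside the hunk.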
@@ -1,4 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.225 2012/04/12 02:42:32 djm Exp $ */
+
+/* $OpenBSD: servconf.c,v 1.226 2012/05/13 01:42:32 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -45,6 +46,8 @@
 #include "match.h"
 #include "channels.h"
 #include "groupaccess.h"
+#include "canohost.h"
+#include "packet.h"
 static void add_listen_addr(ServerOptions *, char *, int);
 static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -539,6 +542,20 @@ add_one_listen_addr(ServerOptions *options, char *addr, int port)
 options->listen_addrs = aitop;
 }
+struct connection_info *
+get_connection_info(int populate, int use_dns)
+{
+ static struct connection_info ci;
+
+ if (!populate)
+ return &ci;
+ ci.host = get_canonical_hostname(use_dns);
+ ci.address = get_remote_ipaddr();
+ ci.laddress = get_local_ipaddr(packet_get_connection_in());
+ ci.lport = get_local_port();
+ return &ci;
+}
+
 /*
 * The strategy for the Match blocks is that the config file is parsed twice.
 *
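Review bot: get_connection_info() has no comment explaining its contract, and the contract is easy to misuse: it returns the address of a single function-static `ci`, never sets `ci.user` (callers fill that in), and with `populate == 0` returns whatever the previous call stored (initially all zero). Suggested header comment: `/* Return the shared, static connection_info. With populate set, fill host/address/laddress/lport from the current connection; .user is left for the caller. Not reentrant. */`. Whether get_local_ipaddr(packet_get_connection_in()) and get_local_port() are safe to call before the packet layer is initialised is not visible here; if not, that precondition belongs in the same comment.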
@@ -600,20 +617,25 @@ out: return result; } +/* + * All of the attributes on a single Match line are ANDed together, so we need to check every + * attribute and set the result to zero if any attribute does not match. + */ static int -match_cfg_line(char **condition, int line, const char *user, const char *host, - const char *address) +match_cfg_line(char **condition, int line, struct connection_info *ci) { - int result = 1; + int result = 1, port; char *arg, *attrib, *cp = *condition; size_t len; - if (user == NULL) + if (ci == NULL) debug3("checking syntax for 'Match %s'", cp); else - debug3("checking match for '%s' user %s host %s addr %s", cp, - user ? user : "(null)", host ? host : "(null)", - address ? address : "(null)"); + debug3("checking match for '%s' user %s host %s addr %s " + "laddr %s lport %d", cp, ci->user ? ci->user : "(null)", + ci->host ? ci->host : "(null)", + ci->address ? ci->address : "(null)", + ci->laddress ? ci->laddress : "(null)", ci->lport); while ((attrib = strdelim(&cp)) && *attrib != '\0') { if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 
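Review bot: The new block comment above match_cfg_line() has a first line well over 80 columns (`All of the attributes on a single Match line are ANDed together, so we need to check every`), which this file otherwise keeps within KNF width; rewrap it as ` * All of the attributes on a single Match line are ANDed together, so we` / ` * need to check every attribute and set the result to zero if any attribute` / ` * does not match.` The rest of match_cfg_line() continues in the following hunks.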
@@ -622,37 +644,45 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, } len = strlen(arg); if (strcasecmp(attrib, "user") == 0) { - if (!user) { + if (ci == NULL || ci->user == NULL) { result = 0; continue; } - if (match_pattern_list(user, arg, len, 0) != 1) + if (match_pattern_list(ci->user, arg, len, 0) != 1) result = 0; else debug("user %.100s matched 'User %.100s' at " - "line %d", user, arg, line); + "line %d", ci->user, arg, line); } else if (strcasecmp(attrib, "group") == 0) { - switch (match_cfg_line_group(arg, line, user)) { + if (ci == NULL || ci->user == NULL) { + result = 0; + continue; + } + switch (match_cfg_line_group(arg, line, ci->user)) { case -1: return -1; case 0: result = 0; } } else if (strcasecmp(attrib, "host") == 0) { - if (!host) { + if (ci == NULL || ci->host == NULL) { result = 0; continue; } - if (match_hostname(host, arg, len) != 1) + if (match_hostname(ci->host, arg, len) != 1) result = 0; else debug("connection from %.100s matched 'Host " - "%.100s' at line %d", host, arg, line); + "%.100s' at line %d", ci->host, arg, line); } else if (strcasecmp(attrib, "address") == 0) { - switch (addr_match_list(address, arg)) { + if (ci == NULL || ci->address == NULL) { + result = 0; + continue; + } + switch (addr_match_list(ci->address, arg)) { case 1: debug("connection from %.100s matched 'Address " - "%.100s' at line %d", address, arg, line); + "%.100s' at line %d", ci->address, arg, line); break; case 0: case -1: 
@@ -661,12 +691,47 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
 case -2:
 return -1;
 }
+ } else if (strcasecmp(attrib, "localaddress") == 0){
+ if (ci == NULL || ci->laddress == NULL) {
+ result = 0;
+ continue;
+ }
+ switch (addr_match_list(ci->laddress, arg)) {
+ case 1:
+ debug("connection from %.100s matched "
+ "'LocalAddress %.100s' at line %d",
+ ci->laddress, arg, line);
+ break;
+ case 0:
+ case -1:
+ result = 0;
+ break;
+ case -2:
+ return -1;
+ }
+ } else if (strcasecmp(attrib, "localport") == 0) {
+ if ((port = a2port(arg)) == -1) {
+ error("Invalid LocalPort '%s' on Match line",
+ arg);
+ return -1;
+ }
+ if (ci == NULL || ci->lport == 0) {
+ result = 0;
+ continue;
+ }
+ /* TODO support port lists */
+ if (port == ci->lport)
+ debug("connection from %.100s matched "
+ "'LocalPort %d' at line %d",
+ ci->laddress, port, line);
+ else
+ result = 0;
 } else {
 error("Unsupported Match attribute %s", attrib);
 return -1;
 }
 }
- if (user != NULL)
+ if (ci != NULL)
 debug3("match %sfound", result ? "" : "not ");
 *condition = cp;
 return result;
@@ -713,8 +778,8 @@ static const struct multistate multistate_privsep[] = {
 int
 process_server_config_line(ServerOptions *options, char *line,
- const char *filename, int linenum, int *activep, const char *user,
- const char *host, const char *address)
+ const char *filename, int linenum, int *activep,
+ struct connection_info *connectinfo)
 {
 char *cp, **charptr, *arg, *p;
 int cmdline = 0, *intptr, value, value2, n;
@@ -745,7 +810,7 @@ process_server_config_line(ServerOptions *options, char *line,
 if (*activep && opcode != sMatch)
 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
- if (user == NULL) {
+ if (connectinfo == NULL) {
 fatal("%s line %d: Directive '%s' is not allowed "
 "within a Match block", filename, linenum, arg);
 } else { /* this is a directive we have already processed */
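Review bot: In the new `localport` branch the match debug() passes `ci->laddress` for `%.100s` without the NULL guard the other branches have; a test run such as `sshd -T -C user=u,host=h,addr=a,lport=22` leaves laddress NULL (parse_server_match_testspec() only sets it for `laddr=`), so a LocalPort match hands NULL to the formatter — undefined behaviour in C, printed as "(null)" only on some libcs. Use `ci->laddress ? ci->laddress : "(null)"` there, as the debug3() at the top of the function already does. Also `== 0){` on the `localaddress` line lacks the space before the brace used everywhere else. match_cfg_line() begins in an earlier hunk.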
@@ -1316,7 +1381,7 @@ process_server_config_line(ServerOptions *options, char *line, if (cmdline) fatal("Match directive not supported as a command-line " "option"); - value = match_cfg_line(&cp, linenum, user, host, address); + value = match_cfg_line(&cp, linenum, connectinfo); if (value < 0) fatal("%s line %d: Bad Match condition", filename, linenum); 
@@ -1478,16 +1543,58 @@ load_server_config(const char *filename, Buffer *conf)
 }
 void
-parse_server_match_config(ServerOptions *options, const char *user,
- const char *host, const char *address)
+parse_server_match_config(ServerOptions *options,
+ struct connection_info *connectinfo)
 {
 ServerOptions mo;
 initialize_server_options(&mo);
- parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
+ parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
 copy_set_server_options(options, &mo, 0);
 }
+int parse_server_match_testspec(struct connection_info *ci, char *spec)
+{
+ char *p;
+
+ while ((p = strsep(&spec, ",")) && *p != '\0') {
+ if (strncmp(p, "addr=", 5) == 0) {
+ ci->address = xstrdup(p + 5);
+ } else if (strncmp(p, "host=", 5) == 0) {
+ ci->host = xstrdup(p + 5);
+ } else if (strncmp(p, "user=", 5) == 0) {
+ ci->user = xstrdup(p + 5);
+ } else if (strncmp(p, "laddr=", 6) == 0) {
+ ci->laddress = xstrdup(p + 6);
+ } else if (strncmp(p, "lport=", 6) == 0) {
+ ci->lport = a2port(p + 6);
+ if (ci->lport == -1) {
+ fprintf(stderr, "Invalid port '%s' in test mode"
+ " specification %s\n", p+6, p);
+ return -1;
+ }
+ } else {
+ fprintf(stderr, "Invalid test mode specification %s\n",
+ p);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+/*
+ * returns 1 for a complete spec, 0 for partial spec and -1 for an
+ * empty spec.
+ */
+int server_match_spec_complete(struct connection_info *ci)
+{
+ if (ci->user && ci->host && ci->address)
+ return 1; /* complete */
+ if (!ci->user && !ci->host && !ci->address)
+ return -1; /* empty */
+ return 0; /* partial */
+}
+
 /* Helper macros */
 #define M_CP_INTOPT(n) do {\
 if (src->n != -1) \
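Review bot: server_match_spec_complete() only looks at user/host/address, so a spec consisting solely of `laddr=`/`lport=` is reported as "empty" (-1): sshd.c's `test_flag < 2 && ... >= 0` check then lets `-C laddr=...` pass without `-T`, and in test mode such a spec silently skips parse_server_match_config() instead of being rejected as partial. Changing the second test to `if (!ci->user && !ci->host && !ci->address && !ci->laddress && ci->lport == 0)` makes those specs "partial" and caught by the existing fatal(). This also needs reconciling with sshd.8 in this commit, which says laddr and lport are required while the code requires only user, host and addr. Style: both new functions put the return type on the definition line, unlike parse_server_match_config() just above, and strsep() on `spec` mutates the caller's optarg, which deserves a comment.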
@@ -1561,7 +1668,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) void parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, - const char *user, const char *host, const char *address) + struct connection_info *connectinfo) { int active, linenum, bad_options = 0; char *cp, *obuf, *cbuf; @@ -1569,11 +1676,11 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); obuf = cbuf = xstrdup(buffer_ptr(conf)); - active = user ? 0 : 1; + active = connectinfo ? 0 : 1; linenum = 1; while ((cp = strsep(&cbuf, "\n")) != NULL) { if (process_server_config_line(options, cp, filename, - linenum++, &active, user, host, address) != 0) + linenum++, &active, connectinfo) != 0) bad_options++; } xfree(obuf); diff --git a/servconf.h b/servconf.h index 66ba387d..2ffaecdc 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.100 2012/04/12 02:42:32 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.101 2012/05/13 01:42:32 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -170,6 +170,16 @@ typedef struct { char *version_addendum; /* Appended to SSH banner */ } ServerOptions; +/* Information about the incoming connection as used by Match */ +struct connection_info { + const char *user; + const char *host; /* possibly resolved hostname */ + const char *address; /* remote address */ + const char *laddress; /* local address */ + int lport; /* local port */ +}; + + /* * These are string config options that must be copied between the * Match sub-config and the main config, and must be sent from the 
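Review bot: `int lport;` in struct connection_info carries an unstated sentinel: match_cfg_line() treats `ci->lport == 0` as "not known", and parse_server_match_testspec() can store a2port()'s -1 into it before returning an error, so the field comment should say `int lport; /* local port; 0 = not known */`. Likewise `user` is the username the client claimed and is only set by callers, never by get_connection_info(); `const char *user; /* client-supplied username, set by caller */` would make that clear to anyone writing Match patterns.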
@@ -184,15 +194,17 @@ typedef struct { M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ } while (0) +struct connection_info *get_connection_info(int, int); void initialize_server_options(ServerOptions *); void fill_default_server_options(ServerOptions *); int process_server_config_line(ServerOptions *, char *, const char *, int, - int *, const char *, const char *, const char *); + int *, struct connection_info *); void load_server_config(const char *, Buffer *); void parse_server_config(ServerOptions *, const char *, Buffer *, - const char *, const char *, const char *); -void parse_server_match_config(ServerOptions *, const char *, const char *, - const char *); + struct connection_info *); +void parse_server_match_config(ServerOptions *, struct connection_info *); +int parse_server_match_testspec(struct connection_info *, char *); +int server_match_spec_complete(struct connection_info *); void copy_set_server_options(ServerOptions *, ServerOptions *, int); void dump_config(ServerOptions *); char *derelativise_path(const char *); diff --git a/sshd.8 b/sshd.8 index 72101570..6d79c7dd 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.264 2011/09/23 00:22:04 dtucker Exp $ -.Dd $Mdocdate: September 23 2011 $ +.\" $OpenBSD: sshd.8,v 1.265 2012/05/13 01:42:32 dtucker Exp $ +.Dd $Mdocdate: May 13 2012 $ .Dt SSHD 8 .Os .Sh NAME @@ -114,6 +114,8 @@ The connection parameters are supplied as keyword=value pairs. The keywords are .Dq user , .Dq host , +.Dq laddr , +.Dq lport , and .Dq addr . All are required and may be supplied in any order, either with multiple diff --git a/sshd.c b/sshd.c index b7066df5..7cc7044b 100644 --- a/sshd.c +++ b/sshd.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.390 2012/04/12 02:42:32 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.391 2012/05/13 01:42:32 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1325,14 +1325,14 @@ main(int ac, char **av) int opt, i, j, on = 1; int sock_in = -1, sock_out = -1, newsock = -1; const char *remote_ip; - char *test_user = NULL, *test_host = NULL, *test_addr = NULL; int remote_port; - char *line, *p, *cp; + char *line; int config_s[2] = { -1 , -1 }; u_int64_t ibytes, obytes; mode_t new_umask; Key *key; Authctxt *authctxt; + struct connection_info *connection_info = get_connection_info(0, 0); #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); @@ -1454,20 +1454,9 @@ main(int ac, char **av) test_flag = 2; break; case 'C': - cp = optarg; - while ((p = strsep(&cp, ",")) && *p != '\0') { - if (strncmp(p, "addr=", 5) == 0) - test_addr = xstrdup(p + 5); - else if (strncmp(p, "host=", 5) == 0) - test_host = xstrdup(p + 5); - else if (strncmp(p, "user=", 5) == 0) - test_user = xstrdup(p + 5); - else { - fprintf(stderr, "Invalid test " - "mode specification %s\n", p); - exit(1); - } - } + if (parse_server_match_testspec(connection_info, + optarg) == -1) + exit(1); break; case 'u': utmp_len = (u_int)strtonum(optarg, 0, MAXHOSTNAMELEN+1, NULL); @@ -1479,7 +1468,7 @@ main(int ac, char **av) case 'o': line = xstrdup(optarg); if (process_server_config_line(&options, line, - "command-line", 0, NULL, NULL, NULL, NULL) != 0) + "command-line", 0, NULL, NULL) != 0) exit(1); xfree(line); break; 
@@ -1535,13 +1524,10 @@ main(int ac, char **av) * the parameters we need. If we're not doing an extended test, * do not silently ignore connection test params. */ - if (test_flag >= 2 && - (test_user != NULL || test_host != NULL || test_addr != NULL) - && (test_user == NULL || test_host == NULL || test_addr == NULL)) + if (test_flag >= 2 && server_match_spec_complete(connection_info) == 0) fatal("user, host and addr are all required when testing " "Match configs"); - if (test_flag < 2 && (test_user != NULL || test_host != NULL || - test_addr != NULL)) + if (test_flag < 2 && server_match_spec_complete(connection_info) >= 0) fatal("Config test connection parameter (-C) provided without " "test mode (-T)"); @@ -1553,7 +1539,7 @@ main(int ac, char **av) load_server_config(config_file_name, &cfg); parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, - &cfg, NULL, NULL, NULL); + &cfg, NULL); seed_rng(); @@ -1715,9 +1701,8 @@ main(int ac, char **av) } if (test_flag > 1) { - if (test_user != NULL && test_addr != NULL && test_host != NULL) - parse_server_match_config(&options, test_user, - test_host, test_addr); + if (server_match_spec_complete(connection_info) == 1) + parse_server_match_config(&options, connection_info); dump_config(&options); } diff --git a/sshd_config.5 b/sshd_config.5 index 27ee1914..17df9e6c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.138 2012/04/12 02:43:55 djm Exp $ -.Dd $Mdocdate: April 12 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.139 2012/05/13 01:42:32 dtucker Exp $ +.Dd $Mdocdate: May 13 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -677,6 +677,8 @@ The available criteria are .Cm User , .Cm Group , .Cm Host , +.Cm LocalAddress , +.Cm LocalPort , and .Cm Address . The match patterns may consist of single entries or comma-separated -- cgit v1.2.1 From 7e95971d8a3456fe691840c8185f8e8cc28401d7 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 19 May 2012 09:37:33 +0000 Subject: - dtucker@cvs.openbsd.org 2012/05/19 06:30:30 [sshd_config.5] Document PermitOpen none. bz#2001, patch from Loganaden Velvindron --- ChangeLog | 3 +++ sshd_config.5 | 7 +++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1ed4b228..1ffcdd17 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5] Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@. + - dtucker@cvs.openbsd.org 2012/05/19 06:30:30 + [sshd_config.5] + Document PermitOpen none. bz#2001, patch from Loganaden Velvindron 20120504 - (dtucker) [configure.ac] Include rather than diff --git a/sshd_config.5 b/sshd_config.5 index 17df9e6c..ddcf51f0 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.139 2012/05/13 01:42:32 dtucker Exp $ -.Dd $Mdocdate: May 13 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.140 2012/05/19 06:30:30 dtucker Exp $ +.Dd $Mdocdate: May 19 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -802,6 +802,9 @@ Multiple forwards may be specified by separating them with whitespace. An argument of .Dq any can be used to remove all restrictions and permit any forwarding requests. +An argument of +.Dq none +can be used to prohibit all forwarding requests. By default all port forwarding requests are permitted. .It Cm PermitRootLogin Specifies whether root can log in using -- cgit v1.2.1 
From fdd3683b8e6a30c50e4a13956e855d95eeab05d4 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 11:44:56 +0000 Subject: - djm@cvs.openbsd.org 2011/12/02 00:41:56 [mux.c] fix bz#1948: ssh -f doesn't fork for multiplexed connection. ok dtucker@ --- ChangeLog | 8 ++++++++ mux.c | 5 ++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1ffcdd17..67daa548 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20120620 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/12/02 00:41:56 + [mux.c] + fix bz#1948: ssh -f doesn't fork for multiplexed connection. + ok dtucker@ + + 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch from cjwatson at debian org. diff --git a/mux.c b/mux.c index d90605eb..35108ef8 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.34 2012/01/07 21:11:36 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.32 2011/12/02 00:41:56 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -95,6 +95,7 @@ extern Buffer command; extern volatile sig_atomic_t quit_pending; extern char *stdio_forward_host; extern int stdio_forward_port; +extern int fork_after_authentication_flag; /* Context for session open confirmation callback */ struct mux_session_confirm_ctx { @@ -1800,6 +1801,8 @@ mux_client_request_session(int fd) if (tty_flag) enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); + if (fork_after_authentication_flag) + daemon(1, 1); /* * Stick around until the controlee closes the client_fd. * Before it does, it is expected to write an exit message. -- cgit v1.2.1 From 070bc9ea03542841fa720141894e40e52f0fe123 Mon Sep 17 00:00:00 2001 
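Review bot: The added `daemon(1, 1)` in mux_client_request_session discards its return value, so if the fork fails the client silently stays in the foreground, which is the opposite of what `-f` promised. Reporting it the way the non-multiplexed `-f` path presumably does (that path is not in the hunk) keeps the two consistent, e.g. `if (daemon(1, 1) == -1) error("daemon() failed: %.200s", strerror(errno));`. Note also that with both arguments set the process keeps its working directory and stdio open, which may be intended for a mux client but differs from a classic daemonize; the rest of mux_client_request_session is outside the hunk.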
From: djm Date: Wed, 20 Jun 2012 11:46:57 +0000 Subject: - djm@cvs.openbsd.org 2011/12/04 23:16:12 [mux.c] revert: > revision 1.32 > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1 > fix bz#1948: ssh -f doesn't fork for multiplexed connection. > ok dtucker@ it interacts badly with ControlPersist --- ChangeLog | 9 ++++++++- mux.c | 5 +---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 67daa548..76c6e920 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,7 +4,14 @@ [mux.c] fix bz#1948: ssh -f doesn't fork for multiplexed connection. ok dtucker@ - + - djm@cvs.openbsd.org 2011/12/04 23:16:12 + [mux.c] + revert: + > revision 1.32 + > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1 + > fix bz#1948: ssh -f doesn't fork for multiplexed connection. + > ok dtucker@ + it interacts badly with ControlPersist 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch diff --git a/mux.c b/mux.c index 35108ef8..30b4f6f9 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.32 2011/12/02 00:41:56 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.33 2011/12/04 23:16:12 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -95,7 +95,6 @@ extern Buffer command; extern volatile sig_atomic_t quit_pending; extern char *stdio_forward_host; extern int stdio_forward_port; -extern int fork_after_authentication_flag; /* Context for session open confirmation callback */ struct mux_session_confirm_ctx { @@ -1801,8 +1800,6 @@ mux_client_request_session(int fd) if (tty_flag) enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); - if (fork_after_authentication_flag) - daemon(1, 1); /* * Stick around until the controlee closes the client_fd. * Before it does, it is expected to write an exit message. -- cgit v1.2.1 From 3e3bbbd2525665fcc2c7922472acd1edbfef0a02 Mon Sep 17 00:00:00 2001 
From: djm Date: Wed, 20 Jun 2012 11:50:47 +0000 Subject: - djm@cvs.openbsd.org 2012/01/07 21:11:36 [mux.c] fix double-free in new session handler NB. Id sync only --- ChangeLog | 4 ++++ mux.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 76c6e920..419640c2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,10 @@ > fix bz#1948: ssh -f doesn't fork for multiplexed connection. > ok dtucker@ it interacts badly with ControlPersist + - djm@cvs.openbsd.org 2012/01/07 21:11:36 + [mux.c] + fix double-free in new session handler + NB. Id sync only 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch diff --git a/mux.c b/mux.c index 30b4f6f9..d90605eb 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.33 2011/12/04 23:16:12 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.34 2012/01/07 21:11:36 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * -- cgit v1.2.1 From 6c338b6cd41554a09ac8ed2ee106bb8beb86807a Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 11:51:11 +0000 Subject: - djm@cvs.openbsd.org 2012/05/23 03:28:28 [dns.c dns.h key.c key.h ssh-keygen.c] add support for RFC6594 SSHFP DNS records for ECDSA key types. patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ --- ChangeLog | 4 +++ dns.c | 103 +++++++++++++++++++++++++++++++++++++++-------------------- dns.h | 15 +++++---- key.c | 5 ++- key.h | 5 +-- ssh-keygen.c | 4 ++- 6 files changed, 92 insertions(+), 44 deletions(-) diff --git a/ChangeLog b/ChangeLog index 419640c2..f0356d32 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ [mux.c] fix double-free in new session handler NB. Id sync only + - djm@cvs.openbsd.org 2012/05/23 03:28:28 + [dns.c dns.h key.c key.h ssh-keygen.c] + add support for RFC6594 SSHFP DNS records for ECDSA key types. + patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch 
diff --git a/dns.c b/dns.c index 131cb3d8..9e3084ba 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.27 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: dns.c,v 1.28 2012/05/23 03:28:28 djm Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -78,27 +78,46 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, u_char **digest, u_int *digest_len, Key *key) { int success = 0; + enum fp_type fp_type = 0; switch (key->type) { case KEY_RSA: *algorithm = SSHFP_KEY_RSA; + if (!*digest_type) + *digest_type = SSHFP_HASH_SHA1; break; case KEY_DSA: *algorithm = SSHFP_KEY_DSA; + if (!*digest_type) + *digest_type = SSHFP_HASH_SHA1; + break; + case KEY_ECDSA: + *algorithm = SSHFP_KEY_ECDSA; + if (!*digest_type) + *digest_type = SSHFP_HASH_SHA256; break; - /* XXX KEY_ECDSA */ default: *algorithm = SSHFP_KEY_RESERVED; /* 0 */ + *digest_type = SSHFP_HASH_RESERVED; /* 0 */ + } + + switch (*digest_type) { + case SSHFP_HASH_SHA1: + fp_type = SSH_FP_SHA1; + break; + case SSHFP_HASH_SHA256: + fp_type = SSH_FP_SHA256; + break; + default: + *digest_type = SSHFP_HASH_RESERVED; /* 0 */ } - if (*algorithm) { - *digest_type = SSHFP_HASH_SHA1; - *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len); + if (*algorithm && *digest_type) { + *digest = key_fingerprint_raw(key, fp_type, digest_len); if (*digest == NULL) fatal("dns_read_key: null from key_fingerprint_raw()"); success = 1; } else { - *digest_type = SSHFP_HASH_RESERVED; *digest = NULL; *digest_len = 0; success = 0; @@ -180,7 +199,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, struct rrsetinfo *fingerprints = NULL; u_int8_t hostkey_algorithm; - u_int8_t hostkey_digest_type; + u_int8_t hostkey_digest_type = SSHFP_HASH_RESERVED; u_char *hostkey_digest; u_int hostkey_digest_len; 
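Review bot: `*digest_type` has become an in/out parameter of dns_read_key() — a zero (SSHFP_HASH_RESERVED) on entry is replaced by the key type's default digest, a non-zero value is honoured — but nothing above the function says so, and callers in this same commit rely on it (verify_host_key_dns initialises its copy to SSHFP_HASH_RESERVED for exactly this reason). A header comment such as `/* On entry *digest_type selects the hash; SSHFP_HASH_RESERVED means "use the key type's default". Unsupported key/digest combinations return 0 with *digest set to NULL. */` would document that contract. Separately, `enum fp_type fp_type = 0;` is an implicit SSH_FP_SHA1 (the first enumerator in key.h), so after the second switch's `default:` the variable still looks like a valid selector; the code is only correct because the `*algorithm && *digest_type` guard keeps key_fingerprint_raw() from being called in that case, which deserves a comment on the guard. The function's closing lines are outside the hunk.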
@@ -216,7 +235,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, fingerprints->rri_nrdatas); } - /* Initialize host key parameters */ + /* Initialize default host key parameters */ if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, &hostkey_digest, &hostkey_digest_len, hostkey)) { error("Error calculating host key fingerprint."); @@ -240,16 +259,27 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, continue; } + if (hostkey_digest_type != dnskey_digest_type) { + hostkey_digest_type = dnskey_digest_type; + xfree(hostkey_digest); + + /* Initialize host key parameters */ + if (!dns_read_key(&hostkey_algorithm, + &hostkey_digest_type, &hostkey_digest, + &hostkey_digest_len, hostkey)) { + error("Error calculating key fingerprint."); + freerrset(fingerprints); + return -1; + } + } + /* Check if the current key is the same as the given key */ if (hostkey_algorithm == dnskey_algorithm && hostkey_digest_type == dnskey_digest_type) { - if (hostkey_digest_len == dnskey_digest_len && - memcmp(hostkey_digest, dnskey_digest, - hostkey_digest_len) == 0) { - + timingsafe_bcmp(hostkey_digest, dnskey_digest, + hostkey_digest_len) == 0) *flags |= DNS_VERIFY_MATCH; - } } xfree(dnskey_digest); } 
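Review bot: An SSHFP record carrying a digest type this client cannot compute now aborts verify_host_key_dns() with -1 — dns_read_key() resets such a type to SSHFP_HASH_RESERVED and returns 0 — so one unrecognised record in a zone prevents every remaining record, including a matching one, from being considered, and the early `return -1` also leaks `dnskey_digest`, which is only freed at the bottom of the loop. Treating such records like the parse failures a few lines above (log and `continue`) keeps verification going; doing the recomputation into temporaries and only replacing `hostkey_digest` on success avoids leaving the host-key state NULL, which matters if this tree's xfree() is not NULL-tolerant. The enclosing function starts and ends outside the hunk. A sketch (declarations would move to the top of the block per the file's style):

```c
			if (hostkey_digest_type != dnskey_digest_type) {
				u_int8_t new_digest_type = dnskey_digest_type;
				u_char *new_digest;
				u_int new_digest_len;

				/* Recompute our fingerprint with this record's digest type */
				if (!dns_read_key(&hostkey_algorithm,
				    &new_digest_type, &new_digest,
				    &new_digest_len, hostkey)) {
					/* Digest type we cannot compute: ignore this record */
					error("Unsupported SSHFP digest type %d in DNS record.",
					    dnskey_digest_type);
					xfree(dnskey_digest);
					continue;
				}
				xfree(hostkey_digest);
				hostkey_digest = new_digest;
				hostkey_digest_len = new_digest_len;
				hostkey_digest_type = new_digest_type;
			}
			/* … unchanged: algorithm/digest comparison and xfree(dnskey_digest) … */
```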
@@ -275,31 +305,36 @@ int export_dns_rr(const char *hostname, Key *key, FILE *f, int generic) { u_int8_t rdata_pubkey_algorithm = 0; - u_int8_t rdata_digest_type = SSHFP_HASH_SHA1; + u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED; + u_int8_t dtype; u_char *rdata_digest; - u_int rdata_digest_len; - - u_int i; + u_int i, rdata_digest_len; int success = 0; - if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, - &rdata_digest, &rdata_digest_len, key)) { - - if (generic) - fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname, - DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len, - rdata_pubkey_algorithm, rdata_digest_type); - else - fprintf(f, "%s IN SSHFP %d %d ", hostname, - rdata_pubkey_algorithm, rdata_digest_type); + for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) { + rdata_digest_type = dtype; + if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, + &rdata_digest, &rdata_digest_len, key)) { + if (generic) { + fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", + hostname, DNS_RDATATYPE_SSHFP, + 2 + rdata_digest_len, + rdata_pubkey_algorithm, rdata_digest_type); + } else { + fprintf(f, "%s IN SSHFP %d %d ", hostname, + rdata_pubkey_algorithm, rdata_digest_type); + } + for (i = 0; i < rdata_digest_len; i++) + fprintf(f, "%02x", rdata_digest[i]); + fprintf(f, "\n"); + xfree(rdata_digest); /* from key_fingerprint_raw() */ + success = 1; + } + } - for (i = 0; i < rdata_digest_len; i++) - fprintf(f, "%02x", rdata_digest[i]); - fprintf(f, "\n"); - xfree(rdata_digest); /* from key_fingerprint_raw() */ - success = 1; - } else { - error("export_dns_rr: unsupported algorithm"); + /* No SSHFP record was generated at all */ + if (success == 0) { + error("%s: unsupported algorithm and/or digest_type", __func__); } return success; diff --git a/dns.h b/dns.h index 90cfd7b9..d5f42817 100644 --- a/dns.h +++ b/dns.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: dns.h,v 1.11 2010/02/26 20:29:54 djm Exp $ */ +/* $OpenBSD: dns.h,v 1.12 2012/05/23 03:28:28 djm Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -29,14 +29,17 @@ #define DNS_H enum sshfp_types { - SSHFP_KEY_RESERVED, - SSHFP_KEY_RSA, - SSHFP_KEY_DSA + SSHFP_KEY_RESERVED = 0, + SSHFP_KEY_RSA = 1, + SSHFP_KEY_DSA = 2, + SSHFP_KEY_ECDSA = 3 }; enum sshfp_hashes { - SSHFP_HASH_RESERVED, - SSHFP_HASH_SHA1 + SSHFP_HASH_RESERVED = 0, + SSHFP_HASH_SHA1 = 1, + SSHFP_HASH_SHA256 = 2, + SSHFP_HASH_MAX = 3 }; #define DNS_RDATACLASS_IN 1 diff --git a/key.c b/key.c index 5cc4132c..8ef0b7e3 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.98 2011/10/18 04:58:26 djm Exp $ */ +/* $OpenBSD: key.c,v 1.99 2012/05/23 03:28:28 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -342,6 +342,9 @@ key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) case SSH_FP_SHA1: md = EVP_sha1(); break; + case SSH_FP_SHA256: + md = EVP_sha256(); + break; default: fatal("key_fingerprint_raw: bad digest type %d", dgst_type); diff --git a/key.h b/key.h index ec5ac5eb..39e5577f 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.33 2010/10/28 11:22:09 djm Exp $ */ +/* $OpenBSD: key.h,v 1.34 2012/05/23 03:28:28 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -48,7 +48,8 @@ enum types { }; enum fp_type { SSH_FP_SHA1, - SSH_FP_MD5 + SSH_FP_MD5, + SSH_FP_SHA256 }; enum fp_rep { SSH_FP_HEX, diff --git a/ssh-keygen.c b/ssh-keygen.c index c5130c86..9407321d 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.213 2012/02/29 11:21:26 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.214 2012/05/23 03:28:28 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
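Review bot: `SSHFP_HASH_MAX = 3` is added to `enum sshfp_hashes` as a loop bound (export_dns_rr in dns.c iterates `dtype < SSHFP_HASH_MAX`) but it is not a wire value, and nothing in the header says it must remain the last enumerator when another digest type is registered. A comment on the line, `SSHFP_HASH_MAX = 3 /* not a wire value: keep last, bounds the digest-type loop in dns.c */`, prevents a future addition from being silently skipped by the export loop or, worse, emitted on the wire.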
@@ -2194,6 +2194,8 @@ main(int argc, char **argv) _PATH_HOST_RSA_KEY_FILE, rr_hostname); n += do_print_resource_record(pw, _PATH_HOST_DSA_KEY_FILE, rr_hostname); + n += do_print_resource_record(pw, + _PATH_HOST_ECDSA_KEY_FILE, rr_hostname); if (n == 0) fatal("no keys found."); -- cgit v1.2.1 From 7eeff159025936bc875ebbf640614f2100c1c62a Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 11:51:29 +0000 Subject: - djm@cvs.openbsd.org 2012/06/01 00:49:35 [PROTOCOL.mux] correct types of port numbers (integers, not strings); bz#2004 from bert.wesarg AT googlemail.com --- ChangeLog | 4 ++++ PROTOCOL.mux | 10 +++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index f0356d32..cd7b523f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,10 @@ [dns.c dns.h key.c key.h ssh-keygen.c] add support for RFC6594 SSHFP DNS records for ECDSA key types. patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ + - djm@cvs.openbsd.org 2012/06/01 00:49:35 + [PROTOCOL.mux] + correct types of port numbers (integers, not strings); bz#2004 from + bert.wesarg AT googlemail.com 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch diff --git a/PROTOCOL.mux b/PROTOCOL.mux index 49cbe5b4..b5832561 100644 --- a/PROTOCOL.mux +++ b/PROTOCOL.mux @@ -110,9 +110,9 @@ A client may request the master to establish a port forward: uint32 request id uint32 forwarding type string listen host - string listen port + uint32 listen port string connect host - string connect port + uint32 connect port forwarding type may be MUX_FWD_LOCAL, MUX_FWD_REMOTE, MUX_FWD_DYNAMIC. @@ -135,9 +135,9 @@ A client may request the master to close a port forward: uint32 request id uint32 forwarding type string listen host - string listen port + uint32 listen port string connect host - string connect port + uint32 connect port A server may reply with a MUX_S_OK, a MUX_S_PERMISSION_DENIED or a MUX_S_FAILURE. 
@@ -219,4 +219,4 @@ XXX inject packet (what about replies) XXX server->client error/warning notifications XXX send signals via mux -$OpenBSD: PROTOCOL.mux,v 1.8 2011/09/09 00:44:07 djm Exp $ +$OpenBSD: PROTOCOL.mux,v 1.9 2012/06/01 00:49:35 djm Exp $ -- cgit v1.2.1 From 8cefd9d71692db4d8222f15e17d4645db7c57980 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 11:52:00 +0000 Subject: - djm@cvs.openbsd.org 2012/06/01 01:01:22 [mux.c] fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg AT googlemail.com --- ChangeLog | 4 ++++ mux.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index cd7b523f..72a50c72 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,10 @@ [PROTOCOL.mux] correct types of port numbers (integers, not strings); bz#2004 from bert.wesarg AT googlemail.com + - djm@cvs.openbsd.org 2012/06/01 01:01:22 + [mux.c] + fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg + AT googlemail.com 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch diff --git a/mux.c b/mux.c index d90605eb..3dd5e262 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.34 2012/01/07 21:11:36 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.35 2012/06/01 01:01:22 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -1195,6 +1195,7 @@ muxserver_listen(void) close(muxserver_sock); muxserver_sock = -1; } + xfree(orig_control_path); xfree(options.control_path); options.control_path = NULL; options.control_master = SSHCTL_MASTER_NO; @@ -1216,7 +1217,6 @@ muxserver_listen(void) } error("ControlSocket %s already exists, disabling multiplexing", orig_control_path); - xfree(orig_control_path); unlink(options.control_path); goto disable_mux_master; } -- cgit v1.2.1 From a21b4f6cda17ecd039599b9aa84b6584a676fcca Mon Sep 17 00:00:00 2001 
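Review bot: Moving `xfree(orig_control_path)` into the `disable_mux_master` cleanup block fixes the leak on the socket-creation path, but it makes every `goto disable_mux_master` responsible for having assigned `orig_control_path` first; if any jump precedes the xstrdup() (the start of muxserver_listen() is outside the hunk), xfree() on an unassigned pointer turns a leak into a crash. Worth confirming, and a comment at the label records the invariant: `/* orig_control_path is always set here: every goto follows its xstrdup() */`.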
From: djm Date: Wed, 20 Jun 2012 11:52:18 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/18 11:43:53 [jpake.c] correct sizeof usage. patch from saw at online.de, ok deraadt --- ChangeLog | 3 +++ jpake.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 72a50c72..32eb1dfc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,9 @@ [mux.c] fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg AT googlemail.com + - dtucker@cvs.openbsd.org 2012/06/18 11:43:53 + [jpake.c] + correct sizeof usage. patch from saw at online.de, ok deraadt 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch diff --git a/jpake.c b/jpake.c index ac9a4bc3..b010dafa 100644 --- a/jpake.c +++ b/jpake.c @@ -1,4 +1,4 @@ -/* $OpenBSD: jpake.c,v 1.6 2010/09/20 04:54:07 djm Exp $ */ +/* $OpenBSD: jpake.c,v 1.7 2012/06/18 11:43:53 dtucker Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -133,7 +133,7 @@ jpake_free(struct jpake_ctx *pctx) #undef JPAKE_BN_CLEAR_FREE #undef JPAKE_BUF_CLEAR_FREE - bzero(pctx, sizeof(pctx)); + bzero(pctx, sizeof(*pctx)); xfree(pctx); } -- cgit v1.2.1 From aec424312a6d2725525cf40c3700c8fcda3ba1ea Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 11:52:38 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/18 11:49:58 [ssh_config.5] RSA instead of DSA twice. From Steve.McClellan at radisys com --- ChangeLog | 3 +++ ssh_config.5 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 32eb1dfc..47b1c165 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,9 @@ - dtucker@cvs.openbsd.org 2012/06/18 11:43:53 [jpake.c] correct sizeof usage. patch from saw at online.de, ok deraadt + - dtucker@cvs.openbsd.org 2012/06/18 11:49:58 + [ssh_config.5] + RSA instead of DSA twice. From Steve.McClellan at radisys com 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch 
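Review bot: `bzero(pctx, sizeof(*pctx))` now wipes the whole context, but because the object is handed to xfree() on the very next line a compiler performing dead-store elimination is permitted to drop the bzero, so the secrets in `struct jpake_ctx` may still survive in freed memory. If the intent is scrubbing, a wipe the optimiser cannot remove (a `volatile`-qualified store loop or whatever explicit-zeroing primitive this tree provides) is the safer choice; at minimum a comment `/* scrub secrets before release; plain bzero may be elided */` records the intent. The JPAKE_*_CLEAR_FREE macros above presumably handle the BIGNUM and Buffer members already; they are outside the hunk.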
diff --git a/ssh_config.5 b/ssh_config.5 index 78a542dc..c9917d25 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.154 2011/09/09 00:43:00 djm Exp $ -.Dd $Mdocdate: September 9 2011 $ +.\" $OpenBSD: ssh_config.5,v 1.155 2012/06/18 11:49:58 dtucker Exp $ +.Dd $Mdocdate: June 18 2012 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -612,7 +612,7 @@ offers many different identities. The default is .Dq no . .It Cm IdentityFile -Specifies a file from which the user's DSA, ECDSA or DSA authentication +Specifies a file from which the user's DSA, ECDSA or RSA authentication identity is read. The default is .Pa ~/.ssh/identity -- cgit v1.2.1 From d54c1615bc646912379d54e15af24e24a8dc5596 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 11:52:58 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/18 12:07:07 [ssh.1 sshd.8] Remove mention of 'three' key files since there are now four. From Steve.McClellan at radisys com. --- ChangeLog | 4 ++++ ssh.1 | 6 +++--- sshd.8 | 8 ++++---- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 47b1c165..25c46c1c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,10 @@ - dtucker@cvs.openbsd.org 2012/06/18 11:49:58 [ssh_config.5] RSA instead of DSA twice. From Steve.McClellan at radisys com + - dtucker@cvs.openbsd.org 2012/06/18 12:07:07 + [ssh.1 sshd.8] + Remove mention of 'three' key files since there are now four. From + Steve.McClellan at radisys com. 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch diff --git a/ssh.1 b/ssh.1 index 20783403..71beefc1 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.324 2012/04/20 16:26:22 jmc Exp $ -.Dd $Mdocdate: April 20 2012 $ +.\" $OpenBSD: ssh.1,v 1.325 2012/06/18 12:07:07 dtucker Exp $ +.Dd $Mdocdate: June 18 2012 $ .Dt SSH 1 .Os .Sh NAME @@ -1375,7 +1375,7 @@ The file format and configuration options are described in .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key .It Pa /etc/ssh/ssh_host_rsa_key -These three files contain the private parts of the host keys +These files contain the private parts of the host keys and are used for host-based authentication. If protocol version 1 is used, .Nm diff --git a/sshd.8 b/sshd.8 index 6d79c7dd..a1a74d86 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.265 2012/05/13 01:42:32 dtucker Exp $ -.Dd $Mdocdate: May 13 2012 $ +.\" $OpenBSD: sshd.8,v 1.266 2012/06/18 12:07:07 dtucker Exp $ +.Dd $Mdocdate: June 18 2012 $ .Dt SSHD 8 .Os .Sh NAME @@ -886,7 +886,7 @@ rlogin/rsh. .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key .It Pa /etc/ssh/ssh_host_rsa_key -These three files contain the private parts of the host keys. +These files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not accessible to others. Note that 
@@ -897,7 +897,7 @@ does not start if these files are group/world-accessible. .It Pa /etc/ssh/ssh_host_dsa_key.pub .It Pa /etc/ssh/ssh_host_ecdsa_key.pub .It Pa /etc/ssh/ssh_host_rsa_key.pub -These three files contain the public parts of the host keys. +These files contain the public parts of the host keys. These files should be world-readable but writable only by root. Their contents should match the respective private parts. -- cgit v1.2.1 From 3ba344db17513559fe934d13bedccd40e1ea9bb6 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 11:53:25 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/18 12:17:18 [ssh.1] Clarify description of -W. Noted by Steve.McClellan at radisys com, ok jmc --- ChangeLog | 4 ++++ ssh.1 | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 25c46c1c..df10ce09 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,10 @@ [ssh.1 sshd.8] Remove mention of 'three' key files since there are now four. From Steve.McClellan at radisys com. + - dtucker@cvs.openbsd.org 2012/06/18 12:17:18 + [ssh.1] + Clarify description of -W. Noted by Steve.McClellan at radisys com, + ok jmc 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch diff --git a/ssh.1 b/ssh.1 index 71beefc1..eaf5d83d 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.325 2012/06/18 12:07:07 dtucker Exp $ +.\" $OpenBSD: ssh.1,v 1.326 2012/06/18 12:17:18 dtucker Exp $ .Dd $Mdocdate: June 18 2012 $ .Dt SSH 1 .Os @@ -587,8 +587,8 @@ Implies .Fl T , .Cm ExitOnForwardFailure and -.Cm ClearAllForwardings -and works with Protocol version 2 only. +.Cm ClearAllForwardings . +Works with Protocol version 2 only. .It Fl w Xo .Ar local_tun Ns Op : Ns Ar remote_tun .Xc -- cgit v1.2.1 
From 805955628d0798e62d252bfe379e8cfccfb44389 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 11:53:58 +0000 Subject: - markus@cvs.openbsd.org 2012/06/19 18:25:28 [servconf.c servconf.h sshd_config.5] sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' ok djm@ (back in March) --- ChangeLog | 5 +++++ servconf.c | 25 +++++++++++++++++-------- servconf.h | 7 ++++++- sshd_config.5 | 13 +++++++++---- 4 files changed, 37 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index df10ce09..331a34f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,11 @@ [ssh.1] Clarify description of -W. Noted by Steve.McClellan at radisys com, ok jmc + - markus@cvs.openbsd.org 2012/06/19 18:25:28 + [servconf.c servconf.h sshd_config.5] + sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} + this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' + ok djm@ (back in March) 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch diff --git a/servconf.c b/servconf.c index 12f43c91..eccfbad4 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.226 2012/05/13 01:42:32 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.227 2012/06/19 18:25:27 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -420,10 +420,10 @@ static struct { { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, - { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, - { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, - { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, - { "denygroups", sDenyGroups, SSHCFG_GLOBAL }, + { "allowusers", sAllowUsers, SSHCFG_ALL }, + { "denyusers", sDenyUsers, SSHCFG_ALL }, + { "allowgroups", sAllowGroups, SSHCFG_ALL }, + { "denygroups", sDenyGroups, SSHCFG_ALL }, { "ciphers", sCiphers, SSHCFG_GLOBAL }, { "macs", sMacs, SSHCFG_GLOBAL }, { "protocol", sProtocol, SSHCFG_GLOBAL }, @@ -441,7 +441,7 @@ static struct { { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, - { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, + { "acceptenv", sAcceptEnv, SSHCFG_ALL }, { "permittunnel", sPermitTunnel, SSHCFG_ALL }, { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, @@ -1148,6 +1148,8 @@ process_server_config_line(ServerOptions *options, char *line, if (options->num_allow_users >= MAX_ALLOW_USERS) fatal("%s line %d: too many allow users.", filename, linenum); + if (!*activep) + continue; options->allow_users[options->num_allow_users++] = xstrdup(arg); } @@ -1158,6 +1160,8 @@ process_server_config_line(ServerOptions *options, char *line, if (options->num_deny_users >= MAX_DENY_USERS) fatal("%s line %d: too many deny users.", filename, linenum); + if (!*activep) + continue; options->deny_users[options->num_deny_users++] = xstrdup(arg); } 
@@ -1168,6 +1172,8 @@ process_server_config_line(ServerOptions *options, char *line, if (options->num_allow_groups >= MAX_ALLOW_GROUPS) fatal("%s line %d: too many allow groups.", filename, linenum); + if (!*activep) + continue; options->allow_groups[options->num_allow_groups++] = xstrdup(arg); } @@ -1178,7 +1184,10 @@ process_server_config_line(ServerOptions *options, char *line, if (options->num_deny_groups >= MAX_DENY_GROUPS) fatal("%s line %d: too many deny groups.", filename, linenum); - options->deny_groups[options->num_deny_groups++] = xstrdup(arg); + if (!*activep) + continue; + options->deny_groups[options->num_deny_groups++] = + xstrdup(arg); } break; @@ -1352,7 +1361,7 @@ process_server_config_line(ServerOptions *options, char *line, fatal("%s line %d: too many allow env.", filename, linenum); if (!*activep) - break; + continue; options->accept_env[options->num_accept_env++] = xstrdup(arg); } diff --git a/servconf.h b/servconf.h index 2ffaecdc..c2eeed66 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.101 2012/05/13 01:42:32 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.102 2012/06/19 18:25:28 markus Exp $ */ /* * Author: Tatu Ylonen @@ -192,6 +192,11 @@ struct connection_info { M_CP_STROPT(revoked_keys_file); \ M_CP_STROPT(authorized_principals_file); \ M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ + M_CP_STRARRAYOPT(allow_users, num_allow_users); \ + M_CP_STRARRAYOPT(deny_users, num_deny_users); \ + M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \ + M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \ + M_CP_STRARRAYOPT(accept_env, num_accept_env); \ } while (0) struct connection_info *get_connection_info(int, int); diff --git a/sshd_config.5 b/sshd_config.5 index ddcf51f0..9ef0bcaa 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
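Review bot: With AllowUsers/DenyUsers/AllowGroups/DenyGroups now accepted inside a Match block, the security-relevant question is whether the Match-scoped list replaces or extends the global one, and that is decided entirely by the five new `M_CP_STRARRAYOPT` lines in servconf.h, whose copy semantics are not visible here; if the macro replaces the array, a `Match` block's DenyUsers silently drops a global DenyUsers for matching connections, which an administrator is unlikely to expect. A comment on that macro block, `/* NOTE: these lists are copied from the Match block as a whole — state whether that replaces or appends to the global list */` (filled in with the actual behaviour), and a sentence in the sshd_config.5 Match section saying the same, would close the gap; the same point applies to the sshd_config.5 hunk later in this commit. The four new `if (!*activep) continue;` guards in servconf.c sit after the MAX_* limit check, consistent with the AcceptEnv case they mirror; process_server_config_line() starts and ends outside the hunk.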
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.140 2012/05/19 06:30:30 dtucker Exp $ -.Dd $Mdocdate: May 19 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.141 2012/06/19 18:25:28 markus Exp $ +.Dd $Mdocdate: June 19 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -707,15 +707,20 @@ Only a subset of keywords may be used on the lines following a .Cm Match keyword. Available keywords are +.Cm AcceptEnv .Cm AllowAgentForwarding , +.Cm AllowGroups . .Cm AllowTcpForwarding , +.Cm AllowUsers , .Cm AuthorizedKeysFile , .Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , +.Cm DenyGroups , +.Cm DenyUsers , .Cm ForceCommand , -.Cm GatewayPorts , .Cm GSSAPIAuthentication , +.Cm GatewayPorts , .Cm HostbasedAuthentication , .Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , @@ -728,8 +733,8 @@ Available keywords are .Cm PermitRootLogin , .Cm PermitTunnel , .Cm PubkeyAuthentication , -.Cm RhostsRSAAuthentication , .Cm RSAAuthentication , +.Cm RhostsRSAAuthentication , .Cm X11DisplayOffset , .Cm X11Forwarding and -- cgit v1.2.1 From a927123bef06912df55289841084bce1795de010 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 11:54:15 +0000 Subject: - jmc@cvs.openbsd.org 2012/06/19 21:35:54 [sshd_config.5] tweak previous; ok markus --- ChangeLog | 3 +++ sshd_config.5 | 10 +++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 331a34f8..d1ad692e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -47,6 +47,9 @@ sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' ok djm@ (back in March) + - jmc@cvs.openbsd.org 2012/06/19 21:35:54 + [sshd_config.5] + tweak previous; ok markus 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch 
diff --git a/sshd_config.5 b/sshd_config.5 index 9ef0bcaa..1b9ffad4 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.141 2012/06/19 18:25:28 markus Exp $ +.\" $OpenBSD: sshd_config.5,v 1.142 2012/06/19 21:35:54 jmc Exp $ .Dd $Mdocdate: June 19 2012 $ .Dt SSHD_CONFIG 5 .Os @@ -707,9 +707,9 @@ Only a subset of keywords may be used on the lines following a .Cm Match keyword. Available keywords are -.Cm AcceptEnv +.Cm AcceptEnv , .Cm AllowAgentForwarding , -.Cm AllowGroups . +.Cm AllowGroups , .Cm AllowTcpForwarding , .Cm AllowUsers , .Cm AuthorizedKeysFile , @@ -719,8 +719,8 @@ Available keywords are .Cm DenyGroups , .Cm DenyUsers , .Cm ForceCommand , -.Cm GSSAPIAuthentication , .Cm GatewayPorts , +.Cm GSSAPIAuthentication , .Cm HostbasedAuthentication , .Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , @@ -733,8 +733,8 @@ Available keywords are .Cm PermitRootLogin , .Cm PermitTunnel , .Cm PubkeyAuthentication , -.Cm RSAAuthentication , .Cm RhostsRSAAuthentication , +.Cm RSAAuthentication , .Cm X11DisplayOffset , .Cm X11Forwarding and -- cgit v1.2.1 From 58a808829fda2c35cef88f2f0d78261161678d1a Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Jun 2012 12:31:26 +0000 Subject: - djm@cvs.openbsd.org 2012/06/20 04:42:58 [clientloop.c serverloop.c] initialise accept() backoff timer to avoid EINVAL from select(2) in rekeying --- ChangeLog | 4 ++++ clientloop.c | 4 ++-- serverloop.c | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index d1ad692e..6f9031ff 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -50,6 +50,10 @@ - jmc@cvs.openbsd.org 2012/06/19 21:35:54 [sshd_config.5] tweak previous; ok markus + - djm@cvs.openbsd.org 2012/06/20 04:42:58 + [clientloop.c serverloop.c] + initialise accept() backoff timer to avoid EINVAL from select(2) in + rekeying 20120519 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch diff --git a/clientloop.c b/clientloop.c index 58357cf3..1c1a7708 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.239 2012/04/11 13:16:19 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.240 2012/06/20 04:42:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -583,7 +583,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, { struct timeval tv, *tvp; int timeout_secs; - time_t minwait_secs; + time_t minwait_secs = 0; int ret; /* Add any selections by the channel mechanism. */ diff --git a/serverloop.c b/serverloop.c index 50be16b7..741c5bef 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.161 2012/04/11 13:16:19 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -281,7 +281,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, { struct timeval tv, *tvp; int ret; - time_t minwait_secs; + time_t minwait_secs = 0; int client_alive_scheduled = 0; int program_alive_scheduled = 0; -- cgit v1.2.1 From d1ecf2c24863b4233005d832b22a8c0895068f55 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 22 Jun 2012 12:02:42 +0000 Subject: - (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as can logon as a service. Patch from vinschen at redhat com. --- ChangeLog | 4 ++++ contrib/cygwin/ssh-host-config | 1 + 2 files changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index 6f9031ff..499d3d2a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,7 @@
+20120622
+ - (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as
+ can logon as a service. Patch from vinschen at redhat com.
+
 20120620
 - (djm) OpenBSD CVS Sync
 - djm@cvs.openbsd.org 2011/12/02 00:41:56
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 3ac39a62..3c9046f5 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -493,6 +493,7 @@ install_service() {
 -a "-D" -y tcpip "${cygwin_env[@]}" \
 -u "${run_service_as}" -w "${password}"
 then
+ /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
 echo
 csih_inform "The sshd service has been installed under the '${run_service_as}'"
 csih_inform "account. To start the service now, call \`net start sshd' or"
-- cgit v1.2.1
From 8435aa790c348339bf2c3561a659f13f22a9d4e0 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 28 Jun 2012 05:21:32 +0000 Subject: - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null pointer deref in the client when built with LDNS and using DNSSEC with a CNAME. Patch from gregdlg+mr at hochet info. --- ChangeLog | 5 +++++ openbsd-compat/getrrsetbyname-ldns.c | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 499d3d2a..1de0165b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20120628
+ - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null
+ pointer deref in the client when built with LDNS and using DNSSEC with a
+ CNAME. Patch from gregdlg+mr at hochet info.
+
 20120622
 - (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as
 can logon as a service. Patch from vinschen at redhat com.
diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c
index 8ce5678c..19666346 100644
--- a/openbsd-compat/getrrsetbyname-ldns.c
+++ b/openbsd-compat/getrrsetbyname-ldns.c
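Review bot: The new `/usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight` line in install_service() ignores its exit status, so if editrights is absent or cannot grant the right, the script still reports that the service was installed, and the account presumably cannot log on as a service when it is first started — the very condition the commit sets out to prevent. Checking the result and reporting it through the helper the script already uses closes that gap: `/usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight || csih_inform "Could not grant SeServiceLogonRight to '${run_service_as}'; the service may fail to start."`. Whether a stronger severity helper exists in this script is not visible in the hunk; install_service() continues outside it.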
@@ -205,7 +205,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 }
 if (rr->_rr_class == rrset->rri_rdclass &&
- rr->_rr_type == LDNS_RR_TYPE_RRSIG) {
+ rr->_rr_type == LDNS_RR_TYPE_RRSIG &&
+ rrset->rri_sigs) {
 rdata = &rrset->rri_sigs[index_sig++];
 }
-- cgit v1.2.1
From 7a674cea4ddfc728737deb2705decdc9c44b0ca6 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 29 Jun 2012 22:32:29 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/21 00:16:07 [addrmatch.c] fix strlcpy truncation check. from carsten at debian org, ok markus --- ChangeLog | 6 ++++++ addrmatch.c | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 1de0165b..448c968c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+20120629
+ - OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2012/06/21 00:16:07
+ [addrmatch.c]
+ fix strlcpy truncation check. from carsten at debian org, ok markus
+
 20120628
 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null
 pointer deref in the client when built with LDNS and using DNSSEC with a
diff --git a/addrmatch.c b/addrmatch.c
index 5b6773cc..388603ca 100644
--- a/addrmatch.c
+++ b/addrmatch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: addrmatch.c,v 1.5 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */
 /*
 * Copyright (c) 2004-2008 Damien Miller
@@ -318,7 +318,7 @@ addr_pton_cidr(const char *p, struct xaddr *n, u_int *l)
 char addrbuf[64], *mp, *cp;
 /* Don't modify argument */
- if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) > sizeof(addrbuf))
+ if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) >= sizeof(addrbuf))
 return -1;
 if ((mp = strchr(addrbuf, '/')) != NULL) {
-- cgit v1.2.1
From ce074902881d5a5db0c24ab1902f4858fb34d5bd Mon Sep 17 00:00:00 2001
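Review bot: The added `rrset->rri_sigs` test in the `@@ -205,7 +205,8 @@` hunk removes the NULL dereference, but the element taken on the next line, `rdata = &rrset->rri_sigs[index_sig++];`, is still not bounded by the number of signatures the earlier allocation pass counted. The CNAME case shows that the counting pass and this loop can disagree about the RRSIGs in the answer, and when they disagree by count rather than by NULL-ness the index runs past the allocation. Adding the bound to the same condition — `index_sig < rrset->rri_nsigs`, if that is the count field the allocation uses (it is outside this hunk) — turns that into a skipped record, and a `debug()` on the skip would make DNSSEC lookup failures for such hosts diagnosable rather than silent. getrrsetbyname continues outside the hunk.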
From: djm Date: Fri, 29 Jun 2012 22:33:17 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/22 12:30:26 [monitor.c sshconnect2.c] remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@ --- ChangeLog | 4 ++++ monitor.c | 5 +---- sshconnect2.c | 4 +--- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 448c968c..a76c408f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - dtucker@cvs.openbsd.org 2012/06/21 00:16:07 [addrmatch.c] fix strlcpy truncation check. from carsten at debian org, ok markus + - dtucker@cvs.openbsd.org 2012/06/22 12:30:26 + [monitor.c sshconnect2.c] + remove dead code following 'for (;;)' loops. + From Steve.McClellan at radisys com, ok markus@ 20120628 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null diff --git a/monitor.c b/monitor.c index e7abf249..e9802a3f 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.116 2012/01/05 00:16:56 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -479,9 +479,6 @@ monitor_child_postauth(struct monitor *pmonitor) for (;;) monitor_read(pmonitor, mon_dispatch, NULL); - - close(pmonitor->m_sendfd); - pmonitor->m_sendfd = -1; } void diff --git a/sshconnect2.c b/sshconnect2.c index c24b2027..7c369d74 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.188 2011/05/24 07:15:47 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1893,8 +1893,6 @@ authmethod_get(char *authlist) return current; } } - if (name != NULL) - xfree(name); } static char * -- cgit v1.2.1 From 237820f1fc7bdcaf0e936244be8f170cb97700b3 Mon Sep 17 00:00:00 2001 
From: djm Date: Fri, 29 Jun 2012 22:33:32 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/22 14:36:33 [sftp.c] Remove unused variable leftover from tab-completion changes. From Steve.McClellan at radisys com, ok markus@ --- ChangeLog | 4 ++++ sftp.c | 5 ++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a76c408f..5c00e186 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ [monitor.c sshconnect2.c] remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@ + - dtucker@cvs.openbsd.org 2012/06/22 14:36:33 + [sftp.c] + Remove unused variable leftover from tab-completion changes. + From Steve.McClellan at radisys com, ok markus@ 20120628 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null diff --git a/sftp.c b/sftp.c index 22cf3145..235c6ad0 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.135 2012/04/20 03:24:23 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.136 2012/06/22 14:36:33 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -783,7 +783,6 @@ static int do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, int lflag) { - Attrib *a = NULL; char *fname, *lname; glob_t g; int err; @@ -829,7 +828,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, colspace = width / columns; } - for (i = 0; g.gl_pathv[i] && !interrupted; i++, a = NULL) { + for (i = 0; g.gl_pathv[i] && !interrupted; i++) { fname = path_strip(g.gl_pathv[i], strip_path); if (lflag & LS_LONG_VIEW) { if (g.gl_statv[i] == NULL) { -- cgit v1.2.1 From 2f2d803e5a556c85892a3e808f4e9fa17bdfb2c2 Mon Sep 17 00:00:00 2001 
From: djm Date: Fri, 29 Jun 2012 22:33:53 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/26 11:02:30 [sandbox-systrace.c] Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation sandbox" since malloc now uses it. From johnw.mail at gmail com. --- ChangeLog | 4 ++++ sandbox-systrace.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 5c00e186..f4627f04 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,10 @@
 [sftp.c]
 Remove unused variable leftover from tab-completion changes.
 From Steve.McClellan at radisys com, ok markus@
+ - dtucker@cvs.openbsd.org 2012/06/26 11:02:30
+ [sandbox-systrace.c]
+ Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
+ sandbox" since malloc now uses it. From johnw.mail at gmail com.
 20120628
 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null
diff --git a/sandbox-systrace.c b/sandbox-systrace.c
index 5a39f4fe..199b69f4 100644
--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sandbox-systrace.c,v 1.4 2011/07/29 14:42:45 djm Exp $ */
+/* $OpenBSD: sandbox-systrace.c,v 1.5 2012/06/26 11:02:30 dtucker Exp $ */
 /*
 * Copyright (c) 2011 Damien Miller
 *
@@ -58,6 +58,7 @@ static const struct sandbox_policy preauth_policy[] = {
 { SYS_madvise, SYSTR_POLICY_PERMIT },
 { SYS_mmap, SYSTR_POLICY_PERMIT },
 { SYS_mprotect, SYSTR_POLICY_PERMIT },
+ { SYS_mquery, SYSTR_POLICY_PERMIT },
 { SYS_poll, SYSTR_POLICY_PERMIT },
 { SYS_munmap, SYSTR_POLICY_PERMIT },
 { SYS_read, SYSTR_POLICY_PERMIT },
-- cgit v1.2.1
From efbc0c426b7cc160a8442d602dd30dd3dd8eadba Mon Sep 17 00:00:00 2001
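Review bot: The new `{ SYS_mquery, SYSTR_POLICY_PERMIT },` entry widens the pre-authentication sandbox policy without recording why in preauth_policy itself, so the next person auditing the allow-list has only the commit message to go on. A comment on the line, `{ SYS_mquery, SYSTR_POLICY_PERMIT }, /* malloc(3) now uses this */`, keeps the rationale with the rule. Entries that are added because libc changed, rather than because sshd's own code needs the call, are the ones most worth annotating, since they are the ones a later libc change may make unnecessary again.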
From: djm Date: Fri, 29 Jun 2012 22:34:59 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/28 05:07:45 [mac.c myproposal.h ssh_config.5 sshd_config.5] Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus. --- ChangeLog | 5 +++++ mac.c | 4 +--- myproposal.h | 4 +--- ssh_config.5 | 7 +++---- sshd_config.5 | 7 +++---- 5 files changed, 13 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index f4627f04..5f574f4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,11 @@ [sandbox-systrace.c] Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation sandbox" since malloc now uses it. From johnw.mail at gmail com. + - dtucker@cvs.openbsd.org 2012/06/28 05:07:45 + [mac.c myproposal.h ssh_config.5 sshd_config.5] + Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed + from draft6 of the spec and will not be in the RFC when published. Patch + from mdb at juniper net via bz#2023, ok markus. 20120628 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null diff --git a/mac.c b/mac.c index 332d3c62..9b450e4e 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.17 2011/12/02 00:43:57 djm Exp $ */ +/* $OpenBSD: mac.c,v 1.18 2012/06/28 05:07:45 dtucker Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -61,9 +61,7 @@ struct { { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, #ifdef HAVE_EVP_SHA256 { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, - { "hmac-sha2-256-96", SSH_EVP, EVP_sha256, 96, -1, -1 }, { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, - { "hmac-sha2-512-96", SSH_EVP, EVP_sha512, 96, -1, -1 }, #endif { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, diff --git a/myproposal.h b/myproposal.h index 0bc1c778..2e6a0dca 100644 --- a/myproposal.h +++ b/myproposal.h 
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.28 2011/08/02 01:22:11 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.29 2012/06/28 05:07:45 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -78,9 +78,7 @@
 #ifdef HAVE_EVP_SHA256
 #define SHA2_HMAC_MODES \
 "hmac-sha2-256," \
- "hmac-sha2-256-96," \
 "hmac-sha2-512," \
- "hmac-sha2-512-96,"
 #else
 # define SHA2_HMAC_MODES
 #endif
diff --git a/ssh_config.5 b/ssh_config.5
index c9917d25..db7ea5cd 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.155 2012/06/18 11:49:58 dtucker Exp $
-.Dd $Mdocdate: June 18 2012 $
+.\" $OpenBSD: ssh_config.5,v 1.156 2012/06/28 05:07:45 dtucker Exp $
+.Dd $Mdocdate: June 28 2012 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -794,8 +794,7 @@ The default is:
 .Bd -literal -offset indent
 hmac-md5,hmac-sha1,umac-64@openssh.com,
 hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
-hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,
-hmac-sha2-512-96
+hmac-sha2-256,hmac-sha2-512
 .Ed
 .It Cm NoHostAuthenticationForLocalhost
 This option can be used if the home directory is shared across machines.
diff --git a/sshd_config.5 b/sshd_config.5
index 1b9ffad4..897b8a41 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.142 2012/06/19 21:35:54 jmc Exp $
-.Dd $Mdocdate: June 19 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.143 2012/06/28 05:07:45 dtucker Exp $
+.Dd $Mdocdate: June 28 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
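Review bot: After the two removals in the `@@ -78,9 +78,7 @@` hunk of myproposal.h, the last surviving line of the macro, `"hmac-sha2-512," \`, still ends in a line continuation, so the following `#else` is pulled into the body of `#define SHA2_HMAC_MODES` and the HAVE_EVP_SHA256 build no longer compiles. Dropping the backslash, `"hmac-sha2-512,"`, is the whole fix; the removed `"hmac-sha2-512-96,"` line was the one that previously terminated the macro. The trailing comma presumably stays because the macro is concatenated with the MAC list that follows it (outside this hunk).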
@@ -658,8 +658,7 @@ The default is: .Bd -literal -offset indent hmac-md5,hmac-sha1,umac-64@openssh.com, hmac-ripemd160,hmac-sha1-96,hmac-md5-96, -hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, -hmac-sha2-512-96 +hmac-sha2-256,hmac-sha2-512 .Ed .It Cm Match Introduces a conditional block. -- cgit v1.2.1 From 2a6483e9009829ef83baa676d642518bd7a016d0 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 29 Jun 2012 22:35:59 +0000 Subject: - naddy@cvs.openbsd.org 2012/06/29 13:57:25 [ssh_config.5 sshd_config.5] match the documented MAC order of preference to the actual one; ok dtucker@ (actual patch accidentally committed with previous) --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 5f574f4d..12083c1b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,9 @@ Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus. + - naddy@cvs.openbsd.org 2012/06/29 13:57:25 + [ssh_config.5 sshd_config.5] + match the documented MAC order of preference to the actual one; ok dtucker@ 20120628 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null -- cgit v1.2.1 From 188ed146f1b41c6d0823e96cbd427988f51bede9 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 30 Jun 2012 05:01:22 +0000 Subject: - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 [regress/addrmatch.sh] Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@. --- ChangeLog | 4 ++++ regress/addrmatch.sh | 50 ++++++++++++++++++++++++++++++-------------------- 2 files changed, 34 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index 12083c1b..970c35c9 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -23,6 +23,10 @@ - naddy@cvs.openbsd.org 2012/06/29 13:57:25 [ssh_config.5 sshd_config.5] match the documented MAC order of preference to the actual one; ok dtucker@ + - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 + [regress/addrmatch.sh] + Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests + to match. Feedback and ok djm@ markus@. 20120628 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null diff --git a/regress/addrmatch.sh b/regress/addrmatch.sh index 5102317d..1584bd40 100644 --- a/regress/addrmatch.sh +++ b/regress/addrmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: addrmatch.sh,v 1.3 2010/02/09 04:57:36 djm Exp $ +# $OpenBSD: addrmatch.sh,v 1.4 2012/05/13 01:42:32 dtucker Exp $ # Placed in the Public Domain. tid="address match" @@ -7,39 +7,49 @@ mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak run_trial() { - user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5" + user="$1"; addr="$2"; host="$3"; laddr="$4"; lport="$5" + expected="$6"; descr="$7" verbose "test $descr for $user $addr $host" result=`${SSHD} -f $OBJ/sshd_proxy -T \ - -C user=${user},addr=${addr},host=${host} | \ - awk '/^passwordauthentication/ {print $2}'` + -C user=${user},addr=${addr},host=${host},laddr=${laddr},lport=${lport} | \ + awk '/^forcecommand/ {print $2}'` if [ "$result" != "$expected" ]; then - fail "failed for $user $addr $host: expected $expected, got $result" + fail "failed '$descr' expected $expected got $result" fi } cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy cat >>$OBJ/sshd_proxy < Date: Sat, 30 Jun 2012 05:03:28 +0000 Subject: - djm@cvs.openbsd.org 2012/06/01 00:47:35 [multiplex.sh forwarding.sh] append to rather than truncate test log; bz#2013 from openssh AT roumenpetrov. --- ChangeLog | 4 ++++ regress/forwarding.sh | 6 +++--- regress/multiplex.sh | 7 +++---- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 970c35c9..f6c39be2 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -27,6 +27,10 @@ [regress/addrmatch.sh] Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@. + - djm@cvs.openbsd.org 2012/06/01 00:47:35 + [multiplex.sh forwarding.sh] + append to rather than truncate test log; bz#2013 from openssh AT + roumenpetrov.info 20120628 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 6dec991a..f9c367be 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forwarding.sh,v 1.7 2010/01/11 02:53:44 dtucker Exp $ +# $OpenBSD: forwarding.sh,v 1.8 2012/06/01 00:47:35 djm Exp $ # Placed in the Public Domain. tid="local and remote forwarding" @@ -75,7 +75,7 @@ for p in 1 2; do else # this one should fail ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ - 2>${TEST_SSH_LOGFILE} && \ + 2>>$TEST_SSH_LOGFILE && \ fail "local forwarding not cleared" fi sleep 10 @@ -88,7 +88,7 @@ for p in 1 2; do else # this one should fail ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ - 2>${TEST_SSH_LOGFILE} && \ + 2>>$TEST_SSH_LOGFILE && \ fail "remote forwarding not cleared" fi sleep 10 diff --git a/regress/multiplex.sh b/regress/multiplex.sh index b94cdf02..93e15088 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.12 2009/05/05 07:51:36 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.13 2012/06/01 00:47:36 djm Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ @@ -12,7 +12,6 @@ fi DATA=/bin/ls${EXEEXT} COPY=$OBJ/ls.copy -LOG=$TEST_SSH_LOGFILE start_sshd 
@@ -48,13 +47,13 @@ cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}" rm -f ${COPY} trace "sftp transfer over multiplexed connection and check result" echo "get ${DATA} ${COPY}" | \ - ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >$LOG 2>&1 + ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_SSH_LOGFILE 2>&1 test -f ${COPY} || fail "sftp: failed copy ${DATA}" cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}" rm -f ${COPY} trace "scp transfer over multiplexed connection and check result" -${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >$LOG 2>&1 +${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_SSH_LOGFILE 2>&1 test -f ${COPY} || fail "scp: failed copy ${DATA}" cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}" -- cgit v1.2.1 From bc403d0ca1c5ffbc5208a1dd5e4fbf7137d8f4e7 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 30 Jun 2012 05:04:13 +0000 Subject: - djm@cvs.openbsd.org 2012/06/01 00:52:52 [regress/sftp-cmds.sh] don't delete .* on cleanup due to unintended env expansion; pointed out in bz#2014 by openssh AT roumenpetrov.info --- ChangeLog | 4 ++++ regress/sftp-cmds.sh | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f6c39be2..5cb04951 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,10 @@ [multiplex.sh forwarding.sh] append to rather than truncate test log; bz#2013 from openssh AT roumenpetrov.info + - djm@cvs.openbsd.org 2012/06/01 00:52:52 + [sftp-cmds.sh] + don't delete .* on cleanup due to unintended env expansion; pointed out in + bz#2014 by openssh AT roumenpetrov.info 20120628 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh index 1c67b647..d10d01a3 100644 --- a/regress/sftp-cmds.sh +++ b/regress/sftp-cmds.sh 
@@ -1,4 +1,4 @@ -# $OpenBSD: sftp-cmds.sh,v 1.11 2010/12/04 00:21:19 djm Exp $ +# $OpenBSD: sftp-cmds.sh,v 1.12 2012/06/01 00:52:52 djm Exp $ # Placed in the Public Domain. # XXX - TODO: @@ -40,7 +40,7 @@ SPACECOPY_ARG="${COPY}\ this\ has\ spaces.txt" # File with glob metacharacters GLOBMETACOPY="${COPY} [metachar].txt" -rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 ${BATCH}.* +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 mkdir ${COPY}.dd verbose "$tid: lls" @@ -242,7 +242,7 @@ verbose "$tid: lchdir" echo "lchdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "lchdir failed" -rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 ${BATCH}.* +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 rm -rf ${QUOTECOPY} "$SPACECOPY" "$GLOBMETACOPY" -- cgit v1.2.1 From b466f0433253e8d8d1d6ed9491e6e18c0d1d359a Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 30 Jun 2012 05:06:28 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/26 12:06:59 [regress/connect-privsep.sh] test sandbox with every malloc option --- ChangeLog | 7 +++++-- regress/connect-privsep.sh | 15 ++++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5cb04951..f32a6190 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -28,13 +28,16 @@
 Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
 to match. Feedback and ok djm@ markus@.
 - djm@cvs.openbsd.org 2012/06/01 00:47:35
- [multiplex.sh forwarding.sh]
+ [regress/multiplex.sh regress/forwarding.sh]
 append to rather than truncate test log; bz#2013 from openssh AT
 roumenpetrov.info
 - djm@cvs.openbsd.org 2012/06/01 00:52:52
- [sftp-cmds.sh]
+ [regress/sftp-cmds.sh]
 don't delete .* on cleanup due to unintended env expansion; pointed out in
 bz#2014 by openssh AT roumenpetrov.info
+ - dtucker@cvs.openbsd.org 2012/06/26 12:06:59
+ [regress/connect-privsep.sh]
+ test sandbox with every malloc option
 20120628
 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null
diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh
index 11fb9aef..f2401035 100644
--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: connect-privsep.sh,v 1.2 2011/06/30 22:44:43 markus Exp $
+# $OpenBSD: connect-privsep.sh,v 1.3 2012/06/26 12:06:59 dtucker Exp $
 # Placed in the Public Domain.
 tid="proxy connect with privsep"
@@ -23,3 +23,16 @@ for p in 1 2; do
 warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
 fi
 done
+
+# Because sandbox is sensitive to changes in libc, especially malloc, retest
+# with every malloc.conf option (and none).
+for m in '' A F G H J P R S X Z '<' '>'; do
+ for p in 1 2; do
+ env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+ if [ $? -ne 0 ]; then
+ fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed"
+ fi
+ done
+done
+
+exit
-- cgit v1.2.1
From 7f75bfde372933614aa94697ad253f19dc0f6dee Mon Sep 17 00:00:00 2001
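Review bot: In the new loop of the `@@ -23,3 +23,16 @@` hunk a failing MALLOC_OPTIONS run is reported with `fail`, while the pre-existing loop visible just above it reports the same kind of failure with `warn` (its start is outside the hunk), so a sandbox problem that only appears under a malloc option aborts the test while the plain run merely warns; either both should be `fail` or the comment should say why the malloc-option runs are held to a stricter standard. The status test can also be folded into the command, `if ! env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true; then`, which drops the `$?` indirection and cannot be broken by a statement inserted between the two lines later.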
From: dtucker Date: Sat, 30 Jun 2012 05:08:53 +0000 Subject: - dtucker@cvs.openbsd.org 2012/06/28 05:07:45 [regress/try-ciphers.sh regress/cipher-speed.sh] Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus --- ChangeLog | 5 +++++ regress/cipher-speed.sh | 4 ++-- regress/try-ciphers.sh | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index f32a6190..d40227e2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,11 @@ - dtucker@cvs.openbsd.org 2012/06/26 12:06:59 [regress/connect-privsep.sh] test sandbox with every malloc option + - dtucker@cvs.openbsd.org 2012/06/28 05:07:45 + [regress/try-ciphers.sh regress/cipher-speed.sh] + Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed + from draft6 of the spec and will not be in the RFC when published. Patch + from mdb at juniper net via bz#2023, ok markus. 20120628 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 257afd17..5800f4b0 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.4 2011/08/02 01:23:41 djm Exp $ +# $OpenBSD: cipher-speed.sh,v 1.5 2012/06/28 05:07:45 dtucker Exp $ # Placed in the Public Domain. tid="cipher speed" @@ -18,7 +18,7 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes128-ctr aes192-ctr aes256-ctr" macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" config_defined HAVE_EVP_SHA256 && - macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" + macs="$macs hmac-sha2-256 hmac-sha2-512" for c in $ciphers; do for m in $macs; do trace "proto 2 cipher $c mac $m" diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 0918d224..92586350 100644 --- a/regress/try-ciphers.sh 
+++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.12 2011/08/02 01:23:41 djm Exp $ +# $OpenBSD: try-ciphers.sh,v 1.13 2012/06/28 05:07:45 dtucker Exp $ # Placed in the Public Domain. tid="try ciphers" @@ -9,7 +9,7 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes128-ctr aes192-ctr aes256-ctr" macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" config_defined HAVE_EVP_SHA256 && - macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" + macs="$macs hmac-sha2-256 hmac-sha2-512" for c in $ciphers; do for m in $macs; do -- cgit v1.2.1 From b56bdd6feef1df886721926a84b7c23251749580 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 30 Jun 2012 09:47:01 +0000 Subject: - (dtucker) [myproposal.h] Remove trailing backslash to fix compile error --- ChangeLog | 1 + myproposal.h | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d40227e2..37f9f486 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,7 @@ Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus. + - (dtucker) [myproposal.h] Remove trailing backslash to fix compile error. 20120628 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null diff --git a/myproposal.h b/myproposal.h index 2e6a0dca..b9b819c0 100644 --- a/myproposal.h +++ b/myproposal.h @@ -78,7 +78,7 @@ #ifdef HAVE_EVP_SHA256 #define SHA2_HMAC_MODES \ "hmac-sha2-256," \ - "hmac-sha2-512," \ + "hmac-sha2-512," #else # define SHA2_HMAC_MODES #endif -- cgit v1.2.1 From d0556a4c93ad6caa9d4e4b1ed11522988d6c631f Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 30 Jun 2012 10:05:02 +0000 Subject: - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have the required functions in libcrypto. --- ChangeLog | 2 ++ key.c | 2 ++ 2 files changed, 4 insertions(+) 
diff --git a/ChangeLog b/ChangeLog
index 37f9f486..3754146b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -44,6 +44,8 @@
 from draft6 of the spec and will not be in the RFC when published. Patch
 from mdb at juniper net via bz#2023, ok markus.
 - (dtucker) [myproposal.h] Remove trailing backslash to fix compile error.
+ - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have
+ the required functions in libcrypto.
 20120628
 - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null
diff --git a/key.c b/key.c
index 8ef0b7e3..7e909970 100644
--- a/key.c
+++ b/key.c
@@ -342,9 +342,11 @@ key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
 case SSH_FP_SHA1:
 md = EVP_sha1();
 break;
+#ifdef HAVE_EVP_SHA256
 case SSH_FP_SHA256:
 md = EVP_sha256();
 break;
+#endif
 default:
 fatal("key_fingerprint_raw: bad digest type %d", dgst_type);
-- cgit v1.2.1
From e473eee669909006f0c487d4a65d2e2753137b26 Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 2 Jul 2012 08:53:37 +0000 Subject: - naddy@cvs.openbsd.org 2012/06/29 13:57:25 [ssh_config.5 sshd_config.5] match the documented MAC order of preference to the actual one; ok dtucker@ --- ChangeLog | 7 +++++++ ssh_config.5 | 8 ++++---- sshd_config.5 | 8 ++++---- 3 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3754146b..5608909d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20120702
+- (dtucker) OpenBSD CVS Sync
+ - naddy@cvs.openbsd.org 2012/06/29 13:57:25
+ [ssh_config.5 sshd_config.5]
+ match the documented MAC order of preference to the actual one;
+ ok dtucker@
+
 20120629
 - OpenBSD CVS Sync
 - dtucker@cvs.openbsd.org 2012/06/21 00:16:07
diff --git a/ssh_config.5 b/ssh_config.5
index db7ea5cd..36b1af19 100644
--- a/ssh_config.5
+++ b/ssh_config.5
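Review bot: With the new `#ifdef HAVE_EVP_SHA256` around the SSH_FP_SHA256 case in key_fingerprint_raw, a build without EVP_sha256 routes that enum value to `default:` and dies with "bad digest type", which reads as a programming error rather than a missing libcrypto feature. A comment on the label, `default: /* also reached for SSH_FP_SHA256 when libcrypto lacks EVP_sha256() */`, would tell the next reader why a valid enum value ends up here. Any code that lets a user select the fingerprint hash (not in this hunk) needs the same guard so the choice is rejected when parsed rather than at fatal(); the switch and the function continue outside the hunk.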
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.156 2012/06/28 05:07:45 dtucker Exp $ -.Dd $Mdocdate: June 28 2012 $ +.\" $OpenBSD: ssh_config.5,v 1.157 2012/06/29 13:57:25 naddy Exp $ +.Dd $Mdocdate: June 29 2012 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -793,8 +793,8 @@ Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent hmac-md5,hmac-sha1,umac-64@openssh.com, -hmac-ripemd160,hmac-sha1-96,hmac-md5-96, -hmac-sha2-256,hmac-sha2-512 +hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, +hmac-sha1-96,hmac-md5-96 .Ed .It Cm NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across machines. diff --git a/sshd_config.5 b/sshd_config.5 index 897b8a41..314ecfb0 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.143 2012/06/28 05:07:45 dtucker Exp $ -.Dd $Mdocdate: June 28 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $ +.Dd $Mdocdate: June 29 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -657,8 +657,8 @@ Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent hmac-md5,hmac-sha1,umac-64@openssh.com, -hmac-ripemd160,hmac-sha1-96,hmac-md5-96, -hmac-sha2-256,hmac-sha2-512 +hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, +hmac-sha1-96,hmac-md5-96 .Ed .It Cm Match Introduces a conditional block. -- cgit v1.2.1 From c5d0df3d65fa167bd63575876844719225669df0 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Mon, 2 Jul 2012 08:54:31 +0000 Subject: - markus@cvs.openbsd.org 2012/06/30 14:35:09 [sandbox-systrace.c sshd.c] fix a during the load of the sandbox policies (child can still make the read-syscall and wait forever for systrace-answers) by replacing the read/write synchronisation with SIGSTOP/SIGCONT; report and help hshoexer@; ok djm@, dtucker@ --- ChangeLog | 6 ++++++ sandbox-systrace.c | 55 +++++++++++++++++++++++++++--------------------------- sshd.c | 4 ++-- 3 files changed, 35 insertions(+), 30 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5608909d..66c4ef57 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,12 @@ [ssh_config.5 sshd_config.5] match the documented MAC order of preference to the actual one; ok dtucker@ + - markus@cvs.openbsd.org 2012/06/30 14:35:09 + [sandbox-systrace.c sshd.c] + fix a during the load of the sandbox policies (child can still make + the read-syscall and wait forever for systrace-answers) by replacing + the read/write synchronisation with SIGSTOP/SIGCONT; + report and help hshoexer@; ok djm@, dtucker@ 20120629 - OpenBSD CVS Sync diff --git a/sandbox-systrace.c b/sandbox-systrace.c index 199b69f4..2d16a627 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sandbox-systrace.c,v 1.5 2012/06/26 11:02:30 dtucker Exp $ */ +/* $OpenBSD: sandbox-systrace.c,v 1.6 2012/06/30 14:35:09 markus Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -24,12 +24,14 @@ #include #include #include +#include #include #include #include #include +#include #include #include #include 
@@ -69,26 +71,21 @@ static const struct sandbox_policy preauth_policy[] = { }; struct ssh_sandbox { - int child_sock; - int parent_sock; int systrace_fd; pid_t child_pid; + void (*osigchld)(int); }; struct ssh_sandbox * ssh_sandbox_init(void) { struct ssh_sandbox *box; - int s[2]; debug3("%s: preparing systrace sandbox", __func__); box = xcalloc(1, sizeof(*box)); - if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1) - fatal("%s: socketpair: %s", __func__, strerror(errno)); - box->child_sock = s[0]; - box->parent_sock = s[1]; box->systrace_fd = -1; box->child_pid = 0; + box->osigchld = signal(SIGCHLD, SIG_IGN); return box; } 
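Review bot: `box->osigchld = signal(SIGCHLD, SIG_IGN);` stores the return value without checking for SIG_ERR, so a failure here would later be handed back to signal() by both ssh_sandbox_child and ssh_sandbox_parent as though it were a valid disposition. A check such as `if (box->osigchld == SIG_ERR) fatal("%s: signal(SIGCHLD): %s", __func__, strerror(errno));` keeps the later restore calls well-defined. The new `osigchld` field would also benefit from a one-line comment saying why SIGCHLD is ignored across the fork, since that reason is not stated anywhere in the hunk.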
@@ -96,35 +93,38 @@ ssh_sandbox_init(void) void ssh_sandbox_child(struct ssh_sandbox *box) { - char whatever = 0; - - close(box->parent_sock); - /* Signal parent that we are ready */ debug3("%s: ready", __func__); - if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1) - fatal("%s: write: %s", __func__, strerror(errno)); - /* Wait for parent to signal for us to go */ - if (atomicio(read, box->child_sock, &whatever, 1) != 1) - fatal("%s: read: %s", __func__, strerror(errno)); + signal(SIGCHLD, box->osigchld); + if (kill(getpid(), SIGSTOP) != 0) + fatal("%s: kill(%d, SIGSTOP)", __func__, getpid()); debug3("%s: started", __func__); - close(box->child_sock); } static void ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, const struct sandbox_policy *allowed_syscalls) { - int dev_systrace, i, j, found; - char whatever = 0; + int dev_systrace, i, j, found, status; + pid_t pid; struct systrace_policy policy; + /* Wait for the child to send itself a SIGSTOP */ debug3("%s: wait for child %ld", __func__, (long)child_pid); + do { + pid = waitpid(child_pid, &status, WUNTRACED); + } while (pid == -1 && errno == EINTR); + signal(SIGCHLD, box->osigchld); + if (!WIFSTOPPED(status)) { + if (WIFSIGNALED(status)) + fatal("%s: child terminated with signal %d", + __func__, WTERMSIG(status)); + if (WIFEXITED(status)) + fatal("%s: child exited with status %d", + __func__, WEXITSTATUS(status)); + fatal("%s: child not stopped", __func__); + } + debug3("%s: child %ld stopped", __func__, (long)child_pid); box->child_pid = child_pid; - close(box->child_sock); - /* Wait for child to signal that it is ready */ - if (atomicio(read, box->parent_sock, &whatever, 1) != 1) - fatal("%s: read: %s", __func__, strerror(errno)); - debug3("%s: child %ld ready", __func__, (long)child_pid); /* Set up systracing of child */ if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1) 
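Review bot: `status` is read by `WIFSTOPPED(status)` even when the waitpid() loop in ssh_sandbox_parent exits with `pid == -1` for a reason other than EINTR, and on that path `status` was never written, so the subsequent branch decides on an uninitialised value. Add a check directly after the loop: `if (pid == -1) fatal("%s: waitpid: %s", __func__, strerror(errno));`. This path is reachable here because ssh_sandbox_init (previous hunk) sets SIGCHLD to SIG_IGN before the fork, and on some systems that disposition makes waitpid() fail with ECHILD if the child exits before it stops. ssh_sandbox_parent continues past the end of this hunk.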
@@ -175,9 +175,8 @@ ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, /* Signal the child to start running */ debug3("%s: start child %ld", __func__, (long)child_pid); - if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1) - fatal("%s: write: %s", __func__, strerror(errno)); - close(box->parent_sock); + if (kill(box->child_pid, SIGCONT) != 0) + fatal("%s: kill(%d, SIGCONT)", __func__, box->child_pid); } void diff --git a/sshd.c b/sshd.c index 7cc7044b..64b846f6 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.391 2012/05/13 01:42:32 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.392 2012/06/30 14:35:09 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -643,9 +643,9 @@ privsep_preauth(Authctxt *authctxt) } else if (pid != 0) { debug2("Network child is on pid %ld", (long)pid); + pmonitor->m_pid = pid; if (box != NULL) ssh_sandbox_parent_preauth(box, pid); - pmonitor->m_pid = pid; monitor_child_preauth(authctxt, pmonitor); /* Sync memory */ -- cgit v1.2.1 From a3ec91cdbe2e2df60c333ff1b3725094119fbb14 Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 2 Jul 2012 08:55:09 +0000 Subject: - dtucker@cvs.openbsd.org 2012/07/02 08:50:03 [ssh.c] set interactive ToS for forwarded X11 sessions. ok djm@ --- ChangeLog | 3 +++ ssh.c | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 66c4ef57..4a0301cc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ the read-syscall and wait forever for systrace-answers) by replacing the read/write synchronisation with SIGSTOP/SIGCONT; report and help hshoexer@; ok djm@, dtucker@ + - dtucker@cvs.openbsd.org 2012/07/02 08:50:03 + [ssh.c] + set interactive ToS for forwarded X11 sessions. ok djm@ 20120629 - OpenBSD CVS Sync diff --git a/ssh.c b/ssh.c index 68e13152..3c376d0f 100644 --- a/ssh.c +++ b/ssh.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.368 2011/10/24 02:10:46 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.369 2012/07/02 08:50:03 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1359,6 +1359,10 @@ ssh_session2_setup(int id, int success, void *arg) packet_send(); } + /* Tell the packet module whether this is an interactive session. */ + packet_set_interactive(interactive, + options.ip_qos_interactive, options.ip_qos_bulk); + client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"), NULL, fileno(stdin), &command, environ); } -- cgit v1.2.1 From 66c58623965b5e0141e1b13863542f11c2a50d71 Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 2 Jul 2012 12:15:38 +0000 Subject: - dtucker@cvs.openbsd.org 2012/07/02 12:13:26 [ssh-pkcs11-helper.c sftp-client.c] fix a couple of "assigned but not used" warnings. ok markus@ --- ChangeLog | 3 +++ sftp-client.c | 5 +++-- ssh-pkcs11-helper.c | 6 +++--- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4a0301cc..42b1888c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,9 @@ - dtucker@cvs.openbsd.org 2012/07/02 08:50:03 [ssh.c] set interactive ToS for forwarded X11 sessions. ok djm@ + - dtucker@cvs.openbsd.org 2012/07/02 12:13:26 + [ssh-pkcs11-helper.c sftp-client.c] + fix a couple of "assigned but not used" warnings. ok markus@ 20120629 - OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index d7eff70b..85f2bd44 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.96 2011/09/12 08:46:15 markus Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.97 2012/07/02 12:13:26 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * 
@@ -757,7 +757,8 @@ do_realpath(struct sftp_conn *conn, char *path) longname = buffer_get_string(&msg, NULL); a = decode_attrib(&msg); - debug3("SSH_FXP_REALPATH %s -> %s", path, filename); + debug3("SSH_FXP_REALPATH %s -> %s size %lu", path, filename, + (unsigned long)a->size); xfree(longname); diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index cd33515f..fcb5defc 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.3 2010/02/24 06:12:53 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.4 2012/07/02 12:13:26 dtucker Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -168,13 +168,13 @@ process_sign(void) { u_char *blob, *data, *signature = NULL; u_int blen, dlen, slen = 0; - int ok = -1, flags, ret; + int ok = -1, ret; Key *key, *found; Buffer msg; blob = get_string(&blen); data = get_string(&dlen); - flags = get_int(); /* XXX ignore */ + (void)get_int(); /* XXX ignore flags */ if ((key = key_from_blob(blob, blen)) != NULL) { if ((found = lookup_key(key)) != NULL) { -- cgit v1.2.1 From da0e671ddc1729b515795417d769e515c00b5f1f Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 2 Jul 2012 14:53:18 +0000 Subject: - dtucker@cvs.openbsd.org 2012/07/02 14:37:06 [regress/connect-privsep.sh] remove exit from end of test since it prevents reporting failure --- ChangeLog | 3 +++ regress/connect-privsep.sh | 4 +--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 42b1888c..b55f6ba9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ - dtucker@cvs.openbsd.org 2012/07/02 12:13:26 [ssh-pkcs11-helper.c sftp-client.c] fix a couple of "assigned but not used" warnings. ok markus@ + - dtucker@cvs.openbsd.org 2012/07/02 14:37:06 + [regress/connect-privsep.sh] + remove exit from end of test since it prevents reporting failure 20120629 - OpenBSD CVS Sync 
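Review bot: The new debug3 in do_realpath prints `a->size` unconditionally, but a size is only meaningful when the server included the size attribute; when it is absent the trace reports whatever decode_attrib left in the field (presumably 0), which is misleading when debugging a server response. If the sole aim is to silence the "assigned but not used" warning, `(void)a;` with a short comment is clearer than printing a possibly absent value; otherwise only print it when `(a->flags & SSH2_FILEXFER_ATTR_SIZE)` is set. do_realpath continues outside the hunk.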
diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh index f2401035..94cc64ac 100644 --- a/regress/connect-privsep.sh +++ b/regress/connect-privsep.sh @@ -1,4 +1,4 @@ -# $OpenBSD: connect-privsep.sh,v 1.3 2012/06/26 12:06:59 dtucker Exp $ +# $OpenBSD: connect-privsep.sh,v 1.4 2012/07/02 14:37:06 dtucker Exp $ # Placed in the Public Domain. tid="proxy connect with privsep" @@ -34,5 +34,3 @@ for m in '' A F G H J P R S X Z '<' '>'; do fi done done - -exit -- cgit v1.2.1 From 4cb44cb9b3c61e66936aebc4e2e5308d47563ee5 Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 2 Jul 2012 15:06:49 +0000 Subject: - (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh] Move cygwin detection to test-exec and use to skip reexec test on cygwin. --- ChangeLog | 2 ++ regress/reexec.sh | 5 ++++- regress/sftp-cmds.sh | 14 -------------- regress/test-exec.sh | 7 +++++++ 4 files changed, 13 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index b55f6ba9..1b69cd3c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,8 @@ - dtucker@cvs.openbsd.org 2012/07/02 14:37:06 [regress/connect-privsep.sh] remove exit from end of test since it prevents reporting failure + - (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh] + Move cygwin detection to test-exec and use to skip reexec test on cygwin. 20120629 - OpenBSD CVS Sync diff --git a/regress/reexec.sh b/regress/reexec.sh index 6edfc318..9464eb69 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh @@ -46,6 +46,9 @@ rm -f $PIDFILE cp $OBJ/sshd_config.orig $OBJ/sshd_config +# cygwin can't fork a deleted binary +if [ "$os" != "cygwin" ]; then + verbose "test reexec fallback" start_sshd_copy @@ -69,4 +72,4 @@ copy_tests $SUDO kill `$SUDO cat $PIDFILE` rm -f $PIDFILE - +fi diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh index d10d01a3..2e0300e1 100644 --- a/regress/sftp-cmds.sh +++ b/regress/sftp-cmds.sh 
@@ -17,20 +17,6 @@ do fi done -if have_prog uname -then - case `uname` in - CYGWIN*) - os=cygwin - ;; - *) - os=`uname` - ;; - esac -else - os="unknown" -fi - # Path with embedded quote QUOTECOPY=${COPY}".\"blah\"" QUOTECOPY_ARG=${COPY}'.\"blah\"' diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 092cfed5..514fffb1 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -12,6 +12,13 @@ OSF1*) BIN_SH=xpg4 export BIN_SH ;; +CYGWIN_5.0) + os=cygwin + TEST_SSH_IPV6=no + ;; +CYGWIN*) + os=cygwin + ;; esac if [ ! -z "$TEST_SSH_PORT" ]; then -- cgit v1.2.1 From 529d9c3f761277bc60b7bcba6630abcf36ccb8c7 Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 2 Jul 2012 15:11:28 +0000 Subject: - (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k. --- ChangeLog | 1 + regress/test-exec.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1b69cd3c..48374155 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,7 @@ remove exit from end of test since it prevents reporting failure - (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh] Move cygwin detection to test-exec and use to skip reexec test on cygwin. + - (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k. 20120629 - OpenBSD CVS Sync diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 514fffb1..bdc2c1a4 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -12,7 +12,7 @@ OSF1*) BIN_SH=xpg4 export BIN_SH ;; -CYGWIN_5.0) +CYGWIN_NT-5.0) os=cygwin TEST_SSH_IPV6=no ;; -- cgit v1.2.1 From 5512433f27077be8d6524f47389af8cd0752e53a Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 3 Jul 2012 04:31:18 +0000 Subject: - (dtucker) [configure.ac] Detect platforms that can't use select(2) with setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those. --- ChangeLog | 4 ++++ configure.ac | 51 +++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 51 insertions(+), 4 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 48374155..bd174a47 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20120703 + - (dtucker) [configure.ac] Detect platforms that can't use select(2) with + setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those. + 20120702 - (dtucker) OpenBSD CVS Sync - naddy@cvs.openbsd.org 2012/06/29 13:57:25 diff --git a/configure.ac b/configure.ac index 02f8bf85..97cf7b17 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.492 2012/05/19 05:24:37 dtucker Exp $ +# $Id: configure.ac,v 1.493 2012/07/03 04:31:18 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.492 $) +AC_REVISION($Revision: 1.493 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -686,7 +686,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) fi - AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h]) + AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [], + [], [#include ]) AC_CHECK_FUNCS([prctl]) have_seccomp_audit_arch=1 case "$host" in 
@@ -2575,6 +2576,45 @@ AC_ARG_WITH([sandbox], fi ] ) + +# Some platforms (seems to be the ones that have a kernel poll(2)-type +# function with which they implement select(2)) use an extra file descriptor +# when calling select(2), which means we can't use the rlimit sandbox. +AC_MSG_CHECKING([if select works with descriptor rlimit]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#ifdef HAVE_SYS_TIME_H +# include +#endif +#include +#ifdef HAVE_SYS_SELECT_H +# include +#endif +#include +#include +#include + ]],[[ + struct rlimit rl_zero; + int fd, r; + fd_set fds; + + fd = open("/dev/null", O_RDONLY); + FD_ZERO(&fds); + FD_SET(fd, &fds); + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + setrlimit(RLIMIT_FSIZE, &rl_zero); + setrlimit(RLIMIT_NOFILE, &rl_zero); + r = select(fd+1, &fds, NULL, NULL, NULL); + exit (r == -1 ? 1 : 0); + ]])], + [AC_MSG_RESULT([yes]) + select_works_with_rlimit=yes], + [AC_MSG_RESULT([no]) + select_works_with_rlimit=no], + [AC_MSG_WARN([cross compiling: assuming yes])] +) + if test "x$sandbox_arg" = "xsystrace" || \ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then test "x$have_systr_policy_kill" != "x1" && \ @@ -2607,9 +2647,12 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ SANDBOX_STYLE="seccomp_filter" AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) elif test "x$sandbox_arg" = "xrlimit" || \ - ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then + ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ + test "x$select_works_with_rlimit" == "xyes" ) ; then test "x$ac_cv_func_setrlimit" != "xyes" && \ AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) + test "x$select_works_with_rlimit" != "xyes" && \ + AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit]) SANDBOX_STYLE="rlimit" AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ -- cgit v1.2.1 
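Review bot: The auto-selection condition added in the second hunk uses `test "x$select_works_with_rlimit" == "xyes"`, but `==` is not a POSIX test(1) operator and fails (evaluating as false) under shells such as Solaris /bin/sh, which silently disables the rlimit sandbox on exactly the platforms this check is meant to serve; it should read `test "x$select_works_with_rlimit" = "xyes"`. In the first hunk the cross-compiling branch prints "assuming yes" but never assigns the variable, so a cross-compiled build fails the same condition and `--with-sandbox=rlimit` trips the new AC_MSG_ERROR despite the warning; add `select_works_with_rlimit=yes` after the AC_MSG_WARN. The test program also never checks the result of `open("/dev/null", O_RDONLY)`, so a failure there would skew the select() result and misclassify the platform.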
From ab46356c6f442324ec095ecf136a5cdaae052cd6 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 3 Jul 2012 12:48:31 +0000 Subject: - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its benefit is minor, so it's not worth disabling the sandbox if it doesn't work. --- ChangeLog | 4 ++++ configure.ac | 23 +++++++++++++++++++++-- sandbox-rlimit.c | 2 ++ 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index bd174a47..2c998748 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20120703 - (dtucker) [configure.ac] Detect platforms that can't use select(2) with setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those. + - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not + setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its + benefit is minor, so it's not worth disabling the sandbox if it doesn't + work. 20120702 - (dtucker) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 97cf7b17..f7033bc0 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.493 2012/07/03 04:31:18 dtucker Exp $ +# $Id: configure.ac,v 1.494 2012/07/03 12:48:31 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.493 $) +AC_REVISION($Revision: 1.494 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -2615,6 +2615,25 @@ AC_RUN_IFELSE( [AC_MSG_WARN([cross compiling: assuming yes])] ) +AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include + ]],[[ + struct rlimit rl_zero; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0); + ]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1, + [setrlimit RLIMIT_FSIZE works])], + [AC_MSG_WARN([cross compiling: assuming yes])] +) + if test "x$sandbox_arg" = "xsystrace" || \ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then test "x$have_systr_policy_kill" != "x1" && \ diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c index 761e9284..a0038633 100644 --- a/sandbox-rlimit.c +++ b/sandbox-rlimit.c @@ -64,9 +64,11 @@ ssh_sandbox_child(struct ssh_sandbox *box) rl_zero.rlim_cur = rl_zero.rlim_max = 0; +#ifndef SANDBOX_SKIP_RLIMIT_FSIZE if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror(errno)); +#endif if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror(errno)); -- cgit v1.2.1 From c2570b2232f4e9421f6a84cb667c9c33559cbe59 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 3 Jul 2012 22:50:09 +0000 Subject: - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for platforms that don't have it. "looks good" tim@ --- ChangeLog | 4 ++++ configure.ac | 5 +++-- openbsd-compat/bsd-misc.h | 5 ++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2c998748..b19f41cf 100644 --- a/ChangeLog +++ b/ChangeLog 
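Review bot: The AC_DEFINE in the "no" branch describes SANDBOX_SKIP_RLIMIT_FSIZE as `[setrlimit RLIMIT_FSIZE works]`, but the symbol is defined precisely when the test program reports that it does not work, so the generated config.h comment states the opposite of what the macro means. Change the description to `[setrlimit RLIMIT_FSIZE does not work]`, or better, name the effect: `[skip the RLIMIT_FSIZE limit in the rlimit sandbox]`. Unlike the select check above it, the cross-compiling branch here needs no assignment, since the define is only wanted in the failing case.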
@@ -1,3 +1,7 @@ +20120704 + - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for + platforms that don't have it. "looks good" tim@ + 20120703 - (dtucker) [configure.ac] Detect platforms that can't use select(2) with setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those. diff --git a/configure.ac b/configure.ac index f7033bc0..da919a63 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.494 2012/07/03 12:48:31 dtucker Exp $ +# $Id: configure.ac,v 1.495 2012/07/03 22:50:10 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.494 $) +AC_REVISION($Revision: 1.495 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1571,6 +1571,7 @@ AC_CHECK_FUNCS([ \ seteuid \ setgroupent \ setgroups \ + setlinebuf \ setlogin \ setpassent\ setpcred \ diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index e3717562..eac5217c 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -1,4 +1,4 @@ -/* $Id: bsd-misc.h,v 1.20 2012/02/14 18:03:31 tim Exp $ */ +/* $Id: bsd-misc.h,v 1.21 2012/07/03 22:50:10 dtucker Exp $ */ /* * Copyright (c) 1999-2004 Damien Miller @@ -51,6 +51,9 @@ int setegid(uid_t); const char *strerror(int); #endif +#if !defined(HAVE_SETLINEBUF) +#define setlinebuf(a) (setvbuf((a), NULL, _IOLBF, 0)) +#endif #ifndef HAVE_UTIMES #ifndef HAVE_STRUCT_TIMEVAL -- cgit v1.2.1 From a3c62ee860951c46375a09c2445c043d8d70e21d Mon Sep 17 00:00:00 2001 
From: djm Date: Fri, 6 Jul 2012 00:27:10 +0000 Subject: - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is not available. Allows use of sshd compiled on host with a filter-capable kernel on hosts that lack the support. bz#2011 ok dtucker@ --- ChangeLog | 5 +++++ sandbox-seccomp-filter.c | 12 +++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index b19f41cf..771ba79c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20120706 + - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is + not available. Allows use of sshd compiled on host with a filter-capable + kernel on hosts that lack the support. bz#2011 ok dtucker@ + 20120704 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for platforms that don't have it. "looks good" tim@ diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 68681295..ef2b13c4 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -179,6 +179,7 @@ void ssh_sandbox_child(struct ssh_sandbox *box) { struct rlimit rl_zero; + int nnp_failed = 0; /* Set rlimits for completeness if possible. */ rl_zero.rlim_cur = rl_zero.rlim_max = 0; @@ -197,13 +198,18 @@ ssh_sandbox_child(struct ssh_sandbox *box) #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__); - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) - fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s", + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) { + debug("%s: prctl(PR_SET_NO_NEW_PRIVS): %s", __func__, strerror(errno)); + nnp_failed = 1; + } debug3("%s: attaching seccomp filter program", __func__); if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &preauth_program) == -1) - fatal("%s: prctl(PR_SET_SECCOMP): %s", + debug("%s: prctl(PR_SET_SECCOMP): %s", __func__, strerror(errno)); + else if (nnp_failed) + fatal("%s: SECCOMP_MODE_FILTER activated but " + "PR_SET_NO_NEW_PRIVS failed", __func__); } void -- cgit v1.2.1 
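Review bot: When `prctl(PR_SET_SECCOMP, ...)` fails, the preauth child continues with only the rlimit restrictions applied earlier in ssh_sandbox_child, but that downgrade is reported solely through debug(), which is invisible at sshd's default LogLevel, so an operator gets no indication that the stronger sandbox is not in effect. A failure that silently weakens the sandbox should be visible: `error("%s: prctl(PR_SET_SECCOMP): %s", __func__, strerror(errno));` (or at least logit()) in that branch, and checking errno for the expected unsupported case (typically EINVAL) before falling through would keep an unexpected rejection of the filter from being treated as "old kernel". The same logging point applies to the PR_SET_NO_NEW_PRIVS branch just above it. ssh_sandbox_child starts outside this hunk.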
From 5b7e1c4cde595a12667822a662094d30bfb40797 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 6 Jul 2012 01:49:28 +0000 Subject: - (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT esperi.org.uk; ok dtucker@ --- ChangeLog | 3 +++ configure.ac | 21 ++++++++++++--------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 771ba79c..63045f04 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is not available. Allows use of sshd compiled on host with a filter-capable kernel on hosts that lack the support. bz#2011 ok dtucker@ + - (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no + unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT + esperi.org.uk; ok dtucker@ 20120704 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for diff --git a/configure.ac b/configure.ac index da919a63..a704fc7f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.495 2012/07/03 22:50:10 dtucker Exp $ +# $Id: configure.ac,v 1.496 2012/07/06 01:49:29 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.495 $) +AC_REVISION($Revision: 1.496 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -4005,13 +4005,16 @@ otherwise scp will not work.]) [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ] ) # make sure $bindir is in USER_PATH so scp will work - t_bindir=`eval echo ${bindir}` - case $t_bindir in - NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;; - esac - case $t_bindir in - NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;; - esac + t_bindir="${bindir}" + while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do + t_bindir=`eval echo ${t_bindir}` + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;; + esac + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;; + esac + done echo $user_path | grep ":$t_bindir" > /dev/null 2>&1 if test $? -ne 0 ; then echo $user_path | grep "^$t_bindir" > /dev/null 2>&1 -- cgit v1.2.1 From bc16c243905ee248de76a26e26b87fd31a4744f8 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 6 Jul 2012 03:44:19 +0000 Subject: - dtucker@cvs.openbsd.org 2012/07/06 00:41:59 [moduli.c ssh-keygen.1 ssh-keygen.c] Add options to specify starting line number and number of lines to process when screening moduli candidates. This allows processing of different parts of a candidate moduli file in parallel. man page help jmc@, ok djm@ --- ChangeLog | 6 ++++++ moduli.c | 18 +++++++++++++----- ssh-keygen.1 | 18 +++++++++++++++--- ssh-keygen.c | 22 ++++++++++++++++------ 4 files changed, 50 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 63045f04..0d876d2a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -5,6 +5,12 @@ - (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT esperi.org.uk; ok dtucker@ +- (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/07/06 00:41:59 + [moduli.c ssh-keygen.1 ssh-keygen.c] + Add options to specify starting line number and number of lines to process + when screening moduli candidates. This allows processing of different + parts of a candidate moduli file in parallel. man page help jmc@, ok djm@ 20120704 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for diff --git a/moduli.c b/moduli.c index 973ee628..5267bb9a 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.25 2011/10/19 00:06:10 djm Exp $ */ +/* $OpenBSD: moduli.c,v 1.26 2012/07/06 00:41:59 dtucker Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -140,7 +140,8 @@ static u_int32_t largebits, largememory; /* megabytes */ static BIGNUM *largebase; int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); -int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *); +int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long, + unsigned long); /* * print moduli out in consistent form, @@ -495,14 +496,14 @@ read_checkpoint(char *cpfile) */ int prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, - char *checkpoint_file) + char *checkpoint_file, unsigned long start_lineno, unsigned long num_lines) { BIGNUM *q, *p, *a; BN_CTX *ctx; char *cp, *lp; u_int32_t count_in = 0, count_out = 0, count_possible = 0; u_int32_t generator_known, in_tests, in_tries, in_type, in_size; - unsigned long last_processed = 0; + unsigned long last_processed = 0, end_lineno; time_t time_start, time_stop; int res; 
@@ -525,10 +526,17 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, if (checkpoint_file != NULL) last_processed = read_checkpoint(checkpoint_file); + if (start_lineno > last_processed) + last_processed = start_lineno; + if (num_lines == 0) + end_lineno = ULONG_MAX; + else + end_lineno = last_processed + num_lines; + debug2("process line %lu to line %lu", last_processed, end_lineno); res = 0; lp = xmalloc(QLINESIZE + 1); - while (fgets(lp, QLINESIZE + 1, in) != NULL) { + while (fgets(lp, QLINESIZE + 1, in) != NULL && count_in < end_lineno) { count_in++; if (checkpoint_file != NULL) { if (count_in <= last_processed) { diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 41da2077..03f927ed 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.108 2011/10/16 11:02:46 dtucker Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 16 2011 $ +.Dd $Mdocdate: July 6 2012 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -104,6 +104,8 @@ .Fl f Ar input_file .Op Fl v .Op Fl a Ar num_trials +.Op Fl J Ar num_lines +.Op Fl j Ar start_line .Op Fl K Ar checkpt .Op Fl W Ar generator .Nm ssh-keygen @@ -297,6 +299,16 @@ in the format specified by the .Fl m option and print an OpenSSH compatible private (or public) key to stdout. +.It Fl J Ar num_lines +Exit after screening the specified number of lines +while performing DH candidate screening using the +.Fl T +option. +.It Fl j Ar start_line +Start screening at the specified line number +while performing DH candidate screening using the +.Fl T +option. .It Fl K Ar checkpt Write the last line processed to the file .Ar checkpt 
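Review bot: `end_lineno = last_processed + num_lines` can wrap, since both operands are unsigned long and neither `-j` nor `-J` is range-checked before the addition; after a wrap end_lineno is small, the `count_in < end_lineno` loop condition is false at once and the screening run silently processes nothing. Clamp instead of adding blindly: `if (num_lines == 0 || num_lines > ULONG_MAX - last_processed) end_lineno = ULONG_MAX; else end_lineno = last_processed + num_lines;`. prime_test starts outside the hunk.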
@@ -518,7 +530,7 @@ This may be overridden using the .Fl S option, which specifies a different start point (in hex). .Pp -Once a set of candidates have been generated, they must be tested for +Once a set of candidates have been generated, they must be screened for suitability. This may be performed using the .Fl T diff --git a/ssh-keygen.c b/ssh-keygen.c index 9407321d..57679ee4 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.214 2012/05/23 03:28:28 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.215 2012/07/06 00:41:59 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -154,7 +154,8 @@ char hostname[MAXHOSTNAMELEN]; /* moduli.c */ int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); -int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *); +int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long, + unsigned long); static void type_bits_valid(int type, u_int32_t *bitsp) @@ -1888,6 +1889,8 @@ usage(void) fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n"); fprintf(stderr, " -I key_id Key identifier to include in certificate.\n"); fprintf(stderr, " -i Import foreign format to OpenSSH key file.\n"); + fprintf(stderr, " -J number Screen this number of moduli lines\n"); + fprintf(stderr, " -j number Start screening moduli at specified line.\n"); fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); fprintf(stderr, " -L Print the contents of a certificate.\n"); fprintf(stderr, " -l Show fingerprint of key file.\n"); @@ -1930,6 +1933,7 @@ main(int argc, char **argv) u_int32_t memory = 0, generator_wanted = 0, trials = 100; int do_gen_candidates = 0, do_screen_candidates = 0; int gen_all_hostkeys = 0; + unsigned long start_lineno = 0, lines_to_process = 0; BIGNUM *start = NULL; FILE *f; const char *errstr; 
@@ -1958,8 +1962,8 @@ main(int argc, char **argv) exit(1); } - while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:K:P:m:N:n:" - "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { + while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:J:j:K:P:" + "m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; @@ -1980,6 +1984,12 @@ main(int argc, char **argv) case 'I': cert_key_id = optarg; break; + case 'J': + lines_to_process = strtoul(optarg, NULL, 10); + break; + case 'j': + start_lineno = strtoul(optarg, NULL, 10); + break; case 'R': delete_host = 1; rr_hostname = optarg; @@ -2238,8 +2248,8 @@ main(int argc, char **argv) fatal("Couldn't open moduli file \"%s\": %s", out_file, strerror(errno)); } - if (prime_test(in, out, trials, generator_wanted, checkpoint) - != 0) + if (prime_test(in, out, trials, generator_wanted, checkpoint, + start_lineno, lines_to_process) != 0) fatal("modulus screening failed"); return (0); } -- cgit v1.2.1 From 08e0d059971d5ed0bb885af549f85269746ec4f0 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 6 Jul 2012 03:44:43 +0000 Subject: - djm@cvs.openbsd.org 2012/07/06 01:37:21 [mux.c] fix memory leak of passed-in environment variables and connection context when new session message is malformed; bz#2003 from Bert.Wesarg AT googlemail.com --- ChangeLog | 5 +++++ mux.c | 12 +++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0d876d2a..68811e63 100644 --- a/ChangeLog +++ b/ChangeLog 
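Review bot: The rewrapped getopt string drops the colon after `z` — the old string ends in `"...W:z:"` and the new one in `"...W:z"` — so `-z` no longer takes an argument and getopt will leave `optarg` NULL when it is given. The `case 'z'` handler is outside this hunk, but if it still reads optarg this is a regression unrelated to the new options; restore the suffix: `"m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {`.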
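Review bot: `lines_to_process = strtoul(optarg, NULL, 10);` and the `-j` case below it accept any string: a non-numeric argument silently becomes 0 and an overflowing one ULONG_MAX, neither reported to the user. main() already declares `const char *errstr` (visible in the -1930 hunk), which suggests the strtonum(3) pattern is in use for other numeric options and would fit here, e.g. `lines_to_process = strtonum(optarg, 0, UINT_MAX, &errstr); if (errstr) fatal("Invalid number of lines: %s (%s)", optarg, errstr);` (UINT_MAX is enough since prime_test counts lines in a u_int32_t).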
@@ -11,6 +11,11 @@ Add options to specify starting line number and number of lines to process when screening moduli candidates. This allows processing of different parts of a candidate moduli file in parallel. man page help jmc@, ok djm@ + - djm@cvs.openbsd.org 2012/07/06 01:37:21 + [mux.c] + fix memory leak of passed-in environment variables and connection + context when new session message is malformed; bz#2003 from Bert.Wesarg + AT googlemail.com 20120704 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for diff --git a/mux.c b/mux.c index 3dd5e262..5e0e65ff 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.35 2012/06/01 01:01:22 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -316,6 +316,8 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) cctx->term = NULL; cctx->rid = rid; cmd = reserved = NULL; + cctx->env = NULL; + env_len = 0; if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || buffer_get_int_ret(&cctx->want_tty, m) != 0 || buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 || @@ -329,16 +331,19 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) xfree(cmd); if (reserved != NULL) xfree(reserved); + for (j = 0; j < env_len; j++) + xfree(cctx->env[j]); + if (env_len > 0) + xfree(cctx->env); if (cctx->term != NULL) xfree(cctx->term); + xfree(cctx); error("%s: malformed message", __func__); return -1; } xfree(reserved); reserved = NULL; - cctx->env = NULL; - env_len = 0; while (buffer_len(m) > 0) { #define MUX_MAX_ENV_VARS 4096 if ((cp = buffer_get_string_ret(m, &len)) == NULL) @@ -413,6 +418,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) xfree(cctx->env); } buffer_free(&cctx->cmd); + xfree(cctx); return 0; } -- cgit v1.2.1 From b19f4342cc29c4e77e0a46fd69d6f814c73c6dfa Mon Sep 17 00:00:00 2001 
From: djm Date: Fri, 6 Jul 2012 03:45:01 +0000 Subject: - djm@cvs.openbsd.org 2012/07/06 01:47:38 [ssh.c] move setting of tty_flag to after config parsing so RequestTTY options are correctly picked up. bz#1995 patch from przemoc AT gmail.com; ok dtucker@ --- ChangeLog | 5 +++++ ssh.c | 43 +++++++++++++++++++++---------------------- 2 files changed, 26 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index 68811e63..07c17486 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,11 @@ fix memory leak of passed-in environment variables and connection context when new session message is malformed; bz#2003 from Bert.Wesarg AT googlemail.com + - djm@cvs.openbsd.org 2012/07/06 01:47:38 + [ssh.c] + move setting of tty_flag to after config parsing so RequestTTY options + are correctly picked up. bz#1995 patch from przemoc AT gmail.com; + ok dtucker@ 20120704 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for diff --git a/ssh.c b/ssh.c index 3c376d0f..3f61eb02 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.369 2012/07/02 08:50:03 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.370 2012/07/06 01:47:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -638,10 +638,6 @@ main(int ac, char **av) /* Initialize the command to execute on remote host. */ buffer_init(&command); - if (options.request_tty == REQUEST_TTY_YES || - options.request_tty == REQUEST_TTY_FORCE) - tty_flag = 1; - /* * Save the command to execute on the remote host in a buffer. There * is no limit on the length of the command, except by the maximum @@ -649,7 +645,6 @@ main(int ac, char **av) */ if (!ac) { /* No command specified - execute shell on a tty. */ - tty_flag = options.request_tty != REQUEST_TTY_NO; if (subsystem_flag) { fprintf(stderr, "You must specify a subsystem to invoke.\n"); 
@@ -670,22 +665,6 @@ main(int ac, char **av) fatal("Cannot fork into background without a command " "to execute."); - /* Allocate a tty by default if no command specified. */ - if (buffer_len(&command) == 0) - tty_flag = options.request_tty != REQUEST_TTY_NO; - - /* Force no tty */ - if (options.request_tty == REQUEST_TTY_NO || muxclient_command != 0) - tty_flag = 0; - /* Do not allocate a tty if stdin is not a tty. */ - if ((!isatty(fileno(stdin)) || stdin_null_flag) && - options.request_tty != REQUEST_TTY_FORCE) { - if (tty_flag) - logit("Pseudo-terminal will not be allocated because " - "stdin is not a terminal."); - tty_flag = 0; - } - /* * Initialize "log" output. Since we are the client all output * actually goes to stderr. @@ -721,6 +700,26 @@ main(int ac, char **av) /* reinit */ log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog); + if (options.request_tty == REQUEST_TTY_YES || + options.request_tty == REQUEST_TTY_FORCE) + tty_flag = 1; + + /* Allocate a tty by default if no command specified. */ + if (buffer_len(&command) == 0) + tty_flag = options.request_tty != REQUEST_TTY_NO; + + /* Force no tty */ + if (options.request_tty == REQUEST_TTY_NO || muxclient_command != 0) + tty_flag = 0; + /* Do not allocate a tty if stdin is not a tty. */ + if ((!isatty(fileno(stdin)) || stdin_null_flag) && + options.request_tty != REQUEST_TTY_FORCE) { + if (tty_flag) + logit("Pseudo-terminal will not be allocated because " + "stdin is not a terminal."); + tty_flag = 0; + } + seed_rng(); if (options.user == NULL) -- cgit v1.2.1 From 047cb1296bdbe246000b3eb3c55d5a5929677478 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 20 Jul 2012 00:42:06 +0000 Subject: Import regened moduli file. --- ChangeLog | 3 + moduli | 448 +++++++++++++++++++++++++++++++++++++------------------------- 2 files changed, 271 insertions(+), 180 deletions(-) diff --git a/ChangeLog b/ChangeLog index 07c17486..1bd4d2c5 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,6 @@ +20120720 + - (dtucker) Import regened moduli file. + 20120706 - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is not available. Allows use of sshd compiled on host with a filter-capable diff --git a/moduli b/moduli index f406ad31..3bb155de 100644 --- a/moduli +++ b/moduli @@ -1,181 +1,269 @@ -# $OpenBSD: moduli,v 1.6 2011/11/04 00:09:39 dtucker Exp $ +# $OpenBSD: moduli,v 1.7 2012/07/20 00:39:57 dtucker Exp $ # Time Type Tests Tries Size Generator Modulus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cgit v1.2.1 From c7cea378961d1e2ac5cb59822d910396212ea551 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 31 Jul 2012 02:20:43 +0000 Subject: - jmc@cvs.openbsd.org 2012/07/06 06:38:03 [ssh-keygen.c] missing full stop in usage(); --- ChangeLog | 6 ++++++ ssh-keygen.c | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1bd4d2c5..885a721f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20120731 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2012/07/06 06:38:03 + [ssh-keygen.c] + missing full stop in usage(); + 20120720 - (dtucker) Import regened moduli file. diff --git a/ssh-keygen.c b/ssh-keygen.c index 57679ee4..a223ddc8 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.215 2012/07/06 00:41:59 dtucker Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.216 2012/07/06 06:38:03 jmc Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
@@ -1889,7 +1889,7 @@ usage(void) fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n"); fprintf(stderr, " -I key_id Key identifier to include in certificate.\n"); fprintf(stderr, " -i Import foreign format to OpenSSH key file.\n"); - fprintf(stderr, " -J number Screen this number of moduli lines\n"); + fprintf(stderr, " -J number Screen this number of moduli lines.\n"); fprintf(stderr, " -j number Start screening moduli at specified line.\n"); fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); fprintf(stderr, " -L Print the contents of a certificate.\n"); -- cgit v1.2.1 From 2ab5e9979b2ba250c763db8fb927f5590ddbd6fe Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 31 Jul 2012 02:21:34 +0000 Subject: - djm@cvs.openbsd.org 2012/07/10 02:19:15 [servconf.c servconf.h sshd.c sshd_config] Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too. --- ChangeLog | 5 +++++ servconf.c | 9 +++++---- servconf.h | 4 ++-- sshd.c | 4 ++-- sshd_config | 4 ++-- 5 files changed, 16 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 885a721f..911b4b11 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,11 @@ - jmc@cvs.openbsd.org 2012/07/06 06:38:03 [ssh-keygen.c] missing full stop in usage(); + - djm@cvs.openbsd.org 2012/07/10 02:19:15 + [servconf.c servconf.h sshd.c sshd_config] + Turn on systrace sandboxing of pre-auth sshd by default for new installs + by shipping a config that overrides the current UsePrivilegeSeparation=yes + default. Make it easier to flip the default in the future by adding too. 20120720 - (dtucker) Import regened moduli file. diff --git a/servconf.c b/servconf.c index eccfbad4..427bdeef 100644 --- a/servconf.c +++ b/servconf.c 
@@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.227 2012/06/19 18:25:27 markus Exp $ */ +/* $OpenBSD: servconf.c,v 1.228 2012/07/10 02:19:15 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -285,7 +285,7 @@ fill_default_server_options(ServerOptions *options) options->version_addendum = xstrdup(""); /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = PRIVSEP_ON; + use_privsep = PRIVSEP_NOSANDBOX; #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { @@ -770,8 +770,9 @@ static const struct multistate multistate_gatewayports[] = { { NULL, -1 } }; static const struct multistate multistate_privsep[] = { - { "sandbox", PRIVSEP_SANDBOX }, - { "yes", PRIVSEP_ON }, + { "yes", PRIVSEP_NOSANDBOX }, + { "sandbox", PRIVSEP_ON }, + { "nosandbox", PRIVSEP_NOSANDBOX }, { "no", PRIVSEP_OFF }, { NULL, -1 } }; diff --git a/servconf.h b/servconf.h index c2eeed66..096d596d 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.102 2012/06/19 18:25:28 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.103 2012/07/10 02:19:15 djm Exp $ */ /* * Author: Tatu Ylonen @@ -39,7 +39,7 @@ /* use_privsep */ #define PRIVSEP_OFF 0 #define PRIVSEP_ON 1 -#define PRIVSEP_SANDBOX 2 +#define PRIVSEP_NOSANDBOX 2 #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ diff --git a/sshd.c b/sshd.c index 64b846f6..9aff5e8a 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.392 2012/06/30 14:35:09 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.393 2012/07/10 02:19:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -635,7 +635,7 @@ privsep_preauth(Authctxt *authctxt) /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; - if (use_privsep == PRIVSEP_SANDBOX) + if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(); pid = fork(); if (pid == -1) { 
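Review bot: After the rename in the servconf.h -39 hunk the constants read backwards relative to the config keywords: in the servconf.c -770 multistate table `"yes"` now maps to `PRIVSEP_NOSANDBOX` and `"sandbox"` to `PRIVSEP_ON`, so a reader of `use_privsep == PRIVSEP_ON` in the sshd.c privsep_preauth hunk must already know that ON means sandboxed. A comment on the defines would keep the next change from mixing them up, e.g. `/* PRIVSEP_ON: privsep with sandbox ("sandbox"); PRIVSEP_NOSANDBOX: privsep only ("yes"); PRIVSEP_OFF: no privsep ("no") */`.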
diff --git a/sshd_config b/sshd_config index ec3ca2af..9424ee2c 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.86 2012/04/12 02:43:55 djm Exp $ +# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -99,7 +99,7 @@ AuthorizedKeysFile .ssh/authorized_keys #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 -- cgit v1.2.1 From 28fe36d1f769f9708fb71bc1292748593846411c Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 31 Jul 2012 02:22:18 +0000 Subject: fix truncated entry --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 911b4b11..9104217a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,7 @@ Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too. + prodded markus@ feedback dtucker@ "get it in" deraadt@ 20120720 - (dtucker) Import regened moduli file. -- cgit v1.2.1 From 39731657ca88401402a1b79df4196b3e01a440fd Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 31 Jul 2012 02:22:37 +0000 Subject: - dtucker@cvs.openbsd.org 2012/07/13 01:35:21 [servconf.c] handle long comments in config files better. bz#2025, ok markus --- ChangeLog | 3 +++ servconf.c | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9104217a..2dafce31 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -9,6 +9,9 @@ by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too. prodded markus@ feedback dtucker@ "get it in" deraadt@ + - dtucker@cvs.openbsd.org 2012/07/13 01:35:21 + [servconf.c] + handle long comments in config files better. bz#2025, ok markus 20120720 - (dtucker) Import regened moduli file. diff --git a/servconf.c b/servconf.c index 427bdeef..ee2e531a 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.228 2012/07/10 02:19:15 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1526,8 +1526,9 @@ process_server_config_line(ServerOptions *options, char *line, void load_server_config(const char *filename, Buffer *conf) { - char line[1024], *cp; + char line[4096], *cp; FILE *f; + int lineno = 0; debug2("%s: filename %s", __func__, filename); if ((f = fopen(filename, "r")) == NULL) { @@ -1536,6 +1537,9 @@ load_server_config(const char *filename, Buffer *conf) } buffer_clear(conf); while (fgets(line, sizeof(line), f)) { + lineno++; + if (strlen(line) == sizeof(line) - 1) + fatal("%s line %d too long", filename, lineno); /* * Trim out comments and strip whitespace * NB - preserve newlines, they are needed to reproduce -- cgit v1.2.1 From ad068d7634c46e99672868fb2fe8ff67510c5cad Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 31 Jul 2012 02:23:16 +0000 Subject: - markus@cvs.openbsd.org 2012/07/22 18:19:21 [version.h] openssh 6.1 --- ChangeLog | 3 +++ version.h | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2dafce31..752eb474 100644 --- a/ChangeLog +++ b/ChangeLog 
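Review bot: `if (strlen(line) == sizeof(line) - 1)` in load_server_config also fires on a line that fit: one of exactly 4094 characters plus its newline fills the buffer to 4095 and is rejected as too long although nothing was truncated. Checking that the buffer filled without reaching a newline is more precise: `if (strlen(line) == sizeof(line) - 1 && line[sizeof(line) - 2] != '\n')`. The fatal() is the right response to real truncation, since a silently split line would be parsed as two directives; load_server_config's body continues past the hunk.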
@@ -12,6 +12,9 @@ - dtucker@cvs.openbsd.org 2012/07/13 01:35:21 [servconf.c] handle long comments in config files better. bz#2025, ok markus + - markus@cvs.openbsd.org 2012/07/22 18:19:21 + [version.h] + openssh 6.1 20120720 - (dtucker) Import regened moduli file. diff --git a/version.h b/version.h index 78983d9d..76adaaff 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.64 2012/02/09 20:00:18 markus Exp $ */ +/* $OpenBSD: version.h,v 1.65 2012/07/22 18:19:21 markus Exp $ */ -#define SSH_VERSION "OpenSSH_6.0" +#define SSH_VERSION "OpenSSH_6.1" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.2.1 From 1781115ff3d5650d3947b45142c859ce401b1da6 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 22 Aug 2012 11:57:13 +0000 Subject: - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers --- ChangeLog | 4 ++++ README | 4 ++-- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 5 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 752eb474..6cf3570a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20120822 + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update version numbers + 20120731 - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2012/07/06 06:38:03 diff --git a/README b/README index ad2adc49..81cb922b 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-6.0 for the release notes. +See http://www.openssh.com/txt/release-6.1 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html 
@@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.80 2012/04/20 04:11:04 djm Exp $ +$Id: README,v 1.81 2012/08/22 11:57:13 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 90be57da..9fd07953 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 6.0p1 +%define version 6.1p1 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.77 2012/04/20 00:58:43 djm Exp $ +$Id: openssh.spec,v 1.78 2012/08/22 11:57:15 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index d4e44d26..f74ad448 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 6.0p1 +%define ver 6.1p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 8d99fb5a..3b8abecc 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 6.0p1 +Version: 6.1p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.1 From bae0b792694da238640cab55f25bc8c3e4b5b9c7 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 28 Aug 2012 09:57:19 +0000 Subject: - (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN for compatibility with future mingw-w64 headers. Patch from vinschen at redhat com. --- ChangeLog | 5 +++++ openbsd-compat/bsd-cygwin_util.h | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 6cf3570a..c7f1e2ba 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,8 @@ +20120828 + - (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN + for compatibility with future mingw-w64 headers. Patch from vinschen at + redhat com. + 20120822 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index d223792d..b4bcd04b 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h @@ -1,4 +1,4 @@ -/* $Id: bsd-cygwin_util.h,v 1.14 2012/03/30 03:07:07 djm Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.15 2012/08/28 09:57:19 dtucker Exp $ */ /* * Copyright (c) 2000, 2001, 2011 Corinna Vinschen @@ -36,6 +36,8 @@ #undef ERROR +#define WIN32_LEAN_AND_MEAN + #include #include #include -- cgit v1.2.1 From 2e652d40936f1f05355ced7db7c0f6f026ec8f43 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 29 Aug 2012 00:26:20 +0000 Subject: - (djm) Release openssh-6.1 --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index c7f1e2ba..f8e60084 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20120828 + - (djm) Release openssh-6.1 + 20120828 - (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN for compatibility with future mingw-w64 headers. Patch from vinschen at -- cgit v1.2.1 From 578c80748c3e83aaf2099c1fd5ddf9001767ff46 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 30 Aug 2012 00:42:47 +0000 Subject: - (dtucker) [moduli] Import new moduli file. --- ChangeLog | 3 + moduli | 397 ++++++++++++++++++++++++++++++-------------------------------- 2 files changed, 198 insertions(+), 202 deletions(-) diff --git a/ChangeLog b/ChangeLog index f8e60084..048cefa5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20120830 + - (dtucker) [moduli] Import new moduli file. + 20120828 - (djm) Release openssh-6.1 diff --git a/moduli b/moduli index 3bb155de..49f76ee9 100644 --- a/moduli +++ b/moduli 
@@ -1,206 +1,199 @@ -# $OpenBSD: moduli,v 1.7 2012/07/20 00:39:57 dtucker Exp $ +# $OpenBSD: moduli,v 1.8 2012/08/29 05:06:54 dtucker Exp $ # Time Type Tests Tries Size Generator Modulus -20120705004026 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844A94DCF -20120705004028 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844B1694B -20120705004036 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844E34093 -20120705004039 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844F41247 -20120705004040 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844F8B39B -20120705004042 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284500D22F -20120705004044 2 6 100 1023 2 
C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284504854B -20120705004047 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428451642A3 -20120705004049 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428451B31D3 -20120705004052 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428452B05CB -20120705004053 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428452BB06B -20120705004057 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284544D6EF -20120705004101 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428454FBFBF 
-20120705004103 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284556870F -20120705004104 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428455A1DCF -20120705004106 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428455A71F3 -20120705004107 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428455C229B -20120705004109 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845624C8F -20120705004111 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845650AD7 -20120705004113 2 6 100 1023 5 
C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284572AE77 -20120705004116 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428457F0DE7 -20120705004119 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428458D623F -20120705004121 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284598C1BF -20120705004122 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284598FF9F -20120705004127 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845B559BF -20120705004129 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845BA77E7 
-20120705004131 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845C3989F -20120705004132 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845C5A23F -20120705004134 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845CAF1DB -20120705004136 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845D1CB5B -20120705004137 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845D4528F -20120705004139 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845DCBCB3 -20120705004143 2 6 100 1023 5 
C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845EE91B7 -20120705004144 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845EFF1A7 -20120705004145 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845F363FB -20120705004146 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845F3738B -20120705004148 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845F437CF -20120705004150 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284601A3BF -20120705004152 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284603421F 
-20120705004153 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284605C5B7 -20120705004155 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428460AF7CB -20120705004159 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846266533 -20120705004201 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846287DD3 -20120705004204 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846397273 -20120705004206 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284646FA83 -20120705004207 2 6 100 1023 2 
C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846475ED3 -20120705004210 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284651649F -20120705004212 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284659876B -20120705004213 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284659F8F3 -20120705004214 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428465BD413 -20120705004216 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428465F222B -20120705004217 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284660995B 
-20120705004221 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428467B9247 -20120705004227 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428468DAF87 -20120705004230 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428468E1A13 -20120705004838 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7205887 -20120705004853 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F73B39C7 -20120705004937 2 6 100 1535 2 
E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7A3E153 -20120705005002 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7DB4473 -20120705005017 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7F7293F -20120705005025 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F802FE8B -20120705005048 2 6 100 1535 2 
E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F836B5D3 -20120705005117 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F878CDEB -20120705005122 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F87AB3EB -20120705005140 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F89EAA43 -20120705005148 2 6 100 1535 2 
E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8AA75F3 -20120705005201 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8C2EAAB -20120705005215 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8DEAC73 -20120705005221 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8E3C303 -20120705005231 2 6 100 1535 5 
E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8F51EFF -20120705005246 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F9115B97 -20120705005317 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F95737CF -20120705005324 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F960A5F7 -20120705005339 2 6 100 1535 2 
E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F97DBAB3 -20120705005353 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F999A9CF -20120705005453 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FA253557 -20120705005516 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FA597D23 -20120705005521 2 6 100 1535 2 
E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FA5B9B1B -20120705005600 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FAB57F73 -20120705005606 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FABBBAFB -20120705005632 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FAF58CB3 -20120705005640 2 6 100 1535 2 
E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FB01659B -20120705005645 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FB04D9E7 -20120705005659 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FB205C67 -20120705011229 2 6 100 2047 2 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 -20120705011307 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205DAEFA5B -20120705011647 2 6 100 2047 5 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 -20120705011825 2 6 100 2047 2 
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 -20120705011957 2 6 100 2047 5 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 -20120705012217 2 6 100 2047 5 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 -20120705012259 2 6 100 2047 2 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 -20120705012319 2 6 100 2047 2 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 -20120705012338 2 6 100 2047 5 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 -20120705012817 2 6 100 2047 5 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 -20120705012947 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205FB2897B -20120705013020 2 6 100 2047 2 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 -20120705013559 2 6 100 2047 2 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 -20120705013637 2 6 100 2047 5 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 -20120705013859 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2060C181BB -20120705014010 2 6 100 2047 2 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 
-20120705014101 2 6 100 2047 2 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 -20120705014248 2 6 100 2047 2 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 -20120705014325 2 6 100 2047 2 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 -20120705014539 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D206162E447 -20120705014658 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D206186D1F3 -20120705014856 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2061D0EF73 -20120705015000 2 6 100 2047 2 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 -20120705015045 2 6 100 
2047 2 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 -20120705015234 2 6 100 2047 2 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 -20120705015345 2 6 100 2047 5 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 -20120705015734 2 6 100 2047 5 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 -20120705015750 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2063752183 -20120705015806 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20637DAF9B -20120705015900 2 6 100 2047 2 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 -20120705015921 2 6 100 2047 2 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 -20120705020044 2 6 100 2047 5 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 -20120705020232 2 6 100 2047 2 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 -20120705020339 2 6 100 2047 2 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 -20120705020502 2 6 100 2047 2 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 -20120705020512 2 6 100 2047 2 
F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2065194343 -20120705020523 2 6 100 2047 2 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 -20120705020541 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D206528BA2F -20120705021818 2 6 100 3071 5 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 -20120705022441 2 6 100 3071 5 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 -20120705024326 2 6 100 3071 2 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 -20120705025034 2 6 100 3071 2 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 -20120705025525 2 6 100 3071 5 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 -20120705025705 2 6 100 3071 5 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 -20120705025752 2 6 100 3071 2 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 -20120705030403 2 6 100 3071 5 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 -20120705030432 2 6 100 3071 5 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 -20120705030953 2 6 100 3071 2 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 
-20120705031728 2 6 100 3071 2 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 -20120705032458 2 6 100 3071 5 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 -20120705032902 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166431CB8F -20120705033016 2 6 100 3071 2 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 -20120705033652 2 6 100 3071 2 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 -20120705033740 2 6 100 3071 2 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 -20120705034025 2 6 100 3071 5 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 -20120705034138 2 6 100 3071 2 
D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541665048ECB -20120705034458 2 6 100 3071 5 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 -20120705040416 2 6 100 3071 2 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 -20120705041326 2 6 100 3071 2 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 -20120705041429 2 6 100 3071 5 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 -20120705041928 2 6 100 3071 5 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 -20120705042013 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541667E0CDA7 
-20120705044833 2 6 100 3071 2 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 -20120705045307 2 6 100 3071 5 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 -20120705050710 2 6 100 3071 2 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 -20120705051048 2 6 100 3071 2 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 -20120705051219 2 6 100 3071 5 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 -20120705051634 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166C28FFCB -20120705052331 2 6 100 3071 2 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 -20120705052812 2 6 100 3071 2 
D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166D041A0B -20120705053701 2 6 100 3071 5 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 -20120705055127 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166EC251D7 -20120705055500 2 6 100 3071 2 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 -20120705055603 2 6 100 3071 2 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 -20120705055831 2 6 100 3071 2 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 -20120705060133 2 6 100 3071 2 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 
-20120705060444 2 6 100 3071 2 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 -20120705060616 2 6 100 3071 2 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 -20120705074615 2 6 100 4095 5 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 -20120705075624 2 6 100 4095 2 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 -20120705075814 2 6 100 4095 2 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 -20120705082750 2 6 100 4095 5 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 -20120705091841 2 6 100 4095 5 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 -20120705094647 2 6 100 4095 2 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 -20120705113042 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40BE821C7 -20120705113614 2 6 100 4095 2 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 -20120705113856 2 6 100 4095 2 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 -20120705115824 2 6 100 4095 2 
DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40CBE3D6B -20120705122406 2 6 100 4095 2 
DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40D792E73 -20120705123711 2 6 100 4095 5 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 -20120705124452 2 6 100 4095 2 
DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40E149903 -20120705133408 2 6 100 4095 2 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 -20120705133854 2 6 100 4095 2 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 -20120705140912 2 6 100 4095 2 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 -20120705151048 2 6 100 4095 2 
DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41130009B -20120705154517 2 6 100 4095 2 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 -20120705155613 2 6 100 4095 5 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 -20120705162202 2 6 100 4095 5 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 -20120705162423 2 6 100 4095 5 
DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41319263F -20120705163533 2 6 100 4095 5 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 -20120705170312 2 6 100 4095 2 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 -20120705175100 2 6 100 4095 2 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 -20120705190344 2 6 100 4095 2 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 -20120705191532 2 6 100 4095 2 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 -20120705193904 2 6 100 4095 2 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 -20120705201440 2 6 100 4095 5 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 -20120705202233 2 6 100 4095 5 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 -20120705204542 2 6 100 4095 5 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 -20120705205809 2 6 100 4095 2 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 -20120705213138 2 6 100 4095 2 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 -20120705214528 2 6 100 4095 2 
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 -20120705215449 2 6 100 4095 2 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 -20120705225456 2 6 100 4095 5 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 -20120705231339 2 6 100 4095 2 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 -20120705232933 2 6 100 4095 2 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 -20120705233827 2 6 100 4095 2 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 -20120705234448 2 6 100 4095 5 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 +20120821044040 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A770E2EC9F +20120821044046 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7711F2C6B +20120821044047 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771225323 +20120821044048 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7712507AB +20120821044050 2 6 100 1023 2 
D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7712A2DB3 +20120821044051 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7712CACEF +20120821044053 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7713959C3 +20120821044057 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7715BBA13 +20120821044103 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77191592F +20120821044104 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771938E1F +20120821044106 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771A1E127 
+20120821044108 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771B3CDFB +20120821044109 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771B71913 +20120821044111 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771C2759F +20120821044113 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771CF8ABF +20120821044114 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771D2B49B +20120821044116 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771DF6193 +20120821044117 2 6 100 1023 2 
D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771E67E33 +20120821044120 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771FA581B +20120821044121 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772027DDB +20120821044123 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772093F8B +20120821044124 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7720EEF6F +20120821044125 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77216CAD7 +20120821044126 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77219A90B 
+20120821044129 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7722A0103 +20120821044130 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772343DBF +20120821044133 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772460C3F +20120821044137 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7726A4E0F +20120821044138 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772716D8B +20120821044141 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7728D719B +20120821044143 2 6 100 1023 2 
D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77297AA8B +20120821044145 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772A8794B +20120821044147 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772B4D6AB +20120821044149 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772BD325F +20120821044150 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772BDAE07 +20120821044151 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772C95CE3 +20120821044502 2 6 100 1535 5 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F96361507 +20120821044515 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F965885BF +20120821044519 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F966006C7 +20120821044528 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9674A0EB +20120821044539 2 6 100 1535 2 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F969457F3 +20120821044544 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F969BE79B +20120821044606 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F96E1E827 +20120821044623 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9714284B +20120821044630 2 6 100 1535 5 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97231CB7 +20120821044636 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F972E01DF +20120821044647 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974BCED3 +20120821044650 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974C3A43 +20120821044653 2 6 100 1535 2 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974E8F73 +20120821044701 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9763403B +20120821044705 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9767666B +20120821044708 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9768D81F +20120821044726 2 6 100 1535 5 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F979FD437 +20120821044729 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97A29BC7 +20120821044732 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97A56447 +20120821044737 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97AEDBDB +20120821044740 2 6 100 1535 2 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97B187F3 +20120821044746 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97BC6EE3 +20120821044757 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97DCCDEB +20120821044817 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F981975F7 +20120821044831 2 6 100 1535 5 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F983EC267 +20120821044841 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F985A032F +20120821044846 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9863B0AB +20120821044852 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F986E5C7F +20120821044911 2 6 100 1535 2 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98A8FF6B +20120821044917 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98B40E4B +20120821044924 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98C5840F +20120821044940 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98F22CEB +20120821044947 2 6 100 1535 5 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99040FFF +20120821044954 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99139AE3 +20120821045010 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9940BEFB +20120821045017 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9954379F +20120821045020 2 6 100 1535 2 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99548C23 +20120821045023 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99562FC3 +20120821045028 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9960CDCF +20120821045038 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F997AC0B3 +20120821045045 2 6 100 1535 2 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F998D9B6B +20120821045050 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9994BB77 +20120821045059 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99AC001B +20120821045101 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99AC5547 +20120821045107 2 6 100 1535 5 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99B86567 +20120821045110 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99BA2677 +20120821045128 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99EF4523 +20120821045154 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9A419DAB +20120821045214 2 6 100 1535 5 
D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9A7D1E67 +20120821045218 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9A826443 +20120821045639 2 6 100 2047 2 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 +20120821045830 2 6 100 2047 2 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 +20120821050046 2 6 100 2047 2 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 +20120821050054 2 6 100 2047 5 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 +20120821050118 2 6 100 2047 5 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 +20120821050218 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936828ADA17 +20120821050243 2 6 100 2047 2 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 +20120821050427 2 6 100 2047 5 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 +20120821050515 2 6 100 2047 5 
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 +20120821050545 2 6 100 2047 2 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 +20120821050554 2 6 100 2047 5 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 +20120821050636 2 6 100 2047 2 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 +20120821050648 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293683E86803 +20120821050758 2 6 100 2047 2 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 +20120821050807 2 6 100 2047 2 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 +20120821050849 2 6 100 2047 2 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 +20120821050916 2 6 100 2047 5 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 +20120821050942 2 6 100 2047 2 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 +20120821051003 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293684DB980F +20120821051010 2 6 100 2047 5 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 +20120821051158 2 6 100 2047 5 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 
+20120821051206 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685768253 +20120821051231 2 6 100 2047 2 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 +20120821051240 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685987B0B +20120821051324 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685D5E36B +20120821051349 2 6 100 2047 5 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 +20120821051424 2 6 100 2047 5 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 +20120821051516 2 6 100 2047 2 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 +20120821051540 2 6 100 
2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368686EB87 +20120821051622 2 6 100 2047 2 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 +20120821051703 2 6 100 2047 5 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 +20120821051715 2 6 100 2047 5 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 +20120821051837 2 6 100 2047 5 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 +20120821051843 2 6 100 2047 2 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 +20120821051930 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293687AEDE8F +20120821052131 2 6 100 2047 5 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 +20120821053137 2 6 100 3071 5 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 +20120821053209 2 6 100 3071 5 
DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF94228B7F67 +20120821053317 2 6 100 3071 5 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 +20120821053841 2 6 100 3071 5 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 +20120821054039 2 6 100 3071 2 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 +20120821054334 2 6 100 3071 5 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 +20120821054455 2 6 100 3071 5 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 +20120821054844 2 6 100 3071 5 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 +20120821055307 2 6 100 3071 5 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 +20120821055436 2 6 100 3071 2 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 +20120821055700 2 6 100 3071 5 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 +20120821060224 2 6 100 3071 5 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 +20120821060334 2 6 100 3071 2 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 +20120821060420 2 6 100 3071 2 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 +20120821060927 2 6 100 3071 5 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 +20120821061829 2 6 100 3071 5 
DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF94272F0D4F +20120821062020 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF94275B00B7 +20120821062241 2 6 100 3071 5 
DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9427941F5F +20120821063416 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9428D5E367 +20120821063648 2 6 100 3071 5 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 +20120821064052 2 6 100 3071 2 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 +20120821064951 2 6 100 3071 2 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 +20120821065736 2 6 100 3071 2 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 +20120821071146 2 6 100 3071 2 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 
+20120821071337 2 6 100 3071 2 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 +20120821072545 2 6 100 3071 5 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 +20120821075022 2 6 100 3071 2 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 +20120821080229 2 6 100 3071 2 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 +20120821081230 2 6 100 3071 2 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 +20120821081746 2 6 100 3071 5 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 +20120821081811 2 6 100 3071 2 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 +20120821084945 2 6 100 4095 5 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 +20120821091240 2 6 100 4095 2 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 +20120821092428 2 6 100 4095 2 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 +20120821093047 2 6 100 4095 2 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 +20120821095420 2 6 100 4095 5 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 +20120821095624 2 6 100 4095 5 
EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45E21E2BF +20120821102749 2 6 100 4095 2 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 +20120821105854 2 6 100 4095 5 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 +20120821110658 2 6 100 4095 5 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 +20120821110744 2 6 100 4095 2 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 +20120821115206 2 6 100 4095 5 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 +20120821121256 2 6 100 4095 2 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 +20120821121421 2 6 100 4095 2 
EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA46467609B +20120821122649 2 6 100 4095 2 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 +20120821122854 2 6 100 4095 2 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 +20120821125200 2 6 100 4095 2 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 +20120821130613 2 6 100 4095 2 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 +20120821131115 2 6 100 4095 5 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 +20120821132817 2 6 100 4095 2 
EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA467B278B3 +20120821135349 2 6 100 4095 2 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 +20120821141206 2 6 100 4095 5 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 +20120821144909 2 6 100 4095 5 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 +20120821150021 2 6 100 4095 5 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 +20120821153843 2 6 100 4095 2 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 +20120821162006 2 6 100 4095 2 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 +20120821170404 2 6 100 4095 5 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 +20120821173305 2 6 100 4095 2 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 +20120821173936 2 6 100 4095 5 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 +20120821174533 2 6 100 4095 2 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 +20120821180053 2 6 100 4095 5 
EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA473C7CE3F +20120821180952 2 6 100 4095 5 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 +20120821181124 2 6 100 4095 2 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 +20120821183540 2 6 100 4095 2 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 +20120821183852 2 6 100 4095 5 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 +20120821184512 2 6 100 4095 2 
EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA475AC57DB +20120821184603 2 6 100 4095 2 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 +20120821184701 2 6 100 4095 5 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 +20120821185939 2 6 100 4095 5 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 +20120821190630 2 6 100 4095 5 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 +20120821190945 2 6 100 4095 2 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 +20120821195501 2 6 100 4095 5 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 20120705232031 2 6 100 6143 2 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 20120705233800 2 6 100 6143 2 
EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B246EC93B 20120706002709 2 6 100 6143 5 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 -- cgit v1.2.1 From 3957a93f790be53b1b4c2a1888946b5e8993e4f5 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Thu, 6 Sep 2012 11:18:11 +0000 Subject: - jmc@cvs.openbsd.org 2012/08/15 18:25:50 [ssh-keygen.1] a little more info on certificate validity; requested by Ross L Richardson, and provided by djm --- ChangeLog | 7 +++++++ ssh-keygen.1 | 8 +++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 048cefa5..3b6803b6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20120906 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2012/08/15 18:25:50 + [ssh-keygen.1] + a little more info on certificate validity; + requested by Ross L Richardson, and provided by djm + 20120830 - (dtucker) [moduli] Import new moduli file. diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 03f927ed..1d556464 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.110 2012/08/15 18:25:50 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 6 2012 $ +.Dd $Mdocdate: August 15 2012 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -628,7 +628,9 @@ The option allows specification of certificate start and end times. A certificate that is presented at a time outside this range will not be considered valid. -By default, certificates have a maximum validity interval. +By default, certificates are valid from +.Ux +Epoch to the distant future. .Pp For certificates to be used for user or host authentication, the CA public key must be trusted by -- cgit v1.2.1 From fc9bcee370df1185d54a0fbc3d6364cac34d7559 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Thu, 6 Sep 2012 11:19:05 +0000 Subject: - dtucker@cvs.openbsd.org 2012/08/17 00:45:45 [clientloop.c clientloop.h mux.c] Force a clean shutdown of ControlMaster client sessions when the ~. escape sequence is used. This means that ~. should now work in mux clients even if the server is no longer responding. Found by tedu, ok djm. --- ChangeLog | 5 +++++ clientloop.c | 4 +++- clientloop.h | 3 ++- mux.c | 4 ++-- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3b6803b6..bdaaa0ae 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ [ssh-keygen.1] a little more info on certificate validity; requested by Ross L Richardson, and provided by djm + - dtucker@cvs.openbsd.org 2012/08/17 00:45:45 + [clientloop.c clientloop.h mux.c] + Force a clean shutdown of ControlMaster client sessions when the ~. escape + sequence is used. This means that ~. should now work in mux clients even + if the server is no longer responding. Found by tedu, ok djm. 20120830 - (dtucker) [moduli] Import new moduli file. diff --git a/clientloop.c b/clientloop.c index 1c1a7708..65664cbc 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.240 2012/06/20 04:42:58 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.241 2012/08/17 00:45:45 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1046,6 +1046,8 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, if (c && c->ctl_chan != -1) { chan_read_failed(c); chan_write_failed(c); + mux_master_session_cleanup_cb(c->self, + NULL); return 0; } else quit_pending = 1; diff --git a/clientloop.h b/clientloop.h index 3bb79487..d2baa032 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.29 2011/09/09 22:46:44 djm Exp $ */ +/* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */ /* * Author: Tatu Ylonen 
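Review bot: The direct call `mux_master_session_cleanup_cb(c->self, NULL)` added to process_escapes invokes a routine that mux.c (hunk on the following line) still describes as a cleanup callback fired on closure of the session channel, so it can plausibly run twice for the same channel, once here and again when the channel is eventually freed; the hunk does not show whether the callback tolerates a second invocation, and that contract should be stated at the call site: `/* Tear the mux session down now; callback must be safe to re-run from channel cleanup. */`. Making the function non-static in mux.c also leaves its header comment describing only the callback path; amend it to `/* Cleanup callback fired on closure of mux slave _session_ channel, or called directly from process_escapes() on ~. */`. process_escapes begins outside the hunk.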
@@ -76,4 +76,5 @@ void muxserver_listen(void); void muxclient(const char *); void mux_exit_message(Channel *, int); void mux_tty_alloc_failed(Channel *); +void mux_master_session_cleanup_cb(int, void *); diff --git a/mux.c b/mux.c index 5e0e65ff..0f1532bb 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.37 2012/08/17 00:45:45 dtucker Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -188,7 +188,7 @@ static const struct { /* Cleanup callback fired on closure of mux slave _session_ channel */ /* ARGSUSED */ -static void +void mux_master_session_cleanup_cb(int cid, void *unused) { Channel *cc, *c = channel_by_id(cid); -- cgit v1.2.1 From 6defa8d224f39591068e5d4608dcb85342fc74e8 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 6 Sep 2012 11:19:51 +0000 Subject: - djm@cvs.openbsd.org 2012/08/17 01:22:56 [kex.c] add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change --- ChangeLog | 4 ++++ kex.c | 16 +++++++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index bdaaa0ae..dd287743 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ Force a clean shutdown of ControlMaster client sessions when the ~. escape sequence is used. This means that ~. should now work in mux clients even if the server is no longer responding. Found by tedu, ok djm. + - djm@cvs.openbsd.org 2012/08/17 01:22:56 + [kex.c] + add some comments about better handling first-KEX-follows notifications + from the server. Nothing uses these right now. No binary change 20120830 - (dtucker) [moduli] Import new moduli file. diff --git a/kex.c b/kex.c index c65e28f9..f77b3c92 100644 --- a/kex.c +++ b/kex.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.86 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.87 2012/08/17 01:22:56 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -242,8 +242,18 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) packet_get_char(); for (i = 0; i < PROPOSAL_MAX; i++) xfree(packet_get_string(NULL)); - (void) packet_get_char(); - (void) packet_get_int(); + /* + * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported + * KEX method has the server move first, but a server might be using + * a custom method or one that we otherwise don't support. We should + * be prepared to remember first_kex_follows here so we can eat a + * packet later. + * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means + * for cases where the server *doesn't* go first. I guess we should + * ignore it when it is set for these cases, which is what we do now. + */ + (void) packet_get_char(); /* first_kex_follows */ + (void) packet_get_int(); /* reserved */ packet_check_eom(); kex_kexinit_finish(kex); -- cgit v1.2.1 From 16695860d1ee2201f209234e40cec1e911e48c81 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 6 Sep 2012 11:20:39 +0000 Subject: - djm@cvs.openbsd.org 2012/08/17 01:25:58 [ssh-keygen.c] print details of which host lines were deleted when using "ssh-keygen -R host"; ok markus@ --- ChangeLog | 4 ++++ ssh-keygen.c | 22 +++++++++++++++++----- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index dd287743..bbc4435d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,10 @@ [kex.c] add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change + - djm@cvs.openbsd.org 2012/08/17 01:25:58 + [ssh-keygen.c] + print details of which host lines were deleted when using + "ssh-keygen -R host"; ok markus@ 20120830 - (dtucker) [moduli] Import new moduli file. 
diff --git a/ssh-keygen.c b/ssh-keygen.c index a223ddc8..5060276d 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.216 2012/07/06 06:38:03 jmc Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.217 2012/08/17 01:25:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1088,8 +1088,14 @@ do_known_hosts(struct passwd *pw, const char *name) ca ? " (CA key)" : ""); printhost(out, cp, pub, ca, 0); } - if (delete_host && !c && !ca) - printhost(out, cp, pub, ca, 0); + if (delete_host) { + if (!c && !ca) + printhost(out, cp, pub, ca, 0); + else + printf("# Host %s found: " + "line %d type %s\n", name, + num, key_type(pub)); + } } else if (hash_hosts) printhost(out, cp, pub, ca, 0); } else { @@ -1104,8 +1110,14 @@ do_known_hosts(struct passwd *pw, const char *name) printhost(out, name, pub, ca, hash_hosts && !ca); } - if (delete_host && !c && !ca) - printhost(out, cp, pub, ca, 0); + if (delete_host) { + if (!c && !ca) + printhost(out, cp, pub, ca, 0); + else + printf("# Host %s found: " + "line %d type %s\n", name, + num, key_type(pub)); + } } else if (hash_hosts) { for (cp2 = strsep(&cp, ","); cp2 != NULL && *cp2 != '\0'; -- cgit v1.2.1 From 75204dc8e8806583b6332d34280d25d335ebabb0 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 6 Sep 2012 11:21:56 +0000 Subject: - djm@cvs.openbsd.org 2012/08/17 01:30:00 [compat.c sshconnect.c] Send client banner immediately, rather than waiting for the server to move first for SSH protocol 2 connections (the default). Patch based on one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@ --- ChangeLog | 5 +++++ compat.c | 4 +++- sshconnect.c | 47 ++++++++++++++++++++++++++++++++++------------- 3 files changed, 42 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index bbc4435d..178d0500 100644 --- a/ChangeLog +++ b/ChangeLog 
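Review bot: The six-line `if (delete_host) { ... printf("# Host %s found: line %d type %s\n", name, num, key_type(pub)); }` block now appears verbatim in both hunks (the plain-hostname and the hashed-hostname match paths); a small `static` helper taking `out`, `cp`, `pub`, `ca`, `c`, `name` and `num` would keep the two paths from drifting apart. Note also that the informational line goes to stdout via `printf` while the retained known_hosts entries are written to `out`; that is only correct if `out` is never stdout on the `-R` path, which this hunk does not show, so a comment such as `/* report deleted entries on stdout; the rewritten file goes to 'out' */` would make the intent explicit. do_known_hosts starts and ends outside the hunk.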
@@ -17,6 +17,11 @@ [ssh-keygen.c] print details of which host lines were deleted when using "ssh-keygen -R host"; ok markus@ + - djm@cvs.openbsd.org 2012/08/17 01:30:00 + [compat.c sshconnect.c] + Send client banner immediately, rather than waiting for the server to + move first for SSH protocol 2 connections (the default). Patch based on + one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@ 20120830 - (dtucker) [moduli] Import new moduli file. diff --git a/compat.c b/compat.c index 0dc089fd..f680f4fe 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.79 2011/09/23 07:45:05 markus Exp $ */ +/* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -45,6 +45,8 @@ int datafellows = 0; void enable_compat20(void) { + if (compat20) + return; debug("Enabling compatibility mode for protocol 2.0"); compat20 = 1; } diff --git a/sshconnect.c b/sshconnect.c index 0ee72663..3d44b2e4 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.234 2011/05/24 07:15:47 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.235 2012/08/17 01:30:00 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -429,6 +429,26 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, return 0; } +static void +send_client_banner(int connection_out, int minor1) +{ + char buf[256]; + + /* Send our own protocol version identification. */ + if (compat20) { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + PROTOCOL_MAJOR_1, minor1, SSH_VERSION); + } + if (roaming_atomicio(vwrite, connection_out, client_version_string, + strlen(client_version_string)) != strlen(client_version_string)) + fatal("write: %.100s", strerror(errno)); + chop(client_version_string); + debug("Local version string %.100s", client_version_string); +} + /* * Waits for the server identification string, and sends our own * identification string. @@ -440,7 +460,7 @@ ssh_exchange_identification(int timeout_ms) int remote_major, remote_minor, mismatch; int connection_in = packet_get_connection_in(); int connection_out = packet_get_connection_out(); - int minor1 = PROTOCOL_MINOR_1; + int minor1 = PROTOCOL_MINOR_1, client_banner_sent = 0; u_int i, n; size_t len; int fdsetsz, remaining, rc; @@ -450,6 +470,16 @@ ssh_exchange_identification(int timeout_ms) fdsetsz = howmany(connection_in + 1, NFDBITS) * sizeof(fd_mask); fdset = xcalloc(1, fdsetsz); + /* + * If we are SSH2-only then we can send the banner immediately and + * save a round-trip. + */ + if (options.protocol == SSH_PROTO_2) { + enable_compat20(); + send_client_banner(connection_out, 0); + client_banner_sent = 1; + } + /* Read other side's version identification. */ remaining = timeout_ms; for (n = 0;;) { 
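Review bot: `send_client_banner` has no header comment although its main effect is on a global: it allocates `client_version_string` with `xasprintf`, writes it to the peer and then `chop`s the retained copy, and that retained string is presumably what the later key exchange hashes as the client identification, so the bytes sent and the bytes kept must stay in step. Suggest documenting this above the function: `/* Build and send our identification string; the CR/LF-stripped copy is kept in client_version_string for later use (KEX). Must be called at most once per connection. */`. The once-only caveat matters because a second call would leak the first allocation; the `client_banner_sent` flag in ssh_exchange_identification is the only thing preventing it, and `minor1` is ignored whenever `compat20` is set (the early-send path passes 0), which is worth a word in the same comment.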
@@ -552,18 +582,9 @@ ssh_exchange_identification(int timeout_ms) fatal("Protocol major versions differ: %d vs. %d", (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, remote_major); - /* Send our own protocol version identification. */ - snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", - compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, - compat20 ? PROTOCOL_MINOR_2 : minor1, - SSH_VERSION, compat20 ? "\r\n" : "\n"); - if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf)) - != strlen(buf)) - fatal("write: %.100s", strerror(errno)); - client_version_string = xstrdup(buf); - chop(client_version_string); + if (!client_banner_sent) + send_client_banner(connection_out, minor1); chop(server_version_string); - debug("Local version string %.100s", client_version_string); } /* defaults to 'no' */ -- cgit v1.2.1 From 25305e7dab97124213c2cff5827952e3caffc8f1 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 6 Sep 2012 11:25:37 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/06 04:37:39 [clientloop.c log.c ssh.1 log.h] Add ~v and ~V escape sequences to raise and lower the logging level respectively. Man page help from jmc, ok deraadt jmc --- ChangeLog | 4 ++++ clientloop.c | 30 +++++++++++++++++++++++++++++- log.c | 17 ++++++++++++++++- log.h | 4 +++- ssh.1 | 12 ++++++++++-- 5 files changed, 62 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 178d0500..439893da 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,10 @@ Send client banner immediately, rather than waiting for the server to move first for SSH protocol 2 connections (the default). Patch based on one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@ + - dtucker@cvs.openbsd.org 2012/09/06 04:37:39 + [clientloop.c log.c ssh.1 log.h] + Add ~v and ~V escape sequences to raise and lower the logging level + respectively. Man page help from jmc, ok deraadt jmc 20120830 - (dtucker) [moduli] Import new moduli file. 
diff --git a/clientloop.c b/clientloop.c index 65664cbc..0e5c45a9 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.241 2012/08/17 00:45:45 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.242 2012/09/06 04:37:38 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1099,6 +1099,31 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, } continue; + case 'V': + /* FALLTHROUGH */ + case 'v': + if (c && c->ctl_chan != -1) + goto noescape; + if (!log_is_on_stderr()) { + snprintf(string, sizeof string, + "%c%c [Logging to syslog]\r\n", + escape_char, ch); + buffer_append(berr, string, + strlen(string)); + continue; + } + if (ch == 'V' && options.log_level > + SYSLOG_LEVEL_QUIET) + log_change_level(--options.log_level); + if (ch == 'v' && options.log_level < + SYSLOG_LEVEL_DEBUG3) + log_change_level(++options.log_level); + snprintf(string, sizeof string, + "%c%c [LogLevel %s]\r\n", escape_char, ch, + log_level_name(options.log_level)); + buffer_append(berr, string, strlen(string)); + continue; + case '&': if (c && c->ctl_chan != -1) goto noescape; @@ -1175,12 +1200,15 @@ Supported escape sequences:\r\n\ %cB - send a BREAK to the remote system\r\n\ %cC - open a command line\r\n\ %cR - Request rekey (SSH protocol 2 only)\r\n\ + %cV - Increase verbosity (LogLevel)\r\n\ + %cv - Decrease verbosity (LogLevel)\r\n\ %c^Z - suspend ssh\r\n\ %c# - list forwarded connections\r\n\ %c& - background ssh (when waiting for connections to terminate)\r\n\ %c? - this message\r\n\ %c%c - send the escape character by typing it twice\r\n\ (Note that escapes are only recognized immediately after newline.)\r\n", + escape_char, escape_char, escape_char, escape_char, escape_char, escape_char, escape_char, escape_char, diff --git a/log.c b/log.c index ad5a10b4..7f4a1b9c 100644 --- a/log.c +++ b/log.c 
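Review bot: The new `~v`/`~V` handler sends mux-client sessions to `noescape` without saying why; since process_escapes runs in the process that owns `options.log_level` and the log destination, a multiplexed client adjusting it would presumably change the mux master's logging rather than its own, and that reasoning should be recorded: `/* log level belongs to the mux master process, not to a slave session */`. The range checks `> SYSLOG_LEVEL_QUIET` and `< SYSLOG_LEVEL_DEBUG3` are what keep `log_change_level` from being handed a value outside the enum; since the validation otherwise happens in log_init (outside this hunk), a comment such as `/* keep within the LogLevel enum; log_change_level does not range-check */` would tie the two together. process_escapes starts and ends outside the hunk.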
@@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.42 2011/06/17 21:44:30 djm Exp $ */ +/* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -329,6 +329,21 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) #endif } +void +log_change_level(LogLevel new_log_level) +{ + /* no-op if log_init has not been called */ + if (argv0 == NULL) + return; + log_init(argv0, new_log_level, log_facility, log_on_stderr); +} + +int +log_is_on_stderr(void) +{ + return log_on_stderr; +} + #define MSGBUFSIZ 1024 void diff --git a/log.h b/log.h index 1b8d2142..e3e328b0 100644 --- a/log.h +++ b/log.h @@ -1,4 +1,4 @@ -/* $OpenBSD: log.h,v 1.18 2011/06/17 21:44:30 djm Exp $ */ +/* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -49,6 +49,8 @@ typedef enum { typedef void (log_handler_fn)(LogLevel, const char *, void *); void log_init(char *, LogLevel, SyslogFacility, int); +void log_change_level(LogLevel); +int log_is_on_stderr(void); SyslogFacility log_facility_number(char *); const char * log_facility_name(SyslogFacility); diff --git a/ssh.1 b/ssh.1 index eaf5d83d..65342ff8 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.326 2012/06/18 12:17:18 dtucker Exp $ -.Dd $Mdocdate: June 18 2012 $ +.\" $OpenBSD: ssh.1,v 1.327 2012/09/06 04:37:39 dtucker Exp $ +.Dd $Mdocdate: September 6 2012 $ .Dt SSH 1 .Os .Sh NAME 
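Review bot: `log_change_level` re-runs `log_init` with the stored `argv0`, `log_facility` and `log_on_stderr` and delegates validation of `new_log_level` to log_init (outside this hunk); if log_init treats an unrecognised level as fatal, callers must range-check first, and the function's contract should say so. Suggest replacing the one-line comment with: `/* Re-initialise logging at new_log_level, keeping program name, facility and stderr setting. No-op before log_init(). Callers must pass a valid LogLevel. */`. `log_is_on_stderr` could likewise carry `/* non-zero if log_init() was told to write to stderr rather than syslog */`.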
@@ -926,6 +926,14 @@ option. .It Cm ~R Request rekeying of the connection (only useful for SSH protocol version 2 and if the peer supports it). +.It Cm ~V +Decrease the verbosity +.Pq Ic LogLevel +when errors are being written to stderr. +.It Cm ~v +Increase the verbosit +.Pq Ic LogLevel +when errors are being written to stderr. .El .Sh TCP FORWARDING Forwarding of arbitrary TCP connections over the secure channel can -- cgit v1.2.1 From 76359d725f203cde5cd1e14f3f8f9b069a719937 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 6 Sep 2012 11:26:34 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/06 09:50:13 [clientloop.c] Make the escape command help (~?) context sensitive so that only commands that will work in the current session are shown. ok markus@ --- ChangeLog | 4 ++++ clientloop.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 439893da..03b16cc2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,10 @@ [clientloop.c log.c ssh.1 log.h] Add ~v and ~V escape sequences to raise and lower the logging level respectively. Man page help from jmc, ok deraadt jmc + - dtucker@cvs.openbsd.org 2012/09/06 09:50:13 + [clientloop.c] + Make the escape command help (~?) context sensitive so that only commands + that will work in the current session are shown. ok markus@ 20120830 - (dtucker) [moduli] Import new moduli file. diff --git a/clientloop.c b/clientloop.c index 0e5c45a9..72b1d40f 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.242 2012/09/06 04:37:38 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.243 2012/09/06 06:25:41 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -1200,8 +1200,8 @@ Supported escape sequences:\r\n\ %cB - send a BREAK to the remote system\r\n\ %cC - open a command line\r\n\ %cR - Request rekey (SSH protocol 2 only)\r\n\ - %cV - Increase verbosity (LogLevel)\r\n\ - %cv - Decrease verbosity (LogLevel)\r\n\ + %cV - Decrease verbosity (LogLevel)\r\n\ + %cv - Increase verbosity (LogLevel)\r\n\ %c^Z - suspend ssh\r\n\ %c# - list forwarded connections\r\n\ %c& - background ssh (when waiting for connections to terminate)\r\n\ -- cgit v1.2.1 From ca4e86bfb2fc49530a28aedb2ab0f3f0179f79b1 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 7 Sep 2012 00:44:34 +0000 Subject: =?UTF-8?q?bz#2039:=20add=20acknowledgement=20of=20the=20original?= =?UTF-8?q?=20authors=20of=20the=20ECDSA=20SSHFP=20DNS=20work.=20=20From?= =?UTF-8?q?=20Ond=C5=99ej=20Sur=C3=BD.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 03b16cc2..242ef404 100644 --- a/ChangeLog +++ b/ChangeLog @@ -208,6 +208,7 @@ [dns.c dns.h key.c key.h ssh-keygen.c] add support for RFC6594 SSHFP DNS records for ECDSA key types. patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ + (Original authors OndÅ™ej SurÃ, OndÅ™ej Caletka and Daniel Black) - djm@cvs.openbsd.org 2012/06/01 00:49:35 [PROTOCOL.mux] correct types of port numbers (integers, not strings); bz#2004 from -- cgit v1.2.1 From f5d5e8e7fcade1bdcee805caddab8dbe0d294de6 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 7 Sep 2012 01:20:20 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/06 09:50:13 [clientloop.c] Make the escape command help (~?) context sensitive so that only commands that will work in the current session are shown. ok markus@ (note: previous commit with this description was a mistake on my part while pulling changes from OpenBSD) --- ChangeLog | 11 ++++--- clientloop.c | 103 +++++++++++++++++++++++++++++++++++------------------------ 2 files changed, 69 insertions(+), 45 deletions(-) diff --git a/ChangeLog b/ChangeLog index 242ef404..dead4971 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20120907 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/09/06 09:50:13 + [clientloop.c] + Make the escape command help (~?) context sensitive so that only commands + that will work in the current session are shown. ok markus@ + 20120906 - (dtucker) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2012/08/15 18:25:50 @@ -26,10 +33,6 @@ [clientloop.c log.c ssh.1 log.h] Add ~v and ~V escape sequences to raise and lower the logging level respectively. Man page help from jmc, ok deraadt jmc - - dtucker@cvs.openbsd.org 2012/09/06 09:50:13 - [clientloop.c] - Make the escape command help (~?) context sensitive so that only commands - that will work in the current session are shown. ok markus@ 20120830 - (dtucker) [moduli] Import new moduli file. diff --git a/clientloop.c b/clientloop.c index 72b1d40f..07d2c892 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.243 2012/09/06 06:25:41 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.244 2012/09/06 09:50:13 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -996,6 +996,64 @@ out: xfree(fwd.connect_host); } +/* reasons to suppress output of an escape command in help output */ +#define SUPPRESS_NEVER 0 /* never suppress, always show */ +#define SUPPRESS_PROTO1 1 /* don't show in protocol 1 sessions */ +#define SUPPRESS_MUXCLIENT 2 /* don't show in mux client sessions */ +#define SUPPRESS_MUXMASTER 4 /* don't show in mux master sessions */ +#define SUPPRESS_SYSLOG 8 /* don't show when logging to syslog */ +struct escape_help_text { + const char *cmd; + const char *text; + unsigned int flags; +}; +static struct escape_help_text esc_txt[] = { + {".", "terminate session", SUPPRESS_MUXMASTER}, + {".", "terminate connection (and any multiplexed sessions)", + SUPPRESS_MUXCLIENT}, + {"B", "send a BREAK to the remote system", SUPPRESS_PROTO1}, + {"C", "open a command line", SUPPRESS_MUXCLIENT}, + {"R", "request rekey", SUPPRESS_PROTO1}, + {"V", "decrease verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, + {"v", "increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, + {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT}, + {"#", "list forwarded connections", SUPPRESS_NEVER}, + {"&", "background ssh (when waiting for connections to terminate)", + SUPPRESS_MUXCLIENT}, + {"?", "this message", SUPPRESS_NEVER}, +}; + +static void +print_escape_help(Buffer *b, int escape_char, int protocol2, int mux_client, + int using_stderr) +{ + unsigned int i, suppress_flags; + char string[1024]; + + snprintf(string, sizeof string, "%c?\r\n" + "Supported escape sequences:\r\n", escape_char); + buffer_append(b, string, strlen(string)); + + suppress_flags = (protocol2 ? 0 : SUPPRESS_PROTO1) | + (mux_client ? SUPPRESS_MUXCLIENT : 0) | + (mux_client ? 0 : SUPPRESS_MUXMASTER) | + (using_stderr ? 
0 : SUPPRESS_SYSLOG); + + for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) { + if (esc_txt[i].flags & suppress_flags) + continue; + snprintf(string, sizeof string, " %c%-2s - %s\r\n", + escape_char, esc_txt[i].cmd, esc_txt[i].text); + buffer_append(b, string, strlen(string)); + } + + snprintf(string, sizeof string, + " %c%c - send the escape character by typing it twice\r\n" + "(Note that escapes are only recognized immediately after " + "newline.)\r\n", escape_char, escape_char); + buffer_append(b, string, strlen(string)); +} + /* * Process the characters one by one, call with c==NULL for proto1 case. */ 
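Review bot: `SUPPRESS_SYSLOG` is defined and folded into `suppress_flags` from `using_stderr`, but no entry in `esc_txt` sets it, so the `V` and `v` rows are still listed when logging goes to syslog even though the corresponding handler refuses them with "[Logging to syslog]"; that contradicts the commit's stated goal of showing only commands that work in the current session. Change the two rows to `{"V", "decrease verbosity (LogLevel)", SUPPRESS_MUXCLIENT|SUPPRESS_SYSLOG},` and `{"v", "increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT|SUPPRESS_SYSLOG},`. The table is never written to, so declaring it `static const struct escape_help_text esc_txt[]` would also be appropriate.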
@@ -1177,46 +1235,9 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, continue; case '?': - if (c && c->ctl_chan != -1) { - snprintf(string, sizeof string, -"%c?\r\n\ -Supported escape sequences:\r\n\ - %c. - terminate session\r\n\ - %cB - send a BREAK to the remote system\r\n\ - %cR - Request rekey (SSH protocol 2 only)\r\n\ - %c# - list forwarded connections\r\n\ - %c? - this message\r\n\ - %c%c - send the escape character by typing it twice\r\n\ -(Note that escapes are only recognized immediately after newline.)\r\n", - escape_char, escape_char, - escape_char, escape_char, - escape_char, escape_char, - escape_char, escape_char); - } else { - snprintf(string, sizeof string, -"%c?\r\n\ -Supported escape sequences:\r\n\ - %c. - terminate connection (and any multiplexed sessions)\r\n\ - %cB - send a BREAK to the remote system\r\n\ - %cC - open a command line\r\n\ - %cR - Request rekey (SSH protocol 2 only)\r\n\ - %cV - Decrease verbosity (LogLevel)\r\n\ - %cv - Increase verbosity (LogLevel)\r\n\ - %c^Z - suspend ssh\r\n\ - %c# - list forwarded connections\r\n\ - %c& - background ssh (when waiting for connections to terminate)\r\n\ - %c? - this message\r\n\ - %c%c - send the escape character by typing it twice\r\n\ -(Note that escapes are only recognized immediately after newline.)\r\n", - escape_char, escape_char, - escape_char, escape_char, - escape_char, escape_char, - escape_char, escape_char, - escape_char, escape_char, - escape_char, escape_char, - escape_char); - } - buffer_append(berr, string, strlen(string)); + print_escape_help(berr, escape_char, compat20, + (c && c->ctl_chan != -1), + log_is_on_stderr()); continue; case '#': -- cgit v1.2.1 From e3f136034bf678b69eb0f39e0e3adfcaa5a8ce2e Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 7 Sep 2012 01:21:03 +0000 Subject: - jmc@cvs.openbsd.org 2012/09/06 13:57:42 [ssh.1] missing letter in previous; --- ChangeLog | 3 +++ ssh.1 | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index dead4971..9fb565c6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ [clientloop.c] Make the escape command help (~?) context sensitive so that only commands that will work in the current session are shown. ok markus@ + - jmc@cvs.openbsd.org 2012/09/06 13:57:42 + [ssh.1] + missing letter in previous; 20120906 - (dtucker) OpenBSD CVS Sync diff --git a/ssh.1 b/ssh.1 index 65342ff8..b218e11d 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.327 2012/09/06 04:37:39 dtucker Exp $ +.\" $OpenBSD: ssh.1,v 1.328 2012/09/06 13:57:42 jmc Exp $ .Dd $Mdocdate: September 6 2012 $ .Dt SSH 1 .Os @@ -931,7 +931,7 @@ Decrease the verbosity .Pq Ic LogLevel when errors are being written to stderr. .It Cm ~v -Increase the verbosit +Increase the verbosity .Pq Ic LogLevel when errors are being written to stderr. .El -- cgit v1.2.1 From f9132b1c70f31d6f9bd951ec946021d11e67d23d Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 7 Sep 2012 01:21:42 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/07 00:30:19 [clientloop.c] Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@ --- ChangeLog | 3 +++ clientloop.c | 11 ++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9fb565c6..b3ec3e2a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ - jmc@cvs.openbsd.org 2012/09/06 13:57:42 [ssh.1] missing letter in previous; + - dtucker@cvs.openbsd.org 2012/09/07 00:30:19 + [clientloop.c] + Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@ 20120906 - (dtucker) OpenBSD CVS Sync diff --git a/clientloop.c b/clientloop.c index 07d2c892..20fa4b9f 100644 --- a/clientloop.c +++ b/clientloop.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.244 2012/09/06 09:50:13 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.245 2012/09/07 00:30:19 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1114,11 +1114,16 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, case 'Z' - 64: /* XXX support this for mux clients */ if (c && c->ctl_chan != -1) { + char b[16]; noescape: + if (ch == 'Z' - 64) + snprintf(b, sizeof b, "^Z"); + else + snprintf(b, sizeof b, "%c", ch); snprintf(string, sizeof string, - "%c%c escape not available to " + "%c%s escape not available to " "multiplexed sessions\r\n", - escape_char, ch); + escape_char, b); buffer_append(berr, string, strlen(string)); continue; -- cgit v1.2.1 From 92d1cc440dbe5d130bdf2b4ca9760958c3ac4313 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 7 Sep 2012 01:22:24 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/07 01:10:21 [clientloop.c] Merge escape help text for ~v and ~V; ok djm@ --- ChangeLog | 3 +++ clientloop.c | 9 ++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index b3ec3e2a..289dc001 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ - dtucker@cvs.openbsd.org 2012/09/07 00:30:19 [clientloop.c] Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@ + - dtucker@cvs.openbsd.org 2012/09/07 01:10:21 + [clientloop.c] + Merge escape help text for ~v and ~V; ok djm@ 20120906 - (dtucker) OpenBSD CVS Sync diff --git a/clientloop.c b/clientloop.c index 20fa4b9f..3de54281 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.245 2012/09/07 00:30:19 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.246 2012/09/07 01:10:21 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
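Review bot: The existing `goto noescape` from the other `case` labels now jumps into the `if` block past the new `char b[16];` declaration; that is legal C because `b` has no initializer and is not a VLA, and `snprintf` fills it before use, but jumping into a scope over a declaration is fragile and trips compilers or analysers run with C++ rules. Declaring `b` alongside `string` in process_escapes's locals avoids the question entirely, and `'Z' - 64` would read better as a named control-character constant. process_escapes starts and ends outside the hunk.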
@@ -1014,8 +1014,7 @@ static struct escape_help_text esc_txt[] = { {"B", "send a BREAK to the remote system", SUPPRESS_PROTO1}, {"C", "open a command line", SUPPRESS_MUXCLIENT}, {"R", "request rekey", SUPPRESS_PROTO1}, - {"V", "decrease verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, - {"v", "increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, + {"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT}, {"#", "list forwarded connections", SUPPRESS_NEVER}, {"&", "background ssh (when waiting for connections to terminate)", @@ -1042,13 +1041,13 @@ print_escape_help(Buffer *b, int escape_char, int protocol2, int mux_client, for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) { if (esc_txt[i].flags & suppress_flags) continue; - snprintf(string, sizeof string, " %c%-2s - %s\r\n", + snprintf(string, sizeof string, " %c%-3s - %s\r\n", escape_char, esc_txt[i].cmd, esc_txt[i].text); buffer_append(b, string, strlen(string)); } snprintf(string, sizeof string, - " %c%c - send the escape character by typing it twice\r\n" + " %c%c - send the escape character by typing it twice\r\n" "(Note that escapes are only recognized immediately after " "newline.)\r\n", escape_char, escape_char); buffer_append(b, string, strlen(string)); -- cgit v1.2.1 From c111b1e2c118c25e73f91f4ed34a3f4bd80bd3c1 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 7 Sep 2012 06:38:53 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/07 06:34:21 [clientloop.c] when muxmaster is run with -N, make it shut down gracefully when a client sends it "-O stop" rather than hanging around (bz#1985). ok djm@ --- ChangeLog | 4 ++++ clientloop.c | 8 ++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 289dc001..1655f764 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -13,6 +13,10 @@ - dtucker@cvs.openbsd.org 2012/09/07 01:10:21 [clientloop.c] Merge escape help text for ~v and ~V; ok djm@ + - dtucker@cvs.openbsd.org 2012/09/07 06:34:21 + [clientloop.c] + when muxmaster is run with -N, make it shut down gracefully when a client + sends it "-O stop" rather than hanging around (bz#1985). ok djm@ 20120906 - (dtucker) OpenBSD CVS Sync diff --git a/clientloop.c b/clientloop.c index 3de54281..56450814 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.246 2012/09/07 01:10:21 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.247 2012/09/07 06:34:21 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2244,10 +2244,10 @@ client_stop_mux(void) if (options.control_path != NULL && muxserver_sock != -1) unlink(options.control_path); /* - * If we are in persist mode, signal that we should close when all - * active channels are closed. + * If we are in persist mode, or don't have a shell, signal that we + * should close when all active channels are closed. */ - if (options.control_persist) { + if (options.control_persist || no_shell_flag) { session_closed = 1; setproctitle("[stopped mux]"); } -- cgit v1.2.1 From 803330e669ab14edff213d1a2b0f6c748cf6eb4d Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 7 Sep 2012 08:08:23 +0000 Subject: Fix author's name for RFC6594 SSHFP change --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1655f764..ab48e38f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -224,7 +224,7 @@ [dns.c dns.h key.c key.h ssh-keygen.c] add support for RFC6594 SSHFP DNS records for ECDSA key types. patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ - (Original authors OndÅ™ej SurÃ, OndÅ™ej Caletka and Daniel Black) + (Original authors OndÅ™ej Surý, OndÅ™ej Caletka and Daniel Black) - djm@cvs.openbsd.org 2012/06/01 00:49:35 [PROTOCOL.mux] correct types of port numbers (integers, not strings); bz#2004 from -- cgit v1.2.1 From 7c903359e00dad58354709ffb3ecf25146aae3da Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 17 Sep 2012 03:25:06 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/13 23:37:36 [servconf.c] Fix comment line length --- ChangeLog | 6 ++++++ servconf.c | 7 ++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index ab48e38f..83ec4298 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20120917 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/09/13 23:37:36 + [servconf.c] + Fix comment line length + 20120907 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2012/09/06 09:50:13 diff --git a/servconf.c b/servconf.c index ee2e531a..f4b7dd58 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.230 2012/09/13 23:37:36 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -618,8 +618,9 @@ out: } /* - * All of the attributes on a single Match line are ANDed together, so we need to check every - * attribute and set the result to zero if any attribute does not match. + * All of the attributes on a single Match line are ANDed together, so we need + * to check every * attribute and set the result to zero if any attribute does + * not match. */ static int match_cfg_line(char **condition, int line, struct connection_info *ci) -- cgit v1.2.1 From d6a8eed1b1578396cdff185ba641706f8fff8d81 Mon Sep 17 00:00:00 2001 
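Review bot: The rewrapped comment above match_cfg_line picks up a stray asterisk in the middle of its second line, `to check every * attribute`, which reads as though a line-leading `*` was left behind when the text was reflowed. Since the commit only changes line length, this is the one thing to fix before it lands; suggested line: ` * to check every attribute and set the result to zero if any attribute does`.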
From: dtucker Date: Mon, 17 Sep 2012 03:25:44 +0000 Subject: - markus@cvs.openbsd.org 2012/09/14 16:51:34 [sshconnect.c] remove unused variable --- ChangeLog | 3 +++ sshconnect.c | 4 +--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 83ec4298..cd9edf8c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - dtucker@cvs.openbsd.org 2012/09/13 23:37:36 [servconf.c] Fix comment line length + - markus@cvs.openbsd.org 2012/09/14 16:51:34 + [sshconnect.c] + remove unused variable 20120907 - (dtucker) OpenBSD CVS Sync diff --git a/sshconnect.c b/sshconnect.c index 3d44b2e4..07800a65 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.235 2012/08/17 01:30:00 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.236 2012/09/14 16:51:34 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -432,8 +432,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, static void send_client_banner(int connection_out, int minor1) { - char buf[256]; - /* Send our own protocol version identification. */ if (compat20) { xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", -- cgit v1.2.1 From 8f09e9c408bdaf9aadcb8c3f725ff9ece2bdb095 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 00:41:25 +0000 Subject: - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2012/09/17 09:54:44 [sftp.c] an XXX for later --- ChangeLog | 6 ++++++ sftp.c | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index cd9edf8c..31aec897 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20121005 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2012/09/17 09:54:44 + [sftp.c] + an XXX for later + 20120917 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2012/09/13 23:37:36 diff --git a/sftp.c b/sftp.c index 235c6ad0..217b63a2 100644 --- a/sftp.c +++ b/sftp.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.136 2012/06/22 14:36:33 dtucker Exp $ */ +/* $OpenBSD: sftp.c,v 1.137 2012/09/17 09:54:44 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1917,6 +1917,7 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) return (-1); } } else { + /* XXX this is wrong wrt quoting */ if (file2 == NULL) snprintf(cmd, sizeof cmd, "get %s", dir); else -- cgit v1.2.1 From 2f7a782cebfebf25c988526a6863a4ae16e8b535 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 00:42:53 +0000 Subject: - markus@cvs.openbsd.org 2012/09/17 13:04:11 [packet.c] clear old keys on rekeing; ok djm --- ChangeLog | 3 +++ packet.c | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 31aec897..11e7a92b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - djm@cvs.openbsd.org 2012/09/17 09:54:44 [sftp.c] an XXX for later + - markus@cvs.openbsd.org 2012/09/17 13:04:11 + [packet.c] + clear old keys on rekeing; ok djm 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/packet.c b/packet.c index d0c66fe5..b75c081f 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.176 2012/01/25 19:40:09 markus Exp $ */ +/* $OpenBSD: packet.c,v 1.177 2012/09/17 13:04:11 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -757,6 +757,9 @@ set_newkeys(int mode) mac = &active_state->newkeys[mode]->mac; comp = &active_state->newkeys[mode]->comp; mac_clear(mac); + memset(enc->iv, 0, enc->block_size); + memset(enc->key, 0, enc->key_len); + memset(mac->key, 0, mac->key_len); xfree(enc->name); xfree(enc->iv); xfree(enc->key); -- cgit v1.2.1 From e5e89df5df5cc909cb31ead8c84d93bf10f3e899 Mon Sep 17 00:00:00 2001 
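Review bot: Each of the three added memset() calls in set_newkeys is immediately followed by an xfree() of the same buffer, and a compiler performing dead-store elimination may drop a store whose target is freed right after, so the old key material can survive in the heap despite this change. A zeroing routine the optimizer cannot remove (a loop through a volatile-qualified pointer, or memset_s/explicit_bzero on platforms that provide one) would make the clearing reliable, and the portable compat layer is the natural place to add it. The IV is cleared with enc->block_size while the key uses enc->key_len; presumably block_size is also the size enc->iv was allocated with, but that is worth confirming against the allocation site since it is not visible here. set_newkeys continues outside the hunk on both sides.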
From: dtucker Date: Fri, 5 Oct 2012 00:43:58 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/18 10:36:12 [sftp.c] Add bounds check on sftp tab-completion. Part of a patch from from Jean-Marc Robert via tech@, ok djm --- ChangeLog | 4 ++++ sftp.c | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 11e7a92b..6341bd56 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ - markus@cvs.openbsd.org 2012/09/17 13:04:11 [packet.c] clear old keys on rekeing; ok djm + - dtucker@cvs.openbsd.org 2012/09/18 10:36:12 + [sftp.c] + Add bounds check on sftp tab-completion. Part of a patch from from + Jean-Marc Robert via tech@, ok djm 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/sftp.c b/sftp.c index 217b63a2..3c7bc64e 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.137 2012/09/17 09:54:44 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.138 2012/09/18 10:36:12 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -991,6 +991,10 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, state = MA_START; i = j = 0; for (;;) { + if (argc >= sizeof(argv) / sizeof(*argv)){ + error("Too many arguments."); + return NULL; + } if (isspace(arg[i])) { if (state == MA_UNQUOTED) { /* Terminate current argument */ -- cgit v1.2.1 From 076687b658aefae69de914d8cc4bc07998496ac7 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 00:45:01 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/21 10:53:07 [sftp.c] Fix improper handling of absolute paths when PWD is part of the completed path. Patch from Jean-Marc Robert via tech@, ok djm. --- ChangeLog | 4 ++++ sftp.c | 9 ++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6341bd56..9d3a7f58 100644 --- a/ChangeLog +++ b/ChangeLog 
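Review bot: The new guard in makeargv is written `... / sizeof(*argv)){` with no space before the brace, which departs from the KNF spacing of the surrounding lines (`if (isspace(arg[i])) {`); the same `){` appears in the escape-counting loop added to complete_match in the next sftp.c commit on this page. If argc is declared as int (its declaration is outside the hunk), the comparison against a size_t expression is also signed/unsigned and will warn under -Wsign-compare, though it is safe since argc only counts upward from zero. Suggested line: `if (argc >= sizeof(argv) / sizeof(*argv)) {`. makeargv begins and ends outside the hunk.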
@@ -10,6 +10,10 @@ [sftp.c] Add bounds check on sftp tab-completion. Part of a patch from from Jean-Marc Robert via tech@, ok djm + - dtucker@cvs.openbsd.org 2012/09/21 10:53:07 + [sftp.c] + Fix improper handling of absolute paths when PWD is part of the completed + path. Patch from Jean-Marc Robert via tech@, ok djm. 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/sftp.c b/sftp.c index 3c7bc64e..9ab4e9f1 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.138 2012/09/18 10:36:12 dtucker Exp $ */ +/* $OpenBSD: sftp.c,v 1.139 2012/09/21 10:53:07 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1699,7 +1699,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, { glob_t g; char *tmp, *tmp2, ins[3]; - u_int i, hadglob, pwdlen, len, tmplen, filelen; + u_int i, hadglob, pwdlen, len, tmplen, filelen, isabs; const LineInfo *lf; /* Glob from "file" location */ @@ -1708,6 +1708,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, else xasprintf(&tmp, "%s*", file); + /* Check if the path is absolute. */ + isabs = tmp[0] == '/'; + memset(&g, 0, sizeof(g)); if (remote != LOCAL) { tmp = make_absolute(tmp, remote_path); @@ -1742,7 +1745,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, goto out; tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc); - tmp = path_strip(tmp2, remote_path); + tmp = path_strip(tmp2, isabs ? NULL : remote_path); xfree(tmp2); if (tmp == NULL) -- cgit v1.2.1 From 94345e66ab4efe9025abb20e95b851ba376d90af Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 00:46:16 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/21 10:55:04 [sftp.c] Fix handling of filenames containing escaped globbing characters and escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm. --- ChangeLog | 4 ++++ sftp.c | 20 ++++++++++++++++---- 2 files changed, 20 insertions(+), 4 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 9d3a7f58..6f5072f1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,10 @@ [sftp.c] Fix improper handling of absolute paths when PWD is part of the completed path. Patch from Jean-Marc Robert via tech@, ok djm. + - dtucker@cvs.openbsd.org 2012/09/21 10:55:04 + [sftp.c] + Fix handling of filenames containing escaped globbing characters and + escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm. 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/sftp.c b/sftp.c index 9ab4e9f1..7b91e001 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.139 2012/09/21 10:53:07 dtucker Exp $ */ +/* $OpenBSD: sftp.c,v 1.140 2012/09/21 10:55:04 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1699,7 +1699,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, { glob_t g; char *tmp, *tmp2, ins[3]; - u_int i, hadglob, pwdlen, len, tmplen, filelen, isabs; + u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; const LineInfo *lf; /* Glob from "file" location */ @@ -1754,8 +1754,18 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, tmplen = strlen(tmp); filelen = strlen(file); - if (tmplen > filelen) { - tmp2 = tmp + filelen; + /* Count the number of escaped characters in the input string. */ + cesc = isesc = 0; + for (i = 0; i < filelen; i++) { + if (!isesc && file[i] == '\\' && i + 1 < filelen){ + isesc = 1; + cesc++; + } else + isesc = 0; + } + + if (tmplen > (filelen - cesc)) { + tmp2 = tmp + filelen - cesc; len = strlen(tmp2); /* quote argument on way out */ for (i = 0; i < len; i++) { @@ -1769,6 +1779,8 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, case '\t': case '[': case ' ': + case '#': + case '*': if (quote == '\0' || tmp2[i] == quote) { if (el_insertstr(el, ins) == -1) fatal("el_insertstr " -- cgit v1.2.1 From 385ef7e213988bba433a927f49e90bf2e6cd7ac3 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 5 Oct 2012 00:50:15 +0000 Subject: - jmc@cvs.openbsd.org 2012/09/26 16:12:13 [ssh.1] last stage of rfc changes, using consistent Rs/Re blocks, and moving the references into a STANDARDS section; --- ChangeLog | 4 +++ ssh.1 | 101 +++++++++++++++++++++++++++++++++++++++++++------------------- 2 files changed, 75 insertions(+), 30 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6f5072f1..c22e569c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,10 @@ [sftp.c] Fix handling of filenames containing escaped globbing characters and escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm. + - jmc@cvs.openbsd.org 2012/09/26 16:12:13 + [ssh.1] + last stage of rfc changes, using consistent Rs/Re blocks, and moving the + references into a STANDARDS section; 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/ssh.1 b/ssh.1 index b218e11d..e9bf3eac 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.328 2012/09/06 13:57:42 jmc Exp $ -.Dd $Mdocdate: September 6 2012 $ +.\" $OpenBSD: ssh.1,v 1.329 2012/09/26 16:12:13 jmc Exp $ +.Dd $Mdocdate: September 26 2012 $ .Dt SSH 1 .Os .Sh NAME 
@@ -1434,77 +1434,118 @@ if an error occurred. .Xr ssh_config 5 , .Xr ssh-keysign 8 , .Xr sshd 8 +.Sh STANDARDS .Rs +.%A S. Lehtinen +.%A C. Lonvick +.%D January 2006 .%R RFC 4250 -.%T "The Secure Shell (SSH) Protocol Assigned Numbers" -.%D 2006 +.%T The Secure Shell (SSH) Protocol Assigned Numbers .Re +.Pp .Rs +.%A T. Ylonen +.%A C. Lonvick +.%D January 2006 .%R RFC 4251 -.%T "The Secure Shell (SSH) Protocol Architecture" -.%D 2006 +.%T The Secure Shell (SSH) Protocol Architecture .Re +.Pp .Rs +.%A T. Ylonen +.%A C. Lonvick +.%D January 2006 .%R RFC 4252 -.%T "The Secure Shell (SSH) Authentication Protocol" -.%D 2006 +.%T The Secure Shell (SSH) Authentication Protocol .Re +.Pp .Rs +.%A T. Ylonen +.%A C. Lonvick +.%D January 2006 .%R RFC 4253 -.%T "The Secure Shell (SSH) Transport Layer Protocol" -.%D 2006 +.%T The Secure Shell (SSH) Transport Layer Protocol .Re +.Pp .Rs +.%A T. Ylonen +.%A C. Lonvick +.%D January 2006 .%R RFC 4254 -.%T "The Secure Shell (SSH) Connection Protocol" -.%D 2006 +.%T The Secure Shell (SSH) Connection Protocol .Re +.Pp .Rs +.%A J. Schlyter +.%A W. Griffin +.%D January 2006 .%R RFC 4255 -.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" -.%D 2006 +.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints .Re +.Pp .Rs +.%A F. Cusack +.%A M. Forssen +.%D January 2006 .%R RFC 4256 -.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)" -.%D 2006 +.%T Generic Message Exchange Authentication for the Secure Shell Protocol (SSH) .Re +.Pp .Rs +.%A J. Galbraith +.%A P. Remaker +.%D January 2006 .%R RFC 4335 -.%T "The Secure Shell (SSH) Session Channel Break Extension" -.%D 2006 +.%T The Secure Shell (SSH) Session Channel Break Extension .Re +.Pp .Rs +.%A M. Bellare +.%A T. Kohno +.%A C. Namprempre +.%D January 2006 .%R RFC 4344 -.%T "The Secure Shell (SSH) Transport Layer Encryption Modes" -.%D 2006 +.%T The Secure Shell (SSH) Transport Layer Encryption Modes .Re +.Pp .Rs +.%A B. 
Harris +.%D January 2006 .%R RFC 4345 -.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol" -.%D 2006 +.%T Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol .Re +.Pp .Rs +.%A M. Friedl +.%A N. Provos +.%A W. Simpson +.%D March 2006 .%R RFC 4419 -.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" -.%D 2006 +.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol .Re +.Pp .Rs +.%A J. Galbraith +.%A R. Thayer +.%D November 2006 .%R RFC 4716 -.%T "The Secure Shell (SSH) Public Key File Format" -.%D 2006 +.%T The Secure Shell (SSH) Public Key File Format .Re +.Pp .Rs +.%A D. Stebila +.%A J. Green +.%D December 2009 .%R RFC 5656 -.%T "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer" -.%D 2009 +.%T Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer .Re +.Pp .Rs -.%T "Hash Visualization: a New Technique to improve Real-World Security" .%A A. Perrig .%A D. Song .%D 1999 -.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)" +.%O International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) +.%T Hash Visualization: a New Technique to improve Real-World Security .Re .Sh AUTHORS OpenSSH is a derivative of the original and free -- cgit v1.2.1 From 8c6f196b16c212584e9aa0a9538b73da9216aad4 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 00:51:59 +0000 Subject: - naddy@cvs.openbsd.org 2012/10/01 13:59:51 [monitor_wrap.c] pasto; ok djm@ --- ChangeLog | 3 +++ monitor_wrap.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c22e569c..544f8d2b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -22,6 +22,9 @@ [ssh.1] last stage of rfc changes, using consistent Rs/Re blocks, and moving the references into a STANDARDS section; + - naddy@cvs.openbsd.org 2012/10/01 13:59:51 + [monitor_wrap.c] + pasto; ok djm@ 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/monitor_wrap.c b/monitor_wrap.c index 1f60658e..c22d0a2a 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.73 2011/06/17 21:44:31 djm Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.74 2012/10/01 13:59:51 naddy Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -621,7 +621,7 @@ mm_send_keystate(struct monitor *monitor) ivlen = packet_get_keyiv_len(MODE_OUT); packet_get_keyiv(MODE_OUT, iv, ivlen); buffer_put_string(&m, iv, ivlen); - ivlen = packet_get_keyiv_len(MODE_OUT); + ivlen = packet_get_keyiv_len(MODE_IN); packet_get_keyiv(MODE_IN, iv, ivlen); buffer_put_string(&m, iv, ivlen); goto skip; -- cgit v1.2.1 From d108efd707127411634cf77909db7b03b12efe37 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 00:52:51 +0000 Subject: - djm@cvs.openbsd.org 2012/10/02 07:07:45 [ssh-keygen.c] fix -z option, broken in revision 1.215 --- ChangeLog | 3 +++ ssh-keygen.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 544f8d2b..e4899f36 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,9 @@ - naddy@cvs.openbsd.org 2012/10/01 13:59:51 [monitor_wrap.c] pasto; ok djm@ + - djm@cvs.openbsd.org 2012/10/02 07:07:45 + [ssh-keygen.c] + fix -z option, broken in revision 1.215 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/ssh-keygen.c b/ssh-keygen.c index 5060276d..11d1dd02 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.217 2012/08/17 01:25:58 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.218 2012/10/02 07:07:45 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
@@ -1975,7 +1975,7 @@ main(int argc, char **argv) } while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:J:j:K:P:" - "m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z")) != -1) { + "m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; -- cgit v1.2.1 From f4a3e9e60f8ab3996eb8636e8994f500ab0adcf3 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 01:02:39 +0000 Subject: - markus@cvs.openbsd.org 2012/10/04 13:21:50 [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] add umac128 variant; ok djm@ at n2k12 (note: further Makefile work is required) --- ChangeLog | 3 +++ mac.c | 15 ++++++++++++++- myproposal.h | 3 ++- ssh.1 | 6 +++--- ssh_config.5 | 6 +++--- sshd.8 | 6 +++--- sshd_config.5 | 6 +++--- umac.h | 8 +++++++- 8 files changed, 38 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index e4899f36..cb28e777 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,9 @@ - djm@cvs.openbsd.org 2012/10/02 07:07:45 [ssh-keygen.c] fix -z option, broken in revision 1.215 + - markus@cvs.openbsd.org 2012/10/04 13:21:50 + [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] + add umac128 variant; ok djm@ at n2k12 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/mac.c b/mac.c index 9b450e4e..47db127f 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.18 2012/06/28 05:07:45 dtucker Exp $ */ +/* $OpenBSD: mac.c,v 1.19 2012/10/04 13:21:50 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -48,6 +48,7 @@ #define SSH_EVP 1 /* OpenSSL EVP-based MAC */ #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ +#define SSH_UMAC128 3 struct { char *name; 
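Review bot: The new `#define SSH_UMAC128 3` is the only MAC type constant in this block without a trailing comment; its two siblings each say what the value selects. Suggested line: `#define SSH_UMAC128 3 /* UMAC-128 (not integrated with OpenSSL) */`.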
@@ -68,6 +69,7 @@ struct { { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 }, + { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128 }, { NULL, 0, NULL, 0, -1, -1 } }; @@ -122,6 +124,9 @@ mac_init(Mac *mac) case SSH_UMAC: mac->umac_ctx = umac_new(mac->key); return 0; + case SSH_UMAC128: + mac->umac_ctx = umac128_new(mac->key); + return 0; default: return -1; } @@ -151,6 +156,11 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) umac_update(mac->umac_ctx, data, datalen); umac_final(mac->umac_ctx, m, nonce); break; + case SSH_UMAC128: + put_u64(nonce, seqno); + umac128_update(mac->umac_ctx, data, datalen); + umac128_final(mac->umac_ctx, m, nonce); + break; default: fatal("mac_compute: unknown MAC type"); } @@ -163,6 +173,9 @@ mac_clear(Mac *mac) if (mac->type == SSH_UMAC) { if (mac->umac_ctx != NULL) umac_delete(mac->umac_ctx); + } else if (mac->type == SSH_UMAC128) { + if (mac->umac_ctx != NULL) + umac128_delete(mac->umac_ctx); } else if (mac->evp_md != NULL) HMAC_cleanup(&mac->evp_ctx); mac->evp_md = NULL; diff --git a/myproposal.h b/myproposal.h index b9b819c0..996c4076 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.29 2012/06/28 05:07:45 dtucker Exp $ */ +/* $OpenBSD: myproposal.h,v 1.30 2012/10/04 13:21:50 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -86,6 +86,7 @@ "hmac-md5," \ "hmac-sha1," \ "umac-64@openssh.com," \ ++ "umac-128@openssh.com," \ SHA2_HMAC_MODES \ "hmac-ripemd160," \ "hmac-ripemd160@openssh.com," \ diff --git a/ssh.1 b/ssh.1 index e9bf3eac..a5576edb 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.329 2012/09/26 16:12:13 jmc Exp $ -.Dd $Mdocdate: September 26 2012 $ +.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $ +.Dd $Mdocdate: October 4 2012 $ .Dt SSH 1 .Os .Sh NAME @@ -674,7 +674,7 @@ it provides additional mechanisms for confidentiality (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, -umac-64, hmac-ripemd160). +umac-64, umac-128, hmac-ripemd160). Protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. .Pp diff --git a/ssh_config.5 b/ssh_config.5 index 36b1af19..d3e801df 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.157 2012/06/29 13:57:25 naddy Exp $ -.Dd $Mdocdate: June 29 2012 $ +.\" $OpenBSD: ssh_config.5,v 1.158 2012/10/04 13:21:50 markus Exp $ +.Dd $Mdocdate: October 4 2012 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -792,7 +792,7 @@ for data integrity protection. Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent -hmac-md5,hmac-sha1,umac-64@openssh.com, +hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 .Ed diff --git a/sshd.8 b/sshd.8 index a1a74d86..13239783 100644 --- a/sshd.8 +++ b/sshd.8 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.266 2012/06/18 12:07:07 dtucker Exp $ -.Dd $Mdocdate: June 18 2012 $ +.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $ +.Dd $Mdocdate: October 4 2012 $ .Dt SSHD 8 .Os .Sh NAME @@ -316,7 +316,7 @@ The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code -(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160, +(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512). .Pp Finally, the server and the client enter an authentication dialog. diff --git a/sshd_config.5 b/sshd_config.5 index 314ecfb0..987558ae 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $ -.Dd $Mdocdate: June 29 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.145 2012/10/04 13:21:50 markus Exp $ +.Dd $Mdocdate: October 4 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -656,7 +656,7 @@ for data integrity protection. Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent -hmac-md5,hmac-sha1,umac-64@openssh.com, +hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 .Ed diff --git a/umac.h b/umac.h index 055c705f..6795112a 100644 --- a/umac.h +++ b/umac.h @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.h,v 1.1 2007/06/07 19:37:34 pvalchev Exp $ */ +/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */ /* ----------------------------------------------------------------------- * * umac.h -- C Implementation UMAC Message Authentication 
@@ -116,6 +116,12 @@ int uhash(uhash_ctx_t ctx, #endif +/* matching umac-128 API, we reuse umac_ctx, since it's opaque */ +struct umac_ctx *umac128_new(u_char key[]); +int umac128_update(struct umac_ctx *ctx, u_char *input, long len); +int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); +int umac128_delete(struct umac_ctx *ctx); + #ifdef __cplusplus } #endif -- cgit v1.2.1 From 5b4f0076f82072662db37d97c6f268319a8e8a53 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 01:23:59 +0000 Subject: remove stray '+' from sync --- myproposal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/myproposal.h b/myproposal.h index 996c4076..5e2b9985 100644 --- a/myproposal.h +++ b/myproposal.h @@ -86,7 +86,7 @@ "hmac-md5," \ "hmac-sha1," \ "umac-64@openssh.com," \ -+ "umac-128@openssh.com," \ + "umac-128@openssh.com," \ SHA2_HMAC_MODES \ "hmac-ripemd160," \ "hmac-ripemd160@openssh.com," \ -- cgit v1.2.1 From 04ae24fac1bcea2047c002cf385aa0f51a1b4c7f Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 01:38:24 +0000 Subject: - [Makefile umac.c] Add special-case target to build umac128.o. --- ChangeLog | 1 + Makefile.in | 13 ++++++++++--- umac.c | 2 ++ 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index cb28e777..ef85bec3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,7 @@ - markus@cvs.openbsd.org 2012/10/04 13:21:50 [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] add umac128 variant; ok djm@ at n2k12 + - [Makefile umac.c] Add special-case target to build umac128.o. 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index 566f58fe..a0dc5dcf 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.326 2012/04/04 01:27:57 djm Exp $ +# $Id: Makefile.in,v 1.327 2012/10/05 01:38:25 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -70,8 +70,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ - msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ - schnorr.o ssh-pkcs11.o + msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ + jpake.o schnorr.o ssh-pkcs11.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ @@ -195,6 +195,13 @@ $(CONFIGFILES): $(CONFIGFILES_IN) moduli: echo +# special case target for umac128 +umac128.o: umac.c + $(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $< \ + -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \ + -Dumac_update=umac128_update -Dumac_final=umac128_final \ + -Dumac_delete=umac128_delete + clean: regressclean rm -f *.o *.a $(TARGETS) logintest config.cache config.log rm -f *.out core survey diff --git a/umac.c b/umac.c index e78d2cc5..e373de5b 100644 --- a/umac.c +++ b/umac.c @@ -52,7 +52,9 @@ /* --- User Switches ---------------------------------------------------- */ /* ---------------------------------------------------------------------- */ +#ifndef UMAC_OUTPUT_LEN #define UMAC_OUTPUT_LEN 8 /* Alowable: 4, 8, 12, 16 */ +#endif /* #define FORCE_C_ONLY 1 ANSI C and 64-bit integers req'd */ /* #define AES_IMPLEMENTAION 1 1 = OpenSSL, 2 = Barreto, 3 = Gladman */ /* #define SSE2 0 Is SSE2 is available? */ -- cgit v1.2.1 From 887e330251ed8e8d3a8fc3cc91acb036190d7a3d Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 01:41:52 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/06 04:11:07 [regress/try-ciphers.sh] Restore missing space. (Id sync only). --- ChangeLog | 3 +++ regress/try-ciphers.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ef85bec3..44c73652 100644 --- a/ChangeLog +++ b/ChangeLog 
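Review bot: The special-case umac128.o rule uses `$<` in an explicit target rule, but POSIX defines `$<` only inside inference rules, so some of the vendor makes this portable tree supports may expand it to nothing and the compile will fail for want of an input file. Naming the source explicitly avoids that, e.g. `$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \` assuming this Makefile.in defines srcdir as autoconf templates do. The -D renames cover the four functions declared in umac.h; if umac.c exports any other non-static symbol, umac.o and umac128.o would both define it and the libssh link would fail, which is worth checking once.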
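Review bot: Wrapping the default in `#ifndef UMAC_OUTPUT_LEN` lets the build override the tag length, but nothing enforces the "Alowable: 4, 8, 12, 16" constraint the comment states, so a mistyped -D value would silently build a MAC with an unsupported output length. A preprocessor check placed right after the `#endif` catches that at compile time: `#if UMAC_OUTPUT_LEN != 4 && UMAC_OUTPUT_LEN != 8 && UMAC_OUTPUT_LEN != 12 && UMAC_OUTPUT_LEN != 16` / `#error "UMAC_OUTPUT_LEN must be 4, 8, 12 or 16"` / `#endif`. The context line's "Alowable" is also misspelled, though this hunk does not touch it.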
@@ -31,6 +31,9 @@ - markus@cvs.openbsd.org 2012/10/04 13:21:50 [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] add umac128 variant; ok djm@ at n2k12 + - dtucker@cvs.openbsd.org 2012/09/06 04:11:07 + [regress/try-ciphers.sh] + Restore missing space. (Id sync only). - [Makefile umac.c] Add special-case target to build umac128.o. 20120917 diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 92586350..0887979d 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.13 2012/06/28 05:07:45 dtucker Exp $ +# $OpenBSD: try-ciphers.sh,v 1.14 2012/09/06 04:11:07 dtucker Exp $ # Placed in the Public Domain. tid="try ciphers" -- cgit v1.2.1 From 5867273cd978e36da2b4953adc7cf2635f17a25b Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 01:43:57 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/09 11:51:25 [multiplex.sh] Add test for ssh -Ostop --- ChangeLog | 3 +++ regress/multiplex.sh | 14 ++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 44c73652..5d3f058f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,9 @@ - dtucker@cvs.openbsd.org 2012/09/06 04:11:07 [regress/try-ciphers.sh] Restore missing space. (Id sync only). + - dtucker@cvs.openbsd.org 2012/09/09 11:51:25 + [regress/multiplex.sh] + Add test for ssh -Ostop - [Makefile umac.c] Add special-case target to build umac128.o. 20120917 diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 93e15088..d8c75107 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.13 2012/06/01 00:47:36 djm Exp $ +# $OpenBSD: multiplex.sh,v 1.14 2012/09/09 11:51:25 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ 
@@ -87,4 +87,14 @@ ${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost || fail "send exit command fa # Wait for master to exit sleep 2 -kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" +kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" + +# Restart master and test -O stop command with master using -N +trace "start master, fork to background" +${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & +MASTER_PID=$! +sleep 5 # Wait for master to start and authenticate +trace "test stop command" +${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost || fail "send stop command failed" +sleep 2 # Wait for master to exit +ps -p $MASTER_PID >/dev/null && fail "stop command failed" -- cgit v1.2.1 From ec4da9ad60318bcde2b574183ad86cb3e7967072 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 01:45:39 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/10 00:49:21 [regress/multiplex.sh] Log -O cmd output to the log file and make logging consistent with the other tests. Test clean shutdown of an existing channel when testing "stop". --- ChangeLog | 5 +++++ regress/multiplex.sh | 23 +++++++++++++++-------- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5d3f058f..1c4dba6d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,11 @@ - dtucker@cvs.openbsd.org 2012/09/09 11:51:25 [regress/multiplex.sh] Add test for ssh -Ostop + - dtucker@cvs.openbsd.org 2012/09/10 00:49:21 + [regress/multiplex.sh] + Log -O cmd output to the log file and make logging consistent with the + other tests. Test clean shutdown of an existing channel when testing + "stop". - [Makefile umac.c] Add special-case target to build umac128.o. 20120917 diff --git a/regress/multiplex.sh b/regress/multiplex.sh index d8c75107..9169656d 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh 
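Review bot: The new stop test checks that the master has gone with `ps -p $MASTER_PID >/dev/null`, while the exit test a few lines above uses `kill -0 $MASTER_PID >/dev/null 2>&1`; the two checks should match, and `kill -0` is the form the file already relies on and sidesteps the differing ps option sets across the platforms this regress suite runs on. Suggested line: `kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed"`.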
@@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.14 2012/09/09 11:51:25 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.15 2012/09/10 00:49:21 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ @@ -78,11 +78,13 @@ for s in 0 1 4 5 44; do fi done -trace "test check command" -${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost || fail "check command failed" +verbose "test $tid: cmd check" +${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_SSH_LOGFILE 2>&1 \ + || fail "check command failed" -trace "test exit command" -${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost || fail "send exit command failed" +verbose "test $tid: cmd exit" +${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \ + || fail "send exit command failed" # Wait for master to exit sleep 2 @@ -94,7 +96,12 @@ trace "start master, fork to background" ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & MASTER_PID=$! sleep 5 # Wait for master to start and authenticate -trace "test stop command" -${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost || fail "send stop command failed" -sleep 2 # Wait for master to exit +verbose "test $tid: cmd stop" +${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" & +SLEEP_PID=$! +${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \ + || fail "send stop command failed" +sleep 12 # Wait for master to exit +wait $SLEEP_PID +[ $! != 0 ] || fail "stop with concurrent command" ps -p $MASTER_PID >/dev/null && fail "stop command failed" -- cgit v1.2.1 From d095e121c2732d95c3b017422c606e6e1aead000 Mon Sep 17 00:00:00 2001 
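Review bot: `[ $! != 0 ] || fail "stop with concurrent command"` in the `@@ -94,7 +96,12 @@` hunk tests the wrong variable: `$!` is the PID of the most recent background job, which is never 0, so the test always passes and can never report a failed `wait $SLEEP_PID`. The status of the waited-for command is `$?`, so assuming the concurrent `sleep 10; exit 0` session is expected to finish cleanly after `-Ostop` the line should read `[ $? = 0 ] || fail "stop with concurrent command"`, placed immediately after the `wait`. The same `$!` pattern appears twice in the `@@ -87,21 +95,26 @@` hunk of the following commit (the `waiting for concurrent command` and `waiting for master stop` checks).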
From: dtucker Date: Fri, 5 Oct 2012 02:04:10 +0000 Subject: - dtucker@cvs.openbsd.org 2012/09/10 01:51:19 [regress/multiplex.sh] use -Ocheck and waiting for completions by PID to make multiplexing test less racy and (hopefully) more reliable on slow hardware. --- ChangeLog | 4 ++++ regress/multiplex.sh | 41 +++++++++++++++++++++++++++-------------- 2 files changed, 31 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1c4dba6d..3ed3a283 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,10 @@ Log -O cmd output to the log file and make logging consistent with the other tests. Test clean shutdown of an existing channel when testing "stop". + - dtucker@cvs.openbsd.org 2012/09/10 01:51:19 + [regress/multiplex.sh] + use -Ocheck and waiting for completions by PID to make multiplexing test + less racy and (hopefully) more reliable on slow hardware. - [Makefile umac.c] Add special-case target to build umac128.o. 20120917 diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 9169656d..f93ac9a4 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.15 2012/09/10 00:49:21 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.16 2012/09/10 01:51:19 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ @@ -13,14 +13,22 @@ fi DATA=/bin/ls${EXEEXT} COPY=$OBJ/ls.copy +wait_for_mux_master_ready() +{ + for i in 1 2 3 4 5; do + ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \ + >/dev/null 2>&1 && return 0 + sleep $i + done + fatal "mux master never becomes ready" +} + start_sshd trace "start master, fork to background" ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & MASTER_PID=$! - -# Wait for master to start and authenticate -sleep 5 +wait_for_mux_master_ready verbose "test $tid: envpass" trace "env passing over multiplexed connection" 
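Review bot: The new `wait_for_mux_master_ready` in the `@@ -13,14 +13,22 @@` hunk carries no comment on its retry budget: `for i in 1 2 3 4 5` with `sleep $i` backs off 1 to 5 seconds, about 15 seconds in total, before `fatal`, and the final `sleep 5` still runs after the last failed `-Ocheck`. A line such as `# Poll the mux master with -Ocheck, backing off 1..5 s (about 15 s total) before giving up` above the function would make that budget explicit for whoever tunes it for slow hardware.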
@@ -87,21 +95,26 @@ ${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \ || fail "send exit command failed" # Wait for master to exit -sleep 2 - -kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" +wait $MASTER_PID +kill -0 $MASTER_PID >/dev/null && fail "exit command failed" # Restart master and test -O stop command with master using -N -trace "start master, fork to background" +verbose "test $tid: cmd stop" +trace "restart master, fork to background" ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & MASTER_PID=$! -sleep 5 # Wait for master to start and authenticate -verbose "test $tid: cmd stop" -${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" & +wait_for_mux_master_ready + +# start a long-running command then immediately request a stop +${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \ + >>$TEST_SSH_LOGFILE 2>&1 & SLEEP_PID=$! ${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \ || fail "send stop command failed" -sleep 12 # Wait for master to exit + +# wait until both long-running command and master have exited. wait $SLEEP_PID -[ $! != 0 ] || fail "stop with concurrent command" -ps -p $MASTER_PID >/dev/null && fail "stop command failed" +[ $! != 0 ] || fail "waiting for concurrent command" +wait $MASTER_PID +[ $! != 0 ] || fail "waiting for master stop" +kill -0 $MASTER_PID >/dev/null && fail "stop command failed" -- cgit v1.2.1 From 42e59962675146dde9be5ec265239f2a9836e412 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Oct 2012 02:11:33 +0000 Subject: - [umac.c] Enforce allowed umac output sizes. From djm@. --- ChangeLog | 1 + umac.c | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 3ed3a283..eda55cf5 100644 --- a/ChangeLog +++ b/ChangeLog 
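Review bot: `kill -0 $MASTER_PID >/dev/null && fail "exit command failed"` directly after `wait $MASTER_PID` is dead code: once `wait` has reaped the child, a signal-0 `kill` on that PID can only succeed if the PID has already been reused, so the check cannot detect the failure it names. The status returned by `wait` (`$?`) is the meaningful signal, and the same applies to the `kill -0` check at the end of the hunk that follows the second `wait $MASTER_PID`.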
@@ -47,6 +47,7 @@
 use -Ocheck and waiting for completions by PID to make multiplexing test
 less racy and (hopefully) more reliable on slow hardware.
 - [Makefile umac.c] Add special-case target to build umac128.o.
+ - [umac.c] Enforce allowed umac output sizes. From djm@.
 
 20120917
 - (dtucker) OpenBSD CVS Sync
diff --git a/umac.c b/umac.c
index e373de5b..0567c37f 100644
--- a/umac.c
+++ b/umac.c
@@ -55,6 +55,12 @@
 #ifndef UMAC_OUTPUT_LEN
 #define UMAC_OUTPUT_LEN 8 /* Alowable: 4, 8, 12, 16 */
 #endif
+
+#if UMAC_OUTPUT_LEN != 4 && UMAC_OUTPUT_LEN != 8 && \
+ UMAC_OUTPUT_LEN != 12 && UMAC_OUTPUT_LEN != 16
+# error UMAC_OUTPUT_LEN must be defined to 4, 8, 12 or 16
+#endif
+
 /* #define FORCE_C_ONLY 1 ANSI C and 64-bit integers req'd */
 /* #define AES_IMPLEMENTAION 1 1 = OpenSSL, 2 = Barreto, 3 = Gladman */
 /* #define SSE2 0 Is SSE2 is available? */
-- cgit v1.2.1

From 4d0b5da34e15209fa5068a39c9fe5f51d170499a Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 5 Oct 2012 05:41:06 +0000
Subject: - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom"

---
 ChangeLog | 1 +
 Makefile.in | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index eda55cf5..79665660 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -48,6 +48,7 @@
 less racy and (hopefully) more reliable on slow hardware.
 - [Makefile umac.c] Add special-case target to build umac128.o.
 - [umac.c] Enforce allowed umac output sizes. From djm@.
+ - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom".
 
 20120917
 - (dtucker) OpenBSD CVS Sync
diff --git a/Makefile.in b/Makefile.in
index a0dc5dcf..e4f9ee19 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.327 2012/10/05 01:38:25 dtucker Exp $
+# $Id: Makefile.in,v 1.328 2012/10/05 05:41:07 dtucker Exp $
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -197,7 +197,7 @@ moduli: # special case target for umac128 umac128.o: umac.c - $(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $< \ + $(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \ -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \ -Dumac_update=umac128_update -Dumac_final=umac128_final \ -Dumac_delete=umac128_delete -- cgit v1.2.1 From 241cc39b06251100673dbdb1527f60426b095971 Mon Sep 17 00:00:00 2001 From: tim Date: Fri, 19 Oct 2012 04:38:58 +0000 Subject: - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in the generated file as intended. --- ChangeLog | 4 ++++ buildpkg.sh.in | 20 ++++++++++---------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 79665660..5df4094c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20121019 + - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in + the generated file as intended. + 20121005 - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2012/09/17 09:54:44 diff --git a/buildpkg.sh.in b/buildpkg.sh.in index 4de9d42e..4b842b3f 100644 --- a/buildpkg.sh.in +++ b/buildpkg.sh.in 
@@ -337,17 +337,17 @@ then else if [ "\${USE_SYM_LINKS}" = yes ] then - [ "$RCS_D" = yes ] && \ + [ "$RCS_D" = yes ] && \\ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s - [ "$RC1_D" = no ] || \ + [ "$RC1_D" = no ] || \\ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s else - [ "$RCS_D" = yes ] && \ + [ "$RCS_D" = yes ] && \\ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l - [ "$RC1_D" = no ] || \ + [ "$RC1_D" = no ] || \\ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l fi @@ -538,10 +538,10 @@ then PRE_INS_STOP=no POST_INS_START=no # determine if should restart the daemon -if [ -s ${piddir}/sshd.pid ] && \ +if [ -s ${piddir}/sshd.pid ] && \\ /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1 then - ans=\`ckyorn -d n \ + ans=\`ckyorn -d n \\ -p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$? case \$ans in [y,Y]*) PRE_INS_STOP=yes 
@@ -552,7 +552,7 @@ then else # determine if we should start sshd - ans=\`ckyorn -d n \ + ans=\`ckyorn -d n \\ -p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$? case \$ans in [y,Y]*) POST_INS_START=yes ;; @@ -573,7 +573,7 @@ USE_SYM_LINKS=no PRE_INS_STOP=no POST_INS_START=no # Use symbolic links? -ans=\`ckyorn -d n \ +ans=\`ckyorn -d n \\ -p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$? case \$ans in [y,Y]*) USE_SYM_LINKS=yes ;; @@ -582,7 +582,7 @@ esac # determine if should restart the daemon if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ] then - ans=\`ckyorn -d n \ + ans=\`ckyorn -d n \\ -p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$? case \$ans in [y,Y]*) PRE_INS_STOP=yes @@ -593,7 +593,7 @@ then else # determine if we should start sshd - ans=\`ckyorn -d n \ + ans=\`ckyorn -d n \\ -p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$? case \$ans in [y,Y]*) POST_INS_START=yes ;; -- cgit v1.2.1 From c6d847f670f44dcb80140bb219517e7963140ad3 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 30 Oct 2012 21:57:55 +0000 Subject: - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2012/10/05 12:34:39 [sftp.c] fix signed vs unsigned warning; feedback & ok: djm@ --- ChangeLog | 6 ++++++ sftp.c | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5df4094c..3cd16e48 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20121030 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2012/10/05 12:34:39 + [sftp.c] + fix signed vs unsigned warning; feedback & ok: djm@ + 20121019 - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in the generated file as intended. diff --git a/sftp.c b/sftp.c index 7b91e001..6516d1f1 100644 --- a/sftp.c +++ b/sftp.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.140 2012/09/21 10:55:04 dtucker Exp $ */
+/* $OpenBSD: sftp.c,v 1.141 2012/10/05 12:34:39 markus Exp $ */
 /*
 * Copyright (c) 2001-2004 Damien Miller
 *
@@ -991,7 +991,7 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
 state = MA_START;
 i = j = 0;
 for (;;) {
- if (argc >= sizeof(argv) / sizeof(*argv)){
+ if ((size_t)argc >= sizeof(argv) / sizeof(*argv)){
 error("Too many arguments.");
 return NULL;
 }
-- cgit v1.2.1

From d37062b365d2b52e68552b83f4df8c4966672126 Mon Sep 17 00:00:00 2001
From: djm
Date: Tue, 30 Oct 2012 21:58:58 +0000
Subject: - djm@cvs.openbsd.org 2012/10/30 21:29:55 [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] [sshd.c sshd_config sshd_config.5] new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option. patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@

---
 ChangeLog | 10 +++
 auth-rsa.c | 4 +-
 auth.c | 53 ++++++++++-----
 auth.h | 6 +-
 auth2-pubkey.c | 206 +++++++++++++++++++++++++++++++++++++++++++++++++++------
 servconf.c | 30 ++++++++-
 servconf.h | 4 +-
 sshd.c | 11 ++-
 sshd_config | 5 +-
 sshd_config.5 | 22 +++-
 10 files changed, 308 insertions(+), 43 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3cd16e48..27ec898b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,16 @@ - markus@cvs.openbsd.org 2012/10/05 12:34:39 [sftp.c] fix signed vs unsigned warning; feedback & ok: djm@ + - djm@cvs.openbsd.org 2012/10/30 21:29:55 + [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] + [sshd.c sshd_config sshd_config.5] + new sshd_config option AuthorizedKeysCommand to support fetching + authorized_keys from a command in addition to (or instead of) from + the filesystem. The command is run as the target server user unless + another specified via a new AuthorizedKeysCommandUser option. + + patch originally by jchadima AT redhat.com, reworked by me; feedback + and ok markus@ 20121019 - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in diff --git a/auth-rsa.c b/auth-rsa.c index 4ab46cd5..2c8a7cb3 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -276,6 +276,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) temporarily_use_uid(pw); for (i = 0; !allowed && i < options.num_authkeys_files; i++) { + if (strcasecmp(options.authorized_keys_files[i], "none") == 0) + continue; file = expand_authorized_keys( options.authorized_keys_files[i], pw); allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); diff --git a/auth.c b/auth.c index a8cffd5c..b5e1eefa 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.96 2012/05/13 01:42:32 dtucker Exp $ */ +/* $OpenBSD: auth.c,v 1.97 2012/10/30 21:29:54 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
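Review bot: The `strcasecmp(options.authorized_keys_files[i], "none") == 0` skip added to `auth_rsa_key_allowed` is a configuration rule evaluated inside a per-file lookup loop, and the identical test is added to `user_key_allowed` in auth2-pubkey.c in this same commit (`@@ -449,9 +607,17 @@`), so a one-line comment saying why the keyword is handled at lookup time rather than filtered once when the option is parsed would help the next reader, e.g. `/* "none" is a keyword, not a file name: AuthorizedKeysFile none disables file lookup */`. The case-insensitive comparison also means that a file literally named `none` (in any case) relative to the home directory can never be consulted, which is presumably intended but worth stating. The enclosing loop body continues outside the hunk.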
@@ -409,41 +409,42 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, return host_status; } - /* - * Check a given file for security. This is defined as all components + * Check a given path for security. This is defined as all components * of the path to the file must be owned by either the owner of * of the file or root and no directories must be group or world writable. * * XXX Should any specific check be done for sym links ? * - * Takes an open file descriptor, the file name, a uid and and + * Takes an the file name, its stat information (preferably from fstat() to + * avoid races), the uid of the expected owner, their home directory and an * error buffer plus max size as arguments. * * Returns 0 on success and -1 on failure */ -static int -secure_filename(FILE *f, const char *file, struct passwd *pw, - char *err, size_t errlen) +int +auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, + uid_t uid, char *err, size_t errlen) { - uid_t uid = pw->pw_uid; char buf[MAXPATHLEN], homedir[MAXPATHLEN]; char *cp; int comparehome = 0; struct stat st; - if (realpath(file, buf) == NULL) { - snprintf(err, errlen, "realpath %s failed: %s", file, + if (realpath(name, buf) == NULL) { + snprintf(err, errlen, "realpath %s failed: %s", name, strerror(errno)); return -1; } - if (realpath(pw->pw_dir, homedir) != NULL) + if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL) comparehome = 1; - /* check the open file to avoid races */ - if (fstat(fileno(f), &st) < 0 || - (st.st_uid != 0 && st.st_uid != uid) || - (st.st_mode & 022) != 0) { + if (!S_ISREG(stp->st_mode)) { + snprintf(err, errlen, "%s is not a regular file", buf); + return -1; + } + if ((stp->st_uid != 0 && stp->st_uid != uid) || + (stp->st_mode & 022) != 0) { snprintf(err, errlen, "bad ownership or modes for file %s", buf); return -1; 
@@ -479,6 +480,28 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, return 0; } +/* + * Version of secure_path() that accepts an open file descriptor to + * avoid races. + * + * Returns 0 on success and -1 on failure + */ +static int +secure_filename(FILE *f, const char *file, struct passwd *pw, + char *err, size_t errlen) +{ + char buf[MAXPATHLEN]; + struct stat st; + + /* check the open file to avoid races */ + if (fstat(fileno(f), &st) < 0) { + snprintf(err, errlen, "cannot stat file %s: %s", + buf, strerror(errno)); + return -1; + } + return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen); +} + static FILE * auth_openfile(const char *file, struct passwd *pw, int strict_modes, int log_missing, char *file_type) diff --git a/auth.h b/auth.h index 0d786c4d..06340416 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.69 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.70 2012/10/30 21:29:54 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -120,6 +120,10 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); +struct stat; +int auth_secure_path(const char *, struct stat *, const char *, uid_t, + char *, size_t); + #ifdef KRB5 int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 5bccb5d7..ec8f75d5 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.30 2011/09/25 05:44:47 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.31 2012/10/30 21:29:54 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -27,9 +27,13 @@ #include #include +#include +#include #include +#include #include +#include #include #include #include 
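Review bot: In the new `secure_filename`, the error path `snprintf(err, errlen, "cannot stat file %s: %s", buf, strerror(errno));` formats `buf`, which is declared as `char buf[MAXPATHLEN]` but never written, so the message prints uninitialised stack contents (undefined behaviour) instead of the file name; the only name the function has is its `file` parameter. Change the line to `snprintf(err, errlen, "cannot stat file %s: %s", file, strerror(errno));` and drop the unused `buf` declaration. The header comment also refers to `secure_path()` while the function it wraps is `auth_secure_path()`.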
@@ -240,7 +244,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) if (strcmp(cp, cert->principals[i]) == 0) { debug3("matched principal \"%.100s\" " "from file \"%s\" on line %lu", - cert->principals[i], file, linenum); + cert->principals[i], file, linenum); if (auth_parse_options(pw, line_opts, file, linenum) != 1) continue; @@ -253,31 +257,22 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) fclose(f); restore_uid(); return 0; -} +} -/* return 1 if user allows given key */ +/* + * Checks whether key is allowed in authorized_keys-format file, + * returns 1 if the key is allowed or 0 otherwise. + */ static int -user_key_allowed2(struct passwd *pw, Key *key, char *file) +check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) { char line[SSH_MAX_PUBKEY_BYTES]; const char *reason; int found_key = 0; - FILE *f; u_long linenum = 0; Key *found; char *fp; - /* Temporarily use the user's uid. */ - temporarily_use_uid(pw); - - debug("trying public key file %s", file); - f = auth_openkeyfile(file, pw, options.strict_modes); - - if (!f) { - restore_uid(); - return 0; - } - found_key = 0; found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); @@ -370,8 +365,6 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) break; } } - restore_uid(); - fclose(f); key_free(found); if (!found_key) debug2("key not found"); 
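Review bot: `check_authkeys_file` no longer opens or closes the stream it reads, but its new header comment only says it checks whether the key is allowed in an authorized_keys-format file; since every caller must `fclose` the stream itself, that ownership belongs in the comment, e.g. ` * The caller owns f and must close it; file is used only in log messages.` Separately, the signature `check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)` writes `Key* key` where the rest of this file attaches the star to the name (`Key *key`). The function body continues past the end of the hunk.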
@@ -433,7 +426,172 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) return ret; } -/* check whether given key is in .ssh/authorized_keys* */ +/* + * Checks whether key is allowed in file. + * returns 1 if the key is allowed or 0 otherwise. + */ +static int +user_key_allowed2(struct passwd *pw, Key *key, char *file) +{ + FILE *f; + int found_key = 0; + + /* Temporarily use the user's uid. */ + temporarily_use_uid(pw); + + debug("trying public key file %s", file); + if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) { + found_key = check_authkeys_file(f, file, key, pw); + fclose(f); + } + + restore_uid(); + return found_key; +} + +/* + * Checks whether key is allowed in output of command. + * returns 1 if the key is allowed or 0 otherwise. + */ +static int +user_key_command_allowed2(struct passwd *user_pw, Key *key) +{ + FILE *f; + int ok, found_key = 0; + struct passwd *pw; + struct stat st; + int status, devnull, p[2], i; + pid_t pid; + char errmsg[512]; + + if (options.authorized_keys_command == NULL || + options.authorized_keys_command[0] != '/') + return 0; + + /* If no user specified to run commands the default to target user */ + if (options.authorized_keys_command_user == NULL) + pw = user_pw; + else { + pw = getpwnam(options.authorized_keys_command_user); + if (pw == NULL) { + error("AuthorizedKeyCommandUser \"%s\" not found: %s", + options.authorized_keys_command, strerror(errno)); + return 0; + } + } + + temporarily_use_uid(pw); + + if (stat(options.authorized_keys_command, &st) < 0) { + error("Could not stat AuthorizedKeysCommand \"%s\": %s", + options.authorized_keys_command, strerror(errno)); + goto out; + } + if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0, + errmsg, sizeof(errmsg)) != 0) { + error("Unsafe AuthorizedKeysCommand: %s", errmsg); + goto out; + } + + if (pipe(p) != 0) { + error("%s: pipe: %s", __func__, strerror(errno)); + goto out; + } + + debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"", + 
options.authorized_keys_command, pw->pw_name); + + /* + * Don't want to call this in the child, where it can fatal() and + * run cleanup_exit() code. + */ + restore_uid(); + + switch ((pid = fork())) { + case -1: /* error */ + error("%s: fork: %s", __func__, strerror(errno)); + close(p[0]); + close(p[1]); + return 0; + case 0: /* child */ + for (i = 0; i < NSIG; i++) + signal(i, SIG_DFL); + + /* Don't use permanently_set_uid() here to avoid fatal() */ + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { + error("setresgid %u: %s", (u_int)pw->pw_gid, + strerror(errno)); + _exit(1); + } + if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { + error("setresuid %u: %s", (u_int)pw->pw_uid, + strerror(errno)); + _exit(1); + } + + close(p[0]); + if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { + error("%s: open %s: %s", __func__, _PATH_DEVNULL, + strerror(errno)); + _exit(1); + } + if (dup2(devnull, STDIN_FILENO) == -1 || + dup2(p[1], STDOUT_FILENO) == -1 || + dup2(devnull, STDERR_FILENO) == -1) { + error("%s: dup2: %s", __func__, strerror(errno)); + _exit(1); + } + closefrom(STDERR_FILENO + 1); + + execl(options.authorized_keys_command, + options.authorized_keys_command, pw->pw_name, NULL); + + error("AuthorizedKeysCommand %s exec failed: %s", + options.authorized_keys_command, strerror(errno)); + _exit(127); + default: /* parent */ + break; + } + + temporarily_use_uid(pw); + + close(p[1]); + if ((f = fdopen(p[0], "r")) == NULL) { + error("%s: fdopen: %s", __func__, strerror(errno)); + close(p[0]); + /* Don't leave zombie child */ + kill(pid, SIGTERM); + while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) + ; + goto out; + } + ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); + fclose(f); + + while (waitpid(pid, &status, 0) == -1) { + if (errno != EINTR) { + error("%s: waitpid: %s", __func__, strerror(errno)); + goto out; + } + } + if (WIFSIGNALED(status)) { + error("AuthorizedKeysCommand %s exited on signal %d", + 
options.authorized_keys_command, WTERMSIG(status)); + goto out; + } else if (WEXITSTATUS(status) != 0) { + error("AuthorizedKeysCommand %s returned status %d", + options.authorized_keys_command, WEXITSTATUS(status)); + goto out; + } + found_key = ok; + out: + restore_uid(); + return found_key; +} + +/* + * Check whether key authenticates and authorises the user. + */ int user_key_allowed(struct passwd *pw, Key *key) { @@ -449,9 +607,17 @@ user_key_allowed(struct passwd *pw, Key *key) if (success) return success; + success = user_key_command_allowed2(pw, key); + if (success > 0) + return success; + for (i = 0; !success && i < options.num_authkeys_files; i++) { + + if (strcasecmp(options.authorized_keys_files[i], "none") == 0) + continue; file = expand_authorized_keys( options.authorized_keys_files[i], pw); + success = user_key_allowed2(pw, key, file); xfree(file); } diff --git a/servconf.c b/servconf.c index f4b7dd58..8e69ea5c 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.230 2012/09/13 23:37:36 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.231 2012/10/30 21:29:54 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -135,6 +135,8 @@ initialize_server_options(ServerOptions *options) options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; + options->authorized_keys_command = NULL; + options->authorized_keys_command_user = NULL; options->zero_knowledge_password_authentication = -1; options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; @@ -329,6 +331,7 @@ typedef enum { sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sDeprecated, sUnsupported } ServerOpCodes; 
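Review bot: In `user_key_command_allowed2` (hunk `@@ -433,7 +426,172 @@`), the `getpwnam` failure branch logs `error("AuthorizedKeyCommandUser \"%s\" not found: %s", options.authorized_keys_command, strerror(errno));`, which prints the command path where the message promises the user name, and `strerror(errno)` is only meaningful if getpwnam actually set errno, which it need not do for a simple not-found; the first argument should be `options.authorized_keys_command_user`, and the same wrong argument survives in the `@@ -462,23 +462,27 @@` hunk of the later commit that introduces `username`. In the child branch, `setresgid`/`setresuid` switch the primary ids but nothing resets the supplementary group list inherited from the parent; unless something outside the hunk already does so, a `setgroups(1, &pw->pw_gid)` (or `initgroups(pw->pw_name, pw->pw_gid)`) before the `setresgid` call would keep the helper from running with the parent's groups.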
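Review bot: Two of the lines added to `user_key_allowed` (hunk `@@ -449,9 +607,17 @@`) are bare blank lines, one opening the `for` loop body before the `strcasecmp` check and one between `expand_authorized_keys(...)` and the `success = user_key_allowed2(...)` call; neither separates anything, so dropping them keeps the loop body the compact shape it had before. The `success > 0` early return after `user_key_command_allowed2` is fine as written, but a short comment such as `/* keys from AuthorizedKeysCommand are tried before AuthorizedKeysFile */` would record the precedence the man page describes.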
@@ -453,6 +456,8 @@ static struct {
 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 { "ipqos", sIPQoS, SSHCFG_ALL },
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+ { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 { NULL, sBadOption, 0 }
 };
@@ -1498,6 +1503,25 @@ process_server_config_line(ServerOptions *options, char *line,
 }
 return 0;
 
+ case sAuthorizedKeysCommand:
+ len = strspn(cp, WHITESPACE);
+ if (*activep && options->authorized_keys_command == NULL) {
+ if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
+ fatal("%.200s line %d: AuthorizedKeysCommand "
+ "must be an absolute path",
+ filename, linenum);
+ options->authorized_keys_command = xstrdup(cp + len);
+ }
+ return 0;
+
+ case sAuthorizedKeysCommandUser:
+ charptr = &options->authorized_keys_command_user;
+
+ arg = strdelim(&cp);
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
+
 case sDeprecated:
 logit("%s line %d: Deprecated option %s",
 filename, linenum, arg);
@@ -1648,6 +1672,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
 M_CP_INTOPT(kbd_interactive_authentication);
 M_CP_INTOPT(zero_knowledge_password_authentication);
+ M_CP_STROPT(authorized_keys_command);
+ M_CP_STROPT(authorized_keys_command_user);
 
 M_CP_INTOPT(permit_root_login);
 M_CP_INTOPT(permit_empty_passwd);
@@ -1908,6 +1934,8 @@ dump_config(ServerOptions *o)
 dump_cfg_string(sAuthorizedPrincipalsFile,
 o->authorized_principals_file);
 dump_cfg_string(sVersionAddendum, o->version_addendum);
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+ dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
 
 /* string arguments requiring a lookup */
 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
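Review bot: In the `sAuthorizedKeysCommandUser` case of `process_server_config_line` (hunk `@@ -1498,6 +1503,25 @@`), `arg = strdelim(&cp);` is handed straight to `xstrdup(arg)` with no check, so a config line consisting of the keyword alone leaves `arg` NULL or empty and the server either crashes in xstrdup or records an empty user name; add `if (!arg || *arg == '\0') fatal("%s line %d: missing argument.", filename, linenum);` before the `*activep` test, matching the missing-argument guard the file's other string options presumably use. The `sAuthorizedKeysCommand` case is fine in this respect, since an empty remainder fails both the `'/'` and `"none"` tests and reaches `fatal`. The switch continues outside the hunk.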
diff --git a/servconf.h b/servconf.h index 096d596d..0064c9bc 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.103 2012/07/10 02:19:15 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.104 2012/10/30 21:29:55 djm Exp $ */ /* * Author: Tatu Ylonen @@ -166,6 +166,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; char *authorized_principals_file; + char *authorized_keys_command; + char *authorized_keys_command_user; char *version_addendum; /* Appended to SSH banner */ } ServerOptions; diff --git a/sshd.c b/sshd.c index 9aff5e8a..eff0290b 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.393 2012/07/10 02:19:15 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.394 2012/10/30 21:29:55 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -359,6 +359,15 @@ grace_alarm_handler(int sig) if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) kill(pmonitor->m_pid, SIGALRM); + /* + * Try to kill any processes that we have spawned, E.g. authorized + * keys command helpers. + */ + if (getpgid(0) == getpid()) { + signal(SIGTERM, SIG_IGN); + killpg(0, SIGTERM); + } + /* Log error and exit. */ sigdie("Timeout before authentication for %s", get_remote_ipaddr()); } diff --git a/sshd_config b/sshd_config index 9424ee2c..3d35bef0 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $ +# $OpenBSD: sshd_config,v 1.88 2012/10/30 21:29:55 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -51,6 +51,9 @@ AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 diff --git a/sshd_config.5 b/sshd_config.5 index 987558ae..de8f0f82 100644 
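Review bot: The new `killpg(0, SIGTERM)` block in `grace_alarm_handler` (sshd.c hunk `@@ -359,6 +359,15 @@`) would benefit from a comment on its two guards, since neither is obvious inside a signal handler: the `getpgid(0) == getpid()` test restricts the signal to a process group that sshd itself leads, so an sshd started without its own group does not signal unrelated siblings, and `signal(SIGTERM, SIG_IGN)` has to precede the `killpg` because the sender is a member of the group it signals. A line such as `/* Only signal a group we lead, and ignore SIGTERM first so we do not kill ourselves before sigdie() runs. */` above the `if` would capture both. grace_alarm_handler begins outside the hunk.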
--- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.145 2012/10/04 13:21:50 markus Exp $ -.Dd $Mdocdate: October 4 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.146 2012/10/30 21:29:55 djm Exp $ +.Dd $Mdocdate: October 30 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -151,6 +151,22 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm AuthorizedKeysCommand +Specifies a program to be used for lookup of the user's public keys. +The program will be invoked with a single argument of the username +being authenticated, and should produce on standard output zero or +more lines of authorized_keys output (see AUTHORIZED_KEYS in +.Xr sshd 8 ) +If a key supplied by AuthorizedKeysCommand does not successfully authenticate +and authorize the user then public key authentication continues using the usual +.Cm AuthorizedKeysFile +files. +By default, no AuthorizedKeysCommand is run. +.It Cm AuthorizedKeysCommandUser +Specifies the user under whose account the AuthorizedKeysCommand is run. +The default is the user being authenticated. +It is recommended to use a dedicated user that has no other role on the host +than running authorized keys commands. .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. @@ -712,6 +728,8 @@ Available keywords are .Cm AllowTcpForwarding , .Cm AllowUsers , .Cm AuthorizedKeysFile , +.Cm AuthorizedKeysCommand , +.Cm AuthorizedKeysCommandUser , .Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , -- cgit v1.2.1 From d4d6e780a92caa1fd72daee7a10a4a2edb94944e Mon Sep 17 00:00:00 2001 
From: djm Date: Sun, 4 Nov 2012 11:22:52 +0000 Subject: - OpenBSD CVS Sync - jmc@cvs.openbsd.org 2012/10/31 08:04:50 [sshd_config.5] tweak previous; --- ChangeLog | 6 ++++++ sshd_config.5 | 14 ++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 27ec898b..f1d0580f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20121104 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2012/10/31 08:04:50 + [sshd_config.5] + tweak previous; + 20121030 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2012/10/05 12:34:39 diff --git a/sshd_config.5 b/sshd_config.5 index de8f0f82..3cc901a8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.146 2012/10/30 21:29:55 djm Exp $ -.Dd $Mdocdate: October 30 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.147 2012/10/31 08:04:50 jmc Exp $ +.Dd $Mdocdate: October 31 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -152,11 +152,13 @@ in .Xr ssh_config 5 for more information on patterns. .It Cm AuthorizedKeysCommand -Specifies a program to be used for lookup of the user's public keys. +Specifies a program to be used to look up the user's public keys. The program will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or -more lines of authorized_keys output (see AUTHORIZED_KEYS in -.Xr sshd 8 ) +more lines of authorized_keys output (see +.Sx AUTHORIZED_KEYS +in +.Xr sshd 8 ) . If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual .Cm AuthorizedKeysFile 
@@ -727,9 +729,9 @@ Available keywords are .Cm AllowGroups , .Cm AllowTcpForwarding , .Cm AllowUsers , -.Cm AuthorizedKeysFile , .Cm AuthorizedKeysCommand , .Cm AuthorizedKeysCommandUser , +.Cm AuthorizedKeysFile , .Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , -- cgit v1.2.1 From 98d091cb9beece7d59ef361e2e6476fe5d048d4f Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 4 Nov 2012 11:23:14 +0000 Subject: - djm@cvs.openbsd.org 2012/11/04 10:38:43 [auth2-pubkey.c sshd.c sshd_config.5] Remove default of AuthorizedCommandUser. Administrators are now expected to explicitly specify a user. feedback and ok markus@ --- ChangeLog | 4 ++++ auth2-pubkey.c | 30 +++++++++++++++++------------- sshd.c | 9 ++++++++- sshd_config.5 | 5 ++--- 4 files changed, 31 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index f1d0580f..120c132a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - jmc@cvs.openbsd.org 2012/10/31 08:04:50 [sshd_config.5] tweak previous; + - djm@cvs.openbsd.org 2012/11/04 10:38:43 + [auth2-pubkey.c sshd.c sshd_config.5] + Remove default of AuthorizedCommandUser. Administrators are now expected + to explicitly specify a user. feedback and ok markus@ 20121030 - (djm) OpenBSD CVS Sync diff --git a/auth2-pubkey.c b/auth2-pubkey.c index ec8f75d5..6a621701 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.31 2012/10/30 21:29:54 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
@@ -462,23 +462,27 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) struct stat st; int status, devnull, p[2], i; pid_t pid; - char errmsg[512]; + char *username, errmsg[512]; if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/') return 0; - /* If no user specified to run commands the default to target user */ - if (options.authorized_keys_command_user == NULL) - pw = user_pw; - else { - pw = getpwnam(options.authorized_keys_command_user); - if (pw == NULL) { - error("AuthorizedKeyCommandUser \"%s\" not found: %s", - options.authorized_keys_command, strerror(errno)); - return 0; - } + if (options.authorized_keys_command_user == NULL) { + error("No user for AuthorizedKeysCommand specified, skipping"); + return 0; + } + + username = percent_expand(options.authorized_keys_command_user, + "u", user_pw->pw_name, (char *)NULL); + pw = getpwnam(username); + if (pw == NULL) { + error("AuthorizedKeyCommandUser \"%s\" not found: %s", + options.authorized_keys_command, strerror(errno)); + free(username); + return 0; } + free(username); temporarily_use_uid(pw); @@ -517,6 +521,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) for (i = 0; i < NSIG; i++) signal(i, SIG_DFL); + closefrom(STDERR_FILENO + 1); /* Don't use permanently_set_uid() here to avoid fatal() */ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { error("setresgid %u: %s", (u_int)pw->pw_gid, @@ -541,7 +546,6 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) error("%s: dup2: %s", __func__, strerror(errno)); _exit(1); } - closefrom(STDERR_FILENO + 1); execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL); diff --git a/sshd.c b/sshd.c index eff0290b..4ad1a4bd 100644 --- a/sshd.c +++ b/sshd.c 
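Review bot: The `pw == NULL` branch still passes `options.authorized_keys_command` to the "not found" message, so the log names the command path instead of the account whose lookup failed; the expanded `username` is in scope there and should be used before it is freed: `error("AuthorizedKeysCommandUser \"%s\" not found: %s", username, strerror(errno));` (this also fixes the keyword spelling, which is missing the `s` of AuthorizedKeysCommandUser). getpwnam() is not required to set errno when the entry simply does not exist, so the strerror() text may be stale; either reset errno before the call or drop it from the message. user_key_command_allowed2 continues outside the hunk.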
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.394 2012/10/30 21:29:55 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.395 2012/11/04 10:38:43 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1559,6 +1559,13 @@ main(int ac, char **av) if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; + /* Check that options are sensible */ + if (options.authorized_keys_command_user == NULL && + (options.authorized_keys_command != NULL && + strcasecmp(options.authorized_keys_command, "none") != 0)) + fatal("AuthorizedKeysCommand set without " + "AuthorizedKeysCommandUser"); + /* set default channel AF */ channel_set_af(options.address_family); diff --git a/sshd_config.5 b/sshd_config.5 index 3cc901a8..0fb0b837 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.147 2012/10/31 08:04:50 jmc Exp $ -.Dd $Mdocdate: October 31 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.148 2012/11/04 10:38:43 djm Exp $ +.Dd $Mdocdate: November 4 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -166,7 +166,6 @@ files. By default, no AuthorizedKeysCommand is run. .It Cm AuthorizedKeysCommandUser Specifies the user under whose account the AuthorizedKeysCommand is run. -The default is the user being authenticated. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands. .It Cm AuthorizedKeysFile -- cgit v1.2.1 From 39a15d74dc1c291ec826b5cfc1c95baf8bfd3521 Mon Sep 17 00:00:00 2001 
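Review bot: The new AuthorizedKeysCommand/AuthorizedKeysCommandUser check only inspects the global configuration, yet both keywords are registered with SSHCFG_ALL in servconf.c (visible in a later hunk of this series), so a Match block can still set the command without a user; that case is then only reported and skipped per connection by user_key_command_allowed2(). A comment above the check would stop the startup fatal() from being read as a guarantee: `/* Global options only: a Match block can still set AuthorizedKeysCommand without a user; user_key_command_allowed2() logs and skips that case. */`. main() continues outside the hunk.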
From: djm Date: Sun, 4 Nov 2012 12:21:40 +0000 Subject: - djm@cvs.openbsd.org 2012/11/04 11:09:15 [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] [sshd_config.5] Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@ --- ChangeLog | 8 +++ auth.h | 7 +- auth1.c | 7 +- auth2.c | 218 +++++++++++++++++++++++++++++++++++++++++++++++++++++----- monitor.c | 35 ++++++++-- servconf.c | 26 ++++++- servconf.h | 7 +- sshd.c | 23 ++++++- sshd_config.5 | 25 ++++++- 9 files changed, 328 insertions(+), 28 deletions(-) diff --git a/ChangeLog b/ChangeLog index 120c132a..85c92eb7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,14 @@ [auth2-pubkey.c sshd.c sshd_config.5] Remove default of AuthorizedCommandUser. Administrators are now expected to explicitly specify a user. feedback and ok markus@ + - djm@cvs.openbsd.org 2012/11/04 11:09:15 + [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] + [sshd_config.5] + Support multiple required authentication via an AuthenticationMethods + option. This option lists one or more comma-separated lists of + authentication method names. Successful completion of all the methods in + any list is required for authentication to complete; + feedback and ok markus@ 20121030 - (djm) OpenBSD CVS Sync diff --git a/auth.h b/auth.h index 06340416..8920c7da 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.70 2012/10/30 21:29:54 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.71 2012/11/04 11:09:15 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -64,6 +64,8 @@ struct Authctxt { #ifdef BSD_AUTH auth_session_t *as; #endif + char **auth_methods; /* modified from server config */ + u_int num_auth_methods; #ifdef KRB5 krb5_context krb5_ctx; krb5_ccache krb5_fwd_ccache; 
@@ -152,6 +154,9 @@ void userauth_send_banner(const char *); int auth_root_allowed(char *); char *auth2_read_banner(void); +int auth2_methods_valid(const char *, int); +int auth2_update_methods_lists(Authctxt *, const char *); +int auth2_setup_methods_lists(Authctxt *); void privsep_challenge_enable(void); diff --git a/auth1.c b/auth1.c index cc85aec7..fb37fadf 100644 --- a/auth1.c +++ b/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.75 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.76 2012/11/04 11:09:15 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -406,6 +406,11 @@ do_authentication(Authctxt *authctxt) authctxt->pw = fakepw(); } + /* Configuration may have changed as a result of Match */ + if (options.num_auth_methods != 0) + fatal("AuthenticationMethods is not supported with SSH " + "protocol 1"); + setproctitle("%s%s", authctxt->valid ? user : "unknown", use_privsep ? " [net]" : ""); diff --git a/auth2.c b/auth2.c index b66bef64..8114ec86 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -96,8 +96,10 @@ static void input_service_request(int, u_int32_t, void *); static void input_userauth_request(int, u_int32_t, void *); /* helper */ -static Authmethod *authmethod_lookup(const char *); -static char *authmethods_get(void); +static Authmethod *authmethod_lookup(Authctxt *, const char *); +static char *authmethods_get(Authctxt *authctxt); +static int method_allowed(Authctxt *, const char *); +static int list_starts_with(const char *, const char *); char * auth2_read_banner(void) 
@@ -255,6 +257,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) if (use_privsep) mm_inform_authserv(service, style); userauth_banner(); + if (auth2_setup_methods_lists(authctxt) != 0) + packet_disconnect("no authentication methods enabled"); } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " @@ -277,7 +281,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) authctxt->server_caused_failure = 0; /* try to authenticate user */ - m = authmethod_lookup(method); + m = authmethod_lookup(authctxt, method); if (m != NULL && authctxt->failures < options.max_authtries) { debug2("input_userauth_request: try method %s", method); authenticated = m->userauth(authctxt); @@ -293,6 +297,7 @@ void userauth_finish(Authctxt *authctxt, int authenticated, char *method) { char *methods; + int partial = 0; if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", @@ -335,7 +340,13 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) if (authctxt->postponed) return; - /* XXX todo: check if multiple auth methods are needed */ + if (authenticated && options.num_auth_methods != 0) { + if (!auth2_update_methods_lists(authctxt, method)) { + authenticated = 0; + partial = 1; + } + } + if (authenticated == 1) { /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 
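Review bot: When `auth2_update_methods_lists()` reports a partial success the code clears `authenticated` and falls into the existing failure path, so a correctly completed first factor is presumably handled like a failed attempt there (the `authctxt->failures` accounting lies outside this hunk and cannot be confirmed here); if so, a two-method list spends a MaxAuthTries slot on every successful stage, and the increment should be guarded by `!partial`. A comment on the new block such as `/* partial: the method succeeded but more are required; report SSH2_MSG_USERAUTH_FAILURE with partial=1 */` would make the intent clear to the next reader. userauth_finish continues past the hunk.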
@@ -356,34 +367,61 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) #endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } - methods = authmethods_get(); + methods = authmethods_get(authctxt); + debug3("%s: failure partial=%d next methods=\"%s\"", __func__, + partial, methods); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); - packet_put_char(0); /* XXX partial success, unused */ + packet_put_char(partial); packet_send(); packet_write_wait(); xfree(methods); } } +/* + * Checks whether method is allowed by at least one AuthenticationMethods + * methods list. Returns 1 if allowed, or no methods lists configured. + * 0 otherwise. + */ +static int +method_allowed(Authctxt *authctxt, const char *method) +{ + u_int i; + + /* + * NB. authctxt->num_auth_methods might be zero as a result of + * auth2_setup_methods_lists(), so check the configuration. + */ + if (options.num_auth_methods == 0) + return 1; + for (i = 0; i < authctxt->num_auth_methods; i++) { + if (list_starts_with(authctxt->auth_methods[i], method)) + return 1; + } + return 0; +} + static char * -authmethods_get(void) +authmethods_get(Authctxt *authctxt) { Buffer b; char *list; - int i; + u_int i; buffer_init(&b); for (i = 0; authmethods[i] != NULL; i++) { if (strcmp(authmethods[i]->name, "none") == 0) continue; - if (authmethods[i]->enabled != NULL && - *(authmethods[i]->enabled) != 0) { - if (buffer_len(&b) > 0) - buffer_append(&b, ",", 1); - buffer_append(&b, authmethods[i]->name, - strlen(authmethods[i]->name)); - } + if (authmethods[i]->enabled == NULL || + *(authmethods[i]->enabled) == 0) + continue; + if (!method_allowed(authctxt, authmethods[i]->name)) + continue; + if (buffer_len(&b) > 0) + buffer_append(&b, ",", 1); + buffer_append(&b, authmethods[i]->name, + strlen(authmethods[i]->name)); } buffer_append(&b, "\0", 1); list = xstrdup(buffer_ptr(&b)); 
@@ -392,7 +430,7 @@ authmethods_get(void)
 }
 
 static Authmethod *
-authmethod_lookup(const char *name)
+authmethod_lookup(Authctxt *authctxt, const char *name)
 {
 int i;
 
@@ -400,10 +438,154 @@ authmethod_lookup(const char *name)
 for (i = 0; authmethods[i] != NULL; i++)
 if (authmethods[i]->enabled != NULL &&
 *(authmethods[i]->enabled) != 0 &&
- strcmp(name, authmethods[i]->name) == 0)
+ strcmp(name, authmethods[i]->name) == 0 &&
+ method_allowed(authctxt, authmethods[i]->name))
 return authmethods[i];
 debug2("Unrecognized authentication method name: %s",
 name ? name : "NULL");
 return NULL;
 }
 
+/*
+ * Check a comma-separated list of methods for validity. Is need_enable is
+ * non-zero, then also require that the methods are enabled.
+ * Returns 0 on success or -1 if the methods list is invalid.
+ */
+int
+auth2_methods_valid(const char *_methods, int need_enable)
+{
+ char *methods, *omethods, *method;
+ u_int i, found;
+ int ret = -1;
+
+ if (*_methods == '\0') {
+ error("empty authentication method list");
+ return -1;
+ }
+ omethods = methods = xstrdup(_methods);
+ while ((method = strsep(&methods, ",")) != NULL) {
+ for (found = i = 0; !found && authmethods[i] != NULL; i++) {
+ if (strcmp(method, authmethods[i]->name) != 0)
+ continue;
+ if (need_enable) {
+ if (authmethods[i]->enabled == NULL ||
+ *(authmethods[i]->enabled) == 0) {
+ error("Disabled method \"%s\" in "
+ "AuthenticationMethods list \"%s\"",
+ method, _methods);
+ goto out;
+ }
+ }
+ found = 1;
+ break;
+ }
+ if (!found) {
+ error("Unknown authentication method \"%s\" in list",
+ method);
+ goto out;
+ }
+ }
+ ret = 0;
+ out:
+ free(omethods);
+ return ret;
+}
+
+/*
+ * Prune the AuthenticationMethods supplied in the configuration, removing
+ * any methods lists that include disabled methods. Note that this might
+ * leave authctxt->num_auth_methods == 0, even when multiple required auth
+ * has been requested. For this reason, all tests for whether multiple is
+ * enabled should consult options.num_auth_methods directly.
+ */
+int
+auth2_setup_methods_lists(Authctxt *authctxt)
+{
+ u_int i;
+
+ if (options.num_auth_methods == 0)
+ return 0;
+ debug3("%s: checking methods", __func__);
+ authctxt->auth_methods = xcalloc(options.num_auth_methods,
+ sizeof(*authctxt->auth_methods));
+ authctxt->num_auth_methods = 0;
+ for (i = 0; i < options.num_auth_methods; i++) {
+ if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
+ logit("Authentication methods list \"%s\" contains "
+ "disabled method, skipping",
+ options.auth_methods[i]);
+ continue;
+ }
+ debug("authentication methods list %d: %s",
+ authctxt->num_auth_methods, options.auth_methods[i]);
+ authctxt->auth_methods[authctxt->num_auth_methods++] =
+ xstrdup(options.auth_methods[i]);
+ }
+ if (authctxt->num_auth_methods == 0) {
+ error("No AuthenticationMethods left after eliminating "
+ "disabled methods");
+ return -1;
+ }
+ return 0;
+}
+
+static int
+list_starts_with(const char *methods, const char *method)
+{
+ size_t l = strlen(method);
+
+ if (strncmp(methods, method, l) != 0)
+ return 0;
+ if (methods[l] != ',' && methods[l] != '\0')
+ return 0;
+ return 1;
+}
+
+/*
+ * Remove method from the start of a comma-separated list of methods.
+ * Returns 0 if the list of methods did not start with that method or 1
+ * if it did.
+ */
+static int
+remove_method(char **methods, const char *method)
+{
+ char *omethods = *methods;
+ size_t l = strlen(method);
+
+ if (!list_starts_with(omethods, method))
+ return 0;
+ *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
+ free(omethods);
+ return 1;
+}
+
+/*
+ * Called after successful authentication. Will remove the successful method
+ * from the start of each list in which it occurs. If it was the last method
+ * in any list, then authentication is deemed successful.
+ * Returns 1 if the method completed any authentication list or 0 otherwise.
+ */
+int
+auth2_update_methods_lists(Authctxt *authctxt, const char *method)
+{
+ u_int i, found = 0;
+
+ debug3("%s: updating methods list after \"%s\"", __func__, method);
+ for (i = 0; i < authctxt->num_auth_methods; i++) {
+ if (!remove_method(&(authctxt->auth_methods[i]), method))
+ continue;
+ found = 1;
+ if (*authctxt->auth_methods[i] == '\0') {
+ debug2("authentication methods list %d complete", i);
+ return 1;
+ }
+ debug3("authentication methods list %d remaining: \"%s\"",
+ i, authctxt->auth_methods[i]);
+ }
+ /* This should not happen, but would be bad if it did */
+ if (!found)
+ fatal("%s: method not in AuthenticationMethods", __func__);
+ return 0;
+}
+
+
diff --git a/monitor.c b/monitor.c
index e9802a3f..0adbf3a6 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.118 2012/11/04 11:09:15 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos
 * Copyright 2002 Markus Friedl
@@ -381,6 +381,21 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 while (!authenticated) {
 auth_method = "unknown";
 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
+
+ /* Special handling for multiple required authentications */
+ if (options.num_auth_methods != 0) {
+ if (!compat20)
+ fatal("AuthenticationMethods is not supported"
+ "with SSH protocol 1");
+ if (authenticated &&
+ !auth2_update_methods_lists(authctxt,
+ auth_method)) {
+ debug3("%s: method %s: partial", __func__,
+ auth_method);
+ authenticated = 0;
+ }
+ }
+
 if (authenticated) {
 if (!(ent->flags & MON_AUTHDECIDE))
 fatal("%s: unexpected authentication from %d",
@@ -401,7 +416,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 }
 #endif
 }
-
 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 auth_log(authctxt, authenticated, auth_method,
 compat20 ? " ssh2" : "");
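Review bot: The comment above `auth2_methods_valid()` has a typo, `Is need_enable is non-zero` should read `If need_enable is non-zero`. The loop in `auth2_update_methods_lists()` deliberately continues after `found = 1` and only returns early when a list becomes empty, so a method that heads several lists is consumed from all of them at once; that matches the man page but is easy to misread as a missing `break`, so a comment such as `/* keep going: the method may head more than one list */` before `found = 1;` would help. The `fatal()` for a method absent from every list is reachable from the monitor, where `auth_method` is set by the monitor's own handlers rather than by `authmethod_lookup()`, so any future naming mismatch between the two sides (as this commit already has to handle for bsdauth) terminates the monitor instead of failing the attempt; worth a comment at the fatal() naming that caller.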
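Review bot: The two string pieces of the new `fatal()` in monitor_child_preauth() lack a separating space, so the message reads `...is not supportedwith SSH protocol 1`; it should be `fatal("AuthenticationMethods is not supported " "with SSH protocol 1");`. Separately, after `authenticated` is cleared for a partial success the following hunk still passes that value to `auth_log()`, so a correctly completed first factor is presumably recorded as a failure; if those log lines feed lockout tooling it may be worth logging the partial state explicitly. monitor_child_preauth() continues outside the hunk.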
@@ -781,7 +795,17 @@ mm_answer_pwnamallow(int sock, Buffer *m) COPY_MATCH_STRING_OPTS(); #undef M_CP_STROPT #undef M_CP_STRARRAYOPT - + + /* Create valid auth method lists */ + if (compat20 && auth2_setup_methods_lists(authctxt) != 0) { + /* + * The monitor will continue long enough to let the child + * run to it's packet_disconnect(), but it must not allow any + * authentication to succeed. + */ + debug("%s: no valid authentication method lists", __func__); + } + debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); mm_request_send(sock, MONITOR_ANS_PWNAM, m); @@ -918,7 +942,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) debug3("%s: sending authenticated: %d", __func__, authok); mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); - auth_method = "bsdauth"; + if (compat20) + auth_method = "keyboard-interactive"; + else + auth_method = "bsdauth"; return (authok != 0); } diff --git a/servconf.c b/servconf.c index 8e69ea5c..b90dba63 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.231 2012/10/30 21:29:54 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.232 2012/11/04 11:09:15 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -48,6 +48,8 @@ #include "groupaccess.h" #include "canohost.h" #include "packet.h" +#include "hostfile.h" +#include "auth.h" static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); @@ -332,6 +334,7 @@ typedef enum { sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, + sAuthenticationMethods, sDeprecated, sUnsupported } ServerOpCodes; 
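Review bot: The new comment says `it's packet_disconnect()` where `its` is meant. More importantly, the "must not allow any authentication to succeed" claim rests on behaviour defined elsewhere: after a failed `auth2_setup_methods_lists()` the monitor is left with `authctxt->num_auth_methods == 0`, so a method that does succeed reaches `auth2_update_methods_lists()` in monitor_child_preauth(), whose loop then finds nothing and hits its `fatal("%s: method not in AuthenticationMethods")` rather than granting access. Spelling that dependency out, e.g. `/* num_auth_methods is now 0: any authentication that gets this far ends in auth2_update_methods_lists()'s fatal() */`, makes the fail-closed property checkable by the next reader. mm_answer_pwnamallow() continues outside the hunk.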
@@ -459,6 +462,7 @@ static struct { { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, + { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -1522,6 +1526,24 @@ process_server_config_line(ServerOptions *options, char *line, *charptr = xstrdup(arg); break; + case sAuthenticationMethods: + if (*activep && options->num_auth_methods == 0) { + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_auth_methods >= + MAX_AUTH_METHODS) + fatal("%s line %d: " + "too many authentication methods.", + filename, linenum); + if (auth2_methods_valid(arg, 0) != 0) + fatal("%s line %d: invalid " + "authentication method list.", + filename, linenum); + options->auth_methods[ + options->num_auth_methods++] = xstrdup(arg); + } + } + return 0; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -1953,6 +1975,8 @@ dump_config(ServerOptions *o) dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); + dump_cfg_strarray_oneline(sAuthenticationMethods, + o->num_auth_methods, o->auth_methods); /* other arguments */ for (i = 0; i < o->num_subsystems; i++) diff --git a/servconf.h b/servconf.h index 0064c9bc..68fcdb76 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.104 2012/10/30 21:29:55 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.105 2012/11/04 11:09:15 djm Exp $ */ /* * Author: Tatu Ylonen 
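Review bot: A bare `AuthenticationMethods` line with no argument is accepted silently: the `while` loop never runs, `num_auth_methods` stays 0 and the option has no effect, which for a keyword meant to add a required second factor is a quiet way to lose the requirement. Adding, after the loop and still inside the `*activep` block, `if (options->num_auth_methods == 0) fatal("%s line %d: no AuthenticationMethods specified.", filename, linenum);` closes that gap (confirm it matches how the other keywords in this function treat a missing argument, which is not visible here). The `return 0` instead of `break` also skips whatever follows the switch; that is presumably fine because the loop consumes every token, but cannot be confirmed from the hunk. process_server_config_line continues outside the hunk.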
@@ -28,6 +28,7 @@ #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ #define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ #define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */ +#define MAX_AUTH_METHODS 256 /* Max # of AuthenticationMethods. */ /* permit_root_login */ #define PERMIT_NOT_SET -1 @@ -170,6 +171,9 @@ typedef struct { char *authorized_keys_command_user; char *version_addendum; /* Appended to SSH banner */ + + u_int num_auth_methods; + char *auth_methods[MAX_AUTH_METHODS]; } ServerOptions; /* Information about the incoming connection as used by Match */ @@ -199,6 +203,7 @@ struct connection_info { M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \ M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \ M_CP_STRARRAYOPT(accept_env, num_accept_env); \ + M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \ } while (0) struct connection_info *get_connection_info(int, int); diff --git a/sshd.c b/sshd.c index 4ad1a4bd..af7ff91b 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.395 2012/11/04 10:38:43 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.396 2012/11/04 11:09:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1337,6 +1337,7 @@ main(int ac, char **av) int remote_port; char *line; int config_s[2] = { -1 , -1 }; + u_int n; u_int64_t ibytes, obytes; mode_t new_umask; Key *key; 
@@ -1566,6 +1567,26 @@ main(int ac, char **av) fatal("AuthorizedKeysCommand set without " "AuthorizedKeysCommandUser"); + /* + * Check whether there is any path through configured auth methods. + * Unfortunately it is not possible to verify this generally before + * daemonisation in the presence of Match block, but this catches + * and warns for trivial misconfigurations that could break login. + */ + if (options.num_auth_methods != 0) { + if ((options.protocol & SSH_PROTO_1)) + fatal("AuthenticationMethods is not supported with " + "SSH protocol 1"); + for (n = 0; n < options.num_auth_methods; n++) { + if (auth2_methods_valid(options.auth_methods[n], + 1) == 0) + break; + } + if (n >= options.num_auth_methods) + fatal("AuthenticationMethods cannot be satisfied by " + "enabled authentication methods"); + } + /* set default channel AF */ channel_set_af(options.address_family); diff --git a/sshd_config.5 b/sshd_config.5 index 0fb0b837..05f3374f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.148 2012/11/04 10:38:43 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.149 2012/11/04 11:09:15 djm Exp $ .Dd $Mdocdate: November 4 2012 $ .Dt SSHD_CONFIG 5 .Os 
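Review bot: The satisfiability loop calls `auth2_methods_valid(..., 1)` list by list until one passes, and that function reports each disabled method with `error()` (see its definition in the auth2.c hunk of this commit), so a configuration whose first list names a disabled method but whose second list is valid starts up normally while logging an error, which will mislead operators reading logs for misconfiguration. Either validate all lists and report only when none passes, or at least say so in the block comment: `/* NB: auth2_methods_valid() logs an error for each unsatisfiable list even when a later list passes. */`. main() continues outside the hunk.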
@@ -151,6 +151,28 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm AuthenticationMethods +Specifies the authentication methods that must be successfully completed +for a user to be granted access. +This option must be followed by one or more comma-separated lists of +authentication method names. +Successful authentication requires completion of every method in at least +one of these lists. +.Pp +For example, an argument of +.Dq publickey,password publickey,keyboard-interactive +would require the user to complete public key authentication, followed by +either password or keyboard interactive authentication. +Only methods that are next in one or more lists are offered at each stage, +so for this example, it would not be possible to attempt password or +keyboard-interactive authentication before public key. +.Pp +This option is only available for SSH protocol 2 and will yield a fatal +error if enabled if protocol 1 is also enabled. +Note that each authentication method listed should also be explicitly enabled +in the configuration. +The default is not to require multiple authentication; successful completion +of a single authentication method is sufficient. .It Cm AuthorizedKeysCommand Specifies a program to be used to look up the user's public keys. The program will be invoked with a single argument of the username @@ -728,6 +750,7 @@ Available keywords are .Cm AllowGroups , .Cm AllowTcpForwarding , .Cm AllowUsers , +.Cm AuthenticationMethods , .Cm AuthorizedKeysCommand , .Cm AuthorizedKeysCommandUser , .Cm AuthorizedKeysFile , -- cgit v1.2.1 From 52e5a65f086bd88c3e2f13ca6ab1959c7bfffd9f Mon Sep 17 00:00:00 2001 
From: dtucker Date: Mon, 5 Nov 2012 06:04:37 +0000 Subject: - (dtucker) [uidswap.c openbsd-compat/Makefile.in openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids and gids from uidswap.c to the compat library, which allows it to work with the new setresuid calls in auth2-pubkey. with tim@, ok djm@ --- ChangeLog | 7 +++ openbsd-compat/Makefile.in | 4 +- openbsd-compat/bsd-setres_id.c | 99 +++++++++++++++++++++++++++++++++++++++++ openbsd-compat/bsd-setres_id.h | 24 ++++++++++ openbsd-compat/openbsd-compat.h | 3 +- uidswap.c | 34 -------------- 6 files changed, 134 insertions(+), 37 deletions(-) create mode 100644 openbsd-compat/bsd-setres_id.c create mode 100644 openbsd-compat/bsd-setres_id.h diff --git a/ChangeLog b/ChangeLog index 85c92eb7..8cc7c8e7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20121105 + - (dtucker) [uidswap.c openbsd-compat/Makefile.in + openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h + openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids + and gids from uidswap.c to the compat library, which allows it to work with + the new setresuid calls in auth2-pubkey. with tim@, ok djm@ + 20121104 - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2012/10/31 08:04:50 diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 196a81d1..992b9743 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.48 2011/11/04 00:25:25 dtucker Exp $ +# $Id: Makefile.in,v 1.49 2012/11/05 06:04:37 dtucker Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ 
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o -COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o +COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o diff --git a/openbsd-compat/bsd-setres_id.c b/openbsd-compat/bsd-setres_id.c new file mode 100644 index 00000000..020b214b --- /dev/null +++ b/openbsd-compat/bsd-setres_id.c 
@@ -0,0 +1,99 @@ +/* $Id: bsd-setres_id.c,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */ + +/* + * Copyright (c) 2012 Darren Tucker (dtucker at zip com au). + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include + +#include +#include + +#include "log.h" + +#if !defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID) +int +setresgid(gid_t rgid, gid_t egid, gid_t sgid) +{ + int ret = 0, saved_errno; + + if (rgid != sgid) { + errno = ENOSYS; + return -1; + } +#if defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID) + if (setregid(rgid, egid) < 0) { + saved_errno = errno; + error("setregid %u: %.100s", rgid, strerror(errno)); + errno = saved_errno; + ret = -1; + } +#else + if (setegid(egid) < 0) { + saved_errno = errno; + error("setegid %u: %.100s", (u_int)egid, strerror(errno)); + errno = saved_errno; + ret = -1; + } + if (setgid(rgid) < 0) { + saved_errno = errno; + error("setgid %u: %.100s", rgid, strerror(errno)); + errno = saved_errno; + ret = -1; + } +#endif + return ret; +} +#endif + +#if !defined(HAVE_SETRESUID) || defined(BROKEN_SETRESUID) +int +setresuid(uid_t ruid, uid_t euid, uid_t suid) +{ + int ret = 0, saved_errno; + + if (ruid != suid) { + errno = ENOSYS; + return -1; + } +#if defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID) + if 
(setreuid(ruid, euid) < 0) { + saved_errno = errno; + error("setreuid %u: %.100s", ruid, strerror(errno)); + errno = saved_errno; + ret = -1; + } +#else + +# ifndef SETEUID_BREAKS_SETUID + if (seteuid(euid) < 0) { + saved_errno = errno; + error("seteuid %u: %.100s", euid, strerror(errno)); + errno = saved_errno; + ret = -1; + } +# endif + if (setuid(ruid) < 0) { + saved_errno = errno; + error("setuid %u: %.100s", ruid, strerror(errno)); + errno = saved_errno; + ret = -1; + } +#endif + return ret; +} +#endif diff --git a/openbsd-compat/bsd-setres_id.h b/openbsd-compat/bsd-setres_id.h new file mode 100644 index 00000000..6c269e0b --- /dev/null +++ b/openbsd-compat/bsd-setres_id.h @@ -0,0 +1,24 @@ +/* $Id: bsd-setres_id.h,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */ + +/* + * Copyright (c) 2012 Darren Tucker (dtucker at zip com au). + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef HAVE_SETRESGID +int setresgid(gid_t, gid_t, gid_t); +#endif +#ifndef HAVE_SETRESUID +int setresuid(uid_t, uid_t, uid_t); +#endif diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 807acf62..664cb044 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h 
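Review bot: The `%u` conversions in the `setregid`, `setgid`, `setreuid`, `seteuid` and `setuid` error() calls are fed raw `gid_t`/`uid_t` values, while the `setegid` call in the same function casts `(u_int)egid`; where the ID type is not `unsigned int` the mismatched specifier is undefined behaviour, so cast consistently, e.g. `error("setregid %u: %.100s", (u_int)rgid, strerror(errno));`. The file also has no comment stating what these replacements do not do: both reject `real != saved` with ENOSYS, and the `seteuid`/`setuid` and `setegid`/`setgid` branches are two separate calls, so a failure of the second leaves the effective ID already changed. A header comment such as `/* Partial emulations of setresuid(2)/setresgid(2): only the real == saved case is supported and the two-step fallbacks are not atomic. */` would save the next reader from assuming full semantics.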
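Review bot: The prototypes are guarded by `#ifndef HAVE_SETRESGID` / `#ifndef HAVE_SETRESUID`, while the definitions in bsd-setres_id.c are compiled under `!defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)` and the uid equivalent; when the BROKEN_ macro is set the compat function is built but declared only by the system header, so this header never cross-checks that signature. Using the same condition in both files, `#if !defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)`, keeps declaration and definition in step; if that would clash with a system declaration on some platform, a comment saying so would explain the asymmetry.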
@@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.52 2011/09/23 01:16:11 djm Exp $ */ +/* $Id: openbsd-compat.h,v 1.53 2012/11/05 06:04:38 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -149,6 +149,7 @@ int writev(int, struct iovec *, int); /* Home grown routines */ #include "bsd-misc.h" +#include "bsd-setres_id.h" #include "bsd-statvfs.h" #include "bsd-waitpid.h" #include "bsd-poll.h" diff --git a/uidswap.c b/uidswap.c index 83764839..cdd7309e 100644 --- a/uidswap.c +++ b/uidswap.c @@ -138,20 +138,8 @@ permanently_drop_suid(uid_t uid) uid_t old_uid = getuid(); debug("permanently_drop_suid: %u", (u_int)uid); -#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID) if (setresuid(uid, uid, uid) < 0) fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno)); -#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID) - if (setreuid(uid, uid) < 0) - fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno)); -#else -# ifndef SETEUID_BREAKS_SETUID - if (seteuid(uid) < 0) - fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno)); -# endif - if (setuid(uid) < 0) - fatal("setuid %u: %.100s", (u_int)uid, strerror(errno)); -#endif #ifndef HAVE_CYGWIN /* Try restoration of UID if changed (test clearing of saved uid) */ @@ -220,18 +208,8 @@ permanently_set_uid(struct passwd *pw) debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); -#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); -#elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID) - if (setregid(pw->pw_gid, pw->pw_gid) < 0) - fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); -#else - if (setegid(pw->pw_gid) < 0) - fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); - if (setgid(pw->pw_gid) < 0) - fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); -#endif #ifdef __APPLE__ /* 
@@ -243,20 +221,8 @@ permanently_set_uid(struct passwd *pw) pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); #endif -#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID) if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); -#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID) - if (setreuid(pw->pw_uid, pw->pw_uid) < 0) - fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); -#else -# ifndef SETEUID_BREAKS_SETUID - if (seteuid(pw->pw_uid) < 0) - fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); -# endif - if (setuid(pw->pw_uid) < 0) - fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); -#endif #ifndef HAVE_CYGWIN /* Try restoration of GID if changed (test clearing of saved gid) */ -- cgit v1.2.1 From 2966fa65d5addb7c2f5f9715cdc99eab3e407622 Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 5 Nov 2012 06:07:43 +0000 Subject: - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that don't have it. Spotted by tim@. --- ChangeLog | 2 ++ auth2-pubkey.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 8cc7c8e7..ae555700 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,8 @@ openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids and gids from uidswap.c to the compat library, which allows it to work with the new setresuid calls in auth2-pubkey. with tim@, ok djm@ + - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that + don't have it. Spotted by tim@. 20121104 - (djm) OpenBSD CVS Sync diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 6a621701..f9cc6c2c 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -31,7 +31,9 @@ #include #include -#include +#ifdef HAVE_PATHS_H +# include +#endif #include #include #include -- cgit v1.2.1 From 01653f80e154e562454af9b036db0d8a2035c9b9 Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 6 Nov 2012 21:35:38 +0000 Subject: - eric@cvs.openbsd.org 2011/11/28 08:46:27 [moduli.5] fix formula ok djm@ --- ChangeLog | 7 +++++++ moduli.5 | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index ae555700..c754470f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20121107 + - (djm) OpenBSD CVS Sync + - eric@cvs.openbsd.org 2011/11/28 08:46:27 + [moduli.5] + fix formula + ok djm@ + 20121105 - (dtucker) [uidswap.c openbsd-compat/Makefile.in openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h diff --git a/moduli.5 b/moduli.5 index 0e01b941..aa7e0629 100644 --- a/moduli.5 +++ b/moduli.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: moduli.5,v 1.15 2010/10/14 20:41:28 jmc Exp $ +.\" $OpenBSD: moduli.5,v 1.16 2011/11/28 08:46:27 eric Exp $ .\" .\" Copyright (c) 2008 Damien Miller .\" @@ -13,7 +13,7 @@ .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd $Mdocdate: October 14 2010 $ +.Dd $Mdocdate: November 28 2011 $ .Dt MODULI 5 .Os .Sh NAME @@ -61,7 +61,7 @@ Unknown, not tested. .It 2 "Safe" prime; (p-1)/2 is also prime. .It 4 -Sophie Germain; (p+1)*2 is also prime. +Sophie Germain; 2p+1 is also prime. .El .Pp Moduli candidates initially produced by -- cgit v1.2.1 From cba512b94d481e01a680113878abd18cd269a6b2 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 6 Nov 2012 21:36:00 +0000 Subject: - jmc@cvs.openbsd.org 2012/09/26 17:34:38 [moduli.5] last stage of rfc changes, using consistent Rs/Re blocks, and moving the references into a STANDARDS section; --- ChangeLog | 4 ++++ moduli.5 | 11 ++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c754470f..24193233 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -4,6 +4,10 @@ [moduli.5] fix formula ok djm@ + - jmc@cvs.openbsd.org 2012/09/26 17:34:38 + [moduli.5] + last stage of rfc changes, using consistent Rs/Re blocks, and moving the + references into a STANDARDS section; 20121105 - (dtucker) [uidswap.c openbsd-compat/Makefile.in diff --git a/moduli.5 b/moduli.5 index aa7e0629..ef0de085 100644 --- a/moduli.5 +++ b/moduli.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: moduli.5,v 1.16 2011/11/28 08:46:27 eric Exp $ +.\" $OpenBSD: moduli.5,v 1.17 2012/09/26 17:34:38 jmc Exp $ .\" .\" Copyright (c) 2008 Damien Miller .\" @@ -13,7 +13,7 @@ .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd $Mdocdate: November 28 2011 $ +.Dd $Mdocdate: September 26 2012 $ .Dt MODULI 5 .Os .Sh NAME @@ -115,8 +115,13 @@ that best meets the size requirement. .Sh SEE ALSO .Xr ssh-keygen 1 , .Xr sshd 8 +.Sh STANDARDS .Rs +.%A M. Friedl +.%A N. Provos +.%A W. Simpson +.%D March 2006 .%R RFC 4419 -.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" +.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol .%D 2006 .Re -- cgit v1.2.1 From 6c805583837488190b307bf366fc62735c41bc55 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 14 Nov 2012 08:04:02 +0000 Subject: - djm@cvs.openbsd.org 2012/11/14 02:24:27 [auth2-pubkey.c] fix username passed to helper program prepare stdio fds before closefrom() spotted by landry@ --- ChangeLog | 9 +++++++++ auth2-pubkey.c | 32 ++++++++++++++++++-------------- 2 files changed, 27 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 24193233..0c018c29 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,12 @@ +20121114 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2012/11/14 02:24:27 + [auth2-pubkey.c] + fix username passed to helper program + prepare stdio fds before closefrom() + spotted by landry@ + + 20121107 - (djm) OpenBSD CVS Sync - eric@cvs.openbsd.org 2011/11/28 08:46:27 diff --git a/auth2-pubkey.c b/auth2-pubkey.c index f9cc6c2c..70d8996e 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.33 2012/11/14 02:24:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -504,8 +504,8 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) goto out; } - debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"", - options.authorized_keys_command, pw->pw_name); + debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"", + options.authorized_keys_command, user_pw->pw_name, pw->pw_name); /* * Don't want to call this in the child, where it can fatal() and @@ -523,7 +523,19 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) for (i = 0; i < NSIG; i++) signal(i, SIG_DFL); + if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { + error("%s: open %s: %s", __func__, _PATH_DEVNULL, + strerror(errno)); + _exit(1); + } + /* Keep stderr around a while longer to catch errors */ + if (dup2(devnull, STDIN_FILENO) == -1 || + dup2(p[1], STDOUT_FILENO) == -1) { + error("%s: dup2: %s", __func__, strerror(errno)); + _exit(1); + } closefrom(STDERR_FILENO + 1); + /* Don't use permanently_set_uid() here to avoid fatal() */ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { error("setresgid %u: %s", (u_int)pw->pw_gid, 
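Review bot: The comment `/* Keep stderr around a while longer to catch errors */` would be clearer if it said where stderr is finally redirected, since that happens further down the function after the gid/uid drop and just before execl(); something like `/* stderr stays attached until after the uid/gid drop so setres* failures are reported; it is pointed at /dev/null right before execl() */`. Note also that `devnull` and `p[1]` are not closed explicitly after the dup2() calls; the following `closefrom(STDERR_FILENO + 1)` takes care of them only because both sit above the stdio descriptors, which holds as long as fds 0-2 are open in the parent. user_key_command_allowed2() starts and ends outside this hunk.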
@@ -535,22 +547,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) strerror(errno)); _exit(1); } - - close(p[0]); - if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { - error("%s: open %s: %s", __func__, _PATH_DEVNULL, - strerror(errno)); - _exit(1); - } - if (dup2(devnull, STDIN_FILENO) == -1 || - dup2(p[1], STDOUT_FILENO) == -1 || - dup2(devnull, STDERR_FILENO) == -1) { + /* stdin is pointed to /dev/null at this point */ + if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) { error("%s: dup2: %s", __func__, strerror(errno)); _exit(1); } execl(options.authorized_keys_command, - options.authorized_keys_command, pw->pw_name, NULL); + options.authorized_keys_command, user_pw->pw_name, NULL); error("AuthorizedKeysCommand %s exec failed: %s", options.authorized_keys_command, strerror(errno)); -- cgit v1.2.1 From e6b13b8a1b2f87db874cd8079829921b257bdd1f Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 14 Nov 2012 08:04:33 +0000 Subject: - djm@cvs.openbsd.org 2012/11/14 02:32:15 [ssh-keygen.c] allow the full range of unsigned serial numbers; 'fine' deraadt@ --- ChangeLog | 4 +++- ssh-keygen.c | 12 +++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0c018c29..870f0cc8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,7 +5,9 @@ fix username passed to helper program prepare stdio fds before closefrom() spotted by landry@ - + - djm@cvs.openbsd.org 2012/11/14 02:32:15 + [ssh-keygen.c] + allow the full range of unsigned serial numbers; 'fine' deraadt@ 20121107 - (djm) OpenBSD CVS Sync diff --git a/ssh-keygen.c b/ssh-keygen.c index 11d1dd02..2d8af679 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.218 2012/10/02 07:07:45 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.219 2012/11/14 02:32:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
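Review bot: After `dup2(STDIN_FILENO, STDERR_FILENO)` the child's stderr is /dev/null, so the `error("AuthorizedKeysCommand %s exec failed: %s", ...)` on the last lines of this hunk reaches nothing if sshd is logging to stderr (for instance in debug mode); whether that matters depends on how error() is routed in the child, which this hunk does not show. If that message must reach stderr, the redirect would have to be deferred until after a saved duplicate of fd 2 is taken for the error() call; otherwise a one-line comment saying the exec-failure report goes to the log only would avoid the surprise. The comment `/* stdin is pointed to /dev/null at this point */` rests on the dup2() performed earlier in the function, outside this hunk.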
@@ -1937,7 +1937,7 @@ main(int argc, char **argv) { char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; char *checkpoint = NULL; - char out_file[MAXPATHLEN], *rr_hostname = NULL; + char out_file[MAXPATHLEN], *rr_hostname = NULL, *ep; Key *private, *public; struct passwd *pw; struct stat st; @@ -2145,9 +2145,11 @@ main(int argc, char **argv) parse_cert_times(optarg); break; case 'z': - cert_serial = strtonum(optarg, 0, LLONG_MAX, &errstr); - if (errstr) - fatal("Invalid serial number: %s", errstr); + errno = 0; + cert_serial = strtoull(optarg, &ep, 10); + if (*optarg < '0' || *optarg > '9' || *ep != '\0' || + (errno == ERANGE && cert_serial == ULLONG_MAX)) + fatal("Invalid serial number \"%s\"", optarg); break; case '?': default: -- cgit v1.2.1 From 861805262541d9a1d03b98924cdbcada24d6516d Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 2 Dec 2012 22:37:56 +0000 Subject: - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get TAILQ_FOREACH_SAFE needed for upcoming changes. --- ChangeLog | 4 ++++ openbsd-compat/sys-queue.h | 53 ++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 51 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 870f0cc8..09a095f1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20121203 + - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get + TAILQ_FOREACH_SAFE needed for upcoming changes. + 20121114 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2012/11/14 02:24:27 diff --git a/openbsd-compat/sys-queue.h b/openbsd-compat/sys-queue.h index 5cf0587b..28aaaa37 100644 --- a/openbsd-compat/sys-queue.h +++ b/openbsd-compat/sys-queue.h @@ -1,4 +1,4 @@ -/* $OpenBSD: queue.h,v 1.32 2007/04/30 18:42:34 pedro Exp $ */ +/* $OpenBSD: queue.h,v 1.36 2012/04/11 13:29:14 naddy Exp $ */ /* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ /* 
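Review bot: In the new `case 'z'` parsing the conjunct `cert_serial == ULLONG_MAX` is redundant: errno is cleared just above, and strtoull() sets ERANGE only when it returns ULLONG_MAX, so the condition can read `if (*optarg < '0' || *optarg > '9' || *ep != '\0' || errno == ERANGE)`. The first-character test is what rejects leading whitespace and a sign that strtoull() would otherwise accept silently, which deserves a one-line comment since it is not obvious from the code. The declaration of cert_serial is outside this hunk; the check assumes it is at least as wide as unsigned long long.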
@@ -202,10 +202,10 @@ struct { \ (var) != SLIST_END(head); \ (var) = SLIST_NEXT(var, field)) -#define SLIST_FOREACH_PREVPTR(var, varp, head, field) \ - for ((varp) = &SLIST_FIRST((head)); \ - ((var) = *(varp)) != SLIST_END(head); \ - (varp) = &SLIST_NEXT((var), field)) +#define SLIST_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = SLIST_FIRST(head); \ + (var) && ((tvar) = SLIST_NEXT(var, field), 1); \ + (var) = (tvar)) /* * Singly-linked List functions. @@ -224,7 +224,7 @@ struct { \ (head)->slh_first = (elm); \ } while (0) -#define SLIST_REMOVE_NEXT(head, elm, field) do { \ +#define SLIST_REMOVE_AFTER(elm, field) do { \ (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \ } while (0) @@ -276,6 +276,11 @@ struct { \ (var)!= LIST_END(head); \ (var) = LIST_NEXT(var, field)) +#define LIST_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = LIST_FIRST(head); \ + (var) && ((tvar) = LIST_NEXT(var, field), 1); \ + (var) = (tvar)) + /* * List functions. */ @@ -354,6 +359,11 @@ struct { \ (var) != SIMPLEQ_END(head); \ (var) = SIMPLEQ_NEXT(var, field)) +#define SIMPLEQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = SIMPLEQ_FIRST(head); \ + (var) && ((tvar) = SIMPLEQ_NEXT(var, field), 1); \ + (var) = (tvar)) + /* * Simple queue functions. */ @@ -385,6 +395,12 @@ struct { \ (head)->sqh_last = &(head)->sqh_first; \ } while (0) +#define SIMPLEQ_REMOVE_AFTER(head, elm, field) do { \ + if (((elm)->field.sqe_next = (elm)->field.sqe_next->field.sqe_next) \ + == NULL) \ + (head)->sqh_last = &(elm)->field.sqe_next; \ +} while (0) + /* * Tail queue definitions. */ 
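Review bot: This hunk drops `SLIST_FOREACH_PREVPTR` and renames `SLIST_REMOVE_NEXT` to `SLIST_REMOVE_AFTER` with a different argument list, in a compat header that stands in for the system queue.h on platforms that lack it; any in-tree caller of either name stops building there while continuing to build on OpenBSD. If the sync is meant to be drop-in, keeping the old names as thin aliases of the new ones is the safe option; otherwise the commit message should state the removals so the next person grepping for the old macros knows why.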
@@ -422,11 +438,24 @@ struct { \ (var) != TAILQ_END(head); \ (var) = TAILQ_NEXT(var, field)) +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST(head); \ + (var) != TAILQ_END(head) && \ + ((tvar) = TAILQ_NEXT(var, field), 1); \ + (var) = (tvar)) + + #define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ for((var) = TAILQ_LAST(head, headname); \ (var) != TAILQ_END(head); \ (var) = TAILQ_PREV(var, headname, field)) +#define TAILQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \ + for ((var) = TAILQ_LAST(head, headname); \ + (var) != TAILQ_END(head) && \ + ((tvar) = TAILQ_PREV(var, headname, field), 1); \ + (var) = (tvar)) + /* * Tail queue functions. */ @@ -526,11 +555,23 @@ struct { \ (var) != CIRCLEQ_END(head); \ (var) = CIRCLEQ_NEXT(var, field)) +#define CIRCLEQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = CIRCLEQ_FIRST(head); \ + (var) != CIRCLEQ_END(head) && \ + ((tvar) = CIRCLEQ_NEXT(var, field), 1); \ + (var) = (tvar)) + #define CIRCLEQ_FOREACH_REVERSE(var, head, field) \ for((var) = CIRCLEQ_LAST(head); \ (var) != CIRCLEQ_END(head); \ (var) = CIRCLEQ_PREV(var, field)) +#define CIRCLEQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \ + for ((var) = CIRCLEQ_LAST(head, headname); \ + (var) != CIRCLEQ_END(head) && \ + ((tvar) = CIRCLEQ_PREV(var, headname, field), 1); \ + (var) = (tvar)) + /* * Circular queue functions. */ -- cgit v1.2.1 From a6828771bb29200587d185e4cb28e909c9477582 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 2 Dec 2012 22:49:52 +0000 Subject: - djm@cvs.openbsd.org 2012/12/02 20:26:11 [ssh_config.5 sshconnect2.c] Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. ok markus@ --- ChangeLog | 6 ++++++ ssh_config.5 | 6 ++++-- sshconnect2.c | 29 ++++++++++++++++++++++++++--- 3 files changed, 36 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 09a095f1..199bca16 100644 
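Review bot: `CIRCLEQ_FOREACH_REVERSE_SAFE` calls `CIRCLEQ_LAST(head, headname)` and `CIRCLEQ_PREV(var, headname, field)`, but the `CIRCLEQ_FOREACH_REVERSE` macro directly above it uses `CIRCLEQ_LAST(head)` and `CIRCLEQ_PREV(var, field)`, so the new macro fails to expand the moment anything uses it. The SAFE variant should take the same arguments as its unsafe sibling: `#define CIRCLEQ_FOREACH_REVERSE_SAFE(var, head, field, tvar)`, `for ((var) = CIRCLEQ_LAST(head);` and `((tvar) = CIRCLEQ_PREV(var, field), 1);`. The TAILQ variants in the hunk above are consistent with their unsafe forms, so the problem is confined to this one macro.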
--- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,12 @@ 20121203 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get TAILQ_FOREACH_SAFE needed for upcoming changes. + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2012/12/02 20:26:11 + [ssh_config.5 sshconnect2.c] + Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. + This allows control of which keys are offered from tokens using + IdentityFile. ok markus@ 20121114 - (djm) OpenBSD CVS Sync diff --git a/ssh_config.5 b/ssh_config.5 index d3e801df..09a3cf03 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.158 2012/10/04 13:21:50 markus Exp $ -.Dd $Mdocdate: October 4 2012 $ +.\" $OpenBSD: ssh_config.5,v 1.159 2012/12/02 20:26:10 djm Exp $ +.Dd $Mdocdate: December 2 2012 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -602,6 +602,8 @@ should only use the authentication identity files configured in the files, even if .Xr ssh-agent 1 +or a +.Cm PKCS11Provider offers more identities. The argument to this keyword must be .Dq yes diff --git a/sshconnect2.c b/sshconnect2.c index 7c369d74..6791ea34 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.190 2012/12/02 20:26:11 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1359,7 +1359,7 @@ load_identity_file(char *filename) static void pubkey_prepare(Authctxt *authctxt) { - Identity *id; + Identity *id, *id2, *tmp; Idlist agent, files, *preferred; Key *key; AuthenticationConnection *ac; 
@@ -1371,7 +1371,7 @@ pubkey_prepare(Authctxt *authctxt) preferred = &authctxt->keys; TAILQ_INIT(preferred); /* preferred order of keys */ - /* list of keys stored in the filesystem */ + /* list of keys stored in the filesystem and PKCS#11 */ for (i = 0; i < options.num_identity_files; i++) { key = options.identity_keys[i]; if (key && key->type == KEY_RSA1) @@ -1384,6 +1384,29 @@ pubkey_prepare(Authctxt *authctxt) id->filename = xstrdup(options.identity_files[i]); TAILQ_INSERT_TAIL(&files, id, next); } + /* Prefer PKCS11 keys that are explicitly listed */ + TAILQ_FOREACH_SAFE(id, &files, next, tmp) { + if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0) + continue; + found = 0; + TAILQ_FOREACH(id2, &files, next) { + if (id2->key == NULL || + (id2->key->flags & KEY_FLAG_EXT) != 0) + continue; + if (key_equal(id->key, id2->key)) { + TAILQ_REMOVE(&files, id, next); + TAILQ_INSERT_TAIL(preferred, id, next); + found = 1; + break; + } + } + /* If IdentitiesOnly set and key not found then don't use it */ + if (!found && options.identities_only) { + TAILQ_REMOVE(&files, id, next); + bzero(id, sizeof(id)); + free(id); + } + } /* list of keys supported by the agent */ if ((ac = ssh_get_authentication_connection())) { for (key = ssh_get_first_identity(ac, &comment, 2); -- cgit v1.2.1 From 5a44af79bf16af18b9fe4974e065ed8570cc7e43 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 2 Dec 2012 22:50:24 +0000 Subject: - djm@cvs.openbsd.org 2012/12/02 20:42:15 [ssh-add.1 ssh-add.c] make deleting explicit keys "ssh-add -d" symmetric with adding keys - try to delete the corresponding certificate too and respect the -k option to allow deleting of the key only; feedback and ok markus@ --- ChangeLog | 5 +++++ ssh-add.1 | 14 +++++++------- ssh-add.c | 38 +++++++++++++++++++++++++++++++------- 3 files changed, 43 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 199bca16..7cea00cb 100644 --- a/ChangeLog +++ b/ChangeLog 
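Review bot: In the `!found && options.identities_only` branch, `bzero(id, sizeof(id))` clears only `sizeof(Identity *)` bytes — the size of the pointer, not the structure — and the `id->filename` string that was xstrdup()'d a few lines earlier in the same hunk is never released, so every PKCS#11 identity dropped here leaks its filename. The three lines should be `free(id->filename);`, `bzero(id, sizeof(*id));`, `free(id);`; `id->key` must not be freed here because it is owned by `options.identity_keys[]`, as the assignment `key = options.identity_keys[i]` above shows. pubkey_prepare() continues past the end of this hunk.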
@@ -7,6 +7,11 @@ Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. ok markus@ + - djm@cvs.openbsd.org 2012/12/02 20:42:15 + [ssh-add.1 ssh-add.c] + make deleting explicit keys "ssh-add -d" symmetric with adding keys - + try to delete the corresponding certificate too and respect the -k option + to allow deleting of the key only; feedback and ok markus@ 20121114 - (djm) OpenBSD CVS Sync diff --git a/ssh-add.1 b/ssh-add.1 index aec620de..af93762a 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.56 2011/10/18 05:00:48 djm Exp $ +.\" $OpenBSD: ssh-add.1,v 1.57 2012/12/02 20:42:15 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 18 2011 $ +.Dd $Mdocdate: December 2 2012 $ .Dt SSH-ADD 1 .Os .Sh NAME @@ -98,10 +98,10 @@ Deletes all identities from the agent. Instead of adding identities, removes identities from the agent. If .Nm -has been run without arguments, the keys for the default identities will -be removed. +has been run without arguments, the keys for the default identities and +their corresponding certificateswill be removed. Otherwise, the argument list will be interpreted as a list of paths to -public key files and matching keys will be removed from the agent. +public key files to specify keys and certificates to be removed from the agent. If no public key is found at a given path, .Nm will append 
@@ -111,8 +111,8 @@ and retry. Remove keys provided by the PKCS#11 shared library .Ar pkcs11 . .It Fl k -When loading keys into the agent, load plain private keys only and skip -certificates. +When loading keys into or deleting keys from the agent, process plain private +keys only and skip certificates. .It Fl L Lists public key parameters of all identities currently represented by the agent. diff --git a/ssh-add.c b/ssh-add.c index 738644d2..c8936e5a 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.103 2011/10/18 23:37:42 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.104 2012/12/02 20:42:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -96,10 +96,10 @@ clear_pass(void) } static int -delete_file(AuthenticationConnection *ac, const char *filename) +delete_file(AuthenticationConnection *ac, const char *filename, int key_only) { - Key *public; - char *comment = NULL; + Key *public = NULL, *cert = NULL; + char *certpath = NULL, *comment = NULL; int ret = -1; public = key_load_public(filename, &comment); @@ -113,8 +113,32 @@ delete_file(AuthenticationConnection *ac, const char *filename) } else fprintf(stderr, "Could not remove identity: %s\n", filename); - key_free(public); - xfree(comment); + if (key_only) + goto out; + + /* Now try to delete the corresponding certificate too */ + free(comment); + xasprintf(&certpath, "%s-cert.pub", filename); + if ((cert = key_load_public(certpath, &comment)) == NULL) + goto out; + if (!key_equal_public(cert, public)) + fatal("Certificate %s does not match private key %s", + certpath, filename); + + if (ssh_remove_identity(ac, cert)) { + fprintf(stderr, "Identity removed: %s (%s)\n", certpath, + comment); + ret = 0; + } else + fprintf(stderr, "Could not remove identity: %s\n", certpath); + + out: + if (cert != NULL) + key_free(cert); + if (public != NULL) + key_free(public); + free(certpath); + free(comment); return ret; } 
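Review bot: After `free(comment);` the pointer is left dangling and the following `key_load_public(certpath, &comment)` call is the only thing that can reassign it; if that call returns NULL without touching `comment` — which this hunk cannot show — the `goto out` path reaches `free(comment)` a second time. Writing `free(comment); comment = NULL;` makes the cleanup at `out:` safe whatever key_load_public() does on failure. Separately, the fatal() text `"Certificate %s does not match private key %s"` names a private key although `filename` was loaded with key_load_public() above; "public key" would be accurate.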
@@ -354,7 +378,7 @@ static int do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file) { if (deleting) { - if (delete_file(ac, file) == -1) + if (delete_file(ac, file, key_only) == -1) return -1; } else { if (add_file(ac, file, key_only) == -1) -- cgit v1.2.1 From ab33d4e6f4aca80d3c938fe2e142cdb5ab38d969 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 2 Dec 2012 22:50:54 +0000 Subject: - djm@cvs.openbsd.org 2012/12/02 20:46:11 [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] [sshd_config.5] make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@ --- ChangeLog | 6 ++++++ auth-options.c | 4 ++-- channels.c | 12 +++++------- servconf.c | 18 ++++++++++++++---- servconf.h | 10 ++++++++-- serverloop.c | 19 +++++++++++++------ session.c | 9 ++++++--- sshd_config.5 | 16 ++++++++++++++-- 8 files changed, 68 insertions(+), 26 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7cea00cb..cee03872 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,12 @@ make deleting explicit keys "ssh-add -d" symmetric with adding keys - try to delete the corresponding certificate too and respect the -k option to allow deleting of the key only; feedback and ok markus@ + - djm@cvs.openbsd.org 2012/12/02 20:46:11 + [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] + [sshd_config.5] + make AllowTcpForwarding accept "local" and "remote" in addition to its + current "yes"/"no" to allow the server to specify whether just local or + remote TCP forwarding is enabled. ok markus@ 20121114 - (djm) OpenBSD CVS Sync diff --git a/auth-options.c b/auth-options.c index 0e67bd8c..23d0423e 100644 --- a/auth-options.c +++ b/auth-options.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -349,7 +349,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) xfree(patterns); goto bad_option; } - if (options.allow_tcp_forwarding) + if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) channel_add_permitted_opens(host, port); xfree(patterns); goto next_option; diff --git a/channels.c b/channels.c index 7791febd..9cf85a38 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -3165,12 +3165,10 @@ channel_add_adm_permitted_opens(char *host, int port) void channel_disable_adm_local_opens(void) { - if (num_adm_permitted_opens == 0) { - permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); - permitted_adm_opens[num_adm_permitted_opens].host_to_connect - = NULL; - num_adm_permitted_opens = 1; - } + channel_clear_adm_permitted_opens(); + permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); + permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL; + num_adm_permitted_opens = 1; } void diff --git a/servconf.c b/servconf.c index b90dba63..21b371c8 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.232 2012/11/04 11:09:15 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.233 2012/12/02 20:46:11 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
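Review bot: `channel_disable_adm_local_opens()` writes `permitted_adm_opens[num_adm_permitted_opens]` immediately after `channel_clear_adm_permitted_opens()`, so the one-element allocation is indexed correctly only if the clear routine resets the counter to zero, which is not visible in this hunk. Indexing element 0 explicitly, `permitted_adm_opens[0].host_to_connect = NULL;`, removes that dependency and makes it plain that the array holds exactly one terminating entry. The servconf.c hunk in this commit drops its own call to channel_clear_adm_permitted_opens() on the strength of this function doing it, so a one-line comment above the xmalloc() stating that the function always starts from an empty list would protect that assumption.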
@@ -250,7 +250,7 @@ fill_default_server_options(ServerOptions *options) if (options->compression == -1) options->compression = COMP_DELAYED; if (options->allow_tcp_forwarding == -1) - options->allow_tcp_forwarding = 1; + options->allow_tcp_forwarding = FORWARD_ALLOW; if (options->allow_agent_forwarding == -1) options->allow_agent_forwarding = 1; if (options->gateway_ports == -1) @@ -786,6 +786,14 @@ static const struct multistate multistate_privsep[] = { { "no", PRIVSEP_OFF }, { NULL, -1 } }; +static const struct multistate multistate_tcpfwd[] = { + { "yes", FORWARD_ALLOW }, + { "all", FORWARD_ALLOW }, + { "no", FORWARD_DENY }, + { "remote", FORWARD_REMOTE }, + { "local", FORWARD_LOCAL }, + { NULL, -1 } +}; int process_server_config_line(ServerOptions *options, char *line, @@ -1143,7 +1151,8 @@ process_server_config_line(ServerOptions *options, char *line, case sAllowTcpForwarding: intptr = &options->allow_tcp_forwarding; - goto parse_flag; + multistate_ptr = multistate_tcpfwd; + goto parse_multistate; case sAllowAgentForwarding: intptr = &options->allow_agent_forwarding; @@ -1423,7 +1432,6 @@ process_server_config_line(ServerOptions *options, char *line, } if (strcmp(arg, "none") == 0) { if (*activep && n == -1) { - channel_clear_adm_permitted_opens(); options->num_permitted_opens = 1; channel_disable_adm_local_opens(); } @@ -1780,6 +1788,8 @@ fmt_intarg(ServerOpCodes code, int val) return fmt_multistate_int(val, multistate_compression); case sUsePrivilegeSeparation: return fmt_multistate_int(val, multistate_privsep); + case sAllowTcpForwarding: + return fmt_multistate_int(val, multistate_tcpfwd); case sProtocol: switch (val) { case SSH_PROTO_1: diff --git a/servconf.h b/servconf.h index 68fcdb76..a23ef7f3 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.105 2012/11/04 11:09:15 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.106 2012/12/02 20:46:11 djm Exp $ */ /* * Author: Tatu Ylonen 
@@ -42,6 +42,12 @@ #define PRIVSEP_ON 1 #define PRIVSEP_NOSANDBOX 2 +/* AllowTCPForwarding */ +#define FORWARD_DENY 0 +#define FORWARD_REMOTE (1) +#define FORWARD_LOCAL (1<<1) +#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL) + #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ @@ -116,7 +122,7 @@ typedef struct { int permit_user_env; /* If true, read ~/.ssh/environment */ int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ - int allow_tcp_forwarding; + int allow_tcp_forwarding; /* One of FORWARD_* */ int allow_agent_forwarding; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; diff --git a/serverloop.c b/serverloop.c index 741c5bef..14e60c6d 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt) static Channel * server_request_direct_tcpip(void) { - Channel *c; + Channel *c = NULL; char *target, *originator; u_short target_port, originator_port; @@ -963,9 +963,16 @@ server_request_direct_tcpip(void) debug("server_request_direct_tcpip: originator %s port %d, target %s " "port %d", originator, originator_port, target, target_port); - /* XXX check permission */ - c = channel_connect_to(target, target_port, - "direct-tcpip", "direct-tcpip"); + /* XXX fine grained permissions */ + if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && + !no_port_forwarding_flag) { + c = channel_connect_to(target, target_port, + "direct-tcpip", "direct-tcpip"); + } else { + logit("refused local port forward: " + "originator %s port %d, target %s port %d", + originator, originator_port, target, target_port); + } xfree(originator); xfree(target); 
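Review bot: `FORWARD_REMOTE (1)` sits next to `FORWARD_LOCAL (1<<1)`; writing it as `(1<<0)` makes the bit-flag intent uniform and discourages someone later from treating the values as an enumeration rather than a mask. The comment `/* AllowTCPForwarding */` also differs in case from the keyword `AllowTcpForwarding` used in servconf.c and sshd_config.5, which hurts grepping. Since FORWARD_ALLOW is a combination rather than one of the flags, the field comment would be more accurate as `/* Bitmask of FORWARD_* */`.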
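Review bot: The refusal `logit()` prints the client-supplied `originator` and `target` strings with unbounded `%s`, whereas log lines elsewhere in this tree tend to bound attacker-influenced strings (the auth.c hunk of a later commit on this page uses `%.100s` and `%.200s`); `%.200s` for both would keep the refused-forward line bounded. The preceding debug() uses the same unbounded form, so this is a pre-existing style, but the new line is emitted for every refused request rather than only under debug and is the one more likely to reach a log collector. The `/* XXX fine grained permissions */` marker should say what is missing (per-destination checks) so it is actionable.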
@@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) listen_address, listen_port); /* check permissions */ - if (!options.allow_tcp_forwarding || + if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || no_port_forwarding_flag || (!want_reply && listen_port == 0) #ifndef NO_IPPORT_RESERVED_CONCEPT diff --git a/session.c b/session.c index 65bf2877..643e7fc5 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */ +/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -273,7 +273,10 @@ do_authenticated(Authctxt *authctxt) setproctitle("%s", authctxt->pw->pw_name); /* setup the channel layer */ - if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + if (no_port_forwarding_flag || + (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) + channel_disable_adm_local_opens(); + else channel_permit_all_opens(); auth_debug_send(); @@ -383,7 +386,7 @@ do_authenticated1(Authctxt *authctxt) debug("Port forwarding not permitted for this authentication."); break; } - if (!options.allow_tcp_forwarding) { + if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) { debug("Port forwarding not permitted."); break; } diff --git a/sshd_config.5 b/sshd_config.5 index 05f3374f..d2c4db55 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.149 2012/11/04 11:09:15 djm Exp $ -.Dd $Mdocdate: November 4 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.150 2012/12/02 20:46:11 djm Exp $ +.Dd $Mdocdate: December 2 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
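Review bot: `if (!(options.allow_tcp_forwarding & FORWARD_REMOTE))` in do_authenticated1 spells the mask test differently from the `(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0` form used in do_authenticated above and in the auth-options.c and serverloop.c hunks of this commit; using the `== 0` form throughout keeps all the sites greppable. In the do_authenticated hunk, a one-line comment explaining that channel_disable_adm_local_opens() installs an empty administrative allow-list (so direct-tcpip requests are refused) versus channel_permit_all_opens() would help, since the old code simply skipped the call when forwarding was disallowed. Both enclosing functions start and end outside these hunks.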
@@ -124,6 +124,18 @@ in
 for more information on patterns.
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
+The available options are
+.Dq yes
+or
+.Dq all
+to allow TCP forwarding,
+.Dq no
+to prevent all TCP forwarding,
+.Dq local
+to allow local (from the perspective of
+.Xr ssh 1 ) forwarding only or
+.Dq remote
+to allow remote forwarding only.
 The default is
 .Dq yes .
 Note that disabling TCP forwarding does not improve security unless
-- cgit v1.2.1
From cb96412cfb3643defe567644706f8ff213b5ba7e Mon Sep 17 00:00:00 2001
From: djm
Date: Sun, 2 Dec 2012 22:53:20 +0000
Subject: - djm@cvs.openbsd.org 2012/12/02 20:34:10 [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] [monitor.c monitor.h] Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state. Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive. Fix multiple authentication when one of the methods is keyboard-interactive. ok markus@
---
 ChangeLog | 14 +++++++++++
 auth.c | 12 ++++++---
 auth.h | 10 +++++---
 auth1.c | 8 +++---
 auth2-chall.c | 12 ++++-----
 auth2-gss.c | 8 +++---
 auth2-jpake.c | 4 +--
 auth2.c | 37 ++++++++++++++-------------
 monitor.c | 25 +++++++++++++------
 monitor.h | 80 +++++++++++++++++++++++++++++++----------------------------
 10 files changed, 123 insertions(+), 87 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index cee03872..9ed71592 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -29,6 +29,20 @@
 - djm@cvs.openbsd.org 2012/11/14 02:32:15
 [ssh-keygen.c]
 allow the full range of unsigned serial numbers; 'fine' deraadt@
+ - djm@cvs.openbsd.org 2012/12/02 20:34:10
+ [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
+ [monitor.c monitor.h]
+ Fixes logging of partial authentication when privsep is enabled
+ Previously, we recorded "Failed xxx" since we reset authenticated before
+ calling auth_log() in auth2.c. This adds an explcit "Partial" state.
+
+ Add a "submethod" to auth_log() to report which submethod is used
+ for keyboard-interactive.
+
+ Fix multiple authentication when one of the methods is
+ keyboard-interactive.
+
+ ok markus@
 20121107
 - (djm) OpenBSD CVS Sync
diff --git a/auth.c b/auth.c
index b5e1eefa..7bc6f402 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.97 2012/10/30 21:29:54 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.98 2012/12/02 20:34:09 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
 }
 void
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
+auth_log(Authctxt *authctxt, int authenticated, int partial,
+ const char *method, const char *submethod, const char *info)
 {
 void (*authlog) (const char *fmt,...) = verbose;
 char *authmsg;
@@ -268,12 +269,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 if (authctxt->postponed)
 authmsg = "Postponed";
+ else if (partial)
+ authmsg = "Partial";
 else
 authmsg = authenticated ? "Accepted" : "Failed";
- authlog("%s %s for %s%.100s from %.200s port %d%s",
+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
 authmsg,
 method,
+ submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
 authctxt->valid ? "" : "invalid user ",
 authctxt->user,
 get_remote_ipaddr(),
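Review bot: The new submethod is printed with an unbounded `%s` while user is bounded with `%.100s`; every caller visible in this commit passes either a string literal, NULL, or `kbdintctxt->device->name`, so the value is server-chosen and the missing bound is harmless today, but nothing records that invariant. A comment on the parameter in the signature hunk above, `/* submethod: server-chosen name (e.g. "pam"), never client-supplied text */`, would stop a future caller from feeding client data into a log line without a width limit. Separately, the two conditionals `submethod != NULL ? "/" : ""` and `submethod == NULL ? "" : submethod` test the same pointer in opposite senses; `submethod != NULL ? submethod : ""` reads more easily next to its sibling. The authlog() call continues past the end of the hunk.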
@@ -303,7 +307,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 * Check whether root logins are disallowed.
 */
 int
-auth_root_allowed(char *method)
+auth_root_allowed(const char *method)
 {
 switch (options.permit_root_login) {
 case PERMIT_YES:
diff --git a/auth.h b/auth.h
index 8920c7da..c6fe8472 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.71 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -148,10 +148,12 @@ void disable_forwarding(void);
 void do_authentication(Authctxt *);
 void do_authentication2(Authctxt *);
-void auth_log(Authctxt *, int, char *, char *);
-void userauth_finish(Authctxt *, int, char *);
+void auth_log(Authctxt *, int, int, const char *, const char *,
+ const char *);
+void userauth_finish(Authctxt *, int, const char *, const char *);
+int auth_root_allowed(const char *);
+
 void userauth_send_banner(const char *);
-int auth_root_allowed(char *);
 char *auth2_read_banner(void);
 int auth2_methods_valid(const char *, int);
diff --git a/auth1.c b/auth1.c
index fb37fadf..6eea8d81 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth1.c,v 1.76 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -253,7 +253,8 @@ do_authloop(Authctxt *authctxt)
 if (options.use_pam && (PRIVSEP(do_pam_account())))
 #endif
 {
- auth_log(authctxt, 1, "without authentication", "");
+ auth_log(authctxt, 1, 0, "without authentication",
+ NULL, "");
 return;
 }
 }
@@ -352,7 +353,8 @@ do_authloop(Authctxt *authctxt)
 skip:
 /* Log before sending the reply */
- auth_log(authctxt, authenticated, get_authname(type), info);
+ auth_log(authctxt, authenticated, 0, get_authname(type),
+ NULL, info);
 if (client_user != NULL) {
 xfree(client_user);
diff --git a/auth2-chall.c b/auth2-chall.c
index e6dbffe2..8fdb3349 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.34 2008/12/09 04:32:22 djm Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.35 2012/12/02 20:34:09 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2001 Per Allansson. All rights reserved.
@@ -283,7 +283,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 KbdintAuthctxt *kbdintctxt;
 int authenticated = 0, res;
 u_int i, nresp;
- char **response = NULL, *method;
+ char *devicename = NULL, **response = NULL;
 if (authctxt == NULL)
 fatal("input_userauth_info_response: no authctxt");
@@ -329,9 +329,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 /* Failure! */
 break;
 }
-
- xasprintf(&method, "keyboard-interactive/%s", kbdintctxt->device->name);
-
+ devicename = kbdintctxt->device->name;
 if (!authctxt->postponed) {
 if (authenticated) {
 auth2_challenge_stop(authctxt);
@@ -341,8 +339,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 auth2_challenge_start(authctxt);
 }
 }
- userauth_finish(authctxt, authenticated, method);
- xfree(method);
+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
+ devicename);
 }
 void
diff --git a/auth2-gss.c b/auth2-gss.c
index 0d59b217..93d576bf 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 }
 authctxt->postponed = 0;
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
- userauth_finish(authctxt, 0, "gssapi-with-mic");
+ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
 } else {
 if (send_tok.length != 0) {
 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
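Review bot: `devicename` is now a borrowed pointer into `kbdintctxt->device->name` (hunk @@ -329) that is used by the userauth_finish() call in hunk @@ -341 after `auth2_challenge_stop(authctxt)` has run on the success path, and that call appears to tear down the kbdint context; this is only safe if the device's name string outlives the context, which looks to be the case if `device` points into a static device table, but nothing in the hunk says so. The removed xasprintf() copied the name into an owned string before this point, so the lifetime dependency is new with this commit. A comment at the assignment, `/* borrowed: device names are static and outlive auth2_challenge_stop() */` (confirm against the device table), would record the assumption. input_userauth_info_response starts before the first of these hunks.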
@@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
 }
 static void
@@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
 }
 Authmethod method_gssapi = {
diff --git a/auth2-jpake.c b/auth2-jpake.c
index a460e821..ed0eba47 100644
--- a/auth2-jpake.c
+++ b/auth2-jpake.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-jpake.c,v 1.4 2010/08/31 11:54:45 djm Exp $ */
+/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */
 /*
 * Copyright (c) 2008 Damien Miller. All rights reserved.
 *
@@ -556,7 +556,7 @@ input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt)
 authctxt->postponed = 0;
 jpake_free(authctxt->jpake_ctx);
 authctxt->jpake_ctx = NULL;
- userauth_finish(authctxt, authenticated, method_jpake.name);
+ userauth_finish(authctxt, authenticated, method_jpake.name, NULL);
 }
 #endif /* JPAKE */
diff --git a/auth2.c b/auth2.c
index 8114ec86..e367a104 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -286,7 +286,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 debug2("input_userauth_request: try method %s", method);
 authenticated = m->userauth(authctxt);
 }
- userauth_finish(authctxt, authenticated, method);
+ userauth_finish(authctxt, authenticated, method, NULL);
 xfree(service);
 xfree(user);
@@ -294,7 +294,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 }
 void
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
+ const char *submethod)
 {
 char *methods;
 int partial = 0;
@@ -302,6 +303,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 if (!authctxt->valid && authenticated)
 fatal("INTERNAL ERROR: authenticated invalid user %s",
 authctxt->user);
+ if (authenticated && authctxt->postponed)
+ fatal("INTERNAL ERROR: authenticated and postponed");
 /* Special handling for root */
 if (authenticated && authctxt->pw->pw_uid == 0 &&
@@ -312,6 +315,19 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #endif
 }
+ if (authenticated && options.num_auth_methods != 0) {
+ if (!auth2_update_methods_lists(authctxt, method)) {
+ authenticated = 0;
+ partial = 1;
+ }
+ }
+
+ /* Log before sending the reply */
+ auth_log(authctxt, authenticated, partial, method, submethod, " ssh2");
+
+ if (authctxt->postponed)
+ return;
+
 #ifdef USE_PAM
 if (options.use_pam && authenticated) {
 if (!PRIVSEP(do_pam_account())) {
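Review bot: Moving auth_log() ahead of the `#ifdef USE_PAM` block in hunk @@ -312 changes what is logged when PAM account management rejects a user: the line is now written while `authenticated` is still 1, so a do_pam_account() denial handled in the lines after the hunk would be preceded by an "Accepted" entry, whereas the removed block in the next hunk shows auth_log() used to run after both the PAM and the _UNICOS checks. If that path still turns the attempt into a failure it needs its own log line, or the account checks should run before auth_log() as before; at minimum a comment on the new call, `/* NOTE: do_pam_account() below can still deny an attempt logged here as Accepted */`, should record the ordering. The body of the PAM block is outside the hunk, so whether it clears `authenticated` is inferred, not seen. userauth_finish continues past the hunk.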
@@ -330,23 +346,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #ifdef _UNICOS
 if (authenticated && cray_access_denied(authctxt->user)) {
 authenticated = 0;
- fatal("Access denied for user %s.",authctxt->user);
+ fatal("Access denied for user %s.", authctxt->user);
 }
 #endif /* _UNICOS */
- /* Log before sending the reply */
- auth_log(authctxt, authenticated, method, " ssh2");
-
- if (authctxt->postponed)
- return;
-
- if (authenticated && options.num_auth_methods != 0) {
- if (!auth2_update_methods_lists(authctxt, method)) {
- authenticated = 0;
- partial = 1;
- }
- }
-
 if (authenticated == 1) {
 /* turn off userauth */
 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
diff --git a/monitor.c b/monitor.c
index 0adbf3a6..1cfc4875 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.118 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.119 2012/12/02 20:34:10 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos
 * Copyright 2002 Markus Friedl
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
 static char *hostbased_cuser = NULL;
 static char *hostbased_chost = NULL;
 static char *auth_method = "unknown";
+static char *auth_submethod = NULL;
 static u_int session_id2_len = 0;
 static u_char *session_id2 = NULL;
 static pid_t monitor_child_pid;
@@ -352,7 +353,7 @@ void monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 {
 struct mon_table *ent;
- int authenticated = 0;
+ int authenticated = 0, partial = 0;
 debug3("preauth child monitor started");
@@ -379,7 +380,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 /* The first few requests do not require asynchronous access */
 while (!authenticated) {
+ partial = 0;
 auth_method = "unknown";
+ auth_submethod = NULL;
 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 /* Special handling for multiple required authentications */
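Review bot: `auth_submethod` in the monitor.c hunk @@ -199 is declared `static char *` but only ever receives string literals in this commit and is passed to the new `const char *` parameters of auth_log(), so `static const char *auth_submethod = NULL;` states that nothing writes through it and lets the compiler enforce that. The same applies to `auth_method` on the line above, which the PAM answer functions also set from literals. Style only; no behaviour change.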
@@ -393,6 +396,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 debug3("%s: method %s: partial", __func__, auth_method);
 authenticated = 0;
+ partial = 1;
 }
 }
@@ -417,7 +421,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 #endif
 }
 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
- auth_log(authctxt, authenticated, auth_method,
+ auth_log(authctxt, authenticated, partial,
+ auth_method, auth_submethod,
 compat20 ? " ssh2" : "");
 if (!authenticated)
 authctxt->failures++;
@@ -943,7 +948,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
 if (compat20)
- auth_method = "keyboard-interactive";
+ auth_method = "keyboard-interactive"; /* XXX auth_submethod */
 else
 auth_method = "bsdauth";
@@ -1084,7 +1089,8 @@ mm_answer_pam_query(int sock, Buffer *m)
 xfree(prompts);
 if (echo_on != NULL)
 xfree(echo_on);
- auth_method = "keyboard-interactive/pam";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
 return (0);
 }
@@ -1113,7 +1119,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
 buffer_clear(m);
 buffer_put_int(m, ret);
 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
- auth_method = "keyboard-interactive/pam";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
 if (ret == 0)
 sshpam_authok = sshpam_ctxt;
 return (0);
@@ -1127,7 +1134,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
 (sshpam_device.free_ctx)(sshpam_ctxt);
 buffer_clear(m);
 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
- auth_method = "keyboard-interactive/pam";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
 return (sshpam_authok == sshpam_ctxt);
 }
 #endif
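Review bot: The bsdauth path in mm_answer_bsdauthrespond (hunk @@ -943) leaves `auth_submethod` NULL behind an `/* XXX auth_submethod */` marker while the three PAM hunks (@@ -1084, @@ -1113, @@ -1127) set `auth_submethod = "pam"`, so the monitor-side log line produced by the auth_log() call in hunk @@ -417 will read `keyboard-interactive` for bsdauth but `keyboard-interactive/pam` for PAM. If the bsdauth device name is `bsdauth`, as the `else` branch's `auth_method = "bsdauth";` suggests, adding `auth_submethod = "bsdauth";` in the compat20 branch makes the two paths consistent and resolves the XXX. The submethod value for the unprivileged child's log line is chosen elsewhere (auth2-chall.c), so confirm the two agree before changing it.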
@@ -1201,7 +1209,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
 hostbased_chost = chost;
 } else {
 /* Log failed attempt */
- auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
+ auth_log(authctxt, 0, 0, auth_method, NULL,
+ compat20 ? " ssh2" : "");
 xfree(blob);
 xfree(cuser);
 xfree(chost);
diff --git a/monitor.h b/monitor.h
index 5e7d552f..2caa4693 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.16 2011/06/17 21:44:31 djm Exp $ */
+/* $OpenBSD: monitor.h,v 1.17 2012/12/02 20:34:10 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos
@@ -28,44 +28,48 @@
 #ifndef _MONITOR_H_
 #define _MONITOR_H_
+/* Please keep *_REQ_* values on even numbers and *_ANS_* on odd numbers */
 enum monitor_reqtype {
- MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
- MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
- MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
- MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
- MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
- MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
- MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND,
- MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY,
- MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND,
- MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED,
- MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY,
- MONITOR_REQ_KEYEXPORT,
- MONITOR_REQ_PTY, MONITOR_ANS_PTY,
- MONITOR_REQ_PTYCLEANUP,
- MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY,
- MONITOR_REQ_SESSID,
- MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
- MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
- MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
- MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
- MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
- MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
- MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC,
- MONITOR_REQ_PAM_START,
- MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
- MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
- MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
- MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
- MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
- MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
- MONITOR_REQ_TERM,
- MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
- MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
- MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
- MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
- MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
+ MONITOR_REQ_MODULI = 0, MONITOR_ANS_MODULI = 1,
+ MONITOR_REQ_FREE = 2,
+ MONITOR_REQ_AUTHSERV = 4,
+ MONITOR_REQ_SIGN = 6, MONITOR_ANS_SIGN = 7,
+ MONITOR_REQ_PWNAM = 8, MONITOR_ANS_PWNAM = 9,
+ MONITOR_REQ_AUTH2_READ_BANNER = 10, MONITOR_ANS_AUTH2_READ_BANNER = 11,
+ MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
+ MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
+ MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
+ MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19,
+ MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21,
+ MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
+ MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
+ MONITOR_REQ_KEYEXPORT = 26,
+ MONITOR_REQ_PTY = 28, MONITOR_ANS_PTY = 29,
+ MONITOR_REQ_PTYCLEANUP = 30,
+ MONITOR_REQ_SESSKEY = 32, MONITOR_ANS_SESSKEY = 33,
+ MONITOR_REQ_SESSID = 34,
+ MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
+ MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
+ MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
+ MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43,
+ MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
+ MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
+ MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
+ MONITOR_REQ_TERM = 50,
+ MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53,
+ MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55,
+ MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
+ MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
+ MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
+
+ MONITOR_REQ_PAM_START = 100,
+ MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
+ MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
+ MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
+ MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
+ MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
+ MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
+
 };
 struct mm_master;
-- cgit v1.2.1
From c568294a73bc866e2204efe0fe46d347b2f30f87 Mon Sep 17 00:00:00 2001
From: djm
Date: Sun, 2 Dec 2012 23:06:37 +0000
Subject: - dtucker@cvs.openbsd.org 2012/10/05 02:05:30 [regress/multiplex.sh] Use 'kill -0' to test for the presence of a pid since it's more portable
---
 ChangeLog | 3 +++
 regress/multiplex.sh | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9ed71592..51cba6ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,9 @@
 keyboard-interactive.
 ok markus@
+ - dtucker@cvs.openbsd.org 2012/10/05 02:05:30
+ [regress/multiplex.sh]
+ Use 'kill -0' to test for the presence of a pid since it's more portable
 20121107
 - (djm) OpenBSD CVS Sync
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index f93ac9a4..1e6cc760 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: multiplex.sh,v 1.16 2012/09/10 01:51:19 dtucker Exp $
+# $OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $
 # Placed in the Public Domain.
 CTL=/tmp/openssh.regress.ctl-sock.$$
@@ -96,7 +96,7 @@ ${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \
 # Wait for master to exit
 wait $MASTER_PID
-kill -0 $MASTER_PID >/dev/null && fail "exit command failed"
+kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
 # Restart master and test -O stop command with master using -N
 verbose "test $tid: cmd stop"
@@ -117,4 +117,4 @@ wait $SLEEP_PID
 [ $! != 0 ] || fail "waiting for concurrent command"
 wait $MASTER_PID
 [ $! != 0 ] || fail "waiting for master stop"
-kill -0 $MASTER_PID >/dev/null && fail "stop command failed"
+kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed"
-- cgit v1.2.1
From 479f770f5ad95c7808a3a13c2cc3d0b7e1ec0b9a Mon Sep 17 00:00:00 2001
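Review bot: The new comment at the top of the monitor.h hunk asks for `*_REQ_*` on even and `*_ANS_*` on odd values, but the last added entry breaks it: `MONITOR_REQ_AUDIT_COMMAND = 113` is a request on an odd number, packed on one line with `MONITOR_REQ_AUDIT_EVENT = 112` as if it were its answer. If the parity rule is meant to be relied on, `MONITOR_REQ_AUDIT_COMMAND = 114,` keeps it; if it is only advisory, the comment should say so. The reason for moving to explicit values (and for starting the PAM block at 100) is not stated; if it is to keep the request numbers stable between monitor and child regardless of build options, one sentence in the same comment would make the intent checkable.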
From: djm Date: Sun, 2 Dec 2012 23:08:25 +0000 Subject: - dtucker@cvs.openbsd.org 2012/10/05 02:20:48 [regress/cipher-speed.sh regress/try-ciphers.sh] Add umac-128@openssh.com to the list of MACs to be tested --- ChangeLog | 3 +++ regress/cipher-speed.sh | 5 +++-- regress/try-ciphers.sh | 5 +++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 51cba6ee..517e9c47 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@ + - dtucker@cvs.openbsd.org 2012/10/05 02:20:48 + [regress/cipher-speed.sh regress/try-ciphers.sh] + Add umac-128@openssh.com to the list of MACs to be tested 20121114 - (djm) OpenBSD CVS Sync diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 5800f4b0..4f26f7e9 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.5 2012/06/28 05:07:45 dtucker Exp $ +# $OpenBSD: cipher-speed.sh,v 1.6 2012/10/05 02:20:48 dtucker Exp $ # Placed in the Public Domain. tid="cipher speed" @@ -16,7 +16,8 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com + hmac-sha1-96 hmac-md5-96" config_defined HAVE_EVP_SHA256 && macs="$macs hmac-sha2-256 hmac-sha2-512" diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 0887979d..cf601429 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.14 2012/09/06 04:11:07 dtucker Exp $ +# $OpenBSD: try-ciphers.sh,v 1.15 2012/10/05 02:20:48 dtucker Exp $ # Placed in the Public Domain. tid="try ciphers" 
@@ -7,7 +7,8 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com + hmac-sha1-96 hmac-md5-96" config_defined HAVE_EVP_SHA256 && macs="$macs hmac-sha2-256 hmac-sha2-512" -- cgit v1.2.1 From 19babf07a42ced1b5ccace27f8322b0ffd291577 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 2 Dec 2012 23:09:04 +0000 Subject: - djm@cvs.openbsd.org 2012/10/19 05:10:42 [regress/cert-userkey.sh] include a serial number when generating certs --- ChangeLog | 3 +++ regress/cert-userkey.sh | 7 +++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 517e9c47..ed4a60c7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,9 @@ - dtucker@cvs.openbsd.org 2012/10/05 02:20:48 [regress/cipher-speed.sh regress/try-ciphers.sh] Add umac-128@openssh.com to the list of MACs to be tested + - djm@cvs.openbsd.org 2012/10/19 05:10:42 + [regress/cert-userkey.sh] + include a serial number when generating certs 20121114 - (djm) OpenBSD CVS Sync diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 6700db27..aa85cd6c 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.9 2012/10/19 05:10:42 djm Exp $ # Placed in the Public Domain. tid="certified user keys" 
@@ -22,9 +22,8 @@ for ktype in rsa dsa $ecdsa ; do ${SSHKEYGEN} -q -N '' -t ${ktype} \ -f $OBJ/cert_user_key_${ktype} || \ fail "ssh-keygen of cert_user_key_${ktype} failed" - ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ - "regress user key for $USER" \ - -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || + ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ + -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" # v00 ecdsa certs do not exist test "${ktype}" = "ecdsa" && continue -- cgit v1.2.1 From 7f816e93b65a1d04f75a6f85a1351cb7e3d36ff1 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 2 Dec 2012 23:12:13 +0000 Subject: - djm@cvs.openbsd.org 2012/11/22 22:49:30 [regress/Makefile regress/keys-command.sh] regress for AuthorizedKeysCommand; hints from markus@ --- ChangeLog | 3 +++ regress/Makefile | 5 +++-- regress/keys-command.sh | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 regress/keys-command.sh diff --git a/ChangeLog b/ChangeLog index ed4a60c7..873d81d5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,9 @@ - djm@cvs.openbsd.org 2012/10/19 05:10:42 [regress/cert-userkey.sh] include a serial number when generating certs + - djm@cvs.openbsd.org 2012/11/22 22:49:30 + [regress/Makefile regress/keys-command.sh] + regress for AuthorizedKeysCommand; hints from markus@ 20121114 - (djm) OpenBSD CVS Sync diff --git a/regress/Makefile b/regress/Makefile index f114c27e..dcc80b73 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.58 2011/01/06 22:46:21 djm Exp $ +# $OpenBSD: Makefile,v 1.59 2012/11/22 22:49:30 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) 
@@ -57,7 +57,8 @@ LTESTS= connect \
 kextype \
 cert-hostkey \
 cert-userkey \
- host-expand
+ host-expand \
+ keys-command
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
new file mode 100644
index 00000000..09f4db4b
--- /dev/null
+++ b/regress/keys-command.sh
@@ -0,0 +1,33 @@
+# $OpenBSD: keys-command.sh,v 1.1 2012/11/22 22:49:30 djm Exp $
+# Placed in the Public Domain.
+
+tid="authorized keys from command"
+
+if test -z "$SUDO" ; then
+ echo "skipped (SUDO not set)"
+ echo "need SUDO to create file in /var/run, test won't work without"
+ exit 0
+fi
+
+# Establish a AuthorizedKeysCommand in /var/run where it will have
+# acceptable directory permissions.
+KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
+#!/bin/sh
+test "x\$1" -ne "x${LOGNAME}" && exit 1
+exec cat "$OBJ/authorized_keys_${LOGNAME}"
+_EOF
+$SUDO chmod 0755 "$KEY_COMMAND"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
+(
+ grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
+ echo AuthorizedKeysFile none
+ echo AuthorizedKeysCommand $KEY_COMMAND
+ echo AuthorizedKeysCommandUser ${LOGNAME}
+) > $OBJ/sshd_proxy
+
+${SSH} -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+ fail "connect failed"
+fi
-- cgit v1.2.1
From 8d5b36555c074ecb26234a4cdd139a0eb141be13 Mon Sep 17 00:00:00 2001
From: djm
Date: Sun, 2 Dec 2012 23:13:39 +0000
Subject: - djm@cvs.openbsd.org 2012/12/02 20:47:48 [Makefile regress/forward-control.sh] regress for AllowTcpForwarding local/remote; ok markus@
---
 ChangeLog | 3 +
 regress/Makefile | 9 ++-
 regress/forward-control.sh | 168 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 177 insertions(+), 3 deletions(-)
 create mode 100644 regress/forward-control.sh
diff --git a/ChangeLog b/ChangeLog
index 873d81d5..2e9c4e27 100644
--- a/ChangeLog
+++ b/ChangeLog
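Review bot: The username check in the generated AuthorizedKeysCommand is wrong: `test "x\$1" -ne "x${LOGNAME}" && exit 1` uses the integer comparison `-ne` on two non-numeric strings, so test(1) reports an error instead of a true result, `&& exit 1` never fires, and the script serves the key file for any username argument; the intended string comparison is `test "x\$1" != "x${LOGNAME}" && exit 1`. As written the test still passes, but only because the one check that would catch a wrong user is inert, so the regress does not verify what the comment says it establishes. This is a new file, so the whole script is in view.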
@@ -27,6 +27,9 @@ - djm@cvs.openbsd.org 2012/11/22 22:49:30 [regress/Makefile regress/keys-command.sh] regress for AuthorizedKeysCommand; hints from markus@ + - djm@cvs.openbsd.org 2012/12/02 20:47:48 + [Makefile regress/forward-control.sh] + regress for AllowTcpForwarding local/remote; ok markus@ 20121114 - (djm) OpenBSD CVS Sync diff --git a/regress/Makefile b/regress/Makefile index dcc80b73..c628fb5f 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.59 2012/11/22 22:49:30 djm Exp $ +# $OpenBSD: Makefile,v 1.60 2012/12/02 20:47:48 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) @@ -58,7 +58,8 @@ LTESTS= connect \ cert-hostkey \ cert-userkey \ host-expand \ - keys-command + keys-command \ + forward-control INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp @@ -78,7 +79,9 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ known_hosts-cert host_ca_key* cert_host_key* \ putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ key.rsa-* key.dsa-* key.ecdsa-* \ - authorized_principals_${USER} expect actual + authorized_principals_${USER} expect actual ready \ + sshd_proxy.* authorized_keys_${USER}.* + # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/forward-control.sh b/regress/forward-control.sh new file mode 100644 index 00000000..9d000bc7 --- /dev/null +++ b/regress/forward-control.sh 
@@ -0,0 +1,168 @@
+# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
+# Placed in the Public Domain.
+
+tid="sshd control of local and remote forwarding"
+
+LFWD_PORT=3320
+RFWD_PORT=3321
+CTL=$OBJ/ctl-sock
+READY=$OBJ/ready
+
+wait_for_file_to_appear() {
+ _path=$1
+ _n=0
+ while test ! -e $_path ; do
+ test $_n -eq 1 && trace "waiting for $_path to appear"
+ _n=`expr $_n + 1`
+ test $_n -ge 5 && return 1
+ sleep 1
+ done
+ return 0
+}
+
+wait_for_process_to_exit() {
+ _pid=$1
+ _n=0
+ while kill -0 $_pid 2>/dev/null ; do
+ test $_n -eq 1 && trace "waiting for $_pid to exit"
+ _n=`expr $_n + 1`
+ test $_n -ge 5 && return 1
+ sleep 1
+ done
+ return 0
+}
+
+# usage: check_lfwd protocol Y|N message
+check_lfwd() {
+ _proto=$1
+ _expected=$2
+ _message=$3
+ rm -f $READY
+ ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+ -L$LFWD_PORT:127.0.0.1:$PORT \
+ -o ExitOnForwardFailure=yes \
+ -n host "sleep 60 & echo \$! > $READY ; wait " \
+ >/dev/null 2>&1 &
+ _sshpid=$!
+ wait_for_file_to_appear $READY || \
+ fatal "check_lfwd ssh fail: $_message"
+ ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
+ -oConnectionAttempts=4 host true >/dev/null 2>&1
+ _result=$?
+ kill $_sshpid `cat $READY` 2>/dev/null
+ wait_for_process_to_exit $_sshpid
+ if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+ fail "check_lfwd failed (expecting success): $_message"
+ elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+ fail "check_lfwd succeeded (expecting failure): $_message"
+ elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+ fatal "check_lfwd invalid argument \"$_expected\""
+ else
+ verbose "check_lfwd done (expecting $_expected): $_message"
+ fi
+}
+
+# usage: check_rfwd protocol Y|N message
+check_rfwd() {
+ _proto=$1
+ _expected=$2
+ _message=$3
+ rm -f $READY
+ ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+ -R$RFWD_PORT:127.0.0.1:$PORT \
+ -o ExitOnForwardFailure=yes \
+ -n host "sleep 60 & echo \$! > $READY ; wait " \
+ >/dev/null 2>&1 &
+ _sshpid=$!
+ wait_for_file_to_appear $READY
+ _result=$?
+ if test $_result -eq 0 ; then
+ ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
+ -oConnectionAttempts=4 host true >/dev/null 2>&1
+ _result=$?
+ kill $_sshpid `cat $READY` 2>/dev/null
+ wait_for_process_to_exit $_sshpid
+ fi
+ if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+ fail "check_rfwd failed (expecting success): $_message"
+ elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+ fail "check_rfwd succeeded (expecting failure): $_message"
+ elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+ fatal "check_rfwd invalid argument \"$_expected\""
+ else
+ verbose "check_rfwd done (expecting $_expected): $_message"
+ fi
+}
+
+start_sshd
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
+cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
+
+# Sanity check: ensure the default config allows forwarding
+for p in 1 2 ; do
+ check_lfwd $p Y "proto $p, default configuration"
+ check_rfwd $p Y "proto $p, default configuration"
+done
+
+# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+all_tests() {
+ _tcpfwd=$1
+ _plain_lfwd=$2
+ _plain_rfwd=$3
+ _nopermit_lfwd=$4
+ _nopermit_rfwd=$5
+ _permit_lfwd=$6
+ _permit_rfwd=$7
+ _badfwd=127.0.0.1:22
+ _goodfwd=127.0.0.1:${PORT}
+ for _proto in 1 2 ; do
+ cp ${OBJ}/authorized_keys_${USER}.bak \
+ ${OBJ}/authorized_keys_${USER}
+ _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
+ # No PermitOpen
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_proto $_plain_lfwd "$_prefix"
+ check_rfwd $_proto $_plain_rfwd "$_prefix"
+ # PermitOpen via sshd_config that doesn't match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitOpen $_badfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
+ check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
+ # PermitOpen via sshd_config that does match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitOpen $_badfwd $_goodfwd" ) \
+ > ${OBJ}/sshd_proxy
+ # NB. permitopen via authorized_keys should have same
+ # success/fail as via sshd_config
+ # permitopen via authorized_keys that doesn't match
+ sed "s/^/permitopen=\"$_badfwd\" /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
+ check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
+ # permitopen via authorized_keys that does match
+ sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
+ check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
+ done
+}
+
+# no-permitopen mismatch-permitopen match-permitopen
+# AllowTcpForwarding local remote local remote local remote
+all_tests yes Y Y N Y Y Y
+all_tests local Y N N N Y N
+all_tests remote N Y N Y N Y
+all_tests no N N N N N N
-- cgit v1.2.1
From fd6b03075b6a3e2b05fbf668d773468a185d2379 Mon Sep 17 00:00:00 2001
From: djm
Date: Mon, 3 Dec 2012 00:25:30 +0000
Subject: - djm@cvs.openbsd.org 2012/12/03 00:14:06 [auth2-chall.c ssh-keygen.c] Fix compilation with -Wall -Werror (trivial type fixes)
---
 ChangeLog | 3 +++
 auth2-chall.c | 5 +++--
 ssh-keygen.c | 4 ++--
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 2e9c4e27..83b13d7d 100644
--- a/ChangeLog
+++ b/ChangeLog
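Review bot: The "PermitOpen via sshd_config that does match" case in all_tests is written to `${OBJ}/sshd_proxy` but never exercised: no check_lfwd/check_rfwd follows it, and the next block overwrites sshd_proxy without a PermitOpen line, so `_permit_lfwd`/`_permit_rfwd` are only verified through the authorized_keys permitopen path and the matching-PermitOpen column of the table at the bottom is never tested for sshd_config. Adding `check_lfwd $_proto $_permit_lfwd "$_prefix, PermitOpen"` and `check_rfwd $_proto $_permit_rfwd "$_prefix, PermitOpen"` right after that `> ${OBJ}/sshd_proxy` closes the gap. A smaller point in check_rfwd: when the ready file never appears, `_result` is non-zero and the `kill`/`wait_for_process_to_exit` pair inside the `if` is skipped, so a client that neither exits nor reports readiness is left running into the next case; moving those two lines after the `fi` (with `cat $READY 2>/dev/null`) keeps cleanup unconditional. This is a new file, so the whole script is in view.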
@@ -30,6 +30,9 @@ - djm@cvs.openbsd.org 2012/12/02 20:47:48 [Makefile regress/forward-control.sh] regress for AllowTcpForwarding local/remote; ok markus@ + - djm@cvs.openbsd.org 2012/12/03 00:14:06 + [auth2-chall.c ssh-keygen.c] + Fix compilation with -Wall -Werror (trivial type fixes) 20121114 - (djm) OpenBSD CVS Sync diff --git a/auth2-chall.c b/auth2-chall.c index 8fdb3349..6505d400 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.35 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -283,7 +283,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) KbdintAuthctxt *kbdintctxt; int authenticated = 0, res; u_int i, nresp; - char *devicename = NULL, **response = NULL; + const char *devicename = NULL; + char **response = NULL; if (authctxt == NULL) fatal("input_userauth_info_response: no authctxt"); diff --git a/ssh-keygen.c b/ssh-keygen.c index 2d8af679..1bbe0b0a 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.219 2012/11/14 02:32:15 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.220 2012/12/03 00:14:06 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -104,7 +104,7 @@ char *identity_comment = NULL; char *ca_key_path = NULL; /* Certificate serial number */ -long long cert_serial = 0; +unsigned long long cert_serial = 0; /* Key type when certifying */ u_int cert_key_type = SSH2_CERT_TYPE_USER; -- cgit v1.2.1 From 5d6993c476c441f14b0c576ecf60f2713247af82 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 3 Dec 2012 00:55:53 +0000 Subject: - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation debugging. ok dtucker@ --- ChangeLog | 2 ++ configure.ac | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 83b13d7d..bc3302a6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,8 @@ - djm@cvs.openbsd.org 2012/12/03 00:14:06 [auth2-chall.c ssh-keygen.c] Fix compilation with -Wall -Werror (trivial type fixes) + - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation + debugging. ok dtucker@ 20121114 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index a704fc7f..0fa9ba82 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.496 2012/07/06 01:49:29 djm Exp $ +# $Id: configure.ac,v 1.497 2012/12/03 00:55:54 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.496 $) +AC_REVISION($Revision: 1.497 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -155,6 +155,7 @@ AC_ARG_WITH([stackprotect], if test "$GCC" = "yes" || test "$GCC" = "egcs"; then + OSSH_CHECK_CFLAG_COMPILE([-g]) OSSH_CHECK_CFLAG_COMPILE([-Wall]) OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) -- cgit v1.2.1 From 4d88ea36e8595e6d73c6c73ca8b9c8e996c80009 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 3 Dec 2012 01:35:55 +0000 Subject: - (djm) [configure.ac] Revert previous. configure.ac already does this for us. --- ChangeLog | 2 ++ configure.ac | 5 ++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index bc3302a6..36ad9049 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,8 @@ Fix compilation with -Wall -Werror (trivial type fixes) - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation debugging. ok dtucker@ + - (djm) [configure.ac] Revert previous. configure.ac already does this + for us. 20121114 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 0fa9ba82..8b32e40c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.497 2012/12/03 00:55:54 djm Exp $ +# $Id: configure.ac,v 1.498 2012/12/03 01:35:55 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.497 $) +AC_REVISION($Revision: 1.498 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -155,7 +155,6 @@ AC_ARG_WITH([stackprotect], if test "$GCC" = "yes" || test "$GCC" = "egcs"; then - OSSH_CHECK_CFLAG_COMPILE([-g]) OSSH_CHECK_CFLAG_COMPILE([-Wall]) OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) -- cgit v1.2.1 From db99a75ff37ef118073470c78c5145ac29a18e2a Mon Sep 17 00:00:00 2001 From: tim Date: Tue, 4 Dec 2012 15:50:03 +0000 Subject: 20121205 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. --- ChangeLog | 3 +++ defines.h | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 36ad9049..b572f600 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20121205 + - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. + 20121203 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get TAILQ_FOREACH_SAFE needed for upcoming changes. diff --git a/defines.h b/defines.h index 53f83a14..54de062d 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.169 2012/02/15 04:13:06 tim Exp $ */ +/* $Id: defines.h,v 1.170 2012/12/04 15:50:04 tim Exp $ */ /* Constants */ @@ -283,6 +283,10 @@ typedef unsigned char u_char; # define HAVE_U_CHAR #endif /* HAVE_U_CHAR */ +#ifndef ULLONG_MAX +# define ULLONG_MAX ((unsigned long long)-1) +#endif + #ifndef SIZE_T_MAX #define SIZE_T_MAX ULONG_MAX #endif /* SIZE_T_MAX */ -- cgit v1.2.1 From cc42912e9d04cbbe9509b385d148aa660878ae02 Mon Sep 17 00:00:00 2001 
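Review bot: The `#ifndef ULLONG_MAX` fallback added to defines.h only does what it intends if `<limits.h>` has already been included at that point; if `<limits.h>` is pulled in afterwards (directly or through another header) and defines ULLONG_MAX with a different token sequence, the compiler reports an incompatible macro redefinition. The hunk does not show which headers precede it, so this is an inference to confirm against the include order at the top of defines.h. A one-line comment would save the next reader the same check: `/* <limits.h> must already be included here; some platforms omit ULLONG_MAX */`. The fallback value `((unsigned long long)-1)` itself is correct.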
From: dtucker Date: Fri, 7 Dec 2012 02:03:10 +0000 Subject: - dtucker@cvs.openbsd.org 2012/12/06 06:06:54 [regress/keys-command.sh] Fix some problems with the keys-command test: - use string comparison rather than numeric comparison - check for existing KEY_COMMAND file and don't clobber if it exists - clean up KEY_COMMAND file if we do create it. - check that KEY_COMMAND is executable (which it won't be if eg /var/run is mounted noexec). ok djm. --- ChangeLog | 12 ++++++++++++ regress/keys-command.sh | 16 +++++++++++----- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index b572f600..be311814 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +20121207 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/12/06 06:06:54 + [regress/keys-command.sh] + Fix some problems with the keys-command test: + - use string comparison rather than numeric comparison + - check for existing KEY_COMMAND file and don't clobber if it exists + - clean up KEY_COMMAND file if we do create it. + - check that KEY_COMMAND is executable (which it won't be if eg /var/run + is mounted noexec). + ok djm. + 20121205 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. diff --git a/regress/keys-command.sh b/regress/keys-command.sh index 09f4db4b..b595a434 100644 --- a/regress/keys-command.sh +++ b/regress/keys-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keys-command.sh,v 1.1 2012/11/22 22:49:30 djm Exp $ +# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $ # Placed in the Public Domain. tid="authorized keys from command" @@ -14,7 +14,7 @@ fi KEY_COMMAND="/var/run/keycommand_${LOGNAME}" cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'" #!/bin/sh -test "x\$1" -ne "x${LOGNAME}" && exit 1 +test "x\$1" != "x${LOGNAME}" && exit 1 exec cat "$OBJ/authorized_keys_${LOGNAME}" _EOF $SUDO chmod 0755 "$KEY_COMMAND" 
@@ -27,7 +27,13 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak echo AuthorizedKeysCommandUser ${LOGNAME} ) > $OBJ/sshd_proxy -${SSH} -F $OBJ/ssh_proxy somehost true -if [ $? -ne 0 ]; then - fail "connect failed" +if [ -x $KEY_COMMAND ]; then + ${SSH} -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "connect failed" + fi +else + echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)" fi + +$SUDO rm -f $KEY_COMMAND -- cgit v1.2.1 From 04044148bc72f1d0efd3d66b105cd46d798883b0 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 7 Dec 2012 02:06:13 +0000 Subject: - jmc@cvs.openbsd.org 2012/12/03 08:33:03 [ssh-add.1 sshd_config.5] tweak previous; --- ChangeLog | 3 +++ ssh-add.1 | 6 +++--- sshd_config.5 | 7 ++++--- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index be311814..19dc3340 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ - check that KEY_COMMAND is executable (which it won't be if eg /var/run is mounted noexec). ok djm. + - jmc@cvs.openbsd.org 2012/12/03 08:33:03 + [ssh-add.1 sshd_config.5] + tweak previous; 20121205 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. diff --git a/ssh-add.1 b/ssh-add.1 index af93762a..44846b67 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.57 2012/12/02 20:42:15 djm Exp $ +.\" $OpenBSD: ssh-add.1,v 1.58 2012/12/03 08:33:02 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 2 2012 $ +.Dd $Mdocdate: December 3 2012 $ .Dt SSH-ADD 1 .Os .Sh NAME 
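Review bot: The unconditional `$SUDO rm -f $KEY_COMMAND` at the end of the second hunk removes the file even when this test did not create it, while the commit message says a pre-existing KEY_COMMAND is left alone; the no-clobber check sits above these hunks, so unless it ends the test early, the cleanup deletes a file that belongs to someone else. Recording whether the script wrote the file (a variable set next to the `cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"` line) and guarding the rm on it would keep the two behaviours consistent. The new `[ -x $KEY_COMMAND ]` also leaves the variable unquoted, unlike the `"$KEY_COMMAND"` uses in the first hunk; `[ -x "$KEY_COMMAND" ]` is the consistent form. The SKIPPED branch only echoes, so the run is presumably still reported as a pass unless the harness keys on that string.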
@@ -99,7 +99,7 @@ Instead of adding identities, removes identities from the agent. If .Nm has been run without arguments, the keys for the default identities and -their corresponding certificateswill be removed. +their corresponding certificates will be removed. Otherwise, the argument list will be interpreted as a list of paths to public key files to specify keys and certificates to be removed from the agent. If no public key is found at a given path, diff --git a/sshd_config.5 b/sshd_config.5 index d2c4db55..ad3692b3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.150 2012/12/02 20:46:11 djm Exp $ -.Dd $Mdocdate: December 2 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.151 2012/12/03 08:33:03 jmc Exp $ +.Dd $Mdocdate: December 3 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -133,7 +133,8 @@ to allow TCP forwarding, to prevent all TCP forwarding, .Dq local to allow local (from the perspective of -.Xr ssh 1 ) forwarding only or +.Xr ssh 1 ) +forwarding only or .Dq remote to allow remote forwarding only. The default is -- cgit v1.2.1 From c9d8b9c075cf821b2cb1594f0df9406f2b0f1ffc Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 7 Dec 2012 02:07:02 +0000 Subject: - markus@cvs.openbsd.org 2012/12/05 15:42:52 [ssh-add.c] prevent double-free of comment; ok djm@ --- ChangeLog | 3 +++ ssh-add.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 19dc3340..7a3f272e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ - jmc@cvs.openbsd.org 2012/12/03 08:33:03 [ssh-add.1 sshd_config.5] tweak previous; + - markus@cvs.openbsd.org 2012/12/05 15:42:52 + [ssh-add.c] + prevent double-free of comment; ok djm@ 20121205 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. 
diff --git a/ssh-add.c b/ssh-add.c index c8936e5a..00808470 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.104 2012/12/02 20:42:15 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -118,6 +118,7 @@ delete_file(AuthenticationConnection *ac, const char *filename, int key_only) /* Now try to delete the corresponding certificate too */ free(comment); + comment = NULL; xasprintf(&certpath, "%s-cert.pub", filename); if ((cert = key_load_public(certpath, &comment)) == NULL) goto out; -- cgit v1.2.1 From 87031b0ac15b7f94695b06aba1db0e7c03e2b82a Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 7 Dec 2012 02:07:46 +0000 Subject: - dtucker@cvs.openbsd.org 2012/12/07 01:51:35 [serverloop.c] Cast signal to int for logging. A no-op on openbsd (they're always ints) but will prevent warnings in portable. ok djm@ --- ChangeLog | 4 ++++ serverloop.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7a3f272e..85f251ce 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ - markus@cvs.openbsd.org 2012/12/05 15:42:52 [ssh-add.c] prevent double-free of comment; ok djm@ + - dtucker@cvs.openbsd.org 2012/12/07 01:51:35 + [serverloop.c] + Cast signal to int for logging. A no-op on openbsd (they're always ints) + but will prevent warnings in portable. ok djm@ 20121205 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. diff --git a/serverloop.c b/serverloop.c index 14e60c6d..e224bd08 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
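Review bot: The new `comment = NULL;` in delete_file() has no comment saying why it is there, and a reader sees only a free() immediately followed by a reload into the same variable through `key_load_public(certpath, &comment)`. Per the commit message the reason is that the `goto out` on a failed certificate load reaches cleanup that frees `comment` again, so the pointer must not be left dangling; `comment = NULL;	/* out: frees comment again; must not dangle if the cert load fails */` would record that. The `out:` label and the remainder of delete_file() are outside the hunk.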
@@ -708,7 +708,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) &nalloc, max_time_milliseconds); if (received_sigterm) { - logit("Exiting on signal %d", received_sigterm); + logit("Exiting on signal %d", (int)received_sigterm); /* Clean up sessions, utmp, etc. */ cleanup_exit(255); } @@ -858,7 +858,7 @@ server_loop2(Authctxt *authctxt) &nalloc, 0); if (received_sigterm) { - logit("Exiting on signal %d", received_sigterm); + logit("Exiting on signal %d", (int)received_sigterm); /* Clean up sessions, utmp, etc. */ cleanup_exit(255); } -- cgit v1.2.1 From fcddf24f32803d4eb018afb05a1c9fddb016ad98 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 11 Dec 2012 23:44:38 +0000 Subject: - markus@cvs.openbsd.org 2012/12/11 22:16:21 [monitor.c] drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@ --- ChangeLog | 7 +++++++ monitor.c | 10 +++++----- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 85f251ce..b96329ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20121212 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2012/12/11 22:16:21 + [monitor.c] + drain the log messages after receiving the keystate from the unpriv + child. otherwise it might block while sending. ok djm@ + 20121207 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2012/12/06 06:06:54 diff --git a/monitor.c b/monitor.c index 1cfc4875..8006b833 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.119 2012/12/02 20:34:10 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl 
@@ -438,10 +438,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) #endif } - /* Drain any buffered messages from the child */ - while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) - ; - if (!authctxt->valid) fatal("%s: authenticated invalid user", __func__); if (strcmp(auth_method, "unknown") == 0) @@ -452,6 +448,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) mm_get_keystate(pmonitor); + /* Drain any buffered messages from the child */ + while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) + ; + close(pmonitor->m_sendfd); close(pmonitor->m_log_recvfd); pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; -- cgit v1.2.1 From 920eb7ec2b168c712ddde0b68624d9575ca0bdef Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 11 Dec 2012 23:46:31 +0000 Subject: - markus@cvs.openbsd.org 2012/12/11 22:31:18 [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] [packet.c ssh_config.5 sshd_config.5] add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@ --- ChangeLog | 8 +++++ PROTOCOL | 29 ++++++++++++++- authfile.c | 6 ++-- cipher.c | 22 +++++++++--- cipher.h | 4 +-- kex.h | 3 +- mac.c | 40 ++++++++++++++------- myproposal.h | 11 +++++- packet.c | 113 +++++++++++++++++++++++++++++++++++++++------------------- ssh_config.5 | 13 +++++-- sshd_config.5 | 13 +++++-- 11 files changed, 196 insertions(+), 66 deletions(-) diff --git a/ChangeLog b/ChangeLog index b96329ef..df6d0320 100644 --- a/ChangeLog +++ b/ChangeLog 
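Review bot: The relocated drain loop in monitor_child_preauth() keeps the old `/* Drain any buffered messages from the child */` comment, which says nothing about why it must now follow `mm_get_keystate(pmonitor)`, so a later reader could move it back to where the first hunk removed it. Suggest `/* Drain after mm_get_keystate(): the child logs while sending the keystate and may block on a full log pipe if the monitor stops reading earlier */`. With the earlier drain gone, log lines the child wrote before the `fatal("%s: authenticated invalid user", __func__)` check are no longer read on that path; presumably acceptable because fatal() ends the process, but worth confirming. The loop still terminates only when monitor_read_log() returns non-zero, which the hunk does not show.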
@@ -4,6 +4,14 @@ [monitor.c] drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@ + - markus@cvs.openbsd.org 2012/12/11 22:31:18 + [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] + [packet.c ssh_config.5 sshd_config.5] + add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms + that change the packet format and compute the MAC over the encrypted + message (including the packet size) instead of the plaintext data; + these EtM modes are considered more secure and used by default. + feedback and ok djm@ 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/PROTOCOL b/PROTOCOL index c2819601..834716cc 100644 --- a/PROTOCOL +++ b/PROTOCOL 
@@ -51,6 +51,33 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic curve points encoded using point compression are NOT accepted or generated. +1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms + +OpenSSH supports MAC algorithms, whose names contain "-etm", that +perform the calculations in a different order to that defined in RFC +4253. These variants use the so-called "encrypt then MAC" ordering, +calculating the MAC over the packet ciphertext rather than the +plaintext. This ordering closes a security flaw in the SSH transport +protocol, where decryption of unauthenticated ciphertext provided a +"decryption oracle" that could, in conjunction with cipher flaws, reveal +session plaintext. + +Specifically, the "-etm" MAC algorithms modify the transport protocol +to calculate the MAC over the packet ciphertext and to send the packet +length unencrypted. This is necessary for the transport to obtain the +length of the packet and location of the MAC tag so that it may be +verified without decrypting unauthenticated data. + +As such, the MAC covers: + + mac = MAC(key, sequence_number || encrypted_packet) + +where "encrypted_packet" contains: + + byte padding_length + byte[n1] payload; n1 = packet_length - padding_length - 1 + byte[n2] random padding; n2 = padding_length + 2. Connection protocol changes 2.1. connection: Channel write close extension "eow@openssh.com" @@ -291,4 +318,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. This extension is advertised in the SSH_FXP_VERSION hello with version "1". -$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $ +$OpenBSD: PROTOCOL,v 1.18 2012/12/11 22:31:18 markus Exp $ diff --git a/authfile.c b/authfile.c index 7dd44969..d9ee4ca6 100644 --- a/authfile.c +++ b/authfile.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.94 2012/12/11 22:31:18 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -150,7 +150,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase, cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_ENCRYPT); cipher_crypt(&ciphercontext, cp, - buffer_ptr(&buffer), buffer_len(&buffer)); + buffer_ptr(&buffer), buffer_len(&buffer), 0); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); @@ -474,7 +474,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_DECRYPT); cipher_crypt(&ciphercontext, cp, - buffer_ptr(©), buffer_len(©)); + buffer_ptr(©), buffer_len(©), 0); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); buffer_free(©); diff --git a/cipher.c b/cipher.c index bb5c0ac3..2116b55b 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */ +/* $OpenBSD: cipher.c,v 1.83 2012/12/11 22:31:18 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -273,13 +273,25 @@ cipher_init(CipherContext *cc, Cipher *cipher, } } +/* + * cipher_crypt() operates as following: + * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'. + * Theses bytes are treated as additional authenticated data for + * authenticated encryption modes. + * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. + * Both 'aadlen' and 'authlen' can be set to 0. + */ void -cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len, u_int aadlen) { + if (aadlen) + memcpy(dest, src, aadlen); if (len % cc->cipher->block_size) - fatal("cipher_encrypt: bad plaintext length %d", len); - if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) - fatal("evp_crypt: EVP_Cipher failed"); + fatal("%s: bad plaintext length %d", __func__, len); + if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen, + len) < 0) + fatal("%s: EVP_Cipher failed", __func__); } void diff --git a/cipher.h b/cipher.h index 3dd2270b..78972fea 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.37 2009/01/26 09:58:15 markus Exp $ */ +/* $OpenBSD: cipher.h,v 1.38 2012/12/11 22:31:18 markus Exp $ */ /* * Author: Tatu Ylonen @@ -76,7 +76,7 @@ char *cipher_name(int); int ciphers_valid(const char *); void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, const u_char *, u_int, int); -void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); +void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int, u_int); void cipher_cleanup(CipherContext *); void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); u_int cipher_blocksize(const Cipher *); diff --git a/kex.h b/kex.h index 7373d3c7..03b984cc 100644 --- a/kex.h +++ b/kex.h 
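Review bot: Changing the `EVP_Cipher()` failure test in cipher_crypt() from `== 0` to `< 0` weakens the check for the ciphers this file currently uses: for ordinary EVP ciphers OpenSSL's EVP_Cipher() returns 1 on success and 0 on failure, and a negative value comes only from ciphers flagged EVP_CIPH_FLAG_CUSTOM_CIPHER, so a 0 return is now treated as success. Unless a custom-cipher mode is being introduced (nothing in this commit shows one), `if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen, len) <= 0)` keeps both failure forms fatal; if custom ciphers are planned, a comment should say so at the check. The new header comment also has two slips: "Theses bytes" should be "These bytes", and "Both 'aadlen' and 'authlen' can be set to 0" names a parameter the function does not have — it should read `'aadlen' may be 0 (nothing is copied through); 'len' counts only the en/decrypted bytes`.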
@@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.52 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.53 2012/12/11 22:31:18 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -100,6 +100,7 @@ struct Mac { u_char *key; u_int key_len; int type; + int etm; /* Encrypt-then-MAC */ const EVP_MD *evp_md; HMAC_CTX evp_ctx; struct umac_ctx *umac_ctx; diff --git a/mac.c b/mac.c index 47db127f..0ece2e55 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.19 2012/10/04 13:21:50 markus Exp $ */ +/* $OpenBSD: mac.c,v 1.20 2012/12/11 22:31:18 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * 
@@ -58,19 +58,34 @@ struct { int key_len; /* just for UMAC */ int len; /* just for UMAC */ } macs[] = { - { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, - { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, + /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ + { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, + { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, #ifdef HAVE_EVP_SHA256 - { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, - { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, + { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 }, + { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 }, #endif - { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, - { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, - { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, - { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, - { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 }, - { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128 }, - { NULL, 0, NULL, 0, -1, -1 } + { "hmac-md5", SSH_EVP, EVP_md5, 0, 0, 0, 0 }, + { "hmac-md5-96", SSH_EVP, EVP_md5, 96, 0, 0, 0 }, + { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 }, + { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 }, + { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 0 }, + { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 0 }, + + /* Encrypt-then-MAC variants */ + { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 }, + { "hmac-sha1-96-etm@openssh.com", SSH_EVP, EVP_sha1, 96, 0, 0, 1 }, +#ifdef HAVE_EVP_SHA256 + { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 }, + { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 }, +#endif + { "hmac-md5-etm@openssh.com", SSH_EVP, EVP_md5, 0, 0, 0, 1 }, + { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 }, + { "hmac-ripemd160-tem@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 }, + { "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 }, + { 
"umac-128-etm@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 1 }, + + { NULL, 0, NULL, 0, 0, 0, 0 } }; static void @@ -90,6 +105,7 @@ mac_setup_by_id(Mac *mac, int which) } if (macs[which].truncatebits != 0) mac->mac_len = macs[which].truncatebits / 8; + mac->etm = macs[which].etm; } int diff --git a/myproposal.h b/myproposal.h index 5e2b9985..d98f4b05 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.30 2012/10/04 13:21:50 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.31 2012/12/11 22:31:18 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -83,6 +83,15 @@ # define SHA2_HMAC_MODES #endif #define KEX_DEFAULT_MAC \ + "hmac-md5-etm@openssh.com," \ + "hmac-sha1-etm@openssh.com," \ + "umac-64-etm@openssh.com," \ + "umac-128-etm@openssh.com," \ + "hmac-sha2-256-etm@openssh.com," \ + "hmac-sha2-512-etm@openssh.com," \ + "hmac-ripemd160-etm@openssh.com," \ + "hmac-sha1-96-etm@openssh.com," \ + "hmac-md5-96-etm@openssh.com," \ "hmac-md5," \ "hmac-sha1," \ "umac-64@openssh.com," \ diff --git a/packet.c b/packet.c index b75c081f..be890785 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.177 2012/09/17 13:04:11 markus Exp $ */ +/* $OpenBSD: packet.c,v 1.178 2012/12/11 22:31:18 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -275,7 +275,7 @@ packet_stop_discard(void) static void packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard) { - if (enc == NULL || !cipher_is_cbc(enc->cipher)) + if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm)) packet_disconnect("Packet corrupt"); if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled) active_state->packet_discard_mac = mac; 
@@ -709,7 +709,7 @@ packet_send1(void) buffer_len(&active_state->outgoing_packet)); cipher_crypt(&active_state->send_context, cp, buffer_ptr(&active_state->outgoing_packet), - buffer_len(&active_state->outgoing_packet)); + buffer_len(&active_state->outgoing_packet), 0); #ifdef PACKET_DEBUG fprintf(stderr, "encrypted: "); @@ -845,9 +845,8 @@ static void packet_send2_wrapped(void) { u_char type, *cp, *macbuf = NULL; - u_char padlen, pad; - u_int packet_length = 0; - u_int i, len; + u_char padlen, pad = 0; + u_int i, len, aadlen = 0; u_int32_t rnd = 0; Enc *enc = NULL; Mac *mac = NULL; @@ -860,6 +859,7 @@ packet_send2_wrapped(void) comp = &active_state->newkeys[MODE_OUT]->comp; } block_size = enc ? enc->block_size : 8; + aadlen = mac && mac->enabled && mac->etm ? 4 : 0; cp = buffer_ptr(&active_state->outgoing_packet); type = cp[5]; @@ -892,6 +892,7 @@ packet_send2_wrapped(void) * calc size of padding, alloc space, get random data, * minimum padding is 4 bytes */ + len -= aadlen; /* packet length is not encrypted for EtM modes */ padlen = block_size - (len % block_size); if (padlen < 4) padlen += block_size; 
@@ -919,29 +920,37 @@ packet_send2_wrapped(void) /* clear padding */ memset(cp, 0, padlen); } - /* packet_length includes payload, padding and padding length field */ - packet_length = buffer_len(&active_state->outgoing_packet) - 4; + /* sizeof (packet_len + pad_len + payload + padding) */ + len = buffer_len(&active_state->outgoing_packet); cp = buffer_ptr(&active_state->outgoing_packet); - put_u32(cp, packet_length); + /* packet_length includes payload, padding and padding length field */ + put_u32(cp, len - 4); cp[4] = padlen; - DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen)); + DBG(debug("send: len %d (includes padlen %d, aadlen %d)", + len, padlen, aadlen)); /* compute MAC over seqnr and packet(length fields, payload, padding) */ - if (mac && mac->enabled) { + if (mac && mac->enabled && !mac->etm) { macbuf = mac_compute(mac, active_state->p_send.seqnr, - buffer_ptr(&active_state->outgoing_packet), - buffer_len(&active_state->outgoing_packet)); + buffer_ptr(&active_state->outgoing_packet), len); DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr)); } /* encrypt packet and append to output buffer. */ - cp = buffer_append_space(&active_state->output, - buffer_len(&active_state->outgoing_packet)); + cp = buffer_append_space(&active_state->output, len); cipher_crypt(&active_state->send_context, cp, buffer_ptr(&active_state->outgoing_packet), - buffer_len(&active_state->outgoing_packet)); + len - aadlen, aadlen); /* append unencrypted MAC */ - if (mac && mac->enabled) + if (mac && mac->enabled) { + if (mac->etm) { + /* EtM: compute mac over aadlen + cipher text */ + macbuf = mac_compute(mac, + active_state->p_send.seqnr, cp, len); + DBG(debug("done calc MAC(EtM) out #%d", + active_state->p_send.seqnr)); + } buffer_append(&active_state->output, macbuf, mac->mac_len); + } #ifdef PACKET_DEBUG fprintf(stderr, "encrypted: "); buffer_dump(&active_state->output); 
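Review bot: In the EtM branch of packet_send2_wrapped(), `mac_compute(mac, active_state->p_send.seqnr, cp, len)` covers the whole output-side packet from `cp`, i.e. the 4-byte plaintext packet_length plus the ciphertext, whereas the PROTOCOL hunk in this commit specifies `mac = MAC(key, sequence_number || encrypted_packet)` and lists only padding_length, payload and padding inside encrypted_packet. Implementation and specification should agree; since the code authenticates the length (the receive side likewise computes over `aadlen + need`), PROTOCOL should read `mac = MAC(key, sequence_number || packet_length || encrypted_packet)`. The in-code comment `/* EtM: compute mac over aadlen + cipher text */` is accurate but would make the link explicit as `/* EtM: MAC over the unencrypted packet_length (aadlen bytes) + cipher text */`. The rest of packet_send2_wrapped() lies outside this hunk.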
@@ -952,8 +961,8 @@ packet_send2_wrapped(void) if (++active_state->p_send.packets == 0) if (!(datafellows & SSH_BUG_NOREKEY)) fatal("XXX too many packets with same key"); - active_state->p_send.blocks += (packet_length + 4) / block_size; - active_state->p_send.bytes += packet_length + 4; + active_state->p_send.blocks += len / block_size; + active_state->p_send.bytes += len; buffer_clear(&active_state->outgoing_packet); if (type == SSH2_MSG_NEWKEYS) @@ -1190,7 +1199,7 @@ packet_read_poll1(void) buffer_clear(&active_state->incoming_packet); cp = buffer_append_space(&active_state->incoming_packet, padded_len); cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), padded_len); + buffer_ptr(&active_state->input), padded_len, 0); buffer_consume(&active_state->input, padded_len); @@ -1238,8 +1247,8 @@ static int packet_read_poll2(u_int32_t *seqnr_p) { u_int padlen, need; - u_char *macbuf, *cp, type; - u_int maclen, block_size; + u_char *macbuf = NULL, *cp, type; + u_int maclen, aadlen = 0, block_size; Enc *enc = NULL; Mac *mac = NULL; Comp *comp = NULL; @@ -1254,8 +1263,22 @@ packet_read_poll2(u_int32_t *seqnr_p) } maclen = mac && mac->enabled ? mac->mac_len : 0; block_size = enc ? enc->block_size : 8; + aadlen = mac && mac->enabled && mac->etm ? 4 : 0; - if (active_state->packlen == 0) { + if (aadlen && active_state->packlen == 0) { + if (buffer_len(&active_state->input) < 4) + return SSH_MSG_NONE; + cp = buffer_ptr(&active_state->input); + active_state->packlen = get_u32(cp); + if (active_state->packlen < 1 + 4 || + active_state->packlen > PACKET_MAX_SIZE) { +#ifdef PACKET_DEBUG + buffer_dump(&active_state->input); +#endif + logit("Bad packet length %u.", active_state->packlen); + packet_disconnect("Packet corrupt"); + } + } else if (active_state->packlen == 0) { /* * check if input size is less than the cipher block size, * decrypt first block and extract length of incoming packet 
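Review bot: The new EtM branch in packet_read_poll2() duplicates the length validation of the existing branch — `packlen < 1 + 4 || packlen > PACKET_MAX_SIZE`, the PACKET_DEBUG dump and the "Bad packet length" log appear in both — with only the disconnect path differing, so the two copies can drift apart. A small static helper that answers whether a length is in range, called from both branches, would keep them aligned. It would also help to comment at `active_state->packlen = get_u32(cp);` that in EtM mode the length is read from unauthenticated plaintext and is only vouched for once the MAC over `aadlen + need` is checked later in the function, so it must be used for sizing only. Both branches continue past the end of this hunk.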
@@ -1266,7 +1289,7 @@ packet_read_poll2(u_int32_t *seqnr_p) cp = buffer_append_space(&active_state->incoming_packet, block_size); cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), block_size); + buffer_ptr(&active_state->input), block_size, 0); cp = buffer_ptr(&active_state->incoming_packet); active_state->packlen = get_u32(cp); if (active_state->packlen < 1 + 4 || @@ -1279,13 +1302,21 @@ packet_read_poll2(u_int32_t *seqnr_p) PACKET_MAX_SIZE); return SSH_MSG_NONE; } - DBG(debug("input: packet len %u", active_state->packlen+4)); buffer_consume(&active_state->input, block_size); } - /* we have a partial packet of block_size bytes */ - need = 4 + active_state->packlen - block_size; - DBG(debug("partial packet %d, need %d, maclen %d", block_size, - need, maclen)); + DBG(debug("input: packet len %u", active_state->packlen+4)); + if (aadlen) { + /* only the payload is encrypted */ + need = active_state->packlen; + } else { + /* + * the payload size and the payload are encrypted, but we + * have a partial packet of block_size bytes + */ + need = 4 + active_state->packlen - block_size; + } + DBG(debug("partial packet: block %d, need %d, maclen %d, aadlen %d", + block_size, need, maclen, aadlen)); if (need % block_size != 0) { logit("padding error: need %d block %d mod %d", need, block_size, need % block_size); 
@@ -1295,26 +1326,34 @@ packet_read_poll2(u_int32_t *seqnr_p) } /* * check if the entire packet has been received and - * decrypt into incoming_packet + * decrypt into incoming_packet: + * 'aadlen' bytes are unencrypted, but authenticated. + * 'need' bytes are encrypted, followed by + * 'maclen' bytes of message authentication code. */ - if (buffer_len(&active_state->input) < need + maclen) + if (buffer_len(&active_state->input) < aadlen + need + maclen) return SSH_MSG_NONE; #ifdef PACKET_DEBUG fprintf(stderr, "read_poll enc/full: "); buffer_dump(&active_state->input); #endif - cp = buffer_append_space(&active_state->incoming_packet, need); + /* EtM: compute mac over encrypted input */ + if (mac && mac->enabled && mac->etm) + macbuf = mac_compute(mac, active_state->p_read.seqnr, + buffer_ptr(&active_state->input), aadlen + need); + cp = buffer_append_space(&active_state->incoming_packet, aadlen + need); cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), need); - buffer_consume(&active_state->input, need); + buffer_ptr(&active_state->input), need, aadlen); + buffer_consume(&active_state->input, aadlen + need); /* * compute MAC over seqnr and packet, * increment sequence number for incoming packet */ if (mac && mac->enabled) { - macbuf = mac_compute(mac, active_state->p_read.seqnr, - buffer_ptr(&active_state->incoming_packet), - buffer_len(&active_state->incoming_packet)); + if (!mac->etm) + macbuf = mac_compute(mac, active_state->p_read.seqnr, + buffer_ptr(&active_state->incoming_packet), + buffer_len(&active_state->incoming_packet)); if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input), mac->mac_len) != 0) { logit("Corrupted MAC on input."); diff --git a/ssh_config.5 b/ssh_config.5 index 09a3cf03..ee466d80 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
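Review bot: For `mac->etm` the MAC is computed over the ciphertext before `cipher_crypt`, but `timingsafe_bcmp` still runs only after the payload has been decrypted into `incoming_packet`, so unauthenticated ciphertext is decrypted first and rejected afterwards; the benefit of encrypt-then-MAC is largest when the compare precedes decryption, i.e. the EtM check would sit right after the new `mac_compute` (comparing against `buffer_ptr(&active_state->input) + aadlen + need`, since `input` has not been consumed at that point) and the existing compare would be confined to the `!mac->etm` case. Nothing in this hunk acts on the decrypted bytes before the compare, so this is hardening and clarity rather than an observed leak. The failure path after `logit("Corrupted MAC on input.")` and the sequence-number update lie outside the hunk, so the reordering is described rather than sketched here; packet_read_poll2 continues past the hunk.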
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.159 2012/12/02 20:26:10 djm Exp $ -.Dd $Mdocdate: December 2 2012 $ +.\" $OpenBSD: ssh_config.5,v 1.160 2012/12/11 22:31:18 markus Exp $ +.Dd $Mdocdate: December 11 2012 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -792,8 +792,17 @@ in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. +The algorithms that contain +.Dq -etm +calculate the MAC after encryption (encrypt-then-mac). +These are considered safer and their use recommended. The default is: .Bd -literal -offset indent +hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, +umac-64-etm@openssh.com,umac-128-etm@openssh.com, +hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, +hmac-md5-96-etm@openssh.com, hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 diff --git a/sshd_config.5 b/sshd_config.5 index ad3692b3..0f4aa639 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.151 2012/12/03 08:33:03 jmc Exp $ -.Dd $Mdocdate: December 3 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.152 2012/12/11 22:31:18 markus Exp $ +.Dd $Mdocdate: December 11 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -706,8 +706,17 @@ Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. +The algorithms that contain +.Dq -etm +calculate the MAC after encryption (encrypt-then-mac). +These are considered safer and their use recommended. The default is: .Bd -literal -offset indent +hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, +umac-64-etm@openssh.com,umac-128-etm@openssh.com, +hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, +hmac-md5-96-etm@openssh.com, hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 -- cgit v1.2.1 From bfb94b30c54948eb02b1cf635d2e027f86f23e8a Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 11 Dec 2012 23:46:53 +0000 Subject: - sthen@cvs.openbsd.org 2012/12/11 22:51:45 [mac.c] fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ --- ChangeLog | 3 +++ mac.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index df6d0320..425f7276 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@ + - sthen@cvs.openbsd.org 2012/12/11 22:51:45 + [mac.c] + fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/mac.c b/mac.c index 0ece2e55..e55face4 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.20 2012/12/11 22:31:18 markus Exp $ */ +/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * 
@@ -81,7 +81,7 @@ struct { #endif { "hmac-md5-etm@openssh.com", SSH_EVP, EVP_md5, 0, 0, 0, 1 }, { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 }, - { "hmac-ripemd160-tem@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 }, + { "hmac-ripemd160-etm@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 }, { "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 }, { "umac-128-etm@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 1 }, -- cgit v1.2.1 From 25e20bcbbb8c7a4728a7e2128939a4bc32ff7005 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 11 Dec 2012 23:52:07 +0000 Subject: - markus@cvs.openbsd.org 2012/12/11 22:32:56 [regress/try-ciphers.sh] add etm modes --- ChangeLog | 3 +++ regress/try-ciphers.sh | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 425f7276..49ee0eb0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,9 @@ - sthen@cvs.openbsd.org 2012/12/11 22:51:45 [mac.c] fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ + - markus@cvs.openbsd.org 2012/12/11 22:32:56 + [regress/try-ciphers.sh] + add etm modes 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index cf601429..46131f71 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.15 2012/10/05 02:20:48 dtucker Exp $ +# $OpenBSD: try-ciphers.sh,v 1.16 2012/12/11 22:32:56 markus Exp $ # Placed in the Public Domain. tid="try ciphers" 
@@ -8,9 +8,13 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com - hmac-sha1-96 hmac-md5-96" + hmac-sha1-96 hmac-md5-96 + hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com + umac-64-etm@openssh.com umac-128-etm@openssh.com + hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com" config_defined HAVE_EVP_SHA256 && - macs="$macs hmac-sha2-256 hmac-sha2-512" + macs="$macs hmac-sha2-256 hmac-sha2-512 + hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" for c in $ciphers; do for m in $macs; do -- cgit v1.2.1 From 257b68305e94d84bfb8fbb3f443bbc7a4e4b1887 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 11 Dec 2012 23:54:37 +0000 Subject: - markus@cvs.openbsd.org 2012/12/11 22:42:11 [regress/Makefile regress/modpipe.c regress/integrity.sh] test the integrity of the packets; with djm@ --- ChangeLog | 3 ++ regress/Makefile | 9 ++-- regress/integrity.sh | 58 ++++++++++++++++++++++++ regress/modpipe.c | 124 +++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 191 insertions(+), 3 deletions(-) create mode 100644 regress/integrity.sh create mode 100755 regress/modpipe.c diff --git a/ChangeLog b/ChangeLog index 49ee0eb0..2fe093da 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ - markus@cvs.openbsd.org 2012/12/11 22:32:56 [regress/try-ciphers.sh] add etm modes + - markus@cvs.openbsd.org 2012/12/11 22:42:11 + [regress/Makefile regress/modpipe.c regress/integrity.sh] + test the integrity of the packets; with djm@ 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/regress/Makefile b/regress/Makefile index c628fb5f..2eb2e318 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.60 2012/12/02 20:47:48 djm Exp $ +# $OpenBSD: Makefile,v 1.61 2012/12/11 22:42:11 markus Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) 
@@ -59,7 +59,8 @@ LTESTS= connect \ cert-userkey \ host-expand \ keys-command \ - forward-control + forward-control \ + integrity INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp @@ -142,7 +143,9 @@ t9: $(OBJ)/t9.out test "${TEST_SSH_ECC}" != yes || \ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null -t-exec: ${LTESTS:=.sh} +modpipe: modpipe.c + +t-exec: modpipe ${LTESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ echo "run test $${TEST}" ... 1>&2; \ diff --git a/regress/integrity.sh b/regress/integrity.sh new file mode 100644 index 00000000..23135685 --- /dev/null +++ b/regress/integrity.sh 
@@ -0,0 +1,58 @@ +# $OpenBSD: integrity.sh,v 1.1 2012/12/11 22:42:11 markus Exp $ +# Placed in the Public Domain. + +tid="integrity" + +# start at byte 2300 (i.e. after kex) and corrupt at different offsets +# XXX the test hangs if we modify the low bytes of the packet length +# XXX and ssh tries to read... +tries=10 +startoffset=2300 +macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com + hmac-sha1-96 hmac-md5-96 hmac-sha2-256 hmac-sha2-512 + hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com + umac-64-etm@openssh.com umac-128-etm@openssh.com + hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com + hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" + +# sshd-command for proxy (see test-exec.sh) +cmd="sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" + +for m in $macs; do + trace "test $tid: mac $m" + elen=0 + epad=0 + emac=0 + ecnt=0 + skip=0 + for off in $(jot $tries $startoffset); do + if [ $((skip--)) -gt 0 ]; then + # avoid modifying the high bytes of the length + continue + fi + # modify output from sshd at offset $off + pxy="proxycommand=$cmd | $OBJ/modpipe -m xor:$off:1" + output=$(${SSH} -m $m -2F $OBJ/ssh_proxy -o "$pxy" \ + 999.999.999.999 true 2>&1) + if [ $? -eq 0 ]; then + fail "ssh -m $m succeeds with bit-flip at $off" + fi + ecnt=$((ecnt+1)) + output=$(echo $output | tr -s '\r\n' '.') + verbose "test $tid: $m @$off $output" + case "$output" in + Bad?packet*) elen=$((elen+1)); skip=2;; + Corrupted?MAC*) emac=$((emac+1)); skip=0;; + padding*) epad=$((epad+1)); skip=0;; + *) fail "unexpected error mac $m at $off";; + esac + done + verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen" + if [ $emac -eq 0 ]; then + fail "$m: no mac errors" + fi + expect=$((ecnt-epad-elen)) + if [ $emac -ne $expect ]; then + fail "$m: expected $expect mac errors, got $emac" + fi +done diff --git a/regress/modpipe.c b/regress/modpipe.c new file mode 100755 index 00000000..439be4c9 --- /dev/null 
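Review bot: `output=$(echo $output | tr -s '\r\n' '.')` expands `$output` unquoted, so any glob characters in ssh's error text are expanded against the working directory and a leading `-n`/`-e` would be consumed by `echo` as an option; `output=$(printf '%s\n' "$output" | tr -s '\r\n' '.')` passes the text through untouched, with `tr` doing the line joining that the unquoted expansion was doing by accident. The `case` patterns are tied to the exact `logit` strings emitted by packet_read_poll2 (`Bad packet length`, `Corrupted MAC`, `padding error`), which is fine for a regress test but deserves a comment such as `# error strings must match the logit() messages in packet.c`. The `XXX the test hangs` comment documents a known hang with no timeout around the `${SSH}` invocation, so a stuck run blocks the suite rather than failing it.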
+++ b/regress/modpipe.c 
@@ -0,0 +1,124 @@ +/* + * Copyright (c) 2012 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: modpipe.c,v 1.1 2012/12/11 23:54:40 djm Exp $ */ + +#include +#include +#include +#include +#include +#include +#include + +static void +usage(void) +{ + fprintf(stderr, "Usage: modpipe [-m modspec ...] 
< in > out\n"); + fprintf(stderr, "modspec is one of:\n"); + fprintf(stderr, " xor:offset:value - XOR \"value\" at \"offset\"\n"); + fprintf(stderr, " andor:offset:val1:val2 - AND \"val1\" then OR \"val2\" at \"offset\"\n"); + exit(1); +} + +#define MAX_MODIFICATIONS 256 +struct modification { + enum { MOD_XOR, MOD_AND_OR } what; + u_int64_t offset; + u_int8_t m1, m2; +}; + +static void +parse_modification(const char *s, struct modification *m) +{ + char what[16+1]; + int n; + + bzero(m, sizeof(*m)); + if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%hhi%*[:]%hhi", + what, &m->offset, &m->m1, &m->m2)) < 3) + errx(1, "Invalid modification spec \"%s\"", s); + if (strcasecmp(what, "xor") == 0) { + m->what = MOD_XOR; + if (n > 3) + errx(1, "Invalid modification spec \"%s\"", s); + } else if (strcasecmp(what, "andor") == 0) { + m->what = MOD_AND_OR; + if (n != 4) + errx(1, "Invalid modification spec \"%s\"", s); + } else + errx(1, "Invalid modification type \"%s\"", what); +} + +int +main(int argc, char **argv) +{ + int ch; + u_char buf[8192]; + size_t total; + ssize_t r, s, o; + struct modification mods[MAX_MODIFICATIONS]; + u_int i, num_mods = 0; + + while ((ch = getopt(argc, argv, "m:")) != -1) { + switch (ch) { + case 'm': + if (num_mods >= MAX_MODIFICATIONS) + errx(1, "Too many modifications"); + parse_modification(optarg, &(mods[num_mods++])); + break; + default: + usage(); + /* NOTREACHED */ + } + } + for (total = 0;;) { + r = s = read(STDIN_FILENO, buf, sizeof(buf)); + if (r == 0) + return 0; + if (r < 0) { + if (errno == EAGAIN || errno == EINTR) + continue; + err(1, "read"); + } + for (i = 0; i < num_mods; i++) { + if (mods[i].offset < total || + mods[i].offset >= total + s) + continue; + switch (mods[i].what) { + case MOD_XOR: + buf[mods[i].offset - total] ^= mods[i].m1; + break; + case MOD_AND_OR: + buf[mods[i].offset - total] &= mods[i].m1; + buf[mods[i].offset - total] |= mods[i].m2; + break; + } + } + for (o = 0; o < s; o += r) { + r = write(STDOUT_FILENO, buf, 
s - o); + if (r == 0) + return 0; + if (r < 0) { + if (errno == EAGAIN || errno == EINTR) + continue; + err(1, "write"); + } + } + total += s; + } + return 0; +} -- cgit v1.2.1 From 585ddf927268ad3f4c666eb4684f58d8be56b5a2 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 11 Dec 2012 23:55:32 +0000 Subject: - markus@cvs.openbsd.org 2012/12/11 23:12:13 [try-ciphers.sh] add hmac-ripemd160-etm@openssh.com --- ChangeLog | 3 +++ regress/try-ciphers.sh | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2fe093da..05a3b078 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,9 @@ - markus@cvs.openbsd.org 2012/12/11 22:42:11 [regress/Makefile regress/modpipe.c regress/integrity.sh] test the integrity of the packets; with djm@ + - markus@cvs.openbsd.org 2012/12/11 23:12:13 + [try-ciphers.sh] + add hmac-ripemd160-etm@openssh.com 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 46131f71..2b11b59e 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.16 2012/12/11 22:32:56 markus Exp $ +# $OpenBSD: try-ciphers.sh,v 1.17 2012/12/11 23:12:13 markus Exp $ # Placed in the Public Domain. tid="try ciphers" @@ -11,7 +11,8 @@ macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com hmac-sha1-96 hmac-md5-96 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com - hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com" + hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com + hmac-ripemd160-etm@openssh.com" config_defined HAVE_EVP_SHA256 && macs="$macs hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" -- cgit v1.2.1 From f956ad441cff7bd5686af55392d35794f9e79859 Mon Sep 17 00:00:00 2001 
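Review bot: The output loop in main() writes from the start of `buf` on every iteration — `r = write(STDOUT_FILENO, buf, s - o)` — so after a short write the already-written prefix is sent again and the tail is lost; it should be `r = write(STDOUT_FILENO, buf + o, s - o);`. The EAGAIN/EINTR `continue` in the same loop also runs the loop's `o += r` increment with `r == -1`, so `r = 0;` should precede that `continue` (the read loop is unaffected because its `for (total = 0;;)` has no increment). Separately, `parse_modification` passes a `u_int64_t *` to `%lli` and `u_int8_t *` to `%hhi`, which is a signedness mismatch that `-Wformat` reports; scanning into a `long long` and `int` temporaries and assigning after a range check would keep the `0x` prefix handling of `%i` while matching the types.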
From: djm Date: Wed, 12 Dec 2012 00:00:37 +0000 Subject: - (djm) [mac.c] fix merge botch --- ChangeLog | 1 + mac.c | 1 + 2 files changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 05a3b078..ed58d1ce 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,7 @@ - markus@cvs.openbsd.org 2012/12/11 23:12:13 [try-ciphers.sh] add hmac-ripemd160-etm@openssh.com + - (djm) [mac.c] fix merge botch 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/mac.c b/mac.c index e55face4..3f2dc6f2 100644 --- a/mac.c +++ b/mac.c @@ -57,6 +57,7 @@ struct { int truncatebits; /* truncate digest if != 0 */ int key_len; /* just for UMAC */ int len; /* just for UMAC */ + int etm; /* Encrypt-then-MAC */ } macs[] = { /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, -- cgit v1.2.1 From 0b012781d333dd1dd3e92241f337e1a4bba623f0 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 12 Dec 2012 01:10:10 +0000 Subject: - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test work on platforms without 'jot' --- regress/Makefile | 8 ++++---- regress/integrity.sh | 7 ++++++- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/regress/Makefile b/regress/Makefile index 2eb2e318..63685866 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -81,7 +81,7 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ key.rsa-* key.dsa-* key.ecdsa-* \ authorized_principals_${USER} expect actual ready \ - sshd_proxy.* authorized_keys_${USER}.* + sshd_proxy.* authorized_keys_${USER}.* modpipe # Enable all malloc(3) randomisations and checks 
@@ -143,15 +143,15 @@ t9: $(OBJ)/t9.out test "${TEST_SSH_ECC}" != yes || \ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null -modpipe: modpipe.c - -t-exec: modpipe ${LTESTS:=.sh} +t-exec: ${LTESTS:=.sh} modpipe @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ echo "run test $${TEST}" ... 1>&2; \ (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ done +modpipe: modpipe.c + t-exec-interop: ${INTEROP_TESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ diff --git a/regress/integrity.sh b/regress/integrity.sh index 23135685..f6e5c196 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -18,6 +18,10 @@ macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com # sshd-command for proxy (see test-exec.sh) cmd="sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" +jot() { + awk 'BEGIN { for (i = $2; i < $2 + $1; i++) { printf "%d\n", i } }' +} +set -x for m in $macs; do trace "test $tid: mac $m" elen=0 @@ -26,7 +30,8 @@ for m in $macs; do ecnt=0 skip=0 for off in $(jot $tries $startoffset); do - if [ $((skip--)) -gt 0 ]; then + skip=$((skip - 1)) + if [ $skip -gt 0 ]; then # avoid modifying the high bytes of the length continue fi -- cgit v1.2.1 From 61e24133eea0acc3943b0f565140f595ee8a96a2 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 12 Dec 2012 01:37:32 +0000 Subject: - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip --- ChangeLog | 3 +++ regress/integrity.sh | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index ed58d1ce..9473d60c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -25,6 +25,9 @@ [try-ciphers.sh] add hmac-ripemd160-etm@openssh.com - (djm) [mac.c] fix merge botch + - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test + work on platforms without 'jot' + - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/regress/integrity.sh b/regress/integrity.sh index f6e5c196..0185490c 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -19,9 +19,9 @@ macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com cmd="sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" jot() { - awk 'BEGIN { for (i = $2; i < $2 + $1; i++) { printf "%d\n", i } }' + awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } }" } -set -x + for m in $macs; do trace "test $tid: mac $m" elen=0 @@ -46,7 +46,7 @@ for m in $macs; do output=$(echo $output | tr -s '\r\n' '.') verbose "test $tid: $m @$off $output" case "$output" in - Bad?packet*) elen=$((elen+1)); skip=2;; + Bad?packet*) elen=$((elen+1)); skip=3;; Corrupted?MAC*) emac=$((emac+1)); skip=0;; padding*) epad=$((epad+1)); skip=0;; *) fail "unexpected error mac $m at $off";; -- cgit v1.2.1 From fb4d75ce29347664066d4e7ee84987bc297b068d Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 12 Dec 2012 01:51:54 +0000 Subject: - (djm) [regress/Makefile] fix t-exec rule --- ChangeLog | 1 + regress/Makefile | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9473d60c..93f2404f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,7 @@ - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test work on platforms without 'jot' - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip + - (djm) [regress/Makefile] fix t-exec rule 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/regress/Makefile b/regress/Makefile index 63685866..af1fa31d 100644 --- a/regress/Makefile +++ b/regress/Makefile 
@@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.61 2012/12/11 22:42:11 markus Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec -tests: $(REGRESS_TARGETS) +tests: prereq $(REGRESS_TARGETS) # Interop tests are not run by default interop interop-tests: t-exec-interop @@ -143,15 +143,17 @@ t9: $(OBJ)/t9.out test "${TEST_SSH_ECC}" != yes || \ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null -t-exec: ${LTESTS:=.sh} modpipe +prereq: modpipe + +modpipe: modpipe.c + +t-exec: ${LTESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ echo "run test $${TEST}" ... 1>&2; \ (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ done -modpipe: modpipe.c - t-exec-interop: ${INTEROP_TESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ -- cgit v1.2.1 From 06be44527e85c14a3673902e4f6c8b9bb5620038 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 12 Dec 2012 20:18:59 +0000 Subject: - markus@cvs.openbsd.org 2012/12/12 16:45:52 [packet.c] reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert --- ChangeLog | 8 ++++++++ packet.c | 3 ++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 93f2404f..f44c4f1c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20121213 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2012/12/12 16:45:52 + [packet.c] + reset incoming_packet buffer for each new packet in EtM-case, too; + this happens if packets are parsed only parially (e.g. ignore + messages sent when su/sudo turn off echo); noted by sthen/millert + 20121212 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2012/12/11 22:16:21 diff --git a/packet.c b/packet.c index be890785..fe379aa4 100644 --- a/packet.c +++ b/packet.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.178 2012/12/11 22:31:18 markus Exp $ */ +/* $OpenBSD: packet.c,v 1.179 2012/12/12 16:45:52 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1278,6 +1278,7 @@ packet_read_poll2(u_int32_t *seqnr_p) logit("Bad packet length %u.", active_state->packlen); packet_disconnect("Packet corrupt"); } + buffer_clear(&active_state->incoming_packet); } else if (active_state->packlen == 0) { /* * check if input size is less than the cipher block size, -- cgit v1.2.1 From 2550256a09c397e828bc70c6504ebd11af7905e7 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 12 Dec 2012 21:18:56 +0000 Subject: - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our compat code for older OpenSSL --- ChangeLog | 6 ++++++ cipher-ctr.c | 3 +++ cipher.c | 22 +++++++++++++++------- configure.ac | 25 +++++++++++++++++++++++-- 4 files changed, 47 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index f44c4f1c..2c6da413 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,12 @@ reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert + - naddy@cvs.openbsd.org 2012/12/12 16:46:10 + [cipher.c] + use OpenSSL's EVP_aes_{128,192,256}_ctr() API and remove our hand-rolled + counter mode code; ok djm@ + - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our + compat code for older OpenSSL 20121212 - (djm) OpenBSD CVS Sync diff --git a/cipher-ctr.c b/cipher-ctr.c index 04975b4b..f053abe2 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -16,6 +16,7 @@ */ #include "includes.h" +#ifndef OPENSSL_HAVE_EVPCTR #include #include @@ -144,3 +145,5 @@ evp_aes_128_ctr(void) #endif return (&aes_ctr); } + +#endif /* OPENSSL_HAVE_EVPCTR */ diff --git a/cipher.c b/cipher.c index 2116b55b..d15c226a 100644 --- a/cipher.c +++ b/cipher.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.83 2012/12/11 22:31:18 markus Exp $ */ +/* $OpenBSD: cipher.c,v 1.84 2012/12/12 16:46:10 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -54,8 +54,12 @@ extern const EVP_CIPHER *evp_ssh1_bf(void); extern const EVP_CIPHER *evp_ssh1_3des(void); extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); -extern const EVP_CIPHER *evp_aes_128_ctr(void); +#ifndef OPENSSL_HAVE_EVPCTR +#define EVP_aes_128_ctr evp_aes_128_ctr +#define EVP_aes_192_ctr evp_aes_128_ctr +#define EVP_aes_256_ctr evp_aes_128_ctr extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); +#endif struct Cipher { char *name; @@ -82,9 +86,9 @@ struct Cipher { { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, { "rijndael-cbc@lysator.liu.se", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, - { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, - { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, - { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, EVP_aes_128_ctr }, + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, EVP_aes_192_ctr }, + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, EVP_aes_256_ctr }, #ifdef USE_CIPHER_ACSS { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, #endif @@ -363,10 +367,12 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) ssh_rijndael_iv(&cc->evp, 0, iv, len); else #endif +#ifndef OPENSSL_HAVE_EVPCTR if (c->evptype == evp_aes_128_ctr) ssh_aes_ctr_iv(&cc->evp, 0, iv, len); else - memcpy(iv, cc->evp.iv, len); +#endif + memcpy(iv, cc->evp.iv, len); break; case SSH_CIPHER_3DES: ssh1_3des_iv(&cc->evp, 0, iv, 24); 
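Review bot: In cipher_get_keyiv the new `#ifndef OPENSSL_HAVE_EVPCTR` block ends with a bare `else` immediately followed by `#endif` and then `memcpy(iv, cc->evp.iv, len);`, so the statement the `else` governs depends on which preprocessor branches survive, and with both `USE_BUILTIN_RIJNDAEL` and `OPENSSL_HAVE_EVPCTR` in play there are four different if/else shapes to reason about; the same construction appears in the cipher_set_keyiv hunk that follows. Bracing the `memcpy` explicitly inside each `else`, or ending each special-case branch with `break;` so the `memcpy` is the unconditional fallthrough, would make every configuration's control flow visible without changing behaviour. A one-line comment on the `#define EVP_aes_192_ctr evp_aes_128_ctr` lines noting that the compat cipher is keyed from the table's key length (which I infer from the unchanged 16/24/32 entries, not from this hunk) would also help the next reader.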
@@ -394,10 +400,12 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) ssh_rijndael_iv(&cc->evp, 1, iv, evplen); else #endif +#ifndef OPENSSL_HAVE_EVPCTR if (c->evptype == evp_aes_128_ctr) ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); else - memcpy(cc->evp.iv, iv, evplen); +#endif + memcpy(cc->evp.iv, iv, evplen); break; case SSH_CIPHER_3DES: ssh1_3des_iv(&cc->evp, 1, iv, 24); diff --git a/configure.ac b/configure.ac index 8b32e40c..64c231b7 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.498 2012/12/03 01:35:55 djm Exp $ +# $Id: configure.ac,v 1.499 2012/12/12 21:18:56 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.498 $) +AC_REVISION($Revision: 1.499 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2299,6 +2299,27 @@ AC_LINK_IFELSE( ] ) +# Check for OpenSSL with EVP_aes_*ctr +AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + exit(EVP_aes_128_ctr() == NULL || + EVP_aes_192_cbc() == NULL || + EVP_aes_256_cbc() == NULL); + ]])], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], + [libcrypto has EVP AES CTR]) + ], + [ + AC_MSG_RESULT([no]) + ] +) + AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) AC_LINK_IFELSE( [AC_LANG_PROGRAM([[ -- cgit v1.2.1 From 91cef634ed8e8b879b2474d6b536436575675575 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 12 Dec 2012 21:25:07 +0000 Subject: - (djm) [cipher.c] Fix missing prototype for compat code --- ChangeLog | 1 + cipher.c | 1 + 2 files changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 2c6da413..16a6489e 100644 --- a/ChangeLog +++ b/ChangeLog 
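Review bot: The new `OPENSSL_HAVE_EVPCTR` probe links `EVP_aes_128_ctr()` but then tests `EVP_aes_192_cbc()` and `EVP_aes_256_cbc()`, so it never proves that `EVP_aes_192_ctr`/`EVP_aes_256_ctr` exist even though cipher.c's table calls them whenever the macro is defined; the intended lines are presumably `EVP_aes_192_ctr() == NULL ||` and `EVP_aes_256_ctr() == NULL);`. As written, a libcrypto that exposes only the 128-bit CTR wrapper passes the configure check and then fails at link time in cipher.c instead of falling back to the compat code.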
@@ -11,6 +11,7 @@ counter mode code; ok djm@ - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our compat code for older OpenSSL + - (djm) [cipher.c] Fix missing prototype for compat code 20121212 - (djm) OpenBSD CVS Sync diff --git a/cipher.c b/cipher.c index d15c226a..aae69c34 100644 --- a/cipher.c +++ b/cipher.c @@ -58,6 +58,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); #define EVP_aes_128_ctr evp_aes_128_ctr #define EVP_aes_192_ctr evp_aes_128_ctr #define EVP_aes_256_ctr evp_aes_128_ctr +extern const EVP_CIPHER *evp_aes_128_ctr(void); extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); #endif -- cgit v1.2.1 From eabef7fc5609b49135a03b222e787e1b53e541d7 Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 17 Dec 2012 04:59:42 +0000 Subject: - (dtucker) [Makefile.in] Add some scaffolding so that the new regress tests will work with VPATH directories. --- ChangeLog | 4 ++++ Makefile.in | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 16a6489e..86f75642 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20121217 + - (dtucker) [Makefile.in] Add some scaffolding so that the new regress + tests will work with VPATH directories. + 20121213 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2012/12/12 16:45:52 diff --git a/Makefile.in b/Makefile.in index e4f9ee19..8765b7ef 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.328 2012/10/05 05:41:07 dtucker Exp $ +# $Id: Makefile.in,v 1.329 2012/12/17 04:59:43 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -384,6 +384,9 @@ tests interop-tests: $(TARGETS) [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ [ -f `pwd`/regress/Makefile ] || \ ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \ + [ -f `pwd`/regress/modpipe.c ] || \ + ln -s `cd $(srcdir) && pwd`/regress/modpipe.c `pwd`/regress/modpipe.c; \ + (cd regress && make prereq); \ TEST_SHELL="@TEST_SHELL@"; \ TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ -- cgit v1.2.1 From d42079bf57d768435937e030c8902e280e09aced Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 9 Jan 2013 04:54:48 +0000 Subject: - dtucker@cvs.openbsd.org 2012/12/14 05:26:43 [auth.c] use correct string in error message; from rustybsd at gmx.fr --- ChangeLog | 6 ++++++ auth.c | 5 ++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 86f75642..3a84d27e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20130109 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2012/12/14 05:26:43 + [auth.c] + use correct string in error message; from rustybsd at gmx.fr + 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress tests will work with VPATH directories. diff --git a/auth.c b/auth.c index 7bc6f402..f5e2d3d2 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.98 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.99 2012/12/14 05:26:43 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -494,13 +494,12 @@ static int secure_filename(FILE *f, const char *file, struct passwd *pw, char *err, size_t errlen) { - char buf[MAXPATHLEN]; struct stat st; /* check the open file to avoid races */ if (fstat(fileno(f), &st) < 0) { snprintf(err, errlen, "cannot stat file %s: %s", - buf, strerror(errno)); + file, strerror(errno)); return -1; } return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen); -- cgit v1.2.1 
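Review bot: The added `(cd regress && make prereq); \` runs a bare `make` instead of `$(MAKE)`, so the recursive invocation loses the parent's flags and jobserver and will use a different make binary than the one the user ran (a BSD host building with gmake is the obvious case). Use `(cd regress && $(MAKE) prereq); \` to match the rest of the recipe, which already relies on the outer make's variables. The `tests interop-tests` recipe continues outside the hunk.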
From ac04b3c56f047fa74111dd605c352668073e32ca Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 9 Jan 2013 04:55:50 +0000 Subject: - djm@cvs.openbsd.org 2013/01/02 00:32:07 [clientloop.c mux.c] channel_setup_local_fwd_listener() returns 0 on failure, not -ve bz#2055 reported by mathieu.lacage AT gmail.com --- ChangeLog | 4 ++++ clientloop.c | 6 +++--- mux.c | 6 +++--- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3a84d27e..3b15b99c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - dtucker@cvs.openbsd.org 2012/12/14 05:26:43 [auth.c] use correct string in error message; from rustybsd at gmx.fr + - djm@cvs.openbsd.org 2013/01/02 00:32:07 + [clientloop.c mux.c] + channel_setup_local_fwd_listener() returns 0 on failure, not -ve + bz#2055 reported by mathieu.lacage AT gmail.com 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress diff --git a/clientloop.c b/clientloop.c index 56450814..c1d1d447 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.247 2012/09/07 06:34:21 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -968,9 +968,9 @@ process_cmdline(void) goto out; } if (local || dynamic) { - if (channel_setup_local_fwd_listener(fwd.listen_host, + if (!channel_setup_local_fwd_listener(fwd.listen_host, fwd.listen_port, fwd.connect_host, - fwd.connect_port, options.gateway_ports) < 0) { + fwd.connect_port, options.gateway_ports)) { logit("Port forwarding failed."); goto out; } diff --git a/mux.c b/mux.c index 0f1532bb..1b24660b 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.37 2012/08/17 00:45:45 dtucker Exp $ */ +/* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * 
@@ -738,9 +738,9 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) } if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { - if (channel_setup_local_fwd_listener(fwd.listen_host, + if (!channel_setup_local_fwd_listener(fwd.listen_host, fwd.listen_port, fwd.connect_host, fwd.connect_port, - options.gateway_ports) < 0) { + options.gateway_ports)) { fail: logit("slave-requested %s failed", fwd_desc); buffer_put_int(r, MUX_S_FAILURE); -- cgit v1.2.1 From 0a94ec96a5e4efaf1f67844b7b57c04b58e18e79 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 9 Jan 2013 04:56:13 +0000 Subject: - djm@cvs.openbsd.org 2013/01/02 00:33:49 [PROTOCOL.agent] correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED bz#2051 from david AT lechnology.com --- ChangeLog | 4 ++++ PROTOCOL.agent | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3b15b99c..35a29d51 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ [clientloop.c mux.c] channel_setup_local_fwd_listener() returns 0 on failure, not -ve bz#2055 reported by mathieu.lacage AT gmail.com + - djm@cvs.openbsd.org 2013/01/02 00:33:49 + [PROTOCOL.agent] + correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED + bz#2051 from david AT lechnology.com 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress diff --git a/PROTOCOL.agent b/PROTOCOL.agent index de94d037..3fcaa14d 100644 --- a/PROTOCOL.agent +++ b/PROTOCOL.agent @@ -152,7 +152,7 @@ fully specified using just rsa_q, rsa_p and rsa_e at the cost of extra computation. "key_constraints" may only be present if the request type is -SSH_AGENTC_ADD_RSA_IDENTITY. +SSH_AGENTC_ADD_RSA_ID_CONSTRAINED. The agent will reply with a SSH_AGENT_SUCCESS if the key has been successfully added or a SSH_AGENT_FAILURE if an error occurred. 
@@ -557,4 +557,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys. SSH_AGENT_CONSTRAIN_LIFETIME 1 SSH_AGENT_CONSTRAIN_CONFIRM 2 -$OpenBSD: PROTOCOL.agent,v 1.6 2010/08/31 11:54:45 djm Exp $ +$OpenBSD: PROTOCOL.agent,v 1.7 2013/01/02 00:33:49 djm Exp $ -- cgit v1.2.1 From a8f2c39191867af889b9649fc69418011463ea14 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 9 Jan 2013 04:56:45 +0000 Subject: - djm@cvs.openbsd.org 2013/01/03 05:49:36 [servconf.h] add a couple of ServerOptions members that should be copied to the privsep child (for consistency, in this case they happen only to be accessed in the monitor); ok dtucker@ --- ChangeLog | 5 +++++ servconf.h | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 35a29d51..66cc48ba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,11 @@ [PROTOCOL.agent] correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED bz#2051 from david AT lechnology.com + - djm@cvs.openbsd.org 2013/01/03 05:49:36 + [servconf.h] + add a couple of ServerOptions members that should be copied to the privsep + child (for consistency, in this case they happen only to be accessed in + the monitor); ok dtucker@ 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress diff --git a/servconf.h b/servconf.h index a23ef7f3..870c7098 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.106 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */ /* * Author: Tatu Ylonen @@ -203,6 +203,8 @@ struct connection_info { M_CP_STROPT(trusted_user_ca_keys); \ M_CP_STROPT(revoked_keys_file); \ M_CP_STROPT(authorized_principals_file); \ + M_CP_STROPT(authorized_keys_command); \ + M_CP_STROPT(authorized_keys_command_user); \ M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ M_CP_STRARRAYOPT(allow_users, num_allow_users); \ M_CP_STRARRAYOPT(deny_users, num_deny_users); \ -- cgit v1.2.1 
From 27bcacb18ef915589f16fcab926326f826c2517a Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 9 Jan 2013 04:57:16 +0000 Subject: - djm@cvs.openbsd.org 2013/01/03 12:49:01 [PROTOCOL] fix description of MAC calculation for EtM modes; ok markus@ --- ChangeLog | 3 +++ PROTOCOL | 7 ++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 66cc48ba..67d4884d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ add a couple of ServerOptions members that should be copied to the privsep child (for consistency, in this case they happen only to be accessed in the monitor); ok dtucker@ + - djm@cvs.openbsd.org 2013/01/03 12:49:01 + [PROTOCOL] + fix description of MAC calculation for EtM modes; ok markus@ 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress diff --git a/PROTOCOL b/PROTOCOL index 834716cc..eb5d0889 100644 --- a/PROTOCOL +++ b/PROTOCOL @@ -70,9 +70,10 @@ verified without decrypting unauthenticated data. As such, the MAC covers: - mac = MAC(key, sequence_number || encrypted_packet) + mac = MAC(key, sequence_number || packet_length || encrypted_packet) -where "encrypted_packet" contains: +where "packet_length" is encoded as a uint32 and "encrypted_packet" +contains: byte padding_length byte[n1] payload; n1 = packet_length - padding_length - 1 @@ -318,4 +319,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. This extension is advertised in the SSH_FXP_VERSION hello with version "1". -$OpenBSD: PROTOCOL,v 1.18 2012/12/11 22:31:18 markus Exp $ +$OpenBSD: PROTOCOL,v 1.19 2013/01/03 12:49:01 djm Exp $ -- cgit v1.2.1 From adc106fe45e8b99f0be11d8a52250411819bf4f0 Mon Sep 17 00:00:00 2001 
From: djm Date: Wed, 9 Jan 2013 04:57:36 +0000 Subject: - djm@cvs.openbsd.org 2013/01/03 12:54:49 [sftp-server.8 sftp-server.c] allow specification of an alternate start directory for sftp-server(8) "I like this" markus@ --- ChangeLog | 4 ++++ sftp-server.8 | 16 ++++++++++++++-- sftp-server.c | 23 ++++++++++++++++++----- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 67d4884d..ab80dca4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,10 @@ - djm@cvs.openbsd.org 2013/01/03 12:49:01 [PROTOCOL] fix description of MAC calculation for EtM modes; ok markus@ + - djm@cvs.openbsd.org 2013/01/03 12:54:49 + [sftp-server.8 sftp-server.c] + allow specification of an alternate start directory for sftp-server(8) + "I like this" markus@ 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress diff --git a/sftp-server.8 b/sftp-server.8 index bb19c15e..4d15f124 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.19 2010/01/09 03:36:00 jmc Exp $ +.\" $OpenBSD: sftp-server.8,v 1.20 2013/01/03 12:54:49 djm Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 9 2010 $ +.Dd $Mdocdate: January 3 2013 $ .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -31,6 +31,7 @@ .Sh SYNOPSIS .Nm sftp-server .Op Fl ehR +.Op Fl d Ar start_directory .Op Fl f Ar log_facility .Op Fl l Ar log_level .Op Fl u Ar umask 
@@ -56,6 +57,17 @@ for more information. .Pp Valid options are: .Bl -tag -width Ds +.It Fl d +specifies an alternate starting directory for users. +The pathname may contain the following tokens that are expanded at runtime: +%% is replaced by a literal '%', +%h is replaced by the home directory of the user being authenticated, +and %u is replaced by the username of that user. +The default is to use the user's home directory. +This option is useful in conjunction with the +.Xr sshd_config 5 +.Cm ChrootDirectory +option. .It Fl e Causes .Nm diff --git a/sftp-server.c b/sftp-server.c index 9d01c7d7..c8858147 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.94 2011/06/17 21:46:16 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.95 2013/01/03 12:54:49 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1402,7 +1402,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) int in, out, max, ch, skipargs = 0, log_stderr = 0; ssize_t len, olen, set_size; SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; - char *cp, buf[4*4096]; + char *cp, *homedir = NULL, buf[4*4096]; long mask; extern char *optarg; @@ -1411,7 +1411,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) __progname = ssh_get_progname(argv[0]); log_init(__progname, log_level, log_facility, log_stderr); - while (!skipargs && (ch = getopt(argc, argv, "f:l:u:cehR")) != -1) { + pw = pwcopy(user_pw); + + while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:cehR")) != -1) { switch (ch) { case 'R': readonly = 1; 
@@ -1436,6 +1438,12 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) if (log_facility == SYSLOG_FACILITY_NOT_SET) error("Invalid log facility \"%s\"", optarg); break; + case 'd': + cp = tilde_expand_filename(optarg, user_pw->pw_uid); + homedir = percent_expand(cp, "d", user_pw->pw_dir, + "u", user_pw->pw_name, (char *)NULL); + free(cp); + break; case 'u': errno = 0; mask = strtol(optarg, &cp, 8); @@ -1463,8 +1471,6 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) } else client_addr = xstrdup("UNKNOWN"); - pw = pwcopy(user_pw); - logit("session opened for local user %s from [%s]", pw->pw_name, client_addr); @@ -1489,6 +1495,13 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) rset = (fd_set *)xmalloc(set_size); wset = (fd_set *)xmalloc(set_size); + if (homedir != NULL) { + if (chdir(homedir) != 0) { + error("chdir to \"%s\" failed: %s", homedir, + strerror(errno)); + } + } + for (;;) { memset(rset, 0, set_size); memset(wset, 0, set_size); -- cgit v1.2.1 From 98e01c1c11363d55a75bb1fc4d829636b56ae986 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 9 Jan 2013 04:58:00 +0000 Subject: - djm@cvs.openbsd.org 2013/01/03 23:22:58 [ssh-keygen.c] allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ... ok markus@ --- ChangeLog | 4 ++++ ssh-keygen.c | 27 +++++++++++++++++++++------ 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index ab80dca4..297c08bd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,10 @@ [sftp-server.8 sftp-server.c] allow specification of an alternate start directory for sftp-server(8) "I like this" markus@ + - djm@cvs.openbsd.org 2013/01/03 23:22:58 + [ssh-keygen.c] + allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ... + ok markus@ 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress diff --git a/ssh-keygen.c b/ssh-keygen.c index 1bbe0b0a..106f1536 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
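Review bot: The `-d` handler expands the `"d"` token as the home directory (`percent_expand(cp, "d", user_pw->pw_dir, "u", user_pw->pw_name, (char *)NULL)`), but the sftp-server.8 hunk `@@ -56,6 +57,17 @@` in the same commit documents `%h` for that purpose, so an operator following the man page gets either a literal `%h` left in the path or, if percent_expand rejects unknown tokens as I recall it does, a fatal error at startup. Either change the man page to `%d` or pass `"h", user_pw->pw_dir` here; the two must agree. The handler also reads `user_pw` rather than `pw`, the copy made just above, which is harmless but inconsistent. sftp_server_main starts and ends outside the hunk.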
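Review bot: In the `@@ -1489,6 +1495,13 @@` hunk a failed `chdir(homedir)` is only reported through error() and the session then proceeds in whatever directory the process inherited, which is likely to surprise an operator who paired `-d` with ChrootDirectory expecting users to start in the configured directory. Decide whether `fatal("chdir to \"%s\" failed: %s", homedir, strerror(errno));` is the intended behaviour, and if the soft failure is deliberate, document the fall-back in sftp-server.8 so the behaviour is not discovered by accident. sftp_server_main starts and ends outside the hunk.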
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.220 2012/12/03 00:14:06 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.221 2013/01/03 23:22:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -723,15 +723,30 @@ do_download(struct passwd *pw) #ifdef ENABLE_PKCS11 Key **keys = NULL; int i, nkeys; + enum fp_rep rep; + enum fp_type fptype; + char *fp, *ra; pkcs11_init(0); nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); if (nkeys <= 0) fatal("cannot read public key from pkcs11"); for (i = 0; i < nkeys; i++) { - key_write(keys[i], stdout); + if (print_fingerprint) { + fp = key_fingerprint(keys[i], fptype, rep); + ra = key_fingerprint(keys[i], SSH_FP_MD5, + SSH_FP_RANDOMART); + printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]), + fp, key_type(keys[i])); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); + xfree(ra); + xfree(fp); + } else { + key_write(keys[i], stdout); + fprintf(stdout, "\n"); + } key_free(keys[i]); - fprintf(stdout, "\n"); } xfree(keys); pkcs11_terminate(); @@ -2177,7 +2192,7 @@ main(int argc, char **argv) usage(); } if (print_fingerprint && (delete_host || hash_hosts)) { - printf("Cannot use -l with -D or -R.\n"); + printf("Cannot use -l with -H or -R.\n"); usage(); } if (ca_key_path != NULL) { @@ -2189,6 +2204,8 @@ main(int argc, char **argv) do_show_cert(pw); if (delete_host || hash_hosts || find_host) do_known_hosts(pw, rr_hostname); + if (pkcs11provider != NULL) + do_download(pw); if (print_fingerprint || print_bubblebabble) do_fingerprint(pw); if (change_passphrase) @@ -2226,8 +2243,6 @@ main(int argc, char **argv) exit(0); } } - if (pkcs11provider != NULL) - do_download(pw); if (do_gen_candidates) { FILE *out = fopen(out_file, "w"); -- cgit v1.2.1 From 66c05ae302f3b0d4ba1617f78cd9b824688941fc Mon Sep 17 00:00:00 2001 
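Review bot: `fptype` and `rep` are declared at the top of do_download and passed straight to `key_fingerprint(keys[i], fptype, rep)` without being assigned anywhere in the hunk, which is an uninitialized read (undefined behaviour) on every `-lD` invocation; the lines between the declarations and the call are all visible, so nothing sets them. Initialise both before the loop, presumably the same way the existing fingerprint path does, e.g. `fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;` and `rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;`. do_download's body begins before the hunk.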
From: djm Date: Wed, 9 Jan 2013 04:58:21 +0000 Subject: - jmc@cvs.openbsd.org 2013/01/04 19:26:38 [sftp-server.8 sftp-server.c] sftp-server.8: add argument name to -d sftp-server.c: add -d to usage() ok djm --- ChangeLog | 5 +++++ sftp-server.8 | 6 +++--- sftp-server.c | 5 +++-- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 297c08bd..0f62953c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,11 @@ [ssh-keygen.c] allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ... ok markus@ + - jmc@cvs.openbsd.org 2013/01/04 19:26:38 + [sftp-server.8 sftp-server.c] + sftp-server.8: add argument name to -d + sftp-server.c: add -d to usage() + ok djm 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress diff --git a/sftp-server.8 b/sftp-server.8 index 4d15f124..2fd3df20 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.20 2013/01/03 12:54:49 djm Exp $ +.\" $OpenBSD: sftp-server.8,v 1.21 2013/01/04 19:26:38 jmc Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 3 2013 $ +.Dd $Mdocdate: January 4 2013 $ .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -57,7 +57,7 @@ for more information. .Pp Valid options are: .Bl -tag -width Ds -.It Fl d +.It Fl d Ar start_directory specifies an alternate starting directory for users. The pathname may contain the following tokens that are expanded at runtime: %% is replaced by a literal '%', diff --git a/sftp-server.c b/sftp-server.c index c8858147..cce074a5 100644 --- a/sftp-server.c +++ b/sftp-server.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.95 2013/01/03 12:54:49 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.96 2013/01/04 19:26:38 jmc Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1390,7 +1390,8 @@ sftp_server_usage(void) extern char *__progname; fprintf(stderr, - "usage: %s [-ehR] [-f log_facility] [-l log_level] [-u umask]\n", + "usage: %s [-ehR] [-d start_directory] [-f log_facility] " + "[-l log_level]\n\t[-u umask]\n", __progname); exit(1); } -- cgit v1.2.1 From 82b625412d061b22aa4673d67f1f38c0ee43dcf2 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 9 Jan 2013 05:12:19 +0000 Subject: - markus@cvs.openbsd.org 2013/01/08 18:49:04 [PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c] [myproposal.h packet.c ssh_config.5 sshd_config.5] support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@ --- ChangeLog | 5 +++ PROTOCOL | 14 +++++++- authfile.c | 6 ++-- cipher.c | 105 ++++++++++++++++++++++++++++++++++++++++++++------------- cipher.h | 8 +++-- kex.c | 16 ++++++--- kex.h | 3 +- monitor_wrap.c | 39 ++++++++++----------- myproposal.h | 3 +- packet.c | 45 ++++++++++++++----------- ssh_config.5 | 7 ++-- sshd_config.5 | 7 ++-- 12 files changed, 179 insertions(+), 79 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0f62953c..b5812cc7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,11 @@ sftp-server.8: add argument name to -d sftp-server.c: add -d to usage() ok djm + - markus@cvs.openbsd.org 2013/01/08 18:49:04 + [PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c] + [myproposal.h packet.c ssh_config.5 sshd_config.5] + support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) + ok and feedback djm@ 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress diff --git a/PROTOCOL b/PROTOCOL index eb5d0889..48b3a440 100644 --- a/PROTOCOL +++ b/PROTOCOL 
@@ -79,6 +79,18 @@ contains: byte[n1] payload; n1 = packet_length - padding_length - 1 byte[n2] random padding; n2 = padding_length +1.6 transport: AES-GCM + +OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. +Because of problems with the specification of the key exchange +the behaviour of OpenSSH differs from the RFC as follows: + +AES-GCM is only negotiated as the cipher algorithms +"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as +an MAC algorithm. Additionally, if AES-GCM is selected as the cipher +the exchanged MAC algorithms are ignored and there doesn't have to be +a matching MAC. + 2. Connection protocol changes 2.1. connection: Channel write close extension "eow@openssh.com" @@ -319,4 +331,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. This extension is advertised in the SSH_FXP_VERSION hello with version "1". -$OpenBSD: PROTOCOL,v 1.19 2013/01/03 12:49:01 djm Exp $ +$OpenBSD: PROTOCOL,v 1.20 2013/01/08 18:49:04 markus Exp $ diff --git a/authfile.c b/authfile.c index d9ee4ca6..3544d170 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.94 2012/12/11 22:31:18 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -150,7 +150,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase, cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_ENCRYPT); cipher_crypt(&ciphercontext, cp, - buffer_ptr(&buffer), buffer_len(&buffer), 0); + buffer_ptr(&buffer), buffer_len(&buffer), 0, 0); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); 
@@ -474,7 +474,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_DECRYPT); cipher_crypt(&ciphercontext, cp, - buffer_ptr(©), buffer_len(©), 0); + buffer_ptr(©), buffer_len(©), 0, 0); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); buffer_free(©); diff --git a/cipher.c b/cipher.c index aae69c34..cad8a2f3 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.84 2012/12/12 16:46:10 naddy Exp $ */ +/* $OpenBSD: cipher.c,v 1.85 2013/01/08 18:49:04 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -71,29 +71,38 @@ struct Cipher { u_int cbc_mode; const EVP_CIPHER *(*evptype)(void); } ciphers[] = { - { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, - { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, - { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, - { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf }, - - { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, - { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc }, - { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc }, - { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 }, - { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 }, - { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 }, - { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, - { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, - { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } + + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, + { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, + { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, + { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, + + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, + { "blowfish-cbc", + SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, + { "cast128-cbc", + SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc }, + { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 }, + { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 }, + { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, { "rijndael-cbc@lysator.liu.se", - SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, - { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 
0, 0, EVP_aes_128_ctr }, - { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, EVP_aes_192_ctr }, - { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, EVP_aes_256_ctr }, + SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, + { "aes128-gcm@openssh.com", + SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, + { "aes256-gcm@openssh.com", + SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, #ifdef USE_CIPHER_ACSS - { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, + { "acss@openssh.org", + SSH_CIPHER_SSH2, 16, 5, 0, 0, 0, 0, EVP_acss }, #endif - { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } }; /*--*/ @@ -110,6 +119,18 @@ cipher_keylen(const Cipher *c) return (c->key_len); } +u_int +cipher_authlen(const Cipher *c) +{ + return (c->auth_len); +} + +u_int +cipher_ivlen(const Cipher *c) +{ + return (c->iv_len ? c->iv_len : c->block_size); +} + u_int cipher_get_number(const Cipher *c) { @@ -229,11 +250,12 @@ cipher_init(CipherContext *cc, Cipher *cipher, keylen = 8; } cc->plaintext = (cipher->number == SSH_CIPHER_NONE); + cc->encrypt = do_encrypt; if (keylen < cipher->key_len) fatal("cipher_init: key length %d is insufficient for %s.", keylen, cipher->name); - if (iv != NULL && ivlen < cipher->block_size) + if (iv != NULL && ivlen < cipher_ivlen(cipher)) fatal("cipher_init: iv length %d is insufficient for %s.", ivlen, cipher->name); cc->cipher = cipher; 
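Review bot: The ciphers[] initializer gains a new first entry `{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }` that still has the old seven-field layout, has no trailing comma, and sits in front of the `"none"` entry, while the real terminator at the bottom is correctly updated to the nine-field form; this extra line looks like a merge leftover, and two brace initializers with no comma between them will not compile. Even if it did, a NULL-named entry at index 0 would presumably make any name-based table walk stop immediately. Delete the two added lines (the entry and the blank line after it) so the table starts at `{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },`. The hunk begins on the previous page line.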
@@ -254,6 +276,11 @@ cipher_init(CipherContext *cc, Cipher *cipher, (do_encrypt == CIPHER_ENCRYPT)) == 0) fatal("cipher_init: EVP_CipherInit failed for %s", cipher->name); + if (cipher_authlen(cipher) && + !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED, + -1, (u_char *)iv)) + fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s", + cipher->name); klen = EVP_CIPHER_CTX_key_length(&cc->evp); if (klen > 0 && keylen != (u_int)klen) { debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); 
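Review bot: The new `EVP_CTRL_GCM_SET_IV_FIXED` call hands `iv` to libcrypto unconditionally for AEAD ciphers, while the length check in the previous hunk only applies when `iv != NULL`, so a NULL iv passes validation and is then presumably read by the ctrl. Callers selecting a GCM cipher almost certainly always supply one, but the contract is cheap to make explicit: `if (cipher_authlen(cipher) && iv == NULL) fatal("cipher_init: %s requires an IV", cipher->name);` placed before the ctrl call. cipher_init starts and ends outside the hunk.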
@@ -284,19 +311,49 @@ cipher_init(CipherContext *cc, Cipher *cipher, * Theses bytes are treated as additional authenticated data for * authenticated encryption modes. * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. + * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag. + * This tag is written on encryption and verified on decryption. * Both 'aadlen' and 'authlen' can be set to 0. */ void cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, - u_int len, u_int aadlen) + u_int len, u_int aadlen, u_int authlen) { - if (aadlen) + if (authlen) { + u_char lastiv[1]; + + if (authlen != cipher_authlen(cc->cipher)) + fatal("%s: authlen mismatch %d", __func__, authlen); + /* increment IV */ + if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN, + 1, lastiv)) + fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__); + /* set tag on decyption */ + if (!cc->encrypt && + !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG, + authlen, (u_char *)src + aadlen + len)) + fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__); + } + if (aadlen) { + if (authlen && + EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0) + fatal("%s: EVP_Cipher(aad) failed", __func__); memcpy(dest, src, aadlen); + } if (len % cc->cipher->block_size) fatal("%s: bad plaintext length %d", __func__, len); if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen, len) < 0) fatal("%s: EVP_Cipher failed", __func__); + if (authlen) { + /* compute tag (on encrypt) or verify tag (on decrypt) */ + if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) + fatal("%s: EVP_Cipher(finish) failed", __func__); + if (cc->encrypt && + !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG, + authlen, dest + aadlen + len)) + fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__); + } } void diff --git a/cipher.h b/cipher.h index 78972fea..8cb57c3e 100644 --- a/cipher.h +++ b/cipher.h 
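Review bot: The comment `/* set tag on decyption */` has a typo (`decryption`), and the one-byte `lastiv[1]` buffer deserves a line saying why it exists, since it is passed to the ctrl and never read afterwards: `/* receives the low byte of the incremented invocation counter; only the increment is wanted here */` — that wording is my reading of the EVP_CTRL_GCM_IV_GEN contract and should be checked against the OpenSSL version in use. The updated header comment documents 'authlen' clearly; it would help callers to add that every failure, including a tag mismatch on decryption, goes through fatal() rather than a return value. cipher_crypt is contained entirely within the hunk.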
@@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.38 2012/12/11 22:31:18 markus Exp $ */ +/* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */ /* * Author: Tatu Ylonen @@ -64,6 +64,7 @@ typedef struct CipherContext CipherContext; struct Cipher; struct CipherContext { int plaintext; + int encrypt; EVP_CIPHER_CTX evp; Cipher *cipher; }; @@ -76,11 +77,14 @@ char *cipher_name(int); int ciphers_valid(const char *); void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, const u_char *, u_int, int); -void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int, u_int); +void cipher_crypt(CipherContext *, u_char *, const u_char *, + u_int, u_int, u_int); void cipher_cleanup(CipherContext *); void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); +u_int cipher_authlen(const Cipher *); +u_int cipher_ivlen(const Cipher *); u_int cipher_is_cbc(const Cipher *); u_int cipher_get_number(const Cipher *); diff --git a/kex.c b/kex.c index f77b3c92..57a79dd9 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.87 2012/08/17 01:22:56 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -304,6 +304,7 @@ choose_enc(Enc *enc, char *client, char *server) enc->name = name; enc->enabled = 0; enc->iv = NULL; + enc->iv_len = cipher_ivlen(enc->cipher); enc->key = NULL; enc->key_len = cipher_keylen(enc->cipher); enc->block_size = cipher_blocksize(enc->cipher); @@ -415,7 +416,7 @@ kex_choose_conf(Kex *kex) char **my, **peer; char **cprop, **sprop; int nenc, nmac, ncomp; - u_int mode, ctos, need; + u_int mode, ctos, need, authlen; int first_kex_follows, type; my = kex_buf2prop(&kex->my, NULL); 
@@ -448,13 +449,16 @@ kex_choose_conf(Kex *kex) nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; - choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]); - choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]); + choose_enc(&newkeys->enc, cprop[nenc], sprop[nenc]); + /* ignore mac for authenticated encryption */ + authlen = cipher_authlen(newkeys->enc.cipher); + if (authlen == 0) + choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]); choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); debug("kex: %s %s %s %s", ctos ? "client->server" : "server->client", newkeys->enc.name, - newkeys->mac.name, + authlen == 0 ? newkeys->mac.name : "", newkeys->comp.name); } choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); @@ -467,6 +471,8 @@ kex_choose_conf(Kex *kex) need = newkeys->enc.key_len; if (need < newkeys->enc.block_size) need = newkeys->enc.block_size; + if (need < newkeys->enc.iv_len) + need = newkeys->enc.iv_len; if (need < newkeys->mac.key_len) need = newkeys->mac.key_len; } diff --git a/kex.h b/kex.h index 03b984cc..46731fa4 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.53 2012/12/11 22:31:18 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -89,6 +89,7 @@ struct Enc { Cipher *cipher; int enabled; u_int key_len; + u_int iv_len; u_int block_size; u_char *key; u_char *iv; diff --git a/monitor_wrap.c b/monitor_wrap.c index c22d0a2a..ea654a73 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.74 2012/10/01 13:59:51 naddy Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl 
@@ -491,25 +491,24 @@ mm_newkeys_from_blob(u_char *blob, int blen) enc->enabled = buffer_get_int(&b); enc->block_size = buffer_get_int(&b); enc->key = buffer_get_string(&b, &enc->key_len); - enc->iv = buffer_get_string(&b, &len); - if (len != enc->block_size) - fatal("%s: bad ivlen: expected %u != %u", __func__, - enc->block_size, len); + enc->iv = buffer_get_string(&b, &enc->iv_len); if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) fatal("%s: bad cipher name %s or pointer %p", __func__, enc->name, enc->cipher); /* Mac structure */ - mac->name = buffer_get_string(&b, NULL); - if (mac->name == NULL || mac_setup(mac, mac->name) == -1) - fatal("%s: can not setup mac %s", __func__, mac->name); - mac->enabled = buffer_get_int(&b); - mac->key = buffer_get_string(&b, &len); - if (len > mac->key_len) - fatal("%s: bad mac key length: %u > %d", __func__, len, - mac->key_len); - mac->key_len = len; + if (cipher_authlen(enc->cipher) == 0) { + mac->name = buffer_get_string(&b, NULL); + if (mac->name == NULL || mac_setup(mac, mac->name) == -1) + fatal("%s: can not setup mac %s", __func__, mac->name); + mac->enabled = buffer_get_int(&b); + mac->key = buffer_get_string(&b, &len); + if (len > mac->key_len) + fatal("%s: bad mac key length: %u > %d", __func__, len, + mac->key_len); + mac->key_len = len; + } /* Comp structure */ comp->type = buffer_get_int(&b); 
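Review bot: The replacement `enc->iv = buffer_get_string(&b, &enc->iv_len);` drops the only length check on the IV: the removed lines compared it with block_size, and nothing now compares it with what the cipher expects, so a blob whose IV string has the wrong length is accepted and that length is later used as the IV size in cipher_init and in the memsets of set_newkeys. Add the check back against the cipher's own value: `if (enc->iv_len != cipher_ivlen(enc->cipher)) fatal("%s: bad ivlen: expected %u != %u", __func__, cipher_ivlen(enc->cipher), enc->iv_len);`. The blob comes from the privileged monitor, so this is defence in depth rather than an exposed path, but the previous code had the check and the new code is strictly weaker. When `cipher_authlen(enc->cipher) != 0` the mac fields are also left unset by this hunk; whether they are zeroed depends on how newkeys was allocated above the hunk, which is not visible here.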
@@ -551,13 +550,15 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp) buffer_put_int(&b, enc->enabled); buffer_put_int(&b, enc->block_size); buffer_put_string(&b, enc->key, enc->key_len); - packet_get_keyiv(mode, enc->iv, enc->block_size); - buffer_put_string(&b, enc->iv, enc->block_size); + packet_get_keyiv(mode, enc->iv, enc->iv_len); + buffer_put_string(&b, enc->iv, enc->iv_len); /* Mac structure */ - buffer_put_cstring(&b, mac->name); - buffer_put_int(&b, mac->enabled); - buffer_put_string(&b, mac->key, mac->key_len); + if (cipher_authlen(enc->cipher) == 0) { + buffer_put_cstring(&b, mac->name); + buffer_put_int(&b, mac->enabled); + buffer_put_string(&b, mac->key, mac->key_len); + } /* Comp structure */ buffer_put_int(&b, comp->type); diff --git a/myproposal.h b/myproposal.h index d98f4b05..99d09346 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.31 2012/12/11 22:31:18 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.32 2013/01/08 18:49:04 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -73,6 +73,7 @@ #define KEX_DEFAULT_ENCRYPT \ "aes128-ctr,aes192-ctr,aes256-ctr," \ "arcfour256,arcfour128," \ + "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" #ifdef HAVE_EVP_SHA256 diff --git a/packet.c b/packet.c index fe379aa4..ae7b04cd 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.179 2012/12/12 16:45:52 markus Exp $ */ +/* $OpenBSD: packet.c,v 1.180 2013/01/08 18:49:04 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
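Review bot: In myproposal.h the new AEAD entries are inserted after `"arcfour256,arcfour128,"` in KEX_DEFAULT_ENCRYPT, so two peers that both support aes128-gcm@openssh.com will still negotiate an RC4-based cipher whenever the peer offers it, leaving the new integrity-protected mode unused by default. If the intent is to prefer the AEAD modes, move the added line up so it reads `"aes128-ctr,aes192-ctr,aes256-ctr," \` then `"aes128-gcm@openssh.com,aes256-gcm@openssh.com," \` then `"arcfour256,arcfour128," \`. If the ordering is deliberate (for example to keep a brand-new mode out of the first position until it has seen wider use), a comment on the macro saying so would stop the next reader asking the same question. The ssh_config.5 and sshd_config.5 defaults in this commit mirror the same order and would need the same change.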
@@ -709,7 +709,7 @@ packet_send1(void) buffer_len(&active_state->outgoing_packet)); cipher_crypt(&active_state->send_context, cp, buffer_ptr(&active_state->outgoing_packet), - buffer_len(&active_state->outgoing_packet), 0); + buffer_len(&active_state->outgoing_packet), 0, 0); #ifdef PACKET_DEBUG fprintf(stderr, "encrypted: "); @@ -757,7 +757,7 @@ set_newkeys(int mode) mac = &active_state->newkeys[mode]->mac; comp = &active_state->newkeys[mode]->comp; mac_clear(mac); - memset(enc->iv, 0, enc->block_size); + memset(enc->iv, 0, enc->iv_len); memset(enc->key, 0, enc->key_len); memset(mac->key, 0, mac->key_len); xfree(enc->name); @@ -774,11 +774,11 @@ set_newkeys(int mode) enc = &active_state->newkeys[mode]->enc; mac = &active_state->newkeys[mode]->mac; comp = &active_state->newkeys[mode]->comp; - if (mac_init(mac) == 0) + if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0) mac->enabled = 1; DBG(debug("cipher_init_context: %d", mode)); cipher_init(cc, enc->cipher, enc->key, enc->key_len, - enc->iv, enc->block_size, crypt_type); + enc->iv, enc->iv_len, crypt_type); /* Deleting the keys does not gain extra security */ /* memset(enc->iv, 0, enc->block_size); memset(enc->key, 0, enc->key_len); @@ -846,7 +846,7 @@ packet_send2_wrapped(void) { u_char type, *cp, *macbuf = NULL; u_char padlen, pad = 0; - u_int i, len, aadlen = 0; + u_int i, len, authlen = 0, aadlen = 0; u_int32_t rnd = 0; Enc *enc = NULL; Mac *mac = NULL; @@ -857,9 +857,12 @@ packet_send2_wrapped(void) enc = &active_state->newkeys[MODE_OUT]->enc; mac = &active_state->newkeys[MODE_OUT]->mac; comp = &active_state->newkeys[MODE_OUT]->comp; + /* disable mac for authenticated encryption */ + if ((authlen = cipher_authlen(enc->cipher)) != 0) + mac = NULL; } block_size = enc ? enc->block_size : 8; - aadlen = mac && mac->enabled && mac->etm ? 4 : 0; + aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; cp = buffer_ptr(&active_state->outgoing_packet); type = cp[5]; 
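Review bot: In the set_newkeys hunk `memset(mac->key, 0, mac->key_len)` now also runs for AEAD ciphers, where choose_mac was skipped and mac->key is presumably NULL with key_len 0 (the allocation is outside the hunk); memset with a null pointer is undefined behaviour even for length 0, so guard it: `if (mac->key != NULL) memset(mac->key, 0, mac->key_len);`. The same question applies to `mac_clear(mac)` on a MAC that was never set up, if that helper assumes a name was chosen. The three memsets here wipe key material that appears to be released immediately afterwards, which is the pattern a compiler may drop as a dead store; a why-comment such as `/* wipe old IV/key before release */` together with a zeroing call the compiler cannot elide would make the intent robust. set_newkeys starts and ends outside this hunk.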
@@ -936,10 +939,10 @@ packet_send2_wrapped(void) DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr)); } /* encrypt packet and append to output buffer. */ - cp = buffer_append_space(&active_state->output, len); + cp = buffer_append_space(&active_state->output, len + authlen); cipher_crypt(&active_state->send_context, cp, buffer_ptr(&active_state->outgoing_packet), - len - aadlen, aadlen); + len - aadlen, aadlen, authlen); /* append unencrypted MAC */ if (mac && mac->enabled) { if (mac->etm) { @@ -1199,7 +1202,7 @@ packet_read_poll1(void) buffer_clear(&active_state->incoming_packet); cp = buffer_append_space(&active_state->incoming_packet, padded_len); cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), padded_len, 0); + buffer_ptr(&active_state->input), padded_len, 0, 0); buffer_consume(&active_state->input, padded_len); @@ -1248,7 +1251,7 @@ packet_read_poll2(u_int32_t *seqnr_p) { u_int padlen, need; u_char *macbuf = NULL, *cp, type; - u_int maclen, aadlen = 0, block_size; + u_int maclen, authlen = 0, aadlen = 0, block_size; Enc *enc = NULL; Mac *mac = NULL; Comp *comp = NULL; @@ -1260,10 +1263,13 @@ packet_read_poll2(u_int32_t *seqnr_p) enc = &active_state->newkeys[MODE_IN]->enc; mac = &active_state->newkeys[MODE_IN]->mac; comp = &active_state->newkeys[MODE_IN]->comp; + /* disable mac for authenticated encryption */ + if ((authlen = cipher_authlen(enc->cipher)) != 0) + mac = NULL; } maclen = mac && mac->enabled ? mac->mac_len : 0; block_size = enc ? enc->block_size : 8; - aadlen = mac && mac->enabled && mac->etm ? 4 : 0; + aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; if (aadlen && active_state->packlen == 0) { if (buffer_len(&active_state->input) < 4) 
@@ -1290,7 +1296,7 @@ packet_read_poll2(u_int32_t *seqnr_p) cp = buffer_append_space(&active_state->incoming_packet, block_size); cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), block_size, 0); + buffer_ptr(&active_state->input), block_size, 0, 0); cp = buffer_ptr(&active_state->incoming_packet); active_state->packlen = get_u32(cp); if (active_state->packlen < 1 + 4 || @@ -1316,8 +1322,8 @@ packet_read_poll2(u_int32_t *seqnr_p) */ need = 4 + active_state->packlen - block_size; } - DBG(debug("partial packet: block %d, need %d, maclen %d, aadlen %d", - block_size, need, maclen, aadlen)); + DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d," + " aadlen %d", block_size, need, maclen, authlen, aadlen)); if (need % block_size != 0) { logit("padding error: need %d block %d mod %d", need, block_size, need % block_size); @@ -1329,10 +1335,11 @@ packet_read_poll2(u_int32_t *seqnr_p) * check if the entire packet has been received and * decrypt into incoming_packet: * 'aadlen' bytes are unencrypted, but authenticated. - * 'need' bytes are encrypted, followed by + * 'need' bytes are encrypted, followed by either + * 'authlen' bytes of authentication tag or * 'maclen' bytes of message authentication code. */ - if (buffer_len(&active_state->input) < aadlen + need + maclen) + if (buffer_len(&active_state->input) < aadlen + need + authlen + maclen) return SSH_MSG_NONE; #ifdef PACKET_DEBUG fprintf(stderr, "read_poll enc/full: "); 
@@ -1344,8 +1351,8 @@ packet_read_poll2(u_int32_t *seqnr_p) buffer_ptr(&active_state->input), aadlen + need); cp = buffer_append_space(&active_state->incoming_packet, aadlen + need); cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), need, aadlen); - buffer_consume(&active_state->input, aadlen + need); + buffer_ptr(&active_state->input), need, aadlen, authlen); + buffer_consume(&active_state->input, aadlen + need + authlen); /* * compute MAC over seqnr and packet, * increment sequence number for incoming packet diff --git a/ssh_config.5 b/ssh_config.5 index ee466d80..269529c0 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.160 2012/12/11 22:31:18 markus Exp $ -.Dd $Mdocdate: December 11 2012 $ +.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $ +.Dd $Mdocdate: January 8 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -204,6 +204,8 @@ The supported ciphers are .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , +.Dq aes128-gcm@openssh.com , +.Dq aes256-gcm@openssh.com , .Dq arcfour128 , .Dq arcfour256 , .Dq arcfour , @@ -213,6 +215,7 @@ and The default is: .Bd -literal -offset 3n aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, +aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour .Ed diff --git a/sshd_config.5 b/sshd_config.5 index 0f4aa639..e7bb0b55 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
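Review bot: The decrypt of `need` bytes into incoming_packet happens before the GCM tag that follows the ciphertext has been checked, since that check lives inside cipher_crypt, so the buffer holds unauthenticated plaintext for the duration of that call; this is only safe if cipher_crypt never returns on a tag mismatch, and the call site should pin that contract: `/* AEAD: the tag is verified inside cipher_crypt, which must not return on failure because incoming_packet already holds unverified plaintext */`. The new `buffer_consume(&active_state->input, aadlen + need + authlen)` is correct only because maclen is forced to 0 for AEAD by the `mac = NULL` assignment earlier in this function, which is outside the hunk and worth naming in the same comment. packet_read_poll2 continues outside the hunk.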
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.152 2012/12/11 22:31:18 markus Exp $ -.Dd $Mdocdate: December 11 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.153 2013/01/08 18:49:04 markus Exp $ +.Dd $Mdocdate: January 8 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -336,6 +336,8 @@ The supported ciphers are .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , +.Dq aes128-gcm@openssh.com , +.Dq aes256-gcm@openssh.com , .Dq arcfour128 , .Dq arcfour256 , .Dq arcfour , @@ -345,6 +347,7 @@ and The default is: .Bd -literal -offset 3n aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, +aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour .Ed -- cgit v1.2.1 From 2ddc94ad211fda6963bf837447e486ed554a4c67 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 9 Jan 2013 05:42:47 +0000 Subject: - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h] Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little cipher compat code to openssl-compat.h --- ChangeLog | 3 +++ cipher.c | 21 ++++----------------- configure.ac | 24 ++++++++++++++++++++++-- openbsd-compat/openssl-compat.h | 26 +++++++++++++++++++++++++- 4 files changed, 54 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index b5812cc7..868158cf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ [myproposal.h packet.c ssh_config.5 sshd_config.5] support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@ + - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h] + Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little + cipher compat code to openssl-compat.h 20121217 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress diff --git a/cipher.c b/cipher.c index cad8a2f3..e137f359 100644 --- a/cipher.c 
+++ b/cipher.c @@ -54,25 +54,18 @@ extern const EVP_CIPHER *evp_ssh1_bf(void); extern const EVP_CIPHER *evp_ssh1_3des(void); extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); -#ifndef OPENSSL_HAVE_EVPCTR -#define EVP_aes_128_ctr evp_aes_128_ctr -#define EVP_aes_192_ctr evp_aes_128_ctr -#define EVP_aes_256_ctr evp_aes_128_ctr -extern const EVP_CIPHER *evp_aes_128_ctr(void); -extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); -#endif struct Cipher { char *name; int number; /* for ssh1 only */ u_int block_size; u_int key_len; + u_int iv_len; /* defaults to block_size */ + u_int auth_len; u_int discard_len; u_int cbc_mode; const EVP_CIPHER *(*evptype)(void); } ciphers[] = { - { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } - { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, @@ -94,10 +87,12 @@ struct Cipher { { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, +#ifdef OPENSSL_HAVE_EVPGCM { "aes128-gcm@openssh.com", SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, { "aes256-gcm@openssh.com", SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, +#endif #ifdef USE_CIPHER_ACSS { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, 0, 0, EVP_acss }, @@ -473,14 +468,6 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) } } -#if OPENSSL_VERSION_NUMBER < 0x00907000L -#define EVP_X_STATE(evp) &(evp).c -#define EVP_X_STATE_LEN(evp) sizeof((evp).c) -#else -#define EVP_X_STATE(evp) (evp).cipher_data -#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size -#endif - int cipher_get_keycontext(const CipherContext *cc, u_char *dat) { diff --git a/configure.ac b/configure.ac index 64c231b7..36761233 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.499 2012/12/12 21:18:56 djm Exp $ +# $Id: configure.ac,v 1.500 2013/01/09 05:42:47 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.499 $) +AC_REVISION($Revision: 1.500 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2320,6 +2320,26 @@ AC_LINK_IFELSE( ] ) +# Check for OpenSSL with EVP_aes_*gcm +AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include + ]], [[ + exit(EVP_aes_128_gcm() == NULL || + EVP_aes_256_gcm() == NULL); + ]])], + [ + AC_MSG_RESULT([yes]) + AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], + [libcrypto has EVP AES GCM]) + ], + [ + AC_MSG_RESULT([no]) + ] +) + AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) AC_LINK_IFELSE( [AC_LANG_PROGRAM([[ diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index a151eff3..28da3be2 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.20 2012/01/17 03:03:39 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.21 2013/01/09 05:42:49 djm Exp $ */ /* * Copyright (c) 2005 Darren Tucker 
@@ -63,6 +63,30 @@ extern const EVP_CIPHER *evp_rijndael(void); extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); #endif +#ifndef OPENSSL_HAVE_EVPCTR +#define EVP_aes_128_ctr evp_aes_128_ctr +#define EVP_aes_192_ctr evp_aes_128_ctr +#define EVP_aes_256_ctr evp_aes_128_ctr +extern const EVP_CIPHER *evp_aes_128_ctr(void); +extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); +#endif + +/* Avoid some #ifdef. Code that uses these is unreachable without GCM */ +#if !defined(OPENSSL_HAVE_EVPGCM) && !defined(EVP_CTRL_GCM_SET_IV_FIXED) +# define EVP_CTRL_GCM_SET_IV_FIXED -1 +# define EVP_CTRL_GCM_IV_GEN -1 +# define EVP_CTRL_GCM_SET_TAG -1 +# define EVP_CTRL_GCM_GET_TAG -1 +#endif + +#if OPENSSL_VERSION_NUMBER < 0x00907000L +#define EVP_X_STATE(evp) &(evp).c +#define EVP_X_STATE_LEN(evp) sizeof((evp).c) +#else +#define EVP_X_STATE(evp) (evp).cipher_data +#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size +#endif + #if !defined(EVP_CTRL_SET_ACSS_MODE) # if (OPENSSL_VERSION_NUMBER >= 0x00907000L) # define USE_CIPHER_ACSS 1 -- cgit v1.2.1 From 471278501986f3128636a614b6f5f6b5a0eb95e7 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 9 Jan 2013 05:44:54 +0000 Subject: - djm@cvs.openbsd.org 2013/01/09 05:40:17 [ssh-keygen.c] correctly initialise fingerprint type for fingerprinting PKCS#11 keys --- ChangeLog | 3 +++ ssh-keygen.c | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 868158cf..37f114b5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ [myproposal.h packet.c ssh_config.5 sshd_config.5] support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@ + - djm@cvs.openbsd.org 2013/01/09 05:40:17 + [ssh-keygen.c] + correctly initialise fingerprint type for fingerprinting PKCS#11 keys - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h] Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little cipher compat code to openssl-compat.h 
diff --git a/ssh-keygen.c b/ssh-keygen.c index 106f1536..a19a2b08 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.221 2013/01/03 23:22:58 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.222 2013/01/09 05:40:17 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -727,6 +727,9 @@ do_download(struct passwd *pw) enum fp_type fptype; char *fp, *ra; + fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + pkcs11_init(0); nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); if (nkeys <= 0) -- cgit v1.2.1 From 0e98541286a3049797b61af284dd6210a2e8fc53 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 12 Jan 2013 11:41:26 +0000 Subject: - djm@cvs.openbsd.org 2013/01/12 11:22:04 [cipher.c] improve error message for integrity failure in AES-GCM modes; ok markus@ --- ChangeLog | 6 ++++++ cipher.c | 10 +++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 37f114b5..3be438c7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20130112 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/01/12 11:22:04 + [cipher.c] + improve error message for integrity failure in AES-GCM modes; ok markus@ + 20130109 - (djm) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2012/12/14 05:26:43 diff --git a/cipher.c b/cipher.c index e137f359..2d307e16 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.85 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: cipher.c,v 1.86 2013/01/12 11:22:04 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -342,8 +342,12 @@ cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, fatal("%s: EVP_Cipher failed", __func__); if (authlen) { /* compute tag (on encrypt) or verify tag (on decrypt) */ - if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) - fatal("%s: EVP_Cipher(finish) failed", __func__); + if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) { + if (cc->encrypt) + fatal("%s: EVP_Cipher(final) failed", __func__); + else + fatal("Decryption integrity check failed"); + } if (cc->encrypt && !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG, authlen, dest + aadlen + len)) -- cgit v1.2.1 From ff45a3eec9c80c772be2b465d6c1f2fc77bade31 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 12 Jan 2013 11:46:26 +0000 Subject: - djm@cvs.openbsd.org 2013/01/12 11:23:53 [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] test AES-GCM modes; feedback markus@ --- ChangeLog | 3 +++ regress/cipher-speed.sh | 11 +++++++++-- regress/integrity.sh | 14 +++++++++++--- regress/try-ciphers.sh | 11 +++++++++-- 4 files changed, 32 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3be438c7..dd847610 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - djm@cvs.openbsd.org 2013/01/12 11:22:04 [cipher.c] improve error message for integrity failure in AES-GCM modes; ok markus@ + - djm@cvs.openbsd.org 2013/01/12 11:23:53 + [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] + test AES-GCM modes; feedback markus@ 20130109 - (djm) OpenBSD CVS Sync diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 4f26f7e9..ed7c6f32 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.6 2012/10/05 02:20:48 dtucker Exp $ +# $OpenBSD: cipher-speed.sh,v 1.7 2013/01/12 11:23:53 djm Exp $ # Placed in the Public Domain. tid="cipher speed" 
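Review bot: On the decrypt path the plaintext has already been written to `dest` by the EVP_Cipher call above before the tag is checked, so the new "Decryption integrity check failed" branch relies on fatal() never returning; should that branch ever be made non-fatal, the unauthenticated plaintext in dest would have to be wiped before returning. A comment on the else-branch would record that: `/* dest already holds unverified plaintext: never return here */`. The message also drops `__func__` and is the exact string integrity.sh matches on, so any future rewording must be kept in sync with that test. cipher_crypt starts before this hunk and `cc->encrypt` is set elsewhere.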
@@ -16,12 +16,14 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" +config_defined OPENSSL_HAVE_EVPGCM && + ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com" macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com hmac-sha1-96 hmac-md5-96" config_defined HAVE_EVP_SHA256 && macs="$macs hmac-sha2-256 hmac-sha2-512" -for c in $ciphers; do for m in $macs; do +for c in $ciphers; do n=0; for m in $macs; do trace "proto 2 cipher $c mac $m" for x in $tries; do echon "$c/$m:\t" @@ -34,6 +36,11 @@ for c in $ciphers; do for m in $macs; do fail "ssh -2 failed with mac $m cipher $c" fi done + # No point trying all MACs for GCM since they are ignored. + case $c in + aes*-gcm@openssh.com) test $n -gt 0 && break;; + esac + n=$(($n + 1)) done; done ciphers="3des blowfish" diff --git a/regress/integrity.sh b/regress/integrity.sh index 0185490c..608cde0f 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.1 2012/12/11 22:42:11 markus Exp $ +# $OpenBSD: integrity.sh,v 1.2 2013/01/12 11:23:53 djm Exp $ # Placed in the Public Domain. tid="integrity" @@ -14,6 +14,10 @@ macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" +# The following are not MACs, but ciphers with integrated integrity. They are +# handled specially below. +config_defined OPENSSL_HAVE_EVPGCM && + macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" # sshd-command for proxy (see test-exec.sh) cmd="sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" 
@@ -37,7 +41,11 @@ for m in $macs; do fi # modify output from sshd at offset $off pxy="proxycommand=$cmd | $OBJ/modpipe -m xor:$off:1" - output=$(${SSH} -m $m -2F $OBJ/ssh_proxy -o "$pxy" \ + case $m in + aes*gcm*) macopt="-c $m";; + *) macopt="-m $m";; + esac + output=$(${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ 999.999.999.999 true 2>&1) if [ $? -eq 0 ]; then fail "ssh -m $m succeeds with bit-flip at $off" @@ -47,7 +55,7 @@ for m in $macs; do verbose "test $tid: $m @$off $output" case "$output" in Bad?packet*) elen=$((elen+1)); skip=3;; - Corrupted?MAC*) emac=$((emac+1)); skip=0;; + Corrupted?MAC* | Decryption?integrity?check?failed*) padding*) epad=$((epad+1)); skip=0;; *) fail "unexpected error mac $m at $off";; esac diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 2b11b59e..ca285171 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.17 2012/12/11 23:12:13 markus Exp $ +# $OpenBSD: try-ciphers.sh,v 1.18 2013/01/12 11:23:53 djm Exp $ # Placed in the Public Domain. tid="try ciphers" @@ -6,7 +6,8 @@ tid="try ciphers" ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se - aes128-ctr aes192-ctr aes256-ctr" + aes128-ctr aes192-ctr aes256-ctr + aes128-gcm@openssh.com aes256-gcm@openssh.com" macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com hmac-sha1-96 hmac-md5-96 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com @@ -18,6 +19,7 @@ config_defined HAVE_EVP_SHA256 && hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" for c in $ciphers; do + n=0 for m in $macs; do trace "proto 2 cipher $c mac $m" verbose "test $tid: proto 2 cipher $c mac $m" 
@@ -25,6 +27,11 @@ for c in $ciphers; do if [ $? -ne 0 ]; then fail "ssh -2 failed with mac $m cipher $c" fi + # No point trying all MACs for GCM since they are ignored. + case $c in + aes*-gcm@openssh.com) test $n -gt 0 && break;; + esac + n=$(($n + 1)) done done -- cgit v1.2.1 From 321ad75e611bc74a3b02adc10ccbac9b9b1c2d5f Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 12 Jan 2013 12:10:47 +0000 Subject: - (djm) [regress/integrity.sh] repair botched merge --- ChangeLog | 1 + regress/integrity.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index dd847610..92830553 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,7 @@ - djm@cvs.openbsd.org 2013/01/12 11:23:53 [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] test AES-GCM modes; feedback markus@ + - (djm) [regress/integrity.sh] repair botched merge 20130109 - (djm) OpenBSD CVS Sync diff --git a/regress/integrity.sh b/regress/integrity.sh index 608cde0f..2b4bfeac 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -56,6 +56,7 @@ for m in $macs; do case "$output" in Bad?packet*) elen=$((elen+1)); skip=3;; Corrupted?MAC* | Decryption?integrity?check?failed*) + emac=$((emac+1)); skip=0;; padding*) epad=$((epad+1)); skip=0;; *) fail "unexpected error mac $m at $off";; esac -- cgit v1.2.1 From 89ec321d35ae9796c2653d56d9cce6bdbc081c3e Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Jan 2013 03:31:57 +0000 Subject: - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] check for GCM support before testing GCM ciphers. --- ChangeLog | 4 ++++ regress/cipher-speed.sh | 4 ++-- regress/integrity.sh | 2 +- regress/try-ciphers.sh | 5 +++-- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 92830553..686fe896 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,7 @@ +20130117 + - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] + check for GCM support before testing GCM ciphers. + 20130112 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/01/12 11:22:04 diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index ed7c6f32..114191b8 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -16,11 +16,11 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" -config_defined OPENSSL_HAVE_EVPGCM && +config_defined OPENSSL_HAVE_EVPGCM && \ ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com" macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com hmac-sha1-96 hmac-md5-96" -config_defined HAVE_EVP_SHA256 && +config_defined HAVE_EVP_SHA256 && \ macs="$macs hmac-sha2-256 hmac-sha2-512" for c in $ciphers; do n=0; for m in $macs; do diff --git a/regress/integrity.sh b/regress/integrity.sh index 2b4bfeac..91168fd2 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -16,7 +16,7 @@ macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" # The following are not MACs, but ciphers with integrated integrity. They are # handled specially below. -config_defined OPENSSL_HAVE_EVPGCM && +config_defined OPENSSL_HAVE_EVPGCM && \ macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" # sshd-command for proxy (see test-exec.sh) diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index ca285171..ef91085c 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh 
@@ -6,8 +6,9 @@ tid="try ciphers" ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se - aes128-ctr aes192-ctr aes256-ctr - aes128-gcm@openssh.com aes256-gcm@openssh.com" + aes128-ctr aes192-ctr aes256-ctr" +config_defined OPENSSL_HAVE_EVPGCM && \ + ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com" macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com hmac-sha1-96 hmac-md5-96 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com -- cgit v1.2.1 From 9e5de2499ec235fa96a743161f65be2add82aea3 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 18 Jan 2013 00:44:04 +0000 Subject: - djm@cvs.openbsd.org 2013/01/17 23:00:01 [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] [krl.c krl.h PROTOCOL.krl] add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@ --- ChangeLog | 11 + Makefile.in | 4 +- PROTOCOL.krl | 164 ++++++++ auth.c | 15 +- key.c | 40 +- key.h | 6 +- krl.c | 1227 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ krl.h | 63 +++ ssh-keygen.1 | 118 +++++- ssh-keygen.c | 257 +++++++++++- sshd_config.5 | 13 +- 11 files changed, 1884 insertions(+), 34 deletions(-) create mode 100644 PROTOCOL.krl create mode 100644 krl.c create mode 100644 krl.h diff --git a/ChangeLog b/ChangeLog index 686fe896..65403d6e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,14 @@ +20130118 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/01/17 23:00:01 + [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] + [krl.c krl.h PROTOCOL.krl] + add support for Key Revocation Lists (KRLs). These are a compact way to + represent lists of revoked keys and certificates, taking as little as + a single bit of incremental cost to revoke a certificate by serial number. + KRLs are loaded via the existing RevokedKeys sshd_config option. + feedback and ok markus@ + 20130117 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] check for GCM support before testing GCM ciphers. diff --git a/Makefile.in b/Makefile.in index 8765b7ef..74eeab57 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.329 2012/12/17 04:59:43 dtucker Exp $ +# $Id: Makefile.in,v 1.330 2013/01/18 00:44:04 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - jpake.o schnorr.o ssh-pkcs11.o + jpake.o schnorr.o ssh-pkcs11.o krl.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ diff --git a/PROTOCOL.krl b/PROTOCOL.krl new file mode 100644 index 00000000..e8caa452 --- /dev/null +++ b/PROTOCOL.krl 
@@ -0,0 +1,164 @@ +This describes the key/certificate revocation list format for OpenSSH. + +1. Overall format + +The KRL consists of a header and zero or more sections. The header is: + +#define KRL_MAGIC 0x5353484b524c0a00ULL /* "SSHKRL\n\0" */ +#define KRL_FORMAT_VERSION 1 + + uint64 KRL_MAGIC + uint32 KRL_FORMAT_VERSION + uint64 krl_version + uint64 generated_date + uint64 flags + string reserved + string comment + +Where "krl_version" is a version number that increases each time the KRL +is modified, "generated_date" is the time in seconds since 1970-01-01 +00:00:00 UTC that the KRL was generated, "comment" is an optional comment +and "reserved" an extension field whose contents are currently ignored. +No "flags" are currently defined. + +Following the header are zero or more sections, each consisting of: + + byte section_type + string section_data + +Where "section_type" indicates the type of the "section_data". An exception +to this is the KRL_SECTION_SIGNATURE section, that has a slightly different +format (see below). + +The available section types are: + +#define KRL_SECTION_CERTIFICATES 1 +#define KRL_SECTION_EXPLICIT_KEY 2 +#define KRL_SECTION_FINGERPRINT_SHA1 3 +#define KRL_SECTION_SIGNATURE 4 + +3. Certificate serial section + +These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by +serial number or key ID. The consist of the CA key that issued the +certificates to be revoked and a reserved field whose contents is currently +ignored. + + string ca_key + string reserved + +Followed by one or more sections: + + byte cert_section_type + string cert_section_data + +The certificate section types are: + +#define KRL_SECTION_CERT_SERIAL_LIST 0x20 +#define KRL_SECTION_CERT_SERIAL_RANGE 0x21 +#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22 +#define KRL_SECTION_CERT_KEY_ID 0x23 + +2.1 Certificate serial list section + +This section is identified as KRL_SECTION_CERT_SERIAL_LIST. It revokes +certificates by listing their serial numbers. 
The cert_section_data in this +case contains: + + uint64 revoked_cert_serial + uint64 ... + +This section may appear multiple times. + +2.2. Certificate serial range section + +These sections use type KRL_SECTION_CERT_SERIAL_RANGE and hold +a range of serial numbers of certificates: + + uint64 serial_min + uint64 serial_max + +All certificates in the range serial_min <= serial <= serial_max are +revoked. + +This section may appear multiple times. + +2.3. Certificate serial bitmap section + +Bitmap sections use type KRL_SECTION_CERT_SERIAL_BITMAP and revoke keys +by listing their serial number in a bitmap. + + uint64 serial_offset + mpint revoked_keys_bitmap + +A bit set at index N in the bitmap corresponds to revocation of a keys with +serial number (serial_offset + N). + +This section may appear multiple times. + +2.4. Revoked key ID sections + +KRL_SECTION_CERT_KEY_ID sections revoke particular certificate "key +ID" strings. This may be useful in revoking all certificates +associated with a particular identity, e.g. a host or a user. + + string key_id[0] + ... + +This section must contain at least one "key_id". This section may appear +multiple times. + +3. Explicit key sections + +These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys +(not certificates). They are less space efficient than serial numbers, +but are able to revoke plain keys. + + string public_key_blob[0] + .... + +This section must contain at least one "public_key_blob". The blob +must be a raw key (i.e. not a certificate). + +This section may appear multiple times. + +4. SHA1 fingerprint sections + +These sections, identified as KRL_SECTION_FINGERPRINT_SHA1, revoke +plain keys (i.e. not certificates) by listing their SHA1 hashes: + + string public_key_hash[0] + .... + +This section must contain at least one "public_key_hash". The hash blob +is obtained by taking the SHA1 hash of the public key blob. 
Hashes in +this section must appear in numeric order, treating each hash as a big- +endian integer. + +This section may appear multiple times. + +5. KRL signature sections + +The KRL_SECTION_SIGNATURE section serves a different purpose to the +preceeding ones: to provide cryptographic authentication of a KRL that +is retrieved over a channel that does not provide integrity protection. +Its format is slightly different to the previously-described sections: +in order to simplify the signature generation, it includes as a "body" +two string components instead of one. + + byte KRL_SECTION_SIGNATURE + string signature_key + string signature + +The signature is calculated over the entire KRL from the KRL_MAGIC +to this subsection's "signature_key", including both and using the +signature generation rules appropriate for the type of "signature_key". + +This section must appear last in the KRL. If multiple signature sections +appear, they must appear consecutively at the end of the KRL file. + +Implementations that retrieve KRLs over untrusted channels must verify +signatures. Signature sections are optional for KRLs distributed by +trusted means. + +$OpenBSD: PROTOCOL.krl,v 1.2 2013/01/18 00:24:58 djm Exp $ diff --git a/auth.c b/auth.c index f5e2d3d2..d978f027 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.99 2012/12/14 05:26:43 dtucker Exp $ */ +/* $OpenBSD: auth.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -71,6 +71,7 @@ #endif #include "authfile.h" #include "monitor_wrap.h" +#include "krl.h" /* import */ extern ServerOptions options; 
@@ -640,7 +641,16 @@ auth_key_is_revoked(Key *key) if (options.revoked_keys_file == NULL) return 0; - + switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { + case 0: + return 0; /* Not revoked */ + case -2: + break; /* Not a KRL */ + default: + goto revoked; + } + debug3("%s: treating %s as a key list", __func__, + options.revoked_keys_file); switch (key_in_file(key, options.revoked_keys_file, 0)) { case 0: /* key not revoked */ @@ -651,6 +661,7 @@ auth_key_is_revoked(Key *key) "authentication"); return 1; case 1: + revoked: /* Key revoked */ key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); error("WARNING: authentication attempt with a revoked " diff --git a/key.c b/key.c index 7e909970..4cc5c5d3 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.99 2012/05/23 03:28:28 djm Exp $ */ +/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -55,6 +55,8 @@ #include "misc.h" #include "ssh2.h" +static int to_blob(const Key *, u_char **, u_int *, int); + static struct KeyCert * cert_new(void) { @@ -324,14 +326,15 @@ key_equal(const Key *a, const Key *b) } u_char* -key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) +key_fingerprint_raw(const Key *k, enum fp_type dgst_type, + u_int *dgst_raw_length) { const EVP_MD *md = NULL; EVP_MD_CTX ctx; u_char *blob = NULL; u_char *retval = NULL; u_int len = 0; - int nlen, elen, otype; + int nlen, elen; *dgst_raw_length = 0; @@ -371,10 +374,7 @@ key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) case KEY_ECDSA_CERT: case KEY_RSA_CERT: /* We want a fingerprint of the _key_ not of the cert */ - otype = k->type; - k->type = key_type_plain(k->type); - key_to_blob(k, &blob, &len); - k->type = otype; + to_blob(k, &blob, &len, 1); break; case KEY_UNSPEC: return retval; 
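Review bot: In the new `switch (ssh_krl_file_contains_key(...))` in auth_key_is_revoked, every result other than 0 and -2 takes `default: goto revoked;`, so a KRL that cannot be processed (unreadable, truncated, or failing its signature check, if the function reports those with a value other than 0/-2 — its body is in krl.c, outside this hunk) is logged by the `revoked:` target as "WARNING: authentication attempt with a revoked key", which misattributes an operator-side error to the client. Failing closed is the right outcome, but the existing key_in_file switch directly below already distinguishes a read error (its own message ending in `"authentication"); return 1;`) from `case 1:` revoked, and the KRL path should match that. I would make the revoked case explicit and give errors their own message: `case 1: goto revoked;` and `default: error("Error checking KRL %s; refusing authentication", options.revoked_keys_file); return 1;`. The enclosing function starts before this hunk and its tail continues after the second hunk.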
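Review bot: The return value of `to_blob(k, &blob, &len, 1);` in the KEY_*_CERT branch of key_fingerprint_raw is discarded, so when the conversion fails (to_blob returns 0 on error, as the `key == NULL` path in the same commit shows) the function carries on with `blob == NULL` and `len == 0` instead of bailing out. The replaced key_to_blob call had the same gap, but since the line is being rewritten this is the moment to close it: `if (to_blob(k, &blob, &len, 1) == 0) return retval;`, which matches the `case KEY_UNSPEC: return retval;` convention immediately below (retval is initialised to NULL earlier in the function). I cannot see what follows the switch, so whether an empty blob is merely hashed or dereferenced further down is inferred; the function continues outside this hunk.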
@@ -1587,18 +1587,19 @@ key_from_blob(const u_char *blob, u_int blen) return key; } -int -key_to_blob(const Key *key, u_char **blobp, u_int *lenp) +static int +to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) { Buffer b; - int len; + int len, type; if (key == NULL) { error("key_to_blob: key == NULL"); return 0; } buffer_init(&b); - switch (key->type) { + type = force_plain ? key_type_plain(key->type) : key->type; + switch (type) { case KEY_DSA_CERT_V00: case KEY_RSA_CERT_V00: case KEY_DSA_CERT: @@ -1609,7 +1610,8 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp) buffer_len(&key->cert->certblob)); break; case KEY_DSA: - buffer_put_cstring(&b, key_ssh_name(key)); + buffer_put_cstring(&b, + key_ssh_name_from_type_nid(type, key->ecdsa_nid)); buffer_put_bignum2(&b, key->dsa->p); buffer_put_bignum2(&b, key->dsa->q); buffer_put_bignum2(&b, key->dsa->g); @@ -1617,14 +1619,16 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp) break; #ifdef OPENSSL_HAS_ECC case KEY_ECDSA: - buffer_put_cstring(&b, key_ssh_name(key)); + buffer_put_cstring(&b, + key_ssh_name_from_type_nid(type, key->ecdsa_nid)); buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid)); buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa), EC_KEY_get0_public_key(key->ecdsa)); break; #endif case KEY_RSA: - buffer_put_cstring(&b, key_ssh_name(key)); + buffer_put_cstring(&b, + key_ssh_name_from_type_nid(type, key->ecdsa_nid)); buffer_put_bignum2(&b, key->rsa->e); buffer_put_bignum2(&b, key->rsa->n); break; @@ -1645,6 +1649,12 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp) return len; } +int +key_to_blob(const Key *key, u_char **blobp, u_int *lenp) +{ + return to_blob(key, blobp, lenp, 0); +} + int key_sign( const Key *key, @@ -2024,7 +2034,7 @@ key_cert_check_authority(const Key *k, int want_host, int require_principal, } int -key_cert_is_legacy(Key *k) +key_cert_is_legacy(const Key *k) { switch (k->type) { case KEY_DSA_CERT_V00: 
diff --git a/key.h b/key.h index 39e5577f..ebdf4567 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.34 2012/05/23 03:28:28 djm Exp $ */ +/* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -96,7 +96,7 @@ Key *key_demote(const Key *); int key_equal_public(const Key *, const Key *); int key_equal(const Key *, const Key *); char *key_fingerprint(Key *, enum fp_type, enum fp_rep); -u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); +u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); const char *key_type(const Key *); const char *key_cert_type(const Key *); int key_write(const Key *, FILE *); @@ -114,7 +114,7 @@ int key_certify(Key *, Key *); void key_cert_copy(const Key *, struct Key *); int key_cert_check_authority(const Key *, int, int, const char *, const char **); -int key_cert_is_legacy(Key *); +int key_cert_is_legacy(const Key *); int key_ecdsa_nid_from_name(const char *); int key_curve_name_to_nid(const char *); diff --git a/krl.c b/krl.c new file mode 100644 index 00000000..48505702 --- /dev/null +++ b/krl.c 
@@ -0,0 +1,1227 @@ +/* + * Copyright (c) 2012 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* $OpenBSD: krl.c,v 1.2 2013/01/18 00:24:58 djm Exp $ */ + +#include "includes.h" + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include "buffer.h" +#include "key.h" +#include "authfile.h" +#include "err.h" +#include "misc.h" +#include "log.h" +#include "xmalloc.h" + +#include "krl.h" + +/* #define DEBUG_KRL */ +#ifdef DEBUG_KRL +# define KRL_DBG(x) debug3 x +#else +# define KRL_DBG(x) +#endif + +/* + * Trees of revoked serial numbers, key IDs and keys. This allows + * quick searching, querying and producing lists in canonical order. + */ + +/* Tree of serial numbers. 
XXX make smarter: really need a real sparse bitmap */ +struct revoked_serial { + u_int64_t lo, hi; + RB_ENTRY(revoked_serial) tree_entry; +}; +static int serial_cmp(struct revoked_serial *a, struct revoked_serial *b); +RB_HEAD(revoked_serial_tree, revoked_serial); +RB_GENERATE_STATIC(revoked_serial_tree, revoked_serial, tree_entry, serial_cmp); + +/* Tree of key IDs */ +struct revoked_key_id { + char *key_id; + RB_ENTRY(revoked_key_id) tree_entry; +}; +static int key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b); +RB_HEAD(revoked_key_id_tree, revoked_key_id); +RB_GENERATE_STATIC(revoked_key_id_tree, revoked_key_id, tree_entry, key_id_cmp); + +/* Tree of blobs (used for keys and fingerprints) */ +struct revoked_blob { + u_char *blob; + u_int len; + RB_ENTRY(revoked_blob) tree_entry; +}; +static int blob_cmp(struct revoked_blob *a, struct revoked_blob *b); +RB_HEAD(revoked_blob_tree, revoked_blob); +RB_GENERATE_STATIC(revoked_blob_tree, revoked_blob, tree_entry, blob_cmp); + +/* Tracks revoked certs for a single CA */ +struct revoked_certs { + Key *ca_key; + struct revoked_serial_tree revoked_serials; + struct revoked_key_id_tree revoked_key_ids; + TAILQ_ENTRY(revoked_certs) entry; +}; +TAILQ_HEAD(revoked_certs_list, revoked_certs); + +struct ssh_krl { + u_int64_t krl_version; + u_int64_t generated_date; + u_int64_t flags; + char *comment; + struct revoked_blob_tree revoked_keys; + struct revoked_blob_tree revoked_sha1s; + struct revoked_certs_list revoked_certs; +}; + +/* Return equal if a and b overlap */ +static int +serial_cmp(struct revoked_serial *a, struct revoked_serial *b) +{ + if (a->hi >= b->lo && a->lo <= b->hi) + return 0; + return a->lo < b->lo ? 
-1 : 1; +} + +static int +key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b) +{ + return strcmp(a->key_id, b->key_id); +} + +static int +blob_cmp(struct revoked_blob *a, struct revoked_blob *b) +{ + int r; + + if (a->len != b->len) { + if ((r = memcmp(a->blob, b->blob, MIN(a->len, b->len))) != 0) + return r; + return a->len > b->len ? 1 : -1; + } else + return memcmp(a->blob, b->blob, a->len); +} + +struct ssh_krl * +ssh_krl_init(void) +{ + struct ssh_krl *krl; + + if ((krl = calloc(1, sizeof(*krl))) == NULL) + return NULL; + RB_INIT(&krl->revoked_keys); + RB_INIT(&krl->revoked_sha1s); + TAILQ_INIT(&krl->revoked_certs); + return krl; +} + +static void +revoked_certs_free(struct revoked_certs *rc) +{ + struct revoked_serial *rs, *trs; + struct revoked_key_id *rki, *trki; + + RB_FOREACH_SAFE(rs, revoked_serial_tree, &rc->revoked_serials, trs) { + RB_REMOVE(revoked_serial_tree, &rc->revoked_serials, rs); + free(rs); + } + RB_FOREACH_SAFE(rki, revoked_key_id_tree, &rc->revoked_key_ids, trki) { + RB_REMOVE(revoked_key_id_tree, &rc->revoked_key_ids, rki); + free(rki->key_id); + free(rki); + } + if (rc->ca_key != NULL) + key_free(rc->ca_key); +} + +void +ssh_krl_free(struct ssh_krl *krl) +{ + struct revoked_blob *rb, *trb; + struct revoked_certs *rc, *trc; + + if (krl == NULL) + return; + + free(krl->comment); + RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_keys, trb) { + RB_REMOVE(revoked_blob_tree, &krl->revoked_keys, rb); + free(rb->blob); + free(rb); + } + RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_sha1s, trb) { + RB_REMOVE(revoked_blob_tree, &krl->revoked_sha1s, rb); + free(rb->blob); + free(rb); + } + TAILQ_FOREACH_SAFE(rc, &krl->revoked_certs, entry, trc) { + TAILQ_REMOVE(&krl->revoked_certs, rc, entry); + revoked_certs_free(rc); + } +} + +void +ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version) +{ + krl->krl_version = version; +} + +void +ssh_krl_set_comment(struct ssh_krl *krl, const char *comment) +{ + free(krl->comment); + 
if ((krl->comment = strdup(comment)) == NULL) + fatal("%s: strdup", __func__); +} + +/* + * Find the revoked_certs struct for a CA key. If allow_create is set then + * create a new one in the tree if one did not exist already. + */ +static int +revoked_certs_for_ca_key(struct ssh_krl *krl, const Key *ca_key, + struct revoked_certs **rcp, int allow_create) +{ + struct revoked_certs *rc; + + *rcp = NULL; + TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { + if (key_equal(rc->ca_key, ca_key)) { + *rcp = rc; + return 0; + } + } + if (!allow_create) + return 0; + /* If this CA doesn't exist in the list then add it now */ + if ((rc = calloc(1, sizeof(*rc))) == NULL) + return -1; + if ((rc->ca_key = key_from_private(ca_key)) == NULL) { + free(rc); + return -1; + } + RB_INIT(&rc->revoked_serials); + RB_INIT(&rc->revoked_key_ids); + TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); + debug3("%s: new CA %s", __func__, key_type(ca_key)); + *rcp = rc; + return 0; +} + +static int +insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi) +{ + struct revoked_serial rs, *ers, *crs, *irs; + + KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi)); + bzero(&rs, sizeof(rs)); + rs.lo = lo; + rs.hi = hi; + ers = RB_NFIND(revoked_serial_tree, rt, &rs); + if (ers == NULL || serial_cmp(ers, &rs) != 0) { + /* No entry matches. Just insert */ + if ((irs = malloc(sizeof(rs))) == NULL) + return -1; + memcpy(irs, &rs, sizeof(*irs)); + ers = RB_INSERT(revoked_serial_tree, rt, irs); + if (ers != NULL) { + KRL_DBG(("%s: bad: ers != NULL", __func__)); + /* Shouldn't happen */ + free(ers); + return -1; + } + ers = irs; + } else { + KRL_DBG(("%s: overlap found %llu:%llu", __func__, + ers->lo, ers->hi)); + /* + * The inserted entry overlaps an existing one. Grow the + * existing entry. + */ + if (ers->lo > lo) + ers->lo = lo; + if (ers->hi < hi) + ers->hi = hi; + } + /* + * The inserted or revised range might overlap or abut adjacent ones; + * coalesce as necessary. 
+ */ + + /* Check predecessors */ + while ((crs = RB_PREV(revoked_serial_tree, rt, ers)) != NULL) { + KRL_DBG(("%s: pred %llu:%llu", __func__, crs->lo, crs->hi)); + if (ers->lo != 0 && crs->hi < ers->lo - 1) + break; + /* This entry overlaps. */ + if (crs->lo < ers->lo) { + ers->lo = crs->lo; + KRL_DBG(("%s: pred extend %llu:%llu", __func__, + ers->lo, ers->hi)); + } + RB_REMOVE(revoked_serial_tree, rt, crs); + free(crs); + } + /* Check successors */ + while ((crs = RB_NEXT(revoked_serial_tree, rt, ers)) != NULL) { + KRL_DBG(("%s: succ %llu:%llu", __func__, crs->lo, crs->hi)); + if (ers->hi != (u_int64_t)-1 && crs->lo > ers->hi + 1) + break; + /* This entry overlaps. */ + if (crs->hi > ers->hi) { + ers->hi = crs->hi; + KRL_DBG(("%s: succ extend %llu:%llu", __func__, + ers->lo, ers->hi)); + } + RB_REMOVE(revoked_serial_tree, rt, crs); + free(crs); + } + KRL_DBG(("%s: done, final %llu:%llu", __func__, ers->lo, ers->hi)); + return 0; +} + +int +ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key, + u_int64_t serial) +{ + return ssh_krl_revoke_cert_by_serial_range(krl, ca_key, serial, serial); +} + +int +ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key, + u_int64_t lo, u_int64_t hi) +{ + struct revoked_certs *rc; + + if (lo > hi || lo == 0) + return -1; + if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0) + return -1; + return insert_serial_range(&rc->revoked_serials, lo, hi); +} + +int +ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key, + const char *key_id) +{ + struct revoked_key_id *rki, *erki; + struct revoked_certs *rc; + + if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0) + return -1; + + debug3("%s: revoke %s", __func__, key_id); + if ((rki = calloc(1, sizeof(*rki))) == NULL || + (rki->key_id = strdup(key_id)) == NULL) { + free(rki); + fatal("%s: strdup", __func__); + } + erki = RB_INSERT(revoked_key_id_tree, &rc->revoked_key_ids, rki); + if (erki != NULL) { + free(rki->key_id); + 
free(rki); + } + return 0; +} + +/* Convert "key" to a public key blob without any certificate information */ +static int +plain_key_blob(const Key *key, u_char **blob, u_int *blen) +{ + Key *kcopy; + int r; + + if ((kcopy = key_from_private(key)) == NULL) + return -1; + if (key_is_cert(kcopy)) { + if (key_drop_cert(kcopy) != 0) { + error("%s: key_drop_cert", __func__); + key_free(kcopy); + return -1; + } + } + r = key_to_blob(kcopy, blob, blen); + free(kcopy); + return r == 0 ? -1 : 0; +} + +/* Revoke a key blob. Ownership of blob is transferred to the tree */ +static int +revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len) +{ + struct revoked_blob *rb, *erb; + + if ((rb = calloc(1, sizeof(*rb))) == NULL) + return -1; + rb->blob = blob; + rb->len = len; + erb = RB_INSERT(revoked_blob_tree, rbt, rb); + if (erb != NULL) { + free(rb->blob); + free(rb); + } + return 0; +} + +int +ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key) +{ + u_char *blob; + u_int len; + + debug3("%s: revoke type %s", __func__, key_type(key)); + if (plain_key_blob(key, &blob, &len) != 0) + return -1; + return revoke_blob(&krl->revoked_keys, blob, len); +} + +int +ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key) +{ + u_char *blob; + u_int len; + + debug3("%s: revoke type %s by sha1", __func__, key_type(key)); + if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL) + return -1; + return revoke_blob(&krl->revoked_sha1s, blob, len); +} + +int +ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key) +{ + if (!key_is_cert(key)) + return ssh_krl_revoke_key_sha1(krl, key); + + if (key_cert_is_legacy(key) || key->cert->serial == 0) { + return ssh_krl_revoke_cert_by_key_id(krl, + key->cert->signature_key, + key->cert->key_id); + } else { + return ssh_krl_revoke_cert_by_serial(krl, + key->cert->signature_key, + key->cert->serial); + } +} + +/* + * Select a copact next section type to emit in a KRL based on the + * current section type, the run length 
of contiguous revoked serial + * numbers and the gaps from the last and to the next revoked serial. + * Applies a mostly-accurate bit cost model to select the section type + * that will minimise the size of the resultant KRL. + */ +static int +choose_next_state(int current_state, u_int64_t contig, int final, + u_int64_t last_gap, u_int64_t next_gap, int *force_new_section) +{ + int new_state; + u_int64_t cost, cost_list, cost_range, cost_bitmap, cost_bitmap_restart; + + /* + * Avoid unsigned overflows. + * The limits are high enough to avoid confusing the calculations. + */ + contig = MIN(contig, 1ULL<<31); + last_gap = MIN(last_gap, 1ULL<<31); + next_gap = MIN(next_gap, 1ULL<<31); + + /* + * Calculate the cost to switch from the current state to candidates. + * NB. range sections only ever contain a single range, so their + * switching cost is independent of the current_state. + */ + cost_list = cost_bitmap = cost_bitmap_restart = 0; + cost_range = 8; + switch (current_state) { + case KRL_SECTION_CERT_SERIAL_LIST: + cost_bitmap_restart = cost_bitmap = 8 + 64; + break; + case KRL_SECTION_CERT_SERIAL_BITMAP: + cost_list = 8; + cost_bitmap_restart = 8 + 64; + break; + case KRL_SECTION_CERT_SERIAL_RANGE: + case 0: + cost_bitmap_restart = cost_bitmap = 8 + 64; + cost_list = 8; + } + + /* Estimate base cost in bits of each section type */ + cost_list += 64 * contig + (final ? 0 : 8+64); + cost_range += (2 * 64) + (final ? 0 : 8+64); + cost_bitmap += last_gap + contig + (final ? 0 : MIN(next_gap, 8+64)); + cost_bitmap_restart += contig + (final ? 
0 : MIN(next_gap, 8+64)); + + /* Convert to byte costs for actual comparison */ + cost_list = (cost_list + 7) / 8; + cost_bitmap = (cost_bitmap + 7) / 8; + cost_bitmap_restart = (cost_bitmap_restart + 7) / 8; + cost_range = (cost_range + 7) / 8; + + /* Now pick the best choice */ + *force_new_section = 0; + new_state = KRL_SECTION_CERT_SERIAL_BITMAP; + cost = cost_bitmap; + if (cost_range < cost) { + new_state = KRL_SECTION_CERT_SERIAL_RANGE; + cost = cost_range; + } + if (cost_list < cost) { + new_state = KRL_SECTION_CERT_SERIAL_LIST; + cost = cost_list; + } + if (cost_bitmap_restart < cost) { + new_state = KRL_SECTION_CERT_SERIAL_BITMAP; + *force_new_section = 1; + cost = cost_bitmap_restart; + } + debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" + "list %llu range %llu bitmap %llu new bitmap %llu, " + "selected 0x%02x%s", __func__, contig, last_gap, next_gap, final, + cost_list, cost_range, cost_bitmap, cost_bitmap_restart, new_state, + *force_new_section ? " restart" : ""); + return new_state; +} + +/* Generate a KRL_SECTION_CERTIFICATES KRL section */ +static int +revoked_certs_generate(struct revoked_certs *rc, Buffer *buf) +{ + int final, force_new_sect, r = -1; + u_int64_t i, contig, gap, last = 0, bitmap_start = 0; + struct revoked_serial *rs, *nrs; + struct revoked_key_id *rki; + int next_state, state = 0; + Buffer sect; + u_char *kblob = NULL; + u_int klen; + BIGNUM *bitmap = NULL; + + /* Prepare CA scope key blob if we have one supplied */ + if (key_to_blob(rc->ca_key, &kblob, &klen) == 0) + return -1; + + buffer_init(§); + + /* Store the header */ + buffer_put_string(buf, kblob, klen); + buffer_put_string(buf, NULL, 0); /* Reserved */ + + free(kblob); + + /* Store the revoked serials. 
*/ + for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); + rs != NULL; + rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { + debug3("%s: serial %llu:%llu state 0x%02x", __func__, + rs->lo, rs->hi, state); + + /* Check contiguous length and gap to next section (if any) */ + nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); + final = nrs == NULL; + gap = nrs == NULL ? 0 : nrs->lo - rs->hi; + contig = 1 + (rs->hi - rs->lo); + + /* Choose next state based on these */ + next_state = choose_next_state(state, contig, final, + state == 0 ? 0 : rs->lo - last, gap, &force_new_sect); + + /* + * If the current section is a range section or has a different + * type to the next section, then finish it off now. + */ + if (state != 0 && (force_new_sect || next_state != state || + state == KRL_SECTION_CERT_SERIAL_RANGE)) { + debug3("%s: finish state 0x%02x", __func__, state); + switch (state) { + case KRL_SECTION_CERT_SERIAL_LIST: + case KRL_SECTION_CERT_SERIAL_RANGE: + break; + case KRL_SECTION_CERT_SERIAL_BITMAP: + buffer_put_bignum2(§, bitmap); + BN_free(bitmap); + bitmap = NULL; + break; + } + buffer_put_char(buf, state); + buffer_put_string(buf, + buffer_ptr(§), buffer_len(§)); + } + + /* If we are starting a new section then prepare it now */ + if (next_state != state || force_new_sect) { + debug3("%s: start state 0x%02x", __func__, next_state); + state = next_state; + buffer_clear(§); + switch (state) { + case KRL_SECTION_CERT_SERIAL_LIST: + case KRL_SECTION_CERT_SERIAL_RANGE: + break; + case KRL_SECTION_CERT_SERIAL_BITMAP: + if ((bitmap = BN_new()) == NULL) + goto out; + bitmap_start = rs->lo; + buffer_put_int64(§, bitmap_start); + break; + } + } + + /* Perform section-specific processing */ + switch (state) { + case KRL_SECTION_CERT_SERIAL_LIST: + for (i = rs->lo; i < contig; i++) + buffer_put_int64(§, rs->lo + i); + break; + case KRL_SECTION_CERT_SERIAL_RANGE: + buffer_put_int64(§, rs->lo); + buffer_put_int64(§, rs->hi); + break; + case 
KRL_SECTION_CERT_SERIAL_BITMAP: + if (rs->lo - bitmap_start > INT_MAX) { + error("%s: insane bitmap gap", __func__); + goto out; + } + for (i = 0; i < contig; i++) { + if (BN_set_bit(bitmap, + rs->lo + i - bitmap_start) != 1) + goto out; + } + break; + } + last = rs->hi; + } + /* Flush the remaining section, if any */ + if (state != 0) { + debug3("%s: serial final flush for state 0x%02x", + __func__, state); + switch (state) { + case KRL_SECTION_CERT_SERIAL_LIST: + case KRL_SECTION_CERT_SERIAL_RANGE: + break; + case KRL_SECTION_CERT_SERIAL_BITMAP: + buffer_put_bignum2(§, bitmap); + BN_free(bitmap); + bitmap = NULL; + break; + } + buffer_put_char(buf, state); + buffer_put_string(buf, + buffer_ptr(§), buffer_len(§)); + } + debug3("%s: serial done ", __func__); + + /* Now output a section for any revocations by key ID */ + buffer_clear(§); + RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { + debug3("%s: key ID %s", __func__, rki->key_id); + buffer_put_cstring(§, rki->key_id); + } + if (buffer_len(§) != 0) { + buffer_put_char(buf, KRL_SECTION_CERT_KEY_ID); + buffer_put_string(buf, buffer_ptr(§), + buffer_len(§)); + } + r = 0; + out: + if (bitmap != NULL) + BN_free(bitmap); + buffer_free(§); + return r; +} + +int +ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys, + u_int nsign_keys) +{ + int r = -1; + struct revoked_certs *rc; + struct revoked_blob *rb; + Buffer sect; + u_char *kblob = NULL, *sblob = NULL; + u_int klen, slen, i; + + if (krl->generated_date == 0) + krl->generated_date = time(NULL); + + buffer_init(§); + + /* Store the header */ + buffer_append(buf, KRL_MAGIC, sizeof(KRL_MAGIC) - 1); + buffer_put_int(buf, KRL_FORMAT_VERSION); + buffer_put_int64(buf, krl->krl_version); + buffer_put_int64(buf, krl->generated_date); + buffer_put_int64(buf, krl->flags); + buffer_put_string(buf, NULL, 0); + buffer_put_cstring(buf, krl->comment ? 
krl->comment : ""); + + /* Store sections for revoked certificates */ + TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { + if (revoked_certs_generate(rc, §) != 0) + goto out; + buffer_put_char(buf, KRL_SECTION_CERTIFICATES); + buffer_put_string(buf, buffer_ptr(§), + buffer_len(§)); + } + + /* Finally, output sections for revocations by public key/hash */ + buffer_clear(§); + RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { + debug3("%s: key len %u ", __func__, rb->len); + buffer_put_string(§, rb->blob, rb->len); + } + if (buffer_len(§) != 0) { + buffer_put_char(buf, KRL_SECTION_EXPLICIT_KEY); + buffer_put_string(buf, buffer_ptr(§), + buffer_len(§)); + } + buffer_clear(§); + RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { + debug3("%s: hash len %u ", __func__, rb->len); + buffer_put_string(§, rb->blob, rb->len); + } + if (buffer_len(§) != 0) { + buffer_put_char(buf, KRL_SECTION_FINGERPRINT_SHA1); + buffer_put_string(buf, buffer_ptr(§), + buffer_len(§)); + } + + for (i = 0; i < nsign_keys; i++) { + if (key_to_blob(sign_keys[i], &kblob, &klen) == 0) + goto out; + + debug3("%s: signature key len %u", __func__, klen); + buffer_put_char(buf, KRL_SECTION_SIGNATURE); + buffer_put_string(buf, kblob, klen); + + if (key_sign(sign_keys[i], &sblob, &slen, + buffer_ptr(buf), buffer_len(buf)) == -1) + goto out; + debug3("%s: signature sig len %u", __func__, slen); + buffer_put_string(buf, sblob, slen); + } + + r = 0; + out: + free(kblob); + free(sblob); + buffer_free(§); + return r; +} + +static void +format_timestamp(u_int64_t timestamp, char *ts, size_t nts) +{ + time_t t; + struct tm *tm; + + t = timestamp; + tm = localtime(&t); + *ts = '\0'; + strftime(ts, nts, "%Y%m%dT%H%M%S", tm); +} + +static int +parse_revoked_certs(Buffer *buf, struct ssh_krl *krl) +{ + int ret = -1, nbits; + u_char type, *blob; + u_int blen; + Buffer subsect; + u_int64_t serial, serial_lo, serial_hi; + BIGNUM *bitmap = NULL; + char *key_id = NULL; + Key *ca_key = NULL; + + 
buffer_init(&subsect); + + if ((blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL || + buffer_get_string_ptr_ret(buf, NULL) == NULL) { /* reserved */ + error("%s: buffer error", __func__); + goto out; + } + if ((ca_key = key_from_blob(blob, blen)) == NULL) + goto out; + + while (buffer_len(buf) > 0) { + if (buffer_get_char_ret(&type, buf) != 0 || + (blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL) { + error("%s: buffer error", __func__); + goto out; + } + buffer_clear(&subsect); + buffer_append(&subsect, blob, blen); + debug3("%s: subsection type 0x%02x", __func__, type); + /* buffer_dump(&subsect); */ + + switch (type) { + case KRL_SECTION_CERT_SERIAL_LIST: + while (buffer_len(&subsect) > 0) { + if (buffer_get_int64_ret(&serial, + &subsect) != 0) { + error("%s: buffer error", __func__); + goto out; + } + if (ssh_krl_revoke_cert_by_serial(krl, ca_key, + serial) != 0) { + error("%s: update failed", __func__); + goto out; + } + } + break; + case KRL_SECTION_CERT_SERIAL_RANGE: + if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 || + buffer_get_int64_ret(&serial_hi, &subsect) != 0) { + error("%s: buffer error", __func__); + goto out; + } + if (ssh_krl_revoke_cert_by_serial_range(krl, ca_key, + serial_lo, serial_hi) != 0) { + error("%s: update failed", __func__); + goto out; + } + break; + case KRL_SECTION_CERT_SERIAL_BITMAP: + if ((bitmap = BN_new()) == NULL) { + error("%s: BN_new", __func__); + goto out; + } + if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 || + buffer_get_bignum2_ret(&subsect, bitmap) != 0) { + error("%s: buffer error", __func__); + goto out; + } + if ((nbits = BN_num_bits(bitmap)) < 0) { + error("%s: bitmap bits < 0", __func__); + goto out; + } + for (serial = 0; serial < (u_int)nbits; serial++) { + if (serial > 0 && serial_lo + serial == 0) { + error("%s: bitmap wraps u64", __func__); + goto out; + } + if (!BN_is_bit_set(bitmap, serial)) + continue; + if (ssh_krl_revoke_cert_by_serial(krl, ca_key, + serial_lo + serial) != 0) { + 
error("%s: update failed", __func__); + goto out; + } + } + BN_free(bitmap); + bitmap = NULL; + break; + case KRL_SECTION_CERT_KEY_ID: + while (buffer_len(&subsect) > 0) { + if ((key_id = buffer_get_cstring_ret(&subsect, + NULL)) == NULL) { + error("%s: buffer error", __func__); + goto out; + } + if (ssh_krl_revoke_cert_by_key_id(krl, ca_key, + key_id) != 0) { + error("%s: update failed", __func__); + goto out; + } + free(key_id); + key_id = NULL; + } + break; + default: + error("Unsupported KRL certificate section %u", type); + goto out; + } + if (buffer_len(&subsect) > 0) { + error("KRL certificate section contains unparsed data"); + goto out; + } + } + + ret = 0; + out: + if (ca_key != NULL) + key_free(ca_key); + if (bitmap != NULL) + BN_free(bitmap); + free(key_id); + buffer_free(&subsect); + return ret; +} + + +/* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */ +int +ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, + const Key **sign_ca_keys, u_int nsign_ca_keys) +{ + Buffer copy, sect; + struct ssh_krl *krl; + char timestamp[64]; + int ret = -1, r, sig_seen; + Key *key = NULL, **ca_used = NULL; + u_char type, *blob; + u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0; + + *krlp = NULL; + if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 || + memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { + debug3("%s: not a KRL", __func__); + /* + * Return success but a NULL *krlp here to signal that the + * file might be a simple list of keys. 
+ */ + return 0; + } + + /* Take a copy of the KRL buffer so we can verify its signature later */ + buffer_init(©); + buffer_append(©, buffer_ptr(buf), buffer_len(buf)); + + buffer_init(§); + buffer_consume(©, sizeof(KRL_MAGIC) - 1); + + if ((krl = ssh_krl_init()) == NULL) { + error("%s: alloc failed", __func__); + goto out; + } + + if (buffer_get_int_ret(&format_version, ©) != 0) { + error("%s: KRL truncated", __func__); + goto out; + } + if (format_version != KRL_FORMAT_VERSION) { + error("%s: KRL unsupported format version %u", + __func__, format_version); + goto out; + } + if (buffer_get_int64_ret(&krl->krl_version, ©) != 0 || + buffer_get_int64_ret(&krl->generated_date, ©) != 0 || + buffer_get_int64_ret(&krl->flags, ©) != 0 || + buffer_get_string_ptr_ret(©, NULL) == NULL || /* reserved */ + (krl->comment = buffer_get_cstring_ret(©, NULL)) == NULL) { + error("%s: buffer error", __func__); + goto out; + } + + format_timestamp(krl->generated_date, timestamp, sizeof(timestamp)); + debug("KRL version %llu generated at %s%s%s", krl->krl_version, + timestamp, *krl->comment ? ": " : "", krl->comment); + + /* + * 1st pass: verify signatures, if any. This is done to avoid + * detailed parsing of data whose provenance is unverified. + */ + sig_seen = 0; + sects_off = buffer_len(buf) - buffer_len(©); + while (buffer_len(©) > 0) { + if (buffer_get_char_ret(&type, ©) != 0 || + (blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { + error("%s: buffer error", __func__); + goto out; + } + debug3("%s: first pass, section 0x%02x", __func__, type); + if (type != KRL_SECTION_SIGNATURE) { + if (sig_seen) { + error("KRL contains non-signature section " + "after signature"); + goto out; + } + /* Not interested for now. 
*/ + continue; + } + sig_seen = 1; + /* First string component is the signing key */ + if ((key = key_from_blob(blob, blen)) == NULL) { + error("%s: invalid signature key", __func__); + goto out; + } + sig_off = buffer_len(buf) - buffer_len(©); + /* Second string component is the signature itself */ + if ((blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { + error("%s: buffer error", __func__); + goto out; + } + /* Check signature over entire KRL up to this point */ + if (key_verify(key, blob, blen, + buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) { + error("bad signaure on KRL"); + goto out; + } + /* Check if this key has already signed this KRL */ + for (i = 0; i < nca_used; i++) { + if (key_equal(ca_used[i], key)) { + error("KRL signed more than once with " + "the same key"); + goto out; + } + } + /* Record keys used to sign the KRL */ + xrealloc(ca_used, nca_used + 1, sizeof(*ca_used)); + ca_used[nca_used++] = key; + key = NULL; + break; + } + + /* + * 2nd pass: parse and load the KRL, skipping the header to the point + * where the section start. + */ + buffer_append(©, (u_char*)buffer_ptr(buf) + sects_off, + buffer_len(buf) - sects_off); + while (buffer_len(©) > 0) { + if (buffer_get_char_ret(&type, ©) != 0 || + (blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { + error("%s: buffer error", __func__); + goto out; + } + debug3("%s: second pass, section 0x%02x", __func__, type); + buffer_clear(§); + buffer_append(§, blob, blen); + + switch (type) { + case KRL_SECTION_CERTIFICATES: + if ((r = parse_revoked_certs(§, krl)) != 0) + goto out; + break; + case KRL_SECTION_EXPLICIT_KEY: + case KRL_SECTION_FINGERPRINT_SHA1: + while (buffer_len(§) > 0) { + if ((blob = buffer_get_string_ret(§, + &blen)) == NULL) { + error("%s: buffer error", __func__); + goto out; + } + if (type == KRL_SECTION_FINGERPRINT_SHA1 && + blen != 20) { + error("%s: bad SHA1 length", __func__); + goto out; + } + if (revoke_blob( + type == KRL_SECTION_EXPLICIT_KEY ? 
+ &krl->revoked_keys : &krl->revoked_sha1s, + blob, blen) != 0) + goto out; /* revoke_blob frees blob */ + } + break; + case KRL_SECTION_SIGNATURE: + /* Handled above, but still need to stay in synch */ + buffer_clear(§); + if ((blob = buffer_get_string_ptr_ret(§, + &blen)) == NULL) { + error("%s: buffer error", __func__); + goto out; + } + break; + default: + error("Unsupported KRL section %u", type); + goto out; + } + if (buffer_len(§) > 0) { + error("KRL section contains unparsed data"); + goto out; + } + } + + /* Check that the key(s) used to sign the KRL weren't revoked */ + sig_seen = 0; + for (i = 0; i < nca_used; i++) { + if (ssh_krl_check_key(krl, ca_used[i]) == 0) + sig_seen = 1; + else { + key_free(ca_used[i]); + ca_used[i] = NULL; + } + } + if (nca_used && !sig_seen) { + error("All keys used to sign KRL were revoked"); + goto out; + } + + /* If we have CA keys, then verify that one was used to sign the KRL */ + if (sig_seen && nsign_ca_keys != 0) { + sig_seen = 0; + for (i = 0; !sig_seen && i < nsign_ca_keys; i++) { + for (j = 0; j < nca_used; j++) { + if (ca_used[j] == NULL) + continue; + if (key_equal(ca_used[j], sign_ca_keys[i])) { + sig_seen = 1; + break; + } + } + } + if (!sig_seen) { + error("KRL not signed with any trusted key"); + goto out; + } + } + + *krlp = krl; + ret = 0; + out: + if (ret != 0) + ssh_krl_free(krl); + for (i = 0; i < nca_used; i++) { + if (ca_used[i] != NULL) + key_free(ca_used[i]); + } + free(ca_used); + if (key != NULL) + key_free(key); + buffer_free(©); + buffer_free(§); + return ret; +} + +/* Checks whether a given key/cert is revoked. 
Does not check its CA */ +static int +is_key_revoked(struct ssh_krl *krl, const Key *key) +{ + struct revoked_blob rb, *erb; + struct revoked_serial rs, *ers; + struct revoked_key_id rki, *erki; + struct revoked_certs *rc; + + /* Check explicitly revoked hashes first */ + bzero(&rb, sizeof(rb)); + if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL) + return -1; + erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); + free(rb.blob); + if (erb != NULL) { + debug("%s: revoked by key SHA1", __func__); + return -1; + } + + /* Next, explicit keys */ + bzero(&rb, sizeof(rb)); + if (plain_key_blob(key, &rb.blob, &rb.len) != 0) + return -1; + erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); + free(rb.blob); + if (erb != NULL) { + debug("%s: revoked by explicit key", __func__); + return -1; + } + + if (!key_is_cert(key)) + return 0; + + /* Check cert revocation */ + if (revoked_certs_for_ca_key(krl, key->cert->signature_key, + &rc, 0) != 0) + return -1; + if (rc == NULL) + return 0; /* No entry for this CA */ + + /* Check revocation by cert key ID */ + bzero(&rki, sizeof(rki)); + rki.key_id = key->cert->key_id; + erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); + if (erki != NULL) { + debug("%s: revoked by key ID", __func__); + return -1; + } + + /* Legacy cert formats lack serial numbers */ + if (key_cert_is_legacy(key)) + return 0; + + bzero(&rs, sizeof(rs)); + rs.lo = rs.hi = key->cert->serial; + ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); + if (ers != NULL) { + KRL_DBG(("%s: %llu matched %llu:%llu", __func__, + key->cert->serial, ers->lo, ers->hi)); + debug("%s: revoked by serial", __func__); + return -1; + } + KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); + + return 0; +} + +int +ssh_krl_check_key(struct ssh_krl *krl, const Key *key) +{ + int r; + + debug2("%s: checking key", __func__); + if ((r = is_key_revoked(krl, key)) != 0) + return r; + if (key_is_cert(key)) { + debug2("%s: 
checking CA key", __func__); + if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) + return r; + } + debug3("%s: key okay", __func__); + return 0; +} + +/* Returns 0 on success, -1 on error or key revoked, -2 if path is not a KRL */ +int +ssh_krl_file_contains_key(const char *path, const Key *key) +{ + Buffer krlbuf; + struct ssh_krl *krl; + int revoked, fd; + + if (path == NULL) + return 0; + + if ((fd = open(path, O_RDONLY)) == -1) { + error("open %s: %s", path, strerror(errno)); + error("Revoked keys file not accessible - refusing public key " + "authentication"); + return -1; + } + buffer_init(&krlbuf); + if (!key_load_file(fd, path, &krlbuf)) { + close(fd); + buffer_free(&krlbuf); + error("Revoked keys file not readable - refusing public key " + "authentication"); + return -1; + } + close(fd); + if (ssh_krl_from_blob(&krlbuf, &krl, NULL, 0) != 0) { + buffer_free(&krlbuf); + error("Invalid KRL, refusing public key " + "authentication"); + return -1; + } + buffer_free(&krlbuf); + if (krl == NULL) { + debug3("%s: %s is not a KRL file", __func__, path); + return -2; + } + debug2("%s: checking KRL %s", __func__, path); + revoked = ssh_krl_check_key(krl, key) != 0; + ssh_krl_free(krl); + return revoked ? -1 : 0; +} diff --git a/krl.h b/krl.h new file mode 100644 index 00000000..2c43f5bb --- /dev/null +++ b/krl.h 
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2012 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $OpenBSD: krl.h,v 1.2 2013/01/18 00:24:58 djm Exp $ */
+
+#ifndef _KRL_H
+#define _KRL_H
+
+/* Functions to manage key revocation lists */
+
+#define KRL_MAGIC "SSHKRL\n\0"
+#define KRL_FORMAT_VERSION 1
+
+/* KRL section types */
+#define KRL_SECTION_CERTIFICATES 1
+#define KRL_SECTION_EXPLICIT_KEY 2
+#define KRL_SECTION_FINGERPRINT_SHA1 3
+#define KRL_SECTION_SIGNATURE 4
+
+/* KRL_SECTION_CERTIFICATES subsection types */
+#define KRL_SECTION_CERT_SERIAL_LIST 0x20
+#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
+#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
+#define KRL_SECTION_CERT_KEY_ID 0x23
+
+struct ssh_krl;
+
+struct ssh_krl *ssh_krl_init(void);
+void ssh_krl_free(struct ssh_krl *krl);
+void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version);
+void ssh_krl_set_sign_key(struct ssh_krl *krl, const Key *sign_key);
+void ssh_krl_set_comment(struct ssh_krl *krl, const char *comment);
+int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key,
+ u_int64_t serial);
+int ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key,
+ u_int64_t lo, u_int64_t hi);
+int ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key,
+
const char *key_id); +int ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key); +int ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key); +int ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key); +int ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys, + u_int nsign_keys); +int ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, + const Key **sign_ca_keys, u_int nsign_ca_keys); +int ssh_krl_check_key(struct ssh_krl *krl, const Key *key); +int ssh_krl_file_contains_key(const char *path, const Key *key); + +#endif /* _KRL_H */ + diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 1d556464..52f4b6ea 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.110 2012/08/15 18:25:50 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.111 2013/01/17 23:00:01 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 15 2012 $ +.Dd $Mdocdate: January 17 2013 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -122,6 +122,17 @@ .Op Fl f Ar input_keyfile .Nm ssh-keygen .Fl A +.Nm ssh-keygen +.Fl k +.Fl f Ar krl_file +.Op Fl u +.Op Fl s ca_public +.Op Fl z version_number +.Ar +.Nm ssh-keygen +.Fl Q +.Fl f Ar krl_file +.Ar .Ek .Sh DESCRIPTION .Nm @@ -144,6 +155,13 @@ See the .Sx MODULI GENERATION section for details. .Pp +Finally, +.Nm +can be used to generate and update Key Revocation Lists, and to test whether +given keys have been revoked by one. See the +.Sx KEY REVOCATION LISTS +section for details. +.Pp Normally each user wishing to use SSH with public key authentication runs this once to create the authentication key in 
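Review bot: krl.h is not self-contained: its prototypes use `Key`, `Buffer`, `u_int` and `u_int64_t` but the header includes nothing, so it only compiles when the includer has presumably already pulled in key.h and buffer.h (the ssh-keygen.c hunk lists it last, after the other project headers). The return conventions callers must get right are documented only at the definitions in krl.c, not here: `ssh_krl_from_blob` returns 0 with `*krlp == NULL` when the input is not a KRL at all, `ssh_krl_check_key` returns 0 only if neither the key nor, for a certificate, its CA key is revoked, and `ssh_krl_file_contains_key` returns 0, -1 (error or revoked) or -2 (not a KRL). A caller that treats the NULL-but-success case as an error, or -2 as "not revoked", will get the fail-closed behaviour wrong, so I would add `#include "key.h"` and `#include "buffer.h"` (or forward declarations of the two structs) and a one-line comment above each of those three prototypes stating its return convention.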
@@ -321,6 +339,17 @@ This option allows importing keys from other software, including several commercial SSH implementations. The default import format is .Dq RFC4716 . +.It Fl k +Generate a KRL file. +In this mode, +.Nm +will generate a KRL file at the location specified via the +.Fl f +flag that revokes every key or certificate presented on the command-line. +Keys/certificates to be revoked may be specified by public key file or +using the format described in the +.Sx KEY REVOCATION LISTS +section. .It Fl L Prints the contents of a certificate. .It Fl l @@ -448,6 +477,14 @@ Certify (sign) a public key using the specified CA key. Please see the .Sx CERTIFICATES section for details. +.Pp +When generating a KRL, +.Fl s +specifies a path to a CA public key file used to revoke certificated directly +by key ID or serial number. +See the +.Sx KEY REVOCATION LISTS +section for details. .It Fl T Ar output_file Test DH group exchange candidate primes (generated using the .Fl G @@ -485,6 +522,12 @@ For example: (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), .Dq -1d:20110101 (valid from yesterday to midnight, January 1st, 2011). +.It Fl u +Update a KRL. +When specified with +.Fl k , +keys listed via the command-line are added to the existing KRL rather than +a new KRL being created. .It Fl v Verbose mode. Causes @@ -504,6 +547,10 @@ OpenSSH format file and print an OpenSSH public key to stdout. Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. The default serial number is zero. +.Pp +When generating a KRL, the +.Fl z +flag is used to specify a KRL version number. .El .Sh MODULI GENERATION .Nm 
@@ -638,6 +685,73 @@ public key must be trusted by or .Xr ssh 1 . Please refer to those manual pages for details. +.Sh KEY REVOCATION LISTS +.Nm +is able to manage OpenSSH format Key Revocation Lists (KRLs). +These binary files specify keys or certificates to be revoked using a +compact format; taking as little a one bit per certificate if they are being +revoked by serial number. +.Pp +KRLs may be generated using the +.Fl k +flag. +This option reads one or more files from the command-line and generates a new +KRL. +The files may either contain a KRL specification (see below) or public keys, +listed one per line. +Plain public keys are revoked by listing their hash or contents in the KRL and +certificates revoked by serial number or key ID (if the serial is zero or +not available). +.Pp +Revoking keys using a KRL specification offers explicit control over the +types of record used to revoke keys and may be used to directly revoke +certificates by serial number or key ID without having the complete original +certificate on hand. +A KRL specification consists of lines containing one of the following directives +followed by a colon and some directive-specific information. +.Bl -tag -width Ds +.It Cm serial : Ar serial_number Op -serial_number +Revokes a certificate with the specified serial number. +Serial numbers are 64 bit values, not including zero and may be expressed +in decimal, hex or octal. +If two serial numbers are specified separated by a hyphen, then the range +of serial numbers including and between each is revoked. +The CA key must have been specified on the +.Nm +command-line using the +.Fl s +option. +.It Cm id : Ar key_id +Revokes a certificate with the specified key ID string. +The CA key must have been specified on the +.Nm +command-line using the +.Fl s +option. +.It Cm key : Ar public_key +Revokes the specified key. +In a certificate is listed, then it is revoked as a plain public key. 
+.It Cm sha1 : Ar public_key +Revokes the specified key by its SHA1 hash. +.El +.Pp +KRLs may be updated using the +.Fl u +flag in addition to +.Fl k . +When this option is specified, keys listed via the command-line are merged into +the KRL, adding to those already there. +.Pp +It is also possible, given a KRL, to test whether it revokes a particular key +(or keys). +The +.Fl Q +flag will query an existing KRL, testing each key specified on the commandline. +If any key listed on the command-line has been revoked (or an error encountered) +then +.Nm +will exit with a non-zero exit status. +A zero exit status will only be returned if no key was revoked. .Sh FILES .Bl -tag -width Ds -compact .It Pa ~/.ssh/identity diff --git a/ssh-keygen.c b/ssh-keygen.c index a19a2b08..861b04e2 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.222 2013/01/09 05:40:17 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.223 2013/01/17 23:00:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -48,8 +48,11 @@ #include "match.h" #include "hostfile.h" #include "dns.h" +#include "ssh.h" #include "ssh2.h" #include "ssh-pkcs11.h" +#include "atomicio.h" +#include "krl.h" /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ #define DEFAULT_BITS 2048 
@@ -1896,6 +1899,226 @@ do_show_cert(struct passwd *pw) exit(0); } +static void +load_krl(const char *path, struct ssh_krl **krlp) +{ + Buffer krlbuf; + int fd; + + buffer_init(&krlbuf); + if ((fd = open(path, O_RDONLY)) == -1) + fatal("open %s: %s", path, strerror(errno)); + if (!key_load_file(fd, path, &krlbuf)) + fatal("Unable to load KRL"); + close(fd); + /* XXX check sigs */ + if (ssh_krl_from_blob(&krlbuf, krlp, NULL, 0) != 0 || + *krlp == NULL) + fatal("Invalid KRL file"); + buffer_free(&krlbuf); +} + +static void +update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, + struct ssh_krl *krl) +{ + Key *key = NULL; + u_long lnum = 0; + char *path, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES]; + unsigned long long serial, serial2; + int i, was_explicit_key, was_sha1, r; + FILE *krl_spec; + + path = tilde_expand_filename(file, pw->pw_uid); + if (strcmp(path, "-") == 0) { + krl_spec = stdin; + free(path); + path = xstrdup("(standard input)"); + } else if ((krl_spec = fopen(path, "r")) == NULL) + fatal("fopen %s: %s", path, strerror(errno)); + + if (!quiet) + printf("Revoking from %s\n", path); + while (read_keyfile_line(krl_spec, path, line, sizeof(line), + &lnum) == 0) { + was_explicit_key = was_sha1 = 0; + cp = line + strspn(line, " \t"); + /* Trim trailing space, comments and strip \n */ + for (i = 0, r = -1; cp[i] != '\0'; i++) { + if (cp[i] == '#' || cp[i] == '\n') { + cp[i] = '\0'; + break; + } + if (cp[i] == ' ' || cp[i] == '\t') { + /* Remember the start of a span of whitespace */ + if (r == -1) + r = i; + } else + r = -1; + } + if (r != -1) + cp[r] = '\0'; + if (*cp == '\0') + continue; + if (strncasecmp(cp, "serial:", 7) == 0) { + if (ca == NULL) { + fatal("revoking certificated by serial number " + "requires specification of a CA key"); + } + cp += 7; + cp = cp + strspn(cp, " \t"); + errno = 0; + serial = strtoull(cp, &ep, 0); + if (*cp == '\0' || (*ep != '\0' && *ep != '-')) + fatal("%s:%lu: invalid serial \"%s\"", + path, lnum, cp); + if 
(errno == ERANGE && serial == ULLONG_MAX) + fatal("%s:%lu: serial out of range", + path, lnum); + serial2 = serial; + if (*ep == '-') { + cp = ep + 1; + errno = 0; + serial2 = strtoull(cp, &ep, 0); + if (*cp == '\0' || *ep != '\0') + fatal("%s:%lu: invalid serial \"%s\"", + path, lnum, cp); + if (errno == ERANGE && serial2 == ULLONG_MAX) + fatal("%s:%lu: serial out of range", + path, lnum); + if (serial2 <= serial) + fatal("%s:%lu: invalid serial range " + "%llu:%llu", path, lnum, + (unsigned long long)serial, + (unsigned long long)serial2); + } + if (ssh_krl_revoke_cert_by_serial_range(krl, + ca, serial, serial2) != 0) { + fatal("%s: revoke serial failed", + __func__); + } + } else if (strncasecmp(cp, "id:", 3) == 0) { + if (ca == NULL) { + fatal("revoking certificated by key ID " + "requires specification of a CA key"); + } + cp += 3; + cp = cp + strspn(cp, " \t"); + if (ssh_krl_revoke_cert_by_key_id(krl, ca, cp) != 0) + fatal("%s: revoke key ID failed", __func__); + } else { + if (strncasecmp(cp, "key:", 4) == 0) { + cp += 4; + cp = cp + strspn(cp, " \t"); + was_explicit_key = 1; + } else if (strncasecmp(cp, "sha1:", 5) == 0) { + cp += 5; + cp = cp + strspn(cp, " \t"); + was_sha1 = 1; + } else { + /* + * Just try to process the line as a key. + * Parsing will fail if it isn't. 
+ */ + } + if ((key = key_new(KEY_UNSPEC)) == NULL) + fatal("key_new"); + if (key_read(key, &cp) != 1) + fatal("%s:%lu: invalid key", path, lnum); + if (was_explicit_key) + r = ssh_krl_revoke_key_explicit(krl, key); + else if (was_sha1) + r = ssh_krl_revoke_key_sha1(krl, key); + else + r = ssh_krl_revoke_key(krl, key); + if (r != 0) + fatal("%s: revoke key failed", __func__); + key_free(key); + } + } + if (strcmp(path, "-") != 0) + fclose(krl_spec); +} + +static void +do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) +{ + struct ssh_krl *krl; + struct stat sb; + Key *ca = NULL; + int fd, i; + char *tmp; + Buffer kbuf; + + if (*identity_file == '\0') + fatal("KRL generation requires an output file"); + if (stat(identity_file, &sb) == -1) { + if (errno != ENOENT) + fatal("Cannot access KRL \"%s\": %s", + identity_file, strerror(errno)); + if (updating) + fatal("KRL \"%s\" does not exist", identity_file); + } + if (ca_key_path != NULL) { + tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); + if ((ca = key_load_public(tmp, NULL)) == NULL) + fatal("Cannot load CA public key %s", tmp); + xfree(tmp); + } + + if (updating) + load_krl(identity_file, &krl); + else if ((krl = ssh_krl_init()) == NULL) + fatal("couldn't create KRL"); + + if (cert_serial != 0) + ssh_krl_set_version(krl, cert_serial); + if (identity_comment != NULL) + ssh_krl_set_comment(krl, identity_comment); + + for (i = 0; i < argc; i++) + update_krl_from_file(pw, argv[i], ca, krl); + + buffer_init(&kbuf); + if (ssh_krl_to_blob(krl, &kbuf, NULL, 0) != 0) + fatal("Couldn't generate KRL"); + if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) + fatal("open %s: %s", identity_file, strerror(errno)); + if (atomicio(vwrite, fd, buffer_ptr(&kbuf), buffer_len(&kbuf)) != + buffer_len(&kbuf)) + fatal("write %s: %s", identity_file, strerror(errno)); + close(fd); + buffer_free(&kbuf); + ssh_krl_free(krl); +} + +static void +do_check_krl(struct passwd *pw, int argc, char **argv) +{ + 
int i, r, ret = 0; + char *comment; + struct ssh_krl *krl; + Key *k; + + if (*identity_file == '\0') + fatal("KRL checking requires an input file"); + load_krl(identity_file, &krl); + for (i = 0; i < argc; i++) { + if ((k = key_load_public(argv[i], &comment)) == NULL) + fatal("Cannot load public key %s", argv[i]); + r = ssh_krl_check_key(krl, k); + printf("%s%s%s%s: %s\n", argv[i], + *comment ? " (" : "", comment, *comment ? ")" : "", + r == 0 ? "ok" : "REVOKED"); + if (r != 0) + ret = 1; + key_free(k); + free(comment); + } + ssh_krl_free(krl); + exit(ret); +} + static void usage(void) { @@ -1922,6 +2145,7 @@ usage(void) fprintf(stderr, " -J number Screen this number of moduli lines.\n"); fprintf(stderr, " -j number Start screening moduli at specified line.\n"); fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); + fprintf(stderr, " -k Generate a KRL file.\n"); fprintf(stderr, " -L Print the contents of a certificate.\n"); fprintf(stderr, " -l Show fingerprint of key file.\n"); fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); @@ -1931,6 +2155,7 @@ usage(void) fprintf(stderr, " -O option Specify a certificate option.\n"); fprintf(stderr, " -P phrase Provide old passphrase.\n"); fprintf(stderr, " -p Change passphrase of private key file.\n"); + fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n"); fprintf(stderr, " -q Quiet.\n"); fprintf(stderr, " -R hostname Remove host from known_hosts file.\n"); fprintf(stderr, " -r hostname Print DNS resource record.\n"); 
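Review bot: In update_krl_from_file the stdin branch replaces `path` with "(standard input)", so the closing `strcmp(path, "-") != 0` is always true and `fclose(krl_spec)` closes stdin; a second `-` operand on the command line then reads from a closed stream, and `path` is never freed on either branch. Test the stream rather than the name: `if (krl_spec != stdin) fclose(krl_spec);` followed by `free(path);`. The same parser accepts `serial: 0` even though the ssh-keygen.1 text in this commit says serial numbers exclude zero; a `if (serial == 0) fatal("%s:%lu: serial must be non-zero", path, lnum);` after the strtoull would keep code and manual in step. Separately, do_gen_krl opens identity_file with O_TRUNC in place, so a write failure after the open leaves a truncated file and in `-u` mode the previous KRL is gone with it; sshd treats an unparseable RevokedKeys file as "refuse public key authentication for everyone", which is fail-closed but a lock-out, so writing to a temporary file and rename(2)ing it over identity_file would be safer. load_krl still passes no trusted keys to ssh_krl_from_blob, as its `/* XXX check sigs */` acknowledges, so an update reads a KRL whose signatures are only checked against keys the KRL itself carries.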
@@ -1939,6 +2164,7 @@ usage(void) fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n"); fprintf(stderr, " -t type Specify type of key to create.\n"); fprintf(stderr, " -V from:to Specify certificate validity interval.\n"); + fprintf(stderr, " -u Update KRL rather than creating a new one.\n"); fprintf(stderr, " -v Verbose.\n"); fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -y Read private key file and print public key.\n"); @@ -1955,14 +2181,14 @@ main(int argc, char **argv) { char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; char *checkpoint = NULL; - char out_file[MAXPATHLEN], *rr_hostname = NULL, *ep; + char out_file[MAXPATHLEN], *ep, *rr_hostname = NULL; Key *private, *public; struct passwd *pw; struct stat st; int opt, type, fd; u_int32_t memory = 0, generator_wanted = 0, trials = 100; int do_gen_candidates = 0, do_screen_candidates = 0; - int gen_all_hostkeys = 0; + int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; unsigned long start_lineno = 0, lines_to_process = 0; BIGNUM *start = NULL; FILE *f; @@ -1992,8 +2218,8 @@ main(int argc, char **argv) exit(1); } - while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:J:j:K:P:" - "m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { + while ((opt = getopt(argc, argv, "ABHLQXceghiklpquvxy" + "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:a:b:f:g:j:m:n:r:s:t:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; @@ -2072,6 +2298,9 @@ main(int argc, char **argv) case 'N': identity_new_passphrase = optarg; break; + case 'Q': + check_krl = 1; + break; case 'O': add_cert_option(optarg); break; @@ -2090,6 +2319,9 @@ main(int argc, char **argv) cert_key_type = SSH2_CERT_TYPE_HOST; certflags_flags = 0; break; + case 'k': + gen_krl = 1; + break; case 'i': case 'X': /* import key */ 
@@ -2107,6 +2339,9 @@ main(int argc, char **argv) case 'D': pkcs11provider = optarg; break; + case 'u': + update_krl = 1; + break; case 'v': if (log_level == SYSLOG_LEVEL_INFO) log_level = SYSLOG_LEVEL_DEBUG1; @@ -2182,11 +2417,11 @@ main(int argc, char **argv) argc -= optind; if (ca_key_path != NULL) { - if (argc < 1) { + if (argc < 1 && !gen_krl) { printf("Too few arguments.\n"); usage(); } - } else if (argc > 0) { + } else if (argc > 0 && !gen_krl && !check_krl) { printf("Too many arguments.\n"); usage(); } @@ -2198,6 +2433,14 @@ main(int argc, char **argv) printf("Cannot use -l with -H or -R.\n"); usage(); } + if (gen_krl) { + do_gen_krl(pw, update_krl, argc, argv); + return (0); + } + if (check_krl) { + do_check_krl(pw, argc, argv); + return (0); + } if (ca_key_path != NULL) { if (cert_key_id == NULL) fatal("Must specify key id (-I) when certifying"); diff --git a/sshd_config.5 b/sshd_config.5 index e7bb0b55..c8b814da 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.153 2013/01/08 18:49:04 markus Exp $ -.Dd $Mdocdate: January 8 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.154 2013/01/17 23:00:01 djm Exp $ +.Dd $Mdocdate: January 17 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
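Review bot: The relaxed operand check lets `-Q` run with nothing to test: `argc > 0 && !gen_krl && !check_krl` only rejects surplus arguments, so `ssh-keygen -Q -f krl` with no key operands falls through to do_check_krl, loops zero times and exits 0, which a script cannot distinguish from "no key revoked". A `if (check_krl && argc < 1) { printf("Too few arguments.\n"); usage(); }` next to the existing checks closes that. An empty operand list for `-k` looks deliberate, since regress/cert-userkey.sh in the follow-up commit relies on it to build an empty KRL, so that case should stay as it is. main() continues outside the hunk.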
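Review bot: `update_krl` is only consulted inside `if (gen_krl) do_gen_krl(pw, update_krl, argc, argv);`, so `ssh-keygen -u -f krl ...` without `-k` is accepted silently, does nothing and exits 0, leaving a caller who expected an updated KRL with the old file unchanged. A one-line guard before the dispatch, `if (update_krl && !gen_krl) fatal("-u requires -k");`, makes the misuse visible, and the same shape would serve for `-s` given with `-Q` if that combination is also meaningless. main() continues outside the hunk.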
@@ -994,10 +994,17 @@ The default is .Dq yes . Note that this option applies to protocol version 2 only. .It Cm RevokedKeys -Specifies a list of revoked public keys. +Specifies revoked public keys. Keys listed in this file will be refused for public key authentication. Note that if this file is not readable, then public key authentication will be refused for all users. +Keys may be specified as a text file, listing one public key per line, or as +an OpenSSH Key Revocation List (KRL) as generated by +.Xr ssh-keygen 1 +For more information on KRLs, see the +.Sx KEY REVOCATION LISTS +section in +.Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. -- cgit v1.2.1 From db93f875d20830cb74630a3fc48f3db7188f15ba Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 18 Jan 2013 00:51:56 +0000 Subject: - djm@cvs.openbsd.org 2013/01/18 00:45:29 [regress/Makefile regress/cert-userkey.sh regress/krl.sh] Tests for Key Revocation Lists (KRLs) --- ChangeLog | 4 ++ regress/Makefile | 9 +-- regress/cert-userkey.sh | 22 ++++++- regress/krl.sh | 151 ++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 180 insertions(+), 6 deletions(-) create mode 100644 regress/krl.sh diff --git a/ChangeLog b/ChangeLog index 65403d6e..a45d24b2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@ + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/01/18 00:45:29 + [regress/Makefile regress/cert-userkey.sh regress/krl.sh] + Tests for Key Revocation Lists (KRLs) 20130117 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] diff --git a/regress/Makefile b/regress/Makefile index af1fa31d..18f9f124 100644 --- a/regress/Makefile +++ b/regress/Makefile 
@@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.61 2012/12/11 22:42:11 markus Exp $ +# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: prereq $(REGRESS_TARGETS) @@ -60,7 +60,8 @@ LTESTS= connect \ host-expand \ keys-command \ forward-control \ - integrity + integrity \ + krl INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp @@ -77,11 +78,11 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ ls.copy banner.in banner.out empty.in \ scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ - known_hosts-cert host_ca_key* cert_host_key* \ + known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \ putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ key.rsa-* key.dsa-* key.ecdsa-* \ authorized_principals_${USER} expect actual ready \ - sshd_proxy.* authorized_keys_${USER}.* modpipe + sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* # Enable all malloc(3) randomisations and checks diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index aa85cd6c..3bba9f8f 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.9 2012/10/19 05:10:42 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $ # Placed in the Public Domain. tid="certified user keys" 
@@ -184,14 +184,32 @@ basic_tests() {
 (
 cat $OBJ/sshd_proxy_bak
 echo "UsePrivilegeSeparation $privsep"
- echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+ echo "RevokedKeys $OBJ/cert_user_key_revoked"
 echo "$extra_sshd"
 ) > $OBJ/sshd_proxy
+ cp $OBJ/cert_user_key_${ktype}.pub \
+ $OBJ/cert_user_key_revoked
 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpecedly"
 fi
+ verbose "$tid: ${_prefix} revoked via KRL"
+ rm $OBJ/cert_user_key_revoked
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+ $OBJ/cert_user_key_${ktype}.pub
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpecedly"
+ fi
+ verbose "$tid: ${_prefix} empty KRL"
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
 done
 
 # Revoked CA
diff --git a/regress/krl.sh b/regress/krl.sh
new file mode 100644
index 00000000..3ee5a906
--- /dev/null
+++ b/regress/krl.sh
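Review bot: The two new `${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked ...` calls ignore ssh-keygen's exit status, so if KRL generation fails the file is simply absent, and because an unreadable RevokedKeys file makes sshd refuse public key authentication for all users (as the sshd_config.5 text earlier in this series states) the "revoked via KRL" case would still see the connection refused and pass for the wrong reason. Appending `|| fatal "ssh-keygen -k failed"` to both calls reports a generation failure instead of masking it as a successful revocation test. The two new `fail` messages also copy the existing typo "unexpecedly". basic_tests() begins before this hunk.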
@@ -0,0 +1,151 @@
+# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+# Placed in the Public Domain.
+
+tid="key revocation lists"
+
+# Do most testing with ssh-keygen; it uses the same verification code as sshd.
+
+# Old keys will interfere with ssh-keygen.
+rm -f $OBJ/revoked-* $OBJ/krl-*
+
+# Generate a CA key
+$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
+ fatal "$SSHKEYGEN CA failed"
+
+# A specification that revokes some certificates by serial numbers
+# The serial pattern is chosen to ensure the KRL includes list, range and
+# bitmap sections.
+cat << EOF >> $OBJ/revoked-serials
+serial: 1-4
+serial: 10
+serial: 15
+serial: 30
+serial: 50
+serial: 999
+# The following sum to 500-799
+serial: 500
+serial: 501
+serial: 502
+serial: 503-600
+serial: 700-797
+serial: 798
+serial: 799
+serial: 599-701
+EOF
+
+# A specification that revokes some certificated by key ID.
+touch $OBJ/revoked-keyid
+for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+ # Fill in by-ID revocation spec.
+ echo "id: revoked $n" >> $OBJ/revoked-keyid
+done
+
+keygen() {
+ N=$1
+ f=$OBJ/revoked-`printf "%04d" $N`
+ # Vary the keytype. We use mostly ECDSA since this is fastest by far.
+ keytype=ecdsa
+ case $N in
+ 2 | 10 | 510 | 1001) keytype=rsa;;
+ 4 | 30 | 520 | 1002) keytype=dsa;;
+ esac
+ $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
+ || fatal "$SSHKEYGEN failed"
+ # Sign cert
+ $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
+ || fatal "$SSHKEYGEN sign failed"
+ echo $f
+}
+
+# Generate some keys.
+verbose "$tid: generating test keys"
+REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+for n in $REVOKED_SERIALS ; do
+ f=`keygen $n`
+ REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
+ REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+done
+NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
+NOTREVOKED=""
+for n in $NOTREVOKED_SERIALS ; do
+ NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
+ NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
+done
+
+genkrls() {
+ OPTS=$1
+$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - /dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+# KRLs from serial/key-id spec need the CA specified.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
+ >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
+ >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+}
+
+verbose "$tid: generating KRLs"
+genkrls
+
+check_krl() {
+ KEY=$1
+ KRL=$2
+ EXPECT_REVOKED=$3
+ TAG=$4
+ $SSHKEYGEN -Qf $KRL $KEY >/dev/null
+ result=$?
+ if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+ fatal "key $KEY not revoked by KRL $KRL: $TAG"
+ elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+ fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
+ fi
+}
+test_all() {
+ FILES=$1
+ TAG=$2
+ KEYS_RESULT=$3
+ ALL_RESULT=$4
+ SERIAL_RESULT=$5
+ KEYID_RESULT=$6
+ CERTS_RESULT=$7
+ CA_RESULT=$8
+ verbose "$tid: checking revocations for $TAG"
+ for f in $FILES ; do
+ check_krl $f $OBJ/krl-empty no "$TAG"
+ check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
+ check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
+ check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
+ check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
+ done
+}
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
+
+# Check update. Results should be identical.
+verbose "$tid: testing KRL update"
+for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
+ $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+ cp -f $OBJ/krl-empty $f
+ genkrls -u
+done
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
-- cgit v1.2.1
From 3efb6388f70c2a4b98e50df7ce37a7ef43b0047b Mon Sep 17 00:00:00 2001
From: djm
Date: Fri, 18 Jan 2013 04:32:03 +0000
Subject: - djm@cvs.openbsd.org 2013/01/18 03:00:32 [krl.c] fix KRL generation bug for list sections
---
 ChangeLog | 4 +++-
 krl.c | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a45d24b2..6be8cd46 100644
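Review bot: The loop that builds NOTREVOKED_KEYS/NOTREVOKED_CERTS never generates a key — it lacks the `f=\`keygen $n\`` line its REVOKED twin has — so it appends the last revoked key's files once per serial, and the four `test_all` calls then read `$UNREVOKED_KEYS`/`$UNREVOKED_CERTS`, which are never assigned, so every "unrevoked" check iterates an empty list and asserts nothing. Once those two are fixed, several NOTREVOKED_SERIALS entries collide with the specs written at the top of the file: 30 is in revoked-serials, and 30, 499 (inside `jot 500 300`, i.e. 300–799), 1000 and 1001 all get `id: revoked N` lines in revoked-keyid, so the `no` expectations for krl-serial and krl-keyid on "unrevoked certs" would fail for those. The unused `NOTREVOKED=""` can go at the same time. The rewritten loop is below (the serial list is a constructed example with the colliding values dropped); the two `test_all` calls in each block should read `"$NOTREVOKED_KEYS"` and `"$NOTREVOKED_CERTS"`.
```shell
NOTREVOKED_SERIALS="5 9 14 16 29 49 51 800"
NOTREVOKED_KEYS=""
NOTREVOKED_CERTS=""
for n in $NOTREVOKED_SERIALS ; do
	f=`keygen $n`
	NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
	NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
done
# … unchanged: genkrls, check_krl, test_all definitions …
test_all "$NOTREVOKED_KEYS" "unrevoked keys" no no no no no no
test_all "$NOTREVOKED_CERTS" "unrevoked certs" no no no no no yes
```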
--- a/ChangeLog +++ b/ChangeLog @@ -8,10 +8,12 @@ a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@ - - OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/01/18 00:45:29 [regress/Makefile regress/cert-userkey.sh regress/krl.sh] Tests for Key Revocation Lists (KRLs) + - djm@cvs.openbsd.org 2013/01/18 03:00:32 + [krl.c] + fix KRL generation bug for list sections 20130117 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] diff --git a/krl.c b/krl.c index 48505702..ca2010a7 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.2 2013/01/18 00:24:58 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.3 2013/01/18 03:00:32 djm Exp $ */ #include "includes.h" @@ -595,7 +595,7 @@ revoked_certs_generate(struct revoked_certs *rc, Buffer *buf) /* Perform section-specific processing */ switch (state) { case KRL_SECTION_CERT_SERIAL_LIST: - for (i = rs->lo; i < contig; i++) + for (i = 0; i < contig; i++) buffer_put_int64(§, rs->lo + i); break; case KRL_SECTION_CERT_SERIAL_RANGE: -- cgit v1.2.1 From 31d19037301ecb9533294bbd706bb19394409515 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 20 Jan 2013 11:31:29 +0000 Subject: - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h] Move prototypes for replacement ciphers to openssl-compat.h; fix EVP prototypes for openssl-1.0.0-fips. --- ChangeLog | 5 +++++ cipher-aes.c | 3 --- cipher-ctr.c | 3 --- openbsd-compat/openssl-compat.h | 12 ++++++------ 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6be8cd46..9132fb7c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,8 @@ +20130120 + - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h] + Move prototypes for replacement ciphers to openssl-compat.h; fix EVP + prototypes for openssl-1.0.0-fips. + 20130118 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/01/17 23:00:01 diff --git a/cipher-aes.c b/cipher-aes.c index bfda6d2f..07ec7aa5 100644 --- a/cipher-aes.c +++ b/cipher-aes.c @@ -46,9 +46,6 @@ struct ssh_rijndael_ctx u_char r_iv[RIJNDAEL_BLOCKSIZE]; }; -const EVP_CIPHER * evp_rijndael(void); -void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); - static int ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, int enc) diff --git a/cipher-ctr.c b/cipher-ctr.c index f053abe2..d1fe69f5 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -34,9 +34,6 @@ #include #endif -const EVP_CIPHER *evp_aes_128_ctr(void); -void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); - struct ssh_aes_ctr_ctx { AES_KEY aes_ctx; diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 28da3be2..eca62769 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.21 2013/01/09 05:42:49 djm Exp $ */ +/* $Id: openssl-compat.h,v 1.22 2013/01/20 11:31:37 djm Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -40,7 +40,7 @@ # define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) #endif -#if OPENSSL_VERSION_NUMBER < 0x1000000fL +#if OPENSSL_VERSION_NUMBER < 0x10000001L # define LIBCRYPTO_EVP_INL_TYPE unsigned int #else # define LIBCRYPTO_EVP_INL_TYPE size_t 
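Review bot: Dropping the local prototypes from cipher-aes.c and cipher-ctr.c leaves openssl-compat.h (the hunk that follows) as the single declaration of evp_rijndael, ssh_rijndael_iv, evp_aes_128_ctr and ssh_aes_ctr_iv, which is the right direction: the header's old `u_int` last parameter for ssh_aes_ctr_iv disagreed with the `size_t` that cipher-ctr.c declared, and two independent declarations are exactly what let that slip through. That only pays off if both translation units actually include openssl-compat.h (directly or through includes.h) so the compiler checks each definition against the shared prototype; the `#include` targets are stripped in this rendering and the definitions are not in these hunks, so it cannot be confirmed here. If it is not already pulled in, add `#include "openbsd-compat/openssl-compat.h"` (or the project's usual path) next to the other includes in both files.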
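Review bot: `0x10000001L` on the new `#if` line is a bare magic number, and the one-nibble difference from the old `0x1000000fL` reads like a typo: in OPENSSL_VERSION_NUMBER's MNNFFPPS layout the final status nibble is `f` for a release and `1` for beta1, so the change widens the size_t case from "1.0.0 release and later" to "1.0.0-beta1 and later", presumably because the 1.0.0-fips builds named in the commit message report a pre-release status. A one-line comment would keep a later reader from "correcting" it back: `/* size_t inl/outl from 1.0.0-beta1 (0x10000001L) on, not only the 1.0.0 release (0x1000000fL) */`.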
@@ -59,16 +59,16 @@ # define EVP_aes_128_cbc evp_rijndael # define EVP_aes_192_cbc evp_rijndael # define EVP_aes_256_cbc evp_rijndael -extern const EVP_CIPHER *evp_rijndael(void); -extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); +const EVP_CIPHER *evp_rijndael(void); +void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); #endif #ifndef OPENSSL_HAVE_EVPCTR #define EVP_aes_128_ctr evp_aes_128_ctr #define EVP_aes_192_ctr evp_aes_128_ctr #define EVP_aes_256_ctr evp_aes_128_ctr -extern const EVP_CIPHER *evp_aes_128_ctr(void); -extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); +const EVP_CIPHER *evp_aes_128_ctr(void); +void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); #endif /* Avoid some #ifdef. Code that uses these is unreachable without GCM */ -- cgit v1.2.1 From a33be7242d2bdf6054a4a0e898f0d8c7e829093f Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 20 Jan 2013 11:33:02 +0000 Subject: - jmc@cvs.openbsd.org 2013/01/18 07:57:47 [ssh-keygen.1] tweak previous; --- ChangeLog | 4 ++++ ssh-keygen.1 | 31 ++++++++++++++++--------------- 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9132fb7c..e3a333d2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h] Move prototypes for replacement ciphers to openssl-compat.h; fix EVP prototypes for openssl-1.0.0-fips. + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2013/01/18 07:57:47 + [ssh-keygen.1] + tweak previous; 20130118 - (djm) OpenBSD CVS Sync diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 52f4b6ea..ac97678d 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.111 2013/01/17 23:00:01 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.112 2013/01/18 07:57:47 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 17 2013 $ +.Dd $Mdocdate: January 18 2013 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -126,8 +126,8 @@ .Fl k .Fl f Ar krl_file .Op Fl u -.Op Fl s ca_public -.Op Fl z version_number +.Op Fl s Ar ca_public +.Op Fl z Ar version_number .Ar .Nm ssh-keygen .Fl Q @@ -158,7 +158,8 @@ section for details. Finally, .Nm can be used to generate and update Key Revocation Lists, and to test whether -given keys have been revoked by one. See the +given keys have been revoked by one. +See the .Sx KEY REVOCATION LISTS section for details. .Pp @@ -480,7 +481,7 @@ section for details. .Pp When generating a KRL, .Fl s -specifies a path to a CA public key file used to revoke certificated directly +specifies a path to a CA public key file used to revoke certificates directly by key ID or serial number. See the .Sx KEY REVOCATION LISTS @@ -499,6 +500,12 @@ for protocol version 1 and or .Dq rsa for protocol version 2. +.It Fl u +Update a KRL. +When specified with +.Fl k , +keys listed via the command-line are added to the existing KRL rather than +a new KRL being created. .It Fl V Ar validity_interval Specify a validity interval when signing a certificate. A validity interval may consist of a single time, indicating that the @@ -522,12 +529,6 @@ For example: (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), .Dq -1d:20110101 (valid from yesterday to midnight, January 1st, 2011). -.It Fl u -Update a KRL. -When specified with -.Fl k , -keys listed via the command-line are added to the existing KRL rather than -a new KRL being created. .It Fl v Verbose mode. Causes 
@@ -689,7 +690,7 @@ Please refer to those manual pages for details. .Nm is able to manage OpenSSH format Key Revocation Lists (KRLs). These binary files specify keys or certificates to be revoked using a -compact format; taking as little a one bit per certificate if they are being +compact format, taking as little a one bit per certificate if they are being revoked by serial number. .Pp KRLs may be generated using the @@ -712,7 +713,7 @@ followed by a colon and some directive-specific information. .Bl -tag -width Ds .It Cm serial : Ar serial_number Op -serial_number Revokes a certificate with the specified serial number. -Serial numbers are 64 bit values, not including zero and may be expressed +Serial numbers are 64-bit values, not including zero and may be expressed in decimal, hex or octal. If two serial numbers are specified separated by a hyphen, then the range of serial numbers including and between each is revoked. @@ -730,7 +731,7 @@ command-line using the option. .It Cm key : Ar public_key Revokes the specified key. -In a certificate is listed, then it is revoked as a plain public key. +If a certificate is listed, then it is revoked as a plain public key. .It Cm sha1 : Ar public_key Revokes the specified key by its SHA1 hash. .El -- cgit v1.2.1 From 65cd59cb2b6d0a0abf8458fcfdc7942049f98d12 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 20 Jan 2013 11:33:23 +0000 Subject: - jmc@cvs.openbsd.org 2013/01/18 07:59:46 [ssh-keygen.c] -u before -V in usage(); --- ChangeLog | 3 +++ ssh-keygen.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e3a333d2..be9d5006 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ - jmc@cvs.openbsd.org 2013/01/18 07:57:47 [ssh-keygen.1] tweak previous; + - jmc@cvs.openbsd.org 2013/01/18 07:59:46 + [ssh-keygen.c] + -u before -V in usage(); 20130118 - (djm) OpenBSD CVS Sync diff --git a/ssh-keygen.c b/ssh-keygen.c index 861b04e2..21c7f25e 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.223 2013/01/17 23:00:01 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.224 2013/01/18 07:59:46 jmc Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2163,8 +2163,8 @@ usage(void) fprintf(stderr, " -s ca_key Certify keys with CA key.\n"); fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n"); fprintf(stderr, " -t type Specify type of key to create.\n"); - fprintf(stderr, " -V from:to Specify certificate validity interval.\n"); fprintf(stderr, " -u Update KRL rather than creating a new one.\n"); + fprintf(stderr, " -V from:to Specify certificate validity interval.\n"); fprintf(stderr, " -v Verbose.\n"); fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -y Read private key file and print public key.\n"); -- cgit v1.2.1 From 4830fb7e34b4244d5167d19dd0066086dbf485ef Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 20 Jan 2013 11:33:44 +0000 Subject: - jmc@cvs.openbsd.org 2013/01/18 08:00:49 [sshd_config.5] tweak previous; --- ChangeLog | 3 +++ sshd_config.5 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index be9d5006..cc5c7f01 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ - jmc@cvs.openbsd.org 2013/01/18 07:59:46 [ssh-keygen.c] -u before -V in usage(); + - jmc@cvs.openbsd.org 2013/01/18 08:00:49 + [sshd_config.5] + tweak previous; 20130118 - (djm) OpenBSD CVS Sync diff --git a/sshd_config.5 b/sshd_config.5 index c8b814da..d2913c33 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.154 2013/01/17 23:00:01 djm Exp $ -.Dd $Mdocdate: January 17 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.155 2013/01/18 08:00:49 jmc Exp $ +.Dd $Mdocdate: January 18 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -1000,7 +1000,7 @@ Note that if this file is not readable, then public key authentication will be refused for all users. Keys may be specified as a text file, listing one public key per line, or as an OpenSSH Key Revocation List (KRL) as generated by -.Xr ssh-keygen 1 +.Xr ssh-keygen 1 . For more information on KRLs, see the .Sx KEY REVOCATION LISTS section in -- cgit v1.2.1 From 47666fb54c8639c50ccfdefb699d96aeb74d223f Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 20 Jan 2013 11:34:04 +0000 Subject: - jmc@cvs.openbsd.org 2013/01/18 08:39:04 [ssh-keygen.1] add -Q to the options list; ok djm --- ChangeLog | 3 +++ ssh-keygen.1 | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index cc5c7f01..f9bdf2ab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ - jmc@cvs.openbsd.org 2013/01/18 08:00:49 [sshd_config.5] tweak previous; + - jmc@cvs.openbsd.org 2013/01/18 08:39:04 + [ssh-keygen.1] + add -Q to the options list; ok djm 20130118 - (djm) OpenBSD CVS Sync diff --git a/ssh-keygen.1 b/ssh-keygen.1 index ac97678d..ca0ab353 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.112 2013/01/18 07:57:47 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.113 2013/01/18 08:39:04 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -455,6 +455,8 @@ creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase. +.It Fl Q +Test whether keys have been revoked in a KRL. .It Fl q Silence .Nm ssh-keygen . -- cgit v1.2.1 From 764d6d1c37a912f891306b002bde48e72f77a806 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 20 Jan 2013 11:34:46 +0000 Subject: - jmc@cvs.openbsd.org 2013/01/18 21:48:43 [ssh-keygen.1] command-line (adj.) -> command line (n.); --- ChangeLog | 3 +++ ssh-keygen.1 | 16 ++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index f9bdf2ab..1b05af70 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,9 @@ - jmc@cvs.openbsd.org 2013/01/18 08:39:04 [ssh-keygen.1] add -Q to the options list; ok djm + - jmc@cvs.openbsd.org 2013/01/18 21:48:43 + [ssh-keygen.1] + command-line (adj.) -> command line (n.); 20130118 - (djm) OpenBSD CVS Sync diff --git a/ssh-keygen.1 b/ssh-keygen.1 index ca0ab353..9d7a25cf 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.113 2013/01/18 08:39:04 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.114 2013/01/18 21:48:43 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -346,7 +346,7 @@ In this mode, .Nm will generate a KRL file at the location specified via the .Fl f -flag that revokes every key or certificate presented on the command-line. +flag that revokes every key or certificate presented on the command line. Keys/certificates to be revoked may be specified by public key file or using the format described in the .Sx KEY REVOCATION LISTS @@ -506,7 +506,7 @@ for protocol version 2. Update a KRL. When specified with .Fl k , -keys listed via the command-line are added to the existing KRL rather than +keys listed via the command line are added to the existing KRL rather than a new KRL being created. .It Fl V Ar validity_interval Specify a validity interval when signing a certificate. @@ -698,7 +698,7 @@ revoked by serial number. KRLs may be generated using the .Fl k flag. -This option reads one or more files from the command-line and generates a new +This option reads one or more files from the command line and generates a new KRL. The files may either contain a KRL specification (see below) or public keys, listed one per line. 
@@ -721,14 +721,14 @@ If two serial numbers are specified separated by a hyphen, then the range of serial numbers including and between each is revoked. The CA key must have been specified on the .Nm -command-line using the +command line using the .Fl s option. .It Cm id : Ar key_id Revokes a certificate with the specified key ID string. The CA key must have been specified on the .Nm -command-line using the +command line using the .Fl s option. .It Cm key : Ar public_key @@ -742,7 +742,7 @@ KRLs may be updated using the .Fl u flag in addition to .Fl k . -When this option is specified, keys listed via the command-line are merged into +When this option is specified, keys listed via the command line are merged into the KRL, adding to those already there. .Pp It is also possible, given a KRL, to test whether it revokes a particular key @@ -750,7 +750,7 @@ It is also possible, given a KRL, to test whether it revokes a particular key The .Fl Q flag will query an existing KRL, testing each key specified on the commandline. -If any key listed on the command-line has been revoked (or an error encountered) +If any key listed on the command line has been revoked (or an error encountered) then .Nm will exit with a non-zero exit status. -- cgit v1.2.1 From 39b4954c365d758e4ee7c52b738fd8f9591a5c93 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 20 Jan 2013 11:35:06 +0000 Subject: - jmc@cvs.openbsd.org 2013/01/19 07:13:25 [ssh-keygen.1] fix some formatting; ok djm --- ChangeLog | 3 +++ ssh-keygen.1 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1b05af70..518f441d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ - jmc@cvs.openbsd.org 2013/01/18 21:48:43 [ssh-keygen.1] command-line (adj.) -> command line (n.); + - jmc@cvs.openbsd.org 2013/01/19 07:13:25 + [ssh-keygen.1] + fix some formatting; ok djm 20130118 - (djm) OpenBSD CVS Sync diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9d7a25cf..7da73e07 100644 --- a/ssh-keygen.1 
+++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.114 2013/01/18 21:48:43 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 18 2013 $ +.Dd $Mdocdate: January 19 2013 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -713,7 +713,7 @@ certificate on hand. A KRL specification consists of lines containing one of the following directives followed by a colon and some directive-specific information. .Bl -tag -width Ds -.It Cm serial : Ar serial_number Op -serial_number +.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number Revokes a certificate with the specified serial number. Serial numbers are 64-bit values, not including zero and may be expressed in decimal, hex or octal. -- cgit v1.2.1 From f4b22feb3cdc4dbdd0d746256c0ee3c6dd8f5c84 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 20 Jan 2013 11:35:31 +0000 Subject: - markus@cvs.openbsd.org 2013/01/19 12:34:55 [krl.c] RB_INSERT does not remove existing elments; ok djm@ --- ChangeLog | 3 +++ krl.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 518f441d..43cedb63 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,9 @@ - jmc@cvs.openbsd.org 2013/01/19 07:13:25 [ssh-keygen.1] fix some formatting; ok djm + - markus@cvs.openbsd.org 2013/01/19 12:34:55 + [krl.c] + RB_INSERT does not remove existing elments; ok djm@ 20130118 - (djm) OpenBSD CVS Sync diff --git a/krl.c b/krl.c index ca2010a7..b09f2dc1 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.3 2013/01/18 03:00:32 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.4 2013/01/19 12:34:55 markus Exp $ */ #include "includes.h" 
@@ -252,7 +252,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi) if (ers != NULL) { KRL_DBG(("%s: bad: ers != NULL", __func__)); /* Shouldn't happen */ - free(ers); + free(irs); return -1; } ers = irs; -- cgit v1.2.1 From 65b59d3c138c0fddf5cab3b1a4cbe79769c78e63 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 20 Jan 2013 11:49:58 +0000 Subject: - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer version. --- ChangeLog | 2 + krl.c | 4 +- openbsd-compat/sys-tree.h | 109 ++++++++++++++++++++++++++++++++++++++-------- 3 files changed, 94 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 43cedb63..7bc6b451 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,8 @@ - markus@cvs.openbsd.org 2013/01/19 12:34:55 [krl.c] RB_INSERT does not remove existing elments; ok djm@ + - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer + version. 20130118 - (djm) OpenBSD CVS Sync diff --git a/krl.c b/krl.c index b09f2dc1..fe22bde2 100644 --- a/krl.c +++ b/krl.c @@ -20,8 +20,8 @@ #include #include -#include -#include +#include +#include #include #include diff --git a/openbsd-compat/sys-tree.h b/openbsd-compat/sys-tree.h index d4949b5e..058fa3b2 100644 --- a/openbsd-compat/sys-tree.h +++ b/openbsd-compat/sys-tree.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tree.h,v 1.10 2007/10/29 23:49:41 djm Exp $ */ +/* $OpenBSD: tree.h,v 1.13 2011/07/09 00:19:45 pirofti Exp $ */ /* * Copyright 2002 Niels Provos * All rights reserved. @@ -331,7 +331,7 @@ struct { \ } while (0) #ifndef RB_AUGMENT -#define RB_AUGMENT(x) +#define RB_AUGMENT(x) do {} while (0) #endif #define RB_ROTATE_LEFT(head, elm, tmp, field) do { \ 
@@ -375,21 +375,31 @@ struct { \ } while (0) /* Generates prototypes and inline functions */ -#define RB_PROTOTYPE(name, type, field, cmp) \ -void name##_RB_INSERT_COLOR(struct name *, struct type *); \ -void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ -struct type *name##_RB_REMOVE(struct name *, struct type *); \ -struct type *name##_RB_INSERT(struct name *, struct type *); \ -struct type *name##_RB_FIND(struct name *, struct type *); \ -struct type *name##_RB_NEXT(struct type *); \ -struct type *name##_RB_MINMAX(struct name *, int); - +#define RB_PROTOTYPE(name, type, field, cmp) \ + RB_PROTOTYPE_INTERNAL(name, type, field, cmp,) +#define RB_PROTOTYPE_STATIC(name, type, field, cmp) \ + RB_PROTOTYPE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static) +#define RB_PROTOTYPE_INTERNAL(name, type, field, cmp, attr) \ +attr void name##_RB_INSERT_COLOR(struct name *, struct type *); \ +attr void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ +attr struct type *name##_RB_REMOVE(struct name *, struct type *); \ +attr struct type *name##_RB_INSERT(struct name *, struct type *); \ +attr struct type *name##_RB_FIND(struct name *, struct type *); \ +attr struct type *name##_RB_NFIND(struct name *, struct type *); \ +attr struct type *name##_RB_NEXT(struct type *); \ +attr struct type *name##_RB_PREV(struct type *); \ +attr struct type *name##_RB_MINMAX(struct name *, int); \ + \ /* Main rb operation. * Moves node close to the key of elm to top */ -#define RB_GENERATE(name, type, field, cmp) \ -void \ +#define RB_GENERATE(name, type, field, cmp) \ + RB_GENERATE_INTERNAL(name, type, field, cmp,) +#define RB_GENERATE_STATIC(name, type, field, cmp) \ + RB_GENERATE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static) +#define RB_GENERATE_INTERNAL(name, type, field, cmp, attr) \ +attr void \ name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ { \ struct type *parent, *gparent, *tmp; \ 
@@ -433,7 +443,7 @@ name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ RB_COLOR(head->rbh_root, field) = RB_BLACK; \ } \ \ -void \ +attr void \ name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \ { \ struct type *tmp; \ @@ -509,7 +519,7 @@ name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) RB_COLOR(elm, field) = RB_BLACK; \ } \ \ -struct type * \ +attr struct type * \ name##_RB_REMOVE(struct name *head, struct type *elm) \ { \ struct type *child, *parent, *old = elm; \ @@ -577,7 +587,7 @@ color: \ } \ \ /* Inserts a node into the RB tree */ \ -struct type * \ +attr struct type * \ name##_RB_INSERT(struct name *head, struct type *elm) \ { \ struct type *tmp; \ @@ -608,7 +618,7 @@ name##_RB_INSERT(struct name *head, struct type *elm) \ } \ \ /* Finds the node with the same key as elm */ \ -struct type * \ +attr struct type * \ name##_RB_FIND(struct name *head, struct type *elm) \ { \ struct type *tmp = RB_ROOT(head); \ @@ -625,7 +635,29 @@ name##_RB_FIND(struct name *head, struct type *elm) \ return (NULL); \ } \ \ -struct type * \ +/* Finds the first node greater than or equal to the search key */ \ +attr struct type * \ +name##_RB_NFIND(struct name *head, struct type *elm) \ +{ \ + struct type *tmp = RB_ROOT(head); \ + struct type *res = NULL; \ + int comp; \ + while (tmp) { \ + comp = cmp(elm, tmp); \ + if (comp < 0) { \ + res = tmp; \ + tmp = RB_LEFT(tmp, field); \ + } \ + else if (comp > 0) \ + tmp = RB_RIGHT(tmp, field); \ + else \ + return (tmp); \ + } \ + return (res); \ +} \ + \ +/* ARGSUSED */ \ +attr struct type * \ name##_RB_NEXT(struct type *elm) \ { \ if (RB_RIGHT(elm, field)) { \ 
@@ -646,7 +678,29 @@ name##_RB_NEXT(struct type *elm) \ return (elm); \ } \ \ -struct type * \ +/* ARGSUSED */ \ +attr struct type * \ +name##_RB_PREV(struct type *elm) \ +{ \ + if (RB_LEFT(elm, field)) { \ + elm = RB_LEFT(elm, field); \ + while (RB_RIGHT(elm, field)) \ + elm = RB_RIGHT(elm, field); \ + } else { \ + if (RB_PARENT(elm, field) && \ + (elm == RB_RIGHT(RB_PARENT(elm, field), field))) \ + elm = RB_PARENT(elm, field); \ + else { \ + while (RB_PARENT(elm, field) && \ + (elm == RB_LEFT(RB_PARENT(elm, field), field)))\ + elm = RB_PARENT(elm, field); \ + elm = RB_PARENT(elm, field); \ + } \ + } \ + return (elm); \ +} \ + \ +attr struct type * \ name##_RB_MINMAX(struct name *head, int val) \ { \ struct type *tmp = RB_ROOT(head); \ @@ -667,7 +721,9 @@ name##_RB_MINMAX(struct name *head, int val) \ #define RB_INSERT(name, x, y) name##_RB_INSERT(x, y) #define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y) #define RB_FIND(name, x, y) name##_RB_FIND(x, y) +#define RB_NFIND(name, x, y) name##_RB_NFIND(x, y) #define RB_NEXT(name, x, y) name##_RB_NEXT(y) +#define RB_PREV(name, x, y) name##_RB_PREV(y) #define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF) #define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF) @@ -676,4 +732,19 @@ name##_RB_MINMAX(struct name *head, int val) \ (x) != NULL; \ (x) = name##_RB_NEXT(x)) +#define RB_FOREACH_SAFE(x, name, head, y) \ + for ((x) = RB_MIN(name, head); \ + ((x) != NULL) && ((y) = name##_RB_NEXT(x), 1); \ + (x) = (y)) + +#define RB_FOREACH_REVERSE(x, name, head) \ + for ((x) = RB_MAX(name, head); \ + (x) != NULL; \ + (x) = name##_RB_PREV(x)) + +#define RB_FOREACH_REVERSE_SAFE(x, name, head, y) \ + for ((x) = RB_MAX(name, head); \ + ((x) != NULL) && ((y) = name##_RB_PREV(x), 1); \ + (x) = (y)) + #endif /* _SYS_TREE_H_ */ -- cgit v1.2.1 From 636b3bd8b162c324ccdb0cabb5516a04681bd593 Mon Sep 17 00:00:00 2001 
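Review bot: `RB_FOREACH_SAFE` and `RB_FOREACH_REVERSE_SAFE` in the `@@ -676,4 +732,19 @@` hunk fetch the successor into `y` before the body runs, which is what makes `RB_REMOVE` of the current `x` safe, but the limit of that guarantee is unstated: removing or re-inserting any other node — `y` in particular — inside the body leaves `y` pointing at freed or relinked memory for the next iteration. A comment above the macros, `/* The body may remove x; it must not remove or re-insert any other node. */`, pins the contract for the krl.c caller the ChangeLog says this sync is for. In the `@@ -646,7 +678,29 @@` hunk the new `name##_RB_PREV` mirrors `RB_NEXT` but has no descriptive comment; `/* In-order predecessor of elm; NULL when elm is the minimum. */` matches the style used for `RB_NFIND` and `RB_INSERT`.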
From: djm Date: Sun, 20 Jan 2013 11:58:51 +0000 Subject: - (djm) [regress/krl.sh] replacement for jot; most platforms lack it --- ChangeLog | 1 + regress/krl.sh | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index 7bc6b451..0e55ed4c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,7 @@ RB_INSERT does not remove existing elments; ok djm@ - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer version. + - (djm) [regress/krl.sh] replacement for jot; most platforms lack it 20130118 - (djm) OpenBSD CVS Sync diff --git a/regress/krl.sh b/regress/krl.sh index 3ee5a906..46a2ad3f 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -33,6 +33,10 @@ serial: 799 serial: 599-701 EOF +jot() { + awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } }" +} + # A specification that revokes some certificated by key ID. touch $OBJ/revoked-keyid for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do -- cgit v1.2.1 From a827c1dca2e552287a9d4ce2e49a4d43b3c69b57 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 6 Feb 2013 23:11:05 +0000 Subject: - (djm) [configure.ac] Don't probe seccomp capability of running kernel at configure time; the seccomp sandbox will fall back to rlimit at runtime anyway. Patch from plautrba AT redhat.com in bz#2011 --- ChangeLog | 5 +++++ configure.ac | 9 ++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0e55ed4c..53785de6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20100207 + - (djm) [configure.ac] Don't probe seccomp capability of running kernel + at configure time; the seccomp sandbox will fall back to rlimit at + runtime anyway. Patch from plautrba AT redhat.com in bz#2011 + 20130120 - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h] Move prototypes for replacement ciphers to openssl-compat.h; fix EVP diff --git a/configure.ac b/configure.ac index 36761233..f6110644 100644 --- a/configure.ac +++ b/configure.ac 
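Review bot: The `jot` shim in the `@@ -33,6 +33,10 @@` hunk of regress/krl.sh splices `$1` and `$2` straight into the awk program text, so an argument that is not a plain integer becomes awk syntax rather than a value — `jot 500` with `$2` empty yields `for (i = ; ...` and a parse error — and the real jot(1) forms with an end value or step are silently mishandled. Passing the values in as awk variables keeps them data: `awk -v count="$1" -v start="$2" 'BEGIN { for (i = start; i < start + count; i++) printf "%d\n", i }'`. The only caller in the hunk is `jot 500 300`, so the present form works for this file; a comment such as `# minimal jot(1) replacement: supports only "jot COUNT START"` would stop the next test author from assuming full jot semantics, and would also make clear that the function deliberately shadows a native jot when one exists.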
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.500 2013/01/09 05:42:47 djm Exp $ +# $Id: configure.ac,v 1.501 2013/02/06 23:11:05 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.500 $) +AC_REVISION($Revision: 1.501 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -128,7 +128,7 @@ AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ fi if test "x$have_seccomp_filter" = "x1" ; then AC_MSG_CHECKING([kernel for seccomp_filter support]) -AC_RUN_IFELSE([AC_LANG_PROGRAM([[ +AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include #include #include @@ -141,8 +141,7 @@ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ AC_MSG_RESULT([no]) # Disable seccomp filter as a target have_seccomp_filter=0 - ], - [ AC_MSG_RESULT([cross-compiling, assuming yes]) ] + ] ) fi -- cgit v1.2.1 From 2d3034af2398caab1ac70a7d570187ce4df3ce53 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 7 Feb 2013 23:49:37 +0000 Subject: - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer; patch from Iain Morgan in bz#2059 --- ChangeLog | 6 +++++- contrib/redhat/sshd.init | 8 ++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 53785de6..6c569b81 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,8 @@ -20100207 +20130208 + - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer; + patch from Iain Morgan in bz#2059 + +20130207 - (djm) [configure.ac] Don't probe seccomp capability of running kernel at configure time; the seccomp sandbox will fall back to rlimit at runtime anyway. Patch from plautrba AT redhat.com in bz#2011 diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init index e9a75179..40c8dfd9 100755 --- a/contrib/redhat/sshd.init +++ b/contrib/redhat/sshd.init 
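Review bot: Switching to `AC_LINK_IFELSE` in the `@@ -128,7 +128,7 @@` hunk leaves the surrounding `AC_MSG_CHECKING([kernel for seccomp_filter support])` claiming something the test no longer does: a link test proves only that the build host's headers and libc expose the seccomp-filter symbols, not that the running kernel honours them. The message should follow the test, e.g. `AC_MSG_CHECKING([for seccomp_filter support])`, so a configure log does not suggest the kernel was probed. Since the commit relies on the sandbox falling back to rlimit at runtime, a one-line comment above the probe saying that kernel support is decided when sshd starts would put that rationale in configure.ac rather than only in the ChangeLog. The `if test "x$have_seccomp_filter" = "x1"` block spans both the `@@ -128` and `@@ -141,8 +141,7 @@` hunks.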
@@ -29,7 +29,7 @@ do_restart_sanity_check() { $SSHD -t RETVAL=$? - if [ ! "$RETVAL" = 0 ]; then + if [ $RETVAL -ne 0 ]; then failure $"Configuration file or keys are invalid" echo fi @@ -49,7 +49,7 @@ start() echo -n $"Starting $prog:" $SSHD $OPTIONS && success || failure RETVAL=$? - [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd echo } @@ -58,7 +58,7 @@ stop() echo -n $"Stopping $prog:" killproc $SSHD -TERM RETVAL=$? - [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd + [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd echo } @@ -87,7 +87,7 @@ case "$1" in condrestart) if [ -f /var/lock/subsys/sshd ] ; then do_restart_sanity_check - if [ "$RETVAL" = 0 ] ; then + if [ $RETVAL -eq 0 ] ; then stop # avoid race sleep 3 -- cgit v1.2.1 From b75cf8028d64d6fdef4553c07320d3025590ce82 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 8 Feb 2013 00:50:09 +0000 Subject: - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows __attribute__ on return values and work around if necessary. ok djm@ --- ChangeLog | 2 ++ configure.ac | 16 ++++++++++++++-- openbsd-compat/sys-tree.h | 5 +++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6c569b81..5e832e7d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20130208 - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer; patch from Iain Morgan in bz#2059 + - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows + __attribute__ on return values and work around if necessary. ok djm@ 20130207 - (djm) [configure.ac] Don't probe seccomp capability of running kernel diff --git a/configure.ac b/configure.ac index f6110644..6df09e21 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.501 2013/02/06 23:11:05 djm Exp $ +# $Id: configure.ac,v 1.502 2013/02/08 00:50:09 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
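Review bot: The new integer tests in all four hunks (`[ $RETVAL -ne 0 ]`, `[ $RETVAL -eq 0 ]`) leave `$RETVAL` unquoted, so if the variable is ever empty the test degenerates to `[ -eq 0 ]` and the shell reports a syntax error instead of taking the failure branch; quoting costs nothing and keeps the numeric comparison: `if [ "$RETVAL" -ne 0 ]; then`. In each hunk `RETVAL=$?` is assigned immediately beforehand, so the value is numeric today and the quoting is insurance against a later edit. Separately, in the `@@ -49,7 +49,7 @@` hunk `RETVAL` captures the exit status of `success`/`failure` rather than of `$SSHD` itself (pre-existing, not introduced here), which deserves a comment if the lock-file touch is meant to track sshd's own result. The `condrestart)` arm in the `@@ -87,7 +87,7 @@` hunk continues outside the hunk.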
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.501 $) +AC_REVISION($Revision: 1.502 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -238,6 +238,18 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then fi fi +AC_MSG_CHECKING([if compiler allows __attribute__ on return types]) +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[ +#include +__attribute__((__unused__)) static void foo(void){return;}]], + [[ exit(0); ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1, + [compiler does not accept __attribute__ on return types]) ] +) + if test "x$no_attrib_nonnull" != "x1" ; then AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull]) fi diff --git a/openbsd-compat/sys-tree.h b/openbsd-compat/sys-tree.h index 058fa3b2..7f7546ec 100644 --- a/openbsd-compat/sys-tree.h +++ b/openbsd-compat/sys-tree.h @@ -26,6 +26,11 @@ /* OPENBSD ORIGINAL: sys/sys/tree.h */ +#include "config.h" +#ifdef NO_ATTRIBUTE_ON_RETURN_TYPE +# define __attribute__(x) +#endif + #ifndef _SYS_TREE_H_ #define _SYS_TREE_H_ -- cgit v1.2.1 From 7e1a6dddd9d246c6a6993b15d0d30c417e6152db Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 10 Feb 2013 23:39:12 +0000 Subject: - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old libcrypto that lacks EVP_CIPHER_CTX_ctrl --- ChangeLog | 4 ++++ configure.ac | 15 ++++++++++++--- openbsd-compat/openssl-compat.h | 11 ++++++++++- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5e832e7d..798f5452 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130211 + - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old + libcrypto that lacks EVP_CIPHER_CTX_ctrl + 20130208 - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer; patch from Iain Morgan in bz#2059 
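Review bot: `# define __attribute__(x)` in the `openbsd-compat/sys-tree.h` hunk (`@@ -26,6 +26,11 @@`) removes every `__attribute__` in each translation unit that includes this header, not just the return-type form the new configure probe rejects: any nonnull, format or noreturn annotation in a header included afterwards is silently dropped, and because the define sits before the `_SYS_TREE_H_` guard it is re-applied on every inclusion. A narrower workaround is to route only the attribute the tree macros use through a header-local macro and use that in `RB_PROTOTYPE_STATIC`/`RB_GENERATE_STATIC`, or at least to `#undef __attribute__` at the end of the header so the effect does not leak into the rest of the file. The probe in the `@@ -238,6 +238,18 @@` hunk only checks that `__attribute__((__unused__)) static void foo(void)` compiles, and a compiler that merely warns about the placement presumably still answers "yes"; a comment stating that this is the intended outcome would save the next reader from treating the warning as a probe failure.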
diff --git a/configure.ac b/configure.ac index 6df09e21..e96e81e6 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.502 2013/02/08 00:50:09 dtucker Exp $ +# $Id: configure.ac,v 1.503 2013/02/10 23:39:13 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.502 $) +AC_REVISION($Revision: 1.503 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2339,7 +2339,12 @@ AC_LINK_IFELSE( #include ]], [[ exit(EVP_aes_128_gcm() == NULL || - EVP_aes_256_gcm() == NULL); + EVP_aes_256_gcm() == NULL || + EVP_CTRL_GCM_SET_IV_FIXED == 0 || + EVP_CTRL_GCM_IV_GEN == 0 || + EVP_CTRL_GCM_SET_TAG == 0 || + EVP_CTRL_GCM_GET_TAG == 0 || + EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); ]])], [ AC_MSG_RESULT([yes]) @@ -2351,6 +2356,10 @@ AC_LINK_IFELSE( ] ) +AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], + [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], + [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) + AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) AC_LINK_IFELSE( [AC_LANG_PROGRAM([[ diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index eca62769..6c4d68de 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.22 2013/01/20 11:31:37 djm Exp $ */ +/* $Id: openssl-compat.h,v 1.23 2013/02/10 23:39:15 djm Exp $ */ /* * Copyright (c) 2005 Darren Tucker 
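Review bot: The `EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0` term added in the `@@ -2339,7 +2339,12 @@` hunk is safe only because the probe is an `AC_LINK_IFELSE` that never executes the program; if it is ever converted to `AC_RUN_IFELSE` the NULL context is dereferenced and the answer becomes "no" for the wrong reason. A comment above the test, e.g. `# link-only probe: the EVP_CTRL_GCM_* names must exist and EVP_CIPHER_CTX_ctrl must link; an undefined macro fails the compile and yields "no"`, records that intent and explains that the `== 0` comparisons exist to force a compile error, not to test a value. The `AC_SEARCH_LIBS` in the `@@ -2351,6 +2356,10 @@` hunk defines `HAVE_EVP_CIPHER_CTX_CTRL` independently of the GCM result, which is exactly what the `#error` in openssl-compat.h relies on, so naming that dependency in the same comment keeps the two probes from drifting apart.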
@@ -79,6 +79,15 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); # define EVP_CTRL_GCM_GET_TAG -1 #endif +/* Replace missing EVP_CIPHER_CTX_ctrl() with something that returns failure */ +#ifndef HAVE_EVP_CIPHER_CTX_CTRL +# ifdef OPENSSL_HAVE_EVPGCM +# error AES-GCM enabled without EVP_CIPHER_CTX_ctrl /* shouldn't happen */ +# else +# define EVP_CIPHER_CTX_ctrl(a,b,c,d) (0) +# endif +#endif + #if OPENSSL_VERSION_NUMBER < 0x00907000L #define EVP_X_STATE(evp) &(evp).c #define EVP_X_STATE_LEN(evp) sizeof((evp).c) -- cgit v1.2.1 From 5b6b16866364b4f2ea049535c707dc896b3375d3 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 11 Feb 2013 23:54:37 +0000 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/01/24 21:45:37 [krl.c] fix handling of (unused) KRL signatures; skip string in correct buffer --- ChangeLog | 6 ++++++ krl.c | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 798f5452..d663448e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20130212 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/01/24 21:45:37 + [krl.c] + fix handling of (unused) KRL signatures; skip string in correct buffer + 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old libcrypto that lacks EVP_CIPHER_CTX_ctrl diff --git a/krl.c b/krl.c index fe22bde2..8e53f46d 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.4 2013/01/19 12:34:55 markus Exp $ */ +/* $OpenBSD: krl.c,v 1.5 2013/01/24 21:45:37 djm Exp $ */ #include "includes.h" @@ -1031,7 +1031,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, case KRL_SECTION_SIGNATURE: /* Handled above, but still need to stay in synch */ buffer_clear(§); - if ((blob = buffer_get_string_ptr_ret(§, + if ((blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { error("%s: buffer error", __func__); goto out; -- cgit v1.2.1 
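Review bot: The fallback `# define EVP_CIPHER_CTX_ctrl(a,b,c,d) (0)` in the `@@ -79,6 +79,15 @@` hunk discards its four arguments, so a call whose arguments have side effects behaves differently from the real function and a compiler may warn about locals that are now only "used" inside the vanished call; evaluating and discarding them keeps the stub a drop-in: `# define EVP_CIPHER_CTX_ctrl(a,b,c,d) ((void)(a), (void)(b), (void)(c), (void)(d), 0)`. The stub returns 0, which the real API uses for failure, so every caller must treat the result as a hard error rather than ignoring it. A comment on the define stating that all control requests fail on this libcrypto, and that the `#error` under `OPENSSL_HAVE_EVPGCM` is what prevents GCM from being selected in that configuration, would make the contract explicit.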
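Review bot: The corrected `buffer_get_string_ptr_ret(&copy, &blen)` in the krl.c `@@ -1031,7 +1031,7 @@` hunk needs a comment, because the line above it clears `sect` and a reader will otherwise wonder why the signature string is read from a different buffer than every other section: `/* The signature string lives in the outer buffer (sect was just cleared); consume it so section parsing stays in sync. */`. The existing `/* Handled above ... */` context suggests the signature is processed earlier in ssh_krl_from_blob, which this hunk does not show; the new comment should say where, so someone auditing KRL handling can confirm that the section is not merely skipped. ssh_krl_from_blob extends well beyond the hunk.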
From 450680d0f6566ae518f1d8b16ae42424d5d71741 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 11 Feb 2013 23:54:54 +0000 Subject: - djm@cvs.openbsd.org 2013/01/24 22:08:56 [krl.c] skip serial lookup when cert's serial number is zero --- ChangeLog | 3 +++ krl.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d663448e..87fe12d7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - djm@cvs.openbsd.org 2013/01/24 21:45:37 [krl.c] fix handling of (unused) KRL signatures; skip string in correct buffer + - djm@cvs.openbsd.org 2013/01/24 22:08:56 + [krl.c] + skip serial lookup when cert's serial number is zero 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/krl.c b/krl.c index 8e53f46d..91685267 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.5 2013/01/24 21:45:37 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.6 2013/01/24 22:08:56 djm Exp $ */ #include "includes.h" @@ -1149,7 +1149,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key) } /* Legacy cert formats lack serial numbers */ - if (key_cert_is_legacy(key)) + if (key_cert_is_legacy(key) || key->cert->serial == buf0) return 0; bzero(&rs, sizeof(rs)); -- cgit v1.2.1 From a854d955085d8ff6c538f85e7eecb605579bd89f Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 11 Feb 2013 23:55:16 +0000 Subject: - krw@cvs.openbsd.org 2013/01/25 05:00:27 [krl.c] Revert last. Breaks due to likely typo. Let djm@ fix later. ok djm@ via dlg@ --- ChangeLog | 4 ++++ krl.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 87fe12d7..4f8fe971 100644 --- a/ChangeLog +++ b/ChangeLog 
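Review bot: `key->cert->serial == buf0` in the `@@ -1149,7 +1149,7 @@` hunk compares against an identifier that nothing in the hunk declares; the commit message says the intent is to skip the lookup when the serial is zero, so the constant `0` is presumably meant and the line should read `if (key_cert_is_legacy(key) || key->cert->serial == 0)`. As written the file will not compile unless a `buf0` exists elsewhere in is_key_revoked, which the hunk does not show. The new condition also deserves a comment explaining why a zero serial is exempt from revocation by serial, since a KRL entry covering serial 0 will never match once this lands. The rest of is_key_revoked lies outside the hunk.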
@@ -6,6 +6,10 @@ - djm@cvs.openbsd.org 2013/01/24 22:08:56 [krl.c] skip serial lookup when cert's serial number is zero + - krw@cvs.openbsd.org 2013/01/25 05:00:27 + [krl.c] + Revert last. Breaks due to likely typo. Let djm@ fix later. + ok djm@ via dlg@ 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/krl.c b/krl.c index 91685267..6d86c209 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.6 2013/01/24 22:08:56 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.7 2013/01/25 05:00:27 krw Exp $ */ #include "includes.h" @@ -1149,7 +1149,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key) } /* Legacy cert formats lack serial numbers */ - if (key_cert_is_legacy(key) || key->cert->serial == buf0) + if (key_cert_is_legacy(key)) return 0; bzero(&rs, sizeof(rs)); -- cgit v1.2.1 From fae6fb9ea63f88b998f60b39076b2de569c76c79 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 11 Feb 2013 23:56:42 +0000 Subject: - djm@cvs.openbsd.org 2013/01/25 10:22:19 [krl.c] redo last commit without the vi-vomit that snuck in: skip serial lookup when cert's serial number is zero (now with 100% better comment) --- ChangeLog | 5 +++++ krl.c | 9 ++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4f8fe971..428a93dd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,11 @@ [krl.c] Revert last. Breaks due to likely typo. Let djm@ fix later. ok djm@ via dlg@ + - djm@cvs.openbsd.org 2013/01/25 10:22:19 + [krl.c] + redo last commit without the vi-vomit that snuck in: + skip serial lookup when cert's serial number is zero + (now with 100% better comment) 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/krl.c b/krl.c index 6d86c209..e4e1788f 100644 --- a/krl.c +++ b/krl.c 
@@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.7 2013/01/25 05:00:27 krw Exp $ */ +/* $OpenBSD: krl.c,v 1.8 2013/01/25 10:22:19 djm Exp $ */ #include "includes.h" @@ -1148,8 +1148,11 @@ is_key_revoked(struct ssh_krl *krl, const Key *key) return -1; } - /* Legacy cert formats lack serial numbers */ - if (key_cert_is_legacy(key)) + /* + * Legacy cert formats lack serial numbers. Zero serials numbers + * are ignored (it's the default when the CA doesn't specify one). + */ + if (key_cert_is_legacy(key) || key->cert->serial == 0) return 0; bzero(&rs, sizeof(rs)); -- cgit v1.2.1 From be3be500adf130a8105c76cfe69e201f788d9a01 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 12 Feb 2013 00:00:34 +0000 Subject: - djm@cvs.openbsd.org 2013/01/26 06:11:05 [Makefile.in acss.c acss.h cipher-acss.c cipher.c] [openbsd-compat/openssl-compat.h] remove ACSS, now that it is gone from libcrypto too --- ChangeLog | 4 + Makefile.in | 6 +- acss.c | 267 ---------------------------------------- acss.h | 47 ------- cipher-acss.c | 86 ------------- cipher.c | 10 +- openbsd-compat/openssl-compat.h | 12 +- 7 files changed, 11 insertions(+), 421 deletions(-) delete mode 100644 acss.c delete mode 100644 acss.h delete mode 100644 cipher-acss.c diff --git a/ChangeLog b/ChangeLog index 428a93dd..25fb4b68 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ redo last commit without the vi-vomit that snuck in: skip serial lookup when cert's serial number is zero (now with 100% better comment) + - djm@cvs.openbsd.org 2013/01/26 06:11:05 + [Makefile.in acss.c acss.h cipher-acss.c cipher.c] + [openbsd-compat/openssl-compat.h] + remove ACSS, now that it is gone from libcrypto too 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/Makefile.in b/Makefile.in index 74eeab57..ec3e1f41 100644 --- a/Makefile.in +++ b/Makefile.in 
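Review bot: The comment added in the `@@ -1148,8 +1148,11 @@` hunk has a typo — `Zero serials numbers` should be `Zero serial numbers` — and it would be stronger if it spelled out the consequence of the new condition: a certificate whose serial is 0 can no longer be revoked by serial or serial range, only by key or key ID, so a KRL entry covering serial 0 is effectively ignored. Suggested wording: `/* Legacy cert formats lack serial numbers. Zero serial numbers are ignored (the default when the CA doesn't specify one), so such certs can only be revoked by key or key ID. */` — on the assumption, not visible in the hunk, that the key and key-ID lookups follow this check. is_key_revoked continues outside the hunk.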
@@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.330 2013/01/18 00:44:04 djm Exp $ +# $Id: Makefile.in,v 1.331 2013/02/12 00:00:34 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -61,8 +61,8 @@ MANFMT=@MANFMT@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) -LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ - canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ +LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ + canohost.o channels.o cipher.o cipher-aes.o \ cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ log.o match.o md-sha256.o moduli.o nchan.o packet.o \ diff --git a/acss.c b/acss.c deleted file mode 100644 index 86e2c01a..00000000 --- a/acss.c +++ /dev/null 
@@ -1,267 +0,0 @@ -/* $Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */ -/* - * Copyright (c) 2004 The OpenBSD project - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include "includes.h" - -#include - -#include - -#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L) - -#include "acss.h" - -/* decryption sbox */ -static unsigned char sboxdec[] = { - 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76, - 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b, - 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96, - 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b, - 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12, - 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f, - 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90, - 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91, - 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74, - 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75, - 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94, - 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95, - 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10, - 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11, - 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92, - 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f, - 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16, - 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b, - 0xb3, 0xf3, 0xbb, 
0xa6, 0xe3, 0xa3, 0xeb, 0xf6, - 0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb, - 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72, - 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f, - 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0, - 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1, - 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14, - 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15, - 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4, - 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5, - 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70, - 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71, - 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2, - 0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff -}; - -/* encryption sbox */ -static unsigned char sboxenc[] = { - 0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75, - 0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b, - 0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21, - 0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f, - 0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5, - 0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab, - 0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0, - 0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2, - 0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74, - 0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76, - 0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20, - 0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22, - 0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4, - 0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6, - 0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1, - 0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf, - 0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25, - 0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b, - 0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71, - 0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f, - 0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5, - 0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb, - 0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0, - 0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2, - 0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24, - 
0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26, - 0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70, - 0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72, - 0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4, - 0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6, - 0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1, - 0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff -}; - -static unsigned char reverse[] = { - 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, - 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, - 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, - 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, - 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, - 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, - 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, - 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, - 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, - 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, - 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, - 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, - 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, - 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, - 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, - 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, - 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, - 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, - 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, - 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, - 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, - 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, - 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, - 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, - 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, - 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, - 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, - 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, - 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, - 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, - 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, - 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff -}; - -/* - 
* Two linear feedback shift registers are used: - * - * lfsr17: polynomial of degree 17, primitive modulo 2 (listed in Schneier) - * x^15 + x + 1 - * lfsr25: polynomial of degree 25, not know if primitive modulo 2 - * x^13 + x^5 + x^4 + x^1 + 1 - * - * Output bits are discarded, instead the feedback bits are added to produce - * the cipher stream. Depending on the mode, feedback bytes may be inverted - * bit-wise before addition. - * - * The lfsrs are seeded with bytes from the raw key: - * - * lfsr17: byte 0[0:7] at bit 9 - * byte 1[0:7] at bit 0 - * - * lfsr25: byte 2[0:4] at bit 16 - * byte 2[5:7] at bit 22 - * byte 3[0:7] at bit 8 - * byte 4[0:7] at bit 0 - * - * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in - * lfsr25. - * - */ - -int -acss(ACSS_KEY *key, unsigned long len, const unsigned char *in, - unsigned char *out) -{ - unsigned long i; - unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp; - - lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0; - - /* keystream is sum of lfsrs */ - for (i = 0; i < len; i++) { - lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14); - key->lfsr17 = (key->lfsr17 >> 8) - ^ (lfsr17tmp << 9) - ^ (lfsr17tmp << 12) - ^ (lfsr17tmp << 15); - key->lfsr17 &= 0x1ffff; /* 17 bit LFSR */ - - lfsr25tmp = key->lfsr25 - ^ (key->lfsr25 >> 3) - ^ (key->lfsr25 >> 4) - ^ (key->lfsr25 >> 12); - key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17); - key->lfsr25 &= 0x1ffffff; /* 25 bit LFSR */ - - lfsrsumtmp = key->lfsrsum; - - /* addition */ - switch (key->mode) { - case ACSS_AUTHENTICATE: - case ACSS_DATA: - key->lfsrsum = 0xff & ~(key->lfsr17 >> 9); - key->lfsrsum += key->lfsr25 >> 17; - break; - case ACSS_SESSIONKEY: - key->lfsrsum = key->lfsr17 >> 9; - key->lfsrsum += key->lfsr25 >> 17; - break; - case ACSS_TITLEKEY: - key->lfsrsum = key->lfsr17 >> 9; - key->lfsrsum += 0xff & ~(key->lfsr25 >> 17); - break; - default: - return 1; - } - key->lfsrsum += (lfsrsumtmp >> 8); - - if (key->encrypt) { - out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 
0xff]; - } else { - out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff; - } - } - - return 0; -} - -static void -acss_seed(ACSS_KEY *key) -{ - int i; - - /* if available, mangle with subkey */ - if (key->subkey_avilable) { - for (i = 0; i < ACSS_KEYSIZE; i++) - key->seed[i] = reverse[key->data[i] ^ key->subkey[i]]; - } else { - for (i = 0; i < ACSS_KEYSIZE; i++) - key->seed[i] = reverse[key->data[i]]; - } - - /* seed lfsrs */ - key->lfsr17 = key->seed[1] - | (key->seed[0] << 9) - | (1 << 8); /* inject 1 at bit 9 */ - key->lfsr25 = key->seed[4] - | (key->seed[3] << 8) - | ((key->seed[2] & 0x1f) << 16) - | ((key->seed[2] & 0xe0) << 17) - | (1 << 21); /* inject 1 at bit 22 */ - - key->lfsrsum = 0; -} - -void -acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode) -{ - memcpy(key->data, data, sizeof(key->data)); - memset(key->subkey, 0, sizeof(key->subkey)); - - if (enc != -1) - key->encrypt = enc; - key->mode = mode; - key->subkey_avilable = 0; - - acss_seed(key); -} - -void -acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey) -{ - memcpy(key->subkey, subkey, sizeof(key->subkey)); - key->subkey_avilable = 1; - acss_seed(key); -} -#endif diff --git a/acss.h b/acss.h deleted file mode 100644 index 91b48954..00000000 --- a/acss.h +++ /dev/null 
@@ -1,47 +0,0 @@ -/* $Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */ -/* - * Copyright (c) 2004 The OpenBSD project - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef _ACSS_H_ -#define _ACSS_H_ - -/* 40bit key */ -#define ACSS_KEYSIZE 5 - -/* modes of acss */ -#define ACSS_AUTHENTICATE 0 -#define ACSS_SESSIONKEY 1 -#define ACSS_TITLEKEY 2 -#define ACSS_DATA 3 - -typedef struct acss_key_st { - unsigned int lfsr17; /* current state of lfsrs */ - unsigned int lfsr25; - unsigned int lfsrsum; - unsigned char seed[ACSS_KEYSIZE]; - unsigned char data[ACSS_KEYSIZE]; - unsigned char subkey[ACSS_KEYSIZE]; - int encrypt; /* XXX make these bit flags? */ - int mode; - int seeded; - int subkey_avilable; -} ACSS_KEY; - -void acss_setkey(ACSS_KEY *, const unsigned char *, int, int); -void acss_setsubkey(ACSS_KEY *, const unsigned char *); -int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *); - -#endif /* ifndef _ACSS_H_ */ diff --git a/cipher-acss.c b/cipher-acss.c deleted file mode 100644 index e755f92b..00000000 --- a/cipher-acss.c +++ /dev/null 
@@ -1,86 +0,0 @@ -/* - * Copyright (c) 2004 The OpenBSD project - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include "includes.h" - -#include - -#include - -#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) - -#include "acss.h" -#include "openbsd-compat/openssl-compat.h" - -#define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data) - -typedef struct { - ACSS_KEY ks; -} EVP_ACSS_KEY; - -#define EVP_CTRL_SET_ACSS_MODE 0xff06 -#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07 - -static int -acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) -{ - acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA); - return 1; -} - -static int -acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, - LIBCRYPTO_EVP_INL_TYPE inl) -{ - acss(&data(ctx)->ks,inl,in,out); - return 1; -} - -static int -acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) -{ - switch(type) { - case EVP_CTRL_SET_ACSS_MODE: - data(ctx)->ks.mode = arg; - return 1; - case EVP_CTRL_SET_ACSS_SUBKEY: - acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr); - return 1; - default: - return -1; - } -} - -const EVP_CIPHER * -evp_acss(void) -{ - static EVP_CIPHER acss_cipher; - - memset(&acss_cipher, 0, sizeof(EVP_CIPHER)); - - acss_cipher.nid = 
NID_undef; - acss_cipher.block_size = 1; - acss_cipher.key_len = 5; - acss_cipher.init = acss_init_key; - acss_cipher.do_cipher = acss_ciph; - acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY); - acss_cipher.ctrl = acss_ctrl; - - return (&acss_cipher); -} -#endif - diff --git a/cipher.c b/cipher.c index 2d307e16..9ca1d006 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.86 2013/01/12 11:22:04 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -92,10 +92,6 @@ struct Cipher { SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, { "aes256-gcm@openssh.com", SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, -#endif -#ifdef USE_CIPHER_ACSS - { "acss@openssh.org", - SSH_CIPHER_SSH2, 16, 5, 0, 0, 0, 0, EVP_acss }, #endif { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } }; @@ -478,7 +474,7 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat) Cipher *c = cc->cipher; int plen = 0; - if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { + if (c->evptype == EVP_rc4) { plen = EVP_X_STATE_LEN(cc->evp); if (dat == NULL) return (plen); @@ -493,7 +489,7 @@ cipher_set_keycontext(CipherContext *cc, u_char *dat) Cipher *c = cc->cipher; int plen; - if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { + if (c->evptype == EVP_rc4) { plen = EVP_X_STATE_LEN(cc->evp); memcpy(EVP_X_STATE(cc->evp), dat, plen); } diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 6c4d68de..e7439b4e 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.23 2013/02/10 23:39:15 djm Exp $ */ +/* $Id: openssl-compat.h,v 1.24 2013/02/12 00:00:40 djm Exp $ */ /* * Copyright (c) 2005 Darren Tucker 
@@ -96,16 +96,6 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size #endif -#if !defined(EVP_CTRL_SET_ACSS_MODE) -# if (OPENSSL_VERSION_NUMBER >= 0x00907000L) -# define USE_CIPHER_ACSS 1 -extern const EVP_CIPHER *evp_acss(void); -# define EVP_acss evp_acss -# else -# define EVP_acss NULL -# endif -#endif - /* OpenSSL 0.9.8e returns cipher key len not context key len */ #if (OPENSSL_VERSION_NUMBER == 0x0090805fL) # define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) -- cgit v1.2.1 From 8da0d06e590ee0b6f9b969c062da80051a069b70 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 12 Feb 2013 00:01:39 +0000 Subject: - djm@cvs.openbsd.org 2013/01/27 10:06:12 [krl.c] actually use the xrealloc() return value; spotted by xi.wang AT gmail.com --- ChangeLog | 3 +++ krl.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 25fb4b68..b028fef8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ [Makefile.in acss.c acss.h cipher-acss.c cipher.c] [openbsd-compat/openssl-compat.h] remove ACSS, now that it is gone from libcrypto too + - djm@cvs.openbsd.org 2013/01/27 10:06:12 + [krl.c] + actually use the xrealloc() return value; spotted by xi.wang AT gmail.com 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/krl.c b/krl.c index e4e1788f..5ed7bd7e 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.8 2013/01/25 10:22:19 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.9 2013/01/27 10:06:12 djm Exp $ */ #include "includes.h" @@ -981,7 +981,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, } } /* Record keys used to sign the KRL */ - xrealloc(ca_used, nca_used + 1, sizeof(*ca_used)); + ca_used = xrealloc(ca_used, nca_used + 1, sizeof(*ca_used)); ca_used[nca_used++] = key; key = NULL; break; -- cgit v1.2.1 
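Review bot: The fixed line `ca_used = xrealloc(ca_used, nca_used + 1, sizeof(*ca_used));` deserves a comment recording why the assignment matters, because the previous form compiled cleanly and left `ca_used` pointing at freed memory whenever realloc moved the block. Suggest `/* xrealloc() may move the block; never reuse the old pointer */` directly above it. Growing by one element per signing key also means one reallocation per key found in the blob; if `nca_used` is driven purely by the input rather than bounded elsewhere, a cap would be worth considering, but that is outside this hunk. ssh_krl_from_blob starts and ends outside the hunk.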
From 4db0753f76aa4086f9907f159ea11278d65c78c9 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 12 Feb 2013 00:02:08 +0000 Subject: - dtucker@cvs.openbsd.org 2013/02/06 00:20:42 [servconf.c sshd_config sshd_config.5] Change default of MaxStartups to 10:30:100 to start doing random early drop at 10 connections up to 100 connections. This will make it harder to DoS as CPUs have come a long way since the original value was set back in 2000. Prompted by nion at debian org, ok markus@ --- ChangeLog | 6 ++++++ servconf.c | 8 ++++---- sshd_config | 4 ++-- sshd_config.5 | 6 +++--- 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index b028fef8..2d5f1d96 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,12 @@ - djm@cvs.openbsd.org 2013/01/27 10:06:12 [krl.c] actually use the xrealloc() return value; spotted by xi.wang AT gmail.com + - dtucker@cvs.openbsd.org 2013/02/06 00:20:42 + [servconf.c sshd_config sshd_config.5] + Change default of MaxStartups to 10:30:100 to start doing random early + drop at 10 connections up to 100 connections. This will make it harder + to DoS as CPUs have come a long way since the original value was set + back in 2000. Prompted by nion at debian org, ok markus@ 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/servconf.c b/servconf.c index 21b371c8..b2a60fd6 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.233 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -256,11 +256,11 @@ fill_default_server_options(ServerOptions *options) if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) - options->max_startups = 10; + options->max_startups = 100; if (options->max_startups_rate == -1) - options->max_startups_rate = 100; /* 100% */ + options->max_startups_rate = 30; /* 30% */ if (options->max_startups_begin == -1) - options->max_startups_begin = options->max_startups; + options->max_startups_begin = 10; if (options->max_authtries == -1) options->max_authtries = DEFAULT_AUTH_FAIL_MAX; if (options->max_sessions == -1) diff --git a/sshd_config b/sshd_config index 3d35bef0..9cd2fddc 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.88 2012/10/30 21:29:55 djm Exp $ +# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -109,7 +109,7 @@ UsePrivilegeSeparation sandbox # Default for new installations. #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid -#MaxStartups 10 +#MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none diff --git a/sshd_config.5 b/sshd_config.5 index d2913c33..cfa48069 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.155 2013/01/18 08:00:49 jmc Exp $ -.Dd $Mdocdate: January 18 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $ +.Dd $Mdocdate: February 6 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
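Review bot: The new defaults `100`, `30` and `10` are bare literals right next to `DEFAULT_AUTH_FAIL_MAX`, which the same function uses for the adjacent default; for consistency the three MaxStartups values belong in named constants (e.g. `DEFAULT_MAX_STARTUPS_BEGIN`, `DEFAULT_MAX_STARTUPS_RATE`, `DEFAULT_MAX_STARTUPS`) declared alongside it, so that code, sshd_config and sshd_config.5 cannot drift apart. The `/* 30% */` comment only restates the literal; saying that the rate is the drop probability at `max_startups_begin` unauthenticated connections, rising to 100% at `max_startups`, would help more. The three assignments are independent `if`s, which is only safe if the config parser always sets all three or none; worth confirming since fill_default_server_options continues outside the hunk.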
@@ -820,7 +820,7 @@ SSH daemon. Additional connections will be dropped until authentication succeeds or the .Cm LoginGraceTime expires for a connection. -The default is 10. +The default is 10:30:100. .Pp Alternatively, random early drop can be enabled by specifying the three colon separated values -- cgit v1.2.1 From 563728e966c0a24a5f0afa881dea97414df2b361 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 12 Feb 2013 00:02:27 +0000 Subject: - dtucker@cvs.openbsd.org 2013/02/06 00:22:21 [auth.c] Fix comment, from jfree.e1 at gmail --- ChangeLog | 3 +++ auth.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2d5f1d96..c1d42870 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,9 @@ drop at 10 connections up to 100 connections. This will make it harder to DoS as CPUs have come a long way since the original value was set back in 2000. Prompted by nion at debian org, ok markus@ + - dtucker@cvs.openbsd.org 2013/02/06 00:22:21 + [auth.c] + Fix comment, from jfree.e1 at gmail 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/auth.c b/auth.c index d978f027..054c7282 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -421,7 +421,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, * * XXX Should any specific check be done for sym links ? * - * Takes an the file name, its stat information (preferably from fstat() to + * Takes a file name, its stat information (preferably from fstat() to * avoid races), the uid of the expected owner, their home directory and an * error buffer plus max size as arguments. * -- cgit v1.2.1 From 8c81d62267365032b5b87539626452e0c4ec29b9 Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 12 Feb 2013 00:02:46 +0000 Subject: - djm@cvs.openbsd.org 2013/02/08 00:41:12 [sftp.c] fix NULL deref when built without libedit and control characters entered as command; debugging and patch from Iain Morgan an Loganaden Velvindron in bz#1956 --- ChangeLog | 5 +++++ sftp.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c1d42870..4084052d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,11 @@ - dtucker@cvs.openbsd.org 2013/02/06 00:22:21 [auth.c] Fix comment, from jfree.e1 at gmail + - djm@cvs.openbsd.org 2013/02/08 00:41:12 + [sftp.c] + fix NULL deref when built without libedit and control characters + entered as command; debugging and patch from Iain Morgan an + Loganaden Velvindron in bz#1956 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/sftp.c b/sftp.c index 6516d1f1..9a53b12b 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.141 2012/10/05 12:34:39 markus Exp $ */ +/* $OpenBSD: sftp.c,v 1.142 2013/02/08 00:41:12 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1145,7 +1145,7 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, /* Figure out which command we have */ for (i = 0; cmds[i].c != NULL; i++) { - if (strcasecmp(cmds[i].c, argv[0]) == 0) + if (argv[0] != NULL && strcasecmp(cmds[i].c, argv[0]) == 0) break; } cmdnum = cmds[i].n; -- cgit v1.2.1 From 2a631b998b4810d8e84fd3ee365f9ed2bc68c7a0 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 12 Feb 2013 00:03:10 +0000 Subject: - markus@cvs.openbsd.org 2013/02/10 21:19:34 [version.h] openssh 6.2 --- ChangeLog | 3 +++ version.h | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4084052d..07384320 100644 --- a/ChangeLog +++ b/ChangeLog 
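Review bot: The added `argv[0] != NULL` test is loop-invariant yet evaluated on every iteration of the command lookup; a guard before the `for`, such as `if (argv[0] == NULL) /* empty command line: falls through to the sentinel entry */`, would make the empty-command case explicit and leave the original `strcasecmp` line untouched. As written, a NULL `argv[0]` runs the loop to its end and `cmdnum = cmds[i].n` picks up the sentinel's `n`, so correctness depends on that value being handled as "unknown command" further down; a one-line comment stating that would help the next reader. parse_args continues outside the hunk, so whether argc is also available to test cannot be confirmed here.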
@@ -36,6 +36,9 @@ fix NULL deref when built without libedit and control characters entered as command; debugging and patch from Iain Morgan an Loganaden Velvindron in bz#1956 + - markus@cvs.openbsd.org 2013/02/10 21:19:34 + [version.h] + openssh 6.2 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/version.h b/version.h index 76adaaff..784f707a 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.65 2012/07/22 18:19:21 markus Exp $ */ +/* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */ -#define SSH_VERSION "OpenSSH_6.1" +#define SSH_VERSION "OpenSSH_6.2" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.2.1 From 00e98311f93cb3f84f158ac7b9e19c8abcacae16 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 12 Feb 2013 00:03:36 +0000 Subject: - djm@cvs.openbsd.org 2013/02/10 23:32:10 [ssh-keygen.c] append to moduli file when screening candidates rather than overwriting. allows resumption of interrupted screen; patch from Christophe Garault in bz#1957; ok dtucker@ --- ChangeLog | 5 +++++ ssh-keygen.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 07384320..1b803f7d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,11 @@ - markus@cvs.openbsd.org 2013/02/10 21:19:34 [version.h] openssh 6.2 + - djm@cvs.openbsd.org 2013/02/10 23:32:10 + [ssh-keygen.c] + append to moduli file when screening candidates rather than overwriting. + allows resumption of interrupted screen; patch from Christophe Garault + in bz#1957; ok dtucker@ 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/ssh-keygen.c b/ssh-keygen.c index 21c7f25e..d1a205e1 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.224 2013/01/18 07:59:46 jmc Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.225 2013/02/10 23:32:10 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2508,7 +2508,7 @@ main(int argc, char **argv) if (do_screen_candidates) { FILE *in; - FILE *out = fopen(out_file, "w"); + FILE *out = fopen(out_file, "a"); if (have_identity && strcmp(identity_file, "-") != 0) { if ((in = fopen(identity_file, "r")) == NULL) { -- cgit v1.2.1 From 30dc60258ed6993f84f344cfa6aaff85646976eb Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 12 Feb 2013 00:03:58 +0000 Subject: - djm@cvs.openbsd.org 2013/02/10 23:35:24 [packet.c] record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@ --- ChangeLog | 5 +++++ packet.c | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1b803f7d..6e1a85bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -44,6 +44,11 @@ append to moduli file when screening candidates rather than overwriting. allows resumption of interrupted screen; patch from Christophe Garault in bz#1957; ok dtucker@ + - djm@cvs.openbsd.org 2013/02/10 23:35:24 + [packet.c] + record "Received disconnect" messages at ERROR rather than INFO priority, + since they are abnormal and result in a non-zero ssh exit status; patch + from Iain Morgan in bz#2057; ok dtucker@ 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/packet.c b/packet.c index ae7b04cd..9326ddea 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.180 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: packet.c,v 1.181 2013/02/10 23:35:24 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
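Review bot: Opening with `"a"` means that if the previous screening run was interrupted mid-line, the resumed run appends after a partial record and `out_file` ends up with one malformed moduli line; before writing, check that the file is empty or that its last byte is `'\n'` (or truncate back to the last newline). The visible `FILE *out = fopen(out_file, "a");` is not NULL-checked within the hunk; if main() does not test it further down, a failed open leads to writing through a null `FILE *`. The enclosing `if (do_screen_candidates)` block continues outside the hunk.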
@@ -1460,7 +1460,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) case SSH2_MSG_DISCONNECT: reason = packet_get_int(); msg = packet_get_string(NULL); - logit("Received disconnect from %s: %u: %.400s", + error("Received disconnect from %s: %u: %.400s", get_remote_ipaddr(), reason, msg); xfree(msg); cleanup_exit(255); @@ -1485,7 +1485,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) break; case SSH_MSG_DISCONNECT: msg = packet_get_string(NULL); - logit("Received disconnect from %s: %.400s", + error("Received disconnect from %s: %.400s", get_remote_ipaddr(), msg); cleanup_exit(255); break; -- cgit v1.2.1 From e1817f48773f2cf3dcdd6cfbb1aef59968dba8f5 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 12 Feb 2013 00:04:48 +0000 Subject: - dtucker@cvs.openbsd.org 2013/02/11 21:21:58 [sshd.c] Add openssl version to debug output similar to the client. ok markus@ --- ChangeLog | 3 +++ sshd.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6e1a85bc..01ba1fe3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,9 @@ record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@ + - dtucker@cvs.openbsd.org 2013/02/11 21:21:58 + [sshd.c] + Add openssl version to debug output similar to the client. ok markus@ 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/sshd.c b/sshd.c index af7ff91b..3e9d1764 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.396 2012/11/04 11:09:15 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
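Review bot: The two hunks make the same one-word change, but the SSH_MSG_DISCONNECT branch in the second hunk still does not free `msg` before `cleanup_exit(255)` while the SSH2 branch does `xfree(msg)`; harmless because the process exits, but the asymmetry reads like an oversight, so either add `xfree(msg);` or comment that the leak is intentional. `msg` is peer-supplied text and `%.400s` bounds only its length; the log layer is presumably what strips control characters before the text reaches syslog or a terminal, which is worth confirming now that it is emitted at ERROR priority. packet_read_poll_seqnr starts and ends outside the hunks.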
@@ -1596,7 +1596,8 @@ main(int ac, char **av) exit(1); } - debug("sshd version %.100s", SSH_RELEASE); + debug("sshd version %s, %s", SSH_VERSION, + SSLeay_version(SSLEAY_VERSION)); /* Store privilege separation user for later use if required. */ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { -- cgit v1.2.1 From 0c43f8fcb960c45972a6154c6d239ac1bc2d5113 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 12 Feb 2013 00:16:57 +0000 Subject: - djm@cvs.openbsd.org 2013/02/11 23:58:51 [try-ciphers.sh] remove acss here too --- ChangeLog | 3 +++ regress/try-ciphers.sh | 12 +----------- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 01ba1fe3..e744747e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -52,6 +52,9 @@ - dtucker@cvs.openbsd.org 2013/02/11 21:21:58 [sshd.c] Add openssl version to debug output similar to the client. ok markus@ + - djm@cvs.openbsd.org 2013/02/11 23:58:51 + [regress/try-ciphers.sh] + remove acss here too 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index ef91085c..054a1f14 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.18 2013/01/12 11:23:53 djm Exp $ +# $OpenBSD: try-ciphers.sh,v 1.19 2013/02/11 23:58:51 djm Exp $ # Placed in the Public Domain. tid="try ciphers" @@ -51,15 +51,5 @@ then : else -echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy -c=acss@openssh.org -for m in $macs; do - trace "proto 2 $c mac $m" - verbose "test $tid: proto 2 cipher $c mac $m" - ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true - if [ $? -ne 0 ]; then - fail "ssh -2 failed with mac $m cipher $c" - fi -done fi -- cgit v1.2.1 From c8397040cffdec36c0ae812c05104828f375e19c Mon Sep 17 00:00:00 2001 
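Review bot: Replacing `SSH_RELEASE` with `SSH_VERSION` drops the portable suffix from the debug line, since version.h in this same series defines `SSH_RELEASE` as `SSH_VERSION SSH_PORTABLE`; the output now reads `OpenSSH_6.2` rather than `OpenSSH_6.2p1`, so portable and upstream builds become indistinguishable in debug logs. If that is not intended, keep the release macro: `debug("sshd version %s, %s", SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));`. The `%.100s` bound was also dropped; harmless for a compile-time constant, but it should be mentioned in the commit message. main's body continues outside the hunk.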
From: djm Date: Tue, 12 Feb 2013 00:31:38 +0000 Subject: - (djm) [regress/try-ciphers.sh] clean up CVS merge botch --- ChangeLog | 1 + regress/try-ciphers.sh | 7 ------- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index e744747e..567bdf29 100644 --- a/ChangeLog +++ b/ChangeLog @@ -55,6 +55,7 @@ - djm@cvs.openbsd.org 2013/02/11 23:58:51 [regress/try-ciphers.sh] remove acss here too + - (djm) [regress/try-ciphers.sh] clean up CVS merge botch 20130211 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 054a1f14..87ec7497 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -46,10 +46,3 @@ for c in $ciphers; do fi done -if ${SSH} -oCiphers=acss@openssh.org 2>&1 | grep "Bad SSH2 cipher" >/dev/null -then - : -else - - -fi -- cgit v1.2.1 From c24af79b630bbf8c726bd578271ee86c2c2dbc3a Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 13 Feb 2013 23:14:51 +0000 Subject: - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. --- ChangeLog | 3 +++ regress/krl.sh | 10 ++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 567bdf29..f39894df 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20130214 + - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. + 20130212 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/01/24 21:45:37 diff --git a/regress/krl.sh b/regress/krl.sh index 46a2ad3f..1e767f33 100644 --- a/regress/krl.sh +++ b/regress/krl.sh 
@@ -3,13 +3,19 @@ tid="key revocation lists" +# If we don't support ecdsa keys then this tell will be much slower. +ECDSA=ecdsa +if test "x$TEST_SSH_ECC" != "xyes"; then + $ECDSA=rsa +fi + # Do most testing with ssh-keygen; it uses the same verification code as sshd. # Old keys will interfere with ssh-keygen. rm -f $OBJ/revoked-* $OBJ/krl-* # Generate a CA key -$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null || +$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null || fatal "$SSHKEYGEN CA failed" # A specification that revokes some certificates by serial numbers @@ -48,7 +54,7 @@ keygen() { N=$1 f=$OBJ/revoked-`printf "%04d" $N` # Vary the keytype. We use mostly ECDSA since this is fastest by far. - keytype=ecdsa + keytype=$ECDSA case $N in 2 | 10 | 510 | 1001) keytype=rsa;; 4 | 30 | 520 | 1002) keytype=dsa;; -- cgit v1.2.1 From 16c16fd098a01cb381a65e2b6b9e112f8e918180 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 13 Feb 2013 23:31:03 +0000 Subject: - (djm) [regress/krl.sh] typo; found by Iain Morgan --- ChangeLog | 1 + regress/krl.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index f39894df..b77f88b0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ 20130214 - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. + - (djm) [regress/krl.sh] typo; found by Iain Morgan 20130212 - (djm) OpenBSD CVS Sync diff --git a/regress/krl.sh b/regress/krl.sh index 1e767f33..09d26ab5 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -6,7 +6,7 @@ tid="key revocation lists" # If we don't support ecdsa keys then this tell will be much slower. ECDSA=ecdsa if test "x$TEST_SSH_ECC" != "xyes"; then - $ECDSA=rsa + ECDSA=rsa fi # Do most testing with ssh-keygen; it uses the same verification code as sshd. -- cgit v1.2.1 From 25f1c5e02c33dc2b9c1ead73dc1b8412348416cb Mon Sep 17 00:00:00 2001 
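Review bot: Naming the variable `ECDSA` when it may hold `rsa` (once the `$ECDSA=rsa` typo fixed in the following hunk is applied) is misleading; a neutral name such as `FASTKEYTYPE` with the comment `# Key type for bulk key generation: ecdsa where supported, otherwise rsa` would read better. The comment `# If we don't support ecdsa keys then this tell will be much slower` also has a typo (`tell` should be `test`). The same rename applies to the `keytype=$ECDSA` assignment in the second hunk of the file.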
From: djm Date: Wed, 13 Feb 2013 23:32:33 +0000 Subject: - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by Iain Morgan --- ChangeLog | 3 +++ regress/integrity.sh | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index b77f88b0..c6162496 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20130214 - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. - (djm) [regress/krl.sh] typo; found by Iain Morgan + - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead + of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by + Iain Morgan 20130212 - (djm) OpenBSD CVS Sync diff --git a/regress/integrity.sh b/regress/integrity.sh index 91168fd2..bcace97e 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -3,11 +3,11 @@ tid="integrity" -# start at byte 2300 (i.e. after kex) and corrupt at different offsets +# start at byte 2500 (i.e. after kex) and corrupt at different offsets # XXX the test hangs if we modify the low bytes of the packet length # XXX and ssh tries to read... tries=10 -startoffset=2300 +startoffset=2500 macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com hmac-sha1-96 hmac-md5-96 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com -- cgit v1.2.1 From 722cda4809894546d387c0dda2c464cbb348c8f5 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 14 Feb 2013 23:23:44 +0000 Subject: - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from Iain Morgan --- ChangeLog | 4 ++++ contrib/suse/rc.sshd | 8 ++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index c6162496..997982e6 100644 --- a/ChangeLog +++ b/ChangeLog 
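Review bot: `startoffset=2500` is a hard-coded estimate of where the key exchange ends on the wire, and the updated comment `# start at byte 2500 (i.e. after kex)` does not say how it was derived or why it is fragile (host key type and the negotiated algorithm lists all change the KEX size). Recording the assumption, e.g. `# 2500 lies past the end of KEX for the key types used here; KEX is not MAC-protected, so corrupting inside it gives false failures`, would save the next person who trips over this. Deriving the offset from the observed handshake length would be more robust but is beyond this one-line change.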
@@ -1,3 +1,7 @@ +20130215 + - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from + Iain Morgan + 20130214 - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. - (djm) [regress/krl.sh] typo; found by Iain Morgan diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd index 4a3bc41d..28f28e41 100644 --- a/contrib/suse/rc.sshd +++ b/contrib/suse/rc.sshd @@ -49,7 +49,7 @@ case "$1" in ## Start daemon with startproc(8). If this fails ## the echo return value is set appropriate. - startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE" + startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE" # Remember status and be verbose rc_status -v @@ -59,7 +59,7 @@ case "$1" in ## Stop daemon with killproc(8) and if this fails ## set echo the echo return value. - killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd + killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN # Remember status and be verbose rc_status -v @@ -87,7 +87,7 @@ case "$1" in echo -n "Reload service sshd" - killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd + killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN rc_status -v @@ -103,7 +103,7 @@ case "$1" in # 2 - service dead, but /var/lock/ lock file exists # 3 - service not running - checkproc -p $SSHD_PIDFILE /usr/sbin/sshd + checkproc -p $SSHD_PIDFILE $SSHD_BIN rc_status -v ;; -- cgit v1.2.1 From 04df24a233e6118a5265ab43efc5437d1bfe00a8 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 14 Feb 2013 23:28:55 +0000 Subject: - djm@cvs.openbsd.org 2013/02/14 21:35:59 [auth2-pubkey.c] Correct error message that had a typo and was logging the wrong thing; patch from Petr Lautrbach --- ChangeLog | 5 +++++ auth2-pubkey.c | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 997982e6..2a258466 100644 --- a/ChangeLog +++ b/ChangeLog 
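Review bot: `$SSHD_BIN` is used unquoted in all four hunks and its definition is not visible here; if the variable is unset, the `startproc`, `killproc` and `checkproc` invocations silently lose their program argument. Where it is defined (outside these hunks), a default such as `SSHD_BIN=${SSHD_BIN:-/usr/sbin/sshd}` would preserve the previous behaviour when the sysconfig file does not set it. The `case` statement containing these lines starts and ends outside the hunks.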
@@ -1,6 +1,11 @@ 20130215 - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from Iain Morgan + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/14 21:35:59 + [auth2-pubkey.c] + Correct error message that had a typo and was logging the wrong thing; + patch from Petr Lautrbach 20130214 - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 70d8996e..3ff6faa8 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.33 2012/11/14 02:24:27 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -479,8 +479,8 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) "u", user_pw->pw_name, (char *)NULL); pw = getpwnam(username); if (pw == NULL) { - error("AuthorizedKeyCommandUser \"%s\" not found: %s", - options.authorized_keys_command, strerror(errno)); + error("AuthorizedKeysCommandUser \"%s\" not found: %s", + username, strerror(errno)); free(username); return 0; } -- cgit v1.2.1 From 3e7caf17437622cb7fca64200a4a797192d54459 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 15 Feb 2013 00:41:35 +0000 Subject: - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] Use getpgrp() if we don't have getpgid() (old BSDs, maybe others). --- ChangeLog | 2 ++ configure.ac | 6 ++++-- openbsd-compat/bsd-misc.c | 13 +++++++++++++ openbsd-compat/bsd-misc.h | 6 +++++- 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2a258466..b4abe75f 100644 --- a/ChangeLog +++ b/ChangeLog 
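Review bot: The corrected message still appends `strerror(errno)` after `getpwnam(username)` returned NULL, but getpwnam is not required to set errno when the user simply does not exist, so the suffix can be stale or read "Success"; either set `errno = 0` before the call and print `strerror` only when it is non-zero, or drop the suffix: `error("AuthorizedKeysCommandUser \"%s\" not found", username);`. Logging `username`, which appears to be the expanded configuration value, rather than the raw option is the right fix for the second half of the bug. user_key_command_allowed2 starts and ends outside the hunk.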
@@ -1,6 +1,8 @@ 20130215 - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from Iain Morgan + - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] + Use getpgrp() if we don't have getpgid() (old BSDs, maybe others). - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/02/14 21:35:59 [auth2-pubkey.c] diff --git a/configure.ac b/configure.ac index e96e81e6..def34fa0 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.503 2013/02/10 23:39:13 djm Exp $ +# $Id: configure.ac,v 1.504 2013/02/15 00:41:35 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.503 $) +AC_REVISION($Revision: 1.504 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1550,6 +1550,8 @@ AC_CHECK_FUNCS([ \ getopt \ getpeereid \ getpeerucred \ + getpgid \ + getpgrp \ _getpty \ getrlimit \ getttyent \ diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 3ef373f5..0cff2e42 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -247,3 +247,16 @@ int isblank(int c) return (c == ' ' || c == '\t'); } #endif + +#ifndef HAVE_GETPGID +pid_t +getpgid(pid_t pid) +{ +#ifdef HAVE_GETPGRP + if (pid == 0) + return getpgrp(); +#endif + errno = ESRCH; + return -1; +} +#endif diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index eac5217c..de836738 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -1,4 +1,4 @@ -/* $Id: bsd-misc.h,v 1.21 2012/07/03 22:50:10 dtucker Exp $ */ +/* $Id: bsd-misc.h,v 1.22 2013/02/15 00:41:36 dtucker Exp $ */ /* * Copyright (c) 1999-2004 Damien Miller @@ -102,4 +102,8 @@ mysig_t mysignal(int sig, mysig_t act); int isblank(int); #endif +#ifndef HAVE_GETPGID +pid_t getpgid(pid_t); +#endif + #endif /* _BSD_MISC_H */ -- cgit v1.2.1 
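Review bot: The compat `getpgid()` supports only `pid == 0` and fails with ESRCH for every other pid (and for all pids when HAVE_GETPGRP is also undefined), which is a much narrower contract than the real function; that limitation should be stated above the definition, e.g. `/* Minimal fallback: only the calling process (pid == 0) is supported; other pids fail with ESRCH. */`, so a future caller does not assume full semantics. It also assigns `errno`, which needs `<errno.h>` in scope in bsd-misc.c; the include list is outside the hunk, so this is worth confirming. The bsd-misc.h hunk only adds the matching prototype.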
From 66f4dd1ea360a4e44583c7f2959074595d5c9329 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 15 Feb 2013 00:50:03 +0000 Subject: spacing --- openbsd-compat/bsd-misc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 0cff2e42..ad524b8b 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -242,7 +242,8 @@ strdup(const char *str) #endif #ifndef HAVE_ISBLANK -int isblank(int c) +int +isblank(int c) { return (c == ' ' || c == '\t'); } -- cgit v1.2.1 From ceedc8b3faacc6c5f62a2381c7f26a80a4183f96 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 15 Feb 2013 01:13:01 +0000 Subject: - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c openbsd-compat/openbsd-compat.h] Add strtoull to compat library for platforms that don't have it. --- ChangeLog | 3 ++ configure.ac | 5 +- openbsd-compat/Makefile.in | 4 +- openbsd-compat/openbsd-compat.h | 6 ++- openbsd-compat/strtoull.c | 110 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 123 insertions(+), 5 deletions(-) create mode 100644 openbsd-compat/strtoull.c diff --git a/ChangeLog b/ChangeLog index b4abe75f..0a5c5059 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ Iain Morgan - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] Use getpgrp() if we don't have getpgid() (old BSDs, maybe others). + - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c + openbsd-compat/openbsd-compat.h] Add strtoull to compat library for + platforms that don't have it. - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/02/14 21:35:59 [auth2-pubkey.c] diff --git a/configure.ac b/configure.ac index def34fa0..d62323d9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.504 2013/02/15 00:41:35 dtucker Exp $ +# $Id: configure.ac,v 1.505 2013/02/15 01:13:01 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.504 $) +AC_REVISION($Revision: 1.505 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1611,6 +1611,7 @@ AC_CHECK_FUNCS([ \ strtonum \ strtoll \ strtoul \ + strtoull \ swap32 \ sysconf \ tcgetpgrp \ diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 992b9743..e1c3651e 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.49 2012/11/05 06:04:37 dtucker Exp $ +# $Id: Makefile.in,v 1.50 2013/02/15 01:13:02 dtucker Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -16,7 +16,7 @@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o +OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 664cb044..99cebef7 100644 --- a/openbsd-compat/openbsd-compat.h 
+++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.53 2012/11/05 06:04:38 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.54 2013/02/15 01:13:02 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -218,6 +218,10 @@ char *group_from_gid(gid_t, int); int timingsafe_bcmp(const void *, const void *, size_t); #endif +#ifndef HAVE_STRTOULL +unsigned long long strtoull(const char *, char **, int); +#endif + void *xmmap(size_t size); char *xcrypt(const char *password, const char *salt); char *shadow_pw(struct passwd *pw); diff --git a/openbsd-compat/strtoull.c b/openbsd-compat/strtoull.c new file mode 100644 index 00000000..f7c818c5 --- /dev/null +++ b/openbsd-compat/strtoull.c 
@@ -0,0 +1,110 @@ +/* $OpenBSD: strtoull.c,v 1.5 2005/08/08 08:05:37 espie Exp $ */ +/*- + * Copyright (c) 1992 The Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoull.c */ + +#include "includes.h" +#ifndef HAVE_STRTOULL + +#include + +#include +#include +#include +#include + +/* + * Convert a string to an unsigned long long. + * + * Ignores `locale' stuff. 
Assumes that the upper and lower case + * alphabets and digits are each contiguous. + */ +unsigned long long +strtoull(const char *nptr, char **endptr, int base) +{ + const char *s; + unsigned long long acc, cutoff; + int c; + int neg, any, cutlim; + + /* + * See strtoq for comments as to the logic used. + */ + s = nptr; + do { + c = (unsigned char) *s++; + } while (isspace(c)); + if (c == '-') { + neg = 1; + c = *s++; + } else { + neg = 0; + if (c == '+') + c = *s++; + } + if ((base == 0 || base == 16) && + c == '0' && (*s == 'x' || *s == 'X')) { + c = s[1]; + s += 2; + base = 16; + } + if (base == 0) + base = c == '0' ? 8 : 10; + + cutoff = ULLONG_MAX / (unsigned long long)base; + cutlim = ULLONG_MAX % (unsigned long long)base; + for (acc = 0, any = 0;; c = (unsigned char) *s++) { + if (isdigit(c)) + c -= '0'; + else if (isalpha(c)) + c -= isupper(c) ? 'A' - 10 : 'a' - 10; + else + break; + if (c >= base) + break; + if (any < 0) + continue; + if (acc > cutoff || (acc == cutoff && c > cutlim)) { + any = -1; + acc = ULLONG_MAX; + errno = ERANGE; + } else { + any = 1; + acc *= (unsigned long long)base; + acc += c; + } + } + if (neg && any > 0) + acc = -acc; + if (endptr != 0) + *endptr = (char *) (any ? s - 1 : nptr); + return (acc); +} +#endif /* !HAVE_STRTOULL */ -- cgit v1.2.1 From 762b4440cf8912413548325d3625cd880789a7a5 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 15 Feb 2013 01:18:32 +0000 Subject: - dtucker@cvs.openbsd.org 2013/02/15 00:21:01 [sshconnect2.c] Warn more loudly if an IdentityFile provided by the user cannot be read. bz #1981, ok djm@ --- ChangeLog | 4 ++++ sshconnect2.c | 19 ++++++++++++------- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0a5c5059..8edb2d88 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -11,6 +11,10 @@ [auth2-pubkey.c] Correct error message that had a typo and was logging the wrong thing; patch from Petr Lautrbach + - dtucker@cvs.openbsd.org 2013/02/15 00:21:01 + [sshconnect2.c] + Warn more loudly if an IdentityFile provided by the user cannot be read. + bz #1981, ok djm@ 20130214 - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. diff --git a/sshconnect2.c b/sshconnect2.c index 6791ea34..a306447b 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.190 2012/12/02 20:26:11 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.191 2013/02/15 00:21:01 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -248,6 +248,7 @@ struct identity { char *filename; /* comment for agent-only keys */ int tried; int isprivate; /* key points to the private key */ + int userprovided; }; TAILQ_HEAD(idlist, identity); @@ -312,7 +313,7 @@ void userauth(Authctxt *, char *); static int sign_and_send_pubkey(Authctxt *, Identity *); static void pubkey_prepare(Authctxt *); static void pubkey_cleanup(Authctxt *); -static Key *load_identity_file(char *); +static Key *load_identity_file(char *, int); static Authmethod *authmethod_get(char *authlist); static Authmethod *authmethod_lookup(const char *name); @@ -1186,7 +1187,7 @@ identity_sign(Identity *id, u_char **sigp, u_int *lenp, if (id->isprivate || (id->key->flags & KEY_FLAG_EXT)) return (key_sign(id->key, sigp, lenp, data, datalen)); /* load the private key from the file */ - if ((prv = load_identity_file(id->filename)) == NULL) + if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL) return (-1); ret = key_sign(prv, sigp, lenp, data, datalen); key_free(prv); 
@@ -1311,7 +1312,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id) } static Key * -load_identity_file(char *filename) +load_identity_file(char *filename, int userprovided) { Key *private; char prompt[300], *passphrase; @@ -1319,7 +1320,8 @@ load_identity_file(char *filename) struct stat st; if (stat(filename, &st) < 0) { - debug3("no such identity: %s", filename); + (userprovided ? logit : debug3)("no such identity: %s: %s", + filename, strerror(errno)); return NULL; } private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); @@ -1382,6 +1384,7 @@ pubkey_prepare(Authctxt *authctxt) id = xcalloc(1, sizeof(*id)); id->key = key; id->filename = xstrdup(options.identity_files[i]); + id->userprovided = 1; TAILQ_INSERT_TAIL(&files, id, next); } /* Prefer PKCS11 keys that are explicitly listed */ @@ -1446,7 +1449,8 @@ pubkey_prepare(Authctxt *authctxt) TAILQ_INSERT_TAIL(preferred, id, next); } TAILQ_FOREACH(id, preferred, next) { - debug2("key: %s (%p)", id->filename, id->key); + debug2("key: %s (%p),%s", id->filename, id->key, + id->userprovided ? " explicit" : ""); } } @@ -1491,7 +1495,8 @@ userauth_pubkey(Authctxt *authctxt) sent = send_pubkey_test(authctxt, id); } else if (id->key == NULL) { debug("Trying private key: %s", id->filename); - id->key = load_identity_file(id->filename); + id->key = load_identity_file(id->filename, + id->userprovided); if (id->key != NULL) { id->isprivate = 1; sent = sign_and_send_pubkey(authctxt, id); -- cgit v1.2.1 From 9e1e9af4b6bd84c78a07dde37383abc148594820 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 15 Feb 2013 01:20:41 +0000 Subject: - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul, group strto* function prototypes together. --- ChangeLog | 2 ++ openbsd-compat/openbsd-compat.h | 14 +++++++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8edb2d88..88e4fe26 100644 --- a/ChangeLog +++ b/ChangeLog 
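Review bot: `(userprovided ? logit : debug3)("no such identity: %s: %s", filename, strerror(errno));` in load_identity_file only type-checks because logit and debug3 currently share an identical prototype; a plain `if (userprovided) logit(...); else debug3(...);` reads more directly and keeps compiling if either logger later gains a different attribute or signature. The `strerror(errno)` is evaluated straight after the failed stat() with no intervening call, so the errno value is the right one. In pubkey_prepare the new format `"key: %s (%p),%s"` prints a dangling comma for non-explicit keys; `"key: %s (%p)%s"` with `", explicit"` as the suffix avoids that. load_identity_file's body continues outside the hunk.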
@@ -6,6 +6,8 @@ - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c openbsd-compat/openbsd-compat.h] Add strtoull to compat library for platforms that don't have it. + - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul, + group strto* function prototypes together. - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/02/14 21:35:59 [auth2-pubkey.c] diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 99cebef7..a8c579f4 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.54 2013/02/15 01:13:02 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -190,6 +190,14 @@ int snprintf(char *, size_t, SNPRINTF_CONST char *, ...); long long strtoll(const char *, char **, int); #endif +#ifndef HAVE_STRTOUL +unsigned long strtoul(const char *, char **, int); +#endif + +#ifndef HAVE_STRTOULL +unsigned long long strtoull(const char *, char **, int); +#endif + #ifndef HAVE_STRTONUM long long strtonum(const char *, long long, long long, const char **); #endif @@ -218,10 +226,6 @@ char *group_from_gid(gid_t, int); int timingsafe_bcmp(const void *, const void *, size_t); #endif -#ifndef HAVE_STRTOULL -unsigned long long strtoull(const char *, char **, int); -#endif - void *xmmap(size_t size); char *xcrypt(const char *password, const char *salt); char *shadow_pw(struct passwd *pw); -- cgit v1.2.1 From f6b50918867907da82fade2ad1f19919fb61ff8c Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 15 Feb 2013 03:55:38 +0000 Subject: - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes an argument. Pointed out by djm. --- ChangeLog | 2 ++ openbsd-compat/bsd-misc.c | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 88e4fe26..8dd37b2c 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -8,6 +8,8 @@ platforms that don't have it. - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul, group strto* function prototypes together. + - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes + an argument. Pointed out by djm. - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/02/14 21:35:59 [auth2-pubkey.c] diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index ad524b8b..8dc7d02d 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -253,10 +253,13 @@ isblank(int c) pid_t getpgid(pid_t pid) { -#ifdef HAVE_GETPGRP +#if defined(HAVE_GETPGRP) && !defined(GETPGRP_VOID) + return getpgrp(pid); +#elif defined(HAVE_GETPGRP) if (pid == 0) return getpgrp(); #endif + errno = ESRCH; return -1; } -- cgit v1.2.1 From 5d0f8fd78184ba13569ffdc49768012e8953f7cc Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 16 Feb 2013 06:32:31 +0000 Subject: - djm@cvs.openbsd.org 2013/02/16 06:08:45 [integrity.sh] make sure the fuzz offset is actually past the end of KEX for all KEX types. diffie-hellman-group-exchange-sha256 requires an offset around 2700. Noticed via test failures in portable OpenSSH on platforms that lack ECC and this the more byte-frugal ECDH KEX algorithms. --- ChangeLog | 9 +++++++++ regress/integrity.sh | 6 +++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8dd37b2c..406a609a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20130216 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/16 06:08:45 + [integrity.sh] + make sure the fuzz offset is actually past the end of KEX for all KEX + types. diffie-hellman-group-exchange-sha256 requires an offset around + 2700. Noticed via test failures in portable OpenSSH on platforms that + lack ECC and this the more byte-frugal ECDH KEX algorithms. + 20130215 - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from Iain Morgan 
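Review bot: The new `#if defined(HAVE_GETPGRP) && !defined(GETPGRP_VOID)` branch calls `getpgrp(pid)`, but nothing in this commit defines GETPGRP_VOID (the diffstat lists only ChangeLog and bsd-misc.c); unless configure.ac already runs AC_FUNC_GETPGRP, the macro is never set and the one-argument call is compiled on every platform with HAVE_GETPGRP, which fails against a `pid_t getpgrp(void)` prototype. On the void-getpgrp branch, `getpgid(getpid())` still fails with ESRCH even though getpgrp() could answer it; `if (pid == 0 || pid == getpid())` covers that caller cheaply. When the first branch is taken, `errno = ESRCH; return -1;` becomes unreachable, which some compilers warn about; an `#else` around the fallback keeps each configuration to one return path.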
diff --git a/regress/integrity.sh b/regress/integrity.sh index bcace97e..d779aa93 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,13 +1,13 @@ -# $OpenBSD: integrity.sh,v 1.2 2013/01/12 11:23:53 djm Exp $ +# $OpenBSD: integrity.sh,v 1.3 2013/02/16 06:08:45 djm Exp $ # Placed in the Public Domain. tid="integrity" -# start at byte 2500 (i.e. after kex) and corrupt at different offsets +# start at byte 2800 (i.e. after kex) and corrupt at different offsets # XXX the test hangs if we modify the low bytes of the packet length # XXX and ssh tries to read... tries=10 -startoffset=2500 +startoffset=2800 macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com hmac-sha1-96 hmac-md5-96 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com -- cgit v1.2.1 From bd6f8c3d1294d44bc7781f9830e5723633f2161c Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 17 Feb 2013 23:18:05 +0000 Subject: - djm@cvs.openbsd.org 2013/02/17 23:16:55 [integrity.sh] make the ssh command generates some output to ensure that there are at least offset+tries bytes in the stream. --- ChangeLog | 7 +++++++ regress/integrity.sh | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 406a609a..6f3a224a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20130217 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/17 23:16:55 + [integrity.sh] + make the ssh command generates some output to ensure that there are at + least offset+tries bytes in the stream. + 20130216 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/02/16 06:08:45 diff --git a/regress/integrity.sh b/regress/integrity.sh index d779aa93..4d104c14 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.3 2013/02/16 06:08:45 djm Exp $ +# $OpenBSD: integrity.sh,v 1.4 2013/02/17 23:16:55 djm Exp $ # Placed in the Public Domain. tid="integrity" 
@@ -46,7 +46,7 @@ for m in $macs; do *) macopt="-m $m";; esac output=$(${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ - 999.999.999.999 true 2>&1) + 999.999.999.999 'printf "%2048s" " "' 2>&1) if [ $? -eq 0 ]; then fail "ssh -m $m succeeds with bit-flip at $off" fi -- cgit v1.2.1 From 0cbd504b6be925e6b6e3d076e06699d05feee131 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 18 Feb 2013 22:28:32 +0000 Subject: - djm@cvs.openbsd.org 2013/02/18 22:26:47 [integrity.sh] crank the offset yet again; it was still fuzzing KEX one of Darren's portable test hosts at 2800 --- ChangeLog | 7 +++++++ regress/integrity.sh | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6f3a224a..afde4d9b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20130219 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/18 22:26:47 + [integrity.sh] + crank the offset yet again; it was still fuzzing KEX one of Darren's + portable test hosts at 2800 + 20130217 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/02/17 23:16:55 diff --git a/regress/integrity.sh b/regress/integrity.sh index 4d104c14..261e9f9a 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,13 +1,13 @@ -# $OpenBSD: integrity.sh,v 1.4 2013/02/17 23:16:55 djm Exp $ +# $OpenBSD: integrity.sh,v 1.5 2013/02/18 22:26:47 djm Exp $ # Placed in the Public Domain. tid="integrity" -# start at byte 2800 (i.e. after kex) and corrupt at different offsets +# start at byte 2900 (i.e. after kex) and corrupt at different offsets # XXX the test hangs if we modify the low bytes of the packet length # XXX and ssh tries to read... tries=10 -startoffset=2800 +startoffset=2900 macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com hmac-sha1-96 hmac-md5-96 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com -- cgit v1.2.1 From 15892d9f5c069973665b0ff7b12f794170751eff Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 19 Feb 2013 02:15:01 +0000 Subject: - djm@cvs.openbsd.org 2013/02/19 02:14:09 [integrity.sh] oops, forgot to increase the output of the ssh command to ensure that we actually reach $offset --- ChangeLog | 4 ++++ regress/Makefile | 2 ++ regress/integrity.sh | 4 ++-- regress/modpipe.c | 32 ++++++++++++++++++++++++++++++-- 4 files changed, 38 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index afde4d9b..bac8998c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,10 @@ [integrity.sh] crank the offset yet again; it was still fuzzing KEX one of Darren's portable test hosts at 2800 + - djm@cvs.openbsd.org 2013/02/19 02:14:09 + [integrity.sh] + oops, forgot to increase the output of the ssh command to ensure that + we actually reach $offset 20130217 - OpenBSD CVS Sync diff --git a/regress/Makefile b/regress/Makefile index 18f9f124..c3aec43f 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -90,6 +90,8 @@ TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" TEST_SSH_SSHKEYGEN?=ssh-keygen +CPPFLAGS=-I.. + t1: ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv diff --git a/regress/integrity.sh b/regress/integrity.sh index 261e9f9a..0a0146e0 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.5 2013/02/18 22:26:47 djm Exp $ +# $OpenBSD: integrity.sh,v 1.6 2013/02/19 02:14:09 djm Exp $ # Placed in the Public Domain. tid="integrity" @@ -46,7 +46,7 @@ for m in $macs; do *) macopt="-m $m";; esac output=$(${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ - 999.999.999.999 'printf "%2048s" " "' 2>&1) + 999.999.999.999 'printf "%4096s" " "' 2>&1) if [ $? -eq 0 ]; then fail "ssh -m $m succeeds with bit-flip at $off" fi diff --git a/regress/modpipe.c b/regress/modpipe.c index 439be4c9..b05915b6 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c 
@@ -14,16 +14,44 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: modpipe.c,v 1.1 2012/12/11 23:54:40 djm Exp $ */ +/* $Id: modpipe.c,v 1.2 2013/02/19 02:15:08 djm Exp $ */ #include #include #include #include +#include #include -#include #include +static void err(int, const char *, ...) __attribute__((format(printf, 2, 3))); +static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3))); + +static void +err(int r, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + fprintf(stderr, "%s: ", strerror(errno)); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); + exit(r); +} + +static void +errx(int r, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); + exit(r); +} + static void usage(void) { -- cgit v1.2.1 From f837d7ec5d972d5dce409995fb96370ea943bac1 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 19 Feb 2013 03:27:44 +0000 Subject: - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that lack support for SHA2. --- ChangeLog | 2 ++ regress/integrity.sh | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index bac8998c..09d5c130 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,8 @@ [integrity.sh] oops, forgot to increase the output of the ssh command to ensure that we actually reach $offset + - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that + lack support for SHA2. 20130217 - OpenBSD CVS Sync diff --git a/regress/integrity.sh b/regress/integrity.sh index 0a0146e0..2a93372f 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh 
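Review bot: The local err() prints the strerror text before the caller's message (`"%s: "` with strerror(errno), then vfprintf), the reverse of err(3)'s `message: strerror` order that this file presumably got from the header whose include is removed in the same hunk, so a message such as `open foo: No such file` now reads `No such file: open foo`; emitting strerror after the formatted text restores it, and errno should be captured first because vfprintf() may clobber it. Neither replacement is declared noreturn whereas err(3)/errx(3) are, so a compiler may now warn in any caller whose non-void path ends in errx(); `__attribute__((noreturn))` alongside the existing format attribute keeps that contract.
```c
static void
err(int r, const char *fmt, ...)
{
	va_list args;
	int saved_errno = errno;	/* vfprintf() may clobber errno */

	va_start(args, fmt);
	vfprintf(stderr, fmt, args);
	fprintf(stderr, ": %s\n", strerror(saved_errno));
	va_end(args);
	exit(r);
}
/* … unchanged: errx() … */
```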
@@ -9,11 +9,13 @@ tid="integrity" tries=10 startoffset=2900 macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com - hmac-sha1-96 hmac-md5-96 hmac-sha2-256 hmac-sha2-512 + hmac-sha1-96 hmac-md5-96 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com - hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com - hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" + hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com" +config_defined HAVE_EVP_SHA256 && + macs="$macs hmac-sha2-256 hmac-sha2-512 + hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" # The following are not MACs, but ciphers with integrated integrity. They are # handled specially below. config_defined OPENSSL_HAVE_EVPGCM && \ -- cgit v1.2.1 From d3cf109921ff869d78783e71f348c6fb438945d5 Mon Sep 17 00:00:00 2001 From: tim Date: Tue, 19 Feb 2013 19:53:29 +0000 Subject: - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix. --- ChangeLog | 3 +++ regress/cipher-speed.sh | 2 +- regress/try-ciphers.sh | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 09d5c130..41d49f6b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20130220 + - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix. + 20130219 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/02/18 22:26:47 diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 114191b8..21bf0f2e 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -40,7 +40,7 @@ for c in $ciphers; do n=0; for m in $macs; do case $c in aes*-gcm@openssh.com) test $n -gt 0 && break;; esac - n=$(($n + 1)) + n=`expr $n + 1` done; done ciphers="3des blowfish" diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 87ec7497..084a1457 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh 
@@ -32,7 +32,7 @@ for c in $ciphers; do case $c in aes*-gcm@openssh.com) test $n -gt 0 && break;; esac - n=$(($n + 1)) + n=`expr $n + 1` done done -- cgit v1.2.1 From afea195b8d7065dcbee9a8fd6a54a184db7bf5b1 Mon Sep 17 00:00:00 2001 From: tim Date: Wed, 20 Feb 2013 03:01:51 +0000 Subject: - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded err.h include from krl.c. Additional portability fixes for modpipe. OK djm --- ChangeLog | 4 ++++ Makefile.in | 12 +++++++----- krl.c | 1 - regress/Makefile | 6 +----- regress/modpipe.c | 3 ++- 5 files changed, 14 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 41d49f6b..cf50b468 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 20130220 - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix. + - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded + err.h include from krl.c. Additional portability fixes for modpipe. OK djm 20130219 - OpenBSD CVS Sync @@ -13,6 +15,8 @@ we actually reach $offset - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that lack support for SHA2. + - (djm) [regress/modpipe.c] Add local err, and errx functions for platforms + that do not have them. 20130217 - OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index ec3e1f41..44d59444 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.331 2013/02/12 00:00:34 djm Exp $ +# $Id: Makefile.in,v 1.332 2013/02/20 03:01:51 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -379,14 +379,16 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -tests interop-tests: $(TARGETS) +regress/modpipe: $(srcdir)/regress/modpipe.c + [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ + $(CC) $(CPPFLAGS) -o $@ $? \ + $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + +tests interop-tests: $(TARGETS) regress/modpipe BUILDDIR=`pwd`; \ [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ [ -f `pwd`/regress/Makefile ] || \ ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \ - [ -f `pwd`/regress/modpipe.c ] || \ - ln -s `cd $(srcdir) && pwd`/regress/modpipe.c `pwd`/regress/modpipe.c; \ - (cd regress && make prereq); \ TEST_SHELL="@TEST_SHELL@"; \ TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ diff --git a/krl.c b/krl.c index 5ed7bd7e..5a6bd14a 100644 --- a/krl.c +++ b/krl.c @@ -33,7 +33,6 @@ #include "buffer.h" #include "key.h" #include "authfile.h" -#include "err.h" #include "misc.h" #include "log.h" #include "xmalloc.h" diff --git a/regress/Makefile b/regress/Makefile index c3aec43f..779abf4f 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec -tests: prereq $(REGRESS_TARGETS) +tests: $(REGRESS_TARGETS) # Interop tests are not run by default interop interop-tests: t-exec-interop @@ -146,10 +146,6 @@ t9: $(OBJ)/t9.out test "${TEST_SSH_ECC}" != yes || \ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null -prereq: modpipe - -modpipe: modpipe.c - t-exec: ${LTESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ diff --git a/regress/modpipe.c b/regress/modpipe.c index b05915b6..1d422988 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c 
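Review bot: The new regress/modpipe rule compiles with `$(CC) $(CPPFLAGS)` but no `$(CFLAGS)`, so the compiler flags configure selected (optimisation, warnings and any hardening flags) are not applied to modpipe, unlike the other objects this Makefile builds; `$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \` restores them. `$?` expands only to prerequisites newer than the target, which happens to equal the single source here; `$<` states that intent directly and is the conventional choice for an explicit single-source rule.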
@@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: modpipe.c,v 1.2 2013/02/19 02:15:08 djm Exp $ */ +/* $Id: modpipe.c,v 1.3 2013/02/20 03:01:52 tim Exp $ */ #include #include @@ -23,6 +23,7 @@ #include #include #include +#include "openbsd-compat/getopt.c" static void err(int, const char *, ...) __attribute__((format(printf, 2, 3))); static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3))); -- cgit v1.2.1 From a24153e68e729611a9ba5684469d6f0a01ed71e1 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Feb 2013 10:13:27 +0000 Subject: - djm@cvs.openbsd.org 2013/02/20 08:27:50 [regress/integrity.sh regress/modpipe.c] Add an option to modpipe that warns if the modification offset it not reached in it's stream and turn it on for t-integrity. This should catch cases where the session is not fuzzed for being too short (cf. my last "oops" commit) --- ChangeLog | 7 +++++++ regress/modpipe.c | 25 ++++++++++++++++++------- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index cf50b468..99946236 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,13 @@ - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix. - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded err.h include from krl.c. Additional portability fixes for modpipe. OK djm + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/20 08:27:50 + [regress/integrity.sh regress/modpipe.c] + Add an option to modpipe that warns if the modification offset it not + reached in it's stream and turn it on for t-integrity. This should catch + cases where the session is not fuzzed for being too short (cf. my last + "oops" commit) 20130219 - OpenBSD CVS Sync diff --git a/regress/modpipe.c b/regress/modpipe.c index 1d422988..dca92760 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c 
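Review bot: `#include "openbsd-compat/getopt.c"` compiles getopt() and its optarg/optind/optreset definitions into modpipe.o while the Makefile.in rule for this target also links -lopenbsd-compat, whose object list includes getopt.o; that is only safe if the compat getopt.c guards itself out when libc already provides getopt, or if the archive member is never selected because the symbols are already defined, and a one-line comment stating why the source is included rather than linked (for example `/* compiled in directly so modpipe gets the compat getopt() on every platform; see Makefile.in */`, adjusted to the real reason) would save the next reader that analysis.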
@@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: modpipe.c,v 1.3 2013/02/20 03:01:52 tim Exp $ */ +/* $Id: modpipe.c,v 1.4 2013/02/20 10:13:29 djm Exp $ */ #include #include @@ -56,7 +56,7 @@ errx(int r, const char *fmt, ...) static void usage(void) { - fprintf(stderr, "Usage: modpipe [-m modspec ...] < in > out\n"); + fprintf(stderr, "Usage: modpipe -w [-m modspec ...] < in > out\n"); fprintf(stderr, "modspec is one of:\n"); fprintf(stderr, " xor:offset:value - XOR \"value\" at \"offset\"\n"); fprintf(stderr, " andor:offset:val1:val2 - AND \"val1\" then OR \"val2\" at \"offset\"\n"); @@ -100,15 +100,18 @@ main(int argc, char **argv) size_t total; ssize_t r, s, o; struct modification mods[MAX_MODIFICATIONS]; - u_int i, num_mods = 0; + u_int i, wflag = 0, num_mods = 0; - while ((ch = getopt(argc, argv, "m:")) != -1) { + while ((ch = getopt(argc, argv, "wm:")) != -1) { switch (ch) { case 'm': if (num_mods >= MAX_MODIFICATIONS) errx(1, "Too many modifications"); parse_modification(optarg, &(mods[num_mods++])); break; + case 'w': + wflag = 1; + break; default: usage(); /* NOTREACHED */ @@ -117,7 +120,7 @@ main(int argc, char **argv) for (total = 0;;) { r = s = read(STDIN_FILENO, buf, sizeof(buf)); if (r == 0) - return 0; + break; if (r < 0) { if (errno == EAGAIN || errno == EINTR) continue; @@ -140,7 +143,7 @@ main(int argc, char **argv) for (o = 0; o < s; o += r) { r = write(STDOUT_FILENO, buf, s - o); if (r == 0) - return 0; + break; if (r < 0) { if (errno == EAGAIN || errno == EINTR) continue; @@ -149,5 +152,13 @@ main(int argc, char **argv) } total += s; } - return 0; + /* Warn if modifications not reached in input stream */ + r = 0; + for (i = 0; wflag && i < num_mods; i++) { + if (mods[i].offset < total) + continue; + r = 1; + fprintf(stderr, "modpipe: warning - mod %u not reached\n", i); + } + return r; } -- cgit v1.2.1 From 172a0ecff9dd4ebe5c8cb13504dd644c329a3ee4 Mon Sep 17 00:00:00 2001 
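Review bot: In the write loop, `r = write(STDOUT_FILENO, buf, s - o);` restarts from `buf` on a short write instead of `buf + o`, so a partial write re-emits the start of the chunk and drops its tail; that line is context the commit keeps, but the new `break` on `r == 0` now makes a zero-length write silently fall through to `total += s` and the next read rather than ending the program, so the loop deserves `buf + o` and an explicit decision for r == 0. The usage string `"Usage: modpipe -w [-m modspec ...] < in > out"` shows -w as mandatory although the `"wm:"` getopt string makes it optional; `[-w]` matches the behaviour. The final `if (mods[i].offset < total)` compares offset with the size_t total; if offset is a signed type in struct modification, which is defined outside the hunk, that is a mixed-signedness comparison worth confirming.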
From: djm Date: Wed, 20 Feb 2013 10:16:07 +0000 Subject: - djm@cvs.openbsd.org 2013/02/20 08:29:27 [regress/modpipe.c] s/Id/OpenBSD/ in RCS tag --- ChangeLog | 3 +++ regress/modpipe.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 99946236..b527ff05 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ reached in it's stream and turn it on for t-integrity. This should catch cases where the session is not fuzzed for being too short (cf. my last "oops" commit) + - djm@cvs.openbsd.org 2013/02/20 08:29:27 + [regress/modpipe.c] + s/Id/OpenBSD/ in RCS tag 20130219 - OpenBSD CVS Sync diff --git a/regress/modpipe.c b/regress/modpipe.c index dca92760..1f17e41f 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: modpipe.c,v 1.4 2013/02/20 10:13:29 djm Exp $ */ +/* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */ #include #include -- cgit v1.2.1 From 4c26f33eea9982f55aa6d7ba5ef0071bb160781b Mon Sep 17 00:00:00 2001 From: tim Date: Thu, 21 Feb 2013 05:37:55 +0000 Subject: - (tim) [regress/forward-control.sh] shell portability fix. --- ChangeLog | 3 +++ regress/forward-control.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b527ff05..a87e7fb5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20130221 + - (tim) [regress/forward-control.sh] shell portability fix. + 20130220 - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix. - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 9d000bc7..ac20bacc 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh 
@@ -11,7 +11,7 @@ READY=$OBJ/ready wait_for_file_to_appear() { _path=$1 _n=0 - while test ! -e $_path ; do + while test ! -f $_path ; do test $_n -eq 1 && trace "waiting for $_path to appear" _n=`expr $_n + 1` test $_n -ge 5 && return 1 -- cgit v1.2.1 From e7041ed896b88cbb2ad6cb40416d28d50086fd16 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 21 Feb 2013 23:39:59 +0000 Subject: - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to ssh(1) since they're not needed. Patch from Pierre Ossman. --- ChangeLog | 4 ++++ Makefile.in | 8 +++++--- configure.ac | 28 ++++++++++++++-------------- 3 files changed, 23 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index a87e7fb5..706ec626 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20120222 + - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to + ssh(1) since they're not needed. Patch from Pierre Ossman. + 20130221 - (tim) [regress/forward-control.sh] shell portability fix. diff --git a/Makefile.in b/Makefile.in index 44d59444..6067063a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.332 2013/02/20 03:01:51 tim Exp $ +# $Id: Makefile.in,v 1.333 2013/02/21 23:40:00 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -44,6 +44,8 @@ LD=@LD@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ +K5LIBS=@K5LIBS@ +GSSLIBS=@GSSLIBS@ SSHLIBS=@SSHLIBS@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ 
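Review bot: The switch from `test ! -e` to `test ! -f` is not explained in the script, and the two are not equivalent: `-f` is false for a directory, FIFO or socket at `$_path`, so the loop would now time out on those where it previously returned. If, as the commit subject suggests, the motivation is that some older /bin/sh `test` builtins lack `-e`, record it on the line: `while test ! -f $_path ; do  # -f not -e: old /bin/sh test(1) lacks -e`. wait_for_file_to_appear continues past the end of this hunk.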
@@ -139,10 +141,10 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/configure.ac b/configure.ac index d62323d9..088bcb65 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.505 2013/02/15 01:13:01 dtucker Exp $ +# $Id: configure.ac,v 1.506 2013/02/21 23:40:00 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.505 $) +AC_REVISION($Revision: 1.506 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3624,6 +3624,9 @@ AC_ARG_WITH([kerberos5], [$KRB5ROOT/bin/krb5-config], [$KRB5ROOT/bin:$PATH]) if test -x $KRB5CONF ; then + K5CFLAGS="`$KRB5CONF --cflags`" + K5LIBS="`$KRB5CONF --libs`" + CPPFLAGS="$CPPFLAGS $K5CFLAGS" AC_MSG_CHECKING([for gssapi support]) if $KRB5CONF | grep gssapi >/dev/null ; then 
@@ -3631,14 +3634,12 @@ AC_ARG_WITH([kerberos5], AC_DEFINE([GSSAPI], [1], [Define this if you want GSSAPI support in the version 2 protocol]) - k5confopts=gssapi + GSSCFLAGS="`$KRB5CONF --cflags gssapi`" + GSSLIBS="`$KRB5CONF --libs gssapi`" + CPPFLAGS="$CPPFLAGS $GSSCFLAGS" else AC_MSG_RESULT([no]) - k5confopts="" fi - K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" - K5LIBS="`$KRB5CONF --libs $k5confopts`" - CPPFLAGS="$CPPFLAGS $K5CFLAGS" AC_MSG_CHECKING([whether we are using Heimdal]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ char *tmp = heimdal_version; ]])], @@ -3670,14 +3671,12 @@ AC_ARG_WITH([kerberos5], AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context], [ AC_DEFINE([GSSAPI]) - K5LIBS="-lgssapi_krb5 $K5LIBS" ], + GSSLIBS="-lgssapi_krb5" ], [ AC_CHECK_LIB([gssapi], [gss_init_sec_context], [ AC_DEFINE([GSSAPI]) - K5LIBS="-lgssapi $K5LIBS" ], - AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), - $K5LIBS) - ], - $K5LIBS) + GSSLIBS="-lgssapi" ], + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail])) + ]) AC_CHECK_HEADER([gssapi.h], , [ unset ac_cv_header_gssapi_h @@ -3705,12 +3704,13 @@ AC_ARG_WITH([kerberos5], AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h]) AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h]) - LIBS="$LIBS $K5LIBS" AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1], [Define this if you want to use libkafs' AFS support])]) fi ] ) +AC_SUBST([GSSLIBS]) +AC_SUBST([K5LIBS]) # Looking for programs, paths and files -- cgit v1.2.1 From cfcc9807a3e593ed451353fc3b0b05585f286050 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 21 Feb 2013 23:43:15 +0000 Subject: - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named libgss too. Patch from Pierre Ossman, ok djm. --- ChangeLog | 4 +++- configure.ac | 10 +++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 706ec626..d67e550c 100644 --- a/ChangeLog +++ b/ChangeLog 
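Review bot: Dropping the other-libraries argument (`$K5LIBS`) from the two `AC_CHECK_LIB` calls for `gss_init_sec_context` changes what the probe links: only `-lgssapi_krb5` (or `-lgssapi`) is now on the link line, so where that library is static, or the linker does not pull in its dependencies, the probe fails and GSSAPI is silently left undefined with nothing but the existing "build may fail" warning. If the intent is only to stop adding the krb5 libraries to GSSLIBS, keep them on the probe: `AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context], [ AC_DEFINE([GSSAPI]) GSSLIBS="-lgssapi_krb5" ], [ ... ], [$K5LIBS])`. Whether K5LIBS is already populated at this point in the non-krb5-config branch is not visible in the hunk and should be confirmed. The enclosing AC_ARG_WITH([kerberos5]) body starts and ends outside this hunk.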
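Review bot: Removing `LIBS="$LIBS $K5LIBS"` means the `AC_SEARCH_LIBS([k_hasafs], [kafs], ...)` that immediately follows, and every later link probe in configure, no longer has the Kerberos libraries on its link line. If libkafs depends on libkrb5 and the linker does not resolve that transitively, `k_hasafs` will not be found and USE_AFS is silently not defined, a behaviour change the commit message does not mention. Either pass `$K5LIBS` as the other-libraries argument of that AC_SEARCH_LIBS, or add a comment stating that AFS detection now relies on a self-contained libkafs. The surrounding AC_ARG_WITH body continues outside this hunk.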
@@ -1,6 +1,8 @@ 20120222 - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to - ssh(1) since they're not needed. Patch from Pierre Ossman. + ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. + - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named + libgss too. Patch from Pierre Ossman, ok djm. 20130221 - (tim) [regress/forward-control.sh] shell portability fix. diff --git a/configure.ac b/configure.ac index 088bcb65..6c11f0b9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.506 2013/02/21 23:40:00 dtucker Exp $ +# $Id: configure.ac,v 1.507 2013/02/21 23:43:16 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.506 $) +AC_REVISION($Revision: 1.507 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3675,7 +3675,11 @@ AC_ARG_WITH([kerberos5], [ AC_CHECK_LIB([gssapi], [gss_init_sec_context], [ AC_DEFINE([GSSAPI]) GSSLIBS="-lgssapi" ], - AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail])) + [ AC_CHECK_LIB([gss], [gss_init_sec_context], + [ AC_DEFINE([GSSAPI]) + GSSLIBS="-lgss" ], + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail])) + ]) ]) AC_CHECK_HEADER([gssapi.h], , -- cgit v1.2.1 From 321a50f3345104264d6821e71bc834b9d91e46c5 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 22 Feb 2013 00:37:00 +0000 Subject: - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com; ok dtucker --- ChangeLog | 3 ++ configure.ac | 86 +++++++++++++++++++++++++++--------------------- sandbox-seccomp-filter.c | 8 +++++ 3 files changed, 60 insertions(+), 37 deletions(-) diff --git a/ChangeLog b/ChangeLog index d67e550c..c8f85fd8 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,9 @@ ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named libgss too. Patch from Pierre Ossman, ok djm. + - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux + seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com; + ok dtucker 20130221 - (tim) [regress/forward-control.sh] shell portability fix. diff --git a/configure.ac b/configure.ac index 6c11f0b9..e526390f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.507 2013/02/21 23:43:16 dtucker Exp $ +# $Id: configure.ac,v 1.508 2013/02/22 00:37:00 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.507 $) +AC_REVISION($Revision: 1.508 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -120,31 +120,6 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ #include #include ]) -if test "x$have_linux_no_new_privs" = "x1" ; then -AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ - #include - #include -]) -fi -if test "x$have_seccomp_filter" = "x1" ; then -AC_MSG_CHECKING([kernel for seccomp_filter support]) -AC_LINK_IFELSE([AC_LANG_PROGRAM([[ - #include - #include - #include - #include - ]], - [[ errno = 0; - prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); - exit(errno == EFAULT ? 0 : 1); ]])], - [ AC_MSG_RESULT([yes]) ], [ - AC_MSG_RESULT([no]) - # Disable seccomp filter as a target - have_seccomp_filter=0 - ] -) -fi - use_stack_protector=1 AC_ARG_WITH([stackprotect], [ --without-stackprotect Don't use compiler's stack protection], [ @@ -321,6 +296,7 @@ AC_CHECK_HEADERS([ \ crypto/sha2.h \ dirent.h \ endian.h \ + elf.h \ features.h \ fcntl.h \ floatingpoint.h \ 
@@ -700,20 +676,26 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [], [], [#include ]) AC_CHECK_FUNCS([prctl]) - have_seccomp_audit_arch=1 + AC_MSG_CHECKING([for seccomp architecture]) + seccomp_audit_arch= case "$host" in x86_64-*) - AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64], - [Specify the system call convention in use]) + seccomp_audit_arch=AUDIT_ARCH_X86_64 ;; i*86-*) - AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386], - [Specify the system call convention in use]) - ;; - *) - have_seccomp_audit_arch=0 + seccomp_audit_arch=AUDIT_ARCH_I386 ;; + arm*-*) + seccomp_audit_arch=AUDIT_ARCH_ARM + ;; esac + if test "x$seccomp_audit_arch" != "x" ; then + AC_MSG_RESULT(["$seccomp_audit_arch"]) + AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch], + [Specify the system call convention in use]) + else + AC_MSG_RESULT([architecture not supported]) + fi ;; mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty]) @@ -2629,6 +2611,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], [non-privileged user for privilege separation]) AC_SUBST([SSH_PRIVSEP_USER]) +if test "x$have_linux_no_new_privs" = "x1" ; then +AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ + #include + #include +]) +fi +if test "x$have_seccomp_filter" = "x1" ; then +AC_MSG_CHECKING([kernel for seccomp_filter support]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([[ + #include + #include + #include + #include + #include + #include + ]], + [[ int i = $seccomp_audit_arch; + errno = 0; + prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); + exit(errno == EFAULT ? 0 : 1); ]])], + [ AC_MSG_RESULT([yes]) ], [ + AC_MSG_RESULT([no]) + # Disable seccomp filter as a target + have_seccomp_filter=0 + ] +) +fi + # Decide which sandbox style to use sandbox_arg="" AC_ARG_WITH([sandbox], 
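Review bot: The new `arm*-*)` case also matches big-endian triplets such as `armeb-*-linux-gnueabi`, yet it unconditionally selects `AUDIT_ARCH_ARM`, while linux/audit.h defines a separate `AUDIT_ARCH_ARMEB` for that case. If, as is usual for this kind of filter, the BPF program first rejects any syscall whose `seccomp_data.arch` differs from SECCOMP_AUDIT_ARCH, an armeb build would get a sandbox that kills the pre-auth child on its first syscall. Add `armeb*-*) seccomp_audit_arch=AUDIT_ARCH_ARMEB ;;` before the `arm*-*)` case, since case patterns are tried in order. A comment on the case statement noting that more specific triplets must precede the `arm*` glob would keep future additions honest.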
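Review bot: The probe labelled "kernel for seccomp_filter support" is an `AC_LINK_IFELSE`, which compiles and links the program but never runs it, so the `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0)` call and the `exit(errno == EFAULT ? 0 : 1)` test of the running kernel are dead code; the check only proves that the headers and `prctl` link. Either switch to `AC_RUN_IFELSE` with a cross-compiling fallback, or rename the message to something like "whether seccomp_filter headers and prctl are usable" so the result is not over-read. The line `int i = $seccomp_audit_arch;` also does double duty: when no architecture matched it expands to `int i = ;` and the resulting syntax error is what disables the sandbox, which is fragile and buries the real reason in the compiler output. Guard it explicitly instead: `if test "x$have_seccomp_filter" = "x1" && test "x$seccomp_audit_arch" != "x" ; then`.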
@@ -2716,11 +2726,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \ elif test "x$sandbox_arg" = "xseccomp_filter" || \ ( test -z "$sandbox_arg" && \ test "x$have_seccomp_filter" = "x1" && \ + test "x$ac_cv_header_elf_h" = "xyes" && \ test "x$ac_cv_header_linux_audit_h" = "xyes" && \ - test "x$have_seccomp_audit_arch" = "x1" && \ + test "x$ac_cv_header_linux_filter_h" = "xyes" && \ + test "x$seccomp_audit_arch" != "x" && \ test "x$have_linux_no_new_privs" = "x1" && \ test "x$ac_cv_func_prctl" = "xyes" ) ; then - test "x$have_seccomp_audit_arch" != "x1" && \ + test "x$seccomp_audit_arch" = "x" && \ AC_MSG_ERROR([seccomp_filter sandbox not supported on $host]) test "x$have_linux_no_new_privs" != "x1" && \ AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS]) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index ef2b13c4..e1241839 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -44,6 +44,7 @@ #include #include #include +#include #include @@ -90,7 +91,9 @@ static const struct sock_filter preauth_insns[] = { SC_DENY(open, EACCES), SC_ALLOW(getpid), SC_ALLOW(gettimeofday), +#ifdef __NR_time /* not defined on EABI ARM */ SC_ALLOW(time), +#endif SC_ALLOW(read), SC_ALLOW(write), SC_ALLOW(close), @@ -102,7 +105,12 @@ static const struct sock_filter preauth_insns[] = { SC_ALLOW(select), #endif SC_ALLOW(madvise), +#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ + SC_ALLOW(mmap2), +#endif +#ifdef __NR_mmap SC_ALLOW(mmap), +#endif SC_ALLOW(munmap), SC_ALLOW(exit_group), #ifdef __NR_rt_sigprocmask -- cgit v1.2.1 From 4adf632d45e40714ac609dabf59b858eb80ae7f5 Mon Sep 17 00:00:00 2001 
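Review bot: Wrapping `SC_ALLOW(time)` in `#ifdef __NR_time` is right for EABI ARM, but it leaves `gettimeofday` and (where present) `time` as the only time-related syscalls allowed in this hunk; if the C library implements `time()` or `gettimeofday()` on top of `clock_gettime(2)`, which some libc/target combinations do, the pre-auth child will be killed on its first call. Consider adding `#ifdef __NR_clock_gettime` / `SC_ALLOW(clock_gettime),` / `#endif` beside the `time` entry, or at least a comment recording which libc and kernel the list was verified against. The `preauth_insns` array starts and ends outside this hunk.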
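Review bot: The comment `/* EABI ARM only has mmap2() */` on the new `#ifdef __NR_mmap2` reads as if mmap2 were ARM-specific, but i386 also defines `__NR_mmap2`, so on that target both `mmap` and `mmap2` are now allowed where before only `mmap` was, a small widening of the pre-auth syscall set the commit message does not mention. Say so on the line so the next reader does not "fix" it: `#ifdef __NR_mmap2 /* EABI ARM has only mmap2(); i386 has both, so both are allowed */`. If SC_ALLOW matches on syscall number alone, as its use here suggests, this allow does not restrict PROT_EXEC mappings any more than the existing `mmap` entry does. The `preauth_insns` array starts and ends outside this hunk.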
From: djm Date: Fri, 22 Feb 2013 22:12:23 +0000 Subject: - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu. ok tim --- ChangeLog | 5 +++++ configure.ac | 6 +++--- includes.h | 6 ++++-- loginrec.c | 4 ---- mux.c | 4 ---- sftp.c | 4 ---- 6 files changed, 12 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index c8f85fd8..4ec2282d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20120223 + - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer + bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu. + ok tim + 20120222 - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. diff --git a/configure.ac b/configure.ac index e526390f..3ea3f8a3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.508 2013/02/22 00:37:00 djm Exp $ +# $Id: configure.ac,v 1.509 2013/02/22 22:12:24 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.508 $) +AC_REVISION($Revision: 1.509 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1163,7 +1163,7 @@ AC_CHECK_FUNCS([utimes], ) dnl Checks for libutil functions -AC_CHECK_HEADERS([libutil.h]) +AC_CHECK_HEADERS([bsd/libutil.h libutil.h]) AC_SEARCH_LIBS([fmt_scaled], [util bsd]) AC_SEARCH_LIBS([login], [util bsd]) AC_SEARCH_LIBS([logout], [util bsd]) diff --git a/includes.h b/includes.h index b4c53d9b..3e206c89 100644 --- a/includes.h +++ b/includes.h @@ -137,8 +137,10 @@ # include #endif -#ifdef HAVE_LIBUTIL_H -# include /* Openpty on FreeBSD at least */ +#if defined(HAVE_BSD_LIBUTIL_H) +# include +#elif defined(HAVE_LIBUTIL_H) +# include #endif #if defined(KRB5) && defined(USE_AFS) 
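Review bot: The new `#if defined(HAVE_BSD_LIBUTIL_H) ... #elif defined(HAVE_LIBUTIL_H)` block drops the only comment explaining why the header is pulled in (`/* Openpty on FreeBSD at least */`) and does not record why bsd/libutil.h is now preferred. Suggest keeping a why-comment on the new block, e.g. `/* openpty(3), login(3) etc.; prefer libbsd's <bsd/libutil.h> since its <libutil.h> wrapper is deprecated on Ubuntu */`. The companion hunks remove the same include from loginrec.c, mux.c and sftp.c, which is only safe if each already includes includes.h before using those functions; that is not visible here and is worth confirming.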
diff --git a/loginrec.c b/loginrec.c index 32941c98..f9662fa5 100644 --- a/loginrec.c +++ b/loginrec.c @@ -180,10 +180,6 @@ # include #endif -#ifdef HAVE_LIBUTIL_H -# include -#endif - /** ** prototypes for helper functions in this file **/ diff --git a/mux.c b/mux.c index 1b24660b..1ae0e091 100644 --- a/mux.c +++ b/mux.c @@ -63,10 +63,6 @@ # include #endif -#ifdef HAVE_LIBUTIL_H -# include -#endif - #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "log.h" diff --git a/sftp.c b/sftp.c index 9a53b12b..342ae7ef 100644 --- a/sftp.c +++ b/sftp.c @@ -54,10 +54,6 @@ typedef void EditLine; # include #endif -#ifdef HAVE_LIBUTIL_H -# include -#endif - #include "xmalloc.h" #include "log.h" #include "pathnames.h" -- cgit v1.2.1 From 904aa622625475357762f71bf42cd2a316e05052 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 24 Feb 2013 23:32:27 +0000 Subject: welcome to 2013 --- ChangeLog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4ec2282d..3d060e2c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,9 +1,9 @@ -20120223 +20130223 - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu. ok tim -20120222 +20130222 - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named -- cgit v1.2.1 From 32ac631357d9b32398373506d63afa885420e73a Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 25 Feb 2013 00:24:44 +0000 Subject: - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed to use Solaris native GSS libs. Patch from Pierre Ossman. --- ChangeLog | 4 ++++ configure.ac | 18 ++++++++++++++++-- ssh-gss.h | 11 ++++++----- 3 files changed, 26 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3d060e2c..0d0340f8 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,7 @@ +20130225 + - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed + to use Solaris native GSS libs. Patch from Pierre Ossman. + 20130223 - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu. diff --git a/configure.ac b/configure.ac index 3ea3f8a3..f2d67119 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.509 2013/02/22 22:12:24 djm Exp $ +# $Id: configure.ac,v 1.510 2013/02/25 00:24:44 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.509 $) +AC_REVISION($Revision: 1.510 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3722,6 +3722,20 @@ AC_ARG_WITH([kerberos5], AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1], [Define this if you want to use libkafs' AFS support])]) + + AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[ +#ifdef HAVE_GSSAPI_H +# include +#elif defined(HAVE_GSSAPI_GSSAPI_H) +# include +#endif + +#ifdef HAVE_GSSAPI_GENERIC_H +# include +#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H) +# include +#endif + ]]) fi ] ) diff --git a/ssh-gss.h b/ssh-gss.h index c29a1b7e..077e13ce 100644 --- a/ssh-gss.h +++ b/ssh-gss.h @@ -42,12 +42,13 @@ # include # endif -/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ +/* Old MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ -#ifndef GSS_C_NT_HOSTBASED_SERVICE -#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name -#endif /* GSS_C_NT_... */ -#endif /* !HEIMDAL */ +# if !HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE +# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +# endif /* !HAVE_DECL_GSS_C_NT_... */ + +# endif /* !HEIMDAL */ #endif /* KRB5 */ /* draft-ietf-secsh-gsskeyex-06 */ -- cgit v1.2.1 
From 5ccc8dd744b47f287ad0c407496d57bda74dd87d Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 26 Feb 2013 07:58:06 +0000 Subject: - djm@cvs.openbsd.org 2013/02/20 08:27:50 [integrity.sh] Add an option to modpipe that warns if the modification offset it not reached in it's stream and turn it on for t-integrity. This should catch cases where the session is not fuzzed for being too short (cf. my last "oops" commit) --- ChangeLog | 9 +++++++++ regress/integrity.sh | 4 ++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0d0340f8..076aca70 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20130226 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/02/20 08:27:50 + [integrity.sh] + Add an option to modpipe that warns if the modification offset it not + reached in it's stream and turn it on for t-integrity. This should catch + cases where the session is not fuzzed for being too short (cf. my last + "oops" commit) + 20130225 - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed to use Solaris native GSS libs. Patch from Pierre Ossman. diff --git a/regress/integrity.sh b/regress/integrity.sh index 2a93372f..a57ec87f 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.6 2013/02/19 02:14:09 djm Exp $ +# $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $ # Placed in the Public Domain. tid="integrity" @@ -42,7 +42,7 @@ for m in $macs; do continue fi # modify output from sshd at offset $off - pxy="proxycommand=$cmd | $OBJ/modpipe -m xor:$off:1" + pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" case $m in aes*gcm*) macopt="-c $m";; *) macopt="-m $m";; -- cgit v1.2.1 From 142bfbc9397722dc24742da7c390ef35e053d5b6 Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 26 Feb 2013 08:41:30 +0000 Subject: - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage for UsePAM=yes configuration --- ChangeLog | 2 ++ regress/integrity.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 076aca70..f363ef2c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ reached in it's stream and turn it on for t-integrity. This should catch cases where the session is not fuzzed for being too short (cf. my last "oops" commit) + - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage + for UsePAM=yes configuration 20130225 - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed diff --git a/regress/integrity.sh b/regress/integrity.sh index a57ec87f..78fb5326 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -22,7 +22,7 @@ config_defined OPENSSL_HAVE_EVPGCM && \ macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" # sshd-command for proxy (see test-exec.sh) -cmd="sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" +cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" jot() { awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } }" -- cgit v1.2.1 From 95b8f5ad624fa5875a727812972615a6e7259f83 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 26 Feb 2013 23:48:18 +0000 Subject: - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Crank version numbers --- ChangeLog | 4 ++++ README | 4 ++-- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 5 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index f363ef2c..4d125e3d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,7 @@ +20130227 + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Crank version numbers + 20130226 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/02/20 08:27:50 diff --git a/README b/README index 81cb922b..21dc6e1f 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-6.1 for the release notes. +See http://www.openssh.com/txt/release-6.2 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.81 2012/08/22 11:57:13 djm Exp $ +$Id: README,v 1.82 2013/02/26 23:48:19 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 9fd07953..196bd790 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 6.1p1 +%define version 6.2p1 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.78 2012/08/22 11:57:15 djm Exp $ +$Id: openssh.spec,v 1.79 2013/02/26 23:48:20 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index f74ad448..3898c6c9 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 6.1p1 +%define ver 6.2p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 3b8abecc..960feae0 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec 
@@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 6.1p1 +Version: 6.2p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.1 From f42a7d52ac80e8199a0aa3f870c9c63d614577be Mon Sep 17 00:00:00 2001 From: tim Date: Wed, 27 Feb 2013 03:35:26 +0000 Subject: - (tim) [regress/forward-control.sh] use sh in case login shell is csh. --- ChangeLog | 1 + regress/forward-control.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4d125e3d..c58b0999 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20130227 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Crank version numbers + - (tim) [regress/forward-control.sh] use sh in case login shell is csh. 20130226 - OpenBSD CVS Sync diff --git a/regress/forward-control.sh b/regress/forward-control.sh index ac20bacc..80687489 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh @@ -41,7 +41,7 @@ check_lfwd() { ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ -L$LFWD_PORT:127.0.0.1:$PORT \ -o ExitOnForwardFailure=yes \ - -n host "sleep 60 & echo \$! > $READY ; wait " \ + -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ >/dev/null 2>&1 & _sshpid=$! wait_for_file_to_appear $READY || \ @@ -71,7 +71,7 @@ check_rfwd() { ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ -R$RFWD_PORT:127.0.0.1:$PORT \ -o ExitOnForwardFailure=yes \ - -n host "sleep 60 & echo \$! > $READY ; wait " \ + -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ >/dev/null 2>&1 & _sshpid=$! wait_for_file_to_appear $READY -- cgit v1.2.1 From 1a6c2ae7a67bda40c9ca57f8ca836efbc709742a Mon Sep 17 00:00:00 2001 From: tim Date: Wed, 27 Feb 2013 04:27:29 +0000 Subject: - (tim) [regress/integrity.sh] shell portability fix. --- ChangeLog | 1 + regress/integrity.sh | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 10 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index c58b0999..2adfc510 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Crank version numbers - (tim) [regress/forward-control.sh] use sh in case login shell is csh. + - (tim) [regress/integrity.sh] shell portability fix. 20130226 - OpenBSD CVS Sync diff --git a/regress/integrity.sh b/regress/integrity.sh index 78fb5326..8ed8d080 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -35,8 +35,8 @@ for m in $macs; do emac=0 ecnt=0 skip=0 - for off in $(jot $tries $startoffset); do - skip=$((skip - 1)) + for off in `jot $tries $startoffset`; do + skip=`expr $skip - 1` if [ $skip -gt 0 ]; then # avoid modifying the high bytes of the length continue @@ -47,19 +47,19 @@ for m in $macs; do aes*gcm*) macopt="-c $m";; *) macopt="-m $m";; esac - output=$(${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ - 999.999.999.999 'printf "%4096s" " "' 2>&1) + output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ + 999.999.999.999 'printf "%4096s" " "' 2>&1` if [ $? -eq 0 ]; then fail "ssh -m $m succeeds with bit-flip at $off" fi - ecnt=$((ecnt+1)) - output=$(echo $output | tr -s '\r\n' '.') + ecnt=`expr $ecnt + 1` + output=`echo $output | tr -s '\r\n' '.'` verbose "test $tid: $m @$off $output" case "$output" in - Bad?packet*) elen=$((elen+1)); skip=3;; + Bad?packet*) elen=`expr $elen + 1`; skip=3;; Corrupted?MAC* | Decryption?integrity?check?failed*) - emac=$((emac+1)); skip=0;; - padding*) epad=$((epad+1)); skip=0;; + emac=`expr $emac + 1`; skip=0;; + padding*) epad=`expr $epad + 1`; skip=0;; *) fail "unexpected error mac $m at $off";; esac done @@ -67,7 +67,7 @@ for m in $macs; do if [ $emac -eq 0 ]; then fail "$m: no mac errors" fi - expect=$((ecnt-epad-elen)) + expect=`expr $ecnt - $epad - $elen` if [ $emac -ne $expect ]; then fail "$m: expected $expect mac errors, got $emac" fi -- cgit v1.2.1 
From 120baceaa3ee90685b31c374ca9cc220150c002e Mon Sep 17 00:00:00 2001 From: tim Date: Wed, 27 Feb 2013 05:49:09 +0000 Subject: - (tim) [regress/integrity.sh] keep old solaris awk from hanging. --- ChangeLog | 1 + regress/integrity.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2adfc510..9c5b1e57 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ [contrib/suse/openssh.spec] Crank version numbers - (tim) [regress/forward-control.sh] use sh in case login shell is csh. - (tim) [regress/integrity.sh] shell portability fix. + - (tim) [regress/integrity.sh] keep old solaris awk from hanging. 20130226 - OpenBSD CVS Sync diff --git a/regress/integrity.sh b/regress/integrity.sh index 8ed8d080..4d46926d 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -25,7 +25,7 @@ config_defined OPENSSL_HAVE_EVPGCM && \ cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" jot() { - awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } }" + awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" } for m in $macs; do -- cgit v1.2.1 From 4963a02eca6a843ea3805f8ec25177e3ab913a16 Mon Sep 17 00:00:00 2001 From: tim Date: Wed, 27 Feb 2013 06:48:31 +0000 Subject: - (tim) [regress/krl.sh] keep old solaris awk from hanging. --- ChangeLog | 1 + regress/krl.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 9c5b1e57..2dcde27c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,7 @@ - (tim) [regress/forward-control.sh] use sh in case login shell is csh. - (tim) [regress/integrity.sh] shell portability fix. - (tim) [regress/integrity.sh] keep old solaris awk from hanging. + - (tim) [regress/krl.sh] keep old solaris awk from hanging. 20130226 - OpenBSD CVS Sync diff --git a/regress/krl.sh b/regress/krl.sh index 09d26ab5..62a239c3 100644 --- a/regress/krl.sh +++ b/regress/krl.sh 
@@ -40,7 +40,7 @@ serial: 599-701 EOF jot() { - awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } }" + awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" } # A specification that revokes some certificated by key ID. -- cgit v1.2.1 From 31923387399d06a9e33c4abfbeab78e50e265dd4 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 4 Mar 2013 22:49:00 +0000 Subject: - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for HP/UX. Spotted by Kevin Brott --- ChangeLog | 4 ++++ regress/modpipe.c | 21 ++++++++++++++++----- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2dcde27c..8190c663 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130305 + - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for + HP/UX. Spotted by Kevin Brott + 20130227 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Crank version numbers diff --git a/regress/modpipe.c b/regress/modpipe.c index 1f17e41f..9629aa80 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -16,6 +16,8 @@ /* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */ +#include "includes.h" + #include #include #include 
@@ -74,20 +76,29 @@ static void parse_modification(const char *s, struct modification *m) { char what[16+1]; - int n; + int n, m1, m2; bzero(m, sizeof(*m)); - if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%hhi%*[:]%hhi", - what, &m->offset, &m->m1, &m->m2)) < 3) + if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i", + what, &m->offset, &m1, &m2)) < 3) errx(1, "Invalid modification spec \"%s\"", s); if (strcasecmp(what, "xor") == 0) { - m->what = MOD_XOR; if (n > 3) errx(1, "Invalid modification spec \"%s\"", s); + if (m1 < 0 || m1 > 0xff) + errx(1, "Invalid XOR modification value"); + m->what = MOD_XOR; + m->m1 = m1; } else if (strcasecmp(what, "andor") == 0) { - m->what = MOD_AND_OR; if (n != 4) errx(1, "Invalid modification spec \"%s\"", s); + if (m1 < 0 || m1 > 0xff) + errx(1, "Invalid AND modification value"); + if (m2 < 0 || m2 > 0xff) + errx(1, "Invalid OR modification value"); + m->what = MOD_AND_OR; + m->m1 = m1; + m->m2 = m2; } else errx(1, "Invalid modification type \"%s\"", what); } -- cgit v1.2.1 From f01cb0b53a83ea64da5218eeb4deb534980c7fc9 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 5 Mar 2013 08:57:39 +0000 Subject: - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by Kevin Brott. --- ChangeLog | 2 ++ configure.ac | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8190c663..15f20c8b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20130305 - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for HP/UX. Spotted by Kevin Brott + - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by + Kevin Brott. 20130227 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/configure.ac b/configure.ac index f2d67119..bd8b21d6 100644 --- a/configure.ac +++ b/configure.ac 
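Review bot: The new range checks cover `m1` and `m2` but not the offset: `%lli` accepts a leading minus, so `xor:-5:1` still parses and is stored in `m->offset`, and the `-w` warning loop elsewhere in this file then compares that negative value against an unsigned total. Add, right after the `sscanf` count check, `if (m->offset < 0) errx(1, "Invalid modification offset");`. The switch to `%i` also means the byte values now accept `0x` hex and leading-zero octal; a one-line comment saying so would spare a surprised user, since `010` is 8 here.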
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.510 2013/02/25 00:24:44 dtucker Exp $ +# $Id: configure.ac,v 1.511 2013/03/05 08:57:39 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.510 $) +AC_REVISION($Revision: 1.511 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2744,7 +2744,7 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ - test "x$select_works_with_rlimit" == "xyes" ) ; then + test "x$select_works_with_rlimit" = "xyes" ) ; then test "x$ac_cv_func_setrlimit" != "xyes" && \ AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) test "x$select_works_with_rlimit" != "xyes" && \ -- cgit v1.2.1 From 8f144a46adc22e713bff46c6befb6ff416331008 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 5 Mar 2013 09:02:24 +0000 Subject: add Amit. --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 15f20c8b..31e45f76 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,7 +2,7 @@ - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for HP/UX. Spotted by Kevin Brott - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by - Kevin Brott. + Amit Kulkarni and Kevin Brott. 20130227 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] -- cgit v1.2.1 From 1e70ada86cc71f85552b1551ab01d505ffd32196 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Tue, 5 Mar 2013 10:50:09 +0000 Subject: - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin Brott. --- ChangeLog | 3 +++ Makefile.in | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 31e45f76..f3340b6e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ HP/UX. Spotted by Kevin Brott - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by Amit Kulkarni and Kevin Brott. + - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure + build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin + Brott. 20130227 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/Makefile.in b/Makefile.in index 6067063a..45509658 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.333 2013/02/21 23:40:00 dtucker Exp $ +# $Id: Makefile.in,v 1.334 2013/03/05 10:50:09 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -37,7 +37,7 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ - -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ + -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" CC=@CC@ LD=@LD@ -- cgit v1.2.1 From 08b71f11009f4b8066dec1f9e23d77f3b55286cf Mon Sep 17 00:00:00 2001 From: tim Date: Tue, 5 Mar 2013 22:23:58 +0000 Subject: - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov. --- ChangeLog | 1 + Makefile.in | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f3340b6e..36a52deb 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -6,6 +6,7 @@ - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin Brott. + - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov. 20130227 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/Makefile.in b/Makefile.in index 45509658..38ffbdc3 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.334 2013/03/05 10:50:09 dtucker Exp $ +# $Id: Makefile.in,v 1.335 2013/03/05 22:23:59 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -381,7 +381,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -regress/modpipe: $(srcdir)/regress/modpipe.c +regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ $(CC) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -- cgit v1.2.1 From b56e0644fc42fdc5d923e824d5528e2dce3e4f4f Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 6 Mar 2013 03:06:48 +0000 Subject: - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding connection to start so that the test works on slower machines. --- ChangeLog | 4 ++++ regress/forward-control.sh | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 36a52deb..e3d52434 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130306 + - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding + connection to start so that the test works on slower machines. + 20130305 - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for HP/UX. Spotted by Kevin Brott diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 80687489..80ddb416 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh 
@@ -14,7 +14,7 @@ wait_for_file_to_appear() { while test ! -f $_path ; do test $_n -eq 1 && trace "waiting for $_path to appear" _n=`expr $_n + 1` - test $_n -ge 5 && return 1 + test $_n -ge 20 && return 1 sleep 1 done return 0 @@ -26,7 +26,7 @@ wait_for_process_to_exit() { while kill -0 $_pid 2>/dev/null ; do test $_n -eq 1 && trace "waiting for $_pid to exit" _n=`expr $_n + 1` - test $_n -ge 5 && return 1 + test $_n -ge 20 && return 1 sleep 1 done return 0 -- cgit v1.2.1 From 638c20595f2bf970a3074d40c496c5c5cfe43842 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 6 Mar 2013 06:48:48 +0000 Subject: - (dtucker) [configure.ac] test that we can set number of file descriptors to zero with setrlimit before enabling the rlimit sandbox. This affects (at least) HPUX 11.11. --- ChangeLog | 3 +++ configure.ac | 33 ++++++++++++++++++++++++++++++--- 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index e3d52434..c4042efd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20130306 - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding connection to start so that the test works on slower machines. + - (dtucker) [configure.ac] test that we can set number of file descriptors + to zero with setrlimit before enabling the rlimit sandbox. This affects + (at least) HPUX 11.11. 20130305 - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for diff --git a/configure.ac b/configure.ac index bd8b21d6..ccf3373b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.511 2013/03/05 08:57:39 dtucker Exp $ +# $Id: configure.ac,v 1.512 2013/03/06 06:48:48 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.511 $) +AC_REVISION($Revision: 1.512 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -2690,6 +2690,32 @@ AC_RUN_IFELSE( [AC_MSG_WARN([cross compiling: assuming yes])] ) +AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#ifdef HAVE_SYS_TIME_H +# include +#endif +#include +#include +#include + ]],[[ + struct rlimit rl_zero; + int fd, r; + fd_set fds; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + r = setrlimit(RLIMIT_NOFILE, &rl_zero); + exit (r == -1 ? 1 : 0); + ]])], + [AC_MSG_RESULT([yes]) + rlimit_nofile_zero_works=yes], + [AC_MSG_RESULT([no]) + rlimit_nofile_zero_works=no], + [AC_MSG_WARN([cross compiling: assuming yes])] +) + AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) AC_RUN_IFELSE( [AC_LANG_PROGRAM([[ @@ -2744,7 +2770,8 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ - test "x$select_works_with_rlimit" = "xyes" ) ; then + test "x$select_works_with_rlimit" = "xyes" && \ + test "x$rlimit_nofile_zero_works" = "xyes" ) ; then test "x$ac_cv_func_setrlimit" != "xyes" && \ AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) test "x$select_works_with_rlimit" != "xyes" && \ -- cgit v1.2.1 From d84cd6b37a752e929a664087b34480082e1738e9 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 7 Mar 2013 01:33:35 +0000 Subject: - (dtucker) [INSTALL] Bump documented autoconf version to what we're currently using. --- ChangeLog | 4 ++++ INSTALL | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c4042efd..0d922d5a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130307 + - (dtucker) [INSTALL] Bump documented autoconf version to what we're + currently using. + 20130306 - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding connection to start so that the test works on slower machines. 
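Review bot: The cross-compiling branch of the new `AC_RUN_IFELSE` prints `cross compiling: assuming yes` but never assigns `rlimit_nofile_zero_works`, so in a cross build the variable stays empty and the second hunk's `test "x$rlimit_nofile_zero_works" = "xyes"` fails, silently disabling the rlimit sandbox auto-selection that the message claims to assume. The branch should read `[AC_MSG_WARN([cross compiling: assuming yes])` followed by `rlimit_nofile_zero_works=yes]`. Separately, `int fd` and `fd_set fds` are declared in the probe program but never used (they look copied from the select test above), which will produce warnings under `-Wall`; dropping them keeps the probe minimal.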
diff --git a/INSTALL b/INSTALL index 7c604693..57672304 100644 --- a/INSTALL +++ b/INSTALL @@ -89,7 +89,7 @@ http://nlnetlabs.nl/projects/ldns/ Autoconf: If you modify configure.ac or configure doesn't exist (eg if you checked -the code out of CVS yourself) then you will need autoconf-2.61 to rebuild +the code out of CVS yourself) then you will need autoconf-2.68 to rebuild the automatically generated files by running "autoreconf". Earlier versions may also work but this is not guaranteed. @@ -266,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.87 2011/11/04 00:25:25 dtucker Exp $ +$Id: INSTALL,v 1.88 2013/03/07 01:33:35 dtucker Exp $ -- cgit v1.2.1 From 5e63ca22273192a48054c6445c6af96cf21ae52f Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 7 Mar 2013 09:06:13 +0000 Subject: - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it is was removed in configure.ac rev 1.481 as it was redundant. --- ChangeLog | 2 ++ defines.h | 6 +----- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0d922d5a..a3b27329 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20130307 - (dtucker) [INSTALL] Bump documented autoconf version to what we're currently using. + - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it is + was removed in configure.ac rev 1.481 as it was redundant. 20130306 - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding diff --git a/defines.h b/defines.h index 54de062d..64515c2f 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.170 2012/12/04 15:50:04 tim Exp $ */ +/* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */ /* Constants */ 
@@ -227,11 +227,7 @@ typedef uint16_t u_int16_t; typedef uint32_t u_int32_t; # define HAVE_U_INTXX_T 1 # else -# if (SIZEOF_CHAR == 1) typedef unsigned char u_int8_t; -# else -# error "8 bit int type not found." -# endif # if (SIZEOF_SHORT_INT == 2) typedef unsigned short int u_int16_t; # else -- cgit v1.2.1 From 2df21eb1d7ec53b8ad385da54cad05c18aa0140c Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 7 Mar 2013 09:14:34 +0000 Subject: remove extra word --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a3b27329..7f21ea92 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,7 @@ 20130307 - (dtucker) [INSTALL] Bump documented autoconf version to what we're currently using. - - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it is + - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it was removed in configure.ac rev 1.481 as it was redundant. 20130306 -- cgit v1.2.1 From 79763a9f58c5beadfbc6ed745fbfa1561f45fbf8 Mon Sep 17 00:00:00 2001 From: tim Date: Thu, 7 Mar 2013 15:37:13 +0000 Subject: - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days ago. --- ChangeLog | 2 ++ Makefile.in | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7f21ea92..728de6ad 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ currently using. - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it was removed in configure.ac rev 1.481 as it was redundant. + - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days + ago. 20130306 - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding diff --git a/Makefile.in b/Makefile.in index 38ffbdc3..d327787b 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.335 2013/03/05 22:23:59 tim Exp $ +# $Id: Makefile.in,v 1.336 2013/03/07 15:37:13 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -386,7 +386,7 @@ regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(CC) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -tests interop-tests: $(TARGETS) regress/modpipe +tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) BUILDDIR=`pwd`; \ [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ [ -f `pwd`/regress/Makefile ] || \ -- cgit v1.2.1 From 076ff40029596fcba88899ce9d48719ff589fc99 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 8 Mar 2013 01:14:22 +0000 Subject: - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a chance to complete on broken systems; ok dtucker@ --- ChangeLog | 2 ++ configure.ac | 9 ++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 728de6ad..3b5b5482 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ was removed in configure.ac rev 1.481 as it was redundant. - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days ago. + - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a + chance to complete on broken systems; ok dtucker@ 20130306 - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding diff --git a/configure.ac b/configure.ac index ccf3373b..6005d7c2 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.512 2013/03/06 06:48:48 dtucker Exp $ +# $Id: configure.ac,v 1.513 2013/03/08 01:14:23 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.512 $) +AC_REVISION($Revision: 1.513 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -2673,6 +2673,7 @@ AC_RUN_IFELSE( struct rlimit rl_zero; int fd, r; fd_set fds; + struct timeval tv; fd = open("/dev/null", O_RDONLY); FD_ZERO(&fds); @@ -2680,7 +2681,9 @@ AC_RUN_IFELSE( rl_zero.rlim_cur = rl_zero.rlim_max = 0; setrlimit(RLIMIT_FSIZE, &rl_zero); setrlimit(RLIMIT_NOFILE, &rl_zero); - r = select(fd+1, &fds, NULL, NULL, NULL); + tv.tv_sec = 1; + tv.tv_usec = 0; + r = select(fd+1, &fds, NULL, NULL, &tv); exit (r == -1 ? 1 : 0); ]])], [AC_MSG_RESULT([yes]) -- cgit v1.2.1 From 455681d817580b8c7004db0b0cd80c76c0e80ddb Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 12 Mar 2013 00:19:40 +0000 Subject: - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] Improve portability of cipher-speed test, based mostly on a patch from Iain Morgan. --- ChangeLog | 5 +++++ regress/Makefile | 2 +- regress/cipher-speed.sh | 9 ++++----- regress/test-exec.sh | 4 ++++ 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3b5b5482..859c01ad 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20120312 + - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] + Improve portability of cipher-speed test, based mostly on a patch from + Iain Morgan. + 20130307 - (dtucker) [INSTALL] Bump documented autoconf version to what we're currently using. diff --git a/regress/Makefile b/regress/Makefile index 779abf4f..6ef5d9cc 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -71,7 +71,7 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers USER!= id -un CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ t8.out t8.out.pub t9.out t9.out.pub \ - authorized_keys_${USER} known_hosts pidfile \ + authorized_keys_${USER} known_hosts pidfile testdata \ ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \ rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ 
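Review bot: With the timeout added, a `select()` that times out returns 0 and `exit (r == -1 ? 1 : 0)` still reports "yes", even though `/dev/null` should be readable immediately and a full one-second wait is itself a sign that the call is not working under the zeroed rlimits. If the intent is to detect a broken system rather than merely avoid hanging on one, the exit test should treat a timeout as failure too, `exit (r <= 0 ? 1 : 0);`; if a timeout is deliberately accepted, a comment stating why would stop the next reader from "fixing" it. The enclosing `AC_RUN_IFELSE` and its include list begin outside these hunks.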
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 21bf0f2e..65e5f35e 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -5,12 +5,11 @@ tid="cipher speed" getbytes () { - sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' + sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \ + -e '/copied/s/.*s, \(.* MB.s\).*/\1/p' } tries="1 2" -DATA=/bin/ls -DATA=/bsd ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour @@ -26,7 +25,7 @@ config_defined HAVE_EVP_SHA256 && \ for c in $ciphers; do n=0; for m in $macs; do trace "proto 2 cipher $c mac $m" for x in $tries; do - echon "$c/$m:\t" + printf "%-60s" "$c/$m:" ( ${SSH} -o 'compression no' \ -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ exec sh -c \'"dd of=/dev/null obs=32k"\' \ @@ -47,7 +46,7 @@ ciphers="3des blowfish" for c in $ciphers; do trace "proto 1 cipher $c" for x in $tries; do - echon "$c:\t" + printf "%-60s" "$c:" ( ${SSH} -o 'compression no' \ -F $OBJ/ssh_proxy -1 -c $c somehost \ exec sh -c \'"dd of=/dev/null obs=32k"\' \ diff --git a/regress/test-exec.sh b/regress/test-exec.sh index bdc2c1a4..aa4e6e5c 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -140,6 +140,10 @@ if [ "x$TEST_SSH_LOGFILE" = "x" ]; then TEST_SSH_LOGFILE=/dev/null fi +# Some data for test copies +DATA=$OBJ/testdata +cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA + # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP -- cgit v1.2.1 From f51a159decc317dc232f8f88af463290431e5278 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Tue, 12 Mar 2013 00:31:05 +0000 Subject: - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin") in addition to root as an owner of system directories on AIX and HP-UX. ok djm@ --- ChangeLog | 3 +++ auth.c | 4 ++-- configure.ac | 6 ++++-- platform.c | 18 +++++++++++++++++- platform.h | 5 ++--- 5 files changed, 28 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 859c01ad..730cdd92 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] Improve portability of cipher-speed test, based mostly on a patch from Iain Morgan. + - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin") + in addition to root as an owner of system directories on AIX and HP-UX. + ok djm@ 20130307 - (dtucker) [INSTALL] Bump documented autoconf version to what we're diff --git a/auth.c b/auth.c index 054c7282..6128fa46 100644 --- a/auth.c +++ b/auth.c @@ -448,7 +448,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, snprintf(err, errlen, "%s is not a regular file", buf); return -1; } - if ((stp->st_uid != 0 && stp->st_uid != uid) || + if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || (stp->st_mode & 022) != 0) { snprintf(err, errlen, "bad ownership or modes for file %s", buf); @@ -464,7 +464,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, strlcpy(buf, cp, sizeof(buf)); if (stat(buf, &st) < 0 || - (st.st_uid != 0 && st.st_uid != uid) || + (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || (st.st_mode & 022) != 0) { snprintf(err, errlen, "bad ownership or modes for directory %s", buf); diff --git a/configure.ac b/configure.ac index 6005d7c2..a49de84e 100644 --- a/configure.ac +++ b/configure.ac 
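Review bot: The two ownership conditions in auth.c now accept any uid for which `platform_sys_dir_uid()` returns 1, but nothing at the call sites says why a non-root owner can be trusted for the authorized_keys file and every directory above it, and the `bad ownership or modes` error text no longer tells an administrator which owners are acceptable. A short comment above the first condition, `/* owner must be root, the user, or a platform system-directory uid (platform_sys_dir_uid) */`, would document the widened trust boundary at the place it is enforced. The hunks do not show auth.c including `platform.h`; if it does not already, `platform_sys_dir_uid` is implicitly declared here and the include should be added. `auth_secure_path` starts and ends outside these hunks.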
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.513 2013/03/08 01:14:23 djm Exp $ +# $Id: configure.ac,v 1.514 2013/03/12 00:31:05 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.513 $) +AC_REVISION($Revision: 1.514 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -480,6 +480,7 @@ case "$host" in AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], [AIX 5.2 and 5.3 (and presumably newer) require this]) AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) + AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) ;; *-*-cygwin*) check_for_libcrypt_later=1 @@ -565,6 +566,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], [String used in /etc/passwd to denote locked account]) AC_DEFINE([SPT_TYPE], [SPT_PSTAT]) + AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) maildir="/var/mail" LIBS="$LIBS -lsec" AC_CHECK_LIB([xnet], [t_error], , diff --git a/platform.c b/platform.c index a455472b..3262b247 100644 --- a/platform.c +++ b/platform.c @@ -1,4 +1,4 @@ -/* $Id: platform.c,v 1.18 2011/01/11 06:02:25 djm Exp $ */ +/* $Id: platform.c,v 1.19 2013/03/12 00:31:05 dtucker Exp $ */ /* * Copyright (c) 2006 Darren Tucker. All rights reserved. @@ -194,3 +194,19 @@ platform_krb5_get_principal_name(const char *pw_name) return NULL; #endif } + +/* + * return 1 if the specified uid is a uid that may own a system directory + * otherwise 0. + */ +int +platform_sys_dir_uid(uid_t uid) +{ + if (uid == 0) + return 1; +#ifdef PLATFORM_SYS_DIR_UID + if (uid == PLATFORM_SYS_DIR_UID) + return 1; +#endif + return 0; +} diff --git a/platform.h b/platform.h index 944d2c34..19f6bfdd 100644 --- a/platform.h +++ b/platform.h 
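Review bot: The new header comment on `platform_sys_dir_uid` says what it returns but not what depends on it: auth.c in this commit uses the result to decide whether the owner of an authorized_keys file or any of its parent directories is trusted, so defining `PLATFORM_SYS_DIR_UID` (set to 2 for AIX and HP-UX in the configure.ac hunks here) extends that trust to the bin account. Suggest adding a line to the comment such as ` * Callers treat a matching uid as root-equivalent for ownership checks` and ` * (auth_secure_path); define PLATFORM_SYS_DIR_UID only for accounts with that level of trust.` so the security implication is visible to anyone adding a platform.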
@@ -1,4 +1,4 @@ -/* $Id: platform.h,v 1.7 2010/11/05 03:47:01 dtucker Exp $ */ +/* $Id: platform.h,v 1.8 2013/03/12 00:31:05 dtucker Exp $ */ /* * Copyright (c) 2006 Darren Tucker. All rights reserved. @@ -29,5 +29,4 @@ void platform_setusercontext(struct passwd *); void platform_setusercontext_post_groups(struct passwd *); char *platform_get_krb5_client(const char *); char *platform_krb5_get_principal_name(const char *); - - +int platform_sys_dir_uid(uid_t); -- cgit v1.2.1 From 55c80f51ba1a4851d729cefa3f1934fac9890a83 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 14 Mar 2013 23:23:07 +0000 Subject: - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform is unable to successfully compile them. Based on patch from des AT des.no --- ChangeLog | 5 +++++ configure.ac | 40 +++++++++++++++++++++++++++++++++++++--- 2 files changed, 42 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 730cdd92..635c4cd0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20120316 + - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform + is unable to successfully compile them. Based on patch from des AT + des.no + 20120312 - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] Improve portability of cipher-speed test, based mostly on a patch from diff --git a/configure.ac b/configure.ac index a49de84e..bf161b25 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.514 2013/03/12 00:31:05 dtucker Exp $ +# $Id: configure.ac,v 1.515 2013/03/14 23:23:07 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.514 $) +AC_REVISION($Revision: 1.515 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -4439,7 +4439,6 @@ if test -n "$conf_wtmp_location"; then [Define if you want to specify the path to your wtmp file]) fi - dnl wtmpx detection AC_MSG_CHECKING([if your system defines WTMPX_FILE]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ @@ -4471,6 +4470,41 @@ if test ! -z "$blibpath" ; then AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) fi +AC_CHECK_MEMBER([struct lastlog.ll_line], [], [ + AC_DEFINE([DISABLE_LASTLOG]) + ], [ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UTMP_H +#include +#endif +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_LASTLOG_H +#include +#endif + ]) + +AC_CHECK_MEMBER([struct utmp.ut_line], [], [ + AC_DEFINE([DISABLE_UTMP]) + AC_DEFINE([DISABLE_WTMP]) + ], [ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UTMP_H +#include +#endif +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_LASTLOG_H +#include +#endif + ]) + dnl Adding -Werror to CFLAGS early prevents configure tests from running. dnl Add now. CFLAGS="$CFLAGS $werror_flags" -- cgit v1.2.1 From 1aa05621e6be45f04eb749e330b193728be2d5f9 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 14 Mar 2013 23:34:25 +0000 Subject: - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] Add a usleep replacement for platforms that lack it; ok dtucker --- ChangeLog | 2 ++ configure.ac | 5 +++-- openbsd-compat/bsd-misc.c | 11 +++++++++++ openbsd-compat/bsd-misc.h | 6 +++++- 4 files changed, 21 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 635c4cd0..9f6fc705 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform is unable to successfully compile them. Based on patch from des AT des.no + - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] + Add a usleep replacement for platforms that lack it; ok dtucker 20120312 - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] 
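Review bot: The failure branches of the two new `AC_CHECK_MEMBER` probes define `DISABLE_LASTLOG`, `DISABLE_UTMP` and `DISABLE_WTMP` without any message, so a platform where the member test fails for an unrelated reason (a header that needs an extra define, a stale CFLAGS) silently loses login accounting, and the wtmp location handling visible at the top of the first hunk is overridden with no trace in the configure output. An `AC_MSG_WARN([struct utmp.ut_line not found, disabling utmp and wtmp support])` in each branch would make the decision visible. The 12-line include prologue is also repeated verbatim in both probes; defining it once with `AC_DEFUN` and reusing it keeps the two checks from drifting apart.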
diff --git a/configure.ac b/configure.ac index bf161b25..907192d6 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.515 2013/03/14 23:23:07 djm Exp $ +# $Id: configure.ac,v 1.516 2013/03/14 23:34:25 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.515 $) +AC_REVISION($Revision: 1.516 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1604,6 +1604,7 @@ AC_CHECK_FUNCS([ \ unsetenv \ updwtmpx \ user_from_uid \ + usleep \ vasprintf \ vhangup \ vsnprintf \ diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 8dc7d02d..d75854e8 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -165,6 +165,17 @@ int nanosleep(const struct timespec *req, struct timespec *rem) } #endif +#if !defined(HAVE_USLEEP) +int usleep(unsigned int useconds) +{ + struct timespec ts; + + ts.tv_sec = useconds / 1000000; + ts.tv_nsec = (useconds % 1000000) * 1000; + return nanosleep(&ts, NULL); +} +#endif + #ifndef HAVE_TCGETPGRP pid_t tcgetpgrp(int fd) diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index de836738..43006637 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -1,4 +1,4 @@ -/* $Id: bsd-misc.h,v 1.22 2013/02/15 00:41:36 dtucker Exp $ */ +/* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */ /* * Copyright (c) 1999-2004 Damien Miller @@ -80,6 +80,10 @@ struct timespec { int nanosleep(const struct timespec *, struct timespec *); #endif +#ifndef HAVE_USLEEP +int usleep(unsigned int useconds); +#endif + #ifndef HAVE_TCGETPGRP pid_t tcgetpgrp(int); #endif -- cgit v1.2.1 From bb3923ae246c5744ca0364a91544123ddbac32b0 Mon Sep 17 00:00:00 2001 
From: djm Date: Fri, 15 Mar 2013 00:22:37 +0000 Subject: - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to occur after UID switch; patch from John Marshall via des AT des.no; ok dtucker@ --- ChangeLog | 3 +++ session.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index 9f6fc705..f9f2166b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ des.no - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] Add a usleep replacement for platforms that lack it; ok dtucker + - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to + occur after UID switch; patch from John Marshall via des AT des.no; + ok dtucker@ 20120312 - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] diff --git a/session.c b/session.c index 643e7fc5..19eaa20c 100644 --- a/session.c +++ b/session.c @@ -1520,6 +1520,11 @@ do_setusercontext(struct passwd *pw) perror("unable to set user context (setuser)"); exit(1); } + /* + * FreeBSD's setusercontext() will not apply the user's + * own umask setting unless running with the user's UID. + */ + (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); #else /* Permanently switch to the desired uid. */ permanently_set_uid(pw); -- cgit v1.2.1 From a498762e7184096837c5e756dc5a6e27ef341dae Mon Sep 17 00:00:00 2001 From: tim Date: Sun, 17 Mar 2013 03:55:46 +0000 Subject: - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none of the bits the configure test looks for. --- ChangeLog | 4 ++++ configure.ac | 7 +++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f9f2166b..502d85c3 100644 --- a/ChangeLog +++ b/ChangeLog 
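Review bot: The new `setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK)` call discards its return value with a `(void)` cast, whereas the error handling visible just above it in the same function reports a `setusercontext` failure with `perror(...)` and exits. A failed umask setting is arguably non-fatal, but ignoring it silently is inconsistent with the surrounding code; either check it, `if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK) < 0) perror("unable to set user context (setumask)");`, or extend the new comment to state that failure here is intentionally ignored. `do_setusercontext` begins and ends outside the hunk.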
@@ -1,3 +1,7 @@ +20120317 + - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none + of the bits the configure test looks for. + 20120316 - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform is unable to successfully compile them. Based on patch from des AT diff --git a/configure.ac b/configure.ac index 907192d6..5d835c93 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.516 2013/03/14 23:34:25 djm Exp $ +# $Id: configure.ac,v 1.517 2013/03/17 03:55:47 tim Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.516 $) +AC_REVISION($Revision: 1.517 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -897,6 +897,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_CHECK_FUNCS([getluid setluid]) MANTYPE=man TEST_SHELL=ksh + SKIP_DISABLE_LASTLOG_DEFINE=yes ;; *-*-unicosmk*) AC_DEFINE([NO_SSH_LASTLOG], [1], @@ -4472,7 +4473,9 @@ if test ! -z "$blibpath" ; then fi AC_CHECK_MEMBER([struct lastlog.ll_line], [], [ + if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then AC_DEFINE([DISABLE_LASTLOG]) + fi ], [ #ifdef HAVE_SYS_TYPES_H #include -- cgit v1.2.1 From d21780a80d579df4477f0ef65f1c53cdfc30cf34 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 20 Mar 2013 01:55:14 +0000 Subject: - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's so mark it as broken. Patch from des AT des.no --- ChangeLog | 5 +++++ configure.ac | 5 +++-- log.c | 2 +- openbsd-compat/vis.c | 2 +- openbsd-compat/vis.h | 4 ++-- scp.c | 2 +- sshconnect2.c | 2 +- 7 files changed, 14 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 502d85c3..80429f84 100644 --- a/ChangeLog +++ b/ChangeLog 
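Review bot: The new condition leaves the variable unquoted on the left-hand side, `test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes"`, whereas the rest of this file writes such comparisons as `test "x$var" = "xyes"` (the sandbox selection earlier in this series, for example). It works because the variable is only ever empty or `yes`, but `if test "x$SKIP_DISABLE_LASTLOG_DEFINE" != "xyes" ; then` follows the file's convention and stays correct if the value ever contains whitespace.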
@@ -1,3 +1,8 @@ +20120318 + - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] + [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's + so mark it as broken. Patch from des AT des.no + 20120317 - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none of the bits the configure test looks for. diff --git a/configure.ac b/configure.ac index 5d835c93..88dd29e9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.517 2013/03/17 03:55:47 tim Exp $ +# $Id: configure.ac,v 1.518 2013/03/20 01:55:15 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.517 $) +AC_REVISION($Revision: 1.518 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -721,6 +721,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_CHECK_HEADER([net/if_tap.h], , AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) + AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need]) ;; *-*-bsdi*) AC_DEFINE([SETEUID_BREAKS_SETUID]) diff --git a/log.c b/log.c index 7f4a1b9c..d69154a6 100644 --- a/log.c +++ b/log.c @@ -45,7 +45,7 @@ #include #include #include -#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) +#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) # include #endif diff --git a/openbsd-compat/vis.c b/openbsd-compat/vis.c index 3a087b34..f6f5665c 100644 --- a/openbsd-compat/vis.c +++ b/openbsd-compat/vis.c @@ -31,7 +31,7 @@ /* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ #include "includes.h" -#if !defined(HAVE_STRNVIS) +#if !defined(HAVE_STRNVIS) || defined(BROKEN_STRNVIS) #include #include diff --git a/openbsd-compat/vis.h b/openbsd-compat/vis.h index 3898a9e7..d1286c99 100644 --- a/openbsd-compat/vis.h +++ b/openbsd-compat/vis.h 
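Review bot: The condition `defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)` is spelled out in log.c here and repeated in scp.c and sshconnect2.c in the following hunks, so any further exception to the system `strnvis` has to be applied in three callers plus openbsd-compat/vis.c and vis.h. Deciding once in a shared header which `vis.h` to include, and having the three callers include that, would keep the rule in one place. With `BROKEN_STRNVIS` set, vis.c now compiles a compat `strnvis` alongside the libc one; whether the compat symbol reliably wins at link time presumably depends on libopenbsd-compat being resolved before libc, which the commit does not state and which deserves a sentence in the vis.c comment.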
@@ -35,7 +35,7 @@ /* OPENBSD ORIGINAL: include/vis.h */ #include "includes.h" -#if !defined(HAVE_STRNVIS) +#if !defined(HAVE_STRNVIS) || defined(BROKEN_STRNVIS) #ifndef _VIS_H_ #define _VIS_H_ @@ -92,4 +92,4 @@ ssize_t strnunvis(char *, const char *, size_t) #endif /* !_VIS_H_ */ -#endif /* !HAVE_STRNVIS */ +#endif /* !HAVE_STRNVIS || BROKEN_STRNVIS */ diff --git a/scp.c b/scp.c index 08587b5f..645d7403 100644 --- a/scp.c +++ b/scp.c @@ -103,7 +103,7 @@ #include #include #include -#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) +#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) #include #endif diff --git a/sshconnect2.c b/sshconnect2.c index a306447b..d6af0b94 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -40,7 +40,7 @@ #include #include #include -#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) +#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) #include #endif -- cgit v1.2.1 From 16d6514eef9ee5917e2a07350c9c2efcbafac966 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Mar 2013 23:17:36 +0000 Subject: - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil Hands' greatly revised version. --- ChangeLog | 4 + contrib/ssh-copy-id | 309 ++++++++++++++++++++++++++++++++++++++++++++------ contrib/ssh-copy-id.1 | 251 ++++++++++++++++++++++++++++------------ 3 files changed, 459 insertions(+), 105 deletions(-) diff --git a/ChangeLog b/ChangeLog index 80429f84..d69fd350 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20120322 + - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil + Hands' greatly revised version. + 20120318 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index 9451acee..af18a192 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id 
@@ -1,54 +1,293 @@ #!/bin/sh -# Shell script to install your public key on a remote machine -# Takes the remote machine name as an argument. -# Obviously, the remote machine must accept password authentication, -# or one of the other keys in your ssh-agent, for this to work. - -ID_FILE="${HOME}/.ssh/id_rsa.pub" - -if [ "-i" = "$1" ]; then - shift - # check if we have 2 parameters left, if so the first is the new ID file - if [ -n "$2" ]; then - if expr "$1" : ".*\.pub" > /dev/null ; then - ID_FILE="$1" - else - ID_FILE="$1.pub" - fi - shift # and this should leave $1 as the target name +# Copyright (c) 1999-2013 Philip Hands +# 2013 Martin Kletzander +# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= +# 2010 Eric Moret +# 2009 Xr +# 2007 Justin Pryzby +# 2004 Reini Urban +# 2003 Colin Watson +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Shell script to install your public key(s) on a remote machine +# See the ssh-copy-id(1) man page for details + +# check that we have something mildly sane as our shell, or try to find something better +if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0" +then + SANE_SH=${SANE_SH:-/usr/bin/ksh} + if printf 'true ^ false\n' | "$SANE_SH" + then + printf "'%s' seems viable.\n" "$SANE_SH" + exec "$SANE_SH" "$0" "$@" + else + cat <<-EOF + oh dear. + + If you have a more recent shell available, that supports \$(...) etc. + please try setting the environment variable SANE_SH to the path of that + shell, and then retry running this script. If that works, please report + a bug describing your setup, and the shell you used to make it work. + + EOF + printf "%s: ERROR: Less dimwitted shell required.\n" "$0" + exit 1 fi -else - if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then - GET_ID="$GET_ID ssh-add -L" +fi + +DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1) + +usage () { + printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o ] ...] 
[user@]hostname\n' "$0" >&2 + exit 1 +} + +# escape any single quotes in an argument +quote() { + printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g" +} + +use_id_file() { + local L_ID_FILE="$1" + + if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then + PUB_ID_FILE="$L_ID_FILE" + else + PUB_ID_FILE="$L_ID_FILE.pub" fi + + PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) + + # check that the files are readable + for f in $PUB_ID_FILE $PRIV_ID_FILE ; do + ErrMSG=$( { : < $f ; } 2>&1 ) || { + printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')" + exit 1 + } + done + GET_ID="cat \"$PUB_ID_FILE\"" +} + +if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then + GET_ID="ssh-add -L" fi -if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then - GET_ID="cat \"${ID_FILE}\"" +while test "$#" -gt 0 +do + [ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && { + printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0" + usage + } + + OPT= OPTARG= + # implement something like getopt to avoid Solaris pain + case "$1" in + -i?*|-o?*|-p?*) + OPT="$(printf -- "$1"|cut -c1-2)" + OPTARG="$(printf -- "$1"|cut -c3-)" + shift + ;; + -o|-p) + OPT="$1" + OPTARG="$2" + shift 2 + ;; + -i) + OPT="$1" + test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || { + OPTARG="$2" + shift + } + shift + ;; + -n|-h|-\?) + OPT="$1" + OPTARG= + shift + ;; + --) + shift + while test "$#" -gt 0 + do + SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'" + shift + done + break + ;; + -*) + printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1" + usage + ;; + *) + SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'" + shift + continue + ;; + esac + + case "$OPT" in + -i) + SEEN_OPT_I="yes" + use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}" + ;; + -o|-p) + SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'" + ;; + -n) + DRY_RUN=1 + ;; + -h|-\?) 
+ usage + ;; + esac +done + +eval set -- "$SAVEARGS" + +if [ $# != 1 ] ; then + printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2 + usage fi -if [ -z "`eval $GET_ID`" ]; then - echo "$0: ERROR: No identities found" >&2 - exit 1 +# drop trailing colon +USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//') +# tack the hostname onto SSH_OPTS +SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'" +# and populate "$@" for later use (only way to get proper quoting of options) +eval set -- "$SSH_OPTS" + +if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then + use_id_file "$PUB_ID_FILE" fi -if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then - echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2 +if [ -z "$(eval $GET_ID)" ] ; then + printf '%s: ERROR: No identities found\n' "$0" >&2 exit 1 fi -# strip any trailing colon -host=`echo $1 | sed 's/:$//'` +# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...) +# and has the side effect of setting $NEW_IDS +populate_new_ids() { + local L_SUCCESS="$1" -{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1 + # repopulate "$@" inside this function + eval set -- "$SSH_OPTS" -cat <&2 + NEW_IDS=$( + eval $GET_ID | { + while read ID ; do + printf '%s\n' "$ID" > $L_TMP_ID_FILE - ~/.ssh/authorized_keys + # the next line assumes $PRIV_ID_FILE only set if using a single id file - this + # assumption will break if we implement the possibility of multiple -i options. 
+ # The point being that if file based, ssh needs the private key, which it cannot + # find if only given the contents of the .pub file in an unrelated tmpfile + ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \ + -o PreferredAuthentications=publickey \ + -o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr $L_TMP_ID_FILE + else + grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || { + sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE + cat >/dev/null #consume the other keys, causing loop to end + } + fi + + cat $L_TMP_ID_FILE + done + } + ) + rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT + + if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then + printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2 + exit 1 + fi + if [ -z "$NEW_IDS" ] ; then + printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2 + exit 0 + fi + printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2 +} -to make sure we haven't added extra keys that you weren't expecting. +REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 | + sed -ne 's/.*remote software version //p') -EOF +case "$REMOTE_VERSION" in + NetScreen*) + populate_new_ids 1 + for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do + KEY_NO=$(($KEY_NO + 1)) + printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || { + printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2 + continue + } + [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1 + if [ $? 
= 255 ] ; then + printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2 + else + ADDED=$(($ADDED + 1)) + fi + done + if [ -z "$ADDED" ] ; then + exit 1 + fi + ;; + *) + # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect + populate_new_ids 0 + [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" " + umask 077 ; + mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; + if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \ + || exit 1 + ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) + ;; +esac + +if [ "$DRY_RUN" ] ; then + cat <<-EOF + =-=-=-=-=-=-=-= + Would have added the following key(s): + + $NEW_IDS + =-=-=-=-=-=-=-= + EOF +else + cat <<-EOF + + Number of key(s) added: $ADDED + + Now try logging into the machine, with: "ssh $SSH_OPTS" + and check to make sure that only the key(s) you wanted were added. + + EOF +fi +# =-=-=-= diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 index cb15ab24..67a59e49 100644 --- a/contrib/ssh-copy-id.1 +++ b/contrib/ssh-copy-id.1 
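Review bot: In the option parser, `OPT="$(printf -- "$1"|cut -c1-2)"` and the `OPTARG=` line right after it pass the user's argument as printf's format string, so an argument containing `%` or backslash sequences is reinterpreted instead of copied; both should read `printf '%s' "$1"`. Several path expansions are unquoted as well — `for f in $PUB_ID_FILE $PRIV_ID_FILE`, `: < $f`, the `$L_TMP_ID_FILE` redirections and `rm -f $L_TMP_ID_FILE*` — which word-splits (and in the rm case globs) identity paths or temp directories containing whitespace, so they should be double-quoted. The lines that create `$L_TMP_ID_FILE` appear to be missing from this rendering of the hunk, so whether it is made with mktemp and restrictive permissions cannot be confirmed here; the later `trap - EXIT TERM INT QUIT` suggests a cleanup handler is installed at that point. The script also relies on `local`, which is not POSIX sh, despite the shell-sanity preamble at the top, so a comment such as `# requires a shell with $(...) and local (ksh, bash, dash ...)` near that preamble would set expectations.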
@@ -1,75 +1,186 @@ .ig \" -*- nroff -*- -Copyright (c) 1999 Philip Hands Computing +Copyright (c) 1999-2013 hands.com Ltd. -Permission is granted to make and distribute verbatim copies of -this manual provided the copyright notice and this permission notice -are preserved on all copies. +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. -Permission is granted to copy and distribute modified versions of this -manual under the conditions for verbatim copying, provided that the -entire resulting derived work is distributed under the terms of a -permission notice identical to this one. - -Permission is granted to copy and distribute translations of this -manual into another language, under the above conditions for modified -versions, except that this permission notice may be included in -translations approved by the Free Software Foundation instead of in -the original English. +THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .. -.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" -.SH NAME -ssh-copy-id \- install your public key in a remote machine's authorized_keys -.SH SYNOPSIS -.B ssh-copy-id [-i [identity_file]] -.I "[user@]machine" +.Dd $Mdocdate: June 17 2010 $ +.Dt SSH-COPY-ID 1 +.Os +.Sh NAME +.Nm ssh-copy-id +.Nd use locally available keys to authorise logins on a remote machine +.Sh SYNOPSIS +.Nm +.Op Fl n +.Op Fl i Op Ar identity_file +.Op Fl p Ar port +.Op Fl o Ar ssh_option +.Op Ar user Ns @ Ns +.Ar hostname +.Nm +.Fl h | Fl ? .br -.SH DESCRIPTION -.BR ssh-copy-id -is a script that uses ssh to log into a remote machine and -append the indicated identity file to that machine's -.B ~/.ssh/authorized_keys -file. -.PP -If the -.B -i -option is given then the identity file (defaults to -.BR ~/.ssh/id_rsa.pub ) -is used, regardless of whether there are any keys in your -.BR ssh-agent . -Otherwise, if this: -.PP -.B " ssh-add -L" -.PP -provides any output, it uses that in preference to the identity file. -.PP -If the -.B -i -option is used, or the -.B ssh-add -produced no output, then it uses the contents of the identity -file. Once it has one or more fingerprints (by whatever means) it -uses ssh to append them to -.B ~/.ssh/authorized_keys -on the remote machine (creating the file, and directory, if necessary.) - -.SH NOTES -This program does not modify the permissions of any -pre-existing files or directories. 
Therefore, if the remote -.B sshd -has -.B StrictModes -set in its -configuration, then the user's home, -.B ~/.ssh -folder, and -.B ~/.ssh/authorized_keys -file may need to have group writability disabled manually, e.g. via - -.B " chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys" - -on the remote machine. - -.SH "SEE ALSO" -.BR ssh (1), -.BR ssh-agent (1), -.BR sshd (8) +.Sh DESCRIPTION +.Nm +is a script that uses +.Xr ssh 1 +to log into a remote machine (presumably using a login password, +so password authentication should be enabled, unless you've done some +clever use of multiple identities). It assembles a list of one or more +fingerprints (as described below) and tries to log in with each key, to +see if any of them are already installed (of course, if you are not using +.Xr ssh-agent 1 +this may result in you being repeatedly prompted for pass-phrases). +It then assembles a list of those that failed to log in, and using ssh, +enables logins with those keys on the remote server. By default it adds +the keys by appending them to the remote user's +.Pa ~/.ssh/authorized_keys +(creating the file, and directory, if necessary). It is also capable +of detecting if the remote system is a NetScreen, and using its +.Ql set ssh pka-dsa key ... +command instead. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl i Ar identity_file +Use only the key(s) contained in +.Ar identity_file +(rather than looking for identities via +.Xr ssh-add 1 +or in the +.Ic default_ID_file ) . +If the filename does not end in +.Pa .pub +this is added. If the filename is omitted, the +.Ic default_ID_file +is used. +.Pp +Note that this can be used to ensure that the keys copied have the +comment one prefers and/or extra options applied, by ensuring that the +key file has these set as preferred before the copy is attempted. +.It Fl n +do a dry-run. Instead of installing keys on the remote system simply +prints the key(s) that would have been installed. +.It Fl h , Fl ? 
+Print Usage summary +.It Fl p Ar port , Fl o Ar ssh_option +These two options are simply passed through untouched, along with their +argument, to allow one to set the port or other +.Xr ssh 1 +options, respectively. +.Pp +Rather than specifying these as command line options, it is often better to use (per-host) settings in +.Xr ssh 1 Ns 's +configuration file: +.Xr ssh_config 5 . +.El +.Pp +Default behaviour without +.Fl i , +is to check if +.Ql ssh-add -L +provides any output, and if so those keys are used. Note that this results in +the comment on the key being the filename that was given to +.Xr ssh-add 1 +when the key was loaded into your +.Xr ssh-agent 1 +rather than the comment contained in that file, which is a bit of a shame. +Otherwise, if +.Xr ssh-add 1 +provides no keys contents of the +.Ic default_ID_file +will be used. +.Pp +The +.Ic default_ID_file +is the most recent file that matches: +.Pa ~/.ssh/id*.pub , +(excluding those that match +.Pa ~/.ssh/*-cert.pub ) +so if you create a key that is not the one you want +.Nm +to use, just use +.Xr touch 1 +on your preferred key's +.Pa .pub +file to reinstate it as the most recent. +.Pp +.Sh EXAMPLES +If you have already installed keys from one system on a lot of remote +hosts, and you then create a new key, on a new client machine, say, +it can be difficult to keep track of which systems on which you've +installed the new key. One way of dealing with this is to load both +the new key and old key(s) into your +.Xr ssh-agent 1 . +Load the new key first, without the +.Fl c +option, then load one or more old keys into the agent, possibly by +ssh-ing to the client machine that has that old key, using the +.Fl A +option to allow agent forwarding: +.Pp +.D1 user@newclient$ ssh-add +.D1 user@newclient$ ssh -A old.client +.D1 user@oldl$ ssh-add -c +.D1 No ... prompt for pass-phrase ... 
+.D1 user@old$ logoff +.D1 user@newclient$ ssh someserver +.Pp +now, if the new key is installed on the server, you'll be allowed in +unprompted, whereas if you only have the old key(s) enabled, you'll be +asked for confirmation, which is your cue to log back out and run +.Pp +.D1 user@newclient$ ssh-copy-id -i someserver +.Pp +The reason you might want to specify the -i option in this case is to +ensure that the comment on the installed key is the one from the +.Pa .pub +file, rather than just the filename that was loaded into you agent. +It also ensures that only the id you intended is installed, rather than +all the keys that you have in your +.Xr ssh-agent 1 . +Of course, you can specify another id, or use the contents of the +.Xr ssh-agent 1 +as you prefer. +.Pp +Having mentioned +.Xr ssh-add 1 Ns 's +.Fl c +option, you might consider using this whenever using agent forwarding +to avoid your key being hijacked, but it is much better to instead use +.Xr ssh 1 Ns 's +.Ar ProxyCommand +and +.Fl W +option, +to bounce through remote servers while always doing direct end-to-end +authentication. This way the middle hop(s) don't get access to your +.Xr ssh-agent 1 . +A web search for +.Ql ssh proxycommand nc +should prove enlightening (N.B. the modern approach is to use the +.Fl W +option, rather than +.Xr nc 1 ) . +.Sh "SEE ALSO" +.Xr ssh 1 , +.Xr ssh-agent 1 , +.Xr sshd 8 -- cgit v1.2.1 From b1b5ed19b30e5e4ab03a08ac9d7faa7ad41c8e01 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Mar 2013 23:25:22 +0000 Subject: - (djm) Release 6.2p1 --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index d69fd350..dbd8b0aa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20120322 - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil Hands' greatly revised version. + - (djm) Release 6.2p1 20120318 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] -- cgit v1.2.1 
From d3b5c85fc68d1fab437e54d863eef9d95a815c5b Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 22 Mar 2013 01:49:14 +0000 Subject: - (dtucker) [configure.ac] Add stdlib.h to zlib check for exit() prototype. --- ChangeLog | 1 + configure.ac | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index dbd8b0aa..6c13bb9b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil Hands' greatly revised version. - (djm) Release 6.2p1 + - (dtucker) [configure.ac] Add stdlib.h to zlib check for exit() prototype. 20120318 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] diff --git a/configure.ac b/configure.ac index 88dd29e9..5db4b623 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.518 2013/03/20 01:55:15 djm Exp $ +# $Id: configure.ac,v 1.519 2013/03/22 01:49:15 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.518 $) +AC_REVISION($Revision: 1.519 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1120,6 +1120,7 @@ AC_ARG_WITH([zlib-version-check], AC_MSG_CHECKING([for possibly buggy zlib]) AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include +#include #include ]], [[ -- cgit v1.2.1 From c63007022256d61c43c6ed26649efdb543662b9f Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 22 Mar 2013 01:51:09 +0000 Subject: - (dtucker) [includes.h] Check if _GNU_SOURCE is already defined before defining it again. Prevents warnings if someone, eg, sets it in CFLAGS. --- ChangeLog | 2 ++ includes.h | 2 ++ 2 files changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 6c13bb9b..ce612d31 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,8 @@ Hands' greatly revised version. - (djm) Release 6.2p1 - (dtucker) [configure.ac] Add stdlib.h to zlib check for exit() prototype. + - (dtucker) [includes.h] Check if _GNU_SOURCE is already defined before + defining it again. Prevents warnings if someone, eg, sets it in CFLAGS. 20120318 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] diff --git a/includes.h b/includes.h index 3e206c89..07bcd89f 100644 --- a/includes.h +++ b/includes.h @@ -18,7 +18,9 @@ #include "config.h" +#ifndef _GNU_SOURCE #define _GNU_SOURCE /* activate extra prototypes for glibc */ +#endif #include #include /* For CMSG_* */ -- cgit v1.2.1 From a0061f13b8d357dd7afa737b61e10cfa0166b4c7 Mon Sep 17 00:00:00 2001 From: tim Date: Fri, 22 Mar 2013 17:14:32 +0000 Subject: - (tim) [Makefile.in] remove some duplication introduced in 20130220 commit. --- ChangeLog | 3 +++ Makefile.in | 9 ++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index ce612d31..2b99b570 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20120323 + - (tim) [Makefile.in] remove some duplication introduced in 20130220 commit. + 20120322 - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil Hands' greatly revised version. diff --git a/Makefile.in b/Makefile.in index d327787b..62bacd6f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.336 2013/03/07 15:37:13 tim Exp $ +# $Id: Makefile.in,v 1.337 2013/03/22 17:14:33 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -382,15 +382,14 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c - [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ + [ -d `pwd`/regress ] || mkdir -p `pwd`/regress + [ -f `pwd`/regress/Makefile ] || \ + ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile $(CC) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) BUILDDIR=`pwd`; \ - [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ - [ -f `pwd`/regress/Makefile ] || \ - ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \ TEST_SHELL="@TEST_SHELL@"; \ TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ -- cgit v1.2.1 From 08807542c0f4cbd83dec96370fc60ee6b390636b Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 1 Apr 2013 01:40:48 +0000 Subject: - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h to avoid conflicting definitions of __int64, adding the required bits. Patch from Corinna Vinschen. --- ChangeLog | 5 +++++ openbsd-compat/bsd-cygwin_util.c | 11 +++-------- openbsd-compat/bsd-cygwin_util.h | 17 +++++++---------- 3 files changed, 15 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2b99b570..9668465b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130401 + - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h + to avoid conflicting definitions of __int64, adding the required bits. + Patch from Corinna Vinschen. + 20120323 - (tim) [Makefile.in] remove some duplication introduced in 20130220 commit. diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index 6befc016..d3d2d913 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2001, 2011 Corinna Vinschen + * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -27,20 +27,15 @@ * binary mode on Windows systems. */ +#define NO_BINARY_OPEN /* Avoid redefining open to binary_open for this file */ #include "includes.h" #ifdef HAVE_CYGWIN -#if defined(open) && open == binary_open -# undef open -#endif - #include - #include -#include +#include #include -#include #include "xmalloc.h" diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index b4bcd04b..372e4195 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h @@ -1,7 +1,7 @@ -/* $Id: bsd-cygwin_util.h,v 1.15 2012/08/28 09:57:19 dtucker Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.16 2013/04/01 01:40:49 dtucker Exp $ */ /* - * Copyright (c) 2000, 2001, 2011 Corinna Vinschen + * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -36,24 +36,21 @@ #undef ERROR -#define WIN32_LEAN_AND_MEAN +/* Avoid including windows headers. */ +typedef void *HANDLE; +#define INVALID_HANDLE_VALUE ((HANDLE) -1) -#include #include #include -/* Make sure _WIN32 isn't defined later in the code, otherwise headers from - other packages might get the wrong idea about the target system. */ -#ifdef _WIN32 -#undef _WIN32 -#endif - int binary_open(const char *, int , ...); int check_ntsec(const char *); char **fetch_windows_environment(void); void free_windows_environment(char **); +#ifndef NO_BINARY_OPEN #define open binary_open +#endif #endif /* HAVE_CYGWIN */ -- cgit v1.2.1 From 4cba70a366cce0da4a1f23849c0ebf49633a3b3b Mon Sep 17 00:00:00 2001 
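Review bot: The header hunk replaces the removed Windows include (windows.h, per the commit message) with a hand-rolled `typedef void *HANDLE;` and `INVALID_HANDLE_VALUE`, which will produce a conflicting-typedef error in any translation unit that ever sees both this header and a real Windows header, and it silently assumes Cygwin's HANDLE is pointer-sized. A comment on the typedef stating that constraint would help the next maintainer, e.g. `/* Mirrors the Win32 HANDLE/INVALID_HANDLE_VALUE definitions so that windows.h need not be included; do not include both. */`. In the .c hunk, `#define NO_BINARY_OPEN` before `#include "includes.h"` is clearer than the removed `open == binary_open` test, but the macro is set in one file and consumed in another, so a one-line note in the header's `#ifndef NO_BINARY_OPEN` block naming who defines it would close the loop.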
From: dtucker Date: Fri, 5 Apr 2013 00:13:08 +0000 Subject: - dtucker@cvs.openbsd.org 2013/02/17 23:16:57 [readconf.c ssh.c readconf.h sshconnect2.c] Keep track of which IndentityFile options were manually supplied and which were default options, and don't warn if the latter are missing. ok markus@ --- ChangeLog | 8 ++++++++ readconf.c | 55 ++++++++++++++++++++++++++++++------------------------- readconf.h | 4 +++- ssh.c | 9 ++------- sshconnect2.c | 4 ++-- 5 files changed, 45 insertions(+), 35 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9668465b..abcc11ad 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20130404 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/02/17 23:16:57 + [readconf.c ssh.c readconf.h sshconnect2.c] + Keep track of which IndentityFile options were manually supplied and which + were default options, and don't warn if the latter are missing. + ok markus@ + 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h to avoid conflicting definitions of __int64, adding the required bits. diff --git a/readconf.c b/readconf.c index 097bb051..6f978f82 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.194 2011/09/23 07:45:05 markus Exp $ */ +/* $OpenBSD: readconf.c,v 1.195 2013/02/17 23:16:57 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -326,6 +326,26 @@ clear_forwardings(Options *options) options->tun_open = SSH_TUNMODE_NO; } +void +add_identity_file(Options *options, const char *dir, const char *filename, + int userprovided) +{ + char *path; + + if (options->num_identity_files >= SSH_MAX_IDENTITY_FILES) + fatal("Too many identity files specified (max %d)", + SSH_MAX_IDENTITY_FILES); + + if (dir == NULL) /* no dir, filename is absolute */ + path = xstrdup(filename); + else + (void)xasprintf(&path, "%.100s%.100s", dir, filename); + + options->identity_file_userprovided[options->num_identity_files] = + userprovided; + options->identity_files[options->num_identity_files++] = path; +} + /* * Returns the number of the token pointed to by cp or oBadOption. */ @@ -586,9 +606,7 @@ parse_yesnoask: if (*intptr >= SSH_MAX_IDENTITY_FILES) fatal("%.200s line %d: Too many identity files specified (max %d).", filename, linenum, SSH_MAX_IDENTITY_FILES); - charptr = &options->identity_files[*intptr]; - *charptr = xstrdup(arg); - *intptr = *intptr + 1; + add_identity_file(options, NULL, arg, 1); } break; 
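Review bot: add_identity_file has no header comment although it now owns the SSH_MAX_IDENTITY_FILES check, the allocated path and the meaning of `userprovided`; a three-line block above it would do, e.g. `/* Append an identity file to options. dir may be NULL (filename used as is) or a prefix; each part is truncated to 100 bytes. userprovided=1 for user/config files, 0 for defaults. Fatal at the limit. */`. The `%.100s%.100s` truncation is silent, so if a caller ever passes a non-default dir the stored path could differ from the one intended; naming that limit in the comment makes the constraint explicit. In the parse_yesnoask hunk the caller keeps its own `*intptr >= SSH_MAX_IDENTITY_FILES` check ahead of the call, so the limit is now tested twice; the caller's check carries the filename and line number, so it is worth keeping, with the inner one marked as a last-resort guard. The enclosing parse function starts and ends outside that hunk.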
@@ -1280,30 +1298,17 @@ fill_default_options(Options * options) options->protocol = SSH_PROTO_2; if (options->num_identity_files == 0) { if (options->protocol & SSH_PROTO_1) { - len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1; - options->identity_files[options->num_identity_files] = - xmalloc(len); - snprintf(options->identity_files[options->num_identity_files++], - len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY); + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_IDENTITY, 0); } if (options->protocol & SSH_PROTO_2) { - len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1; - options->identity_files[options->num_identity_files] = - xmalloc(len); - snprintf(options->identity_files[options->num_identity_files++], - len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA); - - len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1; - options->identity_files[options->num_identity_files] = - xmalloc(len); - snprintf(options->identity_files[options->num_identity_files++], - len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA); + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_RSA, 0); + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_DSA, 0); #ifdef OPENSSL_HAS_ECC - len = 2 + strlen(_PATH_SSH_CLIENT_ID_ECDSA) + 1; - options->identity_files[options->num_identity_files] = - xmalloc(len); - snprintf(options->identity_files[options->num_identity_files++], - len, "~/%.100s", _PATH_SSH_CLIENT_ID_ECDSA); + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_ECDSA, 0); #endif } } diff --git a/readconf.h b/readconf.h index be30ee0e..35f59662 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.91 2011/09/23 07:45:05 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.92 2013/02/17 23:16:57 dtucker Exp $ */ /* * Author: Tatu Ylonen 
@@ -96,6 +96,7 @@ typedef struct { int num_identity_files; /* Number of files for RSA/DSA identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; + int identity_file_userprovided[SSH_MAX_IDENTITY_FILES]; Key *identity_keys[SSH_MAX_IDENTITY_FILES]; /* Local TCP/IP forward requests. */ @@ -158,5 +159,6 @@ process_config_line(Options *, const char *, char *, const char *, int, int *); void add_local_forward(Options *, const Forward *); void add_remote_forward(Options *, const Forward *); +void add_identity_file(Options *, const char *, const char *, int); #endif /* READCONF_H */ diff --git a/ssh.c b/ssh.c index 3f61eb02..8a7aea09 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.370 2012/07/06 01:47:38 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.371 2013/02/17 23:16:57 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -405,12 +405,7 @@ main(int ac, char **av) strerror(errno)); break; } - if (options.num_identity_files >= - SSH_MAX_IDENTITY_FILES) - fatal("Too many identity files specified " - "(max %d)", SSH_MAX_IDENTITY_FILES); - options.identity_files[options.num_identity_files++] = - xstrdup(optarg); + add_identity_file(&options, NULL, optarg, 1); break; case 'I': #ifdef ENABLE_PKCS11 diff --git a/sshconnect2.c b/sshconnect2.c index d6af0b94..58015c0d 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.191 2013/02/15 00:21:01 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.192 2013/02/17 23:16:57 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. 
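Review bot: The new `identity_file_userprovided[]` member of `Options` in readconf.h carries no comment, unlike `num_identity_files` beside it, so a reader cannot tell what its values mean or who writes them; suggest `/* nonzero if given via -i/IdentityFile, 0 for a built-in default */` on that line. `add_identity_file` only writes the slot it fills, so slots beyond `num_identity_files` hold whatever `initialize_options` left there; that function is outside this diff, so it is worth confirming it zeroes the whole struct (or the new array) so nothing ever reads an uninitialised flag by index.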
@@ -1384,7 +1384,7 @@ pubkey_prepare(Authctxt *authctxt) id = xcalloc(1, sizeof(*id)); id->key = key; id->filename = xstrdup(options.identity_files[i]); - id->userprovided = 1; + id->userprovided = options.identity_file_userprovided[i]; TAILQ_INSERT_TAIL(&files, id, next); } /* Prefer PKCS11 keys that are explicitly listed */ -- cgit v1.2.1 From 78eb34b89b9f3c02a1efd9e37956042770658dcc Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Apr 2013 00:16:52 +0000 Subject: - dtucker@cvs.openbsd.org 2013/02/19 02:12:47 [krl.c] Remove bogus include. ok djm (id sync only) --- ChangeLog | 3 +++ krl.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index abcc11ad..b961c6ce 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,9 @@ Keep track of which IndentityFile options were manually supplied and which were default options, and don't warn if the latter are missing. ok markus@ + - dtucker@cvs.openbsd.org 2013/02/19 02:12:47 + [krl.c] + Remove bogus include. ok djm 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h diff --git a/krl.c b/krl.c index 5a6bd14a..0d9bb541 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.9 2013/01/27 10:06:12 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.10 2013/02/19 02:12:47 dtucker Exp $ */ #include "includes.h" -- cgit v1.2.1 From 5c2e554e235af95719a06175d3f96c538546e8cd Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Apr 2013 00:18:35 +0000 Subject: - dtucker@cvs.openbsd.org 2013/02/22 04:45:09 [ssh.c readconf.c readconf.h] Don't complain if IdentityFiles specified in system-wide configs are missing. ok djm, deraadt --- ChangeLog | 4 ++++ readconf.c | 13 +++++++------ readconf.h | 8 ++++++-- ssh.c | 10 ++++++---- 4 files changed, 23 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index b961c6ce..259d798e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -8,6 +8,10 @@ - dtucker@cvs.openbsd.org 2013/02/19 02:12:47 [krl.c] Remove bogus include. ok djm + - dtucker@cvs.openbsd.org 2013/02/22 04:45:09 + [ssh.c readconf.c readconf.h] + Don't complain if IdentityFiles specified in system-wide configs are + missing. ok djm, deraadt. 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h diff --git a/readconf.c b/readconf.c index 6f978f82..36265e43 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.195 2013/02/17 23:16:57 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -373,7 +373,7 @@ parse_token(const char *cp, const char *filename, int linenum) int process_config_line(Options *options, const char *host, char *line, const char *filename, int linenum, - int *activep) + int *activep, int userconfig) { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; char **cpptr, fwdarg[256]; @@ -606,7 +606,7 @@ parse_yesnoask: if (*intptr >= SSH_MAX_IDENTITY_FILES) fatal("%.200s line %d: Too many identity files specified (max %d).", filename, linenum, SSH_MAX_IDENTITY_FILES); - add_identity_file(options, NULL, arg, 1); + add_identity_file(options, NULL, arg, userconfig); } break; @@ -1093,7 +1093,7 @@ parse_int: int read_config_file(const char *filename, const char *host, Options *options, - int checkperm) + int flags) { FILE *f; char line[1024]; @@ -1103,7 +1103,7 @@ read_config_file(const char *filename, const char *host, Options *options, if ((f = fopen(filename, "r")) == NULL) return 0; - if (checkperm) { + if (flags & SSHCONF_CHECKPERM) { struct stat sb; if (fstat(fileno(f), &sb) == -1) 
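Review bot: `process_config_line`'s new last parameter `userconfig` is undocumented at its definition, and nothing in the signature says it is consulted only by the IdentityFile case further down; add a brief comment, e.g. `/* userconfig: nonzero when the line comes from the user's config file or the command line, 0 for the system-wide file; only IdentityFile consults it */`. The function body continues outside the hunk, so I could not check whether any other option should also distinguish system-wide from user config; if none should, the comment can say so.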
@@ -1124,7 +1124,8 @@ read_config_file(const char *filename, const char *host, Options *options, while (fgets(line, sizeof(line), f)) { /* Update line number counter. */ linenum++; - if (process_config_line(options, host, line, filename, linenum, &active) != 0) + if (process_config_line(options, host, line, filename, linenum, + &active, flags & SSHCONF_USERCONF) != 0) bad_options++; } fclose(f); diff --git a/readconf.h b/readconf.h index 35f59662..84164890 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.92 2013/02/17 23:16:57 dtucker Exp $ */ +/* $OpenBSD: readconf.h,v 1.93 2013/02/22 04:45:09 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -149,13 +149,17 @@ typedef struct { #define REQUEST_TTY_YES 2 #define REQUEST_TTY_FORCE 3 +#define SSHCONF_CHECKPERM 1 /* check permissions on config file */ +#define SSHCONF_USERCONF 2 /* user provided config file not system */ + void initialize_options(Options *); void fill_default_options(Options *); int read_config_file(const char *, const char *, Options *, int); int parse_forward(Forward *, const char *, int, int); int -process_config_line(Options *, const char *, char *, const char *, int, int *); +process_config_line(Options *, const char *, char *, const char *, int, int *, + int); void add_local_forward(Options *, const Forward *); void add_remote_forward(Options *, const Forward *); diff --git a/ssh.c b/ssh.c index 8a7aea09..5d3f492f 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.371 2013/02/17 23:16:57 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.372 2013/02/22 04:45:09 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -579,7 +579,8 @@ main(int ac, char **av) dummy = 1; line = xstrdup(optarg); if (process_config_line(&options, host ? host : "", - line, "command-line", 0, &dummy) != 0) + line, "command-line", 0, &dummy, SSHCONF_USERCONF) + != 0) exit(255); xfree(line); break; 
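Review bot: Both callers in this hunk pass a raw flag bit as `process_config_line`'s `userconfig` argument — `flags & SSHCONF_USERCONF` in read_config_file and `SSHCONF_USERCONF` in the `-o` handler — so what `add_identity_file` records in `identity_file_userprovided[]` is 2, whereas the `-i` path stores 1. Everything visible only tests the value for truthiness, so it works today, but a future `== 1` comparison or use as an index would break silently; normalise at the boundary with `&active, (flags & SSHCONF_USERCONF) != 0)` in read_config_file and `&dummy, 1)` in the `-o` case, or document the parameter's contract as "nonzero". `SSHCONF_USERCONF`'s comment in readconf.h, `user provided config file not system`, would also read better as `/* user's config file or -o option, not the system-wide file */` since the `-o` path sets it too.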
@@ -673,14 +674,15 @@ main(int ac, char **av) * file if the user specifies a config file on the command line. */ if (config != NULL) { - if (!read_config_file(config, host, &options, 0)) + if (!read_config_file(config, host, &options, SSHCONF_USERCONF)) fatal("Can't open user config file %.100s: " "%.100s", config, strerror(errno)); } else { r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, _PATH_SSH_USER_CONFFILE); if (r > 0 && (size_t)r < sizeof(buf)) - (void)read_config_file(buf, host, &options, 1); + (void)read_config_file(buf, host, &options, + SSHCONF_CHECKPERM|SSHCONF_USERCONF); /* Read systemwide configuration file after user config. */ (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, -- cgit v1.2.1 From f212a850835ddad7fd4b3e040d9eb9ef90f7b82b Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Apr 2013 00:20:00 +0000 Subject: - markus@cvs.openbsd.org 2013/02/22 19:13:56 [sshconnect.c] support ProxyCommand=- (stdin/out already point to the proxy); ok djm@ --- ChangeLog | 3 +++ sshconnect.c | 9 ++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 259d798e..f53fa055 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ [ssh.c readconf.c readconf.h] Don't complain if IdentityFiles specified in system-wide configs are missing. ok djm, deraadt. + - markus@cvs.openbsd.org 2013/02/22 19:13:56 + [sshconnect.c] + support ProxyCommand=- (stdin/out already point to the proxy); ok djm@ 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h diff --git a/sshconnect.c b/sshconnect.c index 07800a65..cf071128 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.236 2012/09/14 16:51:34 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.237 2013/02/22 19:13:56 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
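Review bot: The third `read_config_file` call, for `_PATH_HOST_CONFIG_FILE`, is cut off by the end of the hunk, so its flags argument is not visible; the commit's intent (system-wide IdentityFiles not flagged as user-provided) only holds if that call omits `SSHCONF_USERCONF`, so that is the line to double-check. A `-F` file is now read with `SSHCONF_USERCONF` but still without `SSHCONF_CHECKPERM` (it was `0` before), so the permission check continues to apply only to the default `~/.ssh/config`; a short comment such as `/* -F file: user config, but no permission check (matches old behaviour) */` above `if (config != NULL)` would record that the asymmetry is intentional.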
@@ -89,6 +89,13 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) pid_t pid; char *shell, strport[NI_MAXSERV]; + if (!strcmp(proxy_command, "-")) { + packet_set_connection(STDIN_FILENO, STDOUT_FILENO); + packet_set_timeout(options.server_alive_interval, + options.server_alive_count_max); + return 0; + } + if ((shell = getenv("SHELL")) == NULL || *shell == '\0') shell = _PATH_BSHELL; -- cgit v1.2.1 From 0a1d9ce176f022bc9dc61a1ea16fa2a6f09fb766 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 5 Apr 2013 00:22:26 +0000 Subject: - djm@cvs.openbsd.org 2013/02/22 22:09:01 [ssh.c] Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier version) --- ChangeLog | 4 ++++ ssh.c | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f53fa055..d7180176 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ - markus@cvs.openbsd.org 2013/02/22 19:13:56 [sshconnect.c] support ProxyCommand=- (stdin/out already point to the proxy); ok djm@ + - djm@cvs.openbsd.org 2013/02/22 22:09:01 + [ssh.c] + Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier + version) 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h diff --git a/ssh.c b/ssh.c index 5d3f492f..5ec89f2c 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.372 2013/02/22 04:45:09 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.373 2013/02/22 22:09:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1536,7 +1536,8 @@ load_public_identity_files(void) fatal("load_public_identity_files: gethostname: %s", strerror(errno)); for (i = 0; i < options.num_identity_files; i++) { - if (n_ids >= SSH_MAX_IDENTITY_FILES) { + if (n_ids >= SSH_MAX_IDENTITY_FILES || + strcasecmp(options.identity_files[i], "none") == 0) { xfree(options.identity_files[i]); continue; } -- cgit v1.2.1 From 592251106951bea6b3b7b6caac82f5772e5f42cc Mon Sep 17 00:00:00 2001 
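Review bot: The new `-` branch in ssh_proxy_connect hands the process's own stdin and stdout to `packet_set_connection` with no sanity check, so `ProxyCommand=-` typed at an interactive shell runs the SSH banner exchange against the user's terminal rather than failing clearly. Whether to reject that is a judgement call, since the feature exists precisely for a parent that has already wired the descriptors, but a guard such as `if (isatty(STDIN_FILENO) || isatty(STDOUT_FILENO)) fatal("ProxyCommand=-: stdin/stdout must be connected to the proxy");` would catch the obvious misuse at the cost of one line. Stylistically, `!strcmp(proxy_command, "-")` departs from the `strcmp(...) == 0` form used elsewhere in this series (the `strcasecmp(...) == 0` in the next commit, for instance); ssh_proxy_connect continues outside the hunk.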
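Review bot: Skipping an entry with `continue` here leaves `n_ids` behind `i`, so surviving identities are evidently compacted into lower slots, yet `pubkey_prepare` (first commit of this series) reads `options.identity_file_userprovided[i]` with the same index it uses for `identity_files[i]`; unless the compaction after this hunk also moves `identity_file_userprovided`, the user-provided flags drift by one slot per skipped entry, and `none` turns the skip path from an overflow corner into an everyday case. The rest of load_public_identity_files is outside the hunk, so I cannot see whether that is handled; if not, add `options.identity_file_userprovided[n_ids] = options.identity_file_userprovided[i];` beside the line that stores `identity_files[n_ids]`. Minor: the freed `options.identity_files[i]` is left dangling on the skip path, which is fine only if the array is rebuilt wholesale afterwards as the `n_ids` counter suggests; a comment on the `continue` saying so would save the next reader the same question.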
From: djm Date: Thu, 18 Apr 2013 01:26:26 +0000 Subject: - (djm) [config.guess config.sub] Update to last versions before they switch to GPL3. ok dtucker@ --- config.guess | 262 ++++++++++++++++++++++++++++++++--------------------------- config.sub | 190 +++++++++++++++++++++++++++---------------- 2 files changed, 266 insertions(+), 186 deletions(-) diff --git a/config.guess b/config.guess index 78553c4e..b94cde8e 100755 --- a/config.guess +++ b/config.guess @@ -2,9 +2,9 @@ # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -# 2011 Free Software Foundation, Inc. +# 2011, 2012, 2013 Free Software Foundation, Inc. -timestamp='2011-01-23' +timestamp='2012-12-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -17,9 +17,7 @@ timestamp='2011-01-23' # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -57,8 +55,8 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free -Software Foundation, Inc. +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, +2012, 2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or - # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward @@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in fi ;; *) - os=netbsd + os=netbsd ;; esac # The OS release @@ -202,6 +200,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; + *:Bitrig:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} + exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} @@ -224,7 +226,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) - UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on @@ -299,12 +301,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in echo s390-ibm-zvmoe exit ;; *:OS400:*:*) - echo powerpc-ibm-os400 + echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; - arm:riscos:*:*|arm:RISCOS:*:*) + arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) 
@@ -398,23 +400,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} - exit ;; + exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint${UNAME_RELEASE} - exit ;; + echo m68k-milan-mint${UNAME_RELEASE} + exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint${UNAME_RELEASE} - exit ;; + echo m68k-hades-mint${UNAME_RELEASE} + exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint${UNAME_RELEASE} - exit ;; + echo m68k-unknown-mint${UNAME_RELEASE} + exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; @@ -484,8 +486,8 @@ EOF echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) - # DG/UX returns AViiON for all architectures - UNAME_PROCESSOR=`/usr/bin/uname -p` + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ @@ -498,7 +500,7 @@ EOF else echo i586-dg-dgux${UNAME_RELEASE} fi - exit ;; + exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; 
@@ -598,52 +600,52 @@ EOF 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` - sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 - 532) # CPU_PA_RISC2_0 - case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in + 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 + 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in + 32) HP_ARCH="hppa2.0n" ;; + 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 - esac ;; - esac + esac ;; + esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + sed 's/^ //' << EOF >$dummy.c - #define _HPUX_SOURCE - #include - #include + #define _HPUX_SOURCE + #include + #include - int main () - { - #if defined(_SC_KERNEL_BITS) - long bits = sysconf(_SC_KERNEL_BITS); - #endif - long cpu = sysconf (_SC_CPU_VERSION); + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); - switch (cpu) - { - case CPU_PA_RISC1_0: puts ("hppa1.0"); break; - case CPU_PA_RISC1_1: puts ("hppa1.1"); break; - case CPU_PA_RISC2_0: - #if defined(_SC_KERNEL_BITS) - switch (bits) - { - case 64: puts ("hppa2.0w"); break; - case 32: puts ("hppa2.0n"); break; - default: puts ("hppa2.0"); break; - } break; - #else /* !defined(_SC_KERNEL_BITS) */ - puts ("hppa2.0"); break; - #endif - default: puts ("hppa1.0"); break; - } - exit (0); - } + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + 
default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa @@ -734,22 +736,22 @@ EOF exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd - exit ;; + exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi - exit ;; + exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd - exit ;; + exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd - exit ;; + exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd - exit ;; + exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; 
@@ -773,14 +775,14 @@ EOF exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` - echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit ;; + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` - echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} 
@@ -792,30 +794,35 @@ EOF echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) - case ${UNAME_MACHINE} in - pc98) - echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + UNAME_PROCESSOR=`/usr/bin/uname -p` + case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) - echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; + *:MINGW64*:*) + echo ${UNAME_MACHINE}-pc-mingw64 + exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; + i*:MSYS*:*) + echo ${UNAME_MACHINE}-pc-msys + exit ;; i*:windows32*:*) - # uname -m includes "-pc" on this system. - echo ${UNAME_MACHINE}-mingw32 + # uname -m includes "-pc" on this system. + echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) - case ${UNAME_MACHINE} in + case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; @@ -861,6 +868,13 @@ EOF i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; + aarch64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; @@ -870,7 +884,7 @@ EOF EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; - esac + esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} 
@@ -882,20 +896,29 @@ EOF then echo ${UNAME_MACHINE}-unknown-linux-gnu else - echo ${UNAME_MACHINE}-unknown-linux-gnueabi + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + echo ${UNAME_MACHINE}-unknown-linux-gnueabi + else + echo ${UNAME_MACHINE}-unknown-linux-gnueabihf + fi fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; cris:Linux:*:*) - echo cris-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-gnu exit ;; crisv32:Linux:*:*) - echo crisv32-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-gnu exit ;; frv:Linux:*:*) - echo frv-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + hexagon:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; i*86:Linux:*:*) LIBC=gnu @@ -937,7 +960,7 @@ EOF test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; or32:Linux:*:*) - echo or32-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; padre:Linux:*:*) echo sparc-unknown-linux-gnu @@ -963,7 +986,7 @@ EOF echo ${UNAME_MACHINE}-ibm-linux exit ;; sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu @@ -972,16 +995,16 @@ EOF echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; tile*:Linux:*:*) - echo ${UNAME_MACHINE}-tilera-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-gnu exit ;; x86_64:Linux:*:*) - echo x86_64-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; xtensa*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. 
@@ -990,11 +1013,11 @@ EOF echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) - # Unixware is an offshoot of SVR4, but it has its own version - # number series starting with 2... - # I am not positive that other SVR4 systems won't match this, + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. - # Use sysv4.2uw... so that sysv4* matches it. + # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) @@ -1026,7 +1049,7 @@ EOF fi exit ;; i*86:*:5:[678]*) - # UnixWare 7.x, OpenUNIX and OpenServer 6. + # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; @@ -1054,13 +1077,13 @@ EOF exit ;; pc:*:*:*) # Left here for compatibility: - # uname -m prints for DJGPP always 'pc', but it prints nothing about - # the processor, so we play safe by assuming i586. + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. echo i586-pc-msdosdjgpp - exit ;; + exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; @@ -1095,8 +1118,8 @@ EOF /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) - /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4; exit; } ;; + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ 
@@ -1139,10 +1162,10 @@ EOF echo ns32k-sni-sysv fi exit ;; - PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort - # says - echo i586-unisys-sysv4 - exit ;; + PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm @@ -1168,11 +1191,11 @@ EOF exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then - echo mips-nec-sysv${UNAME_RELEASE} + echo mips-nec-sysv${UNAME_RELEASE} else - echo mips-unknown-sysv${UNAME_RELEASE} + echo mips-unknown-sysv${UNAME_RELEASE} fi - exit ;; + exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; @@ -1185,6 +1208,9 @@ EOF BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; + x86_64:Haiku:*:*) + echo x86_64-unknown-haiku + exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; @@ -1240,7 +1266,7 @@ EOF NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; - NSE-?:NONSTOP_KERNEL:*:*) + NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) @@ -1285,13 +1311,13 @@ EOF echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) - echo mips-sei-seiux${UNAME_RELEASE} + echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) - UNAME_MACHINE=`(uname -p) 2>/dev/null` + UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; 
@@ -1309,11 +1335,11 @@ EOF i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; + x86_64:VMkernel:*:*) + echo ${UNAME_MACHINE}-unknown-esx + exit ;; esac -#echo '(No uname command or uname output not recognized.)' 1>&2 -#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 - eval $set_cc_for_build cat >$dummy.c < printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 - "4" + "4" #else - "" + "" #endif - ); exit (0); + ); exit (0); #endif #endif diff --git a/config.sub b/config.sub index 2d816962..eee8dccb 100755 --- a/config.sub +++ b/config.sub @@ -2,9 +2,9 @@ # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -# 2011 Free Software Foundation, Inc. +# 2011, 2012, 2013 Free Software Foundation, Inc. -timestamp='2011-01-01' +timestamp='2012-12-23' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -21,9 +21,7 @@ timestamp='2011-01-01' # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -76,8 +74,8 @@ version="\ GNU config.sub ($timestamp) Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free -Software Foundation, Inc. +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, +2012, 2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -125,13 +123,17 @@ esac maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ - linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ + linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; + android-linux) + os=-linux-android + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown + ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] @@ -154,12 +156,12 @@ case $os in -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray | -microblaze) + -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; - -bluegene*) - os=-cnk + -bluegene*) + os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= @@ -175,10 +177,10 @@ case $os in os=-chorusos basic_machine=$1 ;; - -chorusrdb) - os=-chorusrdb + -chorusrdb) + os=-chorusrdb basic_machine=$1 - ;; + ;; -hiux*) os=-hiuxwe2 ;; @@ -223,6 +225,12 @@ case $os in -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; + -lynx*178) + os=-lynxos178 + ;; + -lynx*5) + os=-lynxos5 + ;; -lynx*) os=-lynxos ;; 
@@ -247,20 +255,27 @@ case $basic_machine in # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ + | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ - | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ + | arc \ + | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ + | avr | avr32 \ + | be32 | be64 \ | bfin \ | c4x | clipper \ | d10v | d30v | dlx | dsp16xx \ + | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | mcore | mep | metag \ + | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ @@ -286,22 +301,23 @@ case $basic_machine in | nds32 | nds32le | nds32be \ | nios | nios2 \ | ns16k | ns32k \ + | open8 \ | or32 \ | pdp10 | pdp11 | pj | pjl \ - | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ + | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ - | rx \ + | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ - | spu | strongarm \ - | tahoe | thumb | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ + | spu \ + | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ - | v850 | v850e \ + | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | we32k \ - | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ + | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; 
@@ -314,8 +330,7 @@ case $basic_machine in c6x) basic_machine=tic6x-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | picochip) - # Motorola 68HC11/12. + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) basic_machine=$basic_machine-unknown os=-none ;; @@ -325,6 +340,21 @@ case $basic_machine in basic_machine=mt-unknown ;; + strongarm | thumb | xscale) + basic_machine=arm-unknown + ;; + xgate) + basic_machine=$basic_machine-unknown + os=-none + ;; + xscaleeb) + basic_machine=armeb-unknown + ;; + + xscaleel) + basic_machine=armel-unknown + ;; + # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. @@ -339,11 +369,13 @@ case $basic_machine in # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ + | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ + | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | clipper-* | craynv-* | cydra-* \ @@ -352,12 +384,15 @@ case $basic_machine in | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ + | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ + | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ 
@@ -382,24 +417,26 @@ case $basic_machine in | nds32-* | nds32le-* | nds32be-* \ | nios-* | nios2-* \ | none-* | np1-* | ns16k-* | ns32k-* \ + | open8-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ - | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ + | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ - | romp-* | rs6000-* | rx-* \ + | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \ - | tahoe-* | thumb-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ + | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ - | tile-* | tilegx-* \ + | tile*-* \ | tron-* \ | ubicom32-* \ - | v850-* | v850e-* | vax-* \ + | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ + | vax-* \ | we32k-* \ - | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ + | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) @@ -424,7 +461,7 @@ case $basic_machine in basic_machine=a29k-amd os=-udi ;; - abacus) + abacus) basic_machine=abacus-unknown ;; adobe68k) @@ -507,7 +544,7 @@ case $basic_machine in basic_machine=c90-cray os=-unicos ;; - cegcc) + cegcc) basic_machine=arm-unknown os=-cegcc ;; @@ -697,7 +734,6 @@ case $basic_machine in i370-ibm* | ibm*) basic_machine=i370-ibm ;; -# I'm not sure what "Sysv32" means. Should this be sysv3.2? i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 
@@ -755,9 +791,13 @@ case $basic_machine in basic_machine=ns32k-utek os=-sysv ;; - microblaze) + microblaze*) basic_machine=microblaze-xilinx ;; + mingw64) + basic_machine=x86_64-pc + os=-mingw64 + ;; mingw32) basic_machine=i386-pc os=-mingw32 @@ -794,10 +834,18 @@ case $basic_machine in ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; + msys) + basic_machine=i386-pc + os=-msys + ;; mvs) basic_machine=i370-ibm os=-mvs ;; + nacl) + basic_machine=le32-unknown + os=-nacl + ;; ncr3000) basic_machine=i486-ncr os=-sysv4 @@ -862,10 +910,10 @@ case $basic_machine in np1) basic_machine=np1-gould ;; - neo-tandem) + neo-tandem) basic_machine=neo-tandem ;; - nse-tandem) + nse-tandem) basic_machine=nse-tandem ;; nsr-tandem) @@ -950,9 +998,10 @@ case $basic_machine in ;; power) basic_machine=power-ibm ;; - ppc) basic_machine=powerpc-unknown + ppc | ppcbe) basic_machine=powerpc-unknown ;; - ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ppc-* | ppcbe-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown @@ -977,7 +1026,11 @@ case $basic_machine in basic_machine=i586-unknown os=-pw32 ;; - rdos) + rdos | rdos64) + basic_machine=x86_64-pc + os=-rdos + ;; + rdos32) basic_machine=i386-pc os=-rdos ;; @@ -1046,6 +1099,9 @@ case $basic_machine in basic_machine=i860-stratus os=-sysv4 ;; + strongarm-* | thumb-*) + basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; sun2) basic_machine=m68000-sun ;; @@ -1102,13 +1158,8 @@ case $basic_machine in basic_machine=t90-cray os=-unicos ;; - # This must be matched before tile*. - tilegx*) - basic_machine=tilegx-unknown - os=-linux-gnu - ;; tile*) - basic_machine=tile-unknown + basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) 
@@ -1178,6 +1229,9 @@ case $basic_machine in xps | xps100) basic_machine=xps100-honeywell ;; + xscale-* | xscalee[bl]-*) + basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` + ;; ymp) basic_machine=ymp-cray os=-unicos @@ -1275,11 +1329,11 @@ esac if [ x"$os" != x"" ] then case $os in - # First match some system type aliases - # that might get confused with valid system types. + # First match some system type aliases + # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. - -auroraux) - os=-auroraux + -auroraux) + os=-auroraux ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` @@ -1309,15 +1363,15 @@ case $os in | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -openbsd* | -solidbsd* \ + | -bitrig* | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ - | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -linux-android* \ - | -linux-newlib* | -linux-uclibc* \ + | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ @@ -1364,7 +1418,7 @@ case $os in -opened*) os=-openedition ;; - -os400*) + -os400*) os=-os400 ;; -wince*) @@ -1413,7 +1467,7 @@ case $os in -sinix*) os=-sysv4 ;; - -tpf*) + -tpf*) os=-tpf ;; -triton*) 
@@ -1458,8 +1512,8 @@ case $os in -dicos*) os=-dicos ;; - -nacl*) - ;; + -nacl*) + ;; -none) ;; *) @@ -1482,10 +1536,10 @@ else # system, and we'll never get to this point. case $basic_machine in - score-*) + score-*) os=-elf ;; - spu-*) + spu-*) os=-elf ;; *-acorn) @@ -1497,8 +1551,11 @@ case $basic_machine in arm*-semi) os=-aout ;; - c4x-* | tic4x-*) - os=-coff + c4x-* | tic4x-*) + os=-coff + ;; + hexagon-*) + os=-elf ;; tic54x-*) os=-coff @@ -1527,14 +1584,11 @@ case $basic_machine in ;; m68000-sun) os=-sunos3 - # This also exists in the configure program, but was not the - # default. - # os=-sunos4 ;; m68*-cisco) os=-aout ;; - mep-*) + mep-*) os=-elf ;; mips*-cisco) @@ -1561,7 +1615,7 @@ case $basic_machine in *-ibm) os=-aix ;; - *-knuth) + *-knuth) os=-mmixware ;; *-wec) -- cgit v1.2.1 From 45a8e4937d8b608dba9fd20662782c5ed5091a65 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 18 Apr 2013 11:36:19 +0000 Subject: - (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from unused argument warnings (in particular, -fno-builtin-memset) from clang. --- ChangeLog | 6 ++++++ configure.ac | 5 +++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d7180176..cfd95e44 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20130418 + - (djm) [config.guess config.sub] Update to last versions before they switch + to GPL3. ok dtucker@ + - (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from + unused argument warnings (in particular, -fno-builtin-memset) from clang. + 20130404 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/02/17 23:16:57 diff --git a/configure.ac b/configure.ac index 5db4b623..9777d597 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.519 2013/03/22 01:49:15 dtucker Exp $ +# $Id: configure.ac,v 1.520 2013/04/18 11:36:20 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.519 $) +AC_REVISION($Revision: 1.520 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -137,6 +137,7 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) + OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` -- cgit v1.2.1 From 6c149ed764b63d689065b97cf88d3e03e0843dc8 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 04:25:52 +0000 Subject: - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support platforms, such as Android, that lack struct passwd.pw_gecos. Report and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@ --- ChangeLog | 5 +++++ auth.c | 4 +++- configure.ac | 54 +++++++++++------------------------------------------- misc.c | 8 +++++--- monitor.c | 4 +++- monitor_wrap.c | 4 +++- 6 files changed, 30 insertions(+), 49 deletions(-) diff --git a/ChangeLog b/ChangeLog index cfd95e44..3fd81aa3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130423 + - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support + platforms, such as Android, that lack struct passwd.pw_gecos. Report + and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@ + 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch to GPL3. ok dtucker@ diff --git a/auth.c b/auth.c index 6128fa46..666c493d 100644 --- a/auth.c +++ b/auth.c 
@@ -721,10 +721,12 @@ fakepw(void) fake.pw_name = "NOUSER"; fake.pw_passwd = "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS fake.pw_gecos = "NOUSER"; +#endif fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; -#ifdef HAVE_PW_CLASS_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS fake.pw_class = ""; #endif fake.pw_dir = "/nonexist"; diff --git a/configure.ac b/configure.ac index 9777d597..c30d547d 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.520 2013/04/18 11:36:20 dtucker Exp $ +# $Id: configure.ac,v 1.521 2013/04/23 04:25:53 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.520 $) +AC_REVISION($Revision: 1.521 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3303,9 +3303,16 @@ OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX]) OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX]) AC_CHECK_MEMBERS([struct stat.st_blksize]) +AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class, +struct passwd.pw_change, struct passwd.pw_expire], +[], [], [[ +#include +#include +]]) + AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state], [Define if we don't have struct __res_state in resolv.h])], -[ +[[ #include #if HAVE_SYS_TYPES_H # include @@ -3313,7 +3320,7 @@ AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [sta #include #include #include -]) +]]) AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage], ac_cv_have_ss_family_in_struct_ss, [ 
@@ -3343,45 +3350,6 @@ if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then [Fields in struct sockaddr_storage]) fi -AC_CACHE_CHECK([for pw_class field in struct passwd], - ac_cv_have_pw_class_in_struct_passwd, [ - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], - [[ struct passwd p; p.pw_class = 0; ]])], - [ ac_cv_have_pw_class_in_struct_passwd="yes" ], - [ ac_cv_have_pw_class_in_struct_passwd="no" - ]) -]) -if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then - AC_DEFINE([HAVE_PW_CLASS_IN_PASSWD], [1], - [Define if your password has a pw_class field]) -fi - -AC_CACHE_CHECK([for pw_expire field in struct passwd], - ac_cv_have_pw_expire_in_struct_passwd, [ - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], - [[ struct passwd p; p.pw_expire = 0; ]])], - [ ac_cv_have_pw_expire_in_struct_passwd="yes" ], - [ ac_cv_have_pw_expire_in_struct_passwd="no" - ]) -]) -if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then - AC_DEFINE([HAVE_PW_EXPIRE_IN_PASSWD], [1], - [Define if your password has a pw_expire field]) -fi - -AC_CACHE_CHECK([for pw_change field in struct passwd], - ac_cv_have_pw_change_in_struct_passwd, [ - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], - [[ struct passwd p; p.pw_change = 0; ]])], - [ ac_cv_have_pw_change_in_struct_passwd="yes" ], - [ ac_cv_have_pw_change_in_struct_passwd="no" - ]) -]) -if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then - AC_DEFINE([HAVE_PW_CHANGE_IN_PASSWD], [1], - [Define if your password has a pw_change field]) -fi - dnl make sure we're using the real structure members and not defines AC_CACHE_CHECK([for msg_accrights field in struct msghdr], ac_cv_have_accrights_in_msghdr, [ diff --git a/misc.c b/misc.c index a7a23dcc..9e287433 100644 --- a/misc.c +++ b/misc.c 
@@ -206,16 +206,18 @@ pwcopy(struct passwd *pw) copy->pw_name = xstrdup(pw->pw_name); copy->pw_passwd = xstrdup(pw->pw_passwd); +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS copy->pw_gecos = xstrdup(pw->pw_gecos); +#endif copy->pw_uid = pw->pw_uid; copy->pw_gid = pw->pw_gid; -#ifdef HAVE_PW_EXPIRE_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE copy->pw_expire = pw->pw_expire; #endif -#ifdef HAVE_PW_CHANGE_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_CHANGE copy->pw_change = pw->pw_change; #endif -#ifdef HAVE_PW_CLASS_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS copy->pw_class = xstrdup(pw->pw_class); #endif copy->pw_dir = xstrdup(pw->pw_dir); diff --git a/monitor.c b/monitor.c index 8006b833..6560740b 100644 --- a/monitor.c +++ b/monitor.c @@ -778,8 +778,10 @@ mm_answer_pwnamallow(int sock, Buffer *m) buffer_put_string(m, pwent, sizeof(struct passwd)); buffer_put_cstring(m, pwent->pw_name); buffer_put_cstring(m, "*"); +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS buffer_put_cstring(m, pwent->pw_gecos); -#ifdef HAVE_PW_CLASS_IN_PASSWD +#endif +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS buffer_put_cstring(m, pwent->pw_class); #endif buffer_put_cstring(m, pwent->pw_dir); diff --git a/monitor_wrap.c b/monitor_wrap.c index ea654a73..3304f5bf 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -259,8 +259,10 @@ mm_getpwnamallow(const char *username) fatal("%s: struct passwd size mismatch", __func__); pw->pw_name = buffer_get_string(&m, NULL); pw->pw_passwd = buffer_get_string(&m, NULL); +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS pw->pw_gecos = buffer_get_string(&m, NULL); -#ifdef HAVE_PW_CLASS_IN_PASSWD +#endif +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS pw->pw_class = buffer_get_string(&m, NULL); #endif pw->pw_dir = buffer_get_string(&m, NULL); -- cgit v1.2.1 From 85fb5933d33d8e5a6bc29e009f4180e3964ca966 Mon Sep 17 00:00:00 2001 
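Review bot: The field list parsed here in mm_getpwnamallow has to stay in lockstep with the one serialised by mm_answer_pwnamallow in monitor.c, and both sides are now gated on the same HAVE_STRUCT_PASSWD_PW_GECOS / HAVE_STRUCT_PASSWD_PW_CLASS macros with nothing tying them together; a maintainer adding or reordering a field on one side would get a silently misaligned privsep message rather than a build error. I would add `/* Keep in sync with mm_answer_pwnamallow() in monitor.c: every field must be written and read under the same #ifdef, in the same order. */` above the first buffer_get_string, with the mirror note in monitor.c. The remaining fields are read past the end of the hunk; mm_getpwnamallow continues outside it.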
From: djm Date: Tue, 23 Apr 2013 05:17:12 +0000 Subject: - djm@cvs.openbsd.org 2013/03/06 23:36:53 [readconf.c] g/c unused variable (-Wunused) --- readconf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/readconf.c b/readconf.c index 36265e43..6e708e02 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.197 2013/03/06 23:36:53 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1232,8 +1232,6 @@ initialize_options(Options * options) void fill_default_options(Options * options) { - int len; - if (options->forward_agent == -1) options->forward_agent = 0; if (options->forward_x11 == -1) -- cgit v1.2.1 From 0e7bab9b2ebe00105a3c9234af6fd62b1ad680b3 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:17:53 +0000 Subject: - djm@cvs.openbsd.org 2013/03/07 00:19:59 [auth2-pubkey.c monitor.c] reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@ --- auth2-pubkey.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 3ff6faa8..c28bef7a 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.35 2013/03/07 00:19:59 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -75,7 +75,7 @@ userauth_pubkey(Authctxt *authctxt) { Buffer b; Key *key = NULL; - char *pkalg; + char *pkalg, *userstyle; u_char *pkblob, *sig; u_int alen, blen, slen; int have_sig, pktype; 
@@ -127,7 +127,11 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); - buffer_put_cstring(&b, authctxt->user); + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); + buffer_put_cstring(&b, userstyle); + free(userstyle); buffer_put_cstring(&b, datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : -- cgit v1.2.1 From 12dc3e0fd962d6771a7cca6805262c7b4cafa062 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:18:10 +0000 Subject: - markus@cvs.openbsd.org 2013/03/07 19:27:25 [auth.h auth2-chall.c auth2.c monitor.c sshd_config.5] add submethod support to AuthenticationMethods; ok and freedback djm@ --- auth.h | 5 ++-- auth2-chall.c | 12 ++++++---- auth2.c | 76 ++++++++++++++++++++++++++++++++++++++++++----------------- monitor.c | 39 ++++++++++++++++++------------ 4 files changed, 90 insertions(+), 42 deletions(-) diff --git a/auth.h b/auth.h index c6fe8472..7ff59f1b 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.73 2013/03/07 19:27:25 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -157,8 +157,9 @@ void userauth_send_banner(const char *); char *auth2_read_banner(void); int auth2_methods_valid(const char *, int); -int auth2_update_methods_lists(Authctxt *, const char *); +int auth2_update_methods_lists(Authctxt *, const char *, const char *); int auth2_setup_methods_lists(Authctxt *); +int auth2_method_allowed(Authctxt *, const char *, const char *); void privsep_challenge_enable(void); diff --git a/auth2-chall.c b/auth2-chall.c index 6505d400..ed1acdd3 100644 --- a/auth2-chall.c +++ b/auth2-chall.c 
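Review bot: The reconstructed `userstyle` is the exact string the client's signature was computed over, so it must match what was sent byte for byte and must match what the monitor re-derives when it validates the blob, yet neither constraint is stated at the xasprintf call. I would add `/* The client signed the full "user[:style]" name it sent; rebuild it exactly. monitor_valid_userblob() performs the same reconstruction. */` above it. Also `free(userstyle)` here versus `xfree()` in the monitor-side counterpart of this series is correct only if xasprintf() allocates with plain malloc/vasprintf, which I believe it does, but it is worth a glance for consistency. userauth_pubkey continues outside the hunk.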
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.37 2013/03/07 19:27:25 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -155,7 +155,7 @@ kbdint_free(KbdintAuthctxt *kbdintctxt) } /* get next device */ static int -kbdint_next_device(KbdintAuthctxt *kbdintctxt) +kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) { size_t len; char *t; @@ -169,9 +169,13 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt) if (len == 0) break; - for (i = 0; devices[i]; i++) + for (i = 0; devices[i]; i++) { + if (!auth2_method_allowed(authctxt, + "keyboard-interactive", devices[i]->name)) + continue; if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) kbdintctxt->device = devices[i]; + } t = kbdintctxt->devices; kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; xfree(t); @@ -221,7 +225,7 @@ auth2_challenge_start(Authctxt *authctxt) debug2("auth2_challenge_start: devices %s", kbdintctxt->devices ? kbdintctxt->devices : ""); - if (kbdint_next_device(kbdintctxt) == 0) { + if (kbdint_next_device(authctxt, kbdintctxt) == 0) { auth2_challenge_stop(authctxt); return 0; } diff --git a/auth2.c b/auth2.c index e367a104..e4448216 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.127 2013/03/07 19:27:25 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
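Review bot: When auth2_method_allowed() rejects a device in the new loop it is skipped silently, so a client naming a submethod that AuthenticationMethods does not permit just sees the device vanish and the only trace is the later challenge failure; a debug line makes that diagnosable: `debug2("%s: submethod %s not permitted by AuthenticationMethods, skipping", __func__, devices[i]->name);` before the `continue`. The selection itself is still the pre-existing `strncmp(..., len)` prefix comparison against the token from kbdintctxt->devices (which I take to be the client-supplied list), so it is right that the allowed check is keyed on `devices[i]->name` rather than on the token — a one-line comment saying so would stop someone "fixing" it later. kbdint_next_device continues outside the hunk.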
@@ -98,8 +98,12 @@ static void input_userauth_request(int, u_int32_t, void *); /* helper */ static Authmethod *authmethod_lookup(Authctxt *, const char *); static char *authmethods_get(Authctxt *authctxt); -static int method_allowed(Authctxt *, const char *); -static int list_starts_with(const char *, const char *); + +#define MATCH_NONE 0 /* method or submethod mismatch */ +#define MATCH_METHOD 1 /* method matches (no submethod specified) */ +#define MATCH_BOTH 2 /* method and submethod match */ +#define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */ +static int list_starts_with(const char *, const char *, const char *); char * auth2_read_banner(void) @@ -316,7 +320,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, } if (authenticated && options.num_auth_methods != 0) { - if (!auth2_update_methods_lists(authctxt, method)) { + if (!auth2_update_methods_lists(authctxt, method, submethod)) { authenticated = 0; partial = 1; } @@ -387,8 +391,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, * methods list. Returns 1 if allowed, or no methods lists configured. * 0 otherwise. */ -static int -method_allowed(Authctxt *authctxt, const char *method) +int +auth2_method_allowed(Authctxt *authctxt, const char *method, + const char *submethod) { u_int i; @@ -399,7 +404,8 @@ method_allowed(Authctxt *authctxt, const char *method) if (options.num_auth_methods == 0) return 1; for (i = 0; i < authctxt->num_auth_methods; i++) { - if (list_starts_with(authctxt->auth_methods[i], method)) + if (list_starts_with(authctxt->auth_methods[i], method, + submethod) != MATCH_NONE) return 1; } return 0; @@ -419,7 +425,8 @@ authmethods_get(Authctxt *authctxt) if (authmethods[i]->enabled == NULL || *(authmethods[i]->enabled) == 0) continue; - if (!method_allowed(authctxt, authmethods[i]->name)) + if (!auth2_method_allowed(authctxt, authmethods[i]->name, + NULL)) continue; if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); 
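Review bot: The comment above auth2_method_allowed still describes the old contract and says nothing about what a NULL `submethod` means, although the function is now exported through auth.h and called from auth2-chall.c with both forms. Reading list_starts_with, a NULL submethod matches a submethod-qualified entry as MATCH_PARTIAL (treated as allowed here), while a non-NULL one must equal the entry's submethod or the entry must have none; I would document that: `/* submethod may be NULL, in which case an entry qualified with a submethod (e.g. "keyboard-interactive:bsdauth") still counts as allowing the method. */`. The function's closing brace is outside the hunk.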
@@ -442,7 +449,8 @@ authmethod_lookup(Authctxt *authctxt, const char *name) if (authmethods[i]->enabled != NULL && *(authmethods[i]->enabled) != 0 && strcmp(name, authmethods[i]->name) == 0 && - method_allowed(authctxt, authmethods[i]->name)) + auth2_method_allowed(authctxt, + authmethods[i]->name, NULL)) return authmethods[i]; debug2("Unrecognized authentication method name: %s", name ? name : "NULL"); @@ -457,7 +465,7 @@ authmethod_lookup(Authctxt *authctxt, const char *name) int auth2_methods_valid(const char *_methods, int need_enable) { - char *methods, *omethods, *method; + char *methods, *omethods, *method, *p; u_int i, found; int ret = -1; @@ -468,6 +476,8 @@ auth2_methods_valid(const char *_methods, int need_enable) omethods = methods = xstrdup(_methods); while ((method = strsep(&methods, ",")) != NULL) { for (found = i = 0; !found && authmethods[i] != NULL; i++) { + if ((p = strchr(method, ':')) != NULL) + *p = '\0'; if (strcmp(method, authmethods[i]->name) != 0) continue; if (need_enable) { @@ -533,15 +543,30 @@ auth2_setup_methods_lists(Authctxt *authctxt) } static int -list_starts_with(const char *methods, const char *method) +list_starts_with(const char *methods, const char *method, + const char *submethod) { size_t l = strlen(method); + int match; + const char *p; if (strncmp(methods, method, l) != 0) - return 0; - if (methods[l] != ',' && methods[l] != '\0') - return 0; - return 1; + return MATCH_NONE; + p = methods + l; + match = MATCH_METHOD; + if (*p == ':') { + if (!submethod) + return MATCH_PARTIAL; + l = strlen(submethod); + p += 1; + if (strncmp(submethod, p, l)) + return MATCH_NONE; + p += l; + match = MATCH_BOTH; + } + if (*p != ',' && *p != '\0') + return MATCH_NONE; + return match; } /* 
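Review bot: The new `strchr(method, ':')` truncation in auth2_methods_valid accepts a submethod on any method name — `publickey:foo` or a trailing `password:` pass validation even though only keyboard-interactive has submethods — and because remove_method only consumes an entry when the reported submethod matches, such a typo in sshd_config yields an entry that can never be satisfied rather than a configuration error. I would reject a submethod on methods that do not support one, or at least an empty one, e.g. `if (p != NULL && (p[1] == '\0' || strcmp(method, "keyboard-interactive") != 0)) /* invalid */` routed to the function's existing error path (which is outside the hunk). The truncation also sits inside the inner `for` over authmethods, where it only does work on the first iteration; hoisting it above the loop reads more honestly. auth2_methods_valid continues outside the hunk.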
@@ -550,14 +575,21 @@ list_starts_with(const char *methods, const char *method) * if it did. */ static int -remove_method(char **methods, const char *method) +remove_method(char **methods, const char *method, const char *submethod) { - char *omethods = *methods; + char *omethods = *methods, *p; size_t l = strlen(method); + int match; - if (!list_starts_with(omethods, method)) + match = list_starts_with(omethods, method, submethod); + if (match != MATCH_METHOD && match != MATCH_BOTH) return 0; - *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0)); + p = omethods + l; + if (submethod && match == MATCH_BOTH) + p += 1 + strlen(submethod); /* include colon */ + if (*p == ',') + p++; + *methods = xstrdup(p); free(omethods); return 1; } @@ -569,13 +601,15 @@ remove_method(char **methods, const char *method) * Returns 1 if the method completed any authentication list or 0 otherwise. */ int -auth2_update_methods_lists(Authctxt *authctxt, const char *method) +auth2_update_methods_lists(Authctxt *authctxt, const char *method, + const char *submethod) { u_int i, found = 0; debug3("%s: updating methods list after \"%s\"", __func__, method); for (i = 0; i < authctxt->num_auth_methods; i++) { - if (!remove_method(&(authctxt->auth_methods[i]), method)) + if (!remove_method(&(authctxt->auth_methods[i]), method, + submethod)) continue; found = 1; if (*authctxt->auth_methods[i] == '\0') { diff --git a/monitor.c b/monitor.c index 6560740b..c0471a17 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.122 2013/03/07 19:27:25 markus Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl 
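Review bot: remove_method deliberately refuses MATCH_PARTIAL, so a successful method that did not report its submethod never consumes a submethod-qualified entry such as `keyboard-interactive:bsdauth`; that is the right fail-closed choice, but it is stated nowhere and it depends on every backend setting auth_submethod, which in this series only the bsdauth path in monitor.c does. I would say it at the check: `/* MATCH_PARTIAL is intentionally not consumed: a success that did not identify its submethod must not satisfy an entry that names one. */`. Any keyboard-interactive backend that leaves auth_submethod NULL (PAM on the portable tree, presumably) will therefore report partial success indefinitely against such an entry — worth confirming before this ships.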
@@ -392,7 +392,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) "with SSH protocol 1"); if (authenticated && !auth2_update_methods_lists(authctxt, - auth_method)) { + auth_method, auth_submethod)) { debug3("%s: method %s: partial", __func__, auth_method); authenticated = 0; @@ -949,9 +949,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) debug3("%s: sending authenticated: %d", __func__, authok); mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); - if (compat20) - auth_method = "keyboard-interactive"; /* XXX auth_submethod */ - else + if (compat20) { + auth_method = "keyboard-interactive"; + auth_submethod = "bsdauth"; + } else auth_method = "bsdauth"; return (authok != 0); @@ -1237,7 +1238,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; - char *p; + char *p, *userstyle; u_int len; int fail = 0; @@ -1262,19 +1263,23 @@ monitor_valid_userblob(u_char *data, u_int datalen) } if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_string(&b, NULL); - if (strcmp(authctxt->user, p) != 0) { + p = buffer_get_cstring(&b, NULL); + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); + if (strcmp(userstyle, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); + userstyle, p); fail++; } + xfree(userstyle); xfree(p); buffer_skip_string(&b); if (datafellows & SSH_BUG_PKAUTH) { if (!buffer_get_char(&b)) fail++; } else { - p = buffer_get_string(&b, NULL); + p = buffer_get_cstring(&b, NULL); if (strcmp("publickey", p) != 0) fail++; xfree(p); @@ -1294,7 +1299,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, char *chost) { Buffer b; - char *p; + char *p, *userstyle; u_int len; int fail = 0; 
@@ -1310,15 +1315,19 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_string(&b, NULL); - if (strcmp(authctxt->user, p) != 0) { + p = buffer_get_cstring(&b, NULL); + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); + if (strcmp(userstyle, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); + userstyle, p); fail++; } + free(userstyle); xfree(p); buffer_skip_string(&b); /* service */ - p = buffer_get_string(&b, NULL); + p = buffer_get_cstring(&b, NULL); if (strcmp(p, "hostbased") != 0) fail++; xfree(p); -- cgit v1.2.1 From e637848bb91e626bdb6b79a72c4a659d328bf455 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:18:52 +0000 Subject: - djm@cvs.openbsd.org 2013/04/05 00:14:00 [auth2-gss.c krl.c sshconnect2.c] hush some {unused, printf type} warnings --- auth2-gss.c | 5 +---- krl.c | 17 +++++++++++------ sshconnect2.c | 17 ++++++++++------- 3 files changed, 22 insertions(+), 17 deletions(-) diff --git a/auth2-gss.c b/auth2-gss.c index 93d576bf..de1bd064 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.19 2013/04/05 00:14:00 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -229,14 +229,11 @@ static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) { Authctxt *authctxt = ctxt; - Gssctxt *gssctxt; int authenticated; if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) fatal("No authentication or GSSAPI context"); - gssctxt = authctxt->methoddata; - /* * We don't need to check the status, because we're only enabled in * the dispatcher once the exchange is complete diff --git a/krl.c b/krl.c index 0d9bb541..7ac6261c 100644 --- a/krl.c +++ b/krl.c 
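Review bot: `free(userstyle)` here versus `xfree(userstyle)` in the otherwise identical code of monitor_valid_userblob a few lines up is an inconsistency within one file; the rest of both functions uses xfree, so I would use it here too. The three-line xasprintf reconstruction of `user[:style]` is now copied verbatim in auth2-pubkey.c, monitor_valid_userblob and here, and since it is the username the signature is verified against, a single helper would keep the child and the monitor from drifting apart. Something like the function below, placed in auth.c and declared in auth.h, lets all three sites become `userstyle = auth_userstyle(authctxt);`. monitor_valid_hostbasedblob continues outside the hunk.
```c
/*
 * Rebuild the "user[:style]" name exactly as the client sent it, so the
 * same bytes are used wherever a userauth request is reconstructed for
 * signature verification. Caller frees the result.
 */
char *
auth_userstyle(const Authctxt *authctxt)
{
	char *userstyle;

	xasprintf(&userstyle, "%s%s%s", authctxt->user,
	    authctxt->style ? ":" : "",
	    authctxt->style ? authctxt->style : "");
	return userstyle;
}
```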
@@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.10 2013/02/19 02:12:47 dtucker Exp $ */ +/* $OpenBSD: krl.c,v 1.11 2013/04/05 00:14:00 djm Exp $ */ #include "includes.h" @@ -502,8 +502,11 @@ choose_next_state(int current_state, u_int64_t contig, int final, } debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" "list %llu range %llu bitmap %llu new bitmap %llu, " - "selected 0x%02x%s", __func__, contig, last_gap, next_gap, final, - cost_list, cost_range, cost_bitmap, cost_bitmap_restart, new_state, + "selected 0x%02x%s", __func__, (long long unsigned)contig, + (long long unsigned)last_gap, (long long unsigned)next_gap, final, + (long long unsigned)cost_list, (long long unsigned)cost_range, + (long long unsigned)cost_bitmap, + (long long unsigned)cost_bitmap_restart, new_state, *force_new_section ? " restart" : ""); return new_state; } @@ -539,7 +542,8 @@ revoked_certs_generate(struct revoked_certs *rc, Buffer *buf) rs != NULL; rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { debug3("%s: serial %llu:%llu state 0x%02x", __func__, - rs->lo, rs->hi, state); + (long long unsigned)rs->lo, (long long unsigned)rs->hi, + state); /* Check contiguous length and gap to next section (if any) */ nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); @@ -928,8 +932,9 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, } format_timestamp(krl->generated_date, timestamp, sizeof(timestamp)); - debug("KRL version %llu generated at %s%s%s", krl->krl_version, - timestamp, *krl->comment ? ": " : "", krl->comment); + debug("KRL version %llu generated at %s%s%s", + (long long unsigned)krl->krl_version, timestamp, + *krl->comment ? ": " : "", krl->comment); /* * 1st pass: verify signatures, if any. This is done to avoid diff --git a/sshconnect2.c b/sshconnect2.c index 58015c0d..c811c365 100644 --- a/sshconnect2.c +++ b/sshconnect2.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.192 2013/02/17 23:16:57 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.194 2013/04/05 00:14:00 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -540,8 +540,12 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt) partial = packet_get_char(); packet_check_eom(); - if (partial != 0) + if (partial != 0) { logit("Authenticated with partial success."); + /* reset state */ + pubkey_cleanup(authctxt); + pubkey_prepare(authctxt); + } debug("Authentications that can continue: %s", authlist); userauth(authctxt, authlist); @@ -806,7 +810,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) Gssctxt *gssctxt; gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; gss_buffer_desc recv_tok; - OM_uint32 status, ms; + OM_uint32 ms; u_int len; if (authctxt == NULL) @@ -819,7 +823,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) packet_check_eom(); /* Stick it into GSSAPI and see what it says */ - status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, + (void)ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, &recv_tok, &send_tok, NULL); xfree(recv_tok.value); @@ -832,12 +836,11 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) void input_gssapi_error(int type, u_int32_t plen, void *ctxt) { - OM_uint32 maj, min; char *msg; char *lang; - maj=packet_get_int(); - min=packet_get_int(); + /* maj */(void)packet_get_int(); + /* min */(void)packet_get_int(); msg=packet_get_string(NULL); lang=packet_get_string(NULL); -- cgit v1.2.1 From 286de250ea208ae29faad0dbe5cd1365d3047605 Mon Sep 17 00:00:00 2001 
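Review bot: The status returned by ssh_gssapi_init_ctx() in input_gssapi_errtok is now discarded with a `(void)` cast, but nothing says why a failure can be ignored at this point; a one-line comment would save the next reader from re-deriving it, e.g. `/* Return status intentionally ignored: we are consuming the peer's error token */`. Whether the resulting send_tok is used afterwards is outside the hunk, so the comment should be checked against that code.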
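Review bot: The new `/* maj */(void)packet_get_int();` and `/* min */(void)packet_get_int();` lines in input_gssapi_error glue the comment to the cast with no separating space, which does not match how comments are written elsewhere in this file; a trailing comment, `(void)packet_get_int();	/* maj */`, reads more naturally. The msg and lang strings are still read unchanged on the context lines; their use is outside the hunk.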
From: djm Date: Tue, 23 Apr 2013 05:19:11 +0000 Subject: - djm@cvs.openbsd.org 2013/04/05 00:31:49 [pathnames.h] use the existing _PATH_SSH_USER_RC define to construct the other pathnames; bz#2077, ok dtucker@ (no binary change) --- pathnames.h | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/pathnames.h b/pathnames.h index c3d9abff..5027fbae 100644 --- a/pathnames.h +++ b/pathnames.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.22 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: pathnames.h,v 1.23 2013/04/05 00:31:49 djm Exp $ */ /* * Author: Tatu Ylonen @@ -65,18 +65,18 @@ * readable by anyone except the user him/herself, though this does not * contain anything particularly secret. */ -#define _PATH_SSH_USER_HOSTFILE "~/.ssh/known_hosts" +#define _PATH_SSH_USER_HOSTFILE "~/" _PATH_SSH_USER_DIR "/known_hosts" /* backward compat for protocol 2 */ -#define _PATH_SSH_USER_HOSTFILE2 "~/.ssh/known_hosts2" +#define _PATH_SSH_USER_HOSTFILE2 "~/" _PATH_SSH_USER_DIR "/known_hosts2" /* * Name of the default file containing client-side authentication key. This * file should only be readable by the user him/herself. */ -#define _PATH_SSH_CLIENT_IDENTITY ".ssh/identity" -#define _PATH_SSH_CLIENT_ID_DSA ".ssh/id_dsa" -#define _PATH_SSH_CLIENT_ID_ECDSA ".ssh/id_ecdsa" -#define _PATH_SSH_CLIENT_ID_RSA ".ssh/id_rsa" +#define _PATH_SSH_CLIENT_IDENTITY _PATH_SSH_USER_DIR "/identity" +#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa" +#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa" +#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa" /* * Configuration file in user's home directory. This file need not be 
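Review bot: The rewritten definitions paste `_PATH_SSH_USER_DIR` into every path, yet that macro is not defined anywhere in this hunk, so the header must already define it above line 65 for the string concatenation to compile; the commit message instead says the pathnames are built from `_PATH_SSH_USER_RC`, which looks like a slip since no hunk here uses that macro as a building block. The same applies to the @@ -84 and @@ -94 hunks on the following line. A short comment at the `_PATH_SSH_USER_DIR` definition noting that the later macros are derived from it would make the dependency visible.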
@@ -84,7 +84,7 @@ * particularly secret. If the user's home directory resides on an NFS * volume where root is mapped to nobody, this may need to be world-readable. */ -#define _PATH_SSH_USER_CONFFILE ".ssh/config" +#define _PATH_SSH_USER_CONFFILE _PATH_SSH_USER_DIR "/config" /* * File containing a list of those rsa keys that permit logging in as this @@ -94,10 +94,10 @@ * may need to be world-readable. (This file is read by the daemon which is * running as root.) */ -#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" +#define _PATH_SSH_USER_PERMITTED_KEYS _PATH_SSH_USER_DIR "/authorized_keys" /* backward compat for protocol v2 */ -#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" +#define _PATH_SSH_USER_PERMITTED_KEYS2 _PATH_SSH_USER_DIR "/authorized_keys2" /* * Per-user and system-wide ssh "rc" files. These files are executed with @@ -105,7 +105,7 @@ * passed "proto cookie" as arguments if X11 forwarding with spoofing is in * use. xauth will be run if neither of these exists. */ -#define _PATH_SSH_USER_RC ".ssh/rc" +#define _PATH_SSH_USER_RC _PATH_SSH_USER_DIR "/rc" #define _PATH_SSH_SYSTEM_RC SSHDIR "/sshrc" /* -- cgit v1.2.1 From 647e8b73fd9f4451123968af3630f9f7c59a0ca9 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:19:27 +0000 Subject: - djm@cvs.openbsd.org 2013/04/05 00:58:51 [mux.c] cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too (in addition to ones already in OPEN); bz#2079, ok dtucker@ --- mux.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/mux.c b/mux.c index 1ae0e091..9f458c4c 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.39 2013/04/05 00:58:51 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * 
@@ -219,7 +219,8 @@ mux_master_control_cleanup_cb(int cid, void *unused) __func__, c->self, c->remote_id); c->remote_id = -1; sc->ctl_chan = -1; - if (sc->type != SSH_CHANNEL_OPEN) { + if (sc->type != SSH_CHANNEL_OPEN && + sc->type != SSH_CHANNEL_OPENING) { debug2("%s: channel %d: not open", __func__, sc->self); chan_mark_dead(sc); } else { -- cgit v1.2.1 From 2fc7a52c9ebdc0a2d0c3f430b99c241cf7b3381b Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:20:43 +0000 Subject: - markus@cvs.openbsd.org 2013/04/06 16:07:00 [channels.c sshd.c] handle ECONNABORTED for accept(); ok deraadt some time ago... --- channels.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/channels.c b/channels.c index 9cf85a38..12db962d 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.320 2013/04/06 16:07:00 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1324,7 +1324,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) { Channel *nc; struct sockaddr_storage addr; - int newsock; + int newsock, oerrno; socklen_t addrlen; char buf[16384], *remote_ipaddr; int remote_port; @@ -1334,12 +1334,16 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) addrlen = sizeof(addr); newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); if (c->single_connection) { + oerrno = errno; debug2("single_connection: closing X11 listener."); channel_close_fd(&c->sock); chan_mark_dead(c); + errno = oerrno; } if (newsock < 0) { - error("accept: %.100s", strerror(errno)); + if (errno != EINTR && errno != EWOULDBLOCK && + errno != ECONNABORTED) + error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) c->notbefore = time(NULL) + 1; return; 
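Review bot: The new accept() error filter in channel_post_x11_listener silences EINTR, EWOULDBLOCK and ECONNABORTED but not EAGAIN, whereas the sshd.c server_accept_loop hunk in this same sync keeps `errno != EAGAIN` in its list; on platforms where EAGAIN and EWOULDBLOCK are distinct values, these listeners will still log a transient non-blocking accept() as an error. The channel_post_port_listener hunk on the next line has the same gap. Adding `errno != EAGAIN &&` to both conditions keeps the three sites consistent. Saving errno in oerrno around the single_connection cleanup is the right move, since the debug2() and channel_close_fd() calls in between may presumably clobber it.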
@@ -1484,7 +1488,9 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) addrlen = sizeof(addr); newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); if (newsock < 0) { - error("accept: %.100s", strerror(errno)); + if (errno != EINTR && errno != EWOULDBLOCK && + errno != ECONNABORTED) + error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) c->notbefore = time(NULL) + 1; return; -- cgit v1.2.1 From f86c70fd572ef38212acca2b036701d0e05894d8 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:21:07 +0000 Subject: - dtucker@cvs.openbsd.org 2013/04/07 02:10:33 [log.c log.h ssh.1 ssh.c sshd.8 sshd.c] Add -E option to ssh and sshd to append debugging logs to a specified file instead of stderr or syslog. ok markus@, man page help jmc@ --- log.c | 20 ++++++++++++++++++-- log.h | 3 ++- ssh.1 | 9 +++++++-- ssh.c | 31 ++++++++++++++++++++++--------- sshd.c | 23 ++++++++++++++++------- 5 files changed, 65 insertions(+), 21 deletions(-) diff --git a/log.c b/log.c index d69154a6..81497a44 100644 --- a/log.c +++ b/log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */ +/* $OpenBSD: log.c,v 1.44 2013/04/07 02:10:33 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -38,6 +38,7 @@ #include +#include #include #include #include @@ -54,6 +55,7 @@ static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; +static int log_stderr_fd = STDERR_FILENO; static int log_facility = LOG_AUTH; static char *argv0; static log_handler_fn *log_handler; 
@@ -344,6 +346,20 @@ log_is_on_stderr(void) return log_on_stderr; } +/* redirect what would usually get written to stderr to specified file */ +void +log_redirect_stderr_to(const char *logfile) +{ + int fd; + + if ((fd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0600)) == -1) { + fprintf(stderr, "Couldn't open logfile %s: %s\n", logfile, + strerror(errno)); + exit(1); + } + log_stderr_fd = fd; +} + #define MSGBUFSIZ 1024 void @@ -429,7 +445,7 @@ do_log(LogLevel level, const char *fmt, va_list args) log_handler = tmp_handler; } else if (log_on_stderr) { snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); - write(STDERR_FILENO, msgbuf, strlen(msgbuf)); + write(log_stderr_fd, msgbuf, strlen(msgbuf)); } else { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); diff --git a/log.h b/log.h index e3e328b0..ae7df25d 100644 --- a/log.h +++ b/log.h @@ -1,4 +1,4 @@ -/* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */ +/* $OpenBSD: log.h,v 1.20 2013/04/07 02:10:33 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -51,6 +51,7 @@ typedef void (log_handler_fn)(LogLevel, const char *, void *); void log_init(char *, LogLevel, SyslogFacility, int); void log_change_level(LogLevel); int log_is_on_stderr(void); +void log_redirect_stderr_to(const char *); SyslogFacility log_facility_number(char *); const char * log_facility_name(SyslogFacility); diff --git a/ssh.1 b/ssh.1 index a5576edb..d77494b8 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $ -.Dd $Mdocdate: October 4 2012 $ +.\" $OpenBSD: ssh.1,v 1.331 2013/04/07 02:10:33 dtucker Exp $ +.Dd $Mdocdate: April 7 2013 $ .Dt SSH 1 .Os .Sh NAME 
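Review bot: The descriptor opened in log_redirect_stderr_to() is never marked close-on-exec, so any program that ssh or sshd later exec()s inherits an open, writable handle to the log file unless the spawning code closes high descriptors itself; after the open succeeds, `if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { fprintf(stderr, "fcntl: %s\n", strerror(errno)); exit(1); }` closes that gap in the same style the function already uses (it needs <fcntl.h>, which the include added earlier in this file's diff appears to be, although its name was lost in extraction). A second call also drops the previous log_stderr_fd without closing it; `if (log_stderr_fd != STDERR_FILENO) close(log_stderr_fd);` before the assignment avoids the leak. The 0600 mode on the O_CREAT is appropriate since debug logs can carry host names and user names.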
@@ -47,6 +47,7 @@ .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec .Op Fl D Oo Ar bind_address : Oc Ns Ar port +.Op Fl E Ar log_file .Op Fl e Ar escape_char .Op Fl F Ar configfile .Op Fl I Ar pkcs11 @@ -217,6 +218,10 @@ indicates that the listening port be bound for local use only, while an empty address or .Sq * indicates that the port should be available from all interfaces. +.It Fl E Ar log_file +Append debug logs to +.Ar log_file +instead of standard error. .It Fl e Ar escape_char Sets the escape character for sessions with a pty (default: .Ql ~ ) . diff --git a/ssh.c b/ssh.c index 5ec89f2c..cd56f8a7 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.373 2013/02/22 22:09:01 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.375 2013/04/07 02:10:33 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -197,8 +197,8 @@ usage(void) { fprintf(stderr, "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n" -" [-I pkcs11] [-i identity_file]\n" +" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" +" [-F configfile] [-I pkcs11] [-i identity_file]\n" " [-L [bind_address:]port:host:hostport]\n" " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" @@ -238,7 +238,7 @@ int main(int ac, char **av) { int i, r, opt, exit_status, use_syslog; - char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg; + char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile; char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; struct stat st; struct passwd *pw; 
@@ -322,11 +322,12 @@ main(int ac, char **av) /* Parse command-line arguments. */ host = NULL; use_syslog = 0; + logfile = NULL; argv0 = av[0]; again: while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" - "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { + "ACD:E:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -356,6 +357,9 @@ main(int ac, char **av) case 'y': use_syslog = 1; break; + case 'E': + logfile = xstrdup(optarg); + break; case 'Y': options.forward_x11 = 1; options.forward_x11_trusted = 1; @@ -427,9 +431,8 @@ main(int ac, char **av) } else { if (options.log_level < SYSLOG_LEVEL_DEBUG3) options.log_level++; - break; } - /* FALLTHROUGH */ + break; case 'V': fprintf(stderr, "%s, %s\n", SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); @@ -663,18 +666,28 @@ main(int ac, char **av) /* * Initialize "log" output. Since we are the client all output - * actually goes to stderr. + * goes to stderr unless otherwise specified by -y or -E. */ + if (use_syslog && logfile != NULL) + fatal("Can't specify both -y and -E"); + if (logfile != NULL) { + log_redirect_stderr_to(logfile); + xfree(logfile); + } log_init(argv0, options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, SYSLOG_FACILITY_USER, !use_syslog); + if (debug_flag) + logit("%s, %s", SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); + /* * Read per-user configuration file. Ignore the system wide config * file if the user specifies a config file on the command line. */ if (config != NULL) { - if (!read_config_file(config, host, &options, SSHCONF_USERCONF)) + if (strcasecmp(config, "none") != 0 && + !read_config_file(config, host, &options, SSHCONF_USERCONF)) fatal("Can't open user config file %.100s: " "%.100s", config, strerror(errno)); } else { diff --git a/sshd.c b/sshd.c index 3e9d1764..a0f5c0d2 100644 --- a/sshd.c +++ b/sshd.c 
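Review bot: The new debug banner logs `SSH_VERSION`, while the `-V` branch in the hunk just above prints `SSH_RELEASE` alongside the same SSLeay_version() string; unless the difference is intended, `logit("%s, %s", SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));` keeps the two outputs identical, and in the portable tree SSH_RELEASE is the identifier that carries the portable suffix. Calling log_redirect_stderr_to() before log_init() and rejecting `-y` together with `-E` via fatal() both look right. main continues outside the hunk.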
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.399 2013/04/07 02:10:33 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -900,8 +900,9 @@ usage(void) SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); fprintf(stderr, "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n" -" [-f config_file] [-g login_grace_time] [-h host_key_file]\n" -" [-k key_gen_time] [-o option] [-p port] [-u len]\n" +" [-E log_file] [-f config_file] [-g login_grace_time]\n" +" [-h host_key_file] [-k key_gen_time] [-o option] [-p port]\n" +" [-u len]\n" ); exit(1); } @@ -1183,8 +1184,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) *newsock = accept(listen_socks[i], (struct sockaddr *)&from, &fromlen); if (*newsock < 0) { - if (errno != EINTR && errno != EAGAIN && - errno != EWOULDBLOCK) + if (errno != EINTR && errno != EWOULDBLOCK && + errno != ECONNABORTED && errno != EAGAIN) error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) @@ -1335,7 +1336,7 @@ main(int ac, char **av) int sock_in = -1, sock_out = -1, newsock = -1; const char *remote_ip; int remote_port; - char *line; + char *line, *logfile = NULL; int config_s[2] = { -1 , -1 }; u_int n; u_int64_t ibytes, obytes; @@ -1373,7 +1374,7 @@ main(int ac, char **av) initialize_server_options(&options); /* Parse command-line arguments. */ - while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeiqrtQRT46")) != -1) { + while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeE:iqrtQRT46")) != -1) { switch (opt) { case '4': options.address_family = AF_INET; @@ -1402,6 +1403,9 @@ main(int ac, char **av) case 'D': no_daemon_flag = 1; break; + case 'E': + logfile = xstrdup(optarg); + /* FALLTHROUGH */ case 'e': log_stderr = 1; break; 
@@ -1499,6 +1503,11 @@ main(int ac, char **av) OpenSSL_add_all_algorithms(); + /* If requested, redirect the logs to the specified logfile. */ + if (logfile != NULL) { + log_redirect_stderr_to(logfile); + xfree(logfile); + } /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) -- cgit v1.2.1 From fe03df1f834cb1d8b8dae4aa7aa0935a8d1043dd Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:21:24 +0000 Subject: - dtucker@cvs.openbsd.org 2013/04/07 09:40:27 [sshd.8] clarify -e text. suggested by & ok jmc@ --- sshd.8 | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/sshd.8 b/sshd.8 index 13239783..03b77b04 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $ -.Dd $Mdocdate: October 4 2012 $ +.\" $OpenBSD: sshd.8,v 1.269 2013/04/07 09:40:27 dtucker Exp $ +.Dd $Mdocdate: April 7 2013 $ .Dt SSHD 8 .Os .Sh NAME @@ -47,6 +47,7 @@ .Op Fl b Ar bits .Op Fl C Ar connection_spec .Op Fl c Ar host_certificate_file +.Op Fl E Ar log_file .Op Fl f Ar config_file .Op Fl g Ar login_grace_time .Op Fl h Ar host_key_file @@ -146,10 +147,12 @@ Multiple .Fl d options increase the debugging level. Maximum is 3. +.It Fl E Ar log_file +Append debug logs to +.Ar log_file +instead of the system log. .It Fl e -When this option is specified, -.Nm -will send the output to the standard error instead of the system log. +Write debug logs to standard error instead of the system log. .It Fl f Ar config_file Specifies the name of the configuration file. The default is -- cgit v1.2.1 From ecf625478db018cf3fb0349573676ef62db3fddb Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 23 Apr 2013 05:21:40 +0000 Subject: - djm@cvs.openbsd.org 2013/04/11 02:27:50 [packet.c] quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@ --- packet.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/packet.c b/packet.c index 9326ddea..3e835d36 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.181 2013/02/10 23:35:24 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.182 2013/04/11 02:27:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1460,7 +1460,11 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) case SSH2_MSG_DISCONNECT: reason = packet_get_int(); msg = packet_get_string(NULL); - error("Received disconnect from %s: %u: %.400s", + /* Ignore normal client exit notifications */ + do_log2(active_state->server_side && + reason == SSH2_DISCONNECT_BY_APPLICATION ? + SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, + "Received disconnect from %s: %u: %.400s", get_remote_ipaddr(), reason, msg); xfree(msg); cleanup_exit(255); -- cgit v1.2.1 From 6ada057c57619eac64ff1ea75115779c5ad2b493 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:22:40 +0000 Subject: - djm@cvs.openbsd.org 2013/04/18 02:16:07 [sftp.c] make "sftp -q" do what it says on the sticker: hush everything but errors; --- sftp.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/sftp.c b/sftp.c index 342ae7ef..24396ef3 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.142 2013/02/08 00:41:12 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.143 2013/04/18 02:16:07 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -76,6 +76,9 @@ int batchmode = 0; /* PID of ssh transport process */ static pid_t sshpid = -1; +/* Suppress diagnositic messages */ +int quiet = 0; + /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; 
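Review bot: The log level chosen for the new do_log2() call depends on `reason`, a value read straight from the peer's SSH2_MSG_DISCONNECT packet, so a client decides whether its disconnect is recorded at INFO or ERROR; that is acceptable for the stated goal, but the comment should spell it out so nobody builds alerting on the level alone, e.g. `/* Ignore normal client exit notifications; the level follows the peer-supplied reason code */`. The message text remains bounded by `%.400s`. packet_read_poll_seqnr continues outside the hunk.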
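Review bot: The comment introducing the new `quiet` flag misspells diagnostic; it should read `/* Suppress diagnostic messages */`. Like batchmode just above, the flag has external linkage, whereas the neighbouring `sshpid` is static; if nothing outside sftp.c reads it, `static int quiet = 0;` would keep it file-local.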
@@ -565,7 +568,8 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, } xfree(tmp); - printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); + if (!quiet) + printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, pflag || global_pflag, 1) == -1) @@ -650,7 +654,8 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, } xfree(tmp); - printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); + if (!quiet) + printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { if (upload_dir(conn, g.gl_pathv[i], abs_dst, pflag || global_pflag, 1) == -1) @@ -1335,7 +1340,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, path1 = make_absolute(path1, *pwd); remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); for (i = 0; g.gl_pathv[i] && !interrupted; i++) { - printf("Removing %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Removing %s\n", g.gl_pathv[i]); err = do_rm(conn, g.gl_pathv[i]); if (err != 0 && err_abort) break; @@ -1431,7 +1437,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, a.perm = n_arg; remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); for (i = 0; g.gl_pathv[i] && !interrupted; i++) { - printf("Changing mode on %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Changing mode on %s\n", g.gl_pathv[i]); err = do_setstat(conn, g.gl_pathv[i], &a); if (err != 0 && err_abort) break; 
@@ -1460,10 +1467,14 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, } aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; if (cmdnum == I_CHOWN) { - printf("Changing owner on %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Changing owner on %s\n", + g.gl_pathv[i]); aa->uid = n_arg; } else { - printf("Changing group on %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Changing group on %s\n", + g.gl_pathv[i]); aa->gid = n_arg; } err = do_setstat(conn, g.gl_pathv[i], aa); @@ -1922,7 +1933,8 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) dir = make_absolute(dir, remote_path); if (remote_is_dir(conn, dir) && file2 == NULL) { - printf("Changing to: %s\n", dir); + if (!quiet) + printf("Changing to: %s\n", dir); snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); if (parse_dispatch_command(conn, cmd, &remote_path, 1) != 0) { @@ -2143,6 +2155,8 @@ main(int argc, char **argv) addargs(&args, "%s", optarg); break; case 'q': + ll = SYSLOG_LEVEL_ERROR; + quiet = 1; showprogress = 0; addargs(&args, "-%c", ch); break; @@ -2178,7 +2192,7 @@ main(int argc, char **argv) (infile = fopen(optarg, "r")) == NULL) fatal("%s (%s).", strerror(errno), optarg); showprogress = 0; - batchmode = 1; + quiet = batchmode = 1; addargs(&args, "-obatchmode yes"); break; case 'p': @@ -2275,7 +2289,7 @@ main(int argc, char **argv) if (conn == NULL) fatal("Couldn't initialise connection to server"); - if (!batchmode) { + if (!quiet) { if (sftp_direct == NULL) fprintf(stderr, "Connected to %s.\n", host); else -- cgit v1.2.1 From a06bf205b92d044e488411bd511e3d908d7299cb Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:23:08 +0000 Subject: - djm@cvs.openbsd.org 2013/04/19 01:00:10 [sshd_config.5] document the requirment that the AuthorizedKeysCommand be owned by root; ok dtucker@ markus@ --- sshd_config.5 | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/sshd_config.5 b/sshd_config.5 index cfa48069..590fb408 100644 
--- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $ -.Dd $Mdocdate: February 6 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.158 2013/04/19 01:00:10 djm Exp $ +.Dd $Mdocdate: April 19 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -180,6 +180,20 @@ Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard-interactive authentication before public key. .Pp +For keyboard interactive authentication it is also possible to +restrict authentication to a specific device by appending a +colon followed by the device identifier +.Dq bsdauth , +.Dq pam , +or +.Dq skey , +depending on the server configuration. +For example, +.Dq keyboard-interactive:bsdauth +would restrict keyboard interactive authentication to the +.Dq bsdauth +device. +.Pp This option is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled @@ -188,7 +202,8 @@ The default is not to require multiple authentication; successful completion of a single authentication method is sufficient. .It Cm AuthorizedKeysCommand Specifies a program to be used to look up the user's public keys. -The program will be invoked with a single argument of the username +The program must be owned by root and not writable by group or others. +It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see .Sx AUTHORIZED_KEYS -- cgit v1.2.1 From d197691221d07d0039cce222734d48057930f5e1 Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 23 Apr 2013 05:23:25 +0000 Subject: - djm@cvs.openbsd.org 2013/04/19 01:01:00 [ssh-keygen.c] fix some memory leaks; bz#2088 ok dtucker@ --- ssh-keygen.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ssh-keygen.c b/ssh-keygen.c index d1a205e1..8acbcc49 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.225 2013/02/10 23:32:10 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.226 2013/04/19 01:01:00 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2038,6 +2038,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, } if (strcmp(path, "-") != 0) fclose(krl_spec); + free(path); } static void @@ -2090,6 +2091,8 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) close(fd); buffer_free(&kbuf); ssh_krl_free(krl); + if (ca != NULL) + key_free(ca); } static void -- cgit v1.2.1 From 5ed4ba6a52ee7e65538eb5765ce863d61fba2a84 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 05:24:18 +0000 Subject: - djm@cvs.openbsd.org 2013/04/19 01:03:01 [session.c] reintroduce 1.262 without the connection-killing bug: fatal() when ChrootDirectory specified by running without root privileges; ok markus@ --- ChangeLog | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ session.c | 8 +++++++- 2 files changed, 74 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3fd81aa3..0966a11b 100644 --- a/ChangeLog +++ b/ChangeLog 
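Review bot: The `free(path);` added to update_krl_from_file sits on the normal exit path only; if the part of the function before this hunk returns early after `path` is allocated, those paths still leak it, which is worth checking given that the commit's purpose is fixing leaks. The `if (ca != NULL) key_free(ca);` guard in do_gen_krl is needed only if key_free() does not accept NULL, which I believe was the case for that helper at the time. Both functions start before their hunks.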
@@ -2,6 +2,73 @@ - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support platforms, such as Android, that lack struct passwd.pw_gecos. Report and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@ + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2013/03/05 20:16:09 + [sshconnect2.c] + reset pubkey order on partial success; ok djm@ + - djm@cvs.openbsd.org 2013/03/06 23:35:23 + [session.c] + fatal() when ChrootDirectory specified by running without root privileges; + ok markus@ + - djm@cvs.openbsd.org 2013/03/06 23:36:53 + [readconf.c] + g/c unused variable (-Wunused) + - djm@cvs.openbsd.org 2013/03/07 00:19:59 + [auth2-pubkey.c monitor.c] + reconstruct the original username that was sent by the client, which may + have included a style (e.g. "root:skey") when checking public key + signatures. Fixes public key and hostbased auth when the client specified + a style; ok markus@ + - markus@cvs.openbsd.org 2013/03/07 19:27:25 + [auth.h auth2-chall.c auth2.c monitor.c sshd_config.5] + add submethod support to AuthenticationMethods; ok and freedback djm@ + - djm@cvs.openbsd.org 2013/03/08 06:32:58 + [ssh.c] + allow "ssh -f none ..." ok markus@ + - djm@cvs.openbsd.org 2013/04/05 00:14:00 + [auth2-gss.c krl.c sshconnect2.c] + hush some {unused, printf type} warnings + - djm@cvs.openbsd.org 2013/04/05 00:31:49 + [pathnames.h] + use the existing _PATH_SSH_USER_RC define to construct the other + pathnames; bz#2077, ok dtucker@ (no binary change) + - djm@cvs.openbsd.org 2013/04/05 00:58:51 + [mux.c] + cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too + (in addition to ones already in OPEN); bz#2079, ok dtucker@ + - markus@cvs.openbsd.org 2013/04/06 16:07:00 + [channels.c sshd.c] + handle ECONNABORTED for accept(); ok deraadt some time ago... 
+ - dtucker@cvs.openbsd.org 2013/04/07 02:10:33 + [log.c log.h ssh.1 ssh.c sshd.8 sshd.c] + Add -E option to ssh and sshd to append debugging logs to a specified file + instead of stderr or syslog. ok markus@, man page help jmc@ + - dtucker@cvs.openbsd.org 2013/04/07 09:40:27 + [sshd.8] + clarify -e text. suggested by & ok jmc@ + - djm@cvs.openbsd.org 2013/04/11 02:27:50 + [packet.c] + quiet disconnect notifications on the server from error() back to logit() + if it is a normal client closure; bz#2057 ok+feedback dtucker@ + - dtucker@cvs.openbsd.org 2013/04/17 09:04:09 + [session.c] + revert rev 1.262; it fails because uid is already set here. ok djm@ + - djm@cvs.openbsd.org 2013/04/18 02:16:07 + [sftp.c] + make "sftp -q" do what it says on the sticker: hush everything but errors; + ok dtucker@ + - djm@cvs.openbsd.org 2013/04/19 01:00:10 + [sshd_config.5] + document the requirment that the AuthorizedKeysCommand be owned by root; + ok dtucker@ markus@ + - djm@cvs.openbsd.org 2013/04/19 01:01:00 + [ssh-keygen.c] + fix some memory leaks; bz#2088 ok dtucker@ + - djm@cvs.openbsd.org 2013/04/19 01:03:01 + [session.c] + reintroduce 1.262 without the connection-killing bug: + fatal() when ChrootDirectory specified by running without root privileges; + ok markus@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/session.c b/session.c index 19eaa20c..4c4461de 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: session.c,v 1.264 2013/04/19 01:03:01 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1513,6 +1513,9 @@ do_setusercontext(struct passwd *pw) safely_chroot(chroot_path, pw->pw_uid); free(tmp); free(chroot_path); + /* Make sure we don't attempt to chroot again */ + free(options.chroot_directory); + options.chroot_directory = NULL; } #ifdef HAVE_LOGIN_CAP 
@@ -1529,6 +1532,9 @@ do_setusercontext(struct passwd *pw) /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif + } else if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) { + fatal("server lacks privileges to chroot to ChrootDirectory"); } if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) -- cgit v1.2.1 From c8ee534743875d29783b029b3a7404ed1fe5347f Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 09:24:32 +0000 Subject: - djm@cvs.openbsd.org 2013/04/19 01:06:50 [authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c] [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c] add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@ --- ChangeLog | 6 ++ authfile.c | 6 +- cipher.c | 55 ++++++++++----- cipher.h | 13 ++-- kex.c | 86 +++++++++++++++-------- kex.h | 16 ++--- kexecdh.c | 20 +----- kexecdhc.c | 7 +- kexecdhs.c | 7 +- key.c | 230 +++++++++++++++++++++++++++---------------------------------- key.h | 7 +- mac.c | 62 +++++++++++------ mac.h | 3 +- packet.c | 6 +- ssh.1 | 21 +++++- ssh.c | 20 +++++- 16 files changed, 314 insertions(+), 251 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0966a11b..3d2950e8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -69,6 +69,12 @@ reintroduce 1.262 without the connection-killing bug: fatal() when ChrootDirectory specified by running without root privileges; ok markus@ + - djm@cvs.openbsd.org 2013/04/19 01:06:50 + [authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c] + [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c] + add the ability to query supported ciphers, MACs, key type and KEX + algorithms to ssh. Includes some refactoring of KEX and key type handling + to be table-driven; ok markus@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch 
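Review bot: The new `else if` branch that calls `fatal("server lacks privileges to chroot to ChrootDirectory")` only behaves correctly on the second entry into do_setusercontext because the earlier hunk (`@@ -1513,6 +1513,9 @@`) frees and NULLs `options.chroot_directory` once the privileged chroot has run, and nothing at this branch records that dependency. A short comment here would keep the two hunks from drifting apart, e.g. `/* chroot_directory is cleared once the privileged chroot above has run; reaching here with it still set means no chroot was possible */`. The ChangeLog text on this page ("it fails because uid is already set here") suggests the function can be reached after privileges are dropped, but that call path is not visible in the hunk, so the comment should be confirmed against the callers. The enclosing do_setusercontext starts outside this hunk.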
diff --git a/authfile.c b/authfile.c index 3544d170..91812bf8 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.96 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -89,7 +89,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase, u_char buf[100], *cp; int i, cipher_num; CipherContext ciphercontext; - Cipher *cipher; + const Cipher *cipher; u_int32_t rnd; /* @@ -421,7 +421,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) Buffer decrypted; u_char *cp; CipherContext ciphercontext; - Cipher *cipher; + const Cipher *cipher; Key *prv = NULL; Buffer copy; diff --git a/cipher.c b/cipher.c index 9ca1d006..5e365213 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.88 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -65,7 +65,9 @@ struct Cipher { u_int discard_len; u_int cbc_mode; const EVP_CIPHER *(*evptype)(void); -} ciphers[] = { +}; + +static const struct Cipher ciphers[] = { { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, @@ -98,6 +100,27 @@ struct Cipher { /*--*/ +/* Returns a comma-separated list of supported ciphers. */ +char * +cipher_alg_list(void) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const Cipher *c; + + for (c = ciphers; c->name != NULL; c++) { + if (c->number != SSH_CIPHER_SSH2) + continue; + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(c->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, c->name, nlen + 1); + rlen += nlen; + } + return ret; +} + u_int cipher_blocksize(const Cipher *c) { 
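Review bot: The header comment on the new `cipher_alg_list()` says "Returns a comma-separated list", but the loop joins entries with `ret[rlen++] = '\n'`, so the result is newline-separated; the same mismatch appears on `mac_alg_list()` in the mac.c hunk (`@@ -89,38 +91,58 @@`). The comment should also state ownership, since the buffer comes from `xrealloc` and ssh.c frees it: `/* Returns a newline-separated list of the SSH2 ciphers, allocated for the caller to free, or NULL if none are available. */`. The NULL return for an empty table is real (the `c->number != SSH_CIPHER_SSH2` filter can skip every row), and ssh.c reports it as an unsupported query rather than an empty list; worth a mention in the comment so callers don't assume a non-NULL result.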
@@ -146,20 +169,20 @@ cipher_mask_ssh1(int client) return mask; } -Cipher * +const Cipher * cipher_by_name(const char *name) { - Cipher *c; + const Cipher *c; for (c = ciphers; c->name != NULL; c++) if (strcmp(c->name, name) == 0) return c; return NULL; } -Cipher * +const Cipher * cipher_by_number(int id) { - Cipher *c; + const Cipher *c; for (c = ciphers; c->name != NULL; c++) if (c->number == id) return c; @@ -170,7 +193,7 @@ cipher_by_number(int id) int ciphers_valid(const char *names) { - Cipher *c; + const Cipher *c; char *cipher_list, *cp; char *p; @@ -201,7 +224,7 @@ ciphers_valid(const char *names) int cipher_number(const char *name) { - Cipher *c; + const Cipher *c; if (name == NULL) return -1; for (c = ciphers; c->name != NULL; c++) @@ -213,12 +236,12 @@ cipher_number(const char *name) char * cipher_name(int id) { - Cipher *c = cipher_by_number(id); + const Cipher *c = cipher_by_number(id); return (c==NULL) ? "" : c->name; } void -cipher_init(CipherContext *cc, Cipher *cipher, +cipher_init(CipherContext *cc, const Cipher *cipher, const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, int do_encrypt) { @@ -364,7 +387,7 @@ cipher_cleanup(CipherContext *cc) */ void -cipher_set_key_string(CipherContext *cc, Cipher *cipher, +cipher_set_key_string(CipherContext *cc, const Cipher *cipher, const char *passphrase, int do_encrypt) { MD5_CTX md; @@ -389,7 +412,7 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher, int cipher_get_keyiv_len(const CipherContext *cc) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int ivlen; if (c->number == SSH_CIPHER_3DES) @@ -402,7 +425,7 @@ cipher_get_keyiv_len(const CipherContext *cc) void cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int evplen; switch (c->number) { 
@@ -438,7 +461,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) void cipher_set_keyiv(CipherContext *cc, u_char *iv) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int evplen = 0; switch (c->number) { @@ -471,7 +494,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) int cipher_get_keycontext(const CipherContext *cc, u_char *dat) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int plen = 0; if (c->evptype == EVP_rc4) { @@ -486,7 +509,7 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat) void cipher_set_keycontext(CipherContext *cc, u_char *dat) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int plen; if (c->evptype == EVP_rc4) { diff --git a/cipher.h b/cipher.h index 8cb57c3e..b878d50f 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: cipher.h,v 1.40 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen @@ -66,21 +66,22 @@ struct CipherContext { int plaintext; int encrypt; EVP_CIPHER_CTX evp; - Cipher *cipher; + const Cipher *cipher; }; u_int cipher_mask_ssh1(int); -Cipher *cipher_by_name(const char *); -Cipher *cipher_by_number(int); +const Cipher *cipher_by_name(const char *); +const Cipher *cipher_by_number(int); int cipher_number(const char *); char *cipher_name(int); int ciphers_valid(const char *); -void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, +char *cipher_alg_list(void); +void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int, const u_char *, u_int, int); void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int, u_int, u_int); void cipher_cleanup(CipherContext *); -void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); +void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int); u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); u_int cipher_authlen(const Cipher *); 
diff --git a/kex.c b/kex.c index 57a79dd9..65a227bc 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: kex.c,v 1.89 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -62,6 +62,55 @@ extern const EVP_MD *evp_ssh_sha256(void); static void kex_kexinit_finish(Kex *); static void kex_choose_conf(Kex *); +struct kexalg { + char *name; + int type; + int ec_nid; + const EVP_MD *(*mdfunc)(void); +}; +static const struct kexalg kexalgs[] = { + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, EVP_sha1 }, + { KEX_DH14, KEX_DH_GRP14_SHA1, 0, EVP_sha1 }, + { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, EVP_sha1 }, +#if OPENSSL_VERSION_NUMBER >= 0x00907000L + { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, EVP_sha256 }, + { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 }, + { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, + { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, +#endif + { NULL, -1, -1, NULL}, +}; + +char * +kex_alg_list(void) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const struct kexalg *k; + + for (k = kexalgs; k->name != NULL; k++) { + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(k->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, k->name, nlen + 1); + rlen += nlen; + } + return ret; +} + +static const struct kexalg * +kex_alg_by_name(const char *name) +{ + const struct kexalg *k; + + for (k = kexalgs; k->name != NULL; k++) { + if (strcmp(k->name, name) == 0) + return k; + } + return NULL; +} + /* Validate KEX method name list */ int kex_names_valid(const char *names) 
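Review bot: The `KEX_DHGEX_SHA256` row of the new `kexalgs[]` table points at `EVP_sha256`, while the code it replaces (visible in the next hunk, `@@ -348,29 +391,16 @@`) called `evp_ssh_sha256()`, and the `extern const EVP_MD *evp_ssh_sha256(void);` declaration is still in this hunk's context. If evp_ssh_sha256 is the portable-build compatibility wrapper its extern suggests, the table entry should keep using it so builds where `EVP_sha256` is not provided by OpenSSL still work: `{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, evp_ssh_sha256 },`. Separately, `struct kexalg` declares `char *name` although every row holds a string literal in a `static const` table; `const char *name` would let the compiler reject accidental writes (the same applies to `struct keytype` in key.c and `struct macalg` in mac.c).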
@@ -73,13 +122,7 @@ kex_names_valid(const char *names) s = cp = xstrdup(names); for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { - if (strcmp(p, KEX_DHGEX_SHA256) != 0 && - strcmp(p, KEX_DHGEX_SHA1) != 0 && - strcmp(p, KEX_DH14) != 0 && - strcmp(p, KEX_DH1) != 0 && - (strncmp(p, KEX_ECDH_SHA2_STEM, - sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 || - kex_ecdh_name_to_nid(p) == -1)) { + if (kex_alg_by_name(p) == NULL) { error("Unsupported KEX algorithm \"%.100s\"", p); xfree(s); return 0; @@ -348,29 +391,16 @@ choose_comp(Comp *comp, char *client, char *server) static void choose_kex(Kex *k, char *client, char *server) { + const struct kexalg *kexalg; + k->name = match_list(client, server, NULL); if (k->name == NULL) fatal("Unable to negotiate a key exchange method"); - if (strcmp(k->name, KEX_DH1) == 0) { - k->kex_type = KEX_DH_GRP1_SHA1; - k->evp_md = EVP_sha1(); - } else if (strcmp(k->name, KEX_DH14) == 0) { - k->kex_type = KEX_DH_GRP14_SHA1; - k->evp_md = EVP_sha1(); - } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) { - k->kex_type = KEX_DH_GEX_SHA1; - k->evp_md = EVP_sha1(); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) { - k->kex_type = KEX_DH_GEX_SHA256; - k->evp_md = evp_ssh_sha256(); - } else if (strncmp(k->name, KEX_ECDH_SHA2_STEM, - sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) { - k->kex_type = KEX_ECDH_SHA2; - k->evp_md = kex_ecdh_name_to_evpmd(k->name); -#endif - } else - fatal("bad kex alg %s", k->name); + if ((kexalg = kex_alg_by_name(k->name)) == NULL) + fatal("unsupported kex alg %s", k->name); + k->kex_type = kexalg->type; + k->evp_md = kexalg->mdfunc(); + k->ec_nid = kexalg->ec_nid; } static void diff --git a/kex.h b/kex.h index 46731fa4..680264af 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.55 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 
@@ -40,8 +40,9 @@ #define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1" #define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256" #define KEX_RESUME "resume@appgate.com" -/* The following represents the family of ECDH methods */ -#define KEX_ECDH_SHA2_STEM "ecdh-sha2-" +#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256" +#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384" +#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521" #define COMP_NONE 0 #define COMP_ZLIB 1 @@ -86,7 +87,7 @@ typedef struct Newkeys Newkeys; struct Enc { char *name; - Cipher *cipher; + const Cipher *cipher; int enabled; u_int key_len; u_int iv_len; @@ -131,6 +132,7 @@ struct Kex { sig_atomic_t done; int flags; const EVP_MD *evp_md; + int ec_nid; char *client_version_string; char *server_version_string; int (*verify_host_key)(Key *); @@ -141,6 +143,7 @@ struct Kex { }; int kex_names_valid(const char *); +char *kex_alg_list(void); Kex *kex_setup(char *[PROPOSAL_MAX]); void kex_finish(Kex *); @@ -170,11 +173,6 @@ void kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, char *, int, u_char *, int, const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char **, u_int *); -int kex_ecdh_name_to_nid(const char *); -const EVP_MD *kex_ecdh_name_to_evpmd(const char *); -#else -# define kex_ecdh_name_to_nid(x) (-1) -# define kex_ecdh_name_to_evpmd(x) (NULL) #endif void diff --git a/kexecdh.c b/kexecdh.c index f13f69d3..c948fe20 100644 --- a/kexecdh.c +++ b/kexecdh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdh.c,v 1.3 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kexecdh.c,v 1.4 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. 
@@ -45,24 +45,6 @@ #include "kex.h" #include "log.h" -int -kex_ecdh_name_to_nid(const char *kexname) -{ - if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1) - fatal("%s: kexname too short \"%s\"", __func__, kexname); - return key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1); -} - -const EVP_MD * -kex_ecdh_name_to_evpmd(const char *kexname) -{ - int nid = kex_ecdh_name_to_nid(kexname); - - if (nid == -1) - fatal("%s: unsupported ECDH curve \"%s\"", __func__, kexname); - return key_ec_nid_to_evpmd(nid); -} - void kex_ecdh_hash( const EVP_MD *evp_md, diff --git a/kexecdhc.c b/kexecdhc.c index 115d4bf8..04239a47 100644 --- a/kexecdhc.c +++ b/kexecdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhc.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kexecdhc.c,v 1.3 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -57,11 +57,8 @@ kexecdh_client(Kex *kex) u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; u_int klen, slen, sbloblen, hashlen; - int curve_nid; - if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) - fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); - if ((client_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) + if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(client_key) != 1) fatal("%s: EC_KEY_generate_key failed", __func__); diff --git a/kexecdhs.c b/kexecdhs.c index 8c515dfa..6519abbe 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.3 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. 
@@ -59,11 +59,8 @@ kexecdh_server(Kex *kex) u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; u_int klen, slen, sbloblen, hashlen; - int curve_nid; - if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) - fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); - if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) + if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(server_key) != 1) fatal("%s: EC_KEY_generate_key failed", __func__); diff --git a/key.c b/key.c index 4cc5c5d3..471cd1fc 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */ +/* $OpenBSD: key.c,v 1.101 2013/04/19 01:06:50 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -891,36 +891,6 @@ key_write(const Key *key, FILE *f) return success; } -const char * -key_type(const Key *k) -{ - switch (k->type) { - case KEY_RSA1: - return "RSA1"; - case KEY_RSA: - return "RSA"; - case KEY_DSA: - return "DSA"; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - return "ECDSA"; -#endif - case KEY_RSA_CERT_V00: - return "RSA-CERT-V00"; - case KEY_DSA_CERT_V00: - return "DSA-CERT-V00"; - case KEY_RSA_CERT: - return "RSA-CERT"; - case KEY_DSA_CERT: - return "DSA-CERT"; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA_CERT: - return "ECDSA-CERT"; -#endif - } - return "unknown"; -} - const char * key_cert_type(const Key *k) { 
@@ -934,48 +904,59 @@ key_cert_type(const Key *k) } } +struct keytype { + char *name; + char *shortname; + int type; + int nid; + int cert; +}; +static const struct keytype keytypes[] = { + { NULL, "RSA1", KEY_RSA1, 0, 0 }, + { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, + { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, +#ifdef OPENSSL_HAS_ECC + { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, + { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, + { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, +#endif /* OPENSSL_HAS_ECC */ + { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, + { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, +#ifdef OPENSSL_HAS_ECC + { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", + KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, + { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", + KEY_ECDSA_CERT, NID_secp384r1, 1 }, + { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", + KEY_ECDSA_CERT, NID_secp521r1, 1 }, +#endif /* OPENSSL_HAS_ECC */ + { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", + KEY_RSA_CERT_V00, 0, 1 }, + { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", + KEY_DSA_CERT_V00, 0, 1 }, + { NULL, NULL, -1, -1, 0 } +}; + +const char * +key_type(const Key *k) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type == k->type) + return kt->shortname; + } + return "unknown"; +} + static const char * key_ssh_name_from_type_nid(int type, int nid) { - switch (type) { - case KEY_RSA: - return "ssh-rsa"; - case KEY_DSA: - return "ssh-dss"; - case KEY_RSA_CERT_V00: - return "ssh-rsa-cert-v00@openssh.com"; - case KEY_DSA_CERT_V00: - return "ssh-dss-cert-v00@openssh.com"; - case KEY_RSA_CERT: - return "ssh-rsa-cert-v01@openssh.com"; - case KEY_DSA_CERT: - return "ssh-dss-cert-v01@openssh.com"; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - switch (nid) { - case NID_X9_62_prime256v1: - return "ecdsa-sha2-nistp256"; - case 
NID_secp384r1: - return "ecdsa-sha2-nistp384"; - case NID_secp521r1: - return "ecdsa-sha2-nistp521"; - default: - break; - } - break; - case KEY_ECDSA_CERT: - switch (nid) { - case NID_X9_62_prime256v1: - return "ecdsa-sha2-nistp256-cert-v01@openssh.com"; - case NID_secp384r1: - return "ecdsa-sha2-nistp384-cert-v01@openssh.com"; - case NID_secp521r1: - return "ecdsa-sha2-nistp521-cert-v01@openssh.com"; - default: - break; - } - break; -#endif /* OPENSSL_HAS_ECC */ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) + return kt->name; } return "ssh-unknown"; } @@ -993,6 +974,56 @@ key_ssh_name_plain(const Key *k) k->ecdsa_nid); } +int +key_type_from_name(char *name) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + /* Only allow shortname matches for plain key types */ + if ((kt->name != NULL && strcmp(name, kt->name) == 0) || + (!kt->cert && strcasecmp(kt->shortname, name) == 0)) + return kt->type; + } + debug2("key_type_from_name: unknown key type '%s'", name); + return KEY_UNSPEC; +} + +int +key_ecdsa_nid_from_name(const char *name) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) + continue; + if (kt->name != NULL && strcmp(name, kt->name) == 0) + return kt->nid; + } + debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); + return -1; +} + +char * +key_alg_list(void) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->name == NULL) + continue; + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(kt->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, kt->name, nlen + 1); + rlen += nlen; + } + return ret; +} + u_int key_size(const Key *k) { 
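Review bot: The new loop in `key_ssh_name_from_type_nid()` returns `kt->name` for the first row whose type matches, and the `KEY_RSA1` row of `keytypes[]` has `name` set to NULL, so a KEY_RSA1 key now yields NULL where the removed switch (which had no KEY_RSA1 case) returned "ssh-unknown"; any caller that passes the result to strcmp or a `%s` format would dereference NULL. Skipping nameless rows restores the old fallback: `if (kt->name != NULL && kt->type == type && (kt->nid == 0 || kt->nid == nid))`. The same NULL-name row is already handled explicitly in `key_alg_list()` via `if (kt->name == NULL) continue;`, so the two loops would then agree.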
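Review bot: `key_type_from_name()` is declared with a non-const `char *name` even though the body only reads it through `strcmp`/`strcasecmp`, while the neighbouring `key_ecdsa_nid_from_name()` in the same hunk takes `const char *name`; the two lookups should use the same signature, `key_type_from_name(const char *name)`, provided the prototype in key.h is updated to match. The `/* Only allow shortname matches for plain key types */` comment would read better if it also said that shortname matching is case-insensitive (`strcasecmp`) while full names are matched exactly (`strcmp`), since that asymmetry is easy to miss.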
@@ -1247,65 +1278,6 @@ key_from_private(const Key *k) return n; } -int -key_type_from_name(char *name) -{ - if (strcmp(name, "rsa1") == 0) { - return KEY_RSA1; - } else if (strcmp(name, "rsa") == 0) { - return KEY_RSA; - } else if (strcmp(name, "dsa") == 0) { - return KEY_DSA; - } else if (strcmp(name, "ssh-rsa") == 0) { - return KEY_RSA; - } else if (strcmp(name, "ssh-dss") == 0) { - return KEY_DSA; -#ifdef OPENSSL_HAS_ECC - } else if (strcmp(name, "ecdsa") == 0 || - strcmp(name, "ecdsa-sha2-nistp256") == 0 || - strcmp(name, "ecdsa-sha2-nistp384") == 0 || - strcmp(name, "ecdsa-sha2-nistp521") == 0) { - return KEY_ECDSA; -#endif - } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) { - return KEY_RSA_CERT_V00; - } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { - return KEY_DSA_CERT_V00; - } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) { - return KEY_RSA_CERT; - } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { - return KEY_DSA_CERT; -#ifdef OPENSSL_HAS_ECC - } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 || - strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 || - strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { - return KEY_ECDSA_CERT; -#endif - } - - debug2("key_type_from_name: unknown key type '%s'", name); - return KEY_UNSPEC; -} - -int -key_ecdsa_nid_from_name(const char *name) -{ -#ifdef OPENSSL_HAS_ECC - if (strcmp(name, "ecdsa-sha2-nistp256") == 0 || - strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0) - return NID_X9_62_prime256v1; - if (strcmp(name, "ecdsa-sha2-nistp384") == 0 || - strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0) - return NID_secp384r1; - if (strcmp(name, "ecdsa-sha2-nistp521") == 0 || - strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) - return NID_secp521r1; -#endif /* OPENSSL_HAS_ECC */ - - debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); - return -1; -} - int 
key_names_valid2(const char *names) { diff --git a/key.h b/key.h index ebdf4567..f2e058e9 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */ +/* $OpenBSD: key.h,v 1.36 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -118,15 +118,16 @@ int key_cert_is_legacy(const Key *); int key_ecdsa_nid_from_name(const char *); int key_curve_name_to_nid(const char *); -const char * key_curve_nid_to_name(int); +const char *key_curve_nid_to_name(int); u_int key_curve_nid_to_bits(int); int key_ecdsa_bits_to_nid(int); #ifdef OPENSSL_HAS_ECC int key_ecdsa_key_to_nid(EC_KEY *); -const EVP_MD * key_ec_nid_to_evpmd(int nid); +const EVP_MD *key_ec_nid_to_evpmd(int nid); int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); int key_ec_validate_private(const EC_KEY *); #endif +char *key_alg_list(void); Key *key_from_blob(const u_char *, u_int); int key_to_blob(const Key *, u_char **, u_int *); diff --git a/mac.c b/mac.c index 3f2dc6f2..da68803f 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */ +/* $OpenBSD: mac.c,v 1.22 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -50,7 +50,7 @@ #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ #define SSH_UMAC128 3 -struct { +struct macalg { char *name; int type; const EVP_MD * (*mdfunc)(void); @@ -58,7 +58,9 @@ struct { int key_len; /* just for UMAC */ int len; /* just for UMAC */ int etm; /* Encrypt-then-MAC */ -} macs[] = { +}; + +static const struct macalg macs[] = { /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, 
@@ -89,38 +91,58 @@ struct { { NULL, 0, NULL, 0, 0, 0, 0 } }; +/* Returns a comma-separated list of supported MACs. */ +char * +mac_alg_list(void) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const struct macalg *m; + + for (m = macs; m->name != NULL; m++) { + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(m->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, m->name, nlen + 1); + rlen += nlen; + } + return ret; +} + static void -mac_setup_by_id(Mac *mac, int which) +mac_setup_by_alg(Mac *mac, const struct macalg *macalg) { int evp_len; - mac->type = macs[which].type; + + mac->type = macalg->type; if (mac->type == SSH_EVP) { - mac->evp_md = (*macs[which].mdfunc)(); + mac->evp_md = macalg->mdfunc(); if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0) fatal("mac %s len %d", mac->name, evp_len); mac->key_len = mac->mac_len = (u_int)evp_len; } else { - mac->mac_len = macs[which].len / 8; - mac->key_len = macs[which].key_len / 8; + mac->mac_len = macalg->len / 8; + mac->key_len = macalg->key_len / 8; mac->umac_ctx = NULL; } - if (macs[which].truncatebits != 0) - mac->mac_len = macs[which].truncatebits / 8; - mac->etm = macs[which].etm; + if (macalg->truncatebits != 0) + mac->mac_len = macalg->truncatebits / 8; + mac->etm = macalg->etm; } int mac_setup(Mac *mac, char *name) { - int i; - - for (i = 0; macs[i].name; i++) { - if (strcmp(name, macs[i].name) == 0) { - if (mac != NULL) - mac_setup_by_id(mac, i); - debug2("mac_setup: found %s", name); - return (0); - } + const struct macalg *m; + + for (m = macs; m->name != NULL; m++) { + if (strcmp(name, m->name) != 0) + continue; + if (mac != NULL) + mac_setup_by_alg(mac, m); + debug2("mac_setup: found %s", name); + return (0); } debug2("mac_setup: unknown %s", name); return (-1); diff --git a/mac.h b/mac.h index 39f564dd..260798ab 100644 --- a/mac.h +++ b/mac.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */ +/* $OpenBSD: mac.h,v 1.7 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -24,6 +24,7 @@ */ int mac_valid(const char *); +char *mac_alg_list(void); int mac_setup(Mac *, char *); int mac_init(Mac *); u_char *mac_compute(Mac *, u_int32_t, u_char *, int); diff --git a/packet.c b/packet.c index 3e835d36..3c97383e 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.182 2013/04/11 02:27:50 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.183 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -215,7 +215,7 @@ alloc_session_state(void) void packet_set_connection(int fd_in, int fd_out) { - Cipher *none = cipher_by_name("none"); + const Cipher *none = cipher_by_name("none"); if (none == NULL) fatal("packet_set_connection: cannot load cipher 'none'"); @@ -545,7 +545,7 @@ packet_start_compression(int level) void packet_set_encryption_key(const u_char *key, u_int keylen, int number) { - Cipher *cipher = cipher_by_number(number); + const Cipher *cipher = cipher_by_number(number); if (cipher == NULL) fatal("packet_set_encryption_key: unknown cipher number %d", number); diff --git a/ssh.1 b/ssh.1 index d77494b8..dc7af486 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.331 2013/04/07 02:10:33 dtucker Exp $ -.Dd $Mdocdate: April 7 2013 $ +.\" $OpenBSD: ssh.1,v 1.332 2013/04/19 01:06:50 djm Exp $ +.Dd $Mdocdate: April 19 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -65,6 +65,8 @@ .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command .Ek +.Nm +.Fl Q Ar protocol_feature .Sh DESCRIPTION .Nm (SSH client) is a program for logging into a remote machine and for 
@@ -487,6 +489,21 @@ For full details of the options listed below, and their possible values, see Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. +.It Fl Q Ar protocol_feature +Queries +.Nm +for the algorithms supported for the specified version 2 +.Ar protocol_feature . +The queriable features are: +.Dq cipher +(supported symmetric ciphers), +.Dq MAC +(supported message integrity codes), +.Dq KEX +(key exchange algorithms), +.Dq key +(key types). +Protocol features are treated case-insensitively. .It Fl q Quiet mode. Causes most warning and diagnostic messages to be suppressed. diff --git a/ssh.c b/ssh.c index cd56f8a7..b077dc82 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.375 2013/04/07 02:10:33 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.376 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -327,7 +327,7 @@ main(int ac, char **av) again: while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" - "ACD:E:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { + "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -389,6 +389,22 @@ main(int ac, char **av) case 'P': /* deprecated */ options.use_privileged_port = 0; break; + case 'Q': /* deprecated */ + cp = NULL; + if (strcasecmp(optarg, "cipher") == 0) + cp = cipher_alg_list(); + else if (strcasecmp(optarg, "mac") == 0) + cp = mac_alg_list(); + else if (strcasecmp(optarg, "kex") == 0) + cp = kex_alg_list(); + else if (strcasecmp(optarg, "key") == 0) + cp = key_alg_list(); + if (cp == NULL) + fatal("Unsupported query \"%s\"", optarg); + printf("%s\n", cp); + free(cp); + exit(0); + break; case 'a': options.forward_agent = 0; break; -- cgit v1.2.1 From 2392931530b97d4aeb8c59f1b16c3e178299b00a Mon Sep 17 00:00:00 2001 
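Review bot: The new `case 'Q': /* deprecated */` in the getopt switch carries a comment copied from the `case 'P': /* deprecated */` line just above it, but -Q is the option this commit introduces, so the comment is wrong on arrival; `case 'Q': /* query supported algorithms */` matches the ssh.1 text added in this commit. The `break;` after `exit(0);` is unreachable and can be dropped. The enclosing main() starts outside this hunk.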
From: djm Date: Tue, 23 Apr 2013 09:25:00 +0000 Subject: - djm@cvs.openbsd.org 2013/04/19 11:10:18 [ssh.c] add -Q to usage; reminded by jmc@ --- ChangeLog | 3 +++ ssh.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3d2950e8..3c2050fd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -75,6 +75,9 @@ add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@ + - djm@cvs.openbsd.org 2013/04/19 11:10:18 + [ssh.c] + add -Q to usage; reminded by jmc@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/ssh.c b/ssh.c index b077dc82..534e7c6c 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.376 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.377 2013/04/19 11:10:18 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -199,7 +199,7 @@ usage(void) "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" " [-F configfile] [-I pkcs11] [-i identity_file]\n" -" [-L [bind_address:]port:host:hostport]\n" +" [-L [bind_address:]port:host:hostport] [-Q protocol_feature]\n" " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" " [-W host:port] [-w local_tun[:remote_tun]]\n" -- cgit v1.2.1 From ba4621d9d18b5c6c224901a64554783696f5ee82 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 09:25:29 +0000 Subject: - djm@cvs.openbsd.org 2013/04/19 12:07:08 [kex.c] remove duplicated list entry pointed out by naddy@ --- ChangeLog | 3 +++ kex.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3c2050fd..6d7d1d22 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -78,6 +78,9 @@ - djm@cvs.openbsd.org 2013/04/19 11:10:18 [ssh.c] add -Q to usage; reminded by jmc@ + - djm@cvs.openbsd.org 2013/04/19 12:07:08 + [kex.c] + remove duplicated list entry pointed out by naddy@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/kex.c b/kex.c index 65a227bc..f6e683bd 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.89 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.90 2013/04/19 12:07:08 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * -- cgit v1.2.1 From 8fa8f65ea133abe1cc24b2b60c64f1de55a014c6 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2013 09:25:49 +0000 Subject: - dtucker@cvs.openbsd.org 2013/04/22 01:17:18 [mux.c] typo in debug output: evitval->exitval --- ChangeLog | 3 +++ mux.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6d7d1d22..9865d41b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -81,6 +81,9 @@ - djm@cvs.openbsd.org 2013/04/19 12:07:08 [kex.c] remove duplicated list entry pointed out by naddy@ + - dtucker@cvs.openbsd.org 2013/04/22 01:17:18 + [mux.c] + typo in debug output: evitval->exitval 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/mux.c b/mux.c index 9f458c4c..a6bcbbac 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.39 2013/04/05 00:58:51 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.40 2013/04/22 01:17:18 dtucker Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -1101,7 +1101,7 @@ mux_exit_message(Channel *c, int exitval) Buffer m; Channel *mux_chan; - debug3("%s: channel %d: exit message, evitval %d", __func__, c->self, + debug3("%s: channel %d: exit message, exitval %d", __func__, c->self, exitval); if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL) -- cgit v1.2.1 From 822be025d23369aed256b085608db86c595903d4 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 10 May 2013 03:54:23 +0000 Subject: - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler supports it. Mentioned by Colin Watson in bz#2100, ok djm. --- ChangeLog | 4 ++++ configure.ac | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9865d41b..dbc9679b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130510 + - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler + supports it. Mentioned by Colin Watson in bz#2100, ok djm. + 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support platforms, such as Android, that lack struct passwd.pw_gecos. Report diff --git a/configure.ac b/configure.ac index c30d547d..93c50e08 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.521 2013/04/23 04:25:53 djm Exp $ +# $Id: configure.ac,v 1.522 2013/05/10 03:54:23 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.521 $) +AC_REVISION($Revision: 1.522 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -134,6 +134,7 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare]) OSSH_CHECK_CFLAG_COMPILE([-Wformat-security]) + OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess]) OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) -- cgit v1.2.1 From 23afe19cb2070b408a7ea30d4ba9aa68190475a6 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 10 May 2013 05:35:26 +0000 Subject: - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to getopt.c. Preprocessed source is identical other than line numbers. --- ChangeLog | 2 ++ openbsd-compat/getopt.c | 58 ++++++++++++++++++++++++++++--------------------- 2 files changed, 35 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index dbc9679b..bbc79973 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler supports it. Mentioned by Colin Watson in bz#2100, ok djm. + - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to + getopt.c. Preprocessed source is identical other than line numbers. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c index 5450e43d..e5e80af0 100644 --- a/openbsd-compat/getopt.c +++ b/openbsd-compat/getopt.c @@ -32,6 +32,14 @@ #include "includes.h" #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) +/* some defines to make it easier to keep the code in sync with upstream */ +/* #define getopt BSDgetopt is in defines.h */ +#define opterr BSDopterr +#define optind BSDoptind +#define optopt BSDoptopt +#define optreset BSDoptreset +#define optarg BSDoptarg + #if defined(LIBC_SCCS) && !defined(lint) static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $"; #endif /* LIBC_SCCS and not lint */ 
@@ -40,11 +48,11 @@ static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $ #include #include -int BSDopterr = 1, /* if error message should be printed */ - BSDoptind = 1, /* index into parent argv vector */ - BSDoptopt, /* character checked for validity */ - BSDoptreset; /* reset getopt */ -char *BSDoptarg; /* argument associated with option */ +int opterr = 1, /* if error message should be printed */ + optind = 1, /* index into parent argv vector */ + optopt, /* character checked for validity */ + optreset; /* reset getopt */ +char *optarg; /* argument associated with option */ #define BADCH (int)'?' #define BADARG (int)':' @@ -55,7 +63,7 @@ char *BSDoptarg; /* argument associated with option */ * Parse argc/argv argument vector. */ int -BSDgetopt(nargc, nargv, ostr) +getopt(nargc, nargv, ostr) int nargc; char * const *nargv; const char *ostr; 
@@ -67,57 +75,57 @@ BSDgetopt(nargc, nargv, ostr) if (ostr == NULL) return (-1); - if (BSDoptreset || !*place) { /* update scanning pointer */ - BSDoptreset = 0; - if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') { + if (optreset || !*place) { /* update scanning pointer */ + optreset = 0; + if (optind >= nargc || *(place = nargv[optind]) != '-') { place = EMSG; return (-1); } if (place[1] && *++place == '-') { /* found "--" */ - ++BSDoptind; + ++optind; place = EMSG; return (-1); } } /* option letter okay? */ - if ((BSDoptopt = (int)*place++) == (int)':' || - !(oli = strchr(ostr, BSDoptopt))) { + if ((optopt = (int)*place++) == (int)':' || + !(oli = strchr(ostr, optopt))) { /* * if the user didn't specify '-' as an option, * assume it means -1. */ - if (BSDoptopt == (int)'-') + if (optopt == (int)'-') return (-1); if (!*place) - ++BSDoptind; - if (BSDopterr && *ostr != ':') + ++optind; + if (opterr && *ostr != ':') (void)fprintf(stderr, - "%s: illegal option -- %c\n", __progname, BSDoptopt); + "%s: illegal option -- %c\n", __progname, optopt); return (BADCH); } if (*++oli != ':') { /* don't need argument */ - BSDoptarg = NULL; + optarg = NULL; if (!*place) - ++BSDoptind; + ++optind; } else { /* need an argument */ if (*place) /* no white space */ - BSDoptarg = place; - else if (nargc <= ++BSDoptind) { /* no arg */ + optarg = place; + else if (nargc <= ++optind) { /* no arg */ place = EMSG; if (*ostr == ':') return (BADARG); - if (BSDopterr) + if (opterr) (void)fprintf(stderr, "%s: option requires an argument -- %c\n", - __progname, BSDoptopt); + __progname, optopt); return (BADCH); } else /* white space */ - BSDoptarg = nargv[BSDoptind]; + optarg = nargv[optind]; place = EMSG; - ++BSDoptind; + ++optind; } - return (BSDoptopt); /* dump back option letter */ + return (optopt); /* dump back option letter */ } #endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ -- cgit v1.2.1 From 02b68539ec290231a85167d864cc7b7873ae2fb1 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 10 May 2013 05:38:11 +0000 Subject: - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No portability changes yet. --- ChangeLog | 2 + openbsd-compat/getopt_long.c | 511 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 513 insertions(+) create mode 100644 openbsd-compat/getopt_long.c diff --git a/ChangeLog b/ChangeLog index bbc79973..71c3ea61 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ supports it. Mentioned by Colin Watson in bz#2100, ok djm. - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to getopt.c. Preprocessed source is identical other than line numbers. + - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No + portability changes yet. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/openbsd-compat/getopt_long.c b/openbsd-compat/getopt_long.c new file mode 100644 index 00000000..e149fe0a --- /dev/null +++ b/openbsd-compat/getopt_long.c 
@@ -0,0 +1,511 @@ +/* $OpenBSD: getopt_long.c,v 1.25 2011/03/05 22:10:11 guenther Exp $ */ +/* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */ + +/* + * Copyright (c) 2002 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F39502-99-1-0512. + */ +/*- + * Copyright (c) 2000 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Dieter Baron and Thomas Klausner. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. 
AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include + +int opterr = 1; /* if error message should be printed */ +int optind = 1; /* index into parent argv vector */ +int optopt = '?'; /* character checked for validity */ +int optreset; /* reset getopt */ +char *optarg; /* argument associated with option */ + +#define PRINT_ERROR ((opterr) && (*options != ':')) + +#define FLAG_PERMUTE 0x01 /* permute non-options to the end of argv */ +#define FLAG_ALLARGS 0x02 /* treat non-options as args to option "-1" */ +#define FLAG_LONGONLY 0x04 /* operate as getopt_long_only */ + +/* return values */ +#define BADCH (int)'?' +#define BADARG ((*options == ':') ? 
(int)':' : (int)'?') +#define INORDER (int)1 + +#define EMSG "" + +static int getopt_internal(int, char * const *, const char *, + const struct option *, int *, int); +static int parse_long_options(char * const *, const char *, + const struct option *, int *, int); +static int gcd(int, int); +static void permute_args(int, int, int, char * const *); + +static char *place = EMSG; /* option letter processing */ + +/* XXX: set optreset to 1 rather than these two */ +static int nonopt_start = -1; /* first non option argument (for permute) */ +static int nonopt_end = -1; /* first option after non options (for permute) */ + +/* Error messages */ +static const char recargchar[] = "option requires an argument -- %c"; +static const char recargstring[] = "option requires an argument -- %s"; +static const char ambig[] = "ambiguous option -- %.*s"; +static const char noarg[] = "option doesn't take an argument -- %.*s"; +static const char illoptchar[] = "unknown option -- %c"; +static const char illoptstring[] = "unknown option -- %s"; + +/* + * Compute the greatest common divisor of a and b. + */ +static int +gcd(int a, int b) +{ + int c; + + c = a % b; + while (c != 0) { + a = b; + b = c; + c = a % b; + } + + return (b); +} + +/* + * Exchange the block from nonopt_start to nonopt_end with the block + * from nonopt_end to opt_end (keeping the same order of arguments + * in each block). 
+ */ +static void +permute_args(int panonopt_start, int panonopt_end, int opt_end, + char * const *nargv) +{ + int cstart, cyclelen, i, j, ncycle, nnonopts, nopts, pos; + char *swap; + + /* + * compute lengths of blocks and number and size of cycles + */ + nnonopts = panonopt_end - panonopt_start; + nopts = opt_end - panonopt_end; + ncycle = gcd(nnonopts, nopts); + cyclelen = (opt_end - panonopt_start) / ncycle; + + for (i = 0; i < ncycle; i++) { + cstart = panonopt_end+i; + pos = cstart; + for (j = 0; j < cyclelen; j++) { + if (pos >= panonopt_end) + pos -= nnonopts; + else + pos += nopts; + swap = nargv[pos]; + /* LINTED const cast */ + ((char **) nargv)[pos] = nargv[cstart]; + /* LINTED const cast */ + ((char **)nargv)[cstart] = swap; + } + } +} + +/* + * parse_long_options -- + * Parse long options in argc/argv argument vector. + * Returns -1 if short_too is set and the option does not match long_options. + */ +static int +parse_long_options(char * const *nargv, const char *options, + const struct option *long_options, int *idx, int short_too) +{ + char *current_argv, *has_equal; + size_t current_argv_len; + int i, match; + + current_argv = place; + match = -1; + + optind++; + + if ((has_equal = strchr(current_argv, '=')) != NULL) { + /* argument found (--option=arg) */ + current_argv_len = has_equal - current_argv; + has_equal++; + } else + current_argv_len = strlen(current_argv); + + for (i = 0; long_options[i].name; i++) { + /* find matching long option */ + if (strncmp(current_argv, long_options[i].name, + current_argv_len)) + continue; + + if (strlen(long_options[i].name) == current_argv_len) { + /* exact match */ + match = i; + break; + } + /* + * If this is a known short option, don't allow + * a partial match of a single character. 
+ */ + if (short_too && current_argv_len == 1) + continue; + + if (match == -1) /* partial match */ + match = i; + else { + /* ambiguous abbreviation */ + if (PRINT_ERROR) + warnx(ambig, (int)current_argv_len, + current_argv); + optopt = 0; + return (BADCH); + } + } + if (match != -1) { /* option found */ + if (long_options[match].has_arg == no_argument + && has_equal) { + if (PRINT_ERROR) + warnx(noarg, (int)current_argv_len, + current_argv); + /* + * XXX: GNU sets optopt to val regardless of flag + */ + if (long_options[match].flag == NULL) + optopt = long_options[match].val; + else + optopt = 0; + return (BADARG); + } + if (long_options[match].has_arg == required_argument || + long_options[match].has_arg == optional_argument) { + if (has_equal) + optarg = has_equal; + else if (long_options[match].has_arg == + required_argument) { + /* + * optional argument doesn't use next nargv + */ + optarg = nargv[optind++]; + } + } + if ((long_options[match].has_arg == required_argument) + && (optarg == NULL)) { + /* + * Missing argument; leading ':' indicates no error + * should be generated. + */ + if (PRINT_ERROR) + warnx(recargstring, + current_argv); + /* + * XXX: GNU sets optopt to val regardless of flag + */ + if (long_options[match].flag == NULL) + optopt = long_options[match].val; + else + optopt = 0; + --optind; + return (BADARG); + } + } else { /* unknown option */ + if (short_too) { + --optind; + return (-1); + } + if (PRINT_ERROR) + warnx(illoptstring, current_argv); + optopt = 0; + return (BADCH); + } + if (idx) + *idx = match; + if (long_options[match].flag) { + *long_options[match].flag = long_options[match].val; + return (0); + } else + return (long_options[match].val); +} + +/* + * getopt_internal -- + * Parse argc/argv argument vector. Called by user level routines. 
+ */ +static int +getopt_internal(int nargc, char * const *nargv, const char *options, + const struct option *long_options, int *idx, int flags) +{ + char *oli; /* option letter list index */ + int optchar, short_too; + static int posixly_correct = -1; + + if (options == NULL) + return (-1); + + /* + * XXX Some GNU programs (like cvs) set optind to 0 instead of + * XXX using optreset. Work around this braindamage. + */ + if (optind == 0) + optind = optreset = 1; + + /* + * Disable GNU extensions if POSIXLY_CORRECT is set or options + * string begins with a '+'. + */ + if (posixly_correct == -1 || optreset) + posixly_correct = (getenv("POSIXLY_CORRECT") != NULL); + if (*options == '-') + flags |= FLAG_ALLARGS; + else if (posixly_correct || *options == '+') + flags &= ~FLAG_PERMUTE; + if (*options == '+' || *options == '-') + options++; + + optarg = NULL; + if (optreset) + nonopt_start = nonopt_end = -1; +start: + if (optreset || !*place) { /* update scanning pointer */ + optreset = 0; + if (optind >= nargc) { /* end of argument vector */ + place = EMSG; + if (nonopt_end != -1) { + /* do permutation, if we have to */ + permute_args(nonopt_start, nonopt_end, + optind, nargv); + optind -= nonopt_end - nonopt_start; + } + else if (nonopt_start != -1) { + /* + * If we skipped non-options, set optind + * to the first of them. + */ + optind = nonopt_start; + } + nonopt_start = nonopt_end = -1; + return (-1); + } + if (*(place = nargv[optind]) != '-' || + (place[1] == '\0' && strchr(options, '-') == NULL)) { + place = EMSG; /* found non-option */ + if (flags & FLAG_ALLARGS) { + /* + * GNU extension: + * return non-option as argument to option 1 + */ + optarg = nargv[optind++]; + return (INORDER); + } + if (!(flags & FLAG_PERMUTE)) { + /* + * If no permutation wanted, stop parsing + * at first non-option. 
+ */ + return (-1); + } + /* do permutation */ + if (nonopt_start == -1) + nonopt_start = optind; + else if (nonopt_end != -1) { + permute_args(nonopt_start, nonopt_end, + optind, nargv); + nonopt_start = optind - + (nonopt_end - nonopt_start); + nonopt_end = -1; + } + optind++; + /* process next argument */ + goto start; + } + if (nonopt_start != -1 && nonopt_end == -1) + nonopt_end = optind; + + /* + * If we have "-" do nothing, if "--" we are done. + */ + if (place[1] != '\0' && *++place == '-' && place[1] == '\0') { + optind++; + place = EMSG; + /* + * We found an option (--), so if we skipped + * non-options, we have to permute. + */ + if (nonopt_end != -1) { + permute_args(nonopt_start, nonopt_end, + optind, nargv); + optind -= nonopt_end - nonopt_start; + } + nonopt_start = nonopt_end = -1; + return (-1); + } + } + + /* + * Check long options if: + * 1) we were passed some + * 2) the arg is not just "-" + * 3) either the arg starts with -- we are getopt_long_only() + */ + if (long_options != NULL && place != nargv[optind] && + (*place == '-' || (flags & FLAG_LONGONLY))) { + short_too = 0; + if (*place == '-') + place++; /* --foo long option */ + else if (*place != ':' && strchr(options, *place) != NULL) + short_too = 1; /* could be short option too */ + + optchar = parse_long_options(nargv, options, long_options, + idx, short_too); + if (optchar != -1) { + place = EMSG; + return (optchar); + } + } + + if ((optchar = (int)*place++) == (int)':' || + (optchar == (int)'-' && *place != '\0') || + (oli = strchr(options, optchar)) == NULL) { + /* + * If the user specified "-" and '-' isn't listed in + * options, return -1 (non-option) as per POSIX. + * Otherwise, it is an unknown option character (or ':'). 
+ */ + if (optchar == (int)'-' && *place == '\0') + return (-1); + if (!*place) + ++optind; + if (PRINT_ERROR) + warnx(illoptchar, optchar); + optopt = optchar; + return (BADCH); + } + if (long_options != NULL && optchar == 'W' && oli[1] == ';') { + /* -W long-option */ + if (*place) /* no space */ + /* NOTHING */; + else if (++optind >= nargc) { /* no arg */ + place = EMSG; + if (PRINT_ERROR) + warnx(recargchar, optchar); + optopt = optchar; + return (BADARG); + } else /* white space */ + place = nargv[optind]; + optchar = parse_long_options(nargv, options, long_options, + idx, 0); + place = EMSG; + return (optchar); + } + if (*++oli != ':') { /* doesn't take argument */ + if (!*place) + ++optind; + } else { /* takes (optional) argument */ + optarg = NULL; + if (*place) /* no white space */ + optarg = place; + else if (oli[1] != ':') { /* arg not optional */ + if (++optind >= nargc) { /* no arg */ + place = EMSG; + if (PRINT_ERROR) + warnx(recargchar, optchar); + optopt = optchar; + return (BADARG); + } else + optarg = nargv[optind]; + } + place = EMSG; + ++optind; + } + /* dump back option letter */ + return (optchar); +} + +/* + * getopt -- + * Parse argc/argv argument vector. + * + * [eventually this will replace the BSD getopt] + */ +int +getopt(int nargc, char * const *nargv, const char *options) +{ + + /* + * We don't pass FLAG_PERMUTE to getopt_internal() since + * the BSD getopt(3) (unlike GNU) has never done this. + * + * Furthermore, since many privileged programs call getopt() + * before dropping privileges it makes sense to keep things + * as simple (and bug-free) as possible. + */ + return (getopt_internal(nargc, nargv, options, NULL, NULL, 0)); +} + +/* + * getopt_long -- + * Parse argc/argv argument vector. 
+ */ +int +getopt_long(int nargc, char * const *nargv, const char *options, + const struct option *long_options, int *idx) +{ + + return (getopt_internal(nargc, nargv, options, long_options, idx, + FLAG_PERMUTE)); +} + +/* + * getopt_long_only -- + * Parse argc/argv argument vector. + */ +int +getopt_long_only(int nargc, char * const *nargv, const char *options, + const struct option *long_options, int *idx) +{ + + return (getopt_internal(nargc, nargv, options, long_options, idx, + FLAG_PERMUTE|FLAG_LONGONLY)); +} -- cgit v1.2.1 From 29a2d2d14b490cdd65951c1b6e5ae94bc562c538 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 10 May 2013 06:28:55 +0000 Subject: - (dtucker) [openbsd-compat/Makefile.in openbsd-compat/getopt.c openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add portability code to getopt_long.c and switch over Makefile and the ugly hack in modpipe.c. Fixes bz#1448. --- ChangeLog | 4 ++ openbsd-compat/Makefile.in | 4 +- openbsd-compat/getopt.c | 131 ------------------------------------------- openbsd-compat/getopt_long.c | 19 +++++++ regress/modpipe.c | 2 +- 5 files changed, 26 insertions(+), 134 deletions(-) delete mode 100644 openbsd-compat/getopt.c diff --git a/ChangeLog b/ChangeLog index 71c3ea61..e0604abe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ getopt.c. Preprocessed source is identical other than line numbers. - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No portability changes yet. + - (dtucker) [openbsd-compat/Makefile.in openbsd-compat/getopt.c + openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add + portability code to getopt_long.c and switch over Makefile and the ugly + hack in modpipe.c. Fixes bz#1448. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index e1c3651e..365cf006 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in 
@@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.50 2013/02/15 01:13:02 dtucker Exp $ +# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -16,7 +16,7 @@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o +OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c deleted file mode 100644 index e5e80af0..00000000 --- a/openbsd-compat/getopt.c +++ /dev/null 
@@ -1,131 +0,0 @@ -/* - * Copyright (c) 1987, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */ - -#include "includes.h" -#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) - -/* some defines to make it easier to keep the code in sync with upstream */ -/* #define getopt BSDgetopt is in defines.h */ -#define opterr BSDopterr -#define optind BSDoptind -#define optopt BSDoptopt -#define optreset BSDoptreset -#define optarg BSDoptarg - -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include - -int opterr = 1, /* if error message should be printed */ - optind = 1, /* index into parent argv vector */ - optopt, /* character checked for validity */ - optreset; /* reset getopt */ -char *optarg; /* argument associated with option */ - -#define BADCH (int)'?' -#define BADARG (int)':' -#define EMSG "" - -/* - * getopt -- - * Parse argc/argv argument vector. - */ -int -getopt(nargc, nargv, ostr) - int nargc; - char * const *nargv; - const char *ostr; -{ - extern char *__progname; - static char *place = EMSG; /* option letter processing */ - char *oli; /* option letter list index */ - - if (ostr == NULL) - return (-1); - - if (optreset || !*place) { /* update scanning pointer */ - optreset = 0; - if (optind >= nargc || *(place = nargv[optind]) != '-') { - place = EMSG; - return (-1); - } - if (place[1] && *++place == '-') { /* found "--" */ - ++optind; - place = EMSG; - return (-1); - } - } /* option letter okay? */ - if ((optopt = (int)*place++) == (int)':' || - !(oli = strchr(ostr, optopt))) { - /* - * if the user didn't specify '-' as an option, - * assume it means -1. 
- */ - if (optopt == (int)'-') - return (-1); - if (!*place) - ++optind; - if (opterr && *ostr != ':') - (void)fprintf(stderr, - "%s: illegal option -- %c\n", __progname, optopt); - return (BADCH); - } - if (*++oli != ':') { /* don't need argument */ - optarg = NULL; - if (!*place) - ++optind; - } - else { /* need an argument */ - if (*place) /* no white space */ - optarg = place; - else if (nargc <= ++optind) { /* no arg */ - place = EMSG; - if (*ostr == ':') - return (BADARG); - if (opterr) - (void)fprintf(stderr, - "%s: option requires an argument -- %c\n", - __progname, optopt); - return (BADCH); - } - else /* white space */ - optarg = nargv[optind]; - place = EMSG; - ++optind; - } - return (optopt); /* dump back option letter */ -} - -#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ diff --git a/openbsd-compat/getopt_long.c b/openbsd-compat/getopt_long.c index e149fe0a..6b36d067 100644 --- a/openbsd-compat/getopt_long.c +++ b/openbsd-compat/getopt_long.c @@ -49,7 +49,22 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt_long.c */ +#include "includes.h" + +#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) +#include "log.h" + +/* + * Some defines to make it easier to keep the code in sync with upstream. + * getopt opterr optind optopt optreset optarg are all in defines.h which is + * pulled in by includes.h. + */ +#define warnx logit + +#if 0 #include +#endif #include #include #include @@ -484,6 +499,7 @@ getopt(int nargc, char * const *nargv, const char *options) return (getopt_internal(nargc, nargv, options, NULL, NULL, 0)); } +#if 0 /* * getopt_long -- * Parse argc/argv argument vector. @@ -509,3 +525,6 @@ getopt_long_only(int nargc, char * const *nargv, const char *options, return (getopt_internal(nargc, nargv, options, long_options, idx, FLAG_PERMUTE|FLAG_LONGONLY)); } +#endif + +#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ 
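Review bot: The closing guard comment added in the last getopt_long.c hunk names a macro the file never tests: the condition opened in the first hunk is `!defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)`, but the `#endif` reads `HAVE_OPTRESET` (carried over from the deleted getopt.c), so it should be `#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) */`. The `#define warnx logit` in the first hunk also deserves a one-line comment, since it silently redirects the parser's diagnostics (`ambig`, `noarg`, `illoptstring`, ...) from libc's stderr-writing warnx(3) into the project's log subsystem, which presumably must accept the same printf-style arguments (`%.*s`, `%c`); something like `/* route getopt diagnostics through OpenSSH logging instead of warnx(3) */` would make the substitution explicit. The definitions these hunks touch start and end outside the hunks.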
diff --git a/regress/modpipe.c b/regress/modpipe.c index 9629aa80..3322d1a7 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -25,7 +25,7 @@ #include #include #include -#include "openbsd-compat/getopt.c" +#include "openbsd-compat/getopt_long.c" static void err(int, const char *, ...) __attribute__((format(printf, 2, 3))); static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3))); -- cgit v1.2.1 From 04faa5aab9c878e22a19952dae2f4981cb2e6891 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 10 May 2013 08:08:49 +0000 Subject: - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb in to use it when we're using our own getopt. --- ChangeLog | 3 ++ openbsd-compat/getopt.h | 78 +++++++++++++++++++++++++++++++++++++++++ openbsd-compat/getopt_long.c | 6 ++-- openbsd-compat/openbsd-compat.h | 3 +- 4 files changed, 87 insertions(+), 3 deletions(-) create mode 100644 openbsd-compat/getopt.h diff --git a/ChangeLog b/ChangeLog index e0604abe..650400f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add portability code to getopt_long.c and switch over Makefile and the ugly hack in modpipe.c. Fixes bz#1448. + - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c + openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb + in to use it when we're using our own getopt. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/openbsd-compat/getopt.h b/openbsd-compat/getopt.h new file mode 100644 index 00000000..0311b078 --- /dev/null +++ b/openbsd-compat/getopt.h 
@@ -0,0 +1,78 @@ +/* $OpenBSD: getopt.h,v 1.2 2008/06/26 05:42:04 ray Exp $ */ +/* $NetBSD: getopt.h,v 1.4 2000/07/07 10:43:54 ad Exp $ */ + +/*- + * Copyright (c) 2000 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Dieter Baron and Thomas Klausner. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef _GETOPT_H_ +#define _GETOPT_H_ + +#include + +/* + * GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions + */ +#define no_argument 0 +#define required_argument 1 +#define optional_argument 2 + +struct option { + /* name of long option */ + const char *name; + /* + * one of no_argument, required_argument, and optional_argument: + * whether option takes an argument + */ + int has_arg; + /* if not NULL, set *flag to val when option found */ + int *flag; + /* if flag not NULL, value to set *flag to; else return value */ + int val; +}; + +__BEGIN_DECLS +int getopt_long(int, char * const *, const char *, + const struct option *, int *); +int getopt_long_only(int, char * const *, const char *, + const struct option *, int *); +#ifndef _GETOPT_DEFINED_ +#define _GETOPT_DEFINED_ +int getopt(int, char * const *, const char *); +int getsubopt(char **, char * const *, char **); + +extern char *optarg; /* getopt(3) external variables */ +extern int opterr; +extern int optind; +extern int optopt; +extern int optreset; +extern char *suboptarg; /* getsubopt(3) external variable */ +#endif +__END_DECLS + +#endif /* !_GETOPT_H_ */ diff --git a/openbsd-compat/getopt_long.c b/openbsd-compat/getopt_long.c index 6b36d067..e2894743 100644 --- a/openbsd-compat/getopt_long.c +++ b/openbsd-compat/getopt_long.c @@ -53,7 +53,6 @@ #include "includes.h" #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) -#include "log.h" /* * Some defines to make it easier to keep the code in sync with upstream. @@ -64,11 +63,14 @@ #if 0 #include +#include #endif #include -#include #include #include +#include + +#include "log.h" int opterr = 1; /* if error message should be printed */ int optind = 1; /* index into parent argv vector */ diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index a8c579f4..94d172aa 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h 
@@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.56 2013/05/10 08:08:49 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -139,6 +139,7 @@ int getgrouplist(const char *, gid_t, gid_t *, int *); #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) int BSDgetopt(int argc, char * const *argv, const char *opts); +#include "openbsd-compat/getopt.h" #endif #if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0 -- cgit v1.2.1 From 4a33a708196489b9700b6a5379c83a4c1a3740da Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 10 May 2013 08:11:55 +0000 Subject: - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the underlying libraries support them. --- ChangeLog | 2 ++ kex.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 650400f8..d03a4352 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,8 @@ - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb in to use it when we're using our own getopt. + - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the + underlying libraries support them. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/kex.c b/kex.c index f6e683bd..6b43a6de 100644 --- a/kex.c +++ b/kex.c 
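Review bot: The `#include "openbsd-compat/getopt.h"` placed after the `BSDgetopt` prototype means every translation unit that includes openbsd-compat.h on a platform without a usable getopt now also compiles getopt.h's `__BEGIN_DECLS`/`__END_DECLS` (visible in the new header above); those macros come from BSD and glibc `<sys/cdefs.h>` and are not available everywhere this compat layer targets, so unless defines.h provides fallbacks the build breaks exactly where the replacement getopt is needed. Either strip the `__BEGIN_DECLS`/`__END_DECLS` pair from the imported header (this tree is C-only) or define them empty when absent, and move the `#include` ahead of the prototype with a note such as `/* declarations for the replacement getopt(3) family; getopt is mapped to BSDgetopt in defines.h */`. That mapping is inferred from the comment in getopt_long.c, not from anything visible in this hunk.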
@@ -72,8 +72,10 @@ static const struct kexalg kexalgs[] = { { KEX_DH1, KEX_DH_GRP1_SHA1, 0, EVP_sha1 }, { KEX_DH14, KEX_DH_GRP14_SHA1, 0, EVP_sha1 }, { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, EVP_sha1 }, -#if OPENSSL_VERSION_NUMBER >= 0x00907000L +#ifdef HAVE_EVP_SHA256 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, EVP_sha256 }, +#endif +#ifdef OPENSSL_HAS_ECC { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 }, { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, -- cgit v1.2.1 From f0cc80f3d10fa0a7a3ab419d6544892b23b4f5f4 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 10 May 2013 08:53:14 +0000 Subject: - (dtucker) [configure.ac] Add -Werror to the -Qunused-arguments test so we don't get a warning on compilers that *don't* support it. Add -Wno-unknown-warning-option. Move both to the start of the list for maximum noise suppression. Tested with gcc 4.6.3, gcc 2.95.4 and clang 2.9. --- ChangeLog | 4 ++++ configure.ac | 9 ++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index d03a4352..94a23fb1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,10 @@ in to use it when we're using our own getopt. - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the underlying libraries support them. + - (dtucker) [configure.ac] Add -Werror to the -Qunused-arguments test so + we don't get a warning on compilers that *don't* support it. Add + -Wno-unknown-warning-option. Move both to the start of the list for + maximum noise suppression. Tested with gcc 4.6.3, gcc 2.95.4 and clang 2.9. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/configure.ac b/configure.ac index 93c50e08..6bcbef63 100644 --- a/configure.ac +++ b/configure.ac 
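Review bot: The three ECDH rows are guarded only by `OPENSSL_HAS_ECC`, yet they reference `EVP_sha256`, `EVP_sha384` and `EVP_sha512`, while `EVP_sha256` is treated as optional via `HAVE_EVP_SHA256` two lines above; a configuration that defines `OPENSSL_HAS_ECC` without `HAVE_EVP_SHA256` would fail to compile here. If configure guarantees the two always go together this is fine, but making the dependency explicit costs one token: `#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EVP_SHA256)`. The `#endif` closing the ECC block and the rest of the `kexalgs` table lie outside the hunk.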
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.522 2013/05/10 03:54:23 dtucker Exp $ +# $Id: configure.ac,v 1.523 2013/05/10 08:53:14 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.522 $) +AC_REVISION($Revision: 1.523 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -129,6 +129,10 @@ AC_ARG_WITH([stackprotect], if test "$GCC" = "yes" || test "$GCC" = "egcs"; then + OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror], + [-Qunused-arguments]) + OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror], + [-Wno-unknown-warning-option]) OSSH_CHECK_CFLAG_COMPILE([-Wall]) OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) @@ -138,7 +142,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) - OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` -- cgit v1.2.1 From dc00f0620f8919df5af3aba0305cfdefa6cffaeb Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 16 May 2013 01:10:17 +0000 Subject: - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be executed if mktemp failed; bz#2105 ok dtucker@ --- ChangeLog | 4 ++++ contrib/ssh-copy-id | 9 ++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 94a23fb1..97eccf9b 100644 --- a/ChangeLog +++ b/ChangeLog 
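Review bot: Placing `-Wno-unknown-warning-option` at the head of the list has a side effect the commit message does not mention: once it is in CFLAGS, every later `OSSH_CHECK_CFLAG_COMPILE([-W...])` probe on clang no longer sees the unknown-option diagnostic, so unsupported `-W` flags (the `-Wsizeof-pointer-memaccess` probe mentioned in the ChangeLog, for instance) are accepted and appended rather than rejected, as far as I can tell from how the probes are used here. That is harmless for the build but makes those probes uninformative; if they are meant to keep detecting unsupported flags, append the suppression after the other probes instead of before them. A short comment above the two new lines explaining why they must come first (or last) would stop the next person from reordering them.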
@@ -1,3 +1,7 @@ +20130516 + - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be + executed if mktemp failed; bz#2105 ok dtucker@ + 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler supports it. Mentioned by Colin Watson in bz#2100, ok djm. diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index af18a192..9f2817b6 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -165,6 +165,9 @@ done eval set -- "$SAVEARGS" +if [ $# == 0 ] ; then + usage +fi if [ $# != 1 ] ; then printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2 usage @@ -196,7 +199,11 @@ populate_new_ids() { umask 0177 local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) - trap "rm -f $L_TMP_ID_FILE*" EXIT TERM INT QUIT + if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then + echo "mktemp failed" 1>&2 + exit 1 + fi + trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2 NEW_IDS=$( eval $GET_ID | { -- cgit v1.2.1 From c611b7a5603a24403f281877cfa408df8f8b0b80 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:22:46 +0000 Subject: - tedu@cvs.openbsd.org 2013/04/23 17:49:45 [misc.c] use xasprintf instead of a series of strlcats and strdup. ok djm --- ChangeLog | 4 ++++ misc.c | 21 ++++++++++----------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 97eccf9b..4864be92 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be executed if mktemp failed; bz#2105 ok dtucker@ + - (dtucker) OpenBSD CVS Sync + - tedu@cvs.openbsd.org 2013/04/23 17:49:45 + [misc.c] + use xasprintf instead of a series of strlcats and strdup. ok djm 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler 
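Review bot: `[ $# == 0 ]` in the new argument check is a bashism; POSIX `test` defines only `=` for strings and `-eq` for integers, and dash rejects `==` with "unexpected operator", so the script would fail on systems where `/bin/sh` is dash. Use `if [ $# -eq 0 ] ; then`, and the unchanged `[ $# != 1 ]` two lines below would be more robust as `[ $# -ne 1 ]`. The interpreter line is outside the hunk, so this assumes the script runs under `#!/bin/sh` rather than bash.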
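Review bot: The new `test $? -ne 0` guard never observes mktemp's exit status: after `local L_TMP_ID_FILE=$(mktemp ...)` the `$?` is that of the `local` builtin, which succeeds regardless of what the command substitution returned. The check works today only because mktemp prints nothing on failure and the empty-string test catches that; to test the status properly, split the declaration into `local L_TMP_ID_FILE` followed by `L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) || { echo "mktemp failed" 1>&2; exit 1; }`. The rest of populate_new_ids continues outside the hunk.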
diff --git a/misc.c b/misc.c index 9e287433..ee5711d1 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.86 2011/09/05 05:59:08 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.87 2013/04/23 17:49:45 tedu Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -517,8 +517,8 @@ freeargs(arglist *args) char * tilde_expand_filename(const char *filename, uid_t uid) { - const char *path; - char user[128], ret[MAXPATHLEN]; + const char *path, *sep; + char user[128], *ret; struct passwd *pw; u_int len, slash; @@ -538,22 +538,21 @@ tilde_expand_filename(const char *filename, uid_t uid) } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */ fatal("tilde_expand_filename: No such uid %ld", (long)uid); - if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret)) - fatal("tilde_expand_filename: Path too long"); - /* Make sure directory has a trailing '/' */ len = strlen(pw->pw_dir); - if ((len == 0 || pw->pw_dir[len - 1] != '/') && - strlcat(ret, "/", sizeof(ret)) >= sizeof(ret)) - fatal("tilde_expand_filename: Path too long"); + if ((len == 0 || pw->pw_dir[len - 1] != '/')) + sep = "/"; + else + sep = ""; /* Skip leading '/' from specified path */ if (path != NULL) filename = path + 1; - if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret)) + + if (xasprintf(&ret, "%s%s%s", pw->pw_dir, sep, filename) >= MAXPATHLEN) fatal("tilde_expand_filename: Path too long"); - return (xstrdup(ret)); + return (ret); } /* -- cgit v1.2.1 From dbdb059be34ef2c090ebc5248d045233e69b9e6e Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:23:52 +0000 Subject: - tedu@cvs.openbsd.org 2013/04/24 16:01:46 [misc.c] remove extra parens noticed by nicm --- ChangeLog | 3 +++ misc.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4864be92..413adfec 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -5,6 +5,9 @@ - tedu@cvs.openbsd.org 2013/04/23 17:49:45 [misc.c] use xasprintf instead of a series of strlcats and strdup. ok djm + - tedu@cvs.openbsd.org 2013/04/24 16:01:46 + [misc.c] + remove extra parens noticed by nicm 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/misc.c b/misc.c index ee5711d1..77f4a37a 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.87 2013/04/23 17:49:45 tedu Exp $ */ +/* $OpenBSD: misc.c,v 1.88 2013/04/24 16:01:46 tedu Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -540,7 +540,7 @@ tilde_expand_filename(const char *filename, uid_t uid) /* Make sure directory has a trailing '/' */ len = strlen(pw->pw_dir); - if ((len == 0 || pw->pw_dir[len - 1] != '/')) + if (len == 0 || pw->pw_dir[len - 1] != '/') sep = "/"; else sep = ""; -- cgit v1.2.1 From 483ce04772c36f427de995b7cce78f24bc71652a Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:24:23 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/06 07:35:12 [sftp-server.8] Reference the version of the sftp draft we actually implement. ok djm@ --- ChangeLog | 3 +++ sftp-server.8 | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 413adfec..f322ebb6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ - tedu@cvs.openbsd.org 2013/04/24 16:01:46 [misc.c] remove extra parens noticed by nicm + - dtucker@cvs.openbsd.org 2013/05/06 07:35:12 + [sftp-server.8] + Reference the version of the sftp draft we actually implement. ok djm@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/sftp-server.8 b/sftp-server.8 index 2fd3df20..d35af684 100644 --- a/sftp-server.8 +++ b/sftp-server.8 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.21 2013/01/04 19:26:38 jmc Exp $ +.\" $OpenBSD: sftp-server.8,v 1.22 2013/05/06 07:35:12 dtucker Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 4 2013 $ +.Dd $Mdocdate: May 6 2013 $ .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -124,8 +124,8 @@ establish a logging socket inside the chroot directory. .%A T. Ylonen .%A S. Lehtinen .%T "SSH File Transfer Protocol" -.%N draft-ietf-secsh-filexfer-00.txt -.%D January 2001 +.%N draft-ietf-secsh-filexfer-02.txt +.%D October 2001 .%O work in progress material .Re .Sh HISTORY -- cgit v1.2.1 From e018c4597f55ae56483edf77f6fd1f2ad4953463 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:25:04 +0000 Subject: - djm@cvs.openbsd.org 2013/05/10 03:40:07 [sshconnect2.c] fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from --- ChangeLog | 3 +++ sshconnect2.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f322ebb6..5baca853 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,9 @@ - dtucker@cvs.openbsd.org 2013/05/06 07:35:12 [sftp-server.8] Reference the version of the sftp draft we actually implement. ok djm@ + - djm@cvs.openbsd.org 2013/05/10 03:40:07 + [sshconnect2.c] + fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/sshconnect2.c b/sshconnect2.c index c811c365..c01efe38 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.194 2013/04/05 00:14:00 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.195 2013/05/10 03:40:07 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. 
@@ -1409,7 +1409,7 @@ pubkey_prepare(Authctxt *authctxt) /* If IdentitiesOnly set and key not found then don't use it */ if (!found && options.identities_only) { TAILQ_REMOVE(&files, id, next); - bzero(id, sizeof(id)); + bzero(id, sizeof(*id)); free(id); } } -- cgit v1.2.1 From 91b679007f9c3760baf304d0ff4be4e3b419d0e6 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:25:40 +0000 Subject: add missing attribution --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 5baca853..375e4d87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,7 @@ - djm@cvs.openbsd.org 2013/05/10 03:40:07 [sshconnect2.c] fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from + Colin Watson 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler -- cgit v1.2.1 From ec8601b37205cece77c72600ffa743c3473e021f Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:26:18 +0000 Subject: - djm@cvs.openbsd.org 2013/05/10 04:08:01 [key.c] memleak in cert_free(), wasn't actually freeing the struct; bz#2096 from shm AT digitalsun.pl --- ChangeLog | 4 ++++ key.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 375e4d87..506faa40 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ [sshconnect2.c] fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from Colin Watson + - djm@cvs.openbsd.org 2013/05/10 04:08:01 + [key.c] + memleak in cert_free(), wasn't actually freeing the struct; + bz#2096 from shm AT digitalsun.pl 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/key.c b/key.c index 471cd1fc..b8c60cb2 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.101 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: key.c,v 1.102 2013/05/10 04:08:01 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
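Review bot: `bzero(id, sizeof(*id))` immediately followed by `free(id)` is a dead store as far as the optimiser is concerned, so if the purpose is to scrub the Identity before release an optimising build may drop it; this fix only corrects the size. If the tree has a non-elidable clearing primitive (an `explicit_bzero`/`memset_s` equivalent) use it here, otherwise mark the intent with `/* best-effort scrub; the compiler may elide this store before free() */`. Only the struct itself is cleared and freed; whatever `id` points to is not touched in this hunk and I cannot see whether it is released elsewhere. pubkey_prepare starts and ends outside the hunk.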
@@ -195,6 +195,7 @@ cert_free(struct KeyCert *cert) xfree(cert->principals); if (cert->signature_key != NULL) key_free(cert->signature_key); + xfree(cert); } void -- cgit v1.2.1 From 98af398d9c08e31ed6a8c8110917f1dc55de9643 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:27:14 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/10 10:13:50 [ssh-pkcs11-helper.c] remove unused extern optarg. ok markus@ --- ChangeLog | 3 +++ ssh-pkcs11-helper.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 506faa40..7f424922 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ [key.c] memleak in cert_free(), wasn't actually freeing the struct; bz#2096 from shm AT digitalsun.pl + - dtucker@cvs.openbsd.org 2013/05/10 10:13:50 + [ssh-pkcs11-helper.c] + remove unused extern optarg. ok markus@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index fcb5defc..5c09f122 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.4 2012/07/02 12:13:26 dtucker Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.5 2013/05/10 10:13:50 dtucker Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -274,7 +274,6 @@ main(int argc, char **argv) LogLevel log_level = SYSLOG_LEVEL_ERROR; char buf[4*4096]; - extern char *optarg; extern char *__progname; TAILQ_INIT(&pkcs11_keylist); -- cgit v1.2.1 From 2038667f13ffaf554a11f1f701500fcc0160c522 Mon Sep 17 00:00:00 2001 
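Review bot: With `xfree(cert)` now at the end of cert_free, any caller that retains the pointer (a Key's `cert` member being the obvious case) is left dangling after the call, and calling cert_free twice on the same object turns the former leak into a double free. The callers are outside this hunk so I cannot confirm they reset the pointer; either audit them or state the new contract above the function, e.g. `/* Frees cert and all of its members; the caller must not use cert afterwards. */`. cert_free starts outside the hunk.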
From: dtucker Date: Thu, 16 May 2013 10:28:16 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 02:00:34 [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c ssh_config.5 packet.h] Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm --- ChangeLog | 6 +++++ clientloop.c | 23 ++++++++++++----- packet.c | 33 +++++++++++++++++++++--- packet.h | 5 ++-- readconf.c | 80 ++++++++++++++++++++++++++++++++++++----------------------- readconf.h | 3 ++- ssh_config | 3 ++- ssh_config.5 | 20 ++++++++++++--- sshconnect2.c | 7 +++--- 9 files changed, 129 insertions(+), 51 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7f424922..85a5edcc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,12 @@ - dtucker@cvs.openbsd.org 2013/05/10 10:13:50 [ssh-pkcs11-helper.c] remove unused extern optarg. ok markus@ + - dtucker@cvs.openbsd.org 2013/05/16 02:00:34 + [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c + ssh_config.5 packet.h] + Add an optional second argument to RekeyLimit in the client to allow + rekeying based on elapsed time in addition to amount of traffic. + with djm@ jmc@, ok djm 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/clientloop.c b/clientloop.c index c1d1d447..f1b108fc 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.249 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -583,7 +583,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, { struct timeval tv, *tvp; int timeout_secs; - time_t minwait_secs = 0; + time_t minwait_secs = 0, server_alive_time = 0, now = time(NULL); int ret; /* Add any selections by the channel mechanism. */ 
@@ -632,12 +632,16 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, */ timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ - if (options.server_alive_interval > 0 && compat20) + if (options.server_alive_interval > 0 && compat20) { timeout_secs = options.server_alive_interval; + server_alive_time = now + options.server_alive_interval; + } + if (options.rekey_interval > 0 && compat20 && !rekeying) + timeout_secs = MIN(timeout_secs, packet_get_rekey_timeout()); set_control_persist_exit_time(); if (control_persist_exit_time > 0) { timeout_secs = MIN(timeout_secs, - control_persist_exit_time - time(NULL)); + control_persist_exit_time - now); if (timeout_secs < 0) timeout_secs = 0; } @@ -669,8 +673,15 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; - } else if (ret == 0) - server_alive_check(); + } else if (ret == 0) { + /* + * Timeout. Could have been either keepalive or rekeying. + * Keepalive we check here, rekeying is checked in clientloop. + */ + if (server_alive_time != 0 && server_alive_time <= time(NULL)) + server_alive_check(); + } + } static void diff --git a/packet.c b/packet.c index 3c97383e..dd9d26f5 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.183 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.184 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -58,6 +58,7 @@ #include #include #include +#include #include "xmalloc.h" #include "buffer.h" 
@@ -165,9 +166,14 @@ struct session_state { Newkeys *newkeys[MODE_MAX]; struct packet_state p_read, p_send; + /* Volume-based rekeying */ u_int64_t max_blocks_in, max_blocks_out; u_int32_t rekey_limit; + /* Time-based rekeying */ + time_t rekey_interval; /* how often in seconds */ + time_t rekey_time; /* time of last rekeying */ + /* Session key for protocol v1 */ u_char ssh1_key[SSH_SESSION_KEY_LENGTH]; u_int ssh1_keylen; @@ -1009,6 +1015,7 @@ packet_send2(void) /* after a NEWKEYS message we can send the complete queue */ if (type == SSH2_MSG_NEWKEYS) { active_state->rekeying = 0; + active_state->rekey_time = time(NULL); while ((p = TAILQ_FIRST(&active_state->outgoing))) { type = p->type; debug("dequeue packet: %u", type); @@ -1933,13 +1940,33 @@ packet_need_rekeying(void) (active_state->max_blocks_out && (active_state->p_send.blocks > active_state->max_blocks_out)) || (active_state->max_blocks_in && - (active_state->p_read.blocks > active_state->max_blocks_in)); + (active_state->p_read.blocks > active_state->max_blocks_in)) || + (active_state->rekey_interval != 0 && active_state->rekey_time + + active_state->rekey_interval <= time(NULL)); } void -packet_set_rekey_limit(u_int32_t bytes) +packet_set_rekey_limits(u_int32_t bytes, time_t seconds) { + debug3("rekey after %lld bytes, %d seconds", (long long)bytes, + (int)seconds); active_state->rekey_limit = bytes; + active_state->rekey_interval = seconds; + /* + * We set the time here so that in post-auth privsep slave we count + * from the completion of the authentication. + */ + active_state->rekey_time = time(NULL); +} + +time_t +packet_get_rekey_timeout(void) +{ + time_t seconds; + + seconds = active_state->rekey_time + active_state->rekey_interval - + time(NULL); + return (seconds < 0 ? 0 : seconds); } void diff --git a/packet.h b/packet.h index 09ba0795..bc548f2b 100644 --- a/packet.h +++ b/packet.h 
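Review bot: The time-based rekey deadline is kept in wall-clock time (`rekey_time = time(NULL)` and the `<= time(NULL)` comparison in packet_need_rekeying), so a system clock step — NTP correction, manual `date`, VM resume — either fires an immediate rekey or defers it until the clock catches up, which is not the behaviour wanted from a security deadline. If the tree has a monotonic time helper, use it for `rekey_time`, the comparison and packet_get_rekey_timeout; if not, document the limitation on the field, `/* time of last rekeying (wall clock; a clock step shifts the deadline) */`. Separately, the `debug3` prints `seconds` through `%d` after an `(int)` cast while `bytes` is widened to `long long`; `(long long)seconds` with `%lld` avoids truncating a `time_t`.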
@@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.57 2012/01/25 19:40:09 markus Exp $ */ +/* $OpenBSD: packet.h,v 1.58 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -115,7 +115,8 @@ do { \ } while (0) int packet_need_rekeying(void); -void packet_set_rekey_limit(u_int32_t); +void packet_set_rekey_limits(u_int32_t, time_t); +time_t packet_get_rekey_timeout(void); void packet_backup_state(void); void packet_restore_state(void); diff --git a/readconf.c b/readconf.c index 6e708e02..d8898a02 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.197 2013/03/06 23:36:53 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.198 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -562,39 +562,54 @@ parse_yesnoask: case oRekeyLimit: arg = strdelim(&s); if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing argument.", filename, linenum); - if (arg[0] < '0' || arg[0] > '9') - fatal("%.200s line %d: Bad number.", filename, linenum); - orig = val64 = strtoll(arg, &endofnumber, 10); - if (arg == endofnumber) - fatal("%.200s line %d: Bad number.", filename, linenum); - switch (toupper(*endofnumber)) { - case '\0': - scale = 1; - break; - case 'K': - scale = 1<<10; - break; - case 'M': - scale = 1<<20; - break; - case 'G': - scale = 1<<30; - break; - default: - fatal("%.200s line %d: Invalid RekeyLimit suffix", - filename, linenum); + fatal("%.200s line %d: Missing argument.", filename, + linenum); + if (strcmp(arg, "default") == 0) { + val64 = 0; + } else { + if (arg[0] < '0' || arg[0] > '9') + fatal("%.200s line %d: Bad number.", filename, + linenum); + orig = val64 = strtoll(arg, &endofnumber, 10); + if (arg == endofnumber) + fatal("%.200s line %d: Bad number.", filename, + linenum); + switch (toupper(*endofnumber)) { + case '\0': + scale = 1; + break; + case 'K': + scale = 1<<10; + break; + case 'M': + scale = 1<<20; + break; + case 'G': + scale = 1<<30; + break; + default: + fatal("%.200s line %d: Invalid RekeyLimit " + "suffix", filename, linenum); + } + val64 *= scale; + /* detect integer wrap and too-large limits */ + if ((val64 / scale) != orig || val64 > UINT_MAX) + fatal("%.200s line %d: RekeyLimit too large", + filename, linenum); + if (val64 != 0 && val64 < 16) + fatal("%.200s line %d: RekeyLimit too small", + filename, linenum); } - val64 *= scale; - /* detect integer wrap and too-large limits */ - if ((val64 / scale) != orig || val64 > UINT_MAX) - fatal("%.200s line %d: RekeyLimit too large", - filename, linenum); - if (val64 < 16) - fatal("%.200s line %d: RekeyLimit too small", - filename, linenum); if (*activep && options->rekey_limit == -1) options->rekey_limit = (u_int32_t)val64; + if (s != NULL) { /* optional rekey 
interval present */ + if (strcmp(s, "none") == 0) { + (void)strdelim(&s); /* discard */ + break; + } + intptr = &options->rekey_interval; + goto parse_time; + } break; case oIdentityFile: @@ -1202,6 +1217,7 @@ initialize_options(Options * options) options->no_host_authentication_for_localhost = - 1; options->identities_only = - 1; options->rekey_limit = - 1; + options->rekey_interval = -1; options->verify_host_key_dns = -1; options->server_alive_interval = -1; options->server_alive_count_max = -1; @@ -1337,6 +1353,8 @@ fill_default_options(Options * options) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) options->rekey_limit = 0; + if (options->rekey_interval == -1) + options->rekey_interval = 0; if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; if (options->server_alive_interval == -1) diff --git a/readconf.h b/readconf.h index 84164890..e2057309 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.93 2013/02/22 04:45:09 dtucker Exp $ */ +/* $OpenBSD: readconf.h,v 1.94 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -110,6 +110,7 @@ typedef struct { int enable_ssh_keysign; int64_t rekey_limit; + int rekey_interval; int no_host_authentication_for_localhost; int identities_only; int server_alive_interval; diff --git a/ssh_config b/ssh_config index 18936740..bb408193 100644 --- a/ssh_config +++ b/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $ +# $OpenBSD: ssh_config,v 1.27 2013/05/16 02:00:34 dtucker Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -45,3 +45,4 @@ # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h diff --git a/ssh_config.5 b/ssh_config.5 index 269529c0..97897e00 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
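Review bot: The optional interval is detected with `if (s != NULL)` and the `none` keyword is matched by `strcmp(s, "none")` against the raw remainder of the line rather than the next token, so anything following `none` (trailing blanks, a further word) defeats the match and the remainder is handed to `parse_time` as a time value. Whether a line with only trailing whitespace after the byte limit reaches this branch depends on strdelim leaving `s` non-NULL for an empty remainder, which I cannot see here; if it does, `RekeyLimit 1G ` would be rejected with a missing-time error. Tokenising first, `arg = strdelim(&s); if (arg == NULL || *arg == '\0' || strcmp(arg, "none") == 0) break;`, and then converting `arg` the way parse_time does (rather than jumping to it, since it fetches its own token) would make the keyword handling consistent with the rest of the parser. The hunk starts on the previous line and parse_time is outside it.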
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $ -.Dd $Mdocdate: January 8 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.162 2013/05/16 02:00:34 dtucker Exp $ +.Dd $Mdocdate: May 16 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -931,8 +931,9 @@ The default is This option applies to protocol version 2 only. .It Cm RekeyLimit Specifies the maximum amount of data that may be transmitted before the -session key is renegotiated. -The argument is the number of bytes, with an optional suffix of +session key is renegotiated, optionally followed a maximum amount of +time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of .Sq K , .Sq M , or @@ -943,6 +944,17 @@ The default is between and .Sq 4G , depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the +.Sx TIME FORMATS +section of +.Xr sshd_config 5 . +The default value for +.Cm RekeyLimit +is +.Dq default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. This option applies to protocol version 2 only. .It Cm RemoteForward Specifies that a TCP port on the remote machine be forwarded over diff --git a/sshconnect2.c b/sshconnect2.c index c01efe38..7b83c591 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.195 2013/05/10 03:40:07 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.196 2013/05/16 02:00:34 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. 
@@ -197,8 +197,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - if (options.rekey_limit) - packet_set_rekey_limit((u_int32_t)options.rekey_limit); + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); /* start key exchange */ kex = kex_setup(myproposal); -- cgit v1.2.1 From 7663a4aa873b46e8d655e47ca11c409c09464e46 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:29:28 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 04:09:14 [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page. --- ChangeLog | 5 ++++ monitor.c | 6 ++++- packet.c | 4 ++-- servconf.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---- servconf.h | 5 +++- serverloop.c | 14 +++++++---- sshd.c | 6 ++++- sshd_config | 5 +++- sshd_config.5 | 32 +++++++++++++++++++++++-- 9 files changed, 135 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 85a5edcc..186c4324 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,11 @@ Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm + - dtucker@cvs.openbsd.org 2013/05/16 04:09:14 + [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config + sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing + rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man + page. 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/monitor.c b/monitor.c index c0471a17..372c9d04 100644 --- a/monitor.c +++ b/monitor.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.122 2013/03/07 19:27:25 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.123 2013/05/16 04:09:13 dtucker Exp $ */
 /*
 * Copyright 2002 Niels Provos
 * Copyright 2002 Markus Friedl
@@ -1810,6 +1810,10 @@ monitor_apply_keystate(struct monitor *pmonitor)
 if (options.compression)
 mm_init_compression(pmonitor->m_zlib);
 
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+
 /* Network I/O buffers */
 /* XXX inefficient for large buffers, need: buffer_init_from_string */
 buffer_clear(packet_get_input());
diff --git a/packet.c b/packet.c
index dd9d26f5..a64bbae3 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.184 2013/05/16 02:00:34 dtucker Exp $ */
+/* $OpenBSD: packet.c,v 1.185 2013/05/16 04:09:13 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -1966,7 +1966,7 @@ packet_get_rekey_timeout(void)
 seconds = active_state->rekey_time + active_state->rekey_interval -
 time(NULL);
 
- return (seconds < 0 ? 0 : seconds);
+ return (seconds <= 0 ? 1 : seconds);
 }
 
 void
diff --git a/servconf.c b/servconf.c
index b2a60fd6..4e3026b8 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.235 2013/05/16 04:09:14 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -20,6 +20,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -110,6 +111,8 @@ initialize_server_options(ServerOptions *options)
 options->permit_user_env = -1;
 options->use_login = -1;
 options->compression = -1;
+ options->rekey_limit = -1;
+ options->rekey_interval = -1;
 options->allow_tcp_forwarding = -1;
 options->allow_agent_forwarding = -1;
 options->num_allow_users = 0;
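Review bot: The new `return (seconds <= 0 ? 1 : seconds);` in packet_get_rekey_timeout needs a why-comment, because the reason is only visible in the serverloop.c hunk of this commit, where a zero `rekey_timeout_ms` is the value passed when no time-based rekeying is wanted; returning 0 from here would apparently disable the wakeup instead of forcing it. Suggest `/* never return 0: callers treat a zero timeout as "no timeout" */` above the return. The function's body and the type of `seconds` start outside the hunk, so whether an expired interval can also go negative after the subtraction is not checkable here.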
@@ -249,6 +252,10 @@ fill_default_server_options(ServerOptions *options) options->use_login = 0; if (options->compression == -1) options->compression = COMP_DELAYED; + if (options->rekey_limit == -1) + options->rekey_limit = 0; + if (options->rekey_interval == -1) + options->rekey_interval = 0; if (options->allow_tcp_forwarding == -1) options->allow_tcp_forwarding = FORWARD_ALLOW; if (options->allow_agent_forwarding == -1) @@ -320,7 +327,7 @@ typedef enum { sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, - sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, @@ -422,6 +429,7 @@ static struct { { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, { "uselogin", sUseLogin, SSHCFG_GLOBAL }, { "compression", sCompression, SSHCFG_GLOBAL }, + { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, @@ -800,14 +808,14 @@ process_server_config_line(ServerOptions *options, char *line, const char *filename, int linenum, int *activep, struct connection_info *connectinfo) { - char *cp, **charptr, *arg, *p; - int cmdline = 0, *intptr, value, value2, n; + char *cp, **charptr, *arg, *p, *endofnumber; + int cmdline = 0, *intptr, value, value2, n, port, scale; SyslogFacility *log_facility_ptr; LogLevel *log_level_ptr; ServerOpCodes opcode; - int port; u_int i, flags = 0; size_t len; + long long orig, val64; const struct multistate *multistate_ptr; cp = line; 
@@ -1118,6 +1126,59 @@ process_server_config_line(ServerOptions *options, char *line,
 multistate_ptr = multistate_compression;
 goto parse_multistate;
 
+ case sRekeyLimit:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", filename,
+ linenum);
+ if (strcmp(arg, "default") == 0) {
+ val64 = 0;
+ } else {
+ if (arg[0] < '0' || arg[0] > '9')
+ fatal("%.200s line %d: Bad number.", filename,
+ linenum);
+ orig = val64 = strtoll(arg, &endofnumber, 10);
+ if (arg == endofnumber)
+ fatal("%.200s line %d: Bad number.", filename,
+ linenum);
+ switch (toupper(*endofnumber)) {
+ case '\0':
+ scale = 1;
+ break;
+ case 'K':
+ scale = 1<<10;
+ break;
+ case 'M':
+ scale = 1<<20;
+ break;
+ case 'G':
+ scale = 1<<30;
+ break;
+ default:
+ fatal("%.200s line %d: Invalid RekeyLimit "
+ "suffix", filename, linenum);
+ }
+ val64 *= scale;
+ /* detect integer wrap and too-large limits */
+ if ((val64 / scale) != orig || val64 > UINT_MAX)
+ fatal("%.200s line %d: RekeyLimit too large",
+ filename, linenum);
+ if (val64 != 0 && val64 < 16)
+ fatal("%.200s line %d: RekeyLimit too small",
+ filename, linenum);
+ }
+ if (*activep && options->rekey_limit == -1)
+ options->rekey_limit = (u_int32_t)val64;
+ if (cp != NULL) { /* optional rekey interval present */
+ if (strcmp(cp, "none") == 0) {
+ (void)strdelim(&cp); /* discard */
+ break;
+ }
+ intptr = &options->rekey_interval;
+ goto parse_time;
+ }
+ break;
+
 case sGatewayPorts:
 intptr = &options->gateway_ports;
 multistate_ptr = multistate_gatewayports;
@@ -1718,6 +1779,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(max_authtries);
 M_CP_INTOPT(ip_qos_interactive);
 M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(rekey_limit);
+ M_CP_INTOPT(rekey_interval);
 
 /* See comment in servconf.h */
 COPY_MATCH_STRING_OPTS();
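Review bot: `val64 *= scale;` runs before the wrap check `(val64 / scale) != orig`, so a value near LLONG_MAX returned by strtoll overflows a signed long long first, which is undefined behaviour rather than a detectable wrap; the range check should come before the multiplication, e.g. `if (orig > LLONG_MAX / scale) fatal("%.200s line %d: RekeyLimit too large", filename, linenum);` followed by `val64 = orig * scale;`. A later commit on this page replaces this block with scan_scaled(), which does its own range checking, so the fix matters only for this revision; sshd_config is administrator-controlled, so the practical exposure is a crash on a malformed file rather than anything remote. `strcmp(cp, "none")` compares the whole remainder of the line rather than the next token, which presumably works only because trailing whitespace was stripped earlier in process_server_config_line, outside the hunk; a comment such as `/* cp is the rest of the line; trailing whitespace was already stripped */` would make that dependency explicit.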
@@ -2006,5 +2069,7 @@ dump_config(ServerOptions *o) printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); printf("%s\n", iptos2str(o->ip_qos_bulk)); + printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); + channel_print_adm_permitted_opens(); } diff --git a/servconf.h b/servconf.h index 870c7098..fc051bd4 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.108 2013/05/16 04:09:14 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -176,6 +176,9 @@ typedef struct { char *authorized_keys_command; char *authorized_keys_command_user; + int64_t rekey_limit; + int rekey_interval; + char *version_addendum; /* Appended to SSH banner */ u_int num_auth_methods; diff --git a/serverloop.c b/serverloop.c index e224bd08..595899f6 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.165 2013/05/16 04:09:14 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -277,7 +277,7 @@ client_alive_check(void) */ static void wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, - u_int *nallocp, u_int max_time_milliseconds) + u_int *nallocp, u_int64_t max_time_milliseconds) { struct timeval tv, *tvp; int ret; @@ -563,7 +563,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) int wait_status; /* Status returned by wait(). */ pid_t wait_pid; /* pid returned by wait(). */ int waiting_termination = 0; /* Have displayed waiting close message. */ - u_int max_time_milliseconds; + u_int64_t max_time_milliseconds; u_int previous_stdout_buffer_bytes; u_int stdout_buffer_bytes; int type; 
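Review bot: `printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval);` pairs `%lld` with `rekey_limit`, which the servconf.h hunk of this same commit declares as `int64_t`; on platforms where `int64_t` is `long` rather than `long long` that is a format/argument type mismatch that -Wformat reports. Cast explicitly: `printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, o->rekey_interval);`. dump_config's body starts outside the hunk.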
@@ -826,6 +826,7 @@ server_loop2(Authctxt *authctxt)
 {
 fd_set *readset = NULL, *writeset = NULL;
 int rekeying = 0, max_fd, nalloc = 0;
+ u_int64_t rekey_timeout_ms = 0;
 
 debug("Entering interactive session for SSH2.");
 
@@ -854,8 +855,13 @@ server_loop2(Authctxt *authctxt)
 if (!rekeying && packet_not_very_much_data_to_write())
 channel_output_poll();
 
+ if (options.rekey_interval > 0 && compat20 && !rekeying)
+ rekey_timeout_ms = packet_get_rekey_timeout() * 1000;
+ else
+ rekey_timeout_ms = 0;
+
 wait_until_can_do_something(&readset, &writeset, &max_fd,
- &nalloc, 0);
+ &nalloc, rekey_timeout_ms);
 
 if (received_sigterm) {
 logit("Exiting on signal %d", (int)received_sigterm);
diff --git a/sshd.c b/sshd.c
index a0f5c0d2..9a8e7b8b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.399 2013/04/07 02:10:33 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.400 2013/05/16 04:09:14 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -2364,6 +2364,10 @@ do_ssh2_kex(void)
 if (options.kex_algorithms != NULL)
 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
 /* start key exchange */
diff --git a/sshd_config b/sshd_config
index 9cd2fddc..b786361d 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
+# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -29,6 +29,9 @@
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
 
+# Ciphers and keying
+#RekeyLimit default none
+
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
diff --git a/sshd_config.5 b/sshd_config.5
index 590fb408..9e0b3a5c 100644
--- a/sshd_config.5
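Review bot: `rekey_timeout_ms = packet_get_rekey_timeout() * 1000;` multiplies in the return type of packet_get_rekey_timeout() before the result is widened to the new `u_int64_t` variable; if that return type is 32-bit (its declaration is not on this page, only the return statement in packet.c), a large RekeyLimit interval overflows before the assignment and the timeout silently becomes wrong. Widen first: `rekey_timeout_ms = (u_int64_t)packet_get_rekey_timeout() * 1000;`. The widening of `max_time_milliseconds` to `u_int64_t` in wait_until_can_do_something is only useful if this product is computed at that width. server_loop2's body continues outside the hunk.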
+++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.158 2013/04/19 01:00:10 djm Exp $ -.Dd $Mdocdate: April 19 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.159 2013/05/16 04:09:14 dtucker Exp $ +.Dd $Mdocdate: May 16 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -814,6 +814,7 @@ Available keywords are .Cm PermitRootLogin , .Cm PermitTunnel , .Cm PubkeyAuthentication , +.Cm RekeyLimit , .Cm RhostsRSAAuthentication , .Cm RSAAuthentication , .Cm X11DisplayOffset , @@ -1008,6 +1009,33 @@ Specifies whether public key authentication is allowed. The default is .Dq yes . Note that this option applies to protocol version 2 only. +.It Cm RekeyLimit +Specifies the maximum amount of data that may be transmitted before the +session key is renegotiated, optionally followed a maximum amount of +time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of +.Sq K , +.Sq M , +or +.Sq G +to indicate Kilobytes, Megabytes, or Gigabytes, respectively. +The default is between +.Sq 1G +and +.Sq 4G , +depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the +.Sx TIME FORMATS +section of +.Xr sshd_config 5 . +The default value for +.Cm RekeyLimit +is +.Dq default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. +This option applies to protocol version 2 only. .It Cm RevokedKeys Specifies revoked public keys. Keys listed in this file will be refused for public key authentication. -- cgit v1.2.1 From 90f0be2464b11ee46f034469d62c737105878622 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Thu, 16 May 2013 10:30:03 +0000 Subject: - djm@cvs.openbsd.org 2013/05/16 04:27:50 [ssh_config.5 readconf.h readconf.c] add the ability to ignore specific unrecognised ssh_config options; bz#866; ok markus@ --- ChangeLog | 4 ++++ readconf.c | 35 ++++++++++++++++++++++++++--------- readconf.h | 4 +++- ssh_config.5 | 13 ++++++++++++- 4 files changed, 45 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 186c4324..ae0f8477 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,10 @@ sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page. + - djm@cvs.openbsd.org 2013/05/16 04:27:50 + [ssh_config.5 readconf.h readconf.c] + add the ability to ignore specific unrecognised ssh_config options; + bz#866; ok markus@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/readconf.c b/readconf.c index d8898a02..51b23a3b 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.198 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.199 2013/05/16 04:27:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -134,8 +134,8 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, oRequestTTY, - oDeprecated, oUnsupported + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, + oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; /* Textual representations of the tokens. */ @@ -246,6 +246,7 @@ static struct { { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, + { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } }; 
@@ -351,14 +352,17 @@ add_identity_file(Options *options, const char *dir, const char *filename, */ static OpCodes -parse_token(const char *cp, const char *filename, int linenum) +parse_token(const char *cp, const char *filename, int linenum, + const char *ignored_unknown) { - u_int i; + int i; for (i = 0; keywords[i].name; i++) - if (strcasecmp(cp, keywords[i].name) == 0) + if (strcmp(cp, keywords[i].name) == 0) return keywords[i].opcode; - + if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown, + strlen(ignored_unknown), 1) == 1) + return oIgnoredUnknownOption; error("%s: line %d: Bad configuration option: %s", filename, linenum, cp); return oBadOption; @@ -377,7 +381,7 @@ process_config_line(Options *options, const char *host, { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; char **cpptr, fwdarg[256]; - u_int *uintptr, max_entries = 0; + u_int i, *uintptr, max_entries = 0; int negated, opcode, *intptr, value, value2, scale; LogLevel *log_level_ptr; long long orig, val64; @@ -400,14 +404,22 @@ process_config_line(Options *options, const char *host, keyword = strdelim(&s); if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') return 0; + /* Match lowercase keyword */ + for (i = 0; i < strlen(keyword); i++) + keyword[i] = tolower(keyword[i]); - opcode = parse_token(keyword, filename, linenum); + opcode = parse_token(keyword, filename, linenum, + options->ignored_unknown); switch (opcode) { case oBadOption: /* don't panic, but count bad options */ return -1; /* NOTREACHED */ + case oIgnoredUnknownOption: + debug("%s line %d: Ignored unknown option \"%s\"", + filename, linenum, keyword); + return 0; case oConnectTimeout: intptr = &options->connection_timeout; parse_time: @@ -1077,6 +1089,10 @@ parse_int: *intptr = value; break; + case oIgnoreUnknown: + charptr = &options->ignored_unknown; + goto parse_string; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); 
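Review bot: parse_token now matches with `strcmp` instead of `strcasecmp`, so it silently relies on every caller lowercasing the keyword beforehand; the one caller visible in this commit does, but the contract is not written down. A comment on the function, e.g. `/* cp must already be lowercased; keywords[] holds lowercase names */`, would keep a future caller from reintroducing a case-sensitive lookup. The change of `i` from `u_int` to `int` is unexplained in the hunk and could use a word as well.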
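Review bot: `keyword[i] = tolower(keyword[i]);` passes a plain `char` to tolower(); for bytes above 0x7F on platforms where char is signed the argument is negative, which is undefined behaviour for the ctype functions. Cast first: `keyword[i] = tolower((u_char)keyword[i]);`, and hoisting `strlen(keyword)` out of the loop condition is a small cleanup on the same line. Separately, an option swallowed by IgnoreUnknown is reported only through debug(), so a broad pattern also hides misspelled security-relevant options without any visible warning; that is the documented design, but a comment on the `oIgnoredUnknownOption` case saying so would help the next reader. process_config_line continues outside the hunk.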
@@ -1238,6 +1254,7 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; + options->ignored_unknown = NULL; } /* diff --git a/readconf.h b/readconf.h index e2057309..23fc500d 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.94 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: readconf.h,v 1.95 2013/05/16 04:27:50 djm Exp $ */ /* * Author: Tatu Ylonen @@ -137,6 +137,8 @@ typedef struct { int use_roaming; int request_tty; + + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; #define SSHCTL_MASTER_NO 0 diff --git a/ssh_config.5 b/ssh_config.5 index 97897e00..955afe35 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.162 2013/05/16 02:00:34 dtucker Exp $ +.\" $OpenBSD: ssh_config.5,v 1.163 2013/05/16 04:27:50 djm Exp $ .Dd $Mdocdate: May 16 2013 $ .Dt SSH_CONFIG 5 .Os @@ -597,6 +597,17 @@ The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in .Cm HostName specifications). +.It Cm IgnoreUnknown +Specifies a pattern-list of unknown options to be ignored if they are +encountered in configuration parsing. +This may be used to suppress errors if +.Nm +contains options that are unrecognised by +.Xr ssh 1 . +It is recommended that +.Cm IgnoreUnknown +be listed early in the configuration file as it will not be applied +to unknown options that appear before it. .It Cm IdentitiesOnly Specifies that .Xr ssh 1 -- cgit v1.2.1 From 8cd25bc12614016f246cbb0a433b7eec531891c7 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Thu, 16 May 2013 10:30:31 +0000 Subject: - jmc@cvs.openbsd.org 2013/05/16 06:28:45 [ssh_config.5] put IgnoreUnknown in the right place; --- ChangeLog | 3 +++ ssh_config.5 | 24 ++++++++++++------------ 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index ae0f8477..2eaa2a85 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ [ssh_config.5 readconf.h readconf.c] add the ability to ignore specific unrecognised ssh_config options; bz#866; ok markus@ + - jmc@cvs.openbsd.org 2013/05/16 06:28:45 + [ssh_config.5] + put IgnoreUnknown in the right place; 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/ssh_config.5 b/ssh_config.5 index 955afe35..003ed68f 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.163 2013/05/16 04:27:50 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.164 2013/05/16 06:28:45 jmc Exp $ .Dd $Mdocdate: May 16 2013 $ .Dt SSH_CONFIG 5 .Os @@ -597,17 +597,6 @@ The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in .Cm HostName specifications). -.It Cm IgnoreUnknown -Specifies a pattern-list of unknown options to be ignored if they are -encountered in configuration parsing. -This may be used to suppress errors if -.Nm -contains options that are unrecognised by -.Xr ssh 1 . -It is recommended that -.Cm IgnoreUnknown -be listed early in the configuration file as it will not be applied -to unknown options that appear before it. .It Cm IdentitiesOnly Specifies that .Xr ssh 1 
@@ -668,6 +657,17 @@ Multiple .Cm IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configuration directives). +.It Cm IgnoreUnknown +Specifies a pattern-list of unknown options to be ignored if they are +encountered in configuration parsing. +This may be used to suppress errors if +.Nm +contains options that are unrecognised by +.Xr ssh 1 . +It is recommended that +.Cm IgnoreUnknown +be listed early in the configuration file as it will not be applied +to unknown options that appear before it. .It Cm IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. Accepted values are -- cgit v1.2.1 From 339ec5cd9d96b80d8f8e8b62544433e093ffa8cd Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:31:29 +0000 Subject: - jmc@cvs.openbsd.org 2013/05/16 06:30:06 [sshd_config.5] oops! avoid Xr to self; --- ChangeLog | 3 +++ sshd_config.5 | 5 ++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2eaa2a85..e5cc7d5e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ - jmc@cvs.openbsd.org 2013/05/16 06:28:45 [ssh_config.5] put IgnoreUnknown in the right place; + - jmc@cvs.openbsd.org 2013/05/16 06:30:06 + [sshd_config.5] + oops! avoid Xr to self; 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/sshd_config.5 b/sshd_config.5 index 9e0b3a5c..18b1d81a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.159 2013/05/16 04:09:14 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.160 2013/05/16 06:30:06 jmc Exp $ .Dd $Mdocdate: May 16 2013 $ .Dt SSHD_CONFIG 5 .Os 
@@ -1027,8 +1027,7 @@ depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the .Sx TIME FORMATS -section of -.Xr sshd_config 5 . +section. The default value for .Cm RekeyLimit is -- cgit v1.2.1 From 098f3bac9b58e7673823390974f2fa10914831d2 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:32:29 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 09:08:41 [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c] Fix some "unused result" warnings found via clang and -portable. ok markus@ --- ChangeLog | 4 ++++ log.c | 4 ++-- schnorr.c | 12 +++++++----- scp.c | 4 ++-- serverloop.c | 4 ++-- sftp.c | 4 ++-- sshd.c | 5 +++-- 7 files changed, 22 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index e5cc7d5e..cc59a47d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,10 @@ - jmc@cvs.openbsd.org 2013/05/16 06:30:06 [sshd_config.5] oops! avoid Xr to self; + - dtucker@cvs.openbsd.org 2013/05/16 09:08:41 + [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c] + Fix some "unused result" warnings found via clang and -portable. + ok markus@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/log.c b/log.c index 81497a44..32e1d2e4 100644 --- a/log.c +++ b/log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.44 2013/04/07 02:10:33 dtucker Exp $ */ +/* $OpenBSD: log.c,v 1.45 2013/05/16 09:08:41 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -445,7 +445,7 @@ do_log(LogLevel level, const char *fmt, va_list args) log_handler = tmp_handler; } else if (log_on_stderr) { snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); - write(log_stderr_fd, msgbuf, strlen(msgbuf)); + (void)write(log_stderr_fd, msgbuf, strlen(msgbuf)); } else { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); 
diff --git a/schnorr.c b/schnorr.c index 4d54d688..05c2e775 100644 --- a/schnorr.c +++ b/schnorr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: schnorr.c,v 1.5 2010/12/03 23:49:26 djm Exp $ */ +/* $OpenBSD: schnorr.c,v 1.6 2013/05/16 09:08:41 dtucker Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -488,12 +488,13 @@ debug3_bn(const BIGNUM *n, const char *fmt, ...) { char *out, *h; va_list args; + int ret; out = NULL; va_start(args, fmt); - vasprintf(&out, fmt, args); + ret = vasprintf(&out, fmt, args); va_end(args); - if (out == NULL) + if (ret == -1 || out == NULL) fatal("%s: vasprintf failed", __func__); if (n == NULL) @@ -513,12 +514,13 @@ debug3_buf(const u_char *buf, u_int len, const char *fmt, ...) char *out, h[65]; u_int i, j; va_list args; + int ret; out = NULL; va_start(args, fmt); - vasprintf(&out, fmt, args); + ret = vasprintf(&out, fmt, args); va_end(args); - if (out == NULL) + if (ret == -1 || out == NULL) fatal("%s: vasprintf failed", __func__); debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : ""); diff --git a/scp.c b/scp.c index 645d7403..ae3d3880 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.171 2011/09/09 22:37:01 djm Exp $ */ +/* $OpenBSD: scp.c,v 1.172 2013/05/16 09:08:41 dtucker Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -1325,7 +1325,7 @@ void lostconn(int signo) { if (!iamremote) - write(STDERR_FILENO, "lost connection\n", 16); + (void)write(STDERR_FILENO, "lost connection\n", 16); if (signo) _exit(1); else diff --git a/serverloop.c b/serverloop.c index 595899f6..a61d4ad3 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.165 2013/05/16 04:09:14 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.166 2013/05/16 09:08:41 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -148,7 +148,7 @@ static void notify_parent(void) { if (notify_pipe[1] != -1) - write(notify_pipe[1], "", 1); + (void)write(notify_pipe[1], "", 1); } static void notify_prepare(fd_set *readset) diff --git a/sftp.c b/sftp.c index 24396ef3..12c4958d 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.143 2013/04/18 02:16:07 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.144 2013/05/16 09:08:41 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -218,7 +218,7 @@ cmd_interrupt(int signo) const char msg[] = "\rInterrupt \n"; int olderrno = errno; - write(STDERR_FILENO, msg, sizeof(msg) - 1); + (void)write(STDERR_FILENO, msg, sizeof(msg) - 1); interrupted = 1; errno = olderrno; } diff --git a/sshd.c b/sshd.c index 9a8e7b8b..df9d0d61 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.400 2013/05/16 04:09:14 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.401 2013/05/16 09:08:41 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1815,7 +1815,8 @@ main(int ac, char **av) /* Chdir to the root directory so that the current disk can be unmounted if desired. */ - chdir("/"); + if (chdir("/") == -1) + error("chdir(\"/\"): %s", strerror(errno)); /* ignore SIGPIPE */ signal(SIGPIPE, SIG_IGN); -- cgit v1.2.1 From 86131d93e5a731c99d7b3d2d32518d3472b95c03 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:33:10 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 09:12:31 [readconf.c servconf.c] switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@ --- ChangeLog | 3 +++ readconf.c | 35 +++++++---------------------------- servconf.c | 35 +++++++---------------------------- 3 files changed, 17 insertions(+), 56 deletions(-) diff --git a/ChangeLog b/ChangeLog index cc59a47d..845a6a28 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -47,6 +47,9 @@
 [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c]
 Fix some "unused result" warnings found via clang and -portable.
 ok markus@
+ - dtucker@cvs.openbsd.org 2013/05/16 09:12:31
+ [readconf.c servconf.c]
+ switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@
 
 20130510
 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler
diff --git a/readconf.c b/readconf.c
index 51b23a3b..dccf3ba1 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.199 2013/05/16 04:27:50 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.200 2013/05/16 09:12:31 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -579,33 +580,11 @@ parse_yesnoask:
 if (strcmp(arg, "default") == 0) {
 val64 = 0;
 } else {
- if (arg[0] < '0' || arg[0] > '9')
- fatal("%.200s line %d: Bad number.", filename,
- linenum);
- orig = val64 = strtoll(arg, &endofnumber, 10);
- if (arg == endofnumber)
- fatal("%.200s line %d: Bad number.", filename,
- linenum);
- switch (toupper(*endofnumber)) {
- case '\0':
- scale = 1;
- break;
- case 'K':
- scale = 1<<10;
- break;
- case 'M':
- scale = 1<<20;
- break;
- case 'G':
- scale = 1<<30;
- break;
- default:
- fatal("%.200s line %d: Invalid RekeyLimit "
- "suffix", filename, linenum);
- }
- val64 *= scale;
- /* detect integer wrap and too-large limits */
- if ((val64 / scale) != orig || val64 > UINT_MAX)
+ if (scan_scaled(arg, &val64) == -1)
+ fatal("%.200s line %d: Bad number '%s': %s",
+ filename, linenum, arg, strerror(errno));
+ /* check for too-large or too-small limits */
+ if (val64 > UINT_MAX)
 fatal("%.200s line %d: RekeyLimit too large",
 filename, linenum);
 if (val64 != 0 && val64 < 16)
diff --git a/servconf.c b/servconf.c
index 4e3026b8..14523934 100644
--- a/servconf.c
+++ b/servconf.c
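Review bot: Dropping the `arg[0] < '0' || arg[0] > '9'` guard in favour of scan_scaled() widens what is accepted: if scan_scaled() behaves as the OpenBSD libutil version does, it skips leading whitespace and accepts a leading `-` or `+`, so an input such as `-1G` is no longer rejected as a bad number but reaches the `val64 < 16` test and is reported as "RekeyLimit too small", and `+1G` is accepted outright. The identical servconf.c hunk in this commit has the same behaviour. If a sign should remain invalid, keep an explicit guard before the call, `if (*arg == '-' || *arg == '+') fatal("%.200s line %d: Bad number.", filename, linenum);`; otherwise a comment noting that negative values are caught by the too-small check would do. The enclosing function continues outside the hunk on both sides.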
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.235 2013/05/16 04:09:14 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.236 2013/05/16 09:12:31 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
@@ -1134,33 +1135,11 @@ process_server_config_line(ServerOptions *options, char *line,
 if (strcmp(arg, "default") == 0) {
 val64 = 0;
 } else {
- if (arg[0] < '0' || arg[0] > '9')
- fatal("%.200s line %d: Bad number.", filename,
- linenum);
- orig = val64 = strtoll(arg, &endofnumber, 10);
- if (arg == endofnumber)
- fatal("%.200s line %d: Bad number.", filename,
- linenum);
- switch (toupper(*endofnumber)) {
- case '\0':
- scale = 1;
- break;
- case 'K':
- scale = 1<<10;
- break;
- case 'M':
- scale = 1<<20;
- break;
- case 'G':
- scale = 1<<30;
- break;
- default:
- fatal("%.200s line %d: Invalid RekeyLimit "
- "suffix", filename, linenum);
- }
- val64 *= scale;
- /* detect integer wrap and too-large limits */
- if ((val64 / scale) != orig || val64 > UINT_MAX)
+ if (scan_scaled(arg, &val64) == -1)
+ fatal("%.200s line %d: Bad number '%s': %s",
+ filename, linenum, arg, strerror(errno));
+ /* check for too-large or too-small limits */
+ if (val64 > UINT_MAX)
 fatal("%.200s line %d: RekeyLimit too large",
 filename, linenum);
 if (val64 != 0 && val64 < 16)
-- cgit v1.2.1
From 5ae6fafa956b53e9b0ecaf75bb3a5564d083e7c6 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Thu, 16 May 2013 10:47:31 +0000
Subject: - (dtucker) [configure.ac readconf.c servconf.c openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled.
---
 ChangeLog | 2 ++
 configure.ac | 7 ++++---
 openbsd-compat/openbsd-compat.h | 6 +++++-
 readconf.c | 2 ++
 servconf.c | 2 ++
 5 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 845a6a28..1779aa74 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -50,6 +50,8 @@ - dtucker@cvs.openbsd.org 2013/05/16 09:12:31 [readconf.c servconf.c] switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@ + - (dtucker) [configure.ac readconf.c servconf.c + openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled. 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/configure.ac b/configure.ac index 6bcbef63..7d8adfcb 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.523 2013/05/10 08:53:14 dtucker Exp $ +# $Id: configure.ac,v 1.524 2013/05/16 10:47:32 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.523 $) +AC_REVISION($Revision: 1.524 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1175,12 +1175,13 @@ AC_CHECK_FUNCS([utimes], dnl Checks for libutil functions AC_CHECK_HEADERS([bsd/libutil.h libutil.h]) AC_SEARCH_LIBS([fmt_scaled], [util bsd]) +AC_SEARCH_LIBS([scan_scaled], [util bsd]) AC_SEARCH_LIBS([login], [util bsd]) AC_SEARCH_LIBS([logout], [util bsd]) AC_SEARCH_LIBS([logwtmp], [util bsd]) AC_SEARCH_LIBS([openpty], [util bsd]) AC_SEARCH_LIBS([updwtmp], [util bsd]) -AC_CHECK_FUNCS([fmt_scaled login logout openpty updwtmp logwtmp]) +AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) AC_FUNC_STRFTIME diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 94d172aa..3dbf1f24 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.56 2013/05/10 08:08:49 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.57 2013/05/16 10:47:32 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 
@@ -111,6 +111,10 @@ char *dirname(const char *path); int fmt_scaled(long long number, char *result); #endif +#ifndef HAVE_SCAN_SCALED +int scan_scaled(char *, long long *); +#endif + #if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) char *inet_ntoa(struct in_addr in); #endif diff --git a/readconf.c b/readconf.c index dccf3ba1..cbc1981a 100644 --- a/readconf.c +++ b/readconf.c @@ -30,7 +30,9 @@ #include #include #include +#ifdef HAVE_UTIL_H #include +#endif #include "xmalloc.h" #include "ssh.h" diff --git a/servconf.c b/servconf.c index 14523934..b2123c6c 100644 --- a/servconf.c +++ b/servconf.c @@ -30,7 +30,9 @@ #include #include #include +#ifdef HAVE_UTIL_H #include +#endif #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -- cgit v1.2.1 From 1d7fcae86a31aebba4e8baf5349005f7e34155fd Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:48:14 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 10:43:34 [servconf.c readconf.c] remove now-unused variables --- ChangeLog | 3 +++ readconf.c | 6 +++--- servconf.c | 6 +++--- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1779aa74..c1fb0e4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,9 @@ - dtucker@cvs.openbsd.org 2013/05/16 09:12:31 [readconf.c servconf.c] switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@ + - dtucker@cvs.openbsd.org 2013/05/16 10:43:34 + [servconf.c readconf.c] + remove now-unused variables - (dtucker) [configure.ac readconf.c servconf.c openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled. diff --git a/readconf.c b/readconf.c index cbc1981a..30c1e83b 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.200 2013/05/16 09:12:31 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.201 2013/05/16 10:43:34 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
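Review bot: The `#ifndef HAVE_SCAN_SCALED` prototype adds a declaration of scan_scaled() while this commit's diffstat touches no openbsd-compat source file, so a platform without scan_scaled() only links if the existing compat code already builds a fallback for it; that is inferred from the diffstat, not visible here. If that fallback sits in the same compat file as fmt_scaled() and is guarded by HAVE_FMT_SCALED alone, a system that has fmt_scaled() but not scan_scaled() (exactly the case the new configure.ac checks distinguish) would fail at link time, so the guard in that file is worth confirming. Once confirmed, a one-line comment above the prototype naming the compat source that provides the fallback would document the dependency for the next reader.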
@@ -385,9 +385,9 @@ process_config_line(Options *options, const char *host, char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; char **cpptr, fwdarg[256]; u_int i, *uintptr, max_entries = 0; - int negated, opcode, *intptr, value, value2, scale; + int negated, opcode, *intptr, value, value2; LogLevel *log_level_ptr; - long long orig, val64; + long long val64; size_t len; Forward fwd; diff --git a/servconf.c b/servconf.c index b2123c6c..d7769447 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.236 2013/05/16 09:12:31 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.237 2013/05/16 10:43:34 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -812,13 +812,13 @@ process_server_config_line(ServerOptions *options, char *line, struct connection_info *connectinfo) { char *cp, **charptr, *arg, *p, *endofnumber; - int cmdline = 0, *intptr, value, value2, n, port, scale; + int cmdline = 0, *intptr, value, value2, n, port; SyslogFacility *log_facility_ptr; LogLevel *log_level_ptr; ServerOpCodes opcode; u_int i, flags = 0; size_t len; - long long orig, val64; + long long val64; const struct multistate *multistate_ptr; cp = line; -- cgit v1.2.1 From 68fdd215c8e73af27120b6d936aef774e9783b88 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 10:48:57 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 10:44:06 [servconf.c] remove another now-unused variable --- ChangeLog | 3 +++ servconf.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c1fb0e4f..dc9d7f63 100644 --- a/ChangeLog +++ b/ChangeLog @@ -53,6 +53,9 @@ - dtucker@cvs.openbsd.org 2013/05/16 10:43:34 [servconf.c readconf.c] remove now-unused variables + - dtucker@cvs.openbsd.org 2013/05/16 10:44:06 + [servconf.c] + remove another now-unused variable - (dtucker) [configure.ac readconf.c servconf.c openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled. 
diff --git a/servconf.c b/servconf.c index d7769447..90f6d465 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.237 2013/05/16 10:43:34 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.238 2013/05/16 10:44:06 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -811,7 +811,7 @@ process_server_config_line(ServerOptions *options, char *line, const char *filename, int linenum, int *activep, struct connection_info *connectinfo) { - char *cp, **charptr, *arg, *p, *endofnumber; + char *cp, **charptr, *arg, *p; int cmdline = 0, *intptr, value, value2, n, port; SyslogFacility *log_facility_ptr; LogLevel *log_level_ptr; -- cgit v1.2.1 From 068e94f65d2448e9c16c16b494ca1d2e15a962aa Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 23:07:12 +0000 Subject: - djm@cvs.openbsd.org 2013/03/07 00:20:34 [regress/proxy-connect.sh] repeat test with a style appended to the username --- ChangeLog | 6 ++++++ regress/proxy-connect.sh | 10 +++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index dc9d7f63..98b74282 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ + 20130517 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/03/07 00:20:34 + [regress/proxy-connect.sh] + repeat test with a style appended to the username + 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be executed if mktemp failed; bz#2105 ok dtucker@ diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh index 6a36b251..76e602dd 100644 --- a/regress/proxy-connect.sh +++ b/regress/proxy-connect.sh @@ -1,8 +1,9 @@ -# $OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $ +# $OpenBSD: proxy-connect.sh,v 1.6 2013/03/07 00:20:34 djm Exp $ # Placed in the Public Domain. tid="proxy connect" +verbose "plain username" for p in 1 2; do ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true if [ $? -ne 0 ]; then 
@@ -16,3 +17,10 @@ for p in 1 2; do fail "bad SSH_CONNECTION" fi done + +verbose "username with style" +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ + fail "ssh proxyconnect protocol $p failed" +done + -- cgit v1.2.1 From 8bcffc74dabf946ea4d9ae01a665b4edc684ca44 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 23:10:20 +0000 Subject: - dtucker@cvs.openbsd.org 2013/03/23 11:09:43 [test-exec.sh] Only regenerate host keys if they don't exist or if ssh-keygen has changed since they were. Reduces test runtime by 5-30% depending on machine speed. --- ChangeLog | 5 +++++ regress/test-exec.sh | 10 ++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 98b74282..95586e87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,11 @@ - djm@cvs.openbsd.org 2013/03/07 00:20:34 [regress/proxy-connect.sh] repeat test with a style appended to the username + - dtucker@cvs.openbsd.org 2013/03/23 11:09:43 + [test-exec.sh] + Only regenerate host keys if they don't exist or if ssh-keygen has changed + since they were. Reduces test runtime by 5-30% depending on machine + speed. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/test-exec.sh b/regress/test-exec.sh index aa4e6e5c..29dac3de 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.37 2010/02/24 06:21:56 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.38 2013/03/23 11:09:43 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo 
@@ -309,9 +309,11 @@ rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER trace "generate keys" for t in rsa rsa1; do # generate user key - rm -f $OBJ/$t - ${SSHKEYGEN} -b 1024 -q -N '' -t $t -f $OBJ/$t ||\ - fail "ssh-keygen for $t failed" + if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then + rm -f $OBJ/$t + ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ + fail "ssh-keygen for $t failed" + fi # known hosts file for client ( -- cgit v1.2.1 From c81bf0a5c7e2189f42231c2222829ab5f706e169 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 23:19:10 +0000 Subject: - dtucker@cvs.openbsd.org 2013/04/06 06:00:22 [regress/rekey.sh regress/test-exec.sh regress/integrity.sh regress/multiplex.sh Makefile regress/cfgmatch.sh] Split the regress log into 3 parts: the debug output from ssh, the debug log from sshd and the output from the client command (ssh, scp or sftp). Somewhat functional now, will become more useful when ssh/sshd -E is added. --- ChangeLog | 8 +++++++- regress/Makefile | 6 +++--- regress/cfgmatch.sh | 4 ++-- regress/integrity.sh | 4 ++-- regress/multiplex.sh | 14 +++++++------- regress/rekey.sh | 6 +++--- regress/test-exec.sh | 33 ++++++++++++++++++++++++--------- 7 files changed, 48 insertions(+), 27 deletions(-) diff --git a/ChangeLog b/ChangeLog index 95586e87..14450ac6 100644 --- a/ChangeLog +++ b/ChangeLog 
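Review bot: The rewritten ssh-keygen line drops the `-b 1024` that the removed line passed, so cached user keys are now generated at ssh-keygen's default size; the commit message only describes skipping regeneration, so confirm this change in key size is intended. The freshness test `[ ${SSHKEYGEN} -nt $OBJ/$t ]` also keeps any key already present until the binary is newer, so a key left by an earlier run with different parameters is reused; note that `rm -f $OBJ/$t` does not remove the `.pub` half either, though that predates this change. Quoting the paths, `if [ ! -f "$OBJ/$t" ] || [ "${SSHKEYGEN}" -nt "$OBJ/$t" ]; then`, would make the check robust to an OBJ containing whitespace. The enclosing for loop continues outside the hunk.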
@@ -4,10 +4,16 @@ [regress/proxy-connect.sh] repeat test with a style appended to the username - dtucker@cvs.openbsd.org 2013/03/23 11:09:43 - [test-exec.sh] + [regress/test-exec.sh] Only regenerate host keys if they don't exist or if ssh-keygen has changed since they were. Reduces test runtime by 5-30% depending on machine speed. + - dtucker@cvs.openbsd.org 2013/04/06 06:00:22 + [regress/rekey.sh regress/test-exec.sh regress/integrity.sh + regress/multiplex.sh Makefile regress/cfgmatch.sh] + Split the regress log into 3 parts: the debug output from ssh, the debug + log from sshd and the output from the client command (ssh, scp or sftp). + Somewhat functional now, will become more useful when ssh/sshd -E is added. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/Makefile b/regress/Makefile index 6ef5d9cc..b99bd3e8 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $ +# $OpenBSD: Makefile,v 1.63 2013/04/06 06:00:22 dtucker Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) @@ -82,8 +82,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ key.rsa-* key.dsa-* key.ecdsa-* \ authorized_principals_${USER} expect actual ready \ - sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* - + sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ + ssh.log sshd.log regress.log # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 0603fab6..02755d9d 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $ +# $OpenBSD: cfgmatch.sh,v 1.7 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. tid="sshd_config match" 
@@ -15,7 +15,7 @@ start_client() rm -f $pidfile ${SSH} -q -$p $fwd "$@" somehost \ exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ - >>$TEST_SSH_LOGFILE 2>&1 & + >>$TEST_REGRESS_LOGFILE 2>&1 & client_pid=$! # Wait for remote end n=0 diff --git a/regress/integrity.sh b/regress/integrity.sh index 4d46926d..1bd330a1 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $ +# $OpenBSD: integrity.sh,v 1.8 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -22,7 +22,7 @@ config_defined OPENSSL_HAVE_EVPGCM && \ macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" # sshd-command for proxy (see test-exec.sh) -cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" +cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" jot() { awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 1e6cc760..6491837a 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.18 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ 
@@ -55,13 +55,13 @@ cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}" rm -f ${COPY} trace "sftp transfer over multiplexed connection and check result" echo "get ${DATA} ${COPY}" | \ - ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_SSH_LOGFILE 2>&1 + ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_REGRESS_LOGFILE 2>&1 test -f ${COPY} || fail "sftp: failed copy ${DATA}" cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}" rm -f ${COPY} trace "scp transfer over multiplexed connection and check result" -${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_SSH_LOGFILE 2>&1 +${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1 test -f ${COPY} || fail "scp: failed copy ${DATA}" cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}" @@ -87,11 +87,11 @@ for s in 0 1 4 5 44; do done verbose "test $tid: cmd check" -${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_SSH_LOGFILE 2>&1 \ +${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "check command failed" verbose "test $tid: cmd exit" -${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \ +${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "send exit command failed" # Wait for master to exit @@ -107,9 +107,9 @@ wait_for_mux_master_ready # start a long-running command then immediately request a stop ${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \ - >>$TEST_SSH_LOGFILE 2>&1 & + >>$TEST_REGRESS_LOGFILE 2>&1 & SLEEP_PID=$! -${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \ +${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "send stop command failed" # wait until both long-running command and master have exited. 
diff --git a/regress/rekey.sh b/regress/rekey.sh index 3c5f266f..b23cfca7 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,11 +1,11 @@ -# $OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $ +# $OpenBSD: rekey.sh,v 1.2 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" DATA=${OBJ}/data COPY=${OBJ}/copy -LOG=${OBJ}/log +LOG=${TEST_SSH_LOGFILE} rm -f ${COPY} ${LOG} ${DATA} touch ${DATA} @@ -29,4 +29,4 @@ for s in 16 1k 128k 256k; do fail "no rekeying occured" fi done -rm -f ${COPY} ${LOG} ${DATA} +rm -f ${COPY} ${DATA} diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 29dac3de..b02172c0 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.38 2013/03/23 11:09:43 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.39 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -136,9 +136,24 @@ case "$SSHD" in *) SSHD=`which sshd` ;; esac +# Logfiles. +# SSH_LOGFILE should be the debug output of ssh(1) only +# SSHD_LOGFILE should be the debug output of sshd(8) only +# REGRESS_LOGFILE is the output of the test itself stdout and stderr if [ "x$TEST_SSH_LOGFILE" = "x" ]; then - TEST_SSH_LOGFILE=/dev/null + TEST_SSH_LOGFILE=$OBJ/ssh.log fi +if [ "x$TEST_SSHD_LOGFILE" = "x" ]; then + TEST_SSHD_LOGFILE=$OBJ/sshd.log +fi +if [ "x$TEST_REGRESS_LOGFILE" = "x" ]; then + TEST_REGRESS_LOGFILE=$OBJ/regress.log +fi + +# truncate logfiles +>$TEST_SSH_LOGFILE +>$TEST_SSHD_LOGFILE +>$TEST_REGRESS_LOGFILE # Some data for test copies DATA=$OBJ/testdata @@ -201,7 +216,7 @@ cleanup () trace () { - echo "trace: $@" >>$TEST_SSH_LOGFILE + echo "trace: $@" >>$TEST_REGRESS_LOGFILE if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then echo "$@" fi @@ -209,7 +224,7 @@ trace () verbose () { - echo "verbose: $@" >>$TEST_SSH_LOGFILE + echo "verbose: $@" >>$TEST_REGRESS_LOGFILE if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then echo "$@" fi 
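Review bot: With `LOG=${TEST_SSH_LOGFILE}`, the unchanged context line `rm -f ${COPY} ${LOG} ${DATA}` that follows in the first rekey.sh hunk now deletes the shared ssh log that test-exec.sh creates and truncates for the whole run (`>$TEST_SSH_LOGFILE` in the test-exec.sh hunk below), while the second hunk of this file stops removing it at the end; the two cleanups should agree. The initial one should drop `${LOG}` the same way: `rm -f ${COPY} ${DATA}`. Deleting the file here discards whatever earlier tests wrote to it, and it only reappears when the next writer recreates it, which makes the combined log harder to read after a failure.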
@@ -223,14 +238,14 @@ warn () fail () { - echo "FAIL: $@" >>$TEST_SSH_LOGFILE + echo "FAIL: $@" >>$TEST_REGRESS_LOGFILE RESULT=1 echo "$@" } fatal () { - echo "FATAL: $@" >>$TEST_SSH_LOGFILE + echo "FATAL: $@" >>$TEST_REGRESS_LOGFILE echon "FATAL: " fail "$@" cleanup @@ -372,7 +387,7 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy - echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy + echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy REGRESS_INTEROP_PUTTY=yes fi @@ -380,7 +395,7 @@ fi # create a proxy version of the client config ( cat $OBJ/ssh_config - echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy + echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy ) > $OBJ/ssh_proxy # check proxy config @@ -390,7 +405,7 @@ start_sshd () { # start sshd $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" - $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSH_LOGFILE 2>&1 + $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSHD_LOGFILE 2>&1 trace "wait for sshd" i=0; -- cgit v1.2.1 From 080c09f4091e99491898db3f1641421a177c93c0 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Thu, 16 May 2013 23:31:39 +0000 Subject: - dtucker@cvs.openbsd.org 2013/04/07 02:16:03 [regress/Makefile regress/rekey.sh regress/integrity.sh regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh] use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and save the output from any failing tests. If a test fails the debug output from ssh and sshd for the failing tests (and only the failing tests) should be available in failed-ssh{,d}.log. --- ChangeLog | 7 +++++++ regress/Makefile | 5 +++-- regress/forwarding.sh | 6 +++--- regress/integrity.sh | 11 ++++++----- regress/rekey.sh | 5 ++--- regress/sshd-log-wrapper.sh | 4 ++-- regress/test-exec.sh | 44 ++++++++++++++++++++++++++++++++++++-------- 7 files changed, 59 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index 14450ac6..bb6787cf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,13 @@ Split the regress log into 3 parts: the debug output from ssh, the debug log from sshd and the output from the client command (ssh, scp or sftp). Somewhat functional now, will become more useful when ssh/sshd -E is added. + - dtucker@cvs.openbsd.org 2013/04/07 02:16:03 + [regress/Makefile regress/rekey.sh regress/integrity.sh + regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh] + use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and + save the output from any failing tests. If a test fails the debug output + from ssh and sshd for the failing tests (and only the failing tests) should + be available in failed-ssh{,d}.log. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/Makefile b/regress/Makefile index b99bd3e8..4ac5b4d4 100644 --- a/regress/Makefile +++ b/regress/Makefile 
@@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.63 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: Makefile,v 1.64 2013/04/07 02:16:03 dtucker Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) @@ -83,7 +83,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ key.rsa-* key.dsa-* key.ecdsa-* \ authorized_principals_${USER} expect actual ready \ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ - ssh.log sshd.log regress.log + ssh.log failed-ssh.log sshd.log failed-sshd.log \ + regress.log failed-regress.log ssh-log-wrapper.sh # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/forwarding.sh b/regress/forwarding.sh index f9c367be..6a700307 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forwarding.sh,v 1.8 2012/06/01 00:47:35 djm Exp $ +# $OpenBSD: forwarding.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. tid="local and remote forwarding" @@ -75,7 +75,7 @@ for p in 1 2; do else # this one should fail ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ - 2>>$TEST_SSH_LOGFILE && \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ fail "local forwarding not cleared" fi sleep 10 @@ -88,7 +88,7 @@ for p in 1 2; do else # this one should fail ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ - 2>>$TEST_SSH_LOGFILE && \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ fail "remote forwarding not cleared" fi sleep 10 diff --git a/regress/integrity.sh b/regress/integrity.sh index 1bd330a1..3950b7d1 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.8 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. tid="integrity" 
@@ -47,14 +47,15 @@ for m in $macs; do aes*gcm*) macopt="-c $m";; *) macopt="-m $m";; esac - output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ - 999.999.999.999 'printf "%4096s" " "' 2>&1` + verbose "test $tid: $m @$off $output" + ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ + 999.999.999.999 'printf "%4096s" " "' >/dev/null if [ $? -eq 0 ]; then fail "ssh -m $m succeeds with bit-flip at $off" fi ecnt=`expr $ecnt + 1` - output=`echo $output | tr -s '\r\n' '.'` - verbose "test $tid: $m @$off $output" + output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \ + tr -s '\r\n' '.') case "$output" in Bad?packet*) elen=`expr $elen + 1`; skip=3;; Corrupted?MAC* | Decryption?integrity?check?failed*) diff --git a/regress/rekey.sh b/regress/rekey.sh index b23cfca7..d2542ecd 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.2 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" @@ -16,8 +16,7 @@ for s in 16 1k 128k 256k; do rm -f ${COPY} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit=$s \ - -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \ - 2> ${LOG} + -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh failed" fi diff --git a/regress/sshd-log-wrapper.sh b/regress/sshd-log-wrapper.sh index c7a5ef3a..a9386be4 100644 --- a/regress/sshd-log-wrapper.sh +++ b/regress/sshd-log-wrapper.sh @@ -1,5 +1,5 @@ #!/bin/sh -# $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $ +# $OpenBSD: sshd-log-wrapper.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. # # simple wrapper for sshd proxy mode to catch stderr output @@ -10,4 +10,4 @@ log=$2 shift shift -exec $sshd $@ -e 2>>$log +exec $sshd -E$log $@ diff --git a/regress/test-exec.sh b/regress/test-exec.sh index b02172c0..f797ab68 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh 
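Review bot: The `verbose "test $tid: $m @$off $output"` line now runs before `$output` is assigned for this iteration, so it prints the previous iteration's classification (and nothing on the first pass) next to the current offset. Moving it back below the `output=$(...)` assignment is not an option, because in this commit's test-exec.sh change verbose() truncates the ssh log through start_debug_log and the `tail -2 $TEST_SSH_LOGFILE` relies on that truncation to see only the current run; the simplest fix is to drop the stale variable: `verbose "test $tid: $m @$off"`. Reading the last two non-debug lines of the shared log also assumes no other writer appends to it between the ssh run and the tail. The loop body continues outside the hunk, and the `$(...)` substitution differs in style from the backticks used on the surrounding lines.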
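Review bot: The rewritten `exec $sshd -E$log $@` in sshd-log-wrapper.sh keeps `$@` unquoted, so any argument containing whitespace is re-split before sshd sees it; since the line is being rewritten anyway, `exec $sshd -E$log "$@"` is the safe form. Dropping `2>>$log` also means anything sshd prints to stderr outside its logger (presumably early configuration errors) is no longer captured in the sshd log but goes to the caller's stderr; if that is intended, a one-line comment above the exec saying so would keep the next reader from re-adding the redirection.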
@@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.39 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.40 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -159,6 +159,15 @@ fi DATA=$OBJ/testdata cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA +# Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..." +# because sftp and scp don't handle spaces in arguments. +SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh +echo "#!/bin/sh" > $SSHLOGWRAP +echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP + +chmod a+rx $OBJ/ssh-log-wrapper.sh +SSH="$SSHLOGWRAP" + # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP @@ -214,9 +223,26 @@ cleanup () fi } +start_debug_log () +{ + echo "trace: $@" >$TEST_REGRESS_LOGFILE + echo "trace: $@" >$TEST_SSH_LOGFILE + echo "trace: $@" >$TEST_SSHD_LOGFILE +} + +save_debug_log () +{ + echo $@ >>$TEST_REGRESS_LOGFILE + echo $@ >>$TEST_SSH_LOGFILE + echo $@ >>$TEST_SSHD_LOGFILE + (cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log + (cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log + (cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log +} + trace () { - echo "trace: $@" >>$TEST_REGRESS_LOGFILE + start_debug_log $@ if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then echo "$@" fi @@ -224,7 +250,7 @@ trace () verbose () { - echo "verbose: $@" >>$TEST_REGRESS_LOGFILE + start_debug_log $@ if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then echo "$@" fi @@ -238,15 +264,16 @@ warn () fail () { - echo "FAIL: $@" >>$TEST_REGRESS_LOGFILE + save_debug_log "FAIL: $@" RESULT=1 echo "$@" + } fatal () { - echo "FATAL: $@" >>$TEST_REGRESS_LOGFILE - echon "FATAL: " + save_debug_log "FATAL: $@" + echo -n "FATAL: " fail "$@" cleanup exit $RESULT 
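Review bot: The generated wrapper interpolates `${SSH}` and `${TEST_SSH_LOGFILE}` unquoted into the script text, so a path containing whitespace or shell metacharacters yields a wrapper that breaks or behaves differently from the intended `ssh -E` invocation. Quoting inside the generated line, `echo "exec \"${SSH}\" -E\"${TEST_SSH_LOGFILE}\" "'"$@"' >>$SSHLOGWRAP`, closes that gap, and the following `chmod a+rx $OBJ/ssh-log-wrapper.sh` should reuse `$SSHLOGWRAP` rather than repeat the path. Reassigning `SSH="$SSHLOGWRAP"` routes every later use of `$SSH`, including the `-S "$SSH"` passed to sftp and scp, through the wrapper, which matches the comment's stated reason for the indirection.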
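Review bot: start_debug_log truncates all three log files with `>` on every trace() and verbose() call, which is what lets save_debug_log later capture only the failing test's output, but nothing says so; a comment above the function such as `# Truncate the logs so a later save_debug_log() captures only the current test` would spare the next reader from "fixing" it to `>>`. Both helpers are called as `start_debug_log $@` and echo with `echo $@`, so the message is word-split and glob-expanded twice; passing and echoing `"$@"` keeps messages containing `*` or runs of spaces intact.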
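Review bot: fatal() now calls `save_debug_log "FATAL: $@"` and then `fail "$@"`, which calls save_debug_log again, so on a fatal error the contents of all three logs are appended to the failed-*.log files twice, the second copy including the FATAL line; dropping the save_debug_log call from fatal() (or having fatal() not go through fail()) avoids the duplicate. Replacing `echon "FATAL: "` with `echo -n "FATAL: "` also reintroduces the portability issue the echon helper presumably exists for: on shells whose builtin echo does not understand `-n`, the output becomes the literal `-n FATAL: `, so keep `echon "FATAL: "` (its definition is outside this hunk). fail() additionally gains a stray blank line before its closing brace.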
@@ -278,7 +305,7 @@ cat << EOF > $OBJ/sshd_config #ListenAddress ::1 PidFile $PIDFILE AuthorizedKeysFile $OBJ/authorized_keys_%u - LogLevel VERBOSE + LogLevel DEBUG3 AcceptEnv _XXX_TEST_* AcceptEnv _XXX_TEST Subsystem sftp $SFTPSERVER @@ -312,6 +339,7 @@ Host * PasswordAuthentication no BatchMode yes StrictHostKeyChecking yes + LogLevel DEBUG3 EOF if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then @@ -405,7 +433,7 @@ start_sshd () { # start sshd $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" - $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSHD_LOGFILE 2>&1 + $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE trace "wait for sshd" i=0; -- cgit v1.2.1 From 43852b862cbb45a3c5cf0d3ed6aae752563d914a Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 23:35:26 +0000 Subject: - djm@cvs.openbsd.org 2013/04/18 02:46:12 [Makefile regress/sftp-chroot.sh] test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@ --- ChangeLog | 3 +++ regress/Makefile | 6 +++++- regress/sftp-chroot.sh | 26 ++++++++++++++++++++++++++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 regress/sftp-chroot.sh diff --git a/ChangeLog b/ChangeLog index bb6787cf..aec54e43 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,9 @@ save the output from any failing tests. If a test fails the debug output from ssh and sshd for the failing tests (and only the failing tests) should be available in failed-ssh{,d}.log. + - djm@cvs.openbsd.org 2013/04/18 02:46:12 + [Makefile regress/sftp-chroot.sh] + test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@ 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/Makefile b/regress/Makefile index 4ac5b4d4..b19c7ae2 100644 --- a/regress/Makefile +++ b/regress/Makefile 
@@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.64 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) @@ -8,6 +8,7 @@ interop interop-tests: t-exec-interop clean: for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done + test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN} rm -rf $(OBJ).putty distclean: clean @@ -38,6 +39,7 @@ LTESTS= connect \ key-options \ scp \ sftp \ + sftp-chroot \ sftp-cmds \ sftp-badcmds \ sftp-batch \ @@ -86,6 +88,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ ssh.log failed-ssh.log sshd.log failed-sshd.log \ regress.log failed-regress.log ssh-log-wrapper.sh +SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} + # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh new file mode 100644 index 00000000..8c07979b --- /dev/null +++ b/regress/sftp-chroot.sh @@ -0,0 +1,26 @@ +# $OpenBSD: sftp-chroot.sh,v 1.1 2013/04/18 02:46:12 djm Exp $ +# Placed in the Public Domain. + +tid="sftp in chroot" + +COPY=${OBJ}/copy +CHROOT=/var/run +FILENAME=testdata_${USER} +PRIVDATA=${CHROOT}/${FILENAME} + +if [ -z "$SUDO" ]; then + fatal "need SUDO to create file in /var/run, test won't work without" +fi + +$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \ + fatal "create $PRIVDATA failed" + +start_sshd -oChrootDirectory=$CHROOT -oForceCommand="internal-sftp -d /" + +verbose "test $tid: get" +rm -f ${COPY} +${SFTP} -qS "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY || \ + fatal "Fetch ${FILENAME} failed" +cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ" + +$SUDO rm $PRIVDATA -- cgit v1.2.1 From 8860947040bc92e139b12d57351e122898a24296 Mon Sep 17 00:00:00 2001 
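Review bot: `$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA"` expands `$PRIVDATA`, which is built from the environment's `${USER}`, inside a command string executed by a root shell, so a USER value containing whitespace or shell metacharacters is interpreted by that shell instead of being treated as a file name. Writing the file without a root shell string, e.g. `echo mekmitastdigoat | $SUDO tee "$PRIVDATA" >/dev/null || fatal "create $PRIVDATA failed"`, avoids that, and the trailing `$SUDO rm $PRIVDATA` should quote the path the same way. Because fatal() exits before the final `$SUDO rm` when the fetch fails, the root-owned file stays in /var/run; the `SUDO_CLEAN` entry this commit adds to the Makefile covers that case, and a one-line comment here (`# a left-over file is removed by 'make clean' via SUDO_CLEAN`) would document the cleanup path.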
From: dtucker Date: Thu, 16 May 2013 23:36:20 +0000 Subject: - dtucker@cvs.openbsd.org 2013/04/22 07:23:08 [multiplex.sh] Write mux master logs to regress.log instead of ssh.log to keep separate --- ChangeLog | 5 ++++- regress/multiplex.sh | 20 ++++++++++++-------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index aec54e43..3b50d2e5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,8 +22,11 @@ from ssh and sshd for the failing tests (and only the failing tests) should be available in failed-ssh{,d}.log. - djm@cvs.openbsd.org 2013/04/18 02:46:12 - [Makefile regress/sftp-chroot.sh] + [regress/Makefile regress/sftp-chroot.sh] test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@ + - dtucker@cvs.openbsd.org 2013/04/22 07:23:08 + [multiplex.sh] + Write mux master logs to regress.log instead of ssh.log to keep separate 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 6491837a..619fec9b 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.18 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.19 2013/04/22 07:23:08 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ @@ -25,10 +25,16 @@ wait_for_mux_master_ready() start_sshd -trace "start master, fork to background" -${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & -MASTER_PID=$! -wait_for_mux_master_ready +start_mux_master() +{ + trace "start master, fork to background" + ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \ + -E $TEST_REGRESS_LOGFILE 2>&1 & + MASTER_PID=$! + wait_for_mux_master_ready +} + +start_mux_master verbose "test $tid: envpass" trace "env passing over multiplexed connection" 
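Review bot: In start_mux_master the trailing `2>&1` on the `${SSH} -Nn2 ... -E $TEST_REGRESS_LOGFILE 2>&1 &` line has no effect, since stdout is not redirected anywhere; the master's log already goes to the regress log through `-E`. Either drop `2>&1` or, if the intent was to catch stderr output that bypasses the logger, redirect both streams: `>>$TEST_REGRESS_LOGFILE 2>&1 &`. At this point `$SSH` is the logging wrapper from test-exec.sh, so this `-E` presumably overrides the wrapper's `-E${TEST_SSH_LOGFILE}` for the master only, which is what the commit message describes.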
@@ -101,9 +107,7 @@ kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" # Restart master and test -O stop command with master using -N verbose "test $tid: cmd stop" trace "restart master, fork to background" -${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & -MASTER_PID=$! -wait_for_mux_master_ready +start_mux_master # start a long-running command then immediately request a stop ${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \ -- cgit v1.2.1 From 6529a9d22ec7a6fb7cbd8400feadbd2cbe6c9f52 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 23:37:31 +0000 Subject: - dtucker@cvs.openbsd.org 2013/04/22 07:28:53 [multiplex.sh] Add tests for -Oforward and -Ocancel for local and remote forwards --- ChangeLog | 2 +- regress/multiplex.sh | 23 ++++++++++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3b50d2e5..46f2d5e8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,7 +25,7 @@ [regress/Makefile regress/sftp-chroot.sh] test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@ - dtucker@cvs.openbsd.org 2013/04/22 07:23:08 - [multiplex.sh] + [regress/multiplex.sh] Write mux master logs to regress.log instead of ssh.log to keep separate 20130516 diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 619fec9b..8389b384 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.19 2013/04/22 07:23:08 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.20 2013/04/22 07:28:53 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ @@ -12,6 +12,7 @@ fi DATA=/bin/ls${EXEEXT} COPY=$OBJ/ls.copy +P=3301 # test port wait_for_mux_master_ready() { 
@@ -96,6 +97,26 @@ verbose "test $tid: cmd check" ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "check command failed" +verbose "test $tid: cmd forward local" +${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \ + || fail "request local forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + || fail "connect to local forward port failed" +${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \ + || fail "cancel local forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + && fail "local forward port still listening" + +verbose "test $tid: cmd forward remote" +${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \ + || fail "request remote forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + || fail "connect to remote forwarded port failed" +${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \ + || fail "cancel remote forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + && fail "remote forward port still listening" + verbose "test $tid: cmd exit" ${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "send exit command failed" -- cgit v1.2.1 From fd6926642fa2ecfe59a3b8baf3e3f080bde6a60c Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 23:41:33 +0000 Subject: - djm@cvs.openbsd.org 2013/05/10 03:46:14 [modpipe.c] sync some portability changes from portable OpenSSH (id sync only) --- ChangeLog | 3 +++ regress/modpipe.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 46f2d5e8..5df073c9 100644 --- a/ChangeLog +++ b/ChangeLog 
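Review bot: The forward and cancel tests bind the fixed port `P=3301` (set in the previous hunk of this file), so an unrelated listener on 3301 makes the `-Oforward` request fail and, worse, turns the post-cancel `&& fail "... still listening"` probes into false failures, because a successful connect cannot tell the mux master's listener from any other process. Deriving the port from the harness's own allocation, the way dynamic-forward.sh computes FWDPORT with `expr $PORT + 1`, keeps it inside the range the test run controls. The `-Oforward`/`-Ocancel` invocations also lack the `>>$TEST_REGRESS_LOGFILE 2>&1` that the `-Ocheck` line just above uses, so their diagnostics end up in the test's stdout instead of the log.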
@@ -27,6 +27,9 @@ - dtucker@cvs.openbsd.org 2013/04/22 07:23:08 [regress/multiplex.sh] Write mux master logs to regress.log instead of ssh.log to keep separate + - djm@cvs.openbsd.org 2013/05/10 03:46:14 + [modpipe.c] + sync some portability changes from portable OpenSSH (id sync only) 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/modpipe.c b/regress/modpipe.c index 3322d1a7..85747cf7 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */ +/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */ #include "includes.h" -- cgit v1.2.1 From 48f3cbc30652bac3116a4b3d269dc515809c7bf5 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 23:42:34 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 02:10:35 [rekey.sh] Add test for time-based rekeying --- ChangeLog | 3 +++ regress/rekey.sh | 23 +++++++++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5df073c9..41a628fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,9 @@ - djm@cvs.openbsd.org 2013/05/10 03:46:14 [modpipe.c] sync some portability changes from portable OpenSSH (id sync only) + - dtucker@cvs.openbsd.org 2013/05/16 02:10:35 + [rekey.sh] + Add test for time-based rekeying 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/rekey.sh b/regress/rekey.sh index d2542ecd..24d6c965 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.4 2013/05/16 02:10:35 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" 
@@ -13,7 +13,7 @@ dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1 for s in 16 1k 128k 256k; do trace "rekeylimit ${s}" - rm -f ${COPY} + rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit=$s \ -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" @@ -28,4 +28,23 @@ for s in 16 1k 128k 256k; do fail "no rekeying occured" fi done + +for s in 5 10 15 ; do + trace "rekeylimit default ${s}" + rm -f ${COPY} ${LOG} + cat $DATA | \ + ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 5" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + cmp $DATA ${COPY} || fail "corrupted copy" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + rm -f ${COPY} ${DATA} -- cgit v1.2.1 From aa58f8dbc7ac999efc9aa67395c5fb6bd5ce9a80 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 23:43:33 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 03:33:30 [regress/rekey.sh] test rekeying when there's no data being transferred --- ChangeLog | 7 +++++-- regress/rekey.sh | 26 +++++++++++++++++++++----- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 41a628fa..b4400202 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,11 +28,14 @@ [regress/multiplex.sh] Write mux master logs to regress.log instead of ssh.log to keep separate - djm@cvs.openbsd.org 2013/05/10 03:46:14 - [modpipe.c] + [regress/modpipe.c] sync some portability changes from portable OpenSSH (id sync only) - dtucker@cvs.openbsd.org 2013/05/16 02:10:35 - [rekey.sh] + [regress/rekey.sh] Add test for time-based rekeying + - dtucker@cvs.openbsd.org 2013/05/16 03:33:30 + [regress/rekey.sh] + test rekeying when there's no data being transferred 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/rekey.sh b/regress/rekey.sh index 24d6c965..3576a2a0 100644 
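Review bot: The new time-based loop omits the `-v` that the size-based loop directly above passes to ssh, yet it greps `${LOG}` for `NEWKEYS sent`, which is only logged at debug level; if the log level comes from the wrapper or the ssh_proxy config then `-v` in the first loop is redundant, and if it does not, every iteration here ends with `n=-1` and fails. The two loops should agree either way, e.g. `${SSH} -oCompression=no -oRekeyLimit="default $s" -v -F \`. The fixed `sleep 5` after the `$s` sleep is the only margin between the rekey timer firing and the session closing, so a short comment such as `# extra sleep gives the rekey timer time to fire before the session ends` would tell whoever tunes it later why the number is there.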
--- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.4 2013/05/16 02:10:35 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.5 2013/05/16 03:33:30 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" @@ -12,7 +12,7 @@ touch ${DATA} dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1 for s in 16 1k 128k 256k; do - trace "rekeylimit ${s}" + verbose "rekeylimit ${s}" rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit=$s \ @@ -29,12 +29,12 @@ for s in 16 1k 128k 256k; do fi done -for s in 5 10 15 ; do - trace "rekeylimit default ${s}" +for s in 5 10; do + verbose "rekeylimit default ${s}" rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ - $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 5" + $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3" if [ $? -ne 0 ]; then fail "ssh failed" fi @@ -47,4 +47,20 @@ for s in 5 10 15 ; do fi done +for s in 5 10; do + verbose "rekeylimit default ${s} no data" + rm -f ${COPY} ${LOG} + ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "sleep $s;sleep 3" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + rm -f ${COPY} ${DATA} -- cgit v1.2.1 From 7e1f97fbcafff1ff4c29996915fa76666b2de98b Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 May 2013 23:44:20 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 04:26:10 [regress/rekey.sh] add server-side rekey test --- ChangeLog | 3 +++ regress/rekey.sh | 24 ++++++++++++++++++++---- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index b4400202..cff12dd9 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -36,6 +36,9 @@ - dtucker@cvs.openbsd.org 2013/05/16 03:33:30 [regress/rekey.sh] test rekeying when there's no data being transferred + - dtucker@cvs.openbsd.org 2013/05/16 04:26:10 + [regress/rekey.sh] + add server-side rekey test 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/rekey.sh b/regress/rekey.sh index 3576a2a0..736da9f9 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.5 2013/05/16 03:33:30 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.6 2013/05/16 04:26:10 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" @@ -12,7 +12,7 @@ touch ${DATA} dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1 for s in 16 1k 128k 256k; do - verbose "rekeylimit ${s}" + verbose "client rekeylimit ${s}" rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit=$s \ @@ -30,7 +30,7 @@ for s in 16 1k 128k 256k; do done for s in 5 10; do - verbose "rekeylimit default ${s}" + verbose "client rekeylimit default ${s}" rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ @@ -48,7 +48,7 @@ for s in 5 10; do done for s in 5 10; do - verbose "rekeylimit default ${s} no data" + verbose "client rekeylimit default ${s} no data" rm -f ${COPY} ${LOG} ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ $OBJ/ssh_proxy somehost "sleep $s;sleep 3" @@ -63,4 +63,20 @@ for s in 5 10; do fi done +echo "rekeylimit default 5" >>$OBJ/sshd_proxy +for s in 5 10; do + verbose "server rekeylimit default ${s} no data" + rm -f ${COPY} ${LOG} + ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + rm -f ${COPY} ${DATA} -- cgit v1.2.1 From 7d8cb65d3a204228b9740b8d9a8c10cb69c3ba48 Mon Sep 17 00:00:00 2001 
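Review bot: The server-side loop appends `rekeylimit default 5` to sshd_proxy once, before the loop, yet labels each pass `server rekeylimit default ${s}`, so the `s=10` pass exercises a 5-second server limit with a longer sleep rather than the 10-second limit the label claims. Either set the limit per iteration (save sshd_proxy first, as forcecommand.sh does with sshd_proxy_bak, then append `rekeylimit default $s` inside the loop) or make the label honest: `verbose "server rekeylimit default 5, sleep ${s}"`. The appended line is also never removed, which is harmless only if the harness regenerates sshd_proxy for every test; this hunk cannot show that, so a comment stating the assumption would help.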
From: dtucker Date: Thu, 16 May 2013 23:45:12 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 05:48:31 [regress/rekey.sh] add tests for RekeyLimit parsing --- ChangeLog | 3 +++ regress/rekey.sh | 35 +++++++++++++++++++++++++++++++++-- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index cff12dd9..aabd6acd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,9 @@ - dtucker@cvs.openbsd.org 2013/05/16 04:26:10 [regress/rekey.sh] add server-side rekey test + - dtucker@cvs.openbsd.org 2013/05/16 05:48:31 + [regress/rekey.sh] + add tests for RekeyLimit parsing 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/rekey.sh b/regress/rekey.sh index 736da9f9..cefdea53 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,7 +1,7 @@ -# $OpenBSD: rekey.sh,v 1.6 2013/05/16 04:26:10 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.7 2013/05/16 05:48:31 dtucker Exp $ # Placed in the Public Domain. -tid="rekey during transfer data" +tid="rekey" DATA=${OBJ}/data COPY=${OBJ}/copy @@ -79,4 +79,35 @@ for s in 5 10; do fi done +verbose "rekeylimit parsing" +for size in 16 1k 1K 1m 1M 1g 1G; do + for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do + case $size in + 16) bytes=16 ;; + 1k|1K) bytes=1024 ;; + 1m|1M) bytes=1048576 ;; + 1g|1G) bytes=1073741824 ;; + esac + case $time in + 1) seconds=1 ;; + 1m|1M) seconds=60 ;; + 1h|1H) seconds=3600 ;; + 1d|1D) seconds=86400 ;; + 1w|1W) seconds=604800 ;; + esac + + b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ + awk '/rekeylimit/{print $2}'` + s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ + awk '/rekeylimit/{print $3}'` + + if [ "$bytes" != "$b" ]; then + fatal "rekeylimit size: expected $bytes got $b" + fi + if [ "$seconds" != "$s" ]; then + fatal "rekeylimit time: expected $time got $s" + fi + done +done + rm -f ${COPY} ${DATA} -- cgit v1.2.1 From 875ae1641e82f759cbc50d4ed47aaf360aab970d Mon Sep 17 00:00:00 2001 
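Review bot: The failure message for the time half of the parsing test prints the unparsed input, `fatal "rekeylimit time: expected $time got $s"`, so a mismatch shows the spelling `1m` where the size message shows the expected number; it should be `fatal "rekeylimit time: expected $seconds got $s"`. Each size/time combination also runs `$SUDO ${SSHD} -T` twice to read `$2` and `$3` from the same output line; capturing that output once into a variable and taking both fields from it halves the sshd invocations (63 instead of 126). Reusing `s` here shadows the `$s` loop variable the earlier loops in this file used; they have finished by now, but a name like `secs` avoids the double-take.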
From: dtucker Date: Fri, 17 May 2013 01:23:41 +0000 Subject: - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. --- ChangeLog | 2 ++ regress/bsd.regress.mk | 79 -------------------------------------------------- 2 files changed, 2 insertions(+), 79 deletions(-) delete mode 100644 regress/bsd.regress.mk diff --git a/ChangeLog b/ChangeLog index aabd6acd..61601f6b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,8 @@ - dtucker@cvs.openbsd.org 2013/05/16 05:48:31 [regress/rekey.sh] add tests for RekeyLimit parsing + - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it + in portable and it's long gone in openbsd. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/bsd.regress.mk b/regress/bsd.regress.mk deleted file mode 100644 index 9b8011a0..00000000 --- a/regress/bsd.regress.mk +++ /dev/null 
@@ -1,79 +0,0 @@ -# $OpenBSD: bsd.regress.mk,v 1.9 2002/02/17 01:10:15 marc Exp $ -# No man pages for regression tests. -NOMAN= - -# No installation. -install: - -# If REGRESSTARGETS is defined and PROG is not defined, set NOPROG -.if defined(REGRESSTARGETS) && !defined(PROG) -NOPROG= -.endif - -.include - -.MAIN: all -all: regress - -# XXX - Need full path to REGRESSLOG, otherwise there will be much pain. - -REGRESSLOG?=/dev/null -REGRESSNAME=${.CURDIR:S/${BSDSRCDIR}\/regress\///} - -.if defined(PROG) && !empty(PROG) -run-regress-${PROG}: ${PROG} - ./${PROG} -.endif - -.if !defined(REGRESSTARGETS) -REGRESSTARGETS=run-regress-${PROG} -. if defined(REGRESSSKIP) -REGRESSSKIPTARGETS=run-regress-${PROG} -. endif -.endif - -REGRESSSKIPSLOW?=no - -#.if (${REGRESSSKIPSLOW:L} == "yes") && defined(REGRESSSLOWTARGETS) - -.if (${REGRESSSKIPSLOW} == "yes") && defined(REGRESSSLOWTARGETS) -REGRESSSKIPTARGETS+=${REGRESSSLOWTARGETS} -.endif - -.if defined(REGRESSROOTTARGETS) -ROOTUSER!=id -g -SUDO?= -. if (${ROOTUSER} != 0) && empty(SUDO) -REGRESSSKIPTARGETS+=${REGRESSROOTTARGETS} -. endif -.endif - -REGRESSSKIPTARGETS?= - -regress: -.for RT in ${REGRESSTARGETS} -. if ${REGRESSSKIPTARGETS:M${RT}} - @echo -n "SKIP " >> ${REGRESSLOG} -. else -# XXX - we need a better method to see if a test fails due to timeout or just -# normal failure. -. if !defined(REGRESSMAXTIME) - @if cd ${.CURDIR} && ${MAKE} ${RT}; then \ - echo -n "SUCCESS " >> ${REGRESSLOG} ; \ - else \ - echo -n "FAIL " >> ${REGRESSLOG} ; \ - echo FAILED ; \ - fi -. else - @if cd ${.CURDIR} && (ulimit -t ${REGRESSMAXTIME} ; ${MAKE} ${RT}); then \ - echo -n "SUCCESS " >> ${REGRESSLOG} ; \ - else \ - echo -n "FAIL (possible timeout) " >> ${REGRESSLOG} ; \ - echo FAILED ; \ - fi -. endif -. endif - @echo ${REGRESSNAME}/${RT:S/^run-regress-//} >> ${REGRESSLOG} -.endfor - -.PHONY: regress -- cgit v1.2.1 From 051f37e77adfe89a0d2689bd822d3b6034ff7fc0 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 17 May 2013 03:16:59 +0000 Subject: - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange methods. When the openssl version doesn't support ECDH then next one on the list is DH group exchange, but that causes a bit more traffic which can mean that the tests flip bits in the initial exchange rather than the MACed traffic and we get different errors to what the tests look for. --- ChangeLog | 5 +++++ regress/integrity.sh | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/ChangeLog b/ChangeLog index 61601f6b..2f657277 100644 --- a/ChangeLog +++ b/ChangeLog @@ -44,6 +44,11 @@ add tests for RekeyLimit parsing - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. + - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange + methods. When the openssl version doesn't support ECDH then next one on + the list is DH group exchange, but that causes a bit more traffic which can + mean that the tests flip bits in the initial exchange rather than the MACed + traffic and we get different errors to what the tests look for. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/integrity.sh b/regress/integrity.sh index 3950b7d1..2621a002 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -21,6 +21,11 @@ config_defined HAVE_EVP_SHA256 && config_defined OPENSSL_HAVE_EVPGCM && \ macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" +# avoid DH group exchange as the extra traffic makes it harder to get the +# offset into the stream right. +echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \ + >> $OBJ/ssh_proxy + # sshd-command for proxy (see test-exec.sh) cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" -- cgit v1.2.1 From 62f014a4eaf322e72a49010d42a322c1b610e1df Mon Sep 17 00:00:00 2001 
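Review bot: The appended `KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1` lists diffie-hellman-group1-sha1, a 1024-bit MODP group that nobody should copy from a test script into a real ssh_config, and the comment above it only explains the traffic-volume motive. Extend the comment so the weak fallback reads as test-only, e.g. `# test-only: group1 (1024-bit) is listed just so KEX has a fixed, small byte count; do not use it in a real config`. It would also be worth noting that the server side must still offer one of these groups, since the client list alone decides nothing; if sshd_proxy restricts KexAlgorithms elsewhere, the test fails before any corruption is injected.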
From: dtucker Date: Fri, 17 May 2013 03:28:36 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 00:37:40 [regress/agent.sh regress/keytype.sh regress/cfgmatch.sh regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh regress/ssh-com.sh] replace 'echo -n' with 'printf' since it's more portable also remove "echon" hack. --- ChangeLog | 7 +++++++ regress/agent.sh | 4 ++-- regress/cert-hostkey.sh | 48 ++++++++++++++++++++++++------------------------ regress/cert-userkey.sh | 10 +++++----- regress/cfgmatch.sh | 6 +++--- regress/cipher-speed.sh | 2 +- regress/forcecommand.sh | 8 ++++---- regress/keytype.sh | 4 ++-- regress/proto-version.sh | 4 ++-- regress/ssh-com.sh | 4 ++-- regress/test-exec.sh | 18 +++--------------- 11 files changed, 55 insertions(+), 60 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2f657277..da5495f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,13 @@ - dtucker@cvs.openbsd.org 2013/05/16 05:48:31 [regress/rekey.sh] add tests for RekeyLimit parsing + - dtucker@cvs.openbsd.org 2013/05/17 00:37:40 + [regress/agent.sh regress/keytype.sh regress/cfgmatch.sh + regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh + regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh + regress/ssh-com.sh] + replace 'echo -n' with 'printf' since it's more portable + also remove "echon" hack. - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/agent.sh b/regress/agent.sh index 094cf694..be7d9133 100644 --- a/regress/agent.sh +++ b/regress/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.7 2007/11/25 15:35:09 jmc Exp $ +# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="simple agent test" 
@@ -19,7 +19,7 @@ else fail "ssh-add -l did not fail with exit code 1" fi trace "overwrite authorized keys" - echon > $OBJ/authorized_keys_$USER + printf '' > $OBJ/authorized_keys_$USER for t in rsa rsa1; do # generate user key for agent rm -f $OBJ/$t-agent diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 6216abd8..35cd3929 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -18,8 +18,8 @@ HOSTS='localhost-with-alias,127.0.0.1,::1' ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ fail "ssh-keygen of host_ca_key failed" ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert @@ -66,25 +66,25 @@ done # Revoked certificates with key present ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_rsa.pub if test "x$TEST_SSH_ECC" = "xyes"; then - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_ecdsa.pub fi - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_dsa.pub - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_rsa_v00.pub - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_dsa_v00.pub ) > $OBJ/known_hosts-cert for privsep in yes no ; do 
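Review bot: `printf "$HOSTS "` passes the variable as the format string, so this replacement for `echon` is only safe while `$HOSTS` holds the fixed `localhost-with-alias,127.0.0.1,::1`; a `%` or backslash in a future host list would be interpreted by printf rather than written to known_hosts-cert. Keep the format literal and pass the data as an argument, `printf '%s ' "$HOSTS"`, which is the same shape the neighbouring `printf '@cert-authority '` and `printf '@revoked '` lines already have. The same `printf "$HOSTS "` recurs in every known_hosts-cert block of this file, including the ones outside this hunk.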
@@ -108,11 +108,11 @@ done # Revoked CA ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do @@ -132,8 +132,8 @@ done # Create a CA key and add it to known hosts ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert @@ -200,7 +200,7 @@ for v in v01 v00 ; do -n $HOSTS $OBJ/cert_host_key_${ktype} || fail "couldn't sign cert_host_key_${ktype}" ( - echon "$HOSTS " + printf "$HOSTS " cat $OBJ/cert_host_key_${ktype}.pub ) > $OBJ/known_hosts-cert ( @@ -220,8 +220,8 @@ done # Wrong certificate ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert for v in v01 v00 ; do diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 3bba9f8f..6018b38f 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -126,7 +126,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do # Wrong principals list verbose "$tid: ${_prefix} wrong principals key option" ( - echon 'cert-authority,principals="gregorsamsa" ' + printf 'cert-authority,principals="gregorsamsa" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 
@@ -138,7 +138,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do # Correct principals list verbose "$tid: ${_prefix} correct principals key option" ( - echon 'cert-authority,principals="mekmitasdigoat" ' + printf 'cert-authority,principals="mekmitasdigoat" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER ${SSH} -2i $OBJ/cert_user_key_${ktype} \ @@ -154,7 +154,7 @@ basic_tests() { if test "x$auth" = "xauthorized_keys" ; then # Add CA to authorized_keys ( - echon 'cert-authority ' + printf 'cert-authority ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER else @@ -264,7 +264,7 @@ test_one() { if test "x$auth" = "xauthorized_keys" ; then # Add CA to authorized_keys ( - echon "cert-authority${auth_opt} " + printf "cert-authority${auth_opt} " cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER else diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 02755d9d..df4acfe0 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.7 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="sshd_config match" @@ -75,9 +75,9 @@ for p in 1 2; do done # Retry previous with key option, should also be denied. -echon 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER +printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER -echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER +printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER for p in 1 2; do trace "match permitopen proxy w/key opts proto $p" diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 65e5f35e..07daebe6 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh 
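Review bot: `printf "cert-authority${auth_opt} "` in `test_one` interpolates `$auth_opt` into printf's format string; `auth_opt` is assigned outside this hunk, and any `%` sequence or backslash in an option value would be interpreted instead of written to authorized_keys, making the test silently exercise a different option than intended. Passing the value as data keeps behaviour independent of its content: `printf 'cert-authority%s ' "$auth_opt"`. The single-quoted `printf 'cert-authority '` and `printf 'permitopen="127.0.0.1:'$PORT'" '` lines nearby are fine as they are, since their only interpolated value is numeric.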
@@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.7 2013/01/12 11:23:53 djm Exp $ +# $OpenBSD: cipher-speed.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="cipher speed" diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh index 99e51a60..ba21c0eb 100644 --- a/regress/forcecommand.sh +++ b/regress/forcecommand.sh @@ -5,9 +5,9 @@ tid="forced command" cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak -echon 'command="true" ' >$OBJ/authorized_keys_$USER +printf 'command="true" ' >$OBJ/authorized_keys_$USER cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER -echon 'command="true" ' >>$OBJ/authorized_keys_$USER +printf 'command="true" ' >>$OBJ/authorized_keys_$USER cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER for p in 1 2; do @@ -16,9 +16,9 @@ for p in 1 2; do fail "forced command in key proto $p" done -echon 'command="false" ' >$OBJ/authorized_keys_$USER +printf 'command="false" ' >$OBJ/authorized_keys_$USER cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER -echon 'command="false" ' >>$OBJ/authorized_keys_$USER +printf 'command="false" ' >>$OBJ/authorized_keys_$USER cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy diff --git a/regress/keytype.sh b/regress/keytype.sh index cb40c686..59586bf0 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.1 2010/09/02 16:12:55 markus Exp $ +# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -40,7 +40,7 @@ for ut in $ktypes; do echo IdentityFile $OBJ/key.$ut ) > $OBJ/ssh_proxy ( - echon 'localhost-with-alias,127.0.0.1,::1 ' + printf 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/key.$ht.pub ) > $OBJ/known_hosts cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER diff --git a/regress/proto-version.sh b/regress/proto-version.sh index 1651a69e..b876dd7e 100644 --- a/regress/proto-version.sh +++ b/regress/proto-version.sh 
@@ -1,4 +1,4 @@ -# $OpenBSD: proto-version.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ +# $OpenBSD: proto-version.sh,v 1.4 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="sshd version with different protocol combinations" @@ -8,7 +8,7 @@ check_version () { version=$1 expect=$2 - banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` + banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` case ${banner} in SSH-1.99-*) proto=199 diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh index 7bcd85b6..6c5cfe88 100644 --- a/regress/ssh-com.sh +++ b/regress/ssh-com.sh @@ -1,4 +1,4 @@ -# $OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $ +# $OpenBSD: ssh-com.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="connect to ssh.com server" @@ -70,7 +70,7 @@ done # convert and append DSA hostkey ( - echon 'ssh2-localhost-with-alias,127.0.0.1,::1 ' + printf 'ssh2-localhost-with-alias,127.0.0.1,::1 ' ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub ) >> $OBJ/known_hosts diff --git a/regress/test-exec.sh b/regress/test-exec.sh index f797ab68..0680eaa9 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.40 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.41 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -172,18 +172,6 @@ SSH="$SSHLOGWRAP" export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP -# helper -echon() -{ - if [ "x`echo -n`" = "x" ]; then - echo -n "$@" - elif [ "x`echo '\c'`" = "x" ]; then - echo "$@\c" - else - fatal "Don't know how to echo without newline." - fi -} - have_prog() { saved_IFS="$IFS" @@ -273,7 +261,7 @@ fail () fatal () { save_debug_log "FATAL: $@" - echo -n "FATAL: " + printf "FATAL: " fail "$@" cleanup exit $RESULT 
@@ -360,7 +348,7 @@ for t in rsa rsa1; do # known hosts file for client ( - echon 'localhost-with-alias,127.0.0.1,::1 ' + printf 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/$t.pub ) >> $OBJ/known_hosts -- cgit v1.2.1 From 008ccabf1beac3f26dab9a525594ab4d224eac69 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 May 2013 04:44:53 +0000 Subject: sync missing ID --- regress/forcecommand.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh index ba21c0eb..44d2b7ff 100644 --- a/regress/forcecommand.sh +++ b/regress/forcecommand.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $ +# $OpenBSD: forcecommand.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="forced command" -- cgit v1.2.1 From 9d310f72cc6c86d98c8cc349b6684b4e5260ad4b Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 May 2013 04:46:20 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 01:16:09 [regress/agent-timeout.sh] Pull back some portability changes from -portable: - TIMEOUT is a read-only variable in some shells - not all greps have -q so redirect to /dev/null instead. (ID sync only) --- ChangeLog | 6 ++++++ regress/agent-timeout.sh | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index da5495f5..db23b2e2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,12 @@ regress/ssh-com.sh] replace 'echo -n' with 'printf' since it's more portable also remove "echon" hack. + - dtucker@cvs.openbsd.org 2013/05/17 01:16:09 + [regress/agent-timeout.sh] + Pull back some portability changes from -portable: + - TIMEOUT is a read-only variable in some shells + - not all greps have -q so redirect to /dev/null instead. + (ID sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange 
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh index 3a40e7af..68826594 100644 --- a/regress/agent-timeout.sh +++ b/regress/agent-timeout.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-timeout.sh,v 1.1 2002/06/06 00:38:40 markus Exp $ +# $OpenBSD: agent-timeout.sh,v 1.2 2013/05/17 01:16:09 dtucker Exp $ # Placed in the Public Domain. tid="agent timeout test" -- cgit v1.2.1 From 79ad8fdfb391783ce2cd391d1b1ffaf87f731cf2 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 May 2013 04:47:51 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 01:32:11 [regress/integrity.sh] don't print output from ssh before getting it (it's available in ssh.log) --- ChangeLog | 3 +++ regress/integrity.sh | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index db23b2e2..a12bf335 100644 --- a/ChangeLog +++ b/ChangeLog @@ -55,6 +55,9 @@ - TIMEOUT is a read-only variable in some shells - not all greps have -q so redirect to /dev/null instead. (ID sync only) + - dtucker@cvs.openbsd.org 2013/05/17 01:32:11 + [regress/integrity.sh] + don't print output from ssh before getting it (it's available in ssh.log) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/integrity.sh b/regress/integrity.sh index 2621a002..982eced2 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -52,7 +52,7 @@ for m in $macs; do aes*gcm*) macopt="-c $m";; *) macopt="-m $m";; esac - verbose "test $tid: $m @$off $output" + verbose "test $tid: $m @$off" ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ 999.999.999.999 'printf "%4096s" " "' >/dev/null if [ $? -eq 0 ]; then -- cgit v1.2.1 
From 05b54b00cdff1fc81056fea3e1bb027df3a20d56 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 May 2013 05:32:29 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 04:29:14 [regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh regress/multiplex.sh] Move the setting of DATA and COPY into test-exec.sh --- ChangeLog | 10 ++++++++++ regress/cipher-speed.sh | 2 +- regress/conch-ciphers.sh | 5 +---- regress/dynamic-forward.sh | 4 +--- regress/forwarding.sh | 9 ++++----- regress/multiplex.sh | 4 +--- regress/putty-ciphers.sh | 5 +---- regress/putty-kex.sh | 5 +---- regress/putty-transfer.sh | 5 +---- regress/reexec.sh | 8 +++----- regress/rekey.sh | 8 ++------ regress/scp.sh | 4 +--- regress/sftp-badcmds.sh | 4 +--- regress/sftp-batch.sh | 4 +--- regress/sftp-chroot.sh | 4 +--- regress/sftp-cmds.sh | 4 +--- regress/sftp.sh | 5 +---- regress/ssh-com-client.sh | 6 +----- regress/ssh-com-sftp.sh | 4 +--- regress/stderr-after-eof.sh | 6 +----- regress/stderr-data.sh | 6 +----- regress/test-exec.sh | 15 ++++++++++----- regress/transfer.sh | 5 +---- 23 files changed, 47 insertions(+), 85 deletions(-) diff --git a/ChangeLog b/ChangeLog index a12bf335..a0dd182f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -58,6 +58,16 @@ - dtucker@cvs.openbsd.org 2013/05/17 01:32:11 [regress/integrity.sh] don't print output from ssh before getting it (it's available in ssh.log)
+ - dtucker@cvs.openbsd.org 2013/05/17 04:29:14
+ [regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh
+ regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh
+ regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh
+ regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh
+ regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh
+ regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh
+ regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh
+ regress/multiplex.sh]
+ Move the setting of DATA and COPY into test-exec.sh
- (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 07daebe6..489d9f5f 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cipher-speed.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
+# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="cipher speed"
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 5b65cd99..199d863a 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -1,11 +1,8 @@
-# $OpenBSD: conch-ciphers.sh,v 1.2 2008/06/30 10:43:03 djm Exp $
+# $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="conch ciphers"
-DATA=/bin/ls
-COPY=${OBJ}/copy
-
if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
echo "conch interop tests not enabled"
exit 0
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index d1ab8059..42fa8acd 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,12 +1,10 @@
-# $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"
FWDPORT=`expr $PORT + 1`
-DATA=/bin/ls${EXEEXT}
-
if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
elif have_prog connect; then
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 6a700307..2ba140fe 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,8 +1,7 @@
-# $OpenBSD: forwarding.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $
+# $OpenBSD: forwarding.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="local and remote forwarding"
-DATA=/bin/ls${EXEEXT}
start_sshd
@@ -26,9 +25,9 @@ for p in 1 2; do
trace "transfer over forwarded channels and check result"
${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
- somehost cat $DATA > $OBJ/ls.copy
- test -f $OBJ/ls.copy || fail "failed copy $DATA"
- cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA"
+ somehost cat ${DATA} > ${COPY}
+ test -f ${COPY} || fail "failed copy of ${DATA}"
+ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
sleep 10
done
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 8389b384..3e697e69 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: multiplex.sh,v 1.20 2013/04/22 07:28:53 dtucker Exp $
+# $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
CTL=/tmp/openssh.regress.ctl-sock.$$
@@ -10,8 +10,6 @@ if config_defined DISABLE_FD_PASSING ; then
exit 0
fi
-DATA=/bin/ls${EXEEXT}
-COPY=$OBJ/ls.copy
P=3301 # test port
wait_for_mux_master_ready()
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 928ea60d..724a98cc 100644
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,11 +1,8 @@
-# $OpenBSD: putty-ciphers.sh,v 1.3 2008/11/10 02:06:35 djm Exp $
+# $OpenBSD: putty-ciphers.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="putty ciphers"
-DATA=/bin/ls
-COPY=${OBJ}/copy
-
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
echo "putty interop tests not enabled"
exit 0
diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
index 293885a8..1844d659 100644
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -1,11 +1,8 @@
-# $OpenBSD: putty-kex.sh,v 1.2 2008/06/30 10:31:11 djm Exp $
+# $OpenBSD: putty-kex.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="putty KEX"
-DATA=/bin/ls
-COPY=${OBJ}/copy
-
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
echo "putty interop tests not enabled"
exit 0
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index 9e1e1550..aec0e04e 100644
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,11 +1,8 @@
-# $OpenBSD: putty-transfer.sh,v 1.2 2008/06/30 10:31:11 djm Exp $
+# $OpenBSD: putty-transfer.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="putty transfer data"
-DATA=/bin/ls
-COPY=${OBJ}/copy
-
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
echo "putty interop tests not enabled"
exit 0
diff --git a/regress/reexec.sh b/regress/reexec.sh
index 9464eb69..5fff62a6 100644
--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -1,12 +1,10 @@
-# $OpenBSD: reexec.sh,v 1.5 2004/10/08 02:01:50 djm Exp $
+# $OpenBSD: reexec.sh,v 1.6 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="reexec tests"
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-SSHD_ORIG=$SSHD${EXEEXT}
-SSHD_COPY=$OBJ/sshd${EXEEXT}
+SSHD_ORIG=$SSHD
+SSHD_COPY=$OBJ/sshd
# Start a sshd and then delete it
start_sshd_copy ()
diff --git a/regress/rekey.sh b/regress/rekey.sh
index cefdea53..8eb7efaf 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
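Review bot: In the reexec.sh hunk, `SSHD_ORIG=$SSHD${EXEEXT}` and `SSHD_COPY=$OBJ/sshd${EXEEXT}` lose their `${EXEEXT}` suffix, which is outside the stated scope of this commit (moving DATA and COPY into test-exec.sh). Unless `$SSHD` already carries the executable suffix on the platforms that set EXEEXT (not visible in this hunk), the copy made by start_sshd_copy would name a non-existent file there; the same assumption is made by the new `cat $SSHD $SSHD $SSHD $SSHD` in test-exec.sh. If dropping the suffix is intentional, the ChangeLog entry should say so; otherwise keep `SSHD_ORIG=$SSHD${EXEEXT}` and `SSHD_COPY=$OBJ/sshd${EXEEXT}`.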
@@ -1,15 +1,11 @@
-# $OpenBSD: rekey.sh,v 1.7 2013/05/16 05:48:31 dtucker Exp $
+# $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="rekey"
-DATA=${OBJ}/data
-COPY=${OBJ}/copy
LOG=${TEST_SSH_LOGFILE}
-rm -f ${COPY} ${LOG} ${DATA}
-touch ${DATA}
-dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1
+rm -f ${LOG}
for s in 16 1k 128k 256k; do
verbose "client rekeylimit ${s}"
diff --git a/regress/scp.sh b/regress/scp.sh
index c5d412dd..ba5ba887 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $
+# $OpenBSD: scp.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="scp"
@@ -12,8 +12,6 @@ else
DIFFOPT="-r"
fi
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
COPY2=${OBJ}/copy2
DIR=${COPY}.dd
DIR2=${COPY}.dd2
diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh
index 08009f26..3dbeb58c 100644
--- a/regress/sftp-badcmds.sh
+++ b/regress/sftp-badcmds.sh
@@ -1,12 +1,10 @@
-# $OpenBSD: sftp-badcmds.sh,v 1.4 2009/08/13 01:11:55 djm Exp $
+# $OpenBSD: sftp-badcmds.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="sftp invalid commands"
-DATA=/bin/ls${EXEEXT}
DATA2=/bin/sh${EXEEXT}
NONEXIST=/NONEXIST.$$
-COPY=${OBJ}/copy
GLOBFILES=`(cd /bin;echo l*)`
rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
diff --git a/regress/sftp-batch.sh b/regress/sftp-batch.sh
index a51ef078..41011549 100644
--- a/regress/sftp-batch.sh
+++ b/regress/sftp-batch.sh
@@ -1,10 +1,8 @@
-# $OpenBSD: sftp-batch.sh,v 1.4 2009/08/13 01:11:55 djm Exp $
+# $OpenBSD: sftp-batch.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="sftp batchfile"
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
BATCH=${OBJ}/sftp.bb
rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh
index 8c07979b..98a364eb 100644
--- a/regress/sftp-chroot.sh
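Review bot: The rekey.sh hunk removes the `dd ... seek=511 count=1` step that guaranteed a 512 KiB `${DATA}`, and the loop below it still tests rekey limits up to 256k; the test now only exercises a rekey at the largest limit if the shared `${DATA}` built in test-exec.sh (four concatenated copies of sshd, per the test-exec.sh hunk of this commit) is larger than 256 KiB, which is likely but no longer asserted. Making the dependency explicit before the loop, e.g. `[ \`wc -c < ${DATA}\` -gt 262144 ] || fatal "${DATA} too small for rekey test"`, would keep a silently-too-small data file from turning this into a test that never rekeys.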
+++ b/regress/sftp-chroot.sh
@@ -1,9 +1,8 @@
-# $OpenBSD: sftp-chroot.sh,v 1.1 2013/04/18 02:46:12 djm Exp $
+# $OpenBSD: sftp-chroot.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="sftp in chroot"
-COPY=${OBJ}/copy
CHROOT=/var/run
FILENAME=testdata_${USER}
PRIVDATA=${CHROOT}/${FILENAME}
@@ -18,7 +17,6 @@ $SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \
start_sshd -oChrootDirectory=$CHROOT -oForceCommand="internal-sftp -d /"
verbose "test $tid: get"
-rm -f ${COPY}
${SFTP} -qS "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY || \
fatal "Fetch ${FILENAME} failed"
cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ"
diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh
index 2e0300e1..ba5ef066 100644
--- a/regress/sftp-cmds.sh
+++ b/regress/sftp-cmds.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sftp-cmds.sh,v 1.12 2012/06/01 00:52:52 djm Exp $
+# $OpenBSD: sftp-cmds.sh,v 1.13 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
# XXX - TODO:
@@ -7,8 +7,6 @@
tid="sftp commands"
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
# test that these files are readable!
for i in `(cd /bin;echo l*)`
do
diff --git a/regress/sftp.sh b/regress/sftp.sh
index f84fa6f4..5f823ee2 100644
--- a/regress/sftp.sh
+++ b/regress/sftp.sh
@@ -1,11 +1,8 @@
-# $OpenBSD: sftp.sh,v 1.3 2009/08/13 01:11:55 djm Exp $
+# $OpenBSD: sftp.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="basic sftp put/get"
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-
SFTPCMDFILE=${OBJ}/batch
cat >$SFTPCMDFILE <$SFTPCMDFILE <$TEST_SSHD_LOGFILE >$TEST_REGRESS_LOGFILE
-# Some data for test copies
-DATA=$OBJ/testdata
-cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA
-
# Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..."
# because sftp and scp don't handle spaces in arguments.
SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh
@@ -168,6 +164,15 @@ echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP
chmod a+rx $OBJ/ssh-log-wrapper.sh
SSH="$SSHLOGWRAP"
+# Some test data. We make a copy because some tests will overwrite it.
+# The tests may assume that $DATA exists and is writable and $COPY does
+# not exist.
+DATA=$OBJ/data
+cat $SSHD $SSHD $SSHD $SSHD >${DATA}
+chmod u+w ${DATA}
+COPY=$OBJ/copy
+rm -f ${COPY}
+
# these should be used in tests
export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
diff --git a/regress/transfer.sh b/regress/transfer.sh
index 13ea367d..1ae3ef5b 100644
--- a/regress/transfer.sh
+++ b/regress/transfer.sh
@@ -1,11 +1,8 @@
-# $OpenBSD: transfer.sh,v 1.1 2002/03/27 00:03:37 markus Exp $
+# $OpenBSD: transfer.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="transfer data"
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-
for p in 1 2; do
verbose "$tid: proto $p"
rm -f ${COPY}
-- cgit v1.2.1
From 38d5beca03818c72c8b722a0afb1507a81695236 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 06:03:48 +0000
Subject: - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits.
---
ChangeLog | 1 +
openbsd-compat/getopt.h | 4 ----
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a0dd182f..a64ea46a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -75,6 +75,7 @@ the list is DH group exchange, but that causes a bit more traffic which can mean that the tests flip bits in the initial exchange rather than the MACed traffic and we get different errors to what the tests look for.
+ - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits.
20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
diff --git a/openbsd-compat/getopt.h b/openbsd-compat/getopt.h
index 0311b078..8eb12447 100644
--- a/openbsd-compat/getopt.h
+++ b/openbsd-compat/getopt.h
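Review bot: In the test-exec.sh hunk, `cat $SSHD $SSHD $SSHD $SSHD >${DATA}` is not checked; if `$SSHD` is missing or unreadable the redirection still creates an empty `${DATA}`, `chmod u+w` succeeds, and transfer tests that `cmp ${DATA} ${COPY}` would then compare two empty files and pass, which hides the failure instead of reporting it. A guard such as `cat $SSHD $SSHD $SSHD $SSHD >${DATA} || { echo "failed to create ${DATA}" >&2; exit 1; }` (or a `test -s ${DATA}` check) would make the setup fail loudly. The `fatal` helper appears to be defined later in this file (a later commit's hunk at old line 278 shows its closing brace), so it may not be callable at this point; please confirm before using it here.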
@@ -33,8 +33,6 @@
#ifndef _GETOPT_H_
#define _GETOPT_H_
-#include
/*
* GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions
*/
@@ -56,7 +54,6 @@ struct option {
int val;
};
-__BEGIN_DECLS
int getopt_long(int, char * const *, const char *, const struct option *, int *);
int getopt_long_only(int, char * const *, const char *,
@@ -73,6 +70,5 @@ extern int optopt;
extern int optreset;
extern char *suboptarg; /* getsubopt(3) external variable */
#endif
-__END_DECLS
#endif /* !_GETOPT_H_ */
-- cgit v1.2.1
From 300b9b494dc6f27547ceb19726b1cf7473ddd702 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 09:02:28 +0000
Subject: - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd.
---
ChangeLog | 1 +
regress/cfgmatch.sh | 8 ++++----
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a64ea46a..e3e3b657 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -76,6 +76,7 @@ mean that the tests flip bits in the initial exchange rather than the MACed traffic and we get different errors to what the tests look for. - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits.
+ - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd.
20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index df4acfe0..e5907354 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -40,15 +40,15 @@ stop_client()
}
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
-echo "Match user $USER" >>$OBJ/sshd_proxy
-echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match user $USER" >>$OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
-- cgit v1.2.1
From d378140535a069faf20b18064f2629828602be13 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 09:03:38 +0000
Subject: - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd.
---
ChangeLog | 1 +
regress/agent-getpeereid.sh | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index e3e3b657..b02acb2d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -77,6 +77,7 @@ traffic and we get different errors to what the tests look for. - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits. - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd.
+ - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd.
20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index faf654c0..1726c2b9 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -18,7 +18,6 @@ if [ -z "$SUDO" ]; then
exit 0
fi
-
trace "start agent"
eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
r=$?
-- cgit v1.2.1
From c8bb1c96beec3e8a4f198611e017c6e0edf00199 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 09:17:58 +0000
Subject: - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh] Move the jot helper function to portable-specific part of test-exec.sh.
---
ChangeLog | 2 ++
regress/integrity.sh | 4 ----
regress/krl.sh | 4 ----
regress/test-exec.sh | 6 ++++++
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b02acb2d..620a635f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -78,6 +78,8 @@ - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits. - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd. - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd.
+ - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh]
+ Move the jot helper function to portable-specific part of test-exec.sh.
20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 982eced2..1d17fe10 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -29,10 +29,6 @@ echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \
# sshd-command for proxy (see test-exec.sh)
cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy"
-jot() {
- awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
-}
-
for m in $macs; do
trace "test $tid: mac $m"
elen=0
diff --git a/regress/krl.sh b/regress/krl.sh
index 62a239c3..de9cc876 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -39,10 +39,6 @@ serial: 799
serial: 599-701
EOF
-jot() {
- awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
-}
-
# A specification that revokes some certificated by key ID.
touch $OBJ/revoked-keyid
for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 599b8d9b..910ed4f7 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -177,6 +177,7 @@ rm -f ${COPY}
export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
+# Portable specific functions
have_prog()
{
saved_IFS="$IFS"
@@ -192,6 +193,11 @@ have_prog()
return 1
}
+jot() {
+ awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
+}
+# End of portable specific functions
+
cleanup ()
{
if [ -f $PIDFILE ]; then
-- cgit v1.2.1
From 68fccfe63c91e7a93c13b7dce8ecc2ed3950456b Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 09:28:51 +0000
Subject: - (dtucker) [regress/test-exec.sh] Move the portable-specific functions together and add a couple of missing lines from openbsd.
---
ChangeLog | 2 ++
regress/test-exec.sh | 24 +++++++++++++-----------
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 620a635f..f998c301 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -80,6 +80,8 @@ - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd. - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh] Move the jot helper function to portable-specific part of test-exec.sh.
+ - (dtucker) [regress/test-exec.sh] Move the portable-specific functions
+ together and add a couple of missing lines from openbsd.
20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 910ed4f7..69e5042b 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
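Review bot: The `jot()` helper added in the second test-exec.sh hunk splices `$1` and `$2` unquoted into the awk program text, so anything other than a plain integer (an empty argument, a value with spaces, or a stray quote) becomes awk syntax rather than a number and fails or misbehaves; the callers visible in this commit (`jot 500 300` in krl.sh, integrity.sh outside the hunk) all pass literals, so this is a documentation point now that the function is shared. A header comment above it, `# jot COUNT START: print COUNT consecutive integers starting at START. Both arguments are interpolated into an awk program and must be plain integers.`, would record that contract for future callers in the portable tree.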
@@ -196,8 +196,20 @@ have_prog()
jot() {
awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
}
+
+# Check whether preprocessor symbols are defined in config.h.
+config_defined ()
+{
+ str=$1
+ while test "x$2" != "x" ; do
+ str="$str|$2"
+ shift
+ done
+ egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
+}
# End of portable specific functions
+# helper
cleanup ()
{
if [ -f $PIDFILE ]; then
@@ -278,17 +290,6 @@ fatal ()
exit $RESULT
}
-# Check whether preprocessor symbols are defined in config.h.
-config_defined ()
-{
- str=$1
- while test "x$2" != "x" ; do
- str="$str|$2"
- shift
- done
- egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
-}
-
RESULT=0
PIDFILE=$OBJ/pidfile
@@ -336,6 +337,7 @@ Host *
ChallengeResponseAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
+ RhostsRSAAuthentication no
BatchMode yes
StrictHostKeyChecking yes
LogLevel DEBUG3
-- cgit v1.2.1
From cf38fc2ff1577d8778d0b7c5fc48b316b9e2a1b4 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 09:53:25 +0000
Subject: - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5 helper function to the portable part of test-exec.sh.
---
ChangeLog | 2 ++
regress/stderr-after-eof.sh | 14 +-------------
regress/test-exec.sh | 14 ++++++++++++++
3 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f998c301..ec9ab122 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -82,6 +82,8 @@ Move the jot helper function to portable-specific part of test-exec.sh. - (dtucker) [regress/test-exec.sh] Move the portable-specific functions together and add a couple of missing lines from openbsd.
+ - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5
+ helper function to the portable part of test-exec.sh.
20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
diff --git a/regress/stderr-after-eof.sh b/regress/stderr-after-eof.sh
index 9072db28..218ac6b6 100644
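Review bot: The `egrep "^#define.*($str)"` in the relocated `config_defined` (first test-exec.sh hunk) does a substring match: `.*` lets the alternatives match anywhere after `#define`, and nothing anchors the right side, so `config_defined FOO` also reports true for a `#define FOOBAR 1` or `#define HAVE_FOO 1` line in config.h. For a helper that tests like multiplex.sh use to decide whether to skip (`config_defined DISABLE_FD_PASSING`), a false positive silently skips a test, so anchoring the symbol is worthwhile: `egrep "^#define[[:space:]]+($str)([[:space:]]|$)" ${BUILDDIR}/config.h >/dev/null 2>&1`. The arguments are also pasted unescaped into the regex, which is fine for identifier names but worth a comment (`# arguments must be plain symbol names; they are used as regex alternatives`).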
--- a/regress/stderr-after-eof.sh
+++ b/regress/stderr-after-eof.sh
@@ -3,23 +3,11 @@ tid="stderr data after eof"
-if have_prog md5sum; then
- CHECKSUM=md5sum
-elif have_prog openssl; then
- CHECKSUM="openssl md5"
-elif have_prog cksum; then
- CHECKSUM=cksum
-elif have_prog sum; then
- CHECKSUM=sum
-else
- fatal "No checksum program available, aborting $tid test"
-fi
-
# setup data
rm -f ${DATA} ${COPY}
cp /dev/null ${DATA}
for i in 1 2 3 4 5 6; do
- (date;echo $i) | $CHECKSUM >> ${DATA}
+ (date;echo $i) | md5 >> ${DATA}
done
${SSH} -2 -F $OBJ/ssh_proxy otherhost \
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 69e5042b..d336e619 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -207,6 +207,20 @@ config_defined ()
done
egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
}
+
+md5 () {
+ if have_prog md5sum; then
+ md5sum
+ elif have_prog openssl; then
+ openssl md5
+ elif have_prog cksum; then
+ cksum
+ elif have_prog sum; then
+ sum
+ else
+ wc -c
+ fi
+}
# End of portable specific functions
# helper
-- cgit v1.2.1
From f554f023d731a77e750a7e551d8f55798a3527ff Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 10:01:52 +0000
Subject: - (dtucker) [regress/runtests.sh] Remove obsolete test driver script.
---
ChangeLog | 1 +
regress/runtests.sh | 13 -------------
2 files changed, 1 insertion(+), 13 deletions(-)
delete mode 100755 regress/runtests.sh
diff --git a/ChangeLog b/ChangeLog
index ec9ab122..26a183cb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -84,6 +84,7 @@ together and add a couple of missing lines from openbsd. - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5 helper function to the portable part of test-exec.sh.
+ - (dtucker) [regress/runtests.sh] Remove obsolete test driver script.
20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
diff --git a/regress/runtests.sh b/regress/runtests.sh
deleted file mode 100755
index 9808eb8a..00000000
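Review bot: The `else wc -c` branch of the new `md5 ()` helper in the test-exec.sh hunk is not a digest and silently replaces the `fatal "No checksum program available..."` exit that the removed block in stderr-after-eof.sh had, so a host with none of md5sum/openssl/cksum/sum now runs the test with six near-identical byte counts as its data instead of aborting. Either restore the hard failure, `else fatal "No checksum program available"`, or, if a degraded fallback is intended, say so above the function: `# md5: pipe stdin through whichever digest tool is available; the final fallback (wc -c) is not a digest and only keeps callers running`. A one-line comment that the function name deliberately shadows a native md5(1) on platforms that have one would also help the next reader of the portable section.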
--- a/regress/runtests.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-TEST_SSH_SSH=../ssh
-TEST_SSH_SSHD=../sshd
-TEST_SSH_SSHAGENT=../ssh-agent
-TEST_SSH_SSHADD=../ssh-add
-TEST_SSH_SSHKEYGEN=../ssh-keygen
-TEST_SSH_SSHKEYSCAN=../ssh-keyscan
-TEST_SSH_SFTP=../sftp
-TEST_SSH_SFTPSERVER=../sftp-server
-
-pmake
-
-- cgit v1.2.1
From d978a39bde26fd17fe2112552bec619c607004c0 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 10:12:57 +0000
Subject: - (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep renderd obsolete by rev 1.6 which calls wait.
---
ChangeLog | 2 ++
regress/cfgmatch.sh | 1 -
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 26a183cb..f4be9bc9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -85,6 +85,8 @@ - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5 helper function to the portable part of test-exec.sh. - (dtucker) [regress/runtests.sh] Remove obsolete test driver script.
+ - (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep renderd obsolete by
+ rev 1.6 which calls wait.
20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index e5907354..80cf2293 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -34,7 +34,6 @@ stop_client()
pid=`cat $pidfile`
if [ ! -z "$pid" ]; then
kill $pid
- sleep 1
fi
wait
}
-- cgit v1.2.1
From 19ddab4d9046d7def7cf9b39ed67c22822448bbd Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 10:39:57 +0000
Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:16:26 [regress/try-ciphers.sh] use expr for math to keep diffs vs portable down (id sync only)
---
ChangeLog | 4 ++++
regress/try-ciphers.sh | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index f4be9bc9..72df1360 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -68,6 +68,10 @@ regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh regress/multiplex.sh] Move the setting of DATA and COPY into test-exec.sh
+ - dtucker@cvs.openbsd.org 2013/05/17 10:16:26
+ [regress/try-ciphers.sh]
+ use expr for math to keep diffs vs portable down
+ (id sync only)
- (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index 084a1457..e17c9f5e 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: try-ciphers.sh,v 1.19 2013/02/11 23:58:51 djm Exp $
+# $OpenBSD: try-ciphers.sh,v 1.20 2013/05/17 10:16:26 dtucker Exp $
# Placed in the Public Domain.
tid="try ciphers"
-- cgit v1.2.1
From d44ff5a4319c4368fb804696b6d01fc687577ca5 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 10:41:07 +0000
Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:23:52 [regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh] Use SUDO when cat'ing pid files and running the sshd log wrapper so that it works with a restrictive umask and the pid files are not world readable. Changes from -portable. (id sync only)
---
ChangeLog | 5 +++++
regress/login-timeout.sh | 2 +-
regress/reexec.sh | 2 +-
regress/test-exec.sh | 2 +-
4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 72df1360..bf1c3b95 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -72,6 +72,11 @@ [regress/try-ciphers.sh] use expr for math to keep diffs vs portable down (id sync only)
+ - dtucker@cvs.openbsd.org 2013/05/17 10:23:52
+ [regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh]
+ Use SUDO when cat'ing pid files and running the sshd log wrapper so that
+ it works with a restrictive umask and the pid files are not world readable.
+ Changes from -portable. (id sync only)
- (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index 55fbb324..d73923b9 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: login-timeout.sh,v 1.4 2005/02/27 23:13:36 djm Exp $
+# $OpenBSD: login-timeout.sh,v 1.5 2013/05/17 10:23:52 dtucker Exp $
# Placed in the Public Domain.
tid="connect after login grace timeout"
diff --git a/regress/reexec.sh b/regress/reexec.sh
index 5fff62a6..433573f0 100644
--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: reexec.sh,v 1.6 2013/05/17 04:29:14 dtucker Exp $
+# $OpenBSD: reexec.sh,v 1.7 2013/05/17 10:23:52 dtucker Exp $
# Placed in the Public Domain.
tid="reexec tests"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index d336e619..c9a9b64e 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.42 2013/05/17 04:29:14 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.43 2013/05/17 10:23:52 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
-- cgit v1.2.1
From 6faec87fab276e802f745df7d20607b54c5e70ef Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 10:42:05 +0000
Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:24:48 [localcommand.sh] use backticks for portability. (id sync only)
---
ChangeLog | 3 +++
regress/localcommand.sh | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index bf1c3b95..fc5c7005 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -77,6 +77,9 @@ Use SUDO when cat'ing pid files and running the sshd log wrapper so that it works with a restrictive umask and the pid files are not world readable. Changes from -portable. (id sync only)
+ - dtucker@cvs.openbsd.org 2013/05/17 10:24:48
+ [localcommand.sh]
+ use backticks for portability. (id sync only)
- (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange
diff --git a/regress/localcommand.sh b/regress/localcommand.sh
index feade7a9..8a9b5697 100644
--- a/regress/localcommand.sh
+++ b/regress/localcommand.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: localcommand.sh,v 1.1 2007/10/29 06:57:13 dtucker Exp $
+# $OpenBSD: localcommand.sh,v 1.2 2013/05/17 10:24:48 dtucker Exp $
# Placed in the Public Domain.
tid="localcommand"
-- cgit v1.2.1
From a110b432b930b960e23e65254fe7f8a55f0371e8 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 May 2013 10:43:13 +0000
Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:26:26 [regress/sftp-badcmds.sh] remove unused BATCH variable. (id sync only)
---
ChangeLog | 5 ++++-
regress/sftp-badcmds.sh | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fc5c7005..a582dfc8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -78,8 +78,11 @@ it works with a restrictive umask and the pid files are not world readable. Changes from -portable. (id sync only) - dtucker@cvs.openbsd.org 2013/05/17 10:24:48 - [localcommand.sh] + [regress/localcommand.sh] use backticks for portability. (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:26:26 + [regress/sftp-badcmds.sh] + remove unused BATCH variable. (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh index 3dbeb58c..7f85c4f2 100644 --- a/regress/sftp-badcmds.sh +++ b/regress/sftp-badcmds.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp-badcmds.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: sftp-badcmds.sh,v 1.6 2013/05/17 10:26:26 dtucker Exp $ # Placed in the Public Domain. tid="sftp invalid commands" -- cgit v1.2.1 From e08fc9ccc49e911324b495571c1da107876d35db Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 May 2013 10:44:09 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:28:11 [regress/sftp.sh] only compare copied data if sftp succeeds. from portable (id sync only) --- ChangeLog | 3 +++ regress/sftp.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a582dfc8..d3e5253d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -83,6 +83,9 @@ - dtucker@cvs.openbsd.org 2013/05/17 10:26:26 [regress/sftp-badcmds.sh] remove unused BATCH variable. (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:28:11 + [regress/sftp.sh] + only compare copied data if sftp succeeds. from portable (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/sftp.sh b/regress/sftp.sh index 5f823ee2..b8e9f752 100644 
--- a/regress/sftp.sh +++ b/regress/sftp.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: sftp.sh,v 1.5 2013/05/17 10:28:11 dtucker Exp $ # Placed in the Public Domain. tid="basic sftp put/get" -- cgit v1.2.1 From c50fe4b5e707fbbf88efbe96db1920ad5b1a2f44 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 May 2013 10:45:06 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:30:07 [regress/test-exec.sh] wait a bit longer for startup and use case for absolute path. from portable (id sync only) --- ChangeLog | 4 ++++ regress/test-exec.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d3e5253d..cbf96d64 100644 --- a/ChangeLog +++ b/ChangeLog @@ -86,6 +86,10 @@ - dtucker@cvs.openbsd.org 2013/05/17 10:28:11 [regress/sftp.sh] only compare copied data if sftp succeeds. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:30:07 + [regress/test-exec.sh] + wait a bit longer for startup and use case for absolute path. + from portable (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/test-exec.sh b/regress/test-exec.sh index c9a9b64e..2eab3234 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.43 2013/05/17 10:23:52 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.44 2013/05/17 10:30:07 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo -- cgit v1.2.1 From 670b80b9a5a5bd700841c4536d668cfe0b945e16 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 May 2013 10:46:00 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:33:09 [regress/agent-getpeereid.sh] don't redirect stdout from sudo. from portable (id sync only) --- ChangeLog | 3 +++ regress/agent-getpeereid.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) 
diff --git a/ChangeLog b/ChangeLog index cbf96d64..a2ac83dd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -90,6 +90,9 @@ [regress/test-exec.sh] wait a bit longer for startup and use case for absolute path. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:33:09 + [regress/agent-getpeereid.sh] + don't redirect stdout from sudo. from portable (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 1726c2b9..d5ae2d6e 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-getpeereid.sh,v 1.4 2007/11/25 15:35:09 jmc Exp $ +# $OpenBSD: agent-getpeereid.sh,v 1.5 2013/05/17 10:33:09 dtucker Exp $ # Placed in the Public Domain. tid="disallow agent attach from other uid" -- cgit v1.2.1 From e89f9d4dcf3121d343ceda0e09350e75b06902f1 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 May 2013 10:47:29 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:34:30 [regress/portnum.sh] use a more portable negated if structure. from portable (id sync only) --- ChangeLog | 3 +++ regress/portnum.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a2ac83dd..edc92e63 100644 --- a/ChangeLog +++ b/ChangeLog @@ -93,6 +93,9 @@ - dtucker@cvs.openbsd.org 2013/05/17 10:33:09 [regress/agent-getpeereid.sh] don't redirect stdout from sudo. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:34:30 + [regress/portnum.sh] + use a more portable negated if structure. from portable (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange 
diff --git a/regress/portnum.sh b/regress/portnum.sh index 1de0680f..c56b869a 100644 --- a/regress/portnum.sh +++ b/regress/portnum.sh @@ -1,4 +1,4 @@ -# $OpenBSD: portnum.sh,v 1.1 2009/08/13 00:57:17 djm Exp $ +# $OpenBSD: portnum.sh,v 1.2 2013/05/17 10:34:30 dtucker Exp $ # Placed in the Public Domain. tid="port number parsing" -- cgit v1.2.1 From 8cf568e00867da23549918ad097824b35bd7e453 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 May 2013 10:48:59 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:35:43 [regress/scp.sh] use a file extention that's not special on some platforms. from portable (id sync only) --- ChangeLog | 4 ++++ regress/scp.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index edc92e63..50054ef0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -96,6 +96,10 @@ - dtucker@cvs.openbsd.org 2013/05/17 10:34:30 [regress/portnum.sh] use a more portable negated if structure. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:35:43 + [regress/scp.sh] + use a file extention that's not special on some platforms. from portable + (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/scp.sh b/regress/scp.sh index ba5ba887..29c5b35d 100644 --- a/regress/scp.sh +++ b/regress/scp.sh @@ -1,4 +1,4 @@ -# $OpenBSD: scp.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: scp.sh,v 1.9 2013/05/17 10:35:43 dtucker Exp $ # Placed in the Public Domain. tid="scp" -- cgit v1.2.1 From a1afbea9d684c06a83d1ac2f81b29e1bf80e2733 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Wed, 29 May 2013 22:29:08 +0000 Subject: - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null implementation of endgrent for platforms that don't have it (eg Android). Loosely based on a patch from Nathan Osman, ok djm --- ChangeLog | 4 ++++ configure.ac | 5 +++-- openbsd-compat/bsd-misc.h | 6 +++++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 50054ef0..ef4dc705 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ + 20130529 + - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null + implementation of endgrent for platforms that don't have it (eg Android). + Loosely based on a patch from Nathan Osman, ok djm 20130517 - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/03/07 00:20:34 diff --git a/configure.ac b/configure.ac index 7d8adfcb..13c05584 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.524 2013/05/16 10:47:32 dtucker Exp $ +# $Id: configure.ac,v 1.525 2013/05/29 22:29:09 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.524 $) +AC_REVISION($Revision: 1.525 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1531,6 +1531,7 @@ AC_CHECK_FUNCS([ \ clock \ closefrom \ dirfd \ + endgrent \ fchmod \ fchown \ freeaddrinfo \ diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index 43006637..9ebd83c3 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -1,4 +1,4 @@ -/* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */ +/* $Id: bsd-misc.h,v 1.24 2013/05/29 22:29:09 dtucker Exp $ */ /* * Copyright (c) 1999-2004 Damien Miller @@ -110,4 +110,8 @@ int isblank(int); pid_t getpgid(pid_t); #endif +#ifndef HAVE_ENDGRENT +# define endgrent() {} +#endif + #endif /* _BSD_MISC_H */ -- cgit v1.2.1 
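Review bot: In the bsd-misc.h hunk `# define endgrent() {}` expands to a bare compound statement, so a call of the form `if (cond) endgrent(); else ...` turns into `if (cond) {}; else ...` and fails to compile, and the macro cannot stand where an expression is expected; `# define endgrent() ((void)0)` keeps the no-op semantics while being usable anywhere the real function call is. A one-line reason next to the fallback would also help the next reader, e.g. `/* bz#2087: no-op for platforms without endgrent(), e.g. Android */`. The configure.ac hunk adding `endgrent` to AC_CHECK_FUNCS is what gates this, so the define is only reached when the probe fails.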
From a5d86ad65a5915225f2863ae07e3f399e254b3ef Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 20:28:03 +0000 Subject: - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to using openssl's DES_crpyt function on platorms that don't have a native one, eg Android. Based on a patch from Nathan Osman. --- ChangeLog | 8 +++++++- configure.ac | 5 +++-- openbsd-compat/xcrypt.c | 7 ++++++- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index ef4dc705..58efd7b1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,13 @@ - 20130529 +20130601 + - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to + using openssl's DES_crpyt function on platorms that don't have a native + one, eg Android. Based on a patch from Nathan Osman. + +20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null implementation of endgrent for platforms that don't have it (eg Android). Loosely based on a patch from Nathan Osman, ok djm + 20130517 - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/03/07 00:20:34 diff --git a/configure.ac b/configure.ac index 13c05584..c70c504f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.525 2013/05/29 22:29:09 dtucker Exp $ +# $Id: configure.ac,v 1.526 2013/06/01 20:28:04 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.525 $) +AC_REVISION($Revision: 1.526 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2388,6 +2388,7 @@ fi if test "x$check_for_libcrypt_later" = "x1"; then AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) fi +AC_CHECK_FUNCS([crypt DES_crypt]) # Search for SHA256 support in libc and/or OpenSSL AC_CHECK_FUNCS([SHA256_Update EVP_sha256], [TEST_SSH_SHA256=yes], 
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c index 6291e288..c8aea461 100644 --- a/openbsd-compat/xcrypt.c +++ b/openbsd-compat/xcrypt.c @@ -55,7 +55,12 @@ # if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) # include "md5crypt.h" -# endif +# endif + +# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) +# include +# define crypt DES_crypt +# endif char * xcrypt(const char *password, const char *salt) -- cgit v1.2.1 From 61416109e7856e0d90e05821159ef21ae6e6066b Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 21:18:47 +0000 Subject: - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS rather than trying to enumerate the plaforms that don't have them. Based on a patch from Nathan Osman, with help from tim@. --- ChangeLog | 3 +++ configure.ac | 39 +++++++++++++++++++++++++++++++++------ defines.h | 24 +++++++++++------------- 3 files changed, 47 insertions(+), 19 deletions(-) diff --git a/ChangeLog b/ChangeLog index 58efd7b1..3fe13dfa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to using openssl's DES_crpyt function on platorms that don't have a native one, eg Android. Based on a patch from Nathan Osman. + - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS + rather than trying to enumerate the plaforms that don't have them. + Based on a patch from Nathan Osman, with help from tim@. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/configure.ac b/configure.ac index c70c504f..d35a19bc 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.526 2013/06/01 20:28:04 dtucker Exp $ +# $Id: configure.ac,v 1.527 2013/06/01 21:18:48 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
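Review bot: The new fallback in the xcrypt.c hunk redefines `crypt` as `DES_crypt`, and OpenSSL's DES_crypt implements only the traditional DES scheme, so on a platform that takes this branch a stored password hash in any other format (MD5 `$1$`, SHA-crypt, bcrypt) cannot verify; that limitation is worth stating on the `# define`, e.g. `/* DES-only fallback: non-DES hash formats will not verify here */`. Recent OpenSSL versions also return NULL from DES_crypt for an invalid salt, so the caller of the redefined `crypt` (xcrypt's body continues outside the hunk) should be checked for a NULL result before it is compared or copied. The enabling probe `AC_CHECK_FUNCS([crypt DES_crypt])` in the configure.ac hunk runs right after the optional `-lcrypt` check; whether `$LIBS` already contains the OpenSSL library at that point is not visible here, and if it does not, HAVE_DES_CRYPT would never be set and the fallback would be dead code.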
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.526 $) +AC_REVISION($Revision: 1.527 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -979,9 +979,6 @@ mips-sony-bsd|mips-sony-newsos4) *-*-nto-qnx*) AC_DEFINE([USE_PIPES]) AC_DEFINE([NO_X11_UNIX_SOCKETS]) - AC_DEFINE([MISSING_NFDBITS], [1], [Define on *nto-qnx systems]) - AC_DEFINE([MISSING_HOWMANY], [1], [Define on *nto-qnx systems]) - AC_DEFINE([MISSING_FD_MASK], [1], [Define on *nto-qnx systems]) AC_DEFINE([DISABLE_LASTLOG]) AC_DEFINE([SSHD_ACQUIRES_CTTY]) AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken]) @@ -1002,7 +999,6 @@ mips-sony-bsd|mips-sony-newsos4) *-*-lynxos) CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" - AC_DEFINE([MISSING_HOWMANY]) AC_DEFINE([BROKEN_SETVBUF], [1], [LynxOS has broken setvbuf() implementation]) ;; esac @@ -1703,6 +1699,37 @@ AC_CHECK_DECLS([offsetof], , , [ #include ]) +# extra bits for select(2) +AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[ +#include +#include +#ifdef HAVE_SYS_SYSMACROS_H +#include +#endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + ]]) +AC_CHECK_TYPES([fd_mask], [], [], [[ +#include +#include +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + ]]) + AC_CHECK_FUNCS([setresuid], [ dnl Some platorms have setresuid that isn't implemented, test for this AC_MSG_CHECKING([if setresuid seems to work]) diff --git a/defines.h b/defines.h index 64515c2f..d5ce52f3 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */ +/* $Id: defines.h,v 1.172 2013/06/01 21:18:48 dtucker Exp $ */ /* Constants */ 
@@ -171,11 +171,6 @@ enum # define MAP_FAILED ((void *)-1) #endif -/* *-*-nto-qnx doesn't define this constant in the system headers */ -#ifdef MISSING_NFDBITS -# define NFDBITS (8 * sizeof(unsigned long)) -#endif - /* SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but including rpc/rpc.h breaks Solaris 6 @@ -355,11 +350,19 @@ struct winsize { }; #endif -/* *-*-nto-qnx does not define this type in the system headers */ -#ifdef MISSING_FD_MASK +/* bits needed for select that may not be in the system headers */ +#ifndef HAVE_FD_MASK typedef unsigned long int fd_mask; #endif +#if defined(HAVE_DECL_NFDBITS) && HAVE_DECL_NFDBITS == 0 +# define NFDBITS (8 * sizeof(unsigned long)) +#endif + +#if defined(HAVE_DECL_HOWMANY) && HAVE_DECL_HOWMANY == 0 +# define howmany(x,y) (((x)+((y)-1))/(y)) +#endif + /* Paths */ #ifndef _PATH_BSHELL @@ -484,11 +487,6 @@ struct winsize { # define __nonnull__(x) #endif -/* *-*-nto-qnx doesn't define this macro in the system headers */ -#ifdef MISSING_HOWMANY -# define howmany(x,y) (((x)+((y)-1))/(y)) -#endif - #ifndef OSSH_ALIGNBYTES #define OSSH_ALIGNBYTES (sizeof(int) - 1) #endif -- cgit v1.2.1 From c2f0959783c0bd521f1e74528e1c33ce620f34a4 Mon Sep 17 00:00:00 2001 
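Review bot: In the defines.h @@ -355 hunk the `NFDBITS` fallback is defined as `(8 * sizeof(unsigned long))` independently of `fd_mask`, while the `fd_mask` fallback just above it only applies when HAVE_FD_MASK is unset; a platform that has its own `fd_mask` of a different width but lacks NFDBITS would therefore get a bit count that disagrees with the mask type, and any `howmany(n, NFDBITS)` arithmetic used to size fd_set arrays (not visible here) would be off. Tying the count to the type, `# define NFDBITS (8 * sizeof(fd_mask))`, removes the coupling, and the typedef already precedes it in the same hunk so ordering is fine. The `howmany` fallback is independent of both and needs no change.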
From: dtucker Date: Sat, 1 Jun 2013 21:31:17 +0000 Subject: - djm@cvs.openbsd.org 2013/05/17 00:13:13 [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@ --- ChangeLog | 17 ++++++ addrmatch.c | 6 +-- auth-chall.c | 12 ++--- auth-options.c | 60 +++++++++++----------- auth-rsa.c | 6 +-- auth.c | 16 +++--- auth1.c | 14 +++-- auth2-chall.c | 27 +++++----- auth2-gss.c | 17 +++--- auth2-hostbased.c | 14 ++--- auth2-jpake.c | 24 ++++----- auth2-kbdint.c | 6 +-- auth2-passwd.c | 6 +-- auth2-pubkey.c | 26 +++++----- auth2.c | 17 +++--- authfd.c | 10 ++-- authfile.c | 10 ++-- bufaux.c | 6 +-- bufbn.c | 18 +++---- bufec.c | 6 +-- buffer.c | 4 +- canohost.c | 10 ++-- channels.c | 98 +++++++++++++++-------------------- cipher-3des1.c | 6 +-- cipher.c | 10 ++-- clientloop.c | 55 +++++++++----------- compat.c | 6 +-- dns.c | 10 ++-- groupaccess.c | 5 +- gss-genr.c | 16 +++--- hostfile.c | 16 +++--- jpake.c | 8 +-- kex.c | 18 +++---- kexdhc.c | 8 +-- kexdhs.c | 8 +-- kexecdhc.c | 8 +-- kexecdhs.c | 8 +-- kexgexc.c | 8 +-- kexgexs.c | 8 +-- key.c | 57 +++++++++------------ mac.c | 6 +-- match.c | 15 +++--- misc.c | 12 
++--- moduli.c | 10 ++-- monitor.c | 125 ++++++++++++++++++++++---------------------- monitor_mm.c | 13 ++--- monitor_wrap.c | 30 +++++------ mux.c | 122 +++++++++++++++++++------------------------ packet.c | 30 +++++------ readconf.c | 30 +++++------ readpass.c | 4 +- roaming_client.c | 9 ++-- rsa.c | 10 ++-- schnorr.c | 8 +-- scp.c | 22 ++++---- servconf.c | 9 ++-- serverloop.c | 32 +++++------- session.c | 92 ++++++++++++++------------------- sftp-client.c | 54 +++++++++---------- sftp-common.c | 6 +-- sftp-glob.c | 6 +-- sftp-server.c | 58 ++++++++++----------- sftp.c | 92 ++++++++++++++++----------------- ssh-add.c | 20 ++++---- ssh-agent.c | 63 ++++++++++------------- ssh-dss.c | 10 ++-- ssh-ecdsa.c | 10 ++-- ssh-keygen.c | 104 ++++++++++++++++++------------------- ssh-keyscan.c | 16 +++--- ssh-keysign.c | 20 ++++---- ssh-pkcs11-client.c | 10 ++-- ssh-pkcs11-helper.c | 23 ++++----- ssh-pkcs11.c | 27 +++++----- ssh-rsa.c | 23 ++++----- ssh.c | 44 ++++++++-------- sshconnect.c | 41 ++++++++------- sshconnect1.c | 18 +++---- sshconnect2.c | 145 ++++++++++++++++++++++++---------------------------- sshd.c | 12 ++--- umac.c | 4 +- uuencode.c | 7 +-- xmalloc.c | 10 +--- xmalloc.h | 3 +- 83 files changed, 987 insertions(+), 1103 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3fe13dfa..1de8ff83 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -5,6 +5,23 @@ - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS rather than trying to enumerate the plaforms that don't have them. Based on a patch from Nathan Osman, with help from tim@. + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/05/17 00:13:13 + [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c + ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c + gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c + auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c + servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c + auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c + sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c + kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c + kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c + monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c + ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c + sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c + ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c + dns.c packet.c readpass.c authfd.c moduli.c] + bye, bye xfree(); ok markus@ 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/addrmatch.c b/addrmatch.c index 388603ca..fb6de92e 100644 --- a/addrmatch.c +++ b/addrmatch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */ +/* $OpenBSD: addrmatch.c,v 1.7 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2004-2008 Damien Miller @@ -420,7 +420,7 @@ addr_match_list(const char *addr, const char *_list) goto foundit; } } - xfree(o); + free(o); return ret; } @@ -494,7 +494,7 @@ addr_match_cidr_list(const char *addr, const char *_list) continue; } } - xfree(o); + free(o); return ret; } diff --git a/auth-chall.c b/auth-chall.c index 919b1eaa..bfc51eae 100644 --- a/auth-chall.c 
+++ b/auth-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -69,11 +69,11 @@ get_challenge(Authctxt *authctxt) fatal("get_challenge: numprompts < 1"); challenge = xstrdup(prompts[0]); for (i = 0; i < numprompts; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(name); - xfree(echo_on); - xfree(info); + free(prompts[i]); + free(prompts); + free(name); + free(echo_on); + free(info); return (challenge); } diff --git a/auth-options.c b/auth-options.c index 23d0423e..a8d738ac 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.58 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -72,15 +72,15 @@ auth_clear_options(void) while (custom_environment) { struct envstring *ce = custom_environment; custom_environment = ce->next; - xfree(ce->s); - xfree(ce); + free(ce->s); + free(ce); } if (forced_command) { - xfree(forced_command); + free(forced_command); forced_command = NULL; } if (authorized_principals) { - xfree(authorized_principals); + free(authorized_principals); authorized_principals = NULL; } forced_tun_device = -1; @@ -149,7 +149,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); if (forced_command != NULL) - xfree(forced_command); + free(forced_command); forced_command = xmalloc(strlen(opts) + 1); i = 0; while (*opts) { @@ -167,7 +167,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(forced_command); + free(forced_command); forced_command = NULL; goto bad_option; } 
@@ -180,7 +180,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); if (authorized_principals != NULL) - xfree(authorized_principals); + free(authorized_principals); authorized_principals = xmalloc(strlen(opts) + 1); i = 0; while (*opts) { @@ -198,7 +198,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(authorized_principals); + free(authorized_principals); authorized_principals = NULL; goto bad_option; } @@ -232,7 +232,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(s); + free(s); goto bad_option; } s[i] = '\0'; @@ -269,7 +269,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } patterns[i] = '\0'; @@ -277,7 +277,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) switch (match_host_and_ip(remote_host, remote_ip, patterns)) { case 1: - xfree(patterns); + free(patterns); /* Host name matches. */ goto next_option; case -1: @@ -287,7 +287,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) "invalid criteria", file, linenum); /* FALLTHROUGH */ case 0: - xfree(patterns); + free(patterns); logit("Authentication tried for %.100s with " "correct key but not from a permitted " "host (host=%.200s, ip=%.200s).", @@ -323,7 +323,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing " "end quote", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } patterns[i] = '\0'; 
@@ -337,7 +337,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) auth_debug_add("%.100s, line %lu: " "Bad permitopen specification", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } host = cleanhostname(host); @@ -346,12 +346,12 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) "<%.100s>", file, linenum, p ? p : ""); auth_debug_add("%.100s, line %lu: " "Bad permitopen port", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) channel_add_permitted_opens(host, port); - xfree(patterns); + free(patterns); goto next_option; } cp = "tunnel=\""; @@ -370,13 +370,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(tun); + free(tun); forced_tun_device = -1; goto bad_option; } tun[i] = '\0'; forced_tun_device = a2tun(tun, NULL); - xfree(tun); + free(tun); if (forced_tun_device == SSH_TUNID_ERR) { debug("%.100s, line %lu: invalid tun device", file, linenum); @@ -484,7 +484,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, if (*cert_forced_command != NULL) { error("Certificate has multiple " "force-command options"); - xfree(command); + free(command); goto out; } *cert_forced_command = command; @@ -500,7 +500,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, if ((*cert_source_address_done)++) { error("Certificate has multiple " "source-address options"); - xfree(allowed); + free(allowed); goto out; } remote_ip = get_remote_ipaddr(); @@ -508,7 +508,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, allowed)) { case 1: /* accepted */ - xfree(allowed); + free(allowed); break; case 0: /* no match */ 
@@ -521,12 +521,12 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, "is not permitted to use this " "certificate for login.", remote_ip); - xfree(allowed); + free(allowed); goto out; case -1: error("Certificate source-address " "contents invalid"); - xfree(allowed); + free(allowed); goto out; } found = 1; @@ -548,8 +548,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, goto out; } buffer_clear(&data); - xfree(name); - xfree(data_blob); + free(name); + free(data_blob); name = data_blob = NULL; } /* successfully parsed all options */ @@ -559,13 +559,13 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, if (ret != 0 && cert_forced_command != NULL && *cert_forced_command != NULL) { - xfree(*cert_forced_command); + free(*cert_forced_command); *cert_forced_command = NULL; } if (name != NULL) - xfree(name); + free(name); if (data_blob != NULL) - xfree(data_blob); + free(data_blob); buffer_free(&data); buffer_free(&c); return ret; @@ -627,7 +627,7 @@ auth_cert_options(Key *k, struct passwd *pw) /* CA-specified forced command supersedes key option */ if (cert_forced_command != NULL) { if (forced_command != NULL) - xfree(forced_command); + free(forced_command); forced_command = cert_forced_command; } return 0; diff --git a/auth-rsa.c b/auth-rsa.c index 2c8a7cb3..748eaae0 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.82 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -281,7 +281,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) file = expand_authorized_keys( options.authorized_keys_files[i], pw); allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); - xfree(file); + free(file); } restore_uid(); 
@@ -331,7 +331,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n) fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(key), fp); - xfree(fp); + free(fp); key_free(key); packet_send_debug("RSA authentication accepted."); diff --git a/auth.c b/auth.c index 666c493d..ac126e6f 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ +/* $OpenBSD: auth.c,v 1.102 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -165,17 +165,17 @@ allowed_user(struct passwd * pw) if (stat(shell, &st) != 0) { logit("User %.100s not allowed because shell %.100s " "does not exist", pw->pw_name, shell); - xfree(shell); + free(shell); return 0; } if (S_ISREG(st.st_mode) == 0 || (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { logit("User %.100s not allowed because shell %.100s " "is not executable", pw->pw_name, shell); - xfree(shell); + free(shell); return 0; } - xfree(shell); + free(shell); } if (options.num_deny_users > 0 || options.num_allow_users > 0 || @@ -355,7 +355,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw) i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); if (i < 0 || (size_t)i >= sizeof(ret)) fatal("expand_authorized_keys: path too long"); - xfree(file); + free(file); return (xstrdup(ret)); } @@ -397,7 +397,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, load_hostkeys(hostkeys, host, user_hostfile); restore_uid(); } - xfree(user_hostfile); + free(user_hostfile); } host_status = check_key_in_hostkeys(hostkeys, key, &found); if (host_status == HOST_REVOKED) @@ -666,7 +666,7 @@ auth_key_is_revoked(Key *key) key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); error("WARNING: authentication attempt with a revoked " "%s key %s ", key_type(key), key_fp); - xfree(key_fp); + free(key_fp); return 1; } fatal("key_in_file returned junk"); 
@@ -697,7 +697,7 @@ auth_debug_send(void) while (buffer_len(&auth_debug)) { msg = buffer_get_string(&auth_debug, NULL); packet_send_debug("%s", msg); - xfree(msg); + free(msg); } } diff --git a/auth1.c b/auth1.c index 6eea8d81..238b3c9c 100644 --- a/auth1.c +++ b/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.78 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -130,7 +130,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) authenticated = PRIVSEP(auth_password(authctxt, password)); memset(password, 0, dlen); - xfree(password); + free(password); return (authenticated); } @@ -204,7 +204,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) debug("sending challenge '%s'", challenge); packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); packet_put_cstring(challenge); - xfree(challenge); + free(challenge); packet_send(); packet_write_wait(); @@ -223,7 +223,7 @@ auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) packet_check_eom(); authenticated = verify_response(authctxt, response); memset(response, 'r', dlen); - xfree(response); + free(response); return (authenticated); } @@ -356,10 +356,8 @@ do_authloop(Authctxt *authctxt) auth_log(authctxt, authenticated, 0, get_authname(type), NULL, info); - if (client_user != NULL) { - xfree(client_user); - client_user = NULL; - } + free(client_user); + client_user = NULL; if (authenticated) return; diff --git a/auth2-chall.c b/auth2-chall.c index ed1acdd3..98f3093c 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.37 2013/03/07 19:27:25 markus Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.38 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. 
@@ -147,11 +147,9 @@ kbdint_free(KbdintAuthctxt *kbdintctxt) { if (kbdintctxt->device) kbdint_reset_device(kbdintctxt); - if (kbdintctxt->devices) { - xfree(kbdintctxt->devices); - kbdintctxt->devices = NULL; - } - xfree(kbdintctxt); + free(kbdintctxt->devices); + bzero(kbdintctxt, sizeof(*kbdintctxt)); + free(kbdintctxt); } /* get next device */ static int @@ -178,7 +176,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) } t = kbdintctxt->devices; kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; - xfree(t); + free(t); debug2("kbdint_next_device: devices %s", kbdintctxt->devices ? kbdintctxt->devices : ""); } while (kbdintctxt->devices && !kbdintctxt->device); @@ -272,11 +270,11 @@ send_userauth_info_request(Authctxt *authctxt) packet_write_wait(); for (i = 0; i < kbdintctxt->nreq; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(echo_on); - xfree(name); - xfree(instr); + free(prompts[i]); + free(prompts); + free(echo_on); + free(name); + free(instr); return 1; } @@ -315,10 +313,9 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) for (i = 0; i < nresp; i++) { memset(response[i], 'r', strlen(response[i])); - xfree(response[i]); + free(response[i]); } - if (response) - xfree(response); + free(response); switch (res) { case 0: diff --git a/auth2-gss.c b/auth2-gss.c index de1bd064..638d8f88 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.19 2013/04/05 00:14:00 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -81,8 +81,7 @@ userauth_gssapi(Authctxt *authctxt) do { mechs--; - if (doid) - xfree(doid); + free(doid); present = 0; doid = packet_get_string(&len); @@ -101,7 +100,7 @@ userauth_gssapi(Authctxt *authctxt) gss_release_oid_set(&ms, &supported); if (!present) { - xfree(doid); + free(doid); authctxt->server_caused_failure = 1; return (0); } 
@@ -109,7 +108,7 @@ userauth_gssapi(Authctxt *authctxt) if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt); - xfree(doid); + free(doid); authctxt->server_caused_failure = 1; return (0); } @@ -122,7 +121,7 @@ userauth_gssapi(Authctxt *authctxt) packet_put_string(doid, len); packet_send(); - xfree(doid); + free(doid); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); @@ -153,7 +152,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, &send_tok, &flags)); - xfree(recv_tok.value); + free(recv_tok.value); if (GSS_ERROR(maj_status)) { if (send_tok.length != 0) { @@ -208,7 +207,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, &send_tok, NULL)); - xfree(recv_tok.value); + free(recv_tok.value); /* We can't return anything to the client, even if we wanted to */ dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); @@ -281,7 +280,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) logit("GSSAPI MIC check failed"); buffer_free(&b); - xfree(mic.value); + free(mic.value); authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); diff --git a/auth2-hostbased.c b/auth2-hostbased.c index cdf442f9..e6d05e26 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
@@ -128,11 +128,11 @@ done: debug2("userauth_hostbased: authenticated %d", authenticated); if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); - xfree(cuser); - xfree(chost); - xfree(sig); + free(pkalg); + free(pkblob); + free(cuser); + free(chost); + free(sig); return authenticated; } @@ -207,7 +207,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, verbose("Accepted %s public key %s from %s@%s", key_type(key), fp, cuser, lookup); } - xfree(fp); + free(fp); } return (host_status == HOST_OK); diff --git a/auth2-jpake.c b/auth2-jpake.c index ed0eba47..78a6b881 100644 --- a/auth2-jpake.c +++ b/auth2-jpake.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth2-jpake.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -179,7 +179,7 @@ derive_rawsalt(const char *username, u_char *rawsalt, u_int len) __func__, len, digest_len); memcpy(rawsalt, digest, len); bzero(digest, digest_len); - xfree(digest); + free(digest); } /* ASCII an integer [0, 64) for inclusion in a password/salt */ @@ -258,7 +258,7 @@ fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme) makesalt(22, authctxt->user)); *scheme = xstrdup("bcrypt"); } - xfree(style); + free(style); debug3("%s: fake %s salt for user %s: %s", __func__, *scheme, authctxt->user, *salt); } @@ -361,7 +361,7 @@ auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s, JPAKE_DEBUG_BN((*s, "%s: s = ", __func__)); #endif bzero(secret, secret_len); - xfree(secret); + free(secret); } /* 
@@ -403,12 +403,12 @@ auth2_jpake_start(Authctxt *authctxt) bzero(hash_scheme, strlen(hash_scheme)); bzero(salt, strlen(salt)); - xfree(hash_scheme); - xfree(salt); + free(hash_scheme); + free(salt); bzero(x3_proof, x3_proof_len); bzero(x4_proof, x4_proof_len); - xfree(x3_proof); - xfree(x4_proof); + free(x3_proof); + free(x4_proof); /* Expect step 1 packet from peer */ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, @@ -455,8 +455,8 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt) bzero(x1_proof, x1_proof_len); bzero(x2_proof, x2_proof_len); - xfree(x1_proof); - xfree(x2_proof); + free(x1_proof); + free(x2_proof); if (!use_privsep) JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__)); @@ -469,7 +469,7 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt) packet_write_wait(); bzero(x4_s_proof, x4_s_proof_len); - xfree(x4_s_proof); + free(x4_s_proof); /* Expect step 2 packet from peer */ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, @@ -510,7 +510,7 @@ input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt) &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len)); bzero(x2_s_proof, x2_s_proof_len); - xfree(x2_s_proof); + free(x2_s_proof); if (!use_privsep) JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); diff --git a/auth2-kbdint.c b/auth2-kbdint.c index fae67da6..c39bdc62 100644 --- a/auth2-kbdint.c +++ b/auth2-kbdint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth2-kbdint.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -56,8 +56,8 @@ userauth_kbdint(Authctxt *authctxt) if (options.challenge_response_authentication) authenticated = auth2_challenge(authctxt, devs); - xfree(devs); - xfree(lang); + free(devs); + free(lang); return authenticated; } diff --git a/auth2-passwd.c b/auth2-passwd.c index 5f1f3635..21bc5047 100644 --- a/auth2-passwd.c +++ b/auth2-passwd.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth2-passwd.c,v 1.10 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -60,7 +60,7 @@ userauth_passwd(Authctxt *authctxt) /* discard new password from packet */ newpass = packet_get_string(&newlen); memset(newpass, 0, newlen); - xfree(newpass); + free(newpass); } packet_check_eom(); @@ -69,7 +69,7 @@ userauth_passwd(Authctxt *authctxt) else if (PRIVSEP(auth_password(authctxt, password)) == 1) authenticated = 1; memset(password, 0, len); - xfree(password); + free(password); return authenticated; } diff --git a/auth2-pubkey.c b/auth2-pubkey.c index c28bef7a..4c326df7 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.35 2013/03/07 00:19:59 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.36 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -154,7 +154,7 @@ userauth_pubkey(Authctxt *authctxt) buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); - xfree(sig); + free(sig); } else { debug("test whether pkalg/pkblob are acceptable"); packet_check_eom(); @@ -182,8 +182,8 @@ done: debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); return authenticated; } @@ -200,7 +200,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert) principal_list, NULL)) != NULL) { debug3("matched principal from key options \"%.100s\"", result); - xfree(result); + free(result); return 1; } } @@ -336,7 +336,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) reason = "Certificate does not contain an " "authorized principal"; fail_reason: - xfree(fp); + free(fp); error("%s", reason); auth_debug_add("%s", reason); continue; 
@@ -346,13 +346,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) &reason) != 0) goto fail_reason; if (auth_cert_options(key, pw) != 0) { - xfree(fp); + free(fp); continue; } verbose("Accepted certificate ID \"%s\" " "signed by %s CA %s via %s", key->cert->key_id, key_type(found), fp, file); - xfree(fp); + free(fp); found_key = 1; break; } else if (key_equal(found, key)) { @@ -367,7 +367,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp); - xfree(fp); + free(fp); break; } } @@ -425,10 +425,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) ret = 1; out: - if (principals_file != NULL) - xfree(principals_file); - if (ca_fp != NULL) - xfree(ca_fp); + free(principals_file); + free(ca_fp); return ret; } @@ -633,7 +631,7 @@ user_key_allowed(struct passwd *pw, Key *key) options.authorized_keys_files[i], pw); success = user_key_allowed2(pw, key, file); - xfree(file); + free(file); } return success; diff --git a/auth2.c b/auth2.c index e4448216..5f136ce0 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.127 2013/03/07 19:27:25 markus Exp $ */ +/* $OpenBSD: auth2.c,v 1.128 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -130,7 +130,7 @@ auth2_read_banner(void) close(fd); if (n != len) { - xfree(banner); + free(banner); return (NULL); } banner[n] = '\0'; @@ -166,8 +166,7 @@ userauth_banner(void) userauth_send_banner(banner); done: - if (banner) - xfree(banner); + free(banner); } /* @@ -212,7 +211,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt) debug("bad service request %s", service); packet_disconnect("bad service request %s", service); } - xfree(service); + free(service); } /*ARGSUSED*/ 
@@ -292,9 +291,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) } userauth_finish(authctxt, authenticated, method, NULL); - xfree(service); - xfree(user); - xfree(method); + free(service); + free(user); + free(method); } void @@ -382,7 +381,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, packet_put_char(partial); packet_send(); packet_write_wait(); - xfree(methods); + free(methods); } } diff --git a/authfd.c b/authfd.c index f037e838..775786be 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.86 2011/07/06 18:09:21 tedu Exp $ */ +/* $OpenBSD: authfd.c,v 1.87 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -224,7 +224,7 @@ ssh_close_authentication_connection(AuthenticationConnection *auth) { buffer_free(&auth->identities); close(auth->fd); - xfree(auth); + free(auth); } /* Lock/unlock agent */ @@ -343,7 +343,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio blob = buffer_get_string(&auth->identities, &blen); *comment = buffer_get_string(&auth->identities, NULL); key = key_from_blob(blob, blen); - xfree(blob); + free(blob); break; default: return NULL; @@ -436,7 +436,7 @@ ssh_agent_sign(AuthenticationConnection *auth, buffer_put_string(&msg, blob, blen); buffer_put_string(&msg, data, datalen); buffer_put_int(&msg, flags); - xfree(blob); + free(blob); if (ssh_request_reply(auth, &msg, &msg) == 0) { buffer_free(&msg); @@ -612,7 +612,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) key_to_blob(key, &blob, &blen); buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); buffer_put_string(&msg, blob, blen); - xfree(blob); + free(blob); } else { buffer_free(&msg); return 0; diff --git a/authfile.c b/authfile.c index 91812bf8..63ae16bb 100644 --- a/authfile.c +++ b/authfile.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.96 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.97 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -509,8 +509,8 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) return prv; fail: - if (commentp) - xfree(*commentp); + if (commentp != NULL) + free(*commentp); key_free(prv); return NULL; } @@ -832,10 +832,10 @@ key_load_cert(const char *filename) pub = key_new(KEY_UNSPEC); xasprintf(&file, "%s-cert.pub", filename); if (key_try_load_public(pub, file, NULL) == 1) { - xfree(file); + free(file); return pub; } - xfree(file); + free(file); key_free(pub); return NULL; } diff --git a/bufaux.c b/bufaux.c index 00208ca2..ec8853f8 100644 --- a/bufaux.c +++ b/bufaux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufaux.c,v 1.50 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: bufaux.c,v 1.51 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -181,7 +181,7 @@ buffer_get_string_ret(Buffer *buffer, u_int *length_ptr) /* Get the string. */ if (buffer_get_ret(buffer, value, len) == -1) { error("buffer_get_string_ret: buffer_get failed"); - xfree(value); + free(value); return (NULL); } /* Append a null character to make processing easier. */ @@ -216,7 +216,7 @@ buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr) error("buffer_get_cstring_ret: string contains \\0"); else { bzero(ret, length); - xfree(ret); + free(ret); return NULL; } } diff --git a/bufbn.c b/bufbn.c index 251cd095..1fbfbbcc 100644 --- a/bufbn.c +++ b/bufbn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/ +/* $OpenBSD: bufbn.c,v 1.7 2013/05/17 00:13:13 djm Exp $*/ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
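Review bot: On the `fail:` path of key_parse_private_rsa1 the new `if (commentp != NULL) free(*commentp);` releases the comment but leaves the caller's `*commentp` pointing at freed memory. The function returns NULL here, so a caller that also frees its comment on its own cleanup path could double-free; resetting the out-parameter removes the hazard: `if (commentp != NULL) { free(*commentp); *commentp = NULL; }`. key_parse_private_rsa1 begins outside the hunk.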
@@ -69,7 +69,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) if (oi != bin_size) { error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d", oi, bin_size); - xfree(buf); + free(buf); return (-1); } @@ -80,7 +80,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) buffer_append(buffer, buf, oi); memset(buf, 0, bin_size); - xfree(buf); + free(buf); return (0); } @@ -167,13 +167,13 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) if (oi < 0 || (u_int)oi != bytes - 1) { error("buffer_put_bignum2_ret: BN_bn2bin() failed: " "oi %d != bin_size %d", oi, bytes); - xfree(buf); + free(buf); return (-1); } hasnohigh = (buf[1] & 0x80) ? 0 : 1; buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh); memset(buf, 0, bytes); - xfree(buf); + free(buf); return (0); } @@ -197,21 +197,21 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value) if (len > 0 && (bin[0] & 0x80)) { error("buffer_get_bignum2_ret: negative numbers not supported"); - xfree(bin); + free(bin); return (-1); } if (len > 8 * 1024) { error("buffer_get_bignum2_ret: cannot handle BN of size %d", len); - xfree(bin); + free(bin); return (-1); } if (BN_bin2bn(bin, len, value) == NULL) { error("buffer_get_bignum2_ret: BN_bin2bn failed"); - xfree(bin); + free(bin); return (-1); } - xfree(bin); + free(bin); return (0); } diff --git a/bufec.c b/bufec.c index 3dcb4947..6c004897 100644 --- a/bufec.c +++ b/bufec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufec.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: bufec.c,v 1.2 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2010 Damien Miller * @@ -78,7 +78,7 @@ buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve, out: if (buf != NULL) { bzero(buf, len); - xfree(buf); + free(buf); } BN_CTX_free(bnctx); return ret; @@ -131,7 +131,7 @@ buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve, out: BN_CTX_free(bnctx); bzero(buf, len); - xfree(buf); + free(buf); return ret; } 
diff --git a/buffer.c b/buffer.c index ae970034..007e7f94 100644 --- a/buffer.c +++ b/buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.c,v 1.32 2010/02/09 03:56:28 djm Exp $ */ +/* $OpenBSD: buffer.c,v 1.33 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -50,7 +50,7 @@ buffer_free(Buffer *buffer) if (buffer->alloc > 0) { memset(buffer->buf, 0, buffer->alloc); buffer->alloc = 0; - xfree(buffer->buf); + free(buffer->buf); } } diff --git a/canohost.c b/canohost.c index dabd8a31..69e8e6f6 100644 --- a/canohost.c +++ b/canohost.c @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.c,v 1.66 2010/01/13 01:20:20 dtucker Exp $ */ +/* $OpenBSD: canohost.c,v 1.67 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -41,7 +41,7 @@ static int cached_port = -1; /* * Return the canonical name of the host at the other end of the socket. The - * caller should free the returned string with xfree. + * caller should free the returned string. */ static char * @@ -323,10 +323,8 @@ get_local_name(int fd) void clear_cached_addr(void) { - if (canonical_host_ip != NULL) { - xfree(canonical_host_ip); - canonical_host_ip = NULL; - } + free(canonical_host_ip); + canonical_host_ip = NULL; cached_port = -1; } diff --git a/channels.c b/channels.c index 12db962d..6031394c 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.320 2013/04/06 16:07:00 markus Exp $ */ +/* $OpenBSD: channels.c,v 1.321 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -401,7 +401,7 @@ channel_free(Channel *c) s = channel_open_message(); debug3("channel %d: status: %s", c->self, s); - xfree(s); + free(s); if (c->sock != -1) shutdown(c->sock, SHUT_RDWR); 
@@ -409,29 +409,23 @@ channel_free(Channel *c) buffer_free(&c->input); buffer_free(&c->output); buffer_free(&c->extended); - if (c->remote_name) { - xfree(c->remote_name); - c->remote_name = NULL; - } - if (c->path) { - xfree(c->path); - c->path = NULL; - } - if (c->listening_addr) { - xfree(c->listening_addr); - c->listening_addr = NULL; - } + free(c->remote_name); + c->remote_name = NULL; + free(c->path); + c->path = NULL; + free(c->listening_addr); + c->listening_addr = NULL; while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { if (cc->abandon_cb != NULL) cc->abandon_cb(c, cc->ctx); TAILQ_REMOVE(&c->status_confirms, cc, entry); bzero(cc, sizeof(*cc)); - xfree(cc); + free(cc); } if (c->filter_cleanup != NULL && c->filter_ctx != NULL) c->filter_cleanup(c->self, c->filter_ctx); channels[c->self] = NULL; - xfree(c); + free(c); } void @@ -1080,10 +1074,8 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) strlcpy(username, p, sizeof(username)); buffer_consume(&c->input, len); - if (c->path != NULL) { - xfree(c->path); - c->path = NULL; - } + free(c->path); + c->path = NULL; if (need == 1) { /* SOCKS4: one string */ host = inet_ntoa(s4_req.dest_addr); c->path = xstrdup(host); @@ -1216,10 +1208,8 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) buffer_get(&c->input, (char *)&dest_addr, addrlen); buffer_get(&c->input, (char *)&dest_port, 2); dest_addr[addrlen] = '\0'; - if (c->path != NULL) { - xfree(c->path); - c->path = NULL; - } + free(c->path); + c->path = NULL; if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { if (addrlen >= NI_MAXHOST) { error("channel %d: dynamic request: socks5 hostname " @@ -1379,7 +1369,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) packet_put_cstring(buf); packet_send(); } - xfree(remote_ipaddr); + free(remote_ipaddr); } } 
@@ -1393,7 +1383,7 @@ port_open_helper(Channel *c, char *rtype) if (remote_port == -1) { /* Fake addr/port to appease peers that validate it (Tectia) */ - xfree(remote_ipaddr); + free(remote_ipaddr); remote_ipaddr = xstrdup("127.0.0.1"); remote_port = 65535; } @@ -1406,7 +1396,7 @@ port_open_helper(Channel *c, char *rtype) rtype, c->listening_port, c->path, c->host_port, remote_ipaddr, remote_port); - xfree(c->remote_name); + free(c->remote_name); c->remote_name = xstrdup(buf); if (compat20) { @@ -1438,7 +1428,7 @@ port_open_helper(Channel *c, char *rtype) packet_put_cstring(c->remote_name); packet_send(); } - xfree(remote_ipaddr); + free(remote_ipaddr); } static void @@ -1691,7 +1681,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) if (c->datagram) { /* ignore truncated writes, datagrams might get lost */ len = write(c->wfd, buf, dlen); - xfree(data); + free(data); if (len < 0 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) return 1; @@ -2225,7 +2215,7 @@ channel_output_poll(void) debug("channel %d: datagram " "too big for channel", c->self); - xfree(data); + free(data); continue; } packet_start(SSH2_MSG_CHANNEL_DATA); @@ -2233,7 +2223,7 @@ channel_output_poll(void) packet_put_string(data, dlen); packet_send(); c->remote_window -= dlen + 4; - xfree(data); + free(data); } continue; } @@ -2405,13 +2395,13 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt) if (data_len > c->local_window) { logit("channel %d: rcvd too much extended_data %d, win %d", c->self, data_len, c->local_window); - xfree(data); + free(data); return; } debug2("channel %d: rcvd ext data %d", c->self, data_len); c->local_window -= data_len; buffer_append(&c->extended, data, data_len); - xfree(data); + free(data); } /* ARGSUSED */ 
@@ -2577,10 +2567,8 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt) } logit("channel %d: open failed: %s%s%s", id, reason2txt(reason), msg ? ": ": "", msg ? msg : ""); - if (msg != NULL) - xfree(msg); - if (lang != NULL) - xfree(lang); + free(msg); + free(lang); if (c->open_confirm) { debug2("callback start"); c->open_confirm(c->self, 0, c->open_confirm_ctx); @@ -2638,8 +2626,8 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt) packet_check_eom(); c = channel_connect_to(host, host_port, "connected socket", originator_string); - xfree(originator_string); - xfree(host); + free(originator_string); + free(host); if (c == NULL) { packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(remote_id); @@ -2674,7 +2662,7 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) cc->cb(type, c, cc->ctx); TAILQ_REMOVE(&c->status_confirms, cc, entry); bzero(cc, sizeof(*cc)); - xfree(cc); + free(cc); } /* -- tcp forwarding */ @@ -3054,7 +3042,7 @@ channel_request_rforward_cancel(const char *host, u_short port) permitted_opens[i].listen_port = 0; permitted_opens[i].port_to_connect = 0; - xfree(permitted_opens[i].host_to_connect); + free(permitted_opens[i].host_to_connect); permitted_opens[i].host_to_connect = NULL; return 0; @@ -3095,7 +3083,7 @@ channel_input_port_forward_request(int is_root, int gateway_ports) host_port, gateway_ports); /* Free the argument string. */ - xfree(hostname); + free(hostname); return (success ? 0 : -1); } @@ -3150,7 +3138,7 @@ channel_update_permitted_opens(int idx, int newport) } else { permitted_opens[idx].listen_port = 0; permitted_opens[idx].port_to_connect = 0; - xfree(permitted_opens[idx].host_to_connect); + free(permitted_opens[idx].host_to_connect); permitted_opens[idx].host_to_connect = NULL; } } 
@@ -3183,12 +3171,9 @@ channel_clear_permitted_opens(void) int i; for (i = 0; i < num_permitted_opens; i++) - if (permitted_opens[i].host_to_connect != NULL) - xfree(permitted_opens[i].host_to_connect); - if (num_permitted_opens > 0) { - xfree(permitted_opens); - permitted_opens = NULL; - } + free(permitted_opens[i].host_to_connect); + free(permitted_opens); + permitted_opens = NULL; num_permitted_opens = 0; } @@ -3198,12 +3183,9 @@ channel_clear_adm_permitted_opens(void) int i; for (i = 0; i < num_adm_permitted_opens; i++) - if (permitted_adm_opens[i].host_to_connect != NULL) - xfree(permitted_adm_opens[i].host_to_connect); - if (num_adm_permitted_opens > 0) { - xfree(permitted_adm_opens); - permitted_adm_opens = NULL; - } + free(permitted_adm_opens[i].host_to_connect); + free(permitted_adm_opens); + permitted_adm_opens = NULL; num_adm_permitted_opens = 0; } @@ -3297,7 +3279,7 @@ connect_next(struct channel_connect *cctx) static void channel_connect_ctx_free(struct channel_connect *cctx) { - xfree(cctx->host); + free(cctx->host); if (cctx->aitop) freeaddrinfo(cctx->aitop); bzero(cctx, sizeof(*cctx)); @@ -3692,7 +3674,7 @@ x11_input_open(int type, u_int32_t seq, void *ctxt) c->remote_id = remote_id; c->force_drain = 1; } - xfree(remote_host); + free(remote_host); if (c == NULL) { /* Send refusal to the remote host. */ packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); @@ -3800,7 +3782,7 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, packet_put_int(screen_number); packet_send(); packet_write_wait(); - xfree(new_data); + free(new_data); } diff --git a/cipher-3des1.c b/cipher-3des1.c index b7aa588c..c8a70244 100644 --- a/cipher-3des1.c +++ b/cipher-3des1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher-3des1.c,v 1.7 2010/10/01 23:05:32 djm Exp $ */ +/* $OpenBSD: cipher-3des1.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2003 Markus Friedl. All rights reserved. * 
@@ -94,7 +94,7 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); return (0); } @@ -135,7 +135,7 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx) EVP_CIPHER_CTX_cleanup(&c->k2); EVP_CIPHER_CTX_cleanup(&c->k3); memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); } return (1); diff --git a/cipher.c b/cipher.c index 5e365213..a2cbe2be 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.88 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -205,14 +205,14 @@ ciphers_valid(const char *names) c = cipher_by_name(p); if (c == NULL || c->number != SSH_CIPHER_SSH2) { debug("bad cipher %s [%s]", p, names); - xfree(cipher_list); + free(cipher_list); return 0; } else { debug3("cipher ok: %s [%s]", p, names); } } debug3("ciphers ok: [%s]", names); - xfree(cipher_list); + free(cipher_list); return 1; } @@ -314,8 +314,8 @@ cipher_init(CipherContext *cc, const Cipher *cipher, cipher->discard_len) == 0) fatal("evp_crypt: EVP_Cipher failed during discard"); memset(discard, 0, cipher->discard_len); - xfree(junk); - xfree(discard); + free(junk); + free(discard); } } diff --git a/clientloop.c b/clientloop.c index f1b108fc..22138560 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.249 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.250 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -393,10 +393,8 @@ client_x11_get_proto(const char *display, const char *xauth_path, unlink(xauthfile); rmdir(xauthdir); } - if (xauthdir) - xfree(xauthdir); - if (xauthfile) - xfree(xauthfile); + free(xauthdir); + free(xauthfile); /* * If we didn't get authentication data, just make up some @@ -552,7 +550,7 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) if (--gc->ref_count <= 0) { TAILQ_REMOVE(&global_confirms, gc, entry); bzero(gc, sizeof(*gc)); - xfree(gc); + free(gc); } packet_set_alive_timeouts(0); @@ -826,13 +824,13 @@ client_status_confirm(int type, Channel *c, void *ctx) chan_write_failed(c); } } - xfree(cr); + free(cr); } static void client_abandon_status_confirm(Channel *c, void *ctx) { - xfree(ctx); + free(ctx); } void @@ -999,12 +997,9 @@ process_cmdline(void) out: signal(SIGINT, handler); enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); - if (cmd) - xfree(cmd); - if (fwd.listen_host != NULL) - xfree(fwd.listen_host); - if (fwd.connect_host != NULL) - xfree(fwd.connect_host); + free(cmd); + free(fwd.listen_host); + free(fwd.connect_host); } /* reasons to suppress output of an escape command in help output */ @@ -1261,7 +1256,7 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, buffer_append(berr, string, strlen(string)); s = channel_open_message(); buffer_append(berr, s, strlen(s)); - xfree(s); + free(s); continue; case 'C': @@ -1450,7 +1445,7 @@ client_new_escape_filter_ctx(int escape_char) void client_filter_cleanup(int cid, void *ctx) { - xfree(ctx); + free(ctx); } int @@ -1661,10 +1656,8 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) } } } - if (readset) - xfree(readset); - if (writeset) - xfree(writeset); + free(readset); + free(writeset); /* Terminate the session. */ 
@@ -1766,7 +1759,7 @@ client_input_stdout_data(int type, u_int32_t seq, void *ctxt) packet_check_eom(); buffer_append(&stdout_buffer, data, data_len); memset(data, 0, data_len); - xfree(data); + free(data); } static void client_input_stderr_data(int type, u_int32_t seq, void *ctxt) @@ -1776,7 +1769,7 @@ client_input_stderr_data(int type, u_int32_t seq, void *ctxt) packet_check_eom(); buffer_append(&stderr_buffer, data, data_len); memset(data, 0, data_len); - xfree(data); + free(data); } static void client_input_exit_status(int type, u_int32_t seq, void *ctxt) @@ -1856,8 +1849,8 @@ client_request_forwarded_tcpip(const char *request_type, int rchan) c = channel_connect_by_listen_address(listen_port, "forwarded-tcpip", originator_address); - xfree(originator_address); - xfree(listen_address); + free(originator_address); + free(listen_address); return c; } @@ -1891,7 +1884,7 @@ client_request_x11(const char *request_type, int rchan) /* XXX check permission */ debug("client_request_x11: request from %s %d", originator, originator_port); - xfree(originator); + free(originator); sock = x11_connect_display(); if (sock < 0) return NULL; @@ -2018,7 +2011,7 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt) } packet_send(); } - xfree(ctype); + free(ctype); } static void client_input_channel_req(int type, u_int32_t seq, void *ctxt) @@ -2064,7 +2057,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt) packet_put_int(c->remote_id); packet_send(); } - xfree(rtype); + free(rtype); } static void client_input_global_request(int type, u_int32_t seq, void *ctxt) @@ -2083,7 +2076,7 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt) packet_send(); packet_write_wait(); } - xfree(rtype); + free(rtype); } void @@ -2133,7 +2126,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, /* Split */ name = xstrdup(env[i]); if ((val = strchr(name, '=')) == NULL) { - xfree(name); + free(name); continue; } *val++ = '\0'; 
@@ -2147,7 +2140,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, } if (!matched) { debug3("Ignored env %s", name); - xfree(name); + free(name); continue; } @@ -2156,7 +2149,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, packet_put_cstring(name); packet_put_cstring(val); packet_send(); - xfree(name); + free(name); } } diff --git a/compat.c b/compat.c index f680f4fe..ac353a70 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.81 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -204,7 +204,7 @@ proto_spec(const char *spec) break; } } - xfree(s); + free(s); return ret; } @@ -230,7 +230,7 @@ compat_cipher_proposal(char *cipher_prop) buffer_append(&b, "\0", 1); fix_ciphers = xstrdup(buffer_ptr(&b)); buffer_free(&b); - xfree(orig_prop); + free(orig_prop); debug2("Original cipher proposal: %s", cipher_prop); debug2("Compat cipher proposal: %s", fix_ciphers); if (!*fix_ciphers) diff --git a/dns.c b/dns.c index 9e3084ba..630b97ae 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.28 2012/05/23 03:28:28 djm Exp $ */ +/* $OpenBSD: dns.c,v 1.29 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -261,7 +261,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, if (hostkey_digest_type != dnskey_digest_type) { hostkey_digest_type = dnskey_digest_type; - xfree(hostkey_digest); + free(hostkey_digest); /* Initialize host key parameters */ if (!dns_read_key(&hostkey_algorithm, 
@@ -281,10 +281,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, hostkey_digest_len) == 0) *flags |= DNS_VERIFY_MATCH; } - xfree(dnskey_digest); + free(dnskey_digest); } - xfree(hostkey_digest); /* from key_fingerprint_raw() */ + free(hostkey_digest); /* from key_fingerprint_raw() */ freerrset(fingerprints); if (*flags & DNS_VERIFY_FOUND) @@ -327,7 +327,7 @@ export_dns_rr(const char *hostname, Key *key, FILE *f, int generic) for (i = 0; i < rdata_digest_len; i++) fprintf(f, "%02x", rdata_digest[i]); fprintf(f, "\n"); - xfree(rdata_digest); /* from key_fingerprint_raw() */ + free(rdata_digest); /* from key_fingerprint_raw() */ success = 1; } } diff --git a/groupaccess.c b/groupaccess.c index 2381aeb1..020deace 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: groupaccess.c,v 1.13 2008/07/04 03:44:59 djm Exp $ */ +/* $OpenBSD: groupaccess.c,v 1.14 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Kevin Steves. All rights reserved. * @@ -31,6 +31,7 @@ #include #include #include +#include #include #include "xmalloc.h" @@ -122,7 +123,7 @@ ga_free(void) if (ngroups > 0) { for (i = 0; i < ngroups; i++) - xfree(groups_byname[i]); + free(groups_byname[i]); ngroups = 0; xfree(groups_byname); } diff --git a/gss-genr.c b/gss-genr.c index 842f3858..bf164a77 100644 --- a/gss-genr.c +++ b/gss-genr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. @@ -59,8 +59,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len) { if (ctx->oid != GSS_C_NO_OID) { - xfree(ctx->oid->elements); - xfree(ctx->oid); + free(ctx->oid->elements); + free(ctx->oid); } ctx->oid = xmalloc(sizeof(gss_OID_desc)); ctx->oid->length = len; 
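Review bot: The ga_free() hunk in groupaccess.c converts only the per-element release and leaves `xfree(groups_byname);` on the context line two lines below it, so the function ends in a mixed state: the strings are released with free() and the array that held them with xfree(). If xfree() is being retired by this commit (the match.c comment edit "caller must free the returned string" suggests it is), that leftover will not build; either way it should read `free(groups_byname);` to match the `<stdlib.h>` include this same file gains above. ga_free's closing brace is visible in the hunk, so the fix is local to it.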
@@ -83,7 +83,7 @@ ssh_gssapi_error(Gssctxt *ctxt) s = ssh_gssapi_last_error(ctxt, NULL, NULL); debug("%s", s); - xfree(s); + free(s); } char * @@ -164,8 +164,8 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx) if ((*ctx)->name != GSS_C_NO_NAME) gss_release_name(&ms, &(*ctx)->name); if ((*ctx)->oid != GSS_C_NO_OID) { - xfree((*ctx)->oid->elements); - xfree((*ctx)->oid); + free((*ctx)->oid->elements); + free((*ctx)->oid); (*ctx)->oid = GSS_C_NO_OID; } if ((*ctx)->creds != GSS_C_NO_CREDENTIAL) @@ -175,7 +175,7 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx) if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL) gss_release_cred(&ms, &(*ctx)->client_creds); - xfree(*ctx); + free(*ctx); *ctx = NULL; } @@ -222,7 +222,7 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name))) ssh_gssapi_error(ctx); - xfree(gssbuf.value); + free(gssbuf.value); return (ctx->major); } diff --git a/hostfile.c b/hostfile.c index b6f924b2..69d0d289 100644 --- a/hostfile.c +++ b/hostfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.c,v 1.50 2010/12/04 13:31:37 djm Exp $ */ +/* $OpenBSD: hostfile.c,v 1.51 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -96,7 +96,7 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len) b64salt[b64len] = '\0'; ret = __b64_pton(b64salt, salt, salt_len); - xfree(b64salt); + free(b64salt); if (ret == -1) { debug2("extract_salt: salt decode error"); return (-1); 
@@ -327,16 +327,14 @@ free_hostkeys(struct hostkeys *hostkeys) u_int i; for (i = 0; i < hostkeys->num_entries; i++) { - xfree(hostkeys->entries[i].host); - xfree(hostkeys->entries[i].file); + free(hostkeys->entries[i].host); + free(hostkeys->entries[i].file); key_free(hostkeys->entries[i].key); bzero(hostkeys->entries + i, sizeof(*hostkeys->entries)); } - if (hostkeys->entries != NULL) - xfree(hostkeys->entries); - hostkeys->entries = NULL; - hostkeys->num_entries = 0; - xfree(hostkeys); + free(hostkeys->entries); + bzero(hostkeys, sizeof(*hostkeys)); + free(hostkeys); } static int diff --git a/jpake.c b/jpake.c index b010dafa..3dd87916 100644 --- a/jpake.c +++ b/jpake.c @@ -1,4 +1,4 @@ -/* $OpenBSD: jpake.c,v 1.7 2012/06/18 11:43:53 dtucker Exp $ */ +/* $OpenBSD: jpake.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -106,7 +106,7 @@ jpake_free(struct jpake_ctx *pctx) do { \ if ((v) != NULL) { \ bzero((v), (l)); \ - xfree(v); \ + free(v); \ (v) = NULL; \ (l) = 0; \ } \ @@ -134,7 +134,7 @@ jpake_free(struct jpake_ctx *pctx) #undef JPAKE_BUF_CLEAR_FREE bzero(pctx, sizeof(*pctx)); - xfree(pctx); + free(pctx); } /* dump entire jpake_ctx. NB. includes private values! */ @@ -445,7 +445,7 @@ jpake_check_confirm(const BIGNUM *k, expected_confirm_hash_len) == 0) success = 1; bzero(expected_confirm_hash, expected_confirm_hash_len); - xfree(expected_confirm_hash); + free(expected_confirm_hash); debug3("%s: success = %d", __func__, success); return success; } diff --git a/kex.c b/kex.c index 6b43a6de..54bd1a43 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.90 2013/04/19 12:07:08 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.91 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * 
@@ -126,12 +126,12 @@ kex_names_valid(const char *names) (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { error("Unsupported KEX algorithm \"%.100s\"", p); - xfree(s); + free(s); return 0; } } debug3("kex names ok: [%s]", names); - xfree(s); + free(s); return 1; } @@ -191,8 +191,8 @@ kex_prop_free(char **proposal) u_int i; for (i = 0; i < PROPOSAL_MAX; i++) - xfree(proposal[i]); - xfree(proposal); + free(proposal[i]); + free(proposal); } /* ARGSUSED */ @@ -229,7 +229,7 @@ kex_finish(Kex *kex) buffer_clear(&kex->peer); /* buffer_clear(&kex->my); */ kex->flags &= ~KEX_INIT_SENT; - xfree(kex->name); + free(kex->name); kex->name = NULL; } @@ -286,7 +286,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) for (i = 0; i < KEX_COOKIE_LEN; i++) packet_get_char(); for (i = 0; i < PROPOSAL_MAX; i++) - xfree(packet_get_string(NULL)); + free(packet_get_string(NULL)); /* * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported * KEX method has the server move first, but a server might be using @@ -414,7 +414,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server) k->hostkey_type = key_type_from_name(hostkeyalg); if (k->hostkey_type == KEY_UNSPEC) fatal("bad hostkey alg '%s'", hostkeyalg); - xfree(hostkeyalg); + free(hostkeyalg); } static int @@ -468,7 +468,7 @@ kex_choose_conf(Kex *kex) roaming = match_list(KEX_RESUME, peer[PROPOSAL_KEX_ALGS], NULL); if (roaming) { kex->roaming = 1; - xfree(roaming); + free(roaming); } } diff --git a/kexdhc.c b/kexdhc.c index 76ceb5dd..ccd137ca 100644 --- a/kexdhc.c +++ b/kexdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexdhc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -125,7 +125,7 @@ kexdh_client(Kex *kex) if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexdh_client: BN_bin2bn failed"); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); /* calc and verify H */ kex_dh_hash( 
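Review bot: In the kexdhc.c hunk, `memset(kbuf, 0, klen);` immediately followed by the new `free(kbuf);` is a dead store as far as the compiler is concerned, so the wipe of the raw DH shared secret can be elided under optimisation. The identical memset/bzero-then-free sequence appears in the kexdhs, kexecdh*, kexgex*, jpake and monitor keystate hunks of this commit, and the monitor password hunk does the same with `memset(passwd, 0, strlen(passwd));`. Since every one of these free() lines is being rewritten anyway, this is a cheap moment to route the wipe through something the optimiser cannot drop (explicit_bzero where the platform provides it, or a volatile-pointer memset wrapper in the compat layer) instead of plain memset/bzero. kexdh_client continues past the end of this hunk.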
@@ -139,14 +139,14 @@ kexdh_client(Kex *kex) shared_secret, &hash, &hashlen ); - xfree(server_host_key_blob); + free(server_host_key_blob); BN_clear_free(dh_server_pub); DH_free(dh); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); - xfree(signature); + free(signature); /* save session id */ if (kex->session_id == NULL) { diff --git a/kexdhs.c b/kexdhs.c index f56e8876..15128632 100644 --- a/kexdhs.c +++ b/kexdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhs.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -118,7 +118,7 @@ kexdh_server(Kex *kex) if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexdh_server: BN_bin2bn failed"); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); @@ -157,8 +157,8 @@ kexdh_server(Kex *kex) packet_put_string(signature, slen); packet_send(); - xfree(signature); - xfree(server_host_key_blob); + free(signature); + free(server_host_key_blob); /* have keys, free DH */ DH_free(dh); diff --git a/kexecdhc.c b/kexecdhc.c index 04239a47..6193836c 100644 --- a/kexecdhc.c +++ b/kexecdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhc.c,v 1.3 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: kexecdhc.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -120,7 +120,7 @@ kexecdh_client(Kex *kex) if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) fatal("%s: BN_bin2bn failed", __func__); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); /* calc and verify H */ kex_ecdh_hash( 
@@ -136,14 +136,14 @@ kexecdh_client(Kex *kex) shared_secret, &hash, &hashlen ); - xfree(server_host_key_blob); + free(server_host_key_blob); EC_POINT_clear_free(server_public); EC_KEY_free(client_key); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); - xfree(signature); + free(signature); /* save session id */ if (kex->session_id == NULL) { diff --git a/kexecdhs.c b/kexecdhs.c index 6519abbe..c42dcf44 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.3 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -112,7 +112,7 @@ kexecdh_server(Kex *kex) if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) fatal("%s: BN_bin2bn failed", __func__); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); /* calc H */ key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); @@ -152,8 +152,8 @@ kexecdh_server(Kex *kex) packet_put_string(signature, slen); packet_send(); - xfree(signature); - xfree(server_host_key_blob); + free(signature); + free(server_host_key_blob); /* have keys, free server key */ EC_KEY_free(server_key); diff --git a/kexgexc.c b/kexgexc.c index 79552d70..5a3be200 100644 --- a/kexgexc.c +++ b/kexgexc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexgexc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -163,7 +163,7 @@ kexgex_client(Kex *kex) if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexgex_client: BN_bin2bn failed"); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); if (datafellows & SSH_OLD_DHGEX) min = max = -1; 
@@ -186,13 +186,13 @@ kexgex_client(Kex *kex) /* have keys, free DH */ DH_free(dh); - xfree(server_host_key_blob); + free(server_host_key_blob); BN_clear_free(dh_server_pub); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); - xfree(signature); + free(signature); /* save session id */ if (kex->session_id == NULL) { diff --git a/kexgexs.c b/kexgexs.c index a5e3df7b..a543dda8 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.14 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -155,7 +155,7 @@ kexgex_server(Kex *kex) if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexgex_server: BN_bin2bn failed"); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); @@ -201,8 +201,8 @@ kexgex_server(Kex *kex) packet_put_string(signature, slen); packet_send(); - xfree(signature); - xfree(server_host_key_blob); + free(signature); + free(server_host_key_blob); /* have keys, free DH */ DH_free(dh); diff --git a/key.c b/key.c index b8c60cb2..8183ec90 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.102 2013/05/10 04:08:01 djm Exp $ */ +/* $OpenBSD: key.c,v 1.103 2013/05/17 00:13:13 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -187,15 +187,13 @@ cert_free(struct KeyCert *cert) buffer_free(&cert->certblob); buffer_free(&cert->critical); buffer_free(&cert->extensions); - if (cert->key_id != NULL) - xfree(cert->key_id); + free(cert->key_id); for (i = 0; i < cert->nprincipals; i++) - xfree(cert->principals[i]); - if (cert->principals != NULL) - xfree(cert->principals); + free(cert->principals[i]); + free(cert->principals); if (cert->signature_key != NULL) key_free(cert->signature_key); - xfree(cert); + free(cert); } void @@ -239,7 +237,7 @@ key_free(Key *k) k->cert = NULL; } - xfree(k); + free(k); } static int @@ -389,7 +387,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, EVP_DigestUpdate(&ctx, blob, len); EVP_DigestFinal(&ctx, retval, dgst_raw_length); memset(blob, 0, len); - xfree(blob); + free(blob); } else { fatal("key_fingerprint_raw: blob is null"); } @@ -596,7 +594,7 @@ key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) break; } memset(dgst_raw, 0, dgst_raw_len); - xfree(dgst_raw); + free(dgst_raw); return retval; } @@ -741,11 +739,11 @@ key_read(Key *ret, char **cpp) n = uudecode(cp, blob, len); if (n < 0) { error("key_read: uudecode %s failed", cp); - xfree(blob); + free(blob); return -1; } k = key_from_blob(blob, (u_int)n); - xfree(blob); + free(blob); if (k == NULL) { error("key_read: key_from_blob %s failed", cp); return -1; @@ -886,8 +884,8 @@ key_write(const Key *key, FILE *f) fprintf(f, "%s %s", key_ssh_name(key), uu); success = 1; } - xfree(blob); - xfree(uu); + free(blob); + free(uu); return success; } @@ -1292,12 +1290,12 @@ key_names_valid2(const char *names) switch (key_type_from_name(p)) { case KEY_RSA1: case KEY_UNSPEC: - xfree(s); + free(s); return 0; } } debug3("key names ok: [%s]", names); - xfree(s); + free(s); return 1; } 
@@ -1419,16 +1417,11 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) out: buffer_free(&tmp); - if (principals != NULL) - xfree(principals); - if (critical != NULL) - xfree(critical); - if (exts != NULL) - xfree(exts); - if (sig_key != NULL) - xfree(sig_key); - if (sig != NULL) - xfree(sig); + free(principals); + free(critical); + free(exts); + free(sig_key); + free(sig); return ret; } @@ -1548,10 +1541,8 @@ key_from_blob(const u_char *blob, u_int blen) if (key != NULL && rlen != 0) error("key_from_blob: remaining bytes in key blob %d", rlen); out: - if (ktype != NULL) - xfree(ktype); - if (curve != NULL) - xfree(curve); + free(ktype); + free(curve); #ifdef OPENSSL_HAS_ECC if (q != NULL) EC_POINT_free(q); @@ -1901,7 +1892,7 @@ key_certify(Key *k, Key *ca) default: error("%s: key has incorrect type %s", __func__, key_type(k)); buffer_clear(&k->cert->certblob); - xfree(ca_blob); + free(ca_blob); return -1; } @@ -1937,7 +1928,7 @@ key_certify(Key *k, Key *ca) buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ buffer_put_string(&k->cert->certblob, ca_blob, ca_len); - xfree(ca_blob); + free(ca_blob); /* Sign the whole mess */ if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), @@ -1948,7 +1939,7 @@ key_certify(Key *k, Key *ca) } /* Append signature and we are done */ buffer_put_string(&k->cert->certblob, sig_blob, sig_len); - xfree(sig_blob); + free(sig_blob); return 0; } diff --git a/mac.c b/mac.c index da68803f..907e1978 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.22 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: mac.c,v 1.23 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * 
@@ -235,13 +235,13 @@ mac_valid(const char *names) (p = strsep(&cp, MAC_SEP))) { if (mac_setup(NULL, p) < 0) { debug("bad mac %s [%s]", p, names); - xfree(maclist); + free(maclist); return (0); } else { debug3("mac ok: %s [%s]", p, names); } } debug3("macs ok: [%s]", names); - xfree(maclist); + free(maclist); return (1); } diff --git a/match.c b/match.c index 23894777..7be7d2c5 100644 --- a/match.c +++ b/match.c @@ -1,4 +1,4 @@ -/* $OpenBSD: match.c,v 1.27 2008/06/10 23:06:19 djm Exp $ */ +/* $OpenBSD: match.c,v 1.28 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -40,6 +40,7 @@ #include #include +#include #include #include "xmalloc.h" @@ -226,14 +227,14 @@ match_user(const char *user, const char *host, const char *ipaddr, if ((ret = match_pattern(user, pat)) == 1) ret = match_host_and_ip(host, ipaddr, p); - xfree(pat); + free(pat); return ret; } /* * Returns first item from client-list that is also supported by server-list, - * caller must xfree() returned string. + * caller must free the returned string. */ #define MAX_PROP 40 #define SEP "," @@ -264,15 +265,15 @@ match_list(const char *client, const char *server, u_int *next) if (next != NULL) *next = (cp == NULL) ? strlen(c) : (u_int)(cp - c); - xfree(c); - xfree(s); + free(c); + free(s); return ret; } } } if (next != NULL) *next = strlen(c); - xfree(c); - xfree(s); + free(c); + free(s); return NULL; } diff --git a/misc.c b/misc.c index 77f4a37a..4aa5fdc8 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.88 2013/04/24 16:01:46 tedu Exp $ */ +/* $OpenBSD: misc.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. 
@@ -253,13 +253,13 @@ a2tun(const char *s, int *remote) *remote = SSH_TUNID_ANY; sp = xstrdup(s); if ((ep = strchr(sp, ':')) == NULL) { - xfree(sp); + free(sp); return (a2tun(s, NULL)); } ep[0] = '\0'; ep++; *remote = a2tun(ep, NULL); tun = a2tun(sp, NULL); - xfree(sp); + free(sp); return (*remote == SSH_TUNID_ERR ? *remote : tun); } @@ -492,7 +492,7 @@ replacearg(arglist *args, u_int which, char *fmt, ...) if (which >= args->num) fatal("replacearg: tried to replace invalid arg %d >= %d", which, args->num); - xfree(args->list[which]); + free(args->list[which]); args->list[which] = cp; } @@ -503,8 +503,8 @@ freeargs(arglist *args) if (args->list != NULL) { for (i = 0; i < args->num; i++) - xfree(args->list[i]); - xfree(args->list); + free(args->list[i]); + free(args->list); args->nalloc = args->num = 0; args->list = NULL; } diff --git a/moduli.c b/moduli.c index 5267bb9a..294ff8fd 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.26 2012/07/06 00:41:59 dtucker Exp $ */ +/* $OpenBSD: moduli.c,v 1.27 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -433,9 +433,9 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start) time(&time_stop); - xfree(LargeSieve); - xfree(SmallSieve); - xfree(TinySieve); + free(LargeSieve); + free(SmallSieve); + free(TinySieve); logit("%.24s Found %u candidates", ctime(&time_stop), r); @@ -709,7 +709,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, } time(&time_stop); - xfree(lp); + free(lp); BN_free(p); BN_free(q); BN_CTX_free(ctx); diff --git a/monitor.c b/monitor.c index 372c9d04..132f60df 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.123 2013/05/16 04:09:13 dtucker Exp $ */ +/* $OpenBSD: monitor.c,v 1.124 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl 
@@ -551,7 +551,7 @@ monitor_read_log(struct monitor *pmonitor) do_log2(level, "%s [preauth]", msg); buffer_free(&logmsg); - xfree(msg); + free(msg); return 0; } @@ -642,12 +642,9 @@ static void monitor_reset_key_state(void) { /* reset state */ - if (key_blob != NULL) - xfree(key_blob); - if (hostbased_cuser != NULL) - xfree(hostbased_cuser); - if (hostbased_chost != NULL) - xfree(hostbased_chost); + free(key_blob); + free(hostbased_cuser); + free(hostbased_chost); key_blob = NULL; key_bloblen = 0; key_blobtype = MM_NOKEY; @@ -728,8 +725,8 @@ mm_answer_sign(int sock, Buffer *m) buffer_clear(m); buffer_put_string(m, signature, siglen); - xfree(p); - xfree(signature); + free(p); + free(signature); mm_request_send(sock, MONITOR_ANS_SIGN, m); @@ -760,7 +757,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) authctxt->user = xstrdup(username); setproctitle("%s [priv]", pwent ? username : "unknown"); - xfree(username); + free(username); buffer_clear(m); @@ -840,9 +837,7 @@ int mm_answer_auth2_read_banner(int sock, Buffer *m) banner = auth2_read_banner(); buffer_put_cstring(m, banner != NULL ? banner : ""); mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m); - - if (banner != NULL) - xfree(banner); + free(banner); return (0); } @@ -858,7 +853,7 @@ mm_answer_authserv(int sock, Buffer *m) __func__, authctxt->service, authctxt->style); if (strlen(authctxt->style) == 0) { - xfree(authctxt->style); + free(authctxt->style); authctxt->style = NULL; } @@ -878,7 +873,7 @@ mm_answer_authpassword(int sock, Buffer *m) authenticated = options.password_authentication && auth_password(authctxt, passwd); memset(passwd, 0, strlen(passwd)); - xfree(passwd); + free(passwd); buffer_clear(m); buffer_put_int(m, authenticated); 
@@ -918,10 +913,10 @@ mm_answer_bsdauthquery(int sock, Buffer *m) mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m); if (success) { - xfree(name); - xfree(infotxt); - xfree(prompts); - xfree(echo_on); + free(name); + free(infotxt); + free(prompts); + free(echo_on); } return (0); @@ -941,7 +936,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) auth_userresponse(authctxt->as, response, 0); authctxt->as = NULL; debug3("%s: <%s> = <%d>", __func__, response, authok); - xfree(response); + free(response); buffer_clear(m); buffer_put_int(m, authok); @@ -1214,9 +1209,9 @@ mm_answer_keyallowed(int sock, Buffer *m) /* Log failed attempt */ auth_log(authctxt, 0, 0, auth_method, NULL, compat20 ? " ssh2" : ""); - xfree(blob); - xfree(cuser); - xfree(chost); + free(blob); + free(cuser); + free(chost); } debug3("%s: key %p is %s", @@ -1259,7 +1254,7 @@ monitor_valid_userblob(u_char *data, u_int datalen) (len != session_id2_len) || (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) fail++; - xfree(p); + free(p); } if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; @@ -1272,8 +1267,8 @@ monitor_valid_userblob(u_char *data, u_int datalen) userstyle, p); fail++; } - xfree(userstyle); - xfree(p); + free(userstyle); + free(p); buffer_skip_string(&b); if (datafellows & SSH_BUG_PKAUTH) { if (!buffer_get_char(&b)) @@ -1282,7 +1277,7 @@ monitor_valid_userblob(u_char *data, u_int datalen) p = buffer_get_cstring(&b, NULL); if (strcmp("publickey", p) != 0) fail++; - xfree(p); + free(p); if (!buffer_get_char(&b)) fail++; buffer_skip_string(&b); @@ -1311,7 +1306,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, (len != session_id2_len) || (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) fail++; - xfree(p); + free(p); if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; 
@@ -1325,12 +1320,12 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, fail++; } free(userstyle); - xfree(p); + free(p); buffer_skip_string(&b); /* service */ p = buffer_get_cstring(&b, NULL); if (strcmp(p, "hostbased") != 0) fail++; - xfree(p); + free(p); buffer_skip_string(&b); /* pkalg */ buffer_skip_string(&b); /* pkblob */ @@ -1340,13 +1335,13 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, p[len - 1] = '\0'; if (strcmp(p, chost) != 0) fail++; - xfree(p); + free(p); /* verify client user */ p = buffer_get_string(&b, NULL); if (strcmp(p, cuser) != 0) fail++; - xfree(p); + free(p); if (buffer_len(&b) != 0) fail++; @@ -1395,9 +1390,9 @@ mm_answer_keyverify(int sock, Buffer *m) __func__, key, (verified == 1) ? "verified" : "unverified"); key_free(key); - xfree(blob); - xfree(signature); - xfree(data); + free(blob); + free(signature); + free(data); auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; @@ -1525,7 +1520,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m) if ((s = session_by_tty(tty)) != NULL) mm_session_close(s); buffer_clear(m); - xfree(tty); + free(tty); return (0); } @@ -1657,7 +1652,7 @@ mm_answer_rsa_challenge(int sock, Buffer *m) monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); - xfree(blob); + free(blob); key_free(key); return (0); } @@ -1689,9 +1684,9 @@ mm_answer_rsa_response(int sock, Buffer *m) fatal("%s: received bad response to challenge", __func__); success = auth_rsa_verify_response(key, ssh1_challenge, response); - xfree(blob); + free(blob); key_free(key); - xfree(response); + free(response); auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa"; 
@@ -1785,20 +1780,20 @@ monitor_apply_keystate(struct monitor *pmonitor) packet_set_protocol_flags(child_state.ssh1protoflags); packet_set_encryption_key(child_state.ssh1key, child_state.ssh1keylen, child_state.ssh1cipher); - xfree(child_state.ssh1key); + free(child_state.ssh1key); } /* for rc4 and other stateful ciphers */ packet_set_keycontext(MODE_OUT, child_state.keyout); - xfree(child_state.keyout); + free(child_state.keyout); packet_set_keycontext(MODE_IN, child_state.keyin); - xfree(child_state.keyin); + free(child_state.keyin); if (!compat20) { packet_set_iv(MODE_OUT, child_state.ivout); - xfree(child_state.ivout); + free(child_state.ivout); packet_set_iv(MODE_IN, child_state.ivin); - xfree(child_state.ivin); + free(child_state.ivin); } memcpy(&incoming_stream, &child_state.incoming, @@ -1819,13 +1814,13 @@ monitor_apply_keystate(struct monitor *pmonitor) buffer_clear(packet_get_input()); buffer_append(packet_get_input(), child_state.input, child_state.ilen); memset(child_state.input, 0, child_state.ilen); - xfree(child_state.input); + free(child_state.input); buffer_clear(packet_get_output()); buffer_append(packet_get_output(), child_state.output, child_state.olen); memset(child_state.output, 0, child_state.olen); - xfree(child_state.output); + free(child_state.output); /* Roaming */ if (compat20) @@ -1857,11 +1852,11 @@ mm_get_kex(Buffer *m) blob = buffer_get_string(m, &bloblen); buffer_init(&kex->my); buffer_append(&kex->my, blob, bloblen); - xfree(blob); + free(blob); blob = buffer_get_string(m, &bloblen); buffer_init(&kex->peer); buffer_append(&kex->peer, blob, bloblen); - xfree(blob); + free(blob); kex->done = 1; kex->flags = buffer_get_int(m); kex->client_version_string = buffer_get_string(m, NULL); 
@@ -1904,12 +1899,12 @@ mm_get_keystate(struct monitor *pmonitor) blob = buffer_get_string(&m, &bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); - xfree(blob); + free(blob); debug3("%s: Waiting for second key", __func__); blob = buffer_get_string(&m, &bloblen); current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); - xfree(blob); + free(blob); /* Now get sequence numbers for the packets */ seqnr = buffer_get_int(&m); @@ -1934,13 +1929,13 @@ mm_get_keystate(struct monitor *pmonitor) if (plen != sizeof(child_state.outgoing)) fatal("%s: bad request size", __func__); memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing)); - xfree(p); + free(p); p = buffer_get_string(&m, &plen); if (plen != sizeof(child_state.incoming)) fatal("%s: bad request size", __func__); memcpy(&child_state.incoming, p, sizeof(child_state.incoming)); - xfree(p); + free(p); /* Network I/O buffers */ debug3("%s: Getting Network I/O buffers", __func__); @@ -2062,7 +2057,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) major = ssh_gssapi_server_ctx(&gsscontext, &goid); - xfree(goid.elements); + free(goid.elements); buffer_clear(m); buffer_put_int(m, major); @@ -2087,7 +2082,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); - xfree(in.value); + free(in.value); buffer_clear(m); buffer_put_int(m, major); @@ -2119,8 +2114,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); - xfree(gssbuf.value); - xfree(mic.value); + free(gssbuf.value); + free(mic.value); buffer_clear(m); buffer_put_int(m, ret); 
@@ -2190,8 +2185,8 @@ mm_answer_jpake_step1(int sock, Buffer *m) bzero(x3_proof, x3_proof_len); bzero(x4_proof, x4_proof_len); - xfree(x3_proof); - xfree(x4_proof); + free(x3_proof); + free(x4_proof); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0); @@ -2220,8 +2215,8 @@ mm_answer_jpake_get_pwdata(int sock, Buffer *m) bzero(hash_scheme, strlen(hash_scheme)); bzero(salt, strlen(salt)); - xfree(hash_scheme); - xfree(salt); + free(hash_scheme); + free(salt); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1); @@ -2260,8 +2255,8 @@ mm_answer_jpake_step2(int sock, Buffer *m) bzero(x1_proof, x1_proof_len); bzero(x2_proof, x2_proof_len); - xfree(x1_proof); - xfree(x2_proof); + free(x1_proof); + free(x2_proof); buffer_clear(m); @@ -2272,7 +2267,7 @@ mm_answer_jpake_step2(int sock, Buffer *m) mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); bzero(x4_s_proof, x4_s_proof_len); - xfree(x4_s_proof); + free(x4_s_proof); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); @@ -2340,7 +2335,7 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m) JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__)); bzero(peer_confirm_hash, peer_confirm_hash_len); - xfree(peer_confirm_hash); + free(peer_confirm_hash); buffer_clear(m); buffer_put_int(m, authenticated); diff --git a/monitor_mm.c b/monitor_mm.c index faf9f3dc..ee7bad4b 100644 --- a/monitor_mm.c +++ b/monitor_mm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_mm.c,v 1.16 2009/06/22 05:39:28 dtucker Exp $ */ +/* $OpenBSD: monitor_mm.c,v 1.17 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright 2002 Niels Provos * All rights reserved. @@ -35,6 +35,7 @@ #include #include +#include #include #include "xmalloc.h" @@ -124,7 +125,7 @@ mm_freelist(struct mm_master *mmalloc, struct mmtree *head) next = RB_NEXT(mmtree, head, mms); RB_REMOVE(mmtree, head, mms); if (mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mmalloc, mms); } 
@@ -147,7 +148,7 @@ mm_destroy(struct mm_master *mm) __func__); #endif if (mm->mmalloc == NULL) - xfree(mm); + free(mm); else mm_free(mm->mmalloc, mm); } @@ -198,7 +199,7 @@ mm_malloc(struct mm_master *mm, size_t size) if (mms->size == 0) { RB_REMOVE(mmtree, &mm->rb_free, mms); if (mm->mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mm->mmalloc, mms); } @@ -254,7 +255,7 @@ mm_free(struct mm_master *mm, void *address) prev->size += mms->size; RB_REMOVE(mmtree, &mm->rb_free, mms); if (mm->mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mm->mmalloc, mms); } else @@ -278,7 +279,7 @@ mm_free(struct mm_master *mm, void *address) RB_REMOVE(mmtree, &mm->rb_free, mms); if (mm->mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mm->mmalloc, mms); } diff --git a/monitor_wrap.c b/monitor_wrap.c index 3304f5bf..b1870fcb 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.76 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -288,7 +288,7 @@ out: #undef M_CP_STRARRAYOPT copy_set_server_options(&options, newopts, 1); - xfree(newopts); + free(newopts); buffer_free(&m); @@ -314,7 +314,7 @@ mm_auth2_read_banner(void) /* treat empty banner as missing banner */ if (strlen(banner) == 0) { - xfree(banner); + free(banner); banner = NULL; } return (banner); @@ -407,7 +407,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) buffer_put_cstring(&m, user ? user : ""); buffer_put_cstring(&m, host ? host : ""); buffer_put_string(&m, blob, len); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); 
@@ -450,7 +450,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) buffer_put_string(&m, blob, len); buffer_put_string(&m, sig, siglen); buffer_put_string(&m, data, datalen); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); @@ -619,7 +619,7 @@ mm_send_keystate(struct monitor *monitor) keylen = packet_get_encryption_key(key); buffer_put_string(&m, key, keylen); memset(key, 0, keylen); - xfree(key); + free(key); ivlen = packet_get_keyiv_len(MODE_OUT); packet_get_keyiv(MODE_OUT, iv, ivlen); @@ -642,13 +642,13 @@ mm_send_keystate(struct monitor *monitor) fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); - xfree(blob); + free(blob); if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); - xfree(blob); + free(blob); packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); buffer_put_int(&m, seqnr); @@ -668,13 +668,13 @@ mm_send_keystate(struct monitor *monitor) p = xmalloc(plen+1); packet_get_keycontext(MODE_OUT, p); buffer_put_string(&m, p, plen); - xfree(p); + free(p); plen = packet_get_keycontext(MODE_IN, NULL); p = xmalloc(plen+1); packet_get_keycontext(MODE_IN, p); buffer_put_string(&m, p, plen); - xfree(p); + free(p); /* Compression state */ debug3("%s: Sending compression state", __func__); @@ -736,10 +736,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) buffer_free(&m); strlcpy(namebuf, p, namebuflen); /* Possible truncation */ - xfree(p); + free(p); buffer_append(&loginmsg, msg, strlen(msg)); - xfree(msg); + free(msg); if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 || (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1) 
@@ -1109,7 +1109,7 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) if ((key = key_from_blob(blob, blen)) == NULL) fatal("%s: key_from_blob failed", __func__); *rkey = key; - xfree(blob); + free(blob); } buffer_free(&m); @@ -1136,7 +1136,7 @@ mm_auth_rsa_generate_challenge(Key *key) buffer_init(&m); buffer_put_string(&m, blob, blen); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m); @@ -1165,7 +1165,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) buffer_init(&m); buffer_put_string(&m, blob, blen); buffer_put_string(&m, response, 16); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m); diff --git a/mux.c b/mux.c index a6bcbbac..6c55db98 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.40 2013/04/22 01:17:18 dtucker Exp $ */ +/* $OpenBSD: mux.c,v 1.41 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -287,13 +287,12 @@ process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r) char *value = buffer_get_string_ret(m, NULL); if (name == NULL || value == NULL) { - if (name != NULL) - xfree(name); + free(name); goto malf; } debug2("Unrecognised slave extension \"%s\"", name); - xfree(name); - xfree(value); + free(name); + free(value); } state->hello_rcvd = 1; return 0; 
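Review bot: In process_mux_master_hello the malformed-message path still releases only `name`, so if `name` is NULL while the unconditional `value = buffer_get_string_ret(m, NULL)` on the preceding line succeeded, the `value` allocation leaks. Since this commit now relies on free(NULL) being a no-op everywhere, the guard-free form is the natural fix: `free(name); free(value); goto malf;`. Whether the second read can succeed after the first fails depends on buffer_get_string_ret's behaviour on error, which is not visible here, but the unconditional pair costs nothing. The enclosing function starts and ends outside the hunk.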
@@ -324,21 +323,17 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) (cctx->term = buffer_get_string_ret(m, &len)) == NULL || (cmd = buffer_get_string_ret(m, &len)) == NULL) { malf: - if (cmd != NULL) - xfree(cmd); - if (reserved != NULL) - xfree(reserved); + free(cmd); + free(reserved); for (j = 0; j < env_len; j++) - xfree(cctx->env[j]); - if (env_len > 0) - xfree(cctx->env); - if (cctx->term != NULL) - xfree(cctx->term); - xfree(cctx); + free(cctx->env[j]); + free(cctx->env); + free(cctx->term); + free(cctx); error("%s: malformed message", __func__); return -1; } - xfree(reserved); + free(reserved); reserved = NULL; while (buffer_len(m) > 0) { @@ -346,7 +341,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) if ((cp = buffer_get_string_ret(m, &len)) == NULL) goto malf; if (!env_permitted(cp)) { - xfree(cp); + free(cp); continue; } cctx->env = xrealloc(cctx->env, env_len + 2, @@ -367,7 +362,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_init(&cctx->cmd); buffer_append(&cctx->cmd, cmd, strlen(cmd)); - xfree(cmd); + free(cmd); cmd = NULL; /* Gather fds from client */ @@ -378,12 +373,11 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) for (j = 0; j < i; j++) close(new_fd[j]); for (j = 0; j < env_len; j++) - xfree(cctx->env[j]); - if (env_len > 0) - xfree(cctx->env); - xfree(cctx->term); + free(cctx->env[j]); + free(cctx->env); + free(cctx->term); buffer_free(&cctx->cmd); - xfree(cctx); + free(cctx); /* prepare reply */ buffer_put_int(r, MUX_S_FAILURE); @@ -408,14 +402,14 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) close(new_fd[0]); close(new_fd[1]); close(new_fd[2]); - xfree(cctx->term); + free(cctx->term); if (env_len != 0) { for (i = 0; i < env_len; i++) - xfree(cctx->env[i]); - xfree(cctx->env); + free(cctx->env[i]); + free(cctx->env); } buffer_free(&cctx->cmd); - xfree(cctx); + free(cctx); return 0; } 
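Review bot: The malf: path in process_mux_new_session now calls `free(cctx->env)` and `free(cctx->term)` unconditionally where they were previously guarded by `env_len > 0` and `cctx->term != NULL`; this is only safe if cctx's fields are zero-initialised at allocation (calloc-style) rather than left indeterminate, and the hunk does not show how cctx, cmd and reserved are initialised. The same reliance on a NULL-initialised pointer applies to `free(namebuf)` in sink() in scp.c. A short comment at the label, `/* cctx fields, cmd and reserved are NULL-initialised, so free(NULL) is safe here */`, would record the invariant the unconditional frees now depend on. The enclosing function starts and ends outside the hunk.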
@@ -620,7 +614,7 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt) buffer_put_int(&out, MUX_S_FAILURE); buffer_put_int(&out, fctx->rid); buffer_put_cstring(&out, failmsg); - xfree(failmsg); + free(failmsg); out: buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out)); buffer_free(&out); @@ -649,11 +643,11 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) } if (*fwd.listen_host == '\0') { - xfree(fwd.listen_host); + free(fwd.listen_host); fwd.listen_host = NULL; } if (*fwd.connect_host == '\0') { - xfree(fwd.connect_host); + free(fwd.connect_host); fwd.connect_host = NULL; } @@ -664,10 +658,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) ftype != MUX_FWD_DYNAMIC) { logit("%s: invalid forwarding type %u", __func__, ftype); invalid: - if (fwd.listen_host) - xfree(fwd.listen_host); - if (fwd.connect_host) - xfree(fwd.connect_host); + free(fwd.listen_host); + free(fwd.connect_host); buffer_put_int(r, MUX_S_FAILURE); buffer_put_int(r, rid); buffer_put_cstring(r, "Invalid forwarding request"); @@ -769,13 +761,10 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_put_int(r, MUX_S_OK); buffer_put_int(r, rid); out: - if (fwd_desc != NULL) - xfree(fwd_desc); + free(fwd_desc); if (freefwd) { - if (fwd.listen_host != NULL) - xfree(fwd.listen_host); - if (fwd.connect_host != NULL) - xfree(fwd.connect_host); + free(fwd.listen_host); + free(fwd.connect_host); } return ret; } @@ -801,11 +790,11 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) } if (*fwd.listen_host == '\0') { - xfree(fwd.listen_host); + free(fwd.listen_host); fwd.listen_host = NULL; } if (*fwd.connect_host == '\0') { - xfree(fwd.connect_host); + free(fwd.connect_host); fwd.connect_host = NULL; } 
@@ -862,10 +851,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_put_int(r, MUX_S_OK); buffer_put_int(r, rid); - if (found_fwd->listen_host != NULL) - xfree(found_fwd->listen_host); - if (found_fwd->connect_host != NULL) - xfree(found_fwd->connect_host); + free(found_fwd->listen_host); + free(found_fwd->connect_host); found_fwd->listen_host = found_fwd->connect_host = NULL; found_fwd->listen_port = found_fwd->connect_port = 0; } else { @@ -874,12 +861,9 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_put_cstring(r, error_reason); } out: - if (fwd_desc != NULL) - xfree(fwd_desc); - if (fwd.listen_host != NULL) - xfree(fwd.listen_host); - if (fwd.connect_host != NULL) - xfree(fwd.connect_host); + free(fwd_desc); + free(fwd.listen_host); + free(fwd.connect_host); return ret; } @@ -896,14 +880,12 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || (chost = buffer_get_string_ret(m, NULL)) == NULL || buffer_get_int_ret(&cport, m) != 0) { - if (reserved != NULL) - xfree(reserved); - if (chost != NULL) - xfree(chost); + free(reserved); + free(chost); error("%s: malformed message", __func__); return -1; } - xfree(reserved); + free(reserved); debug2("%s: channel %d: request stdio fwd to %s:%u", __func__, c->self, chost, cport); @@ -915,7 +897,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) __func__, i); for (j = 0; j < i; j++) close(new_fd[j]); - xfree(chost); + free(chost); /* prepare reply */ buffer_put_int(r, MUX_S_FAILURE); @@ -939,7 +921,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) cleanup: close(new_fd[0]); close(new_fd[1]); - xfree(chost); + free(chost); return 0; } 
@@ -1001,7 +983,7 @@ process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r) if (mux_listener_channel != NULL) { channel_free(mux_listener_channel); client_stop_mux(); - xfree(options.control_path); + free(options.control_path); options.control_path = NULL; mux_listener_channel = NULL; muxserver_sock = -1; @@ -1198,8 +1180,8 @@ muxserver_listen(void) close(muxserver_sock); muxserver_sock = -1; } - xfree(orig_control_path); - xfree(options.control_path); + free(orig_control_path); + free(options.control_path); options.control_path = NULL; options.control_master = SSHCTL_MASTER_NO; return; @@ -1224,7 +1206,7 @@ muxserver_listen(void) goto disable_mux_master; } unlink(options.control_path); - xfree(options.control_path); + free(options.control_path); options.control_path = orig_control_path; set_nonblock(muxserver_sock); @@ -1309,13 +1291,13 @@ mux_session_confirm(int id, int success, void *arg) cc->mux_pause = 0; /* start processing messages again */ c->open_confirm_ctx = NULL; buffer_free(&cctx->cmd); - xfree(cctx->term); + free(cctx->term); if (cctx->env != NULL) { for (i = 0; cctx->env[i] != NULL; i++) - xfree(cctx->env[i]); - xfree(cctx->env); + free(cctx->env[i]); + free(cctx->env); } - xfree(cctx); + free(cctx); } /* ** Multiplexing client support */ @@ -1499,8 +1481,8 @@ mux_client_hello_exchange(int fd) char *value = buffer_get_string(&m, NULL); debug2("Unrecognised master extension \"%s\"", name); - xfree(name); - xfree(value); + free(name); + free(value); } buffer_free(&m); return 0; @@ -1609,7 +1591,7 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd) fwd_desc = format_forward(ftype, fwd); debug("Requesting %s %s", cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); - xfree(fwd_desc); + free(fwd_desc); buffer_init(&m); buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD); diff --git a/packet.c b/packet.c index a64bbae3..84ebd81d 100644 --- a/packet.c +++ b/packet.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.185 2013/05/16 04:09:13 dtucker Exp $ */ +/* $OpenBSD: packet.c,v 1.186 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -766,13 +766,13 @@ set_newkeys(int mode) memset(enc->iv, 0, enc->iv_len); memset(enc->key, 0, enc->key_len); memset(mac->key, 0, mac->key_len); - xfree(enc->name); - xfree(enc->iv); - xfree(enc->key); - xfree(mac->name); - xfree(mac->key); - xfree(comp->name); - xfree(active_state->newkeys[mode]); + free(enc->name); + free(enc->iv); + free(enc->key); + free(mac->name); + free(mac->key); + free(comp->name); + free(active_state->newkeys[mode]); } active_state->newkeys[mode] = kex_get_newkeys(mode); if (active_state->newkeys[mode] == NULL) @@ -1023,7 +1023,7 @@ packet_send2(void) memcpy(&active_state->outgoing_packet, &p->payload, sizeof(Buffer)); TAILQ_REMOVE(&active_state->outgoing, p, next); - xfree(p); + free(p); packet_send2_wrapped(); } } @@ -1073,7 +1073,7 @@ packet_read_seqnr(u_int32_t *seqnr_p) packet_check_eom(); /* If we got a packet, return it. */ if (type != SSH_MSG_NONE) { - xfree(setp); + free(setp); return type; } /* @@ -1460,9 +1460,9 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) packet_get_char(); msg = packet_get_string(NULL); debug("Remote: %.900s", msg); - xfree(msg); + free(msg); msg = packet_get_string(NULL); - xfree(msg); + free(msg); break; case SSH2_MSG_DISCONNECT: reason = packet_get_int(); @@ -1473,7 +1473,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, "Received disconnect from %s: %u: %.400s", get_remote_ipaddr(), reason, msg); - xfree(msg); + free(msg); cleanup_exit(255); break; case SSH2_MSG_UNIMPLEMENTED: @@ -1492,7 +1492,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) case SSH_MSG_DEBUG: msg = packet_get_string(NULL); debug("Remote: %.900s", msg); - xfree(msg); + free(msg); break; case SSH_MSG_DISCONNECT: msg = packet_get_string(NULL); 
@@ -1780,7 +1780,7 @@ packet_write_wait(void) } packet_write_poll(); } - xfree(setp); + free(setp); } /* Returns true if there is buffered data to write to the connection. */ diff --git a/readconf.c b/readconf.c index 30c1e83b..45cf910f 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.201 2013/05/16 10:43:34 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.202 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -308,22 +308,20 @@ clear_forwardings(Options *options) int i; for (i = 0; i < options->num_local_forwards; i++) { - if (options->local_forwards[i].listen_host != NULL) - xfree(options->local_forwards[i].listen_host); - xfree(options->local_forwards[i].connect_host); + free(options->local_forwards[i].listen_host); + free(options->local_forwards[i].connect_host); } if (options->num_local_forwards > 0) { - xfree(options->local_forwards); + free(options->local_forwards); options->local_forwards = NULL; } options->num_local_forwards = 0; for (i = 0; i < options->num_remote_forwards; i++) { - if (options->remote_forwards[i].listen_host != NULL) - xfree(options->remote_forwards[i].listen_host); - xfree(options->remote_forwards[i].connect_host); + free(options->remote_forwards[i].listen_host); + free(options->remote_forwards[i].connect_host); } if (options->num_remote_forwards > 0) { - xfree(options->remote_forwards); + free(options->remote_forwards); options->remote_forwards = NULL; } options->num_remote_forwards = 0; @@ -1456,7 +1454,7 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) i = 0; /* failure */ } - xfree(p); + free(p); if (dynamicfwd) { if (!(i == 1 || i == 2)) 
@@ -1482,13 +1480,9 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) return (i); fail_free: - if (fwd->connect_host != NULL) { - xfree(fwd->connect_host); - fwd->connect_host = NULL; - } - if (fwd->listen_host != NULL) { - xfree(fwd->listen_host); - fwd->listen_host = NULL; - } + free(fwd->connect_host); + fwd->connect_host = NULL; + free(fwd->listen_host); + fwd->listen_host = NULL; return (0); } diff --git a/readpass.c b/readpass.c index 599c8ef9..e37d3115 100644 --- a/readpass.c +++ b/readpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readpass.c,v 1.48 2010/12/15 00:49:27 djm Exp $ */ +/* $OpenBSD: readpass.c,v 1.49 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -186,7 +186,7 @@ ask_permission(const char *fmt, ...) if (*p == '\0' || *p == '\n' || strcasecmp(p, "yes") == 0) allowed = 1; - xfree(p); + free(p); } return (allowed); diff --git a/roaming_client.c b/roaming_client.c index 48009d78..81c49682 100644 --- a/roaming_client.c +++ b/roaming_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: roaming_client.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -187,10 +187,10 @@ roaming_resume(void) debug("server doesn't allow resume"); goto fail; } - xfree(str); + free(str); for (i = 1; i < PROPOSAL_MAX; i++) { /* kex algorithm taken care of so start with i=1 and not 0 */ - xfree(packet_get_string(&len)); + free(packet_get_string(&len)); } i = packet_get_char(); /* first_kex_packet_follows */ if (i && (c = strchr(kexlist, ','))) @@ -226,8 +226,7 @@ roaming_resume(void) return 0; fail: - if (kexlist) - xfree(kexlist); + free(kexlist); if (packet_get_connection_in() == packet_get_connection_out()) close(packet_get_connection_in()); else { diff --git a/rsa.c b/rsa.c index bec1d190..a9ee6b0e 100644 --- a/rsa.c +++ b/rsa.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: rsa.c,v 1.30 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -96,8 +96,8 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key) memset(outbuf, 0, olen); memset(inbuf, 0, ilen); - xfree(outbuf); - xfree(inbuf); + free(outbuf); + free(inbuf); } int @@ -122,8 +122,8 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key) } memset(outbuf, 0, olen); memset(inbuf, 0, ilen); - xfree(outbuf); - xfree(inbuf); + free(outbuf); + free(inbuf); return len; } diff --git a/schnorr.c b/schnorr.c index 05c2e775..9549dcf0 100644 --- a/schnorr.c +++ b/schnorr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: schnorr.c,v 1.6 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: schnorr.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -102,7 +102,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, out: buffer_free(&b); bzero(digest, digest_len); - xfree(digest); + free(digest); digest_len = 0; if (success == 0) return h; @@ -573,7 +573,7 @@ modp_group_free(struct modp_group *grp) if (grp->q != NULL) BN_clear_free(grp->q); bzero(grp, sizeof(*grp)); - xfree(grp); + free(grp); } /* main() function for self-test */ @@ -608,7 +608,7 @@ schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q, if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4, sig, siglen) != 0) fatal("%s: verify should have failed (bit error)", __func__); - xfree(sig); + free(sig); BN_free(g_x); BN_CTX_free(bn_ctx); } diff --git a/scp.c b/scp.c index ae3d3880..32e9d00b 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.172 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: scp.c,v 1.173 2013/05/17 00:13:14 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). 
@@ -578,7 +578,7 @@ toremote(char *targ, int argc, char **argv) } if (tuser != NULL && !okname(tuser)) { - xfree(arg); + free(arg); return; } @@ -605,13 +605,13 @@ toremote(char *targ, int argc, char **argv) *src == '-' ? "-- " : "", src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) exit(1); - (void) xfree(bp); + free(bp); host = cleanhostname(thost); xasprintf(&bp, "%s -t %s%s", cmd, *targ == '-' ? "-- " : "", targ); if (do_cmd2(host, tuser, bp, remin, remout) < 0) exit(1); - (void) xfree(bp); + free(bp); (void) close(remin); (void) close(remout); remin = remout = -1; @@ -662,12 +662,12 @@ toremote(char *targ, int argc, char **argv) exit(1); if (response() < 0) exit(1); - (void) xfree(bp); + free(bp); } source(1, argv + i); } } - xfree(arg); + free(arg); } void @@ -711,11 +711,11 @@ tolocal(int argc, char **argv) xasprintf(&bp, "%s -f %s%s", cmd, *src == '-' ? "-- " : "", src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) { - (void) xfree(bp); + free(bp); ++errs; continue; } - xfree(bp); + free(bp); sink(1, argv + argc - 1); (void) close(remin); remin = remout = -1; @@ -1023,8 +1023,7 @@ sink(int argc, char **argv) need = strlen(targ) + strlen(cp) + 250; if (need > cursize) { - if (namebuf) - xfree(namebuf); + free(namebuf); namebuf = xmalloc(need); cursize = need; } @@ -1063,8 +1062,7 @@ sink(int argc, char **argv) } if (mod_flag) (void) chmod(vect[0], mode); - if (vect[0]) - xfree(vect[0]); + free(vect[0]); continue; } omode = mode; diff --git a/servconf.c b/servconf.c index 90f6d465..36b8efec 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.238 2013/05/16 10:44:06 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.239 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -520,7 +520,7 @@ derelativise_path(const char *path) if (getcwd(cwd, sizeof(cwd)) == NULL) fatal("%s: getcwd: %s", __func__, strerror(errno)); xasprintf(&ret, "%s/%s", cwd, expanded); - xfree(expanded); + free(expanded); return ret; } @@ -1713,8 +1713,7 @@ int server_match_spec_complete(struct connection_info *ci) } while (0) #define M_CP_STROPT(n) do {\ if (src->n != NULL) { \ - if (dst->n != NULL) \ - xfree(dst->n); \ + free(dst->n); \ dst->n = src->n; \ } \ } while(0) @@ -1798,7 +1797,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, linenum++, &active, connectinfo) != 0) bad_options++; } - xfree(obuf); + free(obuf); if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); diff --git a/serverloop.c b/serverloop.c index a61d4ad3..7c250b22 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.166 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.167 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -694,7 +694,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) /* Display list of open channels. */ cp = channel_open_message(); buffer_append(&stderr_buffer, cp, strlen(cp)); - xfree(cp); + free(cp); } } max_fd = MAX(connection_in, connection_out); @@ -722,10 +722,8 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) /* Process output to the client and to program stdin. */ process_output(writeset); } - if (readset) - xfree(readset); - if (writeset) - xfree(writeset); + free(readset); + free(writeset); /* Cleanup and termination code. */ @@ -885,10 +883,8 @@ server_loop2(Authctxt *authctxt) } collect_children(); - if (readset) - xfree(readset); - if (writeset) - xfree(writeset); + free(readset); + free(writeset); /* free all channels, no more reads and writes */ channel_free_all(); 
@@ -923,7 +919,7 @@ server_input_stdin_data(int type, u_int32_t seq, void *ctxt) packet_check_eom(); buffer_append(&stdin_buffer, data, data_len); memset(data, 0, data_len); - xfree(data); + free(data); } static void @@ -980,8 +976,8 @@ server_request_direct_tcpip(void) originator, originator_port, target, target_port); } - xfree(originator); - xfree(target); + free(originator); + free(target); return c; } @@ -1110,7 +1106,7 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt) } packet_send(); } - xfree(ctype); + free(ctype); } static void @@ -1155,7 +1151,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) listen_address, listen_port, &allocated_listen_port, options.gateway_ports); } - xfree(listen_address); + free(listen_address); } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) { char *cancel_address; u_short cancel_port; @@ -1167,7 +1163,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) success = channel_cancel_rport_listener(cancel_address, cancel_port); - xfree(cancel_address); + free(cancel_address); } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) { no_more_sessions = 1; success = 1; @@ -1180,7 +1176,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) packet_send(); packet_write_wait(); } - xfree(rtype); + free(rtype); } static void @@ -1212,7 +1208,7 @@ server_input_channel_req(int type, u_int32_t seq, void *ctxt) packet_put_int(c->remote_id); packet_send(); } - xfree(rtype); + free(rtype); } static void diff --git a/session.c b/session.c index 4c4461de..f47cc178 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.264 2013/04/19 01:03:01 djm Exp $ */ +/* $OpenBSD: session.c,v 1.265 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -199,7 +199,7 @@ auth_input_request_forwarding(struct passwd * pw) packet_send_debug("Agent forwarding disabled: " "mkdtemp() failed: %.100s", strerror(errno)); restore_uid(); - xfree(auth_sock_dir); + free(auth_sock_dir); auth_sock_dir = NULL; goto authsock_err; } @@ -244,11 +244,10 @@ auth_input_request_forwarding(struct passwd * pw) return 1; authsock_err: - if (auth_sock_name != NULL) - xfree(auth_sock_name); + free(auth_sock_name); if (auth_sock_dir != NULL) { rmdir(auth_sock_dir); - xfree(auth_sock_dir); + free(auth_sock_dir); } if (sock != -1) close(sock); @@ -364,8 +363,8 @@ do_authenticated1(Authctxt *authctxt) packet_check_eom(); success = session_setup_x11fwd(s); if (!success) { - xfree(s->auth_proto); - xfree(s->auth_data); + free(s->auth_proto); + free(s->auth_data); s->auth_proto = NULL; s->auth_data = NULL; } @@ -412,7 +411,7 @@ do_authenticated1(Authctxt *authctxt) if (do_exec(s, command) != 0) packet_disconnect( "command execution failed"); - xfree(command); + free(command); } else { if (do_exec(s, NULL) != 0) packet_disconnect( @@ -977,7 +976,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, break; if (env[i]) { /* Reuse the slot. */ - xfree(env[i]); + free(env[i]); } else { /* New variable. Expand if necessary. */ envsize = *envsizep; @@ -1219,8 +1218,8 @@ do_setup_env(Session *s, const char *shell) child_set_env(&env, &envsize, str, str + i + 1); } custom_environment = ce->next; - xfree(ce->s); - xfree(ce); + free(ce->s); + free(ce); } } @@ -1232,7 +1231,7 @@ do_setup_env(Session *s, const char *shell) laddr = get_local_ipaddr(packet_get_connection_in()); snprintf(buf, sizeof buf, "%.50s %d %.50s %d", get_remote_ipaddr(), get_remote_port(), laddr, get_local_port()); - xfree(laddr); + free(laddr); child_set_env(&env, &envsize, "SSH_CONNECTION", buf); if (s->ttyfd != -1) @@ -1403,7 +1402,7 @@ do_nologin(struct passwd *pw) #endif if (stat(nl, &sb) == -1) { if (nl != def_nl) - xfree(nl); + free(nl); return; } 
@@ -2054,7 +2053,7 @@ session_pty_req(Session *s) s->ypixel = packet_get_int(); if (strcmp(s->term, "") == 0) { - xfree(s->term); + free(s->term); s->term = NULL; } @@ -2062,8 +2061,7 @@ session_pty_req(Session *s) debug("Allocating pty."); if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) { - if (s->term) - xfree(s->term); + free(s->term); s->term = NULL; s->ptyfd = -1; s->ttyfd = -1; @@ -2124,7 +2122,7 @@ session_subsystem_req(Session *s) logit("subsystem request for %.100s failed, subsystem not found", subsys); - xfree(subsys); + free(subsys); return success; } @@ -2146,8 +2144,8 @@ session_x11_req(Session *s) success = session_setup_x11fwd(s); if (!success) { - xfree(s->auth_proto); - xfree(s->auth_data); + free(s->auth_proto); + free(s->auth_data); s->auth_proto = NULL; s->auth_data = NULL; } @@ -2169,7 +2167,7 @@ session_exec_req(Session *s) char *command = packet_get_string(&len); packet_check_eom(); success = do_exec(s, command) == 0; - xfree(command); + free(command); return success; } @@ -2215,8 +2213,8 @@ session_env_req(Session *s) debug2("Ignoring env request %s: disallowed name", name); fail: - xfree(name); - xfree(val); + free(name); + free(val); return (0); } @@ -2398,24 +2396,16 @@ session_close_single_x11(int id, void *arg) if (s->x11_chanids[i] != id) session_close_x11(s->x11_chanids[i]); } - xfree(s->x11_chanids); + free(s->x11_chanids); s->x11_chanids = NULL; - if (s->display) { - xfree(s->display); - s->display = NULL; - } - if (s->auth_proto) { - xfree(s->auth_proto); - s->auth_proto = NULL; - } - if (s->auth_data) { - xfree(s->auth_data); - s->auth_data = NULL; - } - if (s->auth_display) { - xfree(s->auth_display); - s->auth_display = NULL; - } + free(s->display); + s->display = NULL; + free(s->auth_proto); + s->auth_proto = NULL; + free(s->auth_data); + s->auth_data = NULL; + free(s->auth_display); + s->auth_display = NULL; } static void 
@@ -2477,24 +2467,18 @@ session_close(Session *s) debug("session_close: session %d pid %ld", s->self, (long)s->pid); if (s->ttyfd != -1) session_pty_cleanup(s); - if (s->term) - xfree(s->term); - if (s->display) - xfree(s->display); - if (s->x11_chanids) - xfree(s->x11_chanids); - if (s->auth_display) - xfree(s->auth_display); - if (s->auth_data) - xfree(s->auth_data); - if (s->auth_proto) - xfree(s->auth_proto); + free(s->term); + free(s->display); + free(s->x11_chanids); + free(s->auth_display); + free(s->auth_data); + free(s->auth_proto); if (s->env != NULL) { for (i = 0; i < s->num_env; i++) { - xfree(s->env[i].name); - xfree(s->env[i].val); + free(s->env[i].name); + free(s->env[i].val); } - xfree(s->env); + free(s->env); } session_proctitle(s); session_unused(s->self); diff --git a/sftp-client.c b/sftp-client.c index 85f2bd44..038e1c34 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.97 2012/07/02 12:13:26 dtucker Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.98 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -394,8 +394,8 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests, } else { debug2("Unrecognised server extension \"%s\"", name); } - xfree(name); - xfree(value); + free(name); + free(value); } buffer_free(&msg); @@ -509,7 +509,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, error("Couldn't read directory: %s", fx2txt(status)); do_close(conn, handle, handle_len); - xfree(handle); + free(handle); buffer_free(&msg); return(status); } @@ -552,14 +552,14 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, (*dir)[++ents] = NULL; } next: - xfree(filename); - xfree(longname); + free(filename); + free(longname); } } buffer_free(&msg); do_close(conn, handle, handle_len); - xfree(handle); + free(handle); /* Don't return partial matches on interrupt */ if (interrupted && dir != NULL && *dir != NULL) { 
@@ -582,11 +582,11 @@ void free_sftp_dirents(SFTP_DIRENT **s) int i; for (i = 0; s[i]; i++) { - xfree(s[i]->filename); - xfree(s[i]->longname); - xfree(s[i]); + free(s[i]->filename); + free(s[i]->longname); + free(s[i]); } - xfree(s); + free(s); } int @@ -760,7 +760,7 @@ do_realpath(struct sftp_conn *conn, char *path) debug3("SSH_FXP_REALPATH %s -> %s size %lu", path, filename, (unsigned long)a->size); - xfree(longname); + free(longname); buffer_free(&msg); @@ -907,7 +907,7 @@ do_readlink(struct sftp_conn *conn, char *path) debug3("SSH_FXP_READLINK %s -> %s", path, filename); - xfree(longname); + free(longname); buffer_free(&msg); @@ -1057,7 +1057,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, local_path, strerror(errno)); do_close(conn, handle, handle_len); buffer_free(&msg); - xfree(handle); + free(handle); return(-1); } @@ -1121,7 +1121,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, read_error = 1; max_req = 0; TAILQ_REMOVE(&requests, req, tq); - xfree(req); + free(req); num_req--; break; case SSH2_FXP_DATA: @@ -1140,11 +1140,11 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, max_req = 0; } progress_counter += len; - xfree(data); + free(data); if (len == req->len) { TAILQ_REMOVE(&requests, req, tq); - xfree(req); + free(req); num_req--; } else { /* Resend the request for the missing data */ @@ -1220,7 +1220,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, } close(local_fd); buffer_free(&msg); - xfree(handle); + free(handle); return(status); } @@ -1292,8 +1292,8 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, } else logit("%s: not a regular file\n", new_src); - xfree(new_dst); - xfree(new_src); + free(new_dst); + free(new_src); } if (pflag) { 
@@ -1329,7 +1329,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst, ret = download_dir_internal(conn, src_canon, dst, dirattrib, pflag, printflag, 0); - xfree(src_canon); + free(src_canon); return ret; } @@ -1481,7 +1481,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, debug3("In write loop, ack for %u %u bytes at %lld", ack->id, ack->len, (long long)ack->offset); ++ackid; - xfree(ack); + free(ack); } offset += len; if (offset < 0) @@ -1491,7 +1491,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, if (showprogress) stop_progress_meter(); - xfree(data); + free(data); if (status != SSH2_FX_OK) { error("Couldn't write to remote file \"%s\": %s", @@ -1511,7 +1511,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, if (do_close(conn, handle, handle_len) != SSH2_FX_OK) status = -1; - xfree(handle); + free(handle); return status; } @@ -1597,8 +1597,8 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, } } else logit("%s: not a regular file\n", filename); - xfree(new_dst); - xfree(new_src); + free(new_dst); + free(new_src); } do_setstat(conn, dst, &a); @@ -1620,7 +1620,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag, } ret = upload_dir_internal(conn, src, dst_canon, pflag, printflag, 0); - xfree(dst_canon); + free(dst_canon); return ret; } diff --git a/sftp-common.c b/sftp-common.c index a042875c..413efc20 100644 --- a/sftp-common.c +++ b/sftp-common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.c,v 1.23 2010/01/15 09:24:23 markus Exp $ */ +/* $OpenBSD: sftp-common.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Damien Miller. All rights reserved. 
@@ -128,8 +128,8 @@ decode_attrib(Buffer *b) type = buffer_get_string(b, NULL); data = buffer_get_string(b, NULL); debug3("Got file attribute \"%s\"", type); - xfree(type); - xfree(data); + free(type); + free(data); } } return &a; diff --git a/sftp-glob.c b/sftp-glob.c index 06bf157c..79b7bdb2 100644 --- a/sftp-glob.c +++ b/sftp-glob.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-glob.c,v 1.23 2011/10/04 14:17:32 djm Exp $ */ +/* $OpenBSD: sftp-glob.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -51,7 +51,7 @@ fudge_opendir(const char *path) r = xmalloc(sizeof(*r)); if (do_readdir(cur.conn, (char *)path, &r->dir)) { - xfree(r); + free(r); return(NULL); } @@ -103,7 +103,7 @@ static void fudge_closedir(struct SFTP_OPENDIR *od) { free_sftp_dirents(od->dir); - xfree(od); + free(od); } static int diff --git a/sftp-server.c b/sftp-server.c index cce074a5..285f21aa 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.96 2013/01/04 19:26:38 jmc Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.97 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -319,11 +319,11 @@ handle_close(int handle) if (handle_is_ok(handle, HANDLE_FILE)) { ret = close(handles[handle].fd); - xfree(handles[handle].name); + free(handles[handle].name); handle_unused(handle); } else if (handle_is_ok(handle, HANDLE_DIR)) { ret = closedir(handles[handle].dirp); - xfree(handles[handle].name); + free(handles[handle].name); handle_unused(handle); } else { errno = ENOENT; @@ -367,7 +367,7 @@ get_handle(void) handle = get_string(&hlen); if (hlen < 256) val = handle_from_string(handle, hlen); - xfree(handle); + free(handle); return val; } @@ -450,7 +450,7 @@ send_handle(u_int32_t id, int handle) handle_to_string(handle, &string, &hlen); debug("request %u: sent handle handle %d", id, handle); send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen); - xfree(string); + free(string); } static void 
@@ -578,7 +578,7 @@ process_open(void) } if (status != SSH2_FX_OK) send_status(id, status); - xfree(name); + free(name); } static void @@ -679,7 +679,7 @@ process_write(void) } } send_status(id, status); - xfree(data); + free(data); } static void @@ -705,7 +705,7 @@ process_do_stat(int do_lstat) } if (status != SSH2_FX_OK) send_status(id, status); - xfree(name); + free(name); } static void @@ -807,7 +807,7 @@ process_setstat(void) status = errno_to_portable(errno); } send_status(id, status); - xfree(name); + free(name); } static void @@ -904,7 +904,7 @@ process_opendir(void) } if (status != SSH2_FX_OK) send_status(id, status); - xfree(path); + free(path); } static void @@ -953,13 +953,13 @@ process_readdir(void) if (count > 0) { send_names(id, count, stats); for (i = 0; i < count; i++) { - xfree(stats[i].name); - xfree(stats[i].long_name); + free(stats[i].name); + free(stats[i].long_name); } } else { send_status(id, SSH2_FX_EOF); } - xfree(stats); + free(stats); } } @@ -982,7 +982,7 @@ process_remove(void) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(name); + free(name); } static void @@ -1007,7 +1007,7 @@ process_mkdir(void) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(name); + free(name); } static void @@ -1028,7 +1028,7 @@ process_rmdir(void) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(name); + free(name); } static void @@ -1041,7 +1041,7 @@ process_realpath(void) id = get_int(); path = get_string(NULL); if (path[0] == '\0') { - xfree(path); + free(path); path = xstrdup("."); } debug3("request %u: realpath", id); @@ -1054,7 +1054,7 @@ process_realpath(void) s.name = s.long_name = resolvedname; send_names(id, 1, &s); } - xfree(path); + free(path); } static void 
@@ -1115,8 +1115,8 @@ process_rename(void) status = SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1141,7 +1141,7 @@ process_readlink(void) s.name = s.long_name = buf; send_names(id, 1, &s); } - xfree(path); + free(path); } static void @@ -1164,8 +1164,8 @@ process_symlink(void) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1185,8 +1185,8 @@ process_extended_posix_rename(u_int32_t id) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1203,7 +1203,7 @@ process_extended_statvfs(u_int32_t id) send_status(id, errno_to_portable(errno)); else send_statvfs(id, &st); - xfree(path); + free(path); } static void @@ -1242,8 +1242,8 @@ process_extended_hardlink(u_int32_t id) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1264,7 +1264,7 @@ process_extended(void) process_extended_hardlink(id); else send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */ - xfree(request); + free(request); } /* stolen from ssh-agent */ diff --git a/sftp.c b/sftp.c index 12c4958d..a723fa64 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.144 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: sftp.c,v 1.145 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -309,7 +309,7 @@ local_do_ls(const char *args) /* XXX: quoting - rip quoting code from ftp? */ snprintf(buf, len, _PATH_LS " %s", args); local_do_shell(buf); - xfree(buf); + free(buf); } } 
@@ -340,7 +340,7 @@ make_absolute(char *p, char *pwd) /* Derelativise */ if (p && p[0] != '/') { abs_str = path_append(pwd, p); - xfree(p); + free(p); return(abs_str); } else return(p); @@ -550,7 +550,7 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, tmp = xstrdup(g.gl_pathv[i]); if ((filename = basename(tmp)) == NULL) { error("basename %s: %s", tmp, strerror(errno)); - xfree(tmp); + free(tmp); err = -1; goto out; } @@ -566,7 +566,7 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, } else { abs_dst = xstrdup(filename); } - xfree(tmp); + free(tmp); if (!quiet) printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); @@ -579,12 +579,12 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, pflag || global_pflag) == -1) err = -1; } - xfree(abs_dst); + free(abs_dst); abs_dst = NULL; } out: - xfree(abs_src); + free(abs_src); globfree(&g); return(err); } @@ -636,7 +636,7 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, tmp = xstrdup(g.gl_pathv[i]); if ((filename = basename(tmp)) == NULL) { error("basename %s: %s", tmp, strerror(errno)); - xfree(tmp); + free(tmp); err = -1; goto out; } @@ -652,7 +652,7 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, } else { abs_dst = make_absolute(xstrdup(filename), pwd); } - xfree(tmp); + free(tmp); if (!quiet) printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); @@ -668,10 +668,8 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, } out: - if (abs_dst) - xfree(abs_dst); - if (tmp_dst) - xfree(tmp_dst); + free(abs_dst); + free(tmp_dst); globfree(&g); return(err); } @@ -719,7 +717,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) /* Add any subpath that also needs to be counted */ tmp = path_strip(path, strip_path); m += strlen(tmp); - xfree(tmp); + free(tmp); if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) width = ws.ws_col; 
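Review bot: The unconditional `free(abs_dst);` at the `out:` label of process_put is only safe if abs_dst is NULL whenever the loop body has already released it; the sibling process_get hunk above resets with `abs_dst = NULL;` right after its per-iteration free, but the tail of process_put's loop is not in this hunk, so I cannot confirm the same reset exists there. If it does not, an error path that frees abs_dst inside the loop and then jumps to `out:` frees it a second time, which the old `if (abs_dst)` guard would not have prevented either but the new form makes easier to miss. Worth checking that the loop ends with `free(abs_dst); abs_dst = NULL;` exactly as process_get does. process_put begins outside this hunk.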
@@ -745,7 +743,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) tmp = path_append(path, d[n]->filename); fname = path_strip(tmp, strip_path); - xfree(tmp); + free(tmp); if (lflag & LS_LONG_VIEW) { if (lflag & (LS_NUMERIC_VIEW|LS_SI_UNITS)) { @@ -757,7 +755,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) lname = ls_file(fname, &sb, 1, (lflag & LS_SI_UNITS)); printf("%s\n", lname); - xfree(lname); + free(lname); } else printf("%s\n", d[n]->longname); } else { @@ -769,7 +767,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) c++; } - xfree(fname); + free(fname); } if (!(lflag & LS_LONG_VIEW) && (c != 1)) @@ -839,7 +837,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, lname = ls_file(fname, g.gl_statv[i], 1, (lflag & LS_SI_UNITS)); printf("%s\n", lname); - xfree(lname); + free(lname); } else { printf("%-*s", colspace, fname); if (c >= columns) { @@ -848,7 +846,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, } else c++; } - xfree(fname); + free(fname); } if (!(lflag & LS_LONG_VIEW) && (c != 1)) @@ -1365,24 +1363,24 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, break; } if ((aa = do_stat(conn, tmp, 0)) == NULL) { - xfree(tmp); + free(tmp); err = 1; break; } if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) { error("Can't change directory: Can't check target"); - xfree(tmp); + free(tmp); err = 1; break; } if (!S_ISDIR(aa->perm)) { error("Can't change directory: \"%s\" is not " "a directory", tmp); - xfree(tmp); + free(tmp); err = 1; break; } - xfree(*pwd); + free(*pwd); *pwd = tmp; break; case I_LS: 
@@ -1515,10 +1513,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, if (g.gl_pathc) globfree(&g); - if (path1) - xfree(path1); - if (path2) - xfree(path2); + free(path1); + free(path2); /* If an unignored error occurs in batch mode we should abort. */ if (err_abort && err != 0) @@ -1628,8 +1624,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, complete_display(list, 0); for (y = 0; list[y] != NULL; y++) - xfree(list[y]); - xfree(list); + free(list[y]); + free(list); return count; } @@ -1642,7 +1638,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, list[count] = NULL; if (count == 0) { - xfree(list); + free(list); return 0; } @@ -1652,8 +1648,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, complete_display(list, 0); for (y = 0; list[y]; y++) - xfree(list[y]); - xfree(list); + free(list[y]); + free(list); if (tmp != NULL) { tmplen = strlen(tmp); @@ -1674,7 +1670,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, if (y > 0 && el_insertstr(el, argterm) == -1) fatal("el_insertstr failed."); } - xfree(tmp); + free(tmp); } return count; @@ -1738,7 +1734,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (tmp[tmplen] == '/') pwdlen = tmplen + 1; /* track last seen '/' */ } - xfree(tmp); + free(tmp); if (g.gl_matchc == 0) goto out; @@ -1753,7 +1749,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc); tmp = path_strip(tmp2, isabs ? NULL : remote_path); - xfree(tmp2); + free(tmp2); if (tmp == NULL) goto out; @@ -1815,7 +1811,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (i > 0 && el_insertstr(el, ins) == -1) fatal("el_insertstr failed."); } - xfree(tmp); + free(tmp); out: globfree(&g); 
@@ -1841,7 +1837,7 @@ complete(EditLine *el, int ch) memcpy(line, lf->buffer, cursor); line[cursor] = '\0'; argv = makeargv(line, &carg, 1, "e, &terminated); - xfree(line); + free(line); /* Get all the arguments on the line */ len = lf->lastchar - lf->buffer; @@ -1853,7 +1849,7 @@ complete(EditLine *el, int ch) /* Ensure cursor is at EOL or a argument boundary */ if (line[cursor] != ' ' && line[cursor] != '\0' && line[cursor] != '\n') { - xfree(line); + free(line); return ret; } @@ -1881,7 +1877,7 @@ complete(EditLine *el, int ch) ret = CC_REDISPLAY; } - xfree(line); + free(line); return ret; } #endif /* USE_LIBEDIT */ @@ -1938,9 +1934,9 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); if (parse_dispatch_command(conn, cmd, &remote_path, 1) != 0) { - xfree(dir); - xfree(remote_path); - xfree(conn); + free(dir); + free(remote_path); + free(conn); return (-1); } } else { @@ -1953,12 +1949,12 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) err = parse_dispatch_command(conn, cmd, &remote_path, 1); - xfree(dir); - xfree(remote_path); - xfree(conn); + free(dir); + free(remote_path); + free(conn); return (err); } - xfree(dir); + free(dir); } setlinebuf(stdout); @@ -2016,8 +2012,8 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) if (err != 0) break; } - xfree(remote_path); - xfree(conn); + free(remote_path); + free(conn); #ifdef USE_LIBEDIT if (el != NULL) diff --git a/ssh-add.c b/ssh-add.c index 00808470..5e8166f6 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.106 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -90,7 +90,7 @@ clear_pass(void) { if (pass) { memset(pass, 0, strlen(pass)); - xfree(pass); + free(pass); pass = NULL; } } 
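Review bot: In clear_pass the `memset(pass, 0, strlen(pass));` immediately before the new `free(pass);` is a dead store from the compiler's point of view, because the buffer is never read afterwards, and an optimizer is permitted to drop it, leaving the passphrase in freed heap memory. The same memset-then-free pattern appears in the ssh-agent.c and ssh-keygen.c hunks of this commit, so the issue is systematic rather than local to this function. Consider routing these through a scrub helper that cannot be elided, such as a volatile-pointer byte loop or `explicit_bzero(pass, strlen(pass));` where the platform provides it.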
@@ -215,7 +215,7 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) pass = read_passphrase(msg, RP_ALLOW_STDIN); if (strcmp(pass, "") == 0) { clear_pass(); - xfree(comment); + free(comment); buffer_free(&keyblob); return -1; } @@ -282,8 +282,8 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) fprintf(stderr, "The user must confirm each use of the key\n"); out: if (certpath != NULL) - xfree(certpath); - xfree(comment); + free(certpath); + free(comment); key_free(private); return ret; @@ -308,7 +308,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id) add ? "add" : "remove", id); ret = -1; } - xfree(pin); + free(pin); return ret; } @@ -330,14 +330,14 @@ list_identities(AuthenticationConnection *ac, int do_fp) SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); - xfree(fp); + free(fp); } else { if (!key_write(key, stdout)) fprintf(stderr, "key_write failed"); fprintf(stdout, " %s\n", comment); } key_free(key); - xfree(comment); + free(comment); } } if (!had_identities) { @@ -363,7 +363,7 @@ lock_agent(AuthenticationConnection *ac, int lock) passok = 0; } memset(p2, 0, strlen(p2)); - xfree(p2); + free(p2); } if (passok && ssh_lock_agent(ac, lock, p1)) { fprintf(stderr, "Agent %slocked.\n", lock ? "" : "un"); @@ -371,7 +371,7 @@ lock_agent(AuthenticationConnection *ac, int lock) } else fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un"); memset(p1, 0, strlen(p1)); - xfree(p1); + free(p1); return (ret); } diff --git a/ssh-agent.c b/ssh-agent.c index b9498e6e..3f94851e 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.172 2011/06/03 01:37:40 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.173 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
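Review bot: update_card releases the token PIN with a bare `free(pin);` while clear_pass in the same file zeroes its passphrase before freeing, so the PIN stays readable in freed heap memory here. The PIN is at least as sensitive as a key passphrase and should get the same treatment, e.g. `memset(pin, 0, strlen(pin));` before `free(pin);`, ideally through the same non-elidable scrub helper so the two paths cannot drift apart. The beginning of update_card, where pin is read, lies outside this hunk.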
@@ -172,10 +172,9 @@ static void free_identity(Identity *id) { key_free(id->key); - if (id->provider != NULL) - xfree(id->provider); - xfree(id->comment); - xfree(id); + free(id->provider); + free(id->comment); + free(id); } /* return matching private key for given public key */ @@ -203,7 +202,7 @@ confirm_key(Identity *id) if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", id->comment, p)) ret = 0; - xfree(p); + free(p); return (ret); } @@ -230,7 +229,7 @@ process_request_identities(SocketEntry *e, int version) u_int blen; key_to_blob(id->key, &blob, &blen); buffer_put_string(&msg, blob, blen); - xfree(blob); + free(blob); } buffer_put_cstring(&msg, id->comment); } @@ -348,10 +347,9 @@ process_sign_request2(SocketEntry *e) buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg)); buffer_free(&msg); - xfree(data); - xfree(blob); - if (signature != NULL) - xfree(signature); + free(data); + free(blob); + free(signature); datafellows = odatafellows; } @@ -378,7 +376,7 @@ process_remove_identity(SocketEntry *e, int version) case 2: blob = buffer_get_string(&e->request, &blen); key = key_from_blob(blob, blen); - xfree(blob); + free(blob); break; } if (key != NULL) { @@ -509,7 +507,7 @@ process_add_identity(SocketEntry *e, int version) cert = buffer_get_string(&e->request, &len); if ((k = key_from_blob(cert, len)) == NULL) fatal("Certificate parse failed"); - xfree(cert); + free(cert); key_add_private(k); buffer_get_bignum2(&e->request, k->dsa->priv_key); break; @@ -520,7 +518,7 @@ process_add_identity(SocketEntry *e, int version) curve = buffer_get_string(&e->request, NULL); if (k->ecdsa_nid != key_curve_name_to_nid(curve)) fatal("%s: curve names mismatch", __func__); - xfree(curve); + free(curve); k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); if (k->ecdsa == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", 
@@ -551,7 +549,7 @@ process_add_identity(SocketEntry *e, int version) cert = buffer_get_string(&e->request, &len); if ((k = key_from_blob(cert, len)) == NULL) fatal("Certificate parse failed"); - xfree(cert); + free(cert); key_add_private(k); if ((exponent = BN_new()) == NULL) fatal("%s: BN_new failed", __func__); @@ -583,7 +581,7 @@ process_add_identity(SocketEntry *e, int version) cert = buffer_get_string(&e->request, &len); if ((k = key_from_blob(cert, len)) == NULL) fatal("Certificate parse failed"); - xfree(cert); + free(cert); key_add_private(k); buffer_get_bignum2(&e->request, k->rsa->d); buffer_get_bignum2(&e->request, k->rsa->iqmp); @@ -591,11 +589,11 @@ process_add_identity(SocketEntry *e, int version) buffer_get_bignum2(&e->request, k->rsa->q); break; default: - xfree(type_name); + free(type_name); buffer_clear(&e->request); goto send; } - xfree(type_name); + free(type_name); break; } /* enable blinding */ @@ -613,7 +611,7 @@ process_add_identity(SocketEntry *e, int version) } comment = buffer_get_string(&e->request, NULL); if (k == NULL) { - xfree(comment); + free(comment); goto send; } while (buffer_len(&e->request)) { @@ -627,7 +625,7 @@ process_add_identity(SocketEntry *e, int version) default: error("process_add_identity: " "Unknown constraint type %d", type); - xfree(comment); + free(comment); key_free(k); goto send; } @@ -643,7 +641,7 @@ process_add_identity(SocketEntry *e, int version) tab->nentries++; } else { key_free(k); - xfree(id->comment); + free(id->comment); } id->comment = comment; id->death = death; @@ -665,7 +663,7 @@ process_lock_agent(SocketEntry *e, int lock) if (locked && !lock && strcmp(passwd, lock_passwd) == 0) { locked = 0; memset(lock_passwd, 0, strlen(lock_passwd)); - xfree(lock_passwd); + free(lock_passwd); lock_passwd = NULL; success = 1; } else if (!locked && lock) { 
@@ -674,7 +672,7 @@ process_lock_agent(SocketEntry *e, int lock) success = 1; } memset(passwd, 0, strlen(passwd)); - xfree(passwd); + free(passwd); buffer_put_int(&e->output, 1); buffer_put_char(&e->output, @@ -747,12 +745,9 @@ process_add_smartcard_key(SocketEntry *e) keys[i] = NULL; } send: - if (pin) - xfree(pin); - if (provider) - xfree(provider); - if (keys) - xfree(keys); + free(pin); + free(provider); + free(keys); buffer_put_int(&e->output, 1); buffer_put_char(&e->output, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); @@ -768,7 +763,7 @@ process_remove_smartcard_key(SocketEntry *e) provider = buffer_get_string(&e->request, NULL); pin = buffer_get_string(&e->request, NULL); - xfree(pin); + free(pin); for (version = 1; version < 3; version++) { tab = idtab_lookup(version); @@ -786,7 +781,7 @@ process_remove_smartcard_key(SocketEntry *e) else error("process_remove_smartcard_key:" " pkcs11_del_provider failed"); - xfree(provider); + free(provider); buffer_put_int(&e->output, 1); buffer_put_char(&e->output, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); @@ -951,10 +946,8 @@ prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp, sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); if (*fdrp == NULL || sz > *nallocp) { - if (*fdrp) - xfree(*fdrp); - if (*fdwp) - xfree(*fdwp); + free(*fdrp); + free(*fdwp); *fdrp = xmalloc(sz); *fdwp = xmalloc(sz); *nallocp = sz; diff --git a/ssh-dss.c b/ssh-dss.c index ede5e21e..322ec9fd 100644 --- a/ssh-dss.c +++ b/ssh-dss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.27 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
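Review bot: At the `send:` label of process_add_smartcard_key the PIN is released with a plain `free(pin);` and never scrubbed, whereas process_lock_agent in the preceding hunk zeroes both `passwd` and `lock_passwd` before freeing them. The PIN unlocks the token for the life of the agent, so it deserves the same care: `if (pin != NULL) memset(pin, 0, strlen(pin));` ahead of the free (the guard matters because the old `if (pin)` shows pin can be NULL on this path). process_remove_smartcard_key on the same line frees its pin the same unscrubbed way. The function begins outside the hunk.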
@@ -137,17 +137,17 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, if (strcmp("ssh-dss", ktype) != 0) { error("ssh_dss_verify: cannot handle type %s", ktype); buffer_free(&b); - xfree(ktype); + free(ktype); return -1; } - xfree(ktype); + free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("ssh_dss_verify: " "remaining bytes in signature %d", rlen); - xfree(sigblob); + free(sigblob); return -1; } } @@ -169,7 +169,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, /* clean up */ memset(sigblob, 0, len); - xfree(sigblob); + free(sigblob); /* sha1 the data */ EVP_DigestInit(&md, evp_md); diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 085468ee..76633894 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-ecdsa.c,v 1.5 2012/01/08 13:17:11 miod Exp $ */ +/* $OpenBSD: ssh-ecdsa.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -119,16 +119,16 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, if (strcmp(key_ssh_name_plain(key), ktype) != 0) { error("%s: cannot handle type %s", __func__, ktype); buffer_free(&b); - xfree(ktype); + free(ktype); return -1; } - xfree(ktype); + free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("%s: remaining bytes in signature %d", __func__, rlen); - xfree(sigblob); + free(sigblob); return -1; } @@ -149,7 +149,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, /* clean up */ memset(sigblob, 0, len); - xfree(sigblob); + free(sigblob); /* hash the data */ EVP_DigestInit(&md, evp_md); diff --git a/ssh-keygen.c b/ssh-keygen.c index 8acbcc49..f2438747 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.226 2013/04/19 01:01:00 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.227 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -252,7 +252,7 @@ load_identity(char *filename) RP_ALLOW_STDIN); prv = key_load_private(filename, pass, NULL); memset(pass, 0, strlen(pass)); - xfree(pass); + free(pass); } return prv; } @@ -288,7 +288,7 @@ do_convert_to_ssh2(struct passwd *pw, Key *k) dump_base64(stdout, blob, len); fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); key_free(k); - xfree(blob); + free(blob); exit(0); } @@ -415,12 +415,12 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) debug("ignore (%d %d %d %d)", i1, i2, i3, i4); if (strcmp(cipher, "none") != 0) { error("unsupported cipher %s", cipher); - xfree(cipher); + free(cipher); buffer_free(&b); - xfree(type); + free(type); return NULL; } - xfree(cipher); + free(cipher); if (strstr(type, "dsa")) { ktype = KEY_DSA; @@ -428,11 +428,11 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) ktype = KEY_RSA; } else { buffer_free(&b); - xfree(type); + free(type); return NULL; } key = key_new_private(ktype); - xfree(type); + free(type); switch (key->type) { case KEY_DSA: @@ -475,7 +475,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) /* try the key */ key_sign(key, &sig, &slen, data, sizeof(data)); key_verify(key, sig, slen, data, sizeof(data)); - xfree(sig); + free(sig); return key; } @@ -746,15 +746,15 @@ do_download(struct passwd *pw) fp, key_type(keys[i])); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } else { key_write(keys[i], stdout); fprintf(stdout, "\n"); } key_free(keys[i]); } - xfree(keys); + free(keys); pkcs11_terminate(); exit(0); #else 
@@ -791,13 +791,13 @@ do_fingerprint(struct passwd *pw) if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); key_free(public); - xfree(comment); - xfree(ra); - xfree(fp); + free(comment); + free(ra); + free(fp); exit(0); } if (comment) { - xfree(comment); + free(comment); comment = NULL; } @@ -856,8 +856,8 @@ do_fingerprint(struct passwd *pw) comment ? comment : "no comment", key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); key_free(public); invalid = 0; } @@ -980,8 +980,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash) key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } else { if (hash && (name = host_hash(name, NULL, 0)) == NULL) fatal("hash_host failed"); @@ -1007,7 +1007,7 @@ do_known_hosts(struct passwd *pw, const char *name) if (strlcpy(identity_file, cp, sizeof(identity_file)) >= sizeof(identity_file)) fatal("Specified known hosts path too long"); - xfree(cp); + free(cp); have_identity = 1; } if ((in = fopen(identity_file, "r")) == NULL) @@ -1238,7 +1238,7 @@ do_change_passphrase(struct passwd *pw) private = key_load_private(identity_file, old_passphrase, &comment); memset(old_passphrase, 0, strlen(old_passphrase)); - xfree(old_passphrase); + free(old_passphrase); if (private == NULL) { printf("Bad passphrase.\n"); exit(1); 
@@ -1261,30 +1261,30 @@ do_change_passphrase(struct passwd *pw) if (strcmp(passphrase1, passphrase2) != 0) { memset(passphrase1, 0, strlen(passphrase1)); memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase1); - xfree(passphrase2); + free(passphrase1); + free(passphrase2); printf("Pass phrases do not match. Try again.\n"); exit(1); } /* Destroy the other copy. */ memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase2); + free(passphrase2); } /* Save the file using the new passphrase. */ if (!key_save_private(private, identity_file, passphrase1, comment)) { printf("Saving the key failed: %s.\n", identity_file); memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + free(passphrase1); key_free(private); - xfree(comment); + free(comment); exit(1); } /* Destroy the passphrase and the copy of the key in memory. */ memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + free(passphrase1); key_free(private); /* Destroys contents */ - xfree(comment); + free(comment); printf("Your identification has been saved with the new passphrase.\n"); exit(0); @@ -1312,11 +1312,11 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname) if (public != NULL) { export_dns_rr(hname, public, stdout, print_generic); key_free(public); - xfree(comment); + free(comment); return 1; } if (comment) - xfree(comment); + free(comment); printf("failed to read v2 public key from %s.\n", fname); exit(1); @@ -1354,7 +1354,7 @@ do_change_comment(struct passwd *pw) private = key_load_private(identity_file, passphrase, &comment); if (private == NULL) { memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); printf("Bad passphrase.\n"); exit(1); } 
@@ -1385,13 +1385,13 @@ do_change_comment(struct passwd *pw) if (!key_save_private(private, identity_file, passphrase, new_comment)) { printf("Saving the key failed: %s.\n", identity_file); memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); key_free(private); - xfree(comment); + free(comment); exit(1); } memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); public = key_from_private(private); key_free(private); @@ -1412,7 +1412,7 @@ do_change_comment(struct passwd *pw) fprintf(f, " %s\n", new_comment); fclose(f); - xfree(comment); + free(comment); printf("The comment in your key file has been changed.\n"); exit(0); @@ -1529,7 +1529,7 @@ load_pkcs11_key(char *path) } key_free(keys[i]); } - xfree(keys); + free(keys); key_free(public); return private; #else @@ -1573,7 +1573,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) fatal("No PKCS#11 key matching %s found", ca_key_path); } else if ((ca = load_identity(tmp)) == NULL) fatal("Couldn't load CA key \"%s\"", tmp); - xfree(tmp); + free(tmp); for (i = 0; i < argc; i++) { /* Split list of principals */ @@ -1586,7 +1586,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) if (*(plist[n] = xstrdup(cp)) == '\0') fatal("Empty principal name"); } - xfree(otmp); + free(otmp); } tmp = tilde_expand_filename(argv[i], pw->pw_uid); @@ -1624,7 +1624,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0) *cp = '\0'; xasprintf(&out, "%s-cert.pub", tmp); - xfree(tmp); + free(tmp); if ((fd = open(out, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) fatal("Could not open \"%s\" for writing: %s", out, @@ -1647,7 +1647,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) } key_free(public); - xfree(out); + free(out); } pkcs11_terminate(); exit(0); 
@@ -1744,7 +1744,7 @@ parse_cert_times(char *timespec) if (cert_valid_to <= cert_valid_from) fatal("Empty certificate validity interval"); - xfree(from); + free(from); } static void @@ -1822,13 +1822,13 @@ show_options(const Buffer *optbuf, int v00, int in_critical) strcmp(name, "source-address") == 0)) { data = buffer_get_string(&option, NULL); printf(" %s\n", data); - xfree(data); + free(data); } else { printf(" UNKNOWN OPTION (len %u)\n", buffer_len(&option)); buffer_clear(&option); } - xfree(name); + free(name); if (buffer_len(&option) != 0) fatal("Option corrupt: extra data at end"); } @@ -2064,7 +2064,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); if ((ca = key_load_public(tmp, NULL)) == NULL) fatal("Cannot load CA public key %s", tmp); - xfree(tmp); + free(tmp); } if (updating) @@ -2602,14 +2602,14 @@ passphrase_again: */ memset(passphrase1, 0, strlen(passphrase1)); memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase1); - xfree(passphrase2); + free(passphrase1); + free(passphrase2); printf("Passphrases do not match. Try again.\n"); goto passphrase_again; } /* Clear the other copy of the passphrase. */ memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase2); + free(passphrase2); } if (identity_comment) { @@ -2623,12 +2623,12 @@ passphrase_again: if (!key_save_private(private, identity_file, passphrase1, comment)) { printf("Saving the key failed: %s.\n", identity_file); memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + free(passphrase1); exit(1); } /* Clear the passphrase. */ memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + free(passphrase1); /* Clear the private key and the random number generator. */ key_free(private); @@ -2663,8 +2663,8 @@ passphrase_again: printf("%s %s\n", fp, comment); printf("The key's randomart image is:\n"); printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } key_free(public); 
diff --git a/ssh-keyscan.c b/ssh-keyscan.c index c9de130f..8b807c10 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.86 2012/04/11 13:34:17 djm Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.87 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -263,7 +263,7 @@ keygrab_ssh2(con *c) exit(1); } nonfatal_fatal = 0; - xfree(c->c_kex); + free(c->c_kex); c->c_kex = NULL; packet_close(); @@ -329,7 +329,7 @@ conalloc(char *iname, char *oname, int keytype) do { name = xstrsep(&namelist, ","); if (!name) { - xfree(namebase); + free(namebase); return (-1); } } while ((s = tcpconnect(name)) < 0); @@ -363,10 +363,10 @@ confree(int s) if (s >= maxfd || fdcon[s].c_status == CS_UNUSED) fatal("confree: attempt to free bad fdno %d", s); close(s); - xfree(fdcon[s].c_namebase); - xfree(fdcon[s].c_output_name); + free(fdcon[s].c_namebase); + free(fdcon[s].c_output_name); if (fdcon[s].c_status == CS_KEYS) - xfree(fdcon[s].c_data); + free(fdcon[s].c_data); fdcon[s].c_status = CS_UNUSED; fdcon[s].c_keytype = 0; TAILQ_REMOVE(&tq, &fdcon[s], c_link); @@ -553,8 +553,8 @@ conloop(void) } else if (FD_ISSET(i, r)) conread(i); } - xfree(r); - xfree(e); + free(r); + free(e); c = TAILQ_FIRST(&tq); while (c && (c->c_tv.tv_sec < now.tv_sec || diff --git a/ssh-keysign.c b/ssh-keysign.c index 1deb7e14..9a6653c7 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.36 2011/02/16 00:31:14 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.37 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -78,7 +78,7 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, p = buffer_get_string(&b, &len); if (len != 20 && len != 32) fail++; - xfree(p); + free(p); if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; 
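Review bot: The check `if (len != 20 && len != 32) fail++;` in valid_request accepts two bare magic lengths with no comment, so a reader has to already know the protocol to see why exactly those sizes are legitimate. A one-line comment such as `/* session id: presumably 20 bytes (SHA-1) or 32 bytes (SHA-256) — confirm against kex */` would make the check reviewable and flag the assumption for whoever adds a new kex hash. valid_request starts before this hunk.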
@@ -90,13 +90,13 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, p = buffer_get_string(&b, NULL); if (strcmp("ssh-connection", p) != 0) fail++; - xfree(p); + free(p); /* method */ p = buffer_get_string(&b, NULL); if (strcmp("hostbased", p) != 0) fail++; - xfree(p); + free(p); /* pubkey */ pkalg = buffer_get_string(&b, NULL); @@ -109,8 +109,8 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, fail++; else if (key->type != pktype) fail++; - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); /* client host name, handle trailing dot */ p = buffer_get_string(&b, &len); @@ -121,14 +121,14 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, fail++; else if (strncasecmp(host, p, len - 1) != 0) fail++; - xfree(p); + free(p); /* local user */ p = buffer_get_string(&b, NULL); if (strcmp(pw->pw_name, p) != 0) fail++; - xfree(p); + free(p); /* end of message */ if (buffer_len(&b) != 0) @@ -233,7 +233,7 @@ main(int argc, char **argv) data = buffer_get_string(&b, &dlen); if (valid_request(pw, host, &key, data, dlen) < 0) fatal("not a valid request"); - xfree(host); + free(host); found = 0; for (i = 0; i < NUM_KEYTYPES; i++) { @@ -248,7 +248,7 @@ main(int argc, char **argv) if (key_sign(keys[i], &signature, &slen, data, dlen) != 0) fatal("key_sign failed"); - xfree(data); + free(data); /* send reply */ buffer_clear(&b); diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c index 82b11daf..6c9f9d2c 100644 --- a/ssh-pkcs11-client.c +++ b/ssh-pkcs11-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-client.c,v 1.3 2012/01/16 20:34:09 miod Exp $ */ +/* $OpenBSD: ssh-pkcs11-client.c,v 1.4 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * 
@@ -121,7 +121,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, buffer_put_string(&msg, blob, blen); buffer_put_string(&msg, from, flen); buffer_put_int(&msg, 0); - xfree(blob); + free(blob); send_msg(&msg); buffer_clear(&msg); @@ -131,7 +131,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, memcpy(to, signature, slen); ret = slen; } - xfree(signature); + free(signature); } buffer_free(&msg); return (ret); @@ -205,11 +205,11 @@ pkcs11_add_provider(char *name, char *pin, Key ***keysp) *keysp = xcalloc(nkeys, sizeof(Key *)); for (i = 0; i < nkeys; i++) { blob = buffer_get_string(&msg, &blen); - xfree(buffer_get_string(&msg, NULL)); + free(buffer_get_string(&msg, NULL)); k = key_from_blob(blob, blen); wrap_key(k->rsa); (*keysp)[i] = k; - xfree(blob); + free(blob); } } else { nkeys = -1; diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index 5c09f122..39b2e7c5 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.5 2013/05/10 10:13:50 dtucker Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -79,7 +79,7 @@ del_keys_by_name(char *name) nxt = TAILQ_NEXT(ki, next); if (!strcmp(ki->providername, name)) { TAILQ_REMOVE(&pkcs11_keylist, ki, next); - xfree(ki->providername); + free(ki->providername); key_free(ki->key); free(ki); } @@ -130,15 +130,15 @@ process_add(void) key_to_blob(keys[i], &blob, &blen); buffer_put_string(&msg, blob, blen); buffer_put_cstring(&msg, name); - xfree(blob); + free(blob); add_key(keys[i], name); } - xfree(keys); + free(keys); } else { buffer_put_char(&msg, SSH_AGENT_FAILURE); } - xfree(pin); - xfree(name); + free(pin); + free(name); send_msg(&msg); buffer_free(&msg); } 
@@ -157,8 +157,8 @@ process_del(void) buffer_put_char(&msg, SSH_AGENT_SUCCESS); else buffer_put_char(&msg, SSH_AGENT_FAILURE); - xfree(pin); - xfree(name); + free(pin); + free(name); send_msg(&msg); buffer_free(&msg); } @@ -195,10 +195,9 @@ process_sign(void) } else { buffer_put_char(&msg, SSH_AGENT_FAILURE); } - xfree(data); - xfree(blob); - if (signature != NULL) - xfree(signature); + free(data); + free(blob); + free(signature); send_msg(&msg); buffer_free(&msg); } diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 1f4c1c8e..a17326ba 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.6 2010/06/08 21:32:19 markus Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -120,9 +120,9 @@ pkcs11_provider_unref(struct pkcs11_provider *p) if (--p->refcount <= 0) { if (p->valid) error("pkcs11_provider_unref: %p still valid", p); - xfree(p->slotlist); - xfree(p->slotinfo); - xfree(p); + free(p->slotlist); + free(p->slotinfo); + free(p); } } @@ -180,9 +180,8 @@ pkcs11_rsa_finish(RSA *rsa) rv = k11->orig_finish(rsa); if (k11->provider) pkcs11_provider_unref(k11->provider); - if (k11->keyid) - xfree(k11->keyid); - xfree(k11); + free(k11->keyid); + free(k11); } return (rv); } @@ -266,11 +265,11 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, return (-1); /* bail out */ if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin))) != CKR_OK) { - xfree(pin); + free(pin); error("C_Login failed: %lu", rv); return (-1); } - xfree(pin); + free(pin); si->logged_in = 1; } key_filter[1].pValue = k11->keyid; @@ -470,7 +469,7 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, } } for (i = 0; i < 3; i++) - xfree(attribs[i].pValue); + free(attribs[i].pValue); } if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK) error("C_FindObjectsFinal failed: %lu", rv); 
@@ -579,11 +578,9 @@ fail: if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK) error("C_Finalize failed: %lu", rv); if (p) { - if (p->slotlist) - xfree(p->slotlist); - if (p->slotinfo) - xfree(p->slotinfo); - xfree(p); + free(p->slotlist); + free(p->slotinfo); + free(p); } if (handle) dlclose(handle); diff --git a/ssh-rsa.c b/ssh-rsa.c index c6355fa0..30f96abc 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.45 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.46 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * @@ -72,7 +72,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, error("ssh_rsa_sign: RSA_sign failed: %s", ERR_error_string(ecode, NULL)); - xfree(sig); + free(sig); return -1; } if (len < slen) { @@ -82,7 +82,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, memset(sig, 0, diff); } else if (len > slen) { error("ssh_rsa_sign: slen %u slen2 %u", slen, len); - xfree(sig); + free(sig); return -1; } /* encode signature */ @@ -98,7 +98,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, } buffer_free(&b); memset(sig, 's', slen); - xfree(sig); + free(sig); return 0; } @@ -131,23 +131,23 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, if (strcmp("ssh-rsa", ktype) != 0) { error("ssh_rsa_verify: cannot handle type %s", ktype); buffer_free(&b); - xfree(ktype); + free(ktype); return -1; } - xfree(ktype); + free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("ssh_rsa_verify: remaining bytes in signature %d", rlen); - xfree(sigblob); + free(sigblob); return -1; } /* RSA_verify expects a signature of RSA_size */ modlen = RSA_size(key->rsa); if (len > modlen) { error("ssh_rsa_verify: len %u > modlen %u", len, modlen); - xfree(sigblob); + free(sigblob); return -1; } else if (len < modlen) { u_int diff = modlen - len; 
@@ -161,7 +161,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid); - xfree(sigblob); + free(sigblob); return -1; } EVP_DigestInit(&md, evp_md); @@ -171,7 +171,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa); memset(digest, 'd', sizeof(digest)); memset(sigblob, 's', len); - xfree(sigblob); + free(sigblob); debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : ""); return ret; } @@ -262,7 +262,6 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen, } ret = 1; done: - if (decrypted) - xfree(decrypted); + free(decrypted); return ret; } diff --git a/ssh.c b/ssh.c index 534e7c6c..0e96c921 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.377 2013/04/19 11:10:18 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.378 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -226,7 +226,7 @@ tilde_expand_paths(char **paths, u_int num_paths) for (i = 0; i < num_paths; i++) { cp = tilde_expand_filename(paths[i], original_real_uid); - xfree(paths[i]); + free(paths[i]); paths[i] = cp; } } @@ -473,7 +473,7 @@ main(int ac, char **av) if (parse_forward(&fwd, optarg, 1, 0)) { stdio_forward_host = fwd.listen_host; stdio_forward_port = fwd.listen_port; - xfree(fwd.connect_host); + free(fwd.connect_host); } else { fprintf(stderr, "Bad stdio forwarding specification '%s'\n", @@ -601,7 +601,7 @@ main(int ac, char **av) line, "command-line", 0, &dummy, SSHCONF_USERCONF) != 0) exit(255); - xfree(line); + free(line); break; case 's': subsystem_flag = 1; 
@@ -688,7 +688,7 @@ main(int ac, char **av) fatal("Can't specify both -y and -E"); if (logfile != NULL) { log_redirect_stderr_to(logfile); - xfree(logfile); + free(logfile); } log_init(argv0, options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, @@ -778,7 +778,7 @@ main(int ac, char **av) "p", portstr, "u", pw->pw_name, "L", shorthost, (char *)NULL); debug3("expanded LocalCommand: %s", options.local_command); - xfree(cp); + free(cp); } /* force lowercase for hostkey matching */ @@ -790,24 +790,24 @@ main(int ac, char **av) if (options.proxy_command != NULL && strcmp(options.proxy_command, "none") == 0) { - xfree(options.proxy_command); + free(options.proxy_command); options.proxy_command = NULL; } if (options.control_path != NULL && strcmp(options.control_path, "none") == 0) { - xfree(options.control_path); + free(options.control_path); options.control_path = NULL; } if (options.control_path != NULL) { cp = tilde_expand_filename(options.control_path, original_real_uid); - xfree(options.control_path); + free(options.control_path); options.control_path = percent_expand(cp, "h", host, "l", thishost, "n", host_arg, "r", options.user, "p", portstr, "u", pw->pw_name, "L", shorthost, (char *)NULL); - xfree(cp); + free(cp); } if (muxclient_command != 0 && options.control_path == NULL) fatal("No ControlPath specified for \"-O\" command"); @@ -958,13 +958,11 @@ main(int ac, char **av) sensitive_data.keys[i] = NULL; } } - xfree(sensitive_data.keys); + free(sensitive_data.keys); } for (i = 0; i < options.num_identity_files; i++) { - if (options.identity_files[i]) { - xfree(options.identity_files[i]); - options.identity_files[i] = NULL; - } + free(options.identity_files[i]); + options.identity_files[i] = NULL; if (options.identity_keys[i]) { key_free(options.identity_keys[i]); options.identity_keys[i] = NULL; 
@@ -1554,7 +1552,7 @@ load_public_identity_files(void) xstrdup(options.pkcs11_provider); /* XXX */ n_ids++; } - xfree(keys); + free(keys); } #endif /* ENABLE_PKCS11 */ if ((pw = getpwuid(original_real_uid)) == NULL) @@ -1567,7 +1565,7 @@ load_public_identity_files(void) for (i = 0; i < options.num_identity_files; i++) { if (n_ids >= SSH_MAX_IDENTITY_FILES || strcasecmp(options.identity_files[i], "none") == 0) { - xfree(options.identity_files[i]); + free(options.identity_files[i]); continue; } cp = tilde_expand_filename(options.identity_files[i], @@ -1575,11 +1573,11 @@ load_public_identity_files(void) filename = percent_expand(cp, "d", pwdir, "u", pwname, "l", thishost, "h", host, "r", options.user, (char *)NULL); - xfree(cp); + free(cp); public = key_load_public(filename, NULL); debug("identity file %s type %d", filename, public ? public->type : -1); - xfree(options.identity_files[i]); + free(options.identity_files[i]); identity_files[n_ids] = filename; identity_keys[n_ids] = public; @@ -1592,14 +1590,14 @@ load_public_identity_files(void) debug("identity file %s type %d", cp, public ? public->type : -1); if (public == NULL) { - xfree(cp); + free(cp); continue; } if (!key_is_cert(public)) { debug("%s: key %s type %s is not a certificate", __func__, cp, key_type(public)); key_free(public); - xfree(cp); + free(cp); continue; } identity_keys[n_ids] = public; @@ -1612,9 +1610,9 @@ load_public_identity_files(void) memcpy(options.identity_keys, identity_keys, sizeof(identity_keys)); bzero(pwname, strlen(pwname)); - xfree(pwname); + free(pwname); bzero(pwdir, strlen(pwdir)); - xfree(pwdir); + free(pwdir); } static void diff --git a/sshconnect.c b/sshconnect.c index cf071128..483eb85a 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.237 2013/02/22 19:13:56 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.238 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -112,7 +112,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) xasprintf(&tmp, "exec %s", proxy_command); command_string = percent_expand(tmp, "h", host, "p", strport, "r", options.user, (char *)NULL); - xfree(tmp); + free(tmp); /* Create pipes for communicating with the proxy. */ if (pipe(pin) < 0 || pipe(pout) < 0) @@ -166,7 +166,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) close(pout[1]); /* Free the command name. */ - xfree(command_string); + free(command_string); /* Set the connection file descriptors. */ packet_set_connection(pout[0], pin[1]); @@ -315,7 +315,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, fatal("Bogus return (%d) from select()", rc); } - xfree(fdset); + free(fdset); done: if (result == 0 && *timeoutp > 0) { @@ -534,7 +534,7 @@ ssh_exchange_identification(int timeout_ms) debug("ssh_exchange_identification: %s", buf); } server_version_string = xstrdup(buf); - xfree(fdset); + free(fdset); /* * Check that the versions match. In future this might accept @@ -610,8 +610,7 @@ confirm(const char *prompt) ret = 0; if (p && strncasecmp(p, "yes", 3) == 0) ret = 1; - if (p) - xfree(p); + free(p); if (ret != -1) return ret; } @@ -835,8 +834,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, ra = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_RANDOMART); logit("Host key fingerprint is %s\n%s\n", fp, ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } break; case HOST_NEW: @@ -896,8 +895,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, options.visual_host_key ? "\n" : "", options.visual_host_key ? ra : "", msg2); - xfree(ra); - xfree(fp); + free(ra); + free(fp); if (!confirm(msg)) goto fail; } 
@@ -1098,8 +1097,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, } } - xfree(ip); - xfree(host); + free(ip); + free(host); if (host_hostkeys != NULL) free_hostkeys(host_hostkeys); if (ip_hostkeys != NULL) @@ -1121,8 +1120,8 @@ fail: } if (raw_key != NULL) key_free(raw_key); - xfree(ip); - xfree(host); + free(ip); + free(host); if (host_hostkeys != NULL) free_hostkeys(host_hostkeys); if (ip_hostkeys != NULL) @@ -1139,7 +1138,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); debug("Server host key: %s %s", key_type(host_key), fp); - xfree(fp); + free(fp); /* XXX certs are not yet supported for DNS */ if (!key_is_cert(host_key) && options.verify_host_key_dns && @@ -1204,7 +1203,7 @@ ssh_login(Sensitive *sensitive, const char *orighost, ssh_kex(host, hostaddr); ssh_userauth1(local_user, server_user, host, sensitive); } - xfree(local_user); + free(local_user); } void @@ -1222,7 +1221,7 @@ ssh_put_password(char *password) strlcpy(padded, password, size); packet_put_string(padded, size); memset(padded, 0, size); - xfree(padded); + free(padded); } /* print all known host keys for a given host, but skip keys of given type */ @@ -1249,8 +1248,8 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) key_type(found->key), fp); if (options.visual_host_key) logit("%s", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); ret = 1; } return ret; @@ -1273,7 +1272,7 @@ warn_changed_key(Key *host_key) key_type(host_key), fp); error("Please contact your system administrator."); - xfree(fp); + free(fp); } /* diff --git a/sshconnect1.c b/sshconnect1.c index fd07bbf7..d285e23c 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: sshconnect1.c,v 1.71 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -84,7 +84,7 @@ try_agent_authentication(void) /* Try this identity. */ debug("Trying RSA authentication via agent with '%.100s'", comment); - xfree(comment); + free(comment); /* Tell the server that we are willing to authenticate using this key. */ packet_start(SSH_CMSG_AUTH_RSA); @@ -231,7 +231,7 @@ try_rsa_authentication(int idx) */ if (type == SSH_SMSG_FAILURE) { debug("Server refused our key."); - xfree(comment); + free(comment); return 0; } /* Otherwise, the server should respond with a challenge. */ @@ -270,14 +270,14 @@ try_rsa_authentication(int idx) quit = 1; } memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); if (private != NULL || quit) break; debug2("bad passphrase given, try again..."); } } /* We no longer need the comment. */ - xfree(comment); + free(comment); if (private == NULL) { if (!options.batch_mode && perm_ok) @@ -412,7 +412,7 @@ try_challenge_response_authentication(void) packet_check_eom(); snprintf(prompt, sizeof prompt, "%s%s", challenge, strchr(challenge, '\n') ? "" : "\nResponse: "); - xfree(challenge); + free(challenge); if (i != 0) error("Permission denied, please try again."); if (options.cipher == SSH_CIPHER_NONE) @@ -420,13 +420,13 @@ try_challenge_response_authentication(void) "Response will be transmitted in clear text."); response = read_passphrase(prompt, 0); if (strcmp(response, "") == 0) { - xfree(response); + free(response); break; } packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); ssh_put_password(response); memset(response, 0, strlen(response)); - xfree(response); + free(response); packet_send(); packet_write_wait(); type = packet_read(); @@ -459,7 +459,7 @@ try_password_authentication(char *prompt) packet_start(SSH_CMSG_AUTH_PASSWORD); ssh_put_password(password); memset(password, 0, strlen(password)); - xfree(password); + free(password); packet_send(); packet_write_wait(); diff --git a/sshconnect2.c b/sshconnect2.c index 7b83c591..19ed3459 100644 --- a/sshconnect2.c +++ b/sshconnect2.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.196 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.197 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -146,10 +146,10 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) if (*first != '\0') debug3("%s: prefer hostkeyalgs: %s", __func__, first); - xfree(first); - xfree(last); - xfree(hostname); - xfree(oavail); + free(first); + free(last); + free(hostname); + free(oavail); free_hostkeys(hostkeys); return ret; @@ -384,7 +384,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, if (packet_remaining() > 0) { char *reply = packet_get_string(NULL); debug2("service_accept: %s", reply); - xfree(reply); + free(reply); } else { debug2("buggy server: service_accept w/o service"); } @@ -431,15 +431,12 @@ userauth(Authctxt *authctxt, char *authlist) if (authctxt->method != NULL && authctxt->method->cleanup != NULL) authctxt->method->cleanup(authctxt); - if (authctxt->methoddata) { - xfree(authctxt->methoddata); - authctxt->methoddata = NULL; - } + free(authctxt->methoddata); + authctxt->methoddata = NULL; if (authlist == NULL) { authlist = authctxt->authlist; } else { - if (authctxt->authlist) - xfree(authctxt->authlist); + free(authctxt->authlist); authctxt->authlist = authlist; } for (;;) { @@ -487,10 +484,10 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt) msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */ strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH); fprintf(stderr, "%s", msg); - xfree(msg); + free(msg); } - xfree(raw); - xfree(lang); + free(raw); + free(lang); } /* ARGSUSED */ 
@@ -501,16 +498,12 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt) if (authctxt == NULL) fatal("input_userauth_success: no authentication context"); - if (authctxt->authlist) { - xfree(authctxt->authlist); - authctxt->authlist = NULL; - } + free(authctxt->authlist); + authctxt->authlist = NULL; if (authctxt->method != NULL && authctxt->method->cleanup != NULL) authctxt->method->cleanup(authctxt); - if (authctxt->methoddata) { - xfree(authctxt->methoddata); - authctxt->methoddata = NULL; - } + free(authctxt->methoddata); + authctxt->methoddata = NULL; authctxt->success = 1; /* break out */ } @@ -599,7 +592,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) } fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); debug2("input_userauth_pk_ok: fp %s", fp); - xfree(fp); + free(fp); /* * search keys in the reverse order, because last candidate has been @@ -615,8 +608,8 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) done: if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); /* try another method if we did not send a packet */ if (sent == 0) @@ -754,7 +747,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) if (oidlen <= 2 || oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen - 2) { - xfree(oidv); + free(oidv); debug("Badly encoded mechanism OID received"); userauth(authctxt, NULL); return; @@ -765,7 +758,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) packet_check_eom(); - xfree(oidv); + free(oidv); if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) { /* Start again with next method on list */ @@ -794,7 +787,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) status = process_gssapi_token(ctxt, &recv_tok); - xfree(recv_tok.value); + free(recv_tok.value); if (GSS_ERROR(status)) { /* Start again with the next method in the list */ 
@@ -827,7 +820,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) (void)ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, &recv_tok, &send_tok, NULL); - xfree(recv_tok.value); + free(recv_tok.value); gss_release_buffer(&ms, &send_tok); /* Server will be returning a failed packet after this one */ @@ -848,8 +841,8 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) packet_check_eom(); debug("Server GSSAPI Error:\n%s", msg); - xfree(msg); - xfree(lang); + free(msg); + free(lang); } #endif /* GSSAPI */ @@ -890,7 +883,7 @@ userauth_passwd(Authctxt *authctxt) packet_put_char(0); packet_put_cstring(password); memset(password, 0, strlen(password)); - xfree(password); + free(password); packet_add_padding(64); packet_send(); @@ -923,8 +916,8 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) lang = packet_get_string(NULL); if (strlen(info) > 0) logit("%s", info); - xfree(info); - xfree(lang); + free(info); + free(lang); packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service); @@ -936,7 +929,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) password = read_passphrase(prompt, 0); packet_put_cstring(password); memset(password, 0, strlen(password)); - xfree(password); + free(password); password = NULL; while (password == NULL) { snprintf(prompt, sizeof(prompt), @@ -953,16 +946,16 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) retype = read_passphrase(prompt, 0); if (strcmp(password, retype) != 0) { memset(password, 0, strlen(password)); - xfree(password); + free(password); logit("Mismatch; try again, EOF to quit."); password = NULL; } memset(retype, 0, strlen(retype)); - xfree(retype); + free(retype); } packet_put_cstring(password); memset(password, 0, strlen(password)); - xfree(password); + free(password); packet_add_padding(64); packet_send(); 
@@ -1017,13 +1010,13 @@ jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme, bzero(password, strlen(password)); bzero(crypted, strlen(crypted)); - xfree(password); - xfree(crypted); + free(password); + free(crypted); if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL) fatal("%s: BN_bin2bn (secret)", __func__); bzero(secret, secret_len); - xfree(secret); + free(secret); return ret; } @@ -1061,8 +1054,8 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt) pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt); bzero(crypt_scheme, strlen(crypt_scheme)); bzero(salt, strlen(salt)); - xfree(crypt_scheme); - xfree(salt); + free(crypt_scheme); + free(salt); JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__)); /* Calculate step 2 values */ @@ -1077,8 +1070,8 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt) bzero(x3_proof, x3_proof_len); bzero(x4_proof, x4_proof_len); - xfree(x3_proof); - xfree(x4_proof); + free(x3_proof); + free(x4_proof); JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__)); @@ -1089,7 +1082,7 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt) packet_send(); bzero(x2_s_proof, x2_s_proof_len); - xfree(x2_s_proof); + free(x2_s_proof); /* Expect step 2 packet from peer */ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, @@ -1129,7 +1122,7 @@ input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt) &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len); bzero(x4_s_proof, x4_s_proof_len); - xfree(x4_s_proof); + free(x4_s_proof); JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); @@ -1211,7 +1204,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); - xfree(fp); + free(fp); if (key_to_blob(id->key, &blob, &bloblen) == 0) { /* we cannot handle this key */ 
@@ -1246,7 +1239,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) ret = identity_sign(id, &signature, &slen, buffer_ptr(&b), buffer_len(&b)); if (ret == -1) { - xfree(blob); + free(blob); buffer_free(&b); return 0; } @@ -1266,11 +1259,11 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) buffer_put_cstring(&b, key_ssh_name(id->key)); buffer_put_string(&b, blob, bloblen); } - xfree(blob); + free(blob); /* append signature */ buffer_put_string(&b, signature, slen); - xfree(signature); + free(signature); /* skip session id and packet type */ if (buffer_len(&b) < skip + 1) @@ -1310,7 +1303,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id) if (!(datafellows & SSH_BUG_PKAUTH)) packet_put_cstring(key_ssh_name(id->key)); packet_put_string(blob, bloblen); - xfree(blob); + free(blob); packet_send(); return 1; } @@ -1347,7 +1340,7 @@ load_identity_file(char *filename, int userprovided) quit = 1; } memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); if (private != NULL || quit) break; debug2("bad passphrase given, try again..."); @@ -1424,7 +1417,7 @@ pubkey_prepare(Authctxt *authctxt) /* agent keys from the config file are preferred */ if (key_equal(key, id->key)) { key_free(key); - xfree(comment); + free(comment); TAILQ_REMOVE(&files, id, next); TAILQ_INSERT_TAIL(preferred, id, next); id->ac = ac; @@ -1470,9 +1463,8 @@ pubkey_cleanup(Authctxt *authctxt) TAILQ_REMOVE(&authctxt->keys, id, next); if (id->key) key_free(id->key); - if (id->filename) - xfree(id->filename); - xfree(id); + free(id->filename); + free(id); } } @@ -1570,9 +1562,9 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt) logit("%s", name); if (strlen(inst) > 0) logit("%s", inst); - xfree(name); - xfree(inst); - xfree(lang); + free(name); + free(inst); + free(lang); num_prompts = packet_get_int(); /* 
@@ -1593,8 +1585,8 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt) packet_put_cstring(response); memset(response, 0, strlen(response)); - xfree(response); - xfree(prompt); + free(response); + free(prompt); } packet_check_eom(); /* done with parsing incoming message. */ @@ -1714,12 +1706,12 @@ userauth_hostbased(Authctxt *authctxt) if (p == NULL) { error("userauth_hostbased: cannot get local ipaddr/name"); key_free(private); - xfree(blob); + free(blob); return 0; } xasprintf(&chost, "%s.", p); debug2("userauth_hostbased: chost %s", chost); - xfree(p); + free(p); service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; @@ -1748,9 +1740,9 @@ userauth_hostbased(Authctxt *authctxt) buffer_free(&b); if (ok != 0) { error("key_sign failed"); - xfree(chost); - xfree(pkalg); - xfree(blob); + free(chost); + free(pkalg); + free(blob); return 0; } packet_start(SSH2_MSG_USERAUTH_REQUEST); @@ -1763,10 +1755,10 @@ userauth_hostbased(Authctxt *authctxt) packet_put_cstring(authctxt->local_user); packet_put_string(signature, slen); memset(signature, 's', slen); - xfree(signature); - xfree(chost); - xfree(pkalg); - xfree(blob); + free(signature); + free(chost); + free(pkalg); + free(blob); packet_send(); return 1; @@ -1821,8 +1813,8 @@ userauth_jpake(Authctxt *authctxt) bzero(x1_proof, x1_proof_len); bzero(x2_proof, x2_proof_len); - xfree(x1_proof); - xfree(x2_proof); + free(x1_proof); + free(x2_proof); /* Expect step 1 packet from peer */ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, @@ -1899,8 +1891,7 @@ authmethod_get(char *authlist) if (supported == NULL || strcmp(authlist, supported) != 0) { debug3("start over, passed a different list %s", authlist); - if (supported != NULL) - xfree(supported); + free(supported); supported = xstrdup(authlist); preferred = options.preferred_authentications; debug3("preferred %s", preferred); 
@@ -1921,7 +1912,7 @@ authmethod_get(char *authlist) authmethod_is_enabled(current)) { debug3("authmethod_is_enabled %s", name); debug("Next authentication method: %s", name); - xfree(name); + free(name); return current; } } diff --git a/sshd.c b/sshd.c index df9d0d61..069e95ff 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.401 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.402 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -973,7 +973,7 @@ recv_rexec_state(int fd, Buffer *conf) cp = buffer_get_string(&m, &len); if (conf != NULL) buffer_append(conf, cp, len + 1); - xfree(cp); + free(cp); if (buffer_get_int(&m)) { if (sensitive_data.server_key != NULL) @@ -1135,7 +1135,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) if (received_sighup) sighup_restart(); if (fdset != NULL) - xfree(fdset); + free(fdset); fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask)); @@ -1484,7 +1484,7 @@ main(int ac, char **av) if (process_server_config_line(&options, line, "command-line", 0, NULL, NULL) != 0) exit(1); - xfree(line); + free(line); break; case '?': default: @@ -1506,7 +1506,7 @@ main(int ac, char **av) /* If requested, redirect the logs to the specified logfile. */ if (logfile != NULL) { log_redirect_stderr_to(logfile); - xfree(logfile); + free(logfile); } /* * Force logging to stderr until we have loaded the private host @@ -2307,7 +2307,7 @@ do_ssh1_kex(void) MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); MD5_Final(session_key + 16, &md); memset(buf, 0, bytes); - xfree(buf); + free(buf); for (i = 0; i < 16; i++) session_id[i] = session_key[i] ^ session_key[i + 16]; } diff --git a/umac.c b/umac.c index 0567c37f..fb66b809 100644 --- a/umac.c +++ b/umac.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: umac.c,v 1.4 2011/10/19 10:39:48 djm Exp $ */ +/* $OpenBSD: umac.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.c -- C Implementation UMAC Message Authentication @@ -1209,7 +1209,7 @@ int umac_delete(struct umac_ctx *ctx) if (ctx) { if (ALLOC_BOUNDARY) ctx = (struct umac_ctx *)ctx->free_ptr; - xfree(ctx); + free(ctx); } return (1); } diff --git a/uuencode.c b/uuencode.c index 09d80d2f..294c7430 100644 --- a/uuencode.c +++ b/uuencode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uuencode.c,v 1.26 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: uuencode.c,v 1.27 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -29,6 +29,7 @@ #include #include #include +#include #include "xmalloc.h" #include "uuencode.h" @@ -67,7 +68,7 @@ uudecode(const char *src, u_char *target, size_t targsize) /* and remove trailing whitespace because __b64_pton needs this */ *p = '\0'; len = __b64_pton(encoded, target, targsize); - xfree(encoded); + free(encoded); return len; } @@ -90,5 +91,5 @@ dump_base64(FILE *fp, const u_char *data, u_int len) } if (i % 70 != 69) fprintf(fp, "\n"); - xfree(buf); + free(buf); } diff --git a/xmalloc.c b/xmalloc.c index 9985b4cc..92f781fd 100644 --- a/xmalloc.c +++ b/xmalloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: xmalloc.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -73,14 +73,6 @@ xrealloc(void *ptr, size_t nmemb, size_t size) return new_ptr; } -void -xfree(void *ptr) -{ - if (ptr == NULL) - fatal("xfree: NULL pointer given as argument"); - free(ptr); -} - char * xstrdup(const char *str) { diff --git a/xmalloc.h b/xmalloc.h index fb217a45..261dfd61 100644 --- a/xmalloc.h +++ b/xmalloc.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: xmalloc.h,v 1.14 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen @@ -19,7 +19,6 @@ void *xmalloc(size_t); void *xcalloc(size_t, size_t); void *xrealloc(void *, size_t, size_t); -void xfree(void *); char *xstrdup(const char *); int xasprintf(char **, const char *, ...) __attribute__((__format__ (printf, 2, 3))) -- cgit v1.2.1 From 9234291d23faeb70125c9344e3cd4afe8eb1a260 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 21:32:00 +0000 Subject: - djm@cvs.openbsd.org 2013/05/19 02:38:28 [auth2-pubkey.c] fix failure to recognise cert-authority keys if a key of a different type appeared in authorized_keys before it; ok markus@ --- ChangeLog | 4 ++++ auth2-pubkey.c | 39 +++++++++++++++++++++++++++++++-------- 2 files changed, 35 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1de8ff83..c08e210b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,10 @@ ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@ + - djm@cvs.openbsd.org 2013/05/19 02:38:28 + [auth2-pubkey.c] + fix failure to recognise cert-authority keys if a key of a different type + appeared in authorized_keys before it; ok markus@ 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 4c326df7..45306f83 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.36 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.37 2013/05/19 02:38:28 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -147,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); #endif + pubkey_auth_info(authctxt, key); + /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && 
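Review bot: `pubkey_auth_info(authctxt, key);` is called in userauth_pubkey before the function is defined further down the same file, and no prototype for it appears in this commit (the auth.h declaration only arrives in the following commit), so the call site is an implicit declaration here; the new function's body also calls `auth_info()`, which this commit neither defines nor declares. As committed, this revision does not build on its own, which matters for bisecting. Add the declarations in the same commit (`void pubkey_auth_info(Authctxt *, const Key *);` and the `auth_info` prototype) or fold the change into the next one. userauth_pubkey continues outside the hunk.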
@@ -187,6 +189,26 @@ done: return authenticated; } +void +pubkey_auth_info(Authctxt *authctxt, const Key *key) +{ + char *fp; + + if (key_is_cert(key)) { + fp = key_fingerprint(key->cert->signature_key, + SSH_FP_MD5, SSH_FP_HEX); + auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s", + key_type(key), key->cert->key_id, + (unsigned long long)key->cert->serial, + key_type(key->cert->signature_key), fp); + free(fp); + } else { + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + auth_info(authctxt, "%s %s", key_type(key), fp); + free(fp); + } +} + static int match_principals_option(const char *principal_list, struct KeyCert *cert) { @@ -280,11 +302,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) char *fp; found_key = 0; - found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); + found = NULL; while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp, *key_options = NULL; - + if (found != NULL) + key_free(found); + found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); auth_clear_options(); /* Skip leading whitespace, empty and comment lines. */ @@ -362,16 +386,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) if (key_is_cert_authority) continue; found_key = 1; - debug("matching key found: file %s, line %lu", - file, linenum); fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); - verbose("Found matching %s key: %s", - key_type(found), fp); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(found), fp); free(fp); break; } } - key_free(found); + if (found != NULL) + key_free(found); if (!found_key) debug2("key not found"); return found_key; -- cgit v1.2.1 From 2d1838493e4d5589a1ccbb8df2d1957198ca0d42 Mon Sep 17 00:00:00 2001 
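Review bot: In pubkey_auth_info, `key->cert->key_id` and `key->cert->serial` come straight from the certificate the client presented, so untrusted bytes are being formatted into the text that auth_log later writes to syslog, and key_id in particular is a free-form string. The only protection is whatever escaping the logging layer applies (log.c's do_log appears to run messages through a vis-style sanitiser, but that is not visible here and worth confirming); the fingerprint is MD5, which is adequate for log correlation but should not be read as proof of key identity. Suggest a comment above the cert branch: `/* key_id/serial are attacker-supplied; relies on do_log() escaping non-printables */`. check_authkeys_file's body starts and ends outside its hunks.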
From: dtucker Date: Sat, 1 Jun 2013 21:41:51 +0000 Subject: - djm@cvs.openbsd.org 2013/05/19 02:42:42 [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h] Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too. Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@ --- ChangeLog | 9 +++++++++ auth-rsa.c | 16 ++++++++-------- auth.c | 30 ++++++++++++++++++++++++++---- auth.h | 10 +++++++--- auth1.c | 35 ++++++++++++++++------------------- auth2.c | 4 ++-- key.c | 4 ++-- key.h | 4 ++-- monitor.c | 9 ++++----- 9 files changed, 76 insertions(+), 45 deletions(-) diff --git a/ChangeLog b/ChangeLog index c08e210b..d772486f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,15 @@ [auth2-pubkey.c] fix failure to recognise cert-authority keys if a key of a different type appeared in authorized_keys before it; ok markus@ + - djm@cvs.openbsd.org 2013/05/19 02:42:42 + [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h] + Standardise logging of supplemental information during userauth. Keys + and ruser is now logged in the auth success/failure message alongside + the local username, remote host/port and protocol in use. Certificates + contents and CA are logged too. + Pushing all logging onto a single line simplifies log analysis as it is + no longer necessary to relate information scattered across multiple log + entries. "I like it" markus@ 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/auth-rsa.c b/auth-rsa.c index 748eaae0..92f0ad75 100644 --- a/auth-rsa.c +++ b/auth-rsa.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.82 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.83 2013/05/19 02:42:42 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -164,7 +164,7 @@ static int rsa_key_allowed_in_file(struct passwd *pw, char *file, const BIGNUM *client_n, Key **rkey) { - char line[SSH_MAX_PUBKEY_BYTES]; + char *fp, line[SSH_MAX_PUBKEY_BYTES]; int allowed = 0; u_int bits; FILE *f; @@ -232,6 +232,11 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, "actual %d vs. announced %d.", file, linenum, BN_num_bits(key->rsa->n), bits); + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(key), fp); + free(fp); + /* Never accept a revoked key */ if (auth_key_is_revoked(key)) break; @@ -298,7 +303,6 @@ int auth_rsa(Authctxt *authctxt, BIGNUM *client_n) { Key *key; - char *fp; struct passwd *pw = authctxt->pw; /* no user given */ @@ -328,11 +332,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n) * options; this will be reset if the options cause the * authentication to be rejected. */ - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - verbose("Found matching %s key: %s", - key_type(key), fp); - free(fp); - key_free(key); + pubkey_auth_info(authctxt, key); packet_send_debug("RSA authentication accepted."); return (1); diff --git a/auth.c b/auth.c index ac126e6f..9a36f1da 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.102 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -72,6 +72,7 @@ #include "authfile.h" #include "monitor_wrap.h" #include "krl.h" +#include "compat.h" /* import */ extern ServerOptions options; 
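Review bot: The auth_rsa hunk removes `key_free(key);` along with the fingerprint logging it replaces, but `pubkey_auth_info(authctxt, key)` does not take ownership of key (it only reads it and frees its own fingerprint string), so the matched key is now leaked on the accepted-authentication path; the removed line shows it was owned here. Reinstate it after the call: `pubkey_auth_info(authctxt, key);` followed by `key_free(key);`. The leak is per-connection in the authentication child, so bounded, but it is a regression introduced by this hunk. auth_rsa's body starts outside the hunk.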
@@ -251,9 +252,26 @@ allowed_user(struct passwd * pw) return 1; } +void +auth_info(Authctxt *authctxt, const char *fmt, ...) +{ + va_list ap; + int i; + + free(authctxt->info); + authctxt->info = NULL; + + va_start(ap, fmt); + i = vasprintf(&authctxt->info, fmt, ap); + va_end(ap); + + if (i < 0 || authctxt->info == NULL) + fatal("vasprintf failed"); +} + void auth_log(Authctxt *authctxt, int authenticated, int partial, - const char *method, const char *submethod, const char *info) + const char *method, const char *submethod) { void (*authlog) (const char *fmt,...) = verbose; char *authmsg; @@ -275,7 +293,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, else authmsg = authenticated ? "Accepted" : "Failed"; - authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", + authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", authmsg, method, submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, @@ -283,7 +301,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, authctxt->user, get_remote_ipaddr(), get_remote_port(), - info); + compat20 ? "ssh2" : "ssh1", + authctxt->info != NULL ? ": " : "", + authctxt->info != NULL ? authctxt->info : ""); + free(authctxt->info); + authctxt->info = NULL; #ifdef CUSTOM_FAILED_LOGIN if (authenticated == 0 && !authctxt->postponed && diff --git a/auth.h b/auth.h index 7ff59f1b..a406e139 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.73 2013/03/07 19:27:25 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.74 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -60,6 +60,7 @@ struct Authctxt { struct passwd *pw; /* set if 'valid' */ char *style; void *kbdintctxt; + char *info; /* Extra info for next auth_log */ void *jpake_ctx; #ifdef BSD_AUTH auth_session_t *as; 
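Review bot: `auth_info()` frees the previous `authctxt->info` unconditionally and `auth_log()` is the only place the field is cleared, so the new `char *info` member must start out NULL (true only if Authctxt is zero-allocated, which is not visible here) and any info recorded by a method whose attempt never reaches auth_log stays attached until the next unrelated log line; with monitor.c's mm_answer_keyallowed recording key details before any signature is verified, a client that queries a key and then switches to another method would, unless something clears it in between, get that key printed on the other method's Accepted/Failed line. Suggest documenting the contract on the auth.h field, `/* malloc'd by auth_info(); consumed and freed by auth_log(); must be NULL-initialised */`, and clearing the field wherever a method is abandoned. auth_log's body continues outside the hunk.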
@@ -121,6 +122,7 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); +void pubkey_auth_info(Authctxt *, const Key *); struct stat; int auth_secure_path(const char *, struct stat *, const char *, uid_t, @@ -148,8 +150,10 @@ void disable_forwarding(void); void do_authentication(Authctxt *); void do_authentication2(Authctxt *); -void auth_log(Authctxt *, int, int, const char *, const char *, - const char *); +void auth_info(Authctxt *authctxt, const char *, ...) + __attribute__((__format__ (printf, 2, 3))) + __attribute__((__nonnull__ (2))); +void auth_log(Authctxt *, int, int, const char *, const char *); void userauth_finish(Authctxt *, int, const char *, const char *); int auth_root_allowed(const char *); diff --git a/auth1.c b/auth1.c index 238b3c9c..3518fb1c 100644 --- a/auth1.c +++ b/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.78 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.79 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -45,11 +45,11 @@ extern ServerOptions options; extern Buffer loginmsg; -static int auth1_process_password(Authctxt *, char *, size_t); -static int auth1_process_rsa(Authctxt *, char *, size_t); -static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t); -static int auth1_process_tis_challenge(Authctxt *, char *, size_t); -static int auth1_process_tis_response(Authctxt *, char *, size_t); +static int auth1_process_password(Authctxt *); +static int auth1_process_rsa(Authctxt *); +static int auth1_process_rhosts_rsa(Authctxt *); +static int auth1_process_tis_challenge(Authctxt *); +static int auth1_process_tis_response(Authctxt *); static char *client_user = NULL; /* Used to fill in remote user for PAM */ 
@@ -57,7 +57,7 @@ struct AuthMethod1 { int type; char *name; int *enabled; - int (*method)(Authctxt *, char *, size_t); ++ int (*method)(Authctxt *); }; const struct AuthMethod1 auth1_methods[] = { @@ -112,7 +112,7 @@ get_authname(int type) /*ARGSUSED*/ static int -auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_password(Authctxt *authctxt) { int authenticated = 0; char *password; @@ -137,7 +137,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) /*ARGSUSED*/ static int -auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_rsa(Authctxt *authctxt) { int authenticated = 0; BIGNUM *n; @@ -155,7 +155,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) /*ARGSUSED*/ static int -auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_rhosts_rsa(Authctxt *authctxt) { int keybits, authenticated = 0; u_int bits; @@ -187,14 +187,14 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) client_host_key); key_free(client_host_key); - snprintf(info, infolen, " ruser %.100s", client_user); + auth_info(authctxt, "ruser %.100s", client_user); return (authenticated); } /*ARGSUSED*/ static int -auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_tis_challenge(Authctxt *authctxt) { char *challenge; @@ -213,7 +213,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) /*ARGSUSED*/ static int -auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_tis_response(Authctxt *authctxt) { int authenticated = 0; char *response; @@ -236,7 +236,6 @@ static void do_authloop(Authctxt *authctxt) { int authenticated = 0; - char info[1024]; int prev = 0, type = 0; const struct AuthMethod1 *meth; @@ -254,7 +253,7 @@ do_authloop(Authctxt *authctxt) #endif { auth_log(authctxt, 1, 0, "without authentication", - NULL, ""); + NULL); return; } } 
@@ -268,7 +267,6 @@ do_authloop(Authctxt *authctxt) /* default to fail */ authenticated = 0; - info[0] = '\0'; /* Get a packet from the client. */ prev = type; @@ -298,7 +296,7 @@ do_authloop(Authctxt *authctxt) goto skip; } - authenticated = meth->method(authctxt, info, sizeof(info)); + authenticated = meth->method(authctxt); if (authenticated == -1) continue; /* "postponed" */ @@ -353,8 +351,7 @@ do_authloop(Authctxt *authctxt) skip: /* Log before sending the reply */ - auth_log(authctxt, authenticated, 0, get_authname(type), - NULL, info); + auth_log(authctxt, authenticated, 0, get_authname(type), NULL); free(client_user); client_user = NULL; diff --git a/auth2.c b/auth2.c index 5f136ce0..f0cab8cc 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.128 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.129 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -326,7 +326,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, } /* Log before sending the reply */ - auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); + auth_log(authctxt, authenticated, partial, method, submethod); if (authctxt->postponed) return; diff --git a/key.c b/key.c index 8183ec90..55ee7899 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.103 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: key.c,v 1.104 2013/05/19 02:42:42 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -569,7 +569,7 @@ key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k) } char * -key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) +key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) { char *retval = NULL; u_char *dgst_raw; diff --git a/key.h b/key.h index f2e058e9..17358ae1 100644 --- a/key.h +++ b/key.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.36 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: key.h,v 1.37 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -95,7 +95,7 @@ void key_free(Key *); Key *key_demote(const Key *); int key_equal_public(const Key *, const Key *); int key_equal(const Key *, const Key *); -char *key_fingerprint(Key *, enum fp_type, enum fp_rep); +char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); const char *key_type(const Key *); const char *key_cert_type(const Key *); diff --git a/monitor.c b/monitor.c index 132f60df..6acb2025 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.124 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.125 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -422,8 +422,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) } if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { auth_log(authctxt, authenticated, partial, - auth_method, auth_submethod, - compat20 ? " ssh2" : ""); + auth_method, auth_submethod); if (!authenticated) authctxt->failures++; } @@ -1168,6 +1167,7 @@ mm_answer_keyallowed(int sock, Buffer *m) case MM_USERKEY: allowed = options.pubkey_authentication && user_key_allowed(authctxt->pw, key); + pubkey_auth_info(authctxt, key); auth_method = "publickey"; if (options.pubkey_authentication && allowed != 1) auth_clear_options(); @@ -1207,8 +1207,7 @@ mm_answer_keyallowed(int sock, Buffer *m) hostbased_chost = chost; } else { /* Log failed attempt */ - auth_log(authctxt, 0, 0, auth_method, NULL, - compat20 ? " ssh2" : ""); + auth_log(authctxt, 0, 0, auth_method, NULL); free(blob); free(cuser); free(chost); -- cgit v1.2.1 From fd769b9caf9391378e871752da49b2a2a246636f Mon Sep 17 00:00:00 2001 
From: dtucker Date: Sat, 1 Jun 2013 21:43:59 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/31 12:28:10 [ssh-agent.c] Use time_t where appropriate. ok djm --- ChangeLog | 3 +++ ssh-agent.c | 21 ++++++++++++--------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index d772486f..5689f03d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,9 @@ Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@ + - dtucker@cvs.openbsd.org 2013/05/31 12:28:10 + [ssh-agent.c] + Use time_t where appropriate. ok djm 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/ssh-agent.c b/ssh-agent.c index 3f94851e..0fd9e0bb 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.173 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.174 2013/05/31 12:28:10 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -106,7 +106,7 @@ typedef struct identity { Key *key; char *comment; char *provider; - u_int death; + time_t death; u_int confirm; } Identity; @@ -134,8 +134,8 @@ char *lock_passwd = NULL; extern char *__progname; -/* Default lifetime (0 == forever) */ -static int lifetime = 0; +/* Default lifetime in seconds (0 == forever) */ +static long lifetime = 0; static void close_socket(SocketEntry *e) @@ -428,10 +428,10 @@ process_remove_all_identities(SocketEntry *e, int version) } /* removes expired keys and returns number of seconds until the next expiry */ -static u_int +static time_t reaper(void) { - u_int deadline = 0, now = time(NULL); + time_t deadline = 0, now = time(NULL); Identity *id, *nxt; int version; Idtab *tab; 
@@ -463,8 +463,9 @@ process_add_identity(SocketEntry *e, int version) { Idtab *tab = idtab_lookup(version); Identity *id; - int type, success = 0, death = 0, confirm = 0; + int type, success = 0, confirm = 0; char *type_name, *comment; + time_t death = 0; Key *k = NULL; #ifdef OPENSSL_HAS_ECC BIGNUM *exponent; @@ -699,7 +700,8 @@ static void process_add_smartcard_key(SocketEntry *e) { char *provider = NULL, *pin; - int i, type, version, count = 0, success = 0, death = 0, confirm = 0; + int i, type, version, count = 0, success = 0, confirm = 0; + time_t death = 0; Key **keys = NULL, *k; Identity *id; Idtab *tab; @@ -926,9 +928,10 @@ static int prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp, struct timeval **tvpp) { - u_int i, sz, deadline; + u_int i, sz; int n = 0; static struct timeval tv; + time_t deadline; for (i = 0; i < sockets_alloc; i++) { switch (sockets[i].type) { -- cgit v1.2.1 From a18f8b30bbebe90764f1873317b21072b46651c0 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 21:46:16 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/01 13:15:52 [ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c channels.c sandbox-systrace.c] Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@. --- ChangeLog | 6 ++++++ channels.c | 12 ++++++------ clientloop.c | 14 +++++++------- misc.c | 13 ++++++++++++- misc.h | 3 ++- packet.c | 10 +++++----- progressmeter.c | 6 +++--- sandbox-systrace.c | 3 ++- ssh-agent.c | 12 ++++++------ 9 files changed, 49 insertions(+), 30 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5689f03d..891db12a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -38,6 +38,12 @@ - dtucker@cvs.openbsd.org 2013/05/31 12:28:10 [ssh-agent.c] Use time_t where appropriate. ok djm + - dtucker@cvs.openbsd.org 2013/06/01 13:15:52 + [ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c + channels.c sandbox-systrace.c] + Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like + keepalives and rekeying will work properly over clock steps. Suggested by + markus@, "looks good" djm@. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/channels.c b/channels.c index 6031394c..d50a4a29 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.321 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.322 2013/06/01 13:15:51 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1335,7 +1335,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) errno != ECONNABORTED) error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } set_nodelay(newsock); @@ -1482,7 +1482,7 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) errno != ECONNABORTED) error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } set_nodelay(newsock); @@ -1518,7 +1518,7 @@ channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) error("accept from auth socket: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } nc = channel_new("accepted auth socket", 
@@ -1922,7 +1922,7 @@ channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset) &addrlen)) == -1) { error("%s accept: %s", __func__, strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } @@ -2085,7 +2085,7 @@ channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset, channel_handler_init(); did_init = 1; } - now = time(NULL); + now = monotime(); if (unpause_secs != NULL) *unpause_secs = 0; for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { diff --git a/clientloop.c b/clientloop.c index 22138560..4b071eb9 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.250 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.251 2013/06/01 13:15:51 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -273,7 +273,7 @@ set_control_persist_exit_time(void) control_persist_exit_time = 0; } else if (control_persist_exit_time <= 0) { /* a client connection has recently closed */ - control_persist_exit_time = time(NULL) + + control_persist_exit_time = monotime() + (time_t)options.control_persist_timeout; debug2("%s: schedule exit in %d seconds", __func__, options.control_persist_timeout); @@ -356,7 +356,7 @@ client_x11_get_proto(const char *display, const char *xauth_path, if (system(cmd) == 0) generated = 1; if (x11_refuse_time == 0) { - now = time(NULL) + 1; + now = monotime() + 1; if (UINT_MAX - timeout < now) x11_refuse_time = UINT_MAX; else @@ -581,7 +581,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, { struct timeval tv, *tvp; int timeout_secs; - time_t minwait_secs = 0, server_alive_time = 0, now = time(NULL); + time_t minwait_secs = 0, server_alive_time = 0, now = monotime(); int ret; /* Add any selections by the channel mechanism. */ 
@@ -676,7 +676,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, * Timeout. Could have been either keepalive or rekeying. * Keepalive we check here, rekeying is checked in clientloop. */ - if (server_alive_time != 0 && server_alive_time <= time(NULL)) + if (server_alive_time != 0 && server_alive_time <= monotime()) server_alive_check(); } @@ -1650,7 +1650,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) * connections, then quit. */ if (control_persist_exit_time > 0) { - if (time(NULL) >= control_persist_exit_time) { + if (monotime() >= control_persist_exit_time) { debug("ControlPersist timeout expired"); break; } @@ -1868,7 +1868,7 @@ client_request_x11(const char *request_type, int rchan) "malicious server."); return NULL; } - if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) { + if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) { verbose("Rejected X11 connection after ForwardX11Timeout " "expired"); return NULL; diff --git a/misc.c b/misc.c index 4aa5fdc8..cd45e9ec 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.90 2013/06/01 13:15:52 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -854,6 +854,17 @@ ms_to_timeval(struct timeval *tv, int ms) tv->tv_usec = (ms % 1000) * 1000; } +time_t +monotime(void) +{ + struct timespec ts; + + if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) + fatal("clock_gettime: %s", strerror(errno)); + + return (ts.tv_sec); +} + void bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen) { diff --git a/misc.h b/misc.h index f3142a95..fceb3065 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.48 2011/03/29 18:54:17 stevesk Exp $ */ +/* $OpenBSD: misc.h,v 1.49 2013/06/01 13:15:52 dtucker Exp $ */ /* * Author: Tatu Ylonen 
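Review bot: `monotime()` has no fallback: when `clock_gettime(CLOCK_MONOTONIC, &ts)` fails it calls fatal(), so on any platform in the portable tree where the monotonic clock is missing, or where the call is refused, the first timer read kills the process rather than degrading to wall-clock time. Guard the body with the configure-time check for clock_gettime/CLOCK_MONOTONIC and fall back to `return time(NULL);`, and state in a header comment that the value must not be mixed with wall-clock values: `/* Seconds from a monotonic clock; never compare with time(NULL) results. */`.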
@@ -35,6 +35,7 @@ char *tohex(const void *, size_t); void sanitise_stdfd(void); void ms_subtract_diff(struct timeval *, int *); void ms_to_timeval(struct timeval *, int); +time_t monotime(void); void sock_set_v6only(int); struct passwd *pwcopy(struct passwd *); diff --git a/packet.c b/packet.c index 84ebd81d..b25395d4 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.186 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.187 2013/06/01 13:15:52 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1015,7 +1015,7 @@ packet_send2(void) /* after a NEWKEYS message we can send the complete queue */ if (type == SSH2_MSG_NEWKEYS) { active_state->rekeying = 0; - active_state->rekey_time = time(NULL); + active_state->rekey_time = monotime(); while ((p = TAILQ_FIRST(&active_state->outgoing))) { type = p->type; debug("dequeue packet: %u", type); @@ -1942,7 +1942,7 @@ packet_need_rekeying(void) (active_state->max_blocks_in && (active_state->p_read.blocks > active_state->max_blocks_in)) || (active_state->rekey_interval != 0 && active_state->rekey_time + - active_state->rekey_interval <= time(NULL)); + active_state->rekey_interval <= monotime()); } void @@ -1956,7 +1956,7 @@ packet_set_rekey_limits(u_int32_t bytes, time_t seconds) * We set the time here so that in post-auth privsep slave we count * from the completion of the authentication. */ - active_state->rekey_time = time(NULL); + active_state->rekey_time = monotime(); } time_t @@ -1965,7 +1965,7 @@ packet_get_rekey_timeout(void) time_t seconds; seconds = active_state->rekey_time + active_state->rekey_interval - - time(NULL); + monotime(); return (seconds <= 0 ? 1 : seconds); } diff --git a/progressmeter.c b/progressmeter.c index 0f95222d..0e570e41 100644 --- a/progressmeter.c +++ b/progressmeter.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: progressmeter.c,v 1.37 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: progressmeter.c,v 1.38 2013/06/01 13:15:52 dtucker Exp $ */ /* * Copyright (c) 2003 Nils Nordman. All rights reserved. * @@ -131,7 +131,7 @@ refresh_progress_meter(void) transferred = *counter - cur_pos; cur_pos = *counter; - now = time(NULL); + now = monotime(); bytes_left = end_pos - cur_pos; if (bytes_left > 0) @@ -249,7 +249,7 @@ update_progress_meter(int ignore) void start_progress_meter(char *f, off_t filesize, off_t *ctr) { - start = last_update = time(NULL); + start = last_update = monotime(); file = f; end_pos = filesize; cur_pos = 0; diff --git a/sandbox-systrace.c b/sandbox-systrace.c index 2d16a627..cc0db46c 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sandbox-systrace.c,v 1.6 2012/06/30 14:35:09 markus Exp $ */ +/* $OpenBSD: sandbox-systrace.c,v 1.7 2013/06/01 13:15:52 dtucker Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -57,6 +57,7 @@ static const struct sandbox_policy preauth_policy[] = { { SYS_exit, SYSTR_POLICY_PERMIT }, { SYS_getpid, SYSTR_POLICY_PERMIT }, { SYS_gettimeofday, SYSTR_POLICY_PERMIT }, + { SYS_clock_gettime, SYSTR_POLICY_PERMIT }, { SYS_madvise, SYSTR_POLICY_PERMIT }, { SYS_mmap, SYSTR_POLICY_PERMIT }, { SYS_mprotect, SYSTR_POLICY_PERMIT }, diff --git a/ssh-agent.c b/ssh-agent.c index 0fd9e0bb..f5e5873a 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.174 2013/05/31 12:28:10 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.175 2013/06/01 13:15:52 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -431,7 +431,7 @@ process_remove_all_identities(SocketEntry *e, int version) static time_t reaper(void) { - time_t deadline = 0, now = time(NULL); + time_t deadline = 0, now = monotime(); Identity *id, *nxt; int version; Idtab *tab; 
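Review bot: Only the systrace preauth policy gains `SYS_clock_gettime`, yet packet_need_rekeying() and the other timer sites converted in this commit now call clock_gettime() in the unprivileged preauth child; if this tree also carries the Linux seccomp-bpf sandbox (or any other allow-list sandbox), that policy needs the matching entry or the child is killed on the first timer read after the sandbox is entered. On Linux the call may be served by the vDSO on some kernels and trap on others, so the failure would be environment-dependent and easy to miss in testing. Suggest auditing every sandbox backend for a clock_gettime allow entry in the same commit.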
@@ -618,7 +618,7 @@ process_add_identity(SocketEntry *e, int version) while (buffer_len(&e->request)) { switch ((type = buffer_get_char(&e->request))) { case SSH_AGENT_CONSTRAIN_LIFETIME: - death = time(NULL) + buffer_get_int(&e->request); + death = monotime() + buffer_get_int(&e->request); break; case SSH_AGENT_CONSTRAIN_CONFIRM: confirm = 1; @@ -633,7 +633,7 @@ process_add_identity(SocketEntry *e, int version) } success = 1; if (lifetime && !death) - death = time(NULL) + lifetime; + death = monotime() + lifetime; if ((id = lookup_identity(k, version)) == NULL) { id = xcalloc(1, sizeof(Identity)); id->key = k; @@ -712,7 +712,7 @@ process_add_smartcard_key(SocketEntry *e) while (buffer_len(&e->request)) { switch ((type = buffer_get_char(&e->request))) { case SSH_AGENT_CONSTRAIN_LIFETIME: - death = time(NULL) + buffer_get_int(&e->request); + death = monotime() + buffer_get_int(&e->request); break; case SSH_AGENT_CONSTRAIN_CONFIRM: confirm = 1; @@ -724,7 +724,7 @@ process_add_smartcard_key(SocketEntry *e) } } if (lifetime && !death) - death = time(NULL) + lifetime; + death = monotime() + lifetime; count = pkcs11_add_provider(provider, pin, &keys); for (i = 0; i < count; i++) { -- cgit v1.2.1 From 552d27841395d48635e11c25480244dd35b3676c Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 21:52:21 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/01 20:59:25 [scp.c sftp-client.c] Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch from Nathan Osman via bz#2113. ok deraadt. (note: corrected bug number from 2085) --- ChangeLog | 4 ++++ scp.c | 4 ++-- sftp-client.c | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 891db12a..c64a4046 100644 --- a/ChangeLog +++ b/ChangeLog 
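Review bot: `death = monotime() + buffer_get_int(&e->request)` (and the `lifetime` counterpart in the @@ -633 and @@ -724 hunks, plus the same line in @@ -712) makes an identity's lifetime a count of monotonic-clock seconds rather than wall-clock seconds; on Linux CLOCK_MONOTONIC does not advance while the machine is suspended, so a key added with a lifetime before a laptop sleeps stays usable for the full remaining lifetime after resume instead of expiring at the wall-clock deadline. That is a deliberate trade for clock-step robustness, but it widens the window a lifetime constraint was meant to bound and should be stated next to the first assignment: `/* lifetime is measured on the monotonic clock: time spent suspended does not count */`. The sum is also unchecked against the client-chosen u_int; with a 32-bit time_t it can wrap to a deadline already in the past, which merely expires the key immediately, so the comment is the only change needed. process_add_identity's body starts and ends outside the hunk.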
@@ -44,6 +44,10 @@ Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@. + - dtucker@cvs.openbsd.org 2013/06/01 20:59:25 + [scp.c sftp-client.c] + Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch + from Nathan Osman via bz#2085. ok deraadt. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/scp.c b/scp.c index 32e9d00b..b75d97bb 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.173 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: scp.c,v 1.174 2013/06/01 20:59:25 dtucker Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -1066,7 +1066,7 @@ sink(int argc, char **argv) continue; } omode = mode; - mode |= S_IWRITE; + mode |= S_IWUSR; if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { bad: run_err("%s: %s", np, strerror(errno)); continue; diff --git a/sftp-client.c b/sftp-client.c index 038e1c34..fc60dd80 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.98 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.99 2013/06/01 20:59:25 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1051,7 +1051,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, } local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, - mode | S_IWRITE); + mode | S_IWUSR); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", local_path, strerror(errno)); -- cgit v1.2.1 From 9015b96762cda36dd098909d314abf14acce0c99 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 22:01:24 +0000 Subject: Remove stray '+' accidentally introduced in sync --- auth1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth1.c b/auth1.c index 3518fb1c..f1ac5981 100644 
--- a/auth1.c +++ b/auth1.c @@ -57,7 +57,7 @@ struct AuthMethod1 { int type; char *name; int *enabled; -+ int (*method)(Authctxt *); + int (*method)(Authctxt *); }; const struct AuthMethod1 auth1_methods[] = { -- cgit v1.2.1 From f1542066e1823de5a60fdace2257cdf0ec2f50a7 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 22:07:31 +0000 Subject: - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c openbsd-compat/port-linux.c] Replace portable-specific instances of xfree with the equivalent calls to free. --- ChangeLog | 6 +++++ auth-chall.c | 10 ++++---- auth-krb5.c | 3 +-- auth-pam.c | 44 ++++++++++++++++-------------------- cipher-aes.c | 2 +- cipher-ctr.c | 2 +- groupaccess.c | 4 ++-- loginrec.c | 2 +- monitor.c | 20 ++++++++-------- monitor_wrap.c | 4 ++-- openbsd-compat/bsd-cygwin_util.c | 2 +- openbsd-compat/getrrsetbyname-ldns.c | 1 - openbsd-compat/port-aix.c | 10 ++++---- openbsd-compat/port-linux.c | 12 ++++------ session.c | 8 +++---- sshd.c | 2 +- sshlogin.c | 2 +- uidswap.c | 6 ++--- 18 files changed, 66 insertions(+), 74 deletions(-) diff --git a/ChangeLog b/ChangeLog index c64a4046..7f4323e0 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -48,6 +48,12 @@ [scp.c sftp-client.c] Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch from Nathan Osman via bz#2085. ok deraadt. + - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c + groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c + sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c + openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c + openbsd-compat/port-linux.c] Replace portable-specific instances of xfree + with the equivalent calls to free. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/auth-chall.c b/auth-chall.c index bfc51eae..0005aa88 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -102,11 +102,11 @@ verify_response(Authctxt *authctxt, const char *response) authenticated = 1; for (i = 0; i < numprompts; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(name); - xfree(echo_on); - xfree(info); + free(prompts[i]); + free(prompts); + free(name); + free(echo_on); + free(info); break; } device->free_ctx(authctxt->kbdintctxt); diff --git a/auth-krb5.c b/auth-krb5.c index 922c66c6..ff1462ad 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -181,8 +181,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) out: restore_uid(); - if (platform_client != NULL) - xfree(platform_client); + free(platform_client); if (problem) { if (ccache) diff --git a/auth-pam.c b/auth-pam.c index 675006e6..d51318b3 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -412,10 +412,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); buffer_free(&buffer); return (PAM_CONV_ERR); } 
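Review bot: The `fail:` path of sshpam_thread_conv frees each `reply[i].resp` without scrubbing it, and if those buffers were filled from the conversation above the hunk they hold the client's authentication responses, normally the password. Dropping the NULL guard around free() is equivalent, but a reviewer would want the secret cleared before the memory goes back to the allocator, e.g. `if (reply[i].resp != NULL) memset(reply[i].resp, 0, strlen(reply[i].resp));` ahead of `free(reply[i].resp);`, ideally through a helper the optimizer cannot elide rather than a bare memset-before-free. The `fail:` labels in sshpam_store_conv, sshpam_tty_conv and sshpam_passwd_conv later in this commit follow the identical pattern. The function body begins before the hunk.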
@@ -586,10 +585,9 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); return (PAM_CONV_ERR); } @@ -693,7 +691,7 @@ sshpam_init_ctx(Authctxt *authctxt) /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { error("PAM: failed create sockets: %s", strerror(errno)); - xfree(ctxt); + free(ctxt); return (NULL); } ctxt->pam_psock = socks[0]; @@ -703,7 +701,7 @@ sshpam_init_ctx(Authctxt *authctxt) strerror(errno)); close(socks[0]); close(socks[1]); - xfree(ctxt); + free(ctxt); return (NULL); } cleanup_ctxt = ctxt; @@ -742,7 +740,7 @@ sshpam_query(void *ctx, char **name, char **info, strlcpy(**prompts + plen, msg, len - plen); plen += mlen; **echo_on = (type == PAM_PROMPT_ECHO_ON); - xfree(msg); + free(msg); return (0); case PAM_ERROR_MSG: case PAM_TEXT_INFO: @@ -753,7 +751,7 @@ sshpam_query(void *ctx, char **name, char **info, plen += mlen; strlcat(**prompts + plen, "\n", len - plen); plen++; - xfree(msg); + free(msg); break; case PAM_ACCT_EXPIRED: sshpam_account_status = 0; @@ -766,7 +764,7 @@ sshpam_query(void *ctx, char **name, char **info, *num = 0; **echo_on = 0; ctxt->pam_done = -1; - xfree(msg); + free(msg); return 0; } /* FALLTHROUGH */ @@ -776,7 +774,7 @@ sshpam_query(void *ctx, char **name, char **info, debug("PAM: %s", **prompts); buffer_append(&loginmsg, **prompts, strlen(**prompts)); - xfree(**prompts); + free(**prompts); **prompts = NULL; } if (type == PAM_SUCCESS) { @@ -790,7 +788,7 @@ sshpam_query(void *ctx, char **name, char **info, *num = 0; **echo_on = 0; ctxt->pam_done = 1; - xfree(msg); + free(msg); return (0); } error("PAM: %s for %s%.100s from %.100s", msg, @@ -801,7 +799,7 @@ sshpam_query(void *ctx, char **name, char **info, default: *num = 0; **echo_on = 0; - xfree(msg); + free(msg); ctxt->pam_done = -1; return (-1); } 
@@ -852,7 +850,7 @@ sshpam_free_ctx(void *ctxtp) debug3("PAM: %s entering", __func__); sshpam_thread_cleanup(); - xfree(ctxt); + free(ctxt); /* * We don't call sshpam_cleanup() here because we may need the PAM * handle at a later stage, e.g. when setting up a session. It's @@ -1006,10 +1004,9 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); return (PAM_CONV_ERR); } @@ -1081,7 +1078,7 @@ do_pam_putenv(char *name, char *value) snprintf(compound, len, "%s=%s", name, value); ret = pam_putenv(sshpam_handle, compound); - xfree(compound); + free(compound); #endif return (ret); @@ -1108,8 +1105,8 @@ free_pam_environment(char **env) return; for (envp = env; *envp; envp++) - xfree(*envp); - xfree(env); + free(*envp); + free(env); } /* @@ -1165,10 +1162,9 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); return (PAM_CONV_ERR); } diff --git a/cipher-aes.c b/cipher-aes.c index 07ec7aa5..8b101727 100644 --- a/cipher-aes.c +++ b/cipher-aes.c @@ -120,7 +120,7 @@ ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx) if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); } return (1); diff --git a/cipher-ctr.c b/cipher-ctr.c index d1fe69f5..ea0f9b3b 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -104,7 +104,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); } return (1); diff --git a/groupaccess.c b/groupaccess.c index 020deace..1eab10b1 100644 --- a/groupaccess.c +++ b/groupaccess.c 
@@ -69,7 +69,7 @@ ga_init(const char *user, gid_t base) for (i = 0, j = 0; i < ngroups; i++) if ((gr = getgrgid(groups_bygid[i])) != NULL) groups_byname[j++] = xstrdup(gr->gr_name); - xfree(groups_bygid); + free(groups_bygid); return (ngroups = j); } @@ -125,6 +125,6 @@ ga_free(void) for (i = 0; i < ngroups; i++) free(groups_byname[i]); ngroups = 0; - xfree(groups_byname); + free(groups_byname); } } diff --git a/loginrec.c b/loginrec.c index f9662fa5..59e8a44e 100644 --- a/loginrec.c +++ b/loginrec.c @@ -347,7 +347,7 @@ logininfo *login_alloc_entry(pid_t pid, const char *username, void login_free_entry(struct logininfo *li) { - xfree(li); + free(li); } diff --git a/monitor.c b/monitor.c index 6acb2025..7286126f 100644 --- a/monitor.c +++ b/monitor.c @@ -988,7 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer *m) skey_haskey(authctxt->pw->pw_name) == 0 && skey_passcheck(authctxt->pw->pw_name, response) != -1); - xfree(response); + free(response); buffer_clear(m); buffer_put_int(m, authok); @@ -1073,19 +1073,17 @@ mm_answer_pam_query(int sock, Buffer *m) buffer_clear(m); buffer_put_int(m, ret); buffer_put_cstring(m, name); - xfree(name); + free(name); buffer_put_cstring(m, info); - xfree(info); + free(info); buffer_put_int(m, num); for (i = 0; i < num; ++i) { buffer_put_cstring(m, prompts[i]); - xfree(prompts[i]); + free(prompts[i]); buffer_put_int(m, echo_on[i]); } - if (prompts != NULL) - xfree(prompts); - if (echo_on != NULL) - xfree(echo_on); + free(prompts); + free(echo_on); auth_method = "keyboard-interactive"; auth_submethod = "pam"; mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); @@ -1108,8 +1106,8 @@ mm_answer_pam_respond(int sock, Buffer *m) resp[i] = buffer_get_string(m, NULL); ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); for (i = 0; i < num; ++i) - xfree(resp[i]); - xfree(resp); + free(resp[i]); + free(resp); } else { ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL); } 
@@ -1764,7 +1762,7 @@ mm_answer_audit_command(int socket, Buffer *m) cmd = buffer_get_string(m, &len); /* sanity check command, if so how? */ audit_run_command(cmd); - xfree(cmd); + free(cmd); return (0); } #endif /* SSH_AUDIT_EVENTS */ diff --git a/monitor_wrap.c b/monitor_wrap.c index b1870fcb..88ff6833 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -805,7 +805,7 @@ mm_do_pam_account(void) ret = buffer_get_int(&m); msg = buffer_get_string(&m, NULL); buffer_append(&loginmsg, msg, strlen(msg)); - xfree(msg); + free(msg); buffer_free(&m); @@ -1035,7 +1035,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt, mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT); - xfree(challenge); + free(challenge); return (0); } diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index d3d2d913..267e77a1 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c @@ -97,7 +97,7 @@ fetch_windows_environment(void) void free_windows_environment(char **p) { - xfree(p); + free(p); } #endif /* HAVE_CYGWIN */ diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c index 19666346..343720f1 100644 --- a/openbsd-compat/getrrsetbyname-ldns.c +++ b/openbsd-compat/getrrsetbyname-ldns.c @@ -58,7 +58,6 @@ #define malloc(x) (xmalloc(x)) #define calloc(x, y) (xcalloc((x),(y))) -#define free(x) (xfree(x)) int getrrsetbyname(const char *hostname, unsigned int rdclass, diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 0bdefbf6..8da367d4 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -86,7 +86,7 @@ aix_usrinfo(struct passwd *pw) fatal("Couldn't set usrinfo: %s", strerror(errno)); debug3("AIX/UsrInfo: set len %d", i); - xfree(cp); + free(cp); } # ifdef WITH_AIXAUTHENTICATE 
@@ -215,16 +215,14 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) default: /* user can't change(2) or other error (-1) */ logit("Password can't be changed for user %s: %.100s", name, msg); - if (msg) - xfree(msg); + free(msg); authsuccess = 0; } aix_restoreauthdb(); } - if (authmsg != NULL) - xfree(authmsg); + free(authmsg); return authsuccess; } @@ -269,7 +267,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg) if (!permitted) logit("Login restricted for %s: %.100s", pw->pw_name, msg); - xfree(msg); + free(msg); return permitted; } diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index aba75387..4637a7a3 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c @@ -1,4 +1,4 @@ -/* $Id: port-linux.c,v 1.17 2012/03/08 23:25:18 djm Exp $ */ +/* $Id: port-linux.c,v 1.18 2013/06/01 22:07:32 dtucker Exp $ */ /* * Copyright (c) 2005 Daniel Walsh @@ -96,10 +96,8 @@ ssh_selinux_getctxbyname(char *pwname) } #ifdef HAVE_GETSEUSERBYNAME - if (sename != NULL) - xfree(sename); - if (lvl != NULL) - xfree(lvl); + free(sename); + free(lvl); #endif return sc; @@ -217,8 +215,8 @@ ssh_selinux_change_context(const char *newname) if (setcon(newctx) < 0) switchlog("%s: setcon %s from %s failed with %s", __func__, newctx, oldctx, strerror(errno)); - xfree(oldctx); - xfree(newctx); + free(oldctx); + free(newctx); } void diff --git a/session.c b/session.c index f47cc178..1424825c 100644 --- a/session.c +++ b/session.c @@ -1092,8 +1092,8 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid) umask((mode_t)mask); for (i = 0; tmpenv[i] != NULL; i++) - xfree(tmpenv[i]); - xfree(tmpenv); + free(tmpenv[i]); + free(tmpenv); } #endif /* HAVE_ETC_DEFAULT_LOGIN */ @@ -1109,7 +1109,7 @@ copy_environment(char **source, char ***env, u_int *envsize) for(i = 0; source[i] != NULL; i++) { var_name = xstrdup(source[i]); if ((var_val = strstr(var_name, "=")) == NULL) { - xfree(var_name); + free(var_name); continue; } *var_val++ = '\0'; 
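Review bot: ssh_selinux_change_context releases `oldctx` with `free(oldctx);`, but if that string is the result of libselinux's getcon(), which I expect is the call above the hunk, the library's contract is to release it with freecon(); the two happen to be interchangeable in current libselinux, which is why the old xfree worked, but that is an implementation detail rather than the API. Suggest `freecon(oldctx);` for the getcon() result while keeping `free(newctx);` for the locally allocated replacement, with a short comment noting which allocator owns each buffer. The function body begins outside the hunk.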
@@ -1117,7 +1117,7 @@ copy_environment(char **source, char ***env, u_int *envsize) debug3("Copy environment: %s=%s", var_name, var_val); child_set_env(env, envsize, var_name, var_val); - xfree(var_name); + free(var_name); } } diff --git a/sshd.c b/sshd.c index 069e95ff..c0ba420a 100644 --- a/sshd.c +++ b/sshd.c @@ -1616,7 +1616,7 @@ main(int ac, char **av) } else { memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd)); privsep_pw = pwcopy(privsep_pw); - xfree(privsep_pw->pw_passwd); + free(privsep_pw->pw_passwd); privsep_pw->pw_passwd = xstrdup("*"); } endpwent(); diff --git a/sshlogin.c b/sshlogin.c index 54629f74..2688d8d7 100644 --- a/sshlogin.c +++ b/sshlogin.c @@ -97,7 +97,7 @@ store_lastlog_message(const char *user, uid_t uid) time_string = sys_auth_get_lastlogin_msg(user, uid); if (time_string != NULL) { buffer_append(&loginmsg, time_string, strlen(time_string)); - xfree(time_string); + free(time_string); } # else last_login_time = get_last_login_time(uid, user, hostname, diff --git a/uidswap.c b/uidswap.c index cdd7309e..26d17f93 100644 --- a/uidswap.c +++ b/uidswap.c @@ -90,8 +90,7 @@ temporarily_use_uid(struct passwd *pw) if (getgroups(saved_egroupslen, saved_egroups) < 0) fatal("getgroups: %.100s", strerror(errno)); } else { /* saved_egroupslen == 0 */ - if (saved_egroups != NULL) - xfree(saved_egroups); + free(saved_egroups); } /* set and save the user's groups */ @@ -109,8 +108,7 @@ temporarily_use_uid(struct passwd *pw) if (getgroups(user_groupslen, user_groups) < 0) fatal("getgroups: %.100s", strerror(errno)); } else { /* user_groupslen == 0 */ - if (user_groups) - xfree(user_groups); + free(user_groups); } } /* Set the effective uid to the given (unprivileged) uid. */ -- cgit v1.2.1 From 0c6bfc0ad4e91f2ce7289954e81a079f1e10348d Mon Sep 17 00:00:00 2001 
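Review bot: In temporarily_use_uid the zero-groups branch now does `free(saved_egroups);` but leaves the file-scope pointer dangling, while the branch just above still passes that pointer to getgroups() after what appears to be a reallocation outside the hunk; if that is a realloc of saved_egroups, a later call that sees a non-empty group list hands a freed pointer to the allocator. Suggest `free(saved_egroups); saved_egroups = NULL;` here and, in the second hunk, `free(user_groups); user_groups = NULL;`, since a double free or use-after-free in a helper that sshd runs with root privileges is worth ruling out even though the supplementary group list rarely changes between calls. The function starts before the first hunk and ends after the second.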
From: dtucker Date: Sat, 1 Jun 2013 22:18:31 +0000 Subject: - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall back to time(NULL) if we can't find it anywhere. --- ChangeLog | 2 ++ configure.ac | 7 +++++-- misc.c | 4 ++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7f4323e0..50ce1b73 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,6 +54,8 @@ openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c openbsd-compat/port-linux.c] Replace portable-specific instances of xfree with the equivalent calls to free. + - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall + back to time(NULL) if we can't find it anywhere. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/configure.ac b/configure.ac index d35a19bc..1b64d11a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.527 2013/06/01 21:18:48 dtucker Exp $ +# $Id: configure.ac,v 1.528 2013/06/01 22:18:32 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.527 $) +AC_REVISION($Revision: 1.528 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1648,6 +1648,9 @@ const char *gai_strerror(int); AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1], [Some systems put nanosleep outside of libc])]) +AC_SEARCH_LIBS([clock_gettime], [rt], + [AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])]) + dnl Make sure prototypes are defined for these before using them. AC_CHECK_DECL([getrusage], [AC_CHECK_FUNCS([getrusage])]) AC_CHECK_DECL([strsep], diff --git a/misc.c b/misc.c index cd45e9ec..fd745444 100644 --- a/misc.c +++ b/misc.c 
@@ -857,12 +857,16 @@ ms_to_timeval(struct timeval *tv, int ms) time_t monotime(void) { +#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC) struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) fatal("clock_gettime: %s", strerror(errno)); return (ts.tv_sec); +#else + return time(NULL); +#endif } void -- cgit v1.2.1 From 2754757243b9f1a62c6cd7c624f8ccd42eb37a57 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 22:37:05 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/01 22:34:50 [sftp-client.c] Update progressmeter when data is acked, not when it's sent. bz#2108, from Debian via Colin Watson, ok djm@ --- ChangeLog | 4 ++++ sftp-client.c | 10 ++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 50ce1b73..cfb38233 100644 --- a/ChangeLog +++ b/ChangeLog @@ -48,6 +48,10 @@ [scp.c sftp-client.c] Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch from Nathan Osman via bz#2085. ok deraadt. + - dtucker@cvs.openbsd.org 2013/06/01 22:34:50 + [sftp-client.c] + Update progressmeter when data is acked, not when it's sent. bz#2108, from + Debian via Colin Watson, ok djm@ - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c diff --git a/sftp-client.c b/sftp-client.c index fc60dd80..ab035c71 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.99 2013/06/01 20:59:25 dtucker Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.100 2013/06/01 22:34:50 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1340,7 +1340,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, int local_fd; int status = SSH2_FX_OK; u_int handle_len, id, type; - off_t offset; + off_t offset, progress_counter; char *handle, *data; Buffer msg; struct stat sb; 
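Review bot: The new `#else` branch of monotime() silently returns `time(NULL)`, the very wall clock the callers (ssh-agent key lifetimes, keepalive and rekey timers per the ChangeLog entry above) were moved off because it steps, so on a platform without clock_gettime or CLOCK_MONOTONIC the behaviour quietly regresses to the old one. The fallback is reasonable, but it should be documented at the function so a clock step that moves a key expiry or rekey deadline is not mistaken for a bug elsewhere, e.g. `/* No monotonic clock: timers fall back to wall-clock time and are not robust to clock steps. */` above the `return time(NULL);`. It would also be worth noting in the header comment that the returned value is only meaningful relative to other monotime() calls in the same process.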
@@ -1408,9 +1408,10 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, data = xmalloc(conn->transfer_buflen); /* Read from local and write to remote */ - offset = 0; + offset = progress_counter = 0; if (showprogress) - start_progress_meter(local_path, sb.st_size, &offset); + start_progress_meter(local_path, sb.st_size, + &progress_counter); for (;;) { int len; @@ -1481,6 +1482,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, debug3("In write loop, ack for %u %u bytes at %lld", ack->id, ack->len, (long long)ack->offset); ++ackid; + progress_counter += ack->len; free(ack); } offset += len; -- cgit v1.2.1 From 21fd08f951cb0b2bb2e5b85239bb6fd2915efe74 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 23:11:19 +0000 Subject: fix typo --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index cfb38233..3d012984 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to - using openssl's DES_crpyt function on platorms that don't have a native + using openssl's DES_crypt function on platorms that don't have a native one, eg Android. Based on a patch from Nathan Osman. - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS rather than trying to enumerate the plaforms that don't have them. -- cgit v1.2.1 From 887b4925c3080aab2f51a98ab7c041430c076f0b Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 1 Jun 2013 23:17:09 +0000 Subject: - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday. --- ChangeLog | 1 + sandbox-seccomp-filter.c | 1 + 2 files changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 3d012984..1ec48c23 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -60,6 +60,7 @@ with the equivalent calls to free. - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall back to time(NULL) if we can't find it anywhere. + - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index e1241839..cc146530 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -91,6 +91,7 @@ static const struct sock_filter preauth_insns[] = { SC_DENY(open, EACCES), SC_ALLOW(getpid), SC_ALLOW(gettimeofday), + SC_ALLOW(clock_gettime), #ifdef __NR_time /* not defined on EABI ARM */ SC_ALLOW(time), #endif -- cgit v1.2.1 From 0009a115163edafbe151e532b05568277d9dbe25 Mon Sep 17 00:00:00 2001 From: tim Date: Sun, 2 Jun 2013 01:38:23 +0000 Subject: 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy linking regress/modpipe. --- ChangeLog | 4 ++++ Makefile.in | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1ec48c23..058579f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130602 + - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy + linking regress/modpipe. + 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to using openssl's DES_crypt function on platorms that don't have a native diff --git a/Makefile.in b/Makefile.in index 62bacd6f..438baaca 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.337 2013/03/22 17:14:33 tim Exp $ +# $Id: Makefile.in,v 1.338 2013/06/02 01:38:23 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
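Review bot: `SC_ALLOW(clock_gettime)` admits the syscall for every clockid, whereas the only caller this series introduces, monotime(), uses CLOCK_MONOTONIC; if the filter has an argument-matching form, constraining the first argument would keep the pre-auth surface as tight as the rest of the list, otherwise a comment such as `/* for monotime(); normally served by the vDSO, the syscall is the fallback */` should record why the entry exists. On most glibc targets clock_gettime is answered from the vDSO without entering the kernel, so this rule rarely fires but is still needed for the fallback path and for static or non-vDSO builds. Unlike `time` just below, I am not aware of a Linux ABI lacking `__NR_clock_gettime`, so no guard is needed, but saying so in the same comment pre-empts the question.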
@@ -386,7 +386,7 @@ regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c [ -f `pwd`/regress/Makefile ] || \ ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile $(CC) $(CPPFLAGS) -o $@ $? \ - $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) BUILDDIR=`pwd`; \ -- cgit v1.2.1 From ac9f301d3c9977479da3076d0962770ce450fd5d Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 2 Jun 2013 13:46:24 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/02 13:33:05 [progressmeter.c] Add misc.h for monotime prototype. (id sync only) --- ChangeLog | 4 ++++ progressmeter.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 058579f5..0a66555b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy linking regress/modpipe. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/02 13:33:05 + [progressmeter.c] + Add misc.h for monotime prototype. (ID sync only). 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/progressmeter.c b/progressmeter.c index 0e570e41..332bd3c9 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: progressmeter.c,v 1.38 2013/06/01 13:15:52 dtucker Exp $ */ +/* $OpenBSD: progressmeter.c,v 1.39 2013/06/02 13:33:05 dtucker Exp $ */ /* * Copyright (c) 2003 Nils Nordman. All rights reserved. * -- cgit v1.2.1 From 0455253e571c3485061dd05f2cbd94ed22bed175 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 2 Jun 2013 13:47:11 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/02 13:35:58 [ssh-agent.c] Make parent_alive_interval time_t to avoid signed/unsigned comparison --- ChangeLog | 3 +++ ssh-agent.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 0a66555b..03a2e3ad 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,9 @@ - dtucker@cvs.openbsd.org 2013/06/02 13:33:05 [progressmeter.c] Add misc.h for monotime prototype. (ID sync only). + - dtucker@cvs.openbsd.org 2013/06/02 13:35:58 + [ssh-agent.c] + Make parent_alive_interval time_t to avoid signed/unsigned comparison 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/ssh-agent.c b/ssh-agent.c index f5e5873a..27df4f47 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.175 2013/06/01 13:15:52 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.176 2013/06/02 13:35:58 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -122,7 +122,7 @@ int max_fd = 0; /* pid of shell == parent of agent */ pid_t parent_pid = -1; -u_int parent_alive_interval = 0; +time_t parent_alive_interval = 0; /* pathname and directory for AUTH_SOCKET */ char socket_name[MAXPATHLEN]; -- cgit v1.2.1 From 6f447548b430b320140b1751f0c0e77fab015323 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 2 Jun 2013 15:59:13 +0000 Subject: - (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms to prevent noise from configure. Patch from Nathan Osman. --- ChangeLog | 2 ++ configure.ac | 10 +++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 03a2e3ad..aaba117b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,8 @@ - dtucker@cvs.openbsd.org 2013/06/02 13:35:58 [ssh-agent.c] Make parent_alive_interval time_t to avoid signed/unsigned comparison + - (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms + to prevent noise from configure. Patch from Nathan Osman. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index 1b64d11a..13524272 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.528 2013/06/01 22:18:32 dtucker Exp $ +# $Id: configure.ac,v 1.529 2013/06/02 15:59:13 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.528 $) +AC_REVISION($Revision: 1.529 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -348,7 +348,6 @@ AC_CHECK_HEADERS([ \ sys/sysmacros.h \ sys/time.h \ sys/timers.h \ - sys/un.h \ time.h \ tmpdir.h \ ttyent.h \ @@ -386,6 +385,11 @@ AC_CHECK_HEADERS([sys/mount.h], [], [], [ #include ]) +# Android requires sys/socket.h to be included before sys/un.h +AC_CHECK_HEADERS([sys/un.h], [], [], [ +#include +]) + # Messages for features tested for in target-specific section SIA_MSG="no" SPC_MSG="no" -- cgit v1.2.1 From 5c71feacf4ee13ff2f58e508b29e33983ca0b639 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 2 Jun 2013 16:03:25 +0000 Subject: - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android. Patch from Nathan Osman. --- ChangeLog | 4 +++- configure.ac | 8 ++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index aaba117b..329560a6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,7 +9,9 @@ [ssh-agent.c] Make parent_alive_interval time_t to avoid signed/unsigned comparison - (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms - to prevent noise from configure. Patch from Nathan Osman. + to prevent noise from configure. Patch from Nathan Osman. (bz#2114). + - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android. + Patch from Nathan Osman. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index 13524272..d6c57864 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.529 2013/06/02 15:59:13 dtucker Exp $ +# $Id: configure.ac,v 1.530 2013/06/02 16:03:26 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.529 $) +AC_REVISION($Revision: 1.530 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -491,6 +491,10 @@ case "$host" in AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) ;; +*-*-android*) + AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp]) + AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp]) + ;; *-*-cygwin*) check_for_libcrypt_later=1 LIBS="$LIBS /usr/lib/textreadmode.o" -- cgit v1.2.1 From fbf28e5c3eccb9b0f628c32a9a9d87584ab6abed Mon Sep 17 00:00:00 2001 From: tim Date: Sun, 2 Jun 2013 21:05:48 +0000 Subject: - (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we need a shell that can handle "[ file1 -nt file2 ]". Rather than keep dealing with shell portability issues in regression tests, we let configure find us a capable shell on those platforms with an old /bin/sh. --- ChangeLog | 4 ++++ configure.ac | 10 ++++++---- regress/Makefile | 4 ++-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 329560a6..ccbb790b 100644 --- a/ChangeLog +++ b/ChangeLog 
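Review bot: The commit message says this stops using lastlog on Android, but the new `*-*-android*)` case defines only DISABLE_UTMP and DISABLE_WTMP and nothing here touches lastlog, so either DISABLE_LASTLOG is missing from the case or the description is wrong. If the former, add `AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])` alongside the other two. In either case a one-line comment on the case, `# Android has no utmp/wtmp database`, would make the intent explicit, because these records are part of the login audit trail and disabling them silently deserves a visible justification.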
@@ -12,6 +12,10 @@ to prevent noise from configure. Patch from Nathan Osman. (bz#2114). - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android. Patch from Nathan Osman. + - (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we + need a shell that can handle "[ file1 -nt file2 ]". Rather than keep + dealing with shell portability issues in regression tests, we let + configure find us a capable shell on those platforms with an old /bin/sh. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index d6c57864..b8a610d5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.530 2013/06/02 16:03:26 dtucker Exp $ +# $Id: configure.ac,v 1.531 2013/06/02 21:05:49 tim Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.530 $) +AC_REVISION($Revision: 1.531 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -812,6 +812,7 @@ mips-sony-bsd|mips-sony-newsos4) SP_MSG="yes" ], ) ], ) + TEST_SHELL=$SHELL # let configure find us a capable shell ;; *-*-sunos4*) CPPFLAGS="$CPPFLAGS -DSUNOS4" @@ -855,6 +856,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([BROKEN_SETREGID]) AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd]) AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) + TEST_SHELL=$SHELL # let configure find us a capable shell ;; # UnixWare 7.x, OpenUNIX 8 *-*-sysv5*) 
@@ -866,10 +868,10 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([BROKEN_SETREUID]) AC_DEFINE([BROKEN_SETREGID]) AC_DEFINE([PASSWD_NEEDS_USERNAME]) + TEST_SHELL=$SHELL # let configure find us a capable shell case "$host" in *-*-sysv5SCO_SV*) # SCO OpenServer 6.x maildir=/var/spool/mail - TEST_SHELL=/u95/bin/sh AC_DEFINE([BROKEN_LIBIAF], [1], [ia_uinfo routines not supported by OS yet]) AC_DEFINE([BROKEN_UPDWTMPX]) @@ -910,7 +912,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([PASSWD_NEEDS_USERNAME]) AC_CHECK_FUNCS([getluid setluid]) MANTYPE=man - TEST_SHELL=ksh + TEST_SHELL=$SHELL # let configure find us a capable shell SKIP_DISABLE_LASTLOG_DEFINE=yes ;; *-*-unicosmk*) diff --git a/regress/Makefile b/regress/Makefile index b19c7ae2..ab2a6ae7 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -155,14 +155,14 @@ t-exec: ${LTESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ echo "run test $${TEST}" ... 1>&2; \ - (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ done t-exec-interop: ${INTEROP_TESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ echo "run test $${TEST}" ... 1>&2; \ - (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ done # Not run by default -- cgit v1.2.1 From c55cccf026a8ef6fb875ac5928f8e9cc2084bec5 Mon Sep 17 00:00:00 2001 From: tim Date: Sun, 2 Jun 2013 21:31:27 +0000 Subject: - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr. feedback and ok dtucker --- ChangeLog | 2 ++ aclocal.m4 | 13 ++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index ccbb790b..80f0fb4e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,8 @@ need a shell that can handle "[ file1 -nt file2 ]". Rather than keep dealing with shell portability issues in regression tests, we let configure find us a capable shell on those platforms with an old /bin/sh. + - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr. + feedback and ok dtucker 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/aclocal.m4 b/aclocal.m4 index 9bdea5ec..1b3bed79 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,4 +1,4 @@ -dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $ +dnl $Id: aclocal.m4,v 1.9 2013/06/02 21:31:27 tim Exp $ dnl dnl OpenSSH-specific autoconf macros dnl @@ -14,8 +14,15 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ _define_flag="$2" test "x$_define_flag" = "x" && _define_flag="$1" AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], - [ AC_MSG_RESULT([yes]) - CFLAGS="$saved_CFLAGS $_define_flag"], + [ +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" +else + AC_MSG_RESULT([yes]) + CFLAGS="$saved_CFLAGS $_define_flag" +fi], [ AC_MSG_RESULT([no]) CFLAGS="$saved_CFLAGS" ] ) -- cgit v1.2.1 From c6103f0f010ab0bf825850a29edff384cde13d96 Mon Sep 17 00:00:00 2001 From: tim Date: Sun, 2 Jun 2013 22:13:09 +0000 Subject: - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker --- ChangeLog | 1 + regress/sftp-chroot.sh | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 80f0fb4e..4345d995 100644 --- a/ChangeLog +++ b/ChangeLog 
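Review bot: The test `if `grep -i "unrecognized option" conftest.err >/dev/null`` in the new yes-branch of OSSH_CHECK_CFLAG_COMPILE works only because a command line that expands to nothing takes the exit status of its command substitution, which is obscure enough that a reader may take it for a bug; the plain form `if grep -i "unrecognized option" conftest.err >/dev/null; then` says the same thing directly. The pattern is also tied to one compiler's wording: clang, for instance, appears to report unknown flags with different text, so a flag it rejects would presumably still be added to CFLAGS, and the comment above the macro should state that only the "unrecognized option" diagnostic is caught. Whether conftest.err still holds the compiler's stderr when the action-if-true branch runs depends on the autoconf version, which is worth a one-line comment here too.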
@@ -18,6 +18,7 @@ configure find us a capable shell on those platforms with an old /bin/sh. - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr. feedback and ok dtucker + - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh index 98a364eb..03b9bc6d 100644 --- a/regress/sftp-chroot.sh +++ b/regress/sftp-chroot.sh @@ -8,7 +8,8 @@ FILENAME=testdata_${USER} PRIVDATA=${CHROOT}/${FILENAME} if [ -z "$SUDO" ]; then - fatal "need SUDO to create file in /var/run, test won't work without" + echo "skipped: need SUDO to create file in /var/run, test won't work without" + exit 0 fi $SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \ -- cgit v1.2.1 From c30236b068670fe2f6c5640fababa07b1a3555b6 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 2 Jun 2013 23:30:44 +0000 Subject: - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h. --- ChangeLog | 1 + configure.ac | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4345d995..4b1536bf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,7 @@ - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr. feedback and ok dtucker - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker + - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index b8a610d5..6f82c3fb 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.531 2013/06/02 21:05:49 tim Exp $ +# $Id: configure.ac,v 1.532 2013/06/02 23:30:45 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.531 $) +AC_REVISION($Revision: 1.532 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -388,6 +388,7 @@ AC_CHECK_HEADERS([sys/mount.h], [], [], [ # Android requires sys/socket.h to be included before sys/un.h AC_CHECK_HEADERS([sys/un.h], [], [], [ #include +#include ]) # Messages for features tested for in target-specific section -- cgit v1.2.1 From 64f0f0c944b4c97147144769c7bf050c7f25e96f Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 4 Jun 2013 02:55:24 +0000 Subject: - (dtucker) [configure.ac] Some other platforms need sys/types.h before sys/socket.h. --- ChangeLog | 2 ++ configure.ac | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4b1536bf..555fede3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,8 @@ feedback and ok dtucker - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h. + - (dtucker) [configure.ac] Some other platforms need sys/types.h before + sys/socket.h. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index 6f82c3fb..2cd910cf 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.532 2013/06/02 23:30:45 dtucker Exp $ +# $Id: configure.ac,v 1.533 2013/06/04 02:55:24 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.532 $) +AC_REVISION($Revision: 1.533 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -387,8 +387,8 @@ AC_CHECK_HEADERS([sys/mount.h], [], [], [ # Android requires sys/socket.h to be included before sys/un.h AC_CHECK_HEADERS([sys/un.h], [], [], [ -#include #include +#include ]) # Messages for features tested for in target-specific section -- cgit v1.2.1 From d2452b785acbd9448e9f4b7e3be190215e9d4752 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 05:04:00 +0000 Subject: - (dtucker) Enable sha256 kex methods based on the presence of the necessary functions, not from the openssl version. --- ChangeLog | 4 ++++ myproposal.h | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 555fede3..ad5b66a7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130605 + - (dtucker) Enable sha256 kex methods based on the presence of the necessary + functions, not from the openssl version. + 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy linking regress/modpipe. diff --git a/myproposal.h b/myproposal.h index 99d09346..f13c7485 100644 --- a/myproposal.h +++ b/myproposal.h @@ -46,7 +46,7 @@ #endif /* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ -#if OPENSSL_VERSION_NUMBER >= 0x00907000L +#ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha256," #else -- cgit v1.2.1 From 9197cfc50f8b07de45d7258bc05247b345374c1b Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 12:48:44 +0000 Subject: - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test. Patch from cjwatson at debian. --- ChangeLog | 6 ++++-- contrib/ssh-copy-id | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index ad5b66a7..00c74c3e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,8 @@ 20130605 - - (dtucker) Enable sha256 kex methods based on the presence of the necessary - functions, not from the openssl version. + - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of + the necessary functions, not from the openssl version. + - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test. + Patch from cjwatson at debian. 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index 9f2817b6..ae88e995 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -165,7 +165,7 @@ done eval set -- "$SAVEARGS" -if [ $# == 0 ] ; then +if [ $# = 0 ] ; then usage fi if [ $# != 1 ] ; then -- cgit v1.2.1 From cbe01eb3ea672711bdbeac5b8af72a817a3e962b Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 15:59:13 +0000 Subject: - (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the forwarding test is extremely slow copying data on some machines so switch back to copying the much smaller ls binary until we can figure out why this is. --- ChangeLog | 4 ++++ regress/forwarding.sh | 2 ++ 2 files changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 00c74c3e..e64bf0e7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ the necessary functions, not from the openssl version. - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test. Patch from cjwatson at debian. + - (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the + forwarding test is extremely slow copying data on some machines so switch + back to copying the much smaller ls binary until we can figure out why + this is. 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 2ba140fe..1c408603 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh 
@@ -3,6 +3,8 @@ tid="local and remote forwarding" +DATA=/bin/ls${EXEEXT} + start_sshd base=33 -- cgit v1.2.1 From 146fc5d239a930968f735e2222082359ce0d50a5 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 19:12:35 +0000 Subject: - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building modpipe in case there's anything in there we need. --- ChangeLog | 2 ++ Makefile.in | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e64bf0e7..6509548b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,8 @@ forwarding test is extremely slow copying data on some machines so switch back to copying the much smaller ls binary until we can figure out why this is. + - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building + modpipe in case there's anything in there we need. 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/Makefile.in b/Makefile.in index 438baaca..d6f6a792 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.338 2013/06/02 01:38:23 tim Exp $ +# $Id: Makefile.in,v 1.339 2013/06/05 19:12:35 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -385,7 +385,7 @@ regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c [ -d `pwd`/regress ] || mkdir -p `pwd`/regress [ -f `pwd`/regress/Makefile ] || \ ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile - $(CC) $(CPPFLAGS) -o $@ $? \ + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) -- cgit v1.2.1 From d06ad53ac71104ad18da89935b5043aed2e0ddc5 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 22:09:10 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/02 21:01:51 [channels.h] typo in comment --- ChangeLog | 4 ++++ channels.h | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 6509548b..588fcf6d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ this is. - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building modpipe in case there's anything in there we need. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/02 21:01:51 + [channels.h] + typo in comment 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/channels.h b/channels.h index d75b800f..a11b6227 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.111 2012/04/11 13:16:19 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.112 2013/06/02 21:01:51 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -110,7 +110,7 @@ struct Channel { * channels are delayed until the first call * to a matching pre-select handler. * this way post-select handlers are not - * accidenly called if a FD gets reused */ + * accidentally called if a FD gets reused */ Buffer input; /* data read from socket, to be sent over * encrypted connection */ Buffer output; /* data received over encrypted connection for -- cgit v1.2.1 From 6264b925e8872a1e29f6f131a9440323485584a5 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 22:11:40 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/02 23:36:29 [clientloop.h clientloop.c mux.c] No need for the mux cleanup callback to be visible so restore it to static and call it through the detach_user function pointer. ok djm@ --- ChangeLog | 4 ++++ clientloop.c | 6 +++--- clientloop.h | 3 +-- mux.c | 4 ++-- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 588fcf6d..40b15c14 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -13,6 +13,10 @@ - dtucker@cvs.openbsd.org 2013/06/02 21:01:51 [channels.h] typo in comment + - dtucker@cvs.openbsd.org 2013/06/02 23:36:29 + [clientloop.h clientloop.c mux.c] + No need for the mux cleanup callback to be visible so restore it to static + and call it through the detach_user function pointer. ok djm@ 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/clientloop.c b/clientloop.c index 4b071eb9..6a296358 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.251 2013/06/01 13:15:51 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.252 2013/06/02 23:36:29 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1109,8 +1109,8 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, if (c && c->ctl_chan != -1) { chan_read_failed(c); chan_write_failed(c); - mux_master_session_cleanup_cb(c->self, - NULL); + if (c->detach_user) + c->detach_user(c->self, NULL); return 0; } else quit_pending = 1; diff --git a/clientloop.h b/clientloop.h index d2baa032..338d4518 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */ +/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -76,5 +76,4 @@ void muxserver_listen(void); void muxclient(const char *); void mux_exit_message(Channel *, int); void mux_tty_alloc_failed(Channel *); -void mux_master_session_cleanup_cb(int, void *); diff --git a/mux.c b/mux.c index 6c55db98..31566be2 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.41 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.42 2013/06/02 23:36:29 dtucker Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * 
@@ -184,7 +184,7 @@ static const struct { /* Cleanup callback fired on closure of mux slave _session_ channel */ /* ARGSUSED */ -void +static void mux_master_session_cleanup_cb(int cid, void *unused) { Channel *cc, *c = channel_by_id(cid); -- cgit v1.2.1 From 2452f7a1c636d749709d54c31177cb5b43c7e999 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 22:12:37 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/03 00:03:18 [mac.c] force the MAC output to be 64-bit aligned so umac won't see unaligned accesses on strict-alignment architectures. bz#2101, patch from tomas.kuthan at oracle.com, ok djm@ --- ChangeLog | 5 +++++ mac.c | 19 +++++++++++-------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 40b15c14..5aa24bd4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,11 @@ [clientloop.h clientloop.c mux.c] No need for the mux cleanup callback to be visible so restore it to static and call it through the detach_user function pointer. ok djm@ + - dtucker@cvs.openbsd.org 2013/06/03 00:03:18 + [mac.c] + force the MAC output to be 64-bit aligned so umac won't see unaligned + accesses on strict-alignment architectures. bz#2101, patch from + tomas.kuthan at oracle.com, ok djm@ 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/mac.c b/mac.c index 907e1978..c4dfb501 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.23 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: mac.c,v 1.24 2013/06/03 00:03:18 dtucker Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * 
@@ -174,12 +174,15 @@ mac_init(Mac *mac) u_char * mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) { - static u_char m[EVP_MAX_MD_SIZE]; + static union { + u_char m[EVP_MAX_MD_SIZE]; + u_int64_t for_align; + } u; u_char b[4], nonce[8]; - if (mac->mac_len > sizeof(m)) + if (mac->mac_len > sizeof(u)) fatal("mac_compute: mac too long %u %lu", - mac->mac_len, (u_long)sizeof(m)); + mac->mac_len, (u_long)sizeof(u)); switch (mac->type) { case SSH_EVP: @@ -188,22 +191,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) HMAC_Init(&mac->evp_ctx, NULL, 0, NULL); HMAC_Update(&mac->evp_ctx, b, sizeof(b)); HMAC_Update(&mac->evp_ctx, data, datalen); - HMAC_Final(&mac->evp_ctx, m, NULL); + HMAC_Final(&mac->evp_ctx, u.m, NULL); break; case SSH_UMAC: put_u64(nonce, seqno); umac_update(mac->umac_ctx, data, datalen); - umac_final(mac->umac_ctx, m, nonce); + umac_final(mac->umac_ctx, u.m, nonce); break; case SSH_UMAC128: put_u64(nonce, seqno); umac128_update(mac->umac_ctx, data, datalen); - umac128_final(mac->umac_ctx, m, nonce); + umac128_final(mac->umac_ctx, u.m, nonce); break; default: fatal("mac_compute: unknown MAC type"); } - return (m); + return (u.m); } void -- cgit v1.2.1 From 1c1c80f6b65bfa33ec83cec7ddcddf7d29eea77a Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 22:16:04 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/04 19:12:23 [scp.c] use MAXPATHLEN for buffer size instead of fixed value. ok markus --- ChangeLog | 3 +++ scp.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5aa24bd4..0e9c2675 100644 --- a/ChangeLog +++ b/ChangeLog 
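Review bot: The length guard in the first hunk now compares `mac->mac_len` with `sizeof(u)`, the size of the whole union including any tail padding, rather than with the output array `u.m` that HMAC_Final/umac_final/umac128_final actually write into. On builds where EVP_MAX_MD_SIZE is a multiple of the union's alignment the two values coincide, but the check no longer expresses the bound it is meant to enforce, and a future change to the union would silently weaken it; `if (mac->mac_len > sizeof(u.m))` together with `mac->mac_len, (u_long)sizeof(u.m));` keeps it tied to the buffer. A short comment on the union, e.g. `/* u_int64_t member only forces 8-byte alignment of u.m for umac */`, would also save the next reader from wondering why for_align is never referenced.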
@@ -22,6 +22,9 @@ force the MAC output to be 64-bit aligned so umac won't see unaligned accesses on strict-alignment architectures. bz#2101, patch from tomas.kuthan at oracle.com, ok djm@ + - dtucker@cvs.openbsd.org 2013/06/04 19:12:23 + [scp.c] + use MAXPATHLEN for buffer size instead of fixed value. ok markus 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/scp.c b/scp.c index b75d97bb..9b5959d4 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.174 2013/06/01 20:59:25 dtucker Exp $ */ +/* $OpenBSD: scp.c,v 1.175 2013/06/04 19:12:23 dtucker Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -850,7 +850,7 @@ rsource(char *name, struct stat *statp) { DIR *dirp; struct dirent *dp; - char *last, *vect[1], path[1100]; + char *last, *vect[1], path[MAXPATHLEN]; if (!(dirp = opendir(name))) { run_err("%s: %s", name, strerror(errno)); -- cgit v1.2.1 From fb1fa51a0e787d8631a373af097c1f159d9af788 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 22:19:09 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/04 20:42:36 [sftp.c] Make sftp's libedit interface marginally multibyte aware by building up the quoted string by character instead of by byte. Prevents failures when linked against a libedit built with wide character support (bz#1990). "looks ok" djm --- ChangeLog | 6 ++++++ sftp.c | 16 +++++++++++----- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0e9c2675..aab923a7 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -25,6 +25,12 @@ - dtucker@cvs.openbsd.org 2013/06/04 19:12:23 [scp.c] use MAXPATHLEN for buffer size instead of fixed value. ok markus + - dtucker@cvs.openbsd.org 2013/06/04 20:42:36 + [sftp.c] + Make sftp's libedit interface marginally multibyte aware by building up + the quoted string by character instead of by byte. Prevents failures + when linked against a libedit built with wide character support (bz#1990). + "looks ok" djm 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/sftp.c b/sftp.c index a723fa64..0c90fd1e 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.145 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.146 2013/06/04 20:42:36 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -38,6 +38,7 @@ #ifdef HAVE_LIBGEN_H #include #endif +#include #ifdef USE_LIBEDIT #include #else @@ -1701,8 +1702,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, char *file, int remote, int lastarg, char quote, int terminated) { glob_t g; - char *tmp, *tmp2, ins[3]; + char *tmp, *tmp2, ins[8]; u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; + int clen; const LineInfo *lf; /* Glob from "file" location */ @@ -1771,10 +1773,13 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, tmp2 = tmp + filelen - cesc; len = strlen(tmp2); /* quote argument on way out */ - for (i = 0; i < len; i++) { + for (i = 0; i < len; i += clen) { + if ((clen = mblen(tmp2 + i, len - i)) < 0 || + (size_t)clen > sizeof(ins) - 2) + fatal("invalid multibyte character"); ins[0] = '\\'; - ins[1] = tmp2[i]; - ins[2] = '\0'; + memcpy(ins + 1, tmp2 + i, clen); + ins[clen + 1] = '\0'; switch (tmp2[i]) { case '\'': case '"': 
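Review bot: In the new quoting loop of complete_match, a glob result whose bytes are not a valid character in the current LC_CTYPE locale now ends the whole sftp session through `fatal("invalid multibyte character")`, whereas before the name was simply quoted byte by byte; since the names come from a local or remote directory listing rather than from the user, degrading is preferable to exiting, e.g. `clen = 1; /* not a valid character here; quote the byte as-is */` in place of the fatal. mblen() also keeps conversion state for state-dependent encodings, so a `mblen(NULL, 0);` before the loop would start from a known initial state; whether any supported locale is affected is not visible here. Note that the switch below still inspects only `tmp2[i]`, the first byte of the character, which is fine for the ASCII quote characters it tests but deserves a one-line comment. complete_match begins and ends outside this hunk.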
@@ -2120,6 +2125,7 @@ main(int argc, char **argv) /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); + setlocale(LC_CTYPE, ""); __progname = ssh_get_progname(argv[0]); memset(&args, '\0', sizeof(args)); -- cgit v1.2.1 From 72b5f7d8f51efb1a68f4d54fa75cab08252f4bed Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 22:20:13 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/05 02:07:29 [mux.c] fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967, ok djm --- ChangeLog | 4 ++++ mux.c | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index aab923a7..70c094e1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,10 @@ the quoted string by character instead of by byte. Prevents failures when linked against a libedit built with wide character support (bz#1990). "looks ok" djm + - dtucker@cvs.openbsd.org 2013/06/05 02:07:29 + [mux.c] + fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967, + ok djm 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/mux.c b/mux.c index 31566be2..314ee8cd 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.42 2013/06/02 23:36:29 dtucker Exp $ */ +/* $OpenBSD: mux.c,v 1.43 2013/06/05 02:07:29 dtucker Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -288,6 +288,7 @@ process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r) if (name == NULL || value == NULL) { free(name); + free(value); goto malf; } debug2("Unrecognised slave extension \"%s\"", name); @@ -1427,7 +1428,9 @@ mux_client_read_packet(int fd, Buffer *m) buffer_init(&queue); if (mux_client_read(fd, &queue, 4) != 0) { if ((oerrno = errno) == EPIPE) - debug3("%s: read header failed: %s", __func__, strerror(errno)); + debug3("%s: read header failed: %s", __func__, + strerror(errno)); + buffer_free(&queue); errno = oerrno; return -1; } 
@@ -1435,6 +1438,7 @@ mux_client_read_packet(int fd, Buffer *m) if (mux_client_read(fd, &queue, need) != 0) { oerrno = errno; debug3("%s: read body failed: %s", __func__, strerror(errno)); + buffer_free(&queue); errno = oerrno; return -1; } -- cgit v1.2.1 From 9e79cbe4e73b63b54ea6c562dd7fbdb258fa377c Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 22:21:14 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/05 02:27:50 [sshd.c] When running sshd -D, close stderr unless we have explicitly requesting logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch so, err, ok dtucker. --- ChangeLog | 5 +++++ sshd.c | 6 ++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 70c094e1..27f0cfcf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,11 @@ [mux.c] fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967, ok djm + - dtucker@cvs.openbsd.org 2013/06/05 02:27:50 + [sshd.c] + When running sshd -D, close stderr unless we have explicitly requesting + logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch + so, err, ok dtucker. 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/sshd.c b/sshd.c index c0ba420a..1306a62a 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.402 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.403 2013/06/05 02:27:50 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1024,7 +1024,9 @@ server_accept_inetd(int *sock_in, int *sock_out) if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { dup2(fd, STDIN_FILENO); dup2(fd, STDOUT_FILENO); - if (fd > STDOUT_FILENO) + if (!log_stderr) + dup2(fd, STDERR_FILENO); + if (fd > (log_stderr ? STDERR_FILENO : STDOUT_FILENO)) close(fd); } debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out); -- cgit v1.2.1 From 2322500c389d375bddfd2e6e163ed0a21656b94f Mon Sep 17 00:00:00 2001 
From: dtucker Date: Wed, 5 Jun 2013 22:22:05 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/05 12:52:38 [sshconnect2.c] Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm --- ChangeLog | 3 +++ sshconnect2.c | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 27f0cfcf..43a6e7d1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ When running sshd -D, close stderr unless we have explicitly requesting logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch so, err, ok dtucker. + - dtucker@cvs.openbsd.org 2013/06/05 12:52:38 + [sshconnect2.c] + Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/sshconnect2.c b/sshconnect2.c index 19ed3459..70e3cd8c 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.197 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.198 2013/06/05 12:52:38 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1322,8 +1322,11 @@ load_identity_file(char *filename, int userprovided) return NULL; } private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); - if (!perm_ok) + if (!perm_ok) { + if (private != NULL) + key_free(private); return NULL; + } if (private == NULL) { if (options.batch_mode) return NULL; @@ -1915,6 +1918,7 @@ authmethod_get(char *authlist) free(name); return current; } + free(name); } } -- cgit v1.2.1 From 1d1f785d76f9b86151b9d28a1bb640f5dc88107a Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 22:22:46 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/05 22:00:28 [readconf.c] plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm --- ChangeLog | 3 +++ readconf.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) 
diff --git a/ChangeLog b/ChangeLog index 43a6e7d1..90ce8610 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ - dtucker@cvs.openbsd.org 2013/06/05 12:52:38 [sshconnect2.c] Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm + - dtucker@cvs.openbsd.org 2013/06/05 22:00:28 + [readconf.c] + plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/readconf.c b/readconf.c index 45cf910f..7c1c795f 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.202 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.203 2013/06/05 22:00:28 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -820,6 +820,8 @@ parse_int: else if (opcode == oRemoteForward) add_remote_forward(options, &fwd); } + free(fwd.connect_host); + free(fwd.listen_host); break; case oClearAllForwardings: -- cgit v1.2.1 From c34b3f90d594b5c38d29c847a38fa3c63dcbb248 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 5 Jun 2013 22:30:20 +0000 Subject: - (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for platforms that don't have multibyte character support (specifically, mblen). --- ChangeLog | 3 +++ configure.ac | 6 ++++-- openbsd-compat/openbsd-compat.h | 7 ++++++- sftp.c | 4 +++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 90ce8610..66e07fc6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,9 @@ - dtucker@cvs.openbsd.org 2013/06/05 22:00:28 [readconf.c] plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm + - (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for + platforms that don't have multibyte character support (specifically, + mblen). 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy 
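Review bot: The two new `free(fwd.connect_host); free(fwd.listen_host);` lines run immediately after `&fwd` has been handed to add_local_forward() or add_remote_forward(); unless those helpers copy the host strings into `options`, the stored forwards now point at freed memory, turning a leak into a use-after-free. Neither helper is visible in this diff, so please confirm they duplicate the strings (or make them do so), and add a comment such as `/* add_*_forward() copies the host names; fwd owns these */` above the frees to record the ownership rule. The enclosing switch case of process_config_line starts before the hunk, so any earlier exit path from it is not checked here.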
diff --git a/configure.ac b/configure.ac index 2cd910cf..bce5d7b1 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.533 2013/06/04 02:55:24 dtucker Exp $ +# $Id: configure.ac,v 1.534 2013/06/05 22:30:21 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.533 $) +AC_REVISION($Revision: 1.534 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -310,6 +310,7 @@ AC_CHECK_HEADERS([ \ ia.h \ iaf.h \ limits.h \ + locale.h \ login.h \ maillock.h \ ndir.h \ @@ -1563,6 +1564,7 @@ AC_CHECK_FUNCS([ \ inet_ntop \ innetgr \ login_getcapbool \ + mblen \ md5_crypt \ memmove \ mkdtemp \ diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 3dbf1f24..392fa38d 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.57 2013/05/16 10:47:32 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.58 2013/06/05 22:30:21 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -207,6 +207,11 @@ unsigned long long strtoull(const char *, char **, int); long long strtonum(const char *, long long, long long, const char **); #endif +/* multibyte character support */ +#ifndef HAVE_MBLEN +# define mblen(x, y) 1 +#endif + #if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF) # include #endif diff --git a/sftp.c b/sftp.c index 0c90fd1e..f50a4bb6 100644 --- a/sftp.c +++ b/sftp.c @@ -38,7 +38,9 @@ #ifdef HAVE_LIBGEN_H #include #endif -#include +#ifdef HAVE_LOCALE_H +# include +#endif #ifdef USE_LIBEDIT #include #else -- cgit v1.2.1 From 49c2f5c4cb3a0bb43ffdc0fa2806418f83dd8a38 Mon Sep 17 00:00:00 2001 
From: djm Date: Mon, 10 Jun 2013 03:07:11 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/07 15:37:52 [channels.c channels.h clientloop.c] Add an "ABANDONED" channel state and use for mux sessions that are disconnected via the ~. escape sequence. Channels in this state will be able to close if the server responds, but do not count as active channels. This means that if you ~. all of the mux clients when using ControlPersist on a broken network, the backgrounded mux master will exit when the Control Persist time expires rather than hanging around indefinitely. bz#1917, also reported and tested by tedu@. ok djm@ markus@. --- ChangeLog | 12 ++++++++++++ channels.c | 8 ++++++-- channels.h | 5 +++-- clientloop.c | 5 ++++- 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 66e07fc6..a9a8cbce 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +20130610 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/07 15:37:52 + [channels.c channels.h clientloop.c] + Add an "ABANDONED" channel state and use for mux sessions that are + disconnected via the ~. escape sequence. Channels in this state will + be able to close if the server responds, but do not count as active channels. + This means that if you ~. all of the mux clients when using ControlPersist + on a broken network, the backgrounded mux master will exit when the + Control Persist time expires rather than hanging around indefinitely. + bz#1917, also reported and tested by tedu@. ok djm@ markus@. + 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of the necessary functions, not from the openssl version. diff --git a/channels.c b/channels.c index d50a4a29..b48e6aeb 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.322 2013/06/01 13:15:51 dtucker Exp $ */ +/* $OpenBSD: channels.c,v 1.323 2013/06/07 15:37:52 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -213,6 +213,7 @@ channel_lookup(int id)
 case SSH_CHANNEL_OPEN:
 case SSH_CHANNEL_INPUT_DRAINING:
 case SSH_CHANNEL_OUTPUT_DRAINING:
+ case SSH_CHANNEL_ABANDONED:
 return (c);
 }
 logit("Non-public channel %d, type %d.", id, c->type);
@@ -530,6 +531,7 @@ channel_still_open(void)
 case SSH_CHANNEL_DYNAMIC:
 case SSH_CHANNEL_CONNECTING:
 case SSH_CHANNEL_ZOMBIE:
+ case SSH_CHANNEL_ABANDONED:
 continue;
 case SSH_CHANNEL_LARVAL:
 if (!compat20)
@@ -575,6 +577,7 @@ channel_find_open(void)
 case SSH_CHANNEL_OPENING:
 case SSH_CHANNEL_CONNECTING:
 case SSH_CHANNEL_ZOMBIE:
+ case SSH_CHANNEL_ABANDONED:
 continue;
 case SSH_CHANNEL_LARVAL:
 case SSH_CHANNEL_AUTH_SOCKET:
@@ -622,6 +625,7 @@ channel_open_message(void)
 case SSH_CHANNEL_CLOSED:
 case SSH_CHANNEL_AUTH_SOCKET:
 case SSH_CHANNEL_ZOMBIE:
+ case SSH_CHANNEL_ABANDONED:
 case SSH_CHANNEL_MUX_CLIENT:
 case SSH_CHANNEL_MUX_LISTENER:
 continue;
@@ -2491,7 +2495,7 @@ channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
 if (c == NULL)
 packet_disconnect("Received close confirmation for "
 "out-of-range channel %d.", id);
- if (c->type != SSH_CHANNEL_CLOSED)
+ if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED)
 packet_disconnect("Received close confirmation for "
 "non-closed channel %d (type %d).", id, c->type);
 channel_free(c);
diff --git a/channels.h b/channels.h
index a11b6227..ffd58072 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.112 2013/06/02 21:01:51 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.113 2013/06/07 15:37:52 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen
@@ -55,7 +55,8 @@
 #define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */
 #define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */
 #define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */
-#define SSH_CHANNEL_MAX_TYPE 17
+#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */
+#define SSH_CHANNEL_MAX_TYPE 18
 #define CHANNEL_CANCEL_PORT_STATIC -1
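Review bot: The new case in channel_lookup() hands an SSH_CHANNEL_ABANDONED channel back for every peer-originated channel message, not only the close confirmation the commit is after, so server data and window adjustments keep landing on a channel whose user side has already been detached; that should be bounded by the channel's local window (not visible here), but a comment at the new case, `/* ABANDONED: still reachable by the peer until it sends close */`, would make the intent explicit. In the channels.h hunk the new state takes the old SSH_CHANNEL_MAX_TYPE value 17 and MAX_TYPE moves to 18, so every table indexed by channel type (handler and name tables) gains a slot for index 17; those tables are outside this chunk, so it is worth confirming each has an entry for the new state rather than relying on sizing alone. Each switch shown belongs to a function whose body extends outside its hunk.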
diff --git a/clientloop.c b/clientloop.c index 6a296358..7c1f8abb 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.252 2013/06/02 23:36:29 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.253 2013/06/07 15:37:52 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1111,6 +1111,9 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, chan_write_failed(c); if (c->detach_user) c->detach_user(c->self, NULL); + c->type = SSH_CHANNEL_ABANDONED; + buffer_clear(&c->input); + chan_ibuf_empty(c); return 0; } else quit_pending = 1; -- cgit v1.2.1 From c85450f2a0d0163837fed823c18f133b0fe85f32 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 11 Jun 2013 01:26:10 +0000 Subject: - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. --- ChangeLog | 2 ++ Makefile.in | 9 ++++++--- configure.ac | 24 ++++++++++++++++++++---- fixalgorithms | 26 ++++++++++++++++++++++++++ 4 files changed, 54 insertions(+), 7 deletions(-) create mode 100755 fixalgorithms diff --git a/ChangeLog b/ChangeLog index a9a8cbce..a7ab9a69 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,8 @@ on a broken network, the backgrounded mux master will exit when the Control Persist time expires rather than hanging around indefinitely. bz#1917, also reported and tested by tedu@. ok djm@ markus@. + - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported + algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of diff --git a/Makefile.in b/Makefile.in index d6f6a792..92c95a92 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.339 2013/06/05 19:12:35 dtucker Exp $ +# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
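Review bot: The three lines added to process_escapes() retag the channel and discard its pending input without saying why a detached mux session is kept rather than freed; a comment such as `/* Keep the channel so a late close from the server can still free it, but stop counting it as active (SSH_CHANNEL_ABANDONED). */` would tie this to the channels.c changes in the same commit. Whether chan_ibuf_empty() still signals EOF to the peer once c->type is no longer one of the open states cannot be verified from this hunk; if the state machine consults the type, changing it before the call deserves a check. process_escapes() continues outside the hunk.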
@@ -121,6 +121,8 @@ PATHSUBS = \ -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g' FIXPATHSCMD = $(SED) $(PATHSUBS) +FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ + @UNSUPPORTED_ALGORITHMS@ all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) @@ -184,9 +186,10 @@ $(MANPAGES): $(MANPAGES_IN) manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \ fi; \ if test "$(MANTYPE)" = "man"; then \ - $(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \ + $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \ + $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \ else \ - $(FIXPATHSCMD) $${manpage} > $@; \ + $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \ fi $(CONFIGFILES): $(CONFIGFILES_IN) diff --git a/configure.ac b/configure.ac index bce5d7b1..e6ec2768 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.534 2013/06/05 22:30:21 dtucker Exp $ +# $Id: configure.ac,v 1.535 2013/06/11 01:26:10 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.534 $) +AC_REVISION($Revision: 1.535 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2394,6 +2394,8 @@ AC_LINK_IFELSE( ], [ AC_MSG_RESULT([no]) + unsupported_algorithms="$unsupported_cipers \ + aes128-gcm@openssh.com aes256-gcm@openssh.com" ] ) @@ -2434,8 +2436,15 @@ fi AC_CHECK_FUNCS([crypt DES_crypt]) # Search for SHA256 support in libc and/or OpenSSL -AC_CHECK_FUNCS([SHA256_Update EVP_sha256], [TEST_SSH_SHA256=yes], - [TEST_SSH_SHA256=no]) +AC_CHECK_FUNCS([SHA256_Update EVP_sha256], + [TEST_SSH_SHA256=yes], + [TEST_SSH_SHA256=no + unsupported_algorithms="$unsupported_algorithms \ + hmac-sha2-256 hmac-sha2-512 \ + diffie-hellman-group-exchange-sha256 \ + hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" + ] +) AC_SUBST([TEST_SSH_SHA256]) # Check complete ECC support in OpenSSL 
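Review bot: The first assignment in the configure.ac hunk at `@@ -2394` reads `$unsupported_cipers`, a variable nothing else sets, while the later appends in this and the next hunk use `$unsupported_algorithms`; it is harmless today only because this is the first append and the undefined name expands to empty, but any list accumulated earlier would be silently discarded. Change it to `unsupported_algorithms="$unsupported_algorithms \`. The Makefile.in hunk passes the resulting @UNSUPPORTED_ALGORITHMS@ to the script unquoted, which is fine as long as the names contain no shell metacharacters, as is the case for those listed here.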
@@ -2466,6 +2475,12 @@ AC_LINK_IFELSE( AC_MSG_RESULT([no]) TEST_SSH_ECC=no COMMENT_OUT_ECC="#no ecc#" + unsupported_algorithms="$unsupported_algorithms \ + ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \ + ecdsa-sha2-nistp256-cert-v01@openssh.com \ + ecdsa-sha2-nistp384-cert-v01@openssh.com \ + ecdsa-sha2-nistp521-cert-v01@openssh.com \ + ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521" ] ) AC_SUBST([TEST_SSH_ECC]) @@ -4541,6 +4556,7 @@ else fi AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) +AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) AC_EXEEXT AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ diff --git a/fixalgorithms b/fixalgorithms new file mode 100755 index 00000000..115dce81 --- /dev/null +++ b/fixalgorithms @@ -0,0 +1,26 @@ +#!/bin/sh +# +# fixciphers - remove unsupported ciphers from man pages. +# Usage: fixpaths /path/to/sed cipher1 [cipher2] outfile +# +# Author: Darren Tucker (dtucker at zip com.au). Placed in the public domain. + +die() { + echo $* + exit -1 +} + +SED=$1 +shift + +for c in $*; do + subs="$subs -e /.Dq.$c.*$/d" + subs="$subs -e s/$c,//g" +done + +# now remove any entirely empty lines +subs="$subs -e /^$/d" + +${SED} $subs + +exit 0 -- cgit v1.2.1 From 6257aefee044717ffe0a4252a0c0f51e61f93b57 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 11 Jun 2013 01:47:24 +0000 Subject: - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have the required OpenSSL support. Patch from naddy at freebsd. --- ChangeLog | 2 ++ myproposal.h | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a7ab9a69..6805e8a1 100644 --- a/ChangeLog +++ b/ChangeLog 
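Review bot: In the new fixalgorithms script `s/$c,//g` strips a name only when a comma follows it, so an unsupported algorithm that is last in a comma-separated list stays in the page; a second expression for the trailing case, e.g. `subs="$subs -e s/,$c\$//g"`, is needed if the lists in the man pages end without a comma. `exit -1` in die() is not a valid exit status in POSIX sh (some shells reject it, others turn it into 255) and die() is never called, so drop it or use `exit 1`. The header comment names the script `fixciphers` and the usage line `fixpaths`, neither of which matches the file, and the final `-e /^$/d` deletes every empty line in the page rather than only lines emptied by the substitutions, which deserves a comment stating that this is intended.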
@@ -11,6 +11,8 @@ bz#1917, also reported and tested by tedu@. ok djm@ markus@. - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. + - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have + the required OpenSSL support. Patch from naddy at freebsd. 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of diff --git a/myproposal.h b/myproposal.h index f13c7485..276108bf 100644 --- a/myproposal.h +++ b/myproposal.h @@ -45,6 +45,13 @@ # define HOSTKEY_ECDSA_METHODS #endif +#ifdef OPENSSL_HAVE_EVPGCM +# define AESGCM_CIPHER_MODES \ + "aes128-gcm@openssh.com,aes256-gcm@openssh.com," +#else +# define AESGCM_CIPHER_MODES +#endif + /* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ #ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ @@ -73,7 +80,7 @@ #define KEX_DEFAULT_ENCRYPT \ "aes128-ctr,aes192-ctr,aes256-ctr," \ "arcfour256,arcfour128," \ - "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \ + AESGCM_CIPHER_MODES \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" #ifdef HAVE_EVP_SHA256 -- cgit v1.2.1 From 20c710a710190e6aa9deafd71b506889f77179fb Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 11 Jun 2013 02:10:02 +0000 Subject: - (dtucker) [myproposal.h] Make the conditional algorithm support consistent and add some comments so it's clear what goes where. --- ChangeLog | 2 ++ myproposal.h | 17 +++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6805e8a1..526a0510 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -13,6 +13,8 @@ algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have the required OpenSSL support. Patch from naddy at freebsd. + - (dtucker) [myproposal.h] Make the conditional algorithm support consistent + and add some comments so it's clear what goes where. 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of diff --git a/myproposal.h b/myproposal.h index 276108bf..4e913e3c 100644 --- a/myproposal.h +++ b/myproposal.h @@ -26,6 +26,8 @@ #include +/* conditional algorithm support */ + #ifdef OPENSSL_HAS_ECC # define KEX_ECDH_METHODS \ "ecdh-sha2-nistp256," \ @@ -52,12 +54,15 @@ # define AESGCM_CIPHER_MODES #endif -/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ #ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha256," +#define SHA2_HMAC_MODES \ + "hmac-sha2-256," \ + "hmac-sha2-512," #else # define KEX_SHA256_METHODS +# define SHA2_HMAC_MODES #endif # define KEX_DEFAULT_KEX \ @@ -77,19 +82,15 @@ "ssh-rsa," \ "ssh-dss" +/* the actual algorithms */ + #define KEX_DEFAULT_ENCRYPT \ "aes128-ctr,aes192-ctr,aes256-ctr," \ "arcfour256,arcfour128," \ AESGCM_CIPHER_MODES \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" -#ifdef HAVE_EVP_SHA256 -#define SHA2_HMAC_MODES \ - "hmac-sha2-256," \ - "hmac-sha2-512," -#else -# define SHA2_HMAC_MODES -#endif + #define KEX_DEFAULT_MAC \ "hmac-md5-etm@openssh.com," \ "hmac-sha1-etm@openssh.com," \ -- cgit v1.2.1 From f61dbfe8158c97389375df448b1255f4506f783a Mon Sep 17 00:00:00 2001 
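Review bot: The relocated SHA2_HMAC_MODES definition keeps the `#define` spelling from its old location while every neighbouring conditional macro in this block, including the `#else` branch of the same `#ifdef HAVE_EVP_SHA256`, uses `# define`; since the commit's stated purpose is consistency, change it to `# define SHA2_HMAC_MODES \`. The hunk also removes the `/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */` comment without replacing it; a one-liner above the block, `/* both the sha256 kex and the sha2 MACs need EVP_sha256 */`, would keep that rationale next to the condition.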
From: dtucker Date: Tue, 2 Jul 2013 10:06:46 +0000 Subject: - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config contrib/cygwin/ssh-user-config] Modernizes and improve readability of the Cygwin README file (which hasn't been updated for ages), drop unsupported OSes from the ssh-host-config help text, and drop an unneeded option from ssh-user-config. Patch from vinschen at redhat com. --- ChangeLog | 7 ++ contrib/cygwin/README | 212 +++++++---------------------------------- contrib/cygwin/ssh-host-config | 4 +- contrib/cygwin/ssh-user-config | 6 -- 4 files changed, 42 insertions(+), 187 deletions(-) diff --git a/ChangeLog b/ChangeLog index 526a0510..54b4677c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20130702 + - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config + contrib/cygwin/ssh-user-config] Modernizes and improve readability of + the Cygwin README file (which hasn't been updated for ages), drop + unsupported OSes from the ssh-host-config help text, and drop an + unneeded option from ssh-user-config. Patch from vinschen at redhat com. + 20130610 - (djm) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/06/07 15:37:52 diff --git a/contrib/cygwin/README b/contrib/cygwin/README index 5f911e92..2562b618 100644 --- a/contrib/cygwin/README +++ b/contrib/cygwin/README 
@@ -4,115 +4,18 @@ The binary package is usually built for recent Cygwin versions and might not run on older versions. Please check http://cygwin.com/ for information about current Cygwin releases. -Build instructions are at the end of the file. - -=========================================================================== -Important change since 3.7.1p2-2: - -The ssh-host-config file doesn't create the /etc/ssh_config and -/etc/sshd_config files from builtin here-scripts anymore, but it uses -skeleton files installed in /etc/defaults/etc. - -Also it now tries hard to create appropriate permissions on files. -Same applies for ssh-user-config. - -After creating the sshd service with ssh-host-config, it's advisable to -call ssh-user-config for all affected users, also already exising user -configurations. In the latter case, file and directory permissions are -checked and changed, if requireed to match the host configuration. - -Important note for Windows 2003 Server users: ---------------------------------------------- - -2003 Server has a funny new feature. When starting services under SYSTEM -account, these services have nearly all user rights which SYSTEM holds... -except for the "Create a token object" right, which is needed to allow -public key authentication :-( - -There's no way around this, except for creating a substitute account which -has the appropriate privileges. Basically, this account should be member -of the administrators group, plus it should have the following user rights: - - Create a token object - Logon as a service - Replace a process level token - Increase Quota - -The ssh-host-config script asks you, if it should create such an account, -called "sshd_server". If you say "no" here, you're on your own. Please -follow the instruction in ssh-host-config exactly if possible. Note that -ssh-user-config sets the permissions on 2003 Server machines dependent of -whether a sshd_server account exists or not. 
-=========================================================================== - -=========================================================================== -Important change since 3.4p1-2: - -This version adds privilege separation as default setting, see -/usr/doc/openssh/README.privsep. According to that document the -privsep feature requires a non-privileged account called 'sshd'. - -The new ssh-host-config file which is part of this version asks -to create 'sshd' as local user if you want to use privilege -separation. If you confirm, it creates that NT user and adds -the necessary entry to /etc/passwd. - -On 9x/Me systems the script just sets UsePrivilegeSeparation to "no" -since that feature doesn't make any sense on a system which doesn't -differ between privileged and unprivileged users. - -The new ssh-host-config script also adds the /var/empty directory -needed by privilege separation. When creating the /var/empty directory -by yourself, please note that in contrast to the README.privsep document -the owner sshould not be "root" but the user which is running sshd. So, -in the standard configuration this is SYSTEM. The ssh-host-config script -chowns /var/empty accordingly. -=========================================================================== - -=========================================================================== -Important change since 3.0.1p1-2: - -This version introduces the ability to register sshd as service on -Windows 9x/Me systems. This is done only when the options -D and/or --d are not given. -=========================================================================== - -=========================================================================== -Important change since 2.9p2: - -Since Cygwin is able to switch user context without password beginning -with version 1.3.2, OpenSSH now allows to do so when it's running under -a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to -allow that feature. 
-=========================================================================== - -=========================================================================== -Important change since 2.3.0p1: - -When using `ntea' or `ntsec' you now have to care for the ownership -and permission bits of your host key files and your private key files. -The host key files have to be owned by the NT account which starts -sshd. The user key files have to be owned by the user. The permission -bits of the private key files (host and user) have to be at least -rw------- (0600)! - -Note that this is forced under `ntsec' only if the files are on a NTFS -filesystem (which is recommended) due to the lack of any basic security -features of the FAT/FAT32 filesystems. -=========================================================================== +================== +Host configuration +================== If you are installing OpenSSH the first time, you can generate global config -files and server keys by running +files and server keys, as well as installing sshd as a service, by running /usr/bin/ssh-host-config Note that this binary archive doesn't contain default config files in /etc. That files are only created if ssh-host-config is started. -If you are updating your installation you may run the above ssh-host-config -as well to move your configuration files to the new location and to -erase the files at the old location. - To support testing and unattended installation ssh-host-config got some options: 
@@ -123,16 +26,25 @@ Options: --no -n Answer all questions with "no" automatically. --cygwin -c Use "options" as value for CYGWIN environment var. --port -p sshd listens on port n. - --pwd -w Use "pwd" as password for user 'sshd_server'. + --user -u privileged user for service, default 'cyg_server'. + --pwd -w Use "pwd" as password for privileged user. + --privileged On Windows XP, require privileged user + instead of LocalSystem for sshd service. -Additionally ssh-host-config now asks if it should install sshd as a -service when running under NT/W2K. This requires cygrunsrv installed. +Installing sshd as daemon via ssh-host-config is recommended. -You can create the private and public keys for a user now by running +Alternatively you can start sshd via inetd, if you have the inetutils +package installed. Just run ssh-host-config, but answer "no" when asked +to install sshd as service. The ssh-host-config script also adds the +required lines to /etc/inetd.conf and /etc/services. - /usr/bin/ssh-user-config +================== +User configuration +================== + +Any user can simplify creating the own private and public keys by running -under the users account. + /usr/bin/ssh-user-config To support testing and unattended installation ssh-user-config got some options as well: 
@@ -144,88 +56,30 @@ Options: --no -n Answer all questions with "no" automatically. --passphrase -p word Use "word" as passphrase automatically. -Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd -(results in very slow deamon startup!) or from the command line (recommended -on 9X/ME). - -If you start sshd as deamon via cygrunsrv.exe you MUST give the -"-D" option to sshd. Otherwise the service can't get started at all. - -If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the -following line to your inetd.conf file: - -ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i - -Moreover you'll have to add the following line to your -${SYSTEMROOT}/system32/drivers/etc/services file: - - ssh 22/tcp #SSH daemon - Please note that OpenSSH does never use the value of $HOME to search for the users configuration files! It always uses the value of the pw_dir field in /etc/passwd as the home directory. If no home diretory is set in /etc/passwd, the root directory is used instead! -You may use all features of the CYGWIN=ntsec setting the same -way as they are used by Cygwin's login(1) port: - - The pw_gecos field may contain an additional field, that begins - with (upper case!) "U-", followed by the domain and the username - separated by a backslash. - CAUTION: The SID _must_ remain the _last_ field in pw_gecos! - BTW: The field separator in pw_gecos is the comma. - The username in pw_name itself may be any nice name: - - domuser::1104:513:John Doe,U-domain\user,S-1-5-21-... - - Now you may use `domuser' as your login name with telnet! - This is possible additionally for local users, if you don't like - your NT login name ;-) You only have to leave out the domain: - - locuser::1104:513:John Doe,U-user,S-1-5-21-... - -Note that the CYGWIN=ntsec setting is required for public key authentication. - -SSH2 server and user keys are generated by the `ssh-*-config' scripts -as well. 
- -If you want to build from source, the following options to -configure are used for the Cygwin binary distribution: - - --prefix=/usr \ - --sysconfdir=/etc \ - --libexecdir='${sbindir}' \ - --localstatedir=/var \ - --datadir='${prefix}/share' \ - --mandir='${datadir}/man' \ - --infodir='${datadir}/info' - --with-tcp-wrappers - --with-libedit - -If you want to create a Cygwin package, equivalent to the one -in the Cygwin binary distribution, install like this: - - mkdir /tmp/cygwin-ssh - cd ${builddir} - make install DESTDIR=/tmp/cygwin-ssh - cd ${srcdir}/contrib/cygwin - make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh - cd /tmp/cygwin-ssh - find * \! -type d | tar cvjfT my-openssh.tar.bz2 - - -You must have installed the following packages to be able to build OpenSSH: - -- zlib -- openssl-devel +================ +Building OpenSSH +================ -If you want to build with --with-tcp-wrappers, you also need the package +Building from source is easy. Just unpack the source archive, cd to that +directory, and call cygport: -- tcp_wrappers + cygport openssh.cygport almostall -If you want to build with --with-libedit, you also need the package +You must have installed the following packages to be able to build OpenSSH +with the aforementioned cygport script: -- libedit-devel + zlib + crypt + openssl-devel + libwrap-devel + libedit-devel + libkrb5-devel Please send requests, error reports etc. to cygwin@cygwin.com. diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 3c9046f5..c542d5cb 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config 
@@ -606,9 +606,9 @@ do echo " --no -n Answer all questions with \"no\" automatically." echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." echo " --port -p sshd listens on port n." - echo " --user -u privileged user for service." + echo " --user -u privileged user for service, default 'cyg_server'." echo " --pwd -w Use \"pwd\" as password for privileged user." - echo " --privileged On Windows NT/2k/XP, require privileged user" + echo " --privileged On Windows XP, require privileged user" echo " instead of LocalSystem for sshd service." echo exit 1 diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config index 027ae603..8708b7a5 100644 --- a/contrib/cygwin/ssh-user-config +++ b/contrib/cygwin/ssh-user-config @@ -222,10 +222,6 @@ do shift ;; - --privileged ) - csih_FORCE_PRIVILEGED_USER=yes - ;; - *) echo "usage: ${PROGNAME} [OPTION]..." echo @@ -236,8 +232,6 @@ do echo " --yes -y Answer all questions with \"yes\" automatically." echo " --no -n Answer all questions with \"no\" automatically." echo " --passphrase -p word Use \"word\" as passphrase automatically." - echo " --privileged On Windows NT/2k/XP, assume privileged user" - echo " instead of LocalSystem for sshd service." echo exit 1 ;; -- cgit v1.2.1 From 92da36a54bc72ec08dedcf28793e2dd48f4f76ee Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:09:04 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 [readconf.c] revert 1.203 while we investigate crashes reported by okan@ --- ChangeLog | 6 ++++++ readconf.c | 4 +--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 54b4677c..a843af0b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,9 @@ +20130718 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 + [readconf.c] + revert 1.203 while we investigate crashes reported by okan@ + 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config contrib/cygwin/ssh-user-config] Modernizes and improve readability of diff --git a/readconf.c b/readconf.c index 7c1c795f..1464430a 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.203 2013/06/05 22:00:28 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -820,8 +820,6 @@ parse_int: else if (opcode == oRemoteForward) add_remote_forward(options, &fwd); } - free(fwd.connect_host); - free(fwd.listen_host); break; case oClearAllForwardings: -- cgit v1.2.1 From 8854e12c6c566b935bef1be5297c9fe3928617d2 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:09:25 +0000 Subject: - guenther@cvs.openbsd.org 2013/06/17 04:48:42 [scp.c] Handle time_t values as long long's when formatting them and when parsing them from remote servers. Improve error checking in parsing of 'T' lines. ok dtucker@ deraadt@ --- ChangeLog | 6 ++++++ scp.c | 63 ++++++++++++++++++++++++++++++++++++++------------------------- 2 files changed, 44 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index a843af0b..111a2f36 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,12 @@ - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 [readconf.c] revert 1.203 while we investigate crashes reported by okan@ + - guenther@cvs.openbsd.org 2013/06/17 04:48:42 + [scp.c] + Handle time_t values as long long's when formatting them and when + parsing them from remote servers. + Improve error checking in parsing of 'T' lines. + ok dtucker@ deraadt@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/scp.c b/scp.c index 9b5959d4..ca7948f6 100644 --- a/scp.c +++ b/scp.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.175 2013/06/04 19:12:23 dtucker Exp $ */
+/* $OpenBSD: scp.c,v 1.176 2013/06/17 04:48:42 guenther Exp $ */
 /*
 * scp - secure remote copy. This is basically patched BSD rcp which
 * uses ssh to do the data transfer (instead of using rcmd).
@@ -550,6 +550,24 @@ scpio(void *_cnt, size_t s)
 return 0;
 }
+static int
+do_times(int fd, int verb, const struct stat *sb)
+{
+ /* strlen(2^64) == 20; strlen(10^6) == 7 */
+ char buf[(20 + 7 + 2) * 2 + 2];
+
+ (void)snprintf(buf, sizeof(buf), "T%llu 0 %llu 0\n",
+ (unsigned long long) (sb->st_mtime < 0 ? 0 : sb->st_mtime),
+ (unsigned long long) (sb->st_atime < 0 ? 0 : sb->st_atime));
+ if (verb) {
+ fprintf(stderr, "File mtime %lld atime %lld\n",
+ (long long)sb->st_mtime, (long long)sb->st_atime);
+ fprintf(stderr, "Sending file timestamps: %s", buf);
+ }
+ (void) atomicio(vwrite, fd, buf, strlen(buf));
+ return (response());
+}
+
 void
 toremote(char *targ, int argc, char **argv)
 {
@@ -774,21 +792,7 @@ syserr: run_err("%s: %s", name, strerror(errno));
 ++last;
 curfile = last;
 if (pflag) {
- /*
- * Make it compatible with possible future
- * versions expecting microseconds.
- */
- (void) snprintf(buf, sizeof buf, "T%lu 0 %lu 0\n",
- (u_long) (stb.st_mtime < 0 ? 0 : stb.st_mtime),
- (u_long) (stb.st_atime < 0 ? 0 : stb.st_atime));
- if (verbose_mode) {
- fprintf(stderr, "File mtime %ld atime %ld\n",
- (long)stb.st_mtime, (long)stb.st_atime);
- fprintf(stderr, "Sending file timestamps: %s",
- buf);
- }
- (void) atomicio(vwrite, remout, buf, strlen(buf));
- if (response() < 0)
+ if (do_times(remout, verbose_mode, &stb) < 0)
 goto next;
 }
 #define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
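Review bot: do_times() is new and carries no header comment; it writes the scp protocol 'T' line for sb to fd, clamps a negative st_mtime/st_atime to 0 on the wire while the verbose trace prints the unclamped values (so the two can disagree), always sends 0 in the microsecond fields even though the buffer comment reserves room for them, and returns the peer's response(). A comment along the lines of `/* Send a 'T' (timestamps) line for sb on fd; negative times go out as 0. Returns response(). */` is enough. The 60-byte buffer comfortably holds the 48-byte worst case, so discarding the snprintf result is safe, and the removed "compatible with possible future versions expecting microseconds" remark is the one piece of context the new function loses.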
@@ -862,11 +866,7 @@ rsource(char *name, struct stat *statp)
 else
 last++;
 if (pflag) {
- (void) snprintf(path, sizeof(path), "T%lu 0 %lu 0\n",
- (u_long) statp->st_mtime,
- (u_long) statp->st_atime);
- (void) atomicio(vwrite, remout, path, strlen(path));
- if (response() < 0) {
+ if (do_times(remout, verbose_mode, statp) < 0) {
 closedir(dirp);
 return;
 }
@@ -912,6 +912,7 @@ sink(int argc, char **argv)
 int amt, exists, first, ofd;
 mode_t mode, omode, mask;
 off_t size, statbytes;
+ unsigned long long ull;
 int setimes, targisdir, wrerrno = 0;
 char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
 struct timeval tv[2];
@@ -970,17 +971,29 @@ sink(int argc, char **argv)
 if (*cp == 'T') {
 setimes++;
 cp++;
- mtime.tv_sec = strtol(cp, &cp, 10);
+ if (!isdigit((unsigned char)*cp))
+ SCREWUP("mtime.sec not present");
+ ull = strtoull(cp, &cp, 10);
 if (!cp || *cp++ != ' ')
 SCREWUP("mtime.sec not delimited");
+ if ((time_t)ull < 0 || (time_t)ull != ull)
+ setimes = 0; /* out of range */
+ mtime.tv_sec = ull;
 mtime.tv_usec = strtol(cp, &cp, 10);
- if (!cp || *cp++ != ' ')
+ if (!cp || *cp++ != ' ' || mtime.tv_usec < 0 ||
+ mtime.tv_usec > 999999)
 SCREWUP("mtime.usec not delimited");
- atime.tv_sec = strtol(cp, &cp, 10);
+ if (!isdigit((unsigned char)*cp))
+ SCREWUP("atime.sec not present");
+ ull = strtoull(cp, &cp, 10);
 if (!cp || *cp++ != ' ')
 SCREWUP("atime.sec not delimited");
+ if ((time_t)ull < 0 || (time_t)ull != ull)
+ setimes = 0; /* out of range */
+ atime.tv_sec = ull;
 atime.tv_usec = strtol(cp, &cp, 10);
- if (!cp || *cp++ != '\0')
+ if (!cp || *cp++ != '\0' || atime.tv_usec < 0 ||
+ atime.tv_usec > 999999)
 SCREWUP("atime.usec not delimited");
 (void) atomicio(vwrite, remout, "", 1);
 continue;
-- cgit v1.2.1
From c9228cb73cf74cc7bb15758ba4316909609bb61a Mon Sep 17 00:00:00 2001
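Review bot: The new isdigit() guard covers only the two seconds fields; the microsecond fields at `mtime.tv_usec = strtol(cp, &cp, 10);` and `atime.tv_usec = strtol(cp, &cp, 10);` still take whatever strtol accepts (leading blanks, an explicit sign), and only the added 0..999999 range test rejects negatives. Adding `if (!isdigit((unsigned char)*cp)) SCREWUP("mtime.usec not present");` (and the atime counterpart) before each strtol would make all four fields parse the same way, and it is worth noting in a comment that the seconds range check deliberately downgrades to `setimes = 0` rather than aborting the transfer. The `!cp` tests are dead since strtoull/strtol never set the end pointer to NULL, but they predate this change. sink()'s body continues outside the hunk.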
From: djm Date: Thu, 18 Jul 2013 06:09:44 +0000 Subject: - markus@cvs.openbsd.org 2013/06/20 19:15:06 [krl.c] don't leak the rdata blob on errors; ok djm@ --- ChangeLog | 3 +++ krl.c | 19 +++++++++++-------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 111a2f36..e0781041 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ parsing them from remote servers. Improve error checking in parsing of 'T' lines. ok dtucker@ deraadt@ + - markus@cvs.openbsd.org 2013/06/20 19:15:06 + [krl.c] + don't leak the rdata blob on errors; ok djm@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/krl.c b/krl.c index 7ac6261c..bd6d3780 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.11 2013/04/05 00:14:00 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.12 2013/06/20 19:15:06 markus Exp $ */ #include "includes.h" @@ -887,9 +887,10 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, char timestamp[64]; int ret = -1, r, sig_seen; Key *key = NULL, **ca_used = NULL; - u_char type, *blob; - u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0; + u_char type, *blob, *rdata = NULL; + u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used; + nca_used = 0; *krlp = NULL; if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 || memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { 
@@ -1015,21 +1016,22 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
 case KRL_SECTION_EXPLICIT_KEY:
 case KRL_SECTION_FINGERPRINT_SHA1:
 while (buffer_len(§) > 0) {
- if ((blob = buffer_get_string_ret(§,
- &blen)) == NULL) {
+ if ((rdata = buffer_get_string_ret(§,
+ &rlen)) == NULL) {
 error("%s: buffer error", __func__);
 goto out;
 }
 if (type == KRL_SECTION_FINGERPRINT_SHA1 &&
- blen != 20) {
+ rlen != 20) {
 error("%s: bad SHA1 length", __func__);
 goto out;
 }
 if (revoke_blob(
 type == KRL_SECTION_EXPLICIT_KEY ?
 &krl->revoked_keys : &krl->revoked_sha1s,
- blob, blen) != 0)
- goto out; /* revoke_blob frees blob */
+ rdata, rlen) != 0)
+ goto out;
+ rdata = NULL; /* revoke_blob frees blob */
 }
 break;
 case KRL_SECTION_SIGNATURE:
@@ -1095,6 +1097,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
 key_free(ca_used[i]);
 }
 free(ca_used);
+ free(rdata);
 if (key != NULL)
 key_free(key);
 buffer_free(©);
-- cgit v1.2.1
From 73c71f6dc34b26b32ca1ac944c180c38ff88b572 Mon Sep 17 00:00:00 2001
From: djm
Date: Thu, 18 Jul 2013 06:10:09 +0000
Subject: - djm@cvs.openbsd.org 2013/06/21 00:34:49 [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
---
ChangeLog | 4 ++++
auth-rsa.c | 4 ++--
auth.h | 5 +++--
auth2-hostbased.c | 6 +++++-
auth2-pubkey.c | 28 +++++++++++++++++++++-------
monitor.c | 7 +++++--
6 files changed, 40 insertions(+), 14 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e0781041..f8e2c685 100644
--- a/ChangeLog
+++ b/ChangeLog
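Review bot: The ownership comment `/* revoke_blob frees blob */` now sits on the `rdata = NULL;` line that runs only after a successful call, while the `goto out;` on the failure branch just above reaches the new `free(rdata);` at the cleanup label with rdata still set; that is correct only if revoke_blob() leaves the caller owning the buffer when it returns non-zero, which this chunk cannot confirm, and a double free otherwise. Reword the comment to state the contract and check revoke_blob() against it, e.g. `rdata = NULL; /* revoke_blob now owns rdata; on failure it is still ours to free */`. The comment also still names `blob` although the variable is now rdata. ssh_krl_from_blob() extends beyond both hunks.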
@@ -12,6 +12,10 @@ - markus@cvs.openbsd.org 2013/06/20 19:15:06 [krl.c] don't leak the rdata blob on errors; ok djm@ + - djm@cvs.openbsd.org 2013/06/21 00:34:49 + [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] + for hostbased authentication, print the client host and user on + the auth success/failure line; bz#2064, ok dtucker@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/auth-rsa.c b/auth-rsa.c index 92f0ad75..b7a03fdc 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.83 2013/05/19 02:42:42 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.84 2013/06/21 00:34:49 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -332,7 +332,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n) * options; this will be reset if the options cause the * authentication to be rejected. */ - pubkey_auth_info(authctxt, key); + pubkey_auth_info(authctxt, key, NULL); packet_send_debug("RSA authentication accepted."); return (1); diff --git a/auth.h b/auth.h index a406e139..caf44adc 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.74 2013/05/19 02:42:42 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.75 2013/06/21 00:34:49 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -122,7 +122,8 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); -void pubkey_auth_info(Authctxt *, const Key *); +void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) + __attribute__((__format__ (printf, 3, 4))); struct stat; int auth_secure_path(const char *, struct stat *, const char *, uid_t, diff --git a/auth2-hostbased.c b/auth2-hostbased.c index e6d05e26..a344dcc1 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.16 2013/06/21 00:34:49 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -116,6 +116,10 @@ userauth_hostbased(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); #endif + + pubkey_auth_info(authctxt, key, + "client user \"%.100s\", client host \"%.100s\"", cuser, chost); + /* test for allowed key and correct signature */ authenticated = 0; if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 45306f83..2b3ecb10 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.37 2013/05/19 02:38:28 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -147,7 +147,7 @@ userauth_pubkey(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); #endif - pubkey_auth_info(authctxt, key); + pubkey_auth_info(authctxt, key, NULL); /* test for correct signature */ authenticated = 0; 
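Review bot: `cuser` and `chost` on the new pubkey_auth_info() call come from the client's userauth request, so the `%.100s` precision bounds their length but not their content, and whatever later writes authctxt->info to syslog or stderr is relied on to escape control characters (I believe do_log() does this with strnvis, but that is outside this hunk and worth confirming). A one-line comment above the call would record that, e.g. `/* cuser/chost are client-supplied: length-bounded here, escaped by the logging layer */`. The text is attached before the key and signature are checked, which is what puts it on both the success and the failure line as the commit intends. userauth_hostbased() starts and ends outside this hunk.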
@@ -190,23 +190,37 @@ done: } void -pubkey_auth_info(Authctxt *authctxt, const Key *key) +pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) { - char *fp; + char *fp, *extra; + va_list ap; + int i; + + extra = NULL; + if (fmt != NULL) { + va_start(ap, fmt); + i = vasprintf(&extra, fmt, ap); + va_end(ap); + if (i < 0 || extra == NULL) + fatal("%s: vasprintf failed", __func__); + } if (key_is_cert(key)) { fp = key_fingerprint(key->cert->signature_key, SSH_FP_MD5, SSH_FP_HEX); - auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s", + auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", key_type(key), key->cert->key_id, (unsigned long long)key->cert->serial, - key_type(key->cert->signature_key), fp); + key_type(key->cert->signature_key), fp, + extra == NULL ? "" : ", ", extra == NULL ? "" : extra); free(fp); } else { fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - auth_info(authctxt, "%s %s", key_type(key), fp); + auth_info(authctxt, "%s %s%s%s", key_type(key), fp, + extra == NULL ? "" : ", ", extra == NULL ? "" : extra); free(fp); } + free(extra); } static int diff --git a/monitor.c b/monitor.c index 7286126f..0516f60a 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.125 2013/05/19 02:42:42 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.126 2013/06/21 00:34:49 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1165,7 +1165,7 @@ mm_answer_keyallowed(int sock, Buffer *m) case MM_USERKEY: allowed = options.pubkey_authentication && user_key_allowed(authctxt->pw, key); - pubkey_auth_info(authctxt, key); + pubkey_auth_info(authctxt, key, NULL); auth_method = "publickey"; if (options.pubkey_authentication && allowed != 1) auth_clear_options(); 
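Review bot: pubkey_auth_info() has grown an optional printf-style tail but no comment describing it; that `fmt` may be NULL, that the extra text is appended after a `", "` separator, and that a vasprintf() failure is fatal are all left implicit in the code. I would add a header comment stating that `fmt` and its arguments, when non-NULL, are formatted and appended to the key description recorded through auth_info(), that the function aborts via fatal() if that allocation fails, and that callers should bound client-supplied strings with a precision as the hostbased callers do with `%.100s`. The printf format attribute added to auth.h in the same commit is what turns a format/argument mismatch into a compile-time warning, which is worth mentioning there so nobody drops it later.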
@@ -1174,6 +1174,9 @@ mm_answer_keyallowed(int sock, Buffer *m) allowed = options.hostbased_authentication && hostbased_key_allowed(authctxt->pw, cuser, chost, key); + pubkey_auth_info(authctxt, key, + "client user \"%.100s\", client host \"%.100s\"", + cuser, chost); auth_method = "hostbased"; break; case MM_RSAHOSTKEY: -- cgit v1.2.1 From 522059c395152262692cb535e99f565b9f2cc29c Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:10:29 +0000 Subject: - djm@cvs.openbsd.org 2013/06/21 00:37:49 [ssh_config.5] explicitly mention that IdentitiesOnly can be used with IdentityFile to control which keys are offered from an agent. --- ChangeLog | 4 ++++ ssh_config.5 | 13 ++++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f8e2c685..4b8a8259 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@ + - djm@cvs.openbsd.org 2013/06/21 00:37:49 + [ssh_config.5] + explicitly mention that IdentitiesOnly can be used with IdentityFile + to control which keys are offered from an agent. 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh_config.5 b/ssh_config.5 index 003ed68f..86906a48 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.164 2013/05/16 06:28:45 jmc Exp $ -.Dd $Mdocdate: May 16 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.165 2013/06/21 00:37:49 djm Exp $ +.Dd $Mdocdate: June 21 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -628,7 +628,9 @@ and .Pa ~/.ssh/id_rsa for protocol version 2. Additionally, any identities represented by the authentication agent -will be used for authentication. +will be used for authentication unless +.Cm IdentitiesOnly +is set. .Xr ssh 1 will try to load certificate information from the filename obtained by appending @@ -657,6 +659,11 @@ Multiple .Cm IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configuration directives). +.Pp +.Cm IdentityFile +may be used in conjunction with +.Cm IdentitiesOnly +to select which identities in an agent are offered during authentication. .It Cm IgnoreUnknown Specifies a pattern-list of unknown options to be ignored if they are encountered in configuration parsing. -- cgit v1.2.1 From 50cb2c4c8818ac8d03903bd251ca0326a760f8a7 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:10:49 +0000 Subject: - djm@cvs.openbsd.org 2013/06/21 05:42:32 [dh.c] sprinkle in some error() to explain moduli(5) parse failures --- ChangeLog | 3 +++ dh.c | 74 ++++++++++++++++++++++++++++++++++++++++----------------------- 2 files changed, 50 insertions(+), 27 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4b8a8259..10de1077 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,9 @@ [ssh_config.5] explicitly mention that IdentitiesOnly can be used with IdentityFile to control which keys are offered from an agent. + - djm@cvs.openbsd.org 2013/06/21 05:42:32 + [dh.c] + sprinkle in some error() to explain moduli(5) parse failures 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/dh.c b/dh.c index d943ca1e..a7d0e3ab 100644 --- a/dh.c +++ b/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: dh.c,v 1.50 2013/06/21 05:42:32 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * 
@@ -48,6 +48,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
 const char *errstr = NULL;
 long long n;
 
+ dhg->p = dhg-> g = NULL;
 cp = line;
 if ((arg = strdelim(&cp)) == NULL)
 return 0;
@@ -59,66 +60,85 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) /* time */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; arg = strsep(&cp, " "); /* type */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; /* Ensure this is a safe prime */ n = strtonum(arg, 0, 5, &errstr); - if (errstr != NULL || n != MODULI_TYPE_SAFE) + if (errstr != NULL || n != MODULI_TYPE_SAFE) { + error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE); goto fail; + } arg = strsep(&cp, " "); /* tests */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; /* Ensure prime has been tested and is not composite */ n = strtonum(arg, 0, 0x1f, &errstr); if (errstr != NULL || - (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) + (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) { + error("moduli:%d: invalid moduli tests flag", linenum); goto fail; + } arg = strsep(&cp, " "); /* tries */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; n = strtonum(arg, 0, 1<<30, &errstr); - if (errstr != NULL || n == 0) + if (errstr != NULL || n == 0) { + error("moduli:%d: invalid primality trial count", linenum); goto fail; + } strsize = strsep(&cp, " "); /* size */ if (cp == NULL || *strsize == '\0' || (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 || - errstr) + errstr) { + error("moduli:%d: invalid prime length", linenum); goto fail; + } /* The whole group is one bit larger */ dhg->size++; gen = strsep(&cp, " "); /* gen */ if (cp == NULL || *gen == '\0') - goto fail; + goto truncated; prime = strsep(&cp, " "); /* prime */ - if (cp != NULL || *prime == '\0') + if (cp != NULL || *prime == '\0') { + truncated: + error("moduli:%d: truncated", linenum); goto fail; + } if ((dhg->g = BN_new()) == NULL) fatal("parse_prime: BN_new failed"); if ((dhg->p = BN_new()) == NULL) fatal("parse_prime: BN_new failed"); - if (BN_hex2bn(&dhg->g, gen) == 0) - goto failclean; - - if (BN_hex2bn(&dhg->p, prime) == 0) - 
goto failclean; - - if (BN_num_bits(dhg->p) != dhg->size) - goto failclean; - - if (BN_is_zero(dhg->g) || BN_is_one(dhg->g)) - goto failclean; + if (BN_hex2bn(&dhg->g, gen) == 0) { + error("moduli:%d: could not parse generator value", linenum); + goto fail; + } + if (BN_hex2bn(&dhg->p, prime) == 0) { + error("moduli:%d: could not parse prime value", linenum); + goto fail; + } + if (BN_num_bits(dhg->p) != dhg->size) { + error("moduli:%d: prime has wrong size: actual %d listed %d", + linenum, BN_num_bits(dhg->p), dhg->size - 1); + goto fail; + } + if (BN_cmp(dhg->g, BN_value_one()) <= 0) { + error("moduli:%d: generator is invalid", linenum); + goto fail; + } - return (1); + return 1; - failclean: - BN_clear_free(dhg->g); - BN_clear_free(dhg->p); fail: + if (dhg->g != NULL) + BN_clear_free(dhg->g); + if (dhg->p != NULL) + BN_clear_free(dhg->p); + dhg->g = dhg->p = NULL; error("Bad prime description in line %d", linenum); - return (0); + return 0; } DH * -- cgit v1.2.1 From afbc1e38ea311c4e9ff6b56f1ed5f0d41bde6c44 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:11:07 +0000 Subject: - djm@cvs.openbsd.org 2013/06/21 05:43:10 [scp.c] make this -Wsign-compare clean after time_t conversion --- ChangeLog | 3 +++ scp.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 10de1077..86da2761 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ - djm@cvs.openbsd.org 2013/06/21 05:42:32 [dh.c] sprinkle in some error() to explain moduli(5) parse failures + - djm@cvs.openbsd.org 2013/06/21 05:43:10 + [scp.c] + make this -Wsign-compare clean after time_t conversion 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/scp.c b/scp.c index ca7948f6..958faf3f 100644 --- a/scp.c +++ b/scp.c 
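Review bot: The new generator check `BN_cmp(dhg->g, BN_value_one()) <= 0` only rejects g <= 1 and still accepts a generator equal to or larger than the prime, which is at least a sign of a corrupted moduli line that the old BN_is_zero/BN_is_one test did not catch either. Since everything else on the line is validated here, I would reject that too: `if (BN_cmp(dhg->g, BN_value_one()) <= 0 || BN_cmp(dhg->g, dhg->p) >= 0) {`. Separately, `goto truncated` jumps into the body of the final `if`, which is legal C but unusual enough to trip readers; hoisting the `truncated:` label (with its error() and `goto fail`) out of that block reads more plainly. The `fail:` label still prints the generic "Bad prime description" line after the specific error(), so every rejected line now logs twice. parse_prime() starts before this hunk.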
@@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.176 2013/06/17 04:48:42 guenther Exp $ */ +/* $OpenBSD: scp.c,v 1.177 2013/06/21 05:43:10 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -976,7 +976,7 @@ sink(int argc, char **argv) ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("mtime.sec not delimited"); - if ((time_t)ull < 0 || (time_t)ull != ull) + if ((time_t)ull < 0 || ull > LLONG_MAX) setimes = 0; /* out of range */ mtime.tv_sec = ull; mtime.tv_usec = strtol(cp, &cp, 10); @@ -988,7 +988,7 @@ sink(int argc, char **argv) ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("atime.sec not delimited"); - if ((time_t)ull < 0 || (time_t)ull != ull) + if ((time_t)ull < 0 || ull > LLONG_MAX) setimes = 0; /* out of range */ atime.tv_sec = ull; atime.tv_usec = strtol(cp, &cp, 10); -- cgit v1.2.1 From f08e680edf004014cd64105c1c2ace3eb37de3cc Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:11:25 +0000 Subject: - djm@cvs.openbsd.org 2013/06/22 06:31:57 [scp.c] improved time_t overflow check suggested by guenther@ --- ChangeLog | 3 +++ scp.c | 8 +++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 86da2761..1502ec87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - djm@cvs.openbsd.org 2013/06/21 05:43:10 [scp.c] make this -Wsign-compare clean after time_t conversion + - djm@cvs.openbsd.org 2013/06/22 06:31:57 + [scp.c] + improved time_t overflow check suggested by guenther@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/scp.c b/scp.c index 958faf3f..28ded5e9 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.177 2013/06/21 05:43:10 djm Exp $ */ +/* $OpenBSD: scp.c,v 1.178 2013/06/22 06:31:57 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). 
@@ -976,7 +976,8 @@ sink(int argc, char **argv) ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("mtime.sec not delimited"); - if ((time_t)ull < 0 || ull > LLONG_MAX) + if ((time_t)ull < 0 || + (unsigned long long)(time_t)ull != ull) setimes = 0; /* out of range */ mtime.tv_sec = ull; mtime.tv_usec = strtol(cp, &cp, 10); @@ -988,7 +989,8 @@ sink(int argc, char **argv) ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("atime.sec not delimited"); - if ((time_t)ull < 0 || ull > LLONG_MAX) + if ((time_t)ull < 0 || + (unsigned long long)(time_t)ull != ull) setimes = 0; /* out of range */ atime.tv_sec = ull; atime.tv_usec = strtol(cp, &cp, 10); -- cgit v1.2.1 From e58039af7468a6b84216853058013eb11d757d6a Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:11:50 +0000 Subject: - jmc@cvs.openbsd.org 2013/06/27 14:05:37 [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] do not use Sx for sections outwith the man page - ingo informs me that stuff like html will render with broken links; issue reported by Eric S. Raymond, via djm --- ChangeLog | 5 +++++ ssh-keygen.1 | 7 +++---- ssh.1 | 12 ++++-------- ssh_config.5 | 14 +++++--------- sshd.8 | 8 +++----- sshd_config.5 | 41 ++++++++++++----------------------------- 6 files changed, 32 insertions(+), 55 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1502ec87..9cabcb46 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,11 @@ - djm@cvs.openbsd.org 2013/06/22 06:31:57 [scp.c] improved time_t overflow check suggested by guenther@ + - jmc@cvs.openbsd.org 2013/06/27 14:05:37 + [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] + do not use Sx for sections outwith the man page - ingo informs me that + stuff like html will render with broken links; + issue reported by Eric S. Raymond, via djm 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 7da73e07..0d55854e 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 
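Review bot: The seconds field is now range-checked against time_t, but `mtime.tv_usec = strtol(cp, &cp, 10);` on the very next line is still accepted unchecked, at least within the lines shown: a negative value or one above 999999 reaches utimes(), which POSIX documents as failing with EINVAL, and strtol's ERANGE is never examined. The same applies to `atime.tv_usec` in the second part of the hunk. I would add, after each usec parse, `if (mtime.tv_usec < 0 || mtime.tv_usec > 999999) setimes = 0;` (and the atime equivalent) so a malformed timestamp degrades to "don't set times" the way an out-of-range seconds value already does. sink() starts and ends outside this hunk.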
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 19 2013 $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -516,8 +516,7 @@ of two times separated by a colon to indicate an explicit time interval. The start time may be specified as a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting of a minus sign followed by a relative time in the format described in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting with a plus character. diff --git a/ssh.1 b/ssh.1 index dc7af486..3cb4254e 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.332 2013/04/19 01:06:50 djm Exp $ -.Dd $Mdocdate: April 19 2013 $ +.\" $OpenBSD: ssh.1,v 1.333 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -754,9 +754,7 @@ implements public key authentication protocol automatically, using one of the DSA, ECDSA or RSA algorithms. Protocol 1 is restricted to using only RSA keys, but protocol 2 may use any. -The -.Sx HISTORY -section of +The HISTORY section of .Xr ssl 8 contains a brief discussion of the DSA and RSA algorithms. .Pp 
@@ -812,9 +810,7 @@ instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys. -See the -.Sx CERTIFICATES -section of +See the CERTIFICATES section of .Xr ssh-keygen 1 for more information. .Pp diff --git a/ssh_config.5 b/ssh_config.5 index 86906a48..5d76c6d2 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.165 2013/06/21 00:37:49 djm Exp $ -.Dd $Mdocdate: June 21 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -474,8 +474,7 @@ option is also enabled. .It Cm ForwardX11Timeout Specify a timeout for untrusted X11 forwarding using the format described in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . X11 connections received by .Xr ssh 1 @@ -964,8 +963,7 @@ and depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . The default value for .Cm RekeyLimit @@ -1251,9 +1249,7 @@ The default is .Dq no . Note that this option applies to protocol version 2 only. .Pp -See also -.Sx VERIFYING HOST KEYS -in +See also VERIFYING HOST KEYS in .Xr ssh 1 . .It Cm VisualHostKey If this flag is set to diff --git a/sshd.8 b/sshd.8 index 03b77b04..b0c7ab6b 100644 --- a/sshd.8 +++ b/sshd.8 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.269 2013/04/07 09:40:27 dtucker Exp $ -.Dd $Mdocdate: April 7 2013 $ +.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSHD 8 .Os .Sh NAME @@ -567,9 +567,7 @@ is enabled. Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .Pp diff --git a/sshd_config.5 b/sshd_config.5 index 18b1d81a..3807c0f3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.160 2013/05/16 06:30:06 jmc Exp $ -.Dd $Mdocdate: May 16 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.161 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -117,9 +117,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm AllowTcpForwarding @@ -159,9 +157,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm AuthenticationMethods 
@@ -205,9 +201,7 @@ Specifies a program to be used to look up the user's public keys. The program must be owned by root and not writable by group or others. It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or -more lines of authorized_keys output (see -.Sx AUTHORIZED_KEYS -in +more lines of authorized_keys output (see AUTHORIZED_KEYS in .Xr sshd 8 ) . If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual @@ -222,7 +216,7 @@ than running authorized keys commands. Specifies the file that contains the public keys that can be used for user authentication. The format is described in the -.Sx AUTHORIZED_KEYS FILE FORMAT +AUTHORIZED_KEYS FILE FORMAT section of .Xr sshd 8 . .Cm AuthorizedKeysFile @@ -246,9 +240,7 @@ When using certificates signed by a key listed in this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described -in -.Sx AUTHORIZED_KEYS FILE FORMAT -in +in AUTHORIZED_KEYS FILE FORMAT in .Xr sshd 8 ) . Empty lines and comments starting with .Ql # @@ -426,9 +418,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm DenyUsers @@ -447,9 +437,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm ForceCommand @@ -761,8 +749,7 @@ and .Cm Address . The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the -.Sx PATTERNS -section of +PATTERNS section of .Xr ssh_config 5 . .Pp The patterns in an 
@@ -1043,9 +1030,7 @@ be refused for all users. Keys may be specified as a text file, listing one public key per line, or as an OpenSSH Key Revocation List (KRL) as generated by .Xr ssh-keygen 1 . -For more information on KRLs, see the -.Sx KEY REVOCATION LISTS -section in +For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together @@ -1134,9 +1119,7 @@ listed in the certificate's principals list. Note that certificates that lack a list of principals will not be permitted for authentication using .Cm TrustedUserCAKeys . -For more details on certificates, see the -.Sx CERTIFICATES -section in +For more details on certificates, see the CERTIFICATES section in .Xr ssh-keygen 1 . .It Cm UseDNS Specifies whether -- cgit v1.2.1 From 98c017df3a7843736521058971917e83bbaeb6d4 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:12:06 +0000 Subject: - markus@cvs.openbsd.org 2013/07/02 12:31:43 [dh.c] remove extra whitespace --- ChangeLog | 3 +++ dh.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9cabcb46..5d4855d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,9 @@ do not use Sx for sections outwith the man page - ingo informs me that stuff like html will render with broken links; issue reported by Eric S. Raymond, via djm + - markus@cvs.openbsd.org 2013/07/02 12:31:43 + [dh.c] + remove extra whitespace 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/dh.c b/dh.c index a7d0e3ab..449dd385 100644 --- a/dh.c +++ b/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.50 2013/06/21 05:42:32 djm Exp $ */ +/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * 
@@ -48,7 +48,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) const char *errstr = NULL; long long n; - dhg->p = dhg-> g = NULL; + dhg->p = dhg->g = NULL; cp = line; if ((arg = strdelim(&cp)) == NULL) return 0; -- cgit v1.2.1 From 08d6ecbd13e227636dd01fdbe03ef304875df1c4 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:12:44 +0000 Subject: - djm@cvs.openbsd.org 2013/07/12 00:19:59 [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c] [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c] fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ --- ChangeLog | 4 ++++ auth-options.c | 8 +++++--- auth-rsa.c | 7 +++---- bufaux.c | 8 ++++---- buffer.h | 4 ++-- channels.c | 7 ++++--- hostfile.c | 17 ++++++++++------- hostfile.h | 4 ++-- mux.c | 19 +++++++++++++------ packet.c | 11 ++++++----- packet.h | 4 ++-- roaming_common.c | 4 ++-- serverloop.c | 5 +++-- 13 files changed, 60 insertions(+), 42 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5d4855d6..aa66e3b0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,10 @@ - markus@cvs.openbsd.org 2013/07/02 12:31:43 [dh.c] remove extra whitespace + - djm@cvs.openbsd.org 2013/07/12 00:19:59 + [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c] + [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c] + fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/auth-options.c b/auth-options.c index a8d738ac..80d59ee9 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.58 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -432,7 +432,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, { char *command, *allowed; const char *remote_ip; - u_char *name = NULL, *data_blob = NULL; + char *name = NULL; + u_char *data_blob = NULL; u_int nlen, dlen, clen; Buffer c, data; int ret = -1, found; @@ -550,7 +551,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, buffer_clear(&data); free(name); free(data_blob); - name = data_blob = NULL; + name = NULL; + data_blob = NULL; } /* successfully parsed all options */ ret = 0; diff --git a/auth-rsa.c b/auth-rsa.c index b7a03fdc..545aa496 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.84 2013/06/21 00:34:49 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.85 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -165,8 +165,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, const BIGNUM *client_n, Key **rkey) { char *fp, line[SSH_MAX_PUBKEY_BYTES]; - int allowed = 0; - u_int bits; + int allowed = 0, bits; FILE *f; u_long linenum = 0; Key *key; @@ -227,7 +226,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, /* check the real bits */ keybits = BN_num_bits(key->rsa->n); - if (keybits < 0 || bits != (u_int)keybits) + if (keybits < 0 || bits != keybits) logit("Warning: %s, line %lu: keysize mismatch: " "actual %d vs. announced %d.", file, linenum, BN_num_bits(key->rsa->n), bits); diff --git a/bufaux.c b/bufaux.c index ec8853f8..de5b3ca1 100644 --- a/bufaux.c +++ b/bufaux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufaux.c,v 1.51 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: bufaux.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -285,7 +285,7 @@ buffer_put_cstring(Buffer *buffer, const char *s) * Returns a character from the buffer (0 - 255). */ int -buffer_get_char_ret(char *ret, Buffer *buffer) +buffer_get_char_ret(u_char *ret, Buffer *buffer) { if (buffer_get_ret(buffer, ret, 1) == -1) { error("buffer_get_char_ret: buffer_get_ret failed"); @@ -297,11 +297,11 @@ buffer_get_char_ret(char *ret, Buffer *buffer) int buffer_get_char(Buffer *buffer) { - char ch; + u_char ch; if (buffer_get_char_ret(&ch, buffer) == -1) fatal("buffer_get_char: buffer error"); - return (u_char) ch; + return ch; } /* diff --git a/buffer.h b/buffer.h index e2a9dd10..4fa2ca11 100644 --- a/buffer.h +++ b/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.21 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: buffer.h,v 1.22 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen @@ -84,7 +84,7 @@ int buffer_get_int64_ret(u_int64_t *, Buffer *); void *buffer_get_string_ret(Buffer *, u_int *); char *buffer_get_cstring_ret(Buffer *, u_int *); void *buffer_get_string_ptr_ret(Buffer *, u_int *); -int buffer_get_char_ret(char *, Buffer *); +int buffer_get_char_ret(u_char *, Buffer *); #ifdef OPENSSL_HAS_ECC #include diff --git a/channels.c b/channels.c index b48e6aeb..9e87bfb9 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.323 2013/06/07 15:37:52 dtucker Exp $ */ +/* $OpenBSD: channels.c,v 1.324 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1139,7 +1139,8 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) u_int8_t atyp; } s5_req, s5_rsp; u_int16_t dest_port; - u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; + char dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; + u_char *p; u_int have, need, i, found, nmethods, addrlen, af; debug2("channel %d: decode socks5", c->self); 
@@ -1209,7 +1210,7 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) buffer_consume(&c->input, sizeof(s5_req)); if (s5_req.atyp == SSH_SOCKS5_DOMAIN) buffer_consume(&c->input, 1); /* host string length */ - buffer_get(&c->input, (char *)&dest_addr, addrlen); + buffer_get(&c->input, &dest_addr, addrlen); buffer_get(&c->input, (char *)&dest_port, 2); dest_addr[addrlen] = '\0'; free(c->path); diff --git a/hostfile.c b/hostfile.c index 69d0d289..2ff4c48b 100644 --- a/hostfile.c +++ b/hostfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.c,v 1.51 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: hostfile.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -64,7 +64,7 @@ struct hostkeys { }; static int -extract_salt(const char *s, u_int l, char *salt, size_t salt_len) +extract_salt(const char *s, u_int l, u_char *salt, size_t salt_len) { char *p, *b64salt; u_int b64len; @@ -115,7 +115,8 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len) { const EVP_MD *md = EVP_sha1(); HMAC_CTX mac_ctx; - char salt[256], result[256], uu_salt[512], uu_result[512]; + u_char salt[256], result[256]; + char uu_salt[512], uu_result[512]; static char encoded[1024]; u_int i, len; @@ -133,7 +134,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len) } HMAC_Init(&mac_ctx, salt, len, md); - HMAC_Update(&mac_ctx, host, strlen(host)); + HMAC_Update(&mac_ctx, (u_char *)host, strlen(host)); HMAC_Final(&mac_ctx, result, NULL); HMAC_cleanup(&mac_ctx); @@ -153,7 +154,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len) */ int -hostfile_read_key(char **cpp, u_int *bitsp, Key *ret) +hostfile_read_key(char **cpp, int *bitsp, Key *ret) { char *cp; 
@@ -170,8 +171,10 @@ hostfile_read_key(char **cpp, u_int *bitsp, Key *ret) /* Return results. */ *cpp = cp; - if (bitsp != NULL) - *bitsp = key_size(ret); + if (bitsp != NULL) { + if ((*bitsp = key_size(ret)) <= 0) + return 0; + } return 1; } diff --git a/hostfile.h b/hostfile.h index d84d422f..679c034f 100644 --- a/hostfile.h +++ b/hostfile.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.h,v 1.19 2010/11/29 23:45:51 djm Exp $ */ +/* $OpenBSD: hostfile.h,v 1.20 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen @@ -40,7 +40,7 @@ HostStatus check_key_in_hostkeys(struct hostkeys *, Key *, int lookup_key_in_hostkeys_by_type(struct hostkeys *, int, const struct hostkey_entry **); -int hostfile_read_key(char **, u_int *, Key *); +int hostfile_read_key(char **, int *, Key *); int add_host_to_hostfile(const char *, const char *, const Key *, int); #define HASH_MAGIC "|1|" diff --git a/mux.c b/mux.c index 314ee8cd..882fa61b 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.43 2013/06/05 02:07:29 dtucker Exp $ */ +/* $OpenBSD: mux.c,v 1.44 2013/07/12 00:19:58 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -630,19 +630,22 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) Forward fwd; char *fwd_desc = NULL; u_int ftype; + u_int lport, cport; int i, ret = 0, freefwd = 1; fwd.listen_host = fwd.connect_host = NULL; if (buffer_get_int_ret(&ftype, m) != 0 || (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.listen_port, m) != 0 || + buffer_get_int_ret(&lport, m) != 0 || (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.connect_port, m) != 0) { + buffer_get_int_ret(&cport, m) != 0 || + lport > 65535 || cport > 65535) { error("%s: malformed message", __func__); ret = -1; goto out; } - + fwd.listen_port = lport; + fwd.connect_port = cport; if (*fwd.listen_host == '\0') { free(fwd.listen_host); fwd.listen_host = NULL; 
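Review bot: The new early `return 0` in hostfile_read_key runs after `*cpp = cp;` has already advanced the caller's cursor, so this failure path hands back a modified pointer while reporting failure, which the earlier failure returns at the top of the function (outside this hunk) presumably do not do. If any caller retries parsing from `*cpp` after a 0 return, it will resume past the rejected key. Moving the check ahead of the assignment keeps the failure path side-effect free: `if (bitsp != NULL && (*bitsp = key_size(ret)) <= 0) return 0;` followed by `*cpp = cp;`. A comment such as `/* key_size() <= 0 means an unusable key; report failure without consuming it */` would explain the new branch to the next reader.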
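Review bot: The port range check in process_mux_open_fwd spells the upper bound as the bare literal `65535` twice, and the identical check is repeated in process_mux_close_fwd in the next hunk, so the bound now lives in four places. A single named constant or a tiny helper, e.g. `static int valid_port(u_int p) { return p <= 65535; }` used as `!valid_port(lport) || !valid_port(cport)`, keeps the two mux message parsers from drifting apart. The check is the right place to reject untrusted values from the mux socket before they are narrowed into `Forward` ports, so the explicit `fwd.listen_port = lport;` assignments after it are fine as written. The remainder of both functions is outside the hunks.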
@@ -778,17 +781,21 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) const char *error_reason = NULL; u_int ftype; int i, listen_port, ret = 0; + u_int lport, cport; fwd.listen_host = fwd.connect_host = NULL; if (buffer_get_int_ret(&ftype, m) != 0 || (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.listen_port, m) != 0 || + buffer_get_int_ret(&lport, m) != 0 || (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.connect_port, m) != 0) { + buffer_get_int_ret(&cport, m) != 0 || + lport > 65535 || cport > 65535) { error("%s: malformed message", __func__); ret = -1; goto out; } + fwd.listen_port = lport; + fwd.connect_port = cport; if (*fwd.listen_host == '\0') { free(fwd.listen_host); diff --git a/packet.c b/packet.c index b25395d4..0d27e759 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.187 2013/06/01 13:15:52 dtucker Exp $ */ +/* $OpenBSD: packet.c,v 1.188 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1048,7 +1048,7 @@ packet_send(void) int packet_read_seqnr(u_int32_t *seqnr_p) { - int type, len, ret, ms_remain, cont; + int type, len, ret, cont, ms_remain = 0; fd_set *setp; char buf[8192]; struct timeval timeout, start, *timeoutp = NULL; @@ -1487,6 +1487,8 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) } else { type = packet_read_poll1(); switch (type) { + case SSH_MSG_NONE: + return SSH_MSG_NONE; case SSH_MSG_IGNORE: break; case SSH_MSG_DEBUG: @@ -1501,8 +1503,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) cleanup_exit(255); break; default: - if (type) - DBG(debug("received packet type %d", type)); + DBG(debug("received packet type %d", type)); return type; } } 
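Review bot: The new `case SSH_MSG_NONE: return SSH_MSG_NONE;` in packet_read_poll_seqnr carries no comment, and its meaning differs from every other case in the switch, which consume a housekeeping message and loop. Presumably packet_read_poll1() yields SSH_MSG_NONE when no complete packet is buffered yet, in which case the intent is to hand that condition straight back to the caller; a one-line comment such as `/* no complete packet yet: return to caller instead of looping */` would make that explicit. Dropping the old `if (type)` guard in `default:` is consistent with that, since SSH_MSG_NONE can no longer reach it. The enclosing function extends beyond the hunk.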
@@ -1739,7 +1740,7 @@ void packet_write_wait(void) { fd_set *setp; - int ret, ms_remain; + int ret, ms_remain = 0; struct timeval start, timeout, *timeoutp = NULL; setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, diff --git a/packet.h b/packet.h index bc548f2b..f8edf851 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.58 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */ /* * Author: Tatu Ylonen @@ -71,7 +71,7 @@ void *packet_get_raw(u_int *length_ptr); void *packet_get_string(u_int *length_ptr); char *packet_get_cstring(u_int *length_ptr); void *packet_get_string_ptr(u_int *length_ptr); -void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2))); +void packet_disconnect(const char *fmt,...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2))); void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); void set_newkeys(int mode); diff --git a/roaming_common.c b/roaming_common.c index 8d0b6054..50d6177d 100644 --- a/roaming_common.c +++ b/roaming_common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: roaming_common.c,v 1.10 2013/07/12 00:19:59 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -227,7 +227,7 @@ calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge) { const EVP_MD *md = EVP_sha1(); EVP_MD_CTX ctx; - char hash[EVP_MAX_MD_SIZE]; + u_char hash[EVP_MAX_MD_SIZE]; Buffer b; buffer_init(&b); diff --git a/serverloop.c b/serverloop.c index 7c250b22..ccbad617 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.167 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.168 2013/07/12 00:19:59 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -823,7 +823,8 @@ void server_loop2(Authctxt *authctxt) { fd_set *readset = NULL, *writeset = NULL; - int rekeying = 0, max_fd, nalloc = 0; + int rekeying = 0, max_fd; + u_int nalloc = 0; u_int64_t rekey_timeout_ms = 0; debug("Entering interactive session for SSH2."); -- cgit v1.2.1 From 58aab0dffbf73ccfbc9d019fce4d8bf45c9913b7 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:13:02 +0000 Subject: - djm@cvs.openbsd.org 2013/07/12 00:20:00 [sftp.c ssh-keygen.c ssh-pkcs11.c] fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ --- ChangeLog | 3 +++ sftp.c | 5 +++-- ssh-keygen.c | 7 ++++--- ssh-pkcs11.c | 12 ++++++------ 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index aa66e3b0..9db3bb0f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,9 @@ [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c] [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c] fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ + - djm@cvs.openbsd.org 2013/07/12 00:20:00 + [sftp.c ssh-keygen.c ssh-pkcs11.c] + fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/sftp.c b/sftp.c index f50a4bb6..f0daaefa 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.146 2013/06/04 20:42:36 dtucker Exp $ */ +/* $OpenBSD: sftp.c,v 1.147 2013/07/12 00:20:00 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1830,7 +1830,8 @@ static unsigned char complete(EditLine *el, int ch) { char **argv, *line, quote; - u_int argc, carg, cursor, len, terminated, ret = CC_ERROR; + int argc, carg; + u_int cursor, len, terminated, ret = CC_ERROR; const LineInfo *lf; struct complete_ctx *complete_ctx; diff --git a/ssh-keygen.c b/ssh-keygen.c index f2438747..504ebaf7 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.227 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.228 2013/07/12 00:20:00 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -524,7 +524,7 @@ do_convert_from_ssh2(struct passwd *pw, Key **k, int *private) fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); encoded[0] = '\0'; while ((blen = get_line(fp, line, sizeof(line))) != -1) { - if (line[blen - 1] == '\\') + if (blen > 0 && line[blen - 1] == '\\') escaped++; if (strncmp(line, "----", 4) == 0 || strstr(line, ": ") != NULL) { @@ -1797,7 +1797,8 @@ add_cert_option(char *opt) static void show_options(const Buffer *optbuf, int v00, int in_critical) { - u_char *name, *data; + char *name; + u_char *data; u_int dlen; Buffer options, option; diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index a17326ba..618c0752 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.8 2013/07/12 00:20:00 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -263,8 +263,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, pin = read_passphrase(prompt, RP_ALLOW_EOF); if (pin == NULL) return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin))) - != CKR_OK) { + if ((rv = f->C_Login(si->session, CKU_USER, + (u_char *)pin, strlen(pin))) != CKR_OK) { free(pin); error("C_Login failed: %lu", rv); return (-1); @@ -328,7 +328,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, /* remove trailing spaces */ static void -rmspace(char *buf, size_t len) +rmspace(u_char *buf, size_t len) { size_t i; 
@@ -366,8 +366,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) return (-1); } if (login_required && pin) { - if ((rv = f->C_Login(session, CKU_USER, pin, strlen(pin))) - != CKR_OK) { + if ((rv = f->C_Login(session, CKU_USER, + (u_char *)pin, strlen(pin))) != CKR_OK) { error("C_Login failed: %lu", rv); if ((rv = f->C_CloseSession(session)) != CKR_OK) error("C_CloseSession failed: %lu", rv); -- cgit v1.2.1 From c650b909f08265b40b113294520ad03c9f772029 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:13:19 +0000 Subject: - djm@cvs.openbsd.org 2013/07/12 00:43:50 [misc.c] in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when errno == 0. Avoids confusing error message in some broken resolver cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker --- ChangeLog | 5 +++++ misc.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9db3bb0f..bcb297ee 100644 --- a/ChangeLog +++ b/ChangeLog @@ -44,6 +44,11 @@ - djm@cvs.openbsd.org 2013/07/12 00:20:00 [sftp.c ssh-keygen.c ssh-pkcs11.c] fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ + - djm@cvs.openbsd.org 2013/07/12 00:43:50 + [misc.c] + in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when + errno == 0. Avoids confusing error message in some broken resolver + cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/misc.c b/misc.c index fd745444..2bdfb650 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.90 2013/06/01 13:15:52 dtucker Exp $ */ +/* $OpenBSD: misc.c,v 1.91 2013/07/12 00:43:50 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. 
@@ -127,7 +127,7 @@ unset_nonblock(int fd) const char * ssh_gai_strerror(int gaierr) { - if (gaierr == EAI_SYSTEM) + if (gaierr == EAI_SYSTEM && errno != 0) return strerror(errno); return gai_strerror(gaierr); } -- cgit v1.2.1 From 6dd13462ac06a972d030c53c1dc38df797d639fd Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:13:37 +0000 Subject: - djm@cvs.openbsd.org 2013/07/12 05:42:03 [ssh-keygen.c] do_print_resource_record() can never be called with a NULL filename, so don't attempt (and bungle) asking for one if it has not been specified bz#2127 ok dtucker@ --- ChangeLog | 5 +++++ ssh-keygen.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index bcb297ee..2c025826 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,11 @@ in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when errno == 0. Avoids confusing error message in some broken resolver cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker + - djm@cvs.openbsd.org 2013/07/12 05:42:03 + [ssh-keygen.c] + do_print_resource_record() can never be called with a NULL filename, so + don't attempt (and bungle) asking for one if it has not been specified + bz#2127 ok dtucker@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh-keygen.c b/ssh-keygen.c index 504ebaf7..1edc965d 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.228 2013/07/12 00:20:00 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.229 2013/07/12 05:42:03 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1301,7 +1301,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname) struct stat st; if (fname == NULL) - ask_filename(pw, "Enter file in which the key is"); + fatal("%s: no filename", __func__); if (stat(fname, &st) < 0) { if (errno == ENOENT) return 0; -- cgit v1.2.1 From 32a58fbe094cefe945f2e6760663e254b8162962 Mon Sep 17 00:00:00 2001 
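Review bot: ssh_gai_strerror reads the global errno at the time it is called, not at the time getaddrinfo() failed, so the new `errno != 0` test only helps when the caller invokes it immediately after the failing resolver call; any intervening library call (logging, free) can leave a stale or unrelated value that this function will then report as the cause. The contract is worth stating above the function, e.g. `/* Call directly after a failed getaddrinfo(): for EAI_SYSTEM the current errno is reported, so it must not have been clobbered in between. */`. Callers that log before calling this helper should save errno first.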
From: djm Date: Thu, 18 Jul 2013 06:13:55 +0000 Subject: - djm@cvs.openbsd.org 2013/07/12 05:48:55 [ssh.c] set TCP nodelay for connections started with -N; bz#2124 ok dtucker@ --- ChangeLog | 3 +++ ssh.c | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2c025826..21d35b37 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,6 +54,9 @@ do_print_resource_record() can never be called with a NULL filename, so don't attempt (and bungle) asking for one if it has not been specified bz#2127 ok dtucker@ + - djm@cvs.openbsd.org 2013/07/12 05:48:55 + [ssh.c] + set TCP nodelay for connections started with -N; bz#2124 ok dtucker@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh.c b/ssh.c index 0e96c921..a9b0a708 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.378 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.379 2013/07/12 05:48:55 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1480,6 +1480,11 @@ ssh_session2(void) if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) id = ssh_session2_open(); + else { + packet_set_interactive( + options.control_master == SSHCTL_MASTER_NO, + options.ip_qos_interactive, options.ip_qos_bulk); + } /* If we don't expect to open a new session, then disallow it */ if (options.control_master == SSHCTL_MASTER_NO && -- cgit v1.2.1 From 64af6c464cc65a28dece808d4d2b391fb7a88d02 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:14:13 +0000 Subject: - schwarze@cvs.openbsd.org 2013/07/16 00:07:52 [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8] use .Mt for email addresses; from Jan Stary ; ok jmc@ --- ChangeLog | 3 +++ scp.1 | 8 ++++---- sftp-server.8 | 6 +++--- ssh-keyscan.1 | 8 ++++---- ssh-keysign.8 | 6 +++--- ssh-pkcs11-helper.8 | 6 +++--- 6 files changed, 20 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 21d35b37..09d24ce1 100644 
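Review bot: In ssh_session2 the new `else { ... }` branch is braced while the `if` branch directly above it (`id = ssh_session2_open();`) is not, which mixes styles within one statement; under the file's KNF convention either both branches get braces or the single-call `else` is left unbraced. The branch also lacks a comment saying why interactive mode is set here at all, since the commit message rather than the code explains it; something like `/* -N: no session channel will be opened, so the QoS/nodelay setup normally done when the session opens has to happen here */` would do, with the causal claim hedged since ssh_session2_open is outside the hunk.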
--- a/ChangeLog +++ b/ChangeLog @@ -57,6 +57,9 @@ - djm@cvs.openbsd.org 2013/07/12 05:48:55 [ssh.c] set TCP nodelay for connections started with -N; bz#2124 ok dtucker@ + - schwarze@cvs.openbsd.org 2013/07/16 00:07:52 + [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8] + use .Mt for email addresses; from Jan Stary ; ok jmc@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/scp.1 b/scp.1 index 734b97bb..c83012c9 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.58 2011/09/05 07:01:44 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.59 2013/07/16 00:07:52 schwarze Exp $ .\" -.Dd $Mdocdate: September 5 2011 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SCP 1 .Os .Sh NAME @@ -235,5 +235,5 @@ is based on the program in BSD source code from the Regents of the University of California. .Sh AUTHORS -.An Timo Rinne Aq tri@iki.fi -.An Tatu Ylonen Aq ylo@cs.hut.fi +.An Timo Rinne Aq Mt tri@iki.fi +.An Tatu Ylonen Aq Mt ylo@cs.hut.fi diff --git a/sftp-server.8 b/sftp-server.8 index d35af684..cc925b96 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.22 2013/05/06 07:35:12 dtucker Exp $ +.\" $OpenBSD: sftp-server.8,v 1.23 2013/07/16 00:07:52 schwarze Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 6 2013 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -133,4 +133,4 @@ establish a logging socket inside the chroot directory. first appeared in .Ox 2.8 . .Sh AUTHORS -.An Markus Friedl Aq markus@openbsd.org +.An Markus Friedl Aq Mt markus@openbsd.org diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index f2b0fc8f..c35ea05e 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.30 2012/04/11 13:34:17 djm Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.31 2013/07/16 00:07:52 schwarze Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -6,7 +6,7 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd $Mdocdate: April 11 2012 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SSH-KEYSCAN 1 .Os .Sh NAME @@ -164,9 +164,9 @@ $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e .Xr sshd 8 .Sh AUTHORS .An -nosplit -.An David Mazieres Aq dm@lcs.mit.edu +.An David Mazieres Aq Mt dm@lcs.mit.edu wrote the initial version, and -.An Wayne Davison Aq wayned@users.sourceforge.net +.An Wayne Davison Aq Mt wayned@users.sourceforge.net added support for protocol version 2. .Sh BUGS It generates "Connection closed by remote host" messages on the consoles diff --git a/ssh-keysign.8 b/ssh-keysign.8 index 5e09e027..5e0b2d23 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.12 2010/08/31 11:54:45 djm Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.13 2013/07/16 00:07:52 schwarze Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 31 2010 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SSH-KEYSIGN 8 .Os .Sh NAME @@ -88,4 +88,4 @@ information corresponding with the private keys above. first appeared in .Ox 3.2 . .Sh AUTHORS -.An Markus Friedl Aq markus@openbsd.org +.An Markus Friedl Aq Mt markus@openbsd.org diff --git a/ssh-pkcs11-helper.8 b/ssh-pkcs11-helper.8 index 9bdaadc0..3728c4e4 100644 --- a/ssh-pkcs11-helper.8 +++ b/ssh-pkcs11-helper.8 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.3 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.4 2013/07/16 00:07:52 schwarze Exp $ .\" .\" Copyright (c) 2010 Markus Friedl. All rights reserved. .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 10 2010 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SSH-PKCS11-HELPER 8 .Os .Sh NAME @@ -40,4 +40,4 @@ is not intended to be invoked by the user, but from first appeared in .Ox 4.7 . .Sh AUTHORS -.An Markus Friedl Aq markus@openbsd.org +.An Markus Friedl Aq Mt markus@openbsd.org -- cgit v1.2.1 From d2d854af06e9fa2d8dcad5ef8d0e26472d401631 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 18 Jul 2013 06:14:34 +0000 Subject: - djm@cvs.openbsd.org 2013/07/18 01:12:26 [ssh.1] be more exact wrt perms for ~/.ssh/config; bz#2078 --- ChangeLog | 3 +++ ssh.1 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 09d24ce1..9530ef55 100644 --- a/ChangeLog +++ b/ChangeLog @@ -60,6 +60,9 @@ - schwarze@cvs.openbsd.org 2013/07/16 00:07:52 [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8] use .Mt for email addresses; from Jan Stary ; ok jmc@ + - djm@cvs.openbsd.org 2013/07/18 01:12:26 + [ssh.1] + be more exact wrt perms for ~/.ssh/config; bz#2078 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh.1 b/ssh.1 index 3cb4254e..62292cc0 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.333 2013/06/27 14:05:37 jmc Exp $ -.Dd $Mdocdate: June 27 2013 $ +.\" $OpenBSD: ssh.1,v 1.334 2013/07/18 01:12:26 djm Exp $ +.Dd $Mdocdate: July 18 2013 $ .Dt SSH 1 .Os .Sh NAME 
@@ -1337,7 +1337,7 @@ This is the per-user configuration file. The file format and configuration options are described in .Xr ssh_config 5 . Because of the potential for abuse, this file must have strict permissions: -read/write for the user, and not accessible by others. +read/write for the user, and not writable by others. .Pp .It Pa ~/.ssh/environment Contains additional definitions for environment variables; see -- cgit v1.2.1 From 96019572a47bb490d75563505aaf91946d2ea89d Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 20 Jul 2013 03:21:53 +0000 Subject: - markus@cvs.openbsd.org 2013/07/19 07:37:48 [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c] [servconf.h session.c sshd.c sshd_config.5] add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@ --- auth.h | 4 ++- kex.h | 3 ++- kexdhs.c | 10 +++---- kexecdhs.c | 10 +++---- kexgexs.c | 11 +++----- monitor.c | 18 ++++++++++--- servconf.c | 18 +++++++++++-- servconf.h | 3 ++- session.c | 10 ++++++- sshd.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++------ sshd_config.5 | 16 ++++++++++-- 11 files changed, 144 insertions(+), 42 deletions(-) diff --git a/auth.h b/auth.h index caf44adc..80f08986 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.75 2013/06/21 00:34:49 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.76 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
@@ -198,10 +198,12 @@ check_key_in_hostfiles(struct passwd *, Key *, const char *, /* hostkey handling */ Key *get_hostkey_by_index(int); +Key *get_hostkey_public_by_index(int); Key *get_hostkey_public_by_type(int); Key *get_hostkey_private_by_type(int); int get_hostkey_index(Key *); int ssh1_session_key(BIGNUM *); +void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int); /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff --git a/kex.h b/kex.h index 680264af..9f1e1adb 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.55 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.56 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -139,6 +139,7 @@ struct Kex { Key *(*load_host_public_key)(int); Key *(*load_host_private_key)(int); int (*host_key_index)(Key *); + void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int); void (*kex[KEX_MAX])(Kex *); }; diff --git a/kexdhs.c b/kexdhs.c index 15128632..269d8090 100644 --- a/kexdhs.c +++ b/kexdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhs.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.14 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -80,9 +80,6 @@ kexdh_server(Kex *kex) if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); - if (server_host_private == NULL) - fatal("Missing private key for hostkey type %d", - kex->hostkey_type); /* key, cert */ if ((dh_client_pub = BN_new()) == NULL) 
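Review bot: The new `sign` callback added to struct Kex has no comment describing its parameters or its failure semantics, and the same hunk set changes the contract of the value passed to it: kexdhs.c here (and kexecdhs.c and kexgexs.c in the following hunks) drops the `server_host_private == NULL` fatal(), so a NULL private key now flows into `kex->sign()` and is presumably the signal to sign via the agent using the public key instead. Because the callback returns void, the caller cannot check for failure, so the implementation must not return unless it produced a signature. Suggest documenting that on the member: `/* Sign data with a host key: (private or NULL, public, sig out, siglen out, data, datalen); must not return on failure. */`, matching the `sshd_hostkey_sign` prototype added to auth.h in this hunk.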
@@ -144,9 +141,8 @@ kexdh_server(Kex *kex) } /* sign H */ - if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash, - hashlen)) < 0) - fatal("kexdh_server: key_sign failed"); + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ diff --git a/kexecdhs.c b/kexecdhs.c index c42dcf44..3a580aac 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.5 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -78,9 +78,6 @@ kexecdh_server(Kex *kex) if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); - if (server_host_private == NULL) - fatal("Missing private key for hostkey type %d", - kex->hostkey_type); debug("expecting SSH2_MSG_KEX_ECDH_INIT"); packet_read_expect(SSH2_MSG_KEX_ECDH_INIT); @@ -139,9 +136,8 @@ kexecdh_server(Kex *kex) } /* sign H */ - if (PRIVSEP(key_sign(server_host_private, &signature, &slen, - hash, hashlen)) < 0) - fatal("kexdh_server: key_sign failed"); + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ diff --git a/kexgexs.c b/kexgexs.c index a543dda8..4e473fc7 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.16 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. 
@@ -68,10 +68,6 @@ kexgex_server(Kex *kex) if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); - if (server_host_private == NULL) - fatal("Missing private key for hostkey type %d", - kex->hostkey_type); - type = packet_read(); switch (type) { @@ -187,9 +183,8 @@ kexgex_server(Kex *kex) } /* sign H */ - if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash, - hashlen)) < 0) - fatal("kexgex_server: key_sign failed"); + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ diff --git a/monitor.c b/monitor.c index 0516f60a..44dff98c 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.126 2013/06/21 00:34:49 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.127 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -97,6 +97,7 @@ #include "ssh2.h" #include "jpake.h" #include "roaming.h" +#include "authfd.h" #ifdef GSSAPI static Gssctxt *gsscontext = NULL; @@ -686,6 +687,8 @@ mm_answer_moduli(int sock, Buffer *m) return (0); } +extern AuthenticationConnection *auth_conn; + int mm_answer_sign(int sock, Buffer *m) { 
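Review bot: monitor.c declares `extern AuthenticationConnection *auth_conn;` at file scope just above mm_answer_sign, and session.c (in a later hunk of this commit) declares the same extern again inside child_close_fds, while the definition lives in sshd.c. Two ad-hoc externs for one global invite the declarations and the definition to drift; a single declaration in a header this commit already touches, `extern AuthenticationConnection *auth_conn;` next to the new `sshd_hostkey_sign` prototype in auth.h, with the locals removed, keeps one source of truth. The kexgexs.c hunk at the start of this line has the same removed-NULL-check contract change already noted for kexdhs.c.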
@@ -714,10 +717,16 @@ mm_answer_sign(int sock, Buffer *m) memcpy(session_id2, p, session_id2_len); } - if ((key = get_hostkey_by_index(keyid)) == NULL) + if ((key = get_hostkey_by_index(keyid)) != NULL) { + if (key_sign(key, &signature, &siglen, p, datlen) < 0) + fatal("%s: key_sign failed", __func__); + } else if ((key = get_hostkey_public_by_index(keyid)) != NULL && + auth_conn != NULL) { + if (ssh_agent_sign(auth_conn, key, &signature, &siglen, p, + datlen) < 0) + fatal("%s: ssh_agent_sign failed", __func__); + } else fatal("%s: no hostkey from index %d", __func__, keyid); - if (key_sign(key, &signature, &siglen, p, datlen) < 0) - fatal("%s: key_sign failed", __func__); debug3("%s: signature %p(%u)", __func__, signature, siglen); @@ -1864,6 +1873,7 @@ mm_get_kex(Buffer *m) kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; + kex->sign = sshd_hostkey_sign; return (kex); } diff --git a/servconf.c b/servconf.c index 36b8efec..747edde6 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.239 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -79,6 +79,7 @@ initialize_server_options(ServerOptions *options) options->address_family = -1; options->num_host_key_files = 0; options->num_host_cert_files = 0; + options->host_key_agent = NULL; options->pid_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; @@ -344,7 +345,7 @@ typedef enum { sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, + sAuthenticationMethods, sHostKeyAgent, sDeprecated, sUnsupported } ServerOpCodes; 
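Review bot: In mm_answer_sign the closing `else fatal("%s: no hostkey from index %d", ...)` now also fires when a public key for `keyid` exists but `auth_conn` is NULL, i.e. the agent configured via HostKeyAgent was not connected or went away, and that message will send an operator looking for a missing key file instead of a missing agent. Splitting the two cases keeps the diagnosis honest, e.g. `} else if (get_hostkey_public_by_index(keyid) != NULL) fatal("%s: hostkey %d requires agent but none connected", __func__, keyid);` before the existing `else fatal(...)`. Terminating with fatal() on an agent signing failure mirrors the key_sign path, so that part is consistent.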
@@ -369,6 +370,7 @@ static struct { { "port", sPort, SSHCFG_GLOBAL }, { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ + { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, { "pidfile", sPidFile, SSHCFG_GLOBAL }, { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, @@ -978,6 +980,17 @@ process_server_config_line(ServerOptions *options, char *line, } break; + case sHostKeyAgent: + charptr = &options->host_key_agent; + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing socket name.", + filename, linenum); + if (*activep && *charptr == NULL) + *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? + xstrdup(arg) : derelativise_path(arg); + break; + case sHostCertificate: intptr = &options->num_host_cert_files; if (*intptr >= MAX_HOSTKEYS) @@ -2011,6 +2024,7 @@ dump_config(ServerOptions *o) dump_cfg_string(sVersionAddendum, o->version_addendum); dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); + dump_cfg_string(sHostKeyAgent, o->host_key_agent); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff --git a/servconf.h b/servconf.h index fc051bd4..98aad8ba 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.108 2013/05/16 04:09:14 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */ /* * Author: Tatu Ylonen 
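Review bot: The sHostKeyAgent parser gives the literal string equal to SSH_AUTHSOCKET_ENV_NAME (the environment variable name "SSH_AUTH_SOCK") a special meaning, storing it verbatim instead of passing it through derelativise_path, and nothing in the hunk says why; the reader has to find the matching strcmp in sshd.c, where that value means "do not setenv, use whatever socket sshd inherited". Since a root daemon will trust whatever agent this resolves to for host-key signatures, the sentinel deserves a comment at the assignment: `/* The literal "SSH_AUTH_SOCK" means use the socket already in sshd's environment; any other value is a socket path, made absolute. */`. The `*charptr == NULL` first-match-wins handling is consistent with the other string options.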
@@ -65,6 +65,7 @@ typedef struct { int num_host_key_files; /* Number of files for host keys. */ char *host_cert_files[MAX_HOSTCERTS]; /* Files containing host certs. */ int num_host_cert_files; /* Number of files for host certs. */ + char *host_key_agent; /* ssh-agent socket for host keys. */ char *pid_file; /* Where to put our pid */ int server_key_bits;/* Size of the server key. */ int login_grace_time; /* Disconnect if no auth in this time diff --git a/session.c b/session.c index 1424825c..d4b57bdf 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.265 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: session.c,v 1.266 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -80,6 +80,7 @@ #include "hostfile.h" #include "auth.h" #include "auth-options.h" +#include "authfd.h" #include "pathnames.h" #include "log.h" #include "servconf.h" @@ -1589,6 +1590,13 @@ launch_login(struct passwd *pw, const char *hostname) static void child_close_fds(void) { + extern AuthenticationConnection *auth_conn; + + if (auth_conn) { + ssh_close_authentication_connection(auth_conn); + auth_conn = NULL; + } + if (packet_get_connection_in() == packet_get_connection_out()) close(packet_get_connection_in()); else { diff --git a/sshd.c b/sshd.c index 1306a62a..174cc7a4 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.403 2013/06/05 02:27:50 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.404 2013/07/19 07:37:48 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -106,6 +106,7 @@ #include "canohost.h" #include "hostfile.h" #include "auth.h" +#include "authfd.h" #include "misc.h" #include "msg.h" #include "dispatch.h" 
@@ -194,6 +195,10 @@ char *server_version_string = NULL; /* for rekeying XXX fixme */ Kex *xxx_kex; +/* Daemon's agent connection */ +AuthenticationConnection *auth_conn = NULL; +int have_agent = 0; + /* * Any really sensitive data in the application is contained in this * structure. The idea is that this structure could be locked into memory so @@ -206,6 +211,7 @@ struct { Key *server_key; /* ephemeral server key */ Key *ssh1_host_key; /* ssh1 host key */ Key **host_keys; /* all private host keys */ + Key **host_pubkeys; /* all public host keys */ Key **host_certificates; /* all public host certificates */ int have_ssh1_key; int have_ssh2_key; @@ -653,6 +659,8 @@ privsep_preauth(Authctxt *authctxt) debug2("Network child is on pid %ld", (long)pid); pmonitor->m_pid = pid; + if (have_agent) + auth_conn = ssh_get_authentication_connection(); if (box != NULL) ssh_sandbox_parent_preauth(box, pid); monitor_child_preauth(authctxt, pmonitor); @@ -766,6 +774,8 @@ list_hostkey_types(void) buffer_init(&b); for (i = 0; i < options.num_host_key_files; i++) { key = sensitive_data.host_keys[i]; + if (key == NULL) + key = sensitive_data.host_pubkeys[i]; if (key == NULL) continue; switch (key->type) { @@ -819,6 +829,8 @@ get_hostkey_by_type(int type, int need_private) break; default: key = sensitive_data.host_keys[i]; + if (key == NULL && !need_private) + key = sensitive_data.host_pubkeys[i]; break; } if (key != NULL && key->type == type) @@ -848,6 +860,14 @@ get_hostkey_by_index(int ind) return (sensitive_data.host_keys[ind]); } +Key * +get_hostkey_public_by_index(int ind) +{ + if (ind < 0 || ind >= options.num_host_key_files) + return (NULL); + return (sensitive_data.host_pubkeys[ind]); +} + int get_hostkey_index(Key *key) { @@ -860,6 +880,8 @@ get_hostkey_index(Key *key) } else { if (key == sensitive_data.host_keys[i]) return (i); + if (key == sensitive_data.host_pubkeys[i]) + return (i); } } return (-1); 
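Review bot: `auth_conn = ssh_get_authentication_connection();` in privsep_preauth is assigned without checking the result, and the same pattern appears in the `main()` hunk that follows (`} else if (compat20 && have_agent) auth_conn = ssh_get_authentication_connection();`). `have_agent` is set once from `ssh_agent_present()` at startup, so if the agent has gone away by the time a connection is handled and this call reports failure by returning NULL (its convention is not visible here; confirm), `auth_conn` stays NULL and `sshd_hostkey_sign` later hands a NULL connection to `ssh_agent_sign`. Checking at the point of connection gives a clearer failure, e.g. `if (have_agent && (auth_conn = ssh_get_authentication_connection()) == NULL) fatal("%s: cannot connect to host key agent", __func__);`. privsep_preauth starts before this hunk.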
@@ -1344,6 +1366,8 @@ main(int ac, char **av) u_int64_t ibytes, obytes; mode_t new_umask; Key *key; + Key *pubkey; + int keytype; Authctxt *authctxt; struct connection_info *connection_info = get_connection_info(0, 0); @@ -1623,22 +1647,45 @@ main(int ac, char **av) } endpwent(); - /* load private host keys */ + /* load host keys */ sensitive_data.host_keys = xcalloc(options.num_host_key_files, sizeof(Key *)); - for (i = 0; i < options.num_host_key_files; i++) + sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files, + sizeof(Key *)); + for (i = 0; i < options.num_host_key_files; i++) { sensitive_data.host_keys[i] = NULL; + sensitive_data.host_pubkeys[i] = NULL; + } + + if (options.host_key_agent) { + if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME)) + setenv(SSH_AUTHSOCKET_ENV_NAME, + options.host_key_agent, 1); + have_agent = ssh_agent_present(); + } for (i = 0; i < options.num_host_key_files; i++) { key = key_load_private(options.host_key_files[i], "", NULL); + pubkey = key_load_public(options.host_key_files[i], NULL); sensitive_data.host_keys[i] = key; - if (key == NULL) { + sensitive_data.host_pubkeys[i] = pubkey; + + if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1 && + have_agent) { + debug("will rely on agent for hostkey %s", + options.host_key_files[i]); + keytype = pubkey->type; + } else if (key != NULL) { + keytype = key->type; + } else { error("Could not load host key: %s", options.host_key_files[i]); sensitive_data.host_keys[i] = NULL; + sensitive_data.host_pubkeys[i] = NULL; continue; } - switch (key->type) { + + switch (keytype) { case KEY_RSA1: sensitive_data.ssh1_host_key = key; sensitive_data.have_ssh1_key = 1; 
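Review bot: When `key == NULL`, `pubkey != NULL` and `have_agent` is false, the final `else` branch logs only `Could not load host key: %s`, which hides the likely cause (a public key file was found but no HostKeyAgent is configured or reachable). A more specific message for that case would save debugging time, e.g. `error("Could not load host key %s: public key found but no agent available", options.host_key_files[i]);` before the existing `continue`. The `pubkey->type != KEY_RSA1` condition also deserves a comment, since it silently excludes protocol-1 host keys from agent delegation (presumably because the agent path only covers SSH2 keys — confirm). Note too that `setenv(SSH_AUTHSOCKET_ENV_NAME, options.host_key_agent, 1)` puts the host key agent socket path into sshd's own environment, which is harmless only if session environments are rebuilt from scratch before exec — not visible in this hunk. main() extends beyond the hunk on both sides.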
@@ -1649,8 +1696,8 @@ main(int ac, char **av) sensitive_data.have_ssh2_key = 1; break; } - debug("private host key: #%d type %d %s", i, key->type, - key_type(key)); + debug("private host key: #%d type %d %s", i, keytype, + key_type(key ? key : pubkey)); } if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); @@ -2020,9 +2067,11 @@ main(int ac, char **av) buffer_init(&loginmsg); auth_debug_reset(); - if (use_privsep) + if (use_privsep) { if (privsep_preauth(authctxt) == 1) goto authenticated; + } else if (compat20 && have_agent) + auth_conn = ssh_get_authentication_connection(); /* perform the key exchange */ /* authenticate user and start session */ @@ -2336,6 +2385,23 @@ do_ssh1_kex(void) packet_write_wait(); } +void +sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen, + u_char *data, u_int dlen) +{ + if (privkey) { + if (PRIVSEP(key_sign(privkey, signature, slen, data, dlen) < 0)) + fatal("%s: key_sign failed", __func__); + } else if (use_privsep) { + if (mm_key_sign(pubkey, signature, slen, data, dlen) < 0) + fatal("%s: pubkey_sign failed", __func__); + } else { + if (ssh_agent_sign(auth_conn, pubkey, signature, slen, data, + dlen)) + fatal("%s: ssh_agent_sign failed", __func__); + } +} + /* * SSH2 key exchange: diffie-hellman-group1-sha1 */ @@ -2386,6 +2452,7 @@ do_ssh2_kex(void) kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; + kex->sign = sshd_hostkey_sign; xxx_kex = kex; diff --git a/sshd_config.5 b/sshd_config.5 index 3807c0f3..3abac6c1 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
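Review bot: The message `private host key: #%d type %d %s` is now also emitted when `key` is NULL and only the public key was loaded (the agent-backed case), so the debug output claims a private key that was never read. Distinguishing the two cases costs one word, e.g. `debug("%s host key: #%d type %d %s", key ? "private" : "agent-backed", i, keytype, key_type(key ? key : pubkey));`. main() continues outside this hunk.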
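Review bot: `sshd_hostkey_sign` is a new non-static function with three dispatch paths — `PRIVSEP(key_sign(...))` when a private key is loaded (presumably routed through the monitor under privsep), `mm_key_sign` by public key under privsep, and direct `ssh_agent_sign` otherwise — and no comment stating when each applies or that `auth_conn` must already be connected for the last branch; a short header comment would spare readers a trip through privsep_preauth and main(). The failure conventions also differ: `key_sign` and `mm_key_sign` are tested with `< 0` while `ssh_agent_sign` is tested for any non-zero value, which is fine if that is its contract but is worth stating in the same comment. The function is complete within the hunk.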
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.161 2013/06/27 14:05:37 jmc Exp $ -.Dd $Mdocdate: June 27 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $ +.Dd $Mdocdate: July 19 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -546,6 +546,18 @@ keys are used for version 1 and or .Dq rsa are used for version 2 of the SSH protocol. +It is also possible to specify public host key files instead. +In this case operations on the private key will be delegated +to an +.Xr ssh-agent 1 . +.It Cm HostKeyAgent +Identifies the UNIX-domain socket used to communicate +with an agent that has access to the private host keys. +If +.Dq SSH_AUTH_SOCK +is specified, the location of the socket will be read from the +.Ev SSH_AUTH_SOCK +environment variable. .It Cm IgnoreRhosts Specifies that .Pa .rhosts -- cgit v1.2.1 From 8b46313e0f8a2dea29d728a6303bf501d83500ce Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 20 Jul 2013 03:22:14 +0000 Subject: - djm@cvs.openbsd.org 2013/07/20 01:43:46 [umac.c] use a union to ensure correct alignment; ok deraadt --- umac.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/umac.c b/umac.c index fb66b809..60514a24 100644 --- a/umac.c +++ b/umac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: umac.c,v 1.6 2013/07/20 01:43:46 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.c -- C Implementation UMAC Message Authentication 
@@ -254,19 +254,21 @@ static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) #elif (UMAC_OUTPUT_LEN > 8) #define LOW_BIT_MASK 0 #endif - - UINT8 tmp_nonce_lo[4]; + union { + UINT8 tmp_nonce_lo[4]; + UINT32 align; + } t; #if LOW_BIT_MASK != 0 int ndx = nonce[7] & LOW_BIT_MASK; #endif - *(UINT32 *)tmp_nonce_lo = ((UINT32 *)nonce)[1]; - tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ + *(UINT32 *)t.tmp_nonce_lo = ((UINT32 *)nonce)[1]; + t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ - if ( (((UINT32 *)tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || + if ( (((UINT32 *)t.tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || (((UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) { ((UINT32 *)pc->nonce)[0] = ((UINT32 *)nonce)[0]; - ((UINT32 *)pc->nonce)[1] = ((UINT32 *)tmp_nonce_lo)[0]; + ((UINT32 *)pc->nonce)[1] = ((UINT32 *)t.tmp_nonce_lo)[0]; aes_encryption(pc->nonce, pc->cache, pc->prf_key); } -- cgit v1.2.1 From cd51788caa01ecae730ac055d625670964047db0 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 20 Jul 2013 03:22:32 +0000 Subject: - djm@cvs.openbsd.org 2013/07/20 01:44:37 [ssh-keygen.c ssh.c] More useful error message on missing current user in /etc/passwd --- ssh-keygen.c | 4 ++-- ssh.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ssh-keygen.c b/ssh-keygen.c index 1edc965d..03c444d4 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.229 2013/07/12 05:42:03 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.230 2013/07/20 01:44:37 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2214,7 +2214,7 @@ main(int argc, char **argv) /* we need this for the home * directory. */ pw = getpwuid(getuid()); if (!pw) { - printf("You don't exist, go away!\n"); + printf("No user exists for uid %lu\n", (u_long)getuid()); exit(1); } if (gethostname(hostname, sizeof(hostname)) < 0) { diff --git a/ssh.c b/ssh.c index a9b0a708..30e65338 100644 --- a/ssh.c 
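Review bot: The new union gives `t.tmp_nonce_lo` 4-byte alignment, but the code still reads and writes it through `*(UINT32 *)t.tmp_nonce_lo` and `((UINT32 *)t.tmp_nonce_lo)[0]` casts rather than the `t.align` member the union was introduced for, so the type-punning is still a pointer cast instead of a union access; replacing each of those casts with `t.align` (the byte-level `t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK;` stays as is) would use the union as intended. The `((UINT32 *)nonce)` and `((UINT32 *)pc->nonce)` accesses are untouched and their alignment still depends on the caller (umac_final passes a plain `u_char nonce[8]`, as a later hunk on this page shows), so the fix is partial unless those are also loaded via `memcpy` or a similarly aligned union. pdf_gen_xor starts before this hunk.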
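Review bot: The rewritten diagnostic `printf("No user exists for uid %lu\n", (u_long)getuid());` still goes to stdout via `printf`, as the line it replaces did; a lookup failure that ends in `exit(1)` belongs on stderr (`fprintf(stderr, ...)`), and the uid passed to `getpwuid` on the line above could be captured once in a local instead of calling `getuid()` a second time. The companion ssh.c change uses `logit`, which already picks the right channel there. main() continues outside the hunk.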
+++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.379 2013/07/12 05:48:55 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.380 2013/07/20 01:44:37 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -299,7 +299,7 @@ main(int ac, char **av) /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { - logit("You don't exist, go away!"); + logit("No user exists for uid %lu", (u_long)original_real_uid); exit(255); } /* Take a copy of the returned structure. */ -- cgit v1.2.1 From 74e36ec261e562facae7a22208cf54cbc5fe0008 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 20 Jul 2013 03:22:49 +0000 Subject: - djm@cvs.openbsd.org 2013/07/20 01:50:20 [ssh-agent.c] call cleanup_handler on SIGINT when in debug mode to ensure sockets are cleaned up on manual exit; bz#2120 --- ssh-agent.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ssh-agent.c b/ssh-agent.c index 27df4f47..c3b11729 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.176 2013/06/02 13:35:58 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.177 2013/07/20 01:50:20 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1344,9 +1344,8 @@ skip: if (ac > 0) parent_alive_interval = 10; idtab_init(); - if (!d_flag) - signal(SIGINT, SIG_IGN); signal(SIGPIPE, SIG_IGN); + signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN); signal(SIGHUP, cleanup_handler); signal(SIGTERM, cleanup_handler); nalloc = 0; -- cgit v1.2.1 From 9478d681e6b49deb3596595fadd51ee71eedd7ba Mon Sep 17 00:00:00 2001 
From: djm Date: Sat, 20 Jul 2013 03:35:45 +0000 Subject: - djm@cvs.openbsd.org 2013/07/20 01:55:13 [auth-krb5.c gss-serv-krb5.c gss-serv.c] fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@ --- ChangeLog | 22 ++++++++++++++++++++++ auth-krb5.c | 21 +++++++++++++-------- gss-serv-krb5.c | 44 +++++++++++++++++++++++++------------------- gss-serv.c | 4 ++-- 4 files changed, 62 insertions(+), 29 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9530ef55..dc2f73bd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,25 @@ +20130720 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2013/07/19 07:37:48 + [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c] + [servconf.h session.c sshd.c sshd_config.5] + add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, + or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 + ok djm@ + - djm@cvs.openbsd.org 2013/07/20 01:43:46 + [umac.c] + use a union to ensure correct alignment; ok deraadt + - djm@cvs.openbsd.org 2013/07/20 01:44:37 + [ssh-keygen.c ssh.c] + More useful error message on missing current user in /etc/passwd + - djm@cvs.openbsd.org 2013/07/20 01:50:20 + [ssh-agent.c] + call cleanup_handler on SIGINT when in debug mode to ensure sockets + are cleaned up on manual exit; bz#2120 + - djm@cvs.openbsd.org 2013/07/20 01:55:13 + [auth-krb5.c gss-serv-krb5.c gss-serv.c] + fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@ + 20130718 - (djm) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 diff --git a/auth-krb5.c b/auth-krb5.c index ff1462ad..43ee9272 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */ /* * Kerberos v5 authentication and ticket-passing routines. * 
@@ -79,6 +79,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) krb5_ccache ccache = NULL; int len; char *client, *platform_client; + const char *errmsg; /* get platform-specific kerberos client principal name (if it exists) */ platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name); @@ -96,7 +97,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) goto out; #ifdef HEIMDAL - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); + problem = krb5_cc_new_unique(authctxt->krb5_ctx, + krb5_mcc_ops.prefix, NULL, &ccache); if (problem) goto out; @@ -115,8 +117,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, - &authctxt->krb5_fwd_ccache); + problem = krb5_cc_new_unique(authctxt->krb5_ctx, + krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache); if (problem) goto out; @@ -187,10 +189,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (ccache) krb5_cc_destroy(authctxt->krb5_ctx, ccache); - if (authctxt->krb5_ctx != NULL && problem!=-1) - debug("Kerberos password authentication failed: %s", - krb5_get_err_text(authctxt->krb5_ctx, problem)); - else + if (authctxt->krb5_ctx != NULL && problem!=-1) { + errmsg = krb5_get_error_message(authctxt->krb5_ctx, + problem); + debug("Kerberos password authentication failed: %s", + errmsg); + krb5_free_error_message(authctxt->krb5_ctx, errmsg); + } else debug("Kerberos password authentication failed: %d", problem); diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 5a625acb..87f26831 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 
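Review bot: The `krb5_cc_new_unique` calls pass `krb5_mcc_ops.prefix` and `krb5_fcc_ops.prefix` as the cache type, which reaches into the library's exported ops structures; if these resolve to the documented `MEMORY` and `FILE` type names (confirm against the Heimdal headers in use), passing those string literals would avoid depending on the ops-struct layout and symbol visibility. In the failure-reporting block, `krb5_get_error_message()` is assumed to return a non-NULL string for the `%s` in `debug`; a one-line comment noting that assumption, or an `errmsg ? errmsg : "unknown error"` guard, would document the contract. auth_krb5_password starts and ends outside these hunks.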
@@ -48,12 +48,11 @@ extern ServerOptions options; #ifdef HEIMDAL # include -#else -# ifdef HAVE_GSSAPI_KRB5_H -# include -# elif HAVE_GSSAPI_GSSAPI_KRB5_H -# include -# endif +#endif +#ifdef HAVE_GSSAPI_KRB5_H +# include +#elif HAVE_GSSAPI_GSSAPI_KRB5_H +# include #endif static krb5_context krb_context = NULL; @@ -87,14 +86,16 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) { krb5_principal princ; int retval; + const char *errmsg; if (ssh_gssapi_krb5_init() == 0) return 0; if ((retval = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { - logit("krb5_parse_name(): %.100s", - krb5_get_err_text(krb_context, retval)); + errmsg = krb5_get_error_message(krb_context, retval); + logit("krb5_parse_name(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return 0; } if (krb5_kuserok(krb_context, princ, name)) { @@ -120,6 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) krb5_principal princ; OM_uint32 maj_status, min_status; int len; + const char *errmsg; if (client->creds == NULL) { debug("No credentials stored"); 
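Review bot: The new `#elif HAVE_GSSAPI_GSSAPI_KRB5_H` tests the macro's value while the line above tests definedness with `#ifdef HAVE_GSSAPI_KRB5_H`; `#elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)` would be consistent and would not depend on autoconf defining the symbol as `1`. The restructuring also means the krb5 GSSAPI header is now included for Heimdal builds as well as MIT ones, which deserves a one-line comment stating why both need it so the next reader does not re-nest it under the `#else`. The include block is complete within the hunk.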
@@ -130,30 +132,34 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) return; #ifdef HEIMDAL - if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { - logit("krb5_cc_gen_new(): %.100s", - krb5_get_err_text(krb_context, problem)); + if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix, + NULL, &ccache)) != 0) { + errmsg = krb5_get_error_message(krb_context, problem); + logit("krb5_cc_new_unique(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return; } #else if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) { - logit("ssh_krb5_cc_gen(): %.100s", - krb5_get_err_text(krb_context, problem)); + errmsg = krb5_get_error_message(krb_context, problem); + logit("ssh_krb5_cc_gen(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return; } #endif /* #ifdef HEIMDAL */ if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { - logit("krb5_parse_name(): %.100s", - krb5_get_err_text(krb_context, problem)); - krb5_cc_destroy(krb_context, ccache); + errmsg = krb5_get_error_message(krb_context, problem); + logit("krb5_parse_name(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return; } if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { - logit("krb5_cc_initialize(): %.100s", - krb5_get_err_text(krb_context, problem)); + errmsg = krb5_get_error_message(krb_context, problem); + logit("krb5_cc_initialize(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); krb5_free_principal(krb_context, princ); krb5_cc_destroy(krb_context, ccache); return; diff --git a/gss-serv.c b/gss-serv.c index c719c130..95348e25 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 
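Review bot: The `krb5_parse_name()` failure branch in ssh_gssapi_krb5_storecreds drops the `krb5_cc_destroy(krb_context, ccache);` that the removed lines had, so on that path the credential cache created a few lines earlier by `krb5_cc_new_unique`/`ssh_krb5_cc_gen` is no longer destroyed (for a file-backed cache this may leave a stale cache file behind). The other rewritten branch, `krb5_cc_initialize()` failure, keeps its `krb5_cc_destroy`, so this looks like an accidental deletion; re-add `krb5_cc_destroy(krb_context, ccache);` after the `krb5_free_error_message` call and before the `return;`. The function continues outside the hunk.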
@@ -50,7 +50,7 @@ static ssh_gssapi_client gssapi_client = { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; ssh_gssapi_mech gssapi_null_mech = { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; -- cgit v1.2.1 From e18973a9c2c4a36f32d5966fa7868c35eb5c1f35 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 25 Jul 2013 01:52:48 +0000 Subject: - djm@cvs.openbsd.org 2013/07/20 22:20:42 [krl.c] fix verification error in (as-yet usused) KRL signature checking path --- ChangeLog | 6 ++++++ krl.c | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index dc2f73bd..f6dcc0c0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20130725 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/07/20 22:20:42 + [krl.c] + fix verification error in (as-yet usused) KRL signature checking path + 20130720 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2013/07/19 07:37:48 diff --git a/krl.c b/krl.c index bd6d3780..b2d0354f 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.12 2013/06/20 19:15:06 markus Exp $ */ +/* $OpenBSD: krl.c,v 1.13 2013/07/20 22:20:42 djm Exp $ */ #include "includes.h" @@ -973,7 +973,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, } /* Check signature over entire KRL up to this point */ if (key_verify(key, blob, blen, - buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) { + buffer_ptr(buf), buffer_len(buf) - sig_off) != 1) { error("bad signaure on KRL"); goto out; } -- cgit v1.2.1 From 39b527295ca6766e307c2eec73d6700dff8ac788 Mon Sep 17 00:00:00 2001 
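Review bot: Changing the test to `!= 1` is the right direction, and the reason deserves a comment, since the old `== -1` only caught the error return and would have accepted a 0 (signature did not verify) result if `key_verify` follows the usual 1/0/-1 convention — confirm against key_verify. Suggest `/* key_verify returns 1 only for a valid signature; treat 0 (bad signature) and -1 (error) alike */` above the `if`. The `error("bad signaure on KRL");` on the following context line has a typo (`signature`) that could be fixed in the same commit. ssh_krl_from_blob continues outside the hunk.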
From: djm Date: Thu, 25 Jul 2013 01:55:20 +0000 Subject: - djm@cvs.openbsd.org 2013/07/22 05:00:17 [umac.c] make MAC key, data to be hashed and nonce for final hash const; checked with -Wcast-qual --- ChangeLog | 4 ++++ umac.c | 62 +++++++++++++++++++++++++++++++------------------------------- 2 files changed, 35 insertions(+), 31 deletions(-) diff --git a/ChangeLog b/ChangeLog index f6dcc0c0..480c9988 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - djm@cvs.openbsd.org 2013/07/20 22:20:42 [krl.c] fix verification error in (as-yet usused) KRL signature checking path + - djm@cvs.openbsd.org 2013/07/22 05:00:17 + [umac.c] + make MAC key, data to be hashed and nonce for final hash const; + checked with -Wcast-qual 20130720 - (djm) OpenBSD CVS Sync diff --git a/umac.c b/umac.c index 60514a24..99416a51 100644 --- a/umac.c +++ b/umac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.c,v 1.6 2013/07/20 01:43:46 djm Exp $ */ +/* $OpenBSD: umac.c,v 1.7 2013/07/22 05:00:17 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.c -- C Implementation UMAC Message Authentication @@ -132,13 +132,13 @@ typedef unsigned int UWORD; /* Register */ /* ---------------------------------------------------------------------- */ #if HAVE_SWAP32 -#define LOAD_UINT32_REVERSED(p) (swap32(*(UINT32 *)(p))) +#define LOAD_UINT32_REVERSED(p) (swap32(*(const UINT32 *)(p))) #define STORE_UINT32_REVERSED(p,v) (*(UINT32 *)(p) = swap32(v)) #else /* HAVE_SWAP32 */ -static UINT32 LOAD_UINT32_REVERSED(void *ptr) +static UINT32 LOAD_UINT32_REVERSED(const void *ptr) { - UINT32 temp = *(UINT32 *)ptr; + UINT32 temp = *(const UINT32 *)ptr; temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 ) | ((temp & 0x0000FF00) << 8 ) | (temp << 24); return (UINT32)temp; 
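Review bot: The `LOAD_UINT32_REVERSED` rewrite adds `const` to `*(const UINT32 *)ptr` but keeps the cast-based load, which still assumes `ptr` is 4-byte aligned and that the bytes may be accessed as a `UINT32`; since the line is being rewritten for -Wcast-qual anyway, `UINT32 temp; memcpy(&temp, ptr, sizeof temp);` is const-correct, alignment-safe and compiles to the same load on the usual targets. The same applies to the macro form one line up when `HAVE_SWAP32` is set. The function's closing brace may fall outside the visible hunk text.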
@@ -159,7 +159,7 @@ static void STORE_UINT32_REVERSED(void *ptr, UINT32 x) */ #if (__LITTLE_ENDIAN__) -#define LOAD_UINT32_LITTLE(ptr) (*(UINT32 *)(ptr)) +#define LOAD_UINT32_LITTLE(ptr) (*(const UINT32 *)(ptr)) #define STORE_UINT32_BIG(ptr,x) STORE_UINT32_REVERSED(ptr,x) #else #define LOAD_UINT32_LITTLE(ptr) LOAD_UINT32_REVERSED(ptr) @@ -184,7 +184,7 @@ typedef AES_KEY aes_int_key[1]; #define aes_encryption(in,out,int_key) \ AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key) #define aes_key_setup(key,int_key) \ - AES_set_encrypt_key((u_char *)(key),UMAC_KEY_LEN*8,int_key) + AES_set_encrypt_key((const u_char *)(key),UMAC_KEY_LEN*8,int_key) /* The user-supplied UMAC key is stretched using AES in a counter * mode to supply all random bits needed by UMAC. The kdf function takes @@ -240,7 +240,7 @@ static void pdf_init(pdf_ctx *pc, aes_int_key prf_key) aes_encryption(pc->nonce, pc->cache, pc->prf_key); } -static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) +static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8]) { /* 'ndx' indicates that we'll be using the 0th or 1st eight bytes * of the AES output. If last time around we returned the ndx-1st @@ -261,13 +261,13 @@ static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) #if LOW_BIT_MASK != 0 int ndx = nonce[7] & LOW_BIT_MASK; #endif - *(UINT32 *)t.tmp_nonce_lo = ((UINT32 *)nonce)[1]; + *(UINT32 *)t.tmp_nonce_lo = ((const UINT32 *)nonce)[1]; t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ if ( (((UINT32 *)t.tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || - (((UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) + (((const UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) { - ((UINT32 *)pc->nonce)[0] = ((UINT32 *)nonce)[0]; + ((UINT32 *)pc->nonce)[0] = ((const UINT32 *)nonce)[0]; ((UINT32 *)pc->nonce)[1] = ((UINT32 *)t.tmp_nonce_lo)[0]; aes_encryption(pc->nonce, pc->cache, pc->prf_key); } 
@@ -335,7 +335,7 @@ typedef struct { #if (UMAC_OUTPUT_LEN == 4) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* NH hashing primitive. Previous (partial) hash result is loaded and * then stored via hp pointer. The length of the data pointed at by "dp", * "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key @@ -345,7 +345,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7; @@ -370,7 +370,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) #elif (UMAC_OUTPUT_LEN == 8) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* Same as previous nh_aux, but two streams are handled in one pass, * reading and writing 16 bytes of hash-state per call. */ @@ -378,7 +378,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h1,h2; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7, k8,k9,k10,k11; @@ -417,7 +417,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) #elif (UMAC_OUTPUT_LEN == 12) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* Same as previous nh_aux, but two streams are handled in one pass, * reading and writing 24 bytes of hash-state per call. */ 
@@ -425,7 +425,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h1,h2,h3; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7, k8,k9,k10,k11,k12,k13,k14,k15; @@ -472,7 +472,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) #elif (UMAC_OUTPUT_LEN == 16) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* Same as previous nh_aux, but two streams are handled in one pass, * reading and writing 24 bytes of hash-state per call. */ @@ -480,7 +480,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h1,h2,h3,h4; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7, k8,k9,k10,k11,k12,k13,k14,k15, @@ -541,7 +541,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) /* ---------------------------------------------------------------------- */ -static void nh_transform(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) +static void nh_transform(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes) /* This function is a wrapper for the primitive NH hash functions. It takes * as argument "hc" the current hash context and a buffer which must be a * multiple of L1_PAD_BOUNDARY. The key passed to nh_aux is offset @@ -616,7 +616,7 @@ static void nh_init(nh_ctx *hc, aes_int_key prf_key) /* ---------------------------------------------------------------------- */ -static void nh_update(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) +static void nh_update(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes) /* Incorporate nbytes of data into a nh_ctx, buffer whatever is not an */ /* even multiple of HASH_BUF_BYTES. */ { 
@@ -711,7 +711,7 @@ static void nh_final(nh_ctx *hc, UINT8 *result) /* ---------------------------------------------------------------------- */ -static void nh(nh_ctx *hc, UINT8 *buf, UINT32 padded_len, +static void nh(nh_ctx *hc, const UINT8 *buf, UINT32 padded_len, UINT32 unpadded_len, UINT8 *result) /* All-in-one nh_update() and nh_final() equivalent. * Assumes that padded_len is divisible by L1_PAD_BOUNDARY and result is @@ -1049,7 +1049,7 @@ static int uhash_free(uhash_ctx_t ctx) #endif /* ---------------------------------------------------------------------- */ -static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) +static int uhash_update(uhash_ctx_t ctx, const u_char *input, long len) /* Given len bytes of data, we parse it into L1_KEY_LEN chunks and * hash each one with NH, calling the polyhash on each NH output. */ @@ -1059,7 +1059,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) UINT8 *nh_result = (UINT8 *)&result_buf; if (ctx->msg_len + len <= L1_KEY_LEN) { - nh_update(&ctx->hash, (UINT8 *)input, len); + nh_update(&ctx->hash, (const UINT8 *)input, len); ctx->msg_len += len; } else { @@ -1074,7 +1074,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) /* bytes to complete the current nh_block. */ if (bytes_hashed) { bytes_remaining = (L1_KEY_LEN - bytes_hashed); - nh_update(&ctx->hash, (UINT8 *)input, bytes_remaining); + nh_update(&ctx->hash, (const UINT8 *)input, bytes_remaining); nh_final(&ctx->hash, nh_result); ctx->msg_len += bytes_remaining; poly_hash(ctx,(UINT32 *)nh_result); @@ -1084,7 +1084,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) /* Hash directly from input stream if enough bytes */ while (len >= L1_KEY_LEN) { - nh(&ctx->hash, (UINT8 *)input, L1_KEY_LEN, + nh(&ctx->hash, (const UINT8 *)input, L1_KEY_LEN, L1_KEY_LEN, nh_result); ctx->msg_len += L1_KEY_LEN; len -= L1_KEY_LEN; 
@@ -1095,7 +1095,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) /* pass remaining < L1_KEY_LEN bytes of input data to NH */ if (len) { - nh_update(&ctx->hash, (UINT8 *)input, len); + nh_update(&ctx->hash, (const UINT8 *)input, len); ctx->msg_len += len; } } @@ -1218,7 +1218,7 @@ int umac_delete(struct umac_ctx *ctx) /* ---------------------------------------------------------------------- */ -struct umac_ctx *umac_new(u_char key[]) +struct umac_ctx *umac_new(const u_char key[]) /* Dynamically allocate a umac_ctx struct, initialize variables, * generate subkeys from key. Align to 16-byte boundary. */ @@ -1235,7 +1235,7 @@ struct umac_ctx *umac_new(u_char key[]) ctx = (struct umac_ctx *)((u_char *)ctx + bytes_to_add); } ctx->free_ptr = octx; - aes_key_setup(key,prf_key); + aes_key_setup(key, prf_key); pdf_init(&ctx->pdf, prf_key); uhash_init(&ctx->hash, prf_key); } @@ -1245,18 +1245,18 @@ struct umac_ctx *umac_new(u_char key[]) /* ---------------------------------------------------------------------- */ -int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]) +int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]) /* Incorporate any pending data, pad, and generate tag */ { uhash_final(&ctx->hash, (u_char *)tag); - pdf_gen_xor(&ctx->pdf, (UINT8 *)nonce, (UINT8 *)tag); + pdf_gen_xor(&ctx->pdf, (const UINT8 *)nonce, (UINT8 *)tag); return (1); } /* ---------------------------------------------------------------------- */ -int umac_update(struct umac_ctx *ctx, u_char *input, long len) +int umac_update(struct umac_ctx *ctx, const u_char *input, long len) /* Given len bytes of data, we parse it into L1_KEY_LEN chunks and */ /* hash each one, calling the PDF on the hashed output whenever the hash- */ /* output buffer is full. */ -- cgit v1.2.1 From 5440309ccbbabcda7178f9482343bc2c8c71963c Mon Sep 17 00:00:00 2001 
From: djm Date: Thu, 25 Jul 2013 01:55:39 +0000 Subject: - djm@cvs.openbsd.org 2013/07/22 12:20:02 [umac.h] oops, forgot to commit corresponding header change; spotted by jsg and jasper --- ChangeLog | 4 ++++ umac.h | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 480c9988..c67a10a9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ [umac.c] make MAC key, data to be hashed and nonce for final hash const; checked with -Wcast-qual + - djm@cvs.openbsd.org 2013/07/22 12:20:02 + [umac.h] + oops, forgot to commit corresponding header change; + spotted by jsg and jasper 20130720 - (djm) OpenBSD CVS Sync diff --git a/umac.h b/umac.h index 6795112a..7fb770f8 100644 --- a/umac.h +++ b/umac.h @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */ +/* $OpenBSD: umac.h,v 1.3 2013/07/22 12:20:02 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.h -- C Implementation UMAC Message Authentication @@ -52,7 +52,7 @@ extern "C" { #endif -struct umac_ctx *umac_new(u_char key[]); +struct umac_ctx *umac_new(const u_char key[]); /* Dynamically allocate a umac_ctx struct, initialize variables, * generate subkeys from key. */ @@ -62,10 +62,10 @@ int umac_reset(struct umac_ctx *ctx); /* Reset a umac_ctx to begin authenicating a new message */ #endif -int umac_update(struct umac_ctx *ctx, u_char *input, long len); +int umac_update(struct umac_ctx *ctx, const u_char *input, long len); /* Incorporate len bytes pointed to by input into context ctx */ -int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); +int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]); /* Incorporate any pending data and the ctr value, and return tag. * This function returns error code if ctr < 0. */ 
@@ -117,9 +117,9 @@ int uhash(uhash_ctx_t ctx, #endif /* matching umac-128 API, we reuse umac_ctx, since it's opaque */ -struct umac_ctx *umac128_new(u_char key[]); -int umac128_update(struct umac_ctx *ctx, u_char *input, long len); -int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); +struct umac_ctx *umac128_new(const u_char key[]); +int umac128_update(struct umac_ctx *ctx, const u_char *input, long len); +int umac128_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]); int umac128_delete(struct umac_ctx *ctx); #ifdef __cplusplus -- cgit v1.2.1 From 0f421cd7fdb2872c22b09971c0ed6ab476a869d6 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 25 Jul 2013 01:55:52 +0000 Subject: - djm@cvs.openbsd.org 2013/07/25 00:29:10 [ssh.c] daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure it is fully detached from its controlling terminal. based on debugging --- ChangeLog | 4 ++++ ssh.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c67a10a9..f799663f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,10 @@ [umac.h] oops, forgot to commit corresponding header change; spotted by jsg and jasper + - djm@cvs.openbsd.org 2013/07/25 00:29:10 + [ssh.c] + daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure + it is fully detached from its controlling terminal. based on debugging 20130720 - (djm) OpenBSD CVS Sync diff --git a/ssh.c b/ssh.c index 30e65338..87233bc9 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.380 2013/07/20 01:44:37 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.381 2013/07/25 00:29:10 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1022,6 +1022,7 @@ control_persist_detach(void) if (devnull > STDERR_FILENO) close(devnull); } + daemon(1, 1); setproctitle("%s [mux]", options.control_path); } -- cgit v1.2.1 From e7ade137ee38d80fab57f304a601969aca093720 Mon Sep 17 00:00:00 2001 
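Review bot: The return value of the new `daemon(1, 1);` in control_persist_detach is discarded, so if the fork or setsid inside it fails the mux master silently carries on attached to the controlling terminal, which is exactly the state this commit exists to prevent. Check it: `if (daemon(1, 1) == -1) fatal("daemon() failed: %s", strerror(errno));`. Note also that daemon() forks, so the surviving master has a different PID from the process that created the control socket; anything that recorded the earlier pid (no such use is visible in this hunk) would now be stale. The rest of control_persist_detach lies outside the hunk.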
From: djm Date: Thu, 25 Jul 2013 01:56:52 +0000 Subject: - djm@cvs.openbsd.org 2013/07/25 00:56:52 [sftp-client.c sftp-client.h sftp.1 sftp.c] sftp support for resuming partial downloads; patch mostly by Loganaden Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@ --- ChangeLog | 4 ++++ sftp-client.c | 75 ++++++++++++++++++++++++++++++++++++++++------------------ sftp-client.h | 6 ++--- sftp.1 | 28 ++++++++++++++++++---- sftp.c | 76 +++++++++++++++++++++++++++++++++++++++-------------------- 5 files changed, 133 insertions(+), 56 deletions(-) diff --git a/ChangeLog b/ChangeLog index f799663f..9552a9b8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ [ssh.c] daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure it is fully detached from its controlling terminal. based on debugging + - djm@cvs.openbsd.org 2013/07/25 00:56:52 + [sftp-client.c sftp-client.h sftp.1 sftp.c] + sftp support for resuming partial downloads; patch mostly by Loganaden + Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@ 20130720 - (djm) OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index ab035c71..cb4efd3e 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.100 2013/06/01 22:34:50 dtucker Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.101 2013/07/25 00:56:51 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -112,7 +112,7 @@ send_msg(struct sftp_conn *conn, Buffer *m) iov[1].iov_len = buffer_len(m); if (atomiciov6(writev, conn->fd_out, iov, 2, - conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != + conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != buffer_len(m) + sizeof(mlen)) fatal("Couldn't send packet: %s", strerror(errno)); 
@@ -988,16 +988,17 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset, int do_download(struct sftp_conn *conn, char *remote_path, char *local_path, - Attrib *a, int pflag) + Attrib *a, int pflag, int resume) { Attrib junk; Buffer msg; char *handle; - int local_fd, status = 0, write_error; - int read_error, write_errno; - u_int64_t offset, size; + int local_fd = -1, status = 0, write_error; + int read_error, write_errno, reordered = 0; + u_int64_t offset = 0, size, highwater; u_int handle_len, mode, type, id, buflen, num_req, max_req; off_t progress_counter; + struct stat st; struct request { u_int id; u_int len; @@ -1050,21 +1051,36 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, return(-1); } - local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, + local_fd = open(local_path, O_WRONLY | O_CREAT | (resume ? : O_TRUNC), mode | S_IWUSR); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", local_path, strerror(errno)); - do_close(conn, handle, handle_len); - buffer_free(&msg); - free(handle); - return(-1); + goto fail; + } + offset = highwater = 0; + if (resume) { + if (fstat(local_fd, &st) == -1) { + error("Unable to stat local file \"%s\": %s", + local_path, strerror(errno)); + goto fail; + } + if ((size_t)st.st_size > size) { + error("Unable to resume download of \"%s\": " + "local file is larger than remote", local_path); + fail: + do_close(conn, handle, handle_len); + buffer_free(&msg); + free(handle); + return -1; + } + offset = highwater = st.st_size; } /* Read from remote and write to local */ - write_error = read_error = write_errno = num_req = offset = 0; + write_error = read_error = write_errno = num_req = 0; max_req = 1; - progress_counter = 0; + progress_counter = offset; if (showprogress && size != 0) start_progress_meter(remote_path, size, &progress_counter); 
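Review bot: The two new resume failure paths leak the local file descriptor: when `fstat()` fails, or the local file is larger than the remote, `local_fd` has already been opened, yet the shared `fail:` block only closes the remote handle, frees the buffer and returns (the original `goto fail` caller arrived with `local_fd == -1`). Add `if (local_fd != -1) close(local_fd);` before `return -1;` in that block. The size check `(size_t)st.st_size > size` also narrows a 64-bit off_t on 32-bit hosts, so a local file larger than 4 GiB can wrongly pass and then resume past the remote end; compare as `(u_int64_t)st.st_size > size` after rejecting a negative st_size. do_download continues beyond this hunk.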
@@ -1139,6 +1155,10 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, write_error = 1; max_req = 0; } + else if (!reordered && req->offset <= highwater) + highwater = req->offset + len; + else if (!reordered && req->offset > highwater) + reordered = 1; progress_counter += len; free(data); @@ -1187,7 +1207,15 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, /* Sanity check */ if (TAILQ_FIRST(&requests) != NULL) fatal("Transfer complete, but requests still in queue"); - + /* Truncate at highest contiguous point to avoid holes on interrupt */ + if (read_error || write_error || interrupted) { + if (reordered && resume) { + error("Unable to resume download of \"%s\": " + "server reordered requests", local_path); + } + debug("truncating at %llu", (unsigned long long)highwater); + ftruncate(local_fd, highwater); + } if (read_error) { error("Couldn't read from remote file \"%s\" : %s", remote_path, fx2txt(status)); @@ -1199,7 +1227,8 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, do_close(conn, handle, handle_len); } else { status = do_close(conn, handle, handle_len); - + if (interrupted) + status = -1; /* Override umask and utimes if asked */ #ifdef HAVE_FCHMOD if (pflag && fchmod(local_fd, mode) == -1) @@ -1227,7 +1256,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, static int download_dir_internal(struct sftp_conn *conn, char *src, char *dst, - Attrib *dirattrib, int pflag, int printflag, int depth) + Attrib *dirattrib, int pflag, int printflag, int depth, int resume) { int i, ret = 0; SFTP_DIRENT **dir_entries; 
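Review bot: `ftruncate(local_fd, highwater);` is unchecked, and it is the one call that makes an interrupted transfer safe to resume: if it fails, the local file keeps bytes (or a hole) beyond the highest contiguous point, and the next `reget` will fstat that longer size and resume from the wrong offset, silently producing a corrupt file. Report the failure so the user knows the file is not resumable: `if (ftruncate(local_fd, highwater) == -1) error("Unable to truncate \"%s\": %s", local_path, strerror(errno));`. A short comment above the block would also help, since the truncation deliberately runs even when `resume` is not set (only the reordered-server message is conditional) because the user may resume on a later invocation. The tail of do_download, including the lseek/write path that the highwater bookkeeping relies on, is outside this hunk.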
@@ -1280,11 +1309,11 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, continue; if (download_dir_internal(conn, new_src, new_dst, &(dir_entries[i]->a), pflag, printflag, - depth + 1) == -1) + depth + 1, resume) == -1) ret = -1; } else if (S_ISREG(dir_entries[i]->a.perm) ) { if (do_download(conn, new_src, new_dst, - &(dir_entries[i]->a), pflag) == -1) { + &(dir_entries[i]->a), pflag, resume) == -1) { error("Download of file %s to %s failed", new_src, new_dst); ret = -1; @@ -1317,7 +1346,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int download_dir(struct sftp_conn *conn, char *src, char *dst, - Attrib *dirattrib, int pflag, int printflag) + Attrib *dirattrib, int pflag, int printflag, int resume) { char *src_canon; int ret; @@ -1328,7 +1357,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst, } ret = download_dir_internal(conn, src_canon, dst, - dirattrib, pflag, printflag, 0); + dirattrib, pflag, printflag, 0, resume); free(src_canon); return ret; } @@ -1553,7 +1582,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, a.perm &= 01777; if (!pflag) a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; - + status = do_mkdir(conn, dst, &a, 0); /* * we lack a portable status for errno EEXIST, @@ -1563,7 +1592,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, if (status != SSH2_FX_OK) { if (status != SSH2_FX_FAILURE) return -1; - if (do_stat(conn, dst, 0) == NULL) + if (do_stat(conn, dst, 0) == NULL) return -1; } @@ -1571,7 +1600,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, error("Failed to open dir \"%s\": %s", src, strerror(errno)); return -1; } - + while (((dp = readdir(dirp)) != NULL) && !interrupted) { if (dp->d_ino == 0) continue; diff --git a/sftp-client.h b/sftp-client.h index aef54ef4..111a998c 100644 --- a/sftp-client.h +++ b/sftp-client.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.h,v 1.20 2010/12/04 00:18:01 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.21 2013/07/25 00:56:51 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller @@ -106,13 +106,13 @@ int do_symlink(struct sftp_conn *, char *, char *); * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set */ -int do_download(struct sftp_conn *, char *, char *, Attrib *, int); +int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int); /* * Recursively download 'remote_directory' to 'local_directory'. Preserve * times if 'pflag' is set */ -int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int); +int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int); /* * Upload 'local_path' to 'remote_path'. Preserve permissions and times diff --git a/sftp.1 b/sftp.1 index bcb47214..2577fe87 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.91 2011/09/05 05:56:13 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.92 2013/07/25 00:56:51 djm Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 5 2011 $ +.Dd $Mdocdate: July 25 2013 $ .Dt SFTP 1 .Os .Sh NAME @@ -129,7 +129,7 @@ may be used to indicate standard input. .Nm will abort if any of the following commands fail: -.Ic get , put , rename , ln , +.Ic get , put , reget , rename , ln , .Ic rm , mkdir , chdir , ls , .Ic lchdir , chmod , chown , .Ic chgrp , lpwd , df , symlink , @@ -343,7 +343,7 @@ extension. Quit .Nm sftp . .It Xo Ic get -.Op Fl Ppr +.Op Fl aPpr .Ar remote-path .Op Ar local-path .Xc 
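Review bot: The new trailing `int` added to do_download() and download_dir() is undocumented in this header; the comment above each still describes only `pflag`. Extend the do_download comment to ` * Download 'remote_path' to 'local_path'. Preserve permissions and times` / ` * if 'pflag' is set. If 'resume' is set, an existing local file is kept and` / ` * the transfer continues from its current size instead of truncating it.` and add the equivalent sentence above download_dir. The sftp.1 text in this same commit is the right source for the caveat that the partial local copy is assumed to match the remote.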
@@ -363,6 +363,14 @@ is specified, then .Ar local-path must specify a directory. .Pp +If the +.Fl a +flag is specified, then attempt to resume partial transfers of existing files. +Note that resumption assumes that any partial copy of the local file matches +the remote copy. +If the remote file differs from the partial local copy then the resultant file +is likely to be corrupt. +.Pp If either the .Fl P or @@ -503,6 +511,18 @@ Display remote working directory. .It Ic quit Quit .Nm sftp . +.It Xo Ic reget +.Op Fl Ppr +.Ar remote-path +.Op Ar local-path +.Xc +Resume download of +.Ar remote-path . +Equivalent to +.Ic get +with the +.Fl a +flag set. .It Ic rename Ar oldpath Ar newpath Rename remote file from .Ar oldpath diff --git a/sftp.c b/sftp.c index f0daaefa..969328de 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.147 2013/07/12 00:20:00 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.148 2013/07/25 00:56:52 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -88,6 +88,9 @@ int showprogress = 1; /* When this option is set, we always recursively download/upload directories */ int global_rflag = 0; +/* When this option is set, we resume download if possible */ +int global_aflag = 0; + /* When this option is set, the file transfers will always preserve times */ int global_pflag = 0; @@ -151,6 +154,7 @@ extern char *__progname; #define I_SYMLINK 21 #define I_VERSION 22 #define I_PROGRESS 23 +#define I_REGET 26 struct CMD { const char *c; @@ -190,6 +194,7 @@ static const struct CMD cmds[] = { { "put", I_PUT, LOCAL }, { "pwd", I_PWD, REMOTE }, { "quit", I_QUIT, NOARGS }, + { "reget", I_REGET, REMOTE }, { "rename", I_RENAME, REMOTE }, { "rm", I_RM, REMOTE }, { "rmdir", I_RMDIR, REMOTE }, 
@@ -239,6 +244,7 @@ help(void) " filesystem containing 'path'\n" "exit Quit sftp\n" "get [-Ppr] remote [local] Download file\n" + "reget remote [local] Resume download file\n" "help Display this help text\n" "lcd path Change local directory to 'path'\n" "lls [ls-options [path]] Display local directory listing\n" @@ -350,8 +356,8 @@ make_absolute(char *p, char *pwd) } static int -parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag, - int *rflag) +parse_getput_flags(const char *cmd, char **argv, int argc, + int *aflag, int *pflag, int *rflag) { extern int opterr, optind, optopt, optreset; int ch; @@ -359,9 +365,12 @@ parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag, optind = optreset = 1; opterr = 0; - *rflag = *pflag = 0; - while ((ch = getopt(argc, argv, "PpRr")) != -1) { + *aflag = *rflag = *pflag = 0; + while ((ch = getopt(argc, argv, "aPpRr")) != -1) { switch (ch) { + case 'a': + *aflag = 1; + break; case 'p': case 'P': *pflag = 1; @@ -519,7 +528,7 @@ pathname_is_dir(char *pathname) static int process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, - int pflag, int rflag) + int pflag, int rflag, int resume) { char *abs_src = NULL; char *abs_dst = NULL; @@ -571,15 +580,18 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, } free(tmp); - if (!quiet) + resume |= global_aflag; + if (!quiet && resume) + printf("Resuming %s to %s\n", g.gl_pathv[i], abs_dst); + else if (!quiet && !resume) printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { - if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, - pflag || global_pflag, 1) == -1) + if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, + pflag || global_pflag, 1, resume) == -1) err = -1; } else { if (do_download(conn, g.gl_pathv[i], abs_dst, NULL, - pflag || global_pflag) == -1) + pflag || global_pflag, resume) == -1) err = -1; } free(abs_dst); 
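Review bot: The new help line `reget remote [local] Resume download file` omits the flag list, although parse_args treats I_REGET exactly like I_GET and the sftp.1 hunk in this commit documents `reget [-Ppr]`. Change it to `"reget [-Ppr] remote [local] Resume download file\n"` so in-program help matches the manual. The `get` line should likewise become `get [-aPpr] remote [local]`, since -a was added to parse_getput_flags in the same commit.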
@@ -1118,8 +1130,9 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, } static int -parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, - int *hflag, int *sflag, unsigned long *n_arg, char **path1, char **path2) +parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, + int *pflag, int *rflag, int *sflag, unsigned long *n_arg, + char **path1, char **path2) { const char *cmd, *cp = *cpp; char *cp2, **argv; @@ -1163,14 +1176,15 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, } /* Get arguments and parse flags */ - *lflag = *pflag = *rflag = *hflag = *n_arg = 0; + *aflag = *lflag = *pflag = *rflag = *hflag = *n_arg = 0; *path1 = *path2 = NULL; optidx = 1; switch (cmdnum) { case I_GET: + case I_REGET: case I_PUT: if ((optidx = parse_getput_flags(cmd, argv, argc, - pflag, rflag)) == -1) + aflag, pflag, rflag)) == -1) return -1; /* Get first pathname (mandatory) */ if (argc - optidx < 1) { @@ -1185,6 +1199,11 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, /* Destination is not globbed */ undo_glob_escape(*path2); } + if (*aflag && cmdnum == I_PUT) { + /* XXX implement resume for uploads */ + error("Resume is not supported for uploads"); + return -1; + } break; case I_LINK: if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1) @@ -1293,7 +1312,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, int err_abort) { char *path1, *path2, *tmp; - int pflag = 0, rflag = 0, lflag = 0, iflag = 0, hflag = 0, sflag = 0; + int aflag = 0, hflag = 0, iflag = 0, lflag = 0, pflag = 0; + int rflag = 0, sflag = 0; int cmdnum, i; unsigned long n_arg = 0; Attrib a, *aa; 
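Review bot: The `put -a` rejection only catches the per-command flag; a global `sftp -a` sets global_aflag, which parse_args never consults and process_put is not handed, so `put` under `sftp -a` silently performs a plain upload while `put -a` errors out. If downloads-only is the intended meaning of -a, record it at the check, e.g. `/* -a and the global -a apply to downloads only; uploads are never resumed */`; if instead the intent is that -a should fail loudly for uploads, the condition needs `if ((*aflag || global_aflag) && cmdnum == I_PUT)`. The remaining parse_args cases continue outside this hunk.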
@@ -1302,9 +1322,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, glob_t g; path1 = path2 = NULL; - cmdnum = parse_args(&cmd, &pflag, &rflag, &lflag, &iflag, &hflag, - &sflag, &n_arg, &path1, &path2); - + cmdnum = parse_args(&cmd, &aflag, &hflag, &iflag, &lflag, &pflag, + &rflag, &sflag, &n_arg, &path1, &path2); if (iflag != 0) err_abort = 0; @@ -1319,8 +1338,12 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, /* Unrecognized command */ err = -1; break; + case I_REGET: + aflag = 1; + /* FALLTHROUGH */ case I_GET: - err = process_get(conn, path1, path2, *pwd, pflag, rflag); + err = process_get(conn, path1, path2, *pwd, pflag, + rflag, aflag); break; case I_PUT: err = process_put(conn, path1, path2, *pwd, pflag, rflag); @@ -1949,12 +1972,10 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) } } else { /* XXX this is wrong wrt quoting */ - if (file2 == NULL) - snprintf(cmd, sizeof cmd, "get %s", dir); - else - snprintf(cmd, sizeof cmd, "get %s %s", dir, - file2); - + snprintf(cmd, sizeof cmd, "get%s %s%s%s", + global_aflag ? " -a" : "", dir, + file2 == NULL ? "" : " ", + file2 == NULL ? "" : file2); err = parse_dispatch_command(conn, cmd, &remote_path, 1); free(dir); @@ -2143,7 +2164,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, - "1246hpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { + "1246ahpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ case '4': @@ -2183,6 +2204,9 @@ main(int argc, char **argv) case '2': sshver = 2; break; + case 'a': + global_aflag = 1; + break; case 'B': copy_buffer_len = strtol(optarg, &cp, 10); if (copy_buffer_len == 0 || *cp != '\0') -- cgit v1.2.1 From 6016924961a1741455262677e0109c18e4890dd8 Mon Sep 17 00:00:00 2001 
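Review bot: The new `-a` command-line option added to the getopt string and the `case 'a': global_aflag = 1;` arm in main() has no matching option entry in the sftp.1 hunks of this commit, which document only `get -a` and `reget`; unless the SYNOPSIS and OPTIONS sections are updated elsewhere, `sftp -a` is an undocumented switch that changes what `get` does to existing local files. Add an `.It Fl a` entry stating that it attempts to resume partial transfers of existing files and carries the same corruption caveat as `get -a`. Separately, the rebuilt `snprintf(cmd, sizeof cmd, "get%s %s%s%s", ...)` in interactive_loop keeps the pre-existing "XXX this is wrong wrt quoting" problem: a remote path containing spaces or quotes is re-tokenised by parse_dispatch_command, so the new code inherits rather than fixes it.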
From: djm Date: Thu, 25 Jul 2013 01:57:15 +0000 Subject: - djm@cvs.openbsd.org 2013/07/25 00:57:37 [version.h] openssh-6.3 for release --- ChangeLog | 4 ++++ version.h | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9552a9b8..2c219725 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,10 @@ [sftp-client.c sftp-client.h sftp.1 sftp.c] sftp support for resuming partial downloads; patch mostly by Loganaden Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@ + "Just be careful" deraadt@ + - djm@cvs.openbsd.org 2013/07/25 00:57:37 + [version.h] + openssh-6.3 for release 20130720 - (djm) OpenBSD CVS Sync diff --git a/version.h b/version.h index 784f707a..f6ec0ee3 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */ +/* $OpenBSD: version.h,v 1.67 2013/07/25 00:57:37 djm Exp $ */ -#define SSH_VERSION "OpenSSH_6.2" +#define SSH_VERSION "OpenSSH_6.3" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.2.1 From 459d5294881652e4053621113274f5feaab61345 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 25 Jul 2013 02:08:07 +0000 Subject: - dtucker@cvs.openbsd.org 2013/05/30 20:12:32 [regress/test-exec.sh] use ssh and sshd as testdata since it needs to be >256k for the rekey test --- ChangeLog | 3 +++ regress/test-exec.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2c219725..5daedfa4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ - djm@cvs.openbsd.org 2013/07/25 00:57:37 [version.h] openssh-6.3 for release + - dtucker@cvs.openbsd.org 2013/05/30 20:12:32 + [regress/test-exec.sh] + use ssh and sshd as testdata since it needs to be >256k for the rekey test 20130720 - (djm) OpenBSD CVS Sync diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 2eab3234..6e1c28c8 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh 
@@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.44 2013/05/17 10:30:07 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.45 2013/05/30 20:12:32 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo -- cgit v1.2.1 From 0d9a1e6fe77e135b8d41d08721c4646546246de7 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 25 Jul 2013 02:08:46 +0000 Subject: - dtucker@cvs.openbsd.org 2013/06/10 21:56:43 [regress/forwarding.sh] Add test for forward config parsing --- ChangeLog | 3 +++ regress/forwarding.sh | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 5daedfa4..841988bb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - dtucker@cvs.openbsd.org 2013/05/30 20:12:32 [regress/test-exec.sh] use ssh and sshd as testdata since it needs to be >256k for the rekey test + - dtucker@cvs.openbsd.org 2013/06/10 21:56:43 + [regress/forwarding.sh] + Add test for forward config parsing 20130720 - (djm) OpenBSD CVS Sync diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 1c408603..ca48b40a 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forwarding.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $ # Placed in the Public Domain. tid="local and remote forwarding" @@ -104,3 +104,18 @@ for p in 2; do fail "stdio forwarding proto $p" fi done + +echo "LocalForward ${base}01 127.0.0.1:$PORT" >> ssh_config +echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> ssh_config +for p in 1 2; do + trace "config file: start forwarding, fork to background" + ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10 + + trace "config file: transfer over forwarded channels and check result" + ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} + test -f ${COPY} || fail "failed copy of ${DATA}" + cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + + wait +done -- cgit v1.2.1 
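Review bot: The `wait` at the end of each iteration cannot wait for the forwarding client, because `${SSH} -f` forks and the surviving process is no longer a child of the test shell; the loop therefore proceeds to the next protocol while the previous `sleep 10` session still holds the `${base}01` listener, and the second client may fail to bind its LocalForward and silently ride on the still-open one. Record and kill the backgrounded instance explicitly, or run the client in the background without `-f` (`${SSH} -$p -F $OBJ/ssh_config somehost sleep 10 &` followed by a readiness check) so that `wait` is meaningful. How `base` and `PORT` are chosen is outside this hunk; the clash concern assumes both iterations use the same `${base}01`.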
From f6bd9dd2898f856bce746e8ae32a1d32fab0f112 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 25 Jul 2013 02:11:18 +0000 Subject: - djm@cvs.openbsd.org 2013/06/21 02:26:26 [regress/sftp-cmds.sh regress/test-exec.sh] unbreak sftp-cmds for renamed test data (s/ls/data/) --- ChangeLog | 3 +++ regress/sftp-cmds.sh | 10 +++++----- regress/test-exec.sh | 5 +++-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 841988bb..9ba32587 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,9 @@ - dtucker@cvs.openbsd.org 2013/06/10 21:56:43 [regress/forwarding.sh] Add test for forward config parsing + - djm@cvs.openbsd.org 2013/06/21 02:26:26 + [regress/sftp-cmds.sh regress/test-exec.sh] + unbreak sftp-cmds for renamed test data (s/ls/data/) 20130720 - (djm) OpenBSD CVS Sync diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh index ba5ef066..aad7fcac 100644 --- a/regress/sftp-cmds.sh +++ b/regress/sftp-cmds.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp-cmds.sh,v 1.13 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: sftp-cmds.sh,v 1.14 2013/06/21 02:26:26 djm Exp $ # Placed in the Public Domain. # XXX - TODO: @@ -106,7 +106,7 @@ rm -f ${COPY}.dd/* verbose "$tid: get to directory" echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" -cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get" rm -f ${COPY}.dd/* verbose "$tid: glob get to directory" @@ -120,7 +120,7 @@ rm -f ${COPY}.dd/* verbose "$tid: get to local dir" (echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" -cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get" rm -f ${COPY}.dd/* verbose "$tid: glob get to local dir" 
@@ -154,7 +154,7 @@ rm -f ${COPY}.dd/* verbose "$tid: put to directory" echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" -cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put" rm -f ${COPY}.dd/* verbose "$tid: glob put to directory" @@ -168,7 +168,7 @@ rm -f ${COPY}.dd/* verbose "$tid: put to local dir" (echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" -cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put" rm -f ${COPY}.dd/* verbose "$tid: glob put to local dir" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 6e1c28c8..eee44626 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.45 2013/05/30 20:12:32 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.46 2013/06/21 02:26:26 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -167,7 +167,8 @@ SSH="$SSHLOGWRAP" # Some test data. We make a copy because some tests will overwrite it. # The tests may assume that $DATA exists and is writable and $COPY does # not exist. -DATA=$OBJ/data +DATANAME=data +DATA=$OBJ/${DATANAME} cat $SSHD $SSHD $SSHD $SSHD >${DATA} chmod u+w ${DATA} COPY=$OBJ/copy -- cgit v1.2.1 From e4dbbeac3f0d84ab557c41fe4a66569886ad1eff Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 25 Jul 2013 02:34:00 +0000 Subject: - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers --- README | 4 ++-- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README b/README index 21dc6e1f..ece2dba1 100644 --- a/README +++ b/README 
@@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-6.2 for the release notes. +See http://www.openssh.com/txt/release-6.3 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.82 2013/02/26 23:48:19 djm Exp $ +$Id: README,v 1.83 2013/07/25 02:34:00 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 196bd790..b460bfff 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 6.2p1 +%define version 6.3p1 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.79 2013/02/26 23:48:20 djm Exp $ +$Id: openssh.spec,v 1.80 2013/07/25 02:34:00 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 3898c6c9..d1191f4e 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 6.2p1 +%define ver 6.3p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 960feae0..2866039d 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 6.2p1 +Version: 6.3p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.1 From 622a7ca018a004d86f628049aab488c067ad5513 Mon Sep 17 00:00:00 2001 
From: tim Date: Thu, 25 Jul 2013 22:40:00 +0000 Subject: - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on Solaris and UnixWare. Feedback and OK djm@ --- ChangeLog | 2 ++ sftp-client.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 9ba32587..741fe7cf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,8 @@ - djm@cvs.openbsd.org 2013/06/21 02:26:26 [regress/sftp-cmds.sh regress/test-exec.sh] unbreak sftp-cmds for renamed test data (s/ls/data/) + - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on + Solaris and UnixWare. Feedback and OK djm@ 20130720 - (djm) OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index cb4efd3e..f4f1970b 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1051,7 +1051,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, return(-1); } - local_fd = open(local_path, O_WRONLY | O_CREAT | (resume ? : O_TRUNC), + local_fd = open(local_path, O_WRONLY | O_CREAT | (resume ? 0 : O_TRUNC), mode | S_IWUSR); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", -- cgit v1.2.1 From 89e056a0515b243c3aa3ae66d53d34742ac44ad8 Mon Sep 17 00:00:00 2001 From: tim Date: Thu, 25 Jul 2013 23:03:16 +0000 Subject: - (tim) [regress/forwarding.sh] Fix for building outside read only source tree. --- ChangeLog | 1 + regress/forwarding.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 741fe7cf..5af298a4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,7 @@ unbreak sftp-cmds for renamed test data (s/ls/data/) - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on Solaris and UnixWare. Feedback and OK djm@ + - (tim) [regress/forwarding.sh] Fix for building outside read only source tree. 20130720 - (djm) OpenBSD CVS Sync diff --git a/regress/forwarding.sh b/regress/forwarding.sh index ca48b40a..94873f22 100644 --- a/regress/forwarding.sh 
+++ b/regress/forwarding.sh @@ -105,8 +105,8 @@ for p in 2; do fi done -echo "LocalForward ${base}01 127.0.0.1:$PORT" >> ssh_config -echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> ssh_config +echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config +echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config for p in 1 2; do trace "config file: start forwarding, fork to background" ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10 -- cgit v1.2.1 From cbe342a579f9d3d0bc16f2288d10a66efaf205bb Mon Sep 17 00:00:00 2001 From: tim Date: Fri, 26 Jul 2013 01:41:40 +0000 Subject: more correct comment for last commit --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 5af298a4..b7a09812 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,7 +34,7 @@ unbreak sftp-cmds for renamed test data (s/ls/data/) - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on Solaris and UnixWare. Feedback and OK djm@ - - (tim) [regress/forwarding.sh] Fix for building outside read only source tree. + - (tim) [regress/forwarding.sh] Fix for building outside source tree. 20130720 - (djm) OpenBSD CVS Sync -- cgit v1.2.1 From c2ea88fbd9fc116c34eaed565867042670407fc7 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 1 Aug 2013 04:29:20 +0000 Subject: - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non- blocking connecting socket will clear any stored errno that might otherwise have been retrievable via getsockopt(). A hack to limit writes to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap it in an #ifdef. Diagnosis and patch from Ivo Raisr. --- ChangeLog | 7 +++++++ channels.c | 3 +++ channels.h | 2 ++ 3 files changed, 12 insertions(+) diff --git a/ChangeLog b/ChangeLog index b7a09812..3b79b5d2 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,10 @@ +20130801 + - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non- + blocking connecting socket will clear any stored errno that might + otherwise have been retrievable via getsockopt(). A hack to limit writes + to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap + it in an #ifdef. Diagnosis and patch from Ivo Raisr. + 20130725 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/07/20 22:20:42 diff --git a/channels.c b/channels.c index 9e87bfb9..281df380 100644 --- a/channels.c +++ b/channels.c @@ -248,7 +248,10 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd, if ((c->isatty = is_tty) != 0) debug2("channel %d: rfd %d isatty", c->self, c->rfd); +#ifdef _AIX + /* XXX: Later AIX versions can't push as much data to tty */ c->wfd_isatty = is_tty || isatty(c->wfd); +#endif /* enable nonblocking mode */ if (nonblock) { diff --git a/channels.h b/channels.h index ffd58072..4fab9d7c 100644 --- a/channels.h +++ b/channels.h @@ -103,7 +103,9 @@ struct Channel { int sock; /* sock fd */ int ctl_chan; /* control channel (multiplexed connections) */ int isatty; /* rfd is a tty */ +#ifdef _AIX int wfd_isatty; /* wfd is a tty */ +#endif int client_tty; /* (client) TTY has been requested */ int force_drain; /* force close on iEOF */ time_t notbefore; /* Pause IO until deadline (time_t) */ -- cgit v1.2.1 From 100b9f156bb80a18b1cf14e9ac462b842d847e75 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 1 Aug 2013 04:34:16 +0000 Subject: - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134 --- ChangeLog | 1 + sshlogin.h | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3b79b5d2..fdce7056 100644 --- a/ChangeLog +++ b/ChangeLog 
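Review bot: Wrapping the `wfd_isatty` member in `#ifdef _AIX` changes the layout of `struct Channel` per platform, so any other reference to `c->wfd_isatty` (the write-capping code this field exists for is not visible in these hunks) must sit under the same guard or non-AIX builds break. An alternative that keeps the struct uniform and still avoids the Solaris errno clobbering is to preserve errno around the probe: `{ int oerrno = errno; c->wfd_isatty = is_tty || isatty(c->wfd); errno = oerrno; }`. Whichever is kept, the channels.h field deserves `/* AIX only: used to cap the size of writes to ttys */` so the conditional member is not mistaken for dead code.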
@@ -4,6 +4,7 @@ otherwise have been retrievable via getsockopt(). A hack to limit writes to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap it in an #ifdef. Diagnosis and patch from Ivo Raisr. + - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134 20130725 - (djm) OpenBSD CVS Sync diff --git a/sshlogin.h b/sshlogin.h index 500d3fef..52119a97 100644 --- a/sshlogin.h +++ b/sshlogin.h @@ -15,7 +15,7 @@ void record_login(pid_t, const char *, const char *, uid_t, const char *, struct sockaddr *, socklen_t); void record_logout(pid_t, const char *, const char *); -time_t get_last_login_time(uid_t, const char *, char *, u_int); +time_t get_last_login_time(uid_t, const char *, char *, size_t); #ifdef LOGIN_NEEDS_UTMPX void record_utmp_only(pid_t, const char *, const char *, const char *, -- cgit v1.2.1 From 54706ec3e7ad81821476b9fac6333f18ef48b344 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 4 Aug 2013 11:48:41 +0000 Subject: - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support for building with older Heimdal versions. ok djm. --- ChangeLog | 4 ++++ auth-krb5.c | 9 +++++++++ configure.ac | 9 +++++++-- openbsd-compat/bsd-misc.h | 10 +++++++++- 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index fdce7056..997c5b54 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130804 + - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support + for building with older Heimdal versions. ok djm. + 20130801 - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non- blocking connecting socket will clear any stored errno that might diff --git a/auth-krb5.c b/auth-krb5.c index 43ee9272..7c83f597 100644 --- a/auth-krb5.c +++ b/auth-krb5.c 
@@ -97,8 +97,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password) goto out; #ifdef HEIMDAL +# ifdef HAVE_KRB5_CC_NEW_UNIQUE problem = krb5_cc_new_unique(authctxt->krb5_ctx, krb5_mcc_ops.prefix, NULL, &ccache); +# else + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); +# endif if (problem) goto out; @@ -117,8 +121,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; +# ifdef HAVE_KRB5_CC_NEW_UNIQUE problem = krb5_cc_new_unique(authctxt->krb5_ctx, krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache); +# else + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, + &authctxt->krb5_fwd_ccache); +# endif if (problem) goto out; diff --git a/configure.ac b/configure.ac index e6ec2768..4a1b5033 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.535 2013/06/11 01:26:10 dtucker Exp $ +# $Id: configure.ac,v 1.536 2013/08/04 11:48:41 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.535 $) +AC_REVISION($Revision: 1.536 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3806,6 +3806,11 @@ AC_ARG_WITH([kerberos5], # include #endif ]]) + saved_LIBS="$LIBS" + LIBS="$LIBS $K5LIBS" + AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message]) + LIBS="$saved_LIBS" + fi ] ) diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index 9ebd83c3..65c18ec2 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -1,4 +1,4 @@ -/* $Id: bsd-misc.h,v 1.24 2013/05/29 22:29:09 dtucker Exp $ */ +/* $Id: bsd-misc.h,v 1.25 2013/08/04 11:48:41 dtucker Exp $ */ /* * Copyright (c) 1999-2004 Damien Miller 
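Review bot: The `# ifdef HAVE_KRB5_CC_NEW_UNIQUE` / `# else` pair is written out twice in auth_krb5_password (once for `krb5_mcc_ops`, once for `krb5_fcc_ops`), and the two branches differ only in which ops table and ccache they receive; a small static helper under the existing `#ifdef HEIMDAL` would keep both call sites identical and put the compatibility choice in one place. `krb5_cc_gen_new` is the older Heimdal API this fallback targets; as far as I recall newer Heimdal marks it deprecated, so a one-line comment saying the branch is only for builds where configure did not find `krb5_cc_new_unique` would tell the next reader why it is there. auth_krb5_password continues outside both hunks.
```c
/* Allocate a new, uniquely named credential cache of type 'ops' using
 * whichever Heimdal API this build has (configure probes for
 * krb5_cc_new_unique; older Heimdal only has krb5_cc_gen_new). */
static krb5_error_code
ssh_krb5_cc_new_unique(krb5_context ctx, const krb5_cc_ops *ops,
    krb5_ccache *ccache)
{
#ifdef HAVE_KRB5_CC_NEW_UNIQUE
	return krb5_cc_new_unique(ctx, ops->prefix, NULL, ccache);
#else
	return krb5_cc_gen_new(ctx, ops, ccache);
#endif
}

/* … unchanged: start of auth_krb5_password … */
	problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx, &krb5_mcc_ops,
	    &ccache);
/* … unchanged: TGT verification … */
	problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx, &krb5_fcc_ops,
	    &authctxt->krb5_fwd_ccache);
```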
@@ -114,4 +114,12 @@ pid_t getpgid(pid_t); # define endgrent() {} #endif +#ifndef HAVE_KRB5_GET_ERROR_MESSAGE +# define krb5_get_error_message krb5_get_err_text +#endif + +#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE +# define krb5_free_error_message(a,b) while(0) +#endif + #endif /* _BSD_MISC_H */ -- cgit v1.2.1 From c5837d60ef23920bd831f3ae125d79e2a654b252 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 8 Aug 2013 00:58:49 +0000 Subject: - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, run "make clean" before a complete regress run. ok djm. --- ChangeLog | 5 +++++ regress/Makefile | 2 +- regress/test-exec.sh | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 997c5b54..3ca13ebe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130808 + - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt + since some platforms (eg really old FreeBSD) don't have it. Instead, + run "make clean" before a complete regress run. ok djm. + 20130804 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support for building with older Heimdal versions. ok djm. diff --git a/regress/Makefile b/regress/Makefile index ab2a6ae7..3d1b669e 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec -tests: $(REGRESS_TARGETS) +tests: clean $(REGRESS_TARGETS) # Interop tests are not run by default interop interop-tests: t-exec-interop diff --git a/regress/test-exec.sh b/regress/test-exec.sh index eee44626..9e66f926 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh 
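Review bot: `# define krb5_free_error_message(a,b) while(0)` expands to an empty loop statement rather than an expression, so it cannot appear in expression position and leaves both arguments unreferenced (unused-variable warnings at call sites on builds without the real function); the conventional no-op is `# define krb5_free_error_message(a,b) ((void)(a), (void)(b))`. The `krb5_get_error_message` → `krb5_get_err_text` mapping relies on the two taking the same (context, code) arguments and both returning a string the caller must not free on the old API — a one-line comment stating that assumption would help whoever next touches the Kerberos error path. Since the configure.ac hunk only probes these functions inside the `--with-kerberos5` block, the HAVE_ macros are also undefined on non-Kerberos builds and both defines are then visible file-wide; harmless as long as nothing else uses those names, but worth knowing.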
@@ -368,7 +368,7 @@ rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER trace "generate keys" for t in rsa rsa1; do # generate user key - if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then + if [ ! -f $OBJ/$t ]; then rm -f $OBJ/$t ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ fail "ssh-keygen for $t failed" -- cgit v1.2.1 From da806347b932efc9f08ea92bd122577d186bb1fe Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 8 Aug 2013 01:52:37 +0000 Subject: - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime( CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the CLOCK_MONOTONIC define but don't actually support it. Found and tested by Kevin Brott, ok djm. --- ChangeLog | 4 ++++ misc.c | 15 ++++++++++----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3ca13ebe..2813200a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, run "make clean" before a complete regress run. ok djm. + - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime( + CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the + CLOCK_MONOTONIC define but don't actually support it. Found and tested + by Kevin Brott, ok djm. 20130804 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support diff --git a/misc.c b/misc.c index 2bdfb650..85c40421 100644 --- a/misc.c +++ b/misc.c 
@@ -854,19 +854,24 @@ ms_to_timeval(struct timeval *tv, int ms) tv->tv_usec = (ms % 1000) * 1000; } +#define clock_gettime(a,b) -1 + time_t monotime(void) { #if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC) struct timespec ts; + static int gettime_failed = 0; - if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) - fatal("clock_gettime: %s", strerror(errno)); + if (!gettime_failed) { + if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) + return (ts.tv_sec); + debug3("clock_gettime: %s", strerror(errno)); + gettime_failed = 1; + } +#endif - return (ts.tv_sec); -#else return time(NULL); -#endif } void -- cgit v1.2.1 From d3cede47177bd7147918bc3ce093b223708601ae Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 8 Aug 2013 02:50:06 +0000 Subject: - (dtucker) [misc.c] Remove define added for fallback testing that was mistakenly included in the previous commit. --- ChangeLog | 2 ++ misc.c | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2813200a..40e1812d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the CLOCK_MONOTONIC define but don't actually support it. Found and tested by Kevin Brott, ok djm. + - (dtucker) [misc.c] Remove define added for fallback testing that was + mistakenly included in the previous commit. 20130804 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support diff --git a/misc.c b/misc.c index 85c40421..c3c80994 100644 --- a/misc.c +++ b/misc.c @@ -854,8 +854,6 @@ ms_to_timeval(struct timeval *tv, int ms) tv->tv_usec = (ms % 1000) * 1000; } -#define clock_gettime(a,b) -1 - time_t monotime(void) { -- cgit v1.2.1 From 4a6dbb94f66e701e60311b60a2659730cf09c726 Mon Sep 17 00:00:00 2001 
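Review bot: monotime() silently changes contract on failure: once `gettime_failed` is set, every later call returns `time(NULL)`, which is wall-clock time and can step backwards or forwards under NTP, so any deadline or rekey interval computed from it can misfire, and nothing in the function says so. A header comment should state this, e.g. `/* Seconds from CLOCK_MONOTONIC when available; after the first clock_gettime() failure (logged once at debug3) falls back permanently to non-monotonic time(2). */`. The `#define clock_gettime(a,b) -1` at the top of the hunk forces every build down that fallback path; the following commit in this series removes it, so the only remaining ask is that it not recur.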
From: dtucker Date: Thu, 8 Aug 2013 07:02:12 +0000 Subject: - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt removal. The "make clean" removes modpipe which is built by the top-level directory before running the tests. Spotted by tim@ --- ChangeLog | 3 +++ regress/Makefile | 2 +- regress/test-exec.sh | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 40e1812d..12429fd5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ by Kevin Brott, ok djm. - (dtucker) [misc.c] Remove define added for fallback testing that was mistakenly included in the previous commit. + - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt + removal. The "make clean" removes modpipe which is built by the top-level + directory before running the tests. Spotted by tim@ 20130804 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support diff --git a/regress/Makefile b/regress/Makefile index 3d1b669e..ab2a6ae7 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec -tests: clean $(REGRESS_TARGETS) +tests: $(REGRESS_TARGETS) # Interop tests are not run by default interop interop-tests: t-exec-interop diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 9e66f926..eee44626 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -368,7 +368,7 @@ rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER trace "generate keys" for t in rsa rsa1; do # generate user key - if [ ! -f $OBJ/$t ]; then + if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then rm -f $OBJ/$t ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ fail "ssh-keygen for $t failed" -- cgit v1.2.1 From a375290d4bf9021e741c9f2b124fd76fcb812908 Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 20 Aug 2013 16:38:51 +0000 Subject: - djm@cvs.openbsd.org 2013/08/06 23:03:49 [sftp.c] fix some whitespace at EOL make list of commands an enum rather than a long list of defines add -a to usage() --- ChangeLog | 8 +++++ sftp.c | 106 ++++++++++++++++++++++++++++++++------------------------------ 2 files changed, 62 insertions(+), 52 deletions(-) diff --git a/ChangeLog b/ChangeLog index 12429fd5..913716bb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20130821 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/08/06 23:03:49 + [sftp.c] + fix some whitespace at EOL + make list of commands an enum rather than a long list of defines + add -a to usage() + 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, diff --git a/sftp.c b/sftp.c index 969328de..c68fb2cf 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.148 2013/07/25 00:56:52 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.149 2013/08/06 23:03:49 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * 
@@ -129,32 +129,34 @@ extern char *__progname; #define SORT_FLAGS (LS_NAME_SORT|LS_TIME_SORT|LS_SIZE_SORT) /* Commands for interactive mode */ -#define I_CHDIR 1 -#define I_CHGRP 2 -#define I_CHMOD 3 -#define I_CHOWN 4 -#define I_DF 24 -#define I_GET 5 -#define I_HELP 6 -#define I_LCHDIR 7 -#define I_LINK 25 -#define I_LLS 8 -#define I_LMKDIR 9 -#define I_LPWD 10 -#define I_LS 11 -#define I_LUMASK 12 -#define I_MKDIR 13 -#define I_PUT 14 -#define I_PWD 15 -#define I_QUIT 16 -#define I_RENAME 17 -#define I_RM 18 -#define I_RMDIR 19 -#define I_SHELL 20 -#define I_SYMLINK 21 -#define I_VERSION 22 -#define I_PROGRESS 23 -#define I_REGET 26 +enum sftp_command { + I_CHDIR = 1, + I_CHGRP, + I_CHMOD, + I_CHOWN, + I_DF, + I_GET, + I_HELP, + I_LCHDIR, + I_LINK, + I_LLS, + I_LMKDIR, + I_LPWD, + I_LS, + I_LUMASK, + I_MKDIR, + I_PUT, + I_PWD, + I_QUIT, + I_RENAME, + I_RM, + I_RMDIR, + I_SHELL, + I_SYMLINK, + I_VERSION, + I_PROGRESS, + I_REGET, +}; struct CMD { const char *c; @@ -647,7 +649,7 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, error("stat %s: %s", g.gl_pathv[i], strerror(errno)); continue; } - + tmp = xstrdup(g.gl_pathv[i]); if ((filename = basename(tmp)) == NULL) { error("basename %s: %s", tmp, strerror(errno)); @@ -975,7 +977,7 @@ undo_glob_escape(char *s) * * If "lastquote" is not NULL, the quoting character used for the last * argument is placed in *lastquote ("\0", "'" or "\""). - * + * * If "terminated" is not NULL, *terminated will be set to 1 when the * last argument's quote has been properly terminated or 0 otherwise. * This parameter is only of use if "sloppy" is set. @@ -1024,7 +1026,7 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, state = q; if (lastquote != NULL) *lastquote = arg[i]; - } else if (state == MA_UNQUOTED) + } else if (state == MA_UNQUOTED) state = q; else if (state == q) state = MA_UNQUOTED; 
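Review bot: Turning the `#define`s into `enum sftp_command` renumbers every command (I_DF goes from 24 to 5, I_LINK from 25 to 9, I_REGET from 26 to 26 only by coincidence), which is safe only if the values are used purely as identities in the `struct CMD` table and the `switch` in parse_args and are never persisted, indexed or compared numerically; that cannot be confirmed from this hunk. A one-line comment above the enum, `/* Values are opaque identifiers; only identity matters, ordering is not significant. */`, would record the assumption for the next reader. The remaining hunks in this commit are whitespace-only.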
@@ -1567,7 +1569,7 @@ complete_display(char **list, u_int len) char *tmp; /* Count entries for sort and find longest */ - for (y = 0; list[y]; y++) + for (y = 0; list[y]; y++) m = MAX(m, strlen(list[y])); if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) @@ -1612,8 +1614,8 @@ complete_ambiguous(const char *word, char **list, size_t count) for (y = 1; list[y]; y++) { u_int x; - for (x = 0; x < matchlen; x++) - if (list[0][x] != list[y][x]) + for (x = 0; x < matchlen; x++) + if (list[0][x] != list[y][x]) break; matchlen = x; @@ -1625,7 +1627,7 @@ complete_ambiguous(const char *word, char **list, size_t count) tmp[matchlen] = '\0'; return tmp; } - } + } return xstrdup(word); } @@ -1645,12 +1647,12 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, if (cmd == NULL) { for (y = 0; cmds[y].c; y++) list[count++] = xstrdup(cmds[y].c); - + list[count] = NULL; complete_display(list, 0); - for (y = 0; list[y] != NULL; y++) - free(list[y]); + for (y = 0; list[y] != NULL; y++) + free(list[y]); free(list); return count; } @@ -1658,7 +1660,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, /* Prepare subset of commands that start with "cmd" */ cmdlen = strlen(cmd); for (y = 0; cmds[y].c; y++) { - if (!strncasecmp(cmd, cmds[y].c, cmdlen)) + if (!strncasecmp(cmd, cmds[y].c, cmdlen)) list[count++] = xstrdup(cmds[y].c); } list[count] = NULL; @@ -1673,8 +1675,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, if (count > 1) complete_display(list, 0); - for (y = 0; list[y]; y++) - free(list[y]); + for (y = 0; list[y]; y++) + free(list[y]); free(list); if (tmp != NULL) { @@ -1714,7 +1716,7 @@ complete_is_remote(char *cmd) { return -1; for (i = 0; cmds[i].c; i++) { - if (!strncasecmp(cmd, cmds[i].c, strlen(cmds[i].c))) + if (!strncasecmp(cmd, cmds[i].c, strlen(cmds[i].c))) return cmds[i].t; } 
@@ -1731,7 +1733,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; int clen; const LineInfo *lf; - + /* Glob from "file" location */ if (file == NULL) tmp = xstrdup("*"); @@ -1745,9 +1747,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (remote != LOCAL) { tmp = make_absolute(tmp, remote_path); remote_glob(conn, tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g); - } else + } else glob(tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g); - + /* Determine length of pwd so we can trim completion display */ for (hadglob = tmplen = pwdlen = 0; tmp[tmplen] != 0; tmplen++) { /* Terminate counting on first unescaped glob metacharacter */ @@ -1763,7 +1765,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, } free(tmp); - if (g.gl_matchc == 0) + if (g.gl_matchc == 0) goto out; if (g.gl_matchc > 1) @@ -1796,7 +1798,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (tmplen > (filelen - cesc)) { tmp2 = tmp + filelen - cesc; - len = strlen(tmp2); + len = strlen(tmp2); /* quote argument on way out */ for (i = 0; i < len; i += clen) { if ((clen = mblen(tmp2 + i, len - i)) < 0 || @@ -1852,7 +1854,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, static unsigned char complete(EditLine *el, int ch) { - char **argv, *line, quote; + char **argv, *line, quote; int argc, carg; u_int cursor, len, terminated, ret = CC_ERROR; const LineInfo *lf; @@ -1891,7 +1893,7 @@ complete(EditLine *el, int ch) } else if (carg == 1 && cursor > 0 && line[cursor - 1] != ' ') { /* Handle the command parsing */ if (complete_cmd_parse(el, argv[0], argc == carg, - quote, terminated) != 0) + quote, terminated) != 0) ret = CC_REDISPLAY; } else if (carg >= 1) { /* Handle file parsing */ 
@@ -1904,11 +1906,11 @@ complete(EditLine *el, int ch) if (remote != 0 && complete_match(el, complete_ctx->conn, *complete_ctx->remote_pathp, filematch, - remote, carg == argc, quote, terminated) != 0) + remote, carg == argc, quote, terminated) != 0) ret = CC_REDISPLAY; } - free(line); + free(line); return ret; } #endif /* USE_LIBEDIT */ @@ -1942,7 +1944,7 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) el_source(el, NULL); /* Tab Completion */ - el_set(el, EL_ADDFN, "ftp-complete", + el_set(el, EL_ADDFN, "ftp-complete", "Context sensitive argument completion", complete); complete_ctx.conn = conn; complete_ctx.remote_pathp = &remote_path; @@ -2116,7 +2118,7 @@ usage(void) extern char *__progname; fprintf(stderr, - "usage: %s [-1246Cpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" + "usage: %s [-1246Capqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" " [-D sftp_server_path] [-F ssh_config] " "[-i identity_file] [-l limit]\n" " [-o ssh_option] [-P port] [-R num_requests] " -- cgit v1.2.1 From 562cfce511a07cdb8f40d5268bf4dfb495b75140 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:39:39 +0000 Subject: - djm@cvs.openbsd.org 2013/08/06 23:05:01 [sftp.1] document top-level -a option (the -a option to 'get' was already documented) --- ChangeLog | 4 ++++ sftp.1 | 15 ++++++++++----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 913716bb..d7f5a59c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ fix some whitespace at EOL make list of commands an enum rather than a long list of defines add -a to usage() + - djm@cvs.openbsd.org 2013/08/06 23:05:01 + [sftp.1] + document top-level -a option (the -a option to 'get' was already + documented) 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp.1 b/sftp.1 index 2577fe87..e75a81a7 100644 --- a/sftp.1 +++ b/sftp.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.92 2013/07/25 00:56:51 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.93 2013/08/06 23:05:01 djm Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 25 2013 $ +.Dd $Mdocdate: August 6 2013 $ .Dt SFTP 1 .Os .Sh NAME @@ -31,7 +31,7 @@ .Sh SYNOPSIS .Nm sftp .Bk -words -.Op Fl 1246Cpqrv +.Op Fl 1246Capqrv .Op Fl B Ar buffer_size .Op Fl b Ar batchfile .Op Fl c Ar cipher @@ -114,6 +114,11 @@ uses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 32768 bytes. +.It Fl a +Attempt to continue interrupted downloads rather than overwriting existing +partial or complete copies of files. +If the remote file contents differ from the partial local copy then the +resultant file is likely to be corrupt. .It Fl b Ar batchfile Batch mode reads a series of commands from an input .Ar batchfile @@ -368,8 +373,8 @@ If the flag is specified, then attempt to resume partial transfers of existing files. Note that resumption assumes that any partial copy of the local file matches the remote copy. -If the remote file differs from the partial local copy then the resultant file -is likely to be corrupt. +If the remote file contents differ from the partial local copy then the +resultant file is likely to be corrupt. .Pp If either the .Fl P -- cgit v1.2.1 From ce69054da96baf14b576683f8de79c2abe35bf5e Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:40:01 +0000 Subject: - djm@cvs.openbsd.org 2013/08/06 23:06:01 [servconf.c] add cast to avoid format warning; from portable --- ChangeLog | 3 +++ servconf.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d7f5a59c..5f753198 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -9,6 +9,9 @@ [sftp.1] document top-level -a option (the -a option to 'get' was already documented) + - djm@cvs.openbsd.org 2013/08/06 23:06:01 + [servconf.c] + add cast to avoid format warning; from portable 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/servconf.c b/servconf.c index 747edde6..c761ff01 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */ +/* $OpenBSD: servconf.c,v 1.241 2013/08/06 23:06:01 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -2063,7 +2063,8 @@ dump_config(ServerOptions *o) printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); printf("%s\n", iptos2str(o->ip_qos_bulk)); - printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); + printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, + o->rekey_interval); channel_print_adm_permitted_opens(); } -- cgit v1.2.1 From 2fddf1319b256820c0ca60876455f63f8d214f4a Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:40:21 +0000 Subject: - jmc@cvs.openbsd.org 2013/08/07 06:24:51 [sftp.1 sftp.c] sort -a; --- ChangeLog | 3 +++ sftp.1 | 16 ++++++++-------- sftp.c | 4 ++-- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5f753198..295c42ab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ - djm@cvs.openbsd.org 2013/08/06 23:06:01 [servconf.c] add cast to avoid format warning; from portable + - jmc@cvs.openbsd.org 2013/08/07 06:24:51 + [sftp.1 sftp.c] + sort -a; 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp.1 b/sftp.1 index e75a81a7..85d64a7f 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.93 2013/08/06 23:05:01 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.94 2013/08/07 06:24:51 jmc Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" 
@@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 6 2013 $ +.Dd $Mdocdate: August 7 2013 $ .Dt SFTP 1 .Os .Sh NAME @@ -31,7 +31,7 @@ .Sh SYNOPSIS .Nm sftp .Bk -words -.Op Fl 1246Capqrv +.Op Fl 1246aCpqrv .Op Fl B Ar buffer_size .Op Fl b Ar batchfile .Op Fl c Ar cipher @@ -107,6 +107,11 @@ to use IPv4 addresses only. Forces .Nm to use IPv6 addresses only. +.It Fl a +Attempt to continue interrupted downloads rather than overwriting existing +partial or complete copies of files. +If the remote file contents differ from the partial local copy then the +resultant file is likely to be corrupt. .It Fl B Ar buffer_size Specify the size of the buffer that .Nm @@ -114,11 +119,6 @@ uses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 32768 bytes. -.It Fl a -Attempt to continue interrupted downloads rather than overwriting existing -partial or complete copies of files. -If the remote file contents differ from the partial local copy then the -resultant file is likely to be corrupt. .It Fl b Ar batchfile Batch mode reads a series of commands from an input .Ar batchfile diff --git a/sftp.c b/sftp.c index c68fb2cf..4e1a026f 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.149 2013/08/06 23:03:49 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.150 2013/08/07 06:24:51 jmc Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -2118,7 +2118,7 @@ usage(void) extern char *__progname; fprintf(stderr, - "usage: %s [-1246Capqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" + "usage: %s [-1246aCpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" " [-D sftp_server_path] [-F ssh_config] " "[-i identity_file] [-l limit]\n" " [-o ssh_option] [-P port] [-R num_requests] " -- cgit v1.2.1 From 87fe242ca80eb649281f9403543cfd35d7a9ae62 Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 20 Aug 2013 16:40:44 +0000 Subject: - djm@cvs.openbsd.org 2013/08/08 04:52:04 [sftp.c] fix two year old regression: symlinking a file would incorrectly canonicalise the target path. bz#2129 report from delphij AT freebsd.org --- ChangeLog | 4 ++++ sftp.c | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 295c42ab..16bb10b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ - jmc@cvs.openbsd.org 2013/08/07 06:24:51 [sftp.1 sftp.c] sort -a; + - djm@cvs.openbsd.org 2013/08/08 04:52:04 + [sftp.c] + fix two year old regression: symlinking a file would incorrectly + canonicalise the target path. bz#2129 report from delphij AT freebsd.org 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp.c b/sftp.c index 4e1a026f..6f16f7cc 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.150 2013/08/07 06:24:51 jmc Exp $ */ +/* $OpenBSD: sftp.c,v 1.151 2013/08/08 04:52:04 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1358,7 +1358,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, case I_SYMLINK: sflag = 1; case I_LINK: - path1 = make_absolute(path1, *pwd); + if (!sflag) + path1 = make_absolute(path1, *pwd); path2 = make_absolute(path2, *pwd); err = (sflag ? do_symlink : do_hardlink)(conn, path1, path2); break; -- cgit v1.2.1 From 47e9415454e7abe1c8ec2f9b7f06f0850e7cceb8 Mon Sep 17 00:00:00 2001 
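Review bot: `case I_SYMLINK: sflag = 1;` still falls into `case I_LINK:` with no fallthrough marker, and the new `if (!sflag)` guard only makes sense to a reader who has noticed that; a `/* FALLTHROUGH */` after `sflag = 1;` and a comment on the guard — `/* Symlink targets are sent verbatim: the server interprets them relative to the link, so canonicalising here breaks relative links (bz#2129). */` — would stop the regression from reappearing the next time someone "tidies" the case. parse_dispatch_command continues outside the hunk.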
From: djm Date: Tue, 20 Aug 2013 16:41:15 +0000 Subject: - djm@cvs.openbsd.org 2013/08/08 05:04:03 [sftp-client.c sftp-client.h sftp.c] add a "-l" flag for the rename command to force it to use the silly standard SSH_FXP_RENAME command instead of the POSIX-rename- like posix-rename@openssh.com extension. intended for use in regress tests, so no documentation. --- ChangeLog | 6 ++++++ sftp-client.c | 12 +++++++----- sftp-client.h | 4 ++-- sftp.c | 35 ++++++++++++++++++++++++++++++++--- 4 files changed, 47 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 16bb10b4..cd46b83a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,7 +19,13 @@ [sftp.c] fix two year old regression: symlinking a file would incorrectly canonicalise the target path. bz#2129 report from delphij AT freebsd.org + - djm@cvs.openbsd.org 2013/08/08 05:04:03 + [sftp-client.c sftp-client.h sftp.c] + add a "-l" flag for the rename command to force it to use the silly + standard SSH_FXP_RENAME command instead of the POSIX-rename- like + posix-rename@openssh.com extension. + intended for use in regress tests, so no documentation. 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, diff --git a/sftp-client.c b/sftp-client.c index f4f1970b..0eeb73c8 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.101 2013/07/25 00:56:51 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.102 2013/08/08 05:04:03 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * 
@@ -768,16 +768,18 @@ do_realpath(struct sftp_conn *conn, char *path) } int -do_rename(struct sftp_conn *conn, char *oldpath, char *newpath) +do_rename(struct sftp_conn *conn, char *oldpath, char *newpath, + int force_legacy) { Buffer msg; u_int status, id; + int use_ext = (conn->exts & SFTP_EXT_POSIX_RENAME) && !force_legacy; buffer_init(&msg); /* Send rename request */ id = conn->msg_id++; - if ((conn->exts & SFTP_EXT_POSIX_RENAME)) { + if (use_ext) { buffer_put_char(&msg, SSH2_FXP_EXTENDED); buffer_put_int(&msg, id); buffer_put_cstring(&msg, "posix-rename@openssh.com"); @@ -789,8 +791,8 @@ do_rename(struct sftp_conn *conn, char *oldpath, char *newpath) buffer_put_cstring(&msg, newpath); send_msg(conn, &msg); debug3("Sent message %s \"%s\" -> \"%s\"", - (conn->exts & SFTP_EXT_POSIX_RENAME) ? "posix-rename@openssh.com" : - "SSH2_FXP_RENAME", oldpath, newpath); + use_ext ? "posix-rename@openssh.com" : "SSH2_FXP_RENAME", + oldpath, newpath); buffer_free(&msg); status = get_status(conn, id); diff --git a/sftp-client.h b/sftp-client.h index 111a998c..dc54cfe3 100644 --- a/sftp-client.h +++ b/sftp-client.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.h,v 1.21 2013/07/25 00:56:51 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.22 2013/08/08 05:04:03 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller @@ -92,7 +92,7 @@ char *do_realpath(struct sftp_conn *, char *); int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int); /* Rename 'oldpath' to 'newpath' */ -int do_rename(struct sftp_conn *, char *, char *); +int do_rename(struct sftp_conn *, char *, char *m, int force_legacy); /* Link 'oldpath' to 'newpath' */ int do_hardlink(struct sftp_conn *, char *, char *); diff --git a/sftp.c b/sftp.c index 6f16f7cc..66ab2b0d 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.151 2013/08/08 04:52:04 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.152 2013/08/08 05:04:03 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * 
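Review bot: The new prototype in sftp-client.h reads `char *, char *m, int force_legacy` — the lone `m` looks like an editing leftover; either drop it (`int do_rename(struct sftp_conn *, char *, char *, int);`) or name every parameter to match the definition. The comment above it, `/* Rename 'oldpath' to 'newpath' */`, should also say that a non-zero `force_legacy` selects SSH_FXP_RENAME even when the server advertises posix-rename@openssh.com, since that is the whole reason the parameter exists. Folding both conditions into `use_ext` in sftp-client.c and reusing it in the debug3 is good: the logged request type can no longer disagree with what went on the wire.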
@@ -414,6 +414,30 @@ parse_link_flags(const char *cmd, char **argv, int argc, int *sflag) return optind; } +static int +parse_rename_flags(const char *cmd, char **argv, int argc, int *lflag) +{ + extern int opterr, optind, optopt, optreset; + int ch; + + optind = optreset = 1; + opterr = 0; + + *lflag = 0; + while ((ch = getopt(argc, argv, "l")) != -1) { + switch (ch) { + case 'l': + *lflag = 1; + break; + default: + error("%s: Invalid flag -%c", cmd, optopt); + return -1; + } + } + + return optind; +} + static int parse_ls_flags(char **argv, int argc, int *lflag) { @@ -1210,8 +1234,13 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, case I_LINK: if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1) return -1; - case I_SYMLINK: + goto parse_two_paths; case I_RENAME: + if ((optidx = parse_rename_flags(cmd, argv, argc, lflag)) == -1) + return -1; + goto parse_two_paths; + case I_SYMLINK: + parse_two_paths: if (argc - optidx < 2) { error("You must specify two paths after a %s " "command.", cmd); @@ -1353,7 +1382,7 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, case I_RENAME: path1 = make_absolute(path1, *pwd); path2 = make_absolute(path2, *pwd); - err = do_rename(conn, path1, path2); + err = do_rename(conn, path1, path2, lflag); break; case I_SYMLINK: sflag = 1; -- cgit v1.2.1 From 04b362dc850aeb6335def3e5c820e0286642b29f Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:41:46 +0000 Subject: - djm@cvs.openbsd.org 2013/08/09 03:37:25 [sftp.c] do getopt parsing for all sftp commands (with an empty optstring for commands without arguments) to ensure consistent behaviour --- ChangeLog | 5 +++++ sftp.c | 30 +++++++++++++++++++++++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index cd46b83a..f78dce6e 100644 --- a/ChangeLog +++ b/ChangeLog 
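Review bot: `parse_rename_flags` repeats the getopt prologue (`extern int opterr, optind, optopt, optreset;`, `optind = optreset = 1;`, `opterr = 0;`) that `parse_link_flags` directly above already has; if a third copy is on its way, a shared reset helper would keep the per-command parsers to their switch bodies. The `parse_two_paths:` label sits inside `case I_SYMLINK:` and is reached by `goto` from I_LINK and I_RENAME, which works but reads as a jump into another case; a comment above it, `/* I_LINK and I_RENAME jump here after parsing their own flags */`, would help. In this commit I_SYMLINK reaches the label without running any flag parser, so `optidx` presumably still holds the initial value set outside the hunk; the next commit in this series adds `parse_no_flags` there. parse_args continues outside the hunk.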
@@ -26,6 +26,11 @@ posix-rename@openssh.com extension. intended for use in regress tests, so no documentation. + - djm@cvs.openbsd.org 2013/08/09 03:37:25 + [sftp.c] + do getopt parsing for all sftp commands (with an empty optstring for + commands without arguments) to ensure consistent behaviour + 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, diff --git a/sftp.c b/sftp.c index 66ab2b0d..1ddfef6b 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.152 2013/08/08 05:04:03 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.153 2013/08/09 03:37:25 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -518,6 +518,26 @@ parse_df_flags(const char *cmd, char **argv, int argc, int *hflag, int *iflag) return optind; } +static int +parse_no_flags(const char *cmd, char **argv, int argc) +{ + extern int opterr, optind, optopt, optreset; + int ch; + + optind = optreset = 1; + opterr = 0; + + while ((ch = getopt(argc, argv, "")) != -1) { + switch (ch) { + default: + error("%s: Invalid flag -%c", cmd, optopt); + return -1; + } + } + + return optind; +} + static int is_dir(char *path) { @@ -1240,6 +1260,8 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, return -1; goto parse_two_paths; case I_SYMLINK: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; parse_two_paths: if (argc - optidx < 2) { error("You must specify two paths after a %s " @@ -1258,6 +1280,8 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, case I_CHDIR: case I_LCHDIR: case I_LMKDIR: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; /* Get pathname (mandatory) */ if (argc - optidx < 1) { error("You must specify a path after a %s command.", 
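Review bot: With an empty optstring, getopt() in parse_no_flags treats every argument that starts with `-` (other than a lone `-` or `--`) as an invalid flag, so the single-path commands that now call it, such as `cd`, `lcd` and `lmkdir`, can no longer take a name beginning with a dash unless the user writes `--` first; that is a user-visible change and the diffstat shows sftp.1 is not updated to mention the `--` terminator. Consider documenting it in sftp.1 and adding above the function: `/* Accepts no flags; "--" still ends option parsing so dash-prefixed paths remain reachable. */`. parse_no_flags also repeats the optind/optreset/opterr reset that parse_link_flags and parse_rename_flags already contain, so a shared helper would keep the copies from drifting.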
@@ -1299,6 +1323,8 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, base = 8; case I_CHOWN: case I_CHGRP: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; /* Get numeric arg (mandatory) */ if (argc - optidx < 1) goto need_num_arg; @@ -1329,6 +1355,8 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, case I_HELP: case I_VERSION: case I_PROGRESS: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; break; default: fatal("Command not implemented"); -- cgit v1.2.1 From ab3c54a600a445302c3da7e950aad5cd42e9e421 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:42:12 +0000 Subject: - djm@cvs.openbsd.org 2013/08/09 03:39:13 [sftp-client.c] two problems found by a to-be-committed regress test: 1) msg_id was not being initialised so was starting at a random value from the heap (harmless, but confusing). 2) some error conditions were not being propagated back to the caller --- ChangeLog | 6 ++++++ sftp-client.c | 8 +++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f78dce6e..7e486302 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,12 @@ [sftp.c] do getopt parsing for all sftp commands (with an empty optstring for commands without arguments) to ensure consistent behaviour + - djm@cvs.openbsd.org 2013/08/09 03:39:13 + [sftp-client.c] + two problems found by a to-be-committed regress test: 1) msg_id was not + being initialised so was starting at a random value from the heap + (harmless, but confusing). 2) some error conditions were not being + propagated back to the caller 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp-client.c b/sftp-client.c index 0eeb73c8..f2ce9deb 100644 --- a/sftp-client.c +++ b/sftp-client.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.102 2013/08/08 05:04:03 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.103 2013/08/09 03:39:13 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -337,7 +337,8 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests, Buffer msg; struct sftp_conn *ret; - ret = xmalloc(sizeof(*ret)); + ret = xcalloc(1, sizeof(*ret)); + ret->msg_id = 1; ret->fd_in = fd_in; ret->fd_out = fd_out; ret->transfer_buflen = transfer_buflen; @@ -1221,6 +1222,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, if (read_error) { error("Couldn't read from remote file \"%s\" : %s", remote_path, fx2txt(status)); + status = -1; do_close(conn, handle, handle_len); } else if (write_error) { error("Couldn't write to \"%s\": %s", local_path, @@ -1229,7 +1231,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, do_close(conn, handle, handle_len); } else { status = do_close(conn, handle, handle_len); - if (interrupted) + if (interrupted || status != SSH2_FX_OK) status = -1; /* Override umask and utimes if asked */ #ifdef HAVE_FCHMOD -- cgit v1.2.1 From 1e009f87acc97371e2ff5b3ec2fa0be81a2575fb Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:42:35 +0000 Subject: - djm@cvs.openbsd.org 2013/08/09 03:56:42 [sftp.c] enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; matching ksh's relatively recent change. --- ChangeLog | 4 ++++ sftp.c | 7 ++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 7e486302..2c8b45a3 100644 --- a/ChangeLog +++ b/ChangeLog 
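Review bot: In the read_error branch the new `status = -1;` replaces the SSH2_FX_* code that was just reported, while the final branch assigns `status` from do_close() and only then forces -1 on `interrupted || status != SSH2_FX_OK`; the write_error branch in between has its tail outside these hunks, and if it does not also force -1 the function still returns a raw fx code for one of the three failure paths. A comment at the top of the block, `/* below this point status is SSH2_FX_OK or -1; the fx code has already been logged */`, would pin the contract callers can rely on. do_download continues past the end of this hunk.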
@@ -36,6 +36,10 @@ being initialised so was starting at a random value from the heap (harmless, but confusing). 2) some error conditions were not being propagated back to the caller + - djm@cvs.openbsd.org 2013/08/09 03:56:42 + [sftp.c] + enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; + matching ksh's relatively recent change. 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp.c b/sftp.c index 1ddfef6b..e2114406 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.153 2013/08/09 03:37:25 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.154 2013/08/09 03:56:42 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -2008,6 +2008,11 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) complete_ctx.remote_pathp = &remote_path; el_set(el, EL_CLIENTDATA, (void*)&complete_ctx); el_set(el, EL_BIND, "^I", "ftp-complete", NULL); + /* enable ctrl-left-arrow and ctrl-right-arrow */ + el_set(el, EL_BIND, "\\e[1;5C", "em-next-word", NULL); + el_set(el, EL_BIND, "\\e[5C", "em-next-word", NULL); + el_set(el, EL_BIND, "\\e[1;5D", "ed-prev-word", NULL); + el_set(el, EL_BIND, "\\e\\e[D", "ed-prev-word", NULL); } #endif /* USE_LIBEDIT */ -- cgit v1.2.1 From 44f198c729577ff3d2427e51a7751b1f0d8d25f0 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:42:58 +0000 Subject: - djm@cvs.openbsd.org 2013/08/13 18:32:08 [ssh-keygen.c] typo in error message; from Stephan Rickauer --- ChangeLog | 3 +++ ssh-keygen.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2c8b45a3..2945ee79 100644 --- a/ChangeLog +++ b/ChangeLog 
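Review bot: The four bindings are not symmetric: ctrl-right is bound for `\e[1;5C` and `\e[5C`, but ctrl-left is bound for `\e[1;5D` and `\e\e[D`, with no `\e[5D` and no `\e\e[C` counterpart, so on a terminal that emits the `\e[5x` or `\e\e[x` form only one direction will work. Unless this is deliberate for a specific terminal, add `el_set(el, EL_BIND, "\\e[5D", "ed-prev-word", NULL);` and `el_set(el, EL_BIND, "\\e\\e[C", "em-next-word", NULL);`, and extend the comment to say which terminals send each sequence. interactive_loop continues outside this hunk.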
@@ -40,6 +40,9 @@ [sftp.c] enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; matching ksh's relatively recent change. + - djm@cvs.openbsd.org 2013/08/13 18:32:08 + [ssh-keygen.c] + typo in error message; from Stephan Rickauer 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/ssh-keygen.c b/ssh-keygen.c index 03c444d4..6ba64b73 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.230 2013/07/20 01:44:37 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.231 2013/08/13 18:32:08 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1963,7 +1963,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, continue; if (strncasecmp(cp, "serial:", 7) == 0) { if (ca == NULL) { - fatal("revoking certificated by serial number " + fatal("revoking certificates by serial number " "requires specification of a CA key"); } cp += 7; -- cgit v1.2.1 From d6aff06e924deb78c466355d88d77f3fde5c9893 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:43:27 +0000 Subject: - djm@cvs.openbsd.org 2013/08/13 18:33:08 [ssh-keygen.c] another of the same typo --- ChangeLog | 3 +++ ssh-keygen.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2945ee79..0199afda 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ - djm@cvs.openbsd.org 2013/08/13 18:32:08 [ssh-keygen.c] typo in error message; from Stephan Rickauer + - djm@cvs.openbsd.org 2013/08/13 18:33:08 + [ssh-keygen.c] + another of the same typo 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/ssh-keygen.c b/ssh-keygen.c index 6ba64b73..6ee8145a 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.231 2013/08/13 18:32:08 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.232 2013/08/13 18:33:08 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2000,7 +2000,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, } } else if (strncasecmp(cp, "id:", 3) == 0) { if (ca == NULL) { - fatal("revoking certificated by key ID " + fatal("revoking certificates by key ID " "requires specification of a CA key"); } cp += 3; -- cgit v1.2.1 From d0cb9e743c8ed7d3b8ff8759985f9215cf332805 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:43:49 +0000 Subject: - jmc@cvs.openbsd.org 2013/08/14 08:39:27 [scp.1 ssh.1] some Bx/Ox conversion; From: Jan Stary --- ChangeLog | 4 ++++ scp.1 | 9 +++++---- ssh.1 | 11 +++++++---- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0199afda..a3ac3d53 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,10 @@ - djm@cvs.openbsd.org 2013/08/13 18:33:08 [ssh-keygen.c] another of the same typo + - jmc@cvs.openbsd.org 2013/08/14 08:39:27 + [scp.1 ssh.1] + some Bx/Ox conversion; + From: Jan Stary 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/scp.1 b/scp.1 index c83012c9..595db326 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.59 2013/07/16 00:07:52 schwarze Exp $ +.\" $OpenBSD: scp.1,v 1.60 2013/08/14 08:39:27 jmc Exp $ .\" -.Dd $Mdocdate: July 16 2013 $ +.Dd $Mdocdate: August 14 2013 $ .Dt SCP 1 .Os .Sh NAME @@ -232,8 +232,9 @@ debugging connection, authentication, and configuration problems. .Nm is based on the .Xr rcp 1 -program in BSD source code from the Regents of the University of -California. +program in +.Bx +source code from the Regents of the University of California. .Sh AUTHORS .An Timo Rinne Aq Mt tri@iki.fi .An Tatu Ylonen Aq Mt ylo@cs.hut.fi 
diff --git a/ssh.1 b/ssh.1 index 62292cc0..09c9dbcb 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.334 2013/07/18 01:12:26 djm Exp $ -.Dd $Mdocdate: July 18 2013 $ +.\" $OpenBSD: ssh.1,v 1.335 2013/08/14 08:39:27 jmc Exp $ +.Dd $Mdocdate: August 14 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -827,9 +827,12 @@ text, and prompts for a response. Protocol 2 allows multiple challenges and responses; protocol 1 is restricted to just one challenge/response. Examples of challenge-response authentication include -BSD Authentication (see +.Bx +Authentication (see .Xr login.conf 5 ) -and PAM (some non-OpenBSD systems). +and PAM (some +.Pf non- Ox +systems). .Pp Finally, if other authentication methods fail, .Nm -- cgit v1.2.1 From bf40dd8c93f053ab1cd28f46bad35ea9b3948c75 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:44:24 +0000 Subject: - djm@cvs.openbsd.org 2013/08/20 00:11:38 [readconf.c readconf.h ssh_config.5 sshconnect.c] Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than have to shuffle data back and forth and enables ssh to use getpeername, etc. to obtain address information just like it does with regular directly-connected sockets. ok markus@ --- ChangeLog | 8 ++++ readconf.c | 12 +++++- readconf.h | 4 +- ssh_config.5 | 12 +++++- sshconnect.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++--------- 5 files changed, 137 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index a3ac3d53..6b0afa72 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,14 @@ [scp.1 ssh.1] some Bx/Ox conversion; 
From: Jan Stary + - djm@cvs.openbsd.org 2013/08/20 00:11:38 + [readconf.c readconf.h ssh_config.5 sshconnect.c] + Add a ssh_config ProxyUseFDPass option that supports the use of + ProxyCommands that establish a connection and then pass a connected + file descriptor back to ssh(1). This allows the ProxyCommand to exit + rather than have to shuffle data back and forth and enables ssh to use + getpeername, etc. to obtain address information just like it does with + regular directly-connected sockets. ok markus@ 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/readconf.c b/readconf.c index 1464430a..7450081c 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.205 2013/08/20 00:11:37 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -137,7 +137,7 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -249,6 +249,7 @@ static struct { { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, + { "proxyusefdpass", oProxyUseFdpass }, { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } @@ -1072,6 +1073,10 @@ parse_int: charptr = &options->ignored_unknown; goto parse_string; + case oProxyUseFdpass: + intptr = &options->proxy_use_fdpass; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); 
@@ -1233,6 +1238,7 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; + options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; } @@ -1385,6 +1391,8 @@ fill_default_options(Options * options) options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->request_tty == -1) options->request_tty = REQUEST_TTY_AUTO; + if (options->proxy_use_fdpass == -1) + options->proxy_use_fdpass = 0; /* options->local_command should not be set by default */ /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ diff --git a/readconf.h b/readconf.h index 23fc500d..ca4a042a 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.95 2013/05/16 04:27:50 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.96 2013/08/20 00:11:38 djm Exp $ */ /* * Author: Tatu Ylonen @@ -138,6 +138,8 @@ typedef struct { int request_tty; + int proxy_use_fdpass; + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; diff --git a/ssh_config.5 b/ssh_config.5 index 5d76c6d2..e89d694c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $ -.Dd $Mdocdate: June 27 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.167 2013/08/20 00:11:38 djm Exp $ +.Dd $Mdocdate: August 20 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -937,6 +937,14 @@ For example, the following directive would connect via an HTTP proxy at .Bd -literal -offset 3n ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p .Ed +.It Cm ProxyUseFdpass +Specifies that the a +.Cm ProxyCommand +will pass a connected file descriptor back to +.Nm ssh +instead of continuing to execute and pass data. +The default is +.Dq no . .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be diff --git a/sshconnect.c b/sshconnect.c index 483eb85a..76bb5cda 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.238 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.239 2013/08/20 00:11:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -59,6 +59,7 @@ #include "misc.h" #include "dns.h" #include "roaming.h" +#include "monitor_fdpass.h" #include "ssh2.h" #include "version.h" 
@@ -78,16 +79,113 @@ extern uid_t original_effective_uid; static int show_other_keys(struct hostkeys *, Key *); static void warn_changed_key(Key *); +/* Expand a proxy command */ +static char * +expand_proxy_command(const char *proxy_command, const char *user, + const char *host, int port) +{ + char *tmp, *ret, strport[NI_MAXSERV]; + + snprintf(strport, sizeof strport, "%hu", port); + xasprintf(&tmp, "exec %s", proxy_command); + ret = percent_expand(tmp, "h", host, "p", strport, + "r", options.user, (char *)NULL); + free(tmp); + return ret; +} + +/* + * Connect to the given ssh server using a proxy command that passes a + * a connected fd back to us. + */ +static int +ssh_proxy_fdpass_connect(const char *host, u_short port, + const char *proxy_command) +{ + char *command_string; + int sp[2], sock; + pid_t pid; + char *shell; + + if ((shell = getenv("SHELL")) == NULL) + shell = _PATH_BSHELL; + + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) + fatal("Could not create socketpair to communicate with " + "proxy dialer: %.100s", strerror(errno)); + + command_string = expand_proxy_command(proxy_command, options.user, + host, port); + debug("Executing proxy dialer command: %.500s", command_string); + + /* Fork and execute the proxy command. */ + if ((pid = fork()) == 0) { + char *argv[10]; + + /* Child. Permanently give up superuser privileges. */ + permanently_drop_suid(original_real_uid); + + close(sp[1]); + /* Redirect stdin and stdout. */ + if (sp[0] != 0) { + if (dup2(sp[0], 0) < 0) + perror("dup2 stdin"); + } + if (sp[0] != 1) { + if (dup2(sp[0], 1) < 0) + perror("dup2 stdout"); + } + if (sp[0] >= 2) + close(sp[0]); + + /* + * Stderr is left as it is so that error messages get + * printed on the user's terminal. + */ + argv[0] = shell; + argv[1] = "-c"; + argv[2] = command_string; + argv[3] = NULL; + + /* + * Execute the proxy command. + * Note that we gave up any extra privileges above. + */ + execv(argv[0], argv); + perror(argv[0]); + exit(1); + } + /* Parent. 
*/ + if (pid < 0) + fatal("fork failed: %.100s", strerror(errno)); + close(sp[0]); + free(command_string); + + if ((sock = mm_receive_fd(sp[1])) == -1) + fatal("proxy dialer did not pass back a connection"); + + while (waitpid(pid, NULL, 0) == -1) + if (errno != EINTR) + fatal("Couldn't wait for child: %s", strerror(errno)); + + /* Set the connection file descriptors. */ + packet_set_connection(sock, sock); + packet_set_timeout(options.server_alive_interval, + options.server_alive_count_max); + + return 0; +} + /* * Connect to the given ssh server using a proxy command. */ static int ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) { - char *command_string, *tmp; + char *command_string; int pin[2], pout[2]; pid_t pid; - char *shell, strport[NI_MAXSERV]; + char *shell; if (!strcmp(proxy_command, "-")) { packet_set_connection(STDIN_FILENO, STDOUT_FILENO); 
@@ -96,29 +194,19 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) return 0; } + if (options.proxy_use_fdpass) + return ssh_proxy_fdpass_connect(host, port, proxy_command); + if ((shell = getenv("SHELL")) == NULL || *shell == '\0') shell = _PATH_BSHELL; - /* Convert the port number into a string. */ - snprintf(strport, sizeof strport, "%hu", port); - - /* - * Build the final command string in the buffer by making the - * appropriate substitutions to the given proxy command. - * - * Use "exec" to avoid "sh -c" processes on some platforms - * (e.g. Solaris) - */ - xasprintf(&tmp, "exec %s", proxy_command); - command_string = percent_expand(tmp, "h", host, "p", strport, - "r", options.user, (char *)NULL); - free(tmp); - /* Create pipes for communicating with the proxy. */ if (pipe(pin) < 0 || pipe(pout) < 0) fatal("Could not create pipes to communicate with the proxy: %.100s", strerror(errno)); + command_string = expand_proxy_command(proxy_command, options.user, + host, port); debug("Executing proxy command: %.500s", command_string); /* Fork and execute the proxy command. */ -- cgit v1.2.1 From 35f8d87cf02bbd0eab8213fa68ea4bc1b9bfc103 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 20 Aug 2013 16:44:58 +0000 Subject: - jmc@cvs.openbsd.org 2013/08/20 06:56:07 [ssh.1 ssh_config.5] some proxyusefdpass tweaks; --- ChangeLog | 3 +++ ssh.1 | 5 +++-- ssh_config.5 | 6 +++--- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6b0afa72..e39f68a5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -58,6 +58,9 @@ rather than have to shuffle data back and forth and enables ssh to use getpeername, etc. to obtain address information just like it does with regular directly-connected sockets. ok markus@ + - jmc@cvs.openbsd.org 2013/08/20 06:56:07 + [ssh.1 ssh_config.5] + some proxyusefdpass tweaks; 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt 
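Review bot: The parent never closes `sp[1]` after `mm_receive_fd(sp[1])` succeeds, so the socketpair end stays open for the whole session and is inherited by anything ssh spawns later; add `close(sp[1]);` right after the fd is received. Two smaller points in the same function: `expand_proxy_command` takes a `user` argument but expands `%r` from `options.user`, so the parameter is dead (`"r", user,` would honour it and avoid the surprise when a caller passes something else), and `char *argv[10]` only ever holds four entries, so `char *argv[4]` states the intent. The child correctly calls `permanently_drop_suid(original_real_uid)` before the exec; a comment saying that the received descriptor is trusted only because the dialer ran unprivileged as the user would document the security assumption.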
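Review bot: The fdpass return is placed before this function's `SHELL` fallback, and ssh_proxy_fdpass_connect has its own copy that checks only `== NULL`, not `|| *shell == '\0'` as here, so an empty `SHELL=` makes the fdpass path `execv("")` while the classic path correctly falls back to _PATH_BSHELL. Either move the `shell` lookup above the `if (options.proxy_use_fdpass)` return and pass it in, or copy the `|| *shell == '\0'` test into the fdpass version. ssh_proxy_connect continues past the end of this hunk.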
diff --git a/ssh.1 b/ssh.1 index 09c9dbcb..22765401 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.335 2013/08/14 08:39:27 jmc Exp $ -.Dd $Mdocdate: August 14 2013 $ +.\" $OpenBSD: ssh.1,v 1.336 2013/08/20 06:56:07 jmc Exp $ +.Dd $Mdocdate: August 20 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -465,6 +465,7 @@ For full details of the options listed below, and their possible values, see .It PreferredAuthentications .It Protocol .It ProxyCommand +.It ProxyUseFdpass .It PubkeyAuthentication .It RekeyLimit .It RemoteForward diff --git a/ssh_config.5 b/ssh_config.5 index e89d694c..9ddd6b8a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.167 2013/08/20 00:11:38 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.168 2013/08/20 06:56:07 jmc Exp $ .Dd $Mdocdate: August 20 2013 $ .Dt SSH_CONFIG 5 .Os @@ -938,10 +938,10 @@ For example, the following directive would connect via an HTTP proxy at ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p .Ed .It Cm ProxyUseFdpass -Specifies that the a +Specifies that .Cm ProxyCommand will pass a connected file descriptor back to -.Nm ssh +.Xr ssh 1 instead of continuing to execute and pass data. The default is .Dq no . -- cgit v1.2.1 From 7e47783b59e52a3aacac70ac7a991b678b275ef5 Mon Sep 17 00:00:00 2001 
From: djm Date: Wed, 28 Aug 2013 02:49:43 +0000 Subject: - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we start to use them in the future. --- ChangeLog | 5 +++++ openbsd-compat/bsd-snprintf.c | 40 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 43 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e39f68a5..97881822 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130828 + - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the + 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we + start to use them in the future. + 20130821 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/08/06 23:03:49 diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c index 41d2be23..308078e0 100644 --- a/openbsd-compat/bsd-snprintf.c +++ b/openbsd-compat/bsd-snprintf.c @@ -160,6 +160,8 @@ #define DP_C_LONG 2 #define DP_C_LDOUBLE 3 #define DP_C_LLONG 4 +#define DP_C_SIZE 5 +#define DP_C_INTMAX 6 #define char_to_int(p) ((p)- '0') #ifndef MAX @@ -182,7 +184,7 @@ static int dopr(char *buffer, size_t maxlen, const char *format, static int fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, int min, int max); static int fmtint(char *buffer, size_t *currlen, size_t maxlen, - LLONG value, int base, int min, int max, int flags); + intmax_t value, int base, int min, int max, int flags); static int fmtfp(char *buffer, size_t *currlen, size_t maxlen, LDOUBLE fvalue, int min, int max, int flags); @@ -190,7 +192,7 @@ static int dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) { char ch; - LLONG value; + intmax_t value; LDOUBLE fvalue; char *strvalue; int min; 
@@ -287,6 +289,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) cflags = DP_C_SHORT; ch = *format++; break; + case 'j': + cflags = DP_C_INTMAX; + ch = *format++; + break; case 'l': cflags = DP_C_LONG; ch = *format++; @@ -299,6 +305,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) cflags = DP_C_LDOUBLE; ch = *format++; break; + case 'z': + cflags = DP_C_SIZE; + ch = *format++; + break; default: break; } @@ -314,6 +324,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = va_arg (args, long int); else if (cflags == DP_C_LLONG) value = va_arg (args, LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, ssize_t); + else if (cflags == DP_C_INTMAX) + value = va_arg (args, intmax_t); else value = va_arg (args, int); if (fmtint(buffer, &currlen, maxlen, @@ -328,6 +342,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned long int); else if (cflags == DP_C_LLONG) value = (long)va_arg (args, unsigned LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, size_t); + else if (cflags == DP_C_INTMAX) + value = va_arg (args, uintmax_t); else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -342,6 +360,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned long int); else if (cflags == DP_C_LLONG) value = (LLONG)va_arg (args, unsigned LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, size_t); + else if (cflags == DP_C_INTMAX) + value = va_arg (args, uintmax_t); else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, 
@@ -358,6 +380,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned long int); else if (cflags == DP_C_LLONG) value = (LLONG)va_arg (args, unsigned LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, size_t); + else if (cflags == DP_C_INTMAX) + value = va_arg (args, uintmax_t); else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -416,6 +442,7 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) (long) strvalue, 16, min, max, flags) == -1) return -1; break; +#if we_dont_want_this_in_openssh case 'n': if (cflags == DP_C_SHORT) { short int *num; @@ -429,12 +456,21 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) LLONG *num; num = va_arg (args, LLONG *); *num = (LLONG)currlen; + } else if (cflags == DP_C_SIZE) { + ssize_t *num; + num = va_arg (args, ssize_t *); + *num = (ssize_t)currlen; + } else if (cflags == DP_C_INTMAX) { + intmax_t *num; + num = va_arg (args, intmax_t *); + *num = (intmax_t)currlen; } else { int *num; num = va_arg (args, int *); *num = currlen; } break; +#endif case '%': DOPR_OUTCH(buffer, currlen, maxlen, ch); break; -- cgit v1.2.1 From 2ea3e15b4cb1fdcdf060ecc44ba04a1749d0254b Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 28 Aug 2013 04:00:54 +0000 Subject: - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits until we have configure support. --- ChangeLog | 2 ++ openbsd-compat/bsd-snprintf.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index 97881822..0ddb0a35 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we start to use them in the future. + - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits + until we have configure support. 20130821 - (djm) OpenBSD CVS Sync 
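Review bot: Wrapping the `%n` case in `#if we_dont_want_this_in_openssh` disables the one conversion that writes through a pointer argument, which is sensible hardening for a format engine, but the commit message only mentions `j` and `z`, and an undefined identifier in `#if` evaluates to 0 silently and trips `-Wundef`. Make the intent explicit with `#if 0 /* %n is deliberately unsupported: it is a write primitive and nothing in OpenSSH needs it */` and mention the removal in the ChangeLog entry. As committed, the new DP_C_SIZE/DP_C_INTMAX branches inside that block are dead code. dopr's body starts and ends outside these hunks.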
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c index 308078e0..975991e7 100644 --- a/openbsd-compat/bsd-snprintf.c +++ b/openbsd-compat/bsd-snprintf.c @@ -344,8 +344,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned LLONG); else if (cflags == DP_C_SIZE) value = va_arg (args, size_t); +#ifdef notyet else if (cflags == DP_C_INTMAX) value = va_arg (args, uintmax_t); +#endif else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -362,8 +364,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (LLONG)va_arg (args, unsigned LLONG); else if (cflags == DP_C_SIZE) value = va_arg (args, size_t); +#ifdef notyet else if (cflags == DP_C_INTMAX) value = va_arg (args, uintmax_t); +#endif else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -382,8 +386,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (LLONG)va_arg (args, unsigned LLONG); else if (cflags == DP_C_SIZE) value = va_arg (args, size_t); +#ifdef notyet else if (cflags == DP_C_INTMAX) value = va_arg (args, uintmax_t); +#endif else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, -- cgit v1.2.1 From 2aa5d08343c5b1401b5c94015a54fe73ca94ed01 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 13 Sep 2013 23:40:51 +0000 Subject: add marker for 6.3p1 release at the point of the last included change --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 0ddb0a35..d13a23fd 100644 --- a/ChangeLog +++ b/ChangeLog 
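Review bot: Guarding only the `uintmax_t` branches with `#ifdef notyet` leaves `DP_C_INTMAX` still settable by the `'j'` modifier, so a `%ju`, `%jx` or `%jo` format now falls through to `va_arg (args, unsigned int)` and pulls a 32-bit value from an argument that was pushed as uintmax_t — the wrong width, which desynchronises every later argument and is undefined behaviour under the va_arg rules. The signed `%jd` path and the `intmax_t` declarations from the previous commit stay unconditional, so the guard does not actually defer the intmax_t dependency the message says it defers. Either guard the `case 'j':` modifier itself so the format is rejected consistently, or keep these branches and add the configure check. dopr's body starts and ends outside these hunks.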
@@ -82,6 +82,7 @@ - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt removal. The "make clean" removes modpipe which is built by the top-level directory before running the tests. Spotted by tim@ + - (djm) Release 6.3p1 20130804 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support -- cgit v1.2.1 From 6c57456d0639a41e62ec5958a242bafc00856d71 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 13 Sep 2013 23:44:37 +0000 Subject: - djm@cvs.openbsd.org 2013/08/22 19:02:21 [sshd.c] Stir PRNG after post-accept fork. The child gets a different PRNG state anyway via rexec and explicit privsep reseeds, but it's good to be sure. ok markus@ --- ChangeLog | 8 ++++++++ sshd.c | 8 +++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d13a23fd..a8d6c274 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20130914 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/08/22 19:02:21 + [sshd.c] + Stir PRNG after post-accept fork. The child gets a different PRNG state + anyway via rexec and explicit privsep reseeds, but it's good to be sure. + ok markus@ + 20130828 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we diff --git a/sshd.c b/sshd.c index 174cc7a4..cddc87e8 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.404 2013/07/19 07:37:48 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.405 2013/08/22 19:02:21 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -613,6 +613,7 @@ privsep_preauth_child(void) arc4random_stir(); arc4random_buf(rnd, sizeof(rnd)); RAND_seed(rnd, sizeof(rnd)); + bzero(rnd, sizeof(rnd)); /* Demote the private keys to public keys. */ demote_sensitive_data(); 
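Review bot: The added `bzero(rnd, sizeof(rnd));` clears a local that is not read again before the function continues, so an optimising compiler may drop it as a dead store and the seed bytes remain on the stack; the same applies to the copies added in privsep_postauth and server_accept_loop. Use a non-elidable clear where the tree provides one (an `explicit_bzero`-style helper or a volatile memset wrapper), or mark the intent with `/* best-effort wipe of seed material; may be optimised away */` so nobody relies on it. privsep_preauth_child continues outside this hunk.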
@@ -747,6 +748,7 @@ privsep_postauth(Authctxt *authctxt) arc4random_stir(); arc4random_buf(rnd, sizeof(rnd)); RAND_seed(rnd, sizeof(rnd)); + bzero(rnd, sizeof(rnd)); /* Drop privileges */ do_setusercontext(authctxt->pw); @@ -1139,6 +1141,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) struct sockaddr_storage from; socklen_t fromlen; pid_t pid; + u_char rnd[256]; /* setup fd set for accept */ fdset = NULL; @@ -1339,6 +1342,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) * from that of the child */ arc4random_stir(); + arc4random_buf(rnd, sizeof(rnd)); + RAND_seed(rnd, sizeof(rnd)); + bzero(rnd, sizeof(rnd)); } /* child process check (or debug mode) */ -- cgit v1.2.1 From a58895d17bc06295013d69abf05f681379585199 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 13 Sep 2013 23:45:03 +0000 Subject: - mikeb@cvs.openbsd.org 2013/08/28 12:34:27 [ssh-keygen.c] improve batch processing a bit by making use of the quite flag a bit more often and exit with a non zero code if asked to find a hostname in a known_hosts file and it wasn't there; originally from reyk@, ok djm --- ChangeLog | 6 ++++++ ssh-keygen.c | 25 +++++++++++++++---------- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index a8d6c274..67ea2804 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,12 @@ Stir PRNG after post-accept fork. The child gets a different PRNG state anyway via rexec and explicit privsep reseeds, but it's good to be sure. ok markus@ + - mikeb@cvs.openbsd.org 2013/08/28 12:34:27 + [ssh-keygen.c] + improve batch processing a bit by making use of the quite flag a bit + more often and exit with a non zero code if asked to find a hostname + in a known_hosts file and it wasn't there; + originally from reyk@, ok djm 20130828 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the diff --git a/ssh-keygen.c b/ssh-keygen.c index 6ee8145a..9c19f00d 100644 --- a/ssh-keygen.c 
+++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.232 2013/08/13 18:33:08 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.233 2013/08/28 12:34:27 mikeb Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1001,6 +1001,7 @@ do_known_hosts(struct passwd *pw, const char *name) char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; int ca; + int found_key = 0; if (!have_identity) { cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); @@ -1103,11 +1104,13 @@ do_known_hosts(struct passwd *pw, const char *name) } c = (strcmp(cp2, cp) == 0); if (find_host && c) { - printf("# Host %s found: " - "line %d type %s%s\n", name, - num, key_type(pub), - ca ? " (CA key)" : ""); + if (!quiet) + printf("# Host %s found: " + "line %d type %s%s\n", name, + num, key_type(pub), + ca ? " (CA key)" : ""); printhost(out, cp, pub, ca, 0); + found_key = 1; } if (delete_host) { if (!c && !ca) @@ -1124,12 +1127,14 @@ do_known_hosts(struct passwd *pw, const char *name) c = (match_hostname(name, cp, strlen(cp)) == 1); if (find_host && c) { - printf("# Host %s found: " - "line %d type %s%s\n", name, - num, key_type(pub), - ca ? " (CA key)" : ""); + if (!quiet) + printf("# Host %s found: " + "line %d type %s%s\n", name, + num, key_type(pub), + ca ? " (CA key)" : ""); printhost(out, name, pub, ca, hash_hosts && !ca); + found_key = 1; } if (delete_host) { if (!c && !ca) @@ -1205,7 +1210,7 @@ do_known_hosts(struct passwd *pw, const char *name) } } - exit(0); + exit (find_host && !found_key); } /* -- cgit v1.2.1 From 91ac0b889ddeef707f5d3d2bcd22c7c9775e716e Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 13 Sep 2013 23:45:32 +0000 Subject: - djm@cvs.openbsd.org 2013/08/31 00:13:54 [sftp.c] make ^w match ksh behaviour (delete previous word instead of entire line) --- ChangeLog | 3 +++ sftp.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) 
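Review bot: `exit (find_host && !found_key);` passes a boolean expression as the process exit status, which works but reads as if a larger value could be returned and uses `exit (` spacing unlike the removed `exit(0);`; `exit(find_host && !found_key ? 1 : 0);` states the intent explicitly. The `if (!quiet) printf("# Host %s found: ...` blocks in the @@ -1103 and @@ -1124 hunks are now identical apart from the host string passed to printhost and could share a small static helper. do_known_hosts() starts and ends outside these hunks.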
diff --git a/ChangeLog b/ChangeLog index 67ea2804..b17401d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,9 @@ more often and exit with a non zero code if asked to find a hostname in a known_hosts file and it wasn't there; originally from reyk@, ok djm + - djm@cvs.openbsd.org 2013/08/31 00:13:54 + [sftp.c] + make ^w match ksh behaviour (delete previous word instead of entire line) 20130828 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the diff --git a/sftp.c b/sftp.c index e2114406..f7b488ae 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.154 2013/08/09 03:56:42 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.155 2013/08/31 00:13:54 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -2013,6 +2013,8 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) el_set(el, EL_BIND, "\\e[5C", "em-next-word", NULL); el_set(el, EL_BIND, "\\e[1;5D", "ed-prev-word", NULL); el_set(el, EL_BIND, "\\e\\e[D", "ed-prev-word", NULL); + /* make ^w match ksh behaviour */ + el_set(el, EL_BIND, "^w", "ed-delete-prev-word", NULL); } #endif /* USE_LIBEDIT */ -- cgit v1.2.1 From dac7ea6703c331dfa6479cdb153941f9ad277ac6 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 13 Sep 2013 23:47:00 +0000 Subject: - deraadt@cvs.openbsd.org 2013/09/02 22:00:34 [ssh-keygen.c sshconnect1.c sshd.c] All the instances of arc4random_stir() are bogus, since arc4random() does this itself, inside itself, and has for a very long time.. Actually, this was probably reducing the entropy available. ok djm ID SYNC ONLY for portable; we don't trust other arc4random implementations to do this right. --- ChangeLog | 8 ++++++++ ssh-keygen.c | 2 +- sshconnect1.c | 2 +- sshd.c | 2 +- 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index b17401d6..f963980f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -14,6 +14,14 @@ - djm@cvs.openbsd.org 2013/08/31 00:13:54 [sftp.c] make ^w match ksh behaviour (delete previous word instead of entire line) + - deraadt@cvs.openbsd.org 2013/09/02 22:00:34 + [ssh-keygen.c sshconnect1.c sshd.c] + All the instances of arc4random_stir() are bogus, since arc4random() + does this itself, inside itself, and has for a very long time.. Actually, + this was probably reducing the entropy available. + ok djm + ID SYNC ONLY for portable; we don't trust other arc4random implementations + to do this right. 20130828 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the diff --git a/ssh-keygen.c b/ssh-keygen.c index 9c19f00d..b8d55452 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.233 2013/08/28 12:34:27 mikeb Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.234 2013/09/02 22:00:34 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland diff --git a/sshconnect1.c b/sshconnect1.c index d285e23c..f4b89077 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect1.c,v 1.71 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sshconnect1.c,v 1.72 2013/09/02 22:00:34 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland diff --git a/sshd.c b/sshd.c index cddc87e8..3efe170e 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.405 2013/08/22 19:02:21 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.406 2013/09/02 22:00:34 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -- cgit v1.2.1 From e66500c7bb1223de271f5aad1e853016ef073b1b Mon Sep 17 00:00:00 2001 
From: djm Date: Fri, 13 Sep 2013 23:48:55 +0000 Subject: - sthen@cvs.openbsd.org 2013/09/07 13:53:11 [sshd_config] Remove commented-out kerberos/gssapi config options from sample config, kerberos support is currently not enabled in ssh in OpenBSD. Discussed with various people; ok deraadt@ ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular --- ChangeLog | 6 ++++++ sshd_config | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index f963980f..ee7c6690 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,12 @@ ok djm ID SYNC ONLY for portable; we don't trust other arc4random implementations to do this right. + - sthen@cvs.openbsd.org 2013/09/07 13:53:11 + [sshd_config] + Remove commented-out kerberos/gssapi config options from sample config, + kerberos support is currently not enabled in ssh in OpenBSD. Discussed with + various people; ok deraadt@ + ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular 20130828 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the diff --git a/sshd_config b/sshd_config index b786361d..8d8eeea3 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $ +# $OpenBSD: sshd_config,v 1.91 2013/09/07 13:53:11 sthen Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. -- cgit v1.2.1 From b81a26f45560f0827c43645857a2a07f2b7f3473 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 13 Sep 2013 23:49:19 +0000 Subject: - djm@cvs.openbsd.org 2013/09/12 01:41:12 [clientloop.c] fix connection crash when sending break (~B) on ControlPersist'd session; ok dtucker@ --- ChangeLog | 4 ++++ clientloop.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ee7c6690..b12c307c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -28,6 +28,10 @@ kerberos support is currently not enabled in ssh in OpenBSD. Discussed with various people; ok deraadt@ ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular + - djm@cvs.openbsd.org 2013/09/12 01:41:12 + [clientloop.c] + fix connection crash when sending break (~B) on ControlPersist'd session; + ok dtucker@ 20130828 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the diff --git a/clientloop.c b/clientloop.c index 7c1f8abb..45a55e0e 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.253 2013/06/07 15:37:52 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.254 2013/09/12 01:41:12 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1153,7 +1153,7 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, "%cB\r\n", escape_char); buffer_append(berr, string, strlen(string)); - channel_request_start(session_ident, + channel_request_start(c->self, "break", 0); packet_put_int(1000); packet_send(); -- cgit v1.2.1 From 98a5025b1ffd458850ab080a092d2a674e087392 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 13 Sep 2013 23:49:43 +0000 Subject: - djm@cvs.openbsd.org 2013/09/13 06:54:34 [channels.c] avoid unaligned access in code that reused a buffer to send a struct in_addr in a reply; simpler just use use buffer_put_int(); from portable; spotted by and ok dtucker@ --- ChangeLog | 5 +++++ channels.c | 5 ++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index b12c307c..57721f8d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -32,6 +32,11 @@ [clientloop.c] fix connection crash when sending break (~B) on ControlPersist'd session; ok dtucker@ + - djm@cvs.openbsd.org 2013/09/13 06:54:34 + [channels.c] + avoid unaligned access in code that reused a buffer to send a + struct in_addr in a reply; simpler just use use buffer_put_int(); + from portable; spotted by and ok dtucker@ 20130828 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the diff --git a/channels.c b/channels.c index 281df380..698fa6da 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.324 2013/07/12 00:19:58 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.325 2013/09/13 06:54:34 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1239,11 +1239,10 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) s5_rsp.command = SSH_SOCKS5_SUCCESS; s5_rsp.reserved = 0; /* ignored */ s5_rsp.atyp = SSH_SOCKS5_IPV4; - ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; dest_port = 0; /* ignored */ buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); - buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); + buffer_put_int(&c->output, ntohl(INADDR_ANY)); /* bind address */ buffer_append(&c->output, &dest_port, sizeof(dest_port)); return 1; } -- cgit v1.2.1 From d706da3fb7a1eedb03d6b8633b99a43663e31e8b Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 18 Sep 2013 05:09:38 +0000 Subject: - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu. --- ChangeLog | 3 +++ sshd_config | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 57721f8d..df824977 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20130918 + - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu. + 20130914 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/08/22 19:02:21 diff --git a/sshd_config b/sshd_config index 8d8eeea3..dbda7491 100644 --- a/sshd_config +++ b/sshd_config 
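Review bot: `buffer_put_int(&c->output, ntohl(INADDR_ANY))` wraps an all-zero constant in `ntohl`, which is a no-op here but implies a byte-order conversion that `buffer_put_int` (which elsewhere in OpenSSH writes the value big-endian on the wire — worth confirming) does not need; `buffer_put_int(&c->output, INADDR_ANY); /* bind address 0.0.0.0 */` says the same thing without the detour. With both of its uses removed, `dest_addr` may now be an unused local in channel_decode_socks5 — its declaration is outside the hunk, so check for a warning. The function starts and ends outside the hunk.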
@@ -84,8 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass -- cgit v1.2.1 From f9d626e75abfb9e93f3a2a13e3a28ed68b560f3c Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 22 Sep 2013 09:02:40 +0000 Subject: - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over retart. Patch from Matthew Ife. --- ChangeLog | 5 +++++ platform.c | 10 +++++++++- platform.h | 3 ++- sshd.c | 1 + 4 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index df824977..c7a7146f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130922 + - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj + setting when handling SIGHUP to maintain behaviour over retart. Patch + from Matthew Ife. + 20130918 - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu. diff --git a/platform.c b/platform.c index 3262b247..6d896c22 100644 --- a/platform.c +++ b/platform.c @@ -1,4 +1,4 @@ -/* $Id: platform.c,v 1.19 2013/03/12 00:31:05 dtucker Exp $ */ +/* $Id: platform.c,v 1.20 2013/09/22 09:02:40 dtucker Exp $ */ /* * Copyright (c) 2006 Darren Tucker. All rights reserved. @@ -54,6 +54,14 @@ platform_pre_fork(void) #endif } +void +platform_pre_restart(void) +{ +#ifdef LINUX_OOM_ADJUST + oom_adjust_restore(); +#endif +} + void platform_post_fork_parent(pid_t child_pid) { diff --git a/platform.h b/platform.h index 19f6bfdd..1c7a45d8 100644 
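Review bot: The new `platform_pre_restart()` in platform.c carries no comment saying when it is called or why the oom_adj value needs restoring, and the declaration added to platform.h in the next hunk has none either. A short comment above the definition, e.g. `/* Called before sshd re-execs itself on SIGHUP: undo our oom_adj change so the new process starts from the original value instead of inheriting ours as its baseline. */`, would capture the reasoning behind bz#2156; the "inherit as baseline" part is my reading of the commit message and should be confirmed by the author. The function itself is complete within the hunk.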
--- a/platform.h +++ b/platform.h @@ -1,4 +1,4 @@ -/* $Id: platform.h,v 1.8 2013/03/12 00:31:05 dtucker Exp $ */ +/* $Id: platform.h,v 1.9 2013/09/22 09:02:40 dtucker Exp $ */ /* * Copyright (c) 2006 Darren Tucker. All rights reserved. @@ -22,6 +22,7 @@ void platform_pre_listen(void); void platform_pre_fork(void); +void platform_pre_restart(void); void platform_post_fork_parent(pid_t child_pid); void platform_post_fork_child(void); int platform_privileged_uidswap(void); diff --git a/sshd.c b/sshd.c index 3efe170e..7e3b60f9 100644 --- a/sshd.c +++ b/sshd.c @@ -315,6 +315,7 @@ static void sighup_restart(void) { logit("Received SIGHUP; restarting."); + platform_pre_restart(); close_listen_socks(); close_startup_pipes(); alarm(0); /* alarm timer persists across exec */ -- cgit v1.2.1 From 2a3b557ff88b6cda426849ccc82953533847213c Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 8 Oct 2013 22:33:08 +0000 Subject: correct incorrect years in datestamps; from des --- ChangeLog | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index c7a7146f..0d8152f0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -765,10 +765,10 @@ to avoid conflicting definitions of __int64, adding the required bits. Patch from Corinna Vinschen. -20120323 +20130323 - (tim) [Makefile.in] remove some duplication introduced in 20130220 commit. -20120322 +20130322 - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil Hands' greatly revised version. - (djm) Release 6.2p1 
@@ -776,16 +776,16 @@ - (dtucker) [includes.h] Check if _GNU_SOURCE is already defined before defining it again. Prevents warnings if someone, eg, sets it in CFLAGS. -20120318 +20130318 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's so mark it as broken. Patch from des AT des.no -20120317 +20130317 - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none of the bits the configure test looks for. -20120316 +20130316 - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform is unable to successfully compile them. Based on patch from des AT des.no @@ -795,7 +795,7 @@ occur after UID switch; patch from John Marshall via des AT des.no; ok dtucker@ -20120312 +20130312 - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] Improve portability of cipher-speed test, based mostly on a patch from Iain Morgan. -- cgit v1.2.1 From 8b2d8c61fb9ff6eff9c2fea99177d80543db867c Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 8 Oct 2013 23:42:32 +0000 Subject: - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull in OpenBSD implementation of arc4random, shortly to replace the existing bsd-arc4random.c --- ChangeLog | 5 + openbsd-compat/arc4random.c | 261 ++++++++++++++++++++++++++++++++++++++++ openbsd-compat/chacha_private.h | 222 ++++++++++++++++++++++++++++++++++ 3 files changed, 488 insertions(+) create mode 100644 openbsd-compat/arc4random.c create mode 100644 openbsd-compat/chacha_private.h diff --git a/ChangeLog b/ChangeLog index 0d8152f0..34b6d17f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,8 @@ +20131009 + - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull + in OpenBSD implementation of arc4random, shortly to replace the existing + bsd-arc4random.c + 20130922 - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over retart. Patch diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c new file mode 100644 index 00000000..356e2318 --- /dev/null +++ b/openbsd-compat/arc4random.c 
@@ -0,0 +1,261 @@ +/* $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $ */ + +/* + * Copyright (c) 1996, David Mazieres + * Copyright (c) 2008, Damien Miller + * Copyright (c) 2013, Markus Friedl + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * ChaCha based random number generator for OpenBSD. 
+ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "thread_private.h" + +#define KEYSTREAM_ONLY +#include "chacha_private.h" + +#ifdef __GNUC__ +#define inline __inline +#else /* !__GNUC__ */ +#define inline +#endif /* !__GNUC__ */ + +#define KEYSZ 32 +#define IVSZ 8 +#define BLOCKSZ 64 +#define RSBUFSZ (16*BLOCKSZ) +static int rs_initialized; +static pid_t rs_stir_pid; +static chacha_ctx rs; /* chacha context for random keystream */ +static u_char rs_buf[RSBUFSZ]; /* keystream blocks */ +static size_t rs_have; /* valid bytes at end of rs_buf */ +static size_t rs_count; /* bytes till reseed */ + +static inline void _rs_rekey(u_char *dat, size_t datlen); + +static inline void +_rs_init(u_char *buf, size_t n) +{ + if (n < KEYSZ + IVSZ) + return; + chacha_keysetup(&rs, buf, KEYSZ * 8, 0); + chacha_ivsetup(&rs, buf + KEYSZ); +} + +static void +_rs_stir(void) +{ + int mib[2]; + size_t len; + u_char rnd[KEYSZ + IVSZ]; + + mib[0] = CTL_KERN; + mib[1] = KERN_ARND; + + len = sizeof(rnd); + sysctl(mib, 2, rnd, &len, NULL, 0); + + if (!rs_initialized) { + rs_initialized = 1; + _rs_init(rnd, sizeof(rnd)); + } else + _rs_rekey(rnd, sizeof(rnd)); + memset(rnd, 0, sizeof(rnd)); + + /* invalidate rs_buf */ + rs_have = 0; + memset(rs_buf, 0, RSBUFSZ); + + rs_count = 1600000; +} + +static inline void +_rs_stir_if_needed(size_t len) +{ + pid_t pid = getpid(); + + if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) { + rs_stir_pid = pid; + _rs_stir(); + } else + rs_count -= len; +} + +static inline void +_rs_rekey(u_char *dat, size_t datlen) +{ +#ifndef KEYSTREAM_ONLY + memset(rs_buf, 0,RSBUFSZ); +#endif + /* fill rs_buf with the keystream */ + chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ); + /* mix in optional user provided data */ + if (dat) { + size_t i, m; + + m = MIN(datlen, KEYSZ + IVSZ); + for (i = 0; i < m; i++) + rs_buf[i] ^= dat[i]; + } + /* immediately reinit for backtracking resistance */ + 
_rs_init(rs_buf, KEYSZ + IVSZ); + memset(rs_buf, 0, KEYSZ + IVSZ); + rs_have = RSBUFSZ - KEYSZ - IVSZ; +} + +static inline void +_rs_random_buf(void *_buf, size_t n) +{ + u_char *buf = (u_char *)_buf; + size_t m; + + _rs_stir_if_needed(n); + while (n > 0) { + if (rs_have > 0) { + m = MIN(n, rs_have); + memcpy(buf, rs_buf + RSBUFSZ - rs_have, m); + memset(rs_buf + RSBUFSZ - rs_have, 0, m); + buf += m; + n -= m; + rs_have -= m; + } + if (rs_have == 0) + _rs_rekey(NULL, 0); + } +} + +static inline void +_rs_random_u32(u_int32_t *val) +{ + _rs_stir_if_needed(sizeof(*val)); + if (rs_have < sizeof(*val)) + _rs_rekey(NULL, 0); + memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val)); + memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val)); + rs_have -= sizeof(*val); + return; +} + +void +arc4random_stir(void) +{ + _ARC4_LOCK(); + _rs_stir(); + _ARC4_UNLOCK(); +} + +void +arc4random_addrandom(u_char *dat, int datlen) +{ + int m; + + _ARC4_LOCK(); + if (!rs_initialized) + _rs_stir(); + while (datlen > 0) { + m = MIN(datlen, KEYSZ + IVSZ); + _rs_rekey(dat, m); + dat += m; + datlen -= m; + } + _ARC4_UNLOCK(); +} + +u_int32_t +arc4random(void) +{ + u_int32_t val; + + _ARC4_LOCK(); + _rs_random_u32(&val); + _ARC4_UNLOCK(); + return val; +} + +void +arc4random_buf(void *buf, size_t n) +{ + _ARC4_LOCK(); + _rs_random_buf(buf, n); + _ARC4_UNLOCK(); +} + +/* + * Calculate a uniformly distributed random number less than upper_bound + * avoiding "modulo bias". + * + * Uniformity is achieved by generating new random numbers until the one + * returned is outside the range [0, 2**32 % upper_bound). This + * guarantees the selected random number will be inside + * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound) + * after reduction modulo upper_bound. 
+ */ +u_int32_t +arc4random_uniform(u_int32_t upper_bound) +{ + u_int32_t r, min; + + if (upper_bound < 2) + return 0; + + /* 2**32 % x == (2**32 - x) % x */ + min = -upper_bound % upper_bound; + + /* + * This could theoretically loop forever but each retry has + * p > 0.5 (worst case, usually far better) of selecting a + * number inside the range we need, so it should rarely need + * to re-roll. + */ + for (;;) { + r = arc4random(); + if (r >= min) + break; + } + + return r % upper_bound; +} + +#if 0 +/*-------- Test code for i386 --------*/ +#include +#include +int +main(int argc, char **argv) +{ + const int iter = 1000000; + int i; + pctrval v; + + v = rdtsc(); + for (i = 0; i < iter; i++) + arc4random(); + v = rdtsc() - v; + v /= iter; + + printf("%qd cycles\n", v); + exit(0); +} +#endif diff --git a/openbsd-compat/chacha_private.h b/openbsd-compat/chacha_private.h new file mode 100644 index 00000000..7c3680fa --- /dev/null +++ b/openbsd-compat/chacha_private.h 
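Review bot: `_rs_stir()` ignores the return value of `sysctl(mib, 2, rnd, &len, NULL, 0)`, so on failure `rnd` is still the uninitialized stack array that gets passed to `_rs_init()`/`_rs_rekey()` as key and IV; on OpenBSD KERN_ARND is presumably infallible, but this file is being imported into portable, and the following commit on this page does replace the call with `RAND_bytes()` plus `fatal()`. Two smaller points in the same hunk: `rs_count = 1600000;` is a bare magic number for the reseed interval and deserves a named constant with a comment, and the trailing `return;` in `_rs_random_u32()` is redundant. The `memset(rnd, 0, sizeof(rnd));` after seeding has the same dead-store-elimination exposure as any plain memset of a buffer that is never read again and would be safer as `explicit_bzero(rnd, sizeof(rnd));` where available.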
@@ -0,0 +1,222 @@ +/* +chacha-merged.c version 20080118 +D. J. Bernstein +Public domain. +*/ + +/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */ + +typedef unsigned char u8; +typedef unsigned int u32; + +typedef struct +{ + u32 input[16]; /* could be compressed */ +} chacha_ctx; + +#define U8C(v) (v##U) +#define U32C(v) (v##U) + +#define U8V(v) ((u8)(v) & U8C(0xFF)) +#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF)) + +#define ROTL32(v, n) \ + (U32V((v) << (n)) | ((v) >> (32 - (n)))) + +#define U8TO32_LITTLE(p) \ + (((u32)((p)[0]) ) | \ + ((u32)((p)[1]) << 8) | \ + ((u32)((p)[2]) << 16) | \ + ((u32)((p)[3]) << 24)) + +#define U32TO8_LITTLE(p, v) \ + do { \ + (p)[0] = U8V((v) ); \ + (p)[1] = U8V((v) >> 8); \ + (p)[2] = U8V((v) >> 16); \ + (p)[3] = U8V((v) >> 24); \ + } while (0) + +#define ROTATE(v,c) (ROTL32(v,c)) +#define XOR(v,w) ((v) ^ (w)) +#define PLUS(v,w) (U32V((v) + (w))) +#define PLUSONE(v) (PLUS((v),1)) + +#define QUARTERROUND(a,b,c,d) \ + a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \ + a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c), 7); + +static const char sigma[16] = "expand 32-byte k"; +static const char tau[16] = "expand 16-byte k"; + +static void +chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits) +{ + const char *constants; + + x->input[4] = U8TO32_LITTLE(k + 0); + x->input[5] = U8TO32_LITTLE(k + 4); + x->input[6] = U8TO32_LITTLE(k + 8); + x->input[7] = U8TO32_LITTLE(k + 12); + if (kbits == 256) { /* recommended */ + k += 16; + constants = sigma; + } else { /* kbits == 128 */ + constants = tau; + } + x->input[8] = U8TO32_LITTLE(k + 0); + x->input[9] = U8TO32_LITTLE(k + 4); + x->input[10] = U8TO32_LITTLE(k + 8); + x->input[11] = U8TO32_LITTLE(k + 12); + x->input[0] = U8TO32_LITTLE(constants + 0); + x->input[1] = U8TO32_LITTLE(constants + 4); + x->input[2] = U8TO32_LITTLE(constants + 8); + x->input[3] = U8TO32_LITTLE(constants + 12); +} + +static void 
+chacha_ivsetup(chacha_ctx *x,const u8 *iv) +{ + x->input[12] = 0; + x->input[13] = 0; + x->input[14] = U8TO32_LITTLE(iv + 0); + x->input[15] = U8TO32_LITTLE(iv + 4); +} + +static void +chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes) +{ + u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + u8 *ctarget = NULL; + u8 tmp[64]; + u_int i; + + if (!bytes) return; + + j0 = x->input[0]; + j1 = x->input[1]; + j2 = x->input[2]; + j3 = x->input[3]; + j4 = x->input[4]; + j5 = x->input[5]; + j6 = x->input[6]; + j7 = x->input[7]; + j8 = x->input[8]; + j9 = x->input[9]; + j10 = x->input[10]; + j11 = x->input[11]; + j12 = x->input[12]; + j13 = x->input[13]; + j14 = x->input[14]; + j15 = x->input[15]; + + for (;;) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) tmp[i] = m[i]; + m = tmp; + ctarget = c; + c = tmp; + } + x0 = j0; + x1 = j1; + x2 = j2; + x3 = j3; + x4 = j4; + x5 = j5; + x6 = j6; + x7 = j7; + x8 = j8; + x9 = j9; + x10 = j10; + x11 = j11; + x12 = j12; + x13 = j13; + x14 = j14; + x15 = j15; + for (i = 20;i > 0;i -= 2) { + QUARTERROUND( x0, x4, x8,x12) + QUARTERROUND( x1, x5, x9,x13) + QUARTERROUND( x2, x6,x10,x14) + QUARTERROUND( x3, x7,x11,x15) + QUARTERROUND( x0, x5,x10,x15) + QUARTERROUND( x1, x6,x11,x12) + QUARTERROUND( x2, x7, x8,x13) + QUARTERROUND( x3, x4, x9,x14) + } + x0 = PLUS(x0,j0); + x1 = PLUS(x1,j1); + x2 = PLUS(x2,j2); + x3 = PLUS(x3,j3); + x4 = PLUS(x4,j4); + x5 = PLUS(x5,j5); + x6 = PLUS(x6,j6); + x7 = PLUS(x7,j7); + x8 = PLUS(x8,j8); + x9 = PLUS(x9,j9); + x10 = PLUS(x10,j10); + x11 = PLUS(x11,j11); + x12 = PLUS(x12,j12); + x13 = PLUS(x13,j13); + x14 = PLUS(x14,j14); + x15 = PLUS(x15,j15); + +#ifndef KEYSTREAM_ONLY + x0 = XOR(x0,U8TO32_LITTLE(m + 0)); + x1 = XOR(x1,U8TO32_LITTLE(m + 4)); + x2 = XOR(x2,U8TO32_LITTLE(m + 8)); + x3 = XOR(x3,U8TO32_LITTLE(m + 12)); + x4 = XOR(x4,U8TO32_LITTLE(m + 16)); + x5 = XOR(x5,U8TO32_LITTLE(m + 20)); + 
x6 = XOR(x6,U8TO32_LITTLE(m + 24)); + x7 = XOR(x7,U8TO32_LITTLE(m + 28)); + x8 = XOR(x8,U8TO32_LITTLE(m + 32)); + x9 = XOR(x9,U8TO32_LITTLE(m + 36)); + x10 = XOR(x10,U8TO32_LITTLE(m + 40)); + x11 = XOR(x11,U8TO32_LITTLE(m + 44)); + x12 = XOR(x12,U8TO32_LITTLE(m + 48)); + x13 = XOR(x13,U8TO32_LITTLE(m + 52)); + x14 = XOR(x14,U8TO32_LITTLE(m + 56)); + x15 = XOR(x15,U8TO32_LITTLE(m + 60)); +#endif + + j12 = PLUSONE(j12); + if (!j12) { + j13 = PLUSONE(j13); + /* stopping at 2^70 bytes per nonce is user's responsibility */ + } + + U32TO8_LITTLE(c + 0,x0); + U32TO8_LITTLE(c + 4,x1); + U32TO8_LITTLE(c + 8,x2); + U32TO8_LITTLE(c + 12,x3); + U32TO8_LITTLE(c + 16,x4); + U32TO8_LITTLE(c + 20,x5); + U32TO8_LITTLE(c + 24,x6); + U32TO8_LITTLE(c + 28,x7); + U32TO8_LITTLE(c + 32,x8); + U32TO8_LITTLE(c + 36,x9); + U32TO8_LITTLE(c + 40,x10); + U32TO8_LITTLE(c + 44,x11); + U32TO8_LITTLE(c + 48,x12); + U32TO8_LITTLE(c + 52,x13); + U32TO8_LITTLE(c + 56,x14); + U32TO8_LITTLE(c + 60,x15); + + if (bytes <= 64) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) ctarget[i] = c[i]; + } + x->input[12] = j12; + x->input[13] = j13; + return; + } + bytes -= 64; + c += 64; +#ifndef KEYSTREAM_ONLY + m += 64; +#endif + } +} -- cgit v1.2.1 From 30d5a80684a66f2ec59c02ba51ee9d910512ba92 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 8 Oct 2013 23:44:47 +0000 Subject: - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c] [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@, tested tim@ --- ChangeLog | 4 ++ openbsd-compat/Makefile.in | 4 +- openbsd-compat/arc4random.c | 59 ++++++++++++---- openbsd-compat/bsd-arc4random.c | 150 ---------------------------------------- 4 files changed, 52 insertions(+), 165 deletions(-) delete mode 100644 openbsd-compat/bsd-arc4random.c diff --git a/ChangeLog b/ChangeLog index 34b6d17f..78578cf1 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -2,6 +2,10 @@ - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull in OpenBSD implementation of arc4random, shortly to replace the existing bsd-arc4random.c + - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c] + [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random + implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@, + tested tim@ 20130922 - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 365cf006..a5f4a266 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $ +# $Id: Makefile.in,v 1.52 2013/10/08 23:44:49 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o -COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o +COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o 
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c index 356e2318..eac073cc 100644 --- a/openbsd-compat/arc4random.c +++ b/openbsd-compat/arc4random.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/crypto/arc4random.c */ + /* $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $ */ /* @@ -22,16 +24,19 @@ * ChaCha based random number generator for OpenBSD. */ -#include -#include +#include "includes.h" + #include #include #include #include -#include -#include -#include -#include "thread_private.h" + +#ifndef HAVE_ARC4RANDOM + +#include +#include + +#include "log.h" #define KEYSTREAM_ONLY #include "chacha_private.h" @@ -42,6 +47,10 @@ #define inline #endif /* !__GNUC__ */ +/* OpenSSH isn't multithreaded */ +#define _ARC4_LOCK() +#define _ARC4_UNLOCK() + #define KEYSZ 32 #define IVSZ 8 #define BLOCKSZ 64 @@ -67,15 +76,11 @@ _rs_init(u_char *buf, size_t n) static void _rs_stir(void) { - int mib[2]; - size_t len; u_char rnd[KEYSZ + IVSZ]; - mib[0] = CTL_KERN; - mib[1] = KERN_ARND; - - len = sizeof(rnd); - sysctl(mib, 2, rnd, &len, NULL, 0); + if (RAND_bytes(rnd, sizeof(rnd)) <= 0) + fatal("Couldn't obtain random bytes (error %ld)", + ERR_get_error()); if (!rs_initialized) { rs_initialized = 1; @@ -194,6 +199,11 @@ arc4random(void) return val; } +/* + * If we are providing arc4random, then we can provide a more efficient + * arc4random_buf(). + */ +# ifndef HAVE_ARC4RANDOM_BUF void arc4random_buf(void *buf, size_t n) { 
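Review bot: The new fatal() call in _rs_stir prints `ERR_get_error()` with `%ld`, but that function returns an `unsigned long`, so the conversion should be `%lu`: `fatal("Couldn't obtain random bytes (error %lu)", ERR_get_error());`. The check itself has the right shape — RAND_bytes() signals failure with 0 or -1, and aborting is the correct outcome rather than keying ChaCha from an unfilled `rnd` buffer. Since this replaces the sysctl(KERN_ARND) seed source, the generator's quality now depends entirely on OpenSSL's RNG having been seeded earlier in the process, which is worth stating in a comment above the call. _rs_stir's body continues outside the hunk.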
@@ -201,7 +211,29 @@ arc4random_buf(void *buf, size_t n) _rs_random_buf(buf, n); _ARC4_UNLOCK(); } +# endif /* !HAVE_ARC4RANDOM_BUF */ +#endif /* !HAVE_ARC4RANDOM */ + +/* arc4random_buf() that uses platform arc4random() */ +#if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) +void +arc4random_buf(void *_buf, size_t n) +{ + size_t i; + u_int32_t r = 0; + char *buf = (char *)_buf; + + for (i = 0; i < n; i++) { + if (i % 4 == 0) + r = arc4random(); + buf[i] = r & 0xff; + r >>= 8; + } + i = r = 0; +} +#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */ +#ifndef HAVE_ARC4RANDOM_UNIFORM /* * Calculate a uniformly distributed random number less than upper_bound * avoiding "modulo bias". @@ -237,6 +269,7 @@ arc4random_uniform(u_int32_t upper_bound) return r % upper_bound; } +#endif /* !HAVE_ARC4RANDOM_UNIFORM */ #if 0 /*-------- Test code for i386 --------*/ diff --git a/openbsd-compat/bsd-arc4random.c b/openbsd-compat/bsd-arc4random.c deleted file mode 100644 index d7c58625..00000000 --- a/openbsd-compat/bsd-arc4random.c +++ /dev/null 
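Review bot: The trailing `i = r = 0;` in the platform-arc4random() variant of `arc4random_buf()` reads as an attempt to scrub the last keystream word from the stack, but both variables are dead after that statement, so an optimizing compiler may simply drop the stores; either delete the line or comment it as best-effort so nobody relies on it. The loop itself is sound: `r` is refilled from arc4random() every four bytes and each output byte takes the low octet before the shift, so no keystream byte is reused. A header comment would help readers who see two definitions of the same function in one file, e.g. `/* Shim for libc arc4random() without arc4random_buf(): one arc4random() call per 4 output bytes. */`.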
@@ -1,150 +0,0 @@ -/* - * Copyright (c) 1999,2000,2004 Damien Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include "includes.h" - -#include - -#include -#include -#include - -#include "log.h" - -#ifndef HAVE_ARC4RANDOM - -#include -#include -#include - -/* Size of key to use */ -#define SEED_SIZE 20 - -/* Number of bytes to reseed after */ -#define REKEY_BYTES (1 << 24) - -static int rc4_ready = 0; -static RC4_KEY rc4; - -unsigned int -arc4random(void) -{ - unsigned int r = 0; - static int first_time = 1; - - if (rc4_ready <= 0) { - if (first_time) - seed_rng(); - first_time = 0; - arc4random_stir(); - } - - RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r); - - rc4_ready -= sizeof(r); - - return(r); -} - -void -arc4random_stir(void) -{ - unsigned char rand_buf[SEED_SIZE]; - int i; - - memset(&rc4, 0, sizeof(rc4)); - if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0) - fatal("Couldn't obtain random bytes (error %ld)", - ERR_get_error()); - RC4_set_key(&rc4, sizeof(rand_buf), rand_buf); - - /* - * Discard early keystream, as per recommendations in: - * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps - */ - for(i = 0; i <= 256; i += sizeof(rand_buf)) - RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf); - - memset(rand_buf, 0, sizeof(rand_buf)); - 
- rc4_ready = REKEY_BYTES; -} -#endif /* !HAVE_ARC4RANDOM */ - -#ifndef HAVE_ARC4RANDOM_BUF -void -arc4random_buf(void *_buf, size_t n) -{ - size_t i; - u_int32_t r = 0; - char *buf = (char *)_buf; - - for (i = 0; i < n; i++) { - if (i % 4 == 0) - r = arc4random(); - buf[i] = r & 0xff; - r >>= 8; - } - i = r = 0; -} -#endif /* !HAVE_ARC4RANDOM_BUF */ - -#ifndef HAVE_ARC4RANDOM_UNIFORM -/* - * Calculate a uniformly distributed random number less than upper_bound - * avoiding "modulo bias". - * - * Uniformity is achieved by generating new random numbers until the one - * returned is outside the range [0, 2**32 % upper_bound). This - * guarantees the selected random number will be inside - * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound) - * after reduction modulo upper_bound. - */ -u_int32_t -arc4random_uniform(u_int32_t upper_bound) -{ - u_int32_t r, min; - - if (upper_bound < 2) - return 0; - -#if (ULONG_MAX > 0xffffffffUL) - min = 0x100000000UL % upper_bound; -#else - /* Calculate (2**32 % upper_bound) avoiding 64-bit math */ - if (upper_bound > 0x80000000) - min = 1 + ~upper_bound; /* 2**32 - upper_bound */ - else { - /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */ - min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound; - } -#endif - - /* - * This could theoretically loop forever but each retry has - * p > 0.5 (worst case, usually far better) of selecting a - * number inside the range we need, so it should rarely need - * to re-roll. - */ - for (;;) { - r = arc4random(); - if (r >= min) - break; - } - - return r % upper_bound; -} -#endif /* !HAVE_ARC4RANDOM_UNIFORM */ -- cgit v1.2.1 From 02691061171b9f1bc0b2b8e6a68761eb2e76bfb5 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Wed, 9 Oct 2013 23:24:11 +0000 Subject: - sthen@cvs.openbsd.org 2013/09/16 11:35:43 [ssh_config] Remove gssapi config parts from ssh_config, as was already done for sshd_config. Req by/ok ajacoutot@ ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular --- ChangeLog | 8 ++++++++ ssh_config | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 78578cf1..73fc2e18 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20131010 + - (dtucker) OpenBSD CVS Sync + - sthen@cvs.openbsd.org 2013/09/16 11:35:43 + [ssh_config] + Remove gssapi config parts from ssh_config, as was already done for + sshd_config. Req by/ok ajacoutot@ + ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular + 20131009 - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull in OpenBSD implementation of arc4random, shortly to replace the existing diff --git a/ssh_config b/ssh_config index bb408193..03a228fb 100644 --- a/ssh_config +++ b/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.27 2013/05/16 02:00:34 dtucker Exp $ +# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for -- cgit v1.2.1 From 06150a4b016122fcee8c9126052a24f2bc130819 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 9 Oct 2013 23:25:09 +0000 Subject: - djm@cvs.openbsd.org 2013/09/19 00:24:52 [progressmeter.c] store the initial file offset so the progress meter doesn't freak out when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@ --- ChangeLog | 4 ++++ progressmeter.c | 8 +++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 73fc2e18..5e9eabb4 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -5,6 +5,10 @@ Remove gssapi config parts from ssh_config, as was already done for sshd_config. Req by/ok ajacoutot@ ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular + - djm@cvs.openbsd.org 2013/09/19 00:24:52 + [progressmeter.c] + store the initial file offset so the progress meter doesn't freak out + when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@` 20131009 - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull diff --git a/progressmeter.c b/progressmeter.c index 332bd3c9..bbbc7066 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: progressmeter.c,v 1.39 2013/06/02 13:33:05 dtucker Exp $ */ +/* $OpenBSD: progressmeter.c,v 1.40 2013/09/19 00:24:52 djm Exp $ */ /* * Copyright (c) 2003 Nils Nordman. All rights reserved. * @@ -66,6 +66,7 @@ static void update_progress_meter(int); static time_t start; /* start progress */ static time_t last_update; /* last progress update */ static char *file; /* name of the file being transferred */ +static off_t start_pos; /* initial position of transfer */ static off_t end_pos; /* ending position of transfer */ static off_t cur_pos; /* transfer position as of last refresh */ static volatile off_t *counter; /* progress counter */ @@ -129,7 +130,7 @@ refresh_progress_meter(void) int i, len; int file_len; - transferred = *counter - cur_pos; + transferred = *counter - (cur_pos ? cur_pos : start_pos); cur_pos = *counter; now = monotime(); bytes_left = end_pos - cur_pos; @@ -139,7 +140,7 @@ refresh_progress_meter(void) else { elapsed = now - start; /* Calculate true total speed when done */ - transferred = end_pos; + transferred = end_pos - start_pos; bytes_per_second = 0; } @@ -251,6 +252,7 @@ start_progress_meter(char *f, off_t filesize, off_t *ctr) { start = last_update = monotime(); file = f; + start_pos = *ctr; end_pos = filesize; cur_pos = 0; counter = ctr; -- cgit v1.2.1 
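Review bot: `refresh_progress_meter` now treats `cur_pos == 0` as "no refresh yet" (`transferred = *counter - (cur_pos ? cur_pos : start_pos);`), which only works because start_progress_meter still does `cur_pos = 0;`. Setting `cur_pos = start_pos;` there, next to the new `start_pos = *ctr;`, gives the same result on the first refresh and lets the subtraction stay the plain `transferred = *counter - cur_pos;` with no sentinel to explain. The completion branch `transferred = end_pos - start_pos;` is consistent with either form. Both refresh_progress_meter and start_progress_meter begin outside their hunks.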
From 5903532ae476ba291a8d047ed807cf38cf48a5f6 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 9 Oct 2013 23:26:21 +0000 Subject: - djm@cvs.openbsd.org 2013/09/19 00:49:12 [sftp-client.c] fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan --- ChangeLog | 3 +++ sftp-client.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5e9eabb4..5b49df51 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ [progressmeter.c] store the initial file offset so the progress meter doesn't freak out when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@` + - djm@cvs.openbsd.org 2013/09/19 00:49:12 + [sftp-client.c] + fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan 20131009 - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull diff --git a/sftp-client.c b/sftp-client.c index f2ce9deb..eb893080 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.103 2013/08/09 03:39:13 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.104 2013/09/19 00:49:12 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1643,8 +1643,8 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, } int -upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag, - int pflag) +upload_dir(struct sftp_conn *conn, char *src, char *dst, int pflag, + int printflag) { char *dst_canon; int ret; -- cgit v1.2.1 From 5d4fb50a8b4612f844246f61b38e78a4232b1f39 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 9 Oct 2013 23:27:21 +0000 Subject: - djm@cvs.openbsd.org 2013/09/19 01:24:46 [channels.c] bz#1297 - tell the client (via packet_send_debug) when their preferred listen address has been overridden by the server's GatewayPorts; ok dtucker@ --- ChangeLog | 5 +++++ channels.c | 16 ++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5b49df51..2a56ccfc 100644 --- a/ChangeLog 
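Review bot: Swapping the `pflag` and `printflag` names on the `upload_dir` definition fixes the body without changing its signature, and because both are `int` the compiler cannot catch a caller that still passes them the other way round. The diffstat lists only ChangeLog and sftp-client.c, so if the prototype in the header names its parameters it still shows the old order and should be brought in line. A short comment on the definition such as `/* pflag: preserve attributes; printflag: print per-file progress — order must match callers */` would make the distinction visible at the point where it was previously confused; upload_dir's body continues outside the hunk.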
+++ b/ChangeLog @@ -12,6 +12,11 @@ - djm@cvs.openbsd.org 2013/09/19 00:49:12 [sftp-client.c] fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan + - djm@cvs.openbsd.org 2013/09/19 01:24:46 + [channels.c] + bz#1297 - tell the client (via packet_send_debug) when their preferred + listen address has been overridden by the server's GatewayPorts; + ok dtucker@ 20131009 - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull diff --git a/channels.c b/channels.c index 698fa6da..d227379d 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.325 2013/09/13 06:54:34 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.326 2013/09/19 01:24:46 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2710,8 +2710,20 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp, if (((datafellows & SSH_OLD_FORWARD_ADDR) && strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || - (!is_client && gateway_ports == 1)) + (!is_client && gateway_ports == 1)) { wildcard = 1; + /* + * Notify client if they requested a specific listen + * address and it was overridden. + */ + if (*listen_addr != '\0' && + strcmp(listen_addr, "0.0.0.0") != 0 && + strcmp(listen_addr, "*") != 0) { + packet_send_debug("Forwarding listen address " + "\"%s\" overridden by server " + "GatewayPorts", listen_addr); + } + } else if (strcmp(listen_addr, "localhost") != 0) addr = listen_addr; } -- cgit v1.2.1 From d64169e1bb4374a7d9d24e68d182a7e6f5f747b9 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 9 Oct 2013 23:28:07 +0000 Subject: - djm@cvs.openbsd.org 2013/09/19 01:26:29 [sshconnect.c] bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from swp AT swp.pp.ru; ok dtucker@ --- ChangeLog | 4 ++++ sshconnect.c | 51 ++++++++++++++++++++++++++------------------------- 2 files changed, 30 insertions(+), 25 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 2a56ccfc..6152abb5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,10 @@ bz#1297 - tell the client (via packet_send_debug) when their preferred listen address has been overridden by the server's GatewayPorts; ok dtucker@ + - djm@cvs.openbsd.org 2013/09/19 01:26:29 + [sshconnect.c] + bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from + swp AT swp.pp.ru; ok dtucker@ 20131009 - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull diff --git a/sshconnect.c b/sshconnect.c index 76bb5cda..aee38198 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.239 2013/08/20 00:11:38 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.240 2013/09/19 01:26:29 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -282,34 +282,18 @@ ssh_kill_proxy_command(void) static int ssh_create_socket(int privileged, struct addrinfo *ai) { - int sock, gaierr; + int sock, r, gaierr; struct addrinfo hints, *res; - /* - * If we are running as root and want to connect to a privileged - * port, bind our own socket to a privileged port. - */ - if (privileged) { - int p = IPPORT_RESERVED - 1; - PRIV_START; - sock = rresvport_af(&p, ai->ai_family); - PRIV_END; - if (sock < 0) - error("rresvport: af=%d %.100s", ai->ai_family, - strerror(errno)); - else - debug("Allocated local port %d.", p); - return sock; - } sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); if (sock < 0) { - error("socket: %.100s", strerror(errno)); + error("socket: %s", strerror(errno)); return -1; } fcntl(sock, F_SETFD, FD_CLOEXEC); /* Bind the socket to an alternative local IP address */ - if (options.bind_address == NULL) + if (options.bind_address == NULL && !privileged) return sock; memset(&hints, 0, sizeof(hints)); 
@@ -324,11 +308,28 @@ ssh_create_socket(int privileged, struct addrinfo *ai) close(sock); return -1; } - if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { - error("bind: %s: %s", options.bind_address, strerror(errno)); - close(sock); - freeaddrinfo(res); - return -1; + /* + * If we are running as root and want to connect to a privileged + * port, bind our own socket to a privileged port. + */ + if (privileged) { + PRIV_START; + r = bindresvport_sa(sock, res->ai_addr); + PRIV_END; + if (r < 0) { + error("bindresvport_sa: af=%d %s", ai->ai_family, + strerror(errno)); + goto fail; + } + } else { + if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { + error("bind: %s: %s", options.bind_address, + strerror(errno)); + fail: + close(sock); + freeaddrinfo(res); + return -1; + } } freeaddrinfo(res); return sock; -- cgit v1.2.1 From ab3e6632dd18a952545785d2c62e9e606cf85549 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 9 Oct 2013 23:32:39 +0000 Subject: - dtucker@cvs.openbsd.org 2013/10/08 11:42:13 [dh.c dh.h] Increase the size of the Diffie-Hellman groups requested for a each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC4419. Pointed out by Peter Backes, ok djm@. --- ChangeLog | 6 ++++++ dh.c | 17 ++++++++++------- dh.h | 3 ++- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6152abb5..5eb73c9f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,12 @@ [sshconnect.c] bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from swp AT swp.pp.ru; ok dtucker@ + - dtucker@cvs.openbsd.org 2013/10/08 11:42:13 + [dh.c dh.h] + Increase the size of the Diffie-Hellman groups requested for a each + symmetric key size. New values from NIST Special Publication 800-57 with + the upper limit specified by RFC4419. Pointed out by Peter Backes, ok + djm@. 20131009 - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull 
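Review bot: The `fail:` label sits inside the `else` block and is reached by `goto fail;` from the `if (privileged)` branch, so control jumps into the middle of a sibling compound statement; hoisting the label and its `close(sock); freeaddrinfo(res); return -1;` cleanup below the `if`/`else` keeps the error path in one place. Separately, with `options.bind_address == NULL` and `privileged` set the function now continues into the getaddrinfo() call that lies between the two hunks with a NULL node, which the old rresvport_af() path never needed; confirm the hints set there yield a usable wildcard address. ssh_create_socket's closing brace is outside the hunk.

```c
	if (privileged) {
		PRIV_START;
		r = bindresvport_sa(sock, res->ai_addr);
		PRIV_END;
		if (r < 0) {
			error("bindresvport_sa: af=%d %s", ai->ai_family,
			    strerror(errno));
			goto fail;
		}
	} else if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
		error("bind: %s: %s", options.bind_address, strerror(errno));
		goto fail;
	}
	freeaddrinfo(res);
	return sock;
 fail:
	close(sock);
	freeaddrinfo(res);
	return -1;
```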
diff --git a/dh.c b/dh.c index 449dd385..d33af1fa 100644 --- a/dh.c +++ b/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */ +/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * @@ -352,17 +352,20 @@ dh_new_group14(void) /* * Estimates the group order for a Diffie-Hellman group that has an - * attack complexity approximately the same as O(2**bits). Estimate - * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3))) + * attack complexity approximately the same as O(2**bits). + * Values from NIST Special Publication 800-57: Recommendation for Key + * Management Part 1 (rev 3) limited by the recommended maximum value + * from RFC4419 section 3. */ int dh_estimate(int bits) { - + if (bits <= 112) + return 2048; if (bits <= 128) - return (1024); /* O(2**86) */ + return 3072; if (bits <= 192) - return (2048); /* O(2**116) */ - return (4096); /* O(2**156) */ + return 7680; + return 8192; } diff --git a/dh.h b/dh.h index dfc1480e..48f7b68e 100644 --- a/dh.h +++ b/dh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */ +/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. @@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *); int dh_estimate(int); +/* Min and max values from RFC4419. */ #define DH_GRP_MIN 1024 #define DH_GRP_MAX 8192 -- cgit v1.2.1 From 41cfd08d792e17a35b0f0995ad0ecfe9b921832f Mon Sep 17 00:00:00 2001 
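Review bot: `dh_estimate` returns the literal `8192` as its ceiling while the dh.h hunk defines that same cap as `DH_GRP_MAX` and the new comment says the values are limited by the RFC4419 maximum; `return DH_GRP_MAX;` ties the two together so a later edit to one cannot silently diverge from the other. The larger requests mean both peers now do modular exponentiation in groups of up to 8192 bits for the strongest ciphers, a noticeable per-key-exchange CPU cost on slow hosts, which deserves one sentence beside the NIST citation so the next person tuning these values sees the trade-off. dh_estimate is fully inside the hunk.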
From: djm Date: Tue, 15 Oct 2013 00:55:57 +0000 Subject: - djm@cvs.openbsd.org 2013/10/09 23:42:17 [sftp-server.8 sftp-server.c] Add ability to whitelist and/or blacklist sftp protocol requests by name. Refactor dispatch loop and consolidate read-only mode checks. Make global variables static, since sftp-server is linked into sshd(8). ok dtucker@ --- ChangeLog | 9 ++ sftp-server.8 | 38 +++++- sftp-server.c | 403 +++++++++++++++++++++++++++++++--------------------------- 3 files changed, 258 insertions(+), 192 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5eb73c9f..2ab5a2cb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20131015 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/09 23:42:17 + [sftp-server.8 sftp-server.c] + Add ability to whitelist and/or blacklist sftp protocol requests by name. + Refactor dispatch loop and consolidate read-only mode checks. + Make global variables static, since sftp-server is linked into sshd(8). + ok dtucker@ + 20131010 - (dtucker) OpenBSD CVS Sync - sthen@cvs.openbsd.org 2013/09/16 11:35:43 diff --git a/sftp-server.8 b/sftp-server.8 index cc925b96..d7604b28 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.23 2013/07/16 00:07:52 schwarze Exp $ +.\" $OpenBSD: sftp-server.8,v 1.24 2013/10/09 23:42:17 djm Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 16 2013 $ +.Dd $Mdocdate: October 9 2013 $ .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -30,11 +30,15 @@ .Nd SFTP server subsystem .Sh SYNOPSIS .Nm sftp-server +.Bk -words .Op Fl ehR .Op Fl d Ar start_directory .Op Fl f Ar log_facility .Op Fl l Ar log_level .Op Fl u Ar umask +.Ek +.Nm +.Fl Q Ar protocol_feature .Sh DESCRIPTION .Nm is a program that speaks the server side of SFTP protocol 
@@ -93,6 +97,36 @@ performs on behalf of the client. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. The default is ERROR. +.It Fl P Ar blacklisted_requests +Specify a comma-separated list of sftp protocol requests that are banned by +the server. +.Nm +will reply to any blacklisted request with a failure. +The +.Fl Q +flag allows querying +.Nm +to determine the supported request types. +If both a blacklist and a whitelist are specified, then the blacklist is +applied before the whitelist. +.It Fl p Ar whitelisted_requests +Specify a comma-separated list of sftp protocol requests that are permitted +by the server. +All request types that are not on the whitelist will be logged and replied +to with a failure message. +.Pp +Care must be taken when using this feature to ensure that requests made +implicitly by sftp clients are permitted. +.It Fl Q Ar protocol_feature +Query protocol features supported by +.Nm . +At present the only feature that may be queried is +.Dq requests , +that may be used for whitelisting or blacklisting (flags +.Fl p +and +.Fl P +respectively.) .It Fl R Places this instance of .Nm diff --git a/sftp-server.c b/sftp-server.c index 285f21aa..ca8335ec 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.97 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.98 2013/10/09 23:42:17 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -46,6 +46,7 @@ #include "buffer.h" #include "log.h" #include "misc.h" +#include "match.h" #include "uidswap.h" #include "sftp.h" 
@@ -57,24 +58,29 @@ #define get_string(lenp) buffer_get_string(&iqueue, lenp); /* Our verbosity */ -LogLevel log_level = SYSLOG_LEVEL_ERROR; +static LogLevel log_level = SYSLOG_LEVEL_ERROR; /* Our client */ -struct passwd *pw = NULL; -char *client_addr = NULL; +static struct passwd *pw = NULL; +static char *client_addr = NULL; /* input and output queue */ -Buffer iqueue; -Buffer oqueue; +static Buffer iqueue; +static Buffer oqueue; /* Version of client */ -u_int version; +static u_int version; + +/* SSH2_FXP_INIT received */ +static int init_done; /* Disable writes */ -int readonly; +static int readonly; -/* portable attributes, etc. */ +/* Requests that are allowed/denied */ +static char *request_whitelist, *request_blacklist; +/* portable attributes, etc. */ typedef struct Stat Stat; struct Stat { 
@@ -83,6 +89,100 @@ struct Stat { Attrib attrib; }; +/* Packet handlers */ +static void process_open(u_int32_t id); +static void process_close(u_int32_t id); +static void process_read(u_int32_t id); +static void process_write(u_int32_t id); +static void process_stat(u_int32_t id); +static void process_lstat(u_int32_t id); +static void process_fstat(u_int32_t id); +static void process_setstat(u_int32_t id); +static void process_fsetstat(u_int32_t id); +static void process_opendir(u_int32_t id); +static void process_readdir(u_int32_t id); +static void process_remove(u_int32_t id); +static void process_mkdir(u_int32_t id); +static void process_rmdir(u_int32_t id); +static void process_realpath(u_int32_t id); +static void process_rename(u_int32_t id); +static void process_readlink(u_int32_t id); +static void process_symlink(u_int32_t id); +static void process_extended_posix_rename(u_int32_t id); +static void process_extended_statvfs(u_int32_t id); +static void process_extended_fstatvfs(u_int32_t id); +static void process_extended_hardlink(u_int32_t id); +static void process_extended(u_int32_t id); + +struct sftp_handler { + const char *name; /* user-visible name for fine-grained perms */ + const char *ext_name; /* extended request name */ + u_int type; /* packet type, for non extended packets */ + void (*handler)(u_int32_t); + int does_write; /* if nonzero, banned for readonly mode */ +}; + +struct sftp_handler handlers[] = { + /* NB. 
SSH2_FXP_OPEN does the readonly check in the handler itself */ + { "open", NULL, SSH2_FXP_OPEN, process_open, 0 }, + { "close", NULL, SSH2_FXP_CLOSE, process_close, 0 }, + { "read", NULL, SSH2_FXP_READ, process_read, 0 }, + { "write", NULL, SSH2_FXP_WRITE, process_write, 1 }, + { "lstat", NULL, SSH2_FXP_LSTAT, process_lstat, 0 }, + { "fstat", NULL, SSH2_FXP_FSTAT, process_fstat, 0 }, + { "setstat", NULL, SSH2_FXP_SETSTAT, process_setstat, 1 }, + { "fsetstat", NULL, SSH2_FXP_FSETSTAT, process_fsetstat, 1 }, + { "opendir", NULL, SSH2_FXP_OPENDIR, process_opendir, 0 }, + { "readdir", NULL, SSH2_FXP_READDIR, process_readdir, 0 }, + { "remove", NULL, SSH2_FXP_REMOVE, process_remove, 1 }, + { "mkdir", NULL, SSH2_FXP_MKDIR, process_mkdir, 1 }, + { "rmdir", NULL, SSH2_FXP_RMDIR, process_rmdir, 1 }, + { "realpath", NULL, SSH2_FXP_REALPATH, process_realpath, 0 }, + { "stat", NULL, SSH2_FXP_STAT, process_stat, 0 }, + { "rename", NULL, SSH2_FXP_RENAME, process_rename, 1 }, + { "readlink", NULL, SSH2_FXP_READLINK, process_readlink, 0 }, + { "symlink", NULL, SSH2_FXP_SYMLINK, process_symlink, 1 }, + { NULL, NULL, 0, NULL, 0 } +}; + +/* SSH2_FXP_EXTENDED submessages */ +struct sftp_handler extended_handlers[] = { + { "posix-rename", "posix-rename@openssh.com", 0, + process_extended_posix_rename, 1 }, + { "statvfs", "statvfs@openssh.com", 0, process_extended_statvfs, 0 }, + { "fstatvfs", "fstatvfs@openssh.com", 0, process_extended_fstatvfs, 0 }, + { "hardlink", "hardlink@openssh.com", 0, process_extended_hardlink, 1 }, + { NULL, NULL, 0, NULL, 0 } +}; + +static int +request_permitted(struct sftp_handler *h) +{ + char *result; + + if (readonly && h->does_write) { + verbose("Refusing %s request in read-only mode", h->name); + return 0; + } + if (request_blacklist != NULL && + ((result = match_list(h->name, request_blacklist, NULL))) != NULL) { + free(result); + verbose("Refusing blacklisted %s request", h->name); + return 0; + } + if (request_whitelist != NULL && + ((result = 
match_list(h->name, request_whitelist, NULL))) != NULL) { + free(result); + debug2("Permitting whitelisted %s request", h->name); + return 1; + } + if (request_whitelist != NULL) { + verbose("Refusing non-whitelisted %s request", h->name); + return 0; + } + return 1; +} + static int errno_to_portable(int unixerrno) { @@ -543,14 +643,13 @@ process_init(void) } static void -process_open(void) +process_open(u_int32_t id) { - u_int32_t id, pflags; + u_int32_t pflags; Attrib *a; char *name; int handle, fd, flags, mode, status = SSH2_FX_FAILURE; - id = get_int(); name = get_string(NULL); pflags = get_int(); /* portable flags */ debug3("request %u: open flags %d", id, pflags); @@ -560,9 +659,11 @@ process_open(void) logit("open \"%s\" flags %s mode 0%o", name, string_from_portable(pflags), mode); if (readonly && - ((flags & O_ACCMODE) == O_WRONLY || (flags & O_ACCMODE) == O_RDWR)) - status = SSH2_FX_PERMISSION_DENIED; - else { + ((flags & O_ACCMODE) == O_WRONLY || + (flags & O_ACCMODE) == O_RDWR)) { + verbose("Refusing open request in read-only mode"); + status = SSH2_FX_PERMISSION_DENIED; + } else { fd = open(name, flags, mode); if (fd < 0) { status = errno_to_portable(errno); @@ -582,12 +683,10 @@ process_open(void) } static void -process_close(void) +process_close(u_int32_t id) { - u_int32_t id; int handle, ret, status = SSH2_FX_FAILURE; - id = get_int(); handle = get_handle(); debug3("request %u: close handle %u", id, handle); handle_log_close(handle, NULL); @@ -597,14 +696,13 @@ process_close(void) } static void -process_read(void) +process_read(u_int32_t id) { char buf[64*1024]; - u_int32_t id, len; + u_int32_t len; int handle, fd, ret, status = SSH2_FX_FAILURE; u_int64_t off; - id = get_int(); handle = get_handle(); off = get_int64(); len = get_int(); 
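Review bot: `handlers[]` and `extended_handlers[]` are defined without `static` even though the commit's stated aim is to make sftp-server's globals static because it is linked into sshd(8); as far as this diff shows both tables are only used within the file, so `static struct sftp_handler handlers[] = {` and `static struct sftp_handler extended_handlers[] = {` would close that gap. In `request_permitted` the read-only check runs first, then the blacklist, then the whitelist, which matches the precedence the sftp-server.8 hunk documents; a comment at the top of the function, `/* Precedence: read-only mode, then -P blacklist, then -p whitelist. */`, would keep code and manual page in step. The `open` entry is deliberately `does_write = 0` and depends on the in-handler check, as the table comment notes.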
@@ -638,15 +736,13 @@ process_read(void) } static void -process_write(void) +process_write(u_int32_t id) { - u_int32_t id; u_int64_t off; u_int len; int handle, fd, ret, status; char *data; - id = get_int(); handle = get_handle(); off = get_int64(); data = get_string(&len); @@ -657,8 +753,6 @@ process_write(void) if (fd < 0) status = SSH2_FX_FAILURE; - else if (readonly) - status = SSH2_FX_PERMISSION_DENIED; else { if (lseek(fd, off, SEEK_SET) < 0) { status = errno_to_portable(errno); @@ -683,15 +777,13 @@ process_write(void) } static void -process_do_stat(int do_lstat) +process_do_stat(u_int32_t id, int do_lstat) { Attrib a; struct stat st; - u_int32_t id; char *name; int ret, status = SSH2_FX_FAILURE; - id = get_int(); name = get_string(NULL); debug3("request %u: %sstat", id, do_lstat ? "l" : ""); verbose("%sstat name \"%s\"", do_lstat ? "l" : "", name); @@ -709,26 +801,24 @@ process_do_stat(int do_lstat) } static void -process_stat(void) +process_stat(u_int32_t id) { - process_do_stat(0); + process_do_stat(id, 0); } static void -process_lstat(void) +process_lstat(u_int32_t id) { - process_do_stat(1); + process_do_stat(id, 1); } static void -process_fstat(void) +process_fstat(u_int32_t id) { Attrib a; struct stat st; - u_int32_t id; int fd, ret, handle, status = SSH2_FX_FAILURE; - id = get_int(); handle = get_handle(); debug("request %u: fstat \"%s\" (handle %u)", id, handle_to_name(handle), handle); @@ -760,21 +850,15 @@ attrib_to_tv(const Attrib *a) } static void -process_setstat(void) +process_setstat(u_int32_t id) { Attrib *a; - u_int32_t id; char *name; int status = SSH2_FX_OK, ret; - id = get_int(); name = get_string(NULL); a = get_attrib(); debug("request %u: setstat name \"%s\"", id, name); - if (readonly) { - status = SSH2_FX_PERMISSION_DENIED; - a->flags = 0; - } if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { logit("set \"%s\" size %llu", name, (unsigned long long)a->size); 
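Review bot: Dropping `else if (readonly) status = SSH2_FX_PERMISSION_DENIED;` from process_write (and the matching checks removed from process_setstat here and from process_fsetstat, process_remove, process_mkdir and process_rmdir in the following hunks) moves read-only enforcement entirely onto the handler table's `does_write` flag as consulted by the dispatcher, which is not in view; it is worth confirming that the table is the only route by which these functions are called, since a direct call would now bypass the check. A one-line comment on each affected handler, e.g. `/* read-only mode is enforced by request_permitted() before dispatch */`, would record that the check was relocated rather than lost. process_write's body starts and ends outside this hunk.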
@@ -811,22 +895,18 @@ process_setstat(void) } static void -process_fsetstat(void) +process_fsetstat(u_int32_t id) { Attrib *a; - u_int32_t id; int handle, fd, ret; int status = SSH2_FX_OK; - id = get_int(); handle = get_handle(); a = get_attrib(); debug("request %u: fsetstat handle %d", id, handle); fd = handle_to_fd(handle); if (fd < 0) status = SSH2_FX_FAILURE; - else if (readonly) - status = SSH2_FX_PERMISSION_DENIED; else { char *name = handle_to_name(handle); @@ -878,14 +958,12 @@ process_fsetstat(void) } static void -process_opendir(void) +process_opendir(u_int32_t id) { DIR *dirp = NULL; char *path; int handle, status = SSH2_FX_FAILURE; - u_int32_t id; - id = get_int(); path = get_string(NULL); debug3("request %u: opendir", id); logit("opendir \"%s\"", path); @@ -908,15 +986,13 @@ process_opendir(void) } static void -process_readdir(void) +process_readdir(u_int32_t id) { DIR *dirp; struct dirent *dp; char *path; int handle; - u_int32_t id; - id = get_int(); handle = get_handle(); debug("request %u: readdir \"%s\" (handle %d)", id, handle_to_name(handle), handle); 
@@ -964,81 +1040,61 @@ process_readdir(void) } static void -process_remove(void) +process_remove(u_int32_t id) { char *name; - u_int32_t id; int status = SSH2_FX_FAILURE; int ret; - id = get_int(); name = get_string(NULL); debug3("request %u: remove", id); logit("remove name \"%s\"", name); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = unlink(name); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = unlink(name); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(name); } static void -process_mkdir(void) +process_mkdir(u_int32_t id) { Attrib *a; - u_int32_t id; char *name; int ret, mode, status = SSH2_FX_FAILURE; - id = get_int(); name = get_string(NULL); a = get_attrib(); mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm & 07777 : 0777; debug3("request %u: mkdir", id); logit("mkdir name \"%s\" mode 0%o", name, mode); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = mkdir(name, mode); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = mkdir(name, mode); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(name); } static void -process_rmdir(void) +process_rmdir(u_int32_t id) { - u_int32_t id; char *name; int ret, status; - id = get_int(); name = get_string(NULL); debug3("request %u: rmdir", id); logit("rmdir name \"%s\"", name); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = rmdir(name); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = rmdir(name); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(name); } static void -process_realpath(void) +process_realpath(u_int32_t id) { char resolvedname[MAXPATHLEN]; - u_int32_t id; char *path; - id = get_int(); path = get_string(NULL); if (path[0] == '\0') { free(path); 
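Review bot: process_remove, process_mkdir and process_rmdir lose their local `if (readonly)` branches here, as do process_symlink, process_extended_posix_rename and process_extended_hardlink in the following hunks, so refusing writes in -R mode now depends entirely on the dispatch table that request_permitted() consults, and that table is not in these hunks. A one-line comment at the top of each of these handlers, `/* Read-only mode is enforced by request_permitted() before dispatch. */`, would tell the next maintainer where the check went and that a new modifying handler must be flagged in the table rather than guarded locally.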
@@ -1058,22 +1114,18 @@ process_realpath(void) } static void -process_rename(void) +process_rename(u_int32_t id) { - u_int32_t id; char *oldpath, *newpath; int status; struct stat sb; - id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL); debug3("request %u: rename", id); logit("rename old \"%s\" new \"%s\"", oldpath, newpath); status = SSH2_FX_FAILURE; - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else if (lstat(oldpath, &sb) == -1) + if (lstat(oldpath, &sb) == -1) status = errno_to_portable(errno); else if (S_ISREG(sb.st_mode)) { /* Race-free rename of regular files */ @@ -1120,14 +1172,12 @@ process_rename(void) } static void -process_readlink(void) +process_readlink(u_int32_t id) { - u_int32_t id; int len; char buf[MAXPATHLEN]; char *path; - id = get_int(); path = get_string(NULL); debug3("request %u: readlink", id); verbose("readlink \"%s\"", path); @@ -1145,24 +1195,18 @@ process_readlink(void) } static void -process_symlink(void) +process_symlink(u_int32_t id) { - u_int32_t id; char *oldpath, *newpath; int ret, status; - id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL); debug3("request %u: symlink", id); logit("symlink old \"%s\" new \"%s\"", oldpath, newpath); /* this will fail if 'newpath' exists */ - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = symlink(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = symlink(oldpath, newpath); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(oldpath); free(newpath); 
@@ -1178,12 +1222,8 @@ process_extended_posix_rename(u_int32_t id) newpath = get_string(NULL); debug3("request %u: posix-rename", id); logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = rename(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = rename(oldpath, newpath); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(oldpath); free(newpath); @@ -1235,35 +1275,33 @@ process_extended_hardlink(u_int32_t id) newpath = get_string(NULL); debug3("request %u: hardlink", id); logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath); - if (readonly) - status = SSH2_FX_PERMISSION_DENIED; - else { - ret = link(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + ret = link(oldpath, newpath); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(oldpath); free(newpath); } static void -process_extended(void) +process_extended(u_int32_t id) { - u_int32_t id; char *request; + u_int i; - id = get_int(); request = get_string(NULL); - if (strcmp(request, "posix-rename@openssh.com") == 0) - process_extended_posix_rename(id); - else if (strcmp(request, "statvfs@openssh.com") == 0) - process_extended_statvfs(id); - else if (strcmp(request, "fstatvfs@openssh.com") == 0) - process_extended_fstatvfs(id); - else if (strcmp(request, "hardlink@openssh.com") == 0) - process_extended_hardlink(id); - else + for (i = 0; extended_handlers[i].handler != NULL; i++) { + if (strcmp(request, extended_handlers[i].ext_name) == 0) { + if (!request_permitted(&extended_handlers[i])) + send_status(id, SSH2_FX_PERMISSION_DENIED); + else + extended_handlers[i].handler(id); + break; + } + } + if (extended_handlers[i].handler == NULL) { + error("Unknown extended request \"%.100s\"", request); send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */ + } free(request); } 
@@ -1272,11 +1310,9 @@ process_extended(void)
 static void
 process(void)
 {
- u_int msg_len;
- u_int buf_len;
- u_int consumed;
- u_int type;
+ u_int msg_len, buf_len, consumed, type, i;
 u_char *cp;
+ u_int32_t id;
 
 buf_len = buffer_len(&iqueue);
 if (buf_len < 5)
@@ -1293,70 +1329,35 @@ process(void) buffer_consume(&iqueue, 4); buf_len -= 4; type = buffer_get_char(&iqueue); + switch (type) { case SSH2_FXP_INIT: process_init(); - break; - case SSH2_FXP_OPEN: - process_open(); - break; - case SSH2_FXP_CLOSE: - process_close(); - break; - case SSH2_FXP_READ: - process_read(); - break; - case SSH2_FXP_WRITE: - process_write(); - break; - case SSH2_FXP_LSTAT: - process_lstat(); - break; - case SSH2_FXP_FSTAT: - process_fstat(); - break; - case SSH2_FXP_SETSTAT: - process_setstat(); - break; - case SSH2_FXP_FSETSTAT: - process_fsetstat(); - break; - case SSH2_FXP_OPENDIR: - process_opendir(); - break; - case SSH2_FXP_READDIR: - process_readdir(); - break; - case SSH2_FXP_REMOVE: - process_remove(); - break; - case SSH2_FXP_MKDIR: - process_mkdir(); - break; - case SSH2_FXP_RMDIR: - process_rmdir(); - break; - case SSH2_FXP_REALPATH: - process_realpath(); - break; - case SSH2_FXP_STAT: - process_stat(); - break; - case SSH2_FXP_RENAME: - process_rename(); - break; - case SSH2_FXP_READLINK: - process_readlink(); - break; - case SSH2_FXP_SYMLINK: - process_symlink(); + init_done = 1; break; case SSH2_FXP_EXTENDED: - process_extended(); + if (!init_done) + fatal("Received extended request before init"); + id = get_int(); + process_extended(id); break; default: - error("Unknown message %d", type); - break; + if (!init_done) + fatal("Received %u request before init", type); + id = get_int(); + for (i = 0; handlers[i].handler != NULL; i++) { + if (type == handlers[i].type) { + if (!request_permitted(&handlers[i])) { + send_status(id, + SSH2_FX_PERMISSION_DENIED); + } else { + handlers[i].handler(id); + } + break; + } + } + if (handlers[i].handler == NULL) + error("Unknown message %u", type); } /* discard the remaining bytes from the current packet */ if (buf_len < buffer_len(&iqueue)) { 
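Review bot: In the default arm of the switch an unrecognised message type ends with `error("Unknown message %u", type);` alone, whereas process_extended answers an unknown extended request with SSH2_FX_OP_UNSUPPORTED; since the request id is now parsed with `id = get_int();` before the table lookup, the server could reply `send_status(id, SSH2_FX_OP_UNSUPPORTED);` there as well instead of leaving the client without a response for that id. The remaining bytes of the packet are discarded below in either case, so the reply would not disturb stream framing. process() continues past this hunk.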
@@ -1365,7 +1366,7 @@ process(void) } consumed = buf_len - buffer_len(&iqueue); if (msg_len < consumed) { - error("msg_len %d < consumed %d", msg_len, consumed); + error("msg_len %u < consumed %u", msg_len, consumed); sftp_server_cleanup_exit(255); } if (msg_len > consumed) @@ -1400,7 +1401,7 @@ int sftp_server_main(int argc, char **argv, struct passwd *user_pw) { fd_set *rset, *wset; - int in, out, max, ch, skipargs = 0, log_stderr = 0; + int i, in, out, max, ch, skipargs = 0, log_stderr = 0; ssize_t len, olen, set_size; SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; char *cp, *homedir = NULL, buf[4*4096]; @@ -1414,8 +1415,20 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) pw = pwcopy(user_pw); - while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:cehR")) != -1) { + while (!skipargs && (ch = getopt(argc, argv, + "d:f:l:P:p:Q:u:cehR")) != -1) { switch (ch) { + case 'Q': + if (strcasecmp(optarg, "requests") != 0) { + fprintf(stderr, "Invalid query type\n"); + exit(1); + } + for (i = 0; handlers[i].handler != NULL; i++) + printf("%s\n", handlers[i].name); + for (i = 0; extended_handlers[i].handler != NULL; i++) + printf("%s\n", extended_handlers[i].name); + exit(0); + break; case 'R': readonly = 1; break; @@ -1445,6 +1458,16 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) "u", user_pw->pw_name, (char *)NULL); free(cp); break; + case 'p': + if (request_whitelist != NULL) + fatal("Permitted requests already set"); + request_whitelist = xstrdup(optarg); + break; + case 'P': + if (request_blacklist != NULL) + fatal("Refused requests already set"); + request_blacklist = xstrdup(optarg); + break; case 'u': errno = 0; mask = strtol(optarg, &cp, 8); -- cgit v1.2.1 From b7ae2aa6eb973805644ebf68e9be7c0040bcefc7 Mon Sep 17 00:00:00 2001 
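Review bot: The new `-p`/`-P` options store the comma-separated lists with `xstrdup(optarg)` and never check the entries against handlers[] or extended_handlers[], so a misspelled blacklist entry silently leaves that request permitted and a misspelled whitelist entry silently denies the request the operator meant to allow. Validating each entry at option-parse time and exiting via fatal() makes a configuration typo fail closed and visible in the log; a helper along the lines below, called right after each xstrdup, would do it, using the same tables -Q prints from. The unreachable `break;` after `exit(0)` in the 'Q' arm can also go. sftp_server_main() begins and ends outside this hunk.
```c
/* Refuse a request list that names an unknown request, so a typo in -p or
 * -P cannot silently weaken the intended policy. */
static void
check_request_list(const char *list)
{
	char *copy, *cp, *name;
	u_int i;
	int found;

	copy = cp = xstrdup(list);
	while ((name = strsep(&cp, ",")) != NULL) {
		if (*name == '\0')
			continue;
		found = 0;
		for (i = 0; handlers[i].handler != NULL; i++)
			if (strcmp(name, handlers[i].name) == 0)
				found = 1;
		for (i = 0; extended_handlers[i].handler != NULL; i++)
			if (strcmp(name, extended_handlers[i].name) == 0)
				found = 1;
		if (!found)
			fatal("Unknown request type \"%.100s\"", name);
	}
	free(copy);
}
/* … unchanged: option parsing; call check_request_list(optarg) in the 'p' and 'P' arms … */
```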
From: djm Date: Tue, 15 Oct 2013 00:56:25 +0000 Subject: - djm@cvs.openbsd.org 2013/10/10 00:53:25 [sftp-server.c] add -Q, -P and -p to usage() before jmc@ catches me --- ChangeLog | 3 +++ sftp-server.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2ab5a2cb..b67c1bc2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ Refactor dispatch loop and consolidate read-only mode checks. Make global variables static, since sftp-server is linked into sshd(8). ok dtucker@ + - djm@cvs.openbsd.org 2013/10/10 00:53:25 + [sftp-server.c] + add -Q, -P and -p to usage() before jmc@ catches me 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/sftp-server.c b/sftp-server.c index ca8335ec..52278148 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.98 2013/10/09 23:42:17 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.99 2013/10/10 00:53:25 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1392,7 +1392,8 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " - "[-l log_level]\n\t[-u umask]\n", + "[-l log_level]\n\t[-p request_whitelist] [-P request_blacklist] " + "[-Q feature] [-u umask]\n", __progname); exit(1); } -- cgit v1.2.1 From 093b9a60336017d571b8a60dc18dd8b725093882 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 15 Oct 2013 00:56:47 +0000 Subject: - djm@cvs.openbsd.org 2013/10/10 01:43:03 [sshd.c] bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly updated; ok dtucker@ --- ChangeLog | 4 ++++ sshd.c | 11 +++++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index b67c1bc2..ee3ede1b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -9,6 +9,10 @@ - djm@cvs.openbsd.org 2013/10/10 00:53:25 [sftp-server.c] add -Q, -P and -p to usage() before jmc@ catches me + - djm@cvs.openbsd.org 2013/10/10 01:43:03 + [sshd.c] + bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly + updated; ok dtucker@ 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/sshd.c b/sshd.c index 7e3b60f9..287706d4 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.406 2013/09/02 22:00:34 deraadt Exp $ */ +/* $OpenBSD: sshd.c,v 1.407 2013/10/10 01:43:03 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1940,13 +1940,14 @@ main(int ac, char **av) dup2(STDIN_FILENO, STDOUT_FILENO); if (startup_pipe == -1) close(REEXEC_STARTUP_PIPE_FD); - else + else if (startup_pipe != REEXEC_STARTUP_PIPE_FD) { dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD); + close(startup_pipe); + startup_pipe = REEXEC_STARTUP_PIPE_FD; + } dup2(config_s[1], REEXEC_CONFIG_PASS_FD); close(config_s[1]); - if (startup_pipe != -1) - close(startup_pipe); execv(rexec_argv[0], rexec_argv); @@ -1957,8 +1958,6 @@ main(int ac, char **av) options.log_facility, log_stderr); /* Clean up fds */ - startup_pipe = REEXEC_STARTUP_PIPE_FD; - close(config_s[1]); close(REEXEC_CONFIG_PASS_FD); newsock = sock_out = sock_in = dup(STDIN_FILENO); if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { -- cgit v1.2.1 From d5a84c5a28f7e6ddcd6bbdd7979313122260d2f0 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 15 Oct 2013 01:05:58 +0000 Subject: - djm@cvs.openbsd.org 2013/10/11 02:45:36 [sftp-client.c] rename flag arguments to be more clear and consistent. reorder some internal function arguments to make adding additional flags easier. no functional change --- ChangeLog | 6 +++++ sftp-client.c | 73 +++++++++++++++++++++++++++++++---------------------------- 2 files changed, 44 insertions(+), 35 deletions(-) diff --git a/ChangeLog b/ChangeLog index ee3ede1b..3e60d045 100644 --- a/ChangeLog +++ b/ChangeLog 
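Review bot: The guard added for startup_pipe covers the case where the descriptor already sits at REEXEC_STARTUP_PIPE_FD, but the two lines that follow, `dup2(config_s[1], REEXEC_CONFIG_PASS_FD);` and `close(config_s[1]);`, keep the unguarded pattern: if config_s[1] ever equals REEXEC_CONFIG_PASS_FD the dup2 is a no-op and the close discards the descriptor the re-exec'd child is about to read its configuration from. Whether that value is reachable depends on how socketpair() numbers descriptors relative to the reserved fds, which is outside this hunk, so wrapping both lines in the same `if (config_s[1] != REEXEC_CONFIG_PASS_FD) {` shape would make the two paths consistent at no cost. main() begins and ends outside both hunks.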
@@ -13,6 +13,12 @@ [sshd.c] bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly updated; ok dtucker@ + - djm@cvs.openbsd.org 2013/10/11 02:45:36 + [sftp-client.c] + rename flag arguments to be more clear and consistent. + reorder some internal function arguments to make adding additional flags + easier. + no functional change 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index eb893080..e815499f 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.104 2013/09/19 00:49:12 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.105 2013/10/11 02:45:36 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -448,7 +448,7 @@ do_close(struct sftp_conn *conn, char *handle, u_int handle_len) static int -do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, +do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, SFTP_DIRENT ***dir) { Buffer msg; @@ -530,7 +530,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, longname = buffer_get_string(&msg, NULL); a = decode_attrib(&msg); - if (printflag) + if (print_flag) printf("%s\n", longname); /* @@ -606,7 +606,7 @@ do_rm(struct sftp_conn *conn, char *path) } int -do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int printflag) +do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag) { u_int status, id; @@ -615,7 +615,7 @@ do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int printflag) strlen(path), a); status = get_status(conn, id); - if (status != SSH2_FX_OK && printflag) + if (status != SSH2_FX_OK && print_flag) error("Couldn't create directory: %s", fx2txt(status)); return(status); @@ -991,7 +991,7 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset, int do_download(struct sftp_conn *conn, char *remote_path, char *local_path, - Attrib *a, int pflag, int resume) + Attrib *a, int preserve_flag, int resume_flag) { Attrib junk; Buffer msg; 
@@ -1054,15 +1054,15 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, return(-1); } - local_fd = open(local_path, O_WRONLY | O_CREAT | (resume ? 0 : O_TRUNC), - mode | S_IWUSR); + local_fd = open(local_path, + O_WRONLY | O_CREAT | (resume_flag ? 0 : O_TRUNC), mode | S_IWUSR); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", local_path, strerror(errno)); goto fail; } offset = highwater = 0; - if (resume) { + if (resume_flag) { if (fstat(local_fd, &st) == -1) { error("Unable to stat local file \"%s\": %s", local_path, strerror(errno)); @@ -1212,7 +1212,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, fatal("Transfer complete, but requests still in queue"); /* Truncate at highest contiguous point to avoid holes on interrupt */ if (read_error || write_error || interrupted) { - if (reordered && resume) { + if (reordered && resume_flag) { error("Unable to resume download of \"%s\": " "server reordered requests", local_path); } @@ -1235,13 +1235,14 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, status = -1; /* Override umask and utimes if asked */ #ifdef HAVE_FCHMOD - if (pflag && fchmod(local_fd, mode) == -1) + if (preserve_flag && fchmod(local_fd, mode) == -1) #else - if (pflag && chmod(local_path, mode) == -1) + if (preserve_flag && chmod(local_path, mode) == -1) #endif /* HAVE_FCHMOD */ error("Couldn't set mode on \"%s\": %s", local_path, strerror(errno)); - if (pflag && (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME)) { + if (preserve_flag && + (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME)) { struct timeval tv[2]; tv[0].tv_sec = a->atime; tv[1].tv_sec = a->mtime; 
@@ -1259,8 +1260,8 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, } static int -download_dir_internal(struct sftp_conn *conn, char *src, char *dst, - Attrib *dirattrib, int pflag, int printflag, int depth, int resume) +download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, + Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag) { int i, ret = 0; SFTP_DIRENT **dir_entries; @@ -1281,7 +1282,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, error("\"%s\" is not a directory", src); return -1; } - if (printflag) + if (print_flag) printf("Retrieving %s\n", src); if (dirattrib->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) @@ -1312,12 +1313,12 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, strcmp(filename, "..") == 0) continue; if (download_dir_internal(conn, new_src, new_dst, - &(dir_entries[i]->a), pflag, printflag, - depth + 1, resume) == -1) + depth + 1, &(dir_entries[i]->a), preserve_flag, + print_flag, resume_flag) == -1) ret = -1; } else if (S_ISREG(dir_entries[i]->a.perm) ) { if (do_download(conn, new_src, new_dst, - &(dir_entries[i]->a), pflag, resume) == -1) { + &(dir_entries[i]->a), preserve_flag, resume_flag) == -1) { error("Download of file %s to %s failed", new_src, new_dst); ret = -1; @@ -1329,7 +1330,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, free(new_src); } - if (pflag) { + if (preserve_flag) { if (dirattrib->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { struct timeval tv[2]; tv[0].tv_sec = dirattrib->atime; @@ -1350,7 +1351,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int download_dir(struct sftp_conn *conn, char *src, char *dst, - Attrib *dirattrib, int pflag, int printflag, int resume) + Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag) { char *src_canon; int ret; 
@@ -1360,15 +1361,15 @@ download_dir(struct sftp_conn *conn, char *src, char *dst, return -1; } - ret = download_dir_internal(conn, src_canon, dst, - dirattrib, pflag, printflag, 0, resume); + ret = download_dir_internal(conn, src_canon, dst, 0, + dirattrib, preserve_flag, print_flag, resume_flag); free(src_canon); return ret; } int do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, - int pflag) + int preserve_flag) { int local_fd; int status = SSH2_FX_OK; @@ -1412,7 +1413,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, a.flags &= ~SSH2_FILEXFER_ATTR_SIZE; a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID; a.perm &= 0777; - if (!pflag) + if (!preserve_flag) a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; buffer_init(&msg); @@ -1541,7 +1542,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, } /* Override umask and utimes if asked */ - if (pflag) + if (preserve_flag) do_fsetstat(conn, handle, handle_len, &a); if (do_close(conn, handle, handle_len) != SSH2_FX_OK) @@ -1552,8 +1553,8 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, } static int -upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, - int pflag, int printflag, int depth) +upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, + int preserve_flag, int print_flag) { int ret = 0, status; DIR *dirp; @@ -1576,7 +1577,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, error("\"%s\" is not a directory", src); return -1; } - if (printflag) + if (print_flag) printf("Entering %s\n", src); attrib_clear(&a); @@ -1584,7 +1585,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, a.flags &= ~SSH2_FILEXFER_ATTR_SIZE; a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID; a.perm &= 01777; - if (!pflag) + if (!preserve_flag) a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; status = do_mkdir(conn, dst, &a, 0); 
@@ -1622,10 +1623,11 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, continue; if (upload_dir_internal(conn, new_src, new_dst, - pflag, printflag, depth + 1) == -1) + depth + 1, preserve_flag, print_flag) == -1) ret = -1; } else if (S_ISREG(sb.st_mode)) { - if (do_upload(conn, new_src, new_dst, pflag) == -1) { + if (do_upload(conn, new_src, new_dst, + preserve_flag) == -1) { error("Uploading of file %s to %s failed!", new_src, new_dst); ret = -1; @@ -1643,8 +1645,8 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, } int -upload_dir(struct sftp_conn *conn, char *src, char *dst, int pflag, - int printflag) +upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag, + int print_flag) { char *dst_canon; int ret; @@ -1654,7 +1656,8 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int pflag, return -1; } - ret = upload_dir_internal(conn, src, dst_canon, pflag, printflag, 0); + ret = upload_dir_internal(conn, src, dst_canon, preserve_flag, + print_flag, 0); free(dst_canon); return ret; } -- cgit v1.2.1 From c7eb89ce05745a4422f3bf7bd0c89a4d458f9107 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 15 Oct 2013 01:06:27 +0000 Subject: - djm@cvs.openbsd.org 2013/10/11 02:52:23 [sftp-client.c] missed one arg reorder --- ChangeLog | 3 +++ sftp-client.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3e60d045..c54737a6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ reorder some internal function arguments to make adding additional flags easier. no functional change + - djm@cvs.openbsd.org 2013/10/11 02:52:23 + [sftp-client.c] + missed one arg reorder 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index e815499f..573623b9 100644 --- a/sftp-client.c +++ b/sftp-client.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.105 2013/10/11 02:45:36 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.106 2013/10/11 02:52:23 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1656,8 +1656,8 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag, return -1; } - ret = upload_dir_internal(conn, src, dst_canon, preserve_flag, - print_flag, 0); + ret = upload_dir_internal(conn, src, dst_canon, 0, preserve_flag, + print_flag); free(dst_canon); return ret; } -- cgit v1.2.1 From c13db649461a00bb824a96fa4b3926d335b19e5e Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 15 Oct 2013 01:06:45 +0000 Subject: - djm@cvs.openbsd.org 2013/10/11 02:53:45 [sftp-client.h] obsolete comment --- ChangeLog | 3 +++ sftp-client.h | 4 +--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c54737a6..83b9b886 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,9 @@ - djm@cvs.openbsd.org 2013/10/11 02:52:23 [sftp-client.c] missed one arg reorder + - djm@cvs.openbsd.org 2013/10/11 02:53:45 + [sftp-client.h] + obsolete comment 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/sftp-client.h b/sftp-client.h index dc54cfe3..bcdd407c 100644 --- a/sftp-client.h +++ b/sftp-client.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.h,v 1.22 2013/08/08 05:04:03 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.23 2013/10/11 02:53:45 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller @@ -100,8 +100,6 @@ int do_hardlink(struct sftp_conn *, char *, char *); /* Rename 'oldpath' to 'newpath' */ int do_symlink(struct sftp_conn *, char *, char *); -/* XXX: add callbacks to do_download/do_upload so we can do progress meter */ - /* * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set -- cgit v1.2.1 From 8a059cde9e7b4d8b571fc8e5a54128102e932789 Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 15 Oct 2013 01:07:05 +0000 Subject: - jmc@cvs.openbsd.org 2013/10/14 14:18:56 [sftp-server.8 sftp-server.c] tweak previous; ok djm --- ChangeLog | 4 ++++ sftp-server.8 | 24 ++++++++++++------------ sftp-server.c | 9 +++++---- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/ChangeLog b/ChangeLog index 83b9b886..3adcac5c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,10 @@ - djm@cvs.openbsd.org 2013/10/11 02:53:45 [sftp-client.h] obsolete comment + - jmc@cvs.openbsd.org 2013/10/14 14:18:56 + [sftp-server.8 sftp-server.c] + tweak previous; + ok djm 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/sftp-server.8 b/sftp-server.8 index d7604b28..1e0b277b 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.24 2013/10/09 23:42:17 djm Exp $ +.\" $OpenBSD: sftp-server.8,v 1.25 2013/10/14 14:18:56 jmc Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 9 2013 $ +.Dd $Mdocdate: October 14 2013 $ .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -35,6 +35,8 @@ .Op Fl d Ar start_directory .Op Fl f Ar log_facility .Op Fl l Ar log_level +.Op Fl P Ar blacklisted_requests +.Op Fl p Ar whitelisted_requests .Op Fl u Ar umask .Ek .Nm 
@@ -98,35 +100,33 @@ DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. The default is ERROR. .It Fl P Ar blacklisted_requests -Specify a comma-separated list of sftp protocol requests that are banned by +Specify a comma-separated list of SFTP protocol requests that are banned by the server. .Nm will reply to any blacklisted request with a failure. The .Fl Q -flag allows querying -.Nm -to determine the supported request types. +flag can be used to determine the supported request types. If both a blacklist and a whitelist are specified, then the blacklist is applied before the whitelist. .It Fl p Ar whitelisted_requests -Specify a comma-separated list of sftp protocol requests that are permitted +Specify a comma-separated list of SFTP protocol requests that are permitted by the server. All request types that are not on the whitelist will be logged and replied to with a failure message. .Pp Care must be taken when using this feature to ensure that requests made -implicitly by sftp clients are permitted. +implicitly by SFTP clients are permitted. .It Fl Q Ar protocol_feature Query protocol features supported by .Nm . At present the only feature that may be queried is .Dq requests , -that may be used for whitelisting or blacklisting (flags -.Fl p -and +which may be used for black or whitelisting (flags .Fl P -respectively.) +and +.Fl p +respectively). .It Fl R Places this instance of .Nm diff --git a/sftp-server.c b/sftp-server.c index 52278148..b62bd351 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.99 2013/10/10 00:53:25 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.100 2013/10/14 14:18:56 jmc Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * 
@@ -1392,9 +1392,10 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " - "[-l log_level]\n\t[-p request_whitelist] [-P request_blacklist] " - "[-Q feature] [-u umask]\n", - __progname); + "[-l log_level]\n\t[-P blacklisted_requests] " + "[-p whitelisted_requests] [-u umask]\n" + " %s -Q protocol_feature\n", + __progname, __progname); exit(1); } -- cgit v1.2.1 From cd828fdcbb09eb4e7fca51977bc7eb0df1df72a1 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 15 Oct 2013 01:12:02 +0000 Subject: - djm@cvs.openbsd.org 2013/10/14 21:20:52 [session.c session.h] Add logging of session starts in a useful format; ok markus@ feedback and ok dtucker@ --- ChangeLog | 4 ++++ session.c | 52 ++++++++++++++++++++++++++++++++++++++-------------- session.h | 3 ++- 3 files changed, 44 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3adcac5c..5f704f1f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,10 @@ [sftp-server.8 sftp-server.c] tweak previous; ok djm + - djm@cvs.openbsd.org 2013/10/14 21:20:52 + [session.c session.h] + Add logging of session starts in a useful format; ok markus@ feedback and + ok dtucker@ 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/session.c b/session.c index d4b57bdf..6e48a2fa 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.266 2013/07/19 07:37:48 markus Exp $ */ +/* $OpenBSD: session.c,v 1.267 2013/10/14 21:20:52 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -794,27 +794,50 @@ int do_exec(Session *s, const char *command) { int ret; + const char *forced = NULL; + char session_type[1024], *tty = NULL; if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if (IS_INTERNAL_SFTP(command)) { - s->is_subsystem = s->is_subsystem ? - SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; - } else if (s->is_subsystem) - s->is_subsystem = SUBSYSTEM_EXT; - debug("Forced command (config) '%.900s'", command); + forced = "(config)"; } else if (forced_command) { original_command = command; command = forced_command; + forced = "(key-option)"; + } + if (forced != NULL) { if (IS_INTERNAL_SFTP(command)) { s->is_subsystem = s->is_subsystem ? SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; } else if (s->is_subsystem) s->is_subsystem = SUBSYSTEM_EXT; - debug("Forced command (key option) '%.900s'", command); + snprintf(session_type, sizeof(session_type), + "forced-command %s '%.900s'", forced, command); + } else if (s->is_subsystem) { + snprintf(session_type, sizeof(session_type), + "subsystem '%.900s'", s->subsys); + } else if (command == NULL) { + snprintf(session_type, sizeof(session_type), "shell"); + } else { + /* NB. we don't log unforced commands to preserve privacy */ + snprintf(session_type, sizeof(session_type), "command"); } + if (s->ttyfd != -1) { + tty = s->tty; + if (strncmp(tty, "/dev/", 5) == 0) + tty += 5; + } + + verbose("Starting session: %s%s%s for %s from %.200s port %d", + session_type, + tty == NULL ? "" : " on ", + tty == NULL ? "" : tty, + s->pw->pw_name, + get_remote_ipaddr(), + get_remote_port()); + #ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); 
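Review bot: The `/dev/` prefix strip on `if (strncmp(tty, "/dev/", 5) == 0)` hard-codes the prefix length; `sizeof("/dev/") - 1` keeps the two in step if the literal ever changes. The new verbose() line is the kind of record that log pipelines tend to key on, so a short comment above it stating that the wording is intended to stay stable, e.g. `/* Format intended to be stable for log consumers. */`, would discourage casual rewording later. Every branch of the if/else chain writes session_type before the read, so the uninitialised buffer is safe as written. do_exec's body continues past this hunk.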
@@ -2100,15 +2123,16 @@ session_subsystem_req(Session *s) struct stat st; u_int len; int success = 0; - char *prog, *cmd, *subsys = packet_get_string(&len); + char *prog, *cmd; u_int i; + s->subsys = packet_get_string(&len); packet_check_eom(); - logit("subsystem request for %.100s by user %s", subsys, + debug2("subsystem request for %.100s by user %s", s->subsys, s->pw->pw_name); for (i = 0; i < options.num_subsystems; i++) { - if (strcmp(subsys, options.subsystem_name[i]) == 0) { + if (strcmp(s->subsys, options.subsystem_name[i]) == 0) { prog = options.subsystem_command[i]; cmd = options.subsystem_args[i]; if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) { @@ -2127,10 +2151,9 @@ session_subsystem_req(Session *s) } if (!success) - logit("subsystem request for %.100s failed, subsystem not found", - subsys); + logit("subsystem request for %.100s by user %s failed, " + "subsystem not found", s->subsys, s->pw->pw_name); - free(subsys); return success; } @@ -2481,6 +2504,7 @@ session_close(Session *s) free(s->auth_display); free(s->auth_data); free(s->auth_proto); + free(s->subsys); if (s->env != NULL) { for (i = 0; i < s->num_env; i++) { free(s->env[i].name); diff --git a/session.h b/session.h index cbb8e3a3..6a2f35e4 100644 --- a/session.h +++ b/session.h @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ +/* $OpenBSD: session.h,v 1.31 2013/10/14 21:20:52 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -55,6 +55,7 @@ struct Session { int chanid; int *x11_chanids; int is_subsystem; + char *subsys; u_int num_env; struct { char *name; -- cgit v1.2.1 From 922d4e02e6133fe525ea8d27aeae0c4c05daee6c Mon Sep 17 00:00:00 2001 
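Review bot: `s->subsys = packet_get_string(&len);` overwrites any earlier value without freeing it, and the string is now released only in session_close (third hunk), so a second subsystem request on the same session would leak the first buffer. The removed code freed `subsys` locally before returning, including on the not-found path, where the new code leaves `s->is_subsystem` unset; whether a repeat request can reach this function depends on the caller's dispatch, which is outside this hunk. A cheap guard is `free(s->subsys);` immediately before the assignment. session_subsystem_req continues beyond the hunk.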
From: djm Date: Tue, 15 Oct 2013 01:13:05 +0000 Subject: - djm@cvs.openbsd.org 2013/10/14 22:22:05 [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] add a "Match" keyword to ssh_config that allows matching on hostname, user and result of arbitrary commands. "nice work" markus@ --- ChangeLog | 4 ++ readconf.c | 227 ++++++++++++++++++++++++++++++++++++++++++++++++++++++---- readconf.h | 12 ++-- ssh-keysign.c | 4 +- ssh.c | 22 +++--- ssh_config.5 | 52 +++++++++++++- 6 files changed, 287 insertions(+), 34 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5f704f1f..2b0ca0b8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,10 @@ [session.c session.h] Add logging of session starts in a useful format; ok markus@ feedback and ok dtucker@ + - djm@cvs.openbsd.org 2013/10/14 22:22:05 + [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] + add a "Match" keyword to ssh_config that allows matching on hostname, + user and result of arbitrary commands. "nice work" markus@ 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/readconf.c b/readconf.c index 7450081c..f7b912ef 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.205 2013/08/20 00:11:37 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.206 2013/10/14 22:22:02 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -24,7 +25,10 @@ #include #include +#include #include +#include +#include #include #include #include @@ -47,6 +51,7 @@ #include "buffer.h" #include "kex.h" #include "mac.h" +#include "uidswap.h" /* Format of the configuration file: 
@@ -115,12 +120,13 @@ typedef enum { oBadOption, + oHost, oMatch, oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, oGatewayPorts, oExitOnForwardFailure, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, - oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, + oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, @@ -194,6 +200,7 @@ static struct { { "localforward", oLocalForward }, { "user", oUser }, { "host", oHost }, + { "match", oMatch }, { "escapechar", oEscapeChar }, { "globalknownhostsfile", oGlobalKnownHostsFile }, { "globalknownhostsfile2", oDeprecated }, 
@@ -349,10 +356,188 @@ add_identity_file(Options *options, const char *dir, const char *filename, options->identity_files[options->num_identity_files++] = path; } +int +default_ssh_port(void) +{ + static int port; + struct servent *sp; + + if (port == 0) { + sp = getservbyname(SSH_SERVICE_NAME, "tcp"); + port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; + } + return port; +} + /* - * Returns the number of the token pointed to by cp or oBadOption. + * Execute a command in a shell. + * Return its exit status or -1 on abnormal exit. */ +static int +execute_in_shell(const char *cmd) +{ + char *shell, *command_string; + pid_t pid; + int devnull, status; + extern uid_t original_real_uid; + if ((shell = getenv("SHELL")) == NULL) + shell = _PATH_BSHELL; + + /* + * Use "exec" to avoid "sh -c" processes on some platforms + * (e.g. Solaris) + */ + xasprintf(&command_string, "exec %s", cmd); + + /* Need this to redirect subprocess stdin/out */ + if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) + fatal("open(/dev/null): %s", strerror(errno)); + + debug("Executing command: '%.500s'", cmd); + + /* Fork and execute the command. */ + if ((pid = fork()) == 0) { + char *argv[4]; + + /* Child. Permanently give up superuser privileges. */ + permanently_drop_suid(original_real_uid); + + /* Redirect child stdin and stdout. Leave stderr */ + if (dup2(devnull, STDIN_FILENO) == -1) + fatal("dup2: %s", strerror(errno)); + if (dup2(devnull, STDOUT_FILENO) == -1) + fatal("dup2: %s", strerror(errno)); + if (devnull > STDERR_FILENO) + close(devnull); + closefrom(STDERR_FILENO + 1); + + argv[0] = shell; + argv[1] = "-c"; + argv[2] = command_string; + argv[3] = NULL; + + execv(argv[0], argv); + error("Unable to execute '%.100s': %s", cmd, strerror(errno)); + /* Die with signal to make this error apparent to parent. */ + signal(SIGTERM, SIG_DFL); + kill(getpid(), SIGTERM); + _exit(1); + } + /* Parent. 
*/ + if (pid < 0) + fatal("%s: fork: %.100s", __func__, strerror(errno)); + + close(devnull); + free(command_string); + + while (waitpid(pid, &status, 0) == -1) { + if (errno != EINTR && errno != EAGAIN) + fatal("%s: waitpid: %s", __func__, strerror(errno)); + } + if (!WIFEXITED(status)) { + error("command '%.100s' exited abnormally", cmd); + return -1; + } + debug3("command returned status %d", WEXITSTATUS(status)); + return WEXITSTATUS(status); +} + +/* + * Parse and execute a Match directive. + */ +static int +match_cfg_line(Options *options, char **condition, struct passwd *pw, + const char *host_arg, const char *filename, int linenum) +{ + char *arg, *attrib, *cmd, *cp = *condition; + const char *ruser, *host; + int r, port, result = 1; + size_t len; + char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; + + /* + * Configuration is likely to be incomplete at this point so we + * must be prepared to use default values. + */ + port = options->port <= 0 ? default_ssh_port() : options->port; + ruser = options->user == NULL ? pw->pw_name : options->user; + host = options->hostname == NULL ? 
host_arg : options->hostname; + + debug3("checking match for '%s' host %s", cp, host); + while ((attrib = strdelim(&cp)) && *attrib != '\0') { + if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { + error("Missing Match criteria for %s", attrib); + return -1; + } + len = strlen(arg); + if (strcasecmp(attrib, "host") == 0) { + if (match_hostname(host, arg, len) != 1) + result = 0; + else + debug("%.200s line %d: matched 'Host %.100s' ", + filename, linenum, host); + } else if (strcasecmp(attrib, "originalhost") == 0) { + if (match_hostname(host_arg, arg, len) != 1) + result = 0; + else + debug("%.200s line %d: matched " + "'OriginalHost %.100s' ", + filename, linenum, host_arg); + } else if (strcasecmp(attrib, "user") == 0) { + if (match_pattern_list(ruser, arg, len, 0) != 1) + result = 0; + else + debug("%.200s line %d: matched 'User %.100s' ", + filename, linenum, ruser); + } else if (strcasecmp(attrib, "localuser") == 0) { + if (match_pattern_list(pw->pw_name, arg, len, 0) != 1) + result = 0; + else + debug("%.200s line %d: matched " + "'LocalUser %.100s' ", + filename, linenum, pw->pw_name); + } else if (strcasecmp(attrib, "command") == 0) { + if (gethostname(thishost, sizeof(thishost)) == -1) + fatal("gethostname: %s", strerror(errno)); + strlcpy(shorthost, thishost, sizeof(shorthost)); + shorthost[strcspn(thishost, ".")] = '\0'; + snprintf(portstr, sizeof(portstr), "%d", port); + + cmd = percent_expand(arg, + "L", shorthost, + "d", pw->pw_dir, + "h", host, + "l", thishost, + "n", host_arg, + "p", portstr, + "r", ruser, + "u", pw->pw_name, + (char *)NULL); + r = execute_in_shell(cmd); + if (r == -1) { + fatal("%.200s line %d: match command '%.100s' " + "error", filename, linenum, cmd); + } else if (r == 0) { + debug("%.200s line %d: matched " + "'Command \"%.100s\"' ", + filename, linenum, cmd); + } else + result = 0; + free(cmd); + } else { + error("Unsupported Match attribute %s", attrib); + return -1; + } + } + debug3("match %sfound", result ? 
"" : "not "); + *condition = cp; + return result; +} + +/* + * Returns the number of the token pointed to by cp or oBadOption. + */ static OpCodes parse_token(const char *cp, const char *filename, int linenum, const char *ignored_unknown) @@ -375,21 +560,24 @@ parse_token(const char *cp, const char *filename, int linenum, * only sets those values that have not already been set. */ #define WHITESPACE " \t\r\n" - int -process_config_line(Options *options, const char *host, - char *line, const char *filename, int linenum, - int *activep, int userconfig) +process_config_line(Options *options, struct passwd *pw, const char *host, + char *line, const char *filename, int linenum, int *activep, int userconfig) { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; char **cpptr, fwdarg[256]; u_int i, *uintptr, max_entries = 0; - int negated, opcode, *intptr, value, value2; + int negated, opcode, *intptr, value, value2, cmdline = 0; LogLevel *log_level_ptr; long long val64; size_t len; Forward fwd; + if (activep == NULL) { /* We are processing a command line directive */ + cmdline = 1; + activep = &cmdline; + } + /* Strip trailing whitespace */ for (len = strlen(line) - 1; len > 0; len--) { if (strchr(WHITESPACE, line[len]) == NULL) @@ -828,6 +1016,9 @@ parse_int: goto parse_flag; case oHost: + if (cmdline) + fatal("Host directive not supported as a command-line " + "option"); *activep = 0; arg2 = NULL; while ((arg = strdelim(&s)) != NULL && *arg != '\0') { @@ -854,6 +1045,18 @@ parse_int: /* Avoid garbage check below, as strdelim is done. */ return 0; + case oMatch: + if (cmdline) + fatal("Host directive not supported as a command-line " + "option"); + value = match_cfg_line(options, &s, pw, host, + filename, linenum); + if (value < 0) + fatal("%.200s line %d: Bad Match condition", filename, + linenum); + *activep = value; + break; + case oEscapeChar: intptr = &options->escape_char; arg = strdelim(&s); 
@@ -1107,8 +1310,8 @@ parse_int: */ int -read_config_file(const char *filename, const char *host, Options *options, - int flags) +read_config_file(const char *filename, struct passwd *pw, const char *host, + Options *options, int flags) { FILE *f; char line[1024]; @@ -1139,8 +1342,8 @@ read_config_file(const char *filename, const char *host, Options *options, while (fgets(line, sizeof(line), f)) { /* Update line number counter. */ linenum++; - if (process_config_line(options, host, line, filename, linenum, - &active, flags & SSHCONF_USERCONF) != 0) + if (process_config_line(options, pw, host, line, filename, + linenum, &active, flags & SSHCONF_USERCONF) != 0) bad_options++; } fclose(f); diff --git a/readconf.h b/readconf.h index ca4a042a..cde8b524 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.96 2013/08/20 00:11:38 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.97 2013/10/14 22:22:03 djm Exp $ */ /* * Author: Tatu Ylonen @@ -159,12 +159,12 @@ typedef struct { void initialize_options(Options *); void fill_default_options(Options *); -int read_config_file(const char *, const char *, Options *, int); +int process_config_line(Options *, struct passwd *, const char *, char *, + const char *, int, int *, int); +int read_config_file(const char *, struct passwd *, const char *, + Options *, int); int parse_forward(Forward *, const char *, int, int); - -int -process_config_line(Options *, const char *, char *, const char *, int, int *, - int); +int default_ssh_port(void); void add_local_forward(Options *, const Forward *); void add_remote_forward(Options *, const Forward *); diff --git a/ssh-keysign.c b/ssh-keysign.c index 9a6653c7..b67ed1ea 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.37 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.38 2013/10/14 22:22:04 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * 
@@ -187,7 +187,7 @@ main(int argc, char **argv) /* verify that ssh-keysign is enabled by the admin */ initialize_options(&options); - (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0); + (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", &options, 0); fill_default_options(&options); if (options.enable_ssh_keysign != 1) fatal("ssh-keysign not enabled in %s", diff --git a/ssh.c b/ssh.c index 87233bc9..13f384a9 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.381 2013/07/25 00:29:10 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.382 2013/10/14 22:22:04 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -242,7 +242,7 @@ main(int ac, char **av) char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; struct stat st; struct passwd *pw; - int dummy, timeout_ms; + int timeout_ms; extern int optind, optreset; extern char *optarg; @@ -595,10 +595,9 @@ main(int ac, char **av) options.request_tty = REQUEST_TTY_NO; break; case 'o': - dummy = 1; line = xstrdup(optarg); - if (process_config_line(&options, host ? host : "", - line, "command-line", 0, &dummy, SSHCONF_USERCONF) + if (process_config_line(&options, pw, host ? host : "", + line, "command-line", 0, NULL, SSHCONF_USERCONF) != 0) exit(255); free(line); 
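Review bot: Passing `pw` here means a `Match command` line in the system-wide ssh_config is now also evaluated, and its command executed, when ssh-keysign reads that file; the child in execute_in_shell drops to original_real_uid, but ssh-keysign runs setuid, so the ordering of its own privilege drop relative to this call (outside the hunk) is what makes that safe and deserves a comment at this line, e.g. `/* NB. Match command lines in the system config are executed here too */`. The `""` host argument also means a `Match host` condition never matches in ssh-keysign, which the same comment could record. main continues outside the hunk.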
@@ -703,18 +702,19 @@ main(int ac, char **av) */ if (config != NULL) { if (strcasecmp(config, "none") != 0 && - !read_config_file(config, host, &options, SSHCONF_USERCONF)) + !read_config_file(config, pw, host, &options, + SSHCONF_USERCONF)) fatal("Can't open user config file %.100s: " "%.100s", config, strerror(errno)); } else { r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, _PATH_SSH_USER_CONFFILE); if (r > 0 && (size_t)r < sizeof(buf)) - (void)read_config_file(buf, host, &options, + (void)read_config_file(buf, pw, host, &options, SSHCONF_CHECKPERM|SSHCONF_USERCONF); /* Read systemwide configuration file after user config. */ - (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, + (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, host, &options, 0); } @@ -752,10 +752,8 @@ main(int ac, char **av) options.user = xstrdup(pw->pw_name); /* Get default port if port has not been set. */ - if (options.port == 0) { - sp = getservbyname(SSH_SERVICE_NAME, "tcp"); - options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; - } + if (options.port == 0) + options.port = default_ssh_port(); /* preserve host name given on command line for %n expansion */ host_arg = host; diff --git a/ssh_config.5 b/ssh_config.5 index 9ddd6b8a..f35f468f 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.168 2013/08/20 06:56:07 jmc Exp $ -.Dd $Mdocdate: August 20 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.169 2013/10/14 22:22:05 djm Exp $ +.Dd $Mdocdate: October 14 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -100,6 +100,8 @@ keywords are case-insensitive and arguments are case-sensitive): .It Cm Host Restricts the following declarations (up to the next .Cm Host +or +.Cm Match keyword) to be only for those hosts that match one of the patterns given after the keyword. If more than one pattern is provided, they should be separated by whitespace. @@ -124,6 +126,52 @@ matches. See .Sx PATTERNS for more information on patterns. +.It Cm Match +Restricts the following declarations (up to the next +.Cm Host +or +.Cm Match +keyword) to be used only when the conditions following the +.Cm Match +keyword are satisfied. +Match conditions are specified using one or more keyword/criteria pairs. +The available keywords are: +.Cm command , +.Cm host , +.Cm originalhost , +.Cm user , +and +.Cm localuser . +.Pp +The criteria for the +.Cm command +keyword is a path to a command that is executed. +If the command returns a zero exit status then the condition is considered true. +Commands containing whitespace characters must be quoted. +.Pp +The other keywords' criteria must be single entries or comma-separated +lists and may use the wildcard and negation operators described in the +.Sx PATTERNS +section. +The criteria for the +.Cm host +keyword are matched against the target hostname, after any substitution +by the +.Cm Hostname +option. +The +.Cm originalhost +keyword matches against the hostname as it was specified on the command-line. +The +.Cm user +keyword matches against the target username on the remote host. +The +.Cm localuser +keyword matches against the name of the local user running +.Xr ssh 1 +(this keyword may be useful in system-wide +.Nm +files). .It Cm AddressFamily Specifies which address family to use when connecting. Valid arguments are -- cgit v1.2.1 From df242871bc4ebe07439e1ba960a885871a221156 Mon Sep 17 00:00:00 2001 
From: djm Date: Tue, 15 Oct 2013 01:14:12 +0000 Subject: - djm@cvs.openbsd.org 2013/10/14 23:28:23 [canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c] refactor client config code a little: add multistate option partsing to readconf.c, similar to servconf.c's existing code. move checking of options that accept "none" as an argument to readconf.c add a lowercase() function and use it instead of explicit tolower() in loops part of a larger diff that was ok markus@ --- ChangeLog | 9 +++ canohost.c | 13 ++-- misc.c | 10 ++- misc.h | 4 +- readconf.c | 199 ++++++++++++++++++++++++++++------------------------------ sftp-server.c | 25 ++++++-- ssh.c | 28 +++------ 7 files changed, 149 insertions(+), 139 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2b0ca0b8..91a6b649 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,15 @@ [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] add a "Match" keyword to ssh_config that allows matching on hostname, user and result of arbitrary commands. "nice work" markus@ + - djm@cvs.openbsd.org 2013/10/14 23:28:23 + [canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c] + refactor client config code a little: + add multistate option partsing to readconf.c, similar to servconf.c's + existing code. + move checking of options that accept "none" as an argument to readconf.c + add a lowercase() function and use it instead of explicit tolower() in + loops + part of a larger diff that was ok markus@ 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/canohost.c b/canohost.c index 69e8e6f6..a8eeb0e3 100644 --- a/canohost.c +++ b/canohost.c @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.c,v 1.67 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: canohost.c,v 1.68 2013/10/14 23:28:22 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -48,7 +48,6 @@ static char * get_remote_hostname(int sock, int use_dns) { struct sockaddr_storage from; - int i; socklen_t fromlen; struct addrinfo hints, *ai, *aitop; char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; @@ -99,13 +98,9 @@ get_remote_hostname(int sock, int use_dns) return xstrdup(ntop); } - /* - * Convert it to all lowercase (which is expected by the rest - * of this software). - */ - for (i = 0; name[i]; i++) - if (isupper(name[i])) - name[i] = (char)tolower(name[i]); + /* Names are stores in lowercase. */ + lowercase(name); + /* * Map it back to an IP address and check that the given * address actually is an address of this host. This is diff --git a/misc.c b/misc.c index c3c80994..e4c8c323 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.91 2013/07/12 00:43:50 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.92 2013/10/14 23:28:23 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -43,6 +43,7 @@ #include #include +#include #include #include #include @@ -1017,6 +1018,13 @@ iptos2str(int iptos) snprintf(iptos_str, sizeof iptos_str, "0x%02x", iptos); return iptos_str; } + +void +lowercase(char *s) +{ + for (; *s; s++) + *s = tolower((u_char)*s); +} void sock_set_v6only(int s) { diff --git a/misc.h b/misc.h index fceb3065..d4df619c 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.49 2013/06/01 13:15:52 dtucker Exp $ */ +/* $OpenBSD: misc.h,v 1.50 2013/10/14 23:28:23 djm Exp $ */ /* * Author: Tatu Ylonen @@ -36,6 +36,8 @@ void sanitise_stdfd(void); void ms_subtract_diff(struct timeval *, int *); void ms_to_timeval(struct timeval *, int); time_t monotime(void); +void lowercase(char *s); + void sock_set_v6only(int); struct passwd *pwcopy(struct passwd *); diff --git a/readconf.c b/readconf.c index f7b912ef..9340effd 100644 --- a/readconf.c +++ b/readconf.c 
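Review bot: The new comment in get_remote_hostname has a typo, `stores` for `stored`; suggest `/* Names are stored in lowercase. */`. The lowercase() helper added in misc.c casts through `u_char` before tolower(), which avoids undefined behaviour on negative `char` values that the removed `isupper(name[i])` loop was exposed to, so the replacement is at least as safe as what it replaces. get_remote_hostname continues outside the hunk.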
@@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.206 2013/10/14 22:22:02 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.207 2013/10/14 23:28:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -555,6 +555,61 @@ parse_token(const char *cp, const char *filename, int linenum, return oBadOption; } +/* Multistate option parsing */ +struct multistate { + char *key; + int value; +}; +static const struct multistate multistate_flag[] = { + { "true", 1 }, + { "false", 0 }, + { "yes", 1 }, + { "no", 0 }, + { NULL, -1 } +}; +static const struct multistate multistate_yesnoask[] = { + { "true", 1 }, + { "false", 0 }, + { "yes", 1 }, + { "no", 0 }, + { "ask", 2 }, + { NULL, -1 } +}; +static const struct multistate multistate_addressfamily[] = { + { "inet", AF_INET }, + { "inet6", AF_INET6 }, + { "any", AF_UNSPEC }, + { NULL, -1 } +}; +static const struct multistate multistate_controlmaster[] = { + { "true", SSHCTL_MASTER_YES }, + { "yes", SSHCTL_MASTER_YES }, + { "false", SSHCTL_MASTER_NO }, + { "no", SSHCTL_MASTER_NO }, + { "auto", SSHCTL_MASTER_AUTO }, + { "ask", SSHCTL_MASTER_ASK }, + { "autoask", SSHCTL_MASTER_AUTO_ASK }, + { NULL, -1 } +}; +static const struct multistate multistate_tunnel[] = { + { "ethernet", SSH_TUNMODE_ETHERNET }, + { "point-to-point", SSH_TUNMODE_POINTOPOINT }, + { "true", SSH_TUNMODE_DEFAULT }, + { "yes", SSH_TUNMODE_DEFAULT }, + { "false", SSH_TUNMODE_NO }, + { "no", SSH_TUNMODE_NO }, + { NULL, -1 } +}; +static const struct multistate multistate_requesttty[] = { + { "true", REQUEST_TTY_YES }, + { "yes", REQUEST_TTY_YES }, + { "false", REQUEST_TTY_NO }, + { "no", REQUEST_TTY_NO }, + { "force", REQUEST_TTY_FORCE }, + { "auto", REQUEST_TTY_AUTO }, + { NULL, -1 } +}; + /* * Processes a single option line as used in the configuration files. This * only sets those values that have not already been set. 
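Review bot: `struct multistate` declares `char *key`, but every table is `static const`, initialised from string literals and only ever read by the lookup loop; `const char *key;` states that and avoids the implicit literal-to-mutable-pointer conversion stricter warning levels flag. The `{ NULL, -1 }` terminator also doubles as the not-found sentinel in parse_multistate, so a comment on the struct saying that `-1` must never be a real option value would protect future tables (AF_UNSPEC is 0, so the current ones are fine).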
@@ -572,6 +627,7 @@ process_config_line(Options *options, struct passwd *pw, const char *host, long long val64; size_t len; Forward fwd; + const struct multistate *multistate_ptr; if (activep == NULL) { /* We are processing a command line directive */ cmdline = 1; @@ -595,8 +651,7 @@ process_config_line(Options *options, struct passwd *pw, const char *host, if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') return 0; /* Match lowercase keyword */ - for (i = 0; i < strlen(keyword); i++) - keyword[i] = tolower(keyword[i]); + lowercase(keyword); opcode = parse_token(keyword, filename, linenum, options->ignored_unknown); @@ -626,17 +681,23 @@ parse_time: case oForwardAgent: intptr = &options->forward_agent; -parse_flag: + parse_flag: + multistate_ptr = multistate_flag; + parse_multistate: arg = strdelim(&s); if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing yes/no argument.", filename, linenum); - value = 0; /* To avoid compiler warning... */ - if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) - value = 1; - else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) - value = 0; - else - fatal("%.200s line %d: Bad yes/no argument.", filename, linenum); + fatal("%s line %d: missing argument.", + filename, linenum); + value = -1; + for (i = 0; multistate_ptr[i].key != NULL; i++) { + if (strcasecmp(arg, multistate_ptr[i].key) == 0) { + value = multistate_ptr[i].value; + break; + } + } + if (value == -1) + fatal("%s line %d: unsupported option \"%s\".", + filename, linenum, arg); if (*activep && *intptr == -1) *intptr = value; break; 
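Review bot: The shared parse_multistate loop compares with `strcasecmp`, whereas the removed parse_flag and parse_yesnoask code used `strcmp`, so `Yes`, `TRUE` and similar now become valid arguments for every boolean option; the same widening applies to the oStrictHostKeyChecking and oControlMaster hunks that now jump here. That is a small, undocumented change to the accepted syntax and worth a line in the commit message or a comment at the loop. The failure text `unsupported option \"%s\"` prints the argument value, not the option keyword, so `unsupported argument \"%s\"` would describe the error more accurately. process_config_line begins and ends outside the hunk.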
@@ -719,27 +780,13 @@ parse_flag: case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; - goto parse_yesnoask; + multistate_ptr = multistate_yesnoask; + goto parse_multistate; case oStrictHostKeyChecking: intptr = &options->strict_host_key_checking; -parse_yesnoask: - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing yes/no/ask argument.", - filename, linenum); - value = 0; /* To avoid compiler warning... */ - if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) - value = 1; - else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) - value = 0; - else if (strcmp(arg, "ask") == 0) - value = 2; - else - fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_yesnoask; + goto parse_multistate; case oCompression: intptr = &options->compression; @@ -1080,22 +1127,9 @@ parse_int: break; case oAddressFamily: - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%s line %d: missing address family.", - filename, linenum); intptr = &options->address_family; - if (strcasecmp(arg, "inet") == 0) - value = AF_INET; - else if (strcasecmp(arg, "inet6") == 0) - value = AF_INET6; - else if (strcasecmp(arg, "any") == 0) - value = AF_UNSPEC; - else - fatal("Unsupported AddressFamily \"%s\"", arg); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_addressfamily; + goto parse_multistate; case oEnableSSHKeysign: intptr = &options->enable_ssh_keysign; 
@@ -1134,27 +1168,8 @@ parse_int: case oControlMaster: intptr = &options->control_master; - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing ControlMaster argument.", - filename, linenum); - value = 0; /* To avoid compiler warning... */ - if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) - value = SSHCTL_MASTER_YES; - else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) - value = SSHCTL_MASTER_NO; - else if (strcmp(arg, "auto") == 0) - value = SSHCTL_MASTER_AUTO; - else if (strcmp(arg, "ask") == 0) - value = SSHCTL_MASTER_ASK; - else if (strcmp(arg, "autoask") == 0) - value = SSHCTL_MASTER_AUTO_ASK; - else - fatal("%.200s line %d: Bad ControlMaster argument.", - filename, linenum); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_controlmaster; + goto parse_multistate; case oControlPersist: /* no/false/yes/true, or a time spec */ @@ -1186,25 +1201,8 @@ parse_int: case oTunnel: intptr = &options->tun_open; - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%s line %d: Missing yes/point-to-point/" - "ethernet/no argument.", filename, linenum); - value = 0; /* silence compiler */ - if (strcasecmp(arg, "ethernet") == 0) - value = SSH_TUNMODE_ETHERNET; - else if (strcasecmp(arg, "point-to-point") == 0) - value = SSH_TUNMODE_POINTOPOINT; - else if (strcasecmp(arg, "yes") == 0) - value = SSH_TUNMODE_DEFAULT; - else if (strcasecmp(arg, "no") == 0) - value = SSH_TUNMODE_NO; - else - fatal("%s line %d: Bad yes/point-to-point/ethernet/" - "no argument: %s", filename, linenum, arg); - if (*activep) - *intptr = value; - break; + multistate_ptr = multistate_tunnel; + goto parse_multistate; case oTunnelDevice: arg = strdelim(&s); 
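Review bot: Routing oTunnel through parse_multistate changes its semantics: the removed code assigned with `if (*activep) *intptr = value;`, letting a later Tunnel line override an earlier one, while parse_multistate assigns only when `*intptr == -1`, so the first Tunnel value now wins like every other option. That is probably the intended first-match behaviour, but it is a user-visible change the commit message does not mention and should be noted, e.g. in the ChangeLog entry or a comment at the oTunnel case. process_config_line begins and ends outside the hunk.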
@@ -1253,24 +1251,9 @@ parse_int: goto parse_flag; case oRequestTTY: - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%s line %d: missing argument.", - filename, linenum); intptr = &options->request_tty; - if (strcasecmp(arg, "yes") == 0) - value = REQUEST_TTY_YES; - else if (strcasecmp(arg, "no") == 0) - value = REQUEST_TTY_NO; - else if (strcasecmp(arg, "force") == 0) - value = REQUEST_TTY_FORCE; - else if (strcasecmp(arg, "auto") == 0) - value = REQUEST_TTY_AUTO; - else - fatal("Unsupported RequestTTY \"%s\"", arg); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_requesttty; + goto parse_multistate; case oIgnoreUnknown: charptr = &options->ignored_unknown; @@ -1596,8 +1579,16 @@ fill_default_options(Options * options) options->request_tty = REQUEST_TTY_AUTO; if (options->proxy_use_fdpass == -1) options->proxy_use_fdpass = 0; - /* options->local_command should not be set by default */ - /* options->proxy_command should not be set by default */ +#define CLEAR_ON_NONE(v) \ + do { \ + if (v != NULL && strcasecmp(v, "none") == 0) { \ + free(v); \ + v = NULL; \ + } \ + } while(0) + CLEAR_ON_NONE(options->local_command); + CLEAR_ON_NONE(options->proxy_command); + CLEAR_ON_NONE(options->control_path); /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ /* options->host_key_alias should not be set by default */ diff --git a/sftp-server.c b/sftp-server.c index b62bd351..3056c454 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.100 2013/10/14 14:18:56 jmc Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.101 2013/10/14 23:28:23 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * 
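Review bot: The CLEAR_ON_NONE macro uses its parameter unparenthesised in `if (v != NULL && strcasecmp(v, "none") == 0)` and is left defined after its three uses inside fill_default_options; writing `(v)` and adding `#undef CLEAR_ON_NONE` after the last use keeps the function-local macro from leaking into the rest of the file. The comparison is also now case-insensitive, whereas the ssh.c code this replaces used `strcmp`, so `None` and `NONE` now clear ProxyCommand and ControlPath as well; that widening is fine but undocumented. fill_default_options begins and ends outside the hunk.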
@@ -230,6 +230,8 @@ flags_from_portable(int pflags) } else if (pflags & SSH2_FXF_WRITE) { flags = O_WRONLY; } + if (pflags & SSH2_FXF_APPEND) + flags |= O_APPEND; if (pflags & SSH2_FXF_CREAT) flags |= O_CREAT; if (pflags & SSH2_FXF_TRUNC) @@ -256,6 +258,8 @@ string_from_portable(int pflags) PAPPEND("READ") if (pflags & SSH2_FXF_WRITE) PAPPEND("WRITE") + if (pflags & SSH2_FXF_APPEND) + PAPPEND("APPEND") if (pflags & SSH2_FXF_CREAT) PAPPEND("CREATE") if (pflags & SSH2_FXF_TRUNC) @@ -279,6 +283,7 @@ struct Handle { int use; DIR *dirp; int fd; + int flags; char *name; u_int64_t bytes_read, bytes_write; int next_unused; @@ -302,7 +307,7 @@ static void handle_unused(int i) } static int -handle_new(int use, const char *name, int fd, DIR *dirp) +handle_new(int use, const char *name, int fd, int flags, DIR *dirp) { int i; @@ -320,6 +325,7 @@ handle_new(int use, const char *name, int fd, DIR *dirp) handles[i].use = use; handles[i].dirp = dirp; handles[i].fd = fd; + handles[i].flags = flags; handles[i].name = xstrdup(name); handles[i].bytes_read = handles[i].bytes_write = 0; @@ -382,6 +388,14 @@ handle_to_fd(int handle) return -1; } +static int +handle_to_flags(int handle) +{ + if (handle_is_ok(handle, HANDLE_FILE)) + return handles[handle].flags; + return 0; +} + static void handle_update_read(int handle, ssize_t bytes) { @@ -668,7 +682,7 @@ process_open(u_int32_t id) if (fd < 0) { status = errno_to_portable(errno); } else { - handle = handle_new(HANDLE_FILE, name, fd, NULL); + handle = handle_new(HANDLE_FILE, name, fd, flags, NULL); if (handle < 0) { close(fd); } else { @@ -754,7 +768,8 @@ process_write(u_int32_t id) if (fd < 0) status = SSH2_FX_FAILURE; else { - if (lseek(fd, off, SEEK_SET) < 0) { + if (!(handle_to_flags(handle) & O_APPEND) && + lseek(fd, off, SEEK_SET) < 0) { status = errno_to_portable(errno); error("process_write: seek failed"); } else { 
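Review bot: With SSH2_FXF_APPEND the client-supplied offset in process_write is now silently skipped rather than passed to lseek, which is what O_APPEND semantics require but is invisible at the call site; a comment on the new condition, `/* O_APPEND handles always write at EOF; the client offset is ignored */`, would make that explicit. flags_from_portable also ORs in O_APPEND whether or not SSH2_FXF_WRITE was requested, so a READ|APPEND open yields `O_RDONLY|O_APPEND`; that looks harmless, but the intent would be clearer if APPEND were only honoured alongside WRITE. Both flags_from_portable and process_write begin outside the hunk.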
@@ -971,7 +986,7 @@ process_opendir(u_int32_t id) if (dirp == NULL) { status = errno_to_portable(errno); } else { - handle = handle_new(HANDLE_DIR, path, 0, dirp); + handle = handle_new(HANDLE_DIR, path, 0, 0, dirp); if (handle < 0) { closedir(dirp); } else { diff --git a/ssh.c b/ssh.c index 13f384a9..5aa5dcc8 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.382 2013/10/14 22:22:04 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.383 2013/10/14 23:28:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -723,6 +723,14 @@ main(int ac, char **av) channel_set_af(options.address_family); + /* Tidy and check options */ + if (options.host_key_alias != NULL) + lowercase(options.host_key_alias); + if (options.proxy_command != NULL && + strcmp(options.proxy_command, "-") == 0 && + options.proxy_use_fdpass) + fatal("ProxyCommand=- and ProxyUseFDPass are incompatible"); + /* reinit */ log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog); @@ -779,24 +787,6 @@ main(int ac, char **av) free(cp); } - /* force lowercase for hostkey matching */ - if (options.host_key_alias != NULL) { - for (p = options.host_key_alias; *p; p++) - if (isupper(*p)) - *p = (char)tolower(*p); - } - - if (options.proxy_command != NULL && - strcmp(options.proxy_command, "none") == 0) { - free(options.proxy_command); - options.proxy_command = NULL; - } - if (options.control_path != NULL && - strcmp(options.control_path, "none") == 0) { - free(options.control_path); - options.control_path = NULL; - } - if (options.control_path != NULL) { cp = tilde_expand_filename(options.control_path, original_real_uid); -- cgit v1.2.1 From 88cedcde30406df6d0df85f14a7f11e21424843d Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 15 Oct 2013 01:14:49 +0000 Subject: - djm@cvs.openbsd.org 2013/10/14 23:31:01 [ssh.c] whitespace at EOL; pointed out by markus@ --- ChangeLog | 3 +++ ssh.c | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 91a6b649..37493faf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,9 @@ add a lowercase() function and use it instead of explicit tolower() in loops part of a larger diff that was ok markus@ + - djm@cvs.openbsd.org 2013/10/14 23:31:01 + [ssh.c] + whitespace at EOL; pointed out by markus@ 20131010 - (dtucker) OpenBSD CVS Sync diff --git a/ssh.c b/ssh.c index 5aa5dcc8..8dfc9bc1 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.383 2013/10/14 23:28:23 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.384 2013/10/14 23:31:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -807,7 +807,7 @@ main(int ac, char **av) /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, &timeout_ms, - options.tcp_keep_alive, + options.tcp_keep_alive, #ifdef HAVE_CYGWIN options.use_privileged_port, #else @@ -1079,7 +1079,7 @@ ssh_init_stdio_forwarding(void) if (stdio_forward_host == NULL) return; - if (!compat20) + if (!compat20) fatal("stdio forwarding require Protocol 2"); debug3("%s: %s:%d", __func__, stdio_forward_host, stdio_forward_port); @@ -1251,7 +1251,7 @@ ssh_session(void) char *proto, *data; /* Get reasonable local authentication information. */ client_x11_get_proto(display, options.xauth_location, - options.forward_x11_trusted, + options.forward_x11_trusted, options.forward_x11_timeout, &proto, &data); /* Request forwarding with authentication spoofing. */ -- cgit v1.2.1 From a3427782f66b44ab630228490be12d1e00352e2a Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 15 Oct 2013 01:20:37 +0000 Subject: - [ssh.c] g/c unused variable. --- ssh.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/ssh.c b/ssh.c index 8dfc9bc1..ad6ae0f4 100644 --- a/ssh.c +++ b/ssh.c 
@@ -245,8 +245,6 @@ main(int ac, char **av) int timeout_ms; extern int optind, optreset; extern char *optarg; - - struct servent *sp; Forward fwd; /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ -- cgit v1.2.1 From 6182e9ce8034118b95a09984ba0eef0d82d5b690 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Oct 2013 00:31:40 +0000 Subject: - [ssh.c] g/c unused variable. --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 37493faf..ddf25d34 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,7 @@ - djm@cvs.openbsd.org 2013/10/14 23:31:01 [ssh.c] whitespace at EOL; pointed out by markus@ + - [ssh.c] g/c unused variable. 20131010 - (dtucker) OpenBSD CVS Sync -- cgit v1.2.1 From e2d02c57a75300b5e96e8f9c7502aa9577953239 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Oct 2013 00:39:00 +0000 Subject: - jmc@cvs.openbsd.org 2013/10/15 14:10:25 [ssh.1 ssh_config.5] tweak previous; --- ChangeLog | 6 ++++++ ssh.1 | 5 +++-- ssh_config.5 | 6 +++--- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index ddf25d34..255a3e02 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20131017 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2013/10/15 14:10:25 + [ssh.1 ssh_config.5] + tweak previous; + 20131015 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/10/09 23:42:17 diff --git a/ssh.1 b/ssh.1 index 22765401..8091aecf 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.336 2013/08/20 06:56:07 jmc Exp $ -.Dd $Mdocdate: August 20 2013 $ +.\" $OpenBSD: ssh.1,v 1.337 2013/10/15 14:10:25 jmc Exp $ +.Dd $Mdocdate: October 15 2013 $ .Dt SSH 1 .Os .Sh NAME 
@@ -456,6 +456,7 @@ For full details of the options listed below, and their possible values, see .It LocalForward .It LogLevel .It MACs +.It Match .It NoHostAuthenticationForLocalhost .It NumberOfPasswordPrompts .It PasswordAuthentication diff --git a/ssh_config.5 b/ssh_config.5 index f35f468f..3eaaa536 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.169 2013/10/14 22:22:05 djm Exp $ -.Dd $Mdocdate: October 14 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.170 2013/10/15 14:10:25 jmc Exp $ +.Dd $Mdocdate: October 15 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -126,7 +126,7 @@ matches. See .Sx PATTERNS for more information on patterns. -.It Cm Match +.It Cm Match Restricts the following declarations (up to the next .Cm Host or -- cgit v1.2.1 From 6adb89faf87799e383c1a165b44c7707db216a29 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Oct 2013 00:47:23 +0000 Subject: - djm@cvs.openbsd.org 2013/10/16 02:31:47 [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] [sshconnect.c sshconnect.h] Implement client-side hostname canonicalisation to allow an explicit search path of domain suffixes to use to convert unqualified host names to fully-qualified ones for host key matching. This is particularly useful for host certificates, which would otherwise need to list unqualified names alongside fully-qualified ones (and this causes a number of problems). "looks fine" markus@ --- ChangeLog | 10 +++ readconf.c | 113 +++++++++++++++++++++++++++++++++- readconf.h | 22 ++++++- roaming_client.c | 8 +-- ssh.1 | 9 ++- ssh.c | 183 ++++++++++++++++++++++++++++++++++++++++++++++++++----- ssh_config.5 | 75 ++++++++++++++++++++++- sshconnect.c | 74 +++++++++------------- sshconnect.h | 8 +-- 9 files changed, 426 insertions(+), 76 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 255a3e02..c765bcea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,16 @@ - jmc@cvs.openbsd.org 2013/10/15 14:10:25 [ssh.1 ssh_config.5] tweak previous; + - djm@cvs.openbsd.org 2013/10/16 02:31:47 + [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] + [sshconnect.c sshconnect.h] + Implement client-side hostname canonicalisation to allow an explicit + search path of domain suffixes to use to convert unqualified host names + to fully-qualified ones for host key matching. + This is particularly useful for host certificates, which would otherwise + need to list unqualified names alongside fully-qualified ones (and this + causes a number of problems). + "looks fine" markus@ 20131015 - (djm) OpenBSD CVS Sync diff --git a/readconf.c b/readconf.c index 9340effd..de8eb7cd 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.207 2013/10/14 23:28:23 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.208 2013/10/16 02:31:45 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -144,6 +144,8 @@ typedef enum { oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, + oCanonicalDomains, oCanonicaliseHostname, oCanonicaliseMaxDots, + oCanonicaliseFallbackLocal, oCanonicalisePermittedCNAMEs, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -257,6 +259,11 @@ static struct { { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, { "proxyusefdpass", oProxyUseFdpass }, + { "canonicaldomains", oCanonicalDomains }, + { "canonicalisefallbacklocal", oCanonicaliseFallbackLocal }, + { "canonicalisehostname", oCanonicaliseHostname }, + { "canonicalisemaxdots", oCanonicaliseMaxDots }, + { "canonicalisepermittedcnames", oCanonicalisePermittedCNAMEs }, { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } 
@@ -535,6 +542,34 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, return result; } +/* Check and prepare a domain name: removes trailing '.' and lowercases */ +static void +valid_domain(char *name, const char *filename, int linenum) +{ + size_t i, l = strlen(name); + u_char c, last = '\0'; + + if (l == 0) + fatal("%s line %d: empty hostname suffix", filename, linenum); + if (!isalpha((u_char)name[0]) && !isdigit((u_char)name[0])) + fatal("%s line %d: hostname suffix \"%.100s\" " + "starts with invalid character", filename, linenum, name); + for (i = 0; i < l; i++) { + c = tolower((u_char)name[i]); + name[i] = (char)c; + if (last == '.' && c == '.') + fatal("%s line %d: hostname suffix \"%.100s\" contains " + "consecutive separators", filename, linenum, name); + if (c != '.' && c != '-' && !isalnum(c) && + c != '_') /* technically invalid, but common */ + fatal("%s line %d: hostname suffix \"%.100s\" contains " + "invalid characters", filename, linenum, name); + last = c; + } + if (name[l - 1] == '.') + name[l - 1] = '\0'; +} + /* * Returns the number of the token pointed to by cp or oBadOption. */ @@ -609,6 +644,14 @@ static const struct multistate multistate_requesttty[] = { { "auto", REQUEST_TTY_AUTO }, { NULL, -1 } }; +static const struct multistate multistate_canonicalisehostname[] = { + { "true", SSH_CANONICALISE_YES }, + { "false", SSH_CANONICALISE_NO }, + { "yes", SSH_CANONICALISE_YES }, + { "no", SSH_CANONICALISE_NO }, + { "always", SSH_CANONICALISE_ALWAYS }, + { NULL, -1 } +}; /* * Processes a single option line as used in the configuration files. This @@ -628,6 +671,7 @@ process_config_line(Options *options, struct passwd *pw, const char *host, size_t len; Forward fwd; const struct multistate *multistate_ptr; + struct allowed_cname *cname; if (activep == NULL) { /* We are processing a command line directive */ cmdline = 1; 
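Review bot: valid_domain accepts a suffix whose last character is `-` (for example `example.com-`), because only the first character and the adjacency of dots are checked before the trailing-dot strip; adding `if (name[l - 1] == '-') fatal("%s line %d: hostname suffix \"%.100s\" ends with invalid character", filename, linenum, name);` after the trailing-dot handling would bring it in line with the label rules the function otherwise enforces. The function also rewrites its argument in place (lowercasing and dropping a trailing `.`) while being named like a pure predicate and returning void; the header comment mentions this, but a caller-facing note such as `/* NB: modifies name in place; fatal()s on invalid input */` or a name like `canonicalise_domain` would make the side effect harder to miss at the call sites in process_config_line.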
@@ -1263,6 +1307,62 @@ parse_int: intptr = &options->proxy_use_fdpass; goto parse_flag; + case oCanonicalDomains: + value = options->num_canonical_domains != 0; + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { + valid_domain(arg, filename, linenum); + if (!*activep || value) + continue; + if (options->num_canonical_domains >= MAX_CANON_DOMAINS) + fatal("%s line %d: too many hostname suffixes.", + filename, linenum); + options->canonical_domains[ + options->num_canonical_domains++] = xstrdup(arg); + } + break; + + case oCanonicalisePermittedCNAMEs: + value = options->num_permitted_cnames != 0; + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { + /* Either '*' for everything or 'list:list' */ + if (strcmp(arg, "*") == 0) + arg2 = arg; + else { + lowercase(arg); + if ((arg2 = strchr(arg, ':')) == NULL || + arg2[1] == '\0') { + fatal("%s line %d: " + "Invalid permitted CNAME \"%s\"", + filename, linenum, arg); + } + *arg2 = '\0'; + arg2++; + } + if (!*activep || value) + continue; + if (options->num_permitted_cnames >= MAX_CANON_DOMAINS) + fatal("%s line %d: too many permitted CNAMEs.", + filename, linenum); + cname = options->permitted_cnames + + options->num_permitted_cnames++; + cname->source_list = xstrdup(arg); + cname->target_list = xstrdup(arg2); + } + break; + + case oCanonicaliseHostname: + intptr = &options->canonicalise_hostname; + multistate_ptr = multistate_canonicalisehostname; + goto parse_multistate; + + case oCanonicaliseMaxDots: + intptr = &options->canonicalise_max_dots; + goto parse_int; + + case oCanonicaliseFallbackLocal: + intptr = &options->canonicalise_fallback_local; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); 
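Review bot: The oCanonicalisePermittedCNAMEs branch rejects a rule with an empty target list (`foo:`) but accepts one with an empty source list (`:foo`): when the `:` is at position 0 the check `arg2[1] == '\0'` passes, `*arg2 = '\0'` turns `arg` into the empty string, and the stored rule can never match because match_pattern_list with a zero-length list matches nothing, so the operator's mistake is swallowed silently. Extending the condition to `if ((arg2 = strchr(arg, ':')) == NULL || arg2 == arg || arg2[1] == '\0')` makes both halves mandatory and turns the typo into the fatal() the code already has. process_config_line continues outside the hunk.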
@@ -1426,6 +1526,11 @@ initialize_options(Options * options) options->request_tty = -1; options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; + options->num_canonical_domains = 0; + options->num_permitted_cnames = 0; + options->canonicalise_max_dots = -1; + options->canonicalise_fallback_local = -1; + options->canonicalise_hostname = -1; } /* @@ -1579,6 +1684,12 @@ fill_default_options(Options * options) options->request_tty = REQUEST_TTY_AUTO; if (options->proxy_use_fdpass == -1) options->proxy_use_fdpass = 0; + if (options->canonicalise_max_dots == -1) + options->canonicalise_max_dots = 1; + if (options->canonicalise_fallback_local == -1) + options->canonicalise_fallback_local = 1; + if (options->canonicalise_hostname == -1) + options->canonicalise_hostname = SSH_CANONICALISE_NO; #define CLEAR_ON_NONE(v) \ do { \ if (v != NULL && strcasecmp(v, "none") == 0) { \ diff --git a/readconf.h b/readconf.h index cde8b524..4a210897 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.97 2013/10/14 22:22:03 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.98 2013/10/16 02:31:46 djm Exp $ */ /* * Author: Tatu Ylonen @@ -29,7 +29,13 @@ typedef struct { /* Data structure for representing option data. */ #define MAX_SEND_ENV 256 -#define SSH_MAX_HOSTS_FILES 256 +#define SSH_MAX_HOSTS_FILES 32 +#define MAX_CANON_DOMAINS 32 + +struct allowed_cname { + char *source_list; + char *target_list; +}; typedef struct { int forward_agent; /* Forward authentication agent. */ 
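Review bot: The readconf.h hunk lowers `SSH_MAX_HOSTS_FILES` from 256 to 32 in the same line that introduces `MAX_CANON_DOMAINS 32`, and neither the commit message nor the ChangeLog entry mentions it; a configuration that lists more than 32 known-hosts files, which was accepted before, will presumably now hit whatever limit check the known-hosts parser applies to that constant. If the reduction is intentional it deserves its own sentence in the commit message and a comment on the define, `/* was 256; lowered together with MAX_CANON_DOMAINS */` or similar; if it was an editing slip the old value should be restored.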
@@ -140,9 +146,21 @@ typedef struct { int proxy_use_fdpass; + int num_canonical_domains; + char *canonical_domains[MAX_CANON_DOMAINS]; + int canonicalise_hostname; + int canonicalise_max_dots; + int canonicalise_fallback_local; + int num_permitted_cnames; + struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS]; + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; +#define SSH_CANONICALISE_NO 0 +#define SSH_CANONICALISE_YES 1 +#define SSH_CANONICALISE_ALWAYS 2 + #define SSHCTL_MASTER_NO 0 #define SSHCTL_MASTER_YES 1 #define SSHCTL_MASTER_AUTO 2 diff --git a/roaming_client.c b/roaming_client.c index 81c49682..2fb62312 100644 --- a/roaming_client.c +++ b/roaming_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_client.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: roaming_client.c,v 1.6 2013/10/16 02:31:46 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -259,10 +259,10 @@ wait_for_roaming_reconnect(void) if (c != '\n' && c != '\r') continue; - if (ssh_connect(host, &hostaddr, options.port, + if (ssh_connect(host, NULL, &hostaddr, options.port, options.address_family, 1, &timeout_ms, - options.tcp_keep_alive, options.use_privileged_port, - options.proxy_command) == 0 && roaming_resume() == 0) { + options.tcp_keep_alive, options.use_privileged_port) == 0 && + roaming_resume() == 0) { packet_restore_state(); reenter_guard = 0; fprintf(stderr, "[connection resumed]\n"); diff --git a/ssh.1 b/ssh.1 index 8091aecf..d9e2cb65 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.337 2013/10/15 14:10:25 jmc Exp $ -.Dd $Mdocdate: October 15 2013 $ +.\" $OpenBSD: ssh.1,v 1.338 2013/10/16 02:31:46 djm Exp $ +.Dd $Mdocdate: October 16 2013 $ .Dt SSH 1 .Os .Sh NAME 
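Review bot: roaming_client.c now passes `NULL` as the new `addrs` argument of ssh_connect, but ssh_connect_direct in the sshconnect.c hunks (`@@ -429,33 +415,18 @@` and the one after it) no longer calls getaddrinfo itself: with a NULL list its loop `for (ai = aitop; ai; ai = ai->ai_next)` makes no connection attempt, `sock` stays -1 and the "connect to host" error path is taken, so a roaming reconnect over a direct (non-proxy) connection cannot succeed any more. The caller should resolve the host before the call, either with the getaddrinfo sequence the sshconnect.c hunk removes or with the resolve_host helper added to ssh.c if it is made non-static, and freeaddrinfo the list afterwards; alternatively ssh_connect_direct could resolve the name itself when `aitop == NULL`, which would restore the old behaviour for every caller. wait_for_roaming_reconnect continues outside the hunk.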
@@ -417,6 +417,11 @@ For full details of the options listed below, and their possible values, see .It AddressFamily .It BatchMode .It BindAddress +.It CanonicalDomains +.It CanonicaliseFallbackLocal +.It CanonicaliseHostname +.It CanonicaliseMaxDots +.It CanonicalisePermittedCNAMEs .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher diff --git a/ssh.c b/ssh.c index ad6ae0f4..230591b3 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.384 2013/10/14 23:31:01 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.385 2013/10/16 02:31:46 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -231,6 +231,134 @@ tilde_expand_paths(char **paths, u_int num_paths) } } +static struct addrinfo * +resolve_host(const char *name, u_int port, int logerr, char *cname, size_t clen) +{ + char strport[NI_MAXSERV]; + struct addrinfo hints, *res; + int gaierr, loglevel = SYSLOG_LEVEL_DEBUG1; + + snprintf(strport, sizeof strport, "%u", port); + bzero(&hints, sizeof(hints)); + hints.ai_family = options.address_family; + hints.ai_socktype = SOCK_STREAM; + if (cname != NULL) + hints.ai_flags = AI_CANONNAME; + if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) { + if (logerr || (gaierr != EAI_NONAME && gaierr != EAI_NODATA)) + loglevel = SYSLOG_LEVEL_ERROR; + do_log2(loglevel, "%s: Could not resolve hostname %.100s: %s", + __progname, name, ssh_gai_strerror(gaierr)); + return NULL; + } + if (cname != NULL && res->ai_canonname != NULL) { + if (strlcpy(cname, res->ai_canonname, clen) >= clen) { + error("%s: host \"%s\" cname \"%s\" too long (max %lu)", + __func__, name, res->ai_canonname, (u_long)clen); + if (clen > 0) + *cname = '\0'; + } + } + return res; +} + +/* + * Check whether the cname is a permitted replacement for the hostname + * and perform the replacement if it is. + */ +static int +check_follow_cname(char **namep, const char *cname) +{ + int i; + struct allowed_cname *rule; + + if (*cname == '\0' || options.num_permitted_cnames == 0 || + strcmp(*namep, cname) == 0) + return 0; + if (options.canonicalise_hostname == SSH_CANONICALISE_NO) + return 0; + /* + * Don't attempt to canonicalise names that will be interpreted by + * a proxy unless the user specifically requests so. 
+ */ + if (options.proxy_command != NULL && + options.canonicalise_hostname != SSH_CANONICALISE_ALWAYS) + return 0; + debug3("%s: check \"%s\" CNAME \"%s\"", __func__, *namep, cname); + for (i = 0; i < options.num_permitted_cnames; i++) { + rule = options.permitted_cnames + i; + if (match_pattern_list(*namep, rule->source_list, + strlen(rule->source_list), 1) != 1 || + match_pattern_list(cname, rule->target_list, + strlen(rule->target_list), 1) != 1) + continue; + verbose("Canonicalised DNS aliased hostname " + "\"%s\" => \"%s\"", *namep, cname); + free(*namep); + *namep = xstrdup(cname); + return 1; + } + return 0; +} + +/* + * Attempt to resolve the supplied hostname after applying the user's + * canonicalisation rules. Returns the address list for the host or NULL + * if no name was found after canonicalisation. + */ +static struct addrinfo * +resolve_canonicalise(char **hostp, u_int port) +{ + int i, ndots; + char *cp, *fullhost, cname_target[NI_MAXHOST]; + struct addrinfo *addrs; + + if (options.canonicalise_hostname == SSH_CANONICALISE_NO) + return NULL; + /* + * Don't attempt to canonicalise names that will be interpreted by + * a proxy unless the user specifically requests so. 
+ */ + if (options.proxy_command != NULL && + options.canonicalise_hostname != SSH_CANONICALISE_ALWAYS) + return NULL; + /* Don't apply canonicalisation to sufficiently-qualified hostnames */ + ndots = 0; + for (cp = *hostp; *cp != '\0'; cp++) { + if (*cp == '.') + ndots++; + } + if (ndots > options.canonicalise_max_dots) { + debug3("%s: not canonicalising hostname \"%s\" (max dots %d)", + __func__, *hostp, options.canonicalise_max_dots); + return NULL; + } + /* Attempt each supplied suffix */ + for (i = 0; i < options.num_canonical_domains; i++) { + *cname_target = '\0'; + xasprintf(&fullhost, "%s.%s.", *hostp, + options.canonical_domains[i]); + if ((addrs = resolve_host(fullhost, options.port, 0, + cname_target, sizeof(cname_target))) == NULL) { + free(fullhost); + continue; + } + /* Remove trailing '.' */ + fullhost[strlen(fullhost) - 1] = '\0'; + /* Follow CNAME if requested */ + if (!check_follow_cname(&fullhost, cname_target)) { + debug("Canonicalised hostname \"%s\" => \"%s\"", + *hostp, fullhost); + } + free(*hostp); + *hostp = fullhost; + return addrs; + } + if (!options.canonicalise_fallback_local) + fatal("%s: Could not resolve host \"%s\"", __progname, host); + return NULL; +} + /* * Main program for the ssh client. */ @@ -240,12 +368,14 @@ main(int ac, char **av) int i, r, opt, exit_status, use_syslog; char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile; char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; + char cname[NI_MAXHOST]; struct stat st; struct passwd *pw; int timeout_ms; extern int optind, optreset; extern char *optarg; Forward fwd; + struct addrinfo *addrs = NULL; /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); @@ -630,9 +760,9 @@ main(int ac, char **av) usage(); options.user = p; *cp = '\0'; - host = ++cp; + host = xstrdup(++cp); } else - host = *av; + host = xstrdup(*av); if (ac > 1) { optind = optreset = 1; goto again; 
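Review bot: resolve_host only writes to `cname` when `res->ai_canonname` is non-NULL (or on strlcpy overflow), yet main declares `char cname[NI_MAXHOST];` without an initialiser and then hands it to check_follow_cname, which starts by testing `*cname == '\0'`; if the resolver leaves `ai_canonname` unset despite AI_CANONNAME (implementations are not obliged to fill it for every query), that test reads an uninitialised byte. Clearing the buffer at the top of resolve_host, `if (cname != NULL && clen > 0) *cname = '\0';`, fixes every caller and makes the per-iteration `*cname_target = '\0';` in resolve_canonicalise redundant. Two smaller points in resolve_canonicalise: it takes a `port` parameter but calls `resolve_host(fullhost, options.port, ...)`, and its fatal() message uses the global `host` rather than `*hostp`; both happen to coincide for the one caller in main, but the function should use its own parameters so the coupling to main's globals goes away.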
@@ -644,6 +774,9 @@ main(int ac, char **av) if (!host) usage(); + lowercase(host); + host_arg = xstrdup(host); + OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); @@ -728,6 +861,10 @@ main(int ac, char **av) strcmp(options.proxy_command, "-") == 0 && options.proxy_use_fdpass) fatal("ProxyCommand=- and ProxyUseFDPass are incompatible"); +#ifndef HAVE_CYGWIN + if (original_effective_uid != 0) + options.use_privileged_port = 0; +#endif /* reinit */ log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog); @@ -762,10 +899,26 @@ main(int ac, char **av) options.port = default_ssh_port(); /* preserve host name given on command line for %n expansion */ - host_arg = host; if (options.hostname != NULL) { - host = percent_expand(options.hostname, + cp = percent_expand(options.hostname, "h", host, (char *)NULL); + free(host); + host = cp; + } + + /* If canonicalisation requested then try to apply it */ + if (options.canonicalise_hostname != SSH_CANONICALISE_NO) + addrs = resolve_canonicalise(&host, options.port); + /* + * If canonicalisation not requested, or if it failed then try to + * resolve the bare hostname name using the system resolver's usual + * search rules. + */ + if (addrs == NULL) { + if ((addrs = resolve_host(host, options.port, 1, + cname, sizeof(cname))) == NULL) + cleanup_exit(255); /* resolve_host logs the error */ + check_follow_cname(&host, cname); } if (gethostname(thishost, sizeof(thishost)) == -1) 
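Review bot: The fallback `if (addrs == NULL)` block in main resolves the destination unconditionally and exits with `cleanup_exit(255)` on failure, even when a ProxyCommand is configured; the code it replaces (the ssh_connect hunk in sshconnect.c) returned to the proxy path before ever calling getaddrinfo, and the proxy paths in the new ssh_connect wrapper never look at `addrs`. A host name that is only resolvable on the far side of the proxy, the usual jump-host arrangement, therefore now fails with "Could not resolve hostname" before the proxy is even started, which is also inconsistent with resolve_canonicalise and check_follow_cname skipping proxied connections unless CanonicaliseHostname=always. Guarding the block with `if (addrs == NULL && options.proxy_command == NULL) {` restores the previous behaviour; the later `freeaddrinfo(addrs);` then needs `if (addrs != NULL)` in front of it, since a NULL argument is not guaranteed to be accepted on every platform. main continues outside the hunk.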
@@ -803,16 +956,15 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; /* Open a connection to the remote host. */ - if (ssh_connect(host, &hostaddr, options.port, - options.address_family, options.connection_attempts, &timeout_ms, - options.tcp_keep_alive, -#ifdef HAVE_CYGWIN - options.use_privileged_port, -#else - original_effective_uid == 0 && options.use_privileged_port, -#endif - options.proxy_command) != 0) - exit(255); + if (ssh_connect(host, addrs, &hostaddr, options.port, + options.address_family, options.connection_attempts, + &timeout_ms, options.tcp_keep_alive, + options.use_privileged_port) != 0) + exit(255); + + freeaddrinfo(addrs); + packet_set_timeout(options.server_alive_interval, + options.server_alive_count_max); if (timeout_ms > 0) debug3("timeout: %d ms remain after connect", timeout_ms); @@ -1621,4 +1773,3 @@ main_sigchld_handler(int sig) signal(sig, main_sigchld_handler); errno = save_errno; } - diff --git a/ssh_config.5 b/ssh_config.5 index 3eaaa536..3c1f87be 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.170 2013/10/15 14:10:25 jmc Exp $ -.Dd $Mdocdate: October 15 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.171 2013/10/16 02:31:46 djm Exp $ +.Dd $Mdocdate: October 16 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -200,6 +200,77 @@ Note that this option does not work if .Cm UsePrivilegedPort is set to .Dq yes . +.It Cm CanonicalDomains +when +.Cm CanonicaliseHostname +is enabled, this option specifies the list of domain suffixes in which to +search for the specified destination host. +.It Cm CanonicaliseFallbackLocal +specified whether to fail with an error when hostname canonicalisation fails. +The default of +.Dq no +will attempt to lookup the unqualified hostname using the system resolver's +search rules. +A value of +.Dq yes +will cause +.Xr ssh 1 +to fail instantly if +.Cm CanonicaliseHostname +is enabled and the target hostname cannot be found in any of the domains +specified by +.Cm CanonicalDomains . +.It Cm CanonicaliseHostname +controls whether explicit hostname canonicalisation is performed. +The default +.Dq no +is not to perform any name rewriting and let the system resolver handle all +hostname lookups. +If set to +.Dq yes +then, for connections that do not use a +.Cm ProxyCommand , +.Xr ssh 1 +will attempt to canonicalise the hostname specified on the command line +using the +.Cm CanonicalDomains +suffixes and +.Cm CanonicalisePermittedCNAMEs +rules. +If +.Cm CanonicaliseHostname +is set to +.Dq always , +then canonicalisation is applied to proxied connections to. +.It Cm CanonicaliseMaxDots +specifies the maximum number of dot characters in a hostname name before +canonicalisation is disabled. +The default of +.Dq 1 +allows a single dot (i.e. hostname.subdomain) +.It Cm CanonicalisePermittedCNAMEs +specifies rules to determine whether CNAMEs should be followed when +canonicalising hostnames. +The rules consist of one or more arguments of +.Sm off +.Ar source_domain_list : Ar target_domain_list +.Sm on +where +.Ar source_domain_list +is a pattern-list of domains that are may follow CNAMEs in canonicalisation +and +.Ar target_domain_list +is a pattern-list of domains that they may resove to. 
+.Pp +For example, +.Dq *.a.example.com:*.b.example.com,*.c.example.com +will allow hostnames matching +.Dq *.a.example.com +to be canonicalised to names in the +.Dq *.b.example.com +or +.Dq *.c.example.com +domains. .It Cm ChallengeResponseAuthentication Specifies whether to use challenge-response authentication. The argument to this keyword must be diff --git a/sshconnect.c b/sshconnect.c index aee38198..3cdc4614 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.240 2013/09/19 01:26:29 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.241 2013/10/16 02:31:46 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -86,7 +86,7 @@ expand_proxy_command(const char *proxy_command, const char *user, { char *tmp, *ret, strport[NI_MAXSERV]; - snprintf(strport, sizeof strport, "%hu", port); + snprintf(strport, sizeof strport, "%d", port); xasprintf(&tmp, "exec %s", proxy_command); ret = percent_expand(tmp, "h", host, "p", strport, "r", options.user, (char *)NULL); @@ -170,8 +170,6 @@ ssh_proxy_fdpass_connect(const char *host, u_short port, /* Set the connection file descriptors. */ packet_set_connection(sock, sock); - packet_set_timeout(options.server_alive_interval, - options.server_alive_count_max); return 0; } @@ -187,16 +185,6 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) pid_t pid; char *shell; - if (!strcmp(proxy_command, "-")) { - packet_set_connection(STDIN_FILENO, STDOUT_FILENO); - packet_set_timeout(options.server_alive_interval, - options.server_alive_count_max); - return 0; - } - - if (options.proxy_use_fdpass) - return ssh_proxy_fdpass_connect(host, port, proxy_command); - if ((shell = getenv("SHELL")) == NULL || *shell == '\0') shell = _PATH_BSHELL; 
@@ -258,8 +246,6 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) /* Set the connection file descriptors. */ packet_set_connection(pout[0], pin[1]); - packet_set_timeout(options.server_alive_interval, - options.server_alive_count_max); /* Indicate OK return */ return 0; @@ -429,33 +415,18 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, * and %p substituted for host and port, respectively) to use to contact * the daemon. */ -int -ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int family, int connection_attempts, int *timeout_ms, - int want_keepalive, int needpriv, const char *proxy_command) +static int +ssh_connect_direct(const char *host, struct addrinfo *aitop, + struct sockaddr_storage *hostaddr, u_short port, int family, + int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv) { - int gaierr; int on = 1; int sock = -1, attempt; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; - struct addrinfo hints, *ai, *aitop; + struct addrinfo *ai; debug2("ssh_connect: needpriv %d", needpriv); - /* If a proxy command is given, connect using it. */ - if (proxy_command != NULL) - return ssh_proxy_connect(host, port, proxy_command); - - /* No proxy command. */ - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = family; - hints.ai_socktype = SOCK_STREAM; - snprintf(strport, sizeof strport, "%u", port); - if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) - fatal("%s: Could not resolve hostname %.100s: %s", __progname, - host, ssh_gai_strerror(gaierr)); - for (attempt = 0; attempt < connection_attempts; attempt++) { if (attempt > 0) { /* Sleep a moment before retrying. */ 
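Review bot: The block comment left as context directly above the new `static int ssh_connect_direct(...)` still ends with "and %p substituted for host and port, respectively) to use to contact the daemon", describing the `proxy_command` parameter that this hunk removes from the signature, so the documentation now sits on the wrong function. It should move above the public ssh_connect wrapper added in the next hunk, where the proxy handling now lives, and ssh_connect_direct should get its own header, e.g. `/* Connect directly to the first reachable address in aitop; the list is owned by the caller. */`. The `debug2("ssh_connect: needpriv %d", needpriv);` line also names the old function; `debug2("%s: needpriv %d", __func__, needpriv);` keeps the log line truthful after the rename. ssh_connect_direct continues beyond the hunk.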
@@ -467,7 +438,8 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, * sequence until the connection succeeds. */ for (ai = aitop; ai; ai = ai->ai_next) { - if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) + if (ai->ai_family != AF_INET && + ai->ai_family != AF_INET6) continue; if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), @@ -500,8 +472,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, break; /* Successful connection. */ } - freeaddrinfo(aitop); - /* Return failure if we didn't get a successful connection. */ if (sock == -1) { error("ssh: connect to host %s port %s: %s", @@ -519,12 +489,28 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, /* Set the connection. */ packet_set_connection(sock, sock); - packet_set_timeout(options.server_alive_interval, - options.server_alive_count_max); return 0; } +int +ssh_connect(const char *host, struct addrinfo *addrs, + struct sockaddr_storage *hostaddr, u_short port, int family, + int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv) +{ + if (options.proxy_command == NULL) { + return ssh_connect_direct(host, addrs, hostaddr, port, family, + connection_attempts, timeout_ms, want_keepalive, needpriv); + } else if (strcmp(options.proxy_command, "-") == 0) { + packet_set_connection(STDIN_FILENO, STDOUT_FILENO); + return 0; /* Always succeeds */ + } else if (options.proxy_use_fdpass) { + return ssh_proxy_fdpass_connect(host, port, + options.proxy_command); + } + return ssh_proxy_connect(host, port, options.proxy_command); +} + static void send_client_banner(int connection_out, int minor1) { @@ -1265,7 +1251,7 @@ void ssh_login(Sensitive *sensitive, const char *orighost, struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms) { - char *host, *cp; + char *host; char *server_user, *local_user; local_user = xstrdup(pw->pw_name); 
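Review bot: The hunk drops `freeaddrinfo(aitop)` from the direct-connect path, moving ownership of the address list to the caller (main frees it after the call in the ssh.c hunk), but neither the new ssh_connect wrapper nor the prototype change in sshconnect.h says so, and the wrapper's three proxy branches ignore `addrs` entirely. A contract comment on ssh_connect along the lines of `/* addrs: resolved address list used only for direct connections; borrowed from the caller, who must freeaddrinfo() it after the call. Ignored when a ProxyCommand is configured. */` would let callers such as roaming_client.c see what they now have to supply. The wrapper reads options.proxy_command and options.proxy_use_fdpass from the global instead of the old explicit parameter; a one-line note that ssh_connect now depends on `options` being filled in would help readers of sshconnect.h, where the global is not obvious.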
@@ -1273,9 +1259,7 @@ ssh_login(Sensitive *sensitive, const char *orighost, /* Convert the user-supplied hostname into all lowercase. */ host = xstrdup(orighost); - for (cp = host; *cp; cp++) - if (isupper(*cp)) - *cp = (char)tolower(*cp); + lowercase(host); /* Exchange protocol version identification strings with the server. */ ssh_exchange_identification(timeout_ms); diff --git a/sshconnect.h b/sshconnect.h index fd7f7f7c..0ea6e99f 100644 --- a/sshconnect.h +++ b/sshconnect.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.27 2010/11/29 23:45:51 djm Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.28 2013/10/16 02:31:47 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -31,9 +31,9 @@ struct Sensitive { int external_keysign; }; -int -ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, - int *, int, int, const char *); +struct addrinfo; +int ssh_connect(const char *, struct addrinfo *, struct sockaddr_storage *, + u_short, int, int, int *, int, int); void ssh_kill_proxy_command(void); void ssh_login(Sensitive *, const char *, struct sockaddr *, u_short, -- cgit v1.2.1 From 61754f2bf95346e917a1c008c9c220decb97929a Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Oct 2013 00:47:51 +0000 Subject: - jmc@cvs.openbsd.org 2013/10/16 06:42:25 [ssh_config.5] tweak previous; --- ChangeLog | 3 +++ ssh_config.5 | 38 ++++++++++++++++++-------------------- 2 files changed, 21 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index c765bcea..38082e9c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,9 @@ need to list unqualified names alongside fully-qualified ones (and this causes a number of problems). "looks fine" markus@ + - jmc@cvs.openbsd.org 2013/10/16 06:42:25 + [ssh_config.5] + tweak previous; 20131015 - (djm) OpenBSD CVS Sync diff --git a/ssh_config.5 b/ssh_config.5 index 3c1f87be..2c0e6655 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.171 2013/10/16 02:31:46 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.172 2013/10/16 06:42:25 jmc Exp $ .Dd $Mdocdate: October 16 2013 $ .Dt SSH_CONFIG 5 .Os @@ -201,15 +201,15 @@ Note that this option does not work if is set to .Dq yes . .It Cm CanonicalDomains -when +When .Cm CanonicaliseHostname is enabled, this option specifies the list of domain suffixes in which to search for the specified destination host. .It Cm CanonicaliseFallbackLocal -specified whether to fail with an error when hostname canonicalisation fails. -The default of -.Dq no -will attempt to lookup the unqualified hostname using the system resolver's +Specifies whether to fail with an error when hostname canonicalisation fails. +The default, +.Dq no , +will attempt to look up the unqualified hostname using the system resolver's search rules. A value of .Dq yes @@ -221,9 +221,9 @@ is enabled and the target hostname cannot be found in any of the domains specified by .Cm CanonicalDomains . .It Cm CanonicaliseHostname -controls whether explicit hostname canonicalisation is performed. -The default -.Dq no +Controls whether explicit hostname canonicalisation is performed. +The default, +.Dq no , is not to perform any name rewriting and let the system resolver handle all hostname lookups. If set to 
@@ -241,26 +241,24 @@ If .Cm CanonicaliseHostname is set to .Dq always , -then canonicalisation is applied to proxied connections to. +then canonicalisation is applied to proxied connections too. .It Cm CanonicaliseMaxDots -specifies the maximum number of dot characters in a hostname name before +Specifies the maximum number of dot characters in a hostname before canonicalisation is disabled. -The default of -.Dq 1 -allows a single dot (i.e. hostname.subdomain) +The default, +.Dq 1 , +allows a single dot (i.e. hostname.subdomain). .It Cm CanonicalisePermittedCNAMEs -specifies rules to determine whether CNAMEs should be followed when +Specifies rules to determine whether CNAMEs should be followed when canonicalising hostnames. The rules consist of one or more arguments of -.Sm off -.Ar source_domain_list : Ar target_domain_list -.Sm on +.Ar source_domain_list : Ns Ar target_domain_list , where .Ar source_domain_list -is a pattern-list of domains that are may follow CNAMEs in canonicalisation +is a pattern-list of domains that may follow CNAMEs in canonicalisation, and .Ar target_domain_list -is a pattern-list of domains that they may resove to. +is a pattern-list of domains that they may resolve to. .Pp For example, .Dq *.a.example.com:*.b.example.com,*.c.example.com -- cgit v1.2.1 From 8b75c6f8000879c7ecda8263fae1376ee01d5879 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Oct 2013 00:48:13 +0000 Subject: - djm@cvs.openbsd.org 2013/10/16 22:49:39 [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] s/canonicalise/canonicalize/ for consistency with existing spelling, e.g. authorized_keys; pointed out by naddy@ --- ChangeLog | 4 ++++ readconf.c | 50 +++++++++++++++++++++++++------------------------- readconf.h | 8 ++++---- ssh.1 | 10 +++++----- ssh.c | 32 ++++++++++++++++---------------- ssh_config.5 | 24 ++++++++++++------------ 6 files changed, 66 insertions(+), 62 deletions(-) diff --git a/ChangeLog b/ChangeLog index 38082e9c..6935b5ca 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -16,6 +16,10 @@ - jmc@cvs.openbsd.org 2013/10/16 06:42:25 [ssh_config.5] tweak previous; + - djm@cvs.openbsd.org 2013/10/16 22:49:39 + [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] + s/canonicalise/canonicalize/ for consistency with existing spelling, + e.g. authorized_keys; pointed out by naddy@ 20131015 - (djm) OpenBSD CVS Sync diff --git a/readconf.c b/readconf.c index de8eb7cd..fb77fa9d 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.208 2013/10/16 02:31:45 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.209 2013/10/16 22:49:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -144,8 +144,8 @@ typedef enum { oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, - oCanonicalDomains, oCanonicaliseHostname, oCanonicaliseMaxDots, - oCanonicaliseFallbackLocal, oCanonicalisePermittedCNAMEs, + oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, + oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -260,10 +260,10 @@ static struct { { "requesttty", oRequestTTY }, { "proxyusefdpass", oProxyUseFdpass }, { "canonicaldomains", oCanonicalDomains }, - { "canonicalisefallbacklocal", oCanonicaliseFallbackLocal }, - { "canonicalisehostname", oCanonicaliseHostname }, - { "canonicalisemaxdots", oCanonicaliseMaxDots }, - { "canonicalisepermittedcnames", oCanonicalisePermittedCNAMEs }, + { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal }, + { "canonicalizehostname", oCanonicalizeHostname }, + { "canonicalizemaxdots", oCanonicalizeMaxDots }, + { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } 
@@ -644,7 +644,7 @@ static const struct multistate multistate_requesttty[] = { { "auto", REQUEST_TTY_AUTO }, { NULL, -1 } }; -static const struct multistate multistate_canonicalisehostname[] = { +static const struct multistate multistate_canonicalizehostname[] = { { "true", SSH_CANONICALISE_YES }, { "false", SSH_CANONICALISE_NO }, { "yes", SSH_CANONICALISE_YES }, @@ -1321,7 +1321,7 @@ parse_int: } break; - case oCanonicalisePermittedCNAMEs: + case oCanonicalizePermittedCNAMEs: value = options->num_permitted_cnames != 0; while ((arg = strdelim(&s)) != NULL && *arg != '\0') { /* Either '*' for everything or 'list:list' */ @@ -1350,17 +1350,17 @@ parse_int: } break; - case oCanonicaliseHostname: - intptr = &options->canonicalise_hostname; - multistate_ptr = multistate_canonicalisehostname; + case oCanonicalizeHostname: + intptr = &options->canonicalize_hostname; + multistate_ptr = multistate_canonicalizehostname; goto parse_multistate; - case oCanonicaliseMaxDots: - intptr = &options->canonicalise_max_dots; + case oCanonicalizeMaxDots: + intptr = &options->canonicalize_max_dots; goto parse_int; - case oCanonicaliseFallbackLocal: - intptr = &options->canonicalise_fallback_local; + case oCanonicalizeFallbackLocal: + intptr = &options->canonicalize_fallback_local; goto parse_flag; case oDeprecated: @@ -1528,9 +1528,9 @@ initialize_options(Options * options) options->ignored_unknown = NULL; options->num_canonical_domains = 0; options->num_permitted_cnames = 0; - options->canonicalise_max_dots = -1; - options->canonicalise_fallback_local = -1; - options->canonicalise_hostname = -1; + options->canonicalize_max_dots = -1; + options->canonicalize_fallback_local = -1; + options->canonicalize_hostname = -1; } /* 
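Review bot: The table is renamed to `multistate_canonicalizehostname` but its entries still use `SSH_CANONICALISE_YES` / `SSH_CANONICALISE_NO` (and `SSH_CANONICALISE_ALWAYS` in the ssh.c hunks further down), so the spelling consistency this commit is after stops at the option keywords and field names. The constants are defined outside these hunks, presumably in readconf.h; renaming them in the same sweep, or adding a comment saying why they keep the old spelling, would finish the job. The same mixed spelling appears in fill_default_options() at `@@ -1684,12 +1684,12 @@` and in check_follow_cname() / resolve_canonicalize().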
@@ -1684,12 +1684,12 @@ fill_default_options(Options * options) options->request_tty = REQUEST_TTY_AUTO; if (options->proxy_use_fdpass == -1) options->proxy_use_fdpass = 0; - if (options->canonicalise_max_dots == -1) - options->canonicalise_max_dots = 1; - if (options->canonicalise_fallback_local == -1) - options->canonicalise_fallback_local = 1; - if (options->canonicalise_hostname == -1) - options->canonicalise_hostname = SSH_CANONICALISE_NO; + if (options->canonicalize_max_dots == -1) + options->canonicalize_max_dots = 1; + if (options->canonicalize_fallback_local == -1) + options->canonicalize_fallback_local = 1; + if (options->canonicalize_hostname == -1) + options->canonicalize_hostname = SSH_CANONICALISE_NO; #define CLEAR_ON_NONE(v) \ do { \ if (v != NULL && strcasecmp(v, "none") == 0) { \ diff --git a/readconf.h b/readconf.h index 4a210897..2d7ea9fc 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.98 2013/10/16 02:31:46 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.99 2013/10/16 22:49:38 djm Exp $ */ /* * Author: Tatu Ylonen @@ -148,9 +148,9 @@ typedef struct { int num_canonical_domains; char *canonical_domains[MAX_CANON_DOMAINS]; - int canonicalise_hostname; - int canonicalise_max_dots; - int canonicalise_fallback_local; + int canonicalize_hostname; + int canonicalize_max_dots; + int canonicalize_fallback_local; int num_permitted_cnames; struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS]; diff --git a/ssh.1 b/ssh.1 index d9e2cb65..6369fc28 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.338 2013/10/16 02:31:46 djm Exp $ +.\" $OpenBSD: ssh.1,v 1.339 2013/10/16 22:49:38 djm Exp $ .Dd $Mdocdate: October 16 2013 $ .Dt SSH 1 .Os 
@@ -418,10 +418,10 @@ For full details of the options listed below, and their possible values, see .It BatchMode .It BindAddress .It CanonicalDomains -.It CanonicaliseFallbackLocal -.It CanonicaliseHostname -.It CanonicaliseMaxDots -.It CanonicalisePermittedCNAMEs +.It CanonicalizeFallbackLocal +.It CanonicalizeHostname +.It CanonicalizeMaxDots +.It CanonicalizePermittedCNAMEs .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher diff --git a/ssh.c b/ssh.c index 230591b3..6581e57b 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.385 2013/10/16 02:31:46 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.386 2013/10/16 22:49:39 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -275,14 +275,14 @@ check_follow_cname(char **namep, const char *cname) if (*cname == '\0' || options.num_permitted_cnames == 0 || strcmp(*namep, cname) == 0) return 0; - if (options.canonicalise_hostname == SSH_CANONICALISE_NO) + if (options.canonicalize_hostname == SSH_CANONICALISE_NO) return 0; /* - * Don't attempt to canonicalise names that will be interpreted by + * Don't attempt to canonicalize names that will be interpreted by * a proxy unless the user specifically requests so. */ if (options.proxy_command != NULL && - options.canonicalise_hostname != SSH_CANONICALISE_ALWAYS) + options.canonicalize_hostname != SSH_CANONICALISE_ALWAYS) return 0; debug3("%s: check \"%s\" CNAME \"%s\"", __func__, *namep, cname); for (i = 0; i < options.num_permitted_cnames; i++) { @@ -292,7 +292,7 @@ check_follow_cname(char **namep, const char *cname) match_pattern_list(cname, rule->target_list, strlen(rule->target_list), 1) != 1) continue; - verbose("Canonicalised DNS aliased hostname " + verbose("Canonicalized DNS aliased hostname " "\"%s\" => \"%s\"", *namep, cname); free(*namep); *namep = xstrdup(cname); 
@@ -307,20 +307,20 @@ check_follow_cname(char **namep, const char *cname) * if no name was found after canonicalisation. */ static struct addrinfo * -resolve_canonicalise(char **hostp, u_int port) +resolve_canonicalize(char **hostp, u_int port) { int i, ndots; char *cp, *fullhost, cname_target[NI_MAXHOST]; struct addrinfo *addrs; - if (options.canonicalise_hostname == SSH_CANONICALISE_NO) + if (options.canonicalize_hostname == SSH_CANONICALISE_NO) return NULL; /* - * Don't attempt to canonicalise names that will be interpreted by + * Don't attempt to canonicalize names that will be interpreted by * a proxy unless the user specifically requests so. */ if (options.proxy_command != NULL && - options.canonicalise_hostname != SSH_CANONICALISE_ALWAYS) + options.canonicalize_hostname != SSH_CANONICALISE_ALWAYS) return NULL; /* Don't apply canonicalisation to sufficiently-qualified hostnames */ ndots = 0; @@ -328,9 +328,9 @@ resolve_canonicalise(char **hostp, u_int port) if (*cp == '.') ndots++; } - if (ndots > options.canonicalise_max_dots) { - debug3("%s: not canonicalising hostname \"%s\" (max dots %d)", - __func__, *hostp, options.canonicalise_max_dots); + if (ndots > options.canonicalize_max_dots) { + debug3("%s: not canonicalizing hostname \"%s\" (max dots %d)", + __func__, *hostp, options.canonicalize_max_dots); return NULL; } /* Attempt each supplied suffix */ @@ -347,14 +347,14 @@ resolve_canonicalise(char **hostp, u_int port) fullhost[strlen(fullhost) - 1] = '\0'; /* Follow CNAME if requested */ if (!check_follow_cname(&fullhost, cname_target)) { - debug("Canonicalised hostname \"%s\" => \"%s\"", + debug("Canonicalized hostname \"%s\" => \"%s\"", *hostp, fullhost); } free(*hostp); *hostp = fullhost; return addrs; } - if (!options.canonicalise_fallback_local) + if (!options.canonicalize_fallback_local) fatal("%s: Could not resolve host \"%s\"", __progname, host); return NULL; } 
@@ -907,8 +907,8 @@ main(int ac, char **av) } /* If canonicalisation requested then try to apply it */ - if (options.canonicalise_hostname != SSH_CANONICALISE_NO) - addrs = resolve_canonicalise(&host, options.port); + if (options.canonicalize_hostname != SSH_CANONICALISE_NO) + addrs = resolve_canonicalize(&host, options.port); /* * If canonicalisation not requested, or if it failed then try to * resolve the bare hostname name using the system resolver's usual diff --git a/ssh_config.5 b/ssh_config.5 index 2c0e6655..586db6b9 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.172 2013/10/16 06:42:25 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.173 2013/10/16 22:49:39 djm Exp $ .Dd $Mdocdate: October 16 2013 $ .Dt SSH_CONFIG 5 .Os @@ -202,10 +202,10 @@ is set to .Dq yes . .It Cm CanonicalDomains When -.Cm CanonicaliseHostname +.Cm CanonicalizeHostname is enabled, this option specifies the list of domain suffixes in which to search for the specified destination host. -.It Cm CanonicaliseFallbackLocal +.It Cm CanonicalizeFallbackLocal Specifies whether to fail with an error when hostname canonicalisation fails. The default, .Dq no , @@ -216,11 +216,11 @@ A value of will cause .Xr ssh 1 to fail instantly if -.Cm CanonicaliseHostname +.Cm CanonicalizeHostname is enabled and the target hostname cannot be found in any of the domains specified by .Cm CanonicalDomains . -.It Cm CanonicaliseHostname +.It Cm CanonicalizeHostname Controls whether explicit hostname canonicalisation is performed. The default, .Dq no , 
@@ -231,26 +231,26 @@ If set to then, for connections that do not use a .Cm ProxyCommand , .Xr ssh 1 -will attempt to canonicalise the hostname specified on the command line +will attempt to canonicalize the hostname specified on the command line using the .Cm CanonicalDomains suffixes and -.Cm CanonicalisePermittedCNAMEs +.Cm CanonicalizePermittedCNAMEs rules. If -.Cm CanonicaliseHostname +.Cm CanonicalizeHostname is set to .Dq always , then canonicalisation is applied to proxied connections too. -.It Cm CanonicaliseMaxDots +.It Cm CanonicalizeMaxDots Specifies the maximum number of dot characters in a hostname before canonicalisation is disabled. The default, .Dq 1 , allows a single dot (i.e. hostname.subdomain). -.It Cm CanonicalisePermittedCNAMEs +.It Cm CanonicalizePermittedCNAMEs Specifies rules to determine whether CNAMEs should be followed when -canonicalising hostnames. +canonicalizing hostnames. The rules consist of one or more arguments of .Ar source_domain_list : Ns Ar target_domain_list , where @@ -264,7 +264,7 @@ For example, .Dq *.a.example.com:*.b.example.com,*.c.example.com will allow hostnames matching .Dq *.a.example.com -to be canonicalised to names in the +to be canonicalized to names in the .Dq *.b.example.com or .Dq *.c.example.com -- cgit v1.2.1 From b00805a6ccf159c57cb3ba9da4e3dc86a771c5f2 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Oct 2013 00:48:31 +0000 Subject: - djm@cvs.openbsd.org 2013/10/16 22:58:01 [ssh.c ssh_config.5] one I missed in previous: s/isation/ization/ --- ChangeLog | 3 +++ ssh.c | 12 ++++++------ ssh_config.5 | 14 +++++++------- 3 files changed, 16 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6935b5ca..0accc41e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -20,6 +20,9 @@ [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] s/canonicalise/canonicalize/ for consistency with existing spelling, e.g. authorized_keys; pointed out by naddy@ + - djm@cvs.openbsd.org 2013/10/16 22:58:01 + [ssh.c ssh_config.5] + one I missed in previous: s/isation/ization/ 20131015 - (djm) OpenBSD CVS Sync diff --git a/ssh.c b/ssh.c index 6581e57b..93539072 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.386 2013/10/16 22:49:39 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.387 2013/10/16 22:58:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -303,8 +303,8 @@ check_follow_cname(char **namep, const char *cname) /* * Attempt to resolve the supplied hostname after applying the user's - * canonicalisation rules. Returns the address list for the host or NULL - * if no name was found after canonicalisation. + * canonicalization rules. Returns the address list for the host or NULL + * if no name was found after canonicalization. */ static struct addrinfo * resolve_canonicalize(char **hostp, u_int port) @@ -322,7 +322,7 @@ resolve_canonicalize(char **hostp, u_int port) if (options.proxy_command != NULL && options.canonicalize_hostname != SSH_CANONICALISE_ALWAYS) return NULL; - /* Don't apply canonicalisation to sufficiently-qualified hostnames */ + /* Don't apply canonicalization to sufficiently-qualified hostnames */ ndots = 0; for (cp = *hostp; *cp != '\0'; cp++) { if (*cp == '.') @@ -906,11 +906,11 @@ main(int ac, char **av) host = cp; } - /* If canonicalisation requested then try to apply it */ + /* If canonicalization requested then try to apply it */ if (options.canonicalize_hostname != SSH_CANONICALISE_NO) addrs = resolve_canonicalize(&host, options.port); /* - * If canonicalisation not requested, or if it failed then try to + * If canonicalization not requested, or if it failed then try to * resolve the bare hostname name using the system resolver's usual * search rules. */ 
diff --git a/ssh_config.5 b/ssh_config.5 index 586db6b9..c99678f6 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.173 2013/10/16 22:49:39 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.174 2013/10/16 22:58:01 djm Exp $ .Dd $Mdocdate: October 16 2013 $ .Dt SSH_CONFIG 5 .Os @@ -206,7 +206,7 @@ When is enabled, this option specifies the list of domain suffixes in which to search for the specified destination host. .It Cm CanonicalizeFallbackLocal -Specifies whether to fail with an error when hostname canonicalisation fails. +Specifies whether to fail with an error when hostname canonicalization fails. The default, .Dq no , will attempt to look up the unqualified hostname using the system resolver's @@ -221,7 +221,7 @@ is enabled and the target hostname cannot be found in any of the domains specified by .Cm CanonicalDomains . .It Cm CanonicalizeHostname -Controls whether explicit hostname canonicalisation is performed. +Controls whether explicit hostname canonicalization is performed. The default, .Dq no , is not to perform any name rewriting and let the system resolver handle all @@ -241,10 +241,10 @@ If .Cm CanonicalizeHostname is set to .Dq always , -then canonicalisation is applied to proxied connections too. +then canonicalization is applied to proxied connections too. .It Cm CanonicalizeMaxDots Specifies the maximum number of dot characters in a hostname before -canonicalisation is disabled. +canonicalization is disabled. The default, .Dq 1 , allows a single dot (i.e. hostname.subdomain). 
@@ -255,7 +255,7 @@ The rules consist of one or more arguments of .Ar source_domain_list : Ns Ar target_domain_list , where .Ar source_domain_list -is a pattern-list of domains that may follow CNAMEs in canonicalisation, +is a pattern-list of domains that may follow CNAMEs in canonicalization, and .Ar target_domain_list is a pattern-list of domains that they may resolve to. @@ -1423,7 +1423,7 @@ Patterns within pattern-lists may be negated by preceding them with an exclamation mark .Pq Sq !\& . For example, -to allow a key to be used from anywhere within an organisation +to allow a key to be used from anywhere within an organization except from the .Dq dialup pool, -- cgit v1.2.1 From 9b2138cec07df5a688419a2f3ecfc0f01d03d292 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Oct 2013 00:48:52 +0000 Subject: - djm@cvs.openbsd.org 2013/10/17 00:30:13 [PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c] fsync@openssh.com protocol extension for sftp-server client support to allow calling fsync() faster successful transfer patch mostly by imorgan AT nas.nasa.gov; bz#1798 "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@ --- ChangeLog | 6 +++++ PROTOCOL | 16 +++++++++++- sftp-client.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++------------ sftp-client.h | 14 +++++++---- sftp-server.c | 24 +++++++++++++++++- sftp.1 | 29 +++++++++++++++++---- sftp.c | 65 +++++++++++++++++++++++++++++------------------ 7 files changed, 182 insertions(+), 53 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0accc41e..537f9f56 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -23,6 +23,12 @@ - djm@cvs.openbsd.org 2013/10/16 22:58:01 [ssh.c ssh_config.5] one I missed in previous: s/isation/ization/ + - djm@cvs.openbsd.org 2013/10/17 00:30:13 + [PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c] + fsync@openssh.com protocol extension for sftp-server + client support to allow calling fsync() faster successful transfer + patch mostly by imorgan AT nas.nasa.gov; bz#1798 + "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@ 20131015 - (djm) OpenBSD CVS Sync diff --git a/PROTOCOL b/PROTOCOL index 48b3a440..0363314c 100644 --- a/PROTOCOL +++ b/PROTOCOL @@ -331,4 +331,18 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. This extension is advertised in the SSH_FXP_VERSION hello with version "1". -$OpenBSD: PROTOCOL,v 1.20 2013/01/08 18:49:04 markus Exp $ +10. sftp: Extension request "fsync@openssh.com" + +This request asks the server to call fsync(2) on an open file handle. + + uint32 id + string "fsync@openssh.com" + string handle + +One receiving this request, a server will call fsync(handle_fd) and will +respond with a SSH_FXP_STATUS message. + +This extension is advertised in the SSH_FXP_VERSION hello with version +"1". + +$OpenBSD: PROTOCOL,v 1.21 2013/10/17 00:30:13 djm Exp $ diff --git a/sftp-client.c b/sftp-client.c index 573623b9..91955262 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.106 2013/10/11 02:52:23 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.107 2013/10/17 00:30:13 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -76,6 +76,7 @@ struct sftp_conn { #define SFTP_EXT_STATVFS 0x00000002 #define SFTP_EXT_FSTATVFS 0x00000004 #define SFTP_EXT_HARDLINK 0x00000008 +#define SFTP_EXT_FSYNC 0x00000010 u_int exts; u_int64_t limit_kbps; struct bwlimit bwlimit_in, bwlimit_out; 
@@ -388,6 +389,10 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests, strcmp(value, "1") == 0) { ret->exts |= SFTP_EXT_HARDLINK; known = 1; + } else if (strcmp(name, "fsync@openssh.com") == 0 && + strcmp(value, "1") == 0) { + ret->exts |= SFTP_EXT_FSYNC; + known = 1; } if (known) { debug2("Server supports extension \"%s\" revision %s", @@ -743,7 +748,7 @@ do_realpath(struct sftp_conn *conn, char *path) if (type == SSH2_FXP_STATUS) { u_int status = buffer_get_int(&msg); - error("Couldn't canonicalise: %s", fx2txt(status)); + error("Couldn't canonicalize: %s", fx2txt(status)); buffer_free(&msg); return NULL; } else if (type != SSH2_FXP_NAME) @@ -869,6 +874,36 @@ do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath) return(status); } +int +do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len) +{ + Buffer msg; + u_int status, id; + + /* Silently return if the extension is not supported */ + if ((conn->exts & SFTP_EXT_FSYNC) == 0) + return -1; + + buffer_init(&msg); + + /* Send fsync request */ + id = conn->msg_id++; + + buffer_put_char(&msg, SSH2_FXP_EXTENDED); + buffer_put_int(&msg, id); + buffer_put_cstring(&msg, "fsync@openssh.com"); + buffer_put_string(&msg, handle, handle_len); + send_msg(conn, &msg); + debug3("Sent message fsync@openssh.com I:%u", id); + buffer_free(&msg); + + status = get_status(conn, id); + if (status != SSH2_FX_OK) + error("Couldn't sync file: %s", fx2txt(status)); + + return status; +} + #ifdef notyet char * do_readlink(struct sftp_conn *conn, char *path) @@ -991,7 +1026,7 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset, int do_download(struct sftp_conn *conn, char *remote_path, char *local_path, - Attrib *a, int preserve_flag, int resume_flag) + Attrib *a, int preserve_flag, int resume_flag, int fsync_flag) { Attrib junk; Buffer msg; 
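Review bot: do_fsync() returns -1 when the server did not advertise fsync@openssh.com but an SSH2_FX_* code otherwise, and `status` is declared `u_int` yet returned through an `int`; that contract should be stated above the function, e.g. `/* Returns SSH2_FX_OK, another SSH2_FX_* status, or -1 if the server lacks fsync@openssh.com */`. The "silently return" path also hides from the user that `-f` was not honoured; a `debug("Server does not support fsync@openssh.com, skipping fsync");` before the early `return -1` would make that visible at -v without changing behaviour.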
@@ -1251,6 +1286,12 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, error("Can't set times on \"%s\": %s", local_path, strerror(errno)); } + if (fsync_flag) { + debug("syncing \"%s\"", local_path); + if (fsync(local_fd) == -1) + error("Couldn't sync file \"%s\": %s", + local_path, strerror(errno)); + } } close(local_fd); buffer_free(&msg); @@ -1261,7 +1302,8 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, static int download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, - Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag) + Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag, + int fsync_flag) { int i, ret = 0; SFTP_DIRENT **dir_entries; @@ -1314,11 +1356,12 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, continue; if (download_dir_internal(conn, new_src, new_dst, depth + 1, &(dir_entries[i]->a), preserve_flag, - print_flag, resume_flag) == -1) + print_flag, resume_flag, fsync_flag) == -1) ret = -1; } else if (S_ISREG(dir_entries[i]->a.perm) ) { if (do_download(conn, new_src, new_dst, - &(dir_entries[i]->a), preserve_flag, resume_flag) == -1) { + &(dir_entries[i]->a), preserve_flag, + resume_flag, fsync_flag) == -1) { error("Download of file %s to %s failed", new_src, new_dst); ret = -1; 
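Review bot: In do_download() a failed `fsync(local_fd)` is only logged; the function's return value, set outside this hunk, is not affected, so a caller that asked for `-f` still sees success when the data was not flushed. That mirrors how the `Can't set times` error just above is handled, so it may be deliberate, but since the flag exists for durability it is worth either propagating the failure or recording the best-effort nature in a comment such as `/* fsync failure is reported but does not fail the transfer */`. do_download's body continues outside the hunk.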
@@ -1351,25 +1394,26 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, int download_dir(struct sftp_conn *conn, char *src, char *dst, - Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag) + Attrib *dirattrib, int preserve_flag, int print_flag, + int resume_flag, int fsync_flag) { char *src_canon; int ret; if ((src_canon = do_realpath(conn, src)) == NULL) { - error("Unable to canonicalise path \"%s\"", src); + error("Unable to canonicalize path \"%s\"", src); return -1; } ret = download_dir_internal(conn, src_canon, dst, 0, - dirattrib, preserve_flag, print_flag, resume_flag); + dirattrib, preserve_flag, print_flag, resume_flag, fsync_flag); free(src_canon); return ret; } int do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, - int preserve_flag) + int preserve_flag, int fsync_flag) { int local_fd; int status = SSH2_FX_OK; @@ -1545,6 +1589,9 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, if (preserve_flag) do_fsetstat(conn, handle, handle_len, &a); + if (fsync_flag) + (void)do_fsync(conn, handle, handle_len); + if (do_close(conn, handle, handle_len) != SSH2_FX_OK) status = -1; free(handle); @@ -1554,7 +1601,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, static int upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, - int preserve_flag, int print_flag) + int preserve_flag, int print_flag, int fsync_flag) { int ret = 0, status; DIR *dirp; @@ -1623,11 +1670,12 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, continue; if (upload_dir_internal(conn, new_src, new_dst, - depth + 1, preserve_flag, print_flag) == -1) + depth + 1, preserve_flag, print_flag, + fsync_flag) == -1) ret = -1; } else if (S_ISREG(sb.st_mode)) { if (do_upload(conn, new_src, new_dst, - preserve_flag) == -1) { + preserve_flag, fsync_flag) == -1) { error("Uploading of file %s to %s failed!", new_src, new_dst); ret = -1; 
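Review bot: `(void)do_fsync(conn, handle, handle_len);` in do_upload() discards the status, so an fsync the server rejects is logged inside do_fsync() but leaves `status` at SSH2_FX_OK, whereas the `do_close()` failure on the next line sets `status = -1`. Because do_fsync() also returns -1 when the extension is absent, a plain `!= SSH2_FX_OK` check would wrongly fail uploads to older servers, so if failures are to propagate the unsupported case must be distinguished first; otherwise a comment `/* best effort: the server may not implement fsync@openssh.com */` should record the choice. do_upload's body continues outside the hunk.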
@@ -1646,18 +1694,19 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, int upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag, - int print_flag) + int print_flag, int fsync_flag) { char *dst_canon; int ret; if ((dst_canon = do_realpath(conn, dst)) == NULL) { - error("Unable to canonicalise path \"%s\"", dst); + error("Unable to canonicalize path \"%s\"", dst); return -1; } ret = upload_dir_internal(conn, src, dst_canon, 0, preserve_flag, - print_flag); + print_flag, fsync_flag); + free(dst_canon); return ret; } diff --git a/sftp-client.h b/sftp-client.h index bcdd407c..ba92ad01 100644 --- a/sftp-client.h +++ b/sftp-client.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.h,v 1.23 2013/10/11 02:53:45 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.24 2013/10/17 00:30:13 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller 
@@ -100,29 +100,33 @@ int do_hardlink(struct sftp_conn *, char *, char *); /* Rename 'oldpath' to 'newpath' */ int do_symlink(struct sftp_conn *, char *, char *); +/* Call fsync() on open file 'handle' */ +int do_fsync(struct sftp_conn *conn, char *, u_int); + /* * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set */ -int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int); +int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int, int); /* * Recursively download 'remote_directory' to 'local_directory'. Preserve * times if 'pflag' is set */ -int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int); +int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, + int, int, int); /* * Upload 'local_path' to 'remote_path'. Preserve permissions and times * if 'pflag' is set */ -int do_upload(struct sftp_conn *, char *, char *, int); +int do_upload(struct sftp_conn *, char *, char *, int, int); /* * Recursively upload 'local_directory' to 'remote_directory'. Preserve * times if 'pflag' is set */ -int upload_dir(struct sftp_conn *, char *, char *, int, int); +int upload_dir(struct sftp_conn *, char *, char *, int, int, int); /* Concatenate paths, taking care of slashes. Caller must free result. */ char *path_append(char *, char *); diff --git a/sftp-server.c b/sftp-server.c index 3056c454..ad158f8e 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.101 2013/10/14 23:28:23 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.102 2013/10/17 00:30:13 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * 
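Review bot: The new prototype `int do_fsync(struct sftp_conn *conn, char *, u_int);` names its first parameter while every neighbouring prototype omits names, and its comment does not state the return convention; `/* Call fsync() on open file 'handle'; returns SSH2_FX_* status or -1 if the server lacks the extension */` above `int do_fsync(struct sftp_conn *, char *, u_int);` would match the file. The comments above do_download(), download_dir(), do_upload() and upload_dir() still describe only `pflag` and say nothing about the trailing fsync flag each now takes, so they should mention it too.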
@@ -112,6 +112,7 @@ static void process_extended_posix_rename(u_int32_t id); static void process_extended_statvfs(u_int32_t id); static void process_extended_fstatvfs(u_int32_t id); static void process_extended_hardlink(u_int32_t id); +static void process_extended_fsync(u_int32_t id); static void process_extended(u_int32_t id); struct sftp_handler { @@ -152,6 +153,7 @@ struct sftp_handler extended_handlers[] = { { "statvfs", "statvfs@openssh.com", 0, process_extended_statvfs, 0 }, { "fstatvfs", "fstatvfs@openssh.com", 0, process_extended_fstatvfs, 0 }, { "hardlink", "hardlink@openssh.com", 0, process_extended_hardlink, 1 }, + { "fsync", "fsync@openssh.com", 0, process_extended_fsync, 1 }, { NULL, NULL, 0, NULL, 0 } }; @@ -652,6 +654,9 @@ process_init(void) /* hardlink extension */ buffer_put_cstring(&msg, "hardlink@openssh.com"); buffer_put_cstring(&msg, "1"); /* version */ + /* fsync extension */ + buffer_put_cstring(&msg, "fsync@openssh.com"); + buffer_put_cstring(&msg, "1"); /* version */ send_msg(&msg); buffer_free(&msg); } @@ -1297,6 +1302,23 @@ process_extended_hardlink(u_int32_t id) free(newpath); } +static void +process_extended_fsync(u_int32_t id) +{ + int handle, fd, ret, status = SSH2_FX_OP_UNSUPPORTED; + + handle = get_handle(); + debug3("request %u: fsync (handle %u)", id, handle); + verbose("fsync \"%s\"", handle_to_name(handle)); + if ((fd = handle_to_fd(handle)) < 0) + status = SSH2_FX_NO_SUCH_FILE; + else if (handle_is_ok(handle, HANDLE_FILE)) { + ret = fsync(fd); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; + } + send_status(id, status); +} + static void process_extended(u_int32_t id) { diff --git a/sftp.1 b/sftp.1 index 85d64a7f..9809bec6 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.94 2013/08/07 06:24:51 jmc Exp $ +.\" $OpenBSD: sftp.1,v 1.95 2013/10/17 00:30:13 djm Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" 
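Review bot: In process_extended_fsync the `verbose("fsync \"%s\"", handle_to_name(handle))` call runs before the client-supplied handle is validated; if handle_to_name() returns NULL for an unknown handle (its body is not in this diff, please confirm), a bogus handle hands NULL to a `%s` conversion, which is undefined behaviour regardless of what the libc happens to print. Moving that verbose() line into the `handle_is_ok(handle, HANDLE_FILE)` branch, after handle_to_fd() has succeeded, keeps the log line while only naming handles known to be valid. The `else if` with no `else` also leaves `status` at SSH2_FX_OP_UNSUPPORTED for a handle that passes handle_to_fd() but is not a HANDLE_FILE; if that is intended, a one-line comment such as `/* non-file handles: answer unsupported rather than an error */` would make it explicit. The trailing 1 in the new extended_handlers entry presumably marks a write operation for read-only mode, matching the hardlink entry; a comment on that column of the table would help the next person adding an extension.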
@@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 7 2013 $ +.Dd $Mdocdate: October 17 2013 $ .Dt SFTP 1 .Os .Sh NAME @@ -31,7 +31,7 @@ .Sh SYNOPSIS .Nm sftp .Bk -words -.Op Fl 1246aCpqrv +.Op Fl 1246aCfpqrv .Op Fl B Ar buffer_size .Op Fl b Ar batchfile .Op Fl c Ar cipher @@ -164,6 +164,10 @@ per-user configuration file for .Xr ssh 1 . This option is directly passed to .Xr ssh 1 . +.It Fl f +Requests that files be flushed to disk immediately after transfer. +When uploading files, this feature is only enabled if the server +implements the "fsync@openssh.com" extension. .It Fl i Ar identity_file Selects the file from which the identity (private key) for public key authentication is read. @@ -348,7 +352,7 @@ extension. Quit .Nm sftp . .It Xo Ic get -.Op Fl aPpr +.Op Fl afPpr .Ar remote-path .Op Ar local-path .Xc @@ -376,6 +380,13 @@ the remote copy. If the remote file contents differ from the partial local copy then the resultant file is likely to be corrupt. .Pp +If the +.Fl f +flag is specified, then +.Xr fsync 2 +will ba called after the file transfer has completed to flush the file +to disk. +.Pp If either the .Fl P or @@ -479,7 +490,7 @@ Create remote directory specified by .It Ic progress Toggle display of progress meter. .It Xo Ic put -.Op Fl Ppr +.Op Fl fPpr .Ar local-path .Op Ar remote-path .Xc @@ -498,6 +509,14 @@ is specified, then .Ar remote-path must specify a directory. .Pp +If the +.Fl f +flag is specified, then a request will be sent to the server to call +.Xr fsync 2 +after the file has been transferred. +Note that this is only supported by servers that implement +the "fsync@openssh.com" extension. +.Pp If either the .Fl P or diff --git a/sftp.c b/sftp.c index f7b488ae..c316e1ed 100644 --- a/sftp.c +++ b/sftp.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.155 2013/08/31 00:13:54 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.156 2013/10/17 00:30:13 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -94,6 +94,9 @@ int global_aflag = 0; /* When this option is set, the file transfers will always preserve times */ int global_pflag = 0; +/* When this option is set, transfers will have fsync() called on each file */ +int global_fflag = 0; + /* SIGINT received during command processing */ volatile sig_atomic_t interrupted = 0; @@ -359,7 +362,7 @@ make_absolute(char *p, char *pwd) static int parse_getput_flags(const char *cmd, char **argv, int argc, - int *aflag, int *pflag, int *rflag) + int *aflag, int *fflag, int *pflag, int *rflag) { extern int opterr, optind, optopt, optreset; int ch; @@ -367,12 +370,15 @@ parse_getput_flags(const char *cmd, char **argv, int argc, optind = optreset = 1; opterr = 0; - *aflag = *rflag = *pflag = 0; - while ((ch = getopt(argc, argv, "aPpRr")) != -1) { + *aflag = *fflag = *rflag = *pflag = 0; + while ((ch = getopt(argc, argv, "afPpRr")) != -1) { switch (ch) { case 'a': *aflag = 1; break; + case 'f': + *fflag = 1; + break; case 'p': case 'P': *pflag = 1; @@ -574,7 +580,7 @@ pathname_is_dir(char *pathname) static int process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, - int pflag, int rflag, int resume) + int pflag, int rflag, int resume, int fflag) { char *abs_src = NULL; char *abs_dst = NULL; 
@@ -633,11 +639,13 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, - pflag || global_pflag, 1, resume) == -1) + pflag || global_pflag, 1, resume, + fflag || global_fflag) == -1) err = -1; } else { if (do_download(conn, g.gl_pathv[i], abs_dst, NULL, - pflag || global_pflag, resume) == -1) + pflag || global_pflag, resume, + fflag || global_fflag) == -1) err = -1; } free(abs_dst); @@ -652,7 +660,7 @@ out: static int process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, - int pflag, int rflag) + int pflag, int rflag, int fflag) { char *tmp_dst = NULL; char *abs_dst = NULL; @@ -719,11 +727,13 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { if (upload_dir(conn, g.gl_pathv[i], abs_dst, - pflag || global_pflag, 1) == -1) + pflag || global_pflag, 1, + fflag || global_fflag) == -1) err = -1; } else { if (do_upload(conn, g.gl_pathv[i], abs_dst, - pflag || global_pflag) == -1) + pflag || global_pflag, + fflag || global_fflag) == -1) err = -1; } } @@ -1176,9 +1186,9 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, } static int -parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, - int *pflag, int *rflag, int *sflag, unsigned long *n_arg, - char **path1, char **path2) +parse_args(const char **cpp, int *ignore_errors, int *aflag, int *fflag, + int *hflag, int *iflag, int *lflag, int *pflag, int *rflag, int *sflag, + unsigned long *n_arg, char **path1, char **path2) { const char *cmd, *cp = *cpp; char *cp2, **argv; 
@@ -1190,9 +1200,9 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, cp = cp + strspn(cp, WHITESPACE); /* Check for leading '-' (disable error processing) */ - *iflag = 0; + *ignore_errors = 0; if (*cp == '-') { - *iflag = 1; + *ignore_errors = 1; cp++; cp = cp + strspn(cp, WHITESPACE); } @@ -1222,7 +1232,8 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, } /* Get arguments and parse flags */ - *aflag = *lflag = *pflag = *rflag = *hflag = *n_arg = 0; + *aflag = *fflag = *hflag = *iflag = *lflag = *pflag = 0; + *rflag = *sflag = 0; *path1 = *path2 = NULL; optidx = 1; switch (cmdnum) { @@ -1230,7 +1241,7 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, case I_REGET: case I_PUT: if ((optidx = parse_getput_flags(cmd, argv, argc, - aflag, pflag, rflag)) == -1) + aflag, fflag, pflag, rflag)) == -1) return -1; /* Get first pathname (mandatory) */ if (argc - optidx < 1) { @@ -1371,8 +1382,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, int err_abort) { char *path1, *path2, *tmp; - int aflag = 0, hflag = 0, iflag = 0, lflag = 0, pflag = 0; - int rflag = 0, sflag = 0; + int ignore_errors = 0, aflag = 0, fflag = 0, hflag = 0, iflag = 0; + int lflag = 0, pflag = 0, rflag = 0, sflag = 0; int cmdnum, i; unsigned long n_arg = 0; Attrib a, *aa; @@ -1381,9 +1392,9 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, glob_t g; path1 = path2 = NULL; - cmdnum = parse_args(&cmd, &aflag, &hflag, &iflag, &lflag, &pflag, - &rflag, &sflag, &n_arg, &path1, &path2); - if (iflag != 0) + cmdnum = parse_args(&cmd, &ignore_errors, &aflag, &fflag, &hflag, + &iflag, &lflag, &pflag, &rflag, &sflag, &n_arg, &path1, &path2); + if (ignore_errors != 0) err_abort = 0; memset(&g, 0, sizeof(g)); 
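Review bot: The rewritten reset in parse_args, `*aflag = *fflag = *hflag = *iflag = *lflag = *pflag = 0;` followed by `*rflag = *sflag = 0;`, no longer zeroes `*n_arg`, which the replaced line did. The only caller visible here, parse_dispatch_command in the `@@ -1371` hunk, declares `unsigned long n_arg = 0;`, so nothing breaks today, but the function quietly lost part of its contract and a second caller would not get the same guarantee. Restoring it costs nothing: `*rflag = *sflag = *n_arg = 0;`. parse_args begins and ends outside this hunk.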
@@ -1402,10 +1413,11 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, /* FALLTHROUGH */ case I_GET: err = process_get(conn, path1, path2, *pwd, pflag, - rflag, aflag); + rflag, aflag, fflag); break; case I_PUT: - err = process_put(conn, path1, path2, *pwd, pflag, rflag); + err = process_put(conn, path1, path2, *pwd, pflag, + rflag, fflag); break; case I_RENAME: path1 = make_absolute(path1, *pwd); @@ -2231,7 +2243,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, - "1246ahpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { + "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ case '4': @@ -2291,6 +2303,9 @@ main(int argc, char **argv) quiet = batchmode = 1; addargs(&args, "-obatchmode yes"); break; + case 'f': + global_fflag = 1; + break; case 'p': global_pflag = 1; break; -- cgit v1.2.1 From 77f77b82f8f546c28b071a015442b2c6577ba386 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Oct 2013 00:57:23 +0000 Subject: - djm@cvs.openbsd.org 2013/10/17 00:46:49 [ssh.c] rearrange check to reduce diff against -portable (Id sync only) --- ChangeLog | 4 ++++ ssh.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 537f9f56..732fdc2c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,10 @@ client support to allow calling fsync() faster successful transfer patch mostly by imorgan AT nas.nasa.gov; bz#1798 "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@ + - djm@cvs.openbsd.org 2013/10/17 00:46:49 + [ssh.c] + rearrange check to reduce diff against -portable + (Id sync only) 20131015 - (djm) OpenBSD CVS Sync diff --git a/ssh.c b/ssh.c index 93539072..835f4822 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.387 2013/10/16 22:58:01 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.388 2013/10/17 00:46:49 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -- cgit v1.2.1 
From ae9f7fbbe82b18b91adc960b7b81395fc2efe6fc Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 17 Oct 2013 22:05:41 +0000 Subject: - djm@cvs.openbsd.org 2013/10/09 23:44:14 [regress/Makefile regress/sftp-perm.sh] regression test for sftp request white/blacklisting and readonly mode. --- ChangeLog | 6 ++ regress/Makefile | 4 +- regress/sftp-perm.sh | 269 +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 278 insertions(+), 1 deletion(-) create mode 100644 regress/sftp-perm.sh diff --git a/ChangeLog b/ChangeLog index 732fdc2c..09ba997f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20131018 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/09 23:44:14 + [regress/Makefile regress/sftp-perm.sh] + regression test for sftp request white/blacklisting and readonly mode. + 20131017 - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2013/10/15 14:10:25 diff --git a/regress/Makefile b/regress/Makefile index ab2a6ae7..4c64b576 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -44,6 +44,7 @@ LTESTS= connect \ sftp-badcmds \ sftp-batch \ sftp-glob \ + sftp-perm \ reconfigure \ dynamic-forward \ forwarding \ @@ -86,7 +87,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ authorized_principals_${USER} expect actual ready \ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ ssh.log failed-ssh.log sshd.log failed-sshd.log \ - regress.log failed-regress.log ssh-log-wrapper.sh + regress.log failed-regress.log ssh-log-wrapper.sh \ + sftp-server.sh sftp-server.log sftp.log SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} diff --git a/regress/sftp-perm.sh b/regress/sftp-perm.sh new file mode 100644 index 00000000..3448740b --- /dev/null +++ b/regress/sftp-perm.sh 
@@ -0,0 +1,269 @@
+# $OpenBSD: sftp-perm.sh,v 1.2 2013/10/17 22:00:18 djm Exp $
+# Placed in the Public Domain.
+
+tid="sftp permissions"
+
+SERVER_LOG=${OBJ}/sftp-server.log
+CLIENT_LOG=${OBJ}/sftp.log
+TEST_SFTP_SERVER=${OBJ}/sftp-server.sh
+
+prepare_server() {
+ printf "#!/bin/sh\nexec $SFTPSERVER -el debug3 $* 2>$SERVER_LOG\n" \
+ > $TEST_SFTP_SERVER
+ chmod a+x $TEST_SFTP_SERVER
+}
+
+run_client() {
+ echo "$@" | ${SFTP} -D ${TEST_SFTP_SERVER} -vvvb - >$CLIENT_LOG 2>&1
+}
+
+prepare_files() {
+ _prep="$1"
+ rm -f ${COPY} ${COPY}.1
+ test -d ${COPY}.dd && { rmdir ${COPY}.dd || fatal "rmdir ${COPY}.dd"; }
+ test -z "$_prep" && return
+ sh -c "$_prep" || fail "preparation failed: \"$_prep\""
+}
+
+postcondition() {
+ _title="$1"
+ _check="$2"
+ test -z "$_check" && return
+ sh -c "$_check" || fail "postcondition check failed: $_title"
+}
+
+ro_test() {
+ _desc=$1
+ _cmd="$2"
+ _prep="$3"
+ _expect_success_post="$4"
+ _expect_fail_post="$5"
+ verbose "$tid: read-only $_desc"
+ # Plain (no options, mostly to test that _cmd is good)
+ prepare_files "$_prep"
+ prepare_server
+ run_client "$_cmd" || fail "plain $_desc failed"
+ postcondition "$_desc no-readonly" "$_expect_success_post"
+ # Read-only enabled
+ prepare_files "$_prep"
+ prepare_server -R
+ run_client "$_cmd" && fail "read-only $_desc succeeded"
+ postcondition "$_desc readonly" "$_expect_fail_post"
+}
+
+perm_test() {
+ _op=$1
+ _whitelist_ops=$2
+ _cmd="$3"
+ _prep="$4"
+ _expect_success_post="$5"
+ _expect_fail_post="$6"
+ verbose "$tid: explicit $_op"
+ # Plain (no options, mostly to test that _cmd is good)
+ prepare_files "$_prep"
+ prepare_server
+ run_client "$_cmd" || fail "plain $_op failed"
+ postcondition "$_op no white/blacklists" "$_expect_success_post"
+ # Whitelist
+ prepare_files "$_prep"
+ prepare_server -p $_op,$_whitelist_ops
+ run_client "$_cmd" || fail "whitelisted $_op failed"
+ postcondition "$_op whitelisted" "$_expect_success_post"
+ # Blacklist
+ prepare_files "$_prep"
+ prepare_server -P $_op
+ run_client "$_cmd" && fail "blacklisted $_op succeeded"
+ postcondition "$_op blacklisted" "$_expect_fail_post"
+ # Whitelist with op missing.
+ prepare_files "$_prep"
+ prepare_server -p $_whitelist_ops
+ run_client "$_cmd" && fail "no whitelist $_op succeeded"
+ postcondition "$_op not in whitelist" "$_expect_fail_post"
+}
+
+ro_test \
+ "upload" \
+ "put $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "test ! -f $COPY"
+
+ro_test \
+ "setstat" \
+ "chmod 0700 $COPY" \
+ "touch $COPY; chmod 0400 $COPY" \
+ "test -x $COPY" \
+ "test ! -x $COPY"
+
+ro_test \
+ "rm" \
+ "rm $COPY" \
+ "touch $COPY" \
+ "test ! -f $COPY" \
+ "test -f $COPY"
+
+ro_test \
+ "mkdir" \
+ "mkdir ${COPY}.dd" \
+ "" \
+ "test -d ${COPY}.dd" \
+ "test ! -d ${COPY}.dd"
+
+ro_test \
+ "rmdir" \
+ "rmdir ${COPY}.dd" \
+ "mkdir ${COPY}.dd" \
+ "test ! -d ${COPY}.dd" \
+ "test -d ${COPY}.dd"
+
+ro_test \
+ "posix-rename" \
+ "rename $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+ro_test \
+ "oldrename" \
+ "rename -l $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+ro_test \
+ "symlink" \
+ "ln -s $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -h ${COPY}.1" \
+ "test ! -h ${COPY}.1"
+
+ro_test \
+ "hardlink" \
+ "ln $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1" \
+ "test ! -f ${COPY}.1"
+
+# Test explicit permissions
+
+perm_test \
+ "open" \
+ "realpath,stat,lstat,read,close" \
+ "get $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "read" \
+ "realpath,stat,lstat,open,close" \
+ "get $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "write" \
+ "realpath,stat,lstat,open,close" \
+ "put $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "lstat" \
+ "realpath,stat,open,read,close" \
+ "get $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "opendir" \
+ "realpath,readdir,stat,lstat" \
+ "ls -ln $OBJ"
+
+perm_test \
+ "readdir" \
+ "realpath,opendir,stat,lstat" \
+ "ls -ln $OBJ"
+
+perm_test \
+ "setstat" \
+ "realpath,stat,lstat" \
+ "chmod 0700 $COPY" \
+ "touch $COPY; chmod 0400 $COPY" \
+ "test -x $COPY" \
+ "test ! -x $COPY"
+
+perm_test \
+ "remove" \
+ "realpath,stat,lstat" \
+ "rm $COPY" \
+ "touch $COPY" \
+ "test ! -f $COPY" \
+ "test -f $COPY"
+
+perm_test \
+ "mkdir" \
+ "realpath,stat,lstat" \
+ "mkdir ${COPY}.dd" \
+ "" \
+ "test -d ${COPY}.dd" \
+ "test ! -d ${COPY}.dd"
+
+perm_test \
+ "rmdir" \
+ "realpath,stat,lstat" \
+ "rmdir ${COPY}.dd" \
+ "mkdir ${COPY}.dd" \
+ "test ! -d ${COPY}.dd" \
+ "test -d ${COPY}.dd"
+
+perm_test \
+ "posix-rename" \
+ "realpath,stat,lstat" \
+ "rename $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+perm_test \
+ "rename" \
+ "realpath,stat,lstat" \
+ "rename -l $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+perm_test \
+ "symlink" \
+ "realpath,stat,lstat" \
+ "ln -s $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -h ${COPY}.1" \
+ "test ! -h ${COPY}.1"
+
+perm_test \
+ "hardlink" \
+ "realpath,stat,lstat" \
+ "ln $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1" \
+ "test ! -f ${COPY}.1"
+
+perm_test \
+ "statvfs" \
+ "realpath,stat,lstat" \
+ "df /"
+
+# XXX need good tests for:
+# fstat
+# fsetstat
+# realpath
+# stat
+# readlink
+# fstatvfs
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.dd
+
-- cgit v1.2.1 From 6e245dc7c193a99413627d2c83ab305620df0edd Mon Sep 17 00:00:00 2001
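Review bot: In prepare_server the server-side options are spliced into printf's format string, `printf "#!/bin/sh\nexec $SFTPSERVER -el debug3 $* 2>$SERVER_LOG\n"`, so a `%` in $SFTPSERVER, $OBJ or the -p/-P lists would be consumed as a conversion and a space in either path would split the generated exec line. Passing them as printf arguments keeps the wrapper faithful to its inputs: `printf '#!/bin/sh\nexec "%s" -el debug3 %s 2>"%s"\n' "$SFTPSERVER" "$*" "$SERVER_LOG" > "$TEST_SFTP_SERVER"`. Because every invocation overwrites $SERVER_LOG and $CLIENT_LOG with `>`, only the most recent client/server pair's output survives, so the logs of an earlier failing sub-test are gone by the end of the run; a comment such as `# logs hold only the most recent sub-test` next to the two assignments would spare a reader that surprise. The whole file is new, so the hunk is complete.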
From: djm Date: Thu, 17 Oct 2013 23:17:17 +0000 Subject: - jmc@cvs.openbsd.org 2013/10/17 07:35:48 [sftp.1 sftp.c] tweak previous; --- ChangeLog | 3 +++ sftp.1 | 4 ++-- sftp.c | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 09ba997f..3f0f0f5d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - djm@cvs.openbsd.org 2013/10/09 23:44:14 [regress/Makefile regress/sftp-perm.sh] regression test for sftp request white/blacklisting and readonly mode. + - jmc@cvs.openbsd.org 2013/10/17 07:35:48 + [sftp.1 sftp.c] + tweak previous; 20131017 - (djm) OpenBSD CVS Sync diff --git a/sftp.1 b/sftp.1 index 9809bec6..c5e30504 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.95 2013/10/17 00:30:13 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.96 2013/10/17 07:35:48 jmc Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -384,7 +384,7 @@ If the .Fl f flag is specified, then .Xr fsync 2 -will ba called after the file transfer has completed to flush the file +will be called after the file transfer has completed to flush the file to disk. .Pp If either the diff --git a/sftp.c b/sftp.c index c316e1ed..abc689e8 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.156 2013/10/17 00:30:13 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.157 2013/10/17 07:35:48 jmc Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -2195,7 +2195,7 @@ usage(void) extern char *__progname; fprintf(stderr, - "usage: %s [-1246aCpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" + "usage: %s [-1246aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" " [-D sftp_server_path] [-F ssh_config] " "[-i identity_file] [-l limit]\n" " [-o ssh_option] [-P port] [-R num_requests] " -- cgit v1.2.1 From e1b5346a5bb1b0fe5499c6483c590a2317ced380 Mon Sep 17 00:00:00 2001 
From: djm Date: Thu, 17 Oct 2013 23:17:36 +0000 Subject: - djm@cvs.openbsd.org 2013/10/17 22:08:04 [sshd.c] include remote port in bad banner message; bz#2162 --- ChangeLog | 3 +++ sshd.c | 7 ++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3f0f0f5d..a9f564ee 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ - jmc@cvs.openbsd.org 2013/10/17 07:35:48 [sftp.1 sftp.c] tweak previous; + - djm@cvs.openbsd.org 2013/10/17 22:08:04 + [sshd.c] + include remote port in bad banner message; bz#2162 20131017 - (djm) OpenBSD CVS Sync diff --git a/sshd.c b/sshd.c index 287706d4..b6f03d5a 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.407 2013/10/10 01:43:03 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.408 2013/10/17 22:08:04 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -483,8 +483,9 @@ sshd_exchange_identification(int sock_in, int sock_out) (void) atomicio(vwrite, sock_out, s, strlen(s)); close(sock_in); close(sock_out); - logit("Bad protocol version identification '%.100s' from %s", - client_version_string, get_remote_ipaddr()); + logit("Bad protocol version identification '%.100s' " + "from %s port %d", client_version_string, + get_remote_ipaddr(), get_remote_port()); cleanup_exit(255); } debug("Client protocol version %d.%d; client software version %.100s", -- cgit v1.2.1 From fe756c9503985557471b074bea303e960d821109 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 23 Oct 2013 05:29:12 +0000 Subject: - djm@cvs.openbsd.org 2013/10/20 04:39:28 [ssh_config.5] document % expansions performed by "Match command ..." --- ChangeLog | 6 ++++++ ssh_config.5 | 24 +++++++++++++++++++++--- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a9f564ee..eac2a97a 100644 --- a/ChangeLog +++ b/ChangeLog 
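Review bot: The new `logit("Bad protocol version identification '%.100s' " "from %s port %d", ...)` is emitted after the `close(sock_in); close(sock_out);` lines just above it, so get_remote_port() (and get_remote_ipaddr()) are asked about a connection whose descriptors are already closed; unless both results are cached from an earlier call (not visible in this diff, please confirm where they are defined), the port would come back as an error value in exactly the log line this change wants to enrich. Emitting the logit() before the two close() calls makes the message independent of that caching. The `%.100s` bound on the client-supplied banner is worth keeping as is, since that string is attacker-controlled. sshd_exchange_identification begins and ends outside this hunk.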
@@ -1,3 +1,9 @@ +20131023 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/20 04:39:28 + [ssh_config.5] + document % expansions performed by "Match command ..." + 20131018 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/10/09 23:44:14 diff --git a/ssh_config.5 b/ssh_config.5 index c99678f6..3e9524dc 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.174 2013/10/16 22:58:01 djm Exp $ -.Dd $Mdocdate: October 16 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.175 2013/10/20 04:39:28 djm Exp $ +.Dd $Mdocdate: October 20 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -148,6 +148,24 @@ The criteria for the keyword is a path to a command that is executed. If the command returns a zero exit status then the condition is considered true. Commands containing whitespace characters must be quoted. +The following character sequences in the command will be expanded prior to +execution: +.Ql %L +will be substituted by the first component of the local host name, +.Ql %l +will be substituted by the local host name (including any domain name), +.Ql %h +will be substituted by the target host name, +.Ql %n +will be substituted by the original target host name +specified on the command line, +.Ql %p +the destination port, +.Ql %r +by the remote login username, and +.Ql %u +by the username of the user running +.Xr ssh 1 . .Pp The other keywords' criteria must be single entries or comma-separated lists and may use the wildcard and negation operators described in the @@ -444,7 +462,7 @@ will be substituted by the target host name, will be substituted by the original target host name specified on the command line, .Ql %p -the port, +the destination port, .Ql %r by the remote login username, and .Ql %u -- cgit v1.2.1 From 69b0ec77e73a9e3875dac68b240fab7021452f41 Mon Sep 17 00:00:00 2001 
From: djm Date: Wed, 23 Oct 2013 05:29:40 +0000 Subject: - djm@cvs.openbsd.org 2013/10/20 06:19:28 [readconf.c ssh_config.5] rename "command" subclause of the recently-added "Match" keyword to "exec"; it's shorter, clearer in intent and we might want to add the ability to match against the command being executed at the remote end in the future. --- ChangeLog | 6 ++++++ readconf.c | 8 ++++---- ssh_config.5 | 10 +++++----- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index eac2a97a..ac04cf21 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,12 @@ - djm@cvs.openbsd.org 2013/10/20 04:39:28 [ssh_config.5] document % expansions performed by "Match command ..." + - djm@cvs.openbsd.org 2013/10/20 06:19:28 + [readconf.c ssh_config.5] + rename "command" subclause of the recently-added "Match" keyword to + "exec"; it's shorter, clearer in intent and we might want to add the + ability to match against the command being executed at the remote end in + the future. 20131018 - (djm) OpenBSD CVS Sync diff --git a/readconf.c b/readconf.c index fb77fa9d..bd13d417 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.209 2013/10/16 22:49:38 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.210 2013/10/20 06:19:27 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -504,7 +504,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, debug("%.200s line %d: matched " "'LocalUser %.100s' ", filename, linenum, pw->pw_name); - } else if (strcasecmp(attrib, "command") == 0) { + } else if (strcasecmp(attrib, "exec") == 0) { if (gethostname(thishost, sizeof(thishost)) == -1) fatal("gethostname: %s", strerror(errno)); strlcpy(shorthost, thishost, sizeof(shorthost)); 
@@ -523,11 +523,11 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, (char *)NULL); r = execute_in_shell(cmd); if (r == -1) { - fatal("%.200s line %d: match command '%.100s' " + fatal("%.200s line %d: match exec '%.100s' " "error", filename, linenum, cmd); } else if (r == 0) { debug("%.200s line %d: matched " - "'Command \"%.100s\"' ", + "'exec \"%.100s\"' ", filename, linenum, cmd); } else result = 0; diff --git a/ssh_config.5 b/ssh_config.5 index 3e9524dc..b60dc1a5 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.175 2013/10/20 04:39:28 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.176 2013/10/20 06:19:28 djm Exp $ .Dd $Mdocdate: October 20 2013 $ .Dt SSH_CONFIG 5 .Os @@ -136,7 +136,7 @@ keyword) to be used only when the conditions following the keyword are satisfied. Match conditions are specified using one or more keyword/criteria pairs. The available keywords are: -.Cm command , +.Cm exec , .Cm host , .Cm originalhost , .Cm user , @@ -144,8 +144,8 @@ and .Cm localuser . .Pp The criteria for the -.Cm command -keyword is a path to a command that is executed. +.Cm exec +keyword is command that is executed under the user's shell.. If the command returns a zero exit status then the condition is considered true. Commands containing whitespace characters must be quoted. The following character sequences in the command will be expanded prior to @@ -158,7 +158,7 @@ will be substituted by the local host name (including any domain name), will be substituted by the target host name, .Ql %n will be substituted by the original target host name -specified on the command line, +specified on the command-line, .Ql %p the destination port, .Ql %r -- cgit v1.2.1 From f0fbe01097136f905c45b127c5183b4306edb60c Mon Sep 17 00:00:00 2001 
From: djm Date: Wed, 23 Oct 2013 05:29:59 +0000 Subject: - djm@cvs.openbsd.org 2013/10/20 09:51:26 [scp.1 sftp.1] add canonicalisation options to -o lists --- ChangeLog | 3 +++ scp.1 | 9 +++++++-- sftp.1 | 9 +++++++-- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index ac04cf21..1b920b19 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ "exec"; it's shorter, clearer in intent and we might want to add the ability to match against the command being executed at the remote end in the future. + - djm@cvs.openbsd.org 2013/10/20 09:51:26 + [scp.1 sftp.1] + add canonicalisation options to -o lists 20131018 - (djm) OpenBSD CVS Sync diff --git a/scp.1 b/scp.1 index 595db326..3b67cff0 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.60 2013/08/14 08:39:27 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.61 2013/10/20 09:51:26 djm Exp $ .\" -.Dd $Mdocdate: August 14 2013 $ +.Dd $Mdocdate: October 20 2013 $ .Dt SCP 1 .Os .Sh NAME @@ -130,6 +130,11 @@ For full details of the options listed below, and their possible values, see .It AddressFamily .It BatchMode .It BindAddress +.It CanonicalDomains +.It CanonicalizeFallbackLocal +.It CanonicalizeHostname +.It CanonicalizeMaxDots +.It CanonicalizePermittedCNAMEs .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher diff --git a/sftp.1 b/sftp.1 index c5e30504..a700c2ad 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.96 2013/10/17 07:35:48 jmc Exp $ +.\" $OpenBSD: sftp.1,v 1.97 2013/10/20 09:51:26 djm Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 17 2013 $ +.Dd $Mdocdate: October 20 2013 $ .Dt SFTP 1 .Os .Sh NAME 
@@ -193,6 +193,11 @@ For full details of the options listed below, and their possible values, see .It AddressFamily .It BatchMode .It BindAddress +.It CanonicalDomains +.It CanonicalizeFallbackLocal +.It CanonicalizeHostname +.It CanonicalizeMaxDots +.It CanonicalizePermittedCNAMEs .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher -- cgit v1.2.1 From 9d78f5666b851e1a9a64bd235307f664b0fcff31 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 23 Oct 2013 05:30:25 +0000 Subject: - jmc@cvs.openbsd.org 2013/10/20 18:00:13 [ssh_config.5] tweak the "exec" description, as worded by djm; --- ChangeLog | 3 +++ ssh_config.5 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1b920b19..eceb85b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ - djm@cvs.openbsd.org 2013/10/20 09:51:26 [scp.1 sftp.1] add canonicalisation options to -o lists + - jmc@cvs.openbsd.org 2013/10/20 18:00:13 + [ssh_config.5] + tweak the "exec" description, as worded by djm; 20131018 - (djm) OpenBSD CVS Sync diff --git a/ssh_config.5 b/ssh_config.5 index b60dc1a5..4161a662 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.176 2013/10/20 06:19:28 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.177 2013/10/20 18:00:13 jmc Exp $ .Dd $Mdocdate: October 20 2013 $ .Dt SSH_CONFIG 5 .Os @@ -143,9 +143,9 @@ The available keywords are: and .Cm localuser . .Pp -The criteria for the +The .Cm exec -keyword is command that is executed under the user's shell.. +keyword executes the specified command under the user's shell. If the command returns a zero exit status then the condition is considered true. Commands containing whitespace characters must be quoted. The following character sequences in the command will be expanded prior to -- cgit v1.2.1 
From fad65a795d4454ca255fca25f12da5e990e274fd Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 23 Oct 2013 05:30:51 +0000 Subject: - djm@cvs.openbsd.org 2013/10/23 03:03:07 [readconf.c] Hostname may have %h sequences that should be expanded prior to Match evaluation; spotted by Iain Morgan --- ChangeLog | 4 ++++ readconf.c | 20 ++++++++++++++------ 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index eceb85b4..b0bdf5c6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ - jmc@cvs.openbsd.org 2013/10/20 18:00:13 [ssh_config.5] tweak the "exec" description, as worded by djm; + - djm@cvs.openbsd.org 2013/10/23 03:03:07 + [readconf.c] + Hostname may have %h sequences that should be expanded prior to Match + evaluation; spotted by Iain Morgan 20131018 - (djm) OpenBSD CVS Sync diff --git a/readconf.c b/readconf.c index bd13d417..dad24900 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.210 2013/10/20 06:19:27 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.211 2013/10/23 03:03:07 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -457,8 +457,8 @@ static int match_cfg_line(Options *options, char **condition, struct passwd *pw, const char *host_arg, const char *filename, int linenum) { - char *arg, *attrib, *cmd, *cp = *condition; - const char *ruser, *host; + char *arg, *attrib, *cmd, *cp = *condition, *host; + const char *ruser; int r, port, result = 1; size_t len; char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; 
@@ -469,13 +469,18 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, */ port = options->port <= 0 ? default_ssh_port() : options->port; ruser = options->user == NULL ? pw->pw_name : options->user; - host = options->hostname == NULL ? host_arg : options->hostname; + if (options->hostname != NULL) { + host = percent_expand(options->hostname, + "h", host_arg, (char *)NULL); + } else + host = xstrdup(host_arg); debug3("checking match for '%s' host %s", cp, host); while ((attrib = strdelim(&cp)) && *attrib != '\0') { if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { error("Missing Match criteria for %s", attrib); - return -1; + result = -1; + goto out; } len = strlen(arg); if (strcasecmp(attrib, "host") == 0) { @@ -534,11 +539,14 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, free(cmd); } else { error("Unsupported Match attribute %s", attrib); - return -1; + result = -1; + goto out; } } debug3("match %sfound", result ? "" : "not "); *condition = cp; + out: + free(host); return result; } -- cgit v1.2.1 From 63464a808f9d22c7a8a0fdba2e6a6e7167adf0bb Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 23 Oct 2013 05:31:10 +0000 Subject: - djm@cvs.openbsd.org 2013/10/23 03:05:19 [readconf.c ssh.c] comment --- ChangeLog | 3 +++ readconf.c | 3 ++- ssh.c | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index b0bdf5c6..85cc3ec6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ [readconf.c] Hostname may have %h sequences that should be expanded prior to Match evaluation; spotted by Iain Morgan + - djm@cvs.openbsd.org 2013/10/23 03:05:19 + [readconf.c ssh.c] + comment 20131018 - (djm) OpenBSD CVS Sync diff --git a/readconf.c b/readconf.c index dad24900..f1866678 100644 --- a/readconf.c +++ b/readconf.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.211 2013/10/23 03:03:07 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.212 2013/10/23 03:05:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -470,6 +470,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, port = options->port <= 0 ? default_ssh_port() : options->port; ruser = options->user == NULL ? pw->pw_name : options->user; if (options->hostname != NULL) { + /* NB. Please keep in sync with ssh.c:main() */ host = percent_expand(options->hostname, "h", host_arg, (char *)NULL); } else diff --git a/ssh.c b/ssh.c index 835f4822..11fdb309 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.388 2013/10/17 00:46:49 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.389 2013/10/23 03:05:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -900,6 +900,7 @@ main(int ac, char **av) /* preserve host name given on command line for %n expansion */ if (options.hostname != NULL) { + /* NB. Please keep in sync with readconf.c:match_cfg_line() */ cp = percent_expand(options.hostname, "h", host, (char *)NULL); free(host); -- cgit v1.2.1 From e76254f1dd4932a4bd85fa2f42f0ffd35926cc0b Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 23 Oct 2013 05:31:31 +0000 Subject: - djm@cvs.openbsd.org 2013/10/23 04:16:22 [ssh-keygen.c] Make code match documentation: relative-specified certificate expiry time should be relative to current time and not the validity start time. Reported by Petr Lautrbach; ok deraadt@ --- ChangeLog | 5 +++++ ssh-keygen.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 85cc3ec6..a4af4e89 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -22,6 +22,11 @@ - djm@cvs.openbsd.org 2013/10/23 03:05:19 [readconf.c ssh.c] comment + - djm@cvs.openbsd.org 2013/10/23 04:16:22 + [ssh-keygen.c] + Make code match documentation: relative-specified certificate expiry time + should be relative to current time and not the validity start time. + Reported by Petr Lautrbach; ok deraadt@ 20131018 - (djm) OpenBSD CVS Sync diff --git a/ssh-keygen.c b/ssh-keygen.c index b8d55452..b664a5f1 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.234 2013/09/02 22:00:34 deraadt Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.235 2013/10/23 04:16:22 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1743,7 +1743,7 @@ parse_cert_times(char *timespec) cert_valid_from = parse_absolute_time(from); if (*to == '-' || *to == '+') - cert_valid_to = parse_relative_time(to, cert_valid_from); + cert_valid_to = parse_relative_time(to, now); else cert_valid_to = parse_absolute_time(to); -- cgit v1.2.1 From a3952c61e3b3f0fd467beb12f6374bf3928ca5b1 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 23 Oct 2013 23:53:02 +0000 Subject: - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check rather than full client name which may be of form user@REALM; patch from Miguel Sanders; ok dtucker@ --- ChangeLog | 5 +++++ auth-krb5.c | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a4af4e89..26b5c5d7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20131024 + - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check + rather than full client name which may be of form user@REALM; + patch from Miguel Sanders; ok dtucker@ + 20131023 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/10/20 04:39:28 diff --git a/auth-krb5.c b/auth-krb5.c index 7c83f597..6c62bdf5 100644 --- a/auth-krb5.c +++ b/auth-krb5.c 
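Review bot: The one-line change in parse_cert_times() silently switches the base of a relative `to` from `cert_valid_from` to `now`, and nothing in the hunk says so; a reader who sees `from` parsed on the line above will assume the old base. Add `/* relative "to" is measured from the current time, not from the start of validity (matches ssh-keygen.1) */` above the `if`. With the new base an absolute future start combined with a small relative end (e.g. `-V 20140101:+1h`) can produce to <= from, so whatever empty-interval check follows later in the function (outside the hunk) is now load-bearing and should be confirmed. parse_cert_times() starts and ends outside the hunk.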
@@ -157,7 +157,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, + authctxt->pw->pw_name)) { problem = -1; goto out; } -- cgit v1.2.1 From 259e517dd175b7e4cc2877214aad975a1cd150b8 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 24 Oct 2013 10:01:26 +0000 Subject: - dtucker@cvs.openbsd.org 2013/10/23 05:40:58 [servconf.c] fix comment --- ChangeLog | 4 ++++ servconf.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 26b5c5d7..69dd5f85 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check rather than full client name which may be of form user@REALM; patch from Miguel Sanders; ok dtucker@ + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/10/23 05:40:58 + [servconf.c] + fix comment 20131023 - (djm) OpenBSD CVS Sync diff --git a/servconf.c b/servconf.c index c761ff01..100d38d9 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.241 2013/08/06 23:06:01 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.242 2013/10/23 05:40:58 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -641,7 +641,7 @@ out: /* * All of the attributes on a single Match line are ANDed together, so we need - * to check every * attribute and set the result to zero if any attribute does + * to check every attribute and set the result to zero if any attribute does * not match. */ static int -- cgit v1.2.1 From 726d83953b83c54c8b480a5a4b3a86bca8e32230 Mon Sep 17 00:00:00 2001 
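Review bot: The new second argument to krb5_kuserok() deserves a comment, because `client`, which presumably still holds the principal name used earlier in the function, looks like the obvious choice and someone will "fix" it back. Suggest `/* krb5_kuserok() wants the local account name; client may be a full principal (user@REALM) and would be looked up as a nonexistent local user */` above the call. This also means the .k5login decision keys off `authctxt->pw->pw_name` even when a platform-specific principal name was substituted earlier, which is the intended semantics (the local user's file lists the principals allowed in) but is worth stating explicitly. auth_krb5_password() starts and ends outside the hunk.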
From: djm Date: Thu, 24 Oct 2013 10:02:02 +0000 Subject: - djm@cvs.openbsd.org 2013/10/23 23:35:32 [sshd.c] include local address and port in "Connection from ..." message (only shown at loglevel>=verbose) --- ChangeLog | 4 ++++ sshd.c | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 69dd5f85..788816c9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ - dtucker@cvs.openbsd.org 2013/10/23 05:40:58 [servconf.c] fix comment + - djm@cvs.openbsd.org 2013/10/23 23:35:32 + [sshd.c] + include local address and port in "Connection from ..." message (only + shown at loglevel>=verbose) 20131023 - (djm) OpenBSD CVS Sync diff --git a/sshd.c b/sshd.c index b6f03d5a..c9ead2e7 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.408 2013/10/17 22:08:04 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.409 2013/10/23 23:35:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2040,7 +2040,9 @@ main(int ac, char **av) #endif /* LIBWRAP */ /* Log the connection. */ - verbose("Connection from %.500s port %d", remote_ip, remote_port); + verbose("Connection from %s port %d on %s port %d", + remote_ip, remote_port, + get_local_ipaddr(sock_in), get_local_port()); /* * We don't want to listen forever unless the other side -- cgit v1.2.1 From 86ceb5bb49e1696bf21f29ab093799353c274553 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 24 Oct 2013 10:02:26 +0000 Subject: - dtucker@cvs.openbsd.org 2013/10/24 00:49:49 [moduli.c] Periodically print progress and, if possible, expected time to completion when screening moduli for DH groups. ok deraadt djm --- ChangeLog | 4 +++ moduli.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++++--------- 2 files changed, 96 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 788816c9..95040392 100644 --- a/ChangeLog +++ b/ChangeLog 
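Review bot: `get_local_ipaddr(sock_in)` is called inline in the verbose() argument list, so if it hands back a freshly allocated string (it appears not to cache the way get_remote_ipaddr() does) the result is never freed; it is one allocation per connection in a process that exits soon after, so harmless in practice, but hoisting it into a local (`laddr = get_local_ipaddr(sock_in); verbose(...); free(laddr);`) keeps the function clean under leak checkers. The old format bounded the address with `%.500s`; dropping that is fine only because both addresses come from getnameinfo()-sized buffers, which is worth a short comment if that is not obvious to the next reader. main() continues outside the hunk.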
@@ -10,6 +10,10 @@ [sshd.c] include local address and port in "Connection from ..." message (only shown at loglevel>=verbose) + - dtucker@cvs.openbsd.org 2013/10/24 00:49:49 + [moduli.c] + Periodically print progress and, if possible, expected time to completion + when screening moduli for DH groups. ok deraadt djm 20131023 - (djm) OpenBSD CVS Sync diff --git a/moduli.c b/moduli.c index 294ff8fd..bb4dd7be 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.27 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: moduli.c,v 1.28 2013/10/24 00:49:49 dtucker Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -56,6 +56,7 @@ #include "xmalloc.h" #include "dh.h" #include "log.h" +#include "misc.h" #include "openbsd-compat/openssl-compat.h" 
@@ -488,6 +489,79 @@ read_checkpoint(char *cpfile) return lineno; } +static unsigned long +count_lines(FILE *f) +{ + unsigned long count = 0; + char lp[QLINESIZE + 1]; + + if (fseek(f, 0, SEEK_SET) != 0) { + debug("input file is not seekable"); + return ULONG_MAX; + } + while (fgets(lp, QLINESIZE + 1, f) != NULL) + count++; + rewind(f); + debug("input file has %lu lines", count); + return count; +} + +static char * +fmt_time(time_t seconds) +{ + int day, hr, min; + static char buf[128]; + + min = (seconds / 60) % 60; + hr = (seconds / 60 / 60) % 24; + day = seconds / 60 / 60 / 24; + if (day > 0) + snprintf(buf, sizeof buf, "%dd %d:%02d", day, hr, min); + else + snprintf(buf, sizeof buf, "%d:%02d", hr, min); + return buf; +} + +static void +print_progress(unsigned long start_lineno, unsigned long current_lineno, + unsigned long end_lineno) +{ + static time_t time_start, time_prev; + time_t time_now, elapsed; + unsigned long num_to_process, processed, remaining, percent, eta; + double time_per_line; + char *eta_str; + + time_now = monotime(); + if (time_start == 0) { + time_start = time_prev = time_now; + return; + } + /* print progress after 1m then once per 5m */ + if (time_now - time_prev < 5 * 60) + return; + time_prev = time_now; + elapsed = time_now - time_start; + processed = current_lineno - start_lineno; + remaining = end_lineno - current_lineno; + num_to_process = end_lineno - start_lineno; + time_per_line = (double)elapsed / processed; + /* if we don't know how many we're processing just report count+time */ + time(&time_now); + if (end_lineno == ULONG_MAX) { + logit("%.24s processed %lu in %s", ctime(&time_now), + processed, fmt_time(elapsed)); + return; + } + percent = 100 * processed / num_to_process; + eta = time_per_line * remaining; + eta_str = xstrdup(fmt_time(eta)); + logit("%.24s processed %lu of %lu (%lu%%) in %s, ETA %s", + ctime(&time_now), processed, num_to_process, percent, + fmt_time(elapsed), eta_str); + free(eta_str); +} + /* * perform a 
Miller-Rabin primality test * on the list of candidates @@ -512,6 +586,11 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, return (-1); } + if (num_lines == 0) + end_lineno = count_lines(in); + else + end_lineno = start_lineno + num_lines; + time(&time_start); if ((p = BN_new()) == NULL) @@ -526,26 +605,25 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, if (checkpoint_file != NULL) last_processed = read_checkpoint(checkpoint_file); - if (start_lineno > last_processed) - last_processed = start_lineno; - if (num_lines == 0) - end_lineno = ULONG_MAX; + last_processed = start_lineno = MAX(last_processed, start_lineno); + if (end_lineno == ULONG_MAX) + debug("process from line %lu from pipe", last_processed); else - end_lineno = last_processed + num_lines; - debug2("process line %lu to line %lu", last_processed, end_lineno); + debug("process from line %lu to line %lu", last_processed, + end_lineno); res = 0; lp = xmalloc(QLINESIZE + 1); while (fgets(lp, QLINESIZE + 1, in) != NULL && count_in < end_lineno) { count_in++; - if (checkpoint_file != NULL) { - if (count_in <= last_processed) { - debug3("skipping line %u, before checkpoint", - count_in); - continue; - } - write_checkpoint(checkpoint_file, count_in); + if (count_in <= last_processed) { + debug3("skipping line %u, before checkpoint or " + "specified start line", count_in); + continue; } + if (checkpoint_file != NULL) + write_checkpoint(checkpoint_file, count_in); + print_progress(start_lineno, count_in, end_lineno); if (strlen(lp) < 14 || *lp == '!' || *lp == '#') { debug2("%10u: comment or short line", count_in); continue; -- cgit v1.2.1 From 2f4cfdf1c00513f82de1f9f3662a875ea328144e Mon Sep 17 00:00:00 2001 
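Review bot: The comment `/* print progress after 1m then once per 5m */` in print_progress() does not match the code below it, which only reports after a five-minute gap (`time_now - time_prev < 5 * 60`) and has no one-minute first report; either change it to `/* print progress once per 5m */` or add the first-report logic. `time_now` is also overloaded: it holds a monotime() value for the interval arithmetic and is then overwritten by `time(&time_now)` to get a wall clock for ctime(), which is easy to misread, so a separate `time_t wallclock` would keep the two clocks distinct. fmt_time() returns a static buffer, which the caller works around with xstrdup(); a one-line comment on fmt_time() saying the result is overwritten by the next call would stop a future caller from passing it twice to one logit(). The hunk cuts the comment block introducing prime_test() in half; that function's body lies outside this hunk.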
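Review bot: `end_lineno = start_lineno + num_lines` is now computed before `start_lineno` is raised to the checkpoint position by `MAX(last_processed, start_lineno)`, whereas the removed code set `end_lineno = last_processed + num_lines` after that adjustment. A resumed run therefore stops at the originally requested window end instead of processing num_lines more lines from the checkpoint; that is probably the intended semantics (a resume finishes the same range), but it is a behaviour change the commit message does not mention and deserves a comment at the computation, e.g. `/* end is fixed relative to the requested start so a checkpointed resume finishes the same window */`. prime_test() starts and ends outside these hunks.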
From: djm Date: Thu, 24 Oct 2013 10:02:56 +0000 Subject: - dtucker@cvs.openbsd.org 2013/10/24 00:51:48 [readconf.c servconf.c ssh_config.5 sshd_config.5] Disallow empty Match statements and add "Match all" which matches everything. ok djm, man page help jmc@ --- ChangeLog | 4 ++++ readconf.c | 22 ++++++++++++++++++++-- servconf.c | 19 +++++++++++++++++-- ssh_config.5 | 9 ++++++--- sshd_config.5 | 8 +++++--- 5 files changed, 52 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 95040392..8dcff45d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,10 @@ [moduli.c] Periodically print progress and, if possible, expected time to completion when screening moduli for DH groups. ok deraadt djm + - dtucker@cvs.openbsd.org 2013/10/24 00:51:48 + [readconf.c servconf.c ssh_config.5 sshd_config.5] + Disallow empty Match statements and add "Match all" which matches + everything. ok djm, man page help jmc@ 20131023 - (djm) OpenBSD CVS Sync diff --git a/readconf.c b/readconf.c index f1866678..63c0ba19 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.212 2013/10/23 03:05:19 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.213 2013/10/24 00:51:48 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -459,7 +459,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, { char *arg, *attrib, *cmd, *cp = *condition, *host; const char *ruser; - int r, port, result = 1; + int r, port, result = 1, attributes = 0; size_t len; char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; 
@@ -478,6 +478,19 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, debug3("checking match for '%s' host %s", cp, host); while ((attrib = strdelim(&cp)) && *attrib != '\0') { + attributes++; + if (strcasecmp(attrib, "all") == 0) { + if (attributes != 1 || + ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { + error("'all' cannot be combined with other " + "Match attributes"); + result = -1; + goto out; + } + *condition = cp; + result = 1; + goto out; + } if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { error("Missing Match criteria for %s", attrib); result = -1; @@ -544,6 +557,11 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, goto out; } } + if (attributes == 0) { + error("One or more attributes required for Match"); + result = -1; + goto out; + } debug3("match %sfound", result ? "" : "not "); *condition = cp; out: diff --git a/servconf.c b/servconf.c index 100d38d9..82146723 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.242 2013/10/23 05:40:58 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.243 2013/10/24 00:51:48 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -647,7 +647,7 @@ out: static int match_cfg_line(char **condition, int line, struct connection_info *ci) { - int result = 1, port; + int result = 1, attributes = 0, port; char *arg, *attrib, *cp = *condition; size_t len; 
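Review bot: In the new `all` branch of match_cfg_line() the assignment `result = 1;` is dead: `result` is initialised to 1 and cannot have changed, because `attributes != 1` has already rejected any earlier criterion, so drop it or replace it with a comment. The branch also relies on `strdelim()` consuming the token after `all` to detect `Match all host foo`; a one-line comment such as `/* "all" takes no argument and must be the only criterion; matched case-insensitively */` would make both the intent and the destructive strdelim() call obvious. The loop body between the two hunks, including the `exec` handling, is outside this view, so match_cfg_line() is only partly visible here.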
@@ -661,6 +661,17 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) ci->laddress ? ci->laddress : "(null)", ci->lport); while ((attrib = strdelim(&cp)) && *attrib != '\0') { + attributes++; + if (strcasecmp(attrib, "all") == 0) { + if (attributes != 1 || + ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { + error("'all' cannot be combined with other " + "Match attributes"); + return -1; + } + *condition = cp; + return 1; + } if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { error("Missing Match criteria for %s", attrib); return -1; @@ -754,6 +765,10 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) return -1; } } + if (attributes == 0) { + error("One or more attributes required for Match"); + return -1; + } if (ci != NULL) debug3("match %sfound", result ? "" : "not "); *condition = cp; diff --git a/ssh_config.5 b/ssh_config.5 index 4161a662..3ef49461 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.177 2013/10/20 18:00:13 jmc Exp $ -.Dd $Mdocdate: October 20 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.178 2013/10/24 00:51:48 dtucker Exp $ +.Dd $Mdocdate: October 24 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -134,7 +134,10 @@ or keyword) to be used only when the conditions following the .Cm Match keyword are satisfied. -Match conditions are specified using one or more keyword/criteria pairs. +Match conditions are specified using one or more keyword/criteria pairs +or the single token +.Cm all +which matches all criteria. The available keywords are: .Cm exec , .Cm host , diff --git a/sshd_config.5 b/sshd_config.5 index 3abac6c1..0536cc3c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
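Review bot: The `all` branch returns 1 without looking at `ci`, while the second hunk's `if (ci != NULL)` guard shows this function is also run with a NULL connection context (the pre-connection parse). If the per-attribute criteria treat a NULL `ci` as "no match", which the visible context suggests since the remaining criteria need connection data to evaluate, then `Match all` becomes the one block that is active during the startup parse, so its directives are applied globally and the "not allowed within a Match block" check for global-only keywords is bypassed for it. Either add `if (ci == NULL) return 0;` before `*condition = cp;` so it behaves like every other Match, or document that `Match all` is intentionally active at startup; note the `debug3("match %sfound")` trace is also skipped on this path. match_cfg_line() begins outside the hunk.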
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $ -.Dd $Mdocdate: July 19 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.163 2013/10/24 00:51:48 dtucker Exp $ +.Dd $Mdocdate: October 24 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -750,7 +750,9 @@ line or the end of the file. .Pp The arguments to .Cm Match -are one or more criteria-pattern pairs. +are one or more criteria-pattern pairs or the single token +.Cm All +which matches all criteria. The available criteria are .Cm User , .Cm Group , -- cgit v1.2.1 From 717f20128957de31a8cdda9345fcf06bba88def0 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 24 Oct 2013 10:03:17 +0000 Subject: - djm@cvs.openbsd.org 2013/10/24 08:19:36 [ssh.c] fix bug introduced in hostname canonicalisation commit: don't try to resolve hostnames when a ProxyCommand is set unless the user has forced canonicalisation; spotted by Iain Morgan --- ChangeLog | 5 +++++ ssh.c | 8 +++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8dcff45d..b4bbea16 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,11 @@ [readconf.c servconf.c ssh_config.5 sshd_config.5] Disallow empty Match statements and add "Match all" which matches everything. ok djm, man page help jmc@ + - djm@cvs.openbsd.org 2013/10/24 08:19:36 + [ssh.c] + fix bug introduced in hostname canonicalisation commit: don't try to + resolve hostnames when a ProxyCommand is set unless the user has forced + canonicalisation; spotted by Iain Morgan 20131023 - (djm) OpenBSD CVS Sync diff --git a/ssh.c b/ssh.c index 11fdb309..81921a10 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.389 2013/10/23 03:05:19 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.390 2013/10/24 08:19:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -913,9 +913,11 @@ main(int ac, char **av) /* * If canonicalization not requested, or if it failed then try to * resolve the bare hostname name using the system resolver's usual - * search rules. + * search rules. Skip the lookup if a ProxyCommand is being used + * unless the user has specifically requested canonicalisation. */ - if (addrs == NULL) { + if (addrs == NULL && (options.proxy_command == NULL || + options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) { if ((addrs = resolve_host(host, options.port, 1, cname, sizeof(cname))) == NULL) cleanup_exit(255); /* resolve_host logs the error */ -- cgit v1.2.1 From b0bd990e56cdd37d58ac1cad9feff629b400a711 Mon Sep 17 00:00:00 2001 From: tim Date: Thu, 24 Oct 2013 19:22:49 +0000 Subject: - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd" --- ChangeLog | 1 + regress/sftp-perm.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b4bbea16..e396e470 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,7 @@ fix bug introduced in hostname canonicalisation commit: don't try to resolve hostnames when a ProxyCommand is set unless the user has forced canonicalisation; spotted by Iain Morgan + - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd" 20131023 - (djm) OpenBSD CVS Sync diff --git a/regress/sftp-perm.sh b/regress/sftp-perm.sh index 3448740b..304ca0ac 100644 --- a/regress/sftp-perm.sh +++ b/regress/sftp-perm.sh @@ -29,7 +29,7 @@ postcondition() { _title="$1" _check="$2" test -z "$_check" && return - sh -c "$_check" || fail "postcondition check failed: $_title" + ${TEST_SHELL} -c "$_check" || fail "postcondition check failed: $_title" } ro_test() { -- cgit v1.2.1 From 9e9285d06082cef571b88c6ee41f34a96295ef9c Mon Sep 17 00:00:00 2001 
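Review bot: With the new condition `addrs` can now legitimately remain NULL for the rest of main() (ProxyCommand set, canonicalisation not forced), but nothing in the hunk marks it as optional, and every later consumer, including the `freeaddrinfo(addrs)` further down, must now tolerate NULL; freeaddrinfo(NULL) is not guaranteed safe by POSIX. Add `/* addrs may be NULL from here on: resolution is skipped when a ProxyCommand is used */` after the block and audit the remaining uses of addrs in main(). The comment text also mixes "canonicalization" and "canonicalisation" on adjacent lines; pick one. main() continues past the hunk.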
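Review bot: `${TEST_SHELL} -c "$_check"` is unguarded, so if the harness does not export TEST_SHELL the line degrades to ` -c ...` and the postcondition fails for an unrelated reason; `${TEST_SHELL:-sh} -c "$_check"` keeps the old behaviour as the fallback while still letting a caller pick a shell that understands `! cmd`. If test-exec.sh is guaranteed to set it, a comment here (`# TEST_SHELL is set by test-exec.sh`) is enough. The opening line of postcondition() is only the hunk's header context.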
From: djm Date: Fri, 25 Oct 2013 23:05:47 +0000 Subject: - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove unnecessary arc4random_stir() calls. The only ones left are to ensure that the PRNG gets a different state after fork() for platforms that have broken the API. --- ssh-keygen.c | 5 ----- ssh-keysign.c | 1 - sshconnect1.c | 3 --- sshd.c | 4 ---- 4 files changed, 13 deletions(-) diff --git a/ssh-keygen.c b/ssh-keygen.c index b664a5f1..678dafe8 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -910,7 +910,6 @@ do_gen_all_hostkeys(struct passwd *pw) } printf("%s ", key_types[i].key_type_display); fflush(stdout); - arc4random_stir(); type = key_type_from_name(key_types[i].key_type); strlcpy(identity_file, key_types[i].path, sizeof(identity_file)); bits = 0; @@ -932,7 +931,6 @@ do_gen_all_hostkeys(struct passwd *pw) continue; } key_free(private); - arc4random_stir(); strlcat(identity_file, ".pub", sizeof(identity_file)); fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); if (fd == -1) { @@ -2543,8 +2541,6 @@ main(int argc, char **argv) return (0); } - arc4random_stir(); - if (key_type_name == NULL) key_type_name = "rsa"; @@ -2638,7 +2634,6 @@ passphrase_again: /* Clear the private key and the random number generator. */ key_free(private); - arc4random_stir(); if (!quiet) printf("Your identification has been saved in %s.\n", identity_file); diff --git a/ssh-keysign.c b/ssh-keysign.c index b67ed1ea..518373bf 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -179,7 +179,6 @@ main(int argc, char **argv) permanently_set_uid(pw); seed_rng(); - arc4random_stir(); #ifdef DEBUG_SSH_KEYSIGN log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); diff --git a/sshconnect1.c b/sshconnect1.c index f4b89077..7bd6cb01 100644 --- a/sshconnect1.c +++ b/sshconnect1.c 
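Review bot: In the last ssh-keygen.c hunk the comment `/* Clear the private key and the random number generator. */` is left in place while the `arc4random_stir()` it described is removed, so it now claims something the code no longer does; change it to `/* Clear the private key. */`. The other removals are fine as far as the hunks show, since none of these sites straddles a fork() and arc4random_buf()/arc4random() reseed on their own, but a one-line comment at the ssh-keysign.c `seed_rng();` call noting that no explicit stir is needed would stop someone re-adding it. The enclosing functions start and end outside the hunks.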
@@ -542,9 +542,6 @@ ssh_kex(char *host, struct sockaddr *hostaddr) derive_ssh1_session_id(host_key->rsa->n, server_key->rsa->n, cookie, session_id); - /* Generate a session key. */ - arc4random_stir(); - /* * Generate an encryption key for the session. The key is a 256 bit * random number, interpreted as a 32-byte key, with the least diff --git a/sshd.c b/sshd.c index c9ead2e7..d4349f61 100644 --- a/sshd.c +++ b/sshd.c @@ -398,7 +398,6 @@ generate_ephemeral_server_key(void) verbose("RSA key generation complete."); arc4random_buf(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); - arc4random_stir(); } /*ARGSUSED*/ @@ -1867,9 +1866,6 @@ main(int ac, char **av) /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); - /* Initialize the random number generator. */ - arc4random_stir(); - /* Chdir to the root directory so that the current disk can be unmounted if desired. */ if (chdir("/") == -1) -- cgit v1.2.1 From e5271712ea6f2632859eb7e9b74e562aebb2e7be Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 25 Oct 2013 23:07:56 +0000 Subject: - djm@cvs.openbsd.org 2013/10/25 23:04:51 [ssh.c] fix crash when using ProxyCommand caused by previous commit - was calling freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@ --- ChangeLog | 13 +++++++++++++ ssh.c | 6 ++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e396e470..4519a922 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,16 @@ +20131026 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/25 23:04:51 + [ssh.c] + fix crash when using ProxyCommand caused by previous commit - was calling + freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@ + +20131025 + - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove + unnecessary arc4random_stir() calls. The only ones left are to ensure + that the PRNG gets a different state after fork() for platforms that + have broken the API. + 20131024 - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check rather than full client name which may be of form user@REALM; diff --git a/ssh.c b/ssh.c index 81921a10..ef94591b 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.390 2013/10/24 08:19:36 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.391 2013/10/25 23:04:51 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -965,7 +965,9 @@ main(int ac, char **av) options.use_privileged_port) != 0) exit(255); - freeaddrinfo(addrs); + if (addrs != NULL) + freeaddrinfo(addrs); + packet_set_timeout(options.server_alive_interval, options.server_alive_count_max); -- cgit v1.2.1 From 12af12886d4d629f7822ed1c39fc368851148568 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 30 Oct 2013 11:19:47 +0000 Subject: - djm@cvs.openbsd.org 2013/10/29 09:42:11 [key.c key.h] fix potential stack exhaustion caused by nested certificates; report by Mateusz Kocielski; ok dtucker@ markus@ --- ChangeLog | 7 +++++++ key.c | 45 +++++++++++++++++++++++++++++---------------- key.h | 3 ++- 3 files changed, 38 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4519a922..54f7b004 100644 --- a/ChangeLog +++ b/ChangeLog 
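Review bot: The `if (addrs != NULL)` guard fixes the crash but leaves no trace of why `addrs` can be NULL here; a reader of this line alone will assume a resolver failure that should already have been fatal. Suggest `/* addrs is NULL when resolution was skipped (ProxyCommand without forced canonicalisation) */` above the test. Any other use of `addrs` between the skipped resolution and this point needs the same tolerance; that stretch of main() is outside the hunk.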
@@ -1,3 +1,10 @@ +20131030 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/29 09:42:11 + [key.c key.h] + fix potential stack exhaustion caused by nested certificates; + report by Mateusz Kocielski; ok dtucker@ markus@ + 20131026 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/10/25 23:04:51 diff --git a/key.c b/key.c index 55ee7899..90f0a017 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.104 2013/05/19 02:42:42 djm Exp $ */ +/* $OpenBSD: key.c,v 1.105 2013/10/29 09:42:11 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -56,6 +56,7 @@ #include "ssh2.h" static int to_blob(const Key *, u_char **, u_int *, int); +static Key *key_from_blob2(const u_char *, u_int, int); static struct KeyCert * cert_new(void) @@ -1023,6 +1024,18 @@ key_alg_list(void) return ret; } +int +key_type_is_cert(int type) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type == type) + return kt->cert; + } + return 0; +} + u_int key_size(const Key *k) { @@ -1387,8 +1400,8 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) } buffer_clear(&tmp); - if ((key->cert->signature_key = key_from_blob(sig_key, - sklen)) == NULL) { + if ((key->cert->signature_key = key_from_blob2(sig_key, sklen, 0)) + == NULL) { error("%s: Signature key invalid", __func__); goto out; } @@ -1425,8 +1438,8 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) return ret; } -Key * -key_from_blob(const u_char *blob, u_int blen) +static Key * +key_from_blob2(const u_char *blob, u_int blen, int allow_cert) { Buffer b; int rlen, type; 
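Review bot: The fix only holds if every certificate row in keytypes[], including the *_CERT_V00 rows that the removed switch in key_is_cert() listed by hand, has `cert` set, because key_type_is_cert() now makes that table the single source of truth and cert_parse() relies on it (via `key_from_blob2(sig_key, sklen, 0)`) to refuse a certificate in the CA-key slot; keytypes[] is outside the hunk, so please check it and say so in a comment on key_type_is_cert(). A short note at the cert_parse() call site, `/* a CA key must be a plain key: refuse nested certificates (stack exhaustion) */`, would record why the 0 is there. cert_parse() starts and ends outside the hunk.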
@@ -1452,7 +1465,10 @@ key_from_blob(const u_char *blob, u_int blen) if (key_type_plain(type) == KEY_ECDSA) nid = key_ecdsa_nid_from_name(ktype); #endif - + if (!allow_cert && key_type_is_cert(type)) { + error("key_from_blob: certificate not allowed in this context"); + goto out; + } switch (type) { case KEY_RSA_CERT: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ @@ -1551,6 +1567,12 @@ key_from_blob(const u_char *blob, u_int blen) return key; } +Key * +key_from_blob(const u_char *blob, u_int blen) +{ + return key_from_blob2(blob, blen, 1); +} + static int to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) { @@ -1747,16 +1769,7 @@ key_is_cert(const Key *k) { if (k == NULL) return 0; - switch (k->type) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: - case KEY_RSA_CERT: - case KEY_DSA_CERT: - case KEY_ECDSA_CERT: - return 1; - default: - return 0; - } + return key_type_is_cert(k->type); } /* Return the cert-less equivalent to a certified key type */ diff --git a/key.h b/key.h index 17358ae1..8a78a828 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.37 2013/05/19 02:42:42 djm Exp $ */ +/* $OpenBSD: key.h,v 1.38 2013/10/29 09:42:11 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -107,6 +107,7 @@ Key *key_generate(int, u_int); Key *key_from_private(const Key *); int key_type_from_name(char *); int key_is_cert(const Key *); +int key_type_is_cert(int); int key_type_plain(int); int key_to_certified(Key *, int); int key_drop_cert(Key *); -- cgit v1.2.1 From d6595073c049f97070e8e5c0208d39f2bb4c1123 Mon Sep 17 00:00:00 2001 
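Review bot: The new rejection in key_from_blob2() logs `"key_from_blob: certificate not allowed in this context"` with a hard-coded function name although the function was just renamed; use `error("%s: certificate not allowed in this context", __func__)` so the log matches the code. Placing the check before the `switch` is right, since it runs before any nested parse and that is what bounds the recursion, and a one-line comment above it (`/* refuse certs here so a cert-in-cert chain cannot recurse */`) would keep someone from moving it below the cases. key_from_blob() is now a thin wrapper preserving the old contract; the body of key_from_blob2() continues outside the hunk.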
From: djm Date: Wed, 30 Oct 2013 11:21:50 +0000 Subject: - djm@cvs.openbsd.org 2013/10/29 09:48:02 [servconf.c servconf.h session.c sshd_config sshd_config.5] shd_config PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option; bz#2070, patch from Teran McKinney; ok markus@ --- ChangeLog | 5 +++++ servconf.c | 14 ++++++++++++-- servconf.h | 3 ++- session.c | 4 ++-- sshd_config | 4 +++- sshd_config.5 | 11 +++++++++-- 6 files changed, 33 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 54f7b004..84283a3e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ [key.c key.h] fix potential stack exhaustion caused by nested certificates; report by Mateusz Kocielski; ok dtucker@ markus@ + - djm@cvs.openbsd.org 2013/10/29 09:48:02 + [servconf.c servconf.h session.c sshd_config sshd_config.5] + shd_config PermitTTY to disallow TTY allocation, mirroring the + longstanding no-pty authorized_keys option; + bz#2070, patch from Teran McKinney; ok markus@ 20131026 - (djm) OpenBSD CVS Sync diff --git a/servconf.c b/servconf.c index 82146723..0f1bdd09 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.243 2013/10/24 00:51:48 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.244 2013/10/29 09:48:02 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -92,6 +92,7 @@ initialize_server_options(ServerOptions *options) options->x11_forwarding = -1; options->x11_display_offset = -1; options->x11_use_localhost = -1; + options->permit_tty = -1; options->xauth_location = NULL; options->strict_modes = -1; options->tcp_keep_alive = -1; @@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options) options->x11_use_localhost = 1; if (options->xauth_location == NULL) options->xauth_location = _PATH_XAUTH; + if (options->permit_tty == -1) + options->permit_tty = 1; if (options->strict_modes == -1) options->strict_modes = 1; if (options->tcp_keep_alive == -1) 
@@ -329,7 +332,7 @@ typedef enum { sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, - sStrictModes, sEmptyPasswd, sTCPKeepAlive, + sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, @@ -462,6 +465,7 @@ static struct { { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, { "acceptenv", sAcceptEnv, SSHCFG_ALL }, { "permittunnel", sPermitTunnel, SSHCFG_ALL }, + { "permittty", sPermitTTY, SSHCFG_ALL }, { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, { "forcecommand", sForceCommand, SSHCFG_ALL }, @@ -1132,6 +1136,10 @@ process_server_config_line(ServerOptions *options, char *line, charptr = &options->xauth_location; goto parse_filename; + case sPermitTTY: + intptr = &options->permit_tty; + goto parse_flag; + case sStrictModes: intptr = &options->strict_modes; goto parse_flag; @@ -1783,6 +1791,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_use_localhost); + M_CP_INTOPT(permit_tty); M_CP_INTOPT(max_sessions); M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); @@ -2013,6 +2022,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); + dump_cfg_fmtint(sPermitTTY, o->permit_tty); dump_cfg_fmtint(sStrictModes, o->strict_modes); dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); diff --git a/servconf.h b/servconf.h index 98aad8ba..2d4b6ecb 100644 --- a/servconf.h +++ b/servconf.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.110 2013/10/29 09:48:02 djm Exp $ */ /* * Author: Tatu Ylonen @@ -82,6 +82,7 @@ typedef struct { * searching at */ int x11_use_localhost; /* If true, use localhost for fake X11 server. */ char *xauth_location; /* Location of xauth program */ + int permit_tty; /* If false, deny pty allocation */ int strict_modes; /* If true, require string home dir modes. */ int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ diff --git a/session.c b/session.c index 6e48a2fa..a0a0c2d9 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.267 2013/10/14 21:20:52 djm Exp $ */ +/* $OpenBSD: session.c,v 1.268 2013/10/29 09:48:02 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -2062,7 +2062,7 @@ session_pty_req(Session *s) u_int len; int n_bytes; - if (no_pty_flag) { + if (no_pty_flag || !options.permit_tty) { debug("Allocating a pty not permitted for this authentication."); return 0; } diff --git a/sshd_config b/sshd_config index dbda7491..235459af 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.91 2013/09/07 13:53:11 sthen Exp $ +# $OpenBSD: sshd_config,v 1.92 2013/10/29 09:48:02 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -101,6 +101,7 @@ AuthorizedKeysFile .ssh/authorized_keys #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes @@ -127,4 +128,5 @@ Subsystem sftp /usr/libexec/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server diff --git a/sshd_config.5 b/sshd_config.5 index 0536cc3c..c3e30e61 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
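Review bot: With the widened condition the debug message `Allocating a pty not permitted for this authentication.` no longer says which control refused: the `no-pty` key option or `PermitTTY no` from the server configuration. An administrator reading debug output to find out why a session got no tty sees the same line in both cases; `debug("Allocating a pty not permitted: %s", no_pty_flag ? "no-pty key option" : "PermitTTY no");` separates them at no cost. session_pty_req continues outside the hunk.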
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.163 2013/10/24 00:51:48 dtucker Exp $ -.Dd $Mdocdate: October 24 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.164 2013/10/29 09:48:02 djm Exp $ +.Dd $Mdocdate: October 29 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -813,6 +813,7 @@ Available keywords are .Cm PermitEmptyPasswords , .Cm PermitOpen , .Cm PermitRootLogin , +.Cm PermitTTY , .Cm PermitTunnel , .Cm PubkeyAuthentication , .Cm RekeyLimit , @@ -942,6 +943,12 @@ and .Dq ethernet . The default is .Dq no . +.It Cm PermitTTY +Specifies whether +.Xr pty 7 +allocation is permitted. +The default is +.Dq yes . .It Cm PermitUserEnvironment Specifies whether .Pa ~/.ssh/environment -- cgit v1.2.1 From 867fc59009647b0445d2c7922fcd9fc44d570406 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 30 Oct 2013 11:31:06 +0000 Subject: - jmc@cvs.openbsd.org 2013/10/29 18:49:32 [sshd_config.5] pty(4), not pty(7); --- ChangeLog | 3 +++ sshd_config.5 | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 84283a3e..b4c02856 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ shd_config PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option; bz#2070, patch from Teran McKinney; ok markus@ + - jmc@cvs.openbsd.org 2013/10/29 18:49:32 + [sshd_config.5] + pty(4), not pty(7); 20131026 - (djm) OpenBSD CVS Sync diff --git a/sshd_config.5 b/sshd_config.5 index c3e30e61..bcfcc9c3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.164 2013/10/29 09:48:02 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.165 2013/10/29 18:49:32 jmc Exp $ .Dd $Mdocdate: October 29 2013 $ .Dt SSHD_CONFIG 5 .Os @@ -945,7 +945,7 @@ The default is .Dq no . .It Cm PermitTTY Specifies whether -.Xr pty 7 +.Xr pty 4 allocation is permitted. The default is .Dq yes . -- cgit v1.2.1 From 399a4ce0652195202675d9f307969a32218ece2c Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 3 Nov 2013 05:30:47 +0000 Subject: - (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep. From OpenSMTPD where it prevents "implicit declaration" warnings (it's a no-op in OpenSSH). From chl at openbsd. --- openbsd-compat/bsd-misc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index d75854e8..65e80039 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #include "xmalloc.h" -- cgit v1.2.1 From 313140ccdb3713cc34585c3d50b86e3a1cb01283 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 3 Nov 2013 06:20:35 +0000 Subject: - (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd vsnprintf. From eric at openbsd via chl@. --- openbsd-compat/setproctitle.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/openbsd-compat/setproctitle.c b/openbsd-compat/setproctitle.c index 2965f689..a69db22a 100644 --- a/openbsd-compat/setproctitle.c +++ b/openbsd-compat/setproctitle.c @@ -125,6 +125,7 @@ setproctitle(const char *fmt, ...) va_list ap; char buf[1024], ptitle[1024]; size_t len; + int r; extern char *__progname; #if SPT_TYPE == SPT_PSTAT union pstun pst; 
@@ -137,13 +138,16 @@ setproctitle(const char *fmt, ...) strlcpy(buf, __progname, sizeof(buf)); + r = -1; va_start(ap, fmt); if (fmt != NULL) { len = strlcat(buf, ": ", sizeof(buf)); if (len < sizeof(buf)) - vsnprintf(buf + len, sizeof(buf) - len , fmt, ap); + r = vsnprintf(buf + len, sizeof(buf) - len , fmt, ap); } va_end(ap); + if (r == -1 || (size_t)r >= sizeof(buf) - len) + return; strnvis(ptitle, buf, sizeof(ptitle), VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL); -- cgit v1.2.1 From 493059bced949854d4e7a50c3c7ec87451db24c7 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 3 Nov 2013 21:26:53 +0000 Subject: - markus@cvs.openbsd.org 2013/11/02 21:59:15 [kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@ --- myproposal.h | 3 +- smult_curve25519_ref.c | 265 +++++++++++++++++++++++++++++++++++++++++++++++++ ssh-keyscan.c | 3 +- sshconnect2.c | 3 +- sshd.c | 3 +- 5 files changed, 273 insertions(+), 4 deletions(-) create mode 100644 smult_curve25519_ref.c diff --git a/myproposal.h b/myproposal.h index 4e913e3c..0820749a 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.32 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.33 2013/11/02 21:59:15 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -66,6 +66,7 @@ #endif # define KEX_DEFAULT_KEX \ + "curve25519-sha256@libssh.org," \ KEX_ECDH_METHODS \ KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha1," \ diff --git a/smult_curve25519_ref.c b/smult_curve25519_ref.c new file mode 100644 index 00000000..2e69934d --- /dev/null +++ b/smult_curve25519_ref.c 
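Review bot: The new early return also fires when `fmt` is NULL, because `r` starts at -1 and is only assigned inside the `if (fmt != NULL)` block; before this change a NULL format fell through to `strnvis()` and set the title to `__progname` alone, now it silently changes nothing. If any caller uses `setproctitle(NULL)` to reset the title, that is a behaviour change the commit message does not mention. Initialising `r` and `len` to 0 and moving the -1 into the branch keeps the error handling for the formatted case while restoring the NULL case. Note that `len` is only read in the return test when `r != -1`, i.e. after the branch assigned it, which deserves a comment since `len` is otherwise uninitialised. The rest of setproctitle lies outside the hunk.
```c
	r = 0;
	len = 0;
	va_start(ap, fmt);
	if (fmt != NULL) {
		r = -1;	/* any failure below leaves the title untouched */
		len = strlcat(buf, ": ", sizeof(buf));
		if (len < sizeof(buf))
			r = vsnprintf(buf + len, sizeof(buf) - len, fmt, ap);
	}
	va_end(ap);
	/* len is only consulted once r != -1, i.e. once the branch set it */
	if (r == -1 || (size_t)r >= sizeof(buf) - len)
		return;
	/* … unchanged: strnvis() and the platform-specific title update … */
```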
@@ -0,0 +1,265 @@
+/* $OpenBSD: smult_curve25519_ref.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */
+/*
+version 20081011
+Matthew Dempsky
+Public domain.
+Derived from public domain code by D. J. Bernstein.
+*/
+
+int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *);
+
+static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
+{
+ unsigned int j;
+ unsigned int u;
+ u = 0;
+ for (j = 0;j < 31;++j) { u += a[j] + b[j]; out[j] = u & 255; u >>= 8; }
+ u += a[31] + b[31]; out[31] = u;
+}
+
+static void sub(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
+{
+ unsigned int j;
+ unsigned int u;
+ u = 218;
+ for (j = 0;j < 31;++j) {
+ u += a[j] + 65280 - b[j];
+ out[j] = u & 255;
+ u >>= 8;
+ }
+ u += a[31] - b[31];
+ out[31] = u;
+}
+
+static void squeeze(unsigned int a[32])
+{
+ unsigned int j;
+ unsigned int u;
+ u = 0;
+ for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; }
+ u += a[31]; a[31] = u & 127;
+ u = 19 * (u >> 7);
+ for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; }
+ u += a[31]; a[31] = u;
+}
+
+static const unsigned int minusp[32] = {
+ 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128
+} ;
+
+static void freeze(unsigned int a[32])
+{
+ unsigned int aorig[32];
+ unsigned int j;
+ unsigned int negative;
+
+ for (j = 0;j < 32;++j) aorig[j] = a[j];
+ add(a,a,minusp);
+ negative = -((a[31] >> 7) & 1);
+ for (j = 0;j < 32;++j) a[j] ^= negative & (aorig[j] ^ a[j]);
+}
+
+static void mult(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
+{
+ unsigned int i;
+ unsigned int j;
+ unsigned int u;
+
+ for (i = 0;i < 32;++i) {
+ u = 0;
+ for (j = 0;j <= i;++j) u += a[j] * b[i - j];
+ for (j = i + 1;j < 32;++j) u += 38 * a[j] * b[i + 32 - j];
+ out[i] = u;
+ }
+ squeeze(out);
+}
+
+static void mult121665(unsigned int out[32],const unsigned int a[32])
+{
+ unsigned int j;
+ unsigned int 
u;
+
+ u = 0;
+ for (j = 0;j < 31;++j) { u += 121665 * a[j]; out[j] = u & 255; u >>= 8; }
+ u += 121665 * a[31]; out[31] = u & 127;
+ u = 19 * (u >> 7);
+ for (j = 0;j < 31;++j) { u += out[j]; out[j] = u & 255; u >>= 8; }
+ u += out[j]; out[j] = u;
+}
+
+static void square(unsigned int out[32],const unsigned int a[32])
+{
+ unsigned int i;
+ unsigned int j;
+ unsigned int u;
+
+ for (i = 0;i < 32;++i) {
+ u = 0;
+ for (j = 0;j < i - j;++j) u += a[j] * a[i - j];
+ for (j = i + 1;j < i + 32 - j;++j) u += 38 * a[j] * a[i + 32 - j];
+ u *= 2;
+ if ((i & 1) == 0) {
+ u += a[i / 2] * a[i / 2];
+ u += 38 * a[i / 2 + 16] * a[i / 2 + 16];
+ }
+ out[i] = u;
+ }
+ squeeze(out);
+}
+
+static void select(unsigned int p[64],unsigned int q[64],const unsigned int r[64],const unsigned int s[64],unsigned int b)
+{
+ unsigned int j;
+ unsigned int t;
+ unsigned int bminus1;
+
+ bminus1 = b - 1;
+ for (j = 0;j < 64;++j) {
+ t = bminus1 & (r[j] ^ s[j]);
+ p[j] = s[j] ^ t;
+ q[j] = r[j] ^ t;
+ }
+}
+
+static void mainloop(unsigned int work[64],const unsigned char e[32])
+{
+ unsigned int xzm1[64];
+ unsigned int xzm[64];
+ unsigned int xzmb[64];
+ unsigned int xzm1b[64];
+ unsigned int xznb[64];
+ unsigned int xzn1b[64];
+ unsigned int a0[64];
+ unsigned int a1[64];
+ unsigned int b0[64];
+ unsigned int b1[64];
+ unsigned int c1[64];
+ unsigned int r[32];
+ unsigned int s[32];
+ unsigned int t[32];
+ unsigned int u[32];
+ unsigned int j;
+ unsigned int b;
+ int pos;
+
+ for (j = 0;j < 32;++j) xzm1[j] = work[j];
+ xzm1[32] = 1;
+ for (j = 33;j < 64;++j) xzm1[j] = 0;
+
+ xzm[0] = 1;
+ for (j = 1;j < 64;++j) xzm[j] = 0;
+
+ for (pos = 254;pos >= 0;--pos) {
+ b = e[pos / 8] >> (pos & 7);
+ b &= 1;
+ select(xzmb,xzm1b,xzm,xzm1,b);
+ add(a0,xzmb,xzmb + 32);
+ sub(a0 + 32,xzmb,xzmb + 32);
+ add(a1,xzm1b,xzm1b + 32);
+ sub(a1 + 32,xzm1b,xzm1b + 32);
+ square(b0,a0);
+ square(b0 + 32,a0 + 32);
+ mult(b1,a1,a0 + 32);
+ mult(b1 + 32,a1 + 32,a0);
+ add(c1,b1,b1 + 32);
+ sub(c1 + 32,b1,b1 + 32);
+ 
square(r,c1 + 32);
+ sub(s,b0,b0 + 32);
+ mult121665(t,s);
+ add(u,t,b0);
+ mult(xznb,b0,b0 + 32);
+ mult(xznb + 32,s,u);
+ square(xzn1b,c1);
+ mult(xzn1b + 32,r,work);
+ select(xzm,xzm1,xznb,xzn1b,b);
+ }
+
+ for (j = 0;j < 64;++j) work[j] = xzm[j];
+}
+
+static void recip(unsigned int out[32],const unsigned int z[32])
+{
+ unsigned int z2[32];
+ unsigned int z9[32];
+ unsigned int z11[32];
+ unsigned int z2_5_0[32];
+ unsigned int z2_10_0[32];
+ unsigned int z2_20_0[32];
+ unsigned int z2_50_0[32];
+ unsigned int z2_100_0[32];
+ unsigned int t0[32];
+ unsigned int t1[32];
+ int i;
+
+ /* 2 */ square(z2,z);
+ /* 4 */ square(t1,z2);
+ /* 8 */ square(t0,t1);
+ /* 9 */ mult(z9,t0,z);
+ /* 11 */ mult(z11,z9,z2);
+ /* 22 */ square(t0,z11);
+ /* 2^5 - 2^0 = 31 */ mult(z2_5_0,t0,z9);
+
+ /* 2^6 - 2^1 */ square(t0,z2_5_0);
+ /* 2^7 - 2^2 */ square(t1,t0);
+ /* 2^8 - 2^3 */ square(t0,t1);
+ /* 2^9 - 2^4 */ square(t1,t0);
+ /* 2^10 - 2^5 */ square(t0,t1);
+ /* 2^10 - 2^0 */ mult(z2_10_0,t0,z2_5_0);
+
+ /* 2^11 - 2^1 */ square(t0,z2_10_0);
+ /* 2^12 - 2^2 */ square(t1,t0);
+ /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { square(t0,t1); square(t1,t0); }
+ /* 2^20 - 2^0 */ mult(z2_20_0,t1,z2_10_0);
+
+ /* 2^21 - 2^1 */ square(t0,z2_20_0);
+ /* 2^22 - 2^2 */ square(t1,t0);
+ /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { square(t0,t1); square(t1,t0); }
+ /* 2^40 - 2^0 */ mult(t0,t1,z2_20_0);
+
+ /* 2^41 - 2^1 */ square(t1,t0);
+ /* 2^42 - 2^2 */ square(t0,t1);
+ /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { square(t1,t0); square(t0,t1); }
+ /* 2^50 - 2^0 */ mult(z2_50_0,t0,z2_10_0);
+
+ /* 2^51 - 2^1 */ square(t0,z2_50_0);
+ /* 2^52 - 2^2 */ square(t1,t0);
+ /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { square(t0,t1); square(t1,t0); }
+ /* 2^100 - 2^0 */ mult(z2_100_0,t1,z2_50_0);
+
+ /* 2^101 - 2^1 */ square(t1,z2_100_0);
+ /* 2^102 - 2^2 */ square(t0,t1);
+ /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { square(t1,t0); square(t0,t1); }
+ /* 2^200 - 2^0 */ 
mult(t1,t0,z2_100_0); + + /* 2^201 - 2^1 */ square(t0,t1); + /* 2^202 - 2^2 */ square(t1,t0); + /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { square(t0,t1); square(t1,t0); } + /* 2^250 - 2^0 */ mult(t0,t1,z2_50_0); + + /* 2^251 - 2^1 */ square(t1,t0); + /* 2^252 - 2^2 */ square(t0,t1); + /* 2^253 - 2^3 */ square(t1,t0); + /* 2^254 - 2^4 */ square(t0,t1); + /* 2^255 - 2^5 */ square(t1,t0); + /* 2^255 - 21 */ mult(out,t1,z11); +} + +int crypto_scalarmult_curve25519(unsigned char *q, + const unsigned char *n, + const unsigned char *p) +{ + unsigned int work[96]; + unsigned char e[32]; + unsigned int i; + for (i = 0;i < 32;++i) e[i] = n[i]; + e[0] &= 248; + e[31] &= 127; + e[31] |= 64; + for (i = 0;i < 32;++i) work[i] = p[i]; + mainloop(work,e); + recip(work + 32,work + 32); + mult(work + 64,work,work + 32); + freeze(work + 64); + for (i = 0;i < 32;++i) q[i] = work[64 + i]; + return 0; +} diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 8b807c10..c5f658d7 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.87 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.88 2013/11/02 21:59:15 markus Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -254,6 +254,7 @@ keygrab_ssh2(con *c) c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; c->c_kex->kex[KEX_ECDH_SHA2] = kexecdh_client; + c->c_kex->kex[KEX_C25519_SHA256] = kexc25519_client; c->c_kex->verify_host_key = hostjump; if (!(j = setjmp(kexjmp))) { diff --git a/sshconnect2.c b/sshconnect2.c index 70e3cd8c..1f6160e8 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.198 2013/06/05 12:52:38 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.199 2013/11/02 21:59:15 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. 
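Review bot: `select()` in the new file is branch-free by construction (`bminus1 = b - 1` becomes an all-ones mask for b == 0 and zero for b == 1, and the swap is done with XOR masks), but nothing in the file says so; a comment such as `/* Constant-time conditional swap: must stay free of data-dependent branches and memory accesses. */` above it, and a matching one above the `for (pos = 254; ...)` ladder in mainloop, would stop a later "simplification" into an if/else from leaking scalar bits through timing. The name `select` also clashes with the libc `select(2)` prototype; the file includes no headers today so it compiles, but the first system header declaring select(2) that gets pulled in will fail on the conflicting static definition, and a name such as `cswap` avoids that. The prototype at the top declares the parameters as `unsigned char *` while kexc25519.c redeclares the same function with fixed-size array parameters — compatible, but a comment noting the two must stay in sync would help.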
@@ -208,6 +208,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; kex->kex[KEX_ECDH_SHA2] = kexecdh_client; + kex->kex[KEX_C25519_SHA256] = kexc25519_client; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; kex->verify_host_key=&verify_host_key_callback; diff --git a/sshd.c b/sshd.c index d4349f61..8a62fc1a 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.409 2013/10/23 23:35:32 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.410 2013/11/02 21:59:15 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2451,6 +2451,7 @@ do_ssh2_kex(void) kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; + kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -- cgit v1.2.1 From 9f4ba86b39be3a0e0f97c5ce7323d8aff064a93a Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 3 Nov 2013 21:37:51 +0000 Subject: - markus@cvs.openbsd.org 2013/11/02 22:24:24 [kexdhs.c kexecdhs.c] no need to include ssh-gss.h --- kexdhs.c | 6 +----- kexecdhs.c | 7 +------ 2 files changed, 2 insertions(+), 11 deletions(-) diff --git a/kexdhs.c b/kexdhs.c index 269d8090..39b9aba5 100644 --- a/kexdhs.c +++ b/kexdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhs.c,v 1.14 2013/07/19 07:37:48 markus Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.16 2013/11/02 22:24:24 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -42,10 +42,6 @@ #include "packet.h" #include "dh.h" #include "ssh2.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" void kexdh_server(Kex *kex) diff --git a/kexecdhs.c b/kexecdhs.c index 3a580aac..431fd2c2 100644 --- a/kexecdhs.c +++ b/kexecdhs.c 
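Review bot: The kexdhs.c hunk removes `#include "monitor_wrap.h"` together with the GSSAPI block, which is more than the commit message's "no need to include ssh-gss.h" covers; if `kexdh_server()` (its body lies outside the hunk) still goes through the `PRIVSEP()` wrapper for host-key signing, that header is what declares it and the portable build loses the declaration. The same removal appears in the kexecdhs.c hunk that follows, which additionally drops `#include "dh.h"`. If both are intentional, a line in the commit message would help; otherwise the two `#include "monitor_wrap.h"` lines should be restored.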
@@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.5 2013/07/19 07:37:48 markus Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.7 2013/11/02 22:24:24 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -37,12 +37,7 @@ #include "kex.h" #include "log.h" #include "packet.h" -#include "dh.h" #include "ssh2.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" #ifdef OPENSSL_HAS_ECC -- cgit v1.2.1 From eed617960fdf81ea44a599a3eb96c575678ca972 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 3 Nov 2013 21:55:44 +0000 Subject: - markus@cvs.openbsd.org 2013/11/02 22:39:19 [ssh_config.5 sshd_config.5] the default kex is now curve25519-sha256@libssh.org --- ssh_config.5 | 5 +++-- sshd_config.5 | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ssh_config.5 b/ssh_config.5 index 3ef49461..8809568a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.178 2013/10/24 00:51:48 dtucker Exp $ -.Dd $Mdocdate: October 24 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.179 2013/11/02 22:39:19 markus Exp $ +.Dd $Mdocdate: November 2 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -873,6 +873,7 @@ Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent +curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diff --git a/sshd_config.5 b/sshd_config.5 index bcfcc9c3..02c45a7d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.165 2013/10/29 18:49:32 jmc Exp $ -.Dd $Mdocdate: October 29 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.166 2013/11/02 22:39:19 markus Exp $ +.Dd $Mdocdate: November 2 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -651,6 +651,7 @@ The default is Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is +.Dq curve25519-sha256@libssh.org , .Dq ecdh-sha2-nistp256 , .Dq ecdh-sha2-nistp384 , .Dq ecdh-sha2-nistp521 , -- cgit v1.2.1 From 48cd522bf46f68eb1c6dcc286122023c7ccf58fe Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 3 Nov 2013 22:05:18 +0000 Subject: - djm@cvs.openbsd.org 2013/11/03 10:37:19 [roaming_common.c] fix a couple of function definitions foo() -> foo(void) (-Wold-style-definition) --- roaming_common.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roaming_common.c b/roaming_common.c index 50d6177d..86b3372e 100644 --- a/roaming_common.c +++ b/roaming_common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_common.c,v 1.10 2013/07/12 00:19:59 djm Exp $ */ +/* $OpenBSD: roaming_common.c,v 1.11 2013/11/03 10:37:19 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -49,7 +49,7 @@ int roaming_enabled = 0; int resume_in_progress = 0; int -get_snd_buf_size() +get_snd_buf_size(void) { int fd = packet_get_connection_out(); int optval; @@ -61,7 +61,7 @@ get_snd_buf_size() } int -get_recv_buf_size() +get_recv_buf_size(void) { int fd = packet_get_connection_in(); int optval; -- cgit v1.2.1 From 9f64bcfe080ad9529f9e16cef9e8822380c0abb8 Mon Sep 17 00:00:00 2001 
From: djm Date: Mon, 4 Nov 2013 11:59:28 +0000 Subject: - (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from KEX/curve25519 change --- kexc25519.c | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ kexc25519c.c | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ kexc25519s.c | 123 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 378 insertions(+) create mode 100644 kexc25519.c create mode 100644 kexc25519c.c create mode 100644 kexc25519s.c diff --git a/kexc25519.c b/kexc25519.c new file mode 100644 index 00000000..348a7d50 --- /dev/null +++ b/kexc25519.c 
@@ -0,0 +1,127 @@ +/* $OpenBSD: kexc25519.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */ +/* + * Copyright (c) 2001, 2013 Markus Friedl. All rights reserved. + * Copyright (c) 2010 Damien Miller. All rights reserved. + * Copyright (c) 2013 Aris Adamantiadis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "includes.h" + +#include + +#include +#include + +#include +#include + +#include "buffer.h" +#include "ssh2.h" +#include "key.h" +#include "cipher.h" +#include "kex.h" +#include "log.h" + +extern int crypto_scalarmult_curve25519(u_char a[CURVE25519_SIZE], + const u_char b[CURVE25519_SIZE], const u_char c[CURVE25519_SIZE]) + __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 3, CURVE25519_SIZE))); + +void +kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE]) +{ + static const u_char basepoint[CURVE25519_SIZE] = {9}; + + arc4random_buf(key, CURVE25519_SIZE); + crypto_scalarmult_curve25519(pub, key, basepoint); +} + +BIGNUM * +kexc25519_shared_key(const u_char key[CURVE25519_SIZE], + const u_char pub[CURVE25519_SIZE]) +{ + u_char shared_key[CURVE25519_SIZE]; + BIGNUM *shared_secret; + + crypto_scalarmult_curve25519(shared_key, key, pub); +#ifdef DEBUG_KEXECDH + dump_digest("shared secret", shared_key, CURVE25519_SIZE); +#endif + if ((shared_secret = BN_new()) == NULL) + fatal("%s: BN_new failed", __func__); + if (BN_bin2bn(shared_key, sizeof(shared_key), shared_secret) == NULL) + fatal("%s: BN_bin2bn failed", __func__); + memset(shared_key, 0, CURVE25519_SIZE); /* XXX explicit_bzero() */ + return (shared_secret); +} + +void +kex_c25519_hash( + const EVP_MD *evp_md, + char *client_version_string, + char *server_version_string, + char *ckexinit, int ckexinitlen, + char *skexinit, int skexinitlen, + u_char *serverhostkeyblob, int sbloblen, + const u_char client_dh_pub[CURVE25519_SIZE], + const u_char server_dh_pub[CURVE25519_SIZE], + const BIGNUM *shared_secret, + u_char **hash, u_int *hashlen) +{ + Buffer b; + EVP_MD_CTX md; + static u_char digest[EVP_MAX_MD_SIZE]; + + buffer_init(&b); + buffer_put_cstring(&b, client_version_string); + buffer_put_cstring(&b, server_version_string); + + /* kexinit messages: fake 
header: len+SSH2_MSG_KEXINIT */ + buffer_put_int(&b, ckexinitlen+1); + buffer_put_char(&b, SSH2_MSG_KEXINIT); + buffer_append(&b, ckexinit, ckexinitlen); + buffer_put_int(&b, skexinitlen+1); + buffer_put_char(&b, SSH2_MSG_KEXINIT); + buffer_append(&b, skexinit, skexinitlen); + + buffer_put_string(&b, serverhostkeyblob, sbloblen); + buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE); + buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE); + buffer_put_bignum2(&b, shared_secret); + +#ifdef DEBUG_KEX + buffer_dump(&b); +#endif + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); + EVP_DigestFinal(&md, digest, NULL); + + buffer_free(&b); + +#ifdef DEBUG_KEX + dump_digest("hash", digest, EVP_MD_size(evp_md)); +#endif + *hash = digest; + *hashlen = EVP_MD_size(evp_md); +} diff --git a/kexc25519c.c b/kexc25519c.c new file mode 100644 index 00000000..f741566c --- /dev/null +++ b/kexc25519c.c 
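Review bot: `kexc25519_shared_key()` accepts whatever `crypto_scalarmult_curve25519()` produces, including the all-zero output that results when the peer supplies a low-order public point, so session keys can end up derived from a value that does not depend on this side's private scalar. A guard such as `static const u_char zero[CURVE25519_SIZE];` plus `if (timingsafe_bcmp(shared_key, zero, sizeof(shared_key)) == 0) fatal("%s: invalid shared secret", __func__);` before the `BN_bin2bn()` call rejects that case. The `memset()` that clears `shared_key` already carries the author's XXX about `explicit_bzero()`, but on the two `fatal()` paths above it the buffer is not cleared at all — clearing before the BIGNUM checks, or on every exit, would close that gap. `kex_c25519_hash()` hands back a pointer into a function-scope `static` digest buffer that the callers copy into `session_id`; a comment on the function stating that the result is only valid until the next call would make that contract explicit.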
@@ -0,0 +1,128 @@ +/* $OpenBSD: kexc25519c.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2010 Damien Miller. All rights reserved. + * Copyright (c) 2013 Aris Adamantiadis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "includes.h" + +#include + +#include +#include +#include + +#include "xmalloc.h" +#include "buffer.h" +#include "key.h" +#include "cipher.h" +#include "kex.h" +#include "log.h" +#include "packet.h" +#include "ssh2.h" + +void +kexc25519_client(Kex *kex) +{ + BIGNUM *shared_secret; + Key *server_host_key; + u_char client_key[CURVE25519_SIZE]; + u_char client_pubkey[CURVE25519_SIZE]; + u_char *server_pubkey = NULL; + u_char *server_host_key_blob = NULL, *signature = NULL; + u_char *hash; + u_int slen, sbloblen, hashlen; + + kexc25519_keygen(client_key, client_pubkey); + + packet_start(SSH2_MSG_KEX_ECDH_INIT); + packet_put_string(client_pubkey, sizeof(client_pubkey)); + packet_send(); + debug("sending SSH2_MSG_KEX_ECDH_INIT"); + +#ifdef DEBUG_KEXECDH + dump_digest("client private key:", client_key, sizeof(client_key)); +#endif + + debug("expecting SSH2_MSG_KEX_ECDH_REPLY"); + packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY); + + /* hostkey */ + server_host_key_blob = packet_get_string(&sbloblen); + server_host_key = key_from_blob(server_host_key_blob, sbloblen); + if (server_host_key == NULL) + fatal("cannot decode server_host_key_blob"); + if (server_host_key->type != kex->hostkey_type) + fatal("type mismatch for decoded server_host_key_blob"); + if (kex->verify_host_key == NULL) + fatal("cannot verify server_host_key"); + if (kex->verify_host_key(server_host_key) == -1) + fatal("server_host_key verification failed"); + + /* Q_S, server public key */ + server_pubkey = packet_get_string(&slen); + if (slen != CURVE25519_SIZE) + fatal("Incorrect size for server Curve25519 pubkey: %d", slen); + +#ifdef DEBUG_KEXECDH + dump_digest("server public key:", server_pubkey, CURVE25519_SIZE); +#endif + + /* signed H */ + signature = packet_get_string(&slen); + packet_check_eom(); + + shared_secret = kexc25519_shared_key(client_key, server_pubkey); + + /* calc and verify H */ + kex_c25519_hash( + kex->evp_md, + kex->client_version_string, + kex->server_version_string, + 
buffer_ptr(&kex->my), buffer_len(&kex->my), + buffer_ptr(&kex->peer), buffer_len(&kex->peer), + server_host_key_blob, sbloblen, + client_pubkey, + server_pubkey, + shared_secret, + &hash, &hashlen + ); + free(server_host_key_blob); + free(server_pubkey); + if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) + fatal("key_verify failed for server_host_key"); + key_free(server_host_key); + free(signature); + + /* save session id */ + if (kex->session_id == NULL) { + kex->session_id_len = hashlen; + kex->session_id = xmalloc(kex->session_id_len); + memcpy(kex->session_id, hash, kex->session_id_len); + } + + kex_derive_keys(kex, hash, hashlen, shared_secret); + BN_clear_free(shared_secret); + kex_finish(kex); +} diff --git a/kexc25519s.c b/kexc25519s.c new file mode 100644 index 00000000..784841b8 --- /dev/null +++ b/kexc25519s.c 
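Review bot: `client_key`, the ephemeral private scalar, is never cleared: after `kexc25519_shared_key(client_key, server_pubkey)` its 32 bytes stay on the stack for the rest of `kexc25519_client()`, whereas `shared_secret` gets `BN_clear_free()`; a `memset(client_key, 0, sizeof(client_key));` right after the shared-key call (with the same `/* XXX explicit_bzero() */` caveat the sibling file uses) treats both secrets alike, and `server_key` in kexc25519s.c needs the same. The `fatal("Incorrect size for server Curve25519 pubkey: %d", slen)` string formats a `u_int` with `%d`; `%u` is the matching conversion, and the copy in kexc25519s.c is checking the client's key yet still says "server". `signature` is read with `packet_get_string(&slen)` into the variable that was just validated as the pubkey length, which is correct but a separate name would make the later `key_verify(..., signature, slen, ...)` easier to audit.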
@@ -0,0 +1,123 @@ +/* $OpenBSD: kexc25519s.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2010 Damien Miller. All rights reserved. + * Copyright (c) 2013 Aris Adamantiadis. All rights reserved. + * + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "includes.h" + +#include +#include +#include + +#include "xmalloc.h" +#include "buffer.h" +#include "key.h" +#include "cipher.h" +#include "kex.h" +#include "log.h" +#include "packet.h" +#include "ssh2.h" + +void +kexc25519_server(Kex *kex) +{ + BIGNUM *shared_secret; + Key *server_host_private, *server_host_public; + u_char *server_host_key_blob = NULL, *signature = NULL; + u_char server_key[CURVE25519_SIZE]; + u_char *client_pubkey = NULL; + u_char server_pubkey[CURVE25519_SIZE]; + u_char *hash; + u_int slen, sbloblen, hashlen; + + /* generate private key */ + kexc25519_keygen(server_key, server_pubkey); +#ifdef DEBUG_KEXECDH + dump_digest("server private key:", server_key, sizeof(server_key)); +#endif + + if (kex->load_host_public_key == NULL || + kex->load_host_private_key == NULL) + fatal("Cannot load hostkey"); + server_host_public = kex->load_host_public_key(kex->hostkey_type); + if (server_host_public == NULL) + fatal("Unsupported hostkey type %d", kex->hostkey_type); + server_host_private = kex->load_host_private_key(kex->hostkey_type); + + debug("expecting SSH2_MSG_KEX_ECDH_INIT"); + packet_read_expect(SSH2_MSG_KEX_ECDH_INIT); + client_pubkey = packet_get_string(&slen); + if (slen != CURVE25519_SIZE) + fatal("Incorrect size for server Curve25519 pubkey: %d", slen); + packet_check_eom(); + +#ifdef DEBUG_KEXECDH + dump_digest("client public key:", client_pubkey, CURVE25519_SIZE); +#endif + + shared_secret = kexc25519_shared_key(server_key, client_pubkey); + + /* calc H */ + key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); + kex_c25519_hash( + kex->evp_md, + kex->client_version_string, + kex->server_version_string, + buffer_ptr(&kex->peer), buffer_len(&kex->peer), + buffer_ptr(&kex->my), buffer_len(&kex->my), + server_host_key_blob, sbloblen, + client_pubkey, + server_pubkey, + shared_secret, + &hash, &hashlen + ); + + /* save session id := H */ + if (kex->session_id == NULL) { + kex->session_id_len = hashlen; + 
kex->session_id = xmalloc(kex->session_id_len); + memcpy(kex->session_id, hash, kex->session_id_len); + } + + /* sign H */ + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); + + /* destroy_sensitive_data(); */ + + /* send server hostkey, ECDH pubkey 'Q_S' and signed H */ + packet_start(SSH2_MSG_KEX_ECDH_REPLY); + packet_put_string(server_host_key_blob, sbloblen); + packet_put_string(server_pubkey, sizeof(server_pubkey)); + packet_put_string(signature, slen); + packet_send(); + + free(signature); + free(server_host_key_blob); + /* have keys, free server key */ + free(client_pubkey); + kex_derive_keys(kex, hash, hashlen, shared_secret); + BN_clear_free(shared_secret); + kex_finish(kex); +} -- cgit v1.2.1 -- cgit v1.2.1 From bd98cd67842f51b5a7d389903e40b6bd6516d3e7 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 7 Nov 2013 02:28:16 +0000 Subject: - (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms that lack it but have arc4random_uniform() --- defines.h | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/defines.h b/defines.h index d5ce52f3..b014f349 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.172 2013/06/01 21:18:48 dtucker Exp $ */ +/* $Id: defines.h,v 1.174 2013/11/07 02:28:16 djm Exp $ */ /* Constants */ @@ -269,6 +269,14 @@ typedef unsigned long long int u_int64_t; # endif #endif +#ifndef HAVE_INTMAX_T +typedef long long intmax_t; +#endif + +#ifndef HAVE_UINTMAX_T +typedef unsigned long long uintmax_t; +#endif + #ifndef HAVE_U_CHAR typedef unsigned char u_char; # define HAVE_U_CHAR 
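Review bot: The size check after `SSH2_MSG_KEX_ECDH_INIT` reports the wrong party and uses the wrong conversion: `fatal("Incorrect size for server Curve25519 pubkey: %d", slen);` is testing `client_pubkey`, and `slen` is `u_int`, so it should read `fatal("Incorrect size for client Curve25519 pubkey: %u", slen);` (the client-side check in kexc25519c.c above has the same `%d` for a `u_int`). The ephemeral scalar `server_key` is still on the stack when the function returns: `BN_clear_free(shared_secret)` wipes the shared secret but nothing clears the private key, and the commented-out `/* destroy_sensitive_data(); */` suggests that was intended. Clearing it with a memset the compiler cannot elide (explicit_bzero() where available) once `kexc25519_shared_key()` has run would close that gap, and the same applies to `client_key` on the client side.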
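Review bot: `# define arc4random_stir()` in the -802 hunk and the `#ifndef HAVE_INTMAX_T` / `#ifndef HAVE_UINTMAX_T` typedefs in the -269 hunk depend on configure symbols this commit does not add — the diffstat lists only defines.h although the subject names configure.ac, and the `arc4random_stir` and `AC_CHECK_TYPES([intmax_t, uintmax_t]...)` checks only appear in the later configure.ac commit further down this page. Built from this revision alone, `HAVE_ARC4RANDOM_STIR` is never defined, so every `arc4random_stir()` call becomes a no-op on any platform that has `arc4random()` and `arc4random_uniform()`, which matters should a platform's generator still rely on an explicit reseed; and `typedef long long intmax_t;` can collide with a system `<stdint.h>` that already defines it as a different type. A one-line comment above the macro, `/* HAVE_ARC4RANDOM_STIR comes from AC_CHECK_FUNCS in configure.ac */`, would at least record the coupling.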
@@ -802,4 +810,13 @@ struct winsize {
 # endif
 #endif
+/*
+ * Platforms that have arc4random_uniform() and not arc4random_stir()
+ * shouldn't need the latter.
+ */
+#if defined(HAVE_ARC4RANDOM) && defined(HAVE_ARC4RANDOM_UNIFORM) && \
+ !defined(HAVE_ARC4RANDOM_STIR)
+# define arc4random_stir()
+#endif
+
 #endif /* _DEFINES_H */
-- cgit v1.2.1
From 1ec6213b0df778868743aa0b3f333b75155e9ea8 Mon Sep 17 00:00:00 2001
From: djm
Date: Thu, 7 Nov 2013 02:32:52 +0000
Subject: - markus@cvs.openbsd.org 2013/11/04 11:51:16 [monitor.c] fix rekeying for KEX_C25519_SHA256; noted by dtucker@ RCSID sync only; I thought this was a merge botch and fixed it already
---
 monitor.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/monitor.c b/monitor.c
index 44dff98c..03baf1ea 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.127 2013/07/19 07:37:48 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.128 2013/11/04 11:51:16 markus Exp $ */
 /*
 * Copyright 2002 Niels Provos
 * Copyright 2002 Markus Friedl
@@ -1855,6 +1855,7 @@ mm_get_kex(Buffer *m)
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);
 kex->kex_type = buffer_get_int(m);
-- cgit v1.2.1
From feb47ba5a55e970ec3e02bf0f60ff3786dccd8aa Mon Sep 17 00:00:00 2001
From: djm
Date: Thu, 7 Nov 2013 02:38:36 +0000
Subject: - djm@cvs.openbsd.org 2013/11/06 23:05:59 [ssh-pkcs11.c] from portable: s/true/true_val/ to avoid name collisions on dump platforms RCSID sync only
---
 ssh-pkcs11.c | 136 ++++++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 101 insertions(+), 35 deletions(-)
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 618c0752..9941e94e 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.8 2013/07/12 00:20:00 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.10 2013/11/06 23:05:59 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -31,6 +31,8 @@ #include "openbsd-compat/sys-queue.h" +#include + #define CRYPTOKI_COMPAT #include "pkcs11.h" @@ -225,7 +227,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, CK_OBJECT_HANDLE obj; CK_ULONG tlen = 0; CK_RV rv; - CK_OBJECT_CLASS private_key_class = CKO_PRIVATE_KEY; + CK_OBJECT_CLASS private_key_class = CKO_PRIVATE_KEY; CK_BBOOL true_val = CK_TRUE; CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 @@ -238,8 +240,6 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, char *pin, prompt[1024]; int rval = -1; - /* some compilers complain about non-constant initializer so we - use NULL in CK_ATTRIBUTE above and set the values here */ key_filter[0].pValue = &private_key_class; key_filter[2].pValue = &true_val; 
@@ -384,36 +384,75 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) * add 'wrapped' public keys to the 'keysp' array and increment nkeys. * keysp points to an (possibly empty) array with *nkeys keys. */ +static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG, + CK_ATTRIBUTE [], CK_ATTRIBUTE [3], Key ***, int *) + __attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE)))); + static int -pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, - int *nkeys) +pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, + Key ***keysp, int *nkeys) { - Key *key; - RSA *rsa; - int i; - CK_RV rv; - CK_OBJECT_HANDLE obj; - CK_ULONG nfound; - CK_SESSION_HANDLE session; - CK_FUNCTION_LIST *f; - CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; + CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; + CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE; CK_ATTRIBUTE pubkey_filter[] = { { CKA_CLASS, NULL, sizeof(pubkey_class) } }; - CK_ATTRIBUTE attribs[] = { + CK_ATTRIBUTE cert_filter[] = { + { CKA_CLASS, NULL, sizeof(cert_class) } + }; + CK_ATTRIBUTE pubkey_attribs[] = { { CKA_ID, NULL, 0 }, { CKA_MODULUS, NULL, 0 }, { CKA_PUBLIC_EXPONENT, NULL, 0 } }; - - /* some compilers complain about non-constant initializer so we - use NULL in CK_ATTRIBUTE above and set the value here */ + CK_ATTRIBUTE cert_attribs[] = { + { CKA_ID, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, + { CKA_VALUE, NULL, 0 } + }; pubkey_filter[0].pValue = &pubkey_class; + cert_filter[0].pValue = &cert_class; + + if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs, + keysp, nkeys) < 0 || + pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs, + keysp, nkeys) < 0) + return (-1); + return (0); +} + +static int +pkcs11_key_included(Key ***keysp, int *nkeys, Key *key) +{ + int i; + + for (i = 0; i < *nkeys; i++) + if (key_equal(key, *keysp[i])) + return (1); + return (0); +} + +static int +pkcs11_fetch_keys_filter(struct 
pkcs11_provider *p, CK_ULONG slotidx, + CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3], + Key ***keysp, int *nkeys) +{ + Key *key; + RSA *rsa; + X509 *x509; + EVP_PKEY *evp; + int i; + const u_char *cp; + CK_RV rv; + CK_OBJECT_HANDLE obj; + CK_ULONG nfound; + CK_SESSION_HANDLE session; + CK_FUNCTION_LIST *f; f = p->function_list; session = p->slotinfo[slotidx].session; /* setup a filter the looks for public keys */ - if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) { + if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) { error("C_FindObjectsInit failed: %lu", rv); return (-1); } 
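Review bot: `pkcs11_key_included()` indexes the wrong pointer: `keysp` is `Key ***`, so `*keysp[i]` parses as `*(keysp[i])` and steps past the single `Key **` the caller passed instead of walking the array it points to; for every `i > 0` the read is out of bounds and the comparison is against garbage. The loop should read `if (key_equal(key, (*keysp)[i]))`, matching the `(*keysp)[*nkeys] = key;` form used in the caller's next hunk. `pkcs11_fetch_keys_filter()` continues past the end of this hunk.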
@@ -441,32 +480,59 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, /* allocate buffers for attributes */ for (i = 0; i < 3; i++) attribs[i].pValue = xmalloc(attribs[i].ulValueLen); - /* retrieve ID, modulus and public exponent of RSA key */ + /* + * retrieve ID, modulus and public exponent of RSA key, + * or ID, subject and value for certificates. + */ + rsa = NULL; if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3)) != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); - } else if ((rsa = RSA_new()) == NULL) { - error("RSA_new failed"); + } else if (attribs[1].type == CKA_MODULUS ) { + if ((rsa = RSA_new()) == NULL) { + error("RSA_new failed"); + } else { + rsa->n = BN_bin2bn(attribs[1].pValue, + attribs[1].ulValueLen, NULL); + rsa->e = BN_bin2bn(attribs[2].pValue, + attribs[2].ulValueLen, NULL); + } } else { - rsa->n = BN_bin2bn(attribs[1].pValue, - attribs[1].ulValueLen, NULL); - rsa->e = BN_bin2bn(attribs[2].pValue, - attribs[2].ulValueLen, NULL); - if (rsa->n && rsa->e && - pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { - key = key_new(KEY_UNSPEC); - key->rsa = rsa; - key->type = KEY_RSA; - key->flags |= KEY_FLAG_EXT; + cp = attribs[2].pValue; + if ((x509 = X509_new()) == NULL) { + error("X509_new failed"); + } else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen) + == NULL) { + error("d2i_X509 failed"); + } else if ((evp = X509_get_pubkey(x509)) == NULL || + evp->type != EVP_PKEY_RSA || + evp->pkey.rsa == NULL) { + debug("X509_get_pubkey failed or no rsa"); + } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa)) + == NULL) { + error("RSAPublicKey_dup"); + } + if (x509) + X509_free(x509); + } + if (rsa && rsa->n && rsa->e && + pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { + key = key_new(KEY_UNSPEC); + key->rsa = rsa; + key->type = KEY_RSA; + key->flags |= KEY_FLAG_EXT; + if (pkcs11_key_included(keysp, nkeys, key)) { + key_free(key); + } else { /* expand key array and add key */ *keysp = xrealloc(*keysp, 
*nkeys + 1, sizeof(Key *)); (*keysp)[*nkeys] = key; *nkeys = *nkeys + 1; debug("have %d keys", *nkeys); - } else { - RSA_free(rsa); } + } else if (rsa) { + RSA_free(rsa); } for (i = 0; i < 3; i++) free(attribs[i].pValue); -- cgit v1.2.1 From f2e4f1cb0deb1bf4f6ca51016ad7a53ee98b20e6 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 7 Nov 2013 03:50:09 +0000 Subject: - djm@cvs.openbsd.org 2013/10/09 23:44:14 [regress/Makefile] (ID sync only) regression test for sftp request white/blacklisting and readonly mode. --- regress/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regress/Makefile b/regress/Makefile index 4c64b576..eca634a6 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $ +# $OpenBSD: Makefile,v 1.66 2013/10/09 23:44:14 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) -- cgit v1.2.1 From 9dcb66fae837f178afa2cfb02357b637fe82b4e9 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 7 Nov 2013 04:21:20 +0000 Subject: - dtucker@cvs.openbsd.org 2013/11/07 02:48:38 [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh] Use ssh -Q instead of hardcoding lists of ciphers or MACs. --- regress/cipher-speed.sh | 15 ++------------- regress/integrity.sh | 14 +++----------- regress/try-ciphers.sh | 22 +++------------------- 3 files changed, 8 insertions(+), 43 deletions(-) diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 489d9f5f..8ff9b322 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: cipher-speed.sh,v 1.10 2013/11/07 02:48:38 dtucker Exp $ # Placed in the Public Domain. tid="cipher speed" 
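Review bot: The `EVP_PKEY` returned by `X509_get_pubkey(x509)` is never released: `evp` is only read for `evp->type` and `evp->pkey.rsa` and then dropped, so each certificate object walked leaks one reference, since X509_get_pubkey() bumps the key's refcount and expects a matching `EVP_PKEY_free()`. Add `EVP_PKEY_free(evp);` beside the `X509_free(x509);` cleanup, and initialise `evp = NULL` at its declaration in the previous hunk so the free is unconditional even when `X509_new()` or `d2i_X509()` fails. The enclosing function starts in the previous hunk.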
@@ -11,18 +11,7 @@ getbytes () tries="1 2" -ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc - arcfour128 arcfour256 arcfour - aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se - aes128-ctr aes192-ctr aes256-ctr" -config_defined OPENSSL_HAVE_EVPGCM && \ - ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com - hmac-sha1-96 hmac-md5-96" -config_defined HAVE_EVP_SHA256 && \ - macs="$macs hmac-sha2-256 hmac-sha2-512" - -for c in $ciphers; do n=0; for m in $macs; do +for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do trace "proto 2 cipher $c mac $m" for x in $tries; do printf "%-60s" "$c/$m:" diff --git a/regress/integrity.sh b/regress/integrity.sh index 1d17fe10..de2b8d05 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.11 2013/11/07 02:48:38 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -8,18 +8,10 @@ tid="integrity" # XXX and ssh tries to read... tries=10 startoffset=2900 -macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com - hmac-sha1-96 hmac-md5-96 - hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com - umac-64-etm@openssh.com umac-128-etm@openssh.com - hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com" -config_defined HAVE_EVP_SHA256 && - macs="$macs hmac-sha2-256 hmac-sha2-512 - hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" +macs=`${SSH} -Q mac` # The following are not MACs, but ciphers with integrated integrity. They are # handled specially below. -config_defined OPENSSL_HAVE_EVPGCM && \ - macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" +macs="$macs `${SSH} -Q cipher | grep gcm@openssh.com`" # avoid DH group exchange as the extra traffic makes it harder to get the # offset into the stream right. 
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index e17c9f5e..48584329 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,27 +1,11 @@ -# $OpenBSD: try-ciphers.sh,v 1.20 2013/05/17 10:16:26 dtucker Exp $ +# $OpenBSD: try-ciphers.sh,v 1.21 2013/11/07 02:48:38 dtucker Exp $ # Placed in the Public Domain. tid="try ciphers" -ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc - arcfour128 arcfour256 arcfour - aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se - aes128-ctr aes192-ctr aes256-ctr" -config_defined OPENSSL_HAVE_EVPGCM && \ - ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com - hmac-sha1-96 hmac-md5-96 - hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com - umac-64-etm@openssh.com umac-128-etm@openssh.com - hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com - hmac-ripemd160-etm@openssh.com" -config_defined HAVE_EVP_SHA256 && - macs="$macs hmac-sha2-256 hmac-sha2-512 - hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" - -for c in $ciphers; do +for c in `${SSH} -Q cipher`; do n=0 - for m in $macs; do + for m in `${SSH} -Q mac`; do trace "proto 2 cipher $c mac $m" verbose "test $tid: proto 2 cipher $c mac $m" ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true -- cgit v1.2.1 From 0880dc8481ae68b2caa49cf88dec3306a1facfab Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 7 Nov 2013 04:32:37 +0000 Subject: - dtucker@cvs.openbsd.org 2013/11/07 04:26:56 [regress/kextype.sh] trailing space --- regress/kextype.sh | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/regress/kextype.sh b/regress/kextype.sh index 79c0817b..8c2ac09d 100644 --- a/regress/kextype.sh +++ b/regress/kextype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: kextype.sh,v 1.1 2010/09/22 12:26:05 djm Exp $ +# $OpenBSD: kextype.sh,v 1.4 2013/11/07 04:26:56 dtucker Exp $ # Placed in the Public Domain. tid="login with different key exchange algorithms" 
@@ -7,18 +7,8 @@ TIME=/usr/bin/time cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak -if test "$TEST_SSH_ECC" = "yes"; then - kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521" -fi -if test "$TEST_SSH_SHA256" = "yes"; then - kextypes="$kextypes diffie-hellman-group-exchange-sha256" -fi -kextypes="$kextypes diffie-hellman-group-exchange-sha1" -kextypes="$kextypes diffie-hellman-group14-sha1" -kextypes="$kextypes diffie-hellman-group1-sha1" - tries="1 2 3 4" -for k in $kextypes; do +for k in `${SSH} -Q kex`; do verbose "kex $k" for i in $tries; do ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true -- cgit v1.2.1 From c4560cad4faf6c0c415960bcf4f6f5770520fa30 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 7 Nov 2013 11:33:48 +0000 Subject: - (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment variable. It's no longer used now that we get the supported MACs from ssh -Q. --- Makefile.in | 9 ++++----- configure.ac | 17 ++++++++++------- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/Makefile.in b/Makefile.in index 92c95a92..242a9bd5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $ +# $Id: Makefile.in,v 1.343 2013/11/07 11:33:48 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -73,7 +73,8 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - jpake.o schnorr.o ssh-pkcs11.o krl.o + jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ + kexc25519.o kexc25519c.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ 
@@ -87,7 +88,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ - auth-krb5.o \ + kexc25519s.o auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ @@ -408,7 +409,6 @@ tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) TEST_SSH_CONCH="conch"; \ TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \ TEST_SSH_ECC="@TEST_SSH_ECC@" ; \ - TEST_SSH_SHA256="@TEST_SSH_SHA256@" ; \ cd $(srcdir)/regress || exit $$?; \ $(MAKE) \ .OBJDIR="$${BUILDDIR}/regress" \ @@ -431,7 +431,6 @@ tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \ TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \ TEST_SSH_ECC="$${TEST_SSH_ECC}" \ - TEST_SSH_SHA256="$${TEST_SSH_SHA256}" \ EXEEXT="$(EXEEXT)" \ $@ && echo all tests passed diff --git a/configure.ac b/configure.ac index 4a1b5033..31972cf9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.536 2013/08/04 11:48:41 dtucker Exp $ +# $Id: configure.ac,v 1.539 2013/11/07 11:33:48 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.536 $) +AC_REVISION($Revision: 1.539 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1528,6 +1528,7 @@ dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS([ \ arc4random \ arc4random_buf \ + arc4random_stir \ arc4random_uniform \ asprintf \ b64_ntop \ 
@@ -2436,16 +2437,13 @@ fi AC_CHECK_FUNCS([crypt DES_crypt]) # Search for SHA256 support in libc and/or OpenSSL -AC_CHECK_FUNCS([SHA256_Update EVP_sha256], - [TEST_SSH_SHA256=yes], - [TEST_SSH_SHA256=no - unsupported_algorithms="$unsupported_algorithms \ +AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , + [unsupported_algorithms="$unsupported_algorithms \ hmac-sha2-256 hmac-sha2-512 \ diffie-hellman-group-exchange-sha256 \ hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" ] ) -AC_SUBST([TEST_SSH_SHA256]) # Check complete ECC support in OpenSSL AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) @@ -3137,6 +3135,11 @@ if test "x$ac_cv_have_u_char" = "xyes" ; then AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type]) fi +AC_CHECK_TYPES([intmax_t, uintmax_t], , , [ +#include +#include +]) + TYPE_SOCKLEN_T AC_CHECK_TYPES([sig_atomic_t], , , [#include ]) -- cgit v1.2.1 From e75a88d4996edb1063d72dfe99077e5ed1a69247 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 8 Nov 2013 01:11:47 +0000 Subject: - dtucker@cvs.openbsd.org 2013/11/08 01:06:14 [regress/rekey.sh] Rekey less frequently during tests to speed them up --- regress/rekey.sh | 57 +++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 44 insertions(+), 13 deletions(-) diff --git a/regress/rekey.sh b/regress/rekey.sh index 8eb7efaf..6095da8d 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.12 2013/11/08 01:06:14 dtucker Exp $ # Placed in the Public Domain. tid="rekey" 
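Review bot: In the rewritten `AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , [unsupported_algorithms=...])` the action-if-not-found still runs once per listed function, so on a system missing both symbols the four SHA-2 names are appended to `unsupported_algorithms` twice. The removed form had the same shape, but since this hunk reshapes the call it is the moment to guard it — check the two functions separately, or append once after the macro based on `$ac_cv_func_EVP_sha256`.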
@@ -7,34 +7,65 @@ LOG=${TEST_SSH_LOGFILE} rm -f ${LOG} -for s in 16 1k 128k 256k; do - verbose "client rekeylimit ${s}" +# Test rekeying based on data volume only. +# Arguments will be passed to ssh. +ssh_data_rekeying() +{ rm -f ${COPY} ${LOG} - cat $DATA | \ - ${SSH} -oCompression=no -oRekeyLimit=$s \ - -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" + ${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \ + "cat > ${COPY}" if [ $? -ne 0 ]; then - fail "ssh failed" + fail "ssh failed ($@)" fi - cmp $DATA ${COPY} || fail "corrupted copy" + cmp ${DATA} ${COPY} || fail "corrupted copy ($@)" n=`grep 'NEWKEYS sent' ${LOG} | wc -l` n=`expr $n - 1` trace "$n rekeying(s)" if [ $n -lt 1 ]; then - fail "no rekeying occured" + fail "no rekeying occured ($@)" fi +} + +opts="" +for i in `${SSH} -Q kex`; do + opts="$opts KexAlgorithms=$i" +done +for i in `${SSH} -Q cipher`; do + opts="$opts Ciphers=$i" +done +for i in `${SSH} -Q mac`; do + opts="$opts MACs=$i" +done + +for opt in $opts; do + verbose "client rekey $opt" + ssh_data_rekeying -oRekeyLimit=256k -o$opt +done + +# GCM is magical so test with all KexAlgorithms +if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then + for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do + for kex in `${SSH} -Q kex`; do + verbose "client rekey $c $kex" + ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex + done + done +fi + +for s in 16 1k 128k 256k; do + verbose "client rekeylimit ${s}" + ssh_data_rekeying -oCompression=no -oRekeyLimit=$s done for s in 5 10; do verbose "client rekeylimit default ${s}" rm -f ${COPY} ${LOG} - cat $DATA | \ - ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ - $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3" + ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3" if [ $? 
-ne 0 ]; then fail "ssh failed" fi - cmp $DATA ${COPY} || fail "corrupted copy" + cmp ${DATA} ${COPY} || fail "corrupted copy" n=`grep 'NEWKEYS sent' ${LOG} | wc -l` n=`expr $n - 1` trace "$n rekeying(s)" -- cgit v1.2.1 From 002e7373dbfc9a4d37fcff973ad3b4caa0936ace Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 8 Nov 2013 01:16:50 +0000 Subject: - dtucker@cvs.openbsd.org 2013/11/07 11:58:27 [cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c] Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@ --- cipher.c | 8 ++++---- cipher.h | 4 ++-- kex.c | 7 ++++--- kex.h | 21 +++++++++++++++++++-- mac.c | 8 ++++---- mac.h | 4 ++-- servconf.c | 9 ++++++--- ssh.c | 8 ++++---- 8 files changed, 45 insertions(+), 24 deletions(-) diff --git a/cipher.c b/cipher.c index a2cbe2be..54315f48 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.90 2013/11/07 11:58:27 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -100,9 +100,9 @@ static const struct Cipher ciphers[] = { /*--*/ -/* Returns a comma-separated list of supported ciphers. */ +/* Returns a list of supported ciphers separated by the specified char. */ char * -cipher_alg_list(void) +cipher_alg_list(char sep) { char *ret = NULL; size_t nlen, rlen = 0; @@ -112,7 +112,7 @@ cipher_alg_list(void) if (c->number != SSH_CIPHER_SSH2) continue; if (ret != NULL) - ret[rlen++] = '\n'; + ret[rlen++] = sep; nlen = strlen(c->name); ret = xrealloc(ret, 1, rlen + nlen + 2); memcpy(ret + rlen, c->name, nlen + 1); diff --git a/cipher.h b/cipher.h index b878d50f..46502348 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.40 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: cipher.h,v 1.41 2013/11/07 11:58:27 dtucker Exp $ */ /* * Author: Tatu Ylonen 
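Review bot: `ssh_data_rekeying()` expands its arguments unquoted — `$@` in the `${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost` line and inside the three `fail "... ($@)"` messages — so an argument containing whitespace would be re-split, and `"($@)"` with two or more arguments hands `fail` several words rather than one message; use `"$@"` on the ssh line and `"$*"` in the messages. The function already passes `-oCompression=no`, so `ssh_data_rekeying -oCompression=no -oRekeyLimit=$s` in the rekeylimit loop sends it twice; `ssh_data_rekeying -oRekeyLimit=$s` is enough.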
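Review bot: The new header comment on `cipher_alg_list(char sep)` still leaves the ownership of the result undocumented: the body builds it with `xrealloc()` and, from `char *ret = NULL;` and the `if (ret != NULL)` guard, appears to hand back NULL when no SSH2 cipher matches, both of which callers need to know now that servconf.c consumes it. Suggest `/* Returns the supported ciphers separated by sep in a string the caller must free(); NULL if there are none. */`, and the same wording for `mac_alg_list()` and `kex_alg_list()` in the mac.c and kex.c hunks below.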
@@ -75,7 +75,7 @@ const Cipher *cipher_by_number(int); int cipher_number(const char *); char *cipher_name(int); int ciphers_valid(const char *); -char *cipher_alg_list(void); +char *cipher_alg_list(char); void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int, const u_char *, u_int, int); void cipher_crypt(CipherContext *, u_char *, const u_char *, diff --git a/kex.c b/kex.c index 54bd1a43..0b139dc6 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.91 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.93 2013/11/07 11:58:27 dtucker Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -80,11 +80,12 @@ static const struct kexalg kexalgs[] = { { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, #endif + { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, EVP_sha256 }, { NULL, -1, -1, NULL}, }; char * -kex_alg_list(void) +kex_alg_list(char sep) { char *ret = NULL; size_t nlen, rlen = 0; @@ -92,7 +93,7 @@ kex_alg_list(void) for (k = kexalgs; k->name != NULL; k++) { if (ret != NULL) - ret[rlen++] = '\n'; + ret[rlen++] = sep; nlen = strlen(k->name); ret = xrealloc(ret, 1, rlen + nlen + 2); memcpy(ret + rlen, k->name, nlen + 1); diff --git a/kex.h b/kex.h index 9f1e1adb..800a6923 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.56 2013/07/19 07:37:48 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.58 2013/11/07 11:58:27 dtucker Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -43,6 +43,7 @@ #define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256" #define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384" #define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521" +#define KEX_CURVE25519_SHA256 "curve25519-sha256@libssh.org" #define COMP_NONE 0 #define COMP_ZLIB 1 @@ -74,6 +75,7 @@ enum kex_exchange { KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA256, KEX_ECDH_SHA2, + KEX_C25519_SHA256, KEX_MAX }; 
@@ -144,7 +146,7 @@ struct Kex { }; int kex_names_valid(const char *); -char *kex_alg_list(void); +char *kex_alg_list(char); Kex *kex_setup(char *[PROPOSAL_MAX]); void kex_finish(Kex *); @@ -161,6 +163,8 @@ void kexgex_client(Kex *); void kexgex_server(Kex *); void kexecdh_client(Kex *); void kexecdh_server(Kex *); +void kexc25519_client(Kex *); +void kexc25519_server(Kex *); void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, @@ -175,6 +179,19 @@ kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, char *, int, u_char *, int, const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char **, u_int *); #endif +void +kex_c25519_hash(const EVP_MD *, char *, char *, char *, int, + char *, int, u_char *, int, const u_char *, const u_char *, + const BIGNUM *, u_char **, u_int *); + +#define CURVE25519_SIZE 32 +void kexc25519_keygen(u_char[CURVE25519_SIZE], u_char[CURVE25519_SIZE]) + __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); +BIGNUM *kexc25519_shared_key(const u_char[CURVE25519_SIZE], + const u_char[CURVE25519_SIZE]) + __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); void derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); diff --git a/mac.c b/mac.c index c4dfb501..c71b6a74 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.24 2013/06/03 00:03:18 dtucker Exp $ */ +/* $OpenBSD: mac.c,v 1.25 2013/11/07 11:58:27 dtucker Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -91,9 +91,9 @@ static const struct macalg macs[] = { { NULL, 0, NULL, 0, 0, 0, 0 } }; -/* Returns a comma-separated list of supported MACs. */ +/* Returns a list of supported MACs separated by the specified char. */ char * -mac_alg_list(void) +mac_alg_list(char sep) { char *ret = NULL; size_t nlen, rlen = 0; 
@@ -101,7 +101,7 @@ mac_alg_list(void) for (m = macs; m->name != NULL; m++) { if (ret != NULL) - ret[rlen++] = '\n'; + ret[rlen++] = sep; nlen = strlen(m->name); ret = xrealloc(ret, 1, rlen + nlen + 2); memcpy(ret + rlen, m->name, nlen + 1); diff --git a/mac.h b/mac.h index 260798ab..fbe18c46 100644 --- a/mac.h +++ b/mac.h @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.h,v 1.7 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: mac.h,v 1.8 2013/11/07 11:58:27 dtucker Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -24,7 +24,7 @@ */ int mac_valid(const char *); -char *mac_alg_list(void); +char *mac_alg_list(char); int mac_setup(Mac *, char *); int mac_init(Mac *); u_char *mac_compute(Mac *, u_int32_t, u_char *, int); diff --git a/servconf.c b/servconf.c index 0f1bdd09..3593223f 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.244 2013/10/29 09:48:02 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.245 2013/11/07 11:58:27 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -2037,8 +2037,9 @@ dump_config(ServerOptions *o) /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sXAuthLocation, o->xauth_location); - dump_cfg_string(sCiphers, o->ciphers); - dump_cfg_string(sMacs, o->macs); + dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : + cipher_alg_list(',')); + dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(',')); dump_cfg_string(sBanner, o->banner); dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sChrootDirectory, o->chroot_directory); 
@@ -2050,6 +2051,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); dump_cfg_string(sHostKeyAgent, o->host_key_agent); + dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : + kex_alg_list(',')); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff --git a/ssh.c b/ssh.c index ef94591b..e2c43634 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.391 2013/10/25 23:04:51 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.392 2013/11/07 11:58:27 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -520,11 +520,11 @@ main(int ac, char **av) case 'Q': /* deprecated */ cp = NULL; if (strcasecmp(optarg, "cipher") == 0) - cp = cipher_alg_list(); + cp = cipher_alg_list('\n'); else if (strcasecmp(optarg, "mac") == 0) - cp = mac_alg_list(); + cp = mac_alg_list('\n'); else if (strcasecmp(optarg, "kex") == 0) - cp = kex_alg_list(); + cp = kex_alg_list('\n'); else if (strcasecmp(optarg, "key") == 0) cp = key_alg_list(); if (cp == NULL) -- cgit v1.2.1 From 515f4906729d2aad60d0eaa6f3b0cacb800364e6 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 8 Nov 2013 05:48:13 +0000 Subject: - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers following release. --- ChangeLog | 108 +++++++++++++++++++++++++++++++++++++++++++ README | 4 +- contrib/caldera/openssh.spec | 4 +- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 5 files changed, 114 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index b4c02856..753ad2be 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,111 @@ +20131108 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/08 01:06:14 + [regress/rekey.sh] + Rekey less frequently during tests to speed them up + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/07 11:58:27 + [cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c] + Output the effective values of Ciphers, MACs and KexAlgorithms when + the default has not been overridden. ok markus@ + - djm@cvs.openbsd.org 2013/11/08 00:39:15 + [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c] + [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c] + [sftp-client.c sftp-glob.c] + use calloc for all structure allocations; from markus@ + - djm@cvs.openbsd.org 2013/11/08 01:38:11 + [version.h] + openssh-6.4 + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update version numbers following release. + +20131107 + - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) + that got lost in recent merge. + - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff + - (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these + - (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms + that lack it but have arc4random_uniform() + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2013/11/04 11:51:16 + [monitor.c] + fix rekeying for KEX_C25519_SHA256; noted by dtucker@ + RCSID sync only; I thought this was a merge botch and fixed it already + - markus@cvs.openbsd.org 2013/11/06 16:52:11 + [monitor_wrap.c] + fix rekeying for AES-GCM modes; ok deraadt + - djm@cvs.openbsd.org 2013/11/06 23:05:59 + [ssh-pkcs11.c] + from portable: s/true/true_val/ to avoid name collisions on dump platforms + RCSID sync only + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/09 23:44:14 + [regress/Makefile] (ID sync only) + regression test for sftp request white/blacklisting and readonly mode. 
+ - markus@cvs.openbsd.org 2013/11/02 22:39:53 + [regress/kextype.sh] + add curve25519-sha256@libssh.org + - dtucker@cvs.openbsd.org 2013/11/04 12:27:42 + [regress/rekey.sh] + Test rekeying with all KexAlgorithms. + - dtucker@cvs.openbsd.org 2013/11/07 00:12:05 + [regress/rekey.sh] + Test rekeying for every Cipher, MAC and KEX, plus test every KEX with + the GCM ciphers. + - dtucker@cvs.openbsd.org 2013/11/07 01:12:51 + [regress/rekey.sh] + Factor out the data transfer rekey tests + - dtucker@cvs.openbsd.org 2013/11/07 02:48:38 + [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh] + Use ssh -Q instead of hardcoding lists of ciphers or MACs. + - dtucker@cvs.openbsd.org 2013/11/07 03:55:41 + [regress/kextype.sh] + Use ssh -Q to get kex types instead of a static list. + - dtucker@cvs.openbsd.org 2013/11/07 04:26:56 + [regress/kextype.sh] + trailing space + - (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment + variable. It's no longer used now that we get the supported MACs from + ssh -Q. 
+ +20131104 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2013/11/02 20:03:54 + [ssh-pkcs11.c] + support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys; + fixes bz#1908; based on patch from Laurent Barbe; ok djm + - markus@cvs.openbsd.org 2013/11/02 21:59:15 + [kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] + use curve25519 for default key exchange (curve25519-sha256@libssh.org); + initial patch from Aris Adamantiadis; ok djm@ + - markus@cvs.openbsd.org 2013/11/02 22:10:15 + [kexdhs.c kexecdhs.c] + no need to include monitor_wrap.h + - markus@cvs.openbsd.org 2013/11/02 22:24:24 + [kexdhs.c kexecdhs.c] + no need to include ssh-gss.h + - markus@cvs.openbsd.org 2013/11/02 22:34:01 + [auth-options.c] + no need to include monitor_wrap.h and ssh-gss.h + - markus@cvs.openbsd.org 2013/11/02 22:39:19 + [ssh_config.5 sshd_config.5] + the default kex is now curve25519-sha256@libssh.org + - djm@cvs.openbsd.org 2013/11/03 10:37:19 + [roaming_common.c] + fix a couple of function definitions foo() -> foo(void) + (-Wold-style-definition) + - (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from + KEX/curve25519 change + +20131103 + - (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep. + From OpenSMTPD where it prevents "implicit declaration" warnings (it's + a no-op in OpenSSH). From chl at openbsd. + - (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd + vsnprintf. From eric at openbsd via chl@. + - (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t + for platforms that don't have them. + 20131030 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/10/29 09:42:11 diff --git a/README b/README index ece2dba1..41a97fdc 100644 --- a/README +++ b/README 
@@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-6.3 for the release notes. +See http://www.openssh.com/txt/release-6.4 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.83 2013/07/25 02:34:00 djm Exp $ +$Id: README,v 1.84 2013/11/08 05:48:13 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index b460bfff..c483692a 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 6.3p1 +%define version 6.4p1 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.80 2013/07/25 02:34:00 djm Exp $ +$Id: openssh.spec,v 1.81 2013/11/08 05:48:15 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index d1191f4e..29a38ded 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 6.3p1 +%define ver 6.4p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 2866039d..3a612bd2 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 6.3p1 +Version: 6.4p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.1 From 5dd26c5124c1e05ed2eb6de1b8edcac845312c38 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 8 Nov 2013 07:54:38 +0000 Subject: - (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of arc4random_stir for platforms that have arc4random but don't have arc4random_stir (right now this is only OpenBSD -current). --- ChangeLog | 3 +++ openbsd-compat/openbsd-compat.h | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 753ad2be..08bfbef9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ openssh-6.4 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers following release. + - (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of + arc4random_stir for platforms that have arc4random but don't have + arc4random_stir (right now this is only OpenBSD -current). 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 392fa38d..cb007f01 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.58 2013/06/05 22:30:21 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.59 2013/11/08 07:54:39 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -161,9 +161,13 @@ int writev(int, struct iovec *, int); #ifndef HAVE_GETPEEREID int getpeereid(int , uid_t *, gid_t *); -#endif +#endif -#ifndef HAVE_ARC4RANDOM +#ifdef HAVE_ARC4RANDOM +# ifndef HAVE_ARC4RANDOM_STIR +# define arc4random_stir() +# endif +#else unsigned int arc4random(void); void arc4random_stir(void); #endif /* !HAVE_ARC4RANDOM */ -- cgit v1.2.1 From feecc51700f5057335ae76d2fb447f7b722d895f Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 8 Nov 2013 08:50:32 +0000 Subject: - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have EVP_sha256. --- ChangeLog | 2 ++ kex.c | 2 ++ 2 files changed, 4 insertions(+) 
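Review bot: The trailing comment on the closing `#endif /* !HAVE_ARC4RANDOM */` is now wrong, because the block it closes was changed from `#ifndef HAVE_ARC4RANDOM` to `#ifdef HAVE_ARC4RANDOM`; it should read `#endif /* HAVE_ARC4RANDOM */`. The empty function-like `# define arc4random_stir()` works for statement-style calls, but a one-line comment stating why the call is a no-op would help the next reader, e.g. `/* platform has arc4random but no arc4random_stir: make stirring a no-op */`.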
diff --git a/ChangeLog b/ChangeLog index 08bfbef9..1c236246 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,8 @@ - (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of arc4random_stir for platforms that have arc4random but don't have arc4random_stir (right now this is only OpenBSD -current). + - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have + EVP_sha256. 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) diff --git a/kex.c b/kex.c index 0b139dc6..59cb448c 100644 --- a/kex.c +++ b/kex.c @@ -80,7 +80,9 @@ static const struct kexalg kexalgs[] = { { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, #endif +#ifdef HAVE_EVP_SHA256 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, EVP_sha256 }, +#endif { NULL, -1, -1, NULL}, }; -- cgit v1.2.1 From 2b43449dba17597d56b4289d06ffa761dbb4c81b Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 8 Nov 2013 10:10:04 +0000 Subject: - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256. --- ChangeLog | 1 + myproposal.h | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1c236246..e7d934fd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,7 @@ arc4random_stir (right now this is only OpenBSD -current). - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have EVP_sha256. + - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256. 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) diff --git a/myproposal.h b/myproposal.h index 0820749a..56f8c4a8 100644 --- a/myproposal.h +++ b/myproposal.h 
@@ -57,16 +57,19 @@ #ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha256," +#define KEX_CURVE25519_METHODS \ + "curve25519-sha256@libssh.org," #define SHA2_HMAC_MODES \ "hmac-sha2-256," \ "hmac-sha2-512," #else # define KEX_SHA256_METHODS +# define KEX_CURVE25519_METHODS # define SHA2_HMAC_MODES #endif # define KEX_DEFAULT_KEX \ - "curve25519-sha256@libssh.org," \ + KEX_CURVE25519_METHODS \ KEX_ECDH_METHODS \ KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha1," \ -- cgit v1.2.1 From cf3cf77764bc57b1459b7f0589d2c61840e0df6c Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 8 Nov 2013 10:12:58 +0000 Subject: - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile warnings. --- ChangeLog | 2 ++ openbsd-compat/bsd-poll.c | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e7d934fd..b2f77678 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,8 @@ - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have EVP_sha256. - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256. + - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile + warnings. 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) diff --git a/openbsd-compat/bsd-poll.c b/openbsd-compat/bsd-poll.c index f899d7a2..c7ef8277 100644 --- a/openbsd-compat/bsd-poll.c +++ b/openbsd-compat/bsd-poll.c @@ -1,4 +1,4 @@ -/* $Id: bsd-poll.c,v 1.4 2008/08/29 21:32:38 dtucker Exp $ */ +/* $Id: bsd-poll.c,v 1.5 2013/11/08 10:12:58 dtucker Exp $ */ /* * Copyright (c) 2004, 2005, 2007 Darren Tucker (dtucker at zip com au). @@ -19,12 +19,15 @@ #include "includes.h" #if !defined(HAVE_POLL) +#include +#include #ifdef HAVE_SYS_SELECT_H # include #endif -#include #include +#include +#include #include "bsd-poll.h" /* -- cgit v1.2.1 From 67b8f1bce88093fa1bb5116ee532029b1e2144eb Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 8 Nov 2013 13:17:41 +0000 Subject: - (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform and pass in TEST_ENV. Unknown options cause stderr to get polluted and the stderr-data test to fail. --- ChangeLog | 3 +++ Makefile.in | 3 ++- configure.ac | 11 ++++++++--- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index b2f77678..72c53f70 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256. - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile warnings. + - (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform + and pass in TEST_ENV. Unknown options cause stderr to get polluted + and the stderr-data test to fail. 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) diff --git a/Makefile.in b/Makefile.in index 242a9bd5..e1c68c00 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.343 2013/11/07 11:33:48 dtucker Exp $ +# $Id: Makefile.in,v 1.344 2013/11/08 13:17:41 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -416,6 +416,7 @@ tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) BUILDDIR="$${BUILDDIR}" \ OBJ="$${BUILDDIR}/regress/" \ PATH="$${BUILDDIR}:$${PATH}" \ + TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \ TEST_SHELL="$${TEST_SHELL}" \ TEST_SSH_SSH="$${TEST_SSH_SSH}" \ TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \ diff --git a/configure.ac b/configure.ac index 31972cf9..e31147c2 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.539 2013/11/07 11:33:48 dtucker Exp $ +# $Id: configure.ac,v 1.540 2013/11/08 13:17:41 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.539 $) +AC_REVISION($Revision: 1.540 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -563,6 +563,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" + TEST_MALLOC_OPTIONS="AFGJPRX" ;; *-*-haiku*) LIBS="$LIBS -lbsd " @@ -728,6 +729,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) + TEST_MALLOC_OPTIONS="AJRX" ;; *-*-freebsd*) check_for_libcrypt_later=1 @@ -736,7 +738,8 @@ mips-sony-bsd|mips-sony-newsos4) AC_CHECK_HEADER([net/if_tap.h], , AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) - AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need]) + AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need]) + TEST_MALLOC_OPTIONS="AJRX" ;; *-*-bsdi*) AC_DEFINE([SETEUID_BREAKS_SETUID]) @@ -759,6 +762,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], [syslog_r function is safe to use in in a signal handler]) + TEST_MALLOC_OPTIONS="AFGJPRX" ;; *-*-solaris*) if test "x$withval" != "xno" ; then @@ -4564,6 +4568,7 @@ else fi AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) +AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS]) AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) AC_EXEEXT -- cgit v1.2.1 From 081d08ef8267efa9e6875264a834632be6c10a35 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 8 Nov 2013 13:19:22 +0000 Subject: - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation: rather than testing and generating each key, call ssh-keygen -A. Patch from vinschen at redhat.com. --- ChangeLog | 5 +++- contrib/cygwin/ssh-host-config | 52 ++---------------------------------------- 2 files changed, 6 insertions(+), 51 deletions(-) diff --git a/ChangeLog b/ChangeLog index 72c53f70..7372ad23 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,8 +27,11 @@ - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile warnings. - (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform - and pass in TEST_ENV. Unknown options cause stderr to get polluted + and pass in TEST_ENV. use stderr to get polluted and the stderr-data test to fail. + - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation: + rather than testing and generating each key, call ssh-keygen -A. + Patch from vinschen at redhat.com. 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index c542d5cb..05efd3b3 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config 
@@ -67,54 +67,6 @@ user_account= password_value= opt_force=no -# ====================================================================== -# Routine: create_host_keys -# ====================================================================== -create_host_keys() { - local ret=0 - - if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] - then - csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" - if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null - then - csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" - let ++ret - fi - fi - - if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] - then - csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" - if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null - then - csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" - let ++ret - fi - fi - - if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] - then - csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" - if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null - then - csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" - let ++ret - fi - fi - - if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] - then - csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" - if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null - then - csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" - let ++ret - fi - fi - return $ret -} # --- End of create_host_keys --- # - # ====================================================================== # Routine: update_services_file # ====================================================================== @@ -719,8 +671,8 @@ then let ++warning_cnt fi -# host keys -create_host_keys || let warning_cnt+=$? +# generate missing host keys +/usr/bin/ssh-keygen -A || let warning_cnt+=$? # handle ssh_config csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt -- cgit v1.2.1 
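Review bot: `/usr/bin/ssh-keygen -A` writes into ssh-keygen's compiled-in default key directory, whereas the removed create_host_keys wrote every key explicitly under `${SYSCONFDIR}`; if those two paths differ in the Cygwin build the keys will land somewhere the rest of this script does not look, so that equivalence should be confirmed before relying on `-A`. The old routine also discarded ssh-keygen's stdout and reported progress through csih_inform, while the replacement lets ssh-keygen's own messages through; if the script's output should stay consistent, `/usr/bin/ssh-keygen -A > /dev/null || let warning_cnt+=$?` preserves the previous behaviour.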
From 3e2ae47aa50b02af97d54725b336dda1989f09f7 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 9 Nov 2013 05:55:03 +0000 Subject: - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 [regress/test-exec.sh regress/rekey.sh] Use smaller test data files to speed up tests. Grow test datafiles where necessary for a specific test. --- ChangeLog | 12 ++++++++++++ regress/rekey.sh | 4 +++- regress/test-exec.sh | 21 +++++++++++++++++---- 3 files changed, 32 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7372ad23..a6360197 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20131109 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 + [regress/test-exec.sh regress/rekey.sh] + Use smaller test data files to speed up tests. Grow test datafiles + where necessary for a specific test. + 20131108 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/11/08 01:06:14 @@ -32,6 +39,11 @@ - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation: rather than testing and generating each key, call ssh-keygen -A. Patch from vinschen at redhat.com. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 + [regress/test-exec.sh regress/rekey.sh] + Use smaller test data files to speed up tests. Grow test datafiles + where necessary for a specific test. 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) diff --git a/regress/rekey.sh b/regress/rekey.sh index 6095da8d..fe81f0c3 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.12 2013/11/08 01:06:14 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.13 2013/11/09 05:41:34 dtucker Exp $ # Placed in the Public Domain. tid="rekey" @@ -26,6 +26,8 @@ ssh_data_rekeying() fi } +increase_datafile_size 300 + opts="" for i in `${SSH} -Q kex`; do opts="$opts KexAlgorithms=$i" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index eee44626..aac8aa5c 100644 --- a/regress/test-exec.sh 
+++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.46 2013/06/21 02:26:26 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.47 2013/11/09 05:41:34 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -133,7 +133,12 @@ fi # Path to sshd must be absolute for rexec case "$SSHD" in /*) ;; -*) SSHD=`which sshd` ;; +*) SSHD=`which $SSHD` ;; +esac + +case "$SSHAGENT" in +/*) ;; +*) SSHAGENT=`which $SSHAGENT` ;; esac # Logfiles. @@ -166,14 +171,22 @@ SSH="$SSHLOGWRAP" # Some test data. We make a copy because some tests will overwrite it. # The tests may assume that $DATA exists and is writable and $COPY does -# not exist. +# not exist. Tests requiring larger data files can call increase_datafile_size +# [kbytes] to ensure the file is at least that large. DATANAME=data DATA=$OBJ/${DATANAME} -cat $SSHD $SSHD $SSHD $SSHD >${DATA} +cat ${SSHAGENT} >${DATA} chmod u+w ${DATA} COPY=$OBJ/copy rm -f ${COPY} +increase_datafile_size() +{ + while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do + cat ${SSHAGENT} >>${DATA} + done +} + # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP -- cgit v1.2.1 From 058c31d933129f6484b6d51623d102874a1ce394 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 9 Nov 2013 07:39:25 +0000 Subject: - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the latter actually works before using it. Fedora (at least) has NID_secp521r1 that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897). --- ChangeLog | 4 ++ configure.ac | 122 +++++++++++++++++++++++++++++++++++++++++++++++++---------- kex.c | 2 + key.c | 14 +++++++ myproposal.h | 12 ++++++ 5 files changed, 133 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index a6360197..c8f24958 100644 --- a/ChangeLog +++ b/ChangeLog 
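Review bot: `increase_datafile_size` loops until `du -k ${DATA}` reports at least `$1` kbytes, appending `${SSHAGENT}` on each pass, so if `${SSHAGENT}` is empty or names an empty file (the `which $SSHAGENT` fallback added above yields an empty string when the binary is not found) the file never grows and the loop does not terminate; the unquoted `$1` also turns a missing argument into a shell syntax error rather than a clear failure. A guard before the loop such as `[ -s "${SSHAGENT}" ] || exit 1`, plus quoting the bound as `"$1"`, would make both failures explicit.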
@@ -4,6 +4,10 @@ [regress/test-exec.sh regress/rekey.sh] Use smaller test data files to speed up tests. Grow test datafiles where necessary for a specific test. + - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of + NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the + latter actually works before using it. Fedora (at least) has NID_secp521r1 + that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897). 20131108 - (dtucker) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index e31147c2..5d4793ca 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.540 2013/11/08 13:17:41 dtucker Exp $ +# $Id: configure.ac,v 1.541 2013/11/09 07:39:25 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.540 $) +AC_REVISION($Revision: 1.541 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -2450,7 +2450,49 @@ AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , ) # Check complete ECC support in OpenSSL -AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) +AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + ]], [[ + EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + const EVP_MD *m = EVP_sha256(); /* We need this too */ + ]])], + [ AC_MSG_RESULT([yes]) + enable_nistp256=1 ], + [ AC_MSG_RESULT([no]) ] +) + +AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + ]], [[ + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); + const EVP_MD *m = EVP_sha384(); /* We need this too */ + ]])], + [ AC_MSG_RESULT([yes]) + enable_nistp384=1 ], + [ AC_MSG_RESULT([no]) ] +) + +AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) AC_LINK_IFELSE( [AC_LANG_PROGRAM([[ #include 
@@ -2466,25 +2508,63 @@ AC_LINK_IFELSE( EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); const EVP_MD *m = EVP_sha512(); /* We need this too */ ]])], - [ - AC_MSG_RESULT([yes]) - AC_DEFINE([OPENSSL_HAS_ECC], [1], - [libcrypto includes complete ECC support]) - TEST_SSH_ECC=yes - COMMENT_OUT_ECC="" - ], - [ - AC_MSG_RESULT([no]) - TEST_SSH_ECC=no - COMMENT_OUT_ECC="#no ecc#" - unsupported_algorithms="$unsupported_algorithms \ - ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \ - ecdsa-sha2-nistp256-cert-v01@openssh.com \ - ecdsa-sha2-nistp384-cert-v01@openssh.com \ - ecdsa-sha2-nistp521-cert-v01@openssh.com \ - ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521" - ] + [ AC_MSG_RESULT([yes]) + AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include +#include + ]],[[ + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); + const EVP_MD *m = EVP_sha512(); /* We need this too */ + exit(e == NULL || m == NULL); + ]])], + [ AC_MSG_RESULT([yes]) + enable_nistp521=1 ], + [ AC_MSG_RESULT([no]) ], + [ AC_MSG_WARN([cross-compiling, assuming yes]) + enable_nistp521=1 ] + ]) + AC_MSG_RESULT([no]) ) + +COMMENT_OUT_ECC="#no ecc#" +TEST_SSH_ECC=no + +if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ + x$enable_nistp521 = x1; then + AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) +fi +if test x$enable_nistp256 = x1; then + AC_DEFINE([OPENSSL_HAS_NISTP256], [1], + [libcrypto has NID_X9_62_prime256v1]) + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ + ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" +fi +if test x$enable_nistp384 = x1; then + AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ + ecdh-sha2-nistp384 
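Review bot: Only the NID_secp521r1 probe gets the AC_RUN_IFELSE functional check; the NID_X9_62_prime256v1 and NID_secp384r1 probes in the preceding hunk are link tests only, so a libcrypto that exposes one of those curves but fails to create the key at runtime (the failure mode this change guards against for 521) would still be enabled. If that configuration is realistic the same run test should wrap the other two probes. The three probe programs are also identical apart from the NID and digest, so a small m4 helper macro taking those two names would avoid repeating the preamble three times.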
ecdsa-sha2-nistp384-cert-v01@openssh.com" +fi +if test x$enable_nistp521 = x1; then + AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ + ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" +fi + AC_SUBST([TEST_SSH_ECC]) AC_SUBST([COMMENT_OUT_ECC]) diff --git a/kex.c b/kex.c index 59cb448c..b38bae0f 100644 --- a/kex.c +++ b/kex.c @@ -78,7 +78,9 @@ static const struct kexalg kexalgs[] = { #ifdef OPENSSL_HAS_ECC { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 }, { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, +# ifdef OPENSSL_HAS_NISTP521 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, +# endif #endif #ifdef HAVE_EVP_SHA256 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, EVP_sha256 }, diff --git a/key.c b/key.c index 90f0a017..bc84953f 100644 --- a/key.c +++ b/key.c @@ -918,7 +918,9 @@ static const struct keytype keytypes[] = { #ifdef OPENSSL_HAS_ECC { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, +# ifdef OPENSSL_HAS_NISTP521 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, +# endif #endif /* OPENSSL_HAS_ECC */ { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, @@ -927,8 +929,10 @@ static const struct keytype keytypes[] = { KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", KEY_ECDSA_CERT, NID_secp384r1, 1 }, +# ifdef OPENSSL_HAS_NISTP521 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", KEY_ECDSA_CERT, NID_secp521r1, 1 }, +# endif #endif /* OPENSSL_HAS_ECC */ { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", KEY_RSA_CERT_V00, 0, 1 }, 
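Review bot: The kexalgs table guards only the NID_secp521r1 row, while the NID_X9_62_prime256v1 and NID_secp384r1 rows stay unconditional under `OPENSSL_HAS_ECC`; configure.ac now defines `OPENSSL_HAS_ECC` when any one of the three curves passes and also emits `OPENSSL_HAS_NISTP256` and `OPENSSL_HAS_NISTP384`, yet nothing in this commit consumes those two macros. Whether a libcrypto with 521 but not 256 or 384 exists is unclear, but the guards should mirror the probes: `# ifdef OPENSSL_HAS_NISTP256` / `# endif` around the prime256v1 row and `# ifdef OPENSSL_HAS_NISTP384` / `# endif` around the secp384r1 row. The same asymmetry applies to the key.c keytypes hunks that follow and to the myproposal.h method lists.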
@@ -1100,8 +1104,10 @@ key_ecdsa_bits_to_nid(int bits) return NID_X9_62_prime256v1; case 384: return NID_secp384r1; +# ifdef HAVE_OPENSSL_NISTP521 case 521: return NID_secp521r1; +# endif #endif default: return -1; @@ -1116,7 +1122,9 @@ key_ecdsa_key_to_nid(EC_KEY *k) int nids[] = { NID_X9_62_prime256v1, NID_secp384r1, +# ifdef OPENSSL_HAS_NISTP521 NID_secp521r1, +# endif -1 }; int nid; @@ -2031,8 +2039,10 @@ key_curve_name_to_nid(const char *name) return NID_X9_62_prime256v1; else if (strcmp(name, "nistp384") == 0) return NID_secp384r1; +# ifdef OPENSSL_HAS_NISTP521 else if (strcmp(name, "nistp521") == 0) return NID_secp521r1; +# endif #endif debug("%s: unsupported EC curve name \"%.100s\"", __func__, name); @@ -2048,8 +2058,10 @@ key_curve_nid_to_bits(int nid) return 256; case NID_secp384r1: return 384; +# ifdef OPENSSL_NAS_NISTP521 case NID_secp521r1: return 521; +# endif #endif default: error("%s: unsupported EC curve nid %d", __func__, nid); @@ -2065,8 +2077,10 @@ key_curve_nid_to_name(int nid) return "nistp256"; else if (nid == NID_secp384r1) return "nistp384"; +# ifdef OPENSSL_HAS_NISTP521 else if (nid == NID_secp521r1) return "nistp521"; +# endif #endif error("%s: unsupported EC curve nid %d", __func__, nid); return NULL; diff --git a/myproposal.h b/myproposal.h index 56f8c4a8..8da2ac91 100644 --- a/myproposal.h +++ b/myproposal.h @@ -29,6 +29,7 @@ /* conditional algorithm support */ #ifdef OPENSSL_HAS_ECC +#ifdef OPENSSL_HAS_NISTP521 # define KEX_ECDH_METHODS \ "ecdh-sha2-nistp256," \ "ecdh-sha2-nistp384," \ 
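Review bot: Two of the new guards test macros that configure.ac never defines: `# ifdef HAVE_OPENSSL_NISTP521` in key_ecdsa_bits_to_nid and `# ifdef OPENSSL_NAS_NISTP521` in key_curve_nid_to_bits, whereas the AC_DEFINE added in this commit is `OPENSSL_HAS_NISTP521`. Both blocks are therefore compiled out even when nistp521 is available, so a 521-bit ECDSA key gets -1 from key_ecdsa_bits_to_nid and falls into the "unsupported EC curve nid" error path in key_curve_nid_to_bits; both should read `# ifdef OPENSSL_HAS_NISTP521`, matching the other three hunks in this file. Both functions begin outside their hunks.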
@@ -42,6 +43,17 @@ "ecdsa-sha2-nistp384," \ "ecdsa-sha2-nistp521," #else +# define KEX_ECDH_METHODS \ + "ecdh-sha2-nistp256," \ + "ecdh-sha2-nistp384," +# define HOSTKEY_ECDSA_CERT_METHODS \ + "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp384-cert-v01@openssh.com," +# define HOSTKEY_ECDSA_METHODS \ + "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp384," +#endif +#else # define KEX_ECDH_METHODS # define HOSTKEY_ECDSA_CERT_METHODS # define HOSTKEY_ECDSA_METHODS -- cgit v1.2.1 From 0bfc576f3feb38b82f5634a0df90f6814be8d523 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 9 Nov 2013 11:02:31 +0000 Subject: - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test. --- ChangeLog | 1 + configure.ac | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index c8f24958..142f14cf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,7 @@ NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the latter actually works before using it. Fedora (at least) has NID_secp521r1 that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897). + - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test. 20131108 - (dtucker) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 5d4793ca..20a8cd42 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.541 2013/11/09 07:39:25 dtucker Exp $ +# $Id: configure.ac,v 1.542 2013/11/09 11:02:31 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.541 $) +AC_REVISION($Revision: 1.542 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -2526,9 +2526,9 @@ AC_LINK_IFELSE( [ AC_MSG_RESULT([yes]) enable_nistp521=1 ], [ AC_MSG_RESULT([no]) ], - [ AC_MSG_WARN([cross-compiling, assuming yes]) + [ AC_MSG_WARN([cross-compiling: assuming yes]) enable_nistp521=1 ] - ]) + )], AC_MSG_RESULT([no]) ) -- cgit v1.2.1 From 2687acdf73f0ce39e4fb157ffcb08186eab8fe92 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 9 Nov 2013 11:32:51 +0000 Subject: - (dtucker) [configure.ac] Add missing "test". --- ChangeLog | 1 + configure.ac | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 142f14cf..3f9cfae0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,7 @@ latter actually works before using it. Fedora (at least) has NID_secp521r1 that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897). - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test. + - (dtucker) [configure.ac] Add missing "test". 20131108 - (dtucker) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 20a8cd42..f3fe43d7 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.542 2013/11/09 11:02:31 dtucker Exp $ +# $Id: configure.ac,v 1.543 2013/11/09 11:32:51 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.542 $) +AC_REVISION($Revision: 1.543 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2536,7 +2536,7 @@ COMMENT_OUT_ECC="#no ecc#" TEST_SSH_ECC=no if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ - x$enable_nistp521 = x1; then + test x$enable_nistp521 = x1; then AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) fi if test x$enable_nistp256 = x1; then -- cgit v1.2.1 From f478dea269bbcd1fdf4900c06183e3288569078a Mon Sep 17 00:00:00 2001 
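Review bot: With the brackets fixed, the cross-compiling branch of this `AC_LINK_IFELSE` still sets `enable_nistp521=1`, which skips exactly the run-time check this test exists for (the ChangeLog entry above says Fedora ships a NID_secp521r1 that does not work), so a cross-built sshd could advertise ecdsa-sha2-nistp521 with a curve that fails at run time. Consider defaulting that branch to `AC_MSG_WARN([cross-compiling: assuming no])` with `enable_nistp521=0`, or giving the builder an explicit override so the optimistic assumption is opt-in rather than silent. The test program being linked begins before this hunk.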
From: dtucker Date: Sun, 10 Nov 2013 01:38:42 +0000 Subject: - (dtucker) [key.c] Check for the correct defines for NID_secp521r1. --- ChangeLog | 1 + key.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3f9cfae0..e22ac3cd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,7 @@ that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897). - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test. - (dtucker) [configure.ac] Add missing "test". + - (dtucker) [key.c] Check for the correct defines for NID_secp521r1. 20131108 - (dtucker) OpenBSD CVS Sync diff --git a/key.c b/key.c index bc84953f..b20bcda5 100644 --- a/key.c +++ b/key.c @@ -1104,7 +1104,7 @@ key_ecdsa_bits_to_nid(int bits) return NID_X9_62_prime256v1; case 384: return NID_secp384r1; -# ifdef HAVE_OPENSSL_NISTP521 +# ifdef OPENSSL_HAS_NISTP521 case 521: return NID_secp521r1; # endif @@ -2058,7 +2058,7 @@ key_curve_nid_to_bits(int nid) return 256; case NID_secp384r1: return 384; -# ifdef OPENSSL_NAS_NISTP521 +# ifdef OPENSSL_HAS_NISTP521 case NID_secp521r1: return 521; # endif -- cgit v1.2.1 From e241d777dae2a59bbe18a356bf93cef5dc92444c Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 10 Nov 2013 09:25:22 +0000 Subject: - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by querying the ones that are compiled in. --- ChangeLog | 4 ++++ regress/keytype.sh | 10 +++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index e22ac3cd..3fd51a6b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20131110 + - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by + querying the ones that are compiled in. + 20131109 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 diff --git a/regress/keytype.sh b/regress/keytype.sh index 59586bf0..65436b2c 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh 
@@ -12,9 +12,13 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak ktypes="dsa-1024 rsa-2048 rsa-3072" -if test "$TEST_SSH_ECC" = "yes"; then - ktypes="$ktypes ecdsa-256 ecdsa-384 ecdsa-521" -fi +for i in `$SSH -Q key`; do + case "$i" in + ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;; + ecdsa-sha2-nistp384) ktype="$ktype ecdsa-384" ;; + ecdsa-sha2-nistp521) ktype="$ktype ecdsa-521" ;; + esac +done for kt in $ktypes; do rm -f $OBJ/key.$kt -- cgit v1.2.1 From 738f3f20964e85ab60555fdfeb15bf2d03994875 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Nov 2013 02:55:43 +0000 Subject: - dtucker@cvs.openbsd.org 2013/11/08 11:15:19 [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c] [uidswap.c] Include stdlib.h for free() as per the man page. --- ChangeLog | 6 ++++++ bufaux.c | 3 ++- bufbn.c | 3 ++- buffer.c | 3 ++- sftp-client.c | 13 +++++++------ sftp-common.c | 3 ++- sftp-glob.c | 5 +++-- uidswap.c | 3 ++- 8 files changed, 26 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3fd51a6b..eb78c12e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20131121 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/08 11:15:19 + [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c] + [uidswap.c] Include stdlib.h for free() as per the man page. + 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by querying the ones that are compiled in. diff --git a/bufaux.c b/bufaux.c index de5b3ca1..3e70b8d9 100644 --- a/bufaux.c +++ b/bufaux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufaux.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */ +/* $OpenBSD: bufaux.c,v 1.53 2013/11/08 11:15:19 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -45,6 +45,7 @@ #include #include +#include #include "xmalloc.h" #include "buffer.h" diff --git a/bufbn.c b/bufbn.c index 1fbfbbcc..2ebc80a2 100644 --- a/bufbn.c +++ b/bufbn.c 
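Review bot: The new loop appends to `ktype`, but the list the rest of the script iterates is `ktypes` (`for kt in $ktypes; do` at the end of the hunk), so none of the ECDSA key sizes are ever tested and the regression test silently shrinks to the DSA/RSA cases; the `if` block it replaces appended to `ktypes`. The three case arms should read `ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;;` and likewise for 384 and 521. With that fixed, populating from `$SSH -Q key` does what the commit intends, since nistp521 only appears when it was compiled in.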
@@ -1,4 +1,4 @@ -/* $OpenBSD: bufbn.c,v 1.7 2013/05/17 00:13:13 djm Exp $*/ +/* $OpenBSD: bufbn.c,v 1.8 2013/11/08 11:15:19 dtucker Exp $*/ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -45,6 +45,7 @@ #include #include +#include #include "xmalloc.h" #include "buffer.h" diff --git a/buffer.c b/buffer.c index 007e7f94..9e7c40a5 100644 --- a/buffer.c +++ b/buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.c,v 1.33 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: buffer.c,v 1.34 2013/11/08 11:15:19 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -19,6 +19,7 @@ #include #include #include +#include #include "xmalloc.h" #include "buffer.h" diff --git a/sftp-client.c b/sftp-client.c index 91955262..9ecded04 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.107 2013/10/17 00:30:13 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.109 2013/11/08 11:15:19 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -42,6 +42,7 @@ #include #include #include +#include #include #include @@ -477,7 +478,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, if (dir) { ents = 0; - *dir = xmalloc(sizeof(**dir)); + *dir = xcalloc(1, sizeof(**dir)); (*dir)[0] = NULL; } @@ -551,7 +552,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, if (dir) { *dir = xrealloc(*dir, ents + 2, sizeof(**dir)); - (*dir)[ents] = xmalloc(sizeof(***dir)); + (*dir)[ents] = xcalloc(1, sizeof(***dir)); (*dir)[ents]->filename = xstrdup(filename); (*dir)[ents]->longname = xstrdup(longname); memcpy(&(*dir)[ents]->a, a, sizeof(*a)); @@ -570,7 +571,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, /* Don't return partial matches on interrupt */ if (interrupted && dir != NULL && *dir != NULL) { free_sftp_dirents(*dir); - *dir = xmalloc(sizeof(**dir)); + *dir = xcalloc(1, sizeof(**dir)); **dir = NULL; } 
@@ -1143,7 +1144,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, (unsigned long long)offset, (unsigned long long)offset + buflen - 1, num_req, max_req); - req = xmalloc(sizeof(*req)); + req = xcalloc(1, sizeof(*req)); req->id = conn->msg_id++; req->len = buflen; req->offset = offset; @@ -1512,7 +1513,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, strerror(errno)); if (len != 0) { - ack = xmalloc(sizeof(*ack)); + ack = xcalloc(1, sizeof(*ack)); ack->id = ++id; ack->offset = offset; ack->len = len; diff --git a/sftp-common.c b/sftp-common.c index 413efc20..88bf51bc 100644 --- a/sftp-common.c +++ b/sftp-common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sftp-common.c,v 1.25 2013/11/08 11:15:19 dtucker Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include diff --git a/sftp-glob.c b/sftp-glob.c index 79b7bdb2..d85aecc9 100644 --- a/sftp-glob.c +++ b/sftp-glob.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-glob.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sftp-glob.c,v 1.26 2013/11/08 11:15:19 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -23,6 +23,7 @@ #endif #include +#include #include #include "xmalloc.h" @@ -48,7 +49,7 @@ fudge_opendir(const char *path) { struct SFTP_OPENDIR *r; - r = xmalloc(sizeof(*r)); + r = xcalloc(1, sizeof(*r)); if (do_readdir(cur.conn, (char *)path, &r->dir)) { free(r); diff --git a/uidswap.c b/uidswap.c index 26d17f93..23217ba5 100644 --- a/uidswap.c +++ b/uidswap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uidswap.c,v 1.35 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: uidswap.c,v 1.36 2013/11/08 11:15:19 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -20,6 +20,7 @@ #include #include #include +#include #include -- cgit v1.2.1 From c3c497daf88506d93327a5dcff2d3cf18a87148f Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Nov 2013 02:56:06 +0000 Subject: - markus@cvs.openbsd.org 2013/11/13 13:48:20 [ssh-pkcs11.c] add missing braces found by pedro --- ChangeLog | 3 +++ ssh-pkcs11.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index eb78c12e..381b2a96 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - dtucker@cvs.openbsd.org 2013/11/08 11:15:19 [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c] [uidswap.c] Include stdlib.h for free() as per the man page. + - markus@cvs.openbsd.org 2013/11/13 13:48:20 + [ssh-pkcs11.c] + add missing braces found by pedro 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 9941e94e..c49cbf42 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.10 2013/11/06 23:05:59 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.11 2013/11/13 13:48:20 markus Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -427,7 +427,7 @@ pkcs11_key_included(Key ***keysp, int *nkeys, Key *key) int i; for (i = 0; i < *nkeys; i++) - if (key_equal(key, *keysp[i])) + if (key_equal(key, (*keysp)[i])) return (1); return (0); } -- cgit v1.2.1 From 646b738776001d27b385d32fcd0cc101add67e73 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Nov 2013 02:56:28 +0000 Subject: - djm@cvs.openbsd.org 2013/11/20 02:19:01 [sshd.c] delay closure of in/out fds until after "Bad protocol version identification..." message, as get_remote_ipaddr/get_remote_port require them open. --- ChangeLog | 5 +++++ sshd.c | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 381b2a96..f3903120 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -6,6 +6,11 @@ - markus@cvs.openbsd.org 2013/11/13 13:48:20 [ssh-pkcs11.c] add missing braces found by pedro + - djm@cvs.openbsd.org 2013/11/20 02:19:01 + [sshd.c] + delay closure of in/out fds until after "Bad protocol version + identification..." message, as get_remote_ipaddr/get_remote_port + require them open. 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/sshd.c b/sshd.c index 8a62fc1a..a53deab3 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.410 2013/11/02 21:59:15 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.411 2013/11/20 02:19:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -480,11 +480,11 @@ sshd_exchange_identification(int sock_in, int sock_out) &remote_major, &remote_minor, remote_version) != 3) { s = "Protocol mismatch.\n"; (void) atomicio(vwrite, sock_out, s, strlen(s)); - close(sock_in); - close(sock_out); logit("Bad protocol version identification '%.100s' " "from %s port %d", client_version_string, get_remote_ipaddr(), get_remote_port()); + close(sock_in); + close(sock_out); cleanup_exit(255); } debug("Client protocol version %d.%d; client software version %.100s", -- cgit v1.2.1 From f9444cadf2ab75ef3b39a4c3abf6005d412f1755 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Nov 2013 02:56:49 +0000 Subject: - deraadt@cvs.openbsd.org 2013/11/20 20:53:10 [scp.c] unsigned casts for ctype macros where neccessary ok guenther millert markus --- ChangeLog | 4 ++++ scp.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f3903120..253e0227 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -11,6 +11,10 @@ delay closure of in/out fds until after "Bad protocol version identification..." message, as get_remote_ipaddr/get_remote_port require them open. + - deraadt@cvs.openbsd.org 2013/11/20 20:53:10 + [scp.c] + unsigned casts for ctype macros where neccessary + ok guenther millert markus 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/scp.c b/scp.c index 28ded5e9..18d3b1dc 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.178 2013/06/22 06:31:57 djm Exp $ */ +/* $OpenBSD: scp.c,v 1.179 2013/11/20 20:53:10 deraadt Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -1023,7 +1023,7 @@ sink(int argc, char **argv) if (*cp++ != ' ') SCREWUP("mode not delimited"); - for (size = 0; isdigit(*cp);) + for (size = 0; isdigit((unsigned char)*cp);) size = size * 10 + (*cp++ - '0'); if (*cp++ != ' ') SCREWUP("size not delimited"); @@ -1287,7 +1287,7 @@ okname(char *cp0) c = (int)*cp; if (c & 0200) goto bad; - if (!isalpha(c) && !isdigit(c)) { + if (!isalpha(c) && !isdigit((unsigned char)c)) { switch (c) { case '\'': case '"': -- cgit v1.2.1 From b7824dcb34637676d6e30b6439a1b0ecd513a871 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Nov 2013 02:57:15 +0000 Subject: - deraadt@cvs.openbsd.org 2013/11/20 20:54:10 [canohost.c clientloop.c match.c readconf.c sftp.c] unsigned casts for ctype macros where neccessary ok guenther millert markus --- ChangeLog | 4 ++++ canohost.c | 3 +-- clientloop.c | 14 +++++++------- match.c | 6 +++--- readconf.c | 4 ++-- sftp.c | 4 ++-- 6 files changed, 19 insertions(+), 16 deletions(-) diff --git a/ChangeLog b/ChangeLog index 253e0227..cb4dae30 100644 --- a/ChangeLog +++ b/ChangeLog 
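Review bot: The size parser in sink, `for (size = 0; isdigit((unsigned char)*cp);) size = size * 10 + (*cp++ - '0');`, consumes digits from the remote peer with no upper bound, so a peer can send a digit string long enough to overflow `size`; if `size` is a signed type (its declaration is outside the hunk) that overflow is undefined behaviour, and the value afterwards drives the transfer. The cast added here is correct, but a check before the multiply that rejects a value which would exceed the maximum of `size`'s type with `SCREWUP("size too large")` would close the gap. sink's body begins before and ends after this hunk.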
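Review bot: In okname the cast is applied inconsistently: `isdigit((unsigned char)c)` is cast while `isalpha(c)` on the same line is not, and the preceding `if (c & 0200) goto bad;` already restricts c to 0..127, so the lone cast reads as though it were needed. Either cast both for uniformity with the rest of this commit, `if (!isalpha((unsigned char)c) && !isdigit((unsigned char)c)) {`, or leave both uncast with a comment noting that the 0200 check makes them safe. okname's body continues outside the hunk.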
@@ -15,6 +15,10 @@ [scp.c] unsigned casts for ctype macros where neccessary ok guenther millert markus + - deraadt@cvs.openbsd.org 2013/11/20 20:54:10 + [canohost.c clientloop.c match.c readconf.c sftp.c] + unsigned casts for ctype macros where neccessary + ok guenther millert markus 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/canohost.c b/canohost.c index a8eeb0e3..2e5a0b86 100644 --- a/canohost.c +++ b/canohost.c @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.c,v 1.68 2013/10/14 23:28:22 djm Exp $ */ +/* $OpenBSD: canohost.c,v 1.69 2013/11/20 20:54:10 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -20,7 +20,6 @@ #include #include -#include #include #include #include diff --git a/clientloop.c b/clientloop.c index 45a55e0e..f30c8b6b 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.254 2013/09/12 01:41:12 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.256 2013/11/20 20:54:10 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -289,7 +289,7 @@ client_x11_display_valid(const char *display) dlen = strlen(display); for (i = 0; i < dlen; i++) { - if (!isalnum(display[i]) && + if (!isalnum((u_char)display[i]) && strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) { debug("Invalid character '%c' in DISPLAY", display[i]); return 0; @@ -837,7 +837,7 @@ void client_expect_confirm(int id, const char *request, enum confirm_action action) { - struct channel_reply_ctx *cr = xmalloc(sizeof(*cr)); + struct channel_reply_ctx *cr = xcalloc(1, sizeof(*cr)); cr->request_type = request; cr->action = action; @@ -860,7 +860,7 @@ client_register_global_confirm(global_confirm_cb *cb, void *ctx) return; } - gc = xmalloc(sizeof(*gc)); + gc = xcalloc(1, sizeof(*gc)); gc->cb = cb; gc->ctx = ctx; gc->ref_count = 1; 
@@ -884,7 +884,7 @@ process_cmdline(void) cmd = s = read_passphrase("\r\nssh> ", RP_ECHO); if (s == NULL) goto out; - while (isspace(*s)) + while (isspace((u_char)*s)) s++; if (*s == '-') s++; /* Skip cmdline '-', if any */ @@ -938,7 +938,7 @@ process_cmdline(void) goto out; } - while (isspace(*++s)) + while (isspace((u_char)*++s)) ; /* XXX update list of forwards in options */ @@ -1438,7 +1438,7 @@ client_new_escape_filter_ctx(int escape_char) { struct escape_filter_ctx *ret; - ret = xmalloc(sizeof(*ret)); + ret = xcalloc(1, sizeof(*ret)); ret->escape_pending = 0; ret->escape_char = escape_char; return (void *)ret; diff --git a/match.c b/match.c index 7be7d2c5..c35e3289 100644 --- a/match.c +++ b/match.c @@ -1,4 +1,4 @@ -/* $OpenBSD: match.c,v 1.28 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: match.c,v 1.29 2013/11/20 20:54:10 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -141,8 +141,8 @@ match_pattern_list(const char *string, const char *pattern, u_int len, for (subi = 0; i < len && subi < sizeof(sub) - 1 && pattern[i] != ','; subi++, i++) - sub[subi] = dolower && isupper(pattern[i]) ? - (char)tolower(pattern[i]) : pattern[i]; + sub[subi] = dolower && isupper((u_char)pattern[i]) ? + tolower((u_char)pattern[i]) : pattern[i]; /* If subpattern too long, return failure (no match). */ if (subi >= sizeof(sub) - 1) return 0; diff --git a/readconf.c b/readconf.c index 63c0ba19..0e1030d0 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.213 2013/10/24 00:51:48 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.214 2013/11/20 20:54:10 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1753,7 +1753,7 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) cp = p = xstrdup(fwdspec); /* skip leading spaces */ - while (isspace(*cp)) + while (isspace((u_char)*cp)) cp++; for (i = 0; i < 4; ++i) 
diff --git a/sftp.c b/sftp.c index abc689e8..ad1f8c84 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.157 2013/10/17 07:35:48 jmc Exp $ */ +/* $OpenBSD: sftp.c,v 1.158 2013/11/20 20:54:10 deraadt Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1065,7 +1065,7 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, error("Too many arguments."); return NULL; } - if (isspace(arg[i])) { + if (isspace((unsigned char)arg[i])) { if (state == MA_UNQUOTED) { /* Terminate current argument */ argvs[j++] = '\0'; -- cgit v1.2.1 From 1a42fdee8baa9f2666c1b94071ea991ffb68e298 Mon Sep 17 00:00:00 2001 
From: djm Date: Thu, 21 Nov 2013 03:12:23 +0000 Subject: - djm@cvs.openbsd.org 2013/11/21 00:45:44 [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file. Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@ --- ChangeLog | 17 ++++ Makefile.in | 4 +- PROTOCOL | 7 +- PROTOCOL.chacha20poly1305 | 105 ++++++++++++++++++++++ authfile.c | 6 +- chacha.c | 219 ++++++++++++++++++++++++++++++++++++++++++++++ chacha.h | 35 ++++++++ cipher-chachapoly.c | 114 ++++++++++++++++++++++++ cipher-chachapoly.h | 41 +++++++++ cipher.c | 65 ++++++++++++-- cipher.h | 11 ++- dh.c | 38 +++----- myproposal.h | 3 +- packet.c | 26 +++--- poly1305.c | 158 +++++++++++++++++++++++++++++++++ poly1305.h | 22 +++++ servconf.c | 4 +- ssh.1 | 6 +- ssh.c | 6 +- ssh_config.5 | 18 +++- sshd_config.5 | 18 +++- 21 files changed, 854 insertions(+), 69 deletions(-) create mode 100644 PROTOCOL.chacha20poly1305 create mode 100644 chacha.c create mode 100644 chacha.h create mode 100644 cipher-chachapoly.c create mode 100644 cipher-chachapoly.h create mode 100644 poly1305.c create mode 100644 poly1305.h diff --git a/ChangeLog b/ChangeLog index cb4dae30..28186e89 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -19,6 +19,23 @@ [canohost.c clientloop.c match.c readconf.c sftp.c] unsigned casts for ctype macros where neccessary ok guenther millert markus + - djm@cvs.openbsd.org 2013/11/21 00:45:44 + [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] + [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] + [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] + [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport + cipher "chacha20-poly1305@openssh.com" that combines Daniel + Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an + authenticated encryption mode. + + Inspired by and similar to Adam Langley's proposal for TLS: + http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 + but differs in layout used for the MAC calculation and the use of a + second ChaCha20 instance to separately encrypt packet lengths. + Details are in the PROTOCOL.chacha20poly1305 file. + + Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC + ok markus@ naddy@ 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/Makefile.in b/Makefile.in index e1c68c00..91f39d4f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.344 2013/11/08 13:17:41 dtucker Exp $ +# $Id: Makefile.in,v 1.345 2013/11/21 03:12:23 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -74,7 +74,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ - kexc25519.o kexc25519c.o + kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ diff --git a/PROTOCOL b/PROTOCOL index 0363314c..cace97f8 100644 --- a/PROTOCOL 
+++ b/PROTOCOL @@ -91,6 +91,11 @@ an MAC algorithm. Additionally, if AES-GCM is selected as the cipher the exchanged MAC algorithms are ignored and there doesn't have to be a matching MAC. +1.7 transport: chacha20-poly1305@openssh.com authenticated encryption + +OpenSSH supports authenticated encryption using ChaCha20 and Poly1305 +as described in PROTOCOL.chacha20poly1305. + 2. Connection protocol changes 2.1. connection: Channel write close extension "eow@openssh.com" @@ -345,4 +350,4 @@ respond with a SSH_FXP_STATUS message. This extension is advertised in the SSH_FXP_VERSION hello with version "1". -$OpenBSD: PROTOCOL,v 1.21 2013/10/17 00:30:13 djm Exp $ +$OpenBSD: PROTOCOL,v 1.22 2013/11/21 00:45:43 djm Exp $ diff --git a/PROTOCOL.chacha20poly1305 b/PROTOCOL.chacha20poly1305 new file mode 100644 index 00000000..c4b723af --- /dev/null +++ b/PROTOCOL.chacha20poly1305 
@@ -0,0 +1,105 @@ +This document describes the chacha20-poly1305@openssh.com authenticated +encryption cipher supported by OpenSSH. + +Background +---------- + +ChaCha20 is a stream cipher designed by Daniel Bernstein and described +in [1]. It operates by permuting 128 fixed bits, 128 or 256 bits of key, +a 64 bit nonce and a 64 bit counter into 64 bytes of output. This output +is used as a keystream, with any unused bytes simply discarded. + +Poly1305[2], also by Daniel Bernstein, is a one-time Carter-Wegman MAC +that computes a 128 bit integrity tag given a message and a single-use +256 bit secret key. + +The chacha20-poly1305@openssh.com combines these two primitives into an +authenticated encryption mode. The construction used is based on that +proposed for TLS by Adam Langley in [3], but differs in the layout of +data passed to the MAC and in the addition of encyption of the packet +lengths. + +Negotiation +----------- + +The chacha20-poly1305@openssh.com offers both encryption and +authentication. As such, no separate MAC is required. If the +chacha20-poly1305@openssh.com cipher is selected in key exchange, +the offered MAC algorithms are ignored and no MAC is required to be +negotiated. + +Detailed Construction +--------------------- + +The chacha20-poly1305@openssh.com cipher requires 512 bits of key +material as output from the SSH key exchange. This forms two 256 bit +keys (K_1 and K_2), used by two separate instances of chacha20. + +The instance keyed by K_1 is a stream cipher that is used only +to encrypt the 4 byte packet length field. The second instance, +keyed by K_2, is used in conjunction with poly1305 to build an AEAD +(Authenticated Encryption with Associated Data) that is used to encrypt +and authenticate the entire packet. + +Two separate cipher instances are used here so as to keep the packet +lengths confidential but not create an oracle for the packet payload +cipher by decrypting and using the packet length prior to checking +the MAC. 
By using an independently-keyed cipher instance to encrypt the +length, an active attacker seeking to exploit the packet input handling +as a decryption oracle can learn nothing about the payload contents or +its MAC (assuming key derivation, ChaCha20 and Poly1306 are secure). + +The AEAD is constructed as follows: for each packet, generate a Poly1305 +key by taking the first 256 bits of ChaCha20 stream output generated +using K_2, an IV consisting of the packet sequence number encoded as an +uint64 under the SSH wire encoding rules and a ChaCha20 block counter of +zero. The K_2 ChaCha20 block counter is then set to the little-endian +encoding of 1 (i.e. {1, 0, 0, 0, 0, 0, 0, 0}) and this instance is used +for encryption of the packet payload. + +Packet Handling +--------------- + +When receiving a packet, the length must be decrypted first. When 4 +bytes of ciphertext length have been received, they may be decrypted +using the K_1 key, a nonce consisting of the packet sequence number +encoded as a uint64 under the usual SSH wire encoding and a zero block +counter to obtain the plaintext length. + +Once the entire packet has been received, the MAC MUST be checked +before decryption. A per-packet Poly1305 key is generated as described +above and the MAC tag calculated using Poly1305 with this key over the +ciphertext of the packet length and the payload together. The calculated +MAC is then compared in constant time with the one appended to the +packet and the packet decrypted using ChaCha20 as described above (with +K_2, the packet sequence number as nonce and a starting block counter of +1). + +To send a packet, first encode the 4 byte length and encrypt it using +K_1. Encrypt the packet payload (using K_2) and append it to the +encrypted length. Finally, calculate a MAC tag and append it. + +Rekeying +-------- + +ChaCha20 must never reuse a {key, nonce} for encryption nor may it be +used to encrypt more than 2^70 bytes under the same {key, nonce}. 
The +SSH Transport protocol (RFC4253) recommends a far more conservative +rekeying every 1GB of data sent or received. If this recommendation +is followed, then chacha20-poly1305@openssh.com requires no special +handling in this area. + +References +---------- + +[1] "ChaCha, a variant of Salsa20", Daniel Bernstein + http://cr.yp.to/chacha/chacha-20080128.pdf + +[2] "The Poly1305-AES message-authentication code", Daniel Bernstein + http://cr.yp.to/mac/poly1305-20050329.pdf + +[3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley + http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 + +$OpenBSD: PROTOCOL.chacha20poly1305,v 1.1 2013/11/21 00:45:43 djm Exp $ + diff --git a/authfile.c b/authfile.c index 63ae16bb..d0c1089e 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.97 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.98 2013/11/21 00:45:43 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -149,7 +149,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase, cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_ENCRYPT); - cipher_crypt(&ciphercontext, cp, + cipher_crypt(&ciphercontext, 0, cp, buffer_ptr(&buffer), buffer_len(&buffer), 0, 0); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); @@ -473,7 +473,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_DECRYPT); - cipher_crypt(&ciphercontext, cp, + cipher_crypt(&ciphercontext, 0, cp, buffer_ptr(©), buffer_len(©), 0, 0); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); diff --git a/chacha.c b/chacha.c new file mode 100644 index 00000000..a84c25ea --- /dev/null +++ b/chacha.c 
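Review bot: The new second argument to `cipher_crypt` is a bare literal `0` at both RSA1 key-file call sites, and nothing at the call site says what it is; from the cipher.c and packet.c changes in this commit it is presumably the packet sequence number that the new AEAD cipher uses as its nonce, which has no meaning for a passphrase-encrypted key blob. A short comment at the call, such as `/* seqnr is unused by the legacy key-file ciphers */`, would keep the next reader from wondering whether 0 is a valid nonce here. Both key_private_rsa1_to_blob and key_parse_private_rsa1 begin before their hunks.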
@@ -0,0 +1,219 @@ +/* +chacha-merged.c version 20080118 +D. J. Bernstein +Public domain. +*/ + +#include "includes.h" + +#include "chacha.h" + +/* $OpenBSD: chacha.c,v 1.1 2013/11/21 00:45:44 djm Exp $ */ + +typedef unsigned char u8; +typedef unsigned int u32; + +typedef struct chacha_ctx chacha_ctx; + +#define U8C(v) (v##U) +#define U32C(v) (v##U) + +#define U8V(v) ((u8)(v) & U8C(0xFF)) +#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF)) + +#define ROTL32(v, n) \ + (U32V((v) << (n)) | ((v) >> (32 - (n)))) + +#define U8TO32_LITTLE(p) \ + (((u32)((p)[0]) ) | \ + ((u32)((p)[1]) << 8) | \ + ((u32)((p)[2]) << 16) | \ + ((u32)((p)[3]) << 24)) + +#define U32TO8_LITTLE(p, v) \ + do { \ + (p)[0] = U8V((v) ); \ + (p)[1] = U8V((v) >> 8); \ + (p)[2] = U8V((v) >> 16); \ + (p)[3] = U8V((v) >> 24); \ + } while (0) + +#define ROTATE(v,c) (ROTL32(v,c)) +#define XOR(v,w) ((v) ^ (w)) +#define PLUS(v,w) (U32V((v) + (w))) +#define PLUSONE(v) (PLUS((v),1)) + +#define QUARTERROUND(a,b,c,d) \ + a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \ + a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c), 7); + +static const char sigma[16] = "expand 32-byte k"; +static const char tau[16] = "expand 16-byte k"; + +void +chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits) +{ + const char *constants; + + x->input[4] = U8TO32_LITTLE(k + 0); + x->input[5] = U8TO32_LITTLE(k + 4); + x->input[6] = U8TO32_LITTLE(k + 8); + x->input[7] = U8TO32_LITTLE(k + 12); + if (kbits == 256) { /* recommended */ + k += 16; + constants = sigma; + } else { /* kbits == 128 */ + constants = tau; + } + x->input[8] = U8TO32_LITTLE(k + 0); + x->input[9] = U8TO32_LITTLE(k + 4); + x->input[10] = U8TO32_LITTLE(k + 8); + x->input[11] = U8TO32_LITTLE(k + 12); + x->input[0] = U8TO32_LITTLE(constants + 0); + x->input[1] = U8TO32_LITTLE(constants + 4); + x->input[2] = U8TO32_LITTLE(constants + 8); + x->input[3] = U8TO32_LITTLE(constants + 12); +} + +void 
+chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter) +{ + x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0); + x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4); + x->input[14] = U8TO32_LITTLE(iv + 0); + x->input[15] = U8TO32_LITTLE(iv + 4); +} + +void +chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes) +{ + u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + u8 *ctarget = NULL; + u8 tmp[64]; + u_int i; + + if (!bytes) return; + + j0 = x->input[0]; + j1 = x->input[1]; + j2 = x->input[2]; + j3 = x->input[3]; + j4 = x->input[4]; + j5 = x->input[5]; + j6 = x->input[6]; + j7 = x->input[7]; + j8 = x->input[8]; + j9 = x->input[9]; + j10 = x->input[10]; + j11 = x->input[11]; + j12 = x->input[12]; + j13 = x->input[13]; + j14 = x->input[14]; + j15 = x->input[15]; + + for (;;) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) tmp[i] = m[i]; + m = tmp; + ctarget = c; + c = tmp; + } + x0 = j0; + x1 = j1; + x2 = j2; + x3 = j3; + x4 = j4; + x5 = j5; + x6 = j6; + x7 = j7; + x8 = j8; + x9 = j9; + x10 = j10; + x11 = j11; + x12 = j12; + x13 = j13; + x14 = j14; + x15 = j15; + for (i = 20;i > 0;i -= 2) { + QUARTERROUND( x0, x4, x8,x12) + QUARTERROUND( x1, x5, x9,x13) + QUARTERROUND( x2, x6,x10,x14) + QUARTERROUND( x3, x7,x11,x15) + QUARTERROUND( x0, x5,x10,x15) + QUARTERROUND( x1, x6,x11,x12) + QUARTERROUND( x2, x7, x8,x13) + QUARTERROUND( x3, x4, x9,x14) + } + x0 = PLUS(x0,j0); + x1 = PLUS(x1,j1); + x2 = PLUS(x2,j2); + x3 = PLUS(x3,j3); + x4 = PLUS(x4,j4); + x5 = PLUS(x5,j5); + x6 = PLUS(x6,j6); + x7 = PLUS(x7,j7); + x8 = PLUS(x8,j8); + x9 = PLUS(x9,j9); + x10 = PLUS(x10,j10); + x11 = PLUS(x11,j11); + x12 = PLUS(x12,j12); + x13 = PLUS(x13,j13); + x14 = PLUS(x14,j14); + x15 = PLUS(x15,j15); + + x0 = XOR(x0,U8TO32_LITTLE(m + 0)); + x1 = XOR(x1,U8TO32_LITTLE(m + 4)); + x2 = XOR(x2,U8TO32_LITTLE(m + 8)); + x3 = XOR(x3,U8TO32_LITTLE(m + 
12)); + x4 = XOR(x4,U8TO32_LITTLE(m + 16)); + x5 = XOR(x5,U8TO32_LITTLE(m + 20)); + x6 = XOR(x6,U8TO32_LITTLE(m + 24)); + x7 = XOR(x7,U8TO32_LITTLE(m + 28)); + x8 = XOR(x8,U8TO32_LITTLE(m + 32)); + x9 = XOR(x9,U8TO32_LITTLE(m + 36)); + x10 = XOR(x10,U8TO32_LITTLE(m + 40)); + x11 = XOR(x11,U8TO32_LITTLE(m + 44)); + x12 = XOR(x12,U8TO32_LITTLE(m + 48)); + x13 = XOR(x13,U8TO32_LITTLE(m + 52)); + x14 = XOR(x14,U8TO32_LITTLE(m + 56)); + x15 = XOR(x15,U8TO32_LITTLE(m + 60)); + + j12 = PLUSONE(j12); + if (!j12) { + j13 = PLUSONE(j13); + /* stopping at 2^70 bytes per nonce is user's responsibility */ + } + + U32TO8_LITTLE(c + 0,x0); + U32TO8_LITTLE(c + 4,x1); + U32TO8_LITTLE(c + 8,x2); + U32TO8_LITTLE(c + 12,x3); + U32TO8_LITTLE(c + 16,x4); + U32TO8_LITTLE(c + 20,x5); + U32TO8_LITTLE(c + 24,x6); + U32TO8_LITTLE(c + 28,x7); + U32TO8_LITTLE(c + 32,x8); + U32TO8_LITTLE(c + 36,x9); + U32TO8_LITTLE(c + 40,x10); + U32TO8_LITTLE(c + 44,x11); + U32TO8_LITTLE(c + 48,x12); + U32TO8_LITTLE(c + 52,x13); + U32TO8_LITTLE(c + 56,x14); + U32TO8_LITTLE(c + 60,x15); + + if (bytes <= 64) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) ctarget[i] = c[i]; + } + x->input[12] = j12; + x->input[13] = j13; + return; + } + bytes -= 64; + c += 64; + m += 64; + } +} diff --git a/chacha.h b/chacha.h new file mode 100644 index 00000000..4ef42cc7 --- /dev/null +++ b/chacha.h 
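Review bot: The partial-block scratch buffer `tmp[64]` in chacha_encrypt_bytes is not cleared on the `bytes <= 64` exit path, and because chachapoly_crypt calls this function with the 32-byte `poly_key` buffer, `tmp` is left on the stack holding the per-packet Poly1305 key after the call returns; chachapoly_crypt scrubs its own `poly_key` but cannot reach this copy. Adding `memset(tmp, 0, sizeof(tmp));` before the `return;` in that branch closes the gap, with the usual caveat that a compiler may elide a dead store before return, so a non-elidable clearing primitive is preferable if the tree provides one. Separately, chacha_keysetup silently treats any `kbits` other than 256 as 128 (the `else` branch carries no check); both callers in this patch pass 256, but an explicit `kbits != 128 && kbits != 256` check, or at minimum a precondition comment on the function, would make that contract visible.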
@@ -0,0 +1,35 @@
+/* $OpenBSD: chacha.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */
+
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+#ifndef CHACHA_H
+#define CHACHA_H
+
+#include 
+
+struct chacha_ctx {
+ u_int input[16];
+};
+
+#define CHACHA_MINKEYLEN 16
+#define CHACHA_NONCELEN 8
+#define CHACHA_CTRLEN 8
+#define CHACHA_STATELEN (CHACHA_NONCELEN+CHACHA_CTRLEN)
+#define CHACHA_BLOCKLEN 64
+
+void chacha_keysetup(struct chacha_ctx *x, const u_char *k, u_int kbits)
+ __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
+void chacha_ivsetup(struct chacha_ctx *x, const u_char *iv, const u_char *ctr)
+ __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
+ __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
+void chacha_encrypt_bytes(struct chacha_ctx *x, const u_char *m,
+ u_char *c, u_int bytes)
+ __attribute__((__bounded__(__buffer__, 2, 4)))
+ __attribute__((__bounded__(__buffer__, 3, 4)));
+
+#endif /* CHACHA_H */
+
diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c
new file mode 100644
index 00000000..20628ab5
--- /dev/null
+++ b/cipher-chachapoly.c
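Review bot: The `__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)` annotation on chacha_keysetup promises a 16-byte key, but with `kbits == 256` the implementation in chacha.c does `k += 16` and reads four more words, i.e. 32 bytes, so the static check under-states the access for the only key size this patch uses and cannot catch a caller handing a shorter buffer to a 256-bit setup. The real length depends on `kbits`, which `__bounded__` cannot express, so a comment on the prototype is the practical fix: `/* k must hold kbits/8 bytes (16 or 32); the bounded check covers only the 128-bit minimum */`. The attribute itself is OpenBSD-specific; presumably the portable tree defines it away, which is worth confirming since this is the first header in the tree to use the `__minbytes__` form.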
@@ -0,0 +1,114 @@ +/* + * Copyright (c) 2013 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* $OpenBSD: cipher-chachapoly.c,v 1.2 2013/11/21 02:50:00 djm Exp $ */ + +#include "includes.h" + +#include +#include /* needed for log.h */ +#include +#include /* needed for misc.h */ + +#include "log.h" +#include "misc.h" +#include "cipher-chachapoly.h" + +void chachapoly_init(struct chachapoly_ctx *ctx, + const u_char *key, u_int keylen) +{ + if (keylen != (32 + 32)) /* 2 x 256 bit keys */ + fatal("%s: invalid keylen %u", __func__, keylen); + chacha_keysetup(&ctx->main_ctx, key, 256); + chacha_keysetup(&ctx->header_ctx, key + 32, 256); +} + +/* + * chachapoly_crypt() operates as following: + * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'. + * Theses bytes are treated as additional authenticated data. + * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. + * Use POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the + * authentication tag. + * This tag is written on encryption and verified on decryption. + * Both 'aadlen' and 'authlen' can be set to 0. 
+ */ +int +chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, + const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt) +{ + u_char seqbuf[8]; + u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB. little-endian */ + u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; + int r = -1; + + /* + * Run ChaCha20 once to generate the Poly1305 key. The IV is the + * packet sequence number. + */ + bzero(poly_key, sizeof(poly_key)); + put_u64(seqbuf, seqnr); + chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL); + chacha_encrypt_bytes(&ctx->main_ctx, + poly_key, poly_key, sizeof(poly_key)); + /* Set Chacha's block counter to 1 */ + chacha_ivsetup(&ctx->main_ctx, seqbuf, one); + + /* If decrypting, check tag before anything else */ + if (!do_encrypt) { + const u_char *tag = src + aadlen + len; + + poly1305_auth(expected_tag, src, aadlen + len, poly_key); + if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) + goto out; + } + /* Crypt additional data */ + if (aadlen) { + chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); + chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen); + } + chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen, + dest + aadlen, len); + + /* If encrypting, calculate and append tag */ + if (do_encrypt) { + poly1305_auth(dest + aadlen + len, dest, aadlen + len, + poly_key); + } + r = 0; + + out: + bzero(expected_tag, sizeof(expected_tag)); + bzero(seqbuf, sizeof(seqbuf)); + bzero(poly_key, sizeof(poly_key)); + return r; +} + +int +chachapoly_get_length(struct chachapoly_ctx *ctx, + u_int *plenp, u_int seqnr, const u_char *cp, u_int len) +{ + u_char buf[4], seqbuf[8]; + + if (len < 4) + return -1; /* Insufficient length */ + put_u64(seqbuf, seqnr); + chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); + chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4); + *plenp = get_u32(buf); + return 0; +} + diff --git a/cipher-chachapoly.h b/cipher-chachapoly.h new file mode 100644 index 00000000..1628693b --- /dev/null 
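Review bot: `authlen` is accepted by chachapoly_crypt but never read: the function unconditionally reads (on decrypt) or writes (on encrypt) a POLY1305_TAGLEN-byte tag at `src + aadlen + len`, while the comment above says authlen "can be set to 0", and a decrypt call that really passed 0 with a buffer sized accordingly would read 16 bytes past its end. The only caller in this patch, cipher_crypt, passes cipher_authlen(), which is 16 for this cipher, so the mismatch is latent, but it is cheap to pin the contract the same way chachapoly_init pins keylen: `if (authlen != POLY1305_TAGLEN) fatal("%s: invalid authlen %u", __func__, authlen);` and reword the comment to say the tag is always POLY1305_TAGLEN bytes. One hedged point on the nonce: `seqnr` is a 32-bit u_int widened by put_u64, so {key, nonce} uniqueness rests entirely on rekeying before the packet sequence number wraps; presumably packet.c's packet-count rekey limit guarantees that, and the header comment should state the assumption so it is not lost if the limits are ever tuned.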
+++ b/cipher-chachapoly.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: cipher-chachapoly.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */
+
+/*
+ * Copyright (c) Damien Miller 2013
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef CHACHA_POLY_AEAD_H
+#define CHACHA_POLY_AEAD_H
+
+#include 
+#include "chacha.h"
+#include "poly1305.h"
+
+#define CHACHA_KEYLEN 32 /* Only 256 bit keys used here */
+
+struct chachapoly_ctx {
+ struct chacha_ctx main_ctx, header_ctx;
+};
+
+void chachapoly_init(struct chachapoly_ctx *cpctx,
+ const u_char *key, u_int keylen)
+ __attribute__((__bounded__(__buffer__, 2, 3)));
+int chachapoly_crypt(struct chachapoly_ctx *cpctx, u_int seqnr,
+ u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen,
+ int do_encrypt);
+int chachapoly_get_length(struct chachapoly_ctx *cpctx,
+ u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
+ __attribute__((__bounded__(__buffer__, 4, 5)));
+
+#endif /* CHACHA_POLY_AEAD_H */
diff --git a/cipher.c b/cipher.c
index 54315f48..c4aec392 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.90 2013/11/07 11:58:27 dtucker Exp $ */
+/* $OpenBSD: cipher.c,v 1.91 2013/11/21 00:45:44 djm Exp $ */
 /*
  * Author: Tatu Ylonen 
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -43,9 +43,11 @@ #include #include +#include #include "xmalloc.h" #include "log.h" +#include "misc.h" #include "cipher.h" /* compatibility with old or broken OpenSSL versions */ @@ -63,7 +65,9 @@ struct Cipher { u_int iv_len; /* defaults to block_size */ u_int auth_len; u_int discard_len; - u_int cbc_mode; + u_int flags; +#define CFLAG_CBC (1<<0) +#define CFLAG_CHACHAPOLY (1<<1) const EVP_CIPHER *(*evptype)(void); }; @@ -95,6 +99,8 @@ static const struct Cipher ciphers[] = { { "aes256-gcm@openssh.com", SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, #endif + { "chacha20-poly1305@openssh.com", + SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL }, { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } }; @@ -102,7 +108,7 @@ static const struct Cipher ciphers[] = { /* Returns a list of supported ciphers separated by the specified char. */ char * -cipher_alg_list(char sep) +cipher_alg_list(char sep, int auth_only) { char *ret = NULL; size_t nlen, rlen = 0; @@ -111,6 +117,8 @@ cipher_alg_list(char sep) for (c = ciphers; c->name != NULL; c++) { if (c->number != SSH_CIPHER_SSH2) continue; + if (auth_only && c->auth_len == 0) + continue; if (ret != NULL) ret[rlen++] = sep; nlen = strlen(c->name); @@ -142,7 +150,12 @@ cipher_authlen(const Cipher *c) u_int cipher_ivlen(const Cipher *c) { - return (c->iv_len ? c->iv_len : c->block_size); + /* + * Default is cipher block size, except for chacha20+poly1305 that + * needs no IV. XXX make iv_len == -1 default? + */ + return (c->iv_len != 0 || (c->flags & CFLAG_CHACHAPOLY) != 0) ? + c->iv_len : c->block_size; } u_int @@ -154,7 +167,7 @@ cipher_get_number(const Cipher *c) u_int cipher_is_cbc(const Cipher *c) { - return (c->cbc_mode); + return (c->flags & CFLAG_CBC) != 0; } u_int 
@@ -274,8 +287,11 @@ cipher_init(CipherContext *cc, const Cipher *cipher, ivlen, cipher->name); cc->cipher = cipher; + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { + chachapoly_init(&cc->cp_ctx, key, keylen); + return; + } type = (*cipher->evptype)(); - EVP_CIPHER_CTX_init(&cc->evp); #ifdef SSH_OLD_EVP if (type->key_len > 0 && type->key_len != keylen) { @@ -330,9 +346,15 @@ cipher_init(CipherContext *cc, const Cipher *cipher, * Both 'aadlen' and 'authlen' can be set to 0. */ void -cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, +cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen) { + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { + if (chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len, aadlen, + authlen, cc->encrypt) != 0) + fatal("Decryption integrity check failed"); + return; + } if (authlen) { u_char lastiv[1]; @@ -374,10 +396,26 @@ cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, } } +/* Extract the packet length, including any decryption necessary beforehand */ +int +cipher_get_length(CipherContext *cc, u_int *plenp, u_int seqnr, + const u_char *cp, u_int len) +{ + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr, + cp, len); + if (len < 4) + return -1; + *plenp = get_u32(cp); + return 0; +} + void cipher_cleanup(CipherContext *cc) { - if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + bzero(&cc->cp_ctx, sizeof(&cc->cp_ctx)); + else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); } @@ -417,6 +455,8 @@ cipher_get_keyiv_len(const CipherContext *cc) if (c->number == SSH_CIPHER_3DES) ivlen = 24; + else if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + ivlen = 0; else ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); return (ivlen); 
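Review bot: The early `return;` added to cipher_init for CFLAG_CHACHAPOLY skips `EVP_CIPHER_CTX_init(&cc->evp)`, so for this cipher `cc->evp` is never initialised and every later user of it must test the flag first; the users touched by this diff (cipher_crypt, cipher_cleanup, cipher_get_keyiv_len, cipher_get_keyiv, cipher_set_keyiv) do, but nothing records the invariant for the ones that are not in the diff. A comment at the return would make it explicit: `/* NB. cc->evp is left uninitialised for this cipher; callers must check CFLAG_CHACHAPOLY before touching it */`. cipher_init begins and ends outside this hunk.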
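Review bot: `bzero(&cc->cp_ctx, sizeof(&cc->cp_ctx))` in cipher_cleanup takes the size of a pointer, not of the context, so only the first 4 or 8 bytes of `cp_ctx` are cleared and the rest of the two ChaCha20 key states (`main_ctx` and `header_ctx`, 128 bytes in total per chacha.h) survive cleanup, presumably including across a rekey where this path retires the old keys. The fix is a one-character change: `bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));`. In the same hunk, cipher_get_length returns a length that, on the AEAD path, has been decrypted but not yet authenticated; a short comment on the function saying so would spare readers a trip into chachapoly_crypt to find out where the tag is checked.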
@@ -428,6 +468,12 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) const Cipher *c = cc->cipher; int evplen; + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { + if (len != 0) + fatal("%s: wrong iv length %d != %d", __func__, len, 0); + return; + } + switch (c->number) { case SSH_CIPHER_SSH2: case SSH_CIPHER_DES: @@ -464,6 +510,9 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) const Cipher *c = cc->cipher; int evplen = 0; + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + return; + switch (c->number) { case SSH_CIPHER_SSH2: case SSH_CIPHER_DES: diff --git a/cipher.h b/cipher.h index 46502348..4e837a75 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.41 2013/11/07 11:58:27 dtucker Exp $ */ +/* $OpenBSD: cipher.h,v 1.42 2013/11/21 00:45:44 djm Exp $ */ /* * Author: Tatu Ylonen @@ -38,6 +38,8 @@ #define CIPHER_H #include +#include "cipher-chachapoly.h" + /* * Cipher types for SSH-1. New types can be added, but old types should not * be removed for compatibility. The maximum allowed value is 31. @@ -66,6 +68,7 @@ struct CipherContext { int plaintext; int encrypt; EVP_CIPHER_CTX evp; + struct chachapoly_ctx cp_ctx; /* XXX union with evp? */ const Cipher *cipher; }; @@ -75,11 +78,13 @@ const Cipher *cipher_by_number(int); int cipher_number(const char *); char *cipher_name(int); int ciphers_valid(const char *); -char *cipher_alg_list(char); +char *cipher_alg_list(char, int); void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int, const u_char *, u_int, int); -void cipher_crypt(CipherContext *, u_char *, const u_char *, +void cipher_crypt(CipherContext *, u_int, u_char *, const u_char *, u_int, u_int, u_int); +int cipher_get_length(CipherContext *, u_int *, u_int, + const u_char *, u_int); void cipher_cleanup(CipherContext *); void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int); u_int cipher_blocksize(const Cipher *); diff --git a/dh.c b/dh.c index d33af1fa..3331cda6 100644 
--- a/dh.c +++ b/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */ +/* $OpenBSD: dh.c,v 1.53 2013/11/21 00:45:44 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * @@ -254,33 +254,19 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) void dh_gen_key(DH *dh, int need) { - int i, bits_set, tries = 0; + int pbits; - if (need < 0) - fatal("dh_gen_key: need < 0"); + if (need <= 0) + fatal("%s: need <= 0", __func__); if (dh->p == NULL) - fatal("dh_gen_key: dh->p == NULL"); - if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p)) - fatal("dh_gen_key: group too small: %d (2*need %d)", - BN_num_bits(dh->p), 2*need); - do { - if (dh->priv_key != NULL) - BN_clear_free(dh->priv_key); - if ((dh->priv_key = BN_new()) == NULL) - fatal("dh_gen_key: BN_new failed"); - /* generate a 2*need bits random private exponent */ - if (!BN_rand(dh->priv_key, 2*need, 0, 0)) - fatal("dh_gen_key: BN_rand failed"); - if (DH_generate_key(dh) == 0) - fatal("DH_generate_key"); - for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++) - if (BN_is_bit_set(dh->priv_key, i)) - bits_set++; - debug2("dh_gen_key: priv key bits set: %d/%d", - bits_set, BN_num_bits(dh->priv_key)); - if (tries++ > 10) - fatal("dh_gen_key: too many bad keys: giving up"); - } while (!dh_pub_is_valid(dh, dh->pub_key)); + fatal("%s: dh->p == NULL", __func__); + if ((pbits = BN_num_bits(dh->p)) <= 0) + fatal("%s: bits(p) <= 0", __func__); + dh->length = MIN(need * 2, pbits - 1); + if (DH_generate_key(dh) == 0) + fatal("%s: key generation failed", __func__); + if (!dh_pub_is_valid(dh, dh->pub_key)) + fatal("%s: generated invalid key", __func__); } DH * diff --git a/myproposal.h b/myproposal.h index 8da2ac91..71dbc997 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.33 2013/11/02 21:59:15 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.34 2013/11/21 00:45:44 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
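Review bot: The rewritten dh_gen_key drops the old `need > INT_MAX / 2` guard, so `need * 2` in `dh->length = MIN(need * 2, pbits - 1);` is an unchecked signed multiplication; `need` is presumably small in practice (it is derived from the negotiated cipher and MAC sizes), but a one-line guard keeps the function free of undefined behaviour for any caller: `if (need > INT_MAX / 2) fatal("%s: need too large: %d", __func__, need);`. The private exponent is now sized by OpenSSL through `dh->length` instead of the explicit 2*need-bit BN_rand plus the bits-set sanity loop, so correctness depends on DH_generate_key honouring `length`, which is worth recording on that line: `/* OpenSSL sizes the private exponent from dh->length; 2*need bits matches what the explicit BN_rand used to generate */`. The retry loop is also gone, so a single invalid public key is now fatal instead of being regenerated; presumably acceptable given how unlikely that is for these groups, but the behaviour change deserves a sentence in the commit message.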
@@ -104,6 +104,7 @@ "aes128-ctr,aes192-ctr,aes256-ctr," \ "arcfour256,arcfour128," \ AESGCM_CIPHER_MODES \ + "chacha20-poly1305@openssh.com," \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" diff --git a/packet.c b/packet.c index 0d27e759..029bb4c9 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.188 2013/07/12 00:19:58 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.190 2013/11/21 00:45:44 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -713,7 +713,7 @@ packet_send1(void) buffer_append(&active_state->output, buf, 4); cp = buffer_append_space(&active_state->output, buffer_len(&active_state->outgoing_packet)); - cipher_crypt(&active_state->send_context, cp, + cipher_crypt(&active_state->send_context, 0, cp, buffer_ptr(&active_state->outgoing_packet), buffer_len(&active_state->outgoing_packet), 0, 0); @@ -946,8 +946,8 @@ packet_send2_wrapped(void) } /* encrypt packet and append to output buffer. */ cp = buffer_append_space(&active_state->output, len + authlen); - cipher_crypt(&active_state->send_context, cp, - buffer_ptr(&active_state->outgoing_packet), + cipher_crypt(&active_state->send_context, active_state->p_send.seqnr, + cp, buffer_ptr(&active_state->outgoing_packet), len - aadlen, aadlen, authlen); /* append unencrypted MAC */ if (mac && mac->enabled) { @@ -996,7 +996,7 @@ packet_send2(void) (type == SSH2_MSG_SERVICE_REQUEST) || (type == SSH2_MSG_SERVICE_ACCEPT)) { debug("enqueue packet: %u", type); - p = xmalloc(sizeof(*p)); + p = xcalloc(1, sizeof(*p)); p->type = type; memcpy(&p->payload, &active_state->outgoing_packet, sizeof(Buffer)); 
@@ -1208,7 +1208,7 @@ packet_read_poll1(void) /* Decrypt data to incoming_packet. */ buffer_clear(&active_state->incoming_packet); cp = buffer_append_space(&active_state->incoming_packet, padded_len); - cipher_crypt(&active_state->receive_context, cp, + cipher_crypt(&active_state->receive_context, 0, cp, buffer_ptr(&active_state->input), padded_len, 0, 0); buffer_consume(&active_state->input, padded_len); @@ -1279,10 +1279,12 @@ packet_read_poll2(u_int32_t *seqnr_p) aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; if (aadlen && active_state->packlen == 0) { - if (buffer_len(&active_state->input) < 4) + if (cipher_get_length(&active_state->receive_context, + &active_state->packlen, + active_state->p_read.seqnr, + buffer_ptr(&active_state->input), + buffer_len(&active_state->input)) != 0) return SSH_MSG_NONE; - cp = buffer_ptr(&active_state->input); - active_state->packlen = get_u32(cp); if (active_state->packlen < 1 + 4 || active_state->packlen > PACKET_MAX_SIZE) { #ifdef PACKET_DEBUG @@ -1302,7 +1304,8 @@ packet_read_poll2(u_int32_t *seqnr_p) buffer_clear(&active_state->incoming_packet); cp = buffer_append_space(&active_state->incoming_packet, block_size); - cipher_crypt(&active_state->receive_context, cp, + cipher_crypt(&active_state->receive_context, + active_state->p_read.seqnr, cp, buffer_ptr(&active_state->input), block_size, 0, 0); cp = buffer_ptr(&active_state->incoming_packet); active_state->packlen = get_u32(cp); @@ -1357,7 +1360,8 @@ packet_read_poll2(u_int32_t *seqnr_p) macbuf = mac_compute(mac, active_state->p_read.seqnr, buffer_ptr(&active_state->input), aadlen + need); cp = buffer_append_space(&active_state->incoming_packet, aadlen + need); - cipher_crypt(&active_state->receive_context, cp, + cipher_crypt(&active_state->receive_context, + active_state->p_read.seqnr, cp, buffer_ptr(&active_state->input), need, aadlen, authlen); buffer_consume(&active_state->input, aadlen + need + authlen); /* 
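Review bot: In the `packlen == 0` branch of packet_read_poll2 the value obtained from cipher_get_length is, on the chacha20-poly1305 path, decrypted but not yet authenticated — the tag covering it is only checked inside cipher_crypt once the whole packet has arrived — so the `1 + 4 .. PACKET_MAX_SIZE` range test that follows is the only thing between a forged length and the receiver waiting for up to PACKET_MAX_SIZE bytes; that is the protocol's intended design, but it deserves a comment at the call site, e.g. `/* For AEAD ciphers the length is decrypted here but only authenticated (as AAD) by cipher_crypt() once the full packet is in hand. */`. The return-value mapping also merits a word: cipher_get_length currently returns -1 only when fewer than 4 bytes are buffered and the caller treats that as "need more data" (SSH_MSG_NONE), so if a future implementation returned -1 for a genuine failure it would be silently retried; a comment, or a distinct return code for real errors, would keep that honest. packet_read_poll2 begins and ends outside this hunk.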
diff --git a/poly1305.c b/poly1305.c
new file mode 100644
index 00000000..059cc60f
--- /dev/null
+++ b/poly1305.c
@@ -0,0 +1,158 @@ +/* + * Public Domain poly1305 from Andrew M. + * poly1305-donna-unrolled.c from https://github.com/floodyberry/poly1305-donna + */ + +/* $OpenBSD: poly1305.c,v 1.2 2013/11/21 02:50:00 djm Exp $ */ + +#include "includes.h" + +#include +#include + +#include "poly1305.h" + +#define mul32x32_64(a,b) ((uint64_t)(a) * (b)) + +#define U8TO32_LE(p) \ + (((uint32_t)((p)[0])) | \ + ((uint32_t)((p)[1]) << 8) | \ + ((uint32_t)((p)[2]) << 16) | \ + ((uint32_t)((p)[3]) << 24)) + +#define U32TO8_LE(p, v) \ + do { \ + (p)[0] = (uint8_t)((v)); \ + (p)[1] = (uint8_t)((v) >> 8); \ + (p)[2] = (uint8_t)((v) >> 16); \ + (p)[3] = (uint8_t)((v) >> 24); \ + } while (0) + +void +poly1305_auth(unsigned char out[POLY1305_TAGLEN], const unsigned char *m, size_t inlen, const unsigned char key[POLY1305_KEYLEN]) { + uint32_t t0,t1,t2,t3; + uint32_t h0,h1,h2,h3,h4; + uint32_t r0,r1,r2,r3,r4; + uint32_t s1,s2,s3,s4; + uint32_t b, nb; + size_t j; + uint64_t t[5]; + uint64_t f0,f1,f2,f3; + uint32_t g0,g1,g2,g3,g4; + uint64_t c; + unsigned char mp[16]; + + /* clamp key */ + t0 = U8TO32_LE(key+0); + t1 = U8TO32_LE(key+4); + t2 = U8TO32_LE(key+8); + t3 = U8TO32_LE(key+12); + + /* precompute multipliers */ + r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6; + r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12; + r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18; + r3 = t2 & 0x3f03fff; t3 >>= 8; + r4 = t3 & 0x00fffff; + + s1 = r1 * 5; + s2 = r2 * 5; + s3 = r3 * 5; + s4 = r4 * 5; + + /* init state */ + h0 = 0; + h1 = 0; + h2 = 0; + h3 = 0; + h4 = 0; + + /* full blocks */ + if (inlen < 16) goto poly1305_donna_atmost15bytes; +poly1305_donna_16bytes: + m += 16; + inlen -= 16; + + t0 = U8TO32_LE(m-16); + t1 = U8TO32_LE(m-12); + t2 = U8TO32_LE(m-8); + t3 = U8TO32_LE(m-4); + + h0 += t0 & 0x3ffffff; + h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff; + h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff; + h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff; + h4 += (t3 >> 8) | (1 << 24); + + 
+poly1305_donna_mul: + t[0] = mul32x32_64(h0,r0) + mul32x32_64(h1,s4) + mul32x32_64(h2,s3) + mul32x32_64(h3,s2) + mul32x32_64(h4,s1); + t[1] = mul32x32_64(h0,r1) + mul32x32_64(h1,r0) + mul32x32_64(h2,s4) + mul32x32_64(h3,s3) + mul32x32_64(h4,s2); + t[2] = mul32x32_64(h0,r2) + mul32x32_64(h1,r1) + mul32x32_64(h2,r0) + mul32x32_64(h3,s4) + mul32x32_64(h4,s3); + t[3] = mul32x32_64(h0,r3) + mul32x32_64(h1,r2) + mul32x32_64(h2,r1) + mul32x32_64(h3,r0) + mul32x32_64(h4,s4); + t[4] = mul32x32_64(h0,r4) + mul32x32_64(h1,r3) + mul32x32_64(h2,r2) + mul32x32_64(h3,r1) + mul32x32_64(h4,r0); + + h0 = (uint32_t)t[0] & 0x3ffffff; c = (t[0] >> 26); + t[1] += c; h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26); + t[2] += b; h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26); + t[3] += b; h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26); + t[4] += b; h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26); + h0 += b * 5; + + if (inlen >= 16) goto poly1305_donna_16bytes; + + /* final bytes */ +poly1305_donna_atmost15bytes: + if (!inlen) goto poly1305_donna_finish; + + for (j = 0; j < inlen; j++) mp[j] = m[j]; + mp[j++] = 1; + for (; j < 16; j++) mp[j] = 0; + inlen = 0; + + t0 = U8TO32_LE(mp+0); + t1 = U8TO32_LE(mp+4); + t2 = U8TO32_LE(mp+8); + t3 = U8TO32_LE(mp+12); + + h0 += t0 & 0x3ffffff; + h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff; + h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff; + h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff; + h4 += (t3 >> 8); + + goto poly1305_donna_mul; + +poly1305_donna_finish: + b = h0 >> 26; h0 = h0 & 0x3ffffff; + h1 += b; b = h1 >> 26; h1 = h1 & 0x3ffffff; + h2 += b; b = h2 >> 26; h2 = h2 & 0x3ffffff; + h3 += b; b = h3 >> 26; h3 = h3 & 0x3ffffff; + h4 += b; b = h4 >> 26; h4 = h4 & 0x3ffffff; + h0 += b * 5; b = h0 >> 26; h0 = h0 & 0x3ffffff; + h1 += b; + + g0 = h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff; + g1 = h1 + b; b = g1 >> 26; g1 &= 0x3ffffff; + g2 = h2 + b; b = g2 >> 26; g2 &= 0x3ffffff; + 
g3 = h3 + b; b = g3 >> 26; g3 &= 0x3ffffff; + g4 = h4 + b - (1 << 26); + + b = (g4 >> 31) - 1; + nb = ~b; + h0 = (h0 & nb) | (g0 & b); + h1 = (h1 & nb) | (g1 & b); + h2 = (h2 & nb) | (g2 & b); + h3 = (h3 & nb) | (g3 & b); + h4 = (h4 & nb) | (g4 & b); + + f0 = ((h0 ) | (h1 << 26)) + (uint64_t)U8TO32_LE(&key[16]); + f1 = ((h1 >> 6) | (h2 << 20)) + (uint64_t)U8TO32_LE(&key[20]); + f2 = ((h2 >> 12) | (h3 << 14)) + (uint64_t)U8TO32_LE(&key[24]); + f3 = ((h3 >> 18) | (h4 << 8)) + (uint64_t)U8TO32_LE(&key[28]); + + U32TO8_LE(&out[ 0], f0); f1 += (f0 >> 32); + U32TO8_LE(&out[ 4], f1); f2 += (f1 >> 32); + U32TO8_LE(&out[ 8], f2); f3 += (f2 >> 32); + U32TO8_LE(&out[12], f3); +} diff --git a/poly1305.h b/poly1305.h new file mode 100644 index 00000000..a31fb742 --- /dev/null +++ b/poly1305.h @@ -0,0 +1,22 @@ +/* $OpenBSD: poly1305.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */ + +/* + * Public Domain poly1305 from Andrew M. + * poly1305-donna-unrolled.c from https://github.com/floodyberry/poly1305-donna + */ + +#ifndef POLY1305_H +#define POLY1305_H + +#include + +#define POLY1305_KEYLEN 32 +#define POLY1305_TAGLEN 16 + +void poly1305_auth(u_char out[POLY1305_TAGLEN], const u_char *m, size_t inlen, + const u_char key[POLY1305_KEYLEN]) + __attribute__((__bounded__(__minbytes__, 1, POLY1305_TAGLEN))) + __attribute__((__bounded__(__buffer__, 2, 3))) + __attribute__((__bounded__(__minbytes__, 4, POLY1305_KEYLEN))); + +#endif /* POLY1305_H */ diff --git a/servconf.c b/servconf.c index 3593223f..cb21bd22 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.245 2013/11/07 11:58:27 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.246 2013/11/21 00:45:44 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
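Review bot: The file header says only `poly1305-donna-unrolled.c from https://github.com/floodyberry/poly1305-donna`, with no upstream version or commit, whereas chacha.c records `version 20080118`; without a pinned revision nobody can later verify that these 158 lines match a known upstream state or tell whether an upstream fix applies, so the comment should name the revision it was taken from, e.g. `* poly1305-donna-unrolled.c (upstream commit <hash>) from https://github.com/floodyberry/poly1305-donna`. A smaller point: the clamped key words `r0..r4` and `s1..s4` are derived from the per-packet key and are not cleared before poly1305_auth returns, while the caller in cipher-chachapoly.c does bzero its own `poly_key`; clearing them at the end of the function would be consistent, with the usual caveat that a plain memset before return may be optimized away.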
@@ -2038,7 +2038,7 @@ dump_config(ServerOptions *o) dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sXAuthLocation, o->xauth_location); dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : - cipher_alg_list(',')); + cipher_alg_list(',', 0)); dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(',')); dump_cfg_string(sBanner, o->banner); dump_cfg_string(sForceCommand, o->adm_forced_command); diff --git a/ssh.1 b/ssh.1 index 6369fc28..73e20869 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.339 2013/10/16 22:49:38 djm Exp $ -.Dd $Mdocdate: October 16 2013 $ +.\" $OpenBSD: ssh.1,v 1.340 2013/11/21 00:45:44 djm Exp $ +.Dd $Mdocdate: November 21 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -504,6 +504,8 @@ for the algorithms supported for the specified version 2 The queriable features are: .Dq cipher (supported symmetric ciphers), +.Dq cipher-auth +(supported symmetric ciphers that support authenticated encryption), .Dq MAC (supported message integrity codes), .Dq KEX diff --git a/ssh.c b/ssh.c index e2c43634..58becd70 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.392 2013/11/07 11:58:27 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.393 2013/11/21 00:45:44 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -520,7 +520,9 @@ main(int ac, char **av) case 'Q': /* deprecated */ cp = NULL; if (strcasecmp(optarg, "cipher") == 0) - cp = cipher_alg_list('\n'); + cp = cipher_alg_list('\n', 0); + else if (strcasecmp(optarg, "cipher-auth") == 0) + cp = cipher_alg_list('\n', 1); else if (strcasecmp(optarg, "mac") == 0) cp = mac_alg_list('\n'); else if (strcasecmp(optarg, "kex") == 0) diff --git a/ssh_config.5 b/ssh_config.5 index 8809568a..9dbc76ca 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.179 2013/11/02 22:39:19 markus Exp $ -.Dd $Mdocdate: November 2 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.180 2013/11/21 00:45:44 djm Exp $ +.Dd $Mdocdate: November 21 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -334,7 +334,8 @@ The default is Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. -The supported ciphers are +The supported ciphers are: +.Pp .Dq 3des-cbc , .Dq aes128-cbc , .Dq aes192-cbc , @@ -348,15 +349,24 @@ The supported ciphers are .Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , +.Dq cast128-cbc , and -.Dq cast128-cbc . +.Dq chacha20-poly1305@openssh.com . +.Pp The default is: +.Pp .Bd -literal -offset 3n aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-gcm@openssh.com,aes256-gcm@openssh.com, +chacha20-poly1305@openssh.com, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour .Ed +.Pp +The list of available ciphers may also be obtained using the +.Fl Q +option of +.Xr ssh 1 . .It Cm ClearAllForwardings Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be diff --git a/sshd_config.5 b/sshd_config.5 index 02c45a7d..b9864fff 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.166 2013/11/02 22:39:19 markus Exp $ -.Dd $Mdocdate: November 2 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.167 2013/11/21 00:45:44 djm Exp $ +.Dd $Mdocdate: November 21 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -335,7 +335,8 @@ The default is not to .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. -The supported ciphers are +The supported ciphers are: +.Pp .Dq 3des-cbc , .Dq aes128-cbc , .Dq aes192-cbc , @@ -349,15 +350,24 @@ The supported ciphers are .Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , +.Dq cast128-cbc , and -.Dq cast128-cbc . +.Dq chacha20-poly1305@openssh.com . +.Pp The default is: +.Pp .Bd -literal -offset 3n aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-gcm@openssh.com,aes256-gcm@openssh.com, +chacha20-poly1305@openssh.com, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour .Ed +.Pp +The list of available ciphers may also be obtained using the +.Fl Q +option of +.Xr ssh 1 . .It Cm ClientAliveCountMax Sets the number of client alive messages (see below) which may be sent without -- cgit v1.2.1 From 91a641759d8230467eef7d3d39ce944f465a2564 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Nov 2013 03:24:11 +0000 Subject: - naddy@cvs.openbsd.org 2013/11/18 05:09:32 [regress/forward-control.sh] bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164) to successfully run this; ok djm@ (ID sync only; our timeouts are already longer) --- regress/forward-control.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 80ddb416..7f7d105e 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $ +# $OpenBSD: forward-control.sh,v 1.2 2013/11/18 05:09:32 naddy Exp $ # Placed in the Public Domain. tid="sshd control of local and remote forwarding" -- cgit v1.2.1 From 0bac295675be423972bcaf80a2b99fe772b3b593 Mon Sep 17 00:00:00 2001 
From: djm Date: Thu, 21 Nov 2013 03:24:46 +0000 Subject: - djm@cvs.openbsd.org 2013/11/21 03:15:46 [regress/krl.sh] add some reminders for additional tests that I'd like to implement --- regress/krl.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/regress/krl.sh b/regress/krl.sh index de9cc876..09246371 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -1,4 +1,4 @@ -# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $ +# $OpenBSD: krl.sh,v 1.2 2013/11/21 03:15:46 djm Exp $ # Placed in the Public Domain. tid="key revocation lists" @@ -101,6 +101,9 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \ >/dev/null || fatal "$SSHKEYGEN KRL failed" } +## XXX dump with trace and grep for set cert serials +## XXX test ranges near (u64)-1, etc. + verbose "$tid: generating KRLs" genkrls -- cgit v1.2.1 From 3589a3c999a3a6b4a4c5c3fd164aec74e106a5ed Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Nov 2013 03:25:16 +0000 Subject: - djm@cvs.openbsd.org 2013/11/21 03:16:47 [regress/modpipe.c] use unsigned long long instead of u_int64_t here to avoid warnings on some systems portable OpenSSH is built on. --- regress/modpipe.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/regress/modpipe.c b/regress/modpipe.c index 85747cf7..e854f9e0 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */ +/* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */ #include "includes.h" @@ -68,7 +68,7 @@ usage(void) #define MAX_MODIFICATIONS 256 struct modification { enum { MOD_XOR, MOD_AND_OR } what; - u_int64_t offset; + unsigned long long offset; u_int8_t m1, m2; }; 
@@ -79,7 +79,7 @@ parse_modification(const char *s, struct modification *m) int n, m1, m2; bzero(m, sizeof(*m)); - if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i", + if ((n = sscanf(s, "%16[^:]%*[:]%llu%*[:]%i%*[:]%i", what, &m->offset, &m1, &m2)) < 3) errx(1, "Invalid modification spec \"%s\"", s); if (strcasecmp(what, "xor") == 0) { -- cgit v1.2.1 From a240c522cbed51fcf80ac0d8b7a3f2434f0a334d Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 21 Nov 2013 03:26:18 +0000 Subject: - djm@cvs.openbsd.org 2013/11/21 03:18:51 [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] [regress/try-ciphers.sh] use new "ssh -Q cipher-auth" query to obtain lists of authenticated encryption ciphers instead of specifying them manually; ensures that the new chacha20poly1305@openssh.com mode is tested; ok markus@ and naddy@ as part of the diff to add chacha20poly1305@openssh.com --- ChangeLog | 20 ++++++++++++++++++++ regress/cipher-speed.sh | 10 +++++----- regress/integrity.sh | 14 ++++++++------ regress/rekey.sh | 12 ++++++------ regress/try-ciphers.sh | 11 ++++++----- 5 files changed, 45 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index 28186e89..8cf8a20a 100644 --- a/ChangeLog +++ b/ChangeLog 
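Review bot: Changing the offset conversion from `%lli` to `%llu` also changes what inputs are accepted: `%lli` auto-detected `0x…` hex and leading-zero octal offsets while `%llu` is decimal only, and `%llu` still consumes a leading `-`, which wraps into a huge `m->offset` instead of being rejected by the `n < 3` check. If the regress scripts only ever pass decimal, non-negative offsets this is harmless, but the spec should be validated rather than silently reinterpreted: reject the spec when the offset field starts with `-` (e.g. parse that field with `strtoull` and check the first character yourself), and state in the usage text that offsets are decimal. The size of `what` against the `%16[^:]` width is declared outside this hunk and is worth confirming.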
@@ -36,6 +36,26 @@ Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@ + - naddy@cvs.openbsd.org 2013/11/18 05:09:32 + [regress/forward-control.sh] + bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164) + to successfully run this; ok djm@ + - djm@cvs.openbsd.org 2013/11/21 03:15:46 + [regress/krl.sh] + add some reminders for additional tests that I'd like to implement + - djm@cvs.openbsd.org 2013/11/21 03:16:47 + [regress/modpipe.c] + use unsigned long long instead of u_int64_t here to avoid warnings + on some systems portable OpenSSH is built on. + - djm@cvs.openbsd.org 2013/11/21 03:18:51 + [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] + [regress/try-ciphers.sh] + use new "ssh -Q cipher-auth" query to obtain lists of authenticated + encryption ciphers instead of specifying them manually; ensures that + the new chacha20poly1305@openssh.com mode is tested; + + ok markus@ and naddy@ as part of the diff to add + chacha20poly1305@openssh.com 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 8ff9b322..a6d53a78 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.10 2013/11/07 02:48:38 dtucker Exp $ +# $OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $ # Placed in the Public Domain. tid="cipher speed" @@ -24,10 +24,10 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do fail "ssh -2 failed with mac $m cipher $c" fi done - # No point trying all MACs for GCM since they are ignored. - case $c in - aes*-gcm@openssh.com) test $n -gt 0 && break;; - esac + # No point trying all MACs for AEAD ciphers since they are ignored. + if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then + break + fi n=`expr $n + 1` done; done diff --git a/regress/integrity.sh b/regress/integrity.sh index de2b8d05..852d8269 100644 
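Review bot: The new AEAD test calls the bare `ssh` from PATH while the loops above it use `${SSH}`; `-Q cipher-auth` only exists in the ssh being built, so with an older or missing ssh on PATH the query fails, `>/dev/null 2>&1` hides the error, and the `break` never fires — the AEAD cipher is silently exercised with every MAC and the test's intent is lost. Use the built binary: `if ${SSH} -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then`. The same bare `ssh` appears in the integrity.sh hunk (the `macopt=` branch) and in the try-ciphers.sh hunk of this commit. Running the query once before the MAC loop, instead of per iteration, would also avoid repeated process spawns, though that is only a speed concern.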
--- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.11 2013/11/07 02:48:38 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $ # Placed in the Public Domain. tid="integrity" @@ -11,7 +11,7 @@ startoffset=2900 macs=`${SSH} -Q mac` # The following are not MACs, but ciphers with integrated integrity. They are # handled specially below. -macs="$macs `${SSH} -Q cipher | grep gcm@openssh.com`" +macs="$macs `${SSH} -Q cipher-auth`" # avoid DH group exchange as the extra traffic makes it harder to get the # offset into the stream right. @@ -36,12 +36,14 @@ for m in $macs; do fi # modify output from sshd at offset $off pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" - case $m in - aes*gcm*) macopt="-c $m";; - *) macopt="-m $m";; - esac + if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then + macopt="-c $m" + else + macopt="-m $m -c aes128-ctr" + fi verbose "test $tid: $m @$off" ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ + -oServerAliveInterval=1 -oServerAliveCountMax=30 \ 999.999.999.999 'printf "%4096s" " "' >/dev/null if [ $? -eq 0 ]; then fail "ssh -m $m succeeds with bit-flip at $off" diff --git a/regress/rekey.sh b/regress/rekey.sh index fe81f0c3..cf9401ea 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.13 2013/11/09 05:41:34 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $ # Placed in the Public Domain. tid="rekey" 
@@ -44,9 +44,9 @@ for opt in $opts; do ssh_data_rekeying -oRekeyLimit=256k -o$opt done -# GCM is magical so test with all KexAlgorithms -if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then - for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do +# AEAD ciphers are magical so test with all KexAlgorithms +if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then + for c in `${SSH} -Q cipher-auth`; do for kex in `${SSH} -Q kex`; do verbose "client rekey $c $kex" ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex @@ -131,10 +131,10 @@ for size in 16 1k 1K 1m 1M 1g 1G; do awk '/rekeylimit/{print $3}'` if [ "$bytes" != "$b" ]; then - fatal "rekeylimit size: expected $bytes got $b" + fatal "rekeylimit size: expected $bytes bytes got $b" fi if [ "$seconds" != "$s" ]; then - fatal "rekeylimit time: expected $time got $s" + fatal "rekeylimit time: expected $time seconds got $s" fi done done diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 48584329..ac34cedb 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.21 2013/11/07 02:48:38 dtucker Exp $ +# $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $ # Placed in the Public Domain. tid="try ciphers" @@ -12,10 +12,11 @@ for c in `${SSH} -Q cipher`; do if [ $? -ne 0 ]; then fail "ssh -2 failed with mac $m cipher $c" fi - # No point trying all MACs for GCM since they are ignored. - case $c in - aes*-gcm@openssh.com) test $n -gt 0 && break;; - esac + # No point trying all MACs for AEAD ciphers since they + # are ignored. + if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then + break + fi n=`expr $n + 1` done done -- cgit v1.2.1 From f3dae38249a2bf2114bfe51d30e04f398454933d Mon Sep 17 00:00:00 2001 
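Review bot: `grep '^.*$'` matches every line, including an empty one, so the guard only checks that `${SSH} -Q cipher-auth` produced some output, and a failed query is indistinguishable from "no AEAD ciphers" because stderr is discarded too. `grep -q .` (non-empty line) or `[ -n "\`${SSH} -Q cipher-auth\`" ]` expresses the intent directly; if the query cannot fail on the built binary this is purely a readability point.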
From: djm Date: Wed, 4 Dec 2013 23:18:43 +0000 Subject: - jmc@cvs.openbsd.org 2013/11/21 08:05:09 [ssh_config.5 sshd_config.5] no need for .Pp before displays; --- ChangeLog | 6 ++++++ ssh_config.5 | 3 +-- sshd_config.5 | 3 +-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8cf8a20a..9f2fb101 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20131205 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2013/11/21 08:05:09 + [ssh_config.5 sshd_config.5] + no need for .Pp before displays; + 20131121 - (djm) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/11/08 11:15:19 diff --git a/ssh_config.5 b/ssh_config.5 index 9dbc76ca..0e6fd862 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.180 2013/11/21 00:45:44 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.181 2013/11/21 08:05:09 jmc Exp $ .Dd $Mdocdate: November 21 2013 $ .Dt SSH_CONFIG 5 .Os @@ -354,7 +354,6 @@ and .Dq chacha20-poly1305@openssh.com . .Pp The default is: -.Pp .Bd -literal -offset 3n aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-gcm@openssh.com,aes256-gcm@openssh.com, diff --git a/sshd_config.5 b/sshd_config.5 index b9864fff..0418c86e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.167 2013/11/21 00:45:44 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.168 2013/11/21 08:05:09 jmc Exp $ .Dd $Mdocdate: November 21 2013 $ .Dt SSHD_CONFIG 5 .Os 
@@ -355,7 +355,6 @@ and .Dq chacha20-poly1305@openssh.com . .Pp The default is: -.Pp .Bd -literal -offset 3n aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-gcm@openssh.com,aes256-gcm@openssh.com, -- cgit v1.2.1 From c933ec5c46f980faf390845afa1c0c9d1b57b7f9 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 4 Dec 2013 23:19:54 +0000 Subject: - deraadt@cvs.openbsd.org 2013/11/25 18:04:21 [ssh.1 ssh.c] improve -Q usage and such. One usage change is that the option is now case-sensitive ok dtucker markus djm --- ChangeLog | 5 +++++ ssh.1 | 24 +++++++++++------------- ssh.c | 20 ++++++++++---------- 3 files changed, 26 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9f2fb101..71f5dfe3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,11 @@ - jmc@cvs.openbsd.org 2013/11/21 08:05:09 [ssh_config.5 sshd_config.5] no need for .Pp before displays; + - deraadt@cvs.openbsd.org 2013/11/25 18:04:21 + [ssh.1 ssh.c] + improve -Q usage and such. One usage change is that the option is now + case-sensitive + ok dtucker markus djm 20131121 - (djm) OpenBSD CVS Sync diff --git a/ssh.1 b/ssh.1 index 73e20869..842affbd 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.340 2013/11/21 00:45:44 djm Exp $ -.Dd $Mdocdate: November 21 2013 $ +.\" $OpenBSD: ssh.1,v 1.341 2013/11/25 18:04:21 deraadt Exp $ +.Dd $Mdocdate: November 25 2013 $ .Dt SSH 1 .Os .Sh NAME 
@@ -60,13 +60,13 @@ .Op Fl p Ar port .Op Fl R Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport .Op Fl S Ar ctl_path +.Op Fl Q Ar cipher | Ar cipher-auth | Ar mac | Ar kex | Ar key .Op Fl W Ar host : Ns Ar port .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command .Ek .Nm -.Fl Q Ar protocol_feature .Sh DESCRIPTION .Nm (SSH client) is a program for logging into a remote machine and for @@ -496,23 +496,21 @@ For full details of the options listed below, and their possible values, see Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. -.It Fl Q Ar protocol_feature +.It Fl Q Ar cipher | Ar cipher-auth | Ar mac | Ar kex | Ar key Queries .Nm -for the algorithms supported for the specified version 2 -.Ar protocol_feature . -The queriable features are: -.Dq cipher +for the algorithms supported for the specified version 2. +The available features are: +.Ar cipher (supported symmetric ciphers), -.Dq cipher-auth +.Ar cipher-auth (supported symmetric ciphers that support authenticated encryption), -.Dq MAC +.Ar mac (supported message integrity codes), -.Dq KEX +.Ar kex (key exchange algorithms), -.Dq key +.Ar key (key types). -Protocol features are treated case-insensitively. .It Fl q Quiet mode. Causes most warning and diagnostic messages to be suppressed. diff --git a/ssh.c b/ssh.c index 58becd70..ea5d6edc 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.393 2013/11/21 00:45:44 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.394 2013/11/25 18:04:21 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -199,9 +199,9 @@ usage(void) "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" " [-F configfile] [-I pkcs11] [-i identity_file]\n" -" [-L [bind_address:]port:host:hostport] [-Q protocol_feature]\n" -" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" -" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" +" [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n" +" [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport]\n" +" [-S ctl_path] [-Q cipher | cipher-auth | mac | kex | key]\n" " [-W host:port] [-w local_tun[:remote_tun]]\n" " [user@]hostname [command]\n" ); @@ -517,17 +517,17 @@ main(int ac, char **av) case 'P': /* deprecated */ options.use_privileged_port = 0; break; - case 'Q': /* deprecated */ + case 'Q': cp = NULL; - if (strcasecmp(optarg, "cipher") == 0) + if (strcmp(optarg, "cipher") == 0) cp = cipher_alg_list('\n', 0); - else if (strcasecmp(optarg, "cipher-auth") == 0) + else if (strcmp(optarg, "cipher-auth") == 0) cp = cipher_alg_list('\n', 1); - else if (strcasecmp(optarg, "mac") == 0) + else if (strcmp(optarg, "mac") == 0) cp = mac_alg_list('\n'); - else if (strcasecmp(optarg, "kex") == 0) + else if (strcmp(optarg, "kex") == 0) cp = kex_alg_list('\n'); - else if (strcasecmp(optarg, "key") == 0) + else if (strcmp(optarg, "key") == 0) cp = key_alg_list(); if (cp == NULL) fatal("Unsupported query \"%s\"", optarg); -- cgit v1.2.1 From 7d2cb0254c86ec8b03671e6355048a0c83f795a4 Mon Sep 17 00:00:00 2001 
From: djm Date: Wed, 4 Dec 2013 23:20:52 +0000 Subject: - jmc@cvs.openbsd.org 2013/11/26 12:14:54 [ssh.1 ssh.c] - put -Q in the right place - Ar was a poor choice for the arguments to -Q. i've chosen an admittedly equally poor Cm, at least consistent with the rest of the docs. also no need for multiple instances - zap a now redundant Nm - usage() sync --- ChangeLog | 8 ++++++++ ssh.1 | 9 ++++----- ssh.c | 10 +++++----- 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 71f5dfe3..f23acac1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,14 @@ improve -Q usage and such. One usage change is that the option is now case-sensitive ok dtucker markus djm + - jmc@cvs.openbsd.org 2013/11/26 12:14:54 + [ssh.1 ssh.c] + - put -Q in the right place + - Ar was a poor choice for the arguments to -Q. i've chosen an + admittedly equally poor Cm, at least consistent with the rest + of the docs. also no need for multiple instances + - zap a now redundant Nm + - usage() sync 20131121 - (djm) OpenBSD CVS Sync diff --git a/ssh.1 b/ssh.1 index 842affbd..fc56997f 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.341 2013/11/25 18:04:21 deraadt Exp $ -.Dd $Mdocdate: November 25 2013 $ +.\" $OpenBSD: ssh.1,v 1.342 2013/11/26 12:14:54 jmc Exp $ +.Dd $Mdocdate: November 26 2013 $ .Dt SSH 1 .Os .Sh NAME 
@@ -58,15 +58,14 @@ .Op Fl O Ar ctl_cmd .Op Fl o Ar option .Op Fl p Ar port +.Op Fl Q Cm cipher | cipher-auth | mac | kex | key .Op Fl R Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport .Op Fl S Ar ctl_path -.Op Fl Q Ar cipher | Ar cipher-auth | Ar mac | Ar kex | Ar key .Op Fl W Ar host : Ns Ar port .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command .Ek -.Nm .Sh DESCRIPTION .Nm (SSH client) is a program for logging into a remote machine and for @@ -496,7 +495,7 @@ For full details of the options listed below, and their possible values, see Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. -.It Fl Q Ar cipher | Ar cipher-auth | Ar mac | Ar kex | Ar key +.It Fl Q Cm cipher | cipher-auth | mac | kex | key Queries .Nm for the algorithms supported for the specified version 2. diff --git a/ssh.c b/ssh.c index ea5d6edc..6c8cd731 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.394 2013/11/25 18:04:21 deraadt Exp $ */ +/* $OpenBSD: ssh.c,v 1.395 2013/11/26 12:14:54 jmc Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -200,10 +200,10 @@ usage(void) " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" " [-F configfile] [-I pkcs11] [-i identity_file]\n" " [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n" -" [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport]\n" -" [-S ctl_path] [-Q cipher | cipher-auth | mac | kex | key]\n" -" [-W host:port] [-w local_tun[:remote_tun]]\n" -" [user@]hostname [command]\n" +" [-O ctl_cmd] [-o option] [-p port]\n" +" [-Q cipher | cipher-auth | mac | kex | key]\n" +" [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]\n" +" [-w local_tun[:remote_tun]] [user@]hostname [command]\n" ); exit(255); } -- cgit v1.2.1 From 7033bd81c4b265942f19d260c239a0ede1723501 Mon Sep 17 00:00:00 2001 
From: djm Date: Wed, 4 Dec 2013 23:22:03 +0000 Subject: - deraadt@cvs.openbsd.org 2013/11/26 19:15:09 [pkcs11.h] cleanup 1 << 31 idioms. Resurrection of this issue pointed out by Eitan Adler ok markus for ssh, implies same change in kerberosV --- ChangeLog | 4 ++++ pkcs11.h | 18 +++++++++--------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index f23acac1..65cc0466 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ of the docs. also no need for multiple instances - zap a now redundant Nm - usage() sync + - deraadt@cvs.openbsd.org 2013/11/26 19:15:09 + [pkcs11.h] + cleanup 1 << 31 idioms. Resurrection of this issue pointed out by + Eitan Adler ok markus for ssh, implies same change in kerberosV 20131121 - (djm) OpenBSD CVS Sync diff --git a/pkcs11.h b/pkcs11.h index 2cde5b3f..b01d58f9 100644 --- a/pkcs11.h +++ b/pkcs11.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs11.h,v 1.2 2010/02/24 06:12:53 djm Exp $ */ +/* $OpenBSD: pkcs11.h,v 1.3 2013/11/26 19:15:09 deraadt Exp $ */ /* pkcs11.h Copyright 2006, 2007 g10 Code GmbH Copyright 2006 Andreas Jellinghaus @@ -319,7 +319,7 @@ typedef unsigned long ck_object_class_t; #define CKO_HW_FEATURE (5) #define CKO_DOMAIN_PARAMETERS (6) #define CKO_MECHANISM (7) -#define CKO_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKO_VENDOR_DEFINED (1U << 31) typedef unsigned long ck_hw_feature_type_t; @@ -327,7 +327,7 @@ typedef unsigned long ck_hw_feature_type_t; #define CKH_MONOTONIC_COUNTER (1) #define CKH_CLOCK (2) #define CKH_USER_INTERFACE (3) -#define CKH_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKH_VENDOR_DEFINED (1U << 31) typedef unsigned long ck_key_type_t; 
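Review bot: `(1U << 31)` removes the signed-shift undefined behaviour of the old `1 << 31`, but it also changes each constant's type from `unsigned long` to `unsigned int`, while the typedefs these values populate (`ck_object_class_t`, `ck_hw_feature_type_t`, `ck_key_type_t`, …) are `unsigned long`. `(1UL << 31)` gives the same value, avoids the same UB, and keeps the original type, so comparisons and mask arithmetic on the `unsigned long` fields stay exactly as before under `-Wconversion`/`-Wsign-conversion`. Value-wise the two forms are identical after promotion, so this is a style point; it applies equally to the CKH, CKK, CKC, CKA, CKM, CKF and CKR hunks of this file.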
@@ -357,14 +357,14 @@ typedef unsigned long ck_key_type_t; #define CKK_AES (0x1f) #define CKK_BLOWFISH (0x20) #define CKK_TWOFISH (0x21) -#define CKK_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKK_VENDOR_DEFINED (1U << 31) typedef unsigned long ck_certificate_type_t; #define CKC_X_509 (0) #define CKC_X_509_ATTR_CERT (1) #define CKC_WTLS (2) -#define CKC_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKC_VENDOR_DEFINED (1U << 31) typedef unsigned long ck_attribute_type_t; @@ -453,7 +453,7 @@ typedef unsigned long ck_attribute_type_t; #define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211) #define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212) #define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600) -#define CKA_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKA_VENDOR_DEFINED (1U << 31) struct ck_attribute @@ -672,7 +672,7 @@ typedef unsigned long ck_mechanism_type_t; #define CKM_DSA_PARAMETER_GEN (0x2000) #define CKM_DH_PKCS_PARAMETER_GEN (0x2001) #define CKM_X9_42_DH_PARAMETER_GEN (0x2002) -#define CKM_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKM_VENDOR_DEFINED (1U << 31) struct ck_mechanism @@ -703,7 +703,7 @@ struct ck_mechanism_info #define CKF_WRAP (1 << 17) #define CKF_UNWRAP (1 << 18) #define CKF_DERIVE (1 << 19) -#define CKF_EXTENSION ((unsigned long) (1 << 31)) +#define CKF_EXTENSION (1U << 31) /* Flags for C_WaitForSlotEvent. */ @@ -1179,7 +1179,7 @@ struct ck_c_initialize_args #define CKR_MUTEX_BAD (0x1a0) #define CKR_MUTEX_NOT_LOCKED (0x1a1) #define CKR_FUNCTION_REJECTED (0x200) -#define CKR_VENDOR_DEFINED ((unsigned long) (1 << 31)) +#define CKR_VENDOR_DEFINED (1U << 31) -- cgit v1.2.1 From f501d38be34a0194602c19b7e8c7c9a0f3d5bedd Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 4 Dec 2013 23:22:39 +0000 Subject: - djm@cvs.openbsd.org 2013/12/01 23:19:05 [PROTOCOL] mention curve25519-sha256@libssh.org key exchange algorithm --- ChangeLog | 3 +++ PROTOCOL | 8 +++++++- 2 files changed, 10 insertions(+), 1 deletion(-) 
diff --git a/ChangeLog b/ChangeLog index 65cc0466..336cb2af 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,9 @@ [pkcs11.h] cleanup 1 << 31 idioms. Resurrection of this issue pointed out by Eitan Adler ok markus for ssh, implies same change in kerberosV + - djm@cvs.openbsd.org 2013/12/01 23:19:05 + [PROTOCOL] + mention curve25519-sha256@libssh.org key exchange algorithm 20131121 - (djm) OpenBSD CVS Sync diff --git a/PROTOCOL b/PROTOCOL index cace97f8..4a5088f9 100644 --- a/PROTOCOL +++ b/PROTOCOL @@ -96,6 +96,12 @@ a matching MAC. OpenSSH supports authenticated encryption using ChaCha20 and Poly1305 as described in PROTOCOL.chacha20poly1305. +1.8 transport: curve25519-sha256@libssh.org key exchange algorithm + +OpenSSH supports the use of ECDH in Curve25519 for key exchange as +described at: +http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519 + 2. Connection protocol changes 2.1. connection: Channel write close extension "eow@openssh.com" @@ -350,4 +356,4 @@ respond with a SSH_FXP_STATUS message. This extension is advertised in the SSH_FXP_VERSION hello with version "1". -$OpenBSD: PROTOCOL,v 1.22 2013/11/21 00:45:43 djm Exp $ +$OpenBSD: PROTOCOL,v 1.23 2013/12/01 23:19:05 djm Exp $ -- cgit v1.2.1 From d7919f36aea54c470837cd4b785abb8a1212304d Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 4 Dec 2013 23:22:57 +0000 Subject: - djm@cvs.openbsd.org 2013/12/02 02:50:27 [PROTOCOL.chacha20poly1305] typo; from Jon Cave --- ChangeLog | 3 +++ PROTOCOL.chacha20poly1305 | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 336cb2af..1aa9e80e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ - djm@cvs.openbsd.org 2013/12/01 23:19:05 [PROTOCOL] mention curve25519-sha256@libssh.org key exchange algorithm + - djm@cvs.openbsd.org 2013/12/02 02:50:27 + [PROTOCOL.chacha20poly1305] + typo; from Jon Cave 20131121 - (djm) OpenBSD CVS Sync 
diff --git a/PROTOCOL.chacha20poly1305 b/PROTOCOL.chacha20poly1305 index c4b723af..9cf73a92 100644 --- a/PROTOCOL.chacha20poly1305 +++ b/PROTOCOL.chacha20poly1305 @@ -47,7 +47,7 @@ cipher by decrypting and using the packet length prior to checking the MAC. By using an independently-keyed cipher instance to encrypt the length, an active attacker seeking to exploit the packet input handling as a decryption oracle can learn nothing about the payload contents or -its MAC (assuming key derivation, ChaCha20 and Poly1306 are secure). +its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure). The AEAD is constructed as follows: for each packet, generate a Poly1305 key by taking the first 256 bits of ChaCha20 stream output generated @@ -101,5 +101,5 @@ References [3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 -$OpenBSD: PROTOCOL.chacha20poly1305,v 1.1 2013/11/21 00:45:43 djm Exp $ +$OpenBSD: PROTOCOL.chacha20poly1305,v 1.2 2013/12/02 02:50:27 djm Exp $ -- cgit v1.2.1 From 98880fe7a6ea45ecded62443a1cfda231498193f Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 4 Dec 2013 23:23:21 +0000 Subject: - djm@cvs.openbsd.org 2013/12/02 02:56:17 [ssh-pkcs11-helper.c] use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC --- ChangeLog | 3 +++ ssh-pkcs11-helper.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1aa9e80e..ef9ad851 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - djm@cvs.openbsd.org 2013/12/02 02:50:27 [PROTOCOL.chacha20poly1305] typo; from Jon Cave + - djm@cvs.openbsd.org 2013/12/02 02:56:17 + [ssh-pkcs11-helper.c] + use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC 20131121 - (djm) OpenBSD CVS Sync diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index 39b2e7c5..b7c52beb 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.7 2013/12/02 02:56:17 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -127,7 +127,8 @@ process_add(void) buffer_put_char(&msg, SSH2_AGENT_IDENTITIES_ANSWER); buffer_put_int(&msg, nkeys); for (i = 0; i < nkeys; i++) { - key_to_blob(keys[i], &blob, &blen); + if (key_to_blob(keys[i], &blob, &blen) == 0) + continue; buffer_put_string(&msg, blob, blen); buffer_put_cstring(&msg, name); free(blob); -- cgit v1.2.1 From 381ce9f44a3d171ac545da1365bb582bae27be6c Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 4 Dec 2013 23:25:51 +0000 Subject: - djm@cvs.openbsd.org 2013/12/02 03:09:22 [key.c] make key_to_blob() return a NULL blob on failure; part of bz#2175 from Loganaden Velvindron @ AfriNIC --- ChangeLog | 4 ++++ key.c | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ef9ad851..365af323 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,10 @@ - djm@cvs.openbsd.org 2013/12/02 02:56:17 [ssh-pkcs11-helper.c] use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC + - djm@cvs.openbsd.org 2013/12/02 03:09:22 + [key.c] + make key_to_blob() return a NULL blob on failure; part of + bz#2175 from Loganaden Velvindron @ AfriNIC 20131121 - (djm) OpenBSD CVS Sync diff --git a/key.c b/key.c index b20bcda5..3ee2d61a 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.105 2013/10/29 09:42:11 djm Exp $ */ +/* $OpenBSD: key.c,v 1.106 2013/12/02 03:09:22 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1587,6 +1587,10 @@ to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) Buffer b; int len, type; + if (blobp != NULL) + *blobp = NULL; + if (lenp != NULL) + *lenp = 0; if (key == NULL) { error("key_to_blob: key == NULL"); return 0; -- cgit v1.2.1 
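Review bot: After the new `continue`, the `nkeys` already written by `buffer_put_int(&msg, nkeys)` no longer matches the number of identities actually appended, so a client parsing SSH2_AGENT_IDENTITIES_ANSWER will expect more entries than the message holds and fail (or misread the following bytes) — the use-after-free is fixed, but the reply becomes malformed on exactly the same failure. Either count the keys that encode successfully and put that count before the loop, or make the failure fatal in the helper, `fatal("%s: key_to_blob failed for key %d", __func__, i);`, so the parent sees a clean error instead of a truncated answer. process_add continues outside this hunk.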
From 5dfd82f93597c9e28b19434356a1570d8de3a019 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 4 Dec 2013 23:26:14 +0000 Subject: - djm@cvs.openbsd.org 2013/12/02 03:13:14 [cipher.c] correct bzero of chacha20+poly1305 key context. bz#2177 from Loganaden Velvindron @ AfriNIC Also make it a memset for consistency with the rest of cipher.c --- ChangeLog | 6 ++++++ cipher.c | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 365af323..a7fd1d0b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,12 @@ [key.c] make key_to_blob() return a NULL blob on failure; part of bz#2175 from Loganaden Velvindron @ AfriNIC + - djm@cvs.openbsd.org 2013/12/02 03:13:14 + [cipher.c] + correct bzero of chacha20+poly1305 key context. bz#2177 from + Loganaden Velvindron @ AfriNIC + + Also make it a memset for consistency with the rest of cipher.c 20131121 - (djm) OpenBSD CVS Sync diff --git a/cipher.c b/cipher.c index c4aec392..fbb73014 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.91 2013/11/21 00:45:44 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.92 2013/12/02 03:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -414,7 +414,7 @@ void cipher_cleanup(CipherContext *cc) { if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) - bzero(&cc->cp_ctx, sizeof(&cc->cp_ctx)); + memset(&cc->cp_ctx, 0, sizeof(cc->cp_ctx)); else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); } -- cgit v1.2.1 From a8e92d31019bbb99cae6f14a3128ab6e82888980 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 4 Dec 2013 23:26:32 +0000 Subject: - djm@cvs.openbsd.org 2013/12/04 04:20:01 [sftp-client.c] bz#2171: don't leak local_fd on error; from Loganaden Velvindron @ AfriNIC --- ChangeLog | 4 ++++ sftp-client.c | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a7fd1d0b..2d3ec03a 100644 --- a/ChangeLog +++ b/ChangeLog 
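Review bot: `cc->cp_ctx` holds the ChaCha20/Poly1305 key schedule, and a plain `memset` of an object that is not read again is a dead store an optimizer may drop, so the wipe this hunk corrects can still silently not happen at the point where it matters most. Prefer a zeroing primitive the compiler cannot elide (e.g. `explicit_bzero`, with a compat fallback in the portable tree) for this and any other key-material wipes in cipher.c; the `sizeof(cc->cp_ctx)` fix itself is right. Whether `cc` is freed immediately after is outside the hunk.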
@@ -39,6 +39,10 @@ Loganaden Velvindron @ AfriNIC Also make it a memset for consistency with the rest of cipher.c + - djm@cvs.openbsd.org 2013/12/04 04:20:01 + [sftp-client.c] + bz#2171: don't leak local_fd on error; from Loganaden Velvindron @ + AfriNIC 20131121 - (djm) OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index 9ecded04..246e9498 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.109 2013/11/08 11:15:19 dtucker Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.110 2013/12/04 04:20:01 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1111,6 +1111,8 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, do_close(conn, handle, handle_len); buffer_free(&msg); free(handle); + if (local_fd != -1) + close(local_fd); return -1; } offset = highwater = st.st_size; -- cgit v1.2.1 From d4961d721e9871ab434f37b06f0ae7634873b249 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 5 Dec 2013 00:00:16 +0000 Subject: - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct -L location for libedit. Patch from Serge van den Boom. --- ChangeLog | 2 ++ configure.ac | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2d3ec03a..9f29954a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,8 @@ [sftp-client.c] bz#2171: don't leak local_fd on error; from Loganaden Velvindron @ AfriNIC + - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct + -L location for libedit. Patch from Serge van den Boom. 20131121 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index f3fe43d7..c691200b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.543 2013/11/09 11:32:51 dtucker Exp $ +# $Id: configure.ac,v 1.544 2013/12/05 00:00:16 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
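Review bot: The added `close(local_fd)` covers only this one error exit; any other error return in do_download after `local_fd` is opened is outside the hunk and would need the same two lines, which is how the original leak was missed. A single cleanup label that all error paths `goto` (closing the handle, freeing `msg`/`handle`, closing `local_fd` when it is not -1) would make the release hard to skip. The `!= -1` guard presumably covers a path where the file was never opened — confirm against the open() earlier in the function.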
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.543 $) +AC_REVISION($Revision: 1.544 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1446,7 +1446,7 @@ AC_ARG_WITH([libedit], fi fi if test "x$use_pkgconfig_for_libedit" = "xyes"; then - LIBEDIT=`$PKGCONFIG --libs-only-l libedit` + LIBEDIT=`$PKGCONFIG --libs libedit` CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" else LIBEDIT="-ledit -lcurses" -- cgit v1.2.1 From e9ec7df9386f486bd5e0992f5044deb714a80c53 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 5 Dec 2013 03:07:27 +0000 Subject: - djm@cvs.openbsd.org 2013/12/05 01:16:41 [servconf.c servconf.h] bz#2161 - fix AuthorizedKeysCommand inside a Match block and rearrange things so the same error is harder to make next time; with and ok dtucker@ --- ChangeLog | 5 +++++ servconf.c | 41 ++++++++++++++++++++--------------------- servconf.h | 5 ++++- 3 files changed, 29 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9f29954a..410ae1b9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,11 @@ [sftp-client.c] bz#2171: don't leak local_fd on error; from Loganaden Velvindron @ AfriNIC + - djm@cvs.openbsd.org 2013/12/05 01:16:41 + [servconf.c servconf.h] + bz#2161 - fix AuthorizedKeysCommand inside a Match block and + rearrange things so the same error is harder to make next time; + with and ok dtucker@ - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct -L location for libedit. Patch from Serge van den Boom. diff --git a/servconf.c b/servconf.c index cb21bd22..6db89f7c 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.246 2013/11/21 00:45:44 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.247 2013/12/05 01:16:41 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -1742,24 +1742,6 @@ int server_match_spec_complete(struct connection_info *ci) return 0; /* partial */ } -/* Helper macros */ -#define M_CP_INTOPT(n) do {\ - if (src->n != -1) \ - dst->n = src->n; \ -} while (0) -#define M_CP_STROPT(n) do {\ - if (src->n != NULL) { \ - free(dst->n); \ - dst->n = src->n; \ - } \ -} while(0) -#define M_CP_STRARRAYOPT(n, num_n) do {\ - if (src->num_n != 0) { \ - for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ - dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ - } \ -} while(0) - /* * Copy any supported values that are set. * @@ -1770,6 +1752,11 @@ int server_match_spec_complete(struct connection_info *ci) void copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) { +#define M_CP_INTOPT(n) do {\ + if (src->n != -1) \ + dst->n = src->n; \ +} while (0) + M_CP_INTOPT(password_authentication); M_CP_INTOPT(gss_authentication); M_CP_INTOPT(rsa_authentication); @@ -1779,8 +1766,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(hostbased_uses_name_from_packet_only); M_CP_INTOPT(kbd_interactive_authentication); M_CP_INTOPT(zero_knowledge_password_authentication); - M_CP_STROPT(authorized_keys_command); - M_CP_STROPT(authorized_keys_command_user); M_CP_INTOPT(permit_root_login); M_CP_INTOPT(permit_empty_passwd); @@ -1799,6 +1784,20 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); + /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ +#define M_CP_STROPT(n) do {\ + if (src->n != NULL && dst->n != src->n) { \ + free(dst->n); \ + dst->n = src->n; \ + } \ +} while(0) +#define M_CP_STRARRAYOPT(n, num_n) do {\ + if (src->num_n != 0) { \ + for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ + dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ + } \ +} while(0) + /* See comment in servconf.h */ COPY_MATCH_STRING_OPTS(); 
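Review bot: `M_CP_STROPT` still hands the string over by pointer assignment (`dst->n = src->n`) while `M_CP_STRARRAYOPT` duplicates with `xstrdup`, so after a Match merge `dst` and `src` share one allocation and the new `dst->n != src->n` guard only avoids freeing that shared pointer on a repeated copy; it does not make the two owners independent. A comment at the macro stating the rule, `/* aliases src->n: src must outlive dst and must never free it */`, or an `xstrdup` like the array variant if callers free both sides, would make the ownership explicit. Callers of copy_set_server_options are outside the hunk, and the function body continues past it, so whether src always outlives dst cannot be confirmed here.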
diff --git a/servconf.h b/servconf.h index 2d4b6ecb..8812c5aa 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.110 2013/10/29 09:48:02 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.111 2013/12/05 01:16:41 djm Exp $ */ /* * Author: Tatu Ylonen @@ -202,6 +202,9 @@ struct connection_info { * Match sub-config and the main config, and must be sent from the * privsep slave to the privsep master. We use a macro to ensure all * the options are copied and the copies are done in the correct order. + * + * NB. an option must appear in servconf.c:copy_set_server_options() or + * COPY_MATCH_STRING_OPTS here but never both. */ #define COPY_MATCH_STRING_OPTS() do { \ M_CP_STROPT(banner); \ -- cgit v1.2.1 From f11affb961774ab0a62e7204b111a03bc53334c0 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 6 Dec 2013 23:31:08 +0000 Subject: - djm@cvs.openbsd.org 2013/12/05 22:59:45 [sftp-client.c] fix memory leak in error path in do_readdir(); pointed out by Loganaden Velvindron @ AfriNIC in bz#2163 --- ChangeLog | 7 +++++++ sftp-client.c | 42 +++++++++++++++++++++--------------------- 2 files changed, 28 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 410ae1b9..7c812e51 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20131207 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/05 22:59:45 + [sftp-client.c] + fix memory leak in error path in do_readdir(); pointed out by + Loganaden Velvindron @ AfriNIC in bz#2163 + 20131205 - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2013/11/21 08:05:09 diff --git a/sftp-client.c b/sftp-client.c index 246e9498..1eb82108 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.110 2013/12/04 04:20:01 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.111 2013/12/05 22:59:45 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * 
@@ -460,6 +460,10 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, Buffer msg; u_int count, type, id, handle_len, i, expected_id, ents = 0; char *handle; + int status = SSH2_FX_FAILURE; + + if (dir) + *dir = NULL; id = conn->msg_id++; @@ -506,20 +510,12 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, fatal("ID mismatch (%u != %u)", id, expected_id); if (type == SSH2_FXP_STATUS) { - int status = buffer_get_int(&msg); - + status = buffer_get_int(&msg); debug3("Received SSH2_FXP_STATUS %d", status); - - if (status == SSH2_FX_EOF) { + if (status == SSH2_FX_EOF) break; - } else { - error("Couldn't read directory: %s", - fx2txt(status)); - do_close(conn, handle, handle_len); - free(handle); - buffer_free(&msg); - return(status); - } + error("Couldn't read directory: %s", fx2txt(status)); + goto out; } else if (type != SSH2_FXP_NAME) fatal("Expected SSH2_FXP_NAME(%u) packet, got %u", SSH2_FXP_NAME, type); @@ -547,10 +543,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, if (strchr(filename, '/') != NULL) { error("Server sent suspect path \"%s\" " "during readdir of \"%s\"", filename, path); - goto next; - } - - if (dir) { + } else if (dir) { *dir = xrealloc(*dir, ents + 2, sizeof(**dir)); (*dir)[ents] = xcalloc(1, sizeof(***dir)); (*dir)[ents]->filename = xstrdup(filename); 
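Review bot: An SSH2_FXP_STATUS reply carrying SSH2_FX_OK (0) where an SSH2_FXP_NAME packet was expected now takes the `goto out` path with `status` still 0, so the `status != 0` cleanup at `out:` in the following hunk treats it as success and do_lsreaddir returns 0 with whatever entries were accumulated; the old code also returned that 0, but the new success/failure split at `out:` now keys on it. A one-line normalisation before the jump closes this, `if (status == SSH2_FX_OK) status = SSH2_FX_FAILURE;` (SSH2_FX_FAILURE is already the initial value). Only a non-conforming server reaches this, but the same loop already sanity-checks server-supplied names, so treating a nonsensical status as an error is consistent.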
@@ -558,24 +551,29 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, memcpy(&(*dir)[ents]->a, a, sizeof(*a)); (*dir)[++ents] = NULL; } - next: free(filename); free(longname); } } + status = 0; + out: buffer_free(&msg); do_close(conn, handle, handle_len); free(handle); - /* Don't return partial matches on interrupt */ - if (interrupted && dir != NULL && *dir != NULL) { + if (status != 0 && dir != NULL) { + /* Don't return results on error */ + free_sftp_dirents(*dir); + *dir = NULL; + } else if (interrupted && dir != NULL && *dir != NULL) { + /* Don't return partial matches on interrupt */ free_sftp_dirents(*dir); *dir = xcalloc(1, sizeof(**dir)); **dir = NULL; } - return 0; + return status; } int @@ -588,6 +586,8 @@ void free_sftp_dirents(SFTP_DIRENT **s) { int i; + if (s == NULL) + return; for (i = 0; s[i]; i++) { free(s[i]->filename); free(s[i]->longname); -- cgit v1.2.1 From 68e3b47b27c4567058306f50be07d3007e438b5f Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 6 Dec 2013 23:31:37 +0000 Subject: - djm@cvs.openbsd.org 2013/12/06 03:40:51 [ssh-keygen.c] remove duplicated character ('g') in getopt() string; document the (few) remaining option characters so we don't have to rummage next time. --- ChangeLog | 5 +++++ ssh-keygen.c | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7c812e51..f5e06c9e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ [sftp-client.c] fix memory leak in error path in do_readdir(); pointed out by Loganaden Velvindron @ AfriNIC in bz#2163 + - djm@cvs.openbsd.org 2013/12/06 03:40:51 + [ssh-keygen.c] + remove duplicated character ('g') in getopt() string; + document the (few) remaining option characters so we don't have to + rummage next time. 20131205 - (djm) OpenBSD CVS Sync diff --git a/ssh-keygen.c b/ssh-keygen.c index 678dafe8..e5e2f2f6 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.235 2013/10/23 04:16:22 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.236 2013/12/06 03:40:51 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2225,8 +2225,9 @@ main(int argc, char **argv) exit(1); } + /* Remaining characters: EUYZdow */ while ((opt = getopt(argc, argv, "ABHLQXceghiklpquvxy" - "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:a:b:f:g:j:m:n:r:s:t:z:")) != -1) { + "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:a:b:f:j:m:n:r:s:t:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; -- cgit v1.2.1 From 1bc6943f5b4c529f9962d440aa4db4acea1d2a4f Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 6 Dec 2013 23:40:26 +0000 Subject: - markus@cvs.openbsd.org 2013/12/06 13:30:08 [authfd.c key.c key.h ssh-agent.c] move private key (de)serialization to key.c; ok djm --- ChangeLog | 3 + authfd.c | 59 ++----------------- key.c | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- key.h | 5 +- ssh-agent.c | 133 ++++------------------------------------- 5 files changed, 214 insertions(+), 179 deletions(-) diff --git a/ChangeLog b/ChangeLog index f5e06c9e..0db8ab44 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ remove duplicated character ('g') in getopt() string; document the (few) remaining option characters so we don't have to rummage next time. + - markus@cvs.openbsd.org 2013/12/06 13:30:08 + [authfd.c key.c key.h ssh-agent.c] + move private key (de)serialization to key.c; ok djm 20131205 - (djm) OpenBSD CVS Sync diff --git a/authfd.c b/authfd.c index 775786be..2cda8b30 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.87 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: authfd.c,v 1.89 2013/12/06 13:30:08 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,8 +42,8 @@ #include #include - #include + #include #include #include 
@@ -206,7 +206,7 @@ ssh_get_authentication_connection(void) if (sock < 0) return NULL; - auth = xmalloc(sizeof(*auth)); + auth = xcalloc(1, sizeof(*auth)); auth->fd = sock; buffer_init(&auth->identities); auth->howmany = 0; 
@@ -474,58 +474,7 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) static void ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) { - buffer_put_cstring(b, key_ssh_name(key)); - switch (key->type) { - case KEY_RSA: - buffer_put_bignum2(b, key->rsa->n); - buffer_put_bignum2(b, key->rsa->e); - buffer_put_bignum2(b, key->rsa->d); - buffer_put_bignum2(b, key->rsa->iqmp); - buffer_put_bignum2(b, key->rsa->p); - buffer_put_bignum2(b, key->rsa->q); - break; - case KEY_RSA_CERT_V00: - case KEY_RSA_CERT: - if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) - fatal("%s: no cert/certblob", __func__); - buffer_put_string(b, buffer_ptr(&key->cert->certblob), - buffer_len(&key->cert->certblob)); - buffer_put_bignum2(b, key->rsa->d); - buffer_put_bignum2(b, key->rsa->iqmp); - buffer_put_bignum2(b, key->rsa->p); - buffer_put_bignum2(b, key->rsa->q); - break; - case KEY_DSA: - buffer_put_bignum2(b, key->dsa->p); - buffer_put_bignum2(b, key->dsa->q); - buffer_put_bignum2(b, key->dsa->g); - buffer_put_bignum2(b, key->dsa->pub_key); - buffer_put_bignum2(b, key->dsa->priv_key); - break; - case KEY_DSA_CERT_V00: - case KEY_DSA_CERT: - if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) - fatal("%s: no cert/certblob", __func__); - buffer_put_string(b, buffer_ptr(&key->cert->certblob), - buffer_len(&key->cert->certblob)); - buffer_put_bignum2(b, key->dsa->priv_key); - break; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid)); - buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa), - EC_KEY_get0_public_key(key->ecdsa)); - buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); - break; - case KEY_ECDSA_CERT: - if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) - fatal("%s: no cert/certblob", __func__); - buffer_put_string(b, buffer_ptr(&key->cert->certblob), - buffer_len(&key->cert->certblob)); - buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); - 
break; -#endif - } + key_private_serialize(key, b); buffer_put_cstring(b, comment); } diff --git a/key.c b/key.c index 3ee2d61a..0282e082 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.106 2013/12/02 03:09:22 djm Exp $ */ +/* $OpenBSD: key.c,v 1.107 2013/12/06 13:30:08 markus Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -2276,3 +2276,194 @@ key_dump_ec_key(const EC_KEY *key) } #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ #endif /* OPENSSL_HAS_ECC */ + +void +key_private_serialize(const Key *key, Buffer *b) +{ + buffer_put_cstring(b, key_ssh_name(key)); + switch (key->type) { + case KEY_RSA: + buffer_put_bignum2(b, key->rsa->n); + buffer_put_bignum2(b, key->rsa->e); + buffer_put_bignum2(b, key->rsa->d); + buffer_put_bignum2(b, key->rsa->iqmp); + buffer_put_bignum2(b, key->rsa->p); + buffer_put_bignum2(b, key->rsa->q); + break; + case KEY_RSA_CERT_V00: + case KEY_RSA_CERT: + if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) + fatal("%s: no cert/certblob", __func__); + buffer_put_string(b, buffer_ptr(&key->cert->certblob), + buffer_len(&key->cert->certblob)); + buffer_put_bignum2(b, key->rsa->d); + buffer_put_bignum2(b, key->rsa->iqmp); + buffer_put_bignum2(b, key->rsa->p); + buffer_put_bignum2(b, key->rsa->q); + break; + case KEY_DSA: + buffer_put_bignum2(b, key->dsa->p); + buffer_put_bignum2(b, key->dsa->q); + buffer_put_bignum2(b, key->dsa->g); + buffer_put_bignum2(b, key->dsa->pub_key); + buffer_put_bignum2(b, key->dsa->priv_key); + break; + case KEY_DSA_CERT_V00: + case KEY_DSA_CERT: + if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) + fatal("%s: no cert/certblob", __func__); + buffer_put_string(b, buffer_ptr(&key->cert->certblob), + buffer_len(&key->cert->certblob)); + buffer_put_bignum2(b, key->dsa->priv_key); + break; +#ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: + buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid)); + buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa), + EC_KEY_get0_public_key(key->ecdsa)); + buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); + break; + case KEY_ECDSA_CERT: + if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) + fatal("%s: no cert/certblob", __func__); + buffer_put_string(b, buffer_ptr(&key->cert->certblob), + buffer_len(&key->cert->certblob)); + buffer_put_bignum2(b, 
EC_KEY_get0_private_key(key->ecdsa)); + break; +#endif /* OPENSSL_HAS_ECC */ + } +} + +Key * +key_private_deserialize(Buffer *blob) +{ + char *type_name; + Key *k = NULL; + u_char *cert; + u_int len; + int type; +#ifdef OPENSSL_HAS_ECC + char *curve; + BIGNUM *exponent; + EC_POINT *q; +#endif + + type_name = buffer_get_string(blob, NULL); + type = key_type_from_name(type_name); + switch (type) { + case KEY_DSA: + k = key_new_private(type); + buffer_get_bignum2(blob, k->dsa->p); + buffer_get_bignum2(blob, k->dsa->q); + buffer_get_bignum2(blob, k->dsa->g); + buffer_get_bignum2(blob, k->dsa->pub_key); + buffer_get_bignum2(blob, k->dsa->priv_key); + break; + case KEY_DSA_CERT_V00: + case KEY_DSA_CERT: + cert = buffer_get_string(blob, &len); + if ((k = key_from_blob(cert, len)) == NULL) + fatal("Certificate parse failed"); + free(cert); + key_add_private(k); + buffer_get_bignum2(blob, k->dsa->priv_key); + break; +#ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: + k = key_new_private(type); + k->ecdsa_nid = key_ecdsa_nid_from_name(type_name); + curve = buffer_get_string(blob, NULL); + if (k->ecdsa_nid != key_curve_name_to_nid(curve)) + fatal("%s: curve names mismatch", __func__); + free(curve); + k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); + if (k->ecdsa == NULL) + fatal("%s: EC_KEY_new_by_curve_name failed", + __func__); + q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa)); + if (q == NULL) + fatal("%s: BN_new failed", __func__); + if ((exponent = BN_new()) == NULL) + fatal("%s: BN_new failed", __func__); + buffer_get_ecpoint(blob, + EC_KEY_get0_group(k->ecdsa), q); + buffer_get_bignum2(blob, exponent); + if (EC_KEY_set_public_key(k->ecdsa, q) != 1) + fatal("%s: EC_KEY_set_public_key failed", + __func__); + if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) + fatal("%s: EC_KEY_set_private_key failed", + __func__); + if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), + EC_KEY_get0_public_key(k->ecdsa)) != 0) + fatal("%s: bad ECDSA public key", __func__); + if 
(key_ec_validate_private(k->ecdsa) != 0) + fatal("%s: bad ECDSA private key", __func__); + BN_clear_free(exponent); + EC_POINT_free(q); + break; + case KEY_ECDSA_CERT: + cert = buffer_get_string(blob, &len); + if ((k = key_from_blob(cert, len)) == NULL) + fatal("Certificate parse failed"); + free(cert); + key_add_private(k); + if ((exponent = BN_new()) == NULL) + fatal("%s: BN_new failed", __func__); + buffer_get_bignum2(blob, exponent); + if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) + fatal("%s: EC_KEY_set_private_key failed", + __func__); + if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), + EC_KEY_get0_public_key(k->ecdsa)) != 0 || + key_ec_validate_private(k->ecdsa) != 0) + fatal("%s: bad ECDSA key", __func__); + BN_clear_free(exponent); + break; +#endif + case KEY_RSA: + k = key_new_private(type); + buffer_get_bignum2(blob, k->rsa->n); + buffer_get_bignum2(blob, k->rsa->e); + buffer_get_bignum2(blob, k->rsa->d); + buffer_get_bignum2(blob, k->rsa->iqmp); + buffer_get_bignum2(blob, k->rsa->p); + buffer_get_bignum2(blob, k->rsa->q); + + /* Generate additional parameters */ + rsa_generate_additional_parameters(k->rsa); + break; + case KEY_RSA_CERT_V00: + case KEY_RSA_CERT: + cert = buffer_get_string(blob, &len); + if ((k = key_from_blob(cert, len)) == NULL) + fatal("Certificate parse failed"); + free(cert); + key_add_private(k); + buffer_get_bignum2(blob, k->rsa->d); + buffer_get_bignum2(blob, k->rsa->iqmp); + buffer_get_bignum2(blob, k->rsa->p); + buffer_get_bignum2(blob, k->rsa->q); + break; + default: + free(type_name); + buffer_clear(blob); + return NULL; + } + free(type_name); + + /* enable blinding */ + switch (k->type) { + case KEY_RSA: + case KEY_RSA_CERT_V00: + case KEY_RSA_CERT: + case KEY_RSA1: + if (RSA_blinding_on(k->rsa, NULL) != 1) { + error("%s: RSA_blinding_on failed", __func__); + key_free(k); + return NULL; + } + break; + } + return k; +} diff --git a/key.h b/key.h index 8a78a828..efa71176 100644 --- a/key.h +++ b/key.h 
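Review bot: In the certificate branches of key_private_deserialize (`KEY_DSA_CERT*`, `KEY_ECDSA_CERT`, `KEY_RSA_CERT*`) the key built by `key_from_blob()` from the embedded blob is then used as the algorithm named by `type_name` with no check that the two agree, so a blob carrying a certificate of another algorithm reaches `k->rsa->d`, `k->dsa->priv_key` or `k->ecdsa` on a key that does not have that member; unless key_from_blob enforces this (not visible here), add after each of those calls `if (k->type != type) fatal("%s: certificate type mismatch", __func__);`, or free k and return NULL to match the existing NULL path. This was inherited from ssh-agent.c, but as a key.c entry point it will now be reached from more callers. The function also keeps fatal() for every malformed-input case, so each caller inherits process exit on a bad blob; a comment above the definition stating that contract, alongside the NULL returns for an unknown type and for RSA_blinding_on failure, would save the next caller a surprise. Minor: the `q == NULL` check after `EC_POINT_new` reports `BN_new failed`.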
@@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.38 2013/10/29 09:42:11 djm Exp $ */ +/* $OpenBSD: key.h,v 1.39 2013/12/06 13:30:08 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -151,4 +151,7 @@ void key_dump_ec_point(const EC_GROUP *, const EC_POINT *); void key_dump_ec_key(const EC_KEY *); #endif +void key_private_serialize(const Key *, Buffer *); +Key *key_private_deserialize(Buffer *); + #endif diff --git a/ssh-agent.c b/ssh-agent.c index c3b11729..0196f8f6 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.177 2013/07/20 01:50:20 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.178 2013/12/06 13:30:08 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -464,16 +464,9 @@ process_add_identity(SocketEntry *e, int version) Idtab *tab = idtab_lookup(version); Identity *id; int type, success = 0, confirm = 0; - char *type_name, *comment; + char *comment; time_t death = 0; Key *k = NULL; -#ifdef OPENSSL_HAS_ECC - BIGNUM *exponent; - EC_POINT *q; - char *curve; -#endif - u_char *cert; - u_int len; switch (version) { case 1: 
@@ -490,125 +483,21 @@ process_add_identity(SocketEntry *e, int version) /* Generate additional parameters */ rsa_generate_additional_parameters(k->rsa); - break; - case 2: - type_name = buffer_get_string(&e->request, NULL); - type = key_type_from_name(type_name); - switch (type) { - case KEY_DSA: - k = key_new_private(type); - buffer_get_bignum2(&e->request, k->dsa->p); - buffer_get_bignum2(&e->request, k->dsa->q); - buffer_get_bignum2(&e->request, k->dsa->g); - buffer_get_bignum2(&e->request, k->dsa->pub_key); - buffer_get_bignum2(&e->request, k->dsa->priv_key); - break; - case KEY_DSA_CERT_V00: - case KEY_DSA_CERT: - cert = buffer_get_string(&e->request, &len); - if ((k = key_from_blob(cert, len)) == NULL) - fatal("Certificate parse failed"); - free(cert); - key_add_private(k); - buffer_get_bignum2(&e->request, k->dsa->priv_key); - break; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - k = key_new_private(type); - k->ecdsa_nid = key_ecdsa_nid_from_name(type_name); - curve = buffer_get_string(&e->request, NULL); - if (k->ecdsa_nid != key_curve_name_to_nid(curve)) - fatal("%s: curve names mismatch", __func__); - free(curve); - k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); - if (k->ecdsa == NULL) - fatal("%s: EC_KEY_new_by_curve_name failed", - __func__); - q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa)); - if (q == NULL) - fatal("%s: BN_new failed", __func__); - if ((exponent = BN_new()) == NULL) - fatal("%s: BN_new failed", __func__); - buffer_get_ecpoint(&e->request, - EC_KEY_get0_group(k->ecdsa), q); - buffer_get_bignum2(&e->request, exponent); - if (EC_KEY_set_public_key(k->ecdsa, q) != 1) - fatal("%s: EC_KEY_set_public_key failed", - __func__); - if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) - fatal("%s: EC_KEY_set_private_key failed", - __func__); - if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), - EC_KEY_get0_public_key(k->ecdsa)) != 0) - fatal("%s: bad ECDSA public key", __func__); - if (key_ec_validate_private(k->ecdsa) != 0) - fatal("%s: 
bad ECDSA private key", __func__); - BN_clear_free(exponent); - EC_POINT_free(q); - break; - case KEY_ECDSA_CERT: - cert = buffer_get_string(&e->request, &len); - if ((k = key_from_blob(cert, len)) == NULL) - fatal("Certificate parse failed"); - free(cert); - key_add_private(k); - if ((exponent = BN_new()) == NULL) - fatal("%s: BN_new failed", __func__); - buffer_get_bignum2(&e->request, exponent); - if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) - fatal("%s: EC_KEY_set_private_key failed", - __func__); - if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), - EC_KEY_get0_public_key(k->ecdsa)) != 0 || - key_ec_validate_private(k->ecdsa) != 0) - fatal("%s: bad ECDSA key", __func__); - BN_clear_free(exponent); - break; -#endif /* OPENSSL_HAS_ECC */ - case KEY_RSA: - k = key_new_private(type); - buffer_get_bignum2(&e->request, k->rsa->n); - buffer_get_bignum2(&e->request, k->rsa->e); - buffer_get_bignum2(&e->request, k->rsa->d); - buffer_get_bignum2(&e->request, k->rsa->iqmp); - buffer_get_bignum2(&e->request, k->rsa->p); - buffer_get_bignum2(&e->request, k->rsa->q); - - /* Generate additional parameters */ - rsa_generate_additional_parameters(k->rsa); - break; - case KEY_RSA_CERT_V00: - case KEY_RSA_CERT: - cert = buffer_get_string(&e->request, &len); - if ((k = key_from_blob(cert, len)) == NULL) - fatal("Certificate parse failed"); - free(cert); - key_add_private(k); - buffer_get_bignum2(&e->request, k->rsa->d); - buffer_get_bignum2(&e->request, k->rsa->iqmp); - buffer_get_bignum2(&e->request, k->rsa->p); - buffer_get_bignum2(&e->request, k->rsa->q); - break; - default: - free(type_name); - buffer_clear(&e->request); - goto send; - } - free(type_name); - break; - } - /* enable blinding */ - switch (k->type) { - case KEY_RSA: - case KEY_RSA_CERT_V00: - case KEY_RSA_CERT: - case KEY_RSA1: + + /* enable blinding */ if (RSA_blinding_on(k->rsa, NULL) != 1) { error("process_add_identity: RSA_blinding_on failed"); key_free(k); goto send; } break; + case 2: + k = 
key_private_deserialize(&e->request); + if (k == NULL) { + buffer_clear(&e->request); + goto send; + } + break; } comment = buffer_get_string(&e->request, NULL); if (k == NULL) { -- cgit v1.2.1 From 89b12f794f90dd428f052bf33dc8f128742c8e22 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 6 Dec 2013 23:41:55 +0000 Subject: - markus@cvs.openbsd.org 2013/12/06 13:34:54 [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c] [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@ --- ChangeLog | 5 + PROTOCOL.key | 68 +++++++++++ authfile.c | 371 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- authfile.h | 5 +- cipher.c | 18 +-- cipher.h | 4 +- key.c | 3 +- packet.c | 27 +++-- ssh-agent.c | 3 +- ssh-keygen.c | 51 +++++--- 10 files changed, 505 insertions(+), 50 deletions(-) create mode 100644 PROTOCOL.key diff --git a/ChangeLog b/ChangeLog index 0db8ab44..76854907 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,11 @@ - markus@cvs.openbsd.org 2013/12/06 13:30:08 [authfd.c key.c key.h ssh-agent.c] move private key (de)serialization to key.c; ok djm + - markus@cvs.openbsd.org 2013/12/06 13:34:54 + [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c] + [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by + default; details in PROTOCOL.key; feedback and lots help from djm; + ok djm@ 20131205 - (djm) OpenBSD CVS Sync diff --git a/PROTOCOL.key b/PROTOCOL.key new file mode 100644 index 00000000..959bd7ae --- /dev/null +++ b/PROTOCOL.key 
@@ -0,0 +1,68 @@ +This document describes the private key format for OpenSSH. + +1. Overall format + +The key consists of a header, a list of public keys, and +an encrypted list of matching private keys. + +#define AUTH_MAGIC "openssh-key-v1" + + byte[] AUTH_MAGIC + string ciphername + string kdfname + string kdfoptions + int number of keys N + string publickey1 + string publickey2 + ... + string publickeyN + string encrypted, padded list of private keys + +2. KDF options for kdfname "bcrypt" + +The options: + + string salt + uint32 rounds + +are concatenated and represented as a string. + +3. Unencrypted list of N private keys + +The list of privatekey/comment pairs is padded with the +bytes 1, 2, 3, ... until the total length is a multiple +of the cipher block size. + + uint32 checkint + uint32 checkint + string privatekey1 + string comment1 + string privatekey2 + string comment2 + ... + string privatekeyN + string commentN + char 1 + char 2 + char 3 + ... + char padlen % 255 + +Before the key is encrypted, a random integer is assigned +to both checkint fields so successful decryption can be +quickly checked by verifying that both checkint fields +hold the same value. + +4. Encryption + +The KDF is used to derive a key, IV (and other values required by +the cipher) from the passphrase. These values are then used to +encrypt the unencrypted list of private keys. + +5. No encryption + +For unencrypted keys the cipher "none" and the KDF "none" +are used with empty passphrases. The options if the KDF "none" +are the empty string. + +$OpenBSD: PROTOCOL.key,v 1.1 2013/12/06 13:34:54 markus Exp $ diff --git a/authfile.c b/authfile.c index d0c1089e..e38a3dd1 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.98 2013/11/21 00:45:43 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.99 2013/12/06 13:34:54 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -13,7 +13,7 @@ * called by a name other than "ssh" or "Secure Shell". * * - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -58,6 +58,8 @@ #include #include +#include + #include "xmalloc.h" #include "cipher.h" #include "buffer.h" @@ -68,6 +70,16 @@ #include "rsa.h" #include "misc.h" #include "atomicio.h" +#include "uuencode.h" + +/* openssh private key file format */ +#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" +#define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" +#define KDFNAME "bcrypt" +#define AUTH_MAGIC "openssh-key-v1" +#define SALT_LEN 16 +#define DEFAULT_CIPHERNAME "aes256-cbc" +#define DEFAULT_ROUNDS 16 #define MAX_KEY_FILE_SIZE (1024 * 1024) 
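Review bot: `DEFAULT_CIPHERNAME`, `DEFAULT_ROUNDS` and `SALT_LEN` encode the at-rest security policy of the new format and carry no comment saying why these values were chosen; aes256-cbc provides confidentiality only and the blob has no MAC, so per PROTOCOL.key in this commit the checkint pair detects a wrong passphrase but not modification of later ciphertext blocks, which surfaces (if at all) only when the private key fails to parse or validate. A short note such as `/* AES-256-CBC: confidentiality only, integrity limited to checkint; 16 bcrypt_pbkdf rounds sets the per-guess cost */` would record this for whoever later revisits the defaults. The cipher table and the authlen handling in key_private_to_blob2 below already accommodate an authenticated cipher, so stating why CBC is the default would also make that choice reviewable.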
@@ -75,6 +87,333 @@ static const char authfile_id_string[] = "SSH PRIVATE KEY FILE FORMAT 1.1\n"; +static int +key_private_to_blob2(Key *prv, Buffer *blob, const char *passphrase, + const char *comment, const char *ciphername, int rounds) +{ + u_char *key, *cp, salt[SALT_LEN]; + size_t keylen, ivlen, blocksize, authlen; + u_int len, check; + int i, n; + const Cipher *c; + Buffer encoded, b, kdf; + CipherContext ctx; + const char *kdfname = KDFNAME; + + if (rounds <= 0) + rounds = DEFAULT_ROUNDS; + if (passphrase == NULL || !strlen(passphrase)) { + ciphername = "none"; + kdfname = "none"; + } else if (ciphername == NULL) + ciphername = DEFAULT_CIPHERNAME; + else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) + fatal("invalid cipher"); + + if ((c = cipher_by_name(ciphername)) == NULL) + fatal("unknown cipher name"); + buffer_init(&kdf); + blocksize = cipher_blocksize(c); + keylen = cipher_keylen(c); + ivlen = cipher_ivlen(c); + authlen = cipher_authlen(c); + key = xcalloc(1, keylen + ivlen); + if (strcmp(kdfname, "none") != 0) { + arc4random_buf(salt, SALT_LEN); + if (bcrypt_pbkdf(passphrase, strlen(passphrase), + salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) + fatal("bcrypt_pbkdf failed"); + buffer_put_string(&kdf, salt, SALT_LEN); + buffer_put_int(&kdf, rounds); + } + cipher_init(&ctx, c, key, keylen, key + keylen , ivlen, 1); + memset(key, 0, keylen + ivlen); + free(key); + + buffer_init(&encoded); + buffer_append(&encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC)); + buffer_put_cstring(&encoded, ciphername); + buffer_put_cstring(&encoded, kdfname); + buffer_put_string(&encoded, buffer_ptr(&kdf), buffer_len(&kdf)); + buffer_put_int(&encoded, 1); /* number of keys */ + key_to_blob(prv, &cp, &len); /* public key */ + buffer_put_string(&encoded, cp, len); + + memset(cp, 0, len); + free(cp); + + buffer_free(&kdf); + + /* set up the buffer that will be encrypted */ + buffer_init(&b); + + /* Random check bytes */ + check = arc4random(); + buffer_put_int(&b, check); + 
buffer_put_int(&b, check); + + /* append private key and comment*/ + key_private_serialize(prv, &b); + buffer_put_cstring(&b, comment); + + /* padding */ + i = 0; + while (buffer_len(&b) % blocksize) + buffer_put_char(&b, ++i & 0xff); + + /* length */ + buffer_put_int(&encoded, buffer_len(&b)); + + /* encrypt */ + cp = buffer_append_space(&encoded, buffer_len(&b) + authlen); + if (cipher_crypt(&ctx, 0, cp, buffer_ptr(&b), buffer_len(&b), 0, + authlen) != 0) + fatal("%s: cipher_crypt failed", __func__); + buffer_free(&b); + cipher_cleanup(&ctx); + + /* uuencode */ + len = 2 * buffer_len(&encoded); + cp = xmalloc(len); + n = uuencode(buffer_ptr(&encoded), buffer_len(&encoded), + (char *)cp, len); + if (n < 0) + fatal("%s: uuencode", __func__); + + buffer_clear(blob); + buffer_append(blob, MARK_BEGIN, sizeof(MARK_BEGIN) - 1); + for (i = 0; i < n; i++) { + buffer_put_char(blob, cp[i]); + if (i % 70 == 69) + buffer_put_char(blob, '\n'); + } + if (i % 70 != 69) + buffer_put_char(blob, '\n'); + buffer_append(blob, MARK_END, sizeof(MARK_END) - 1); + free(cp); + + return buffer_len(blob); +} + +static Key * +key_parse_private2(Buffer *blob, int type, const char *passphrase, + char **commentp) +{ + u_char *key = NULL, *cp, *salt = NULL, pad, last; + char *comment = NULL, *ciphername = NULL, *kdfname = NULL, *kdfp; + u_int keylen = 0, ivlen, blocksize, slen, klen, len, rounds, nkeys; + u_int check1, check2, m1len, m2len; + size_t authlen; + const Cipher *c; + Buffer b, encoded, copy, kdf; + CipherContext ctx; + Key *k = NULL; + int dlen, ret, i; + + buffer_init(&b); + buffer_init(&kdf); + buffer_init(&encoded); + buffer_init(©); + + /* uudecode */ + m1len = sizeof(MARK_BEGIN) - 1; + m2len = sizeof(MARK_END) - 1; + cp = buffer_ptr(blob); + len = buffer_len(blob); + if (len < m1len || memcmp(cp, MARK_BEGIN, m1len)) { + debug("%s: missing begin marker", __func__); + goto out; + } + cp += m1len; + len -= m1len; + while (len) { + if (*cp != '\n' && *cp != '\r') + 
buffer_put_char(&encoded, *cp); + last = *cp; + len--; + cp++; + if (last == '\n') { + if (len >= m2len && !memcmp(cp, MARK_END, m2len)) { + buffer_put_char(&encoded, '\0'); + break; + } + } + } + if (!len) { + debug("%s: no end marker", __func__); + goto out; + } + len = buffer_len(&encoded); + if ((cp = buffer_append_space(©, len)) == NULL) { + error("%s: buffer_append_space", __func__); + goto out; + } + if ((dlen = uudecode(buffer_ptr(&encoded), cp, len)) < 0) { + error("%s: uudecode failed", __func__); + goto out; + } + if ((u_int)dlen > len) { + error("%s: crazy uudecode length %d > %u", __func__, dlen, len); + goto out; + } + buffer_consume_end(©, len - dlen); + if (buffer_len(©) < sizeof(AUTH_MAGIC) || + memcmp(buffer_ptr(©), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { + error("%s: bad magic", __func__); + goto out; + } + buffer_consume(©, sizeof(AUTH_MAGIC)); + + ciphername = buffer_get_cstring_ret(©, NULL); + if (ciphername == NULL || + (c = cipher_by_name(ciphername)) == NULL) { + error("%s: unknown cipher name", __func__); + goto out; + } + if ((passphrase == NULL || !strlen(passphrase)) && + strcmp(ciphername, "none") != 0) { + /* passphrase required */ + goto out; + } + kdfname = buffer_get_cstring_ret(©, NULL); + if (kdfname == NULL || + (!strcmp(kdfname, "none") && !strcmp(kdfname, "bcrypt"))) { + error("%s: unknown kdf name", __func__); + goto out; + } + if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { + error("%s: cipher %s requires kdf", __func__, ciphername); + goto out; + } + /* kdf options */ + kdfp = buffer_get_string_ptr_ret(©, &klen); + if (kdfp == NULL) { + error("%s: kdf options not set", __func__); + goto out; + } + if (klen > 0) { + if ((cp = buffer_append_space(&kdf, klen)) == NULL) { + error("%s: kdf alloc failed", __func__); + goto out; + } + memcpy(cp, kdfp, klen); + } + /* number of keys */ + if (buffer_get_int_ret(&nkeys, ©) < 0) { + error("%s: key counter missing", __func__); + goto out; + } + if (nkeys != 1) { + 
error("%s: only one key supported", __func__); + goto out; + } + /* pubkey */ + if ((cp = buffer_get_string_ret(©, &len)) == NULL) { + error("%s: pubkey not found", __func__); + goto out; + } + free(cp); /* XXX check pubkey against decrypted private key */ + + /* size of encrypted key blob */ + len = buffer_get_int(©); + blocksize = cipher_blocksize(c); + authlen = cipher_authlen(c); + if (len < blocksize) { + error("%s: encrypted data too small", __func__); + goto out; + } + if (len % blocksize) { + error("%s: length not multiple of blocksize", __func__); + goto out; + } + + /* setup key */ + keylen = cipher_keylen(c); + ivlen = cipher_ivlen(c); + key = xcalloc(1, keylen + ivlen); + if (!strcmp(kdfname, "bcrypt")) { + if ((salt = buffer_get_string_ret(&kdf, &slen)) == NULL) { + error("%s: salt not set", __func__); + goto out; + } + if (buffer_get_int_ret(&rounds, &kdf) < 0) { + error("%s: rounds not set", __func__); + goto out; + } + if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, + key, keylen + ivlen, rounds) < 0) { + error("%s: bcrypt_pbkdf failed", __func__); + goto out; + } + } + + cp = buffer_append_space(&b, len); + cipher_init(&ctx, c, key, keylen, key + keylen, ivlen, 0); + ret = cipher_crypt(&ctx, 0, cp, buffer_ptr(©), len, 0, authlen); + cipher_cleanup(&ctx); + buffer_consume(©, len); + + /* fail silently on decryption errors */ + if (ret != 0) { + debug("%s: decrypt failed", __func__); + goto out; + } + + if (buffer_len(©) != 0) { + error("%s: key blob has trailing data (len = %u)", __func__, + buffer_len(©)); + goto out; + } + + /* check bytes */ + if (buffer_get_int_ret(&check1, &b) < 0 || + buffer_get_int_ret(&check2, &b) < 0) { + error("check bytes missing"); + goto out; + } + if (check1 != check2) { + debug("%s: decrypt failed: 0x%08x != 0x%08x", __func__, + check1, check2); + goto out; + } + + k = key_private_deserialize(&b); + + /* comment */ + comment = buffer_get_cstring_ret(&b, NULL); + + i = 0; + while (buffer_len(&b)) { + if 
(buffer_get_char_ret(&pad, &b) == -1 || + pad != (++i & 0xff)) { + error("%s: bad padding", __func__); + key_free(k); + k = NULL; + goto out; + } + } + + if (k && commentp) { + *commentp = comment; + comment = NULL; + } + + /* XXX decode pubkey and check against private */ + out: + free(ciphername); + free(kdfname); + free(salt); + free(comment); + if (key) + memset(key, 0, keylen + ivlen); + free(key); + buffer_free(&encoded); + buffer_free(©); + buffer_free(&kdf); + buffer_free(&b); + return k; +} + /* * Serialises the authentication (private) key to a blob, encrypting it with * passphrase. The identification of the blob (lowest 64 bits of n) will @@ -149,8 +488,9 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase, cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_ENCRYPT); - cipher_crypt(&ciphercontext, 0, cp, - buffer_ptr(&buffer), buffer_len(&buffer), 0, 0); + if (cipher_crypt(&ciphercontext, 0, cp, + buffer_ptr(&buffer), buffer_len(&buffer), 0, 0) != 0) + fatal("%s: cipher_crypt failed", __func__); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); @@ -239,7 +579,8 @@ key_save_private_blob(Buffer *keybuf, const char *filename) /* Serialise "key" to buffer "blob" */ static int key_private_to_blob(Key *key, Buffer *blob, const char *passphrase, - const char *comment) + const char *comment, int force_new_format, const char *new_format_cipher, + int new_format_rounds) { switch (key->type) { case KEY_RSA1: @@ -247,6 +588,10 @@ key_private_to_blob(Key *key, Buffer *blob, const char *passphrase, case KEY_DSA: case KEY_ECDSA: case KEY_RSA: + if (force_new_format) { + return key_private_to_blob2(key, blob, passphrase, + comment, new_format_cipher, new_format_rounds); + } return key_private_pem_to_blob(key, blob, passphrase, comment); default: error("%s: cannot save key type %d", __func__, key->type); 
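Review bot: The kdf-name check in key_parse_private2, `(!strcmp(kdfname, "none") && !strcmp(kdfname, "bcrypt"))`, can never be true, so any unknown kdfname is accepted and, because the later `if (!strcmp(kdfname, "bcrypt"))` is then skipped, decryption proceeds with the all-zero key left by xcalloc; both strcmp results need `!= 0` joined by `&&`, as rewritten below. Further down, `cipher_crypt(&ctx, 0, cp, buffer_ptr(&copy), len, 0, authlen)` reads `len + authlen` bytes from `copy` although only `len < blocksize` and `len % blocksize` were checked against the untrusted length, so a truncated file is read past the decoded data before `buffer_consume(&copy, len)` gets a chance to abort; a comparison against `buffer_len(&copy)` belongs before the decrypt. The length itself comes from `buffer_get_int(&copy)`, which aborts the process on a short blob while every other field in this function uses a `_ret` accessor and `goto out`; `buffer_get_int_ret` keeps a malformed key file a soft failure like the rest of the parser. Only the rewritten lines are shown; the remainder of the function is unchanged.
```c
	kdfname = buffer_get_cstring_ret(&copy, NULL);
	if (kdfname == NULL ||
	    (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0)) {
		error("%s: unknown kdf name", __func__);
		goto out;
	}
	/* … unchanged: kdf-requires check, kdf options, key count, pubkey … */
	/* size of encrypted key blob */
	if (buffer_get_int_ret(&len, &copy) < 0) {
		error("%s: encrypted data length missing", __func__);
		goto out;
	}
	/* … unchanged: blocksize/authlen lookup, the two length checks … */
	if (buffer_len(&copy) < len || buffer_len(&copy) - len < authlen) {
		error("%s: encrypted data truncated", __func__);
		goto out;
	}
	/* … unchanged: key setup, decryption, check bytes, padding, cleanup … */
```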
@@ -256,13 +601,15 @@ key_private_to_blob(Key *key, Buffer *blob, const char *passphrase, int key_save_private(Key *key, const char *filename, const char *passphrase, - const char *comment) + const char *comment, int force_new_format, const char *new_format_cipher, + int new_format_rounds) { Buffer keyblob; int success = 0; buffer_init(&keyblob); - if (!key_private_to_blob(key, &keyblob, passphrase, comment)) + if (!key_private_to_blob(key, &keyblob, passphrase, comment, + force_new_format, new_format_cipher, new_format_rounds)) goto out; if (!key_save_private_blob(&keyblob, filename)) goto out; @@ -473,8 +820,9 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_DECRYPT); - cipher_crypt(&ciphercontext, 0, cp, - buffer_ptr(©), buffer_len(©), 0, 0); + if (cipher_crypt(&ciphercontext, 0, cp, + buffer_ptr(©), buffer_len(©), 0, 0) != 0) + fatal("%s: cipher_crypt failed", __func__); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); buffer_free(©); @@ -641,6 +989,8 @@ static Key * key_parse_private_type(Buffer *blob, int type, const char *passphrase, char **commentp) { + Key *k; + switch (type) { case KEY_RSA1: return key_parse_private_rsa1(blob, passphrase, commentp); @@ -648,6 +998,8 @@ key_parse_private_type(Buffer *blob, int type, const char *passphrase, case KEY_ECDSA: case KEY_RSA: case KEY_UNSPEC: + if ((k = key_parse_private2(blob, type, passphrase, commentp))) + return k; return key_parse_private_pem(blob, type, passphrase, commentp); default: error("%s: cannot parse key type %d", __func__, type); @@ -943,4 +1295,3 @@ key_in_file(Key *key, const char *filename, int strict_type) fclose(f); return ret; } - diff --git a/authfile.h b/authfile.h index 78349beb..8ba1c2db 100644 --- a/authfile.h +++ b/authfile.h 
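Review bot: `key_parse_private2(blob, type, passphrase, commentp)` is handed the requested `type`, but the new parser never compares it with what `key_private_deserialize` returned, so a caller asking for KEY_RSA gets whatever key type the file holds; the PEM path it falls back to is not in this view, so I cannot say whether it enforces the type either. A check after deserialization in key_parse_private2, e.g. `if (k != NULL && type != KEY_UNSPEC && k->type != type) { error("%s: key type mismatch", __func__); key_free(k); k = NULL; goto out; }`, would make the `type` argument mean what its name says. Note also that key_parse_private2 returns NULL without any message when a passphrase is required but absent, so in this hunk the PEM parser is then run on a new-format blob and its error is what the user sees. The rest of key_parse_private_type lies outside the hunk.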
@@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.h,v 1.16 2011/05/04 21:15:29 djm Exp $ */ +/* $OpenBSD: authfile.h,v 1.17 2013/12/06 13:34:54 markus Exp $ */ /* * Author: Tatu Ylonen @@ -15,7 +15,8 @@ #ifndef AUTHFILE_H #define AUTHFILE_H -int key_save_private(Key *, const char *, const char *, const char *); +int key_save_private(Key *, const char *, const char *, const char *, + int, const char *, int); int key_load_file(int, const char *, Buffer *); Key *key_load_cert(const char *); Key *key_load_public(const char *, char **); diff --git a/cipher.c b/cipher.c index fbb73014..76e6c596 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.92 2013/12/02 03:13:14 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.93 2013/12/06 13:34:54 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -344,17 +344,16 @@ cipher_init(CipherContext *cc, const Cipher *cipher, * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag. * This tag is written on encryption and verified on decryption. * Both 'aadlen' and 'authlen' can be set to 0. + * cipher_crypt() returns 0 on success and -1 if the decryption integrity + * check fails. */ -void +int cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen) { - if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { - if (chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len, aadlen, - authlen, cc->encrypt) != 0) - fatal("Decryption integrity check failed"); - return; - } + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) + return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len, + aadlen, authlen, cc->encrypt); if (authlen) { u_char lastiv[1]; 
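Review bot: The new comment states that cipher_crypt() returns -1 when the integrity check fails, but the chacha20-poly1305 branch now returns chachapoly_crypt()'s result unchanged, and nothing in this hunk shows that value to be -1 rather than merely non-zero. Since the callers in this commit test `!= 0`, either word the contract as "non-zero on failure" or normalise the branch, `return chachapoly_crypt(...) == 0 ? 0 : -1;`, so the two failure paths agree. The body of cipher_crypt continues in the next hunk.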
@@ -387,13 +386,14 @@ cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src, if (cc->encrypt) fatal("%s: EVP_Cipher(final) failed", __func__); else - fatal("Decryption integrity check failed"); + return -1; } if (cc->encrypt && !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG, authlen, dest + aadlen + len)) fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__); } + return 0; } /* Extract the packet length, including any decryption necessary beforehand */ diff --git a/cipher.h b/cipher.h index 4e837a75..d7824561 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.42 2013/11/21 00:45:44 djm Exp $ */ +/* $OpenBSD: cipher.h,v 1.43 2013/12/06 13:34:54 markus Exp $ */ /* * Author: Tatu Ylonen @@ -81,7 +81,7 @@ int ciphers_valid(const char *); char *cipher_alg_list(char, int); void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int, const u_char *, u_int, int); -void cipher_crypt(CipherContext *, u_int, u_char *, const u_char *, +int cipher_crypt(CipherContext *, u_int, u_char *, const u_char *, u_int, u_int, u_int); int cipher_get_length(CipherContext *, u_int *, u_int, const u_char *, u_int); diff --git a/key.c b/key.c index 0282e082..c09f43f1 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.107 2013/12/06 13:30:08 markus Exp $ */ +/* $OpenBSD: key.c,v 1.108 2013/12/06 13:34:54 markus Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1892,6 +1892,7 @@ key_certify(Key *k, Key *ca) if (!key_cert_is_legacy(k)) buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); + /* XXX this substantially duplicates to_blob(); refactor */ switch (k->type) { case KEY_DSA_CERT_V00: case KEY_DSA_CERT: diff --git a/packet.c b/packet.c index 029bb4c9..6cf7edbb 100644 --- a/packet.c +++ b/packet.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.190 2013/11/21 00:45:44 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.191 2013/12/06 13:34:54 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -713,9 +713,10 @@ packet_send1(void) buffer_append(&active_state->output, buf, 4); cp = buffer_append_space(&active_state->output, buffer_len(&active_state->outgoing_packet)); - cipher_crypt(&active_state->send_context, 0, cp, + if (cipher_crypt(&active_state->send_context, 0, cp, buffer_ptr(&active_state->outgoing_packet), - buffer_len(&active_state->outgoing_packet), 0, 0); + buffer_len(&active_state->outgoing_packet), 0, 0) != 0) + fatal("%s: cipher_crypt failed", __func__); #ifdef PACKET_DEBUG fprintf(stderr, "encrypted: "); @@ -946,9 +947,10 @@ packet_send2_wrapped(void) } /* encrypt packet and append to output buffer. */ cp = buffer_append_space(&active_state->output, len + authlen); - cipher_crypt(&active_state->send_context, active_state->p_send.seqnr, + if (cipher_crypt(&active_state->send_context, active_state->p_send.seqnr, cp, buffer_ptr(&active_state->outgoing_packet), - len - aadlen, aadlen, authlen); + len - aadlen, aadlen, authlen) != 0) + fatal("%s: cipher_crypt failed", __func__); /* append unencrypted MAC */ if (mac && mac->enabled) { if (mac->etm) { @@ -1208,8 +1210,9 @@ packet_read_poll1(void) /* Decrypt data to incoming_packet. */ buffer_clear(&active_state->incoming_packet); cp = buffer_append_space(&active_state->incoming_packet, padded_len); - cipher_crypt(&active_state->receive_context, 0, cp, - buffer_ptr(&active_state->input), padded_len, 0, 0); + if (cipher_crypt(&active_state->receive_context, 0, cp, + buffer_ptr(&active_state->input), padded_len, 0, 0) != 0) + fatal("%s: cipher_crypt failed", __func__); buffer_consume(&active_state->input, padded_len); 
@@ -1304,9 +1307,10 @@ packet_read_poll2(u_int32_t *seqnr_p) buffer_clear(&active_state->incoming_packet); cp = buffer_append_space(&active_state->incoming_packet, block_size); - cipher_crypt(&active_state->receive_context, + if (cipher_crypt(&active_state->receive_context, active_state->p_read.seqnr, cp, - buffer_ptr(&active_state->input), block_size, 0, 0); + buffer_ptr(&active_state->input), block_size, 0, 0) != 0) + fatal("Decryption integrity check failed"); cp = buffer_ptr(&active_state->incoming_packet); active_state->packlen = get_u32(cp); if (active_state->packlen < 1 + 4 || @@ -1360,9 +1364,10 @@ packet_read_poll2(u_int32_t *seqnr_p) macbuf = mac_compute(mac, active_state->p_read.seqnr, buffer_ptr(&active_state->input), aadlen + need); cp = buffer_append_space(&active_state->incoming_packet, aadlen + need); - cipher_crypt(&active_state->receive_context, + if (cipher_crypt(&active_state->receive_context, active_state->p_read.seqnr, cp, - buffer_ptr(&active_state->input), need, aadlen, authlen); + buffer_ptr(&active_state->input), need, aadlen, authlen) != 0) + fatal("Decryption integrity check failed"); buffer_consume(&active_state->input, aadlen + need + authlen); /* * compute MAC over seqnr and packet, diff --git a/ssh-agent.c b/ssh-agent.c index 0196f8f6..579ee384 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.178 2013/12/06 13:30:08 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.179 2013/12/06 13:34:54 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -484,7 +484,6 @@ process_add_identity(SocketEntry *e, int version) /* Generate additional parameters */ rsa_generate_additional_parameters(k->rsa); - /* enable blinding */ if (RSA_blinding_on(k->rsa, NULL) != 1) { error("process_add_identity: RSA_blinding_on failed"); key_free(k); diff --git a/ssh-keygen.c b/ssh-keygen.c index e5e2f2f6..533eed29 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.236 2013/12/06 03:40:51 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.237 2013/12/06 13:34:54 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -150,6 +150,18 @@ char *key_type_name = NULL; /* Load key from this PKCS#11 provider */ char *pkcs11provider = NULL; +/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */ +int use_new_format = 0; + +/* Cipher for new-format private keys */ +char *new_format_cipher = NULL; + +/* + * Number of KDF rounds to derive new format keys / + * number of primality trials when screening moduli. + */ +int rounds = 0; + /* argv0 */ extern char *__progname; @@ -923,7 +935,8 @@ do_gen_all_hostkeys(struct passwd *pw) public = key_from_private(private); snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); - if (!key_save_private(private, identity_file, "", comment)) { + if (!key_save_private(private, identity_file, "", comment, + use_new_format, new_format_cipher, rounds)) { printf("Saving the key failed: %s.\n", identity_file); key_free(private); key_free(public); @@ -1275,7 +1288,8 @@ do_change_passphrase(struct passwd *pw) } /* Save the file using the new passphrase. */ - if (!key_save_private(private, identity_file, passphrase1, comment)) { + if (!key_save_private(private, identity_file, passphrase1, comment, + use_new_format, new_format_cipher, rounds)) { printf("Saving the key failed: %s.\n", identity_file); memset(passphrase1, 0, strlen(passphrase1)); free(passphrase1); @@ -1385,7 +1399,8 @@ do_change_comment(struct passwd *pw) } /* Save the file using the new passphrase. */ - if (!key_save_private(private, identity_file, passphrase, new_comment)) { + if (!key_save_private(private, identity_file, passphrase, new_comment, + use_new_format, new_format_cipher, rounds)) { printf("Saving the key failed: %s.\n", identity_file); memset(passphrase, 0, strlen(passphrase)); free(passphrase); 
@@ -2132,7 +2147,7 @@ usage(void) fprintf(stderr, "usage: %s [options]\n", __progname); fprintf(stderr, "Options:\n"); fprintf(stderr, " -A Generate non-existent host keys for all key types.\n"); - fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n"); + fprintf(stderr, " -a number Number of KDF rounds for new key format or moduli primality tests.\n"); fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); fprintf(stderr, " -b bits Number of bits in the key to create.\n"); fprintf(stderr, " -C comment Provide new comment.\n"); @@ -2160,6 +2175,7 @@ usage(void) fprintf(stderr, " -N phrase Provide new passphrase.\n"); fprintf(stderr, " -n name,... User/host principal names to include in certificate\n"); fprintf(stderr, " -O option Specify a certificate option.\n"); + fprintf(stderr, " -o Enforce new private key format.\n"); fprintf(stderr, " -P phrase Provide old passphrase.\n"); fprintf(stderr, " -p Change passphrase of private key file.\n"); fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n"); @@ -2176,6 +2192,7 @@ usage(void) fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -y Read private key file and print public key.\n"); fprintf(stderr, " -z serial Specify a serial number.\n"); + fprintf(stderr, " -Z cipher Specify a cipher for new private key format.\n"); exit(1); } @@ -2193,7 +2210,7 @@ main(int argc, char **argv) struct passwd *pw; struct stat st; int opt, type, fd; - u_int32_t memory = 0, generator_wanted = 0, trials = 100; + u_int32_t memory = 0, generator_wanted = 0; int do_gen_candidates = 0, do_screen_candidates = 0; int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; unsigned long start_lineno = 0, lines_to_process = 0; 
@@ -2225,9 +2242,9 @@ main(int argc, char **argv) exit(1); } - /* Remaining characters: EUYZdow */ - while ((opt = getopt(argc, argv, "ABHLQXceghiklpquvxy" - "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:a:b:f:j:m:n:r:s:t:z:")) != -1) { + /* Remaining characters: EUYdw */ + while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy" + "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; @@ -2285,6 +2302,9 @@ main(int argc, char **argv) case 'n': cert_principals = optarg; break; + case 'o': + use_new_format = 1; + break; case 'p': change_passphrase = 1; break; @@ -2312,6 +2332,9 @@ main(int argc, char **argv) case 'O': add_cert_option(optarg); break; + case 'Z': + new_format_cipher = optarg; + break; case 'C': identity_comment = optarg; break; @@ -2370,9 +2393,9 @@ main(int argc, char **argv) optarg, errstr); break; case 'a': - trials = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); + rounds = (int)strtonum(optarg, 1, INT_MAX, &errstr); if (errstr) - fatal("Invalid number of trials: %s (%s)", + fatal("Invalid number: %s (%s)", optarg, errstr); break; case 'M': @@ -2531,7 +2554,8 @@ main(int argc, char **argv) fatal("Couldn't open moduli file \"%s\": %s", out_file, strerror(errno)); } - if (prime_test(in, out, trials, generator_wanted, checkpoint, + if (prime_test(in, out, rounds == 0 ? 100 : rounds, + generator_wanted, checkpoint, start_lineno, lines_to_process) != 0) fatal("modulus screening failed"); return (0); @@ -2623,7 +2647,8 @@ passphrase_again: } /* Save the key with the given passphrase and comment. */ - if (!key_save_private(private, identity_file, passphrase1, comment)) { + if (!key_save_private(private, identity_file, passphrase1, comment, + use_new_format, new_format_cipher, rounds)) { printf("Saving the key failed: %s.\n", identity_file); memset(passphrase1, 0, strlen(passphrase1)); free(passphrase1); -- cgit v1.2.1 From 9071049d24b6330789bc40577922c175daa802cb Mon Sep 17 00:00:00 2001 
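Review bot: The new getopt string lists `g` twice: it stays in the flag group `"ABHLQXceghiklopquvxy"` and is also added as `g:` in the argument group. getopt(3) implementations take the first occurrence of the option character, so `-g` keeps taking no argument and the added `g:` is dead text that will mislead the next person extending the option list; drop `g:` (or, if `-g` was meant to gain an argument, remove it from the flag group and adjust its `case`, which is not in this hunk). The rest of main() lies outside the hunk.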
From: djm Date: Sat, 7 Dec 2013 00:24:01 +0000 Subject: - markus@cvs.openbsd.org 2013/12/06 13:39:49 [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@ --- authfd.c | 4 +- authfile.c | 10 ++++- crypto_api.h | 43 ++++++++++++++++++ key.h | 13 +++++- myproposal.h | 4 +- pathnames.h | 4 +- readconf.c | 4 +- servconf.c | 4 +- ssh-agent.c | 3 +- ssh-ed25519.c | 141 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ssh-keygen.c | 11 +++-- ssh-keyscan.1 | 5 ++- ssh-keyscan.c | 16 ++++--- ssh-keysign.c | 5 ++- ssh.c | 17 +++++-- ssh_config.5 | 6 +-- sshd.c | 6 ++- 17 files changed, 267 insertions(+), 29 deletions(-) create mode 100644 crypto_api.h create mode 100644 ssh-ed25519.c diff --git a/authfd.c b/authfd.c index 2cda8b30..0971cee3 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.89 2013/12/06 13:30:08 markus Exp $ */ +/* $OpenBSD: authfd.c,v 1.90 2013/12/06 13:39:49 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -508,6 +508,8 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key, case KEY_DSA_CERT_V00: case KEY_ECDSA: case KEY_ECDSA_CERT: + case KEY_ED25519: + case KEY_ED25519_CERT: type = constrained ? SSH2_AGENTC_ADD_ID_CONSTRAINED : SSH2_AGENTC_ADD_IDENTITY; diff --git a/authfile.c b/authfile.c index e38a3dd1..b0fc23e6 100644 --- a/authfile.c +++ b/authfile.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.99 2013/12/06 13:34:54 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.100 2013/12/06 13:39:49 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -50,6 +50,8 @@ /* compatibility with old or broken OpenSSL versions */ #include "openbsd-compat/openssl-compat.h" +#include "crypto_api.h" + #include #include #include @@ -593,6 +595,9 @@ key_private_to_blob(Key *key, Buffer *blob, const char *passphrase, comment, new_format_cipher, new_format_rounds); } return key_private_pem_to_blob(key, blob, passphrase, comment); + case KEY_ED25519: + return key_private_to_blob2(key, blob, passphrase, + comment, new_format_cipher, new_format_rounds); default: error("%s: cannot save key type %d", __func__, key->type); return 0; @@ -997,6 +1002,9 @@ key_parse_private_type(Buffer *blob, int type, const char *passphrase, case KEY_DSA: case KEY_ECDSA: case KEY_RSA: + return key_parse_private_pem(blob, type, passphrase, commentp); + case KEY_ED25519: + return key_parse_private2(blob, type, passphrase, commentp); case KEY_UNSPEC: if ((k = key_parse_private2(blob, type, passphrase, commentp))) return k; diff --git a/crypto_api.h b/crypto_api.h new file mode 100644 index 00000000..633463dc --- /dev/null +++ b/crypto_api.h 
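Review bot: With this hunk the explicit KEY_DSA/KEY_ECDSA/KEY_RSA cases return key_parse_private_pem directly and no longer try key_parse_private2 first, so a file written in the new format for one of those types only loads when the caller asks for KEY_UNSPEC; the callers are outside this diff, so I cannot tell from here whether any still pass an explicit type. If that is intended, a comment on the shared case, `/* explicit type: PEM only; new-format files are probed via KEY_UNSPEC */`, would record it; otherwise the KEY_UNSPEC probe should cover those cases too. The enclosing switch starts before the hunk.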
@@ -0,0 +1,43 @@ +/* $OpenBSD: crypto_api.h,v 1.1 2013/12/06 13:39:49 markus Exp $ */ + +/* Placed in the public domain. */ + +#ifndef crypto_api_h +#define crypto_api_h + +#include +#include + +typedef int32_t crypto_int32; +typedef uint32_t crypto_uint32; + +#define randombytes(buf, buf_len) arc4random_buf((buf), (buf_len)) + +#define crypto_hashblocks_sha512_STATEBYTES 64U +#define crypto_hashblocks_sha512_BLOCKBYTES 128U + +int crypto_hashblocks_sha512(unsigned char *, const unsigned char *, + unsigned long long); + +#define crypto_hash_sha512_BYTES 64U + +int crypto_hash_sha512(unsigned char *, const unsigned char *, + unsigned long long); + +int crypto_verify_32(const unsigned char *, const unsigned char *); + +#define crypto_sign_BYTES crypto_sign_ed25519_BYTES +#define crypto_sign_PUBLICKEYBYTES crypto_sign_ed25519_PUBLICKEYBYTES +#define crypto_sign_SECRETKEYBYTES crypto_sign_ed25519_SECRETKEYBYTES + +#define crypto_sign_ed25519_SECRETKEYBYTES 64U +#define crypto_sign_ed25519_PUBLICKEYBYTES 32U +#define crypto_sign_ed25519_BYTES 64U + +int crypto_sign_ed25519(unsigned char *, unsigned long long *, + const unsigned char *, unsigned long long, const unsigned char *); +int crypto_sign_ed25519_open(unsigned char *, unsigned long long *, + const unsigned char *, unsigned long long, const unsigned char *); +int crypto_sign_ed25519_keypair(unsigned char *, unsigned char *); + +#endif /* crypto_api_h */ diff --git a/key.h b/key.h index efa71176..6a049d27 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.39 2013/12/06 13:30:08 markus Exp $ */ +/* $OpenBSD: key.h,v 1.40 2013/12/06 13:39:49 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -39,9 +39,11 @@ enum types { KEY_RSA, KEY_DSA, KEY_ECDSA, + KEY_ED25519, KEY_RSA_CERT, KEY_DSA_CERT, KEY_ECDSA_CERT, + KEY_ED25519_CERT, KEY_RSA_CERT_V00, KEY_DSA_CERT_V00, KEY_UNSPEC 
@@ -86,8 +88,13 @@ struct Key { void *ecdsa; #endif struct KeyCert *cert; + u_char *ed25519_sk; + u_char *ed25519_pk; }; +#define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES +#define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES + Key *key_new(int); void key_add_private(Key *); Key *key_new_private(int); @@ -128,7 +135,7 @@ const EVP_MD *key_ec_nid_to_evpmd(int nid); int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); int key_ec_validate_private(const EC_KEY *); #endif -char *key_alg_list(void); +char *key_alg_list(int, int); Key *key_from_blob(const u_char *, u_int); int key_to_blob(const Key *, u_char **, u_int *); @@ -145,6 +152,8 @@ int ssh_ecdsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int); int ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); int ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int); int ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); +int ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int); +int ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int); #if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK)) void key_dump_ec_point(const EC_GROUP *, const EC_POINT *); diff --git a/myproposal.h b/myproposal.h index 71dbc997..3a0f5aea 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.34 2013/11/21 00:45:44 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -90,11 +90,13 @@ #define KEX_DEFAULT_PK_ALG \ HOSTKEY_ECDSA_CERT_METHODS \ + "ssh-ed25519-cert-v01@openssh.com," \ "ssh-rsa-cert-v01@openssh.com," \ "ssh-dss-cert-v01@openssh.com," \ "ssh-rsa-cert-v00@openssh.com," \ "ssh-dss-cert-v00@openssh.com," \ HOSTKEY_ECDSA_METHODS \ + "ssh-ed25519," \ "ssh-rsa," \ "ssh-dss" diff --git a/pathnames.h b/pathnames.h index 5027fbae..ec89fc66 100644 
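Review bot: `ed25519_sk` adds raw secret-key material to struct Key, and nothing in this view shows it being zeroed before release or kept out of copies that should carry only the public half; key.c is named in the subject line but does not appear in the diffstat, so key_free() and the copy paths cannot be checked here. Please confirm those paths handle the new pointer, and record the expectation on the field itself: `u_char *ed25519_sk; /* secret key; zero before free, never copied into public-only keys */`. The struct's opening line is outside the hunk.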
--- a/pathnames.h +++ b/pathnames.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.23 2013/04/05 00:31:49 djm Exp $ */ +/* $OpenBSD: pathnames.h,v 1.24 2013/12/06 13:39:49 markus Exp $ */ /* * Author: Tatu Ylonen @@ -39,6 +39,7 @@ #define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key" #define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key" #define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key" +#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key" #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" #define _PATH_DH_MODULI SSHDIR "/moduli" /* Backwards compatibility */ @@ -77,6 +78,7 @@ #define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa" #define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa" #define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa" +#define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519" /* * Configuration file in user's home directory. This file need not be diff --git a/readconf.c b/readconf.c index 0e1030d0..08e16852 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.214 2013/11/20 20:54:10 deraadt Exp $ */ +/* $OpenBSD: readconf.c,v 1.215 2013/12/06 13:39:49 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1645,6 +1645,8 @@ fill_default_options(Options * options) add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0); #endif + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_ED25519, 0); } } if (options->escape_char == -1) diff --git a/servconf.c b/servconf.c index 6db89f7c..9bcd05bf 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.247 2013/12/05 01:16:41 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.248 2013/12/06 13:39:49 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -180,6 +180,8 @@ fill_default_server_options(ServerOptions *options) options->host_key_files[options->num_host_key_files++] = _PATH_HOST_ECDSA_KEY_FILE; #endif + options->host_key_files[options->num_host_key_files++] = + _PATH_HOST_ED25519_KEY_FILE; } } /* No certificates by default */ diff --git a/ssh-agent.c b/ssh-agent.c index 579ee384..8210a8e3 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.179 2013/12/06 13:34:54 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.180 2013/12/06 13:39:49 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -484,6 +484,7 @@ process_add_identity(SocketEntry *e, int version) /* Generate additional parameters */ rsa_generate_additional_parameters(k->rsa); + /* enable blinding */ if (RSA_blinding_on(k->rsa, NULL) != 1) { error("process_add_identity: RSA_blinding_on failed"); key_free(k); diff --git a/ssh-ed25519.c b/ssh-ed25519.c new file mode 100644 index 00000000..c03c1634 --- /dev/null +++ b/ssh-ed25519.c 
@@ -0,0 +1,141 @@
+/* $OpenBSD: ssh-ed25519.c,v 1.1 2013/12/06 13:39:49 markus Exp $ */
+/*
+ * Copyright (c) 2013 Markus Friedl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#include "crypto_api.h"
+
+#include
+#include
+
+#include "xmalloc.h"
+#include "log.h"
+#include "buffer.h"
+#include "key.h"
+#include "ssh.h"
+
+int
+ssh_ed25519_sign(const Key *key, u_char **sigp, u_int *lenp,
+ const u_char *data, u_int datalen)
+{
+ u_char *sig;
+ u_int slen, len;
+ unsigned long long smlen;
+ int ret;
+ Buffer b;
+
+ if (key == NULL || key_type_plain(key->type) != KEY_ED25519 ||
+ key->ed25519_sk == NULL) {
+ error("%s: no ED25519 key", __func__);
+ return -1;
+ }
+ smlen = slen = datalen + crypto_sign_ed25519_BYTES;
+ sig = xmalloc(slen);
+
+ if ((ret = crypto_sign_ed25519(sig, &smlen, data, datalen,
+ key->ed25519_sk)) != 0 || smlen <= datalen) {
+ error("%s: crypto_sign_ed25519 failed: %d", __func__, ret);
+ free(sig);
+ return -1;
+ }
+ /* encode signature */
+ buffer_init(&b);
+ buffer_put_cstring(&b, "ssh-ed25519");
+ buffer_put_string(&b, sig, smlen - datalen);
+ len = buffer_len(&b);
+ if (lenp != NULL)
+ *lenp = len;
+ if (sigp != NULL) {
+ *sigp = xmalloc(len);
+ memcpy(*sigp, buffer_ptr(&b), len);
+ }
+ buffer_free(&b);
+ memset(sig, 's', slen);
+ free(sig);
+
+ return 0;
+}
+
+int
+ssh_ed25519_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ const u_char *data, u_int datalen)
+{
+ Buffer b;
+ char *ktype;
+ u_char *sigblob, *sm, *m;
+ u_int len;
+ unsigned long long smlen, mlen;
+ int rlen, ret;
+
+ if (key == NULL || key_type_plain(key->type) != KEY_ED25519 ||
+ key->ed25519_pk == NULL) {
+ error("%s: no ED25519 key", __func__);
+ return -1;
+ }
+ buffer_init(&b);
+ buffer_append(&b, signature, signaturelen);
+ ktype = buffer_get_cstring(&b, NULL);
+ if (strcmp("ssh-ed25519", ktype) != 0) {
+ error("%s: cannot handle type %s", __func__, ktype);
+ buffer_free(&b);
+ free(ktype);
+ return -1;
+ }
+ free(ktype);
+ sigblob = buffer_get_string(&b, &len);
+ rlen = buffer_len(&b);
+ buffer_free(&b);
+ if (rlen != 0) {
+ error("%s: remaining bytes in signature %d", __func__, rlen);
+ free(sigblob);
+ return -1;
+ }
+ if (len > crypto_sign_ed25519_BYTES) {
+ error("%s: len %u > crypto_sign_ed25519_BYTES %u", __func__,
+ len, crypto_sign_ed25519_BYTES);
+ free(sigblob);
+ return -1;
+ }
+ smlen = len + datalen;
+ sm = xmalloc(smlen);
+ memcpy(sm, sigblob, len);
+ memcpy(sm+len, data, datalen);
+ mlen = smlen;
+ m = xmalloc(mlen);
+ if ((ret = crypto_sign_ed25519_open(m, &mlen, sm, smlen,
+ key->ed25519_pk)) != 0) {
+ debug2("%s: crypto_sign_ed25519_open failed: %d",
+ __func__, ret);
+ }
+ if (ret == 0 && mlen != datalen) {
+ debug2("%s: crypto_sign_ed25519_open "
+ "mlen != datalen (%llu != %u)", __func__, mlen, datalen);
+ ret = -1;
+ }
+ /* XXX compare 'm' and 'data' ? */
+
+ memset(sigblob, 's', len);
+ memset(sm, 'S', smlen);
+ memset(m, 'm', smlen); /* NB. mlen may be invalid if ret != 0 */
+ free(sigblob);
+ free(sm);
+ free(m);
+ debug("%s: signature %scorrect", __func__, (ret != 0) ? "in" : "");
+
+ /* translate return code carefully */
+ return (ret == 0) ? 1 : -1;
+}
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 533eed29..eae83a46 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
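Review bot: The format check `if (len > crypto_sign_ed25519_BYTES)` in ssh_ed25519_verify only rejects over-long signature blobs, yet the sign side always emits exactly crypto_sign_ed25519_BYTES (`smlen - datalen`), so a short blob is a malformed signature too and should be refused here rather than left for crypto_sign_ed25519_open to notice after the two xmalloc/memcpy steps: `if (len != crypto_sign_ed25519_BYTES) {` with the error text changed from `>` to `!=`. A truncated blob is presumably rejected inside crypto_sign_ed25519_open, but the wire parser should not rely on the primitive for framing. The `/* XXX compare 'm' and 'data' ? */` left behind could be settled in the same pass, either by an explicit `memcmp(m, data, datalen)` when ret == 0 or by a comment stating that the opened message is copied from `sm + len` by construction (to be confirmed against ed25519.c, which is not in this hunk). The `memset(..., 's', ...)` scrubs before free follow the file's convention but are plain memset calls that a compiler may drop for a buffer that is freed next; if the project has an explicit-bzero helper, it belongs here.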
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.237 2013/12/06 13:34:54 markus Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.238 2013/12/06 13:39:49 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -197,7 +197,7 @@ type_bits_valid(int type, u_int32_t *bitsp) } if (type == KEY_DSA && *bitsp != 1024) fatal("DSA keys must be 1024 bits"); - else if (type != KEY_ECDSA && *bitsp < 768) + else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) fatal("Key must at least be 768 bits"); else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) fatal("Invalid ECDSA key length - valid lengths are " @@ -233,6 +233,10 @@ ask_filename(struct passwd *pw, const char *prompt) case KEY_RSA: name = _PATH_SSH_CLIENT_ID_RSA; break; + case KEY_ED25519: + case KEY_ED25519_CERT: + name = _PATH_SSH_CLIENT_ID_ED25519; + break; default: fprintf(stderr, "bad key type\n"); exit(1); @@ -896,6 +900,7 @@ do_gen_all_hostkeys(struct passwd *pw) #ifdef OPENSSL_HAS_ECC { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, #endif + { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE }, { NULL, NULL, NULL } }; @@ -1611,7 +1616,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) if ((public = key_load_public(tmp, &comment)) == NULL) fatal("%s: unable to open \"%s\"", __func__, tmp); if (public->type != KEY_RSA && public->type != KEY_DSA && - public->type != KEY_ECDSA) + public->type != KEY_ECDSA && public->type != KEY_ED25519) fatal("%s: key \"%s\" type %s cannot be certified", __func__, tmp, key_type(public)); diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index c35ea05e..79dd6aa1 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.31 2013/07/16 00:07:52 schwarze Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.32 2013/12/06 13:39:49 markus Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" 
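Review bot: type_bits_valid now exempts KEY_ED25519 from the 768-bit minimum, but a `-b` value given together with `-t ed25519` is accepted and silently ignored, whereas a wrong size for DSA is fatal; a user asking for a "4096-bit ed25519 key" gets no hint that the option did nothing. A one-line notice after the size checks, e.g. `if (type == KEY_ED25519 && *bitsp != 0) logit("ignoring -b for ed25519 keys");`, would close that gap, provided the function's default handling of `*bitsp` (which starts outside this hunk) leaves 0 for "not given"; confirm before relying on it. The same hunk's `do_ca_sign` type test is now a four-term `!=` chain; a `key_type_is_certifiable()`-style helper would keep the next key type from having to touch it.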
@@ -6,7 +6,7 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd $Mdocdate: July 16 2013 $ +.Dd $Mdocdate: December 6 2013 $ .Dt SSH-KEYSCAN 1 .Os .Sh NAME @@ -137,6 +137,7 @@ is either .Dq ecdsa-sha2-nistp256 , .Dq ecdsa-sha2-nistp384 , .Dq ecdsa-sha2-nistp521 , +.Dq ssh-ed25519 , .Dq ssh-dss or .Dq ssh-rsa . diff --git a/ssh-keyscan.c b/ssh-keyscan.c index c5f658d7..8d0a6b8d 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.88 2013/11/02 21:59:15 markus Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.89 2013/12/06 13:39:49 markus Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -56,6 +56,7 @@ int ssh_port = SSH_DEFAULT_PORT; #define KT_DSA 2 #define KT_RSA 4 #define KT_ECDSA 8 +#define KT_ED25519 16 int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */ @@ -245,9 +246,11 @@ keygrab_ssh2(con *c) packet_set_connection(c->c_fd, c->c_fd); enable_compat20(); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA? - "ssh-dss" : (c->c_keytype == KT_RSA ? "ssh-rsa" : - "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = + c->c_keytype == KT_DSA ? "ssh-dss" : + (c->c_keytype == KT_RSA ? "ssh-rsa" : + (c->c_keytype == KT_ED25519 ? "ssh-ed25519" : + "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521")); c->c_kex = kex_setup(myproposal); c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; @@ -575,7 +578,7 @@ do_host(char *host) if (name == NULL) return; - for (j = KT_RSA1; j <= KT_ECDSA; j *= 2) { + for (j = KT_RSA1; j <= KT_ED25519; j *= 2) { if (get_keytypes & j) { while (ncon >= MAXCON) conloop(); 
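Review bot: The host-key proposal in keygrab_ssh2 is now a three-deep nested ternary whose innermost else is the ECDSA list, so any `c_keytype` that is not DSA, RSA or ED25519 silently requests ECDSA; a `switch` with an explicit `default:` makes that fallback visible and gives the next key type an obvious slot. The loop bound in do_host, `for (j = KT_RSA1; j <= KT_ED25519; j *= 2)`, hard-codes the newest flag as the terminator, so adding a type means editing the `#define`, this loop and main's parser in step; a `#define KT_MAX KT_ED25519` beside the flags, used here as `j <= KT_MAX`, centralizes that. The proposal switch is shown below; the rest of keygrab_ssh2 is unchanged.
```c
	switch (c->c_keytype) {
	case KT_DSA:
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-dss";
		break;
	case KT_RSA:
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-rsa";
		break;
	case KT_ED25519:
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-ed25519";
		break;
	default:	/* KT_ECDSA */
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
		    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521";
		break;
	}
	/* … unchanged: kex_setup() and the kex[] table … */
```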
@@ -682,6 +685,9 @@ main(int argc, char **argv) case KEY_RSA: get_keytypes |= KT_RSA; break; + case KEY_ED25519: + get_keytypes |= KT_ED25519; + break; case KEY_UNSPEC: fatal("unknown key type %s", tname); } diff --git a/ssh-keysign.c b/ssh-keysign.c index 518373bf..6bde8ad1 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.38 2013/10/14 22:22:04 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.39 2013/12/06 13:39:49 markus Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -150,7 +150,7 @@ main(int argc, char **argv) { Buffer b; Options options; -#define NUM_KEYTYPES 3 +#define NUM_KEYTYPES 4 Key *keys[NUM_KEYTYPES], *key = NULL; struct passwd *pw; int key_fd[NUM_KEYTYPES], i, found, version = 2, fd; @@ -169,6 +169,7 @@ main(int argc, char **argv) i = 0; key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); + key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); original_real_uid = getuid(); /* XXX readconf.c needs this */ diff --git a/ssh.c b/ssh.c index 6c8cd731..543a3baf 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.395 2013/11/26 12:14:54 jmc Exp $ */ +/* $OpenBSD: ssh.c,v 1.396 2013/12/06 13:39:49 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -528,7 +528,11 @@ main(int ac, char **av) else if (strcmp(optarg, "kex") == 0) cp = kex_alg_list('\n'); else if (strcmp(optarg, "key") == 0) - cp = key_alg_list(); + cp = key_alg_list(0, 0); + else if (strcmp(optarg, "key-cert") == 0) + cp = key_alg_list(1, 0); + else if (strcmp(optarg, "key-plain") == 0) + cp = key_alg_list(0, 1); if (cp == NULL) fatal("Unsupported query \"%s\"", optarg); printf("%s\n", cp); 
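Review bot: The three calls `key_alg_list(0, 0)`, `key_alg_list(1, 0)` and `key_alg_list(0, 1)` encode the cert/plain selection as unnamed flag pairs, and the prototype added in key.h (`char *key_alg_list(int, int);`) does not name them either, so a reader has to open key.c to learn which position means what. A trailing comment on each call, `cp = key_alg_list(1, 0); /* certificate types only */` and `cp = key_alg_list(0, 1); /* plain key types only */`, or named parameters in the prototype such as `int certs_only, int plain_only`, would fix that; the `-Q key-cert`/`key-plain` mapping in this hunk suggests those meanings, but confirm against the definition, which is not in this diff. The new `-Q` query names presumably also need an ssh.1 entry; none is visible here.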
@@ -989,7 +993,7 @@ main(int ac, char **av) sensitive_data.external_keysign = 0; if (options.rhosts_rsa_authentication || options.hostbased_authentication) { - sensitive_data.nkeys = 7; + sensitive_data.nkeys = 8; sensitive_data.keys = xcalloc(sensitive_data.nkeys, sizeof(Key)); for (i = 0; i < sensitive_data.nkeys; i++) @@ -1014,13 +1018,16 @@ main(int ac, char **av) #endif sensitive_data.keys[6] = key_load_private_type(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL); + sensitive_data.keys[7] = key_load_private_type(KEY_ED25519, + _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL); PRIV_END; if (options.hostbased_authentication == 1 && sensitive_data.keys[0] == NULL && sensitive_data.keys[4] == NULL && sensitive_data.keys[5] == NULL && - sensitive_data.keys[6] == NULL) { + sensitive_data.keys[6] == NULL && + sensitive_data.keys[7] == NULL) { sensitive_data.keys[1] = key_load_cert( _PATH_HOST_DSA_KEY_FILE); #ifdef OPENSSL_HAS_ECC @@ -1037,6 +1044,8 @@ main(int ac, char **av) #endif sensitive_data.keys[6] = key_load_public( _PATH_HOST_RSA_KEY_FILE, NULL); + sensitive_data.keys[7] = key_load_public( + _PATH_HOST_ED25519_KEY_FILE, NULL); sensitive_data.external_keysign = 1; } } diff --git a/ssh_config.5 b/ssh_config.5 index 0e6fd862..43455342 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.181 2013/11/21 08:05:09 jmc Exp $ -.Dd $Mdocdate: November 21 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.182 2013/12/06 13:39:49 markus Exp $ +.Dd $Mdocdate: December 6 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
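Review bot: The hostbased fallback test now enumerates the private-key slots by hand, `keys[0] == NULL && keys[4] == NULL && keys[5] == NULL && keys[6] == NULL && keys[7] == NULL`, skipping the certificate slots by convention, so adding a key type means updating `nkeys`, the private-key load list, this condition and the public-key reload in lockstep, and nothing checks that the four agree. A loop over the slots that skips the certificate indices, or a small table of {type, path, is_cert} driving all four sites, would remove the duplication. At minimum a comment above `sensitive_data.nkeys = 8;` mapping index to key file is needed, e.g. `/* 0: RSA1; 1-3: host certificates; 4-7: DSA, ECDSA, RSA, ED25519 private keys */` — the assignments for slots 2-5 are inferred from the surrounding code, which is only partly in this hunk, and should be checked against the load list above.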
@@ -721,7 +721,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-rsa,ssh-dss +ssh-ed25519,ssh-rsa,ssh-dss .Ed .Pp If hostkeys are known for the destination host then this default is modified diff --git a/sshd.c b/sshd.c index a53deab3..786d9ff9 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.411 2013/11/20 02:19:01 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.412 2013/12/06 13:39:49 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -785,6 +785,7 @@ list_hostkey_types(void) case KEY_RSA: case KEY_DSA: case KEY_ECDSA: + case KEY_ED25519: if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); p = key_ssh_name(key); @@ -801,6 +802,7 @@ list_hostkey_types(void) case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: + case KEY_ED25519_CERT: if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); p = key_ssh_name(key); @@ -828,6 +830,7 @@ get_hostkey_by_type(int type, int need_private) case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: + case KEY_ED25519_CERT: key = sensitive_data.host_certificates[i]; break; default: @@ -1700,6 +1703,7 @@ main(int ac, char **av) case KEY_RSA: case KEY_DSA: case KEY_ECDSA: + case KEY_ED25519: sensitive_data.have_ssh2_key = 1; break; } -- cgit v1.2.1 From 8ab4dc97da5432c487be96d4b1575995a836c248 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 00:24:30 +0000 Subject: - jmc@cvs.openbsd.org 2013/12/06 15:29:07 [sshd.8] missing comma; --- sshd.8 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sshd.8 b/sshd.8 index b0c7ab6b..62615bf6 100644 --- a/sshd.8 +++ b/sshd.8 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $ -.Dd $Mdocdate: June 27 2013 $ +.\" $OpenBSD: sshd.8,v 1.272 2013/12/06 15:29:07 jmc Exp $ +.Dd $Mdocdate: December 6 2013 $ .Dt SSHD 8 .Os .Sh NAME @@ -494,6 +494,7 @@ For protocol version 2 the keytype is .Dq ecdsa-sha2-nistp256 , .Dq ecdsa-sha2-nistp384 , .Dq ecdsa-sha2-nistp521 , +.Dq ssh-ed25519 , .Dq ssh-dss or .Dq ssh-rsa . -- cgit v1.2.1 From 224ba735d9c7de1fddeb52a470f4049efddae3eb Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 00:27:47 +0000 Subject: - [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents --- blocks.c | 243 ++++++++++++++++ ed25519.c | 139 +++++++++ fe25519.c | 331 +++++++++++++++++++++ fe25519.h | 66 +++++ ge25519.c | 315 ++++++++++++++++++++ ge25519.h | 39 +++ ge25519_base.data | 854 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ hash.c | 74 +++++ sc25519.c | 302 +++++++++++++++++++ sc25519.h | 76 +++++ verify.c | 44 +++ 11 files changed, 2483 insertions(+) create mode 100644 blocks.c create mode 100644 ed25519.c create mode 100644 fe25519.c create mode 100644 fe25519.h create mode 100644 ge25519.c create mode 100644 ge25519.h create mode 100644 ge25519_base.data create mode 100644 hash.c create mode 100644 sc25519.c create mode 100644 sc25519.h create mode 100644 verify.c diff --git a/blocks.c b/blocks.c new file mode 100644 index 00000000..8e698c4a --- /dev/null +++ b/blocks.c 
@@ -0,0 +1,243 @@ +/* $OpenBSD: blocks.c,v 1.2 2013/12/07 00:26:37 djm Exp $ */ + +/* Public Domain, from supercop-20130419/crypto_hashblocks/sha512/ref/blocks.c */ + +#include "crypto_api.h" + +typedef unsigned long long uint64; + +static uint64 load_bigendian(const unsigned char *x) +{ + return + (uint64) (x[7]) \ + | (((uint64) (x[6])) << 8) \ + | (((uint64) (x[5])) << 16) \ + | (((uint64) (x[4])) << 24) \ + | (((uint64) (x[3])) << 32) \ + | (((uint64) (x[2])) << 40) \ + | (((uint64) (x[1])) << 48) \ + | (((uint64) (x[0])) << 56) + ; +} + +static void store_bigendian(unsigned char *x,uint64 u) +{ + x[7] = u; u >>= 8; + x[6] = u; u >>= 8; + x[5] = u; u >>= 8; + x[4] = u; u >>= 8; + x[3] = u; u >>= 8; + x[2] = u; u >>= 8; + x[1] = u; u >>= 8; + x[0] = u; +} + +#define SHR(x,c) ((x) >> (c)) +#define ROTR(x,c) (((x) >> (c)) | ((x) << (64 - (c)))) + +#define Ch(x,y,z) ((x & y) ^ (~x & z)) +#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z)) +#define Sigma0(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39)) +#define Sigma1(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41)) +#define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x,7)) +#define sigma1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x,6)) + +#define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0; + +#define EXPAND \ + M(w0 ,w14,w9 ,w1 ) \ + M(w1 ,w15,w10,w2 ) \ + M(w2 ,w0 ,w11,w3 ) \ + M(w3 ,w1 ,w12,w4 ) \ + M(w4 ,w2 ,w13,w5 ) \ + M(w5 ,w3 ,w14,w6 ) \ + M(w6 ,w4 ,w15,w7 ) \ + M(w7 ,w5 ,w0 ,w8 ) \ + M(w8 ,w6 ,w1 ,w9 ) \ + M(w9 ,w7 ,w2 ,w10) \ + M(w10,w8 ,w3 ,w11) \ + M(w11,w9 ,w4 ,w12) \ + M(w12,w10,w5 ,w13) \ + M(w13,w11,w6 ,w14) \ + M(w14,w12,w7 ,w15) \ + M(w15,w13,w8 ,w0 ) + +#define F(w,k) \ + T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \ + T2 = Sigma0(a) + Maj(a,b,c); \ + h = g; \ + g = f; \ + f = e; \ + e = d + T1; \ + d = c; \ + c = b; \ + b = a; \ + a = T1 + T2; + +int crypto_hashblocks_sha512(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen) +{ + uint64 state[8]; + uint64 a; + uint64 b; + uint64 c; + 
uint64 d; + uint64 e; + uint64 f; + uint64 g; + uint64 h; + uint64 T1; + uint64 T2; + + a = load_bigendian(statebytes + 0); state[0] = a; + b = load_bigendian(statebytes + 8); state[1] = b; + c = load_bigendian(statebytes + 16); state[2] = c; + d = load_bigendian(statebytes + 24); state[3] = d; + e = load_bigendian(statebytes + 32); state[4] = e; + f = load_bigendian(statebytes + 40); state[5] = f; + g = load_bigendian(statebytes + 48); state[6] = g; + h = load_bigendian(statebytes + 56); state[7] = h; + + while (inlen >= 128) { + uint64 w0 = load_bigendian(in + 0); + uint64 w1 = load_bigendian(in + 8); + uint64 w2 = load_bigendian(in + 16); + uint64 w3 = load_bigendian(in + 24); + uint64 w4 = load_bigendian(in + 32); + uint64 w5 = load_bigendian(in + 40); + uint64 w6 = load_bigendian(in + 48); + uint64 w7 = load_bigendian(in + 56); + uint64 w8 = load_bigendian(in + 64); + uint64 w9 = load_bigendian(in + 72); + uint64 w10 = load_bigendian(in + 80); + uint64 w11 = load_bigendian(in + 88); + uint64 w12 = load_bigendian(in + 96); + uint64 w13 = load_bigendian(in + 104); + uint64 w14 = load_bigendian(in + 112); + uint64 w15 = load_bigendian(in + 120); + + F(w0 ,0x428a2f98d728ae22ULL) + F(w1 ,0x7137449123ef65cdULL) + F(w2 ,0xb5c0fbcfec4d3b2fULL) + F(w3 ,0xe9b5dba58189dbbcULL) + F(w4 ,0x3956c25bf348b538ULL) + F(w5 ,0x59f111f1b605d019ULL) + F(w6 ,0x923f82a4af194f9bULL) + F(w7 ,0xab1c5ed5da6d8118ULL) + F(w8 ,0xd807aa98a3030242ULL) + F(w9 ,0x12835b0145706fbeULL) + F(w10,0x243185be4ee4b28cULL) + F(w11,0x550c7dc3d5ffb4e2ULL) + F(w12,0x72be5d74f27b896fULL) + F(w13,0x80deb1fe3b1696b1ULL) + F(w14,0x9bdc06a725c71235ULL) + F(w15,0xc19bf174cf692694ULL) + + EXPAND + + F(w0 ,0xe49b69c19ef14ad2ULL) + F(w1 ,0xefbe4786384f25e3ULL) + F(w2 ,0x0fc19dc68b8cd5b5ULL) + F(w3 ,0x240ca1cc77ac9c65ULL) + F(w4 ,0x2de92c6f592b0275ULL) + F(w5 ,0x4a7484aa6ea6e483ULL) + F(w6 ,0x5cb0a9dcbd41fbd4ULL) + F(w7 ,0x76f988da831153b5ULL) + F(w8 ,0x983e5152ee66dfabULL) + F(w9 ,0xa831c66d2db43210ULL) + 
F(w10,0xb00327c898fb213fULL) + F(w11,0xbf597fc7beef0ee4ULL) + F(w12,0xc6e00bf33da88fc2ULL) + F(w13,0xd5a79147930aa725ULL) + F(w14,0x06ca6351e003826fULL) + F(w15,0x142929670a0e6e70ULL) + + EXPAND + + F(w0 ,0x27b70a8546d22ffcULL) + F(w1 ,0x2e1b21385c26c926ULL) + F(w2 ,0x4d2c6dfc5ac42aedULL) + F(w3 ,0x53380d139d95b3dfULL) + F(w4 ,0x650a73548baf63deULL) + F(w5 ,0x766a0abb3c77b2a8ULL) + F(w6 ,0x81c2c92e47edaee6ULL) + F(w7 ,0x92722c851482353bULL) + F(w8 ,0xa2bfe8a14cf10364ULL) + F(w9 ,0xa81a664bbc423001ULL) + F(w10,0xc24b8b70d0f89791ULL) + F(w11,0xc76c51a30654be30ULL) + F(w12,0xd192e819d6ef5218ULL) + F(w13,0xd69906245565a910ULL) + F(w14,0xf40e35855771202aULL) + F(w15,0x106aa07032bbd1b8ULL) + + EXPAND + + F(w0 ,0x19a4c116b8d2d0c8ULL) + F(w1 ,0x1e376c085141ab53ULL) + F(w2 ,0x2748774cdf8eeb99ULL) + F(w3 ,0x34b0bcb5e19b48a8ULL) + F(w4 ,0x391c0cb3c5c95a63ULL) + F(w5 ,0x4ed8aa4ae3418acbULL) + F(w6 ,0x5b9cca4f7763e373ULL) + F(w7 ,0x682e6ff3d6b2b8a3ULL) + F(w8 ,0x748f82ee5defb2fcULL) + F(w9 ,0x78a5636f43172f60ULL) + F(w10,0x84c87814a1f0ab72ULL) + F(w11,0x8cc702081a6439ecULL) + F(w12,0x90befffa23631e28ULL) + F(w13,0xa4506cebde82bde9ULL) + F(w14,0xbef9a3f7b2c67915ULL) + F(w15,0xc67178f2e372532bULL) + + EXPAND + + F(w0 ,0xca273eceea26619cULL) + F(w1 ,0xd186b8c721c0c207ULL) + F(w2 ,0xeada7dd6cde0eb1eULL) + F(w3 ,0xf57d4f7fee6ed178ULL) + F(w4 ,0x06f067aa72176fbaULL) + F(w5 ,0x0a637dc5a2c898a6ULL) + F(w6 ,0x113f9804bef90daeULL) + F(w7 ,0x1b710b35131c471bULL) + F(w8 ,0x28db77f523047d84ULL) + F(w9 ,0x32caab7b40c72493ULL) + F(w10,0x3c9ebe0a15c9bebcULL) + F(w11,0x431d67c49c100d4cULL) + F(w12,0x4cc5d4becb3e42b6ULL) + F(w13,0x597f299cfc657e2aULL) + F(w14,0x5fcb6fab3ad6faecULL) + F(w15,0x6c44198c4a475817ULL) + + a += state[0]; + b += state[1]; + c += state[2]; + d += state[3]; + e += state[4]; + f += state[5]; + g += state[6]; + h += state[7]; + + state[0] = a; + state[1] = b; + state[2] = c; + state[3] = d; + state[4] = e; + state[5] = f; + state[6] = g; + state[7] = h; + + in += 128; + 
inlen -= 128; + } + + store_bigendian(statebytes + 0,state[0]); + store_bigendian(statebytes + 8,state[1]); + store_bigendian(statebytes + 16,state[2]); + store_bigendian(statebytes + 24,state[3]); + store_bigendian(statebytes + 32,state[4]); + store_bigendian(statebytes + 40,state[5]); + store_bigendian(statebytes + 48,state[6]); + store_bigendian(statebytes + 56,state[7]); + + return inlen; +} diff --git a/ed25519.c b/ed25519.c new file mode 100644 index 00000000..c7c861bb --- /dev/null +++ b/ed25519.c 
@@ -0,0 +1,139 @@ +/* $OpenBSD: ed25519.c,v 1.2 2013/12/07 00:26:37 djm Exp $ */ + +/* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c */ + +#include "crypto_api.h" + +#include "ge25519.h" + +static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen) +{ + unsigned long long i; + + for (i = 0;i < 32;++i) playground[i] = sm[i]; + for (i = 32;i < 64;++i) playground[i] = pk[i-32]; + for (i = 64;i < smlen;++i) playground[i] = sm[i]; + + crypto_hash_sha512(hram,playground,smlen); +} + + +int crypto_sign_ed25519_keypair( + unsigned char *pk, + unsigned char *sk + ) +{ + sc25519 scsk; + ge25519 gepk; + unsigned char extsk[64]; + int i; + + randombytes(sk, 32); + crypto_hash_sha512(extsk, sk, 32); + extsk[0] &= 248; + extsk[31] &= 127; + extsk[31] |= 64; + + sc25519_from32bytes(&scsk,extsk); + + ge25519_scalarmult_base(&gepk, &scsk); + ge25519_pack(pk, &gepk); + for(i=0;i<32;i++) + sk[32 + i] = pk[i]; + return 0; +} + +int crypto_sign_ed25519( + unsigned char *sm,unsigned long long *smlen, + const unsigned char *m,unsigned long long mlen, + const unsigned char *sk + ) +{ + sc25519 sck, scs, scsk; + ge25519 ger; + unsigned char r[32]; + unsigned char s[32]; + unsigned char extsk[64]; + unsigned long long i; + unsigned char hmg[crypto_hash_sha512_BYTES]; + unsigned char hram[crypto_hash_sha512_BYTES]; + + crypto_hash_sha512(extsk, sk, 32); + extsk[0] &= 248; + extsk[31] &= 127; + extsk[31] |= 64; + + *smlen = mlen+64; + for(i=0;i>= 31; /* 1: yes; 0: no */ + return x; +} + +static crypto_uint32 ge(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */ +{ + unsigned int x = a; + x -= (unsigned int) b; /* 0..65535: yes; 4294901761..4294967295: no */ + x >>= 31; /* 0: yes; 1: no */ + x ^= 1; /* 1: yes; 0: no */ + return x; +} + +static crypto_uint32 times19(crypto_uint32 a) +{ + return (a << 4) + (a << 1) + a; +} + +static crypto_uint32 times38(crypto_uint32 a) +{ + return 
(a << 5) + (a << 2) + (a << 1); +} + +static void reduce_add_sub(fe25519 *r) +{ + crypto_uint32 t; + int i,rep; + + for(rep=0;rep<4;rep++) + { + t = r->v[31] >> 7; + r->v[31] &= 127; + t = times19(t); + r->v[0] += t; + for(i=0;i<31;i++) + { + t = r->v[i] >> 8; + r->v[i+1] += t; + r->v[i] &= 255; + } + } +} + +static void reduce_mul(fe25519 *r) +{ + crypto_uint32 t; + int i,rep; + + for(rep=0;rep<2;rep++) + { + t = r->v[31] >> 7; + r->v[31] &= 127; + t = times19(t); + r->v[0] += t; + for(i=0;i<31;i++) + { + t = r->v[i] >> 8; + r->v[i+1] += t; + r->v[i] &= 255; + } + } +} + +/* reduction modulo 2^255-19 */ +void fe25519_freeze(fe25519 *r) +{ + int i; + crypto_uint32 m = equal(r->v[31],127); + for(i=30;i>0;i--) + m &= equal(r->v[i],255); + m &= ge(r->v[0],237); + + m = -m; + + r->v[31] -= m&127; + for(i=30;i>0;i--) + r->v[i] -= m&255; + r->v[0] -= m&237; +} + +void fe25519_unpack(fe25519 *r, const unsigned char x[32]) +{ + int i; + for(i=0;i<32;i++) r->v[i] = x[i]; + r->v[31] &= 127; +} + +/* Assumes input x being reduced below 2^255 */ +void fe25519_pack(unsigned char r[32], const fe25519 *x) +{ + int i; + fe25519 y = *x; + fe25519_freeze(&y); + for(i=0;i<32;i++) + r[i] = y.v[i]; +} + +int fe25519_iszero(const fe25519 *x) +{ + int i; + int r; + fe25519 t = *x; + fe25519_freeze(&t); + r = equal(t.v[0],0); + for(i=1;i<32;i++) + r &= equal(t.v[i],0); + return r; +} + +int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y) +{ + int i; + fe25519 t1 = *x; + fe25519 t2 = *y; + fe25519_freeze(&t1); + fe25519_freeze(&t2); + for(i=0;i<32;i++) + if(t1.v[i] != t2.v[i]) return 0; + return 1; +} + +void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b) +{ + int i; + crypto_uint32 mask = b; + mask = -mask; + for(i=0;i<32;i++) r->v[i] ^= mask & (x->v[i] ^ r->v[i]); +} + +unsigned char fe25519_getparity(const fe25519 *x) +{ + fe25519 t = *x; + fe25519_freeze(&t); + return t.v[0] & 1; +} + +void fe25519_setone(fe25519 *r) +{ + int i; + r->v[0] = 1; + for(i=1;i<32;i++) 
r->v[i]=0; +} + +void fe25519_setzero(fe25519 *r) +{ + int i; + for(i=0;i<32;i++) r->v[i]=0; +} + +void fe25519_neg(fe25519 *r, const fe25519 *x) +{ + fe25519 t; + int i; + for(i=0;i<32;i++) t.v[i]=x->v[i]; + fe25519_setzero(r); + fe25519_sub(r, r, &t); +} + +void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y) +{ + int i; + for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i]; + reduce_add_sub(r); +} + +void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y) +{ + int i; + crypto_uint32 t[32]; + t[0] = x->v[0] + 0x1da; + t[31] = x->v[31] + 0xfe; + for(i=1;i<31;i++) t[i] = x->v[i] + 0x1fe; + for(i=0;i<32;i++) r->v[i] = t[i] - y->v[i]; + reduce_add_sub(r); +} + +void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y) +{ + int i,j; + crypto_uint32 t[63]; + for(i=0;i<63;i++)t[i] = 0; + + for(i=0;i<32;i++) + for(j=0;j<32;j++) + t[i+j] += x->v[i] * y->v[j]; + + for(i=32;i<63;i++) + r->v[i-32] = t[i-32] + times38(t[i]); + r->v[31] = t[31]; /* result now in r[0]...r[31] */ + + reduce_mul(r); +} + +void fe25519_square(fe25519 *r, const fe25519 *x) +{ + fe25519_mul(r, x, x); +} + +void fe25519_invert(fe25519 *r, const fe25519 *x) +{ + fe25519 z2; + fe25519 z9; + fe25519 z11; + fe25519 z2_5_0; + fe25519 z2_10_0; + fe25519 z2_20_0; + fe25519 z2_50_0; + fe25519 z2_100_0; + fe25519 t0; + fe25519 t1; + int i; + + /* 2 */ fe25519_square(&z2,x); + /* 4 */ fe25519_square(&t1,&z2); + /* 8 */ fe25519_square(&t0,&t1); + /* 9 */ fe25519_mul(&z9,&t0,x); + /* 11 */ fe25519_mul(&z11,&z9,&z2); + /* 22 */ fe25519_square(&t0,&z11); + /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t0,&z9); + + /* 2^6 - 2^1 */ fe25519_square(&t0,&z2_5_0); + /* 2^7 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^8 - 2^3 */ fe25519_square(&t0,&t1); + /* 2^9 - 2^4 */ fe25519_square(&t1,&t0); + /* 2^10 - 2^5 */ fe25519_square(&t0,&t1); + /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t0,&z2_5_0); + + /* 2^11 - 2^1 */ fe25519_square(&t0,&z2_10_0); + /* 2^12 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^20 - 2^10 */ 
for (i = 2;i < 10;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t1,&z2_10_0); + + /* 2^21 - 2^1 */ fe25519_square(&t0,&z2_20_0); + /* 2^22 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^40 - 2^0 */ fe25519_mul(&t0,&t1,&z2_20_0); + + /* 2^41 - 2^1 */ fe25519_square(&t1,&t0); + /* 2^42 - 2^2 */ fe25519_square(&t0,&t1); + /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); } + /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t0,&z2_10_0); + + /* 2^51 - 2^1 */ fe25519_square(&t0,&z2_50_0); + /* 2^52 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t1,&z2_50_0); + + /* 2^101 - 2^1 */ fe25519_square(&t1,&z2_100_0); + /* 2^102 - 2^2 */ fe25519_square(&t0,&t1); + /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); } + /* 2^200 - 2^0 */ fe25519_mul(&t1,&t0,&z2_100_0); + + /* 2^201 - 2^1 */ fe25519_square(&t0,&t1); + /* 2^202 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^250 - 2^0 */ fe25519_mul(&t0,&t1,&z2_50_0); + + /* 2^251 - 2^1 */ fe25519_square(&t1,&t0); + /* 2^252 - 2^2 */ fe25519_square(&t0,&t1); + /* 2^253 - 2^3 */ fe25519_square(&t1,&t0); + /* 2^254 - 2^4 */ fe25519_square(&t0,&t1); + /* 2^255 - 2^5 */ fe25519_square(&t1,&t0); + /* 2^255 - 21 */ fe25519_mul(r,&t1,&z11); +} + +void fe25519_pow2523(fe25519 *r, const fe25519 *x) +{ + fe25519 z2; + fe25519 z9; + fe25519 z11; + fe25519 z2_5_0; + fe25519 z2_10_0; + fe25519 z2_20_0; + fe25519 z2_50_0; + fe25519 z2_100_0; + fe25519 t; + int i; + + /* 2 */ fe25519_square(&z2,x); + /* 4 */ fe25519_square(&t,&z2); + /* 8 */ fe25519_square(&t,&t); + /* 9 */ 
fe25519_mul(&z9,&t,x); + /* 11 */ fe25519_mul(&z11,&z9,&z2); + /* 22 */ fe25519_square(&t,&z11); + /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9); + + /* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0); + /* 2^10 - 2^5 */ for (i = 1;i < 5;i++) { fe25519_square(&t,&t); } + /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0); + + /* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0); + /* 2^20 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); } + /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0); + + /* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0); + /* 2^40 - 2^20 */ for (i = 1;i < 20;i++) { fe25519_square(&t,&t); } + /* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0); + + /* 2^41 - 2^1 */ fe25519_square(&t,&t); + /* 2^50 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); } + /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0); + + /* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0); + /* 2^100 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); } + /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0); + + /* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0); + /* 2^200 - 2^100 */ for (i = 1;i < 100;i++) { fe25519_square(&t,&t); } + /* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0); + + /* 2^201 - 2^1 */ fe25519_square(&t,&t); + /* 2^250 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); } + /* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0); + + /* 2^251 - 2^1 */ fe25519_square(&t,&t); + /* 2^252 - 2^2 */ fe25519_square(&t,&t); + /* 2^252 - 3 */ fe25519_mul(r,&t,x); +} diff --git a/fe25519.h b/fe25519.h new file mode 100644 index 00000000..9d9a114b --- /dev/null +++ b/fe25519.h 
@@ -0,0 +1,66 @@
+/* $OpenBSD: fe25519.h,v 1.2 2013/12/07 00:26:37 djm Exp $ */
+
+/* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/fe25519.h */
+
+#ifndef FE25519_H
+#define FE25519_H
+
+#include "crypto_api.h"
+
+#define fe25519 crypto_sign_ed25519_ref_fe25519
+#define fe25519_freeze crypto_sign_ed25519_ref_fe25519_freeze
+#define fe25519_unpack crypto_sign_ed25519_ref_fe25519_unpack
+#define fe25519_pack crypto_sign_ed25519_ref_fe25519_pack
+#define fe25519_iszero crypto_sign_ed25519_ref_fe25519_iszero
+#define fe25519_iseq_vartime crypto_sign_ed25519_ref_fe25519_iseq_vartime
+#define fe25519_cmov crypto_sign_ed25519_ref_fe25519_cmov
+#define fe25519_setone crypto_sign_ed25519_ref_fe25519_setone
+#define fe25519_setzero crypto_sign_ed25519_ref_fe25519_setzero
+#define fe25519_neg crypto_sign_ed25519_ref_fe25519_neg
+#define fe25519_getparity crypto_sign_ed25519_ref_fe25519_getparity
+#define fe25519_add crypto_sign_ed25519_ref_fe25519_add
+#define fe25519_sub crypto_sign_ed25519_ref_fe25519_sub
+#define fe25519_mul crypto_sign_ed25519_ref_fe25519_mul
+#define fe25519_square crypto_sign_ed25519_ref_fe25519_square
+#define fe25519_invert crypto_sign_ed25519_ref_fe25519_invert
+#define fe25519_pow2523 crypto_sign_ed25519_ref_fe25519_pow2523
+
+typedef struct
+{
+ crypto_uint32 v[32];
+}
+fe25519;
+
+void fe25519_freeze(fe25519 *r);
+
+void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
+
+void fe25519_pack(unsigned char r[32], const fe25519 *x);
+
+int fe25519_iszero(const fe25519 *x);
+
+int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y);
+
+void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b);
+
+void fe25519_setone(fe25519 *r);
+
+void fe25519_setzero(fe25519 *r);
+
+void fe25519_neg(fe25519 *r, const fe25519 *x);
+
+unsigned char fe25519_getparity(const fe25519 *x);
+
+void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y);
+
+void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y);
+
+void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y);
+
+void fe25519_square(fe25519 *r, const fe25519 *x);
+
+void fe25519_invert(fe25519 *r, const fe25519 *x);
+
+void fe25519_pow2523(fe25519 *r, const fe25519 *x);
+
+#endif
diff --git a/ge25519.c b/ge25519.c
new file mode 100644
index 00000000..204eebf4
--- /dev/null
+++ b/ge25519.c
@@ -0,0 +1,315 @@
+/* $OpenBSD: ge25519.c,v 1.2 2013/12/07 00:26:37 djm Exp $ */
+
+/* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c */
+
+#include "fe25519.h"
+#include "sc25519.h"
+#include "ge25519.h"
+
+/*
+ * Arithmetic on the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2
+ * with d = -(121665/121666) = 37095705934669439343138083508754565189542113879843219016388785533085940283555
+ * Base point: (15112221349535400772501151409588531511454012693041857206046113283949847762202,46316835694926478169428394003475163141307993866256225615783033603165251855960);
+ */
+
+/* d */
+static const fe25519 ge25519_ecd = {{0xA3, 0x78, 0x59, 0x13, 0xCA, 0x4D, 0xEB, 0x75, 0xAB, 0xD8, 0x41, 0x41, 0x4D, 0x0A, 0x70, 0x00,
+ 0x98, 0xE8, 0x79, 0x77, 0x79, 0x40, 0xC7, 0x8C, 0x73, 0xFE, 0x6F, 0x2B, 0xEE, 0x6C, 0x03, 0x52}};
+/* 2*d */
+static const fe25519 ge25519_ec2d = {{0x59, 0xF1, 0xB2, 0x26, 0x94, 0x9B, 0xD6, 0xEB, 0x56, 0xB1, 0x83, 0x82, 0x9A, 0x14, 0xE0, 0x00,
+ 0x30, 0xD1, 0xF3, 0xEE, 0xF2, 0x80, 0x8E, 0x19, 0xE7, 0xFC, 0xDF, 0x56, 0xDC, 0xD9, 0x06, 0x24}};
+/* sqrt(-1) */
+static const fe25519 ge25519_sqrtm1 = {{0xB0, 0xA0, 0x0E, 0x4A, 0x27, 0x1B, 0xEE, 0xC4, 0x78, 0xE4, 0x2F, 0xAD, 0x06, 0x18, 0x43, 0x2F,
+ 0xA7, 0xD7, 0xFB, 0x3D, 0x99, 0x00, 0x4D, 0x2B, 0x0B, 0xDF, 0xC1, 0x4F, 0x80, 0x24, 0x83, 0x2B}};
+
+#define ge25519_p3 ge25519
+
+typedef struct
+{
+ fe25519 x;
+ fe25519 z;
+ fe25519 y;
+ fe25519 t;
+} ge25519_p1p1;
+
+typedef struct
+{
+ fe25519 x;
+ fe25519 y;
+ fe25519 z;
+} ge25519_p2;
+
+typedef struct
+{
+ fe25519 x;
+ fe25519 y;
+} ge25519_aff;
+
+
+/* Packed coordinates of the base point */
+const ge25519 ge25519_base = {{{0x1A, 0xD5, 0x25, 0x8F, 0x60, 0x2D, 0x56, 0xC9, 0xB2, 0xA7, 0x25, 0x95, 0x60, 0xC7, 0x2C, 0x69,
+ 0x5C, 0xDC, 0xD6, 0xFD, 0x31, 0xE2, 0xA4, 0xC0, 0xFE, 0x53, 0x6E, 0xCD, 0xD3, 0x36, 0x69, 0x21}},
+ {{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}},
+ {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
+ {{0xA3, 0xDD, 0xB7, 0xA5, 0xB3, 0x8A, 0xDE, 0x6D, 0xF5, 0x52, 0x51, 0x77, 0x80, 0x9F, 0xF0, 0x20,
+ 0x7D, 0xE3, 0xAB, 0x64, 0x8E, 0x4E, 0xEA, 0x66, 0x65, 0x76, 0x8B, 0xD7, 0x0F, 0x5F, 0x87, 0x67}}};
+
+/* Multiples of the base point in affine representation */
+static const ge25519_aff ge25519_base_multiples_affine[425] = {
+#include "ge25519_base.data"
+};
+
+static void p1p1_to_p2(ge25519_p2 *r, const ge25519_p1p1 *p)
+{
+ fe25519_mul(&r->x, &p->x, &p->t);
+ fe25519_mul(&r->y, &p->y, &p->z);
+ fe25519_mul(&r->z, &p->z, &p->t);
+}
+
+static void p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p)
+{
+ p1p1_to_p2((ge25519_p2 *)r, p);
+ fe25519_mul(&r->t, &p->x, &p->y);
+}
+
+static void ge25519_mixadd2(ge25519_p3 *r, const ge25519_aff *q)
+{
+ fe25519 a,b,t1,t2,c,d,e,f,g,h,qt;
+ fe25519_mul(&qt, &q->x, &q->y);
+ fe25519_sub(&a, &r->y, &r->x); /* A = (Y1-X1)*(Y2-X2) */
+ fe25519_add(&b, &r->y, &r->x); /* B = (Y1+X1)*(Y2+X2) */
+ fe25519_sub(&t1, &q->y, &q->x);
+ fe25519_add(&t2, &q->y, &q->x);
+ fe25519_mul(&a, &a, &t1);
+ fe25519_mul(&b, &b, &t2);
+ fe25519_sub(&e, &b, &a); /* E = B-A */
+ fe25519_add(&h, &b, &a); /* H = B+A */
+ fe25519_mul(&c, &r->t, &qt); /* C = T1*k*T2 */
+ fe25519_mul(&c, &c, &ge25519_ec2d);
+ fe25519_add(&d, &r->z, &r->z); /* D = Z1*2 */
+ fe25519_sub(&f, &d, &c); /* F = D-C */
+ fe25519_add(&g, &d, &c); /* G = D+C */
+ fe25519_mul(&r->x, &e, &f);
+ fe25519_mul(&r->y, &h, &g);
+ fe25519_mul(&r->z, &g, &f);
+ fe25519_mul(&r->t, &e, &h);
+}
+
+static void add_p1p1(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_p3 *q)
+{
+ fe25519 a, b, c, d, t;
+
+ fe25519_sub(&a, &p->y, &p->x); /* A = (Y1-X1)*(Y2-X2) */
+ fe25519_sub(&t, &q->y, &q->x);
+ fe25519_mul(&a, &a, &t);
+ fe25519_add(&b, &p->x, &p->y); /* B = (Y1+X1)*(Y2+X2) */
+ fe25519_add(&t, &q->x, &q->y);
+ fe25519_mul(&b, &b, &t);
+ fe25519_mul(&c, &p->t, &q->t); /* C = T1*k*T2 */
+ fe25519_mul(&c, &c, &ge25519_ec2d);
+ fe25519_mul(&d, &p->z, &q->z); /* D = Z1*2*Z2 */
+ fe25519_add(&d, &d, &d);
+ fe25519_sub(&r->x, &b, &a); /* E = B-A */
+ fe25519_sub(&r->t, &d, &c); /* F = D-C */
+ fe25519_add(&r->z, &d, &c); /* G = D+C */
+ fe25519_add(&r->y, &b, &a); /* H = B+A */
+}
+
+/* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */
+static void dbl_p1p1(ge25519_p1p1 *r, const ge25519_p2 *p)
+{
+ fe25519 a,b,c,d;
+ fe25519_square(&a, &p->x);
+ fe25519_square(&b, &p->y);
+ fe25519_square(&c, &p->z);
+ fe25519_add(&c, &c, &c);
+ fe25519_neg(&d, &a);
+
+ fe25519_add(&r->x, &p->x, &p->y);
+ fe25519_square(&r->x, &r->x);
+ fe25519_sub(&r->x, &r->x, &a);
+ fe25519_sub(&r->x, &r->x, &b);
+ fe25519_add(&r->z, &d, &b);
+ fe25519_sub(&r->t, &r->z, &c);
+ fe25519_sub(&r->y, &d, &b);
+}
+
+/* Constant-time version of: if(b) r = p */
+static void cmov_aff(ge25519_aff *r, const ge25519_aff *p, unsigned char b)
+{
+ fe25519_cmov(&r->x, &p->x, b);
+ fe25519_cmov(&r->y, &p->y, b);
+}
+
+static unsigned char equal(signed char b,signed char c)
+{
+ unsigned char ub = b;
+ unsigned char uc = c;
+ unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
+ crypto_uint32 y = x; /* 0: yes; 1..255: no */
+ y -= 1; /* 4294967295: yes; 0..254: no */
+ y >>= 31; /* 1: yes; 0: no */
+ return y;
+}
+
+static unsigned char negative(signed char b)
+{
+ unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
+ x >>= 63; /* 1: yes; 0: no */
+ return x;
+}
+
+static void choose_t(ge25519_aff *t, unsigned long long pos, signed char b)
+{
+ /* constant time */
+ fe25519 v;
+ *t = ge25519_base_multiples_affine[5*pos+0];
+ cmov_aff(t, &ge25519_base_multiples_affine[5*pos+1],equal(b,1) | equal(b,-1));
+ cmov_aff(t, &ge25519_base_multiples_affine[5*pos+2],equal(b,2) | equal(b,-2));
+ cmov_aff(t, &ge25519_base_multiples_affine[5*pos+3],equal(b,3) | equal(b,-3));
+ cmov_aff(t, &ge25519_base_multiples_affine[5*pos+4],equal(b,-4));
+ fe25519_neg(&v, &t->x);
+ fe25519_cmov(&t->x, &v, negative(b));
+}
+
+static void setneutral(ge25519 *r)
+{
+ fe25519_setzero(&r->x);
+ fe25519_setone(&r->y);
+ fe25519_setone(&r->z);
+ fe25519_setzero(&r->t);
+}
+
+/* ********************************************************************
+ * EXPORTED FUNCTIONS
+ ******************************************************************** */
+
+/* return 0 on success, -1 otherwise */
+int ge25519_unpackneg_vartime(ge25519_p3 *r, const unsigned char p[32])
+{
+ unsigned char par;
+ fe25519 t, chk, num, den, den2, den4, den6;
+ fe25519_setone(&r->z);
+ par = p[31] >> 7;
+ fe25519_unpack(&r->y, p);
+ fe25519_square(&num, &r->y); /* x = y^2 */
+ fe25519_mul(&den, &num, &ge25519_ecd); /* den = dy^2 */
+ fe25519_sub(&num, &num, &r->z); /* x = y^2-1 */
+ fe25519_add(&den, &r->z, &den); /* den = dy^2+1 */
+
+ /* Computation of sqrt(num/den) */
+ /* 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) */
+ fe25519_square(&den2, &den);
+ fe25519_square(&den4, &den2);
+ fe25519_mul(&den6, &den4, &den2);
+ fe25519_mul(&t, &den6, &num);
+ fe25519_mul(&t, &t, &den);
+
+ fe25519_pow2523(&t, &t);
+ /* 2. computation of r->x = t * num * den^3 */
+ fe25519_mul(&t, &t, &num);
+ fe25519_mul(&t, &t, &den);
+ fe25519_mul(&t, &t, &den);
+ fe25519_mul(&r->x, &t, &den);
+
+ /* 3. Check whether sqrt computation gave correct result, multiply by sqrt(-1) if not: */
+ fe25519_square(&chk, &r->x);
+ fe25519_mul(&chk, &chk, &den);
+ if (!fe25519_iseq_vartime(&chk, &num))
+ fe25519_mul(&r->x, &r->x, &ge25519_sqrtm1);
+
+ /* 4. Now we have one of the two square roots, except if input was not a square */
+ fe25519_square(&chk, &r->x);
+ fe25519_mul(&chk, &chk, &den);
+ if (!fe25519_iseq_vartime(&chk, &num))
+ return -1;
+
+ /* 5. Choose the desired square root according to parity: */
+ if(fe25519_getparity(&r->x) != (1-par))
+ fe25519_neg(&r->x, &r->x);
+
+ fe25519_mul(&r->t, &r->x, &r->y);
+ return 0;
+}
+
+void ge25519_pack(unsigned char r[32], const ge25519_p3 *p)
+{
+ fe25519 tx, ty, zi;
+ fe25519_invert(&zi, &p->z);
+ fe25519_mul(&tx, &p->x, &zi);
+ fe25519_mul(&ty, &p->y, &zi);
+ fe25519_pack(r, &ty);
+ r[31] ^= fe25519_getparity(&tx) << 7;
+}
+
+int ge25519_isneutral_vartime(const ge25519_p3 *p)
+{
+ int ret = 1;
+ if(!fe25519_iszero(&p->x)) ret = 0;
+ if(!fe25519_iseq_vartime(&p->y, &p->z)) ret = 0;
+ return ret;
+}
+
+/* computes [s1]p1 + [s2]p2 */
+void ge25519_double_scalarmult_vartime(ge25519_p3 *r, const ge25519_p3 *p1, const sc25519 *s1, const ge25519_p3 *p2, const sc25519 *s2)
+{
+ ge25519_p1p1 tp1p1;
+ ge25519_p3 pre[16];
+ unsigned char b[127];
+ int i;
+
+ /* precomputation s2 s1 */
+ setneutral(pre); /* 00 00 */
+ pre[1] = *p1; /* 00 01 */
+ dbl_p1p1(&tp1p1,(ge25519_p2 *)p1); p1p1_to_p3( &pre[2], &tp1p1); /* 00 10 */
+ add_p1p1(&tp1p1,&pre[1], &pre[2]); p1p1_to_p3( &pre[3], &tp1p1); /* 00 11 */
+ pre[4] = *p2; /* 01 00 */
+ add_p1p1(&tp1p1,&pre[1], &pre[4]); p1p1_to_p3( &pre[5], &tp1p1); /* 01 01 */
+ add_p1p1(&tp1p1,&pre[2], &pre[4]); p1p1_to_p3( &pre[6], &tp1p1); /* 01 10 */
+ add_p1p1(&tp1p1,&pre[3], &pre[4]); p1p1_to_p3( &pre[7], &tp1p1); /* 01 11 */
+ dbl_p1p1(&tp1p1,(ge25519_p2 *)p2); p1p1_to_p3( &pre[8], &tp1p1); /* 10 00 */
+ add_p1p1(&tp1p1,&pre[1], &pre[8]); p1p1_to_p3( &pre[9], &tp1p1); /* 10 01 */
+ dbl_p1p1(&tp1p1,(ge25519_p2 *)&pre[5]); p1p1_to_p3(&pre[10], &tp1p1); /* 10 10 */
+ add_p1p1(&tp1p1,&pre[3], &pre[8]); p1p1_to_p3(&pre[11], &tp1p1); /* 10 11 */
+ add_p1p1(&tp1p1,&pre[4], &pre[8]); p1p1_to_p3(&pre[12], &tp1p1); /* 11 00 */
+ add_p1p1(&tp1p1,&pre[1],&pre[12]); p1p1_to_p3(&pre[13], &tp1p1); /* 11 01 */
+ add_p1p1(&tp1p1,&pre[2],&pre[12]); p1p1_to_p3(&pre[14], &tp1p1); /* 11 10 */
+ add_p1p1(&tp1p1,&pre[3],&pre[12]); p1p1_to_p3(&pre[15], &tp1p1); /* 11 11 */
+
+ sc25519_2interleave2(b,s1,s2);
+
+ /* scalar multiplication */
+ *r = pre[b[126]];
+ for(i=125;i>=0;i--)
+ {
+ dbl_p1p1(&tp1p1, (ge25519_p2 *)r);
+ p1p1_to_p2((ge25519_p2 *) r, &tp1p1);
+ dbl_p1p1(&tp1p1, (ge25519_p2 *)r);
+ if(b[i]!=0)
+ {
+ p1p1_to_p3(r, &tp1p1);
+ add_p1p1(&tp1p1, r, &pre[b[i]]);
+ }
+ if(i != 0) p1p1_to_p2((ge25519_p2 *)r, &tp1p1);
+ else p1p1_to_p3(r, &tp1p1);
+ }
+}
+
+void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s)
+{
+ signed char b[85];
+ int i;
+ ge25519_aff t;
+ sc25519_window3(b,s);
+
+ choose_t((ge25519_aff *)r, 0, b[0]);
+ fe25519_setone(&r->z);
+ fe25519_mul(&r->t, &r->x, &r->y);
+ for(i=1;i<85;i++)
+ {
+ choose_t(&t, (unsigned long long) i, b[i]);
+ ge25519_mixadd2(r, &t);
+ }
+}
diff --git a/ge25519.h b/ge25519.h
new file mode 100644
index 00000000..505bc2c8
--- /dev/null
+++ b/ge25519.h
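Review bot: p1p1_to_p3, both scalar-multiplication loops and ge25519_scalarmult_base cast a `ge25519_p3 *` to `ge25519_p2 *` or `ge25519_aff *`, so correctness rests on ge25519_p2 and ge25519_aff staying layout prefixes (x, y[, z] in that order) of the ge25519 typedef that lives in ge25519.h, and nothing in either file records that coupling. I would add to the ge25519_p2 typedef `/* Must remain a layout prefix of ge25519 (x, y, z in this order): p1p1_to_p3 and the scalar multiplications cast ge25519 pointers to this type. */` and a matching line on ge25519_aff. The casts `(ge25519_p2 *)p1` and `(ge25519_p2 *)p2` in ge25519_double_scalarmult_vartime also discard `const` from read-only parameters although dbl_p1p1 only reads through its argument; `(const ge25519_p2 *)p1` keeps the qualifier and is what `-Wcast-qual` expects.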
@@ -0,0 +1,39 @@
+/* $OpenBSD: ge25519.h,v 1.2 2013/12/07 00:26:37 djm Exp $ */
+
+/* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/ge25519.h */
+
+#ifndef GE25519_H
+#define GE25519_H
+
+#include "fe25519.h"
+#include "sc25519.h"
+
+#define ge25519 crypto_sign_ed25519_ref_ge25519
+#define ge25519_base crypto_sign_ed25519_ref_ge25519_base
+#define ge25519_unpackneg_vartime crypto_sign_ed25519_ref_unpackneg_vartime
+#define ge25519_pack crypto_sign_ed25519_ref_pack
+#define ge25519_isneutral_vartime crypto_sign_ed25519_ref_isneutral_vartime
+#define ge25519_double_scalarmult_vartime crypto_sign_ed25519_ref_double_scalarmult_vartime
+#define ge25519_scalarmult_base crypto_sign_ed25519_ref_scalarmult_base
+
+typedef struct
+{
+ fe25519 x;
+ fe25519 y;
+ fe25519 z;
+ fe25519 t;
+} ge25519;
+
+const ge25519 ge25519_base;
+
+int ge25519_unpackneg_vartime(ge25519 *r, const unsigned char p[32]);
+
+void ge25519_pack(unsigned char r[32], const ge25519 *p);
+
+int ge25519_isneutral_vartime(const ge25519 *p);
+
+void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const sc25519 *s1, const ge25519 *p2, const sc25519 *s2);
+
+void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
+
+#endif
diff --git a/ge25519_base.data b/ge25519_base.data
new file mode 100644
index 00000000..d05e0bd0
--- /dev/null
+++ b/ge25519_base.data
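Review bot: `const ge25519 ge25519_base;` is declared without `extern`, so every translation unit that includes this header carries its own tentative definition of the object that ge25519.c defines with an initializer. Whether that links cleanly depends on the toolchain merging common symbols; with `-fno-common` it is a duplicate-definition error. The declaration should read `extern const ge25519 ge25519_base;`, which also makes it consistent with the function prototypes that follow it.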
@@ -0,0 +1,854 @@ +/* $OpenBSD: ge25519_base.data,v 1.2 2013/12/07 00:26:37 djm Exp $ */ + +/* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/ge25519_base.data */ + +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21}} , + {{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}}}, +{{{0x0e, 0xce, 0x43, 0x28, 0x4e, 0xa1, 0xc5, 0x83, 0x5f, 0xa4, 0xd7, 0x15, 0x45, 0x8e, 0x0d, 0x08, 0xac, 0xe7, 0x33, 0x18, 0x7d, 0x3b, 0x04, 0x3d, 0x6c, 0x04, 0x5a, 0x9f, 0x4c, 0x38, 0xab, 0x36}} , + {{0xc9, 0xa3, 0xf8, 0x6a, 0xae, 0x46, 0x5f, 0x0e, 0x56, 0x51, 0x38, 0x64, 0x51, 0x0f, 0x39, 0x97, 0x56, 0x1f, 0xa2, 0xc9, 0xe8, 0x5e, 0xa2, 0x1d, 0xc2, 0x29, 0x23, 0x09, 0xf3, 0xcd, 0x60, 0x22}}}, +{{{0x5c, 0xe2, 0xf8, 0xd3, 0x5f, 0x48, 0x62, 0xac, 0x86, 0x48, 0x62, 0x81, 0x19, 0x98, 0x43, 0x63, 0x3a, 0xc8, 0xda, 0x3e, 0x74, 0xae, 0xf4, 0x1f, 0x49, 0x8f, 0x92, 0x22, 0x4a, 0x9c, 0xae, 0x67}} , + {{0xd4, 0xb4, 0xf5, 0x78, 0x48, 0x68, 0xc3, 0x02, 0x04, 0x03, 0x24, 0x67, 0x17, 0xec, 0x16, 0x9f, 0xf7, 0x9e, 0x26, 0x60, 0x8e, 0xa1, 0x26, 0xa1, 0xab, 0x69, 0xee, 0x77, 0xd1, 0xb1, 0x67, 0x12}}}, +{{{0x70, 0xf8, 0xc9, 0xc4, 0x57, 0xa6, 0x3a, 0x49, 0x47, 0x15, 0xce, 0x93, 0xc1, 0x9e, 0x73, 0x1a, 0xf9, 0x20, 0x35, 0x7a, 0xb8, 0xd4, 0x25, 0x83, 0x46, 0xf1, 0xcf, 0x56, 0xdb, 0xa8, 0x3d, 0x20}} , + {{0x2f, 0x11, 0x32, 0xca, 
0x61, 0xab, 0x38, 0xdf, 0xf0, 0x0f, 0x2f, 0xea, 0x32, 0x28, 0xf2, 0x4c, 0x6c, 0x71, 0xd5, 0x80, 0x85, 0xb8, 0x0e, 0x47, 0xe1, 0x95, 0x15, 0xcb, 0x27, 0xe8, 0xd0, 0x47}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xc8, 0x84, 0xa5, 0x08, 0xbc, 0xfd, 0x87, 0x3b, 0x99, 0x8b, 0x69, 0x80, 0x7b, 0xc6, 0x3a, 0xeb, 0x93, 0xcf, 0x4e, 0xf8, 0x5c, 0x2d, 0x86, 0x42, 0xb6, 0x71, 0xd7, 0x97, 0x5f, 0xe1, 0x42, 0x67}} , + {{0xb4, 0xb9, 0x37, 0xfc, 0xa9, 0x5b, 0x2f, 0x1e, 0x93, 0xe4, 0x1e, 0x62, 0xfc, 0x3c, 0x78, 0x81, 0x8f, 0xf3, 0x8a, 0x66, 0x09, 0x6f, 0xad, 0x6e, 0x79, 0x73, 0xe5, 0xc9, 0x00, 0x06, 0xd3, 0x21}}}, +{{{0xf8, 0xf9, 0x28, 0x6c, 0x6d, 0x59, 0xb2, 0x59, 0x74, 0x23, 0xbf, 0xe7, 0x33, 0x8d, 0x57, 0x09, 0x91, 0x9c, 0x24, 0x08, 0x15, 0x2b, 0xe2, 0xb8, 0xee, 0x3a, 0xe5, 0x27, 0x06, 0x86, 0xa4, 0x23}} , + {{0xeb, 0x27, 0x67, 0xc1, 0x37, 0xab, 0x7a, 0xd8, 0x27, 0x9c, 0x07, 0x8e, 0xff, 0x11, 0x6a, 0xb0, 0x78, 0x6e, 0xad, 0x3a, 0x2e, 0x0f, 0x98, 0x9f, 0x72, 0xc3, 0x7f, 0x82, 0xf2, 0x96, 0x96, 0x70}}}, +{{{0x81, 0x6b, 0x88, 0xe8, 0x1e, 0xc7, 0x77, 0x96, 0x0e, 0xa1, 0xa9, 0x52, 0xe0, 0xd8, 0x0e, 0x61, 0x9e, 0x79, 0x2d, 0x95, 0x9c, 0x8d, 0x96, 0xe0, 0x06, 0x40, 0x5d, 0x87, 0x28, 0x5f, 0x98, 0x70}} , + {{0xf1, 0x79, 0x7b, 0xed, 0x4f, 0x44, 0xb2, 0xe7, 0x08, 0x0d, 0xc2, 0x08, 0x12, 0xd2, 0x9f, 0xdf, 0xcd, 0x93, 0x20, 0x8a, 0xcf, 0x33, 0xca, 0x6d, 0x89, 0xb9, 0x77, 0xc8, 0x93, 0x1b, 0x4e, 0x60}}}, +{{{0x26, 0x4f, 0x7e, 0x97, 0xf6, 0x40, 0xdd, 0x4f, 0xfc, 0x52, 0x78, 0xf9, 0x90, 0x31, 0x03, 0xe6, 0x7d, 0x56, 0x39, 0x0b, 0x1d, 0x56, 0x82, 0x85, 0xf9, 0x1a, 0x42, 0x17, 0x69, 0x6c, 0xcf, 0x39}} , + {{0x69, 0xd2, 0x06, 0x3a, 0x4f, 
0x39, 0x2d, 0xf9, 0x38, 0x40, 0x8c, 0x4c, 0xe7, 0x05, 0x12, 0xb4, 0x78, 0x8b, 0xf8, 0xc0, 0xec, 0x93, 0xde, 0x7a, 0x6b, 0xce, 0x2c, 0xe1, 0x0e, 0xa9, 0x34, 0x44}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x0b, 0xa4, 0x3c, 0xb0, 0x0f, 0x7a, 0x51, 0xf1, 0x78, 0xd6, 0xd9, 0x6a, 0xfd, 0x46, 0xe8, 0xb8, 0xa8, 0x79, 0x1d, 0x87, 0xf9, 0x90, 0xf2, 0x9c, 0x13, 0x29, 0xf8, 0x0b, 0x20, 0x64, 0xfa, 0x05}} , + {{0x26, 0x09, 0xda, 0x17, 0xaf, 0x95, 0xd6, 0xfb, 0x6a, 0x19, 0x0d, 0x6e, 0x5e, 0x12, 0xf1, 0x99, 0x4c, 0xaa, 0xa8, 0x6f, 0x79, 0x86, 0xf4, 0x72, 0x28, 0x00, 0x26, 0xf9, 0xea, 0x9e, 0x19, 0x3d}}}, +{{{0x87, 0xdd, 0xcf, 0xf0, 0x5b, 0x49, 0xa2, 0x5d, 0x40, 0x7a, 0x23, 0x26, 0xa4, 0x7a, 0x83, 0x8a, 0xb7, 0x8b, 0xd2, 0x1a, 0xbf, 0xea, 0x02, 0x24, 0x08, 0x5f, 0x7b, 0xa9, 0xb1, 0xbe, 0x9d, 0x37}} , + {{0xfc, 0x86, 0x4b, 0x08, 0xee, 0xe7, 0xa0, 0xfd, 0x21, 0x45, 0x09, 0x34, 0xc1, 0x61, 0x32, 0x23, 0xfc, 0x9b, 0x55, 0x48, 0x53, 0x99, 0xf7, 0x63, 0xd0, 0x99, 0xce, 0x01, 0xe0, 0x9f, 0xeb, 0x28}}}, +{{{0x47, 0xfc, 0xab, 0x5a, 0x17, 0xf0, 0x85, 0x56, 0x3a, 0x30, 0x86, 0x20, 0x28, 0x4b, 0x8e, 0x44, 0x74, 0x3a, 0x6e, 0x02, 0xf1, 0x32, 0x8f, 0x9f, 0x3f, 0x08, 0x35, 0xe9, 0xca, 0x16, 0x5f, 0x6e}} , + {{0x1c, 0x59, 0x1c, 0x65, 0x5d, 0x34, 0xa4, 0x09, 0xcd, 0x13, 0x9c, 0x70, 0x7d, 0xb1, 0x2a, 0xc5, 0x88, 0xaf, 0x0b, 0x60, 0xc7, 0x9f, 0x34, 0x8d, 0xd6, 0xb7, 0x7f, 0xea, 0x78, 0x65, 0x8d, 0x77}}}, +{{{0x56, 0xa5, 0xc2, 0x0c, 0xdd, 0xbc, 0xb8, 0x20, 0x6d, 0x57, 0x61, 0xb5, 0xfb, 0x78, 0xb5, 0xd4, 0x49, 0x54, 0x90, 0x26, 0xc1, 0xcb, 0xe9, 0xe6, 0xbf, 0xec, 0x1d, 0x4e, 0xed, 0x07, 0x7e, 0x5e}} , + {{0xc7, 0xf6, 0x6c, 0x56, 0x31, 0x20, 
0x14, 0x0e, 0xa8, 0xd9, 0x27, 0xc1, 0x9a, 0x3d, 0x1b, 0x7d, 0x0e, 0x26, 0xd3, 0x81, 0xaa, 0xeb, 0xf5, 0x6b, 0x79, 0x02, 0xf1, 0x51, 0x5c, 0x75, 0x55, 0x0f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x0a, 0x34, 0xcd, 0x82, 0x3c, 0x33, 0x09, 0x54, 0xd2, 0x61, 0x39, 0x30, 0x9b, 0xfd, 0xef, 0x21, 0x26, 0xd4, 0x70, 0xfa, 0xee, 0xf9, 0x31, 0x33, 0x73, 0x84, 0xd0, 0xb3, 0x81, 0xbf, 0xec, 0x2e}} , + {{0xe8, 0x93, 0x8b, 0x00, 0x64, 0xf7, 0x9c, 0xb8, 0x74, 0xe0, 0xe6, 0x49, 0x48, 0x4d, 0x4d, 0x48, 0xb6, 0x19, 0xa1, 0x40, 0xb7, 0xd9, 0x32, 0x41, 0x7c, 0x82, 0x37, 0xa1, 0x2d, 0xdc, 0xd2, 0x54}}}, +{{{0x68, 0x2b, 0x4a, 0x5b, 0xd5, 0xc7, 0x51, 0x91, 0x1d, 0xe1, 0x2a, 0x4b, 0xc4, 0x47, 0xf1, 0xbc, 0x7a, 0xb3, 0xcb, 0xc8, 0xb6, 0x7c, 0xac, 0x90, 0x05, 0xfd, 0xf3, 0xf9, 0x52, 0x3a, 0x11, 0x6b}} , + {{0x3d, 0xc1, 0x27, 0xf3, 0x59, 0x43, 0x95, 0x90, 0xc5, 0x96, 0x79, 0xf5, 0xf4, 0x95, 0x65, 0x29, 0x06, 0x9c, 0x51, 0x05, 0x18, 0xda, 0xb8, 0x2e, 0x79, 0x7e, 0x69, 0x59, 0x71, 0x01, 0xeb, 0x1a}}}, +{{{0x15, 0x06, 0x49, 0xb6, 0x8a, 0x3c, 0xea, 0x2f, 0x34, 0x20, 0x14, 0xc3, 0xaa, 0xd6, 0xaf, 0x2c, 0x3e, 0xbd, 0x65, 0x20, 0xe2, 0x4d, 0x4b, 0x3b, 0xeb, 0x9f, 0x4a, 0xc3, 0xad, 0xa4, 0x3b, 0x60}} , + {{0xbc, 0x58, 0xe6, 0xc0, 0x95, 0x2a, 0x2a, 0x81, 0x9a, 0x7a, 0xf3, 0xd2, 0x06, 0xbe, 0x48, 0xbc, 0x0c, 0xc5, 0x46, 0xe0, 0x6a, 0xd4, 0xac, 0x0f, 0xd9, 0xcc, 0x82, 0x34, 0x2c, 0xaf, 0xdb, 0x1f}}}, +{{{0xf7, 0x17, 0x13, 0xbd, 0xfb, 0xbc, 0xd2, 0xec, 0x45, 0xb3, 0x15, 0x31, 0xe9, 0xaf, 0x82, 0x84, 0x3d, 0x28, 0xc6, 0xfc, 0x11, 0xf5, 0x41, 0xb5, 0x8b, 0xd3, 0x12, 0x76, 0x52, 0xe7, 0x1a, 0x3c}} , + {{0x4e, 0x36, 0x11, 0x07, 0xa2, 0x15, 0x20, 
0x51, 0xc4, 0x2a, 0xc3, 0x62, 0x8b, 0x5e, 0x7f, 0xa6, 0x0f, 0xf9, 0x45, 0x85, 0x6c, 0x11, 0x86, 0xb7, 0x7e, 0xe5, 0xd7, 0xf9, 0xc3, 0x91, 0x1c, 0x05}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xea, 0xd6, 0xde, 0x29, 0x3a, 0x00, 0xb9, 0x02, 0x59, 0xcb, 0x26, 0xc4, 0xba, 0x99, 0xb1, 0x97, 0x2f, 0x8e, 0x00, 0x92, 0x26, 0x4f, 0x52, 0xeb, 0x47, 0x1b, 0x89, 0x8b, 0x24, 0xc0, 0x13, 0x7d}} , + {{0xd5, 0x20, 0x5b, 0x80, 0xa6, 0x80, 0x20, 0x95, 0xc3, 0xe9, 0x9f, 0x8e, 0x87, 0x9e, 0x1e, 0x9e, 0x7a, 0xc7, 0xcc, 0x75, 0x6c, 0xa5, 0xf1, 0x91, 0x1a, 0xa8, 0x01, 0x2c, 0xab, 0x76, 0xa9, 0x59}}}, +{{{0xde, 0xc9, 0xb1, 0x31, 0x10, 0x16, 0xaa, 0x35, 0x14, 0x6a, 0xd4, 0xb5, 0x34, 0x82, 0x71, 0xd2, 0x4a, 0x5d, 0x9a, 0x1f, 0x53, 0x26, 0x3c, 0xe5, 0x8e, 0x8d, 0x33, 0x7f, 0xff, 0xa9, 0xd5, 0x17}} , + {{0x89, 0xaf, 0xf6, 0xa4, 0x64, 0xd5, 0x10, 0xe0, 0x1d, 0xad, 0xef, 0x44, 0xbd, 0xda, 0x83, 0xac, 0x7a, 0xa8, 0xf0, 0x1c, 0x07, 0xf9, 0xc3, 0x43, 0x6c, 0x3f, 0xb7, 0xd3, 0x87, 0x22, 0x02, 0x73}}}, +{{{0x64, 0x1d, 0x49, 0x13, 0x2f, 0x71, 0xec, 0x69, 0x87, 0xd0, 0x42, 0xee, 0x13, 0xec, 0xe3, 0xed, 0x56, 0x7b, 0xbf, 0xbd, 0x8c, 0x2f, 0x7d, 0x7b, 0x9d, 0x28, 0xec, 0x8e, 0x76, 0x2f, 0x6f, 0x08}} , + {{0x22, 0xf5, 0x5f, 0x4d, 0x15, 0xef, 0xfc, 0x4e, 0x57, 0x03, 0x36, 0x89, 0xf0, 0xeb, 0x5b, 0x91, 0xd6, 0xe2, 0xca, 0x01, 0xa5, 0xee, 0x52, 0xec, 0xa0, 0x3c, 0x8f, 0x33, 0x90, 0x5a, 0x94, 0x72}}}, +{{{0x8a, 0x4b, 0xe7, 0x38, 0xbc, 0xda, 0xc2, 0xb0, 0x85, 0xe1, 0x4a, 0xfe, 0x2d, 0x44, 0x84, 0xcb, 0x20, 0x6b, 0x2d, 0xbf, 0x11, 0x9c, 0xd7, 0xbe, 0xd3, 0x3e, 0x5f, 0xbf, 0x68, 0xbc, 0xa8, 0x07}} , + {{0x01, 0x89, 0x28, 0x22, 0x6a, 0x78, 0xaa, 0x29, 
0x03, 0xc8, 0x74, 0x95, 0x03, 0x3e, 0xdc, 0xbd, 0x07, 0x13, 0xa8, 0xa2, 0x20, 0x2d, 0xb3, 0x18, 0x70, 0x42, 0xfd, 0x7a, 0xc4, 0xd7, 0x49, 0x72}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x02, 0xff, 0x32, 0x2b, 0x5c, 0x93, 0x54, 0x32, 0xe8, 0x57, 0x54, 0x1a, 0x8b, 0x33, 0x60, 0x65, 0xd3, 0x67, 0xa4, 0xc1, 0x26, 0xc4, 0xa4, 0x34, 0x1f, 0x9b, 0xa7, 0xa9, 0xf4, 0xd9, 0x4f, 0x5b}} , + {{0x46, 0x8d, 0xb0, 0x33, 0x54, 0x26, 0x5b, 0x68, 0xdf, 0xbb, 0xc5, 0xec, 0xc2, 0xf9, 0x3c, 0x5a, 0x37, 0xc1, 0x8e, 0x27, 0x47, 0xaa, 0x49, 0x5a, 0xf8, 0xfb, 0x68, 0x04, 0x23, 0xd1, 0xeb, 0x40}}}, +{{{0x65, 0xa5, 0x11, 0x84, 0x8a, 0x67, 0x9d, 0x9e, 0xd1, 0x44, 0x68, 0x7a, 0x34, 0xe1, 0x9f, 0xa3, 0x54, 0xcd, 0x07, 0xca, 0x79, 0x1f, 0x54, 0x2f, 0x13, 0x70, 0x4e, 0xee, 0xa2, 0xfa, 0xe7, 0x5d}} , + {{0x36, 0xec, 0x54, 0xf8, 0xce, 0xe4, 0x85, 0xdf, 0xf6, 0x6f, 0x1d, 0x90, 0x08, 0xbc, 0xe8, 0xc0, 0x92, 0x2d, 0x43, 0x6b, 0x92, 0xa9, 0x8e, 0xab, 0x0a, 0x2e, 0x1c, 0x1e, 0x64, 0x23, 0x9f, 0x2c}}}, +{{{0xa7, 0xd6, 0x2e, 0xd5, 0xcc, 0xd4, 0xcb, 0x5a, 0x3b, 0xa7, 0xf9, 0x46, 0x03, 0x1d, 0xad, 0x2b, 0x34, 0x31, 0x90, 0x00, 0x46, 0x08, 0x82, 0x14, 0xc4, 0xe0, 0x9c, 0xf0, 0xe3, 0x55, 0x43, 0x31}} , + {{0x60, 0xd6, 0xdd, 0x78, 0xe6, 0xd4, 0x22, 0x42, 0x1f, 0x00, 0xf9, 0xb1, 0x6a, 0x63, 0xe2, 0x92, 0x59, 0xd1, 0x1a, 0xb7, 0x00, 0x54, 0x29, 0xc9, 0xc1, 0xf6, 0x6f, 0x7a, 0xc5, 0x3c, 0x5f, 0x65}}}, +{{{0x27, 0x4f, 0xd0, 0x72, 0xb1, 0x11, 0x14, 0x27, 0x15, 0x94, 0x48, 0x81, 0x7e, 0x74, 0xd8, 0x32, 0xd5, 0xd1, 0x11, 0x28, 0x60, 0x63, 0x36, 0x32, 0x37, 0xb5, 0x13, 0x1c, 0xa0, 0x37, 0xe3, 0x74}} , + {{0xf1, 0x25, 0x4e, 0x11, 0x96, 0x67, 0xe6, 0x1c, 0xc2, 
0xb2, 0x53, 0xe2, 0xda, 0x85, 0xee, 0xb2, 0x9f, 0x59, 0xf3, 0xba, 0xbd, 0xfa, 0xcf, 0x6e, 0xf9, 0xda, 0xa4, 0xb3, 0x02, 0x8f, 0x64, 0x08}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x34, 0x94, 0xf2, 0x64, 0x54, 0x47, 0x37, 0x07, 0x40, 0x8a, 0x20, 0xba, 0x4a, 0x55, 0xd7, 0x3f, 0x47, 0xba, 0x25, 0x23, 0x14, 0xb0, 0x2c, 0xe8, 0x55, 0xa8, 0xa6, 0xef, 0x51, 0xbd, 0x6f, 0x6a}} , + {{0x71, 0xd6, 0x16, 0x76, 0xb2, 0x06, 0xea, 0x79, 0xf5, 0xc4, 0xc3, 0x52, 0x7e, 0x61, 0xd1, 0xe1, 0xad, 0x70, 0x78, 0x1d, 0x16, 0x11, 0xf8, 0x7c, 0x2b, 0xfc, 0x55, 0x9f, 0x52, 0xf8, 0xf5, 0x16}}}, +{{{0x34, 0x96, 0x9a, 0xf6, 0xc5, 0xe0, 0x14, 0x03, 0x24, 0x0e, 0x4c, 0xad, 0x9e, 0x9a, 0x70, 0x23, 0x96, 0xb2, 0xf1, 0x2e, 0x9d, 0xc3, 0x32, 0x9b, 0x54, 0xa5, 0x73, 0xde, 0x88, 0xb1, 0x3e, 0x24}} , + {{0xf6, 0xe2, 0x4c, 0x1f, 0x5b, 0xb2, 0xaf, 0x82, 0xa5, 0xcf, 0x81, 0x10, 0x04, 0xef, 0xdb, 0xa2, 0xcc, 0x24, 0xb2, 0x7e, 0x0b, 0x7a, 0xeb, 0x01, 0xd8, 0x52, 0xf4, 0x51, 0x89, 0x29, 0x79, 0x37}}}, +{{{0x74, 0xde, 0x12, 0xf3, 0x68, 0xb7, 0x66, 0xc3, 0xee, 0x68, 0xdc, 0x81, 0xb5, 0x55, 0x99, 0xab, 0xd9, 0x28, 0x63, 0x6d, 0x8b, 0x40, 0x69, 0x75, 0x6c, 0xcd, 0x5c, 0x2a, 0x7e, 0x32, 0x7b, 0x29}} , + {{0x02, 0xcc, 0x22, 0x74, 0x4d, 0x19, 0x07, 0xc0, 0xda, 0xb5, 0x76, 0x51, 0x2a, 0xaa, 0xa6, 0x0a, 0x5f, 0x26, 0xd4, 0xbc, 0xaf, 0x48, 0x88, 0x7f, 0x02, 0xbc, 0xf2, 0xe1, 0xcf, 0xe9, 0xdd, 0x15}}}, +{{{0xed, 0xb5, 0x9a, 0x8c, 0x9a, 0xdd, 0x27, 0xf4, 0x7f, 0x47, 0xd9, 0x52, 0xa7, 0xcd, 0x65, 0xa5, 0x31, 0x22, 0xed, 0xa6, 0x63, 0x5b, 0x80, 0x4a, 0xad, 0x4d, 0xed, 0xbf, 0xee, 0x49, 0xb3, 0x06}} , + {{0xf8, 0x64, 0x8b, 0x60, 0x90, 0xe9, 0xde, 0x44, 0x77, 0xb9, 
0x07, 0x36, 0x32, 0xc2, 0x50, 0xf5, 0x65, 0xdf, 0x48, 0x4c, 0x37, 0xaa, 0x68, 0xab, 0x9a, 0x1f, 0x3e, 0xff, 0x89, 0x92, 0xa0, 0x07}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x7d, 0x4f, 0x9c, 0x19, 0xc0, 0x4a, 0x31, 0xec, 0xf9, 0xaa, 0xeb, 0xb2, 0x16, 0x9c, 0xa3, 0x66, 0x5f, 0xd1, 0xd4, 0xed, 0xb8, 0x92, 0x1c, 0xab, 0xda, 0xea, 0xd9, 0x57, 0xdf, 0x4c, 0x2a, 0x48}} , + {{0x4b, 0xb0, 0x4e, 0x6e, 0x11, 0x3b, 0x51, 0xbd, 0x6a, 0xfd, 0xe4, 0x25, 0xa5, 0x5f, 0x11, 0x3f, 0x98, 0x92, 0x51, 0x14, 0xc6, 0x5f, 0x3c, 0x0b, 0xa8, 0xf7, 0xc2, 0x81, 0x43, 0xde, 0x91, 0x73}}}, +{{{0x3c, 0x8f, 0x9f, 0x33, 0x2a, 0x1f, 0x43, 0x33, 0x8f, 0x68, 0xff, 0x1f, 0x3d, 0x73, 0x6b, 0xbf, 0x68, 0xcc, 0x7d, 0x13, 0x6c, 0x24, 0x4b, 0xcc, 0x4d, 0x24, 0x0d, 0xfe, 0xde, 0x86, 0xad, 0x3b}} , + {{0x79, 0x51, 0x81, 0x01, 0xdc, 0x73, 0x53, 0xe0, 0x6e, 0x9b, 0xea, 0x68, 0x3f, 0x5c, 0x14, 0x84, 0x53, 0x8d, 0x4b, 0xc0, 0x9f, 0x9f, 0x89, 0x2b, 0x8c, 0xba, 0x86, 0xfa, 0xf2, 0xcd, 0xe3, 0x2d}}}, +{{{0x06, 0xf9, 0x29, 0x5a, 0xdb, 0x3d, 0x84, 0x52, 0xab, 0xcc, 0x6b, 0x60, 0x9d, 0xb7, 0x4a, 0x0e, 0x36, 0x63, 0x91, 0xad, 0xa0, 0x95, 0xb0, 0x97, 0x89, 0x4e, 0xcf, 0x7d, 0x3c, 0xe5, 0x7c, 0x28}} , + {{0x2e, 0x69, 0x98, 0xfd, 0xc6, 0xbd, 0xcc, 0xca, 0xdf, 0x9a, 0x44, 0x7e, 0x9d, 0xca, 0x89, 0x6d, 0xbf, 0x27, 0xc2, 0xf8, 0xcd, 0x46, 0x00, 0x2b, 0xb5, 0x58, 0x4e, 0xb7, 0x89, 0x09, 0xe9, 0x2d}}}, +{{{0x54, 0xbe, 0x75, 0xcb, 0x05, 0xb0, 0x54, 0xb7, 0xe7, 0x26, 0x86, 0x4a, 0xfc, 0x19, 0xcf, 0x27, 0x46, 0xd4, 0x22, 0x96, 0x5a, 0x11, 0xe8, 0xd5, 0x1b, 0xed, 0x71, 0xc5, 0x5d, 0xc8, 0xaf, 0x45}} , + {{0x40, 0x7b, 0x77, 0x57, 0x49, 0x9e, 0x80, 0x39, 0x23, 0xee, 0x81, 
0x0b, 0x22, 0xcf, 0xdb, 0x7a, 0x2f, 0x14, 0xb8, 0x57, 0x8f, 0xa1, 0x39, 0x1e, 0x77, 0xfc, 0x0b, 0xa6, 0xbf, 0x8a, 0x0c, 0x6c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x77, 0x3a, 0xd4, 0xd8, 0x27, 0xcf, 0xe8, 0xa1, 0x72, 0x9d, 0xca, 0xdd, 0x0d, 0x96, 0xda, 0x79, 0xed, 0x56, 0x42, 0x15, 0x60, 0xc7, 0x1c, 0x6b, 0x26, 0x30, 0xf6, 0x6a, 0x95, 0x67, 0xf3, 0x0a}} , + {{0xc5, 0x08, 0xa4, 0x2b, 0x2f, 0xbd, 0x31, 0x81, 0x2a, 0xa6, 0xb6, 0xe4, 0x00, 0x91, 0xda, 0x3d, 0xb2, 0xb0, 0x96, 0xce, 0x8a, 0xd2, 0x8d, 0x70, 0xb3, 0xd3, 0x34, 0x01, 0x90, 0x8d, 0x10, 0x21}}}, +{{{0x33, 0x0d, 0xe7, 0xba, 0x4f, 0x07, 0xdf, 0x8d, 0xea, 0x7d, 0xa0, 0xc5, 0xd6, 0xb1, 0xb0, 0xe5, 0x57, 0x1b, 0x5b, 0xf5, 0x45, 0x13, 0x14, 0x64, 0x5a, 0xeb, 0x5c, 0xfc, 0x54, 0x01, 0x76, 0x2b}} , + {{0x02, 0x0c, 0xc2, 0xaf, 0x96, 0x36, 0xfe, 0x4a, 0xe2, 0x54, 0x20, 0x6a, 0xeb, 0xb2, 0x9f, 0x62, 0xd7, 0xce, 0xa2, 0x3f, 0x20, 0x11, 0x34, 0x37, 0xe0, 0x42, 0xed, 0x6f, 0xf9, 0x1a, 0xc8, 0x7d}}}, +{{{0xd8, 0xb9, 0x11, 0xe8, 0x36, 0x3f, 0x42, 0xc1, 0xca, 0xdc, 0xd3, 0xf1, 0xc8, 0x23, 0x3d, 0x4f, 0x51, 0x7b, 0x9d, 0x8d, 0xd8, 0xe4, 0xa0, 0xaa, 0xf3, 0x04, 0xd6, 0x11, 0x93, 0xc8, 0x35, 0x45}} , + {{0x61, 0x36, 0xd6, 0x08, 0x90, 0xbf, 0xa7, 0x7a, 0x97, 0x6c, 0x0f, 0x84, 0xd5, 0x33, 0x2d, 0x37, 0xc9, 0x6a, 0x80, 0x90, 0x3d, 0x0a, 0xa2, 0xaa, 0xe1, 0xb8, 0x84, 0xba, 0x61, 0x36, 0xdd, 0x69}}}, +{{{0x6b, 0xdb, 0x5b, 0x9c, 0xc6, 0x92, 0xbc, 0x23, 0xaf, 0xc5, 0xb8, 0x75, 0xf8, 0x42, 0xfa, 0xd6, 0xb6, 0x84, 0x94, 0x63, 0x98, 0x93, 0x48, 0x78, 0x38, 0xcd, 0xbb, 0x18, 0x34, 0xc3, 0xdb, 0x67}} , + {{0x96, 0xf3, 0x3a, 0x09, 0x56, 0xb0, 0x6f, 0x7c, 0x51, 0x1e, 0x1b, 0x39, 
0x48, 0xea, 0xc9, 0x0c, 0x25, 0xa2, 0x7a, 0xca, 0xe7, 0x92, 0xfc, 0x59, 0x30, 0xa3, 0x89, 0x85, 0xdf, 0x6f, 0x43, 0x38}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x79, 0x84, 0x44, 0x19, 0xbd, 0xe9, 0x54, 0xc4, 0xc0, 0x6e, 0x2a, 0xa8, 0xa8, 0x9b, 0x43, 0xd5, 0x71, 0x22, 0x5f, 0xdc, 0x01, 0xfa, 0xdf, 0xb3, 0xb8, 0x47, 0x4b, 0x0a, 0xa5, 0x44, 0xea, 0x29}} , + {{0x05, 0x90, 0x50, 0xaf, 0x63, 0x5f, 0x9d, 0x9e, 0xe1, 0x9d, 0x38, 0x97, 0x1f, 0x6c, 0xac, 0x30, 0x46, 0xb2, 0x6a, 0x19, 0xd1, 0x4b, 0xdb, 0xbb, 0x8c, 0xda, 0x2e, 0xab, 0xc8, 0x5a, 0x77, 0x6c}}}, +{{{0x2b, 0xbe, 0xaf, 0xa1, 0x6d, 0x2f, 0x0b, 0xb1, 0x8f, 0xe3, 0xe0, 0x38, 0xcd, 0x0b, 0x41, 0x1b, 0x4a, 0x15, 0x07, 0xf3, 0x6f, 0xdc, 0xb8, 0xe9, 0xde, 0xb2, 0xa3, 0x40, 0x01, 0xa6, 0x45, 0x1e}} , + {{0x76, 0x0a, 0xda, 0x8d, 0x2c, 0x07, 0x3f, 0x89, 0x7d, 0x04, 0xad, 0x43, 0x50, 0x6e, 0xd2, 0x47, 0xcb, 0x8a, 0xe6, 0x85, 0x1a, 0x24, 0xf3, 0xd2, 0x60, 0xfd, 0xdf, 0x73, 0xa4, 0x0d, 0x73, 0x0e}}}, +{{{0xfd, 0x67, 0x6b, 0x71, 0x9b, 0x81, 0x53, 0x39, 0x39, 0xf4, 0xb8, 0xd5, 0xc3, 0x30, 0x9b, 0x3b, 0x7c, 0xa3, 0xf0, 0xd0, 0x84, 0x21, 0xd6, 0xbf, 0xb7, 0x4c, 0x87, 0x13, 0x45, 0x2d, 0xa7, 0x55}} , + {{0x5d, 0x04, 0xb3, 0x40, 0x28, 0x95, 0x2d, 0x30, 0x83, 0xec, 0x5e, 0xe4, 0xff, 0x75, 0xfe, 0x79, 0x26, 0x9d, 0x1d, 0x36, 0xcd, 0x0a, 0x15, 0xd2, 0x24, 0x14, 0x77, 0x71, 0xd7, 0x8a, 0x1b, 0x04}}}, +{{{0x5d, 0x93, 0xc9, 0xbe, 0xaa, 0x90, 0xcd, 0x9b, 0xfb, 0x73, 0x7e, 0xb0, 0x64, 0x98, 0x57, 0x44, 0x42, 0x41, 0xb1, 0xaf, 0xea, 0xc1, 0xc3, 0x22, 0xff, 0x60, 0x46, 0xcb, 0x61, 0x81, 0x70, 0x61}} , + {{0x0d, 0x82, 0xb9, 0xfe, 0x21, 0xcd, 0xc4, 0xf5, 0x98, 0x0c, 0x4e, 0x72, 0xee, 
0x87, 0x49, 0xf8, 0xa1, 0x95, 0xdf, 0x8f, 0x2d, 0xbd, 0x21, 0x06, 0x7c, 0x15, 0xe8, 0x12, 0x6d, 0x93, 0xd6, 0x38}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x91, 0xf7, 0x51, 0xd9, 0xef, 0x7d, 0x42, 0x01, 0x13, 0xe9, 0xb8, 0x7f, 0xa6, 0x49, 0x17, 0x64, 0x21, 0x80, 0x83, 0x2c, 0x63, 0x4c, 0x60, 0x09, 0x59, 0x91, 0x92, 0x77, 0x39, 0x51, 0xf4, 0x48}} , + {{0x60, 0xd5, 0x22, 0x83, 0x08, 0x2f, 0xff, 0x99, 0x3e, 0x69, 0x6d, 0x88, 0xda, 0xe7, 0x5b, 0x52, 0x26, 0x31, 0x2a, 0xe5, 0x89, 0xde, 0x68, 0x90, 0xb6, 0x22, 0x5a, 0xbd, 0xd3, 0x85, 0x53, 0x31}}}, +{{{0xd8, 0xce, 0xdc, 0xf9, 0x3c, 0x4b, 0xa2, 0x1d, 0x2c, 0x2f, 0x36, 0xbe, 0x7a, 0xfc, 0xcd, 0xbc, 0xdc, 0xf9, 0x30, 0xbd, 0xff, 0x05, 0xc7, 0xe4, 0x8e, 0x17, 0x62, 0xf8, 0x4d, 0xa0, 0x56, 0x79}} , + {{0x82, 0xe7, 0xf6, 0xba, 0x53, 0x84, 0x0a, 0xa3, 0x34, 0xff, 0x3c, 0xa3, 0x6a, 0xa1, 0x37, 0xea, 0xdd, 0xb6, 0x95, 0xb3, 0x78, 0x19, 0x76, 0x1e, 0x55, 0x2f, 0x77, 0x2e, 0x7f, 0xc1, 0xea, 0x5e}}}, +{{{0x83, 0xe1, 0x6e, 0xa9, 0x07, 0x33, 0x3e, 0x83, 0xff, 0xcb, 0x1c, 0x9f, 0xb1, 0xa3, 0xb4, 0xc9, 0xe1, 0x07, 0x97, 0xff, 0xf8, 0x23, 0x8f, 0xce, 0x40, 0xfd, 0x2e, 0x5e, 0xdb, 0x16, 0x43, 0x2d}} , + {{0xba, 0x38, 0x02, 0xf7, 0x81, 0x43, 0x83, 0xa3, 0x20, 0x4f, 0x01, 0x3b, 0x8a, 0x04, 0x38, 0x31, 0xc6, 0x0f, 0xc8, 0xdf, 0xd7, 0xfa, 0x2f, 0x88, 0x3f, 0xfc, 0x0c, 0x76, 0xc4, 0xa6, 0x45, 0x72}}}, +{{{0xbb, 0x0c, 0xbc, 0x6a, 0xa4, 0x97, 0x17, 0x93, 0x2d, 0x6f, 0xde, 0x72, 0x10, 0x1c, 0x08, 0x2c, 0x0f, 0x80, 0x32, 0x68, 0x27, 0xd4, 0xab, 0xdd, 0xc5, 0x58, 0x61, 0x13, 0x6d, 0x11, 0x1e, 0x4d}} , + {{0x1a, 0xb9, 0xc9, 0x10, 0xfb, 0x1e, 0x4e, 0xf4, 0x84, 0x4b, 0x8a, 0x5e, 0x7b, 0x4b, 
0xe8, 0x43, 0x8c, 0x8f, 0x00, 0xb5, 0x54, 0x13, 0xc5, 0x5c, 0xb6, 0x35, 0x4e, 0x9d, 0xe4, 0x5b, 0x41, 0x6d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x15, 0x7d, 0x12, 0x48, 0x82, 0x14, 0x42, 0xcd, 0x32, 0xd4, 0x4b, 0xc1, 0x72, 0x61, 0x2a, 0x8c, 0xec, 0xe2, 0xf8, 0x24, 0x45, 0x94, 0xe3, 0xbe, 0xdd, 0x67, 0xa8, 0x77, 0x5a, 0xae, 0x5b, 0x4b}} , + {{0xcb, 0x77, 0x9a, 0x20, 0xde, 0xb8, 0x23, 0xd9, 0xa0, 0x0f, 0x8c, 0x7b, 0xa5, 0xcb, 0xae, 0xb6, 0xec, 0x42, 0x67, 0x0e, 0x58, 0xa4, 0x75, 0x98, 0x21, 0x71, 0x84, 0xb3, 0xe0, 0x76, 0x94, 0x73}}}, +{{{0xdf, 0xfc, 0x69, 0x28, 0x23, 0x3f, 0x5b, 0xf8, 0x3b, 0x24, 0x37, 0xf3, 0x1d, 0xd5, 0x22, 0x6b, 0xd0, 0x98, 0xa8, 0x6c, 0xcf, 0xff, 0x06, 0xe1, 0x13, 0xdf, 0xb9, 0xc1, 0x0c, 0xa9, 0xbf, 0x33}} , + {{0xd9, 0x81, 0xda, 0xb2, 0x4f, 0x82, 0x9d, 0x43, 0x81, 0x09, 0xf1, 0xd2, 0x01, 0xef, 0xac, 0xf4, 0x2d, 0x7d, 0x01, 0x09, 0xf1, 0xff, 0xa5, 0x9f, 0xe5, 0xca, 0x27, 0x63, 0xdb, 0x20, 0xb1, 0x53}}}, +{{{0x67, 0x02, 0xe8, 0xad, 0xa9, 0x34, 0xd4, 0xf0, 0x15, 0x81, 0xaa, 0xc7, 0x4d, 0x87, 0x94, 0xea, 0x75, 0xe7, 0x4c, 0x94, 0x04, 0x0e, 0x69, 0x87, 0xe7, 0x51, 0x91, 0x10, 0x03, 0xc7, 0xbe, 0x56}} , + {{0x32, 0xfb, 0x86, 0xec, 0x33, 0x6b, 0x2e, 0x51, 0x2b, 0xc8, 0xfa, 0x6c, 0x70, 0x47, 0x7e, 0xce, 0x05, 0x0c, 0x71, 0xf3, 0xb4, 0x56, 0xa6, 0xdc, 0xcc, 0x78, 0x07, 0x75, 0xd0, 0xdd, 0xb2, 0x6a}}}, +{{{0xc6, 0xef, 0xb9, 0xc0, 0x2b, 0x22, 0x08, 0x1e, 0x71, 0x70, 0xb3, 0x35, 0x9c, 0x7a, 0x01, 0x92, 0x44, 0x9a, 0xf6, 0xb0, 0x58, 0x95, 0xc1, 0x9b, 0x02, 0xed, 0x2d, 0x7c, 0x34, 0x29, 0x49, 0x44}} , + {{0x45, 0x62, 0x1d, 0x2e, 0xff, 0x2a, 0x1c, 0x21, 0xa4, 0x25, 0x7b, 0x0d, 0x8c, 0x15, 0x39, 
0xfc, 0x8f, 0x7c, 0xa5, 0x7d, 0x1e, 0x25, 0xa3, 0x45, 0xd6, 0xab, 0xbd, 0xcb, 0xc5, 0x5e, 0x78, 0x77}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xd0, 0xd3, 0x42, 0xed, 0x1d, 0x00, 0x3c, 0x15, 0x2c, 0x9c, 0x77, 0x81, 0xd2, 0x73, 0xd1, 0x06, 0xd5, 0xc4, 0x7f, 0x94, 0xbb, 0x92, 0x2d, 0x2c, 0x4b, 0x45, 0x4b, 0xe9, 0x2a, 0x89, 0x6b, 0x2b}} , + {{0xd2, 0x0c, 0x88, 0xc5, 0x48, 0x4d, 0xea, 0x0d, 0x4a, 0xc9, 0x52, 0x6a, 0x61, 0x79, 0xe9, 0x76, 0xf3, 0x85, 0x52, 0x5c, 0x1b, 0x2c, 0xe1, 0xd6, 0xc4, 0x0f, 0x18, 0x0e, 0x4e, 0xf6, 0x1c, 0x7f}}}, +{{{0xb4, 0x04, 0x2e, 0x42, 0xcb, 0x1f, 0x2b, 0x11, 0x51, 0x7b, 0x08, 0xac, 0xaa, 0x3e, 0x9e, 0x52, 0x60, 0xb7, 0xc2, 0x61, 0x57, 0x8c, 0x84, 0xd5, 0x18, 0xa6, 0x19, 0xfc, 0xb7, 0x75, 0x91, 0x1b}} , + {{0xe8, 0x68, 0xca, 0x44, 0xc8, 0x38, 0x38, 0xcc, 0x53, 0x0a, 0x32, 0x35, 0xcc, 0x52, 0xcb, 0x0e, 0xf7, 0xc5, 0xe7, 0xec, 0x3d, 0x85, 0xcc, 0x58, 0xe2, 0x17, 0x47, 0xff, 0x9f, 0xa5, 0x30, 0x17}}}, +{{{0xe3, 0xae, 0xc8, 0xc1, 0x71, 0x75, 0x31, 0x00, 0x37, 0x41, 0x5c, 0x0e, 0x39, 0xda, 0x73, 0xa0, 0xc7, 0x97, 0x36, 0x6c, 0x5b, 0xf2, 0xee, 0x64, 0x0a, 0x3d, 0x89, 0x1e, 0x1d, 0x49, 0x8c, 0x37}} , + {{0x4c, 0xe6, 0xb0, 0xc1, 0xa5, 0x2a, 0x82, 0x09, 0x08, 0xad, 0x79, 0x9c, 0x56, 0xf6, 0xf9, 0xc1, 0xd7, 0x7c, 0x39, 0x7f, 0x93, 0xca, 0x11, 0x55, 0xbf, 0x07, 0x1b, 0x82, 0x29, 0x69, 0x95, 0x5c}}}, +{{{0x87, 0xee, 0xa6, 0x56, 0x9e, 0xc2, 0x9a, 0x56, 0x24, 0x42, 0x85, 0x4d, 0x98, 0x31, 0x1e, 0x60, 0x4d, 0x87, 0x85, 0x04, 0xae, 0x46, 0x12, 0xf9, 0x8e, 0x7f, 0xe4, 0x7f, 0xf6, 0x1c, 0x37, 0x01}} , + {{0x73, 0x4c, 0xb6, 0xc5, 0xc4, 0xe9, 0x6c, 0x85, 0x48, 0x4a, 0x5a, 0xac, 0xd9, 0x1f, 0x43, 0xf8, 
0x62, 0x5b, 0xee, 0x98, 0x2a, 0x33, 0x8e, 0x79, 0xce, 0x61, 0x06, 0x35, 0xd8, 0xd7, 0xca, 0x71}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x72, 0xd3, 0xae, 0xa6, 0xca, 0x8f, 0xcd, 0xcc, 0x78, 0x8e, 0x19, 0x4d, 0xa7, 0xd2, 0x27, 0xe9, 0xa4, 0x3c, 0x16, 0x5b, 0x84, 0x80, 0xf9, 0xd0, 0xcc, 0x6a, 0x1e, 0xca, 0x1e, 0x67, 0xbd, 0x63}} , + {{0x7b, 0x6e, 0x2a, 0xd2, 0x87, 0x48, 0xff, 0xa1, 0xca, 0xe9, 0x15, 0x85, 0xdc, 0xdb, 0x2c, 0x39, 0x12, 0x91, 0xa9, 0x20, 0xaa, 0x4f, 0x29, 0xf4, 0x15, 0x7a, 0xd2, 0xf5, 0x32, 0xcc, 0x60, 0x04}}}, +{{{0xe5, 0x10, 0x47, 0x3b, 0xfa, 0x90, 0xfc, 0x30, 0xb5, 0xea, 0x6f, 0x56, 0x8f, 0xfb, 0x0e, 0xa7, 0x3b, 0xc8, 0xb2, 0xff, 0x02, 0x7a, 0x33, 0x94, 0x93, 0x2a, 0x03, 0xe0, 0x96, 0x3a, 0x6c, 0x0f}} , + {{0x5a, 0x63, 0x67, 0xe1, 0x9b, 0x47, 0x78, 0x9f, 0x38, 0x79, 0xac, 0x97, 0x66, 0x1d, 0x5e, 0x51, 0xee, 0x24, 0x42, 0xe8, 0x58, 0x4b, 0x8a, 0x03, 0x75, 0x86, 0x37, 0x86, 0xe2, 0x97, 0x4e, 0x3d}}}, +{{{0x3f, 0x75, 0x8e, 0xb4, 0xff, 0xd8, 0xdd, 0xd6, 0x37, 0x57, 0x9d, 0x6d, 0x3b, 0xbd, 0xd5, 0x60, 0x88, 0x65, 0x9a, 0xb9, 0x4a, 0x68, 0x84, 0xa2, 0x67, 0xdd, 0x17, 0x25, 0x97, 0x04, 0x8b, 0x5e}} , + {{0xbb, 0x40, 0x5e, 0xbc, 0x16, 0x92, 0x05, 0xc4, 0xc0, 0x4e, 0x72, 0x90, 0x0e, 0xab, 0xcf, 0x8a, 0xed, 0xef, 0xb9, 0x2d, 0x3b, 0xf8, 0x43, 0x5b, 0xba, 0x2d, 0xeb, 0x2f, 0x52, 0xd2, 0xd1, 0x5a}}}, +{{{0x40, 0xb4, 0xab, 0xe6, 0xad, 0x9f, 0x46, 0x69, 0x4a, 0xb3, 0x8e, 0xaa, 0xea, 0x9c, 0x8a, 0x20, 0x16, 0x5d, 0x8c, 0x13, 0xbd, 0xf6, 0x1d, 0xc5, 0x24, 0xbd, 0x90, 0x2a, 0x1c, 0xc7, 0x13, 0x3b}} , + {{0x54, 0xdc, 0x16, 0x0d, 0x18, 0xbe, 0x35, 0x64, 0x61, 0x52, 0x02, 0x80, 0xaf, 0x05, 0xf7, 0xa6, 0x42, 
0xd3, 0x8f, 0x2e, 0x79, 0x26, 0xa8, 0xbb, 0xb2, 0x17, 0x48, 0xb2, 0x7a, 0x0a, 0x89, 0x14}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x20, 0xa8, 0x88, 0xe3, 0x91, 0xc0, 0x6e, 0xbb, 0x8a, 0x27, 0x82, 0x51, 0x83, 0xb2, 0x28, 0xa9, 0x83, 0xeb, 0xa6, 0xa9, 0x4d, 0x17, 0x59, 0x22, 0x54, 0x00, 0x50, 0x45, 0xcb, 0x48, 0x4b, 0x18}} , + {{0x33, 0x7c, 0xe7, 0x26, 0xba, 0x4d, 0x32, 0xfe, 0x53, 0xf4, 0xfa, 0x83, 0xe3, 0xa5, 0x79, 0x66, 0x73, 0xef, 0x80, 0x23, 0x68, 0xc2, 0x60, 0xdd, 0xa9, 0x33, 0xdc, 0x03, 0x7a, 0xe0, 0xe0, 0x3e}}}, +{{{0x34, 0x5c, 0x13, 0xfb, 0xc0, 0xe3, 0x78, 0x2b, 0x54, 0x58, 0x22, 0x9b, 0x76, 0x81, 0x7f, 0x93, 0x9c, 0x25, 0x3c, 0xd2, 0xe9, 0x96, 0x21, 0x26, 0x08, 0xf5, 0xed, 0x95, 0x11, 0xae, 0x04, 0x5a}} , + {{0xb9, 0xe8, 0xc5, 0x12, 0x97, 0x1f, 0x83, 0xfe, 0x3e, 0x94, 0x99, 0xd4, 0x2d, 0xf9, 0x52, 0x59, 0x5c, 0x82, 0xa6, 0xf0, 0x75, 0x7e, 0xe8, 0xec, 0xcc, 0xac, 0x18, 0x21, 0x09, 0x67, 0x66, 0x67}}}, +{{{0xb3, 0x40, 0x29, 0xd1, 0xcb, 0x1b, 0x08, 0x9e, 0x9c, 0xb7, 0x53, 0xb9, 0x3b, 0x71, 0x08, 0x95, 0x12, 0x1a, 0x58, 0xaf, 0x7e, 0x82, 0x52, 0x43, 0x4f, 0x11, 0x39, 0xf4, 0x93, 0x1a, 0x26, 0x05}} , + {{0x6e, 0x44, 0xa3, 0xf9, 0x64, 0xaf, 0xe7, 0x6d, 0x7d, 0xdf, 0x1e, 0xac, 0x04, 0xea, 0x3b, 0x5f, 0x9b, 0xe8, 0x24, 0x9d, 0x0e, 0xe5, 0x2e, 0x3e, 0xdf, 0xa9, 0xf7, 0xd4, 0x50, 0x71, 0xf0, 0x78}}}, +{{{0x3e, 0xa8, 0x38, 0xc2, 0x57, 0x56, 0x42, 0x9a, 0xb1, 0xe2, 0xf8, 0x45, 0xaa, 0x11, 0x48, 0x5f, 0x17, 0xc4, 0x54, 0x27, 0xdc, 0x5d, 0xaa, 0xdd, 0x41, 0xbc, 0xdf, 0x81, 0xb9, 0x53, 0xee, 0x52}} , + {{0xc3, 0xf1, 0xa7, 0x6d, 0xb3, 0x5f, 0x92, 0x6f, 0xcc, 0x91, 0xb8, 0x95, 0x05, 0xdf, 0x3c, 0x64, 0x57, 0x39, 
0x61, 0x51, 0xad, 0x8c, 0x38, 0x7b, 0xc8, 0xde, 0x00, 0x34, 0xbe, 0xa1, 0xb0, 0x7e}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x25, 0x24, 0x1d, 0x8a, 0x67, 0x20, 0xee, 0x42, 0xeb, 0x38, 0xed, 0x0b, 0x8b, 0xcd, 0x46, 0x9d, 0x5e, 0x6b, 0x1e, 0x24, 0x9d, 0x12, 0x05, 0x1a, 0xcc, 0x05, 0x4e, 0x92, 0x38, 0xe1, 0x1f, 0x50}} , + {{0x4e, 0xee, 0x1c, 0x91, 0xe6, 0x11, 0xbd, 0x8e, 0x55, 0x1a, 0x18, 0x75, 0x66, 0xaf, 0x4d, 0x7b, 0x0f, 0xae, 0x6d, 0x85, 0xca, 0x82, 0x58, 0x21, 0x9c, 0x18, 0xe0, 0xed, 0xec, 0x22, 0x80, 0x2f}}}, +{{{0x68, 0x3b, 0x0a, 0x39, 0x1d, 0x6a, 0x15, 0x57, 0xfc, 0xf0, 0x63, 0x54, 0xdb, 0x39, 0xdb, 0xe8, 0x5c, 0x64, 0xff, 0xa0, 0x09, 0x4f, 0x3b, 0xb7, 0x32, 0x60, 0x99, 0x94, 0xfd, 0x94, 0x82, 0x2d}} , + {{0x24, 0xf6, 0x5a, 0x44, 0xf1, 0x55, 0x2c, 0xdb, 0xea, 0x7c, 0x84, 0x7c, 0x01, 0xac, 0xe3, 0xfd, 0xc9, 0x27, 0xc1, 0x5a, 0xb9, 0xde, 0x4f, 0x5a, 0x90, 0xdd, 0xc6, 0x67, 0xaa, 0x6f, 0x8a, 0x3a}}}, +{{{0x78, 0x52, 0x87, 0xc9, 0x97, 0x63, 0xb1, 0xdd, 0x54, 0x5f, 0xc1, 0xf8, 0xf1, 0x06, 0xa6, 0xa8, 0xa3, 0x88, 0x82, 0xd4, 0xcb, 0xa6, 0x19, 0xdd, 0xd1, 0x11, 0x87, 0x08, 0x17, 0x4c, 0x37, 0x2a}} , + {{0xa1, 0x0c, 0xf3, 0x08, 0x43, 0xd9, 0x24, 0x1e, 0x83, 0xa7, 0xdf, 0x91, 0xca, 0xbd, 0x69, 0x47, 0x8d, 0x1b, 0xe2, 0xb9, 0x4e, 0xb5, 0xe1, 0x76, 0xb3, 0x1c, 0x93, 0x03, 0xce, 0x5f, 0xb3, 0x5a}}}, +{{{0x1d, 0xda, 0xe4, 0x61, 0x03, 0x50, 0xa9, 0x8b, 0x68, 0x18, 0xef, 0xb2, 0x1c, 0x84, 0x3b, 0xa2, 0x44, 0x95, 0xa3, 0x04, 0x3b, 0xd6, 0x99, 0x00, 0xaf, 0x76, 0x42, 0x67, 0x02, 0x7d, 0x85, 0x56}} , + {{0xce, 0x72, 0x0e, 0x29, 0x84, 0xb2, 0x7d, 0xd2, 0x45, 0xbe, 0x57, 0x06, 0xed, 0x7f, 0xcf, 0xed, 0xcd, 0xef, 0x19, 
0xd6, 0xbc, 0x15, 0x79, 0x64, 0xd2, 0x18, 0xe3, 0x20, 0x67, 0x3a, 0x54, 0x0b}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x52, 0xfd, 0x04, 0xc5, 0xfb, 0x99, 0xe7, 0xe8, 0xfb, 0x8c, 0xe1, 0x42, 0x03, 0xef, 0x9d, 0xd9, 0x9e, 0x4d, 0xf7, 0x80, 0xcf, 0x2e, 0xcc, 0x9b, 0x45, 0xc9, 0x7b, 0x7a, 0xbc, 0x37, 0xa8, 0x52}} , + {{0x96, 0x11, 0x41, 0x8a, 0x47, 0x91, 0xfe, 0xb6, 0xda, 0x7a, 0x54, 0x63, 0xd1, 0x14, 0x35, 0x05, 0x86, 0x8c, 0xa9, 0x36, 0x3f, 0xf2, 0x85, 0x54, 0x4e, 0x92, 0xd8, 0x85, 0x01, 0x46, 0xd6, 0x50}}}, +{{{0x53, 0xcd, 0xf3, 0x86, 0x40, 0xe6, 0x39, 0x42, 0x95, 0xd6, 0xcb, 0x45, 0x1a, 0x20, 0xc8, 0x45, 0x4b, 0x32, 0x69, 0x04, 0xb1, 0xaf, 0x20, 0x46, 0xc7, 0x6b, 0x23, 0x5b, 0x69, 0xee, 0x30, 0x3f}} , + {{0x70, 0x83, 0x47, 0xc0, 0xdb, 0x55, 0x08, 0xa8, 0x7b, 0x18, 0x6d, 0xf5, 0x04, 0x5a, 0x20, 0x0c, 0x4a, 0x8c, 0x60, 0xae, 0xae, 0x0f, 0x64, 0x55, 0x55, 0x2e, 0xd5, 0x1d, 0x53, 0x31, 0x42, 0x41}}}, +{{{0xca, 0xfc, 0x88, 0x6b, 0x96, 0x78, 0x0a, 0x8b, 0x83, 0xdc, 0xbc, 0xaf, 0x40, 0xb6, 0x8d, 0x7f, 0xef, 0xb4, 0xd1, 0x3f, 0xcc, 0xa2, 0x74, 0xc9, 0xc2, 0x92, 0x55, 0x00, 0xab, 0xdb, 0xbf, 0x4f}} , + {{0x93, 0x1c, 0x06, 0x2d, 0x66, 0x65, 0x02, 0xa4, 0x97, 0x18, 0xfd, 0x00, 0xe7, 0xab, 0x03, 0xec, 0xce, 0xc1, 0xbf, 0x37, 0xf8, 0x13, 0x53, 0xa5, 0xe5, 0x0c, 0x3a, 0xa8, 0x55, 0xb9, 0xff, 0x68}}}, +{{{0xe4, 0xe6, 0x6d, 0x30, 0x7d, 0x30, 0x35, 0xc2, 0x78, 0x87, 0xf9, 0xfc, 0x6b, 0x5a, 0xc3, 0xb7, 0x65, 0xd8, 0x2e, 0xc7, 0xa5, 0x0c, 0xc6, 0xdc, 0x12, 0xaa, 0xd6, 0x4f, 0xc5, 0x38, 0xbc, 0x0e}} , + {{0xe2, 0x3c, 0x76, 0x86, 0x38, 0xf2, 0x7b, 0x2c, 0x16, 0x78, 0x8d, 0xf5, 0xa4, 0x15, 0xda, 0xdb, 0x26, 0x85, 0xa0, 0x56, 
0xdd, 0x1d, 0xe3, 0xb3, 0xfd, 0x40, 0xef, 0xf2, 0xd9, 0xa1, 0xb3, 0x04}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xdb, 0x49, 0x0e, 0xe6, 0x58, 0x10, 0x7a, 0x52, 0xda, 0xb5, 0x7d, 0x37, 0x6a, 0x3e, 0xa1, 0x78, 0xce, 0xc7, 0x1c, 0x24, 0x23, 0xdb, 0x7d, 0xfb, 0x8c, 0x8d, 0xdc, 0x30, 0x67, 0x69, 0x75, 0x3b}} , + {{0xa9, 0xea, 0x6d, 0x16, 0x16, 0x60, 0xf4, 0x60, 0x87, 0x19, 0x44, 0x8c, 0x4a, 0x8b, 0x3e, 0xfb, 0x16, 0x00, 0x00, 0x54, 0xa6, 0x9e, 0x9f, 0xef, 0xcf, 0xd9, 0xd2, 0x4c, 0x74, 0x31, 0xd0, 0x34}}}, +{{{0xa4, 0xeb, 0x04, 0xa4, 0x8c, 0x8f, 0x71, 0x27, 0x95, 0x85, 0x5d, 0x55, 0x4b, 0xb1, 0x26, 0x26, 0xc8, 0xae, 0x6a, 0x7d, 0xa2, 0x21, 0xca, 0xce, 0x38, 0xab, 0x0f, 0xd0, 0xd5, 0x2b, 0x6b, 0x00}} , + {{0xe5, 0x67, 0x0c, 0xf1, 0x3a, 0x9a, 0xea, 0x09, 0x39, 0xef, 0xd1, 0x30, 0xbc, 0x33, 0xba, 0xb1, 0x6a, 0xc5, 0x27, 0x08, 0x7f, 0x54, 0x80, 0x3d, 0xab, 0xf6, 0x15, 0x7a, 0xc2, 0x40, 0x73, 0x72}}}, +{{{0x84, 0x56, 0x82, 0xb6, 0x12, 0x70, 0x7f, 0xf7, 0xf0, 0xbd, 0x5b, 0xa9, 0xd5, 0xc5, 0x5f, 0x59, 0xbf, 0x7f, 0xb3, 0x55, 0x22, 0x02, 0xc9, 0x44, 0x55, 0x87, 0x8f, 0x96, 0x98, 0x64, 0x6d, 0x15}} , + {{0xb0, 0x8b, 0xaa, 0x1e, 0xec, 0xc7, 0xa5, 0x8f, 0x1f, 0x92, 0x04, 0xc6, 0x05, 0xf6, 0xdf, 0xa1, 0xcc, 0x1f, 0x81, 0xf5, 0x0e, 0x9c, 0x57, 0xdc, 0xe3, 0xbb, 0x06, 0x87, 0x1e, 0xfe, 0x23, 0x6c}}}, +{{{0xd8, 0x2b, 0x5b, 0x16, 0xea, 0x20, 0xf1, 0xd3, 0x68, 0x8f, 0xae, 0x5b, 0xd0, 0xa9, 0x1a, 0x19, 0xa8, 0x36, 0xfb, 0x2b, 0x57, 0x88, 0x7d, 0x90, 0xd5, 0xa6, 0xf3, 0xdc, 0x38, 0x89, 0x4e, 0x1f}} , + {{0xcc, 0x19, 0xda, 0x9b, 0x3b, 0x43, 0x48, 0x21, 0x2e, 0x23, 0x4d, 0x3d, 0xae, 0xf8, 0x8c, 0xfc, 0xdd, 0xa6, 0x74, 0x37, 0x65, 
0xca, 0xee, 0x1a, 0x19, 0x8e, 0x9f, 0x64, 0x6f, 0x0c, 0x8b, 0x5a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x25, 0xb9, 0xc2, 0xf0, 0x72, 0xb8, 0x15, 0x16, 0xcc, 0x8d, 0x3c, 0x6f, 0x25, 0xed, 0xf4, 0x46, 0x2e, 0x0c, 0x60, 0x0f, 0xe2, 0x84, 0x34, 0x55, 0x89, 0x59, 0x34, 0x1b, 0xf5, 0x8d, 0xfe, 0x08}} , + {{0xf8, 0xab, 0x93, 0xbc, 0x44, 0xba, 0x1b, 0x75, 0x4b, 0x49, 0x6f, 0xd0, 0x54, 0x2e, 0x63, 0xba, 0xb5, 0xea, 0xed, 0x32, 0x14, 0xc9, 0x94, 0xd8, 0xc5, 0xce, 0xf4, 0x10, 0x68, 0xe0, 0x38, 0x27}}}, +{{{0x74, 0x1c, 0x14, 0x9b, 0xd4, 0x64, 0x61, 0x71, 0x5a, 0xb6, 0x21, 0x33, 0x4f, 0xf7, 0x8e, 0xba, 0xa5, 0x48, 0x9a, 0xc7, 0xfa, 0x9a, 0xf0, 0xb4, 0x62, 0xad, 0xf2, 0x5e, 0xcc, 0x03, 0x24, 0x1a}} , + {{0xf5, 0x76, 0xfd, 0xe4, 0xaf, 0xb9, 0x03, 0x59, 0xce, 0x63, 0xd2, 0x3b, 0x1f, 0xcd, 0x21, 0x0c, 0xad, 0x44, 0xa5, 0x97, 0xac, 0x80, 0x11, 0x02, 0x9b, 0x0c, 0xe5, 0x8b, 0xcd, 0xfb, 0x79, 0x77}}}, +{{{0x15, 0xbe, 0x9a, 0x0d, 0xba, 0x38, 0x72, 0x20, 0x8a, 0xf5, 0xbe, 0x59, 0x93, 0x79, 0xb7, 0xf6, 0x6a, 0x0c, 0x38, 0x27, 0x1a, 0x60, 0xf4, 0x86, 0x3b, 0xab, 0x5a, 0x00, 0xa0, 0xce, 0x21, 0x7d}} , + {{0x6c, 0xba, 0x14, 0xc5, 0xea, 0x12, 0x9e, 0x2e, 0x82, 0x63, 0xce, 0x9b, 0x4a, 0xe7, 0x1d, 0xec, 0xf1, 0x2e, 0x51, 0x1c, 0xf4, 0xd0, 0x69, 0x15, 0x42, 0x9d, 0xa3, 0x3f, 0x0e, 0xbf, 0xe9, 0x5c}}}, +{{{0xe4, 0x0d, 0xf4, 0xbd, 0xee, 0x31, 0x10, 0xed, 0xcb, 0x12, 0x86, 0xad, 0xd4, 0x2f, 0x90, 0x37, 0x32, 0xc3, 0x0b, 0x73, 0xec, 0x97, 0x85, 0xa4, 0x01, 0x1c, 0x76, 0x35, 0xfe, 0x75, 0xdd, 0x71}} , + {{0x11, 0xa4, 0x88, 0x9f, 0x3e, 0x53, 0x69, 0x3b, 0x1b, 0xe0, 0xf7, 0xba, 0x9b, 0xad, 0x4e, 0x81, 0x5f, 0xb5, 0x5c, 0xae, 0xbe, 0x67, 
0x86, 0x37, 0x34, 0x8e, 0x07, 0x32, 0x45, 0x4a, 0x67, 0x39}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x90, 0x70, 0x58, 0x20, 0x03, 0x1e, 0x67, 0xb2, 0xc8, 0x9b, 0x58, 0xc5, 0xb1, 0xeb, 0x2d, 0x4a, 0xde, 0x82, 0x8c, 0xf2, 0xd2, 0x14, 0xb8, 0x70, 0x61, 0x4e, 0x73, 0xd6, 0x0b, 0x6b, 0x0d, 0x30}} , + {{0x81, 0xfc, 0x55, 0x5c, 0xbf, 0xa7, 0xc4, 0xbd, 0xe2, 0xf0, 0x4b, 0x8f, 0xe9, 0x7d, 0x99, 0xfa, 0xd3, 0xab, 0xbc, 0xc7, 0x83, 0x2b, 0x04, 0x7f, 0x0c, 0x19, 0x43, 0x03, 0x3d, 0x07, 0xca, 0x40}}}, +{{{0xf9, 0xc8, 0xbe, 0x8c, 0x16, 0x81, 0x39, 0x96, 0xf6, 0x17, 0x58, 0xc8, 0x30, 0x58, 0xfb, 0xc2, 0x03, 0x45, 0xd2, 0x52, 0x76, 0xe0, 0x6a, 0x26, 0x28, 0x5c, 0x88, 0x59, 0x6a, 0x5a, 0x54, 0x42}} , + {{0x07, 0xb5, 0x2e, 0x2c, 0x67, 0x15, 0x9b, 0xfb, 0x83, 0x69, 0x1e, 0x0f, 0xda, 0xd6, 0x29, 0xb1, 0x60, 0xe0, 0xb2, 0xba, 0x69, 0xa2, 0x9e, 0xbd, 0xbd, 0xe0, 0x1c, 0xbd, 0xcd, 0x06, 0x64, 0x70}}}, +{{{0x41, 0xfa, 0x8c, 0xe1, 0x89, 0x8f, 0x27, 0xc8, 0x25, 0x8f, 0x6f, 0x5f, 0x55, 0xf8, 0xde, 0x95, 0x6d, 0x2f, 0x75, 0x16, 0x2b, 0x4e, 0x44, 0xfd, 0x86, 0x6e, 0xe9, 0x70, 0x39, 0x76, 0x97, 0x7e}} , + {{0x17, 0x62, 0x6b, 0x14, 0xa1, 0x7c, 0xd0, 0x79, 0x6e, 0xd8, 0x8a, 0xa5, 0x6d, 0x8c, 0x93, 0xd2, 0x3f, 0xec, 0x44, 0x8d, 0x6e, 0x91, 0x01, 0x8c, 0x8f, 0xee, 0x01, 0x8f, 0xc0, 0xb4, 0x85, 0x0e}}}, +{{{0x02, 0x3a, 0x70, 0x41, 0xe4, 0x11, 0x57, 0x23, 0xac, 0xe6, 0xfc, 0x54, 0x7e, 0xcd, 0xd7, 0x22, 0xcb, 0x76, 0x9f, 0x20, 0xce, 0xa0, 0x73, 0x76, 0x51, 0x3b, 0xa4, 0xf8, 0xe3, 0x62, 0x12, 0x6c}} , + {{0x7f, 0x00, 0x9c, 0x26, 0x0d, 0x6f, 0x48, 0x7f, 0x3a, 0x01, 0xed, 0xc5, 0x96, 0xb0, 0x1f, 0x4f, 0xa8, 0x02, 0x62, 0x27, 0x8a, 0x50, 0x8d, 
0x9a, 0x8b, 0x52, 0x0f, 0x1e, 0xcf, 0x41, 0x38, 0x19}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xf5, 0x6c, 0xd4, 0x2f, 0x0f, 0x69, 0x0f, 0x87, 0x3f, 0x61, 0x65, 0x1e, 0x35, 0x34, 0x85, 0xba, 0x02, 0x30, 0xac, 0x25, 0x3d, 0xe2, 0x62, 0xf1, 0xcc, 0xe9, 0x1b, 0xc2, 0xef, 0x6a, 0x42, 0x57}} , + {{0x34, 0x1f, 0x2e, 0xac, 0xd1, 0xc7, 0x04, 0x52, 0x32, 0x66, 0xb2, 0x33, 0x73, 0x21, 0x34, 0x54, 0xf7, 0x71, 0xed, 0x06, 0xb0, 0xff, 0xa6, 0x59, 0x6f, 0x8a, 0x4e, 0xfb, 0x02, 0xb0, 0x45, 0x6b}}}, +{{{0xf5, 0x48, 0x0b, 0x03, 0xc5, 0x22, 0x7d, 0x80, 0x08, 0x53, 0xfe, 0x32, 0xb1, 0xa1, 0x8a, 0x74, 0x6f, 0xbd, 0x3f, 0x85, 0xf4, 0xcf, 0xf5, 0x60, 0xaf, 0x41, 0x7e, 0x3e, 0x46, 0xa3, 0x5a, 0x20}} , + {{0xaa, 0x35, 0x87, 0x44, 0x63, 0x66, 0x97, 0xf8, 0x6e, 0x55, 0x0c, 0x04, 0x3e, 0x35, 0x50, 0xbf, 0x93, 0x69, 0xd2, 0x8b, 0x05, 0x55, 0x99, 0xbe, 0xe2, 0x53, 0x61, 0xec, 0xe8, 0x08, 0x0b, 0x32}}}, +{{{0xb3, 0x10, 0x45, 0x02, 0x69, 0x59, 0x2e, 0x97, 0xd9, 0x64, 0xf8, 0xdb, 0x25, 0x80, 0xdc, 0xc4, 0xd5, 0x62, 0x3c, 0xed, 0x65, 0x91, 0xad, 0xd1, 0x57, 0x81, 0x94, 0xaa, 0xa1, 0x29, 0xfc, 0x68}} , + {{0xdd, 0xb5, 0x7d, 0xab, 0x5a, 0x21, 0x41, 0x53, 0xbb, 0x17, 0x79, 0x0d, 0xd1, 0xa8, 0x0c, 0x0c, 0x20, 0x88, 0x09, 0xe9, 0x84, 0xe8, 0x25, 0x11, 0x67, 0x7a, 0x8b, 0x1a, 0xe4, 0x5d, 0xe1, 0x5d}}}, +{{{0x37, 0xea, 0xfe, 0x65, 0x3b, 0x25, 0xe8, 0xe1, 0xc2, 0xc5, 0x02, 0xa4, 0xbe, 0x98, 0x0a, 0x2b, 0x61, 0xc1, 0x9b, 0xe2, 0xd5, 0x92, 0xe6, 0x9e, 0x7d, 0x1f, 0xca, 0x43, 0x88, 0x8b, 0x2c, 0x59}} , + {{0xe0, 0xb5, 0x00, 0x1d, 0x2a, 0x6f, 0xaf, 0x79, 0x86, 0x2f, 0xa6, 0x5a, 0x93, 0xd1, 0xfe, 0xae, 0x3a, 0xee, 0xdb, 0x7c, 0x61, 0xbe, 0x7c, 0x01, 
0xf9, 0xfe, 0x52, 0xdc, 0xd8, 0x52, 0xa3, 0x42}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x22, 0xaf, 0x13, 0x37, 0xbd, 0x37, 0x71, 0xac, 0x04, 0x46, 0x63, 0xac, 0xa4, 0x77, 0xed, 0x25, 0x38, 0xe0, 0x15, 0xa8, 0x64, 0x00, 0x0d, 0xce, 0x51, 0x01, 0xa9, 0xbc, 0x0f, 0x03, 0x1c, 0x04}} , + {{0x89, 0xf9, 0x80, 0x07, 0xcf, 0x3f, 0xb3, 0xe9, 0xe7, 0x45, 0x44, 0x3d, 0x2a, 0x7c, 0xe9, 0xe4, 0x16, 0x5c, 0x5e, 0x65, 0x1c, 0xc7, 0x7d, 0xc6, 0x7a, 0xfb, 0x43, 0xee, 0x25, 0x76, 0x46, 0x72}}}, +{{{0x02, 0xa2, 0xed, 0xf4, 0x8f, 0x6b, 0x0b, 0x3e, 0xeb, 0x35, 0x1a, 0xd5, 0x7e, 0xdb, 0x78, 0x00, 0x96, 0x8a, 0xa0, 0xb4, 0xcf, 0x60, 0x4b, 0xd4, 0xd5, 0xf9, 0x2d, 0xbf, 0x88, 0xbd, 0x22, 0x62}} , + {{0x13, 0x53, 0xe4, 0x82, 0x57, 0xfa, 0x1e, 0x8f, 0x06, 0x2b, 0x90, 0xba, 0x08, 0xb6, 0x10, 0x54, 0x4f, 0x7c, 0x1b, 0x26, 0xed, 0xda, 0x6b, 0xdd, 0x25, 0xd0, 0x4e, 0xea, 0x42, 0xbb, 0x25, 0x03}}}, +{{{0x51, 0x16, 0x50, 0x7c, 0xd5, 0x5d, 0xf6, 0x99, 0xe8, 0x77, 0x72, 0x4e, 0xfa, 0x62, 0xcb, 0x76, 0x75, 0x0c, 0xe2, 0x71, 0x98, 0x92, 0xd5, 0xfa, 0x45, 0xdf, 0x5c, 0x6f, 0x1e, 0x9e, 0x28, 0x69}} , + {{0x0d, 0xac, 0x66, 0x6d, 0xc3, 0x8b, 0xba, 0x16, 0xb5, 0xe2, 0xa0, 0x0d, 0x0c, 0xbd, 0xa4, 0x8e, 0x18, 0x6c, 0xf2, 0xdc, 0xf9, 0xdc, 0x4a, 0x86, 0x25, 0x95, 0x14, 0xcb, 0xd8, 0x1a, 0x04, 0x0f}}}, +{{{0x97, 0xa5, 0xdb, 0x8b, 0x2d, 0xaa, 0x42, 0x11, 0x09, 0xf2, 0x93, 0xbb, 0xd9, 0x06, 0x84, 0x4e, 0x11, 0xa8, 0xa0, 0x25, 0x2b, 0xa6, 0x5f, 0xae, 0xc4, 0xb4, 0x4c, 0xc8, 0xab, 0xc7, 0x3b, 0x02}} , + {{0xee, 0xc9, 0x29, 0x0f, 0xdf, 0x11, 0x85, 0xed, 0xce, 0x0d, 0x62, 0x2c, 0x8f, 0x4b, 0xf9, 0x04, 0xe9, 0x06, 0x72, 0x1d, 0x37, 0x20, 0x50, 0xc9, 0x14, 
0xeb, 0xec, 0x39, 0xa7, 0x97, 0x2b, 0x4d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x69, 0xd1, 0x39, 0xbd, 0xfb, 0x33, 0xbe, 0xc4, 0xf0, 0x5c, 0xef, 0xf0, 0x56, 0x68, 0xfc, 0x97, 0x47, 0xc8, 0x72, 0xb6, 0x53, 0xa4, 0x0a, 0x98, 0xa5, 0xb4, 0x37, 0x71, 0xcf, 0x66, 0x50, 0x6d}} , + {{0x17, 0xa4, 0x19, 0x52, 0x11, 0x47, 0xb3, 0x5c, 0x5b, 0xa9, 0x2e, 0x22, 0xb4, 0x00, 0x52, 0xf9, 0x57, 0x18, 0xb8, 0xbe, 0x5a, 0xe3, 0xab, 0x83, 0xc8, 0x87, 0x0a, 0x2a, 0xd8, 0x8c, 0xbb, 0x54}}}, +{{{0xa9, 0x62, 0x93, 0x85, 0xbe, 0xe8, 0x73, 0x4a, 0x0e, 0xb0, 0xb5, 0x2d, 0x94, 0x50, 0xaa, 0xd3, 0xb2, 0xea, 0x9d, 0x62, 0x76, 0x3b, 0x07, 0x34, 0x4e, 0x2d, 0x70, 0xc8, 0x9a, 0x15, 0x66, 0x6b}} , + {{0xc5, 0x96, 0xca, 0xc8, 0x22, 0x1a, 0xee, 0x5f, 0xe7, 0x31, 0x60, 0x22, 0x83, 0x08, 0x63, 0xce, 0xb9, 0x32, 0x44, 0x58, 0x5d, 0x3a, 0x9b, 0xe4, 0x04, 0xd5, 0xef, 0x38, 0xef, 0x4b, 0xdd, 0x19}}}, +{{{0x4d, 0xc2, 0x17, 0x75, 0xa1, 0x68, 0xcd, 0xc3, 0xc6, 0x03, 0x44, 0xe3, 0x78, 0x09, 0x91, 0x47, 0x3f, 0x0f, 0xe4, 0x92, 0x58, 0xfa, 0x7d, 0x1f, 0x20, 0x94, 0x58, 0x5e, 0xbc, 0x19, 0x02, 0x6f}} , + {{0x20, 0xd6, 0xd8, 0x91, 0x54, 0xa7, 0xf3, 0x20, 0x4b, 0x34, 0x06, 0xfa, 0x30, 0xc8, 0x6f, 0x14, 0x10, 0x65, 0x74, 0x13, 0x4e, 0xf0, 0x69, 0x26, 0xce, 0xcf, 0x90, 0xf4, 0xd0, 0xc5, 0xc8, 0x64}}}, +{{{0x26, 0xa2, 0x50, 0x02, 0x24, 0x72, 0xf1, 0xf0, 0x4e, 0x2d, 0x93, 0xd5, 0x08, 0xe7, 0xae, 0x38, 0xf7, 0x18, 0xa5, 0x32, 0x34, 0xc2, 0xf0, 0xa6, 0xec, 0xb9, 0x61, 0x7b, 0x64, 0x99, 0xac, 0x71}} , + {{0x25, 0xcf, 0x74, 0x55, 0x1b, 0xaa, 0xa9, 0x38, 0x41, 0x40, 0xd5, 0x95, 0x95, 0xab, 0x1c, 0x5e, 0xbc, 0x41, 0x7e, 0x14, 0x30, 0xbe, 0x13, 0x89, 0xf4, 0xe5, 
0xeb, 0x28, 0xc0, 0xc2, 0x96, 0x3a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x2b, 0x77, 0x45, 0xec, 0x67, 0x76, 0x32, 0x4c, 0xb9, 0xdf, 0x25, 0x32, 0x6b, 0xcb, 0xe7, 0x14, 0x61, 0x43, 0xee, 0xba, 0x9b, 0x71, 0xef, 0xd2, 0x48, 0x65, 0xbb, 0x1b, 0x8a, 0x13, 0x1b, 0x22}} , + {{0x84, 0xad, 0x0c, 0x18, 0x38, 0x5a, 0xba, 0xd0, 0x98, 0x59, 0xbf, 0x37, 0xb0, 0x4f, 0x97, 0x60, 0x20, 0xb3, 0x9b, 0x97, 0xf6, 0x08, 0x6c, 0xa4, 0xff, 0xfb, 0xb7, 0xfa, 0x95, 0xb2, 0x51, 0x79}}}, +{{{0x28, 0x5c, 0x3f, 0xdb, 0x6b, 0x18, 0x3b, 0x5c, 0xd1, 0x04, 0x28, 0xde, 0x85, 0x52, 0x31, 0xb5, 0xbb, 0xf6, 0xa9, 0xed, 0xbe, 0x28, 0x4f, 0xb3, 0x7e, 0x05, 0x6a, 0xdb, 0x95, 0x0d, 0x1b, 0x1c}} , + {{0xd5, 0xc5, 0xc3, 0x9a, 0x0a, 0xd0, 0x31, 0x3e, 0x07, 0x36, 0x8e, 0xc0, 0x8a, 0x62, 0xb1, 0xca, 0xd6, 0x0e, 0x1e, 0x9d, 0xef, 0xab, 0x98, 0x4d, 0xbb, 0x6c, 0x05, 0xe0, 0xe4, 0x5d, 0xbd, 0x57}}}, +{{{0xcc, 0x21, 0x27, 0xce, 0xfd, 0xa9, 0x94, 0x8e, 0xe1, 0xab, 0x49, 0xe0, 0x46, 0x26, 0xa1, 0xa8, 0x8c, 0xa1, 0x99, 0x1d, 0xb4, 0x27, 0x6d, 0x2d, 0xc8, 0x39, 0x30, 0x5e, 0x37, 0x52, 0xc4, 0x6e}} , + {{0xa9, 0x85, 0xf4, 0xe7, 0xb0, 0x15, 0x33, 0x84, 0x1b, 0x14, 0x1a, 0x02, 0xd9, 0x3b, 0xad, 0x0f, 0x43, 0x6c, 0xea, 0x3e, 0x0f, 0x7e, 0xda, 0xdd, 0x6b, 0x4c, 0x7f, 0x6e, 0xd4, 0x6b, 0xbf, 0x0f}}}, +{{{0x47, 0x9f, 0x7c, 0x56, 0x7c, 0x43, 0x91, 0x1c, 0xbb, 0x4e, 0x72, 0x3e, 0x64, 0xab, 0xa0, 0xa0, 0xdf, 0xb4, 0xd8, 0x87, 0x3a, 0xbd, 0xa8, 0x48, 0xc9, 0xb8, 0xef, 0x2e, 0xad, 0x6f, 0x84, 0x4f}} , + {{0x2d, 0x2d, 0xf0, 0x1b, 0x7e, 0x2a, 0x6c, 0xf8, 0xa9, 0x6a, 0xe1, 0xf0, 0x99, 0xa1, 0x67, 0x9a, 0xd4, 0x13, 0xca, 0xca, 0xba, 0x27, 0x92, 0xaa, 0xa1, 0x5d, 0x50, 
0xde, 0xcc, 0x40, 0x26, 0x0a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x9f, 0x3e, 0xf2, 0xb2, 0x90, 0xce, 0xdb, 0x64, 0x3e, 0x03, 0xdd, 0x37, 0x36, 0x54, 0x70, 0x76, 0x24, 0xb5, 0x69, 0x03, 0xfc, 0xa0, 0x2b, 0x74, 0xb2, 0x05, 0x0e, 0xcc, 0xd8, 0x1f, 0x6a, 0x1f}} , + {{0x19, 0x5e, 0x60, 0x69, 0x58, 0x86, 0xa0, 0x31, 0xbd, 0x32, 0xe9, 0x2c, 0x5c, 0xd2, 0x85, 0xba, 0x40, 0x64, 0xa8, 0x74, 0xf8, 0x0e, 0x1c, 0xb3, 0xa9, 0x69, 0xe8, 0x1e, 0x40, 0x64, 0x99, 0x77}}}, +{{{0x6c, 0x32, 0x4f, 0xfd, 0xbb, 0x5c, 0xbb, 0x8d, 0x64, 0x66, 0x4a, 0x71, 0x1f, 0x79, 0xa3, 0xad, 0x8d, 0xf9, 0xd4, 0xec, 0xcf, 0x67, 0x70, 0xfa, 0x05, 0x4a, 0x0f, 0x6e, 0xaf, 0x87, 0x0a, 0x6f}} , + {{0xc6, 0x36, 0x6e, 0x6c, 0x8c, 0x24, 0x09, 0x60, 0xbe, 0x26, 0xd2, 0x4c, 0x5e, 0x17, 0xca, 0x5f, 0x1d, 0xcc, 0x87, 0xe8, 0x42, 0x6a, 0xcb, 0xcb, 0x7d, 0x92, 0x05, 0x35, 0x81, 0x13, 0x60, 0x6b}}}, +{{{0xf4, 0x15, 0xcd, 0x0f, 0x0a, 0xaf, 0x4e, 0x6b, 0x51, 0xfd, 0x14, 0xc4, 0x2e, 0x13, 0x86, 0x74, 0x44, 0xcb, 0x66, 0x6b, 0xb6, 0x9d, 0x74, 0x56, 0x32, 0xac, 0x8d, 0x8e, 0x8c, 0x8c, 0x8c, 0x39}} , + {{0xca, 0x59, 0x74, 0x1a, 0x11, 0xef, 0x6d, 0xf7, 0x39, 0x5c, 0x3b, 0x1f, 0xfa, 0xe3, 0x40, 0x41, 0x23, 0x9e, 0xf6, 0xd1, 0x21, 0xa2, 0xbf, 0xad, 0x65, 0x42, 0x6b, 0x59, 0x8a, 0xe8, 0xc5, 0x7f}}}, +{{{0x64, 0x05, 0x7a, 0x84, 0x4a, 0x13, 0xc3, 0xf6, 0xb0, 0x6e, 0x9a, 0x6b, 0x53, 0x6b, 0x32, 0xda, 0xd9, 0x74, 0x75, 0xc4, 0xba, 0x64, 0x3d, 0x3b, 0x08, 0xdd, 0x10, 0x46, 0xef, 0xc7, 0x90, 0x1f}} , + {{0x7b, 0x2f, 0x3a, 0xce, 0xc8, 0xa1, 0x79, 0x3c, 0x30, 0x12, 0x44, 0x28, 0xf6, 0xbc, 0xff, 0xfd, 0xf4, 0xc0, 0x97, 0xb0, 0xcc, 0xc3, 0x13, 0x7a, 0xb9, 0x9a, 0x16, 0xe4, 
0xcb, 0x4c, 0x34, 0x63}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x07, 0x4e, 0xd3, 0x2d, 0x09, 0x33, 0x0e, 0xd2, 0x0d, 0xbe, 0x3e, 0xe7, 0xe4, 0xaa, 0xb7, 0x00, 0x8b, 0xe8, 0xad, 0xaa, 0x7a, 0x8d, 0x34, 0x28, 0xa9, 0x81, 0x94, 0xc5, 0xe7, 0x42, 0xac, 0x47}} , + {{0x24, 0x89, 0x7a, 0x8f, 0xb5, 0x9b, 0xf0, 0xc2, 0x03, 0x64, 0xd0, 0x1e, 0xf5, 0xa4, 0xb2, 0xf3, 0x74, 0xe9, 0x1a, 0x16, 0xfd, 0xcb, 0x15, 0xea, 0xeb, 0x10, 0x6c, 0x35, 0xd1, 0xc1, 0xa6, 0x28}}}, +{{{0xcc, 0xd5, 0x39, 0xfc, 0xa5, 0xa4, 0xad, 0x32, 0x15, 0xce, 0x19, 0xe8, 0x34, 0x2b, 0x1c, 0x60, 0x91, 0xfc, 0x05, 0xa9, 0xb3, 0xdc, 0x80, 0x29, 0xc4, 0x20, 0x79, 0x06, 0x39, 0xc0, 0xe2, 0x22}} , + {{0xbb, 0xa8, 0xe1, 0x89, 0x70, 0x57, 0x18, 0x54, 0x3c, 0xf6, 0x0d, 0x82, 0x12, 0x05, 0x87, 0x96, 0x06, 0x39, 0xe3, 0xf8, 0xb3, 0x95, 0xe5, 0xd7, 0x26, 0xbf, 0x09, 0x5a, 0x94, 0xf9, 0x1c, 0x63}}}, +{{{0x2b, 0x8c, 0x2d, 0x9a, 0x8b, 0x84, 0xf2, 0x56, 0xfb, 0xad, 0x2e, 0x7f, 0xb7, 0xfc, 0x30, 0xe1, 0x35, 0x89, 0xba, 0x4d, 0xa8, 0x6d, 0xce, 0x8c, 0x8b, 0x30, 0xe0, 0xda, 0x29, 0x18, 0x11, 0x17}} , + {{0x19, 0xa6, 0x5a, 0x65, 0x93, 0xc3, 0xb5, 0x31, 0x22, 0x4f, 0xf3, 0xf6, 0x0f, 0xeb, 0x28, 0xc3, 0x7c, 0xeb, 0xce, 0x86, 0xec, 0x67, 0x76, 0x6e, 0x35, 0x45, 0x7b, 0xd8, 0x6b, 0x92, 0x01, 0x65}}}, +{{{0x3d, 0xd5, 0x9a, 0x64, 0x73, 0x36, 0xb1, 0xd6, 0x86, 0x98, 0x42, 0x3f, 0x8a, 0xf1, 0xc7, 0xf5, 0x42, 0xa8, 0x9c, 0x52, 0xa8, 0xdc, 0xf9, 0x24, 0x3f, 0x4a, 0xa1, 0xa4, 0x5b, 0xe8, 0x62, 0x1a}} , + {{0xc5, 0xbd, 0xc8, 0x14, 0xd5, 0x0d, 0xeb, 0xe1, 0xa5, 0xe6, 0x83, 0x11, 0x09, 0x00, 0x1d, 0x55, 0x83, 0x51, 0x7e, 0x75, 0x00, 0x81, 0xb9, 0xcb, 0xd8, 0xc5, 0xe5, 0xa1, 0xd9, 
0x17, 0x6d, 0x1f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xea, 0xf9, 0xe4, 0xe9, 0xe1, 0x52, 0x3f, 0x51, 0x19, 0x0d, 0xdd, 0xd9, 0x9d, 0x93, 0x31, 0x87, 0x23, 0x09, 0xd5, 0x83, 0xeb, 0x92, 0x09, 0x76, 0x6e, 0xe3, 0xf8, 0xc0, 0xa2, 0x66, 0xb5, 0x36}} , + {{0x3a, 0xbb, 0x39, 0xed, 0x32, 0x02, 0xe7, 0x43, 0x7a, 0x38, 0x14, 0x84, 0xe3, 0x44, 0xd2, 0x5e, 0x94, 0xdd, 0x78, 0x89, 0x55, 0x4c, 0x73, 0x9e, 0xe1, 0xe4, 0x3e, 0x43, 0xd0, 0x4a, 0xde, 0x1b}}}, +{{{0xb2, 0xe7, 0x8f, 0xe3, 0xa3, 0xc5, 0xcb, 0x72, 0xee, 0x79, 0x41, 0xf8, 0xdf, 0xee, 0x65, 0xc5, 0x45, 0x77, 0x27, 0x3c, 0xbd, 0x58, 0xd3, 0x75, 0xe2, 0x04, 0x4b, 0xbb, 0x65, 0xf3, 0xc8, 0x0f}} , + {{0x24, 0x7b, 0x93, 0x34, 0xb5, 0xe2, 0x74, 0x48, 0xcd, 0xa0, 0x0b, 0x92, 0x97, 0x66, 0x39, 0xf4, 0xb0, 0xe2, 0x5d, 0x39, 0x6a, 0x5b, 0x45, 0x17, 0x78, 0x1e, 0xdb, 0x91, 0x81, 0x1c, 0xf9, 0x16}}}, +{{{0x16, 0xdf, 0xd1, 0x5a, 0xd5, 0xe9, 0x4e, 0x58, 0x95, 0x93, 0x5f, 0x51, 0x09, 0xc3, 0x2a, 0xc9, 0xd4, 0x55, 0x48, 0x79, 0xa4, 0xa3, 0xb2, 0xc3, 0x62, 0xaa, 0x8c, 0xe8, 0xad, 0x47, 0x39, 0x1b}} , + {{0x46, 0xda, 0x9e, 0x51, 0x3a, 0xe6, 0xd1, 0xa6, 0xbb, 0x4d, 0x7b, 0x08, 0xbe, 0x8c, 0xd5, 0xf3, 0x3f, 0xfd, 0xf7, 0x44, 0x80, 0x2d, 0x53, 0x4b, 0xd0, 0x87, 0x68, 0xc1, 0xb5, 0xd8, 0xf7, 0x07}}}, +{{{0xf4, 0x10, 0x46, 0xbe, 0xb7, 0xd2, 0xd1, 0xce, 0x5e, 0x76, 0xa2, 0xd7, 0x03, 0xdc, 0xe4, 0x81, 0x5a, 0xf6, 0x3c, 0xde, 0xae, 0x7a, 0x9d, 0x21, 0x34, 0xa5, 0xf6, 0xa9, 0x73, 0xe2, 0x8d, 0x60}} , + {{0xfa, 0x44, 0x71, 0xf6, 0x41, 0xd8, 0xc6, 0x58, 0x13, 0x37, 0xeb, 0x84, 0x0f, 0x96, 0xc7, 0xdc, 0xc8, 0xa9, 0x7a, 0x83, 0xb2, 0x2f, 0x31, 0xb1, 0x1a, 0xd8, 0x98, 0x3f, 0x11, 0xd0, 
0x31, 0x3b}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x81, 0xd5, 0x34, 0x16, 0x01, 0xa3, 0x93, 0xea, 0x52, 0x94, 0xec, 0x93, 0xb7, 0x81, 0x11, 0x2d, 0x58, 0xf9, 0xb5, 0x0a, 0xaa, 0x4f, 0xf6, 0x2e, 0x3f, 0x36, 0xbf, 0x33, 0x5a, 0xe7, 0xd1, 0x08}} , + {{0x1a, 0xcf, 0x42, 0xae, 0xcc, 0xb5, 0x77, 0x39, 0xc4, 0x5b, 0x5b, 0xd0, 0x26, 0x59, 0x27, 0xd0, 0x55, 0x71, 0x12, 0x9d, 0x88, 0x3d, 0x9c, 0xea, 0x41, 0x6a, 0xf0, 0x50, 0x93, 0x93, 0xdd, 0x47}}}, +{{{0x6f, 0xc9, 0x51, 0x6d, 0x1c, 0xaa, 0xf5, 0xa5, 0x90, 0x3f, 0x14, 0xe2, 0x6e, 0x8e, 0x64, 0xfd, 0xac, 0xe0, 0x4e, 0x22, 0xe5, 0xc1, 0xbc, 0x29, 0x0a, 0x6a, 0x9e, 0xa1, 0x60, 0xcb, 0x2f, 0x0b}} , + {{0xdc, 0x39, 0x32, 0xf3, 0xa1, 0x44, 0xe9, 0xc5, 0xc3, 0x78, 0xfb, 0x95, 0x47, 0x34, 0x35, 0x34, 0xe8, 0x25, 0xde, 0x93, 0xc6, 0xb4, 0x76, 0x6d, 0x86, 0x13, 0xc6, 0xe9, 0x68, 0xb5, 0x01, 0x63}}}, +{{{0x1f, 0x9a, 0x52, 0x64, 0x97, 0xd9, 0x1c, 0x08, 0x51, 0x6f, 0x26, 0x9d, 0xaa, 0x93, 0x33, 0x43, 0xfa, 0x77, 0xe9, 0x62, 0x9b, 0x5d, 0x18, 0x75, 0xeb, 0x78, 0xf7, 0x87, 0x8f, 0x41, 0xb4, 0x4d}} , + {{0x13, 0xa8, 0x82, 0x3e, 0xe9, 0x13, 0xad, 0xeb, 0x01, 0xca, 0xcf, 0xda, 0xcd, 0xf7, 0x6c, 0xc7, 0x7a, 0xdc, 0x1e, 0x6e, 0xc8, 0x4e, 0x55, 0x62, 0x80, 0xea, 0x78, 0x0c, 0x86, 0xb9, 0x40, 0x51}}}, +{{{0x27, 0xae, 0xd3, 0x0d, 0x4c, 0x8f, 0x34, 0xea, 0x7d, 0x3c, 0xe5, 0x8a, 0xcf, 0x5b, 0x92, 0xd8, 0x30, 0x16, 0xb4, 0xa3, 0x75, 0xff, 0xeb, 0x27, 0xc8, 0x5c, 0x6c, 0xc2, 0xee, 0x6c, 0x21, 0x0b}} , + {{0xc3, 0xba, 0x12, 0x53, 0x2a, 0xaa, 0x77, 0xad, 0x19, 0x78, 0x55, 0x8a, 0x2e, 0x60, 0x87, 0xc2, 0x6e, 0x91, 0x38, 0x91, 0x3f, 0x7a, 0xc5, 0x24, 0x8f, 0x51, 0xc5, 0xde, 0xb0, 0x53, 0x30, 
0x56}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x02, 0xfe, 0x54, 0x12, 0x18, 0xca, 0x7d, 0xa5, 0x68, 0x43, 0xa3, 0x6d, 0x14, 0x2a, 0x6a, 0xa5, 0x8e, 0x32, 0xe7, 0x63, 0x4f, 0xe3, 0xc6, 0x44, 0x3e, 0xab, 0x63, 0xca, 0x17, 0x86, 0x74, 0x3f}} , + {{0x1e, 0x64, 0xc1, 0x7d, 0x52, 0xdc, 0x13, 0x5a, 0xa1, 0x9c, 0x4e, 0xee, 0x99, 0x28, 0xbb, 0x4c, 0xee, 0xac, 0xa9, 0x1b, 0x89, 0xa2, 0x38, 0x39, 0x7b, 0xc4, 0x0f, 0x42, 0xe6, 0x89, 0xed, 0x0f}}}, +{{{0xf3, 0x3c, 0x8c, 0x80, 0x83, 0x10, 0x8a, 0x37, 0x50, 0x9c, 0xb4, 0xdf, 0x3f, 0x8c, 0xf7, 0x23, 0x07, 0xd6, 0xff, 0xa0, 0x82, 0x6c, 0x75, 0x3b, 0xe4, 0xb5, 0xbb, 0xe4, 0xe6, 0x50, 0xf0, 0x08}} , + {{0x62, 0xee, 0x75, 0x48, 0x92, 0x33, 0xf2, 0xf4, 0xad, 0x15, 0x7a, 0xa1, 0x01, 0x46, 0xa9, 0x32, 0x06, 0x88, 0xb6, 0x36, 0x47, 0x35, 0xb9, 0xb4, 0x42, 0x85, 0x76, 0xf0, 0x48, 0x00, 0x90, 0x38}}}, +{{{0x51, 0x15, 0x9d, 0xc3, 0x95, 0xd1, 0x39, 0xbb, 0x64, 0x9d, 0x15, 0x81, 0xc1, 0x68, 0xd0, 0xb6, 0xa4, 0x2c, 0x7d, 0x5e, 0x02, 0x39, 0x00, 0xe0, 0x3b, 0xa4, 0xcc, 0xca, 0x1d, 0x81, 0x24, 0x10}} , + {{0xe7, 0x29, 0xf9, 0x37, 0xd9, 0x46, 0x5a, 0xcd, 0x70, 0xfe, 0x4d, 0x5b, 0xbf, 0xa5, 0xcf, 0x91, 0xf4, 0xef, 0xee, 0x8a, 0x29, 0xd0, 0xe7, 0xc4, 0x25, 0x92, 0x8a, 0xff, 0x36, 0xfc, 0xe4, 0x49}}}, +{{{0xbd, 0x00, 0xb9, 0x04, 0x7d, 0x35, 0xfc, 0xeb, 0xd0, 0x0b, 0x05, 0x32, 0x52, 0x7a, 0x89, 0x24, 0x75, 0x50, 0xe1, 0x63, 0x02, 0x82, 0x8e, 0xe7, 0x85, 0x0c, 0xf2, 0x56, 0x44, 0x37, 0x83, 0x25}} , + {{0x8f, 0xa1, 0xce, 0xcb, 0x60, 0xda, 0x12, 0x02, 0x1e, 0x29, 0x39, 0x2a, 0x03, 0xb7, 0xeb, 0x77, 0x40, 0xea, 0xc9, 0x2b, 0x2c, 0xd5, 0x7d, 0x7e, 0x2c, 0xc7, 0x5a, 0xfd, 0xff, 0xc4, 0xd1, 0x62}}}, 
+{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x1d, 0x88, 0x98, 0x5b, 0x4e, 0xfc, 0x41, 0x24, 0x05, 0xe6, 0x50, 0x2b, 0xae, 0x96, 0x51, 0xd9, 0x6b, 0x72, 0xb2, 0x33, 0x42, 0x98, 0x68, 0xbb, 0x10, 0x5a, 0x7a, 0x8c, 0x9d, 0x07, 0xb4, 0x05}} , + {{0x2f, 0x61, 0x9f, 0xd7, 0xa8, 0x3f, 0x83, 0x8c, 0x10, 0x69, 0x90, 0xe6, 0xcf, 0xd2, 0x63, 0xa3, 0xe4, 0x54, 0x7e, 0xe5, 0x69, 0x13, 0x1c, 0x90, 0x57, 0xaa, 0xe9, 0x53, 0x22, 0x43, 0x29, 0x23}}}, +{{{0xe5, 0x1c, 0xf8, 0x0a, 0xfd, 0x2d, 0x7e, 0xf5, 0xf5, 0x70, 0x7d, 0x41, 0x6b, 0x11, 0xfe, 0xbe, 0x99, 0xd1, 0x55, 0x29, 0x31, 0xbf, 0xc0, 0x97, 0x6c, 0xd5, 0x35, 0xcc, 0x5e, 0x8b, 0xd9, 0x69}} , + {{0x8e, 0x4e, 0x9f, 0x25, 0xf8, 0x81, 0x54, 0x2d, 0x0e, 0xd5, 0x54, 0x81, 0x9b, 0xa6, 0x92, 0xce, 0x4b, 0xe9, 0x8f, 0x24, 0x3b, 0xca, 0xe0, 0x44, 0xab, 0x36, 0xfe, 0xfb, 0x87, 0xd4, 0x26, 0x3e}}}, +{{{0x0f, 0x93, 0x9c, 0x11, 0xe7, 0xdb, 0xf1, 0xf0, 0x85, 0x43, 0x28, 0x15, 0x37, 0xdd, 0xde, 0x27, 0xdf, 0xad, 0x3e, 0x49, 0x4f, 0xe0, 0x5b, 0xf6, 0x80, 0x59, 0x15, 0x3c, 0x85, 0xb7, 0x3e, 0x12}} , + {{0xf5, 0xff, 0xcc, 0xf0, 0xb4, 0x12, 0x03, 0x5f, 0xc9, 0x84, 0xcb, 0x1d, 0x17, 0xe0, 0xbc, 0xcc, 0x03, 0x62, 0xa9, 0x8b, 0x94, 0xa6, 0xaa, 0x18, 0xcb, 0x27, 0x8d, 0x49, 0xa6, 0x17, 0x15, 0x07}}}, +{{{0xd9, 0xb6, 0xd4, 0x9d, 0xd4, 0x6a, 0xaf, 0x70, 0x07, 0x2c, 0x10, 0x9e, 0xbd, 0x11, 0xad, 0xe4, 0x26, 0x33, 0x70, 0x92, 0x78, 0x1c, 0x74, 0x9f, 0x75, 0x60, 0x56, 0xf4, 0x39, 0xa8, 0xa8, 0x62}} , + {{0x3b, 0xbf, 0x55, 0x35, 0x61, 0x8b, 0x44, 0x97, 0xe8, 0x3a, 0x55, 0xc1, 0xc8, 0x3b, 0xfd, 0x95, 0x29, 0x11, 0x60, 0x96, 0x1e, 0xcb, 0x11, 0x9d, 0xc2, 0x03, 0x8a, 0x1b, 0xc6, 0xd6, 0x45, 0x3d}}}, +{{{0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x7e, 0x0e, 0x50, 0xb2, 0xcc, 0x0d, 0x6b, 0xa6, 0x71, 0x5b, 0x42, 0xed, 0xbd, 0xaf, 0xac, 0xf0, 0xfc, 0x12, 0xa2, 0x3f, 0x4e, 0xda, 0xe8, 0x11, 0xf3, 0x23, 0xe1, 0x04, 0x62, 0x03, 0x1c, 0x4e}} , + {{0xc8, 0xb1, 0x1b, 0x6f, 0x73, 0x61, 0x3d, 0x27, 0x0d, 0x7d, 0x7a, 0x25, 0x5f, 0x73, 0x0e, 0x2f, 0x93, 0xf6, 0x24, 0xd8, 0x4f, 0x90, 0xac, 0xa2, 0x62, 0x0a, 0xf0, 0x61, 0xd9, 0x08, 0x59, 0x6a}}}, +{{{0x6f, 0x2d, 0x55, 0xf8, 0x2f, 0x8e, 0xf0, 0x18, 0x3b, 0xea, 0xdd, 0x26, 0x72, 0xd1, 0xf5, 0xfe, 0xe5, 0xb8, 0xe6, 0xd3, 0x10, 0x48, 0x46, 0x49, 0x3a, 0x9f, 0x5e, 0x45, 0x6b, 0x90, 0xe8, 0x7f}} , + {{0xd3, 0x76, 0x69, 0x33, 0x7b, 0xb9, 0x40, 0x70, 0xee, 0xa6, 0x29, 0x6b, 0xdd, 0xd0, 0x5d, 0x8d, 0xc1, 0x3e, 0x4a, 0xea, 0x37, 0xb1, 0x03, 0x02, 0x03, 0x35, 0xf1, 0x28, 0x9d, 0xff, 0x00, 0x13}}}, +{{{0x7a, 0xdb, 0x12, 0xd2, 0x8a, 0x82, 0x03, 0x1b, 0x1e, 0xaf, 0xf9, 0x4b, 0x9c, 0xbe, 0xae, 0x7c, 0xe4, 0x94, 0x2a, 0x23, 0xb3, 0x62, 0x86, 0xe7, 0xfd, 0x23, 0xaa, 0x99, 0xbd, 0x2b, 0x11, 0x6c}} , + {{0x8d, 0xa6, 0xd5, 0xac, 0x9d, 0xcc, 0x68, 0x75, 0x7f, 0xc3, 0x4d, 0x4b, 0xdd, 0x6c, 0xbb, 0x11, 0x5a, 0x60, 0xe5, 0xbd, 0x7d, 0x27, 0x8b, 0xda, 0xb4, 0x95, 0xf6, 0x03, 0x27, 0xa4, 0x92, 0x3f}}}, +{{{0x22, 0xd6, 0xb5, 0x17, 0x84, 0xbf, 0x12, 0xcc, 0x23, 0x14, 0x4a, 0xdf, 0x14, 0x31, 0xbc, 0xa1, 0xac, 0x6e, 0xab, 0xfa, 0x57, 0x11, 0x53, 0xb3, 0x27, 0xe6, 0xf9, 0x47, 0x33, 0x44, 0x34, 0x1e}} , + {{0x79, 0xfc, 0xa6, 0xb4, 0x0b, 0x35, 0x20, 0xc9, 0x4d, 0x22, 0x84, 0xc4, 0xa9, 0x20, 0xec, 0x89, 0x94, 0xba, 0x66, 0x56, 0x48, 0xb9, 0x87, 0x7f, 0xca, 0x1e, 0x06, 0xed, 0xa5, 0x55, 0x59, 0x29}}}, +{{{0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x56, 0xe1, 0xf5, 0xf1, 0xd5, 0xab, 0xa8, 0x2b, 0xae, 0x89, 0xf3, 0xcf, 0x56, 0x9f, 0xf2, 0x4b, 0x31, 0xbc, 0x18, 0xa9, 0x06, 0x5b, 0xbe, 0xb4, 0x61, 0xf8, 0xb2, 0x06, 0x9c, 0x81, 0xab, 0x4c}} , + {{0x1f, 0x68, 0x76, 0x01, 0x16, 0x38, 0x2b, 0x0f, 0x77, 0x97, 0x92, 0x67, 0x4e, 0x86, 0x6a, 0x8b, 0xe5, 0xe8, 0x0c, 0xf7, 0x36, 0x39, 0xb5, 0x33, 0xe6, 0xcf, 0x5e, 0xbd, 0x18, 0xfb, 0x10, 0x1f}}}, +{{{0x83, 0xf0, 0x0d, 0x63, 0xef, 0x53, 0x6b, 0xb5, 0x6b, 0xf9, 0x83, 0xcf, 0xde, 0x04, 0x22, 0x9b, 0x2c, 0x0a, 0xe0, 0xa5, 0xd8, 0xc7, 0x9c, 0xa5, 0xa3, 0xf6, 0x6f, 0xcf, 0x90, 0x6b, 0x68, 0x7c}} , + {{0x33, 0x15, 0xd7, 0x7f, 0x1a, 0xd5, 0x21, 0x58, 0xc4, 0x18, 0xa5, 0xf0, 0xcc, 0x73, 0xa8, 0xfd, 0xfa, 0x18, 0xd1, 0x03, 0x91, 0x8d, 0x52, 0xd2, 0xa3, 0xa4, 0xd3, 0xb1, 0xea, 0x1d, 0x0f, 0x00}}}, +{{{0xcc, 0x48, 0x83, 0x90, 0xe5, 0xfd, 0x3f, 0x84, 0xaa, 0xf9, 0x8b, 0x82, 0x59, 0x24, 0x34, 0x68, 0x4f, 0x1c, 0x23, 0xd9, 0xcc, 0x71, 0xe1, 0x7f, 0x8c, 0xaf, 0xf1, 0xee, 0x00, 0xb6, 0xa0, 0x77}} , + {{0xf5, 0x1a, 0x61, 0xf7, 0x37, 0x9d, 0x00, 0xf4, 0xf2, 0x69, 0x6f, 0x4b, 0x01, 0x85, 0x19, 0x45, 0x4d, 0x7f, 0x02, 0x7c, 0x6a, 0x05, 0x47, 0x6c, 0x1f, 0x81, 0x20, 0xd4, 0xe8, 0x50, 0x27, 0x72}}}, +{{{0x2c, 0x3a, 0xe5, 0xad, 0xf4, 0xdd, 0x2d, 0xf7, 0x5c, 0x44, 0xb5, 0x5b, 0x21, 0xa3, 0x89, 0x5f, 0x96, 0x45, 0xca, 0x4d, 0xa4, 0x21, 0x99, 0x70, 0xda, 0xc4, 0xc4, 0xa0, 0xe5, 0xf4, 0xec, 0x0a}} , + {{0x07, 0x68, 0x21, 0x65, 0xe9, 0x08, 0xa0, 0x0b, 0x6a, 0x4a, 0xba, 0xb5, 0x80, 0xaf, 0xd0, 0x1b, 0xc5, 0xf5, 0x4b, 0x73, 0x50, 0x60, 0x2d, 0x71, 0x69, 0x61, 0x0e, 0xc0, 0x20, 0x40, 0x30, 0x19}}}, +{{{0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xd0, 0x75, 0x57, 0x3b, 0xeb, 0x5c, 0x14, 0x56, 0x50, 0xc9, 0x4f, 0xb8, 0xb8, 0x1e, 0xa3, 0xf4, 0xab, 0xf5, 0xa9, 0x20, 0x15, 0x94, 0x82, 0xda, 0x96, 0x1c, 0x9b, 0x59, 0x8c, 0xff, 0xf4, 0x51}} , + {{0xc1, 0x3a, 0x86, 0xd7, 0xb0, 0x06, 0x84, 0x7f, 0x1b, 0xbd, 0xd4, 0x07, 0x78, 0x80, 0x2e, 0xb1, 0xb4, 0xee, 0x52, 0x38, 0xee, 0x9a, 0xf9, 0xf6, 0xf3, 0x41, 0x6e, 0xd4, 0x88, 0x95, 0xac, 0x35}}}, +{{{0x41, 0x97, 0xbf, 0x71, 0x6a, 0x9b, 0x72, 0xec, 0xf3, 0xf8, 0x6b, 0xe6, 0x0e, 0x6c, 0x69, 0xa5, 0x2f, 0x68, 0x52, 0xd8, 0x61, 0x81, 0xc0, 0x63, 0x3f, 0xa6, 0x3c, 0x13, 0x90, 0xe6, 0x8d, 0x56}} , + {{0xe8, 0x39, 0x30, 0x77, 0x23, 0xb1, 0xfd, 0x1b, 0x3d, 0x3e, 0x74, 0x4d, 0x7f, 0xae, 0x5b, 0x3a, 0xb4, 0x65, 0x0e, 0x3a, 0x43, 0xdc, 0xdc, 0x41, 0x47, 0xe6, 0xe8, 0x92, 0x09, 0x22, 0x48, 0x4c}}}, +{{{0x85, 0x57, 0x9f, 0xb5, 0xc8, 0x06, 0xb2, 0x9f, 0x47, 0x3f, 0xf0, 0xfa, 0xe6, 0xa9, 0xb1, 0x9b, 0x6f, 0x96, 0x7d, 0xf9, 0xa4, 0x65, 0x09, 0x75, 0x32, 0xa6, 0x6c, 0x7f, 0x47, 0x4b, 0x2f, 0x4f}} , + {{0x34, 0xe9, 0x59, 0x93, 0x9d, 0x26, 0x80, 0x54, 0xf2, 0xcc, 0x3c, 0xc2, 0x25, 0x85, 0xe3, 0x6a, 0xc1, 0x62, 0x04, 0xa7, 0x08, 0x32, 0x6d, 0xa1, 0x39, 0x84, 0x8a, 0x3b, 0x87, 0x5f, 0x11, 0x13}}}, +{{{0xda, 0x03, 0x34, 0x66, 0xc4, 0x0c, 0x73, 0x6e, 0xbc, 0x24, 0xb5, 0xf9, 0x70, 0x81, 0x52, 0xe9, 0xf4, 0x7c, 0x23, 0xdd, 0x9f, 0xb8, 0x46, 0xef, 0x1d, 0x22, 0x55, 0x7d, 0x71, 0xc4, 0x42, 0x33}} , + {{0xc5, 0x37, 0x69, 0x5b, 0xa8, 0xc6, 0x9d, 0xa4, 0xfc, 0x61, 0x6e, 0x68, 0x46, 0xea, 0xd7, 0x1c, 0x67, 0xd2, 0x7d, 0xfa, 0xf1, 0xcc, 0x54, 0x8d, 0x36, 0x35, 0xc9, 0x00, 0xdf, 0x6c, 0x67, 0x50}}}, +{{{0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x9a, 0x4d, 0x42, 0x29, 0x5d, 0xa4, 0x6b, 0x6f, 0xa8, 0x8a, 0x4d, 0x91, 0x7b, 0xd2, 0xdf, 0x36, 0xef, 0x01, 0x22, 0xc5, 0xcc, 0x8d, 0xeb, 0x58, 0x3d, 0xb3, 0x50, 0xfc, 0x8b, 0x97, 0x96, 0x33}} , + {{0x93, 0x33, 0x07, 0xc8, 0x4a, 0xca, 0xd0, 0xb1, 0xab, 0xbd, 0xdd, 0xa7, 0x7c, 0xac, 0x3e, 0x45, 0xcb, 0xcc, 0x07, 0x91, 0xbf, 0x35, 0x9d, 0xcb, 0x7d, 0x12, 0x3c, 0x11, 0x59, 0x13, 0xcf, 0x5c}}}, +{{{0x45, 0xb8, 0x41, 0xd7, 0xab, 0x07, 0x15, 0x00, 0x8e, 0xce, 0xdf, 0xb2, 0x43, 0x5c, 0x01, 0xdc, 0xf4, 0x01, 0x51, 0x95, 0x10, 0x5a, 0xf6, 0x24, 0x24, 0xa0, 0x19, 0x3a, 0x09, 0x2a, 0xaa, 0x3f}} , + {{0xdc, 0x8e, 0xeb, 0xc6, 0xbf, 0xdd, 0x11, 0x7b, 0xe7, 0x47, 0xe6, 0xce, 0xe7, 0xb6, 0xc5, 0xe8, 0x8a, 0xdc, 0x4b, 0x57, 0x15, 0x3b, 0x66, 0xca, 0x89, 0xa3, 0xfd, 0xac, 0x0d, 0xe1, 0x1d, 0x7a}}}, +{{{0x89, 0xef, 0xbf, 0x03, 0x75, 0xd0, 0x29, 0x50, 0xcb, 0x7d, 0xd6, 0xbe, 0xad, 0x5f, 0x7b, 0x00, 0x32, 0xaa, 0x98, 0xed, 0x3f, 0x8f, 0x92, 0xcb, 0x81, 0x56, 0x01, 0x63, 0x64, 0xa3, 0x38, 0x39}} , + {{0x8b, 0xa4, 0xd6, 0x50, 0xb4, 0xaa, 0x5d, 0x64, 0x64, 0x76, 0x2e, 0xa1, 0xa6, 0xb3, 0xb8, 0x7c, 0x7a, 0x56, 0xf5, 0x5c, 0x4e, 0x84, 0x5c, 0xfb, 0xdd, 0xca, 0x48, 0x8b, 0x48, 0xb9, 0xba, 0x34}}}, +{{{0xc5, 0xe3, 0xe8, 0xae, 0x17, 0x27, 0xe3, 0x64, 0x60, 0x71, 0x47, 0x29, 0x02, 0x0f, 0x92, 0x5d, 0x10, 0x93, 0xc8, 0x0e, 0xa1, 0xed, 0xba, 0xa9, 0x96, 0x1c, 0xc5, 0x76, 0x30, 0xcd, 0xf9, 0x30}} , + {{0x95, 0xb0, 0xbd, 0x8c, 0xbc, 0xa7, 0x4f, 0x7e, 0xfd, 0x4e, 0x3a, 0xbf, 0x5f, 0x04, 0x79, 0x80, 0x2b, 0x5a, 0x9f, 0x4f, 0x68, 0x21, 0x19, 0x71, 0xc6, 0x20, 0x01, 0x42, 0xaa, 0xdf, 0xae, 0x2c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x90, 0x6e, 0x7e, 0x4b, 0x71, 0x93, 0xc0, 0x72, 0xed, 0xeb, 0x71, 0x24, 0x97, 0x26, 0x9c, 0xfe, 0xcb, 0x3e, 0x59, 0x19, 0xa8, 0x0f, 0x75, 0x7d, 0xbe, 0x18, 0xe6, 0x96, 0x1e, 0x95, 0x70, 0x60}} , + {{0x89, 0x66, 0x3e, 0x1d, 0x4c, 0x5f, 0xfe, 0xc0, 0x04, 0x43, 0xd6, 0x44, 0x19, 0xb5, 0xad, 0xc7, 0x22, 0xdc, 0x71, 0x28, 0x64, 0xde, 0x41, 0x38, 0x27, 0x8f, 0x2c, 0x6b, 0x08, 0xb8, 0xb8, 0x7b}}}, +{{{0x3d, 0x70, 0x27, 0x9d, 0xd9, 0xaf, 0xb1, 0x27, 0xaf, 0xe3, 0x5d, 0x1e, 0x3a, 0x30, 0x54, 0x61, 0x60, 0xe8, 0xc3, 0x26, 0x3a, 0xbc, 0x7e, 0xf5, 0x81, 0xdd, 0x64, 0x01, 0x04, 0xeb, 0xc0, 0x1e}} , + {{0xda, 0x2c, 0xa4, 0xd1, 0xa1, 0xc3, 0x5c, 0x6e, 0x32, 0x07, 0x1f, 0xb8, 0x0e, 0x19, 0x9e, 0x99, 0x29, 0x33, 0x9a, 0xae, 0x7a, 0xed, 0x68, 0x42, 0x69, 0x7c, 0x07, 0xb3, 0x38, 0x2c, 0xf6, 0x3d}}}, +{{{0x64, 0xaa, 0xb5, 0x88, 0x79, 0x65, 0x38, 0x8c, 0x94, 0xd6, 0x62, 0x37, 0x7d, 0x64, 0xcd, 0x3a, 0xeb, 0xff, 0xe8, 0x81, 0x09, 0xc7, 0x6a, 0x50, 0x09, 0x0d, 0x28, 0x03, 0x0d, 0x9a, 0x93, 0x0a}} , + {{0x42, 0xa3, 0xf1, 0xc5, 0xb4, 0x0f, 0xd8, 0xc8, 0x8d, 0x15, 0x31, 0xbd, 0xf8, 0x07, 0x8b, 0xcd, 0x08, 0x8a, 0xfb, 0x18, 0x07, 0xfe, 0x8e, 0x52, 0x86, 0xef, 0xbe, 0xec, 0x49, 0x52, 0x99, 0x08}}}, +{{{0x0f, 0xa9, 0xd5, 0x01, 0xaa, 0x48, 0x4f, 0x28, 0x66, 0x32, 0x1a, 0xba, 0x7c, 0xea, 0x11, 0x80, 0x17, 0x18, 0x9b, 0x56, 0x88, 0x25, 0x06, 0x69, 0x12, 0x2c, 0xea, 0x56, 0x69, 0x41, 0x24, 0x19}} , + {{0xde, 0x21, 0xf0, 0xda, 0x8a, 0xfb, 0xb1, 0xb8, 0xcd, 0xc8, 0x6a, 0x82, 0x19, 0x73, 0xdb, 0xc7, 0xcf, 0x88, 0xeb, 0x96, 0xee, 0x6f, 0xfb, 0x06, 0xd2, 0xcd, 0x7d, 0x7b, 0x12, 0x28, 0x8e, 0x0c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x93, 0x44, 0x97, 0xce, 0x28, 0xff, 0x3a, 0x40, 0xc4, 0xf5, 0xf6, 0x9b, 0xf4, 0x6b, 0x07, 0x84, 0xfb, 0x98, 0xd8, 0xec, 0x8c, 0x03, 0x57, 0xec, 0x49, 0xed, 0x63, 0xb6, 0xaa, 0xff, 0x98, 0x28}} , + {{0x3d, 0x16, 0x35, 0xf3, 0x46, 0xbc, 0xb3, 0xf4, 0xc6, 0xb6, 0x4f, 0xfa, 0xf4, 0xa0, 0x13, 0xe6, 0x57, 0x45, 0x93, 0xb9, 0xbc, 0xd6, 0x59, 0xe7, 0x77, 0x94, 0x6c, 0xab, 0x96, 0x3b, 0x4f, 0x09}}}, +{{{0x5a, 0xf7, 0x6b, 0x01, 0x12, 0x4f, 0x51, 0xc1, 0x70, 0x84, 0x94, 0x47, 0xb2, 0x01, 0x6c, 0x71, 0xd7, 0xcc, 0x17, 0x66, 0x0f, 0x59, 0x5d, 0x5d, 0x10, 0x01, 0x57, 0x11, 0xf5, 0xdd, 0xe2, 0x34}} , + {{0x26, 0xd9, 0x1f, 0x5c, 0x58, 0xac, 0x8b, 0x03, 0xd2, 0xc3, 0x85, 0x0f, 0x3a, 0xc3, 0x7f, 0x6d, 0x8e, 0x86, 0xcd, 0x52, 0x74, 0x8f, 0x55, 0x77, 0x17, 0xb7, 0x8e, 0xb7, 0x88, 0xea, 0xda, 0x1b}}}, +{{{0xb6, 0xea, 0x0e, 0x40, 0x93, 0x20, 0x79, 0x35, 0x6a, 0x61, 0x84, 0x5a, 0x07, 0x6d, 0xf9, 0x77, 0x6f, 0xed, 0x69, 0x1c, 0x0d, 0x25, 0x76, 0xcc, 0xf0, 0xdb, 0xbb, 0xc5, 0xad, 0xe2, 0x26, 0x57}} , + {{0xcf, 0xe8, 0x0e, 0x6b, 0x96, 0x7d, 0xed, 0x27, 0xd1, 0x3c, 0xa9, 0xd9, 0x50, 0xa9, 0x98, 0x84, 0x5e, 0x86, 0xef, 0xd6, 0xf0, 0xf8, 0x0e, 0x89, 0x05, 0x2f, 0xd9, 0x5f, 0x15, 0x5f, 0x73, 0x79}}}, +{{{0xc8, 0x5c, 0x16, 0xfe, 0xed, 0x9f, 0x26, 0x56, 0xf6, 0x4b, 0x9f, 0xa7, 0x0a, 0x85, 0xfe, 0xa5, 0x8c, 0x87, 0xdd, 0x98, 0xce, 0x4e, 0xc3, 0x58, 0x55, 0xb2, 0x7b, 0x3d, 0xd8, 0x6b, 0xb5, 0x4c}} , + {{0x65, 0x38, 0xa0, 0x15, 0xfa, 0xa7, 0xb4, 0x8f, 0xeb, 0xc4, 0x86, 0x9b, 0x30, 0xa5, 0x5e, 0x4d, 0xea, 0x8a, 0x9a, 0x9f, 0x1a, 0xd8, 0x5b, 0x53, 0x14, 0x19, 0x25, 0x63, 0xb4, 0x6f, 0x1f, 0x5d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xac, 0x8f, 0xbc, 0x1e, 0x7d, 0x8b, 0x5a, 0x0b, 0x8d, 0xaf, 0x76, 0x2e, 0x71, 0xe3, 0x3b, 0x6f, 0x53, 0x2f, 0x3e, 0x90, 0x95, 0xd4, 0x35, 0x14, 0x4f, 0x8c, 0x3c, 0xce, 0x57, 0x1c, 0x76, 0x49}} , + {{0xa8, 0x50, 0xe1, 0x61, 0x6b, 0x57, 0x35, 0xeb, 0x44, 0x0b, 0x0c, 0x6e, 0xf9, 0x25, 0x80, 0x74, 0xf2, 0x8f, 0x6f, 0x7a, 0x3e, 0x7f, 0x2d, 0xf3, 0x4e, 0x09, 0x65, 0x10, 0x5e, 0x03, 0x25, 0x32}}}, +{{{0xa9, 0x60, 0xdc, 0x0f, 0x64, 0xe5, 0x1d, 0xe2, 0x8d, 0x4f, 0x79, 0x2f, 0x0e, 0x24, 0x02, 0x00, 0x05, 0x77, 0x43, 0x25, 0x3d, 0x6a, 0xc7, 0xb7, 0xbf, 0x04, 0x08, 0x65, 0xf4, 0x39, 0x4b, 0x65}} , + {{0x96, 0x19, 0x12, 0x6b, 0x6a, 0xb7, 0xe3, 0xdc, 0x45, 0x9b, 0xdb, 0xb4, 0xa8, 0xae, 0xdc, 0xa8, 0x14, 0x44, 0x65, 0x62, 0xce, 0x34, 0x9a, 0x84, 0x18, 0x12, 0x01, 0xf1, 0xe2, 0x7b, 0xce, 0x50}}}, +{{{0x41, 0x21, 0x30, 0x53, 0x1b, 0x47, 0x01, 0xb7, 0x18, 0xd8, 0x82, 0x57, 0xbd, 0xa3, 0x60, 0xf0, 0x32, 0xf6, 0x5b, 0xf0, 0x30, 0x88, 0x91, 0x59, 0xfd, 0x90, 0xa2, 0xb9, 0x55, 0x93, 0x21, 0x34}} , + {{0x97, 0x67, 0x9e, 0xeb, 0x6a, 0xf9, 0x6e, 0xd6, 0x73, 0xe8, 0x6b, 0x29, 0xec, 0x63, 0x82, 0x00, 0xa8, 0x99, 0x1c, 0x1d, 0x30, 0xc8, 0x90, 0x52, 0x90, 0xb6, 0x6a, 0x80, 0x4e, 0xff, 0x4b, 0x51}}}, +{{{0x0f, 0x7d, 0x63, 0x8c, 0x6e, 0x5c, 0xde, 0x30, 0xdf, 0x65, 0xfa, 0x2e, 0xb0, 0xa3, 0x25, 0x05, 0x54, 0xbd, 0x25, 0xba, 0x06, 0xae, 0xdf, 0x8b, 0xd9, 0x1b, 0xea, 0x38, 0xb3, 0x05, 0x16, 0x09}} , + {{0xc7, 0x8c, 0xbf, 0x64, 0x28, 0xad, 0xf8, 0xa5, 0x5a, 0x6f, 0xc9, 0xba, 0xd5, 0x7f, 0xd5, 0xd6, 0xbd, 0x66, 0x2f, 0x3d, 0xaa, 0x54, 0xf6, 0xba, 0x32, 0x22, 0x9a, 0x1e, 0x52, 0x05, 0xf4, 0x1d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xaa, 0x1f, 0xbb, 0xeb, 0xfe, 0xe4, 0x87, 0xfc, 0xb1, 0x2c, 0xb7, 0x88, 0xf4, 0xc6, 0xb9, 0xf5, 0x24, 0x46, 0xf2, 0xa5, 0x9f, 0x8f, 0x8a, 0x93, 0x70, 0x69, 0xd4, 0x56, 0xec, 0xfd, 0x06, 0x46}} , + {{0x4e, 0x66, 0xcf, 0x4e, 0x34, 0xce, 0x0c, 0xd9, 0xa6, 0x50, 0xd6, 0x5e, 0x95, 0xaf, 0xe9, 0x58, 0xfa, 0xee, 0x9b, 0xb8, 0xa5, 0x0f, 0x35, 0xe0, 0x43, 0x82, 0x6d, 0x65, 0xe6, 0xd9, 0x00, 0x0f}}}, +{{{0x7b, 0x75, 0x3a, 0xfc, 0x64, 0xd3, 0x29, 0x7e, 0xdd, 0x49, 0x9a, 0x59, 0x53, 0xbf, 0xb4, 0xa7, 0x52, 0xb3, 0x05, 0xab, 0xc3, 0xaf, 0x16, 0x1a, 0x85, 0x42, 0x32, 0xa2, 0x86, 0xfa, 0x39, 0x43}} , + {{0x0e, 0x4b, 0xa3, 0x63, 0x8a, 0xfe, 0xa5, 0x58, 0xf1, 0x13, 0xbd, 0x9d, 0xaa, 0x7f, 0x76, 0x40, 0x70, 0x81, 0x10, 0x75, 0x99, 0xbb, 0xbe, 0x0b, 0x16, 0xe9, 0xba, 0x62, 0x34, 0xcc, 0x07, 0x6d}}}, +{{{0xc3, 0xf1, 0xc6, 0x93, 0x65, 0xee, 0x0b, 0xbc, 0xea, 0x14, 0xf0, 0xc1, 0xf8, 0x84, 0x89, 0xc2, 0xc9, 0xd7, 0xea, 0x34, 0xca, 0xa7, 0xc4, 0x99, 0xd5, 0x50, 0x69, 0xcb, 0xd6, 0x21, 0x63, 0x7c}} , + {{0x99, 0xeb, 0x7c, 0x31, 0x73, 0x64, 0x67, 0x7f, 0x0c, 0x66, 0xaa, 0x8c, 0x69, 0x91, 0xe2, 0x26, 0xd3, 0x23, 0xe2, 0x76, 0x5d, 0x32, 0x52, 0xdf, 0x5d, 0xc5, 0x8f, 0xb7, 0x7c, 0x84, 0xb3, 0x70}}}, +{{{0xeb, 0x01, 0xc7, 0x36, 0x97, 0x4e, 0xb6, 0xab, 0x5f, 0x0d, 0x2c, 0xba, 0x67, 0x64, 0x55, 0xde, 0xbc, 0xff, 0xa6, 0xec, 0x04, 0xd3, 0x8d, 0x39, 0x56, 0x5e, 0xee, 0xf8, 0xe4, 0x2e, 0x33, 0x62}} , + {{0x65, 0xef, 0xb8, 0x9f, 0xc8, 0x4b, 0xa7, 0xfd, 0x21, 0x49, 0x9b, 0x92, 0x35, 0x82, 0xd6, 0x0a, 0x9b, 0xf2, 0x79, 0xf1, 0x47, 0x2f, 0x6a, 0x7e, 0x9f, 0xcf, 0x18, 0x02, 0x3c, 0xfb, 0x1b, 0x3e}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x2f, 0x8b, 0xc8, 0x40, 0x51, 0xd1, 0xac, 0x1a, 0x0b, 0xe4, 0xa9, 0xa2, 0x42, 0x21, 0x19, 0x2f, 0x7b, 0x97, 0xbf, 0xf7, 0x57, 0x6d, 0x3f, 0x3d, 0x4f, 0x0f, 0xe2, 0xb2, 0x81, 0x00, 0x9e, 0x7b}} , + {{0x8c, 0x85, 0x2b, 0xc4, 0xfc, 0xf1, 0xab, 0xe8, 0x79, 0x22, 0xc4, 0x84, 0x17, 0x3a, 0xfa, 0x86, 0xa6, 0x7d, 0xf9, 0xf3, 0x6f, 0x03, 0x57, 0x20, 0x4d, 0x79, 0xf9, 0x6e, 0x71, 0x54, 0x38, 0x09}}}, +{{{0x40, 0x29, 0x74, 0xa8, 0x2f, 0x5e, 0xf9, 0x79, 0xa4, 0xf3, 0x3e, 0xb9, 0xfd, 0x33, 0x31, 0xac, 0x9a, 0x69, 0x88, 0x1e, 0x77, 0x21, 0x2d, 0xf3, 0x91, 0x52, 0x26, 0x15, 0xb2, 0xa6, 0xcf, 0x7e}} , + {{0xc6, 0x20, 0x47, 0x6c, 0xa4, 0x7d, 0xcb, 0x63, 0xea, 0x5b, 0x03, 0xdf, 0x3e, 0x88, 0x81, 0x6d, 0xce, 0x07, 0x42, 0x18, 0x60, 0x7e, 0x7b, 0x55, 0xfe, 0x6a, 0xf3, 0xda, 0x5c, 0x8b, 0x95, 0x10}}}, +{{{0x62, 0xe4, 0x0d, 0x03, 0xb4, 0xd7, 0xcd, 0xfa, 0xbd, 0x46, 0xdf, 0x93, 0x71, 0x10, 0x2c, 0xa8, 0x3b, 0xb6, 0x09, 0x05, 0x70, 0x84, 0x43, 0x29, 0xa8, 0x59, 0xf5, 0x8e, 0x10, 0xe4, 0xd7, 0x20}} , + {{0x57, 0x82, 0x1c, 0xab, 0xbf, 0x62, 0x70, 0xe8, 0xc4, 0xcf, 0xf0, 0x28, 0x6e, 0x16, 0x3c, 0x08, 0x78, 0x89, 0x85, 0x46, 0x0f, 0xf6, 0x7f, 0xcf, 0xcb, 0x7e, 0xb8, 0x25, 0xe9, 0x5a, 0xfa, 0x03}}}, +{{{0xfb, 0x95, 0x92, 0x63, 0x50, 0xfc, 0x62, 0xf0, 0xa4, 0x5e, 0x8c, 0x18, 0xc2, 0x17, 0x24, 0xb7, 0x78, 0xc2, 0xa9, 0xe7, 0x6a, 0x32, 0xd6, 0x29, 0x85, 0xaf, 0xcb, 0x8d, 0x91, 0x13, 0xda, 0x6b}} , + {{0x36, 0x0a, 0xc2, 0xb6, 0x4b, 0xa5, 0x5d, 0x07, 0x17, 0x41, 0x31, 0x5f, 0x62, 0x46, 0xf8, 0x92, 0xf9, 0x66, 0x48, 0x73, 0xa6, 0x97, 0x0d, 0x7d, 0x88, 0xee, 0x62, 0xb1, 0x03, 0xa8, 0x3f, 0x2c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x4a, 0xb1, 0x70, 0x8a, 0xa9, 0xe8, 0x63, 0x79, 0x00, 0xe2, 0x25, 0x16, 0xca, 0x4b, 0x0f, 0xa4, 0x66, 0xad, 0x19, 0x9f, 0x88, 0x67, 0x0c, 0x8b, 0xc2, 0x4a, 0x5b, 0x2b, 0x6d, 0x95, 0xaf, 0x19}} , + {{0x8b, 0x9d, 0xb6, 0xcc, 0x60, 0xb4, 0x72, 0x4f, 0x17, 0x69, 0x5a, 0x4a, 0x68, 0x34, 0xab, 0xa1, 0x45, 0x32, 0x3c, 0x83, 0x87, 0x72, 0x30, 0x54, 0x77, 0x68, 0xae, 0xfb, 0xb5, 0x8b, 0x22, 0x5e}}}, +{{{0xf1, 0xb9, 0x87, 0x35, 0xc5, 0xbb, 0xb9, 0xcf, 0xf5, 0xd6, 0xcd, 0xd5, 0x0c, 0x7c, 0x0e, 0xe6, 0x90, 0x34, 0xfb, 0x51, 0x42, 0x1e, 0x6d, 0xac, 0x9a, 0x46, 0xc4, 0x97, 0x29, 0x32, 0xbf, 0x45}} , + {{0x66, 0x9e, 0xc6, 0x24, 0xc0, 0xed, 0xa5, 0x5d, 0x88, 0xd4, 0xf0, 0x73, 0x97, 0x7b, 0xea, 0x7f, 0x42, 0xff, 0x21, 0xa0, 0x9b, 0x2f, 0x9a, 0xfd, 0x53, 0x57, 0x07, 0x84, 0x48, 0x88, 0x9d, 0x52}}}, +{{{0xc6, 0x96, 0x48, 0x34, 0x2a, 0x06, 0xaf, 0x94, 0x3d, 0xf4, 0x1a, 0xcf, 0xf2, 0xc0, 0x21, 0xc2, 0x42, 0x5e, 0xc8, 0x2f, 0x35, 0xa2, 0x3e, 0x29, 0xfa, 0x0c, 0x84, 0xe5, 0x89, 0x72, 0x7c, 0x06}} , + {{0x32, 0x65, 0x03, 0xe5, 0x89, 0xa6, 0x6e, 0xb3, 0x5b, 0x8e, 0xca, 0xeb, 0xfe, 0x22, 0x56, 0x8b, 0x5d, 0x14, 0x4b, 0x4d, 0xf9, 0xbe, 0xb5, 0xf5, 0xe6, 0x5c, 0x7b, 0x8b, 0xf4, 0x13, 0x11, 0x34}}}, +{{{0x07, 0xc6, 0x22, 0x15, 0xe2, 0x9c, 0x60, 0xa2, 0x19, 0xd9, 0x27, 0xae, 0x37, 0x4e, 0xa6, 0xc9, 0x80, 0xa6, 0x91, 0x8f, 0x12, 0x49, 0xe5, 0x00, 0x18, 0x47, 0xd1, 0xd7, 0x28, 0x22, 0x63, 0x39}} , + {{0xe8, 0xe2, 0x00, 0x7e, 0xf2, 0x9e, 0x1e, 0x99, 0x39, 0x95, 0x04, 0xbd, 0x1e, 0x67, 0x7b, 0xb2, 0x26, 0xac, 0xe6, 0xaa, 0xe2, 0x46, 0xd5, 0xe4, 0xe8, 0x86, 0xbd, 0xab, 0x7c, 0x55, 0x59, 0x6f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x24, 0x64, 0x6e, 0x9b, 0x35, 0x71, 0x78, 0xce, 0x33, 0x03, 0x21, 0x33, 0x36, 0xf1, 0x73, 0x9b, 0xb9, 0x15, 0x8b, 0x2c, 0x69, 0xcf, 0x4d, 0xed, 0x4f, 0x4d, 0x57, 0x14, 0x13, 0x82, 0xa4, 0x4d}} , + {{0x65, 0x6e, 0x0a, 0xa4, 0x59, 0x07, 0x17, 0xf2, 0x6b, 0x4a, 0x1f, 0x6e, 0xf6, 0xb5, 0xbc, 0x62, 0xe4, 0xb6, 0xda, 0xa2, 0x93, 0xbc, 0x29, 0x05, 0xd2, 0xd2, 0x73, 0x46, 0x03, 0x16, 0x40, 0x31}}}, +{{{0x4c, 0x73, 0x6d, 0x15, 0xbd, 0xa1, 0x4d, 0x5c, 0x13, 0x0b, 0x24, 0x06, 0x98, 0x78, 0x1c, 0x5b, 0xeb, 0x1f, 0x18, 0x54, 0x43, 0xd9, 0x55, 0x66, 0xda, 0x29, 0x21, 0xe8, 0xb8, 0x3c, 0x42, 0x22}} , + {{0xb4, 0xcd, 0x08, 0x6f, 0x15, 0x23, 0x1a, 0x0b, 0x22, 0xed, 0xd1, 0xf1, 0xa7, 0xc7, 0x73, 0x45, 0xf3, 0x9e, 0xce, 0x76, 0xb7, 0xf6, 0x39, 0xb6, 0x8e, 0x79, 0xbe, 0xe9, 0x9b, 0xcf, 0x7d, 0x62}}}, +{{{0x92, 0x5b, 0xfc, 0x72, 0xfd, 0xba, 0xf1, 0xfd, 0xa6, 0x7c, 0x95, 0xe3, 0x61, 0x3f, 0xe9, 0x03, 0xd4, 0x2b, 0xd4, 0x20, 0xd9, 0xdb, 0x4d, 0x32, 0x3e, 0xf5, 0x11, 0x64, 0xe3, 0xb4, 0xbe, 0x32}} , + {{0x86, 0x17, 0x90, 0xe7, 0xc9, 0x1f, 0x10, 0xa5, 0x6a, 0x2d, 0x39, 0xd0, 0x3b, 0xc4, 0xa6, 0xe9, 0x59, 0x13, 0xda, 0x1a, 0xe6, 0xa0, 0xb9, 0x3c, 0x50, 0xb8, 0x40, 0x7c, 0x15, 0x36, 0x5a, 0x42}}}, +{{{0xb4, 0x0b, 0x32, 0xab, 0xdc, 0x04, 0x51, 0x55, 0x21, 0x1e, 0x0b, 0x75, 0x99, 0x89, 0x73, 0x35, 0x3a, 0x91, 0x2b, 0xfe, 0xe7, 0x49, 0xea, 0x76, 0xc1, 0xf9, 0x46, 0xb9, 0x53, 0x02, 0x23, 0x04}} , + {{0xfc, 0x5a, 0x1e, 0x1d, 0x74, 0x58, 0x95, 0xa6, 0x8f, 0x7b, 0x97, 0x3e, 0x17, 0x3b, 0x79, 0x2d, 0xa6, 0x57, 0xef, 0x45, 0x02, 0x0b, 0x4d, 0x6e, 0x9e, 0x93, 0x8d, 0x2f, 0xd9, 0x9d, 0xdb, 0x04}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xc0, 0xd7, 0x56, 0x97, 0x58, 0x91, 0xde, 0x09, 0x4f, 0x9f, 0xbe, 0x63, 0xb0, 0x83, 0x86, 0x43, 0x5d, 0xbc, 0xe0, 0xf3, 0xc0, 0x75, 0xbf, 0x8b, 0x8e, 0xaa, 0xf7, 0x8b, 0x64, 0x6e, 0xb0, 0x63}} , + {{0x16, 0xae, 0x8b, 0xe0, 0x9b, 0x24, 0x68, 0x5c, 0x44, 0xc2, 0xd0, 0x08, 0xb7, 0x7b, 0x62, 0xfd, 0x7f, 0xd8, 0xd4, 0xb7, 0x50, 0xfd, 0x2c, 0x1b, 0xbf, 0x41, 0x95, 0xd9, 0x8e, 0xd8, 0x17, 0x1b}}}, +{{{0x86, 0x55, 0x37, 0x8e, 0xc3, 0x38, 0x48, 0x14, 0xb5, 0x97, 0xd2, 0xa7, 0x54, 0x45, 0xf1, 0x35, 0x44, 0x38, 0x9e, 0xf1, 0x1b, 0xb6, 0x34, 0x00, 0x3c, 0x96, 0xee, 0x29, 0x00, 0xea, 0x2c, 0x0b}} , + {{0xea, 0xda, 0x99, 0x9e, 0x19, 0x83, 0x66, 0x6d, 0xe9, 0x76, 0x87, 0x50, 0xd1, 0xfd, 0x3c, 0x60, 0x87, 0xc6, 0x41, 0xd9, 0x8e, 0xdb, 0x5e, 0xde, 0xaa, 0x9a, 0xd3, 0x28, 0xda, 0x95, 0xea, 0x47}}}, +{{{0xd0, 0x80, 0xba, 0x19, 0xae, 0x1d, 0xa9, 0x79, 0xf6, 0x3f, 0xac, 0x5d, 0x6f, 0x96, 0x1f, 0x2a, 0xce, 0x29, 0xb2, 0xff, 0x37, 0xf1, 0x94, 0x8f, 0x0c, 0xb5, 0x28, 0xba, 0x9a, 0x21, 0xf6, 0x66}} , + {{0x02, 0xfb, 0x54, 0xb8, 0x05, 0xf3, 0x81, 0x52, 0x69, 0x34, 0x46, 0x9d, 0x86, 0x76, 0x8f, 0xd7, 0xf8, 0x6a, 0x66, 0xff, 0xe6, 0xa7, 0x90, 0xf7, 0x5e, 0xcd, 0x6a, 0x9b, 0x55, 0xfc, 0x9d, 0x48}}}, +{{{0xbd, 0xaa, 0x13, 0xe6, 0xcd, 0x45, 0x4a, 0xa4, 0x59, 0x0a, 0x64, 0xb1, 0x98, 0xd6, 0x34, 0x13, 0x04, 0xe6, 0x97, 0x94, 0x06, 0xcb, 0xd4, 0x4e, 0xbb, 0x96, 0xcd, 0xd1, 0x57, 0xd1, 0xe3, 0x06}} , + {{0x7a, 0x6c, 0x45, 0x27, 0xc4, 0x93, 0x7f, 0x7d, 0x7c, 0x62, 0x50, 0x38, 0x3a, 0x6b, 0xb5, 0x88, 0xc6, 0xd9, 0xf1, 0x78, 0x19, 0xb9, 0x39, 0x93, 0x3d, 0xc9, 0xe0, 0x9c, 0x3c, 0xce, 0xf5, 0x72}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x24, 0xea, 0x23, 0x7d, 0x56, 0x2c, 0xe2, 0x59, 0x0e, 0x85, 0x60, 0x04, 0x88, 0x5a, 0x74, 0x1e, 0x4b, 0xef, 0x13, 0xda, 0x4c, 0xff, 0x83, 0x45, 0x85, 0x3f, 0x08, 0x95, 0x2c, 0x20, 0x13, 0x1f}} , + {{0x48, 0x5f, 0x27, 0x90, 0x5c, 0x02, 0x42, 0xad, 0x78, 0x47, 0x5c, 0xb5, 0x7e, 0x08, 0x85, 0x00, 0xfa, 0x7f, 0xfd, 0xfd, 0xe7, 0x09, 0x11, 0xf2, 0x7e, 0x1b, 0x38, 0x6c, 0x35, 0x6d, 0x33, 0x66}}}, +{{{0x93, 0x03, 0x36, 0x81, 0xac, 0xe4, 0x20, 0x09, 0x35, 0x4c, 0x45, 0xb2, 0x1e, 0x4c, 0x14, 0x21, 0xe6, 0xe9, 0x8a, 0x7b, 0x8d, 0xfe, 0x1e, 0xc6, 0x3e, 0xc1, 0x35, 0xfa, 0xe7, 0x70, 0x4e, 0x1d}} , + {{0x61, 0x2e, 0xc2, 0xdd, 0x95, 0x57, 0xd1, 0xab, 0x80, 0xe8, 0x63, 0x17, 0xb5, 0x48, 0xe4, 0x8a, 0x11, 0x9e, 0x72, 0xbe, 0x85, 0x8d, 0x51, 0x0a, 0xf2, 0x9f, 0xe0, 0x1c, 0xa9, 0x07, 0x28, 0x7b}}}, +{{{0xbb, 0x71, 0x14, 0x5e, 0x26, 0x8c, 0x3d, 0xc8, 0xe9, 0x7c, 0xd3, 0xd6, 0xd1, 0x2f, 0x07, 0x6d, 0xe6, 0xdf, 0xfb, 0x79, 0xd6, 0x99, 0x59, 0x96, 0x48, 0x40, 0x0f, 0x3a, 0x7b, 0xb2, 0xa0, 0x72}} , + {{0x4e, 0x3b, 0x69, 0xc8, 0x43, 0x75, 0x51, 0x6c, 0x79, 0x56, 0xe4, 0xcb, 0xf7, 0xa6, 0x51, 0xc2, 0x2c, 0x42, 0x0b, 0xd4, 0x82, 0x20, 0x1c, 0x01, 0x08, 0x66, 0xd7, 0xbf, 0x04, 0x56, 0xfc, 0x02}}}, +{{{0x24, 0xe8, 0xb7, 0x60, 0xae, 0x47, 0x80, 0xfc, 0xe5, 0x23, 0xe7, 0xc2, 0xc9, 0x85, 0xe6, 0x98, 0xa0, 0x29, 0x4e, 0xe1, 0x84, 0x39, 0x2d, 0x95, 0x2c, 0xf3, 0x45, 0x3c, 0xff, 0xaf, 0x27, 0x4c}} , + {{0x6b, 0xa6, 0xf5, 0x4b, 0x11, 0xbd, 0xba, 0x5b, 0x9e, 0xc4, 0xa4, 0x51, 0x1e, 0xbe, 0xd0, 0x90, 0x3a, 0x9c, 0xc2, 0x26, 0xb6, 0x1e, 0xf1, 0x95, 0x7d, 0xc8, 0x6d, 0x52, 0xe6, 0x99, 0x2c, 0x5f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x85, 0xe0, 0x24, 0x32, 0xb4, 0xd1, 0xef, 0xfc, 0x69, 0xa2, 0xbf, 0x8f, 0x72, 0x2c, 0x95, 0xf6, 0xe4, 0x6e, 0x7d, 0x90, 0xf7, 0x57, 0x81, 0xa0, 0xf7, 0xda, 0xef, 0x33, 0x07, 0xe3, 0x6b, 0x78}} , + {{0x36, 0x27, 0x3e, 0xc6, 0x12, 0x07, 0xab, 0x4e, 0xbe, 0x69, 0x9d, 0xb3, 0xbe, 0x08, 0x7c, 0x2a, 0x47, 0x08, 0xfd, 0xd4, 0xcd, 0x0e, 0x27, 0x34, 0x5b, 0x98, 0x34, 0x2f, 0x77, 0x5f, 0x3a, 0x65}}}, +{{{0x13, 0xaa, 0x2e, 0x4c, 0xf0, 0x22, 0xb8, 0x6c, 0xb3, 0x19, 0x4d, 0xeb, 0x6b, 0xd0, 0xa4, 0xc6, 0x9c, 0xdd, 0xc8, 0x5b, 0x81, 0x57, 0x89, 0xdf, 0x33, 0xa9, 0x68, 0x49, 0x80, 0xe4, 0xfe, 0x21}} , + {{0x00, 0x17, 0x90, 0x30, 0xe9, 0xd3, 0x60, 0x30, 0x31, 0xc2, 0x72, 0x89, 0x7a, 0x36, 0xa5, 0xbd, 0x39, 0x83, 0x85, 0x50, 0xa1, 0x5d, 0x6c, 0x41, 0x1d, 0xb5, 0x2c, 0x07, 0x40, 0x77, 0x0b, 0x50}}}, +{{{0x64, 0x34, 0xec, 0xc0, 0x9e, 0x44, 0x41, 0xaf, 0xa0, 0x36, 0x05, 0x6d, 0xea, 0x30, 0x25, 0x46, 0x35, 0x24, 0x9d, 0x86, 0xbd, 0x95, 0xf1, 0x6a, 0x46, 0xd7, 0x94, 0x54, 0xf9, 0x3b, 0xbd, 0x5d}} , + {{0x77, 0x5b, 0xe2, 0x37, 0xc7, 0xe1, 0x7c, 0x13, 0x8c, 0x9f, 0x7b, 0x7b, 0x2a, 0xce, 0x42, 0xa3, 0xb9, 0x2a, 0x99, 0xa8, 0xc0, 0xd8, 0x3c, 0x86, 0xb0, 0xfb, 0xe9, 0x76, 0x77, 0xf7, 0xf5, 0x56}}}, +{{{0xdf, 0xb3, 0x46, 0x11, 0x6e, 0x13, 0xb7, 0x28, 0x4e, 0x56, 0xdd, 0xf1, 0xac, 0xad, 0x58, 0xc3, 0xf8, 0x88, 0x94, 0x5e, 0x06, 0x98, 0xa1, 0xe4, 0x6a, 0xfb, 0x0a, 0x49, 0x5d, 0x8a, 0xfe, 0x77}} , + {{0x46, 0x02, 0xf5, 0xa5, 0xaf, 0xc5, 0x75, 0x6d, 0xba, 0x45, 0x35, 0x0a, 0xfe, 0xc9, 0xac, 0x22, 0x91, 0x8d, 0x21, 0x95, 0x33, 0x03, 0xc0, 0x8a, 0x16, 0xf3, 0x39, 0xe0, 0x01, 0x0f, 0x53, 0x3c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x34, 0x75, 0x37, 0x1f, 0x34, 0x4e, 0xa9, 0x1d, 0x68, 0x67, 0xf8, 0x49, 0x98, 0x96, 0xfc, 0x4c, 0x65, 0x97, 0xf7, 0x02, 0x4a, 0x52, 0x6c, 0x01, 0xbd, 0x48, 0xbb, 0x1b, 0xed, 0xa4, 0xe2, 0x53}} , + {{0x59, 0xd5, 0x9b, 0x5a, 0xa2, 0x90, 0xd3, 0xb8, 0x37, 0x4c, 0x55, 0x82, 0x28, 0x08, 0x0f, 0x7f, 0xaa, 0x81, 0x65, 0xe0, 0x0c, 0x52, 0xc9, 0xa3, 0x32, 0x27, 0x64, 0xda, 0xfd, 0x34, 0x23, 0x5a}}}, +{{{0xb5, 0xb0, 0x0c, 0x4d, 0xb3, 0x7b, 0x23, 0xc8, 0x1f, 0x8a, 0x39, 0x66, 0xe6, 0xba, 0x4c, 0x10, 0x37, 0xca, 0x9c, 0x7c, 0x05, 0x9e, 0xff, 0xc0, 0xf8, 0x8e, 0xb1, 0x8f, 0x6f, 0x67, 0x18, 0x26}} , + {{0x4b, 0x41, 0x13, 0x54, 0x23, 0x1a, 0xa4, 0x4e, 0xa9, 0x8b, 0x1e, 0x4b, 0xfc, 0x15, 0x24, 0xbb, 0x7e, 0xcb, 0xb6, 0x1e, 0x1b, 0xf5, 0xf2, 0xc8, 0x56, 0xec, 0x32, 0xa2, 0x60, 0x5b, 0xa0, 0x2a}}}, +{{{0xa4, 0x29, 0x47, 0x86, 0x2e, 0x92, 0x4f, 0x11, 0x4f, 0xf3, 0xb2, 0x5c, 0xd5, 0x3e, 0xa6, 0xb9, 0xc8, 0xe2, 0x33, 0x11, 0x1f, 0x01, 0x8f, 0xb0, 0x9b, 0xc7, 0xa5, 0xff, 0x83, 0x0f, 0x1e, 0x28}} , + {{0x1d, 0x29, 0x7a, 0xa1, 0xec, 0x8e, 0xb5, 0xad, 0xea, 0x02, 0x68, 0x60, 0x74, 0x29, 0x1c, 0xa5, 0xcf, 0xc8, 0x3b, 0x7d, 0x8b, 0x2b, 0x7c, 0xad, 0xa4, 0x40, 0x17, 0x51, 0x59, 0x7c, 0x2e, 0x5d}}}, +{{{0x0a, 0x6c, 0x4f, 0xbc, 0x3e, 0x32, 0xe7, 0x4a, 0x1a, 0x13, 0xc1, 0x49, 0x38, 0xbf, 0xf7, 0xc2, 0xd3, 0x8f, 0x6b, 0xad, 0x52, 0xf7, 0xcf, 0xbc, 0x27, 0xcb, 0x40, 0x67, 0x76, 0xcd, 0x6d, 0x56}} , + {{0xe5, 0xb0, 0x27, 0xad, 0xbe, 0x9b, 0xf2, 0xb5, 0x63, 0xde, 0x3a, 0x23, 0x95, 0xb7, 0x0a, 0x7e, 0xf3, 0x9e, 0x45, 0x6f, 0x19, 0x39, 0x75, 0x8f, 0x39, 0x3d, 0x0f, 0xc0, 0x9f, 0xf1, 0xe9, 0x51}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x88, 0xaa, 0x14, 0x24, 0x86, 0x94, 0x11, 0x12, 0x3e, 0x1a, 0xb5, 0xcc, 0xbb, 0xe0, 0x9c, 0xd5, 0x9c, 0x6d, 0xba, 0x58, 0x72, 0x8d, 0xfb, 0x22, 0x7b, 0x9f, 0x7c, 0x94, 0x30, 0xb3, 0x51, 0x21}} , + {{0xf6, 0x74, 0x3d, 0xf2, 0xaf, 0xd0, 0x1e, 0x03, 0x7c, 0x23, 0x6b, 0xc9, 0xfc, 0x25, 0x70, 0x90, 0xdc, 0x9a, 0xa4, 0xfb, 0x49, 0xfc, 0x3d, 0x0a, 0x35, 0x38, 0x6f, 0xe4, 0x7e, 0x50, 0x01, 0x2a}}}, +{{{0xd6, 0xe3, 0x96, 0x61, 0x3a, 0xfd, 0xef, 0x9b, 0x1f, 0x90, 0xa4, 0x24, 0x14, 0x5b, 0xc8, 0xde, 0x50, 0xb1, 0x1d, 0xaf, 0xe8, 0x55, 0x8a, 0x87, 0x0d, 0xfe, 0xaa, 0x3b, 0x82, 0x2c, 0x8d, 0x7b}} , + {{0x85, 0x0c, 0xaf, 0xf8, 0x83, 0x44, 0x49, 0xd9, 0x45, 0xcf, 0xf7, 0x48, 0xd9, 0x53, 0xb4, 0xf1, 0x65, 0xa0, 0xe1, 0xc3, 0xb3, 0x15, 0xed, 0x89, 0x9b, 0x4f, 0x62, 0xb3, 0x57, 0xa5, 0x45, 0x1c}}}, +{{{0x8f, 0x12, 0xea, 0xaf, 0xd1, 0x1f, 0x79, 0x10, 0x0b, 0xf6, 0xa3, 0x7b, 0xea, 0xac, 0x8b, 0x57, 0x32, 0x62, 0xe7, 0x06, 0x12, 0x51, 0xa0, 0x3b, 0x43, 0x5e, 0xa4, 0x20, 0x78, 0x31, 0xce, 0x0d}} , + {{0x84, 0x7c, 0xc2, 0xa6, 0x91, 0x23, 0xce, 0xbd, 0xdc, 0xf9, 0xce, 0xd5, 0x75, 0x30, 0x22, 0xe6, 0xf9, 0x43, 0x62, 0x0d, 0xf7, 0x75, 0x9d, 0x7f, 0x8c, 0xff, 0x7d, 0xe4, 0x72, 0xac, 0x9f, 0x1c}}}, +{{{0x88, 0xc1, 0x99, 0xd0, 0x3c, 0x1c, 0x5d, 0xb4, 0xef, 0x13, 0x0f, 0x90, 0xb9, 0x36, 0x2f, 0x95, 0x95, 0xc6, 0xdc, 0xde, 0x0a, 0x51, 0xe2, 0x8d, 0xf3, 0xbc, 0x51, 0xec, 0xdf, 0xb1, 0xa2, 0x5f}} , + {{0x2e, 0x68, 0xa1, 0x23, 0x7d, 0x9b, 0x40, 0x69, 0x85, 0x7b, 0x42, 0xbf, 0x90, 0x4b, 0xd6, 0x40, 0x2f, 0xd7, 0x52, 0x52, 0xb2, 0x21, 0xde, 0x64, 0xbd, 0x88, 0xc3, 0x6d, 0xa5, 0xfa, 0x81, 0x3f}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xfb, 0xfd, 0x47, 0x7b, 0x8a, 0x66, 0x9e, 0x79, 0x2e, 0x64, 0x82, 0xef, 0xf7, 0x21, 0xec, 0xf6, 0xd8, 0x86, 0x09, 0x31, 0x7c, 0xdd, 0x03, 0x6a, 0x58, 0xa0, 0x77, 0xb7, 0x9b, 0x8c, 0x87, 0x1f}} , + {{0x55, 0x47, 0xe4, 0xa8, 0x3d, 0x55, 0x21, 0x34, 0xab, 0x1d, 0xae, 0xe0, 0xf4, 0xea, 0xdb, 0xc5, 0xb9, 0x58, 0xbf, 0xc4, 0x2a, 0x89, 0x31, 0x1a, 0xf4, 0x2d, 0xe1, 0xca, 0x37, 0x99, 0x47, 0x59}}}, +{{{0xc7, 0xca, 0x63, 0xc1, 0x49, 0xa9, 0x35, 0x45, 0x55, 0x7e, 0xda, 0x64, 0x32, 0x07, 0x50, 0xf7, 0x32, 0xac, 0xde, 0x75, 0x58, 0x9b, 0x11, 0xb2, 0x3a, 0x1f, 0xf5, 0xf7, 0x79, 0x04, 0xe6, 0x08}} , + {{0x46, 0xfa, 0x22, 0x4b, 0xfa, 0xe1, 0xfe, 0x96, 0xfc, 0x67, 0xba, 0x67, 0x97, 0xc4, 0xe7, 0x1b, 0x86, 0x90, 0x5f, 0xee, 0xf4, 0x5b, 0x11, 0xb2, 0xcd, 0xad, 0xee, 0xc2, 0x48, 0x6c, 0x2b, 0x1b}}}, +{{{0xe3, 0x39, 0x62, 0xb4, 0x4f, 0x31, 0x04, 0xc9, 0xda, 0xd5, 0x73, 0x51, 0x57, 0xc5, 0xb8, 0xf3, 0xa3, 0x43, 0x70, 0xe4, 0x61, 0x81, 0x84, 0xe2, 0xbb, 0xbf, 0x4f, 0x9e, 0xa4, 0x5e, 0x74, 0x06}} , + {{0x29, 0xac, 0xff, 0x27, 0xe0, 0x59, 0xbe, 0x39, 0x9c, 0x0d, 0x83, 0xd7, 0x10, 0x0b, 0x15, 0xb7, 0xe1, 0xc2, 0x2c, 0x30, 0x73, 0x80, 0x3a, 0x7d, 0x5d, 0xab, 0x58, 0x6b, 0xc1, 0xf0, 0xf4, 0x22}}}, +{{{0xfe, 0x7f, 0xfb, 0x35, 0x7d, 0xc6, 0x01, 0x23, 0x28, 0xc4, 0x02, 0xac, 0x1f, 0x42, 0xb4, 0x9d, 0xfc, 0x00, 0x94, 0xa5, 0xee, 0xca, 0xda, 0x97, 0x09, 0x41, 0x77, 0x87, 0x5d, 0x7b, 0x87, 0x78}} , + {{0xf5, 0xfb, 0x90, 0x2d, 0x81, 0x19, 0x9e, 0x2f, 0x6d, 0x85, 0x88, 0x8c, 0x40, 0x5c, 0x77, 0x41, 0x4d, 0x01, 0x19, 0x76, 0x60, 0xe8, 0x4c, 0x48, 0xe4, 0x33, 0x83, 0x32, 0x6c, 0xb4, 0x41, 0x03}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xff, 0x10, 0xc2, 0x09, 0x4f, 0x6e, 0xf4, 0xd2, 0xdf, 0x7e, 0xca, 0x7b, 0x1c, 0x1d, 0xba, 0xa3, 0xb6, 0xda, 0x67, 0x33, 0xd4, 0x87, 0x36, 0x4b, 0x11, 0x20, 0x05, 0xa6, 0x29, 0xc1, 0x87, 0x17}} , + {{0xf6, 0x96, 0xca, 0x2f, 0xda, 0x38, 0xa7, 0x1b, 0xfc, 0xca, 0x7d, 0xfe, 0x08, 0x89, 0xe2, 0x47, 0x2b, 0x6a, 0x5d, 0x4b, 0xfa, 0xa1, 0xb4, 0xde, 0xb6, 0xc2, 0x31, 0x51, 0xf5, 0xe0, 0xa4, 0x0b}}}, +{{{0x5c, 0xe5, 0xc6, 0x04, 0x8e, 0x2b, 0x57, 0xbe, 0x38, 0x85, 0x23, 0xcb, 0xb7, 0xbe, 0x4f, 0xa9, 0xd3, 0x6e, 0x12, 0xaa, 0xd5, 0xb2, 0x2e, 0x93, 0x29, 0x9a, 0x4a, 0x88, 0x18, 0x43, 0xf5, 0x01}} , + {{0x50, 0xfc, 0xdb, 0xa2, 0x59, 0x21, 0x8d, 0xbd, 0x7e, 0x33, 0xae, 0x2f, 0x87, 0x1a, 0xd0, 0x97, 0xc7, 0x0d, 0x4d, 0x63, 0x01, 0xef, 0x05, 0x84, 0xec, 0x40, 0xdd, 0xa8, 0x0a, 0x4f, 0x70, 0x0b}}}, +{{{0x41, 0x69, 0x01, 0x67, 0x5c, 0xd3, 0x8a, 0xc5, 0xcf, 0x3f, 0xd1, 0x57, 0xd1, 0x67, 0x3e, 0x01, 0x39, 0xb5, 0xcb, 0x81, 0x56, 0x96, 0x26, 0xb6, 0xc2, 0xe7, 0x5c, 0xfb, 0x63, 0x97, 0x58, 0x06}} , + {{0x0c, 0x0e, 0xf3, 0xba, 0xf0, 0xe5, 0xba, 0xb2, 0x57, 0x77, 0xc6, 0x20, 0x9b, 0x89, 0x24, 0xbe, 0xf2, 0x9c, 0x8a, 0xba, 0x69, 0xc1, 0xf1, 0xb0, 0x4f, 0x2a, 0x05, 0x9a, 0xee, 0x10, 0x7e, 0x36}}}, +{{{0x3f, 0x26, 0xe9, 0x40, 0xe9, 0x03, 0xad, 0x06, 0x69, 0x91, 0xe0, 0xd1, 0x89, 0x60, 0x84, 0x79, 0xde, 0x27, 0x6d, 0xe6, 0x76, 0xbd, 0xea, 0xe6, 0xae, 0x48, 0xc3, 0x67, 0xc0, 0x57, 0xcd, 0x2f}} , + {{0x7f, 0xc1, 0xdc, 0xb9, 0xc7, 0xbc, 0x86, 0x3d, 0x55, 0x4b, 0x28, 0x7a, 0xfb, 0x4d, 0xc7, 0xf8, 0xbc, 0x67, 0x2a, 0x60, 0x4d, 0x8f, 0x07, 0x0b, 0x1a, 0x17, 0xbf, 0xfa, 0xac, 0xa7, 0x3d, 0x1a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x91, 0x3f, 0xed, 0x5e, 0x18, 0x78, 0x3f, 0x23, 0x2c, 0x0d, 0x8c, 0x44, 0x00, 0xe8, 0xfb, 0xe9, 0x8e, 0xd6, 0xd1, 0x36, 0x58, 0x57, 0x9e, 0xae, 0x4b, 0x5c, 0x0b, 0x07, 0xbc, 0x6b, 0x55, 0x2b}} , + {{0x6f, 0x4d, 0x17, 0xd7, 0xe1, 0x84, 0xd9, 0x78, 0xb1, 0x90, 0xfd, 0x2e, 0xb3, 0xb5, 0x19, 0x3f, 0x1b, 0xfa, 0xc0, 0x68, 0xb3, 0xdd, 0x00, 0x2e, 0x89, 0xbd, 0x7e, 0x80, 0x32, 0x13, 0xa0, 0x7b}}}, +{{{0x1a, 0x6f, 0x40, 0xaf, 0x44, 0x44, 0xb0, 0x43, 0x8f, 0x0d, 0xd0, 0x1e, 0xc4, 0x0b, 0x19, 0x5d, 0x8e, 0xfe, 0xc1, 0xf3, 0xc5, 0x5c, 0x91, 0xf8, 0x04, 0x4e, 0xbe, 0x90, 0xb4, 0x47, 0x5c, 0x3f}} , + {{0xb0, 0x3b, 0x2c, 0xf3, 0xfe, 0x32, 0x71, 0x07, 0x3f, 0xaa, 0xba, 0x45, 0x60, 0xa8, 0x8d, 0xea, 0x54, 0xcb, 0x39, 0x10, 0xb4, 0xf2, 0x8b, 0xd2, 0x14, 0x82, 0x42, 0x07, 0x8e, 0xe9, 0x7c, 0x53}}}, +{{{0xb0, 0xae, 0xc1, 0x8d, 0xc9, 0x8f, 0xb9, 0x7a, 0x77, 0xef, 0xba, 0x79, 0xa0, 0x3c, 0xa8, 0xf5, 0x6a, 0xe2, 0x3f, 0x5d, 0x00, 0xe3, 0x4b, 0x45, 0x24, 0x7b, 0x43, 0x78, 0x55, 0x1d, 0x2b, 0x1e}} , + {{0x01, 0xb8, 0xd6, 0x16, 0x67, 0xa0, 0x15, 0xb9, 0xe1, 0x58, 0xa4, 0xa7, 0x31, 0x37, 0x77, 0x2f, 0x8b, 0x12, 0x9f, 0xf4, 0x3f, 0xc7, 0x36, 0x66, 0xd2, 0xa8, 0x56, 0xf7, 0x7f, 0x74, 0xc6, 0x41}}}, +{{{0x5d, 0xf8, 0xb4, 0xa8, 0x30, 0xdd, 0xcc, 0x38, 0xa5, 0xd3, 0xca, 0xd8, 0xd1, 0xf8, 0xb2, 0x31, 0x91, 0xd4, 0x72, 0x05, 0x57, 0x4a, 0x3b, 0x82, 0x4a, 0xc6, 0x68, 0x20, 0xe2, 0x18, 0x41, 0x61}} , + {{0x19, 0xd4, 0x8d, 0x47, 0x29, 0x12, 0x65, 0xb0, 0x11, 0x78, 0x47, 0xb5, 0xcb, 0xa3, 0xa5, 0xfa, 0x05, 0x85, 0x54, 0xa9, 0x33, 0x97, 0x8d, 0x2b, 0xc2, 0xfe, 0x99, 0x35, 0x28, 0xe5, 0xeb, 0x63}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xb1, 0x3f, 0x3f, 0xef, 0xd8, 0xf4, 0xfc, 0xb3, 0xa0, 0x60, 0x50, 0x06, 0x2b, 0x29, 0x52, 0x70, 0x15, 0x0b, 0x24, 0x24, 0xf8, 0x5f, 0x79, 0x18, 0xcc, 0xff, 0x89, 0x99, 0x84, 0xa1, 0xae, 0x13}} , + {{0x44, 0x1f, 0xb8, 0xc2, 0x01, 0xc1, 0x30, 0x19, 0x55, 0x05, 0x60, 0x10, 0xa4, 0x6c, 0x2d, 0x67, 0x70, 0xe5, 0x25, 0x1b, 0xf2, 0xbf, 0xdd, 0xfb, 0x70, 0x2b, 0xa1, 0x8c, 0x9c, 0x94, 0x84, 0x08}}}, +{{{0xe7, 0xc4, 0x43, 0x4d, 0xc9, 0x2b, 0x69, 0x5d, 0x1d, 0x3c, 0xaf, 0xbb, 0x43, 0x38, 0x4e, 0x98, 0x3d, 0xed, 0x0d, 0x21, 0x03, 0xfd, 0xf0, 0x99, 0x47, 0x04, 0xb0, 0x98, 0x69, 0x55, 0x72, 0x0f}} , + {{0x5e, 0xdf, 0x15, 0x53, 0x3b, 0x86, 0x80, 0xb0, 0xf1, 0x70, 0x68, 0x8f, 0x66, 0x7c, 0x0e, 0x49, 0x1a, 0xd8, 0x6b, 0xfe, 0x4e, 0xef, 0xca, 0x47, 0xd4, 0x03, 0xc1, 0x37, 0x50, 0x9c, 0xc1, 0x16}}}, +{{{0xcd, 0x24, 0xc6, 0x3e, 0x0c, 0x82, 0x9b, 0x91, 0x2b, 0x61, 0x4a, 0xb2, 0x0f, 0x88, 0x55, 0x5f, 0x5a, 0x57, 0xff, 0xe5, 0x74, 0x0b, 0x13, 0x43, 0x00, 0xd8, 0x6b, 0xcf, 0xd2, 0x15, 0x03, 0x2c}} , + {{0xdc, 0xff, 0x15, 0x61, 0x2f, 0x4a, 0x2f, 0x62, 0xf2, 0x04, 0x2f, 0xb5, 0x0c, 0xb7, 0x1e, 0x3f, 0x74, 0x1a, 0x0f, 0xd7, 0xea, 0xcd, 0xd9, 0x7d, 0xf6, 0x12, 0x0e, 0x2f, 0xdb, 0x5a, 0x3b, 0x16}}}, +{{{0x1b, 0x37, 0x47, 0xe3, 0xf5, 0x9e, 0xea, 0x2c, 0x2a, 0xe7, 0x82, 0x36, 0xf4, 0x1f, 0x81, 0x47, 0x92, 0x4b, 0x69, 0x0e, 0x11, 0x8c, 0x5d, 0x53, 0x5b, 0x81, 0x27, 0x08, 0xbc, 0xa0, 0xae, 0x25}} , + {{0x69, 0x32, 0xa1, 0x05, 0x11, 0x42, 0x00, 0xd2, 0x59, 0xac, 0x4d, 0x62, 0x8b, 0x13, 0xe2, 0x50, 0x5d, 0xa0, 0x9d, 0x9b, 0xfd, 0xbb, 0x12, 0x41, 0x75, 0x41, 0x9e, 0xcc, 0xdc, 0xc7, 0xdc, 0x5d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xd9, 0xe3, 0x38, 0x06, 0x46, 0x70, 0x82, 0x5e, 0x28, 0x49, 0x79, 0xff, 0x25, 0xd2, 0x4e, 0x29, 0x8d, 0x06, 0xb0, 0x23, 0xae, 0x9b, 0x66, 0xe4, 0x7d, 0xc0, 0x70, 0x91, 0xa3, 0xfc, 0xec, 0x4e}} , + {{0x62, 0x12, 0x37, 0x6a, 0x30, 0xf6, 0x1e, 0xfb, 0x14, 0x5c, 0x0d, 0x0e, 0xb7, 0x81, 0x6a, 0xe7, 0x08, 0x05, 0xac, 0xaa, 0x38, 0x46, 0xe2, 0x73, 0xea, 0x4b, 0x07, 0x81, 0x43, 0x7c, 0x9e, 0x5e}}}, +{{{0xfc, 0xf9, 0x21, 0x4f, 0x2e, 0x76, 0x9b, 0x1f, 0x28, 0x60, 0x77, 0x43, 0x32, 0x9d, 0xbe, 0x17, 0x30, 0x2a, 0xc6, 0x18, 0x92, 0x66, 0x62, 0x30, 0x98, 0x40, 0x11, 0xa6, 0x7f, 0x18, 0x84, 0x28}} , + {{0x3f, 0xab, 0xd3, 0xf4, 0x8a, 0x76, 0xa1, 0x3c, 0xca, 0x2d, 0x49, 0xc3, 0xea, 0x08, 0x0b, 0x85, 0x17, 0x2a, 0xc3, 0x6c, 0x08, 0xfd, 0x57, 0x9f, 0x3d, 0x5f, 0xdf, 0x67, 0x68, 0x42, 0x00, 0x32}}}, +{{{0x51, 0x60, 0x1b, 0x06, 0x4f, 0x8a, 0x21, 0xba, 0x38, 0xa8, 0xba, 0xd6, 0x40, 0xf6, 0xe9, 0x9b, 0x76, 0x4d, 0x56, 0x21, 0x5b, 0x0a, 0x9b, 0x2e, 0x4f, 0x3d, 0x81, 0x32, 0x08, 0x9f, 0x97, 0x5b}} , + {{0xe5, 0x44, 0xec, 0x06, 0x9d, 0x90, 0x79, 0x9f, 0xd3, 0xe0, 0x79, 0xaf, 0x8f, 0x10, 0xfd, 0xdd, 0x04, 0xae, 0x27, 0x97, 0x46, 0x33, 0x79, 0xea, 0xb8, 0x4e, 0xca, 0x5a, 0x59, 0x57, 0xe1, 0x0e}}}, +{{{0x1a, 0xda, 0xf3, 0xa5, 0x41, 0x43, 0x28, 0xfc, 0x7e, 0xe7, 0x71, 0xea, 0xc6, 0x3b, 0x59, 0xcc, 0x2e, 0xd3, 0x40, 0xec, 0xb3, 0x13, 0x6f, 0x44, 0xcd, 0x13, 0xb2, 0x37, 0xf2, 0x6e, 0xd9, 0x1c}} , + {{0xe3, 0xdb, 0x60, 0xcd, 0x5c, 0x4a, 0x18, 0x0f, 0xef, 0x73, 0x36, 0x71, 0x8c, 0xf6, 0x11, 0xb4, 0xd8, 0xce, 0x17, 0x5e, 0x4f, 0x26, 0x77, 0x97, 0x5f, 0xcb, 0xef, 0x91, 0xeb, 0x6a, 0x62, 0x7a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x18, 0x4a, 0xa2, 0x97, 0x08, 0x81, 0x2d, 0x83, 0xc4, 0xcc, 0xf0, 0x83, 0x7e, 0xec, 0x0d, 0x95, 0x4c, 0x5b, 0xfb, 0xfa, 0x98, 0x80, 0x4a, 0x66, 0x56, 0x0c, 0x51, 0xb3, 0xf2, 0x04, 0x5d, 0x27}} , + {{0x3b, 0xb9, 0xb8, 0x06, 0x5a, 0x2e, 0xfe, 0xc3, 0x82, 0x37, 0x9c, 0xa3, 0x11, 0x1f, 0x9c, 0xa6, 0xda, 0x63, 0x48, 0x9b, 0xad, 0xde, 0x2d, 0xa6, 0xbc, 0x6e, 0x32, 0xda, 0x27, 0x65, 0xdd, 0x57}}}, +{{{0x84, 0x4f, 0x37, 0x31, 0x7d, 0x2e, 0xbc, 0xad, 0x87, 0x07, 0x2a, 0x6b, 0x37, 0xfc, 0x5f, 0xeb, 0x4e, 0x75, 0x35, 0xa6, 0xde, 0xab, 0x0a, 0x19, 0x3a, 0xb7, 0xb1, 0xef, 0x92, 0x6a, 0x3b, 0x3c}} , + {{0x3b, 0xb2, 0x94, 0x6d, 0x39, 0x60, 0xac, 0xee, 0xe7, 0x81, 0x1a, 0x3b, 0x76, 0x87, 0x5c, 0x05, 0x94, 0x2a, 0x45, 0xb9, 0x80, 0xe9, 0x22, 0xb1, 0x07, 0xcb, 0x40, 0x9e, 0x70, 0x49, 0x6d, 0x12}}}, +{{{0xfd, 0x18, 0x78, 0x84, 0xa8, 0x4c, 0x7d, 0x6e, 0x59, 0xa6, 0xe5, 0x74, 0xf1, 0x19, 0xa6, 0x84, 0x2e, 0x51, 0xc1, 0x29, 0x13, 0xf2, 0x14, 0x6b, 0x5d, 0x53, 0x51, 0xf7, 0xef, 0xbf, 0x01, 0x22}} , + {{0xa4, 0x4b, 0x62, 0x4c, 0xe6, 0xfd, 0x72, 0x07, 0xf2, 0x81, 0xfc, 0xf2, 0xbd, 0x12, 0x7c, 0x68, 0x76, 0x2a, 0xba, 0xf5, 0x65, 0xb1, 0x1f, 0x17, 0x0a, 0x38, 0xb0, 0xbf, 0xc0, 0xf8, 0xf4, 0x2a}}}, +{{{0x55, 0x60, 0x55, 0x5b, 0xe4, 0x1d, 0x71, 0x4c, 0x9d, 0x5b, 0x9f, 0x70, 0xa6, 0x85, 0x9a, 0x2c, 0xa0, 0xe2, 0x32, 0x48, 0xce, 0x9e, 0x2a, 0xa5, 0x07, 0x3b, 0xc7, 0x6c, 0x86, 0x77, 0xde, 0x3c}} , + {{0xf7, 0x18, 0x7a, 0x96, 0x7e, 0x43, 0x57, 0xa9, 0x55, 0xfc, 0x4e, 0xb6, 0x72, 0x00, 0xf2, 0xe4, 0xd7, 0x52, 0xd3, 0xd3, 0xb6, 0x85, 0xf6, 0x71, 0xc7, 0x44, 0x3f, 0x7f, 0xd7, 0xb3, 0xf2, 0x79}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x46, 0xca, 0xa7, 0x55, 0x7b, 0x79, 0xf3, 0xca, 0x5a, 0x65, 0xf6, 0xed, 0x50, 0x14, 0x7b, 0xe4, 0xc4, 0x2a, 0x65, 0x9e, 0xe2, 0xf9, 0xca, 0xa7, 0x22, 0x26, 0x53, 0xcb, 0x21, 0x5b, 0xa7, 0x31}} , + {{0x90, 0xd7, 0xc5, 0x26, 0x08, 0xbd, 0xb0, 0x53, 0x63, 0x58, 0xc3, 0x31, 0x5e, 0x75, 0x46, 0x15, 0x91, 0xa6, 0xf8, 0x2f, 0x1a, 0x08, 0x65, 0x88, 0x2f, 0x98, 0x04, 0xf1, 0x7c, 0x6e, 0x00, 0x77}}}, +{{{0x81, 0x21, 0x61, 0x09, 0xf6, 0x4e, 0xf1, 0x92, 0xee, 0x63, 0x61, 0x73, 0x87, 0xc7, 0x54, 0x0e, 0x42, 0x4b, 0xc9, 0x47, 0xd1, 0xb8, 0x7e, 0x91, 0x75, 0x37, 0x99, 0x28, 0xb8, 0xdd, 0x7f, 0x50}} , + {{0x89, 0x8f, 0xc0, 0xbe, 0x5d, 0xd6, 0x9f, 0xa0, 0xf0, 0x9d, 0x81, 0xce, 0x3a, 0x7b, 0x98, 0x58, 0xbb, 0xd7, 0x78, 0xc8, 0x3f, 0x13, 0xf1, 0x74, 0x19, 0xdf, 0xf8, 0x98, 0x89, 0x5d, 0xfa, 0x5f}}}, +{{{0x9e, 0x35, 0x85, 0x94, 0x47, 0x1f, 0x90, 0x15, 0x26, 0xd0, 0x84, 0xed, 0x8a, 0x80, 0xf7, 0x63, 0x42, 0x86, 0x27, 0xd7, 0xf4, 0x75, 0x58, 0xdc, 0x9c, 0xc0, 0x22, 0x7e, 0x20, 0x35, 0xfd, 0x1f}} , + {{0x68, 0x0e, 0x6f, 0x97, 0xba, 0x70, 0xbb, 0xa3, 0x0e, 0xe5, 0x0b, 0x12, 0xf4, 0xa2, 0xdc, 0x47, 0xf8, 0xe6, 0xd0, 0x23, 0x6c, 0x33, 0xa8, 0x99, 0x46, 0x6e, 0x0f, 0x44, 0xba, 0x76, 0x48, 0x0f}}}, +{{{0xa3, 0x2a, 0x61, 0x37, 0xe2, 0x59, 0x12, 0x0e, 0x27, 0xba, 0x64, 0x43, 0xae, 0xc0, 0x42, 0x69, 0x79, 0xa4, 0x1e, 0x29, 0x8b, 0x15, 0xeb, 0xf8, 0xaf, 0xd4, 0xa2, 0x68, 0x33, 0xb5, 0x7a, 0x24}} , + {{0x2c, 0x19, 0x33, 0xdd, 0x1b, 0xab, 0xec, 0x01, 0xb0, 0x23, 0xf8, 0x42, 0x2b, 0x06, 0x88, 0xea, 0x3d, 0x2d, 0x00, 0x2a, 0x78, 0x45, 0x4d, 0x38, 0xed, 0x2e, 0x2e, 0x44, 0x49, 0xed, 0xcb, 0x33}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xa0, 0x68, 0xe8, 0x41, 0x8f, 0x91, 0xf8, 0x11, 0x13, 0x90, 0x2e, 0xa7, 0xab, 0x30, 0xef, 0xad, 0xa0, 0x61, 0x00, 0x88, 0xef, 0xdb, 0xce, 0x5b, 0x5c, 0xbb, 0x62, 0xc8, 0x56, 0xf9, 0x00, 0x73}} , + {{0x3f, 0x60, 0xc1, 0x82, 0x2d, 0xa3, 0x28, 0x58, 0x24, 0x9e, 0x9f, 0xe3, 0x70, 0xcc, 0x09, 0x4e, 0x1a, 0x3f, 0x11, 0x11, 0x15, 0x07, 0x3c, 0xa4, 0x41, 0xe0, 0x65, 0xa3, 0x0a, 0x41, 0x6d, 0x11}}}, +{{{0x31, 0x40, 0x01, 0x52, 0x56, 0x94, 0x5b, 0x28, 0x8a, 0xaa, 0x52, 0xee, 0xd8, 0x0a, 0x05, 0x8d, 0xcd, 0xb5, 0xaa, 0x2e, 0x38, 0xaa, 0xb7, 0x87, 0xf7, 0x2b, 0xfb, 0x04, 0xcb, 0x84, 0x3d, 0x54}} , + {{0x20, 0xef, 0x59, 0xde, 0xa4, 0x2b, 0x93, 0x6e, 0x2e, 0xec, 0x42, 0x9a, 0xd4, 0x2d, 0xf4, 0x46, 0x58, 0x27, 0x2b, 0x18, 0x8f, 0x83, 0x3d, 0x69, 0x9e, 0xd4, 0x3e, 0xb6, 0xc5, 0xfd, 0x58, 0x03}}}, +{{{0x33, 0x89, 0xc9, 0x63, 0x62, 0x1c, 0x17, 0xb4, 0x60, 0xc4, 0x26, 0x68, 0x09, 0xc3, 0x2e, 0x37, 0x0f, 0x7b, 0xb4, 0x9c, 0xb6, 0xf9, 0xfb, 0xd4, 0x51, 0x78, 0xc8, 0x63, 0xea, 0x77, 0x47, 0x07}} , + {{0x32, 0xb4, 0x18, 0x47, 0x79, 0xcb, 0xd4, 0x5a, 0x07, 0x14, 0x0f, 0xa0, 0xd5, 0xac, 0xd0, 0x41, 0x40, 0xab, 0x61, 0x23, 0xe5, 0x2a, 0x2a, 0x6f, 0xf7, 0xa8, 0xd4, 0x76, 0xef, 0xe7, 0x45, 0x6c}}}, +{{{0xa1, 0x5e, 0x60, 0x4f, 0xfb, 0xe1, 0x70, 0x6a, 0x1f, 0x55, 0x4f, 0x09, 0xb4, 0x95, 0x33, 0x36, 0xc6, 0x81, 0x01, 0x18, 0x06, 0x25, 0x27, 0xa4, 0xb4, 0x24, 0xa4, 0x86, 0x03, 0x4c, 0xac, 0x02}} , + {{0x77, 0x38, 0xde, 0xd7, 0x60, 0x48, 0x07, 0xf0, 0x74, 0xa8, 0xff, 0x54, 0xe5, 0x30, 0x43, 0xff, 0x77, 0xfb, 0x21, 0x07, 0xff, 0xb2, 0x07, 0x6b, 0xe4, 0xe5, 0x30, 0xfc, 0x19, 0x6c, 0xa3, 0x01}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x13, 0xc5, 0x2c, 0xac, 0xd3, 0x83, 0x82, 0x7c, 0x29, 0xf7, 0x05, 0xa5, 0x00, 0xb6, 0x1f, 0x86, 0x55, 0xf4, 0xd6, 0x2f, 0x0c, 0x99, 0xd0, 0x65, 0x9b, 0x6b, 0x46, 0x0d, 0x43, 0xf8, 0x16, 0x28}} , + {{0x1e, 0x7f, 0xb4, 0x74, 0x7e, 0xb1, 0x89, 0x4f, 0x18, 0x5a, 0xab, 0x64, 0x06, 0xdf, 0x45, 0x87, 0xe0, 0x6a, 0xc6, 0xf0, 0x0e, 0xc9, 0x24, 0x35, 0x38, 0xea, 0x30, 0x54, 0xb4, 0xc4, 0x52, 0x54}}}, +{{{0xe9, 0x9f, 0xdc, 0x3f, 0xc1, 0x89, 0x44, 0x74, 0x27, 0xe4, 0xc1, 0x90, 0xff, 0x4a, 0xa7, 0x3c, 0xee, 0xcd, 0xf4, 0x1d, 0x25, 0x94, 0x7f, 0x63, 0x16, 0x48, 0xbc, 0x64, 0xfe, 0x95, 0xc4, 0x0c}} , + {{0x8b, 0x19, 0x75, 0x6e, 0x03, 0x06, 0x5e, 0x6a, 0x6f, 0x1a, 0x8c, 0xe3, 0xd3, 0x28, 0xf2, 0xe0, 0xb9, 0x7a, 0x43, 0x69, 0xe6, 0xd3, 0xc0, 0xfe, 0x7e, 0x97, 0xab, 0x6c, 0x7b, 0x8e, 0x13, 0x42}}}, +{{{0xd4, 0xca, 0x70, 0x3d, 0xab, 0xfb, 0x5f, 0x5e, 0x00, 0x0c, 0xcc, 0x77, 0x22, 0xf8, 0x78, 0x55, 0xae, 0x62, 0x35, 0xfb, 0x9a, 0xc6, 0x03, 0xe4, 0x0c, 0xee, 0xab, 0xc7, 0xc0, 0x89, 0x87, 0x54}} , + {{0x32, 0xad, 0xae, 0x85, 0x58, 0x43, 0xb8, 0xb1, 0xe6, 0x3e, 0x00, 0x9c, 0x78, 0x88, 0x56, 0xdb, 0x9c, 0xfc, 0x79, 0xf6, 0xf9, 0x41, 0x5f, 0xb7, 0xbc, 0x11, 0xf9, 0x20, 0x36, 0x1c, 0x53, 0x2b}}}, +{{{0x5a, 0x20, 0x5b, 0xa1, 0xa5, 0x44, 0x91, 0x24, 0x02, 0x63, 0x12, 0x64, 0xb8, 0x55, 0xf6, 0xde, 0x2c, 0xdb, 0x47, 0xb8, 0xc6, 0x0a, 0xc3, 0x00, 0x78, 0x93, 0xd8, 0xf5, 0xf5, 0x18, 0x28, 0x0a}} , + {{0xd6, 0x1b, 0x9a, 0x6c, 0xe5, 0x46, 0xea, 0x70, 0x96, 0x8d, 0x4e, 0x2a, 0x52, 0x21, 0x26, 0x4b, 0xb1, 0xbb, 0x0f, 0x7c, 0xa9, 0x9b, 0x04, 0xbb, 0x51, 0x08, 0xf1, 0x9a, 0xa4, 0x76, 0x7c, 0x18}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xfa, 0x94, 0xf7, 0x40, 0xd0, 0xd7, 0xeb, 0xa9, 0x82, 0x36, 0xd5, 0x15, 0xb9, 0x33, 0x7a, 0xbf, 0x8a, 0xf2, 0x63, 0xaa, 0x37, 0xf5, 0x59, 0xac, 0xbd, 0xbb, 0x32, 0x36, 0xbe, 0x73, 0x99, 0x38}} , + {{0x2c, 0xb3, 0xda, 0x7a, 0xd8, 0x3d, 0x99, 0xca, 0xd2, 0xf4, 0xda, 0x99, 0x8e, 0x4f, 0x98, 0xb7, 0xf4, 0xae, 0x3e, 0x9f, 0x8e, 0x35, 0x60, 0xa4, 0x33, 0x75, 0xa4, 0x04, 0x93, 0xb1, 0x6b, 0x4d}}}, +{{{0x97, 0x9d, 0xa8, 0xcd, 0x97, 0x7b, 0x9d, 0xb9, 0xe7, 0xa5, 0xef, 0xfd, 0xa8, 0x42, 0x6b, 0xc3, 0x62, 0x64, 0x7d, 0xa5, 0x1b, 0xc9, 0x9e, 0xd2, 0x45, 0xb9, 0xee, 0x03, 0xb0, 0xbf, 0xc0, 0x68}} , + {{0xed, 0xb7, 0x84, 0x2c, 0xf6, 0xd3, 0xa1, 0x6b, 0x24, 0x6d, 0x87, 0x56, 0x97, 0x59, 0x79, 0x62, 0x9f, 0xac, 0xed, 0xf3, 0xc9, 0x89, 0x21, 0x2e, 0x04, 0xb3, 0xcc, 0x2f, 0xbe, 0xd6, 0x0a, 0x4b}}}, +{{{0x39, 0x61, 0x05, 0xed, 0x25, 0x89, 0x8b, 0x5d, 0x1b, 0xcb, 0x0c, 0x55, 0xf4, 0x6a, 0x00, 0x8a, 0x46, 0xe8, 0x1e, 0xc6, 0x83, 0xc8, 0x5a, 0x76, 0xdb, 0xcc, 0x19, 0x7a, 0xcc, 0x67, 0x46, 0x0b}} , + {{0x53, 0xcf, 0xc2, 0xa1, 0xad, 0x6a, 0xf3, 0xcd, 0x8f, 0xc9, 0xde, 0x1c, 0xf8, 0x6c, 0x8f, 0xf8, 0x76, 0x42, 0xe7, 0xfe, 0xb2, 0x72, 0x21, 0x0a, 0x66, 0x74, 0x8f, 0xb7, 0xeb, 0xe4, 0x6f, 0x01}}}, +{{{0x22, 0x8c, 0x6b, 0xbe, 0xfc, 0x4d, 0x70, 0x62, 0x6e, 0x52, 0x77, 0x99, 0x88, 0x7e, 0x7b, 0x57, 0x7a, 0x0d, 0xfe, 0xdc, 0x72, 0x92, 0xf1, 0x68, 0x1d, 0x97, 0xd7, 0x7c, 0x8d, 0x53, 0x10, 0x37}} , + {{0x53, 0x88, 0x77, 0x02, 0xca, 0x27, 0xa8, 0xe5, 0x45, 0xe2, 0xa8, 0x48, 0x2a, 0xab, 0x18, 0xca, 0xea, 0x2d, 0x2a, 0x54, 0x17, 0x37, 0x32, 0x09, 0xdc, 0xe0, 0x4a, 0xb7, 0x7d, 0x82, 0x10, 0x7d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x8a, 0x64, 0x1e, 0x14, 0x0a, 0x57, 0xd4, 0xda, 0x5c, 0x96, 0x9b, 0x01, 0x4c, 0x67, 0xbf, 0x8b, 0x30, 0xfe, 0x08, 0xdb, 0x0d, 0xd5, 0xa8, 0xd7, 0x09, 0x11, 0x85, 0xa2, 0xd3, 0x45, 0xfb, 0x7e}} , + {{0xda, 0x8c, 0xc2, 0xd0, 0xac, 0x18, 0xe8, 0x52, 0x36, 0xd4, 0x21, 0xa3, 0xdd, 0x57, 0x22, 0x79, 0xb7, 0xf8, 0x71, 0x9d, 0xc6, 0x91, 0x70, 0x86, 0x56, 0xbf, 0xa1, 0x11, 0x8b, 0x19, 0xe1, 0x0f}}}, +{{{0x18, 0x32, 0x98, 0x2c, 0x8f, 0x91, 0xae, 0x12, 0xf0, 0x8c, 0xea, 0xf3, 0x3c, 0xb9, 0x5d, 0xe4, 0x69, 0xed, 0xb2, 0x47, 0x18, 0xbd, 0xce, 0x16, 0x52, 0x5c, 0x23, 0xe2, 0xa5, 0x25, 0x52, 0x5d}} , + {{0xb9, 0xb1, 0xe7, 0x5d, 0x4e, 0xbc, 0xee, 0xbb, 0x40, 0x81, 0x77, 0x82, 0x19, 0xab, 0xb5, 0xc6, 0xee, 0xab, 0x5b, 0x6b, 0x63, 0x92, 0x8a, 0x34, 0x8d, 0xcd, 0xee, 0x4f, 0x49, 0xe5, 0xc9, 0x7e}}}, +{{{0x21, 0xac, 0x8b, 0x22, 0xcd, 0xc3, 0x9a, 0xe9, 0x5e, 0x78, 0xbd, 0xde, 0xba, 0xad, 0xab, 0xbf, 0x75, 0x41, 0x09, 0xc5, 0x58, 0xa4, 0x7d, 0x92, 0xb0, 0x7f, 0xf2, 0xa1, 0xd1, 0xc0, 0xb3, 0x6d}} , + {{0x62, 0x4f, 0xd0, 0x75, 0x77, 0xba, 0x76, 0x77, 0xd7, 0xb8, 0xd8, 0x92, 0x6f, 0x98, 0x34, 0x3d, 0xd6, 0x4e, 0x1c, 0x0f, 0xf0, 0x8f, 0x2e, 0xf1, 0xb3, 0xbd, 0xb1, 0xb9, 0xec, 0x99, 0xb4, 0x07}}}, +{{{0x60, 0x57, 0x2e, 0x9a, 0x72, 0x1d, 0x6b, 0x6e, 0x58, 0x33, 0x24, 0x8c, 0x48, 0x39, 0x46, 0x8e, 0x89, 0x6a, 0x88, 0x51, 0x23, 0x62, 0xb5, 0x32, 0x09, 0x36, 0xe3, 0x57, 0xf5, 0x98, 0xde, 0x6f}} , + {{0x8b, 0x2c, 0x00, 0x48, 0x4a, 0xf9, 0x5b, 0x87, 0x69, 0x52, 0xe5, 0x5b, 0xd1, 0xb1, 0xe5, 0x25, 0x25, 0xe0, 0x9c, 0xc2, 0x13, 0x44, 0xe8, 0xb9, 0x0a, 0x70, 0xad, 0xbd, 0x0f, 0x51, 0x94, 0x69}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xa2, 0xdc, 0xab, 0xa9, 0x25, 0x2d, 0xac, 0x5f, 0x03, 0x33, 0x08, 0xe7, 0x7e, 0xfe, 0x95, 0x36, 0x3c, 0x5b, 0x3a, 0xd3, 0x05, 0x82, 0x1c, 0x95, 0x2d, 0xd8, 0x77, 0x7e, 0x02, 0xd9, 0x5b, 0x70}} , + {{0xc2, 0xfe, 0x1b, 0x0c, 0x67, 0xcd, 0xd6, 0xe0, 0x51, 0x8e, 0x2c, 0xe0, 0x79, 0x88, 0xf0, 0xcf, 0x41, 0x4a, 0xad, 0x23, 0xd4, 0x46, 0xca, 0x94, 0xa1, 0xc3, 0xeb, 0x28, 0x06, 0xfa, 0x17, 0x14}}}, +{{{0x7b, 0xaa, 0x70, 0x0a, 0x4b, 0xfb, 0xf5, 0xbf, 0x80, 0xc5, 0xcf, 0x08, 0x7a, 0xdd, 0xa1, 0xf4, 0x9d, 0x54, 0x50, 0x53, 0x23, 0x77, 0x23, 0xf5, 0x34, 0xa5, 0x22, 0xd1, 0x0d, 0x96, 0x2e, 0x47}} , + {{0xcc, 0xb7, 0x32, 0x89, 0x57, 0xd0, 0x98, 0x75, 0xe4, 0x37, 0x99, 0xa9, 0xe8, 0xba, 0xed, 0xba, 0xeb, 0xc7, 0x4f, 0x15, 0x76, 0x07, 0x0c, 0x4c, 0xef, 0x9f, 0x52, 0xfc, 0x04, 0x5d, 0x58, 0x10}}}, +{{{0xce, 0x82, 0xf0, 0x8f, 0x79, 0x02, 0xa8, 0xd1, 0xda, 0x14, 0x09, 0x48, 0xee, 0x8a, 0x40, 0x98, 0x76, 0x60, 0x54, 0x5a, 0xde, 0x03, 0x24, 0xf5, 0xe6, 0x2f, 0xe1, 0x03, 0xbf, 0x68, 0x82, 0x7f}} , + {{0x64, 0xe9, 0x28, 0xc7, 0xa4, 0xcf, 0x2a, 0xf9, 0x90, 0x64, 0x72, 0x2c, 0x8b, 0xeb, 0xec, 0xa0, 0xf2, 0x7d, 0x35, 0xb5, 0x90, 0x4d, 0x7f, 0x5b, 0x4a, 0x49, 0xe4, 0xb8, 0x3b, 0xc8, 0xa1, 0x2f}}}, +{{{0x8b, 0xc5, 0xcc, 0x3d, 0x69, 0xa6, 0xa1, 0x18, 0x44, 0xbc, 0x4d, 0x77, 0x37, 0xc7, 0x86, 0xec, 0x0c, 0xc9, 0xd6, 0x44, 0xa9, 0x23, 0x27, 0xb9, 0x03, 0x34, 0xa7, 0x0a, 0xd5, 0xc7, 0x34, 0x37}} , + {{0xf9, 0x7e, 0x3e, 0x66, 0xee, 0xf9, 0x99, 0x28, 0xff, 0xad, 0x11, 0xd8, 0xe2, 0x66, 0xc5, 0xcd, 0x0f, 0x0d, 0x0b, 0x6a, 0xfc, 0x7c, 0x24, 0xa8, 0x4f, 0xa8, 0x5e, 0x80, 0x45, 0x8b, 0x6c, 0x41}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xef, 0x1e, 0xec, 0xf7, 0x8d, 0x77, 0xf2, 0xea, 0xdb, 0x60, 0x03, 0x21, 0xc0, 0xff, 0x5e, 0x67, 0xc3, 0x71, 0x0b, 0x21, 0xb4, 0x41, 0xa0, 0x68, 0x38, 0xc6, 0x01, 0xa3, 0xd3, 0x51, 0x3c, 0x3c}} , + {{0x92, 0xf8, 0xd6, 0x4b, 0xef, 0x42, 0x13, 0xb2, 0x4a, 0xc4, 0x2e, 0x72, 0x3f, 0xc9, 0x11, 0xbd, 0x74, 0x02, 0x0e, 0xf5, 0x13, 0x9d, 0x83, 0x1a, 0x1b, 0xd5, 0x54, 0xde, 0xc4, 0x1e, 0x16, 0x6c}}}, +{{{0x27, 0x52, 0xe4, 0x63, 0xaa, 0x94, 0xe6, 0xc3, 0x28, 0x9c, 0xc6, 0x56, 0xac, 0xfa, 0xb6, 0xbd, 0xe2, 0xcc, 0x76, 0xc6, 0x27, 0x27, 0xa2, 0x8e, 0x78, 0x2b, 0x84, 0x72, 0x10, 0xbd, 0x4e, 0x2a}} , + {{0xea, 0xa7, 0x23, 0xef, 0x04, 0x61, 0x80, 0x50, 0xc9, 0x6e, 0xa5, 0x96, 0xd1, 0xd1, 0xc8, 0xc3, 0x18, 0xd7, 0x2d, 0xfd, 0x26, 0xbd, 0xcb, 0x7b, 0x92, 0x51, 0x0e, 0x4a, 0x65, 0x57, 0xb8, 0x49}}}, +{{{0xab, 0x55, 0x36, 0xc3, 0xec, 0x63, 0x55, 0x11, 0x55, 0xf6, 0xa5, 0xc7, 0x01, 0x5f, 0xfe, 0x79, 0xd8, 0x0a, 0xf7, 0x03, 0xd8, 0x98, 0x99, 0xf5, 0xd0, 0x00, 0x54, 0x6b, 0x66, 0x28, 0xf5, 0x25}} , + {{0x7a, 0x8d, 0xa1, 0x5d, 0x70, 0x5d, 0x51, 0x27, 0xee, 0x30, 0x65, 0x56, 0x95, 0x46, 0xde, 0xbd, 0x03, 0x75, 0xb4, 0x57, 0x59, 0x89, 0xeb, 0x02, 0x9e, 0xcc, 0x89, 0x19, 0xa7, 0xcb, 0x17, 0x67}}}, +{{{0x6a, 0xeb, 0xfc, 0x9a, 0x9a, 0x10, 0xce, 0xdb, 0x3a, 0x1c, 0x3c, 0x6a, 0x9d, 0xea, 0x46, 0xbc, 0x45, 0x49, 0xac, 0xe3, 0x41, 0x12, 0x7c, 0xf0, 0xf7, 0x4f, 0xf9, 0xf7, 0xff, 0x2c, 0x89, 0x04}} , + {{0x30, 0x31, 0x54, 0x1a, 0x46, 0xca, 0xe6, 0xc6, 0xcb, 0xe2, 0xc3, 0xc1, 0x8b, 0x75, 0x81, 0xbe, 0xee, 0xf8, 0xa3, 0x11, 0x1c, 0x25, 0xa3, 0xa7, 0x35, 0x51, 0x55, 0xe2, 0x25, 0xaa, 0xe2, 0x3a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xb4, 0x48, 0x10, 0x9f, 0x8a, 0x09, 0x76, 0xfa, 0xf0, 0x7a, 0xb0, 0x70, 0xf7, 0x83, 0x80, 0x52, 0x84, 0x2b, 0x26, 0xa2, 0xc4, 0x5d, 0x4f, 0xba, 0xb1, 0xc8, 0x40, 0x0d, 0x78, 0x97, 0xc4, 0x60}} , + {{0xd4, 0xb1, 0x6c, 0x08, 0xc7, 0x40, 0x38, 0x73, 0x5f, 0x0b, 0xf3, 0x76, 0x5d, 0xb2, 0xa5, 0x2f, 0x57, 0x57, 0x07, 0xed, 0x08, 0xa2, 0x6c, 0x4f, 0x08, 0x02, 0xb5, 0x0e, 0xee, 0x44, 0xfa, 0x22}}}, +{{{0x0f, 0x00, 0x3f, 0xa6, 0x04, 0x19, 0x56, 0x65, 0x31, 0x7f, 0x8b, 0xeb, 0x0d, 0xe1, 0x47, 0x89, 0x97, 0x16, 0x53, 0xfa, 0x81, 0xa7, 0xaa, 0xb2, 0xbf, 0x67, 0xeb, 0x72, 0x60, 0x81, 0x0d, 0x48}} , + {{0x7e, 0x13, 0x33, 0xcd, 0xa8, 0x84, 0x56, 0x1e, 0x67, 0xaf, 0x6b, 0x43, 0xac, 0x17, 0xaf, 0x16, 0xc0, 0x52, 0x99, 0x49, 0x5b, 0x87, 0x73, 0x7e, 0xb5, 0x43, 0xda, 0x6b, 0x1d, 0x0f, 0x2d, 0x55}}}, +{{{0xe9, 0x58, 0x1f, 0xff, 0x84, 0x3f, 0x93, 0x1c, 0xcb, 0xe1, 0x30, 0x69, 0xa5, 0x75, 0x19, 0x7e, 0x14, 0x5f, 0xf8, 0xfc, 0x09, 0xdd, 0xa8, 0x78, 0x9d, 0xca, 0x59, 0x8b, 0xd1, 0x30, 0x01, 0x13}} , + {{0xff, 0x76, 0x03, 0xc5, 0x4b, 0x89, 0x99, 0x70, 0x00, 0x59, 0x70, 0x9c, 0xd5, 0xd9, 0x11, 0x89, 0x5a, 0x46, 0xfe, 0xef, 0xdc, 0xd9, 0x55, 0x2b, 0x45, 0xa7, 0xb0, 0x2d, 0xfb, 0x24, 0xc2, 0x29}}}, +{{{0x38, 0x06, 0xf8, 0x0b, 0xac, 0x82, 0xc4, 0x97, 0x2b, 0x90, 0xe0, 0xf7, 0xa8, 0xab, 0x6c, 0x08, 0x80, 0x66, 0x90, 0x46, 0xf7, 0x26, 0x2d, 0xf8, 0xf1, 0xc4, 0x6b, 0x4a, 0x82, 0x98, 0x8e, 0x37}} , + {{0x8e, 0xb4, 0xee, 0xb8, 0xd4, 0x3f, 0xb2, 0x1b, 0xe0, 0x0a, 0x3d, 0x75, 0x34, 0x28, 0xa2, 0x8e, 0xc4, 0x92, 0x7b, 0xfe, 0x60, 0x6e, 0x6d, 0xb8, 0x31, 0x1d, 0x62, 0x0d, 0x78, 0x14, 0x42, 0x11}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x5e, 0xa8, 0xd8, 0x04, 0x9b, 0x73, 0xc9, 0xc9, 0xdc, 0x0d, 0x73, 0xbf, 0x0a, 0x0a, 0x73, 0xff, 0x18, 0x1f, 0x9c, 0x51, 0xaa, 0xc6, 0xf1, 0x83, 0x25, 0xfd, 0xab, 0xa3, 0x11, 0xd3, 0x01, 0x24}} , + {{0x4d, 0xe3, 0x7e, 0x38, 0x62, 0x5e, 0x64, 0xbb, 0x2b, 0x53, 0xb5, 0x03, 0x68, 0xc4, 0xf2, 0x2b, 0x5a, 0x03, 0x32, 0x99, 0x4a, 0x41, 0x9a, 0xe1, 0x1a, 0xae, 0x8c, 0x48, 0xf3, 0x24, 0x32, 0x65}}}, +{{{0xe8, 0xdd, 0xad, 0x3a, 0x8c, 0xea, 0xf4, 0xb3, 0xb2, 0xe5, 0x73, 0xf2, 0xed, 0x8b, 0xbf, 0xed, 0xb1, 0x0c, 0x0c, 0xfb, 0x2b, 0xf1, 0x01, 0x48, 0xe8, 0x26, 0x03, 0x8e, 0x27, 0x4d, 0x96, 0x72}} , + {{0xc8, 0x09, 0x3b, 0x60, 0xc9, 0x26, 0x4d, 0x7c, 0xf2, 0x9c, 0xd4, 0xa1, 0x3b, 0x26, 0xc2, 0x04, 0x33, 0x44, 0x76, 0x3c, 0x02, 0xbb, 0x11, 0x42, 0x0c, 0x22, 0xb7, 0xc6, 0xe1, 0xac, 0xb4, 0x0e}}}, +{{{0x6f, 0x85, 0xe7, 0xef, 0xde, 0x67, 0x30, 0xfc, 0xbf, 0x5a, 0xe0, 0x7b, 0x7a, 0x2a, 0x54, 0x6b, 0x5d, 0x62, 0x85, 0xa1, 0xf8, 0x16, 0x88, 0xec, 0x61, 0xb9, 0x96, 0xb5, 0xef, 0x2d, 0x43, 0x4d}} , + {{0x7c, 0x31, 0x33, 0xcc, 0xe4, 0xcf, 0x6c, 0xff, 0x80, 0x47, 0x77, 0xd1, 0xd8, 0xe9, 0x69, 0x97, 0x98, 0x7f, 0x20, 0x57, 0x1d, 0x1d, 0x4f, 0x08, 0x27, 0xc8, 0x35, 0x57, 0x40, 0xc6, 0x21, 0x0c}}}, +{{{0xd2, 0x8e, 0x9b, 0xfa, 0x42, 0x8e, 0xdf, 0x8f, 0xc7, 0x86, 0xf9, 0xa4, 0xca, 0x70, 0x00, 0x9d, 0x21, 0xbf, 0xec, 0x57, 0x62, 0x30, 0x58, 0x8c, 0x0d, 0x35, 0xdb, 0x5d, 0x8b, 0x6a, 0xa0, 0x5a}} , + {{0xc1, 0x58, 0x7c, 0x0d, 0x20, 0xdd, 0x11, 0x26, 0x5f, 0x89, 0x3b, 0x97, 0x58, 0xf8, 0x8b, 0xe3, 0xdf, 0x32, 0xe2, 0xfc, 0xd8, 0x67, 0xf2, 0xa5, 0x37, 0x1e, 0x6d, 0xec, 0x7c, 0x27, 0x20, 0x79}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + 
{{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xd0, 0xe9, 0xc0, 0xfa, 0x95, 0x45, 0x23, 0x96, 0xf1, 0x2c, 0x79, 0x25, 0x14, 0xce, 0x40, 0x14, 0x44, 0x2c, 0x36, 0x50, 0xd9, 0x63, 0x56, 0xb7, 0x56, 0x3b, 0x9e, 0xa7, 0xef, 0x89, 0xbb, 0x0e}} , + {{0xce, 0x7f, 0xdc, 0x0a, 0xcc, 0x82, 0x1c, 0x0a, 0x78, 0x71, 0xe8, 0x74, 0x8d, 0x01, 0x30, 0x0f, 0xa7, 0x11, 0x4c, 0xdf, 0x38, 0xd7, 0xa7, 0x0d, 0xf8, 0x48, 0x52, 0x00, 0x80, 0x7b, 0x5f, 0x0e}}}, +{{{0x25, 0x83, 0xe6, 0x94, 0x7b, 0x81, 0xb2, 0x91, 0xae, 0x0e, 0x05, 0xc9, 0xa3, 0x68, 0x2d, 0xd9, 0x88, 0x25, 0x19, 0x2a, 0x61, 0x61, 0x21, 0x97, 0x15, 0xa1, 0x35, 0xa5, 0x46, 0xc8, 0xa2, 0x0e}} , + {{0x1b, 0x03, 0x0d, 0x8b, 0x5a, 0x1b, 0x97, 0x4b, 0xf2, 0x16, 0x31, 0x3d, 0x1f, 0x33, 0xa0, 0x50, 0x3a, 0x18, 0xbe, 0x13, 0xa1, 0x76, 0xc1, 0xba, 0x1b, 0xf1, 0x05, 0x7b, 0x33, 0xa8, 0x82, 0x3b}}}, +{{{0xba, 0x36, 0x7b, 0x6d, 0xa9, 0xea, 0x14, 0x12, 0xc5, 0xfa, 0x91, 0x00, 0xba, 0x9b, 0x99, 0xcc, 0x56, 0x02, 0xe9, 0xa0, 0x26, 0x40, 0x66, 0x8c, 0xc4, 0xf8, 0x85, 0x33, 0x68, 0xe7, 0x03, 0x20}} , + {{0x50, 0x5b, 0xff, 0xa9, 0xb2, 0xf1, 0xf1, 0x78, 0xcf, 0x14, 0xa4, 0xa9, 0xfc, 0x09, 0x46, 0x94, 0x54, 0x65, 0x0d, 0x9c, 0x5f, 0x72, 0x21, 0xe2, 0x97, 0xa5, 0x2d, 0x81, 0xce, 0x4a, 0x5f, 0x79}}}, +{{{0x3d, 0x5f, 0x5c, 0xd2, 0xbc, 0x7d, 0x77, 0x0e, 0x2a, 0x6d, 0x22, 0x45, 0x84, 0x06, 0xc4, 0xdd, 0xc6, 0xa6, 0xc6, 0xd7, 0x49, 0xad, 0x6d, 0x87, 0x91, 0x0e, 0x3a, 0x67, 0x1d, 0x2c, 0x1d, 0x56}} , + {{0xfe, 0x7a, 0x74, 0xcf, 0xd4, 0xd2, 0xe5, 0x19, 0xde, 0xd0, 0xdb, 0x70, 0x23, 0x69, 0xe6, 0x6d, 0xec, 0xec, 0xcc, 0x09, 0x33, 0x6a, 0x77, 0xdc, 0x6b, 0x22, 0x76, 0x5d, 0x92, 0x09, 0xac, 0x2d}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x23, 0x15, 0x17, 0xeb, 0xd3, 0xdb, 0x12, 0x5e, 0x01, 0xf0, 0x91, 0xab, 0x2c, 0x41, 0xce, 0xac, 0xed, 0x1b, 0x4b, 0x2d, 0xbc, 0xdb, 0x17, 0x66, 0x89, 0x46, 0xad, 0x4b, 0x1e, 0x6f, 0x0b, 0x14}} , + {{0x11, 0xce, 0xbf, 0xb6, 0x77, 0x2d, 0x48, 0x22, 0x18, 0x4f, 0xa3, 0x5d, 0x4a, 0xb0, 0x70, 0x12, 0x3e, 0x54, 0xd7, 0xd8, 0x0e, 0x2b, 0x27, 0xdc, 0x53, 0xff, 0xca, 0x8c, 0x59, 0xb3, 0x4e, 0x44}}}, +{{{0x07, 0x76, 0x61, 0x0f, 0x66, 0xb2, 0x21, 0x39, 0x7e, 0xc0, 0xec, 0x45, 0x28, 0x82, 0xa1, 0x29, 0x32, 0x44, 0x35, 0x13, 0x5e, 0x61, 0x5e, 0x54, 0xcb, 0x7c, 0xef, 0xf6, 0x41, 0xcf, 0x9f, 0x0a}} , + {{0xdd, 0xf9, 0xda, 0x84, 0xc3, 0xe6, 0x8a, 0x9f, 0x24, 0xd2, 0x96, 0x5d, 0x39, 0x6f, 0x58, 0x8c, 0xc1, 0x56, 0x93, 0xab, 0xb5, 0x79, 0x3b, 0xd2, 0xa8, 0x73, 0x16, 0xed, 0xfa, 0xb4, 0x2f, 0x73}}}, +{{{0x8b, 0xb1, 0x95, 0xe5, 0x92, 0x50, 0x35, 0x11, 0x76, 0xac, 0xf4, 0x4d, 0x24, 0xc3, 0x32, 0xe6, 0xeb, 0xfe, 0x2c, 0x87, 0xc4, 0xf1, 0x56, 0xc4, 0x75, 0x24, 0x7a, 0x56, 0x85, 0x5a, 0x3a, 0x13}} , + {{0x0d, 0x16, 0xac, 0x3c, 0x4a, 0x58, 0x86, 0x3a, 0x46, 0x7f, 0x6c, 0xa3, 0x52, 0x6e, 0x37, 0xe4, 0x96, 0x9c, 0xe9, 0x5c, 0x66, 0x41, 0x67, 0xe4, 0xfb, 0x79, 0x0c, 0x05, 0xf6, 0x64, 0xd5, 0x7c}}}, +{{{0x28, 0xc1, 0xe1, 0x54, 0x73, 0xf2, 0xbf, 0x76, 0x74, 0x19, 0x19, 0x1b, 0xe4, 0xb9, 0xa8, 0x46, 0x65, 0x73, 0xf3, 0x77, 0x9b, 0x29, 0x74, 0x5b, 0xc6, 0x89, 0x6c, 0x2c, 0x7c, 0xf8, 0xb3, 0x0f}} , + {{0xf7, 0xd5, 0xe9, 0x74, 0x5d, 0xb8, 0x25, 0x16, 0xb5, 0x30, 0xbc, 0x84, 0xc5, 0xf0, 0xad, 0xca, 0x12, 0x28, 0xbc, 0x9d, 0xd4, 0xfa, 0x82, 0xe6, 0xe3, 0xbf, 0xa2, 0x15, 0x2c, 0xd4, 0x34, 0x10}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x61, 0xb1, 0x46, 0xba, 0x0e, 0x31, 0xa5, 0x67, 0x6c, 0x7f, 0xd6, 0xd9, 0x27, 0x85, 0x0f, 0x79, 0x14, 0xc8, 0x6c, 0x2f, 0x5f, 0x5b, 0x9c, 0x35, 0x3d, 0x38, 0x86, 0x77, 0x65, 0x55, 0x6a, 0x7b}} , + {{0xd3, 0xb0, 0x3a, 0x66, 0x60, 0x1b, 0x43, 0xf1, 0x26, 0x58, 0x99, 0x09, 0x8f, 0x2d, 0xa3, 0x14, 0x71, 0x85, 0xdb, 0xed, 0xf6, 0x26, 0xd5, 0x61, 0x9a, 0x73, 0xac, 0x0e, 0xea, 0xac, 0xb7, 0x0c}}}, +{{{0x5e, 0xf4, 0xe5, 0x17, 0x0e, 0x10, 0x9f, 0xe7, 0x43, 0x5f, 0x67, 0x5c, 0xac, 0x4b, 0xe5, 0x14, 0x41, 0xd2, 0xbf, 0x48, 0xf5, 0x14, 0xb0, 0x71, 0xc6, 0x61, 0xc1, 0xb2, 0x70, 0x58, 0xd2, 0x5a}} , + {{0x2d, 0xba, 0x16, 0x07, 0x92, 0x94, 0xdc, 0xbd, 0x50, 0x2b, 0xc9, 0x7f, 0x42, 0x00, 0xba, 0x61, 0xed, 0xf8, 0x43, 0xed, 0xf5, 0xf9, 0x40, 0x60, 0xb2, 0xb0, 0x82, 0xcb, 0xed, 0x75, 0xc7, 0x65}}}, +{{{0x80, 0xba, 0x0d, 0x09, 0x40, 0xa7, 0x39, 0xa6, 0x67, 0x34, 0x7e, 0x66, 0xbe, 0x56, 0xfb, 0x53, 0x78, 0xc4, 0x46, 0xe8, 0xed, 0x68, 0x6c, 0x7f, 0xce, 0xe8, 0x9f, 0xce, 0xa2, 0x64, 0x58, 0x53}} , + {{0xe8, 0xc1, 0xa9, 0xc2, 0x7b, 0x59, 0x21, 0x33, 0xe2, 0x43, 0x73, 0x2b, 0xac, 0x2d, 0xc1, 0x89, 0x3b, 0x15, 0xe2, 0xd5, 0xc0, 0x97, 0x8a, 0xfd, 0x6f, 0x36, 0x33, 0xb7, 0xb9, 0xc3, 0x88, 0x09}}}, +{{{0xd0, 0xb6, 0x56, 0x30, 0x5c, 0xae, 0xb3, 0x75, 0x44, 0xa4, 0x83, 0x51, 0x6e, 0x01, 0x65, 0xef, 0x45, 0x76, 0xe6, 0xf5, 0xa2, 0x0d, 0xd4, 0x16, 0x3b, 0x58, 0x2f, 0xf2, 0x2f, 0x36, 0x18, 0x3f}} , + {{0xfd, 0x2f, 0xe0, 0x9b, 0x1e, 0x8c, 0xc5, 0x18, 0xa9, 0xca, 0xd4, 0x2b, 0x35, 0xb6, 0x95, 0x0a, 0x9f, 0x7e, 0xfb, 0xc4, 0xef, 0x88, 0x7b, 0x23, 0x43, 0xec, 0x2f, 0x0d, 0x0f, 0x7a, 0xfc, 0x5c}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x8d, 0xd2, 0xda, 0xc7, 0x44, 0xd6, 0x7a, 0xdb, 0x26, 0x7d, 0x1d, 0xb8, 0xe1, 0xde, 0x9d, 0x7a, 0x7d, 0x17, 0x7e, 0x1c, 0x37, 0x04, 0x8d, 0x2d, 0x7c, 0x5e, 0x18, 0x38, 0x1e, 0xaf, 0xc7, 0x1b}} , + {{0x33, 0x48, 0x31, 0x00, 0x59, 0xf6, 0xf2, 0xca, 0x0f, 0x27, 0x1b, 0x63, 0x12, 0x7e, 0x02, 0x1d, 0x49, 0xc0, 0x5d, 0x79, 0x87, 0xef, 0x5e, 0x7a, 0x2f, 0x1f, 0x66, 0x55, 0xd8, 0x09, 0xd9, 0x61}}}, +{{{0x54, 0x83, 0x02, 0x18, 0x82, 0x93, 0x99, 0x07, 0xd0, 0xa7, 0xda, 0xd8, 0x75, 0x89, 0xfa, 0xf2, 0xd9, 0xa3, 0xb8, 0x6b, 0x5a, 0x35, 0x28, 0xd2, 0x6b, 0x59, 0xc2, 0xf8, 0x45, 0xe2, 0xbc, 0x06}} , + {{0x65, 0xc0, 0xa3, 0x88, 0x51, 0x95, 0xfc, 0x96, 0x94, 0x78, 0xe8, 0x0d, 0x8b, 0x41, 0xc9, 0xc2, 0x58, 0x48, 0x75, 0x10, 0x2f, 0xcd, 0x2a, 0xc9, 0xa0, 0x6d, 0x0f, 0xdd, 0x9c, 0x98, 0x26, 0x3d}}}, +{{{0x2f, 0x66, 0x29, 0x1b, 0x04, 0x89, 0xbd, 0x7e, 0xee, 0x6e, 0xdd, 0xb7, 0x0e, 0xef, 0xb0, 0x0c, 0xb4, 0xfc, 0x7f, 0xc2, 0xc9, 0x3a, 0x3c, 0x64, 0xef, 0x45, 0x44, 0xaf, 0x8a, 0x90, 0x65, 0x76}} , + {{0xa1, 0x4c, 0x70, 0x4b, 0x0e, 0xa0, 0x83, 0x70, 0x13, 0xa4, 0xaf, 0xb8, 0x38, 0x19, 0x22, 0x65, 0x09, 0xb4, 0x02, 0x4f, 0x06, 0xf8, 0x17, 0xce, 0x46, 0x45, 0xda, 0x50, 0x7c, 0x8a, 0xd1, 0x4e}}}, +{{{0xf7, 0xd4, 0x16, 0x6c, 0x4e, 0x95, 0x9d, 0x5d, 0x0f, 0x91, 0x2b, 0x52, 0xfe, 0x5c, 0x34, 0xe5, 0x30, 0xe6, 0xa4, 0x3b, 0xf3, 0xf3, 0x34, 0x08, 0xa9, 0x4a, 0xa0, 0xb5, 0x6e, 0xb3, 0x09, 0x0a}} , + {{0x26, 0xd9, 0x5e, 0xa3, 0x0f, 0xeb, 0xa2, 0xf3, 0x20, 0x3b, 0x37, 0xd4, 0xe4, 0x9e, 0xce, 0x06, 0x3d, 0x53, 0xed, 0xae, 0x2b, 0xeb, 0xb6, 0x24, 0x0a, 0x11, 0xa3, 0x0f, 0xd6, 0x7f, 0xa4, 0x3a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xdb, 0x9f, 0x2c, 0xfc, 0xd6, 0xb2, 0x1e, 0x2e, 0x52, 0x7a, 0x06, 0x87, 0x2d, 0x86, 0x72, 0x2b, 0x6d, 0x90, 0x77, 0x46, 0x43, 0xb5, 0x7a, 0xf8, 0x60, 0x7d, 0x91, 0x60, 0x5b, 0x9d, 0x9e, 0x07}} , + {{0x97, 0x87, 0xc7, 0x04, 0x1c, 0x38, 0x01, 0x39, 0x58, 0xc7, 0x85, 0xa3, 0xfc, 0x64, 0x00, 0x64, 0x25, 0xa2, 0xbf, 0x50, 0x94, 0xca, 0x26, 0x31, 0x45, 0x0a, 0x24, 0xd2, 0x51, 0x29, 0x51, 0x16}}}, +{{{0x4d, 0x4a, 0xd7, 0x98, 0x71, 0x57, 0xac, 0x7d, 0x8b, 0x37, 0xbd, 0x63, 0xff, 0x87, 0xb1, 0x49, 0x95, 0x20, 0x7c, 0xcf, 0x7c, 0x59, 0xc4, 0x91, 0x9c, 0xef, 0xd0, 0xdb, 0x60, 0x09, 0x9d, 0x46}} , + {{0xcb, 0x78, 0x94, 0x90, 0xe4, 0x45, 0xb3, 0xf6, 0xd9, 0xf6, 0x57, 0x74, 0xd5, 0xf8, 0x83, 0x4f, 0x39, 0xc9, 0xbd, 0x88, 0xc2, 0x57, 0x21, 0x1f, 0x24, 0x32, 0x68, 0xf8, 0xc7, 0x21, 0x5f, 0x0b}}}, +{{{0x2a, 0x36, 0x68, 0xfc, 0x5f, 0xb6, 0x4f, 0xa5, 0xe3, 0x9d, 0x24, 0x2f, 0xc0, 0x93, 0x61, 0xcf, 0xf8, 0x0a, 0xed, 0xe1, 0xdb, 0x27, 0xec, 0x0e, 0x14, 0x32, 0x5f, 0x8e, 0xa1, 0x62, 0x41, 0x16}} , + {{0x95, 0x21, 0x01, 0xce, 0x95, 0x5b, 0x0e, 0x57, 0xc7, 0xb9, 0x62, 0xb5, 0x28, 0xca, 0x11, 0xec, 0xb4, 0x46, 0x06, 0x73, 0x26, 0xff, 0xfb, 0x66, 0x7d, 0xee, 0x5f, 0xb2, 0x56, 0xfd, 0x2a, 0x08}}}, +{{{0x92, 0x67, 0x77, 0x56, 0xa1, 0xff, 0xc4, 0xc5, 0x95, 0xf0, 0xe3, 0x3a, 0x0a, 0xca, 0x94, 0x4d, 0x9e, 0x7e, 0x3d, 0xb9, 0x6e, 0xb6, 0xb0, 0xce, 0xa4, 0x30, 0x89, 0x99, 0xe9, 0xad, 0x11, 0x59}} , + {{0xf6, 0x48, 0x95, 0xa1, 0x6f, 0x5f, 0xb7, 0xa5, 0xbb, 0x30, 0x00, 0x1c, 0xd2, 0x8a, 0xd6, 0x25, 0x26, 0x1b, 0xb2, 0x0d, 0x37, 0x6a, 0x05, 0xf4, 0x9d, 0x3e, 0x17, 0x2a, 0x43, 0xd2, 0x3a, 0x06}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x32, 0x99, 0x93, 0xd1, 0x9a, 0x72, 0xf3, 0xa9, 0x16, 0xbd, 0xb4, 0x4c, 0xdd, 0xf9, 0xd4, 0xb2, 0x64, 0x9a, 0xd3, 0x05, 0xe4, 0xa3, 0x73, 0x1c, 0xcb, 0x7e, 0x57, 0x67, 0xff, 0x04, 0xb3, 0x10}} , + {{0xb9, 0x4b, 0xa4, 0xad, 0xd0, 0x6d, 0x61, 0x23, 0xb4, 0xaf, 0x34, 0xa9, 0xaa, 0x65, 0xec, 0xd9, 0x69, 0xe3, 0x85, 0xcd, 0xcc, 0xe7, 0xb0, 0x9b, 0x41, 0xc1, 0x1c, 0xf9, 0xa0, 0xfa, 0xb7, 0x13}}}, +{{{0x04, 0xfd, 0x88, 0x3c, 0x0c, 0xd0, 0x09, 0x52, 0x51, 0x4f, 0x06, 0x19, 0xcc, 0xc3, 0xbb, 0xde, 0x80, 0xc5, 0x33, 0xbc, 0xf9, 0xf3, 0x17, 0x36, 0xdd, 0xc6, 0xde, 0xe8, 0x9b, 0x5d, 0x79, 0x1b}} , + {{0x65, 0x0a, 0xbe, 0x51, 0x57, 0xad, 0x50, 0x79, 0x08, 0x71, 0x9b, 0x07, 0x95, 0x8f, 0xfb, 0xae, 0x4b, 0x38, 0xba, 0xcf, 0x53, 0x2a, 0x86, 0x1e, 0xc0, 0x50, 0x5c, 0x67, 0x1b, 0xf6, 0x87, 0x6c}}}, +{{{0x4f, 0x00, 0xb2, 0x66, 0x55, 0xed, 0x4a, 0xed, 0x8d, 0xe1, 0x66, 0x18, 0xb2, 0x14, 0x74, 0x8d, 0xfd, 0x1a, 0x36, 0x0f, 0x26, 0x5c, 0x8b, 0x89, 0xf3, 0xab, 0xf2, 0xf3, 0x24, 0x67, 0xfd, 0x70}} , + {{0xfd, 0x4e, 0x2a, 0xc1, 0x3a, 0xca, 0x8f, 0x00, 0xd8, 0xec, 0x74, 0x67, 0xef, 0x61, 0xe0, 0x28, 0xd0, 0x96, 0xf4, 0x48, 0xde, 0x81, 0xe3, 0xef, 0xdc, 0xaa, 0x7d, 0xf3, 0xb6, 0x55, 0xa6, 0x65}}}, +{{{0xeb, 0xcb, 0xc5, 0x70, 0x91, 0x31, 0x10, 0x93, 0x0d, 0xc8, 0xd0, 0xef, 0x62, 0xe8, 0x6f, 0x82, 0xe3, 0x69, 0x3d, 0x91, 0x7f, 0x31, 0xe1, 0x26, 0x35, 0x3c, 0x4a, 0x2f, 0xab, 0xc4, 0x9a, 0x5e}} , + {{0xab, 0x1b, 0xb5, 0xe5, 0x2b, 0xc3, 0x0e, 0x29, 0xb0, 0xd0, 0x73, 0xe6, 0x4f, 0x64, 0xf2, 0xbc, 0xe4, 0xe4, 0xe1, 0x9a, 0x52, 0x33, 0x2f, 0xbd, 0xcc, 0x03, 0xee, 0x8a, 0xfa, 0x00, 0x5f, 0x50}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xf6, 0xdb, 0x0d, 0x22, 0x3d, 0xb5, 0x14, 0x75, 0x31, 0xf0, 0x81, 0xe2, 0xb9, 0x37, 0xa2, 0xa9, 0x84, 0x11, 0x9a, 0x07, 0xb5, 0x53, 0x89, 0x78, 0xa9, 0x30, 0x27, 0xa1, 0xf1, 0x4e, 0x5c, 0x2e}} , + {{0x8b, 0x00, 0x54, 0xfb, 0x4d, 0xdc, 0xcb, 0x17, 0x35, 0x40, 0xff, 0xb7, 0x8c, 0xfe, 0x4a, 0xe4, 0x4e, 0x99, 0x4e, 0xa8, 0x74, 0x54, 0x5d, 0x5c, 0x96, 0xa3, 0x12, 0x55, 0x36, 0x31, 0x17, 0x5c}}}, +{{{0xce, 0x24, 0xef, 0x7b, 0x86, 0xf2, 0x0f, 0x77, 0xe8, 0x5c, 0x7d, 0x87, 0x38, 0x2d, 0xef, 0xaf, 0xf2, 0x8c, 0x72, 0x2e, 0xeb, 0xb6, 0x55, 0x4b, 0x6e, 0xf1, 0x4e, 0x8a, 0x0e, 0x9a, 0x6c, 0x4c}} , + {{0x25, 0xea, 0x86, 0xc2, 0xd1, 0x4f, 0xb7, 0x3e, 0xa8, 0x5c, 0x8d, 0x66, 0x81, 0x25, 0xed, 0xc5, 0x4c, 0x05, 0xb9, 0xd8, 0xd6, 0x70, 0xbe, 0x73, 0x82, 0xe8, 0xa1, 0xe5, 0x1e, 0x71, 0xd5, 0x26}}}, +{{{0x4e, 0x6d, 0xc3, 0xa7, 0x4f, 0x22, 0x45, 0x26, 0xa2, 0x7e, 0x16, 0xf7, 0xf7, 0x63, 0xdc, 0x86, 0x01, 0x2a, 0x71, 0x38, 0x5c, 0x33, 0xc3, 0xce, 0x30, 0xff, 0xf9, 0x2c, 0x91, 0x71, 0x8a, 0x72}} , + {{0x8c, 0x44, 0x09, 0x28, 0xd5, 0x23, 0xc9, 0x8f, 0xf3, 0x84, 0x45, 0xc6, 0x9a, 0x5e, 0xff, 0xd2, 0xc7, 0x57, 0x93, 0xa3, 0xc1, 0x69, 0xdd, 0x62, 0x0f, 0xda, 0x5c, 0x30, 0x59, 0x5d, 0xe9, 0x4c}}}, +{{{0x92, 0x7e, 0x50, 0x27, 0x72, 0xd7, 0x0c, 0xd6, 0x69, 0x96, 0x81, 0x35, 0x84, 0x94, 0x35, 0x8b, 0x6c, 0xaa, 0x62, 0x86, 0x6e, 0x1c, 0x15, 0xf3, 0x6c, 0xb3, 0xff, 0x65, 0x1b, 0xa2, 0x9b, 0x59}} , + {{0xe2, 0xa9, 0x65, 0x88, 0xc4, 0x50, 0xfa, 0xbb, 0x3b, 0x6e, 0x5f, 0x44, 0x01, 0xca, 0x97, 0xd4, 0xdd, 0xf6, 0xcd, 0x3f, 0x3f, 0xe5, 0x97, 0x67, 0x2b, 0x8c, 0x66, 0x0f, 0x35, 0x9b, 0xf5, 0x07}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xf1, 0x59, 0x27, 0xd8, 0xdb, 0x5a, 0x11, 0x5e, 0x82, 0xf3, 0x38, 0xff, 0x1c, 0xed, 0xfe, 0x3f, 0x64, 0x54, 0x3f, 0x7f, 0xd1, 0x81, 0xed, 0xef, 0x65, 0xc5, 0xcb, 0xfd, 0xe1, 0x80, 0xcd, 0x11}} , + {{0xe0, 0xdb, 0x22, 0x28, 0xe6, 0xff, 0x61, 0x9d, 0x41, 0x14, 0x2d, 0x3b, 0x26, 0x22, 0xdf, 0xf1, 0x34, 0x81, 0xe9, 0x45, 0xee, 0x0f, 0x98, 0x8b, 0xa6, 0x3f, 0xef, 0xf7, 0x43, 0x19, 0xf1, 0x43}}}, +{{{0xee, 0xf3, 0x00, 0xa1, 0x50, 0xde, 0xc0, 0xb6, 0x01, 0xe3, 0x8c, 0x3c, 0x4d, 0x31, 0xd2, 0xb0, 0x58, 0xcd, 0xed, 0x10, 0x4a, 0x7a, 0xef, 0x80, 0xa9, 0x19, 0x32, 0xf3, 0xd8, 0x33, 0x8c, 0x06}} , + {{0xcb, 0x7d, 0x4f, 0xff, 0x30, 0xd8, 0x12, 0x3b, 0x39, 0x1c, 0x06, 0xf9, 0x4c, 0x34, 0x35, 0x71, 0xb5, 0x16, 0x94, 0x67, 0xdf, 0xee, 0x11, 0xde, 0xa4, 0x1d, 0x88, 0x93, 0x35, 0xa9, 0x32, 0x10}}}, +{{{0xe9, 0xc3, 0xbc, 0x7b, 0x5c, 0xfc, 0xb2, 0xf9, 0xc9, 0x2f, 0xe5, 0xba, 0x3a, 0x0b, 0xab, 0x64, 0x38, 0x6f, 0x5b, 0x4b, 0x93, 0xda, 0x64, 0xec, 0x4d, 0x3d, 0xa0, 0xf5, 0xbb, 0xba, 0x47, 0x48}} , + {{0x60, 0xbc, 0x45, 0x1f, 0x23, 0xa2, 0x3b, 0x70, 0x76, 0xe6, 0x97, 0x99, 0x4f, 0x77, 0x54, 0x67, 0x30, 0x9a, 0xe7, 0x66, 0xd6, 0xcd, 0x2e, 0x51, 0x24, 0x2c, 0x42, 0x4a, 0x11, 0xfe, 0x6f, 0x7e}}}, +{{{0x87, 0xc0, 0xb1, 0xf0, 0xa3, 0x6f, 0x0c, 0x93, 0xa9, 0x0a, 0x72, 0xef, 0x5c, 0xbe, 0x65, 0x35, 0xa7, 0x6a, 0x4e, 0x2c, 0xbf, 0x21, 0x23, 0xe8, 0x2f, 0x97, 0xc7, 0x3e, 0xc8, 0x17, 0xac, 0x1e}} , + {{0x7b, 0xef, 0x21, 0xe5, 0x40, 0xcc, 0x1e, 0xdc, 0xd6, 0xbd, 0x97, 0x7a, 0x7c, 0x75, 0x86, 0x7a, 0x25, 0x5a, 0x6e, 0x7c, 0xe5, 0x51, 0x3c, 0x1b, 0x5b, 0x82, 0x9a, 0x07, 0x60, 0xa1, 0x19, 0x04}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x96, 0x88, 0xa6, 0xab, 0x8f, 0xe3, 0x3a, 0x49, 0xf8, 0xfe, 0x34, 0xe7, 0x6a, 0xb2, 0xfe, 0x40, 0x26, 0x74, 0x57, 0x4c, 0xf6, 0xd4, 0x99, 0xce, 0x5d, 0x7b, 0x2f, 0x67, 0xd6, 0x5a, 0xe4, 0x4e}} , + {{0x5c, 0x82, 0xb3, 0xbd, 0x55, 0x25, 0xf6, 0x6a, 0x93, 0xa4, 0x02, 0xc6, 0x7d, 0x5c, 0xb1, 0x2b, 0x5b, 0xff, 0xfb, 0x56, 0xf8, 0x01, 0x41, 0x90, 0xc6, 0xb6, 0xac, 0x4f, 0xfe, 0xa7, 0x41, 0x70}}}, +{{{0xdb, 0xfa, 0x9b, 0x2c, 0xd4, 0x23, 0x67, 0x2c, 0x8a, 0x63, 0x6c, 0x07, 0x26, 0x48, 0x4f, 0xc2, 0x03, 0xd2, 0x53, 0x20, 0x28, 0xed, 0x65, 0x71, 0x47, 0xa9, 0x16, 0x16, 0x12, 0xbc, 0x28, 0x33}} , + {{0x39, 0xc0, 0xfa, 0xfa, 0xcd, 0x33, 0x43, 0xc7, 0x97, 0x76, 0x9b, 0x93, 0x91, 0x72, 0xeb, 0xc5, 0x18, 0x67, 0x4c, 0x11, 0xf0, 0xf4, 0xe5, 0x73, 0xb2, 0x5c, 0x1b, 0xc2, 0x26, 0x3f, 0xbf, 0x2b}}}, +{{{0x86, 0xe6, 0x8c, 0x1d, 0xdf, 0xca, 0xfc, 0xd5, 0xf8, 0x3a, 0xc3, 0x44, 0x72, 0xe6, 0x78, 0x9d, 0x2b, 0x97, 0xf8, 0x28, 0x45, 0xb4, 0x20, 0xc9, 0x2a, 0x8c, 0x67, 0xaa, 0x11, 0xc5, 0x5b, 0x2f}} , + {{0x17, 0x0f, 0x86, 0x52, 0xd7, 0x9d, 0xc3, 0x44, 0x51, 0x76, 0x32, 0x65, 0xb4, 0x37, 0x81, 0x99, 0x46, 0x37, 0x62, 0xed, 0xcf, 0x64, 0x9d, 0x72, 0x40, 0x7a, 0x4c, 0x0b, 0x76, 0x2a, 0xfb, 0x56}}}, +{{{0x33, 0xa7, 0x90, 0x7c, 0xc3, 0x6f, 0x17, 0xa5, 0xa0, 0x67, 0x72, 0x17, 0xea, 0x7e, 0x63, 0x14, 0x83, 0xde, 0xc1, 0x71, 0x2d, 0x41, 0x32, 0x7a, 0xf3, 0xd1, 0x2b, 0xd8, 0x2a, 0xa6, 0x46, 0x36}} , + {{0xac, 0xcc, 0x6b, 0x7c, 0xf9, 0xb8, 0x8b, 0x08, 0x5c, 0xd0, 0x7d, 0x8f, 0x73, 0xea, 0x20, 0xda, 0x86, 0xca, 0x00, 0xc7, 0xad, 0x73, 0x4d, 0xe9, 0xe8, 0xa9, 0xda, 0x1f, 0x03, 0x06, 0xdd, 0x24}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x9c, 0xb2, 0x61, 0x0a, 0x98, 0x2a, 0xa5, 0xd7, 0xee, 0xa9, 0xac, 0x65, 0xcb, 0x0a, 0x1e, 0xe2, 0xbe, 0xdc, 0x85, 0x59, 0x0f, 0x9c, 0xa6, 0x57, 0x34, 0xa5, 0x87, 0xeb, 0x7b, 0x1e, 0x0c, 0x3c}} , + {{0x2f, 0xbd, 0x84, 0x63, 0x0d, 0xb5, 0xa0, 0xf0, 0x4b, 0x9e, 0x93, 0xc6, 0x34, 0x9a, 0x34, 0xff, 0x73, 0x19, 0x2f, 0x6e, 0x54, 0x45, 0x2c, 0x92, 0x31, 0x76, 0x34, 0xf1, 0xb2, 0x26, 0xe8, 0x74}}}, +{{{0x0a, 0x67, 0x90, 0x6d, 0x0c, 0x4c, 0xcc, 0xc0, 0xe6, 0xbd, 0xa7, 0x5e, 0x55, 0x8c, 0xcd, 0x58, 0x9b, 0x11, 0xa2, 0xbb, 0x4b, 0xb1, 0x43, 0x04, 0x3c, 0x55, 0xed, 0x23, 0xfe, 0xcd, 0xb1, 0x53}} , + {{0x05, 0xfb, 0x75, 0xf5, 0x01, 0xaf, 0x38, 0x72, 0x58, 0xfc, 0x04, 0x29, 0x34, 0x7a, 0x67, 0xa2, 0x08, 0x50, 0x6e, 0xd0, 0x2b, 0x73, 0xd5, 0xb8, 0xe4, 0x30, 0x96, 0xad, 0x45, 0xdf, 0xa6, 0x5c}}}, +{{{0x0d, 0x88, 0x1a, 0x90, 0x7e, 0xdc, 0xd8, 0xfe, 0xc1, 0x2f, 0x5d, 0x67, 0xee, 0x67, 0x2f, 0xed, 0x6f, 0x55, 0x43, 0x5f, 0x87, 0x14, 0x35, 0x42, 0xd3, 0x75, 0xae, 0xd5, 0xd3, 0x85, 0x1a, 0x76}} , + {{0x87, 0xc8, 0xa0, 0x6e, 0xe1, 0xb0, 0xad, 0x6a, 0x4a, 0x34, 0x71, 0xed, 0x7c, 0xd6, 0x44, 0x03, 0x65, 0x4a, 0x5c, 0x5c, 0x04, 0xf5, 0x24, 0x3f, 0xb0, 0x16, 0x5e, 0x8c, 0xb2, 0xd2, 0xc5, 0x20}}}, +{{{0x98, 0x83, 0xc2, 0x37, 0xa0, 0x41, 0xa8, 0x48, 0x5c, 0x5f, 0xbf, 0xc8, 0xfa, 0x24, 0xe0, 0x59, 0x2c, 0xbd, 0xf6, 0x81, 0x7e, 0x88, 0xe6, 0xca, 0x04, 0xd8, 0x5d, 0x60, 0xbb, 0x74, 0xa7, 0x0b}} , + {{0x21, 0x13, 0x91, 0xbf, 0x77, 0x7a, 0x33, 0xbc, 0xe9, 0x07, 0x39, 0x0a, 0xdd, 0x7d, 0x06, 0x10, 0x9a, 0xee, 0x47, 0x73, 0x1b, 0x15, 0x5a, 0xfb, 0xcd, 0x4d, 0xd0, 0xd2, 0x3a, 0x01, 0xba, 0x54}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x48, 0xd5, 0x39, 0x4a, 0x0b, 0x20, 0x6a, 0x43, 0xa0, 0x07, 0x82, 0x5e, 0x49, 0x7c, 0xc9, 0x47, 0xf1, 0x7c, 0x37, 0xb9, 0x23, 0xef, 0x6b, 0x46, 0x45, 0x8c, 0x45, 0x76, 0xdf, 0x14, 0x6b, 0x6e}} , + {{0x42, 0xc9, 0xca, 0x29, 0x4c, 0x76, 0x37, 0xda, 0x8a, 0x2d, 0x7c, 0x3a, 0x58, 0xf2, 0x03, 0xb4, 0xb5, 0xb9, 0x1a, 0x13, 0x2d, 0xde, 0x5f, 0x6b, 0x9d, 0xba, 0x52, 0xc9, 0x5d, 0xb3, 0xf3, 0x30}}}, +{{{0x4c, 0x6f, 0xfe, 0x6b, 0x0c, 0x62, 0xd7, 0x48, 0x71, 0xef, 0xb1, 0x85, 0x79, 0xc0, 0xed, 0x24, 0xb1, 0x08, 0x93, 0x76, 0x8e, 0xf7, 0x38, 0x8e, 0xeb, 0xfe, 0x80, 0x40, 0xaf, 0x90, 0x64, 0x49}} , + {{0x4a, 0x88, 0xda, 0xc1, 0x98, 0x44, 0x3c, 0x53, 0x4e, 0xdb, 0x4b, 0xb9, 0x12, 0x5f, 0xcd, 0x08, 0x04, 0xef, 0x75, 0xe7, 0xb1, 0x3a, 0xe5, 0x07, 0xfa, 0xca, 0x65, 0x7b, 0x72, 0x10, 0x64, 0x7f}}}, +{{{0x3d, 0x81, 0xf0, 0xeb, 0x16, 0xfd, 0x58, 0x33, 0x8d, 0x7c, 0x1a, 0xfb, 0x20, 0x2c, 0x8a, 0xee, 0x90, 0xbb, 0x33, 0x6d, 0x45, 0xe9, 0x8e, 0x99, 0x85, 0xe1, 0x08, 0x1f, 0xc5, 0xf1, 0xb5, 0x46}} , + {{0xe4, 0xe7, 0x43, 0x4b, 0xa0, 0x3f, 0x2b, 0x06, 0xba, 0x17, 0xae, 0x3d, 0xe6, 0xce, 0xbd, 0xb8, 0xed, 0x74, 0x11, 0x35, 0xec, 0x96, 0xfe, 0x31, 0xe3, 0x0e, 0x7a, 0x4e, 0xc9, 0x1d, 0xcb, 0x20}}}, +{{{0xe0, 0x67, 0xe9, 0x7b, 0xdb, 0x96, 0x5c, 0xb0, 0x32, 0xd0, 0x59, 0x31, 0x90, 0xdc, 0x92, 0x97, 0xac, 0x09, 0x38, 0x31, 0x0f, 0x7e, 0xd6, 0x5d, 0xd0, 0x06, 0xb6, 0x1f, 0xea, 0xf0, 0x5b, 0x07}} , + {{0x81, 0x9f, 0xc7, 0xde, 0x6b, 0x41, 0x22, 0x35, 0x14, 0x67, 0x77, 0x3e, 0x90, 0x81, 0xb0, 0xd9, 0x85, 0x4c, 0xca, 0x9b, 0x3f, 0x04, 0x59, 0xd6, 0xaa, 0x17, 0xc3, 0x88, 0x34, 0x37, 0xba, 0x43}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x4c, 0xb6, 0x69, 0xc8, 0x81, 0x95, 0x94, 0x33, 0x92, 0x34, 0xe9, 0x3c, 0x84, 0x0d, 0x3d, 0x5a, 0x37, 0x9c, 0x22, 0xa0, 0xaa, 0x65, 0xce, 0xb4, 0xc2, 0x2d, 0x66, 0x67, 0x02, 0xff, 0x74, 0x10}} , + {{0x22, 0xb0, 0xd5, 0xe6, 0xc7, 0xef, 0xb1, 0xa7, 0x13, 0xda, 0x60, 0xb4, 0x80, 0xc1, 0x42, 0x7d, 0x10, 0x70, 0x97, 0x04, 0x4d, 0xda, 0x23, 0x89, 0xc2, 0x0e, 0x68, 0xcb, 0xde, 0xe0, 0x9b, 0x29}}}, +{{{0x33, 0xfe, 0x42, 0x2a, 0x36, 0x2b, 0x2e, 0x36, 0x64, 0x5c, 0x8b, 0xcc, 0x81, 0x6a, 0x15, 0x08, 0xa1, 0x27, 0xe8, 0x57, 0xe5, 0x78, 0x8e, 0xf2, 0x58, 0x19, 0x12, 0x42, 0xae, 0xc4, 0x63, 0x3e}} , + {{0x78, 0x96, 0x9c, 0xa7, 0xca, 0x80, 0xae, 0x02, 0x85, 0xb1, 0x7c, 0x04, 0x5c, 0xc1, 0x5b, 0x26, 0xc1, 0xba, 0xed, 0xa5, 0x59, 0x70, 0x85, 0x8c, 0x8c, 0xe8, 0x87, 0xac, 0x6a, 0x28, 0x99, 0x35}}}, +{{{0x9f, 0x04, 0x08, 0x28, 0xbe, 0x87, 0xda, 0x80, 0x28, 0x38, 0xde, 0x9f, 0xcd, 0xe4, 0xe3, 0x62, 0xfb, 0x2e, 0x46, 0x8d, 0x01, 0xb3, 0x06, 0x51, 0xd4, 0x19, 0x3b, 0x11, 0xfa, 0xe2, 0xad, 0x1e}} , + {{0xa0, 0x20, 0x99, 0x69, 0x0a, 0xae, 0xa3, 0x70, 0x4e, 0x64, 0x80, 0xb7, 0x85, 0x9c, 0x87, 0x54, 0x43, 0x43, 0x55, 0x80, 0x6d, 0x8d, 0x7c, 0xa9, 0x64, 0xca, 0x6c, 0x2e, 0x21, 0xd8, 0xc8, 0x6c}}}, +{{{0x91, 0x4a, 0x07, 0xad, 0x08, 0x75, 0xc1, 0x4f, 0xa4, 0xb2, 0xc3, 0x6f, 0x46, 0x3e, 0xb1, 0xce, 0x52, 0xab, 0x67, 0x09, 0x54, 0x48, 0x6b, 0x6c, 0xd7, 0x1d, 0x71, 0x76, 0xcb, 0xff, 0xdd, 0x31}} , + {{0x36, 0x88, 0xfa, 0xfd, 0xf0, 0x36, 0x6f, 0x07, 0x74, 0x88, 0x50, 0xd0, 0x95, 0x38, 0x4a, 0x48, 0x2e, 0x07, 0x64, 0x97, 0x11, 0x76, 0x01, 0x1a, 0x27, 0x4d, 0x8e, 0x25, 0x9a, 0x9b, 0x1c, 0x22}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xbe, 0x57, 0xbd, 0x0e, 0x0f, 0xac, 0x5e, 0x76, 0xa3, 0x71, 0xad, 0x2b, 0x10, 0x45, 0x02, 0xec, 0x59, 0xd5, 0x5d, 0xa9, 0x44, 0xcc, 0x25, 0x4c, 0xb3, 0x3c, 0x5b, 0x69, 0x07, 0x55, 0x26, 0x6b}} , + {{0x30, 0x6b, 0xd4, 0xa7, 0x51, 0x29, 0xe3, 0xf9, 0x7a, 0x75, 0x2a, 0x82, 0x2f, 0xd6, 0x1d, 0x99, 0x2b, 0x80, 0xd5, 0x67, 0x1e, 0x15, 0x9d, 0xca, 0xfd, 0xeb, 0xac, 0x97, 0x35, 0x09, 0x7f, 0x3f}}}, +{{{0x35, 0x0d, 0x34, 0x0a, 0xb8, 0x67, 0x56, 0x29, 0x20, 0xf3, 0x19, 0x5f, 0xe2, 0x83, 0x42, 0x73, 0x53, 0xa8, 0xc5, 0x02, 0x19, 0x33, 0xb4, 0x64, 0xbd, 0xc3, 0x87, 0x8c, 0xd7, 0x76, 0xed, 0x25}} , + {{0x47, 0x39, 0x37, 0x76, 0x0d, 0x1d, 0x0c, 0xf5, 0x5a, 0x6d, 0x43, 0x88, 0x99, 0x15, 0xb4, 0x52, 0x0f, 0x2a, 0xb3, 0xb0, 0x3f, 0xa6, 0xb3, 0x26, 0xb3, 0xc7, 0x45, 0xf5, 0x92, 0x5f, 0x9b, 0x17}}}, +{{{0x9d, 0x23, 0xbd, 0x15, 0xfe, 0x52, 0x52, 0x15, 0x26, 0x79, 0x86, 0xba, 0x06, 0x56, 0x66, 0xbb, 0x8c, 0x2e, 0x10, 0x11, 0xd5, 0x4a, 0x18, 0x52, 0xda, 0x84, 0x44, 0xf0, 0x3e, 0xe9, 0x8c, 0x35}} , + {{0xad, 0xa0, 0x41, 0xec, 0xc8, 0x4d, 0xb9, 0xd2, 0x6e, 0x96, 0x4e, 0x5b, 0xc5, 0xc2, 0xa0, 0x1b, 0xcf, 0x0c, 0xbf, 0x17, 0x66, 0x57, 0xc1, 0x17, 0x90, 0x45, 0x71, 0xc2, 0xe1, 0x24, 0xeb, 0x27}}}, +{{{0x2c, 0xb9, 0x42, 0xa4, 0xaf, 0x3b, 0x42, 0x0e, 0xc2, 0x0f, 0xf2, 0xea, 0x83, 0xaf, 0x9a, 0x13, 0x17, 0xb0, 0xbd, 0x89, 0x17, 0xe3, 0x72, 0xcb, 0x0e, 0x76, 0x7e, 0x41, 0x63, 0x04, 0x88, 0x71}} , + {{0x75, 0x78, 0x38, 0x86, 0x57, 0xdd, 0x9f, 0xee, 0x54, 0x70, 0x65, 0xbf, 0xf1, 0x2c, 0xe0, 0x39, 0x0d, 0xe3, 0x89, 0xfd, 0x8e, 0x93, 0x4f, 0x43, 0xdc, 0xd5, 0x5b, 0xde, 0xf9, 0x98, 0xe5, 0x7b}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xe7, 0x3b, 0x65, 0x11, 0xdf, 0xb2, 0xf2, 0x63, 0x94, 0x12, 0x6f, 0x5c, 0x9e, 0x77, 0xc1, 0xb6, 0xd8, 0xab, 0x58, 0x7a, 0x1d, 0x95, 0x73, 0xdd, 0xe7, 0xe3, 0x6f, 0xf2, 0x03, 0x1d, 0xdb, 0x76}} , + {{0xae, 0x06, 0x4e, 0x2c, 0x52, 0x1b, 0xbc, 0x5a, 0x5a, 0xa5, 0xbe, 0x27, 0xbd, 0xeb, 0xe1, 0x14, 0x17, 0x68, 0x26, 0x07, 0x03, 0xd1, 0x18, 0x0b, 0xdf, 0xf1, 0x06, 0x5c, 0xa6, 0x1b, 0xb9, 0x24}}}, +{{{0xc5, 0x66, 0x80, 0x13, 0x0e, 0x48, 0x8c, 0x87, 0x31, 0x84, 0xb4, 0x60, 0xed, 0xc5, 0xec, 0xb6, 0xc5, 0x05, 0x33, 0x5f, 0x2f, 0x7d, 0x40, 0xb6, 0x32, 0x1d, 0x38, 0x74, 0x1b, 0xf1, 0x09, 0x3d}} , + {{0xd4, 0x69, 0x82, 0xbc, 0x8d, 0xf8, 0x34, 0x36, 0x75, 0x55, 0x18, 0x55, 0x58, 0x3c, 0x79, 0xaf, 0x26, 0x80, 0xab, 0x9b, 0x95, 0x00, 0xf1, 0xcb, 0xda, 0xc1, 0x9f, 0xf6, 0x2f, 0xa2, 0xf4, 0x45}}}, +{{{0x17, 0xbe, 0xeb, 0x85, 0xed, 0x9e, 0xcd, 0x56, 0xf5, 0x17, 0x45, 0x42, 0xb4, 0x1f, 0x44, 0x4c, 0x05, 0x74, 0x15, 0x47, 0x00, 0xc6, 0x6a, 0x3d, 0x24, 0x09, 0x0d, 0x58, 0xb1, 0x42, 0xd7, 0x04}} , + {{0x8d, 0xbd, 0xa3, 0xc4, 0x06, 0x9b, 0x1f, 0x90, 0x58, 0x60, 0x74, 0xb2, 0x00, 0x3b, 0x3c, 0xd2, 0xda, 0x82, 0xbb, 0x10, 0x90, 0x69, 0x92, 0xa9, 0xb4, 0x30, 0x81, 0xe3, 0x7c, 0xa8, 0x89, 0x45}}}, +{{{0x3f, 0xdc, 0x05, 0xcb, 0x41, 0x3c, 0xc8, 0x23, 0x04, 0x2c, 0x38, 0x99, 0xe3, 0x68, 0x55, 0xf9, 0xd3, 0x32, 0xc7, 0xbf, 0xfa, 0xd4, 0x1b, 0x5d, 0xde, 0xdc, 0x10, 0x42, 0xc0, 0x42, 0xd9, 0x75}} , + {{0x2d, 0xab, 0x35, 0x4e, 0x87, 0xc4, 0x65, 0x97, 0x67, 0x24, 0xa4, 0x47, 0xad, 0x3f, 0x8e, 0xf3, 0xcb, 0x31, 0x17, 0x77, 0xc5, 0xe2, 0xd7, 0x8f, 0x3c, 0xc1, 0xcd, 0x56, 0x48, 0xc1, 0x6c, 0x69}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x14, 0xae, 0x5f, 0x88, 0x7b, 0xa5, 0x90, 0xdf, 0x10, 0xb2, 0x8b, 0x5e, 0x24, 0x17, 0xc3, 0xa3, 0xd4, 0x0f, 0x92, 0x61, 0x1a, 0x19, 0x5a, 0xad, 0x76, 0xbd, 0xd8, 0x1c, 0xdd, 0xe0, 0x12, 0x6d}} , + {{0x8e, 0xbd, 0x70, 0x8f, 0x02, 0xa3, 0x24, 0x4d, 0x5a, 0x67, 0xc4, 0xda, 0xf7, 0x20, 0x0f, 0x81, 0x5b, 0x7a, 0x05, 0x24, 0x67, 0x83, 0x0b, 0x2a, 0x80, 0xe7, 0xfd, 0x74, 0x4b, 0x9e, 0x5c, 0x0d}}}, +{{{0x94, 0xd5, 0x5f, 0x1f, 0xa2, 0xfb, 0xeb, 0xe1, 0x07, 0x34, 0xf8, 0x20, 0xad, 0x81, 0x30, 0x06, 0x2d, 0xa1, 0x81, 0x95, 0x36, 0xcf, 0x11, 0x0b, 0xaf, 0xc1, 0x2b, 0x9a, 0x6c, 0x55, 0xc1, 0x16}} , + {{0x36, 0x4f, 0xf1, 0x5e, 0x74, 0x35, 0x13, 0x28, 0xd7, 0x11, 0xcf, 0xb8, 0xde, 0x93, 0xb3, 0x05, 0xb8, 0xb5, 0x73, 0xe9, 0xeb, 0xad, 0x19, 0x1e, 0x89, 0x0f, 0x8b, 0x15, 0xd5, 0x8c, 0xe3, 0x23}}}, +{{{0x33, 0x79, 0xe7, 0x18, 0xe6, 0x0f, 0x57, 0x93, 0x15, 0xa0, 0xa7, 0xaa, 0xc4, 0xbf, 0x4f, 0x30, 0x74, 0x95, 0x5e, 0x69, 0x4a, 0x5b, 0x45, 0xe4, 0x00, 0xeb, 0x23, 0x74, 0x4c, 0xdf, 0x6b, 0x45}} , + {{0x97, 0x29, 0x6c, 0xc4, 0x42, 0x0b, 0xdd, 0xc0, 0x29, 0x5c, 0x9b, 0x34, 0x97, 0xd0, 0xc7, 0x79, 0x80, 0x63, 0x74, 0xe4, 0x8e, 0x37, 0xb0, 0x2b, 0x7c, 0xe8, 0x68, 0x6c, 0xc3, 0x82, 0x97, 0x57}}}, +{{{0x22, 0xbe, 0x83, 0xb6, 0x4b, 0x80, 0x6b, 0x43, 0x24, 0x5e, 0xef, 0x99, 0x9b, 0xa8, 0xfc, 0x25, 0x8d, 0x3b, 0x03, 0x94, 0x2b, 0x3e, 0xe7, 0x95, 0x76, 0x9b, 0xcc, 0x15, 0xdb, 0x32, 0xe6, 0x66}} , + {{0x84, 0xf0, 0x4a, 0x13, 0xa6, 0xd6, 0xfa, 0x93, 0x46, 0x07, 0xf6, 0x7e, 0x5c, 0x6d, 0x5e, 0xf6, 0xa6, 0xe7, 0x48, 0xf0, 0x06, 0xea, 0xff, 0x90, 0xc1, 0xcc, 0x4c, 0x19, 0x9c, 0x3c, 0x4e, 0x53}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x2a, 0x50, 0xe3, 0x07, 0x15, 0x59, 0xf2, 0x8b, 0x81, 0xf2, 0xf3, 0xd3, 0x6c, 0x99, 0x8c, 0x70, 0x67, 0xec, 0xcc, 0xee, 0x9e, 0x59, 0x45, 0x59, 0x7d, 0x47, 0x75, 0x69, 0xf5, 0x24, 0x93, 0x5d}} , + {{0x6a, 0x4f, 0x1b, 0xbe, 0x6b, 0x30, 0xcf, 0x75, 0x46, 0xe3, 0x7b, 0x9d, 0xfc, 0xcd, 0xd8, 0x5c, 0x1f, 0xb4, 0xc8, 0xe2, 0x24, 0xec, 0x1a, 0x28, 0x05, 0x32, 0x57, 0xfd, 0x3c, 0x5a, 0x98, 0x10}}}, +{{{0xa3, 0xdb, 0xf7, 0x30, 0xd8, 0xc2, 0x9a, 0xe1, 0xd3, 0xce, 0x22, 0xe5, 0x80, 0x1e, 0xd9, 0xe4, 0x1f, 0xab, 0xc0, 0x71, 0x1a, 0x86, 0x0e, 0x27, 0x99, 0x5b, 0xfa, 0x76, 0x99, 0xb0, 0x08, 0x3c}} , + {{0x2a, 0x93, 0xd2, 0x85, 0x1b, 0x6a, 0x5d, 0xa6, 0xee, 0xd1, 0xd1, 0x33, 0xbd, 0x6a, 0x36, 0x73, 0x37, 0x3a, 0x44, 0xb4, 0xec, 0xa9, 0x7a, 0xde, 0x83, 0x40, 0xd7, 0xdf, 0x28, 0xba, 0xa2, 0x30}}}, +{{{0xd3, 0xb5, 0x6d, 0x05, 0x3f, 0x9f, 0xf3, 0x15, 0x8d, 0x7c, 0xca, 0xc9, 0xfc, 0x8a, 0x7c, 0x94, 0xb0, 0x63, 0x36, 0x9b, 0x78, 0xd1, 0x91, 0x1f, 0x93, 0xd8, 0x57, 0x43, 0xde, 0x76, 0xa3, 0x43}} , + {{0x9b, 0x35, 0xe2, 0xa9, 0x3d, 0x32, 0x1e, 0xbb, 0x16, 0x28, 0x70, 0xe9, 0x45, 0x2f, 0x8f, 0x70, 0x7f, 0x08, 0x7e, 0x53, 0xc4, 0x7a, 0xbf, 0xf7, 0xe1, 0xa4, 0x6a, 0xd8, 0xac, 0x64, 0x1b, 0x11}}}, +{{{0xb2, 0xeb, 0x47, 0x46, 0x18, 0x3e, 0x1f, 0x99, 0x0c, 0xcc, 0xf1, 0x2c, 0xe0, 0xe7, 0x8f, 0xe0, 0x01, 0x7e, 0x65, 0xb8, 0x0c, 0xd0, 0xfb, 0xc8, 0xb9, 0x90, 0x98, 0x33, 0x61, 0x3b, 0xd8, 0x27}} , + {{0xa0, 0xbe, 0x72, 0x3a, 0x50, 0x4b, 0x74, 0xab, 0x01, 0xc8, 0x93, 0xc5, 0xe4, 0xc7, 0x08, 0x6c, 0xb4, 0xca, 0xee, 0xeb, 0x8e, 0xd7, 0x4e, 0x26, 0xc6, 0x1d, 0xe2, 0x71, 0xaf, 0x89, 0xa0, 0x2a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x98, 0x0b, 0xe4, 0xde, 0xdb, 0xa8, 0xfa, 0x82, 0x74, 0x06, 0x52, 0x6d, 0x08, 0x52, 0x8a, 0xff, 0x62, 0xc5, 0x6a, 0x44, 0x0f, 0x51, 0x8c, 0x1f, 0x6e, 0xb6, 0xc6, 0x2c, 0x81, 0xd3, 0x76, 0x46}} , + {{0xf4, 0x29, 0x74, 0x2e, 0x80, 0xa7, 0x1a, 0x8f, 0xf6, 0xbd, 0xd6, 0x8e, 0xbf, 0xc1, 0x95, 0x2a, 0xeb, 0xa0, 0x7f, 0x45, 0xa0, 0x50, 0x14, 0x05, 0xb1, 0x57, 0x4c, 0x74, 0xb7, 0xe2, 0x89, 0x7d}}}, +{{{0x07, 0xee, 0xa7, 0xad, 0xb7, 0x09, 0x0b, 0x49, 0x4e, 0xbf, 0xca, 0xe5, 0x21, 0xe6, 0xe6, 0xaf, 0xd5, 0x67, 0xf3, 0xce, 0x7e, 0x7c, 0x93, 0x7b, 0x5a, 0x10, 0x12, 0x0e, 0x6c, 0x06, 0x11, 0x75}} , + {{0xd5, 0xfc, 0x86, 0xa3, 0x3b, 0xa3, 0x3e, 0x0a, 0xfb, 0x0b, 0xf7, 0x36, 0xb1, 0x5b, 0xda, 0x70, 0xb7, 0x00, 0xa7, 0xda, 0x88, 0x8f, 0x84, 0xa8, 0xbc, 0x1c, 0x39, 0xb8, 0x65, 0xf3, 0x4d, 0x60}}}, +{{{0x96, 0x9d, 0x31, 0xf4, 0xa2, 0xbe, 0x81, 0xb9, 0xa5, 0x59, 0x9e, 0xba, 0x07, 0xbe, 0x74, 0x58, 0xd8, 0xeb, 0xc5, 0x9f, 0x3d, 0xd1, 0xf4, 0xae, 0xce, 0x53, 0xdf, 0x4f, 0xc7, 0x2a, 0x89, 0x4d}} , + {{0x29, 0xd8, 0xf2, 0xaa, 0xe9, 0x0e, 0xf7, 0x2e, 0x5f, 0x9d, 0x8a, 0x5b, 0x09, 0xed, 0xc9, 0x24, 0x22, 0xf4, 0x0f, 0x25, 0x8f, 0x1c, 0x84, 0x6e, 0x34, 0x14, 0x6c, 0xea, 0xb3, 0x86, 0x5d, 0x04}}}, +{{{0x07, 0x98, 0x61, 0xe8, 0x6a, 0xd2, 0x81, 0x49, 0x25, 0xd5, 0x5b, 0x18, 0xc7, 0x35, 0x52, 0x51, 0xa4, 0x46, 0xad, 0x18, 0x0d, 0xc9, 0x5f, 0x18, 0x91, 0x3b, 0xb4, 0xc0, 0x60, 0x59, 0x8d, 0x66}} , + {{0x03, 0x1b, 0x79, 0x53, 0x6e, 0x24, 0xae, 0x57, 0xd9, 0x58, 0x09, 0x85, 0x48, 0xa2, 0xd3, 0xb5, 0xe2, 0x4d, 0x11, 0x82, 0xe6, 0x86, 0x3c, 0xe9, 0xb1, 0x00, 0x19, 0xc2, 0x57, 0xf7, 0x66, 0x7a}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x0f, 0xe3, 0x89, 0x03, 0xd7, 0x22, 0x95, 0x9f, 0xca, 0xb4, 0x8d, 0x9e, 0x6d, 0x97, 0xff, 0x8d, 0x21, 0x59, 0x07, 0xef, 0x03, 0x2d, 0x5e, 0xf8, 0x44, 0x46, 0xe7, 0x85, 0x80, 0xc5, 0x89, 0x50}} , + {{0x8b, 0xd8, 0x53, 0x86, 0x24, 0x86, 0x29, 0x52, 0x01, 0xfa, 0x20, 0xc3, 0x4e, 0x95, 0xcb, 0xad, 0x7b, 0x34, 0x94, 0x30, 0xb7, 0x7a, 0xfa, 0x96, 0x41, 0x60, 0x2b, 0xcb, 0x59, 0xb9, 0xca, 0x50}}}, +{{{0xc2, 0x5b, 0x9b, 0x78, 0x23, 0x1b, 0x3a, 0x88, 0x94, 0x5f, 0x0a, 0x9b, 0x98, 0x2b, 0x6e, 0x53, 0x11, 0xf6, 0xff, 0xc6, 0x7d, 0x42, 0xcc, 0x02, 0x80, 0x40, 0x0d, 0x1e, 0xfb, 0xaf, 0x61, 0x07}} , + {{0xb0, 0xe6, 0x2f, 0x81, 0x70, 0xa1, 0x2e, 0x39, 0x04, 0x7c, 0xc4, 0x2c, 0x87, 0x45, 0x4a, 0x5b, 0x69, 0x97, 0xac, 0x6d, 0x2c, 0x10, 0x42, 0x7c, 0x3b, 0x15, 0x70, 0x60, 0x0e, 0x11, 0x6d, 0x3a}}}, +{{{0x9b, 0x18, 0x80, 0x5e, 0xdb, 0x05, 0xbd, 0xc6, 0xb7, 0x3c, 0xc2, 0x40, 0x4d, 0x5d, 0xce, 0x97, 0x8a, 0x34, 0x15, 0xab, 0x28, 0x5d, 0x10, 0xf0, 0x37, 0x0c, 0xcc, 0x16, 0xfa, 0x1f, 0x33, 0x0d}} , + {{0x19, 0xf9, 0x35, 0xaa, 0x59, 0x1a, 0x0c, 0x5c, 0x06, 0xfc, 0x6a, 0x0b, 0x97, 0x53, 0x36, 0xfc, 0x2a, 0xa5, 0x5a, 0x9b, 0x30, 0xef, 0x23, 0xaf, 0x39, 0x5d, 0x9a, 0x6b, 0x75, 0x57, 0x48, 0x0b}}}, +{{{0x26, 0xdc, 0x76, 0x3b, 0xfc, 0xf9, 0x9c, 0x3f, 0x89, 0x0b, 0x62, 0x53, 0xaf, 0x83, 0x01, 0x2e, 0xbc, 0x6a, 0xc6, 0x03, 0x0d, 0x75, 0x2a, 0x0d, 0xe6, 0x94, 0x54, 0xcf, 0xb3, 0xe5, 0x96, 0x25}} , + {{0xfe, 0x82, 0xb1, 0x74, 0x31, 0x8a, 0xa7, 0x6f, 0x56, 0xbd, 0x8d, 0xf4, 0xe0, 0x94, 0x51, 0x59, 0xde, 0x2c, 0x5a, 0xf4, 0x84, 0x6b, 0x4a, 0x88, 0x93, 0xc0, 0x0c, 0x9a, 0xac, 0xa7, 0xa0, 0x68}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x25, 0x0d, 0xd6, 0xc7, 0x23, 0x47, 0x10, 0xad, 0xc7, 0x08, 0x5c, 0x87, 0x87, 0x93, 0x98, 0x18, 0xb8, 0xd3, 0x9c, 0xac, 0x5a, 0x3d, 0xc5, 0x75, 0xf8, 0x49, 0x32, 0x14, 0xcc, 0x51, 0x96, 0x24}} , + {{0x65, 0x9c, 0x5d, 0xf0, 0x37, 0x04, 0xf0, 0x34, 0x69, 0x2a, 0xf0, 0xa5, 0x64, 0xca, 0xde, 0x2b, 0x5b, 0x15, 0x10, 0xd2, 0xab, 0x06, 0xdd, 0xc4, 0xb0, 0xb6, 0x5b, 0xc1, 0x17, 0xdf, 0x8f, 0x02}}}, +{{{0xbd, 0x59, 0x3d, 0xbf, 0x5c, 0x31, 0x44, 0x2c, 0x32, 0x94, 0x04, 0x60, 0x84, 0x0f, 0xad, 0x00, 0xb6, 0x8f, 0xc9, 0x1d, 0xcc, 0x5c, 0xa2, 0x49, 0x0e, 0x50, 0x91, 0x08, 0x9a, 0x43, 0x55, 0x05}} , + {{0x5d, 0x93, 0x55, 0xdf, 0x9b, 0x12, 0x19, 0xec, 0x93, 0x85, 0x42, 0x9e, 0x66, 0x0f, 0x9d, 0xaf, 0x99, 0xaf, 0x26, 0x89, 0xbc, 0x61, 0xfd, 0xff, 0xce, 0x4b, 0xf4, 0x33, 0x95, 0xc9, 0x35, 0x58}}}, +{{{0x12, 0x55, 0xf9, 0xda, 0xcb, 0x44, 0xa7, 0xdc, 0x57, 0xe2, 0xf9, 0x9a, 0xe6, 0x07, 0x23, 0x60, 0x54, 0xa7, 0x39, 0xa5, 0x9b, 0x84, 0x56, 0x6e, 0xaa, 0x8b, 0x8f, 0xb0, 0x2c, 0x87, 0xaf, 0x67}} , + {{0x00, 0xa9, 0x4c, 0xb2, 0x12, 0xf8, 0x32, 0xa8, 0x7a, 0x00, 0x4b, 0x49, 0x32, 0xba, 0x1f, 0x5d, 0x44, 0x8e, 0x44, 0x7a, 0xdc, 0x11, 0xfb, 0x39, 0x08, 0x57, 0x87, 0xa5, 0x12, 0x42, 0x93, 0x0e}}}, +{{{0x17, 0xb4, 0xae, 0x72, 0x59, 0xd0, 0xaa, 0xa8, 0x16, 0x8b, 0x63, 0x11, 0xb3, 0x43, 0x04, 0xda, 0x0c, 0xa8, 0xb7, 0x68, 0xdd, 0x4e, 0x54, 0xe7, 0xaf, 0x5d, 0x5d, 0x05, 0x76, 0x36, 0xec, 0x0d}} , + {{0x6d, 0x7c, 0x82, 0x32, 0x38, 0x55, 0x57, 0x74, 0x5b, 0x7d, 0xc3, 0xc4, 0xfb, 0x06, 0x29, 0xf0, 0x13, 0x55, 0x54, 0xc6, 0xa7, 0xdc, 0x4c, 0x9f, 0x98, 0x49, 0x20, 0xa8, 0xc3, 0x8d, 0xfa, 0x48}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x87, 0x47, 0x9d, 0xe9, 0x25, 0xd5, 0xe3, 0x47, 0x78, 0xdf, 0x85, 0xa7, 0x85, 0x5e, 0x7a, 0x4c, 0x5f, 0x79, 0x1a, 0xf3, 0xa2, 0xb2, 0x28, 0xa0, 0x9c, 0xdd, 0x30, 0x40, 0xd4, 0x38, 0xbd, 0x28}} , + {{0xfc, 0xbb, 0xd5, 0x78, 0x6d, 0x1d, 0xd4, 0x99, 0xb4, 0xaa, 0x44, 0x44, 0x7a, 0x1b, 0xd8, 0xfe, 0xb4, 0x99, 0xb9, 0xcc, 0xe7, 0xc4, 0xd3, 0x3a, 0x73, 0x83, 0x41, 0x5c, 0x40, 0xd7, 0x2d, 0x55}}}, +{{{0x26, 0xe1, 0x7b, 0x5f, 0xe5, 0xdc, 0x3f, 0x7d, 0xa1, 0xa7, 0x26, 0x44, 0x22, 0x23, 0xc0, 0x8f, 0x7d, 0xf1, 0xb5, 0x11, 0x47, 0x7b, 0x19, 0xd4, 0x75, 0x6f, 0x1e, 0xa5, 0x27, 0xfe, 0xc8, 0x0e}} , + {{0xd3, 0x11, 0x3d, 0xab, 0xef, 0x2c, 0xed, 0xb1, 0x3d, 0x7c, 0x32, 0x81, 0x6b, 0xfe, 0xf8, 0x1c, 0x3c, 0x7b, 0xc0, 0x61, 0xdf, 0xb8, 0x75, 0x76, 0x7f, 0xaa, 0xd8, 0x93, 0xaf, 0x3d, 0xe8, 0x3d}}}, +{{{0xfd, 0x5b, 0x4e, 0x8d, 0xb6, 0x7e, 0x82, 0x9b, 0xef, 0xce, 0x04, 0x69, 0x51, 0x52, 0xff, 0xef, 0xa0, 0x52, 0xb5, 0x79, 0x17, 0x5e, 0x2f, 0xde, 0xd6, 0x3c, 0x2d, 0xa0, 0x43, 0xb4, 0x0b, 0x19}} , + {{0xc0, 0x61, 0x48, 0x48, 0x17, 0xf4, 0x9e, 0x18, 0x51, 0x2d, 0xea, 0x2f, 0xf2, 0xf2, 0xe0, 0xa3, 0x14, 0xb7, 0x8b, 0x3a, 0x30, 0xf5, 0x81, 0xc1, 0x5d, 0x71, 0x39, 0x62, 0x55, 0x1f, 0x60, 0x5a}}}, +{{{0xe5, 0x89, 0x8a, 0x76, 0x6c, 0xdb, 0x4d, 0x0a, 0x5b, 0x72, 0x9d, 0x59, 0x6e, 0x63, 0x63, 0x18, 0x7c, 0xe3, 0xfa, 0xe2, 0xdb, 0xa1, 0x8d, 0xf4, 0xa5, 0xd7, 0x16, 0xb2, 0xd0, 0xb3, 0x3f, 0x39}} , + {{0xce, 0x60, 0x09, 0x6c, 0xf5, 0x76, 0x17, 0x24, 0x80, 0x3a, 0x96, 0xc7, 0x94, 0x2e, 0xf7, 0x6b, 0xef, 0xb5, 0x05, 0x96, 0xef, 0xd3, 0x7b, 0x51, 0xda, 0x05, 0x44, 0x67, 0xbc, 0x07, 0x21, 0x4e}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xe9, 0x73, 0x6f, 0x21, 0xb9, 0xde, 0x22, 0x7d, 0xeb, 0x97, 0x31, 0x10, 0xa3, 0xea, 0xe1, 0xc6, 0x37, 0xeb, 0x8f, 0x43, 0x58, 0xde, 0x41, 0x64, 0x0e, 0x3e, 0x07, 0x99, 0x3d, 0xf1, 0xdf, 0x1e}} , + {{0xf8, 0xad, 0x43, 0xc2, 0x17, 0x06, 0xe2, 0xe4, 0xa9, 0x86, 0xcd, 0x18, 0xd7, 0x78, 0xc8, 0x74, 0x66, 0xd2, 0x09, 0x18, 0xa5, 0xf1, 0xca, 0xa6, 0x62, 0x92, 0xc1, 0xcb, 0x00, 0xeb, 0x42, 0x2e}}}, +{{{0x7b, 0x34, 0x24, 0x4c, 0xcf, 0x38, 0xe5, 0x6c, 0x0a, 0x01, 0x2c, 0x22, 0x0b, 0x24, 0x38, 0xad, 0x24, 0x7e, 0x19, 0xf0, 0x6c, 0xf9, 0x31, 0xf4, 0x35, 0x11, 0xf6, 0x46, 0x33, 0x3a, 0x23, 0x59}} , + {{0x20, 0x0b, 0xa1, 0x08, 0x19, 0xad, 0x39, 0x54, 0xea, 0x3e, 0x23, 0x09, 0xb6, 0xe2, 0xd2, 0xbc, 0x4d, 0xfc, 0x9c, 0xf0, 0x13, 0x16, 0x22, 0x3f, 0xb9, 0xd2, 0x11, 0x86, 0x90, 0x55, 0xce, 0x3c}}}, +{{{0xc4, 0x0b, 0x4b, 0x62, 0x99, 0x37, 0x84, 0x3f, 0x74, 0xa2, 0xf9, 0xce, 0xe2, 0x0b, 0x0f, 0x2a, 0x3d, 0xa3, 0xe3, 0xdb, 0x5a, 0x9d, 0x93, 0xcc, 0xa5, 0xef, 0x82, 0x91, 0x1d, 0xe6, 0x6c, 0x68}} , + {{0xa3, 0x64, 0x17, 0x9b, 0x8b, 0xc8, 0x3a, 0x61, 0xe6, 0x9d, 0xc6, 0xed, 0x7b, 0x03, 0x52, 0x26, 0x9d, 0x3a, 0xb3, 0x13, 0xcc, 0x8a, 0xfd, 0x2c, 0x1a, 0x1d, 0xed, 0x13, 0xd0, 0x55, 0x57, 0x0e}}}, +{{{0x1a, 0xea, 0xbf, 0xfd, 0x4a, 0x3c, 0x8e, 0xec, 0x29, 0x7e, 0x77, 0x77, 0x12, 0x99, 0xd7, 0x84, 0xf9, 0x55, 0x7f, 0xf1, 0x8b, 0xb4, 0xd2, 0x95, 0xa3, 0x8d, 0xf0, 0x8a, 0xa7, 0xeb, 0x82, 0x4b}} , + {{0x2c, 0x28, 0xf4, 0x3a, 0xf6, 0xde, 0x0a, 0xe0, 0x41, 0x44, 0x23, 0xf8, 0x3f, 0x03, 0x64, 0x9f, 0xc3, 0x55, 0x4c, 0xc6, 0xc1, 0x94, 0x1c, 0x24, 0x5d, 0x5f, 0x92, 0x45, 0x96, 0x57, 0x37, 0x14}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xc1, 0xcd, 0x90, 0x66, 0xb9, 0x76, 0xa0, 0x5b, 0xa5, 0x85, 0x75, 0x23, 0xf9, 0x89, 0xa5, 0x82, 0xb2, 0x6f, 0xb1, 0xeb, 0xc4, 0x69, 0x6f, 0x18, 0x5a, 0xed, 0x94, 0x3d, 0x9d, 0xd9, 0x2c, 0x1a}} , + {{0x35, 0xb0, 0xe6, 0x73, 0x06, 0xb7, 0x37, 0xe0, 0xf8, 0xb0, 0x22, 0xe8, 0xd2, 0xed, 0x0b, 0xef, 0xe6, 0xc6, 0x5a, 0x99, 0x9e, 0x1a, 0x9f, 0x04, 0x97, 0xe4, 0x4d, 0x0b, 0xbe, 0xba, 0x44, 0x40}}}, +{{{0xc1, 0x56, 0x96, 0x91, 0x5f, 0x1f, 0xbb, 0x54, 0x6f, 0x88, 0x89, 0x0a, 0xb2, 0xd6, 0x41, 0x42, 0x6a, 0x82, 0xee, 0x14, 0xaa, 0x76, 0x30, 0x65, 0x0f, 0x67, 0x39, 0xa6, 0x51, 0x7c, 0x49, 0x24}} , + {{0x35, 0xa3, 0x78, 0xd1, 0x11, 0x0f, 0x75, 0xd3, 0x70, 0x46, 0xdb, 0x20, 0x51, 0xcb, 0x92, 0x80, 0x54, 0x10, 0x74, 0x36, 0x86, 0xa9, 0xd7, 0xa3, 0x08, 0x78, 0xf1, 0x01, 0x29, 0xf8, 0x80, 0x3b}}}, +{{{0xdb, 0xa7, 0x9d, 0x9d, 0xbf, 0xa0, 0xcc, 0xed, 0x53, 0xa2, 0xa2, 0x19, 0x39, 0x48, 0x83, 0x19, 0x37, 0x58, 0xd1, 0x04, 0x28, 0x40, 0xf7, 0x8a, 0xc2, 0x08, 0xb7, 0xa5, 0x42, 0xcf, 0x53, 0x4c}} , + {{0xa7, 0xbb, 0xf6, 0x8e, 0xad, 0xdd, 0xf7, 0x90, 0xdd, 0x5f, 0x93, 0x89, 0xae, 0x04, 0x37, 0xe6, 0x9a, 0xb7, 0xe8, 0xc0, 0xdf, 0x16, 0x2a, 0xbf, 0xc4, 0x3a, 0x3c, 0x41, 0xd5, 0x89, 0x72, 0x5a}}}, +{{{0x1f, 0x96, 0xff, 0x34, 0x2c, 0x13, 0x21, 0xcb, 0x0a, 0x89, 0x85, 0xbe, 0xb3, 0x70, 0x9e, 0x1e, 0xde, 0x97, 0xaf, 0x96, 0x30, 0xf7, 0x48, 0x89, 0x40, 0x8d, 0x07, 0xf1, 0x25, 0xf0, 0x30, 0x58}} , + {{0x1e, 0xd4, 0x93, 0x57, 0xe2, 0x17, 0xe7, 0x9d, 0xab, 0x3c, 0x55, 0x03, 0x82, 0x2f, 0x2b, 0xdb, 0x56, 0x1e, 0x30, 0x2e, 0x24, 0x47, 0x6e, 0xe6, 0xff, 0x33, 0x24, 0x2c, 0x75, 0x51, 0xd4, 0x67}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0x2b, 0x06, 0xd9, 0xa1, 0x5d, 0xe1, 0xf4, 0xd1, 0x1e, 0x3c, 0x9a, 0xc6, 0x29, 0x2b, 0x13, 0x13, 0x78, 0xc0, 0xd8, 0x16, 0x17, 0x2d, 0x9e, 0xa9, 0xc9, 0x79, 0x57, 0xab, 0x24, 0x91, 0x92, 0x19}} , + {{0x69, 0xfb, 0xa1, 0x9c, 0xa6, 0x75, 0x49, 0x7d, 0x60, 0x73, 0x40, 0x42, 0xc4, 0x13, 0x0a, 0x95, 0x79, 0x1e, 0x04, 0x83, 0x94, 0x99, 0x9b, 0x1e, 0x0c, 0xe8, 0x1f, 0x54, 0xef, 0xcb, 0xc0, 0x52}}}, +{{{0x14, 0x89, 0x73, 0xa1, 0x37, 0x87, 0x6a, 0x7a, 0xcf, 0x1d, 0xd9, 0x2e, 0x1a, 0x67, 0xed, 0x74, 0xc0, 0xf0, 0x9c, 0x33, 0xdd, 0xdf, 0x08, 0xbf, 0x7b, 0xd1, 0x66, 0xda, 0xe6, 0xc9, 0x49, 0x08}} , + {{0xe9, 0xdd, 0x5e, 0x55, 0xb0, 0x0a, 0xde, 0x21, 0x4c, 0x5a, 0x2e, 0xd4, 0x80, 0x3a, 0x57, 0x92, 0x7a, 0xf1, 0xc4, 0x2c, 0x40, 0xaf, 0x2f, 0xc9, 0x92, 0x03, 0xe5, 0x5a, 0xbc, 0xdc, 0xf4, 0x09}}}, +{{{0xf3, 0xe1, 0x2b, 0x7c, 0x05, 0x86, 0x80, 0x93, 0x4a, 0xad, 0xb4, 0x8f, 0x7e, 0x99, 0x0c, 0xfd, 0xcd, 0xef, 0xd1, 0xff, 0x2c, 0x69, 0x34, 0x13, 0x41, 0x64, 0xcf, 0x3b, 0xd0, 0x90, 0x09, 0x1e}} , + {{0x9d, 0x45, 0xd6, 0x80, 0xe6, 0x45, 0xaa, 0xf4, 0x15, 0xaa, 0x5c, 0x34, 0x87, 0x99, 0xa2, 0x8c, 0x26, 0x84, 0x62, 0x7d, 0xb6, 0x29, 0xc0, 0x52, 0xea, 0xf5, 0x81, 0x18, 0x0f, 0x35, 0xa9, 0x0e}}}, +{{{0xe7, 0x20, 0x72, 0x7c, 0x6d, 0x94, 0x5f, 0x52, 0x44, 0x54, 0xe3, 0xf1, 0xb2, 0xb0, 0x36, 0x46, 0x0f, 0xae, 0x92, 0xe8, 0x70, 0x9d, 0x6e, 0x79, 0xb1, 0xad, 0x37, 0xa9, 0x5f, 0xc0, 0xde, 0x03}} , + {{0x15, 0x55, 0x37, 0xc6, 0x1c, 0x27, 0x1c, 0x6d, 0x14, 0x4f, 0xca, 0xa4, 0xc4, 0x88, 0x25, 0x46, 0x39, 0xfc, 0x5a, 0xe5, 0xfe, 0x29, 0x11, 0x69, 0xf5, 0x72, 0x84, 0x4d, 0x78, 0x9f, 0x94, 0x15}}}, +{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, + {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}}, +{{{0xec, 0xd3, 0xff, 0x57, 0x0b, 0xb0, 0xb2, 0xdc, 0xf8, 0x4f, 0xe2, 0x12, 0xd5, 0x36, 0xbe, 0x6b, 0x09, 0x43, 0x6d, 0xa3, 0x4d, 0x90, 0x2d, 0xb8, 0x74, 0xe8, 0x71, 0x45, 0x19, 0x8b, 0x0c, 0x6a}} , + {{0xb8, 0x42, 0x1c, 0x03, 0xad, 0x2c, 0x03, 0x8e, 0xac, 0xd7, 0x98, 0x29, 0x13, 0xc6, 0x02, 0x29, 0xb5, 0xd4, 0xe7, 0xcf, 0xcc, 0x8b, 0x83, 0xec, 0x35, 0xc7, 0x9c, 0x74, 0xb7, 0xad, 0x85, 0x5f}}}, +{{{0x78, 0x84, 0xe1, 0x56, 0x45, 0x69, 0x68, 0x5a, 0x4f, 0xb8, 0xb1, 0x29, 0xff, 0x33, 0x03, 0x31, 0xb7, 0xcb, 0x96, 0x25, 0xe6, 0xe6, 0x41, 0x98, 0x1a, 0xbb, 0x03, 0x56, 0xf2, 0xb2, 0x91, 0x34}} , + {{0x2c, 0x6c, 0xf7, 0x66, 0xa4, 0x62, 0x6b, 0x39, 0xb3, 0xba, 0x65, 0xd3, 0x1c, 0xf8, 0x11, 0xaa, 0xbe, 0xdc, 0x80, 0x59, 0x87, 0xf5, 0x7b, 0xe5, 0xe3, 0xb3, 0x3e, 0x39, 0xda, 0xbe, 0x88, 0x09}}}, +{{{0x8b, 0xf1, 0xa0, 0xf5, 0xdc, 0x29, 0xb4, 0xe2, 0x07, 0xc6, 0x7a, 0x00, 0xd0, 0x89, 0x17, 0x51, 0xd4, 0xbb, 0xd4, 0x22, 0xea, 0x7e, 0x7d, 0x7c, 0x24, 0xea, 0xf2, 0xe8, 0x22, 0x12, 0x95, 0x06}} , + {{0xda, 0x7c, 0xa4, 0x0c, 0xf4, 0xba, 0x6e, 0xe1, 0x89, 0xb5, 0x59, 0xca, 0xf1, 0xc0, 0x29, 0x36, 0x09, 0x44, 0xe2, 0x7f, 0xd1, 0x63, 0x15, 0x99, 0xea, 0x25, 0xcf, 0x0c, 0x9d, 0xc0, 0x44, 0x6f}}}, +{{{0x1d, 0x86, 0x4e, 0xcf, 0xf7, 0x37, 0x10, 0x25, 0x8f, 0x12, 0xfb, 0x19, 0xfb, 0xe0, 0xed, 0x10, 0xc8, 0xe2, 0xf5, 0x75, 0xb1, 0x33, 0xc0, 0x96, 0x0d, 0xfb, 0x15, 0x6c, 0x0d, 0x07, 0x5f, 0x05}} , + {{0x69, 0x3e, 0x47, 0x97, 0x2c, 0xaf, 0x52, 0x7c, 0x78, 0x83, 0xad, 0x1b, 0x39, 0x82, 0x2f, 0x02, 0x6f, 0x47, 0xdb, 0x2a, 0xb0, 0xe1, 0x91, 0x99, 0x55, 0xb8, 0x99, 0x3a, 0xa0, 0x44, 0x11, 0x51}}} diff --git a/hash.c b/hash.c new file mode 100644 index 00000000..cb9ba982 --- /dev/null +++ b/hash.c 
@@ -0,0 +1,74 @@
+/* $OpenBSD: hash.c,v 1.2 2013/12/07 00:26:37 djm Exp $ */
+
+/* Public Domain, from supercop-20130419/crypto_hash/sha512/ref/hash.c */
+
+/*
+20080913
+D. J. Bernstein
+Public domain.
+*/
+
+#include "crypto_api.h"
+
+#define blocks crypto_hashblocks_sha512
+
+static const unsigned char iv[64] = {
+ 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08,
+ 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b,
+ 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b,
+ 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1,
+ 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1,
+ 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f,
+ 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b,
+ 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79
+} ;
+
+typedef unsigned long long uint64;
+
+int crypto_hash_sha512(unsigned char *out,const unsigned char *in,unsigned long long inlen)
+{
+ unsigned char h[64];
+ unsigned char padded[256];
+ unsigned int i;
+ unsigned long long bytes = inlen;
+
+ for (i = 0;i < 64;++i) h[i] = iv[i];
+
+ blocks(h,in,inlen);
+ in += inlen;
+ inlen &= 127;
+ in -= inlen;
+
+ for (i = 0;i < inlen;++i) padded[i] = in[i];
+ padded[inlen] = 0x80;
+
+ if (inlen < 112) {
+ for (i = inlen + 1;i < 119;++i) padded[i] = 0;
+ padded[119] = bytes >> 61;
+ padded[120] = bytes >> 53;
+ padded[121] = bytes >> 45;
+ padded[122] = bytes >> 37;
+ padded[123] = bytes >> 29;
+ padded[124] = bytes >> 21;
+ padded[125] = bytes >> 13;
+ padded[126] = bytes >> 5;
+ padded[127] = bytes << 3;
+ blocks(h,padded,128);
+ } else {
+ for (i = inlen + 1;i < 247;++i) padded[i] = 0;
+ padded[247] = bytes >> 61;
+ padded[248] = bytes >> 53;
+ padded[249] = bytes >> 45;
+ padded[250] = bytes >> 37;
+ padded[251] = bytes >> 29;
+ padded[252] = bytes >> 21;
+ padded[253] = bytes >> 13;
+ padded[254] = bytes >> 5;
+ padded[255] = bytes << 3;
+ blocks(h,padded,256);
+ }
+
+ for (i = 0;i < 64;++i) out[i] = h[i];
+
+ return 0;
+}
diff --git a/sc25519.c b/sc25519.c
new file mode 100644
index 00000000..c2b6db0e
--- /dev/null
+++ b/sc25519.c
@@ -0,0 +1,302 @@ +/* $OpenBSD: sc25519.c,v 1.2 2013/12/07 00:26:37 djm Exp $ */ + +/* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/sc25519.c */ + +#include "sc25519.h" + +/*Arithmetic modulo the group order m = 2^252 + 27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989 */ + +static const crypto_uint32 m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10}; + +static const crypto_uint32 mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21, + 0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F}; + +static crypto_uint32 lt(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */ +{ + unsigned int x = a; + x -= (unsigned int) b; /* 0..65535: no; 4294901761..4294967295: yes */ + x >>= 31; /* 0: no; 1: yes */ + return x; +} + +/* Reduce coefficients of r before calling reduce_add_sub */ +static void reduce_add_sub(sc25519 *r) +{ + crypto_uint32 pb = 0; + crypto_uint32 b; + crypto_uint32 mask; + int i; + unsigned char t[32]; + + for(i=0;i<32;i++) + { + pb += m[i]; + b = lt(r->v[i],pb); + t[i] = r->v[i]-pb+(b<<8); + pb = b; + } + mask = b - 1; + for(i=0;i<32;i++) + r->v[i] ^= mask & (r->v[i] ^ t[i]); +} + +/* Reduce coefficients of x before calling barrett_reduce */ +static void barrett_reduce(sc25519 *r, const crypto_uint32 x[64]) +{ + /* See HAC, Alg. 
14.42 */ + int i,j; + crypto_uint32 q2[66]; + crypto_uint32 *q3 = q2 + 33; + crypto_uint32 r1[33]; + crypto_uint32 r2[33]; + crypto_uint32 carry; + crypto_uint32 pb = 0; + crypto_uint32 b; + + for (i = 0;i < 66;++i) q2[i] = 0; + for (i = 0;i < 33;++i) r2[i] = 0; + + for(i=0;i<33;i++) + for(j=0;j<33;j++) + if(i+j >= 31) q2[i+j] += mu[i]*x[j+31]; + carry = q2[31] >> 8; + q2[32] += carry; + carry = q2[32] >> 8; + q2[33] += carry; + + for(i=0;i<33;i++)r1[i] = x[i]; + for(i=0;i<32;i++) + for(j=0;j<33;j++) + if(i+j < 33) r2[i+j] += m[i]*q3[j]; + + for(i=0;i<32;i++) + { + carry = r2[i] >> 8; + r2[i+1] += carry; + r2[i] &= 0xff; + } + + for(i=0;i<32;i++) + { + pb += r2[i]; + b = lt(r1[i],pb); + r->v[i] = r1[i]-pb+(b<<8); + pb = b; + } + + /* XXX: Can it really happen that r<0?, See HAC, Alg 14.42, Step 3 + * If so: Handle it here! + */ + + reduce_add_sub(r); + reduce_add_sub(r); +} + +void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]) +{ + int i; + crypto_uint32 t[64]; + for(i=0;i<32;i++) t[i] = x[i]; + for(i=32;i<64;++i) t[i] = 0; + barrett_reduce(r, t); +} + +void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16]) +{ + int i; + for(i=0;i<16;i++) r->v[i] = x[i]; +} + +void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]) +{ + int i; + crypto_uint32 t[64]; + for(i=0;i<64;i++) t[i] = x[i]; + barrett_reduce(r, t); +} + +void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x) +{ + int i; + for(i=0;i<16;i++) + r->v[i] = x->v[i]; + for(i=0;i<16;i++) + r->v[16+i] = 0; +} + +void sc25519_to32bytes(unsigned char r[32], const sc25519 *x) +{ + int i; + for(i=0;i<32;i++) r[i] = x->v[i]; +} + +int sc25519_iszero_vartime(const sc25519 *x) +{ + int i; + for(i=0;i<32;i++) + if(x->v[i] != 0) return 0; + return 1; +} + +int sc25519_isshort_vartime(const sc25519 *x) +{ + int i; + for(i=31;i>15;i--) + if(x->v[i] != 0) return 0; + return 1; +} + +int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y) +{ + int i; + for(i=31;i>=0;i--) + { + 
if(x->v[i] < y->v[i]) return 1; + if(x->v[i] > y->v[i]) return 0; + } + return 0; +} + +void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y) +{ + int i, carry; + for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i]; + for(i=0;i<31;i++) + { + carry = r->v[i] >> 8; + r->v[i+1] += carry; + r->v[i] &= 0xff; + } + reduce_add_sub(r); +} + +void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y) +{ + crypto_uint32 b = 0; + crypto_uint32 t; + int i; + for(i=0;i<32;i++) + { + t = x->v[i] - y->v[i] - b; + r->v[i] = t & 255; + b = (t >> 8) & 1; + } +} + +void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y) +{ + int i,j,carry; + crypto_uint32 t[64]; + for(i=0;i<64;i++)t[i] = 0; + + for(i=0;i<32;i++) + for(j=0;j<32;j++) + t[i+j] += x->v[i] * y->v[j]; + + /* Reduce coefficients */ + for(i=0;i<63;i++) + { + carry = t[i] >> 8; + t[i+1] += carry; + t[i] &= 0xff; + } + + barrett_reduce(r, t); +} + +void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y) +{ + sc25519 t; + sc25519_from_shortsc(&t, y); + sc25519_mul(r, x, &t); +} + +void sc25519_window3(signed char r[85], const sc25519 *s) +{ + char carry; + int i; + for(i=0;i<10;i++) + { + r[8*i+0] = s->v[3*i+0] & 7; + r[8*i+1] = (s->v[3*i+0] >> 3) & 7; + r[8*i+2] = (s->v[3*i+0] >> 6) & 7; + r[8*i+2] ^= (s->v[3*i+1] << 2) & 7; + r[8*i+3] = (s->v[3*i+1] >> 1) & 7; + r[8*i+4] = (s->v[3*i+1] >> 4) & 7; + r[8*i+5] = (s->v[3*i+1] >> 7) & 7; + r[8*i+5] ^= (s->v[3*i+2] << 1) & 7; + r[8*i+6] = (s->v[3*i+2] >> 2) & 7; + r[8*i+7] = (s->v[3*i+2] >> 5) & 7; + } + r[8*i+0] = s->v[3*i+0] & 7; + r[8*i+1] = (s->v[3*i+0] >> 3) & 7; + r[8*i+2] = (s->v[3*i+0] >> 6) & 7; + r[8*i+2] ^= (s->v[3*i+1] << 2) & 7; + r[8*i+3] = (s->v[3*i+1] >> 1) & 7; + r[8*i+4] = (s->v[3*i+1] >> 4) & 7; + + /* Making it signed */ + carry = 0; + for(i=0;i<84;i++) + { + r[i] += carry; + r[i+1] += r[i] >> 3; + r[i] &= 7; + carry = r[i] >> 2; + r[i] -= carry<<3; + } + r[84] += carry; +} + +void sc25519_window5(signed char 
r[51], const sc25519 *s) +{ + char carry; + int i; + for(i=0;i<6;i++) + { + r[8*i+0] = s->v[5*i+0] & 31; + r[8*i+1] = (s->v[5*i+0] >> 5) & 31; + r[8*i+1] ^= (s->v[5*i+1] << 3) & 31; + r[8*i+2] = (s->v[5*i+1] >> 2) & 31; + r[8*i+3] = (s->v[5*i+1] >> 7) & 31; + r[8*i+3] ^= (s->v[5*i+2] << 1) & 31; + r[8*i+4] = (s->v[5*i+2] >> 4) & 31; + r[8*i+4] ^= (s->v[5*i+3] << 4) & 31; + r[8*i+5] = (s->v[5*i+3] >> 1) & 31; + r[8*i+6] = (s->v[5*i+3] >> 6) & 31; + r[8*i+6] ^= (s->v[5*i+4] << 2) & 31; + r[8*i+7] = (s->v[5*i+4] >> 3) & 31; + } + r[8*i+0] = s->v[5*i+0] & 31; + r[8*i+1] = (s->v[5*i+0] >> 5) & 31; + r[8*i+1] ^= (s->v[5*i+1] << 3) & 31; + r[8*i+2] = (s->v[5*i+1] >> 2) & 31; + + /* Making it signed */ + carry = 0; + for(i=0;i<50;i++) + { + r[i] += carry; + r[i+1] += r[i] >> 5; + r[i] &= 31; + carry = r[i] >> 4; + r[i] -= carry<<5; + } + r[50] += carry; +} + +void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2) +{ + int i; + for(i=0;i<31;i++) + { + r[4*i] = ( s1->v[i] & 3) ^ (( s2->v[i] & 3) << 2); + r[4*i+1] = ((s1->v[i] >> 2) & 3) ^ (((s2->v[i] >> 2) & 3) << 2); + r[4*i+2] = ((s1->v[i] >> 4) & 3) ^ (((s2->v[i] >> 4) & 3) << 2); + r[4*i+3] = ((s1->v[i] >> 6) & 3) ^ (((s2->v[i] >> 6) & 3) << 2); + } + r[124] = ( s1->v[31] & 3) ^ (( s2->v[31] & 3) << 2); + r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2); + r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2); +} diff --git a/sc25519.h b/sc25519.h new file mode 100644 index 00000000..d49abcee --- /dev/null +++ b/sc25519.h 
@@ -0,0 +1,76 @@ +/* $OpenBSD: sc25519.h,v 1.2 2013/12/07 00:26:37 djm Exp $ */ + +/* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/sc25519.h */ + +#ifndef SC25519_H +#define SC25519_H + +#include "crypto_api.h" + +#define sc25519 crypto_sign_ed25519_ref_sc25519 +#define shortsc25519 crypto_sign_ed25519_ref_shortsc25519 +#define sc25519_from32bytes crypto_sign_ed25519_ref_sc25519_from32bytes +#define shortsc25519_from16bytes crypto_sign_ed25519_ref_shortsc25519_from16bytes +#define sc25519_from64bytes crypto_sign_ed25519_ref_sc25519_from64bytes +#define sc25519_from_shortsc crypto_sign_ed25519_ref_sc25519_from_shortsc +#define sc25519_to32bytes crypto_sign_ed25519_ref_sc25519_to32bytes +#define sc25519_iszero_vartime crypto_sign_ed25519_ref_sc25519_iszero_vartime +#define sc25519_isshort_vartime crypto_sign_ed25519_ref_sc25519_isshort_vartime +#define sc25519_lt_vartime crypto_sign_ed25519_ref_sc25519_lt_vartime +#define sc25519_add crypto_sign_ed25519_ref_sc25519_add +#define sc25519_sub_nored crypto_sign_ed25519_ref_sc25519_sub_nored +#define sc25519_mul crypto_sign_ed25519_ref_sc25519_mul +#define sc25519_mul_shortsc crypto_sign_ed25519_ref_sc25519_mul_shortsc +#define sc25519_window3 crypto_sign_ed25519_ref_sc25519_window3 +#define sc25519_window5 crypto_sign_ed25519_ref_sc25519_window5 +#define sc25519_2interleave2 crypto_sign_ed25519_ref_sc25519_2interleave2 + +typedef struct +{ + crypto_uint32 v[32]; +} +sc25519; + +typedef struct +{ + crypto_uint32 v[16]; +} +shortsc25519; + +void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]); + +void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16]); + +void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]); + +void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x); + +void sc25519_to32bytes(unsigned char r[32], const sc25519 *x); + +int sc25519_iszero_vartime(const sc25519 *x); + +int sc25519_isshort_vartime(const sc25519 *x); + +int sc25519_lt_vartime(const 
sc25519 *x, const sc25519 *y); + +void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y); + +void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y); + +void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y); + +void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y); + +/* Convert s into a representation of the form \sum_{i=0}^{84}r[i]2^3 + * with r[i] in {-4,...,3} + */ +void sc25519_window3(signed char r[85], const sc25519 *s); + +/* Convert s into a representation of the form \sum_{i=0}^{50}r[i]2^5 + * with r[i] in {-16,...,15} + */ +void sc25519_window5(signed char r[51], const sc25519 *s); + +void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2); + +#endif diff --git a/verify.c b/verify.c new file mode 100644 index 00000000..c2682414 --- /dev/null +++ b/verify.c @@ -0,0 +1,44 @@ +/* $OpenBSD: verify.c,v 1.2 2013/12/07 00:26:37 djm Exp $ */ + +/* Public Domain, from supercop-20130419/crypto_verify/32/ref/verify.c */ + +#include "crypto_api.h" + +int crypto_verify_32(const unsigned char *x,const unsigned char *y) +{ + unsigned int differentbits = 0; +#define F(i) differentbits |= x[i] ^ y[i]; + F(0) + F(1) + F(2) + F(3) + F(4) + F(5) + F(6) + F(7) + F(8) + F(9) + F(10) + F(11) + F(12) + F(13) + F(14) + F(15) + F(16) + F(17) + F(18) + F(19) + F(20) + F(21) + F(22) + F(23) + F(24) + F(25) + F(26) + F(27) + F(28) + F(29) + F(30) + F(31) + return (1 & ((differentbits - 1) >> 8)) - 1; +} -- cgit v1.2.1 From 857174992094730b830b983f1163252e92ba431a Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 00:29:09 +0000 Subject: - djm@cvs.openbsd.org 2013/12/07 00:19:15 [key.c] set k->cert = NULL after freeing it --- ChangeLog | 18 ++++++ key.c | 196 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 189 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index 76854907..250599b5 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -17,6 +17,24 @@ [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@ + - markus@cvs.openbsd.org 2013/12/06 13:39:49 + [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] + [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] + [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] + [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] + [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] + support ed25519 keys (hostkeys and user identities) using the public + domain ed25519 reference code from SUPERCOP, see + http://ed25519.cr.yp.to/software.html + feedback, help & ok djm@ + - jmc@cvs.openbsd.org 2013/12/06 15:29:07 + [sshd.8] + missing comma; + - djm@cvs.openbsd.org 2013/12/07 00:19:15 + [key.c] + set k->cert = NULL after freeing it + - [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] + [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents 20131205 - (djm) OpenBSD CVS Sync diff --git a/key.c b/key.c index c09f43f1..814f9a00 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.108 2013/12/06 13:34:54 markus Exp $ */ +/* $OpenBSD: key.c,v 1.110 2013/12/07 00:19:15 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -39,6 +39,8 @@ #include #include +#include "crypto_api.h" + #include #include @@ -86,6 +88,8 @@ key_new(int type) k->dsa = NULL; k->rsa = NULL; k->cert = NULL; + k->ed25519_sk = NULL; + k->ed25519_pk = NULL; switch (k->type) { case KEY_RSA1: case KEY_RSA: @@ -120,6 +124,10 @@ key_new(int type) /* Cannot do anything until we know the group */ break; #endif + case KEY_ED25519: + case KEY_ED25519_CERT: + /* no need to prealloc */ + break; case KEY_UNSPEC: break; default: 
@@ -164,6 +172,10 @@ key_add_private(Key *k) case KEY_ECDSA_CERT: /* Cannot do anything until we know the group */ break; + case KEY_ED25519: + case KEY_ED25519_CERT: + /* no need to prealloc */ + break; case KEY_UNSPEC: break; default: @@ -226,6 +238,19 @@ key_free(Key *k) k->ecdsa = NULL; break; #endif + case KEY_ED25519: + case KEY_ED25519_CERT: + if (k->ed25519_pk) { + memset(k->ed25519_pk, 0, ED25519_PK_SZ); + free(k->ed25519_pk); + k->ed25519_pk = NULL; + } + if (k->ed25519_sk) { + memset(k->ed25519_sk, 0, ED25519_SK_SZ); + free(k->ed25519_sk); + k->ed25519_sk = NULL; + } + break; case KEY_UNSPEC: break; default: @@ -307,6 +332,10 @@ key_equal_public(const Key *a, const Key *b) BN_CTX_free(bnctx); return 1; #endif /* OPENSSL_HAS_ECC */ + case KEY_ED25519: + case KEY_ED25519_CERT: + return a->ed25519_pk != NULL && b->ed25519_pk != NULL && + memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; default: fatal("key_equal: bad key type %d", a->type); } @@ -366,6 +395,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, case KEY_DSA: case KEY_ECDSA: case KEY_RSA: + case KEY_ED25519: key_to_blob(k, &blob, &len); break; case KEY_DSA_CERT_V00: @@ -373,6 +403,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, case KEY_DSA_CERT: case KEY_ECDSA_CERT: case KEY_RSA_CERT: + case KEY_ED25519_CERT: /* We want a fingerprint of the _key_ not of the cert */ to_blob(k, &blob, &len, 1); break; @@ -699,11 +730,13 @@ key_read(Key *ret, char **cpp) case KEY_RSA: case KEY_DSA: case KEY_ECDSA: + case KEY_ED25519: case KEY_DSA_CERT_V00: case KEY_RSA_CERT_V00: case KEY_DSA_CERT: case KEY_ECDSA_CERT: case KEY_RSA_CERT: + case KEY_ED25519_CERT: space = strchr(cp, ' '); if (space == NULL) { debug3("key_read: missing whitespace"); 
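Review bot: The `memset(k->ed25519_sk, 0, ED25519_SK_SZ);` added to key_free is immediately followed by `free()`, so the compiler may treat it as a dead store and drop it, leaving the Ed25519 private key in freed memory. Since ed25519_sk is the secret half of the key, the wipe should go through a function the optimizer cannot elide — `explicit_bzero(k->ed25519_sk, ED25519_SK_SZ);` if this tree's compat layer provides it, otherwise a volatile-pointer memset wrapper. The ed25519_pk wipe has the same shape but is not secret material, so it matters less. key_free begins and ends outside the hunk.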
@@ -805,6 +838,14 @@ key_read(Key *ret, char **cpp)
 #endif
 }
 #endif
+ if (key_type_plain(ret->type) == KEY_ED25519) {
+ free(ret->ed25519_pk);
+ ret->ed25519_pk = k->ed25519_pk;
+ k->ed25519_pk = NULL;
+#ifdef DEBUG_PK
+ /* XXX */
+#endif
+ }
 success = 1;
 /*XXXX*/
 key_free(k);
@@ -868,6 +909,11 @@ key_write(const Key *key, FILE *f)
 return 0;
 break;
 #endif
+ case KEY_ED25519:
+ case KEY_ED25519_CERT:
+ if (key->ed25519_pk == NULL)
+ return 0;
+ break;
 case KEY_RSA:
 case KEY_RSA_CERT_V00:
 case KEY_RSA_CERT:
@@ -915,6 +961,7 @@ static const struct keytype keytypes[] = {
 { NULL, "RSA1", KEY_RSA1, 0, 0 },
 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
 { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
+ { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
 #ifdef OPENSSL_HAS_ECC
 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
@@ -938,6 +985,8 @@ static const struct keytype keytypes[] = {
 KEY_RSA_CERT_V00, 0, 1 },
 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
 KEY_DSA_CERT_V00, 0, 1 },
+ { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
+ KEY_ED25519_CERT, 0, 1 },
 { NULL, NULL, -1, -1, 0 }
 };
@@ -1009,7 +1058,7 @@ key_ecdsa_nid_from_name(const char *name)
 }
 char *
-key_alg_list(void)
+key_alg_list(int certs_only, int plain_only)
 {
 char *ret = NULL;
 size_t nlen, rlen = 0;
@@ -1018,6 +1067,8 @@ key_alg_list(void)
 for (kt = keytypes; kt->type != -1; kt++) {
 if (kt->name == NULL)
 continue;
+ if ((certs_only && !kt->cert) || (plain_only && kt->cert))
+ continue;
 if (ret != NULL)
 ret[rlen++] = '\n';
 nlen = strlen(kt->name);
@@ -1053,6 +1104,8 @@ key_size(const Key *k)
 case KEY_DSA_CERT_V00:
 case KEY_DSA_CERT:
 return BN_num_bits(k->dsa->p);
+ case KEY_ED25519:
+ return 256; /* XXX */
 #ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 case KEY_ECDSA_CERT:
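Review bot: key_size() gains a `case KEY_ED25519:` returning 256 but no `case KEY_ED25519_CERT:`, while the ECDSA case directly below it lists both the plain and the certificate type, and the DSA/RSA cases above do the same; an ed25519 certificate therefore falls through to whatever the function does for unlisted types, which is outside the hunk but is unlikely to be 256. Add the cert label alongside, `case KEY_ED25519: case KEY_ED25519_CERT: return 256;`. The bare `/* XXX */` on that return would read better as an actual note, e.g. `/* fixed-size curve; no per-key bit length to query */`. key_size continues past the end of the hunk.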
@@ -1196,6 +1249,11 @@ key_generate(int type, u_int bits)
 case KEY_RSA1:
 k->rsa = rsa_generate_private_key(bits);
 break;
+ case KEY_ED25519:
+ k->ed25519_pk = xmalloc(ED25519_PK_SZ);
+ k->ed25519_sk = xmalloc(ED25519_SK_SZ);
+ crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
+ break;
 case KEY_RSA_CERT_V00:
 case KEY_DSA_CERT_V00:
 case KEY_RSA_CERT:
@@ -1289,6 +1347,14 @@ key_from_private(const Key *k)
 (BN_copy(n->rsa->e, k->rsa->e) == NULL))
 fatal("key_from_private: BN_copy failed");
 break;
+ case KEY_ED25519:
+ case KEY_ED25519_CERT:
+ n = key_new(k->type);
+ if (k->ed25519_pk != NULL) {
+ n->ed25519_pk = xmalloc(ED25519_PK_SZ);
+ memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+ }
+ break;
 default:
 fatal("key_from_private: unknown type %d", k->type);
 break;
@@ -1451,7 +1517,9 @@ key_from_blob2(const u_char *blob, u_int blen, int allow_cert)
 {
 Buffer b;
 int rlen, type;
+ u_int len;
 char *ktype = NULL, *curve = NULL;
+ u_char *pk = NULL;
 Key *key = NULL;
 #ifdef OPENSSL_HAS_ECC
 EC_POINT *q = NULL;
@@ -1550,6 +1618,23 @@ key_from_blob2(const u_char *blob, u_int blen, int allow_cert)
 #endif
 break;
 #endif /* OPENSSL_HAS_ECC */
+ case KEY_ED25519_CERT:
+ (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
+ /* FALLTHROUGH */
+ case KEY_ED25519:
+ if ((pk = buffer_get_string_ret(&b, &len)) == NULL) {
+ error("key_from_blob: can't read ed25519 key");
+ goto badkey;
+ }
+ if (len != ED25519_PK_SZ) {
+ error("key_from_blob: ed25519 len %d != %d",
+ len, ED25519_PK_SZ);
+ goto badkey;
+ }
+ key = key_new(type);
+ key->ed25519_pk = pk;
+ pk = NULL;
+ break;
 case KEY_UNSPEC:
 key = key_new(type);
 break;
@@ -1567,6 +1652,7 @@ key_from_blob2(const u_char *blob, u_int blen, int allow_cert)
 out:
 free(ktype);
 free(curve);
+ free(pk);
 #ifdef OPENSSL_HAS_ECC
 if (q != NULL)
 EC_POINT_free(q);
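Review bot: In key_from_blob2 the KEY_ED25519_CERT branch discards the result of `buffer_get_string_ptr_ret(&b, NULL)` when skipping the nonce, so a cert blob that is truncated at the nonce is only rejected later, by accident, when the following public-key read also fails; rejecting it at the point of failure — `if (buffer_get_string_ptr_ret(&b, NULL) == NULL) { error("key_from_blob: can't read ed25519 cert nonce"); goto badkey; }` — makes the parse of untrusted input explicit rather than incidental. Separately, the mismatch diagnostic `error("key_from_blob: ed25519 len %d != %d", len, ED25519_PK_SZ)` formats the `u_int len` declared earlier in this commit with `%d`; `%u` is the matching conversion (ED25519_PK_SZ's type is not visible here). key_from_blob2 extends beyond the hunk on both sides.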
@@ -1603,6 +1689,7 @@ to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
 case KEY_DSA_CERT:
 case KEY_ECDSA_CERT:
 case KEY_RSA_CERT:
+ case KEY_ED25519_CERT:
 /* Use the existing blob */
 buffer_append(&b, buffer_ptr(&key->cert->certblob),
 buffer_len(&key->cert->certblob));
@@ -1630,6 +1717,11 @@ to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
 buffer_put_bignum2(&b, key->rsa->e);
 buffer_put_bignum2(&b, key->rsa->n);
 break;
+ case KEY_ED25519:
+ buffer_put_cstring(&b,
+ key_ssh_name_from_type_nid(type, key->ecdsa_nid));
+ buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ);
+ break;
 default:
 error("key_to_blob: unsupported key type %d", key->type);
 buffer_free(&b);
@@ -1673,6 +1765,9 @@ key_sign(
 case KEY_RSA_CERT:
 case KEY_RSA:
 return ssh_rsa_sign(key, sigp, lenp, data, datalen);
+ case KEY_ED25519:
+ case KEY_ED25519_CERT:
+ return ssh_ed25519_sign(key, sigp, lenp, data, datalen);
 default:
 error("key_sign: invalid key type %d", key->type);
 return -1;
@@ -1706,6 +1801,9 @@ key_verify(
 case KEY_RSA_CERT:
 case KEY_RSA:
 return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
+ case KEY_ED25519:
+ case KEY_ED25519_CERT:
+ return ssh_ed25519_verify(key, signature, signaturelen, data, datalen);
 default:
 error("key_verify: invalid key type %d", key->type);
 return -1;
@@ -1725,6 +1823,8 @@ key_demote(const Key *k)
 pk->dsa = NULL;
 pk->ecdsa = NULL;
 pk->rsa = NULL;
+ pk->ed25519_pk = NULL;
+ pk->ed25519_sk = NULL;
 switch (k->type) {
 case KEY_RSA_CERT_V00:
@@ -1768,8 +1868,17 @@ key_demote(const Key *k)
 fatal("key_demote: EC_KEY_set_public_key failed");
 break;
 #endif
+ case KEY_ED25519_CERT:
+ key_cert_copy(k, pk);
+ /* FALLTHROUGH */
+ case KEY_ED25519:
+ if (k->ed25519_pk != NULL) {
+ pk->ed25519_pk = xmalloc(ED25519_PK_SZ);
+ memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+ }
+ break;
 default:
- fatal("key_free: bad key type %d", k->type);
+ fatal("key_demote: bad key type %d", k->type);
 break;
 }
@@ -1797,6 +1906,8 @@ key_type_plain(int type)
 return KEY_DSA;
 case KEY_ECDSA_CERT:
 return KEY_ECDSA;
+ case KEY_ED25519_CERT:
+ return KEY_ED25519;
 default:
 return type;
 }
@@ -1822,6 +1933,13 @@ key_to_certified(Key *k, int legacy)
 k->cert = cert_new();
 k->type = KEY_ECDSA_CERT;
 return 0;
+ case KEY_ED25519:
+ if (legacy)
+ fatal("%s: legacy ED25519 certificates are not "
+ "supported", __func__);
+ k->cert = cert_new();
+ k->type = KEY_ED25519_CERT;
+ return 0;
 default:
 error("%s: key has incorrect type %s", __func__, key_type(k));
 return -1;
@@ -1832,31 +1950,17 @@ key_to_certified(Key *k, int legacy)
 int
 key_drop_cert(Key *k)
 {
- switch (k->type) {
- case KEY_RSA_CERT_V00:
- case KEY_RSA_CERT:
- cert_free(k->cert);
- k->type = KEY_RSA;
- return 0;
- case KEY_DSA_CERT_V00:
- case KEY_DSA_CERT:
- cert_free(k->cert);
- k->type = KEY_DSA;
- return 0;
- case KEY_ECDSA_CERT:
- cert_free(k->cert);
- k->type = KEY_ECDSA;
- return 0;
- default:
+ if (!key_type_is_cert(k->type)) {
 error("%s: key has incorrect type %s", __func__, key_type(k));
 return -1;
 }
+ cert_free(k->cert);
+ k->cert = NULL;
+ k->type = key_type_plain(k->type);
+ return 0;
 }
-/*
- * Sign a KEY_RSA_CERT, KEY_DSA_CERT or KEY_ECDSA_CERT, (re-)generating
- * the signed certblob
- */
+/* Sign a certified key, (re-)generating the signed certblob. */
 int
 key_certify(Key *k, Key *ca)
 {
@@ -1876,7 +1980,7 @@ key_certify(Key *k, Key *ca)
 }
 if (ca->type != KEY_RSA && ca->type != KEY_DSA &&
- ca->type != KEY_ECDSA) {
+ ca->type != KEY_ECDSA && ca->type != KEY_ED25519) {
 error("%s: CA key has unsupported type %s", __func__,
 key_type(ca));
 return -1;
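Review bot: key_to_certified's new KEY_ED25519 branch calls `fatal()` when `legacy` is set, terminating the process on a caller-supplied flag, whereas the `default:` branch in the same hunk reports bad input with `error()` and `return -1`. If this mirrors how the ECDSA branch above the hunk (not visible here) handles `legacy` it is at least consistent; otherwise `error("%s: legacy ED25519 certificates are not supported", __func__); return -1;` would let ssh-keygen report the problem instead of aborting. Either way a short comment stating that v00 certificates are intentionally undefined for ed25519 would help the next reader. key_to_certified starts above the hunk.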
@@ -1915,6 +2019,10 @@ key_certify(Key *k, Key *ca)
 buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
 buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
 break;
+ case KEY_ED25519_CERT:
+ buffer_put_string(&k->cert->certblob,
+ k->ed25519_pk, ED25519_PK_SZ);
+ break;
 default:
 error("%s: key has incorrect type %s", __func__, key_type(k));
 buffer_clear(&k->cert->certblob);
@@ -2332,6 +2440,18 @@ key_private_serialize(const Key *key, Buffer *b)
 buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
 break;
 #endif /* OPENSSL_HAS_ECC */
+ case KEY_ED25519:
+ buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
+ buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
+ break;
+ case KEY_ED25519_CERT:
+ if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
+ fatal("%s: no cert/certblob", __func__);
+ buffer_put_string(b, buffer_ptr(&key->cert->certblob),
+ buffer_len(&key->cert->certblob));
+ buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
+ buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
+ break;
+ }
 }
@@ -2341,7 +2461,7 @@ key_private_deserialize(Buffer *blob)
 char *type_name;
 Key *k = NULL;
 u_char *cert;
- u_int len;
+ u_int len, pklen, sklen;
 int type;
 #ifdef OPENSSL_HAS_ECC
 char *curve;
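Review bot: key_private_serialize's KEY_ED25519 case writes `key->ed25519_pk` and `key->ed25519_sk` without checking that either is non-NULL, and the KEY_ED25519_CERT case checks only the certblob; key_new() in this commit initialises both pointers to NULL, and key_demote() and key_from_private() deliberately produce keys without an `ed25519_sk`, so serialising one of those hands a NULL pointer to buffer_put_string. Guard both cases with `if (key->ed25519_pk == NULL || key->ed25519_sk == NULL) fatal("%s: missing ed25519 key material", __func__);`, mirroring the certblob check already there. key_private_serialize starts above the hunk.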
@@ -2446,6 +2566,32 @@ key_private_deserialize(Buffer *blob)
 buffer_get_bignum2(blob, k->rsa->p);
 buffer_get_bignum2(blob, k->rsa->q);
 break;
+ case KEY_ED25519:
+ k = key_new_private(type);
+ k->ed25519_pk = buffer_get_string(blob, &pklen);
+ k->ed25519_sk = buffer_get_string(blob, &sklen);
+ if (pklen != ED25519_PK_SZ)
+ fatal("%s: ed25519 pklen %d != %d",
+ __func__, pklen, ED25519_PK_SZ);
+ if (sklen != ED25519_SK_SZ)
+ fatal("%s: ed25519 sklen %d != %d",
+ __func__, sklen, ED25519_SK_SZ);
+ break;
+ case KEY_ED25519_CERT:
+ cert = buffer_get_string(blob, &len);
+ if ((k = key_from_blob(cert, len)) == NULL)
+ fatal("Certificate parse failed");
+ free(cert);
+ key_add_private(k);
+ k->ed25519_pk = buffer_get_string(blob, &pklen);
+ k->ed25519_sk = buffer_get_string(blob, &sklen);
+ if (pklen != ED25519_PK_SZ)
+ fatal("%s: ed25519 pklen %d != %d",
+ __func__, pklen, ED25519_PK_SZ);
+ if (sklen != ED25519_SK_SZ)
+ fatal("%s: ed25519 sklen %d != %d",
+ __func__, sklen, ED25519_SK_SZ);
+ break;
 default:
 free(type_name);
 buffer_clear(blob);
-- cgit v1.2.1

From f92161dd91fa482e938047bc3221bdb11ba3355d Mon Sep 17 00:00:00 2001
From: djm
Date: Sat, 7 Dec 2013 00:35:36 +0000
Subject: - [Makefile.in] Add ed25519 sources

---
 ChangeLog | 1 +
 Makefile.in | 6 ++++--
 configure.ac | 5 +++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 250599b5..3f9fc6af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,7 @@
 set k->cert = NULL after freeing it
 - [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
 [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents
+ - [Makefile.in] Add ed25519 sources
 20131205
 - (djm) OpenBSD CVS Sync
diff --git a/Makefile.in b/Makefile.in
index 91f39d4f..2c263af7 100644
--- a/Makefile.in
+++ b/Makefile.in
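Review bot: In the KEY_ED25519_CERT branch of key_private_deserialize the key returned by `key_from_blob(cert, len)` is used without confirming that its type is actually KEY_ED25519_CERT, so a private-key blob whose embedded certificate is of some other type would have ed25519 fields attached to a key of a different type. The type parsed from the type name earlier in the function (above the hunk) is already in `type`, so `if (k->type != type) fatal("%s: certificate type mismatch", __func__);` right after the parse closes this. The sibling RSA/DSA/ECDSA cert branches are not visible here; if they have the same gap it is pre-existing rather than introduced by this hunk, but the new code should not repeat it.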
@@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.345 2013/11/21 03:12:23 djm Exp $ +# $Id: Makefile.in,v 1.346 2013/12/07 00:35:37 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -74,7 +74,9 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ - kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o + kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ + ssh-ed25519.o \ + sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ diff --git a/configure.ac b/configure.ac index c691200b..95240f51 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.544 2013/12/05 00:00:16 dtucker Exp $ +# $Id: configure.ac,v 1.545 2013/12/07 00:35:37 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.544 $) +AC_REVISION($Revision: 1.545 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1540,6 +1540,7 @@ AC_CHECK_FUNCS([ \ b64_pton \ __b64_pton \ bcopy \ + bcrypt_pbkdf \ bindresvport_sa \ clock \ closefrom \ -- cgit v1.2.1 From 5bea9bc967ce8d7f5f0d7d12240bf3f7be17afff Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 00:38:03 +0000 Subject: - [authfile.c] Conditionalise inclusion of util.h --- ChangeLog | 1 + authfile.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 3f9fc6af..9ca70ed1 100644 --- a/ChangeLog +++ b/ChangeLog 
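Review bot: The new final line of LIBSSH_OBJS, `sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \`, still ends with a backslash, so the assignment continues onto the blank line that follows; make tolerates this, but anything later inserted on that blank line silently joins the object list, and the line it replaced ended without a continuation. Drop the trailing backslash so the line reads `sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o`.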
@@ -36,6 +36,7 @@ - [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents - [Makefile.in] Add ed25519 sources + - [authfile.c] Conditionalise inclusion of util.h 20131205 - (djm) OpenBSD CVS Sync diff --git a/authfile.c b/authfile.c index b0fc23e6..3bbc7cbb 100644 --- a/authfile.c +++ b/authfile.c @@ -60,7 +60,9 @@ #include #include +#ifdef HAVE_UTIL_H #include +#endif #include "xmalloc.h" #include "cipher.h" -- cgit v1.2.1 From 21c9a82b28bee6570a384957a88163820e31212e Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 00:51:51 +0000 Subject: - [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c] [openbsd-compat/blf.h openbsd-compat/blowfish.c] [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in portable. --- ChangeLog | 4 + configure.ac | 10 +- openbsd-compat/Makefile.in | 4 +- openbsd-compat/bcrypt_pbkdf.c | 176 ++++++++++ openbsd-compat/blf.h | 88 +++++ openbsd-compat/blowfish.c | 694 ++++++++++++++++++++++++++++++++++++++++ openbsd-compat/openbsd-compat.h | 8 +- 7 files changed, 979 insertions(+), 5 deletions(-) create mode 100644 openbsd-compat/bcrypt_pbkdf.c create mode 100644 openbsd-compat/blf.h create mode 100644 openbsd-compat/blowfish.c diff --git a/ChangeLog b/ChangeLog index 9ca70ed1..5d630fb5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,10 @@ [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents - [Makefile.in] Add ed25519 sources - [authfile.c] Conditionalise inclusion of util.h + - [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c] + [openbsd-compat/blf.h openbsd-compat/blowfish.c] + [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in + portable. 20131205 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 95240f51..c8d4bfc6 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.545 2013/12/07 00:35:37 djm Exp $ +# $Id: configure.ac,v 1.546 2013/12/07 00:51:51 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.545 $) +AC_REVISION($Revision: 1.546 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -296,6 +296,7 @@ AC_ARG_WITH([Werror], ) AC_CHECK_HEADERS([ \ + blf.h \ bstring.h \ crypt.h \ crypto/sha2.h \ @@ -1530,6 +1531,10 @@ AC_ARG_WITH([audit], dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS([ \ + Blowfish_initstate \ + Blowfish_expandstate \ + Blowfish_expand0state \ + Blowfish_stream2word \ arc4random \ arc4random_buf \ arc4random_stir \ @@ -1542,6 +1547,7 @@ AC_CHECK_FUNCS([ \ bcopy \ bcrypt_pbkdf \ bindresvport_sa \ + blf_enc \ clock \ closefrom \ dirfd \ diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index a5f4a266..3866a549 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.52 2013/10/08 23:44:49 djm Exp $ +# $Id: Makefile.in,v 1.53 2013/12/07 00:51:54 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ 
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o +OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o diff --git a/openbsd-compat/bcrypt_pbkdf.c b/openbsd-compat/bcrypt_pbkdf.c new file mode 100644 index 00000000..58bbfe15 --- /dev/null +++ b/openbsd-compat/bcrypt_pbkdf.c 
@@ -0,0 +1,176 @@
+/* $OpenBSD: bcrypt_pbkdf.c,v 1.4 2013/07/29 00:55:53 tedu Exp $ */
+/*
+ * Copyright (c) 2013 Ted Unangst
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifndef HAVE_BCRYPT_PBKDF
+
+#include
+#include
+
+#include
+#include
+#include
+
+#ifdef HAVE_BLF_H
+# include
+#endif
+#ifdef HAVE_SHA256_UPDATE
+# ifdef HAVE_SHA2_H
+# include
+# elif defined(HAVE_CRYPTO_SHA2_H)
+# include
+# endif
+#endif
+
+/*
+ * pkcs #5 pbkdf2 implementation using the "bcrypt" hash
+ *
+ * The bcrypt hash function is derived from the bcrypt password hashing
+ * function with the following modifications:
+ * 1. The input password and salt are preprocessed with SHA512.
+ * 2. The output length is expanded to 256 bits.
+ * 3. Subsequently the magic string to be encrypted is lengthened and modifed
+ * to "OxychromaticBlowfishSwatDynamite"
+ * 4. The hash function is defined to perform 64 rounds of initial state
+ * expansion. (More rounds are performed by iterating the hash.)
+ *
+ * Note that this implementation pulls the SHA512 operations into the caller
+ * as a performance optimization.
+ *
+ * One modification from official pbkdf2. Instead of outputting key material
+ * linearly, we mix it. pbkdf2 has a known weakness where if one uses it to
+ * generate (i.e.) 512 bits of key material for use as two 256 bit keys, an
+ * attacker can merely run once through the outer loop below, but the user
+ * always runs it twice. Shuffling output bytes requires computing the
+ * entirety of the key material to assemble any subkey. This is something a
+ * wise caller could do; we just do it for you.
+ */
+
+#define BCRYPT_BLOCKS 8
+#define BCRYPT_HASHSIZE (BCRYPT_BLOCKS * 4)
+
+static void
+bcrypt_hash(u_int8_t *sha2pass, u_int8_t *sha2salt, u_int8_t *out)
+{
+ blf_ctx state;
+ u_int8_t ciphertext[BCRYPT_HASHSIZE] =
+ "OxychromaticBlowfishSwatDynamite";
+ uint32_t cdata[BCRYPT_BLOCKS];
+ int i;
+ uint16_t j;
+ size_t shalen = SHA512_DIGEST_LENGTH;
+
+ /* key expansion */
+ Blowfish_initstate(&state);
+ Blowfish_expandstate(&state, sha2salt, shalen, sha2pass, shalen);
+ for (i = 0; i < 64; i++) {
+ Blowfish_expand0state(&state, sha2salt, shalen);
+ Blowfish_expand0state(&state, sha2pass, shalen);
+ }
+
+ /* encryption */
+ j = 0;
+ for (i = 0; i < BCRYPT_BLOCKS; i++)
+ cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext),
+ &j);
+ for (i = 0; i < 64; i++)
+ blf_enc(&state, cdata, sizeof(cdata) / sizeof(uint64_t));
+
+ /* copy out */
+ for (i = 0; i < BCRYPT_BLOCKS; i++) {
+ out[4 * i + 3] = (cdata[i] >> 24) & 0xff;
+ out[4 * i + 2] = (cdata[i] >> 16) & 0xff;
+ out[4 * i + 1] = (cdata[i] >> 8) & 0xff;
+ out[4 * i + 0] = cdata[i] & 0xff;
+ }
+
+ /* zap */
+ memset(ciphertext, 0, sizeof(ciphertext));
+ memset(cdata, 0, sizeof(cdata));
+ memset(&state, 0, sizeof(state));
+}
+
+int
+bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t saltlen,
+ u_int8_t *key, size_t keylen, unsigned int rounds)
+{
+ SHA2_CTX ctx;
+ u_int8_t sha2pass[SHA512_DIGEST_LENGTH];
+ u_int8_t sha2salt[SHA512_DIGEST_LENGTH];
+ u_int8_t out[BCRYPT_HASHSIZE];
+ u_int8_t tmpout[BCRYPT_HASHSIZE];
+ u_int8_t countsalt[4];
+ size_t i, j, amt, stride;
+ uint32_t count;
+
+ /* nothing crazy */
+ if (rounds < 1)
+ return -1;
+ if (passlen == 0 || saltlen == 0 || keylen == 0 ||
+ keylen > sizeof(out) * sizeof(out))
+ return -1;
+ stride = (keylen + sizeof(out) - 1) / sizeof(out);
+ amt = (keylen + stride - 1) / stride;
+
+ /* collapse password */
+ SHA512Init(&ctx);
+ SHA512Update(&ctx, pass, passlen);
+ SHA512Final(sha2pass, &ctx);
+
+
+ /* generate key, sizeof(out) at a time */
+ for (count = 1; keylen > 0; count++) {
+ countsalt[0] = (count >> 24) & 0xff;
+ countsalt[1] = (count >> 16) & 0xff;
+ countsalt[2] = (count >> 8) & 0xff;
+ countsalt[3] = count & 0xff;
+
+ /* first round, salt is salt */
+ SHA512Init(&ctx);
+ SHA512Update(&ctx, salt, saltlen);
+ SHA512Update(&ctx, countsalt, sizeof(countsalt));
+ SHA512Final(sha2salt, &ctx);
+ bcrypt_hash(sha2pass, sha2salt, tmpout);
+ memcpy(out, tmpout, sizeof(out));
+
+ for (i = 1; i < rounds; i++) {
+ /* subsequent rounds, salt is previous output */
+ SHA512Init(&ctx);
+ SHA512Update(&ctx, tmpout, sizeof(tmpout));
+ SHA512Final(sha2salt, &ctx);
+ bcrypt_hash(sha2pass, sha2salt, tmpout);
+ for (j = 0; j < sizeof(out); j++)
+ out[j] ^= tmpout[j];
+ }
+
+ /*
+ * pbkdf2 deviation: ouput the key material non-linearly.
+ */
+ amt = MIN(amt, keylen);
+ for (i = 0; i < amt; i++)
+ key[i * stride + (count - 1)] = out[i];
+ keylen -= amt;
+ }
+
+ /* zap */
+ memset(&ctx, 0, sizeof(ctx));
+ memset(out, 0, sizeof(out));
+
+ return 0;
+}
+#endif /* HAVE_BCRYPT_PBKDF */
diff --git a/openbsd-compat/blf.h b/openbsd-compat/blf.h
new file mode 100644
index 00000000..f1ac5a5c
--- /dev/null
+++ b/openbsd-compat/blf.h
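Review bot: bcrypt_pbkdf's closing `/* zap */` clears only `ctx` and `out`; `sha2pass` (the SHA-512 of the passphrase), `sha2salt` and `tmpout` are left on the stack when the function returns, and the clearing that is done uses plain `memset()`, which the compiler may drop for locals that are never read again. Add `memset(sha2pass, 0, sizeof(sha2pass)); memset(sha2salt, 0, sizeof(sha2salt)); memset(tmpout, 0, sizeof(tmpout));` beside the existing two, and consider routing all of them (and the three in bcrypt_hash) through a non-elidable clear such as explicit_bzero where the build has one — the includes at the top of this file do not show such a helper, so that needs checking against what openbsd-compat provides. The comment `pbkdf2 deviation: ouput the key material non-linearly.` also has a typo (`output`).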
@@ -0,0 +1,88 @@
+/* $OpenBSD: blf.h,v 1.7 2007/03/14 17:59:41 gr unk Exp $ */
+/*
+ * Blowfish - a fast block cipher designed by Bruce Schneier
+ *
+ * Copyright 1997 Niels Provos
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Niels Provos.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _BLF_H_
+#define _BLF_H_
+
+#include "includes.h"
+
+#if !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H)
+
+/* Schneier specifies a maximum key length of 56 bytes.
+ * This ensures that every key bit affects every cipher
+ * bit. However, the subkeys can hold up to 72 bytes.
+ * Warning: For normal blowfish encryption only 56 bytes
+ * of the key affect all cipherbits.
+ */
+
+#define BLF_N 16 /* Number of Subkeys */
+#define BLF_MAXKEYLEN ((BLF_N-2)*4) /* 448 bits */
+#define BLF_MAXUTILIZED ((BLF_N+2)*4) /* 576 bits */
+
+/* Blowfish context */
+typedef struct BlowfishContext {
+ u_int32_t S[4][256]; /* S-Boxes */
+ u_int32_t P[BLF_N + 2]; /* Subkeys */
+} blf_ctx;
+
+/* Raw access to customized Blowfish
+ * blf_key is just:
+ * Blowfish_initstate( state )
+ * Blowfish_expand0state( state, key, keylen )
+ */
+
+void Blowfish_encipher(blf_ctx *, u_int32_t *, u_int32_t *);
+void Blowfish_decipher(blf_ctx *, u_int32_t *, u_int32_t *);
+void Blowfish_initstate(blf_ctx *);
+void Blowfish_expand0state(blf_ctx *, const u_int8_t *, u_int16_t);
+void Blowfish_expandstate
+(blf_ctx *, const u_int8_t *, u_int16_t, const u_int8_t *, u_int16_t);
+
+/* Standard Blowfish */
+
+void blf_key(blf_ctx *, const u_int8_t *, u_int16_t);
+void blf_enc(blf_ctx *, u_int32_t *, u_int16_t);
+void blf_dec(blf_ctx *, u_int32_t *, u_int16_t);
+
+void blf_ecb_encrypt(blf_ctx *, u_int8_t *, u_int32_t);
+void blf_ecb_decrypt(blf_ctx *, u_int8_t *, u_int32_t);
+
+void blf_cbc_encrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
+void blf_cbc_decrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
+
+/* Converts u_int8_t to u_int32_t */
+u_int32_t Blowfish_stream2word(const u_int8_t *, u_int16_t , u_int16_t *);
+
+#endif /* !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H) */
+#endif /* _BLF_H */
+
diff --git a/openbsd-compat/blowfish.c b/openbsd-compat/blowfish.c
new file mode 100644
index 00000000..6c419549
--- /dev/null
+++ b/openbsd-compat/blowfish.c
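Review bot: The compat declarations are guarded by `#if !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H)`, but the macro this commit's configure.ac defines for a system blf.h is `HAVE_BLF_H` (and bcrypt_pbkdf.c tests `HAVE_BLF_H`), so the second half of the condition can never be true and these prototypes and the `blf_ctx` typedef are emitted even when the system header is also being included. Change both the `#if` and the matching `#endif` comment to `HAVE_BLF_H`. The closing `#endif /* _BLF_H */` also names a different guard than the `_BLF_H_` actually defined; cosmetic, but worth aligning while here.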
@@ -0,0 +1,694 @@ +/* $OpenBSD: blowfish.c,v 1.18 2004/11/02 17:23:26 hshoexer Exp $ */ +/* + * Blowfish block cipher for OpenBSD + * Copyright 1997 Niels Provos + * All rights reserved. + * + * Implementation advice by David Mazieres . + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Niels Provos. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code is derived from section 14.3 and the given source + * in section V of Applied Cryptography, second edition. 
+ * Blowfish is an unpatented fast block cipher designed by + * Bruce Schneier. + */ + +#include "includes.h" + +#if !defined(HAVE_BCRYPT_PBKDF) && (!defined(HAVE_BLOWFISH_INITSTATE) || \ + !defined(HAVE_BLOWFISH_EXPAND0STATE) || !defined(HAVE_BLF_ENC)) + +#if 0 +#include /* used for debugging */ +#include +#endif + +#include +#include + +#undef inline +#ifdef __GNUC__ +#define inline __inline +#else /* !__GNUC__ */ +#define inline +#endif /* !__GNUC__ */ + +/* Function for Feistel Networks */ + +#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \ + + (s)[0x100 + (((x)>>16)&0xFF)]) \ + ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \ + + (s)[0x300 + ( (x) &0xFF)]) + +#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n]) + +void +Blowfish_encipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr) +{ + u_int32_t Xl; + u_int32_t Xr; + u_int32_t *s = c->S[0]; + u_int32_t *p = c->P; + + Xl = *xl; + Xr = *xr; + + Xl ^= p[0]; + BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2); + BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4); + BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6); + BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8); + BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10); + BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12); + BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14); + BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16); + + *xl = Xr ^ p[17]; + *xr = Xl; +} + +void +Blowfish_decipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr) +{ + u_int32_t Xl; + u_int32_t Xr; + u_int32_t *s = c->S[0]; + u_int32_t *p = c->P; + + Xl = *xl; + Xr = *xr; + + Xl ^= p[17]; + BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15); + BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13); + BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11); + BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9); + BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7); + BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5); + BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3); + BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1); + + *xl = Xr ^ p[0]; + 
*xr = Xl; +} + +void +Blowfish_initstate(blf_ctx *c) +{ + /* P-box and S-box tables initialized with digits of Pi */ + + static const blf_ctx initstate = + { { + { + 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, + 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, + 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, + 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, + 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, + 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, + 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, + 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, + 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, + 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, + 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, + 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, + 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, + 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, + 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, + 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, + 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, + 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, + 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, + 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, + 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, + 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, + 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, + 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, + 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, + 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, + 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, + 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, + 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, + 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, + 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, + 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, + 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, + 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, + 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, + 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, + 0x3c7516df, 0xfd616b15, 
0x2f501ec8, 0xad0552ab, + 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, + 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, + 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, + 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, + 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, + 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, + 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, + 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, + 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, + 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, + 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, + 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, + 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, + 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, + 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, + 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, + 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, + 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, + 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, + 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, + 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, + 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, + 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, + 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, + 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, + 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, + 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a}, + { + 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, + 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266, + 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, + 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, + 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6, + 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, + 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, + 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1, + 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, + 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, + 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff, + 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, + 0xd19113f9, 
0x7ca92ff6, 0x94324773, 0x22f54701, + 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7, + 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, + 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, + 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf, + 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, + 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, + 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87, + 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, + 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, + 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16, + 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, + 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, + 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509, + 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, + 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, + 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f, + 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, + 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, + 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960, + 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, + 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, + 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802, + 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, + 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, + 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf, + 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, + 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, + 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50, + 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, + 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, + 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281, + 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, + 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, + 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128, + 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, + 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, + 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0, + 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, + 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, + 0xcf62a1f2, 
0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3, + 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, + 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, + 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061, + 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, + 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, + 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735, + 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, + 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, + 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340, + 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, + 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7}, + { + 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, + 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068, + 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, + 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, + 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45, + 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, + 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, + 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb, + 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, + 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, + 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42, + 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, + 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, + 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb, + 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, + 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, + 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33, + 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, + 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, + 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc, + 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, + 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, + 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b, + 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, + 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, + 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728, + 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, + 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, + 
0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37, + 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, + 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, + 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b, + 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, + 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, + 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d, + 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, + 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, + 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9, + 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, + 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, + 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d, + 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, + 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, + 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61, + 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, + 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, + 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2, + 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, + 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, + 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633, + 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, + 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, + 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52, + 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, + 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, + 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62, + 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, + 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, + 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24, + 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, + 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, + 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c, + 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, + 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0}, + { + 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, + 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe, + 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, + 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 
0x6a366eb4, + 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8, + 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, + 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, + 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22, + 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, + 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, + 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9, + 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, + 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, + 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51, + 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, + 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, + 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b, + 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, + 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, + 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd, + 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, + 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, + 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb, + 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, + 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, + 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32, + 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, + 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, + 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae, + 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, + 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, + 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47, + 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, + 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, + 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84, + 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, + 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, + 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd, + 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, + 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, + 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38, + 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, + 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, + 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 
0x9b941525, + 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, + 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, + 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964, + 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, + 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, + 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d, + 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, + 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, + 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02, + 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, + 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, + 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a, + 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, + 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, + 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0, + 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, + 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, + 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9, + 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, + 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6} + }, + { + 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, + 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, + 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, + 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, + 0x9216d5d9, 0x8979fb1b + } }; + + *c = initstate; +} + +u_int32_t +Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes, + u_int16_t *current) +{ + u_int8_t i; + u_int16_t j; + u_int32_t temp; + + temp = 0x00000000; + j = *current; + + for (i = 0; i < 4; i++, j++) { + if (j >= databytes) + j = 0; + temp = (temp << 8) | data[j]; + } + + *current = j; + return temp; +} + +void +Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes) +{ + u_int16_t i; + u_int16_t j; + u_int16_t k; + u_int32_t temp; + u_int32_t datal; + u_int32_t datar; + + j = 0; + for (i = 0; i < BLF_N + 2; i++) { + /* Extract 4 int8 to 1 int32 from keystream */ + temp = Blowfish_stream2word(key, keybytes, &j); + c->P[i] = c->P[i] ^ temp; + } + + j = 0; + datal = 
0x00000000; + datar = 0x00000000; + for (i = 0; i < BLF_N + 2; i += 2) { + Blowfish_encipher(c, &datal, &datar); + + c->P[i] = datal; + c->P[i + 1] = datar; + } + + for (i = 0; i < 4; i++) { + for (k = 0; k < 256; k += 2) { + Blowfish_encipher(c, &datal, &datar); + + c->S[i][k] = datal; + c->S[i][k + 1] = datar; + } + } +} + + +void +Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes, + const u_int8_t *key, u_int16_t keybytes) +{ + u_int16_t i; + u_int16_t j; + u_int16_t k; + u_int32_t temp; + u_int32_t datal; + u_int32_t datar; + + j = 0; + for (i = 0; i < BLF_N + 2; i++) { + /* Extract 4 int8 to 1 int32 from keystream */ + temp = Blowfish_stream2word(key, keybytes, &j); + c->P[i] = c->P[i] ^ temp; + } + + j = 0; + datal = 0x00000000; + datar = 0x00000000; + for (i = 0; i < BLF_N + 2; i += 2) { + datal ^= Blowfish_stream2word(data, databytes, &j); + datar ^= Blowfish_stream2word(data, databytes, &j); + Blowfish_encipher(c, &datal, &datar); + + c->P[i] = datal; + c->P[i + 1] = datar; + } + + for (i = 0; i < 4; i++) { + for (k = 0; k < 256; k += 2) { + datal ^= Blowfish_stream2word(data, databytes, &j); + datar ^= Blowfish_stream2word(data, databytes, &j); + Blowfish_encipher(c, &datal, &datar); + + c->S[i][k] = datal; + c->S[i][k + 1] = datar; + } + } + +} + +void +blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len) +{ + /* Initialize S-boxes and subkeys with Pi */ + Blowfish_initstate(c); + + /* Transform S-boxes and subkeys with key */ + Blowfish_expand0state(c, k, len); +} + +void +blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks) +{ + u_int32_t *d; + u_int16_t i; + + d = data; + for (i = 0; i < blocks; i++) { + Blowfish_encipher(c, d, d + 1); + d += 2; + } +} + +void +blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks) +{ + u_int32_t *d; + u_int16_t i; + + d = data; + for (i = 0; i < blocks; i++) { + Blowfish_decipher(c, d, d + 1); + d += 2; + } +} + +void +blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len) +{ + 
u_int32_t l, r; + u_int32_t i; + + for (i = 0; i < len; i += 8) { + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_encipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + data += 8; + } +} + +void +blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r; + u_int32_t i; + + for (i = 0; i < len; i += 8) { + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_decipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + data += 8; + } +} + +void +blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r; + u_int32_t i, j; + + for (i = 0; i < len; i += 8) { + for (j = 0; j < 8; j++) + data[j] ^= iv[j]; + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_encipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + iv = data; + data += 8; + } +} + +void +blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r; + u_int8_t *iv; + u_int32_t i, j; + + iv = data + len - 16; + data = data + len - 8; + for (i = len - 8; i >= 8; i -= 8) { + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_decipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] 
= l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + for (j = 0; j < 8; j++) + data[j] ^= iv[j]; + iv -= 8; + data -= 8; + } + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + Blowfish_decipher(c, &l, &r); + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + for (j = 0; j < 8; j++) + data[j] ^= iva[j]; +} + +#if 0 +void +report(u_int32_t data[], u_int16_t len) +{ + u_int16_t i; + for (i = 0; i < len; i += 2) + printf("Block %0hd: %08lx %08lx.\n", + i / 2, data[i], data[i + 1]); +} +void +main(void) +{ + + blf_ctx c; + char key[] = "AAAAA"; + char key2[] = "abcdefghijklmnopqrstuvwxyz"; + + u_int32_t data[10]; + u_int32_t data2[] = + {0x424c4f57l, 0x46495348l}; + + u_int16_t i; + + /* First test */ + for (i = 0; i < 10; i++) + data[i] = i; + + blf_key(&c, (u_int8_t *) key, 5); + blf_enc(&c, data, 5); + blf_dec(&c, data, 1); + blf_dec(&c, data + 2, 4); + printf("Should read as 0 - 9.\n"); + report(data, 10); + + /* Second test */ + blf_key(&c, (u_int8_t *) key2, strlen(key2)); + blf_enc(&c, data2, 1); + printf("\nShould read as: 0x324ed0fe 0xf413a203.\n"); + report(data2, 2); + blf_dec(&c, data2, 1); + report(data2, 2); +} +#endif + +#endif /* !defined(HAVE_BCRYPT_PBKDF) && (!defined(HAVE_BLOWFISH_INITSTATE) || \ + !defined(HAVE_BLOWFISH_EXPAND0STATE) || !defined(HAVE_BLF_ENC)) */ + diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index cb007f01..f34619e4 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h 
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.59 2013/11/08 07:54:39 dtucker Exp $ */
+/* $Id: openbsd-compat.h,v 1.60 2013/12/07 00:51:54 djm Exp $ */
 
 /*
 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -44,6 +44,7 @@
 #include "vis.h"
 #include "getrrsetbyname.h"
 #include "sha2.h"
+#include "blf.h"
 
 #ifndef HAVE_BASENAME
 char *basename(const char *path);
@@ -240,6 +241,11 @@ char *group_from_gid(gid_t, int);
 int timingsafe_bcmp(const void *, const void *, size_t);
 #endif
 
+#ifndef HAVE_BCRYPT_PBKDF
+int bcrypt_pbkdf(const char *, size_t, const u_int8_t *, size_t,
+ u_int8_t *, size_t, unsigned int);
+#endif
+
 void *xmmap(size_t size);
 char *xcrypt(const char *password, const char *salt);
 char *shadow_pw(struct passwd *pw);
-- cgit v1.2.1
From 00ac1dd670f2cee47bef0218d88539bf780c55e0 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 01:37:53 +0000 Subject: - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in] [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on Linux
---
 ChangeLog | 11 +++++++---- ed25519.c | 1 + openbsd-compat/Makefile.in | 4 ++-- openbsd-compat/bcrypt_pbkdf.c | 46 ++++++++++++++++++------------------------- ssh-ed25519.c | 2 ++ 5 files changed, 31 insertions(+), 33 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5d630fb5..cf5e0d50 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,14 +33,17 @@ - djm@cvs.openbsd.org 2013/12/07 00:19:15 [key.c] set k->cert = NULL after freeing it - - [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] + - (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents - - [Makefile.in] Add ed25519 sources - - [authfile.c] Conditionalise inclusion of util.h - - [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c] + - (djm) [Makefile.in] Add ed25519 sources + - (djm) [authfile.c] Conditionalise inclusion of util.h + - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c] [openbsd-compat/blf.h openbsd-compat/blowfish.c] [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in portable. + - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in] + [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on + Linux 20131205 - (djm) OpenBSD CVS Sync diff --git a/ed25519.c b/ed25519.c index c7c861bb..9c9879c0 100644 --- a/ed25519.c +++ b/ed25519.c @@ -2,6 +2,7 @@ /* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c */ +#include "includes.h" #include "crypto_api.h" #include "ge25519.h" diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 3866a549..276646fa 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.53 2013/12/07 00:51:54 djm Exp $ +# $Id: Makefile.in,v 1.54 2013/12/07 01:37:54 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ 
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o +OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o diff --git a/openbsd-compat/bcrypt_pbkdf.c b/openbsd-compat/bcrypt_pbkdf.c index 58bbfe15..e0736fea 100644 --- a/openbsd-compat/bcrypt_pbkdf.c +++ b/openbsd-compat/bcrypt_pbkdf.c @@ -24,18 +24,13 @@ #include #include -#include #ifdef HAVE_BLF_H # include #endif -#ifdef HAVE_SHA256_UPDATE -# ifdef HAVE_SHA2_H -# include -# elif defined(HAVE_CRYPTO_SHA2_H) -# include -# endif -#endif + +#include "crypto_api.h" +#define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES /* * pkcs #5 pbkdf2 implementation using the "bcrypt" hash 
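Review bot: The new `OPENBSD=` line appends `blowfish.o bcrypt_pbkdf.o`, but both objects already appear earlier in the same list (`bcrypt_pbkdf.o` third, `blowfish.o` fifth), so each is now named twice. If the list is only fed to `ar` the second copy is presumably absorbed, but it is still noise that invites a third copy on the next merge; drop the two trailing entries and keep the list alphabetical like the rest of it.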
@@ -109,12 +104,11 @@ int
 bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t saltlen,
 u_int8_t *key, size_t keylen, unsigned int rounds)
 {
- SHA2_CTX ctx;
 u_int8_t sha2pass[SHA512_DIGEST_LENGTH];
 u_int8_t sha2salt[SHA512_DIGEST_LENGTH];
 u_int8_t out[BCRYPT_HASHSIZE];
 u_int8_t tmpout[BCRYPT_HASHSIZE];
- u_int8_t countsalt[4];
+ u_int8_t *countsalt;
 size_t i, j, amt, stride;
 uint32_t count;
 
@@ -122,37 +116,34 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t salt
 if (rounds < 1)
 return -1;
 if (passlen == 0 || saltlen == 0 || keylen == 0 ||
- keylen > sizeof(out) * sizeof(out))
+ keylen > sizeof(out) * sizeof(out) || saltlen > 1<<20)
+ return -1;
+ if ((countsalt = calloc(1, saltlen + 4)) == NULL)
 return -1;
 
 stride = (keylen + sizeof(out) - 1) / sizeof(out);
 amt = (keylen + stride - 1) / stride;
 
- /* collapse password */
- SHA512Init(&ctx);
- SHA512Update(&ctx, pass, passlen);
- SHA512Final(sha2pass, &ctx);
+ memcpy(countsalt, salt, saltlen);
+ /* collapse password */
+ crypto_hash_sha512(sha2pass, pass, passlen);
 
 /* generate key, sizeof(out) at a time */
 for (count = 1; keylen > 0; count++) {
- countsalt[0] = (count >> 24) & 0xff;
- countsalt[1] = (count >> 16) & 0xff;
- countsalt[2] = (count >> 8) & 0xff;
- countsalt[3] = count & 0xff;
+ countsalt[saltlen + 0] = (count >> 24) & 0xff;
+ countsalt[saltlen + 1] = (count >> 16) & 0xff;
+ countsalt[saltlen + 2] = (count >> 8) & 0xff;
+ countsalt[saltlen + 3] = count & 0xff;
 
 /* first round, salt is salt */
- SHA512Init(&ctx);
- SHA512Update(&ctx, salt, saltlen);
- SHA512Update(&ctx, countsalt, sizeof(countsalt));
- SHA512Final(sha2salt, &ctx);
+ crypto_hash_sha512(sha2salt, countsalt, saltlen + 4);
+
 bcrypt_hash(sha2pass, sha2salt, tmpout);
 memcpy(out, tmpout, sizeof(out));
 
 for (i = 1; i < rounds; i++) {
 /* subsequent rounds, salt is previous output */
- SHA512Init(&ctx);
- SHA512Update(&ctx, tmpout, sizeof(tmpout));
- SHA512Final(sha2salt, &ctx);
+ crypto_hash_sha512(sha2salt, tmpout, sizeof(tmpout));
 bcrypt_hash(sha2pass, sha2salt, tmpout);
 for (j = 0; j < sizeof(out); j++)
 out[j] ^= tmpout[j];
@@ -168,8 +159,9 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t salt
 }
 
 /* zap */
- memset(&ctx, 0, sizeof(ctx));
 memset(out, 0, sizeof(out));
+ memset(countsalt, 0, saltlen + 4);
+ free(countsalt);
 
 return 0;
 }
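Review bot: `saltlen > 1<<20` in the new length check is a bare magic number; it presumably exists to bound the `calloc(1, saltlen + 4)` that follows and keep the addition from wrapping, but nothing says so. A named constant next to `BCRYPT_HASHSIZE` would carry that meaning, e.g. `#define BCRYPT_PBKDF_MAXSALT (1<<20)` and `saltlen > BCRYPT_PBKDF_MAXSALT` here. The function's declarations are in the preceding hunk and its tail in the next.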
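Review bot: The zap block clears `out` and `countsalt` but leaves `sha2pass`, the SHA-512 of the password, together with `sha2salt` and `tmpout` (all declared in the earlier hunk) in stack memory when the function returns, and with `ctx` gone nothing else is wiped; add `memset(sha2pass, 0, sizeof(sha2pass));`, `memset(sha2salt, 0, sizeof(sha2salt));` and `memset(tmpout, 0, sizeof(tmpout));` alongside the existing two. Note also that `memset(countsalt, 0, saltlen + 4)` immediately followed by `free(countsalt)` is a dead store the compiler is permitted to drop, so these wipes should go through a non-elidable primitive such as `explicit_bzero` if the compat layer provides one, otherwise through a volatile-pointer helper.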
diff --git a/ssh-ed25519.c b/ssh-ed25519.c index c03c1634..1aedcf83 100644 --- a/ssh-ed25519.c +++ b/ssh-ed25519.c @@ -15,6 +15,8 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#include "includes.h" + #include #include "crypto_api.h" -- cgit v1.2.1 From 5cd1bb0fb9b1c95dc83732bdfedb7ca7e2e8d5da Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 05:32:44 +0000 Subject: - markus@cvs.openbsd.org 2013/12/06 13:52:46 [regress/Makefile regress/agent.sh regress/cert-hostkey.sh] [regress/cert-userkey.sh regress/keytype.sh] test ed25519 support; from djm@ --- ChangeLog | 4 ++++ regress/Makefile | 12 ++++++++++-- regress/agent.sh | 4 ++-- regress/cert-hostkey.sh | 48 ++++++++++++++++++++++++++++-------------------- regress/cert-userkey.sh | 31 +++++++++++++++++-------------- regress/keytype.sh | 4 ++-- 6 files changed, 63 insertions(+), 40 deletions(-) diff --git a/ChangeLog b/ChangeLog index cf5e0d50..5edeb82b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,10 @@ - djm@cvs.openbsd.org 2013/12/07 00:19:15 [key.c] set k->cert = NULL after freeing it + - markus@cvs.openbsd.org 2013/12/06 13:52:46 + [regress/Makefile regress/agent.sh regress/cert-hostkey.sh] + [regress/cert-userkey.sh regress/keytype.sh] + test ed25519 support; from djm@ - (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents - (djm) [Makefile.in] Add ed25519 sources diff --git a/regress/Makefile b/regress/Makefile index eca634a6..098f2014 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.66 2013/10/09 23:44:14 djm Exp $ +# $OpenBSD: Makefile,v 1.67 2013/12/06 13:52:46 markus Exp $ -REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec +REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec tests: $(REGRESS_TARGETS) # Interop tests are not run by default 
@@ -153,6 +153,14 @@ t9: $(OBJ)/t9.out test "${TEST_SSH_ECC}" != yes || \ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null + +$(OBJ)/t10.out: + ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -f $@ + +t10: $(OBJ)/t10.out + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null + t-exec: ${LTESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ diff --git a/regress/agent.sh b/regress/agent.sh index be7d9133..90bad15d 100644 --- a/regress/agent.sh +++ b/regress/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: agent.sh,v 1.9 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="simple agent test" @@ -20,7 +20,7 @@ else fi trace "overwrite authorized keys" printf '' > $OBJ/authorized_keys_$USER - for t in rsa rsa1; do + for t in ed25519 rsa rsa1; do # generate user key for agent rm -f $OBJ/$t-agent ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 35cd3929..da2cec87 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,14 +1,8 @@ -# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.8 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="certified host keys" -# used to disable ECC based tests on platforms without ECC -ecdsa="" -if test "x$TEST_SSH_ECC" = "xyes"; then - ecdsa=ecdsa -fi - rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 
@@ -23,8 +17,17 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert +PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` + +type_has_legacy() { + case $1 in + ed25519*|ecdsa*) return 1 ;; + esac + return 0 +} + # Generate and sign host keys -for ktype in rsa dsa $ecdsa ; do +for ktype in $PLAIN_TYPES ; do verbose "$tid: sign host ${ktype} cert" # Generate and sign a host key ${SSHKEYGEN} -q -N '' -t ${ktype} \ @@ -34,10 +37,10 @@ for ktype in rsa dsa $ecdsa ; do -I "regress host key for $USER" \ -n $HOSTS $OBJ/cert_host_key_${ktype} || fail "couldn't sign cert_host_key_${ktype}" - # v00 ecdsa certs do not exist - test "${ktype}" = "ecdsa" && continue + type_has_legacy $ktype || continue cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub + verbose "$tid: sign host ${ktype}_v00 cert" ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ -I "regress host key for $USER" \ -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || @@ -46,7 +49,7 @@ done # Basic connect tests for privsep in yes no ; do - for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do verbose "$tid: host ${ktype} cert connect privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -73,9 +76,16 @@ done printf "* " cat $OBJ/cert_host_key_rsa.pub if test "x$TEST_SSH_ECC" = "xyes"; then + cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub + printf '@revoked ' + printf "* " + cat $OBJ/cert_host_key_ecdsa-sha2-nistp384.pub + printf '@revoked ' + printf "* " + cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub printf '@revoked ' printf "* " - cat $OBJ/cert_host_key_ecdsa.pub + cat $OBJ/cert_host_key_ed25519.pub fi printf '@revoked ' printf "* " 
@@ -88,7 +98,7 @@ done cat $OBJ/cert_host_key_dsa_v00.pub ) > $OBJ/known_hosts-cert for privsep in yes no ; do - for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do verbose "$tid: host ${ktype} revoked cert privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -115,7 +125,7 @@ done printf "* " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert -for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do verbose "$tid: host ${ktype} revoked cert" ( cat $OBJ/sshd_proxy_bak @@ -186,9 +196,8 @@ test_one "cert has constraints" failure "-h -Oforce-command=false" # Check downgrade of cert to raw key when no CA found for v in v01 v00 ; do - for ktype in rsa dsa $ecdsa ; do - # v00 ecdsa certs do not exist. - test "${v}${ktype}" = "v00ecdsa" && continue + for ktype in $PLAIN_TYPES ; do + type_has_legacy $ktype || continue rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" # Generate and sign a host key @@ -225,9 +234,8 @@ done cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert for v in v01 v00 ; do - for kt in rsa dsa $ecdsa ; do - # v00 ecdsa certs do not exist. - test "${v}${ktype}" = "v00ecdsa" && continue + for kt in $PLAIN_TYPES ; do + type_has_legacy $kt || continue rm -f $OBJ/cert_host_key* # Self-sign key ${SSHKEYGEN} -q -N '' -t ${kt} \ diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 6018b38f..b093a919 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh 
@@ -1,23 +1,26 @@ -# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="certified user keys" -# used to disable ECC based tests on platforms without ECC -ecdsa="" -if test "x$TEST_SSH_ECC" = "xyes"; then - ecdsa=ecdsa -fi - rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak +PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` + +type_has_legacy() { + case $1 in + ed25519*|ecdsa*) return 1 ;; + esac + return 0 +} + # Create a CA key ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ fail "ssh-keygen of user_ca_key failed" # Generate and sign user keys -for ktype in rsa dsa $ecdsa ; do +for ktype in $PLAIN_TYPES ; do verbose "$tid: sign user ${ktype} cert" ${SSHKEYGEN} -q -N '' -t ${ktype} \ -f $OBJ/cert_user_key_${ktype} || \ @@ -25,18 +28,18 @@ for ktype in rsa dsa $ecdsa ; do ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" - # v00 ecdsa certs do not exist - test "${ktype}" = "ecdsa" && continue + type_has_legacy $ktype || continue cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub + verbose "$tid: sign host ${ktype}_v00 cert" ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ "regress user key for $USER" \ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || - fail "couldn't sign cert_user_key_${ktype}_v00" + fatal "couldn't sign cert_user_key_${ktype}_v00" done # Test explicitly-specified principals -for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for privsep in yes no ; do _prefix="${ktype} privsep $privsep" 
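Review bot: The new progress line in the v00 branch reads `verbose "$tid: sign host ${ktype}_v00 cert"`, but this is the user-key test; it was evidently copied from cert-hostkey.sh and should read `verbose "$tid: sign user ${ktype}_v00 cert"`. The `PLAIN_TYPES` sed also differs from the cert-hostkey.sh copy (`s/^ssh-dss/ssh-dsa/` here, `s/^ssh-dss/ssh-dsa/g` there); harmless on a one-word line, but the two should match so they keep being edited together.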
@@ -162,7 +165,7 @@ basic_tests() { extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" fi - for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for privsep in yes no ; do _prefix="${ktype} privsep $privsep $auth" # Simple connect @@ -332,7 +335,7 @@ test_one "principals key option no principals" failure "" \ # Wrong certificate cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy -for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do case $ktype in *_v00) args="-t v00" ;; *) args="" ;; diff --git a/regress/keytype.sh b/regress/keytype.sh index 65436b2c..2c57ec6b 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -11,7 +11,7 @@ fi cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak -ktypes="dsa-1024 rsa-2048 rsa-3072" +ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512" for i in `$SSH -Q key`; do case "$i" in ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;; -- cgit v1.2.1 From 2abe8f77c2def1d602da67837a6f96c711336f91 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 06:07:15 +0000 Subject: - (djm) [regress/cert-hostkey.sh] Fix merge botch --- ChangeLog | 1 + regress/cert-hostkey.sh | 8 +++++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5edeb82b..317dd2c4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -48,6 +48,7 @@ - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in] [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on Linux + - (djm) [regress/cert-hostkey.sh] Fix merge botch 20131205 - (djm) OpenBSD CVS Sync diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index da2cec87..1ed5af50 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh 
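Review bot: `ed25519-512` gives Ed25519 a nominal key size it does not have; if the loop that consumes `ktypes` splits each entry into a type and a bit count for `ssh-keygen -b`, as the other entries suggest, the `512` is only a placeholder and ssh-keygen will presumably ignore it. A comment on the line such as `# ed25519 has one fixed size; -512 only satisfies the type-bits split` would keep a reader from treating it as a real parameter. The loop that uses `ktypes` lies outside this hunk.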
@@ -76,6 +76,8 @@ done printf "* " cat $OBJ/cert_host_key_rsa.pub if test "x$TEST_SSH_ECC" = "xyes"; then + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub printf '@revoked ' printf "* " @@ -83,12 +85,12 @@ done printf '@revoked ' printf "* " cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ed25519.pub fi printf '@revoked ' printf "* " + cat $OBJ/cert_host_key_ed25519.pub + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_dsa.pub printf '@revoked ' printf "* " -- cgit v1.2.1 From face52eec160c8ad8e4a0fbd2c7042a9c349aa47 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 10:43:46 +0000 Subject: - (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from Loganaden Velvindron @ AfriNIC in bz#2179 --- ChangeLog | 2 ++ Makefile.in | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 317dd2c4..68ee8538 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,8 @@ [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on Linux - (djm) [regress/cert-hostkey.sh] Fix merge botch + - (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from + Loganaden Velvindron @ AfriNIC in bz#2179 20131205 - (djm) OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index 2c263af7..f45c8809 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.346 2013/12/07 00:35:37 djm Exp $ +# $Id: Makefile.in,v 1.347 2013/12/07 10:43:47 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
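Review bot: The relocated ed25519 block repeats the `printf '@revoked '` / `printf "* "` / `cat` triplet once more, and the merge botch this commit fixes is exactly the kind of slip that pattern invites. A small helper defined earlier in the script, `revoke_key() { printf '@revoked * '; cat "$1"; }`, would reduce each key to one line and make a misplaced entry much harder to produce. The surrounding script begins outside the hunk.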
@@ -115,6 +115,7 @@ PATHSUBS = \ -e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \ -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \ -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \ + -e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \ -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \ -e 's|/etc/moduli|$(sysconfdir)/moduli|g' \ -e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \ @@ -335,6 +336,11 @@ host-key: ssh-keygen$(EXEEXT) else \ ./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \ fi ; \ + if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \ + echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \ + fi ; \ if [ -z "@COMMENT_OUT_ECC@" ] ; then \ if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \ echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \ @@ -348,6 +354,7 @@ host-key-force: ssh-keygen$(EXEEXT) ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" + ./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N "" test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N "" uninstallall: uninstall -- cgit v1.2.1 From ab3fed8dd0ab756971756620dddad778d67faee4 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 7 Dec 2013 21:23:08 +0000 Subject: - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna Vinschen --- ChangeLog | 4 ++++ openbsd-compat/bsd-setres_id.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 68ee8538..3434d6d2 100644 --- a/ChangeLog +++ b/ChangeLog 
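Review bot: The new ed25519 branch in `host-key` and the new line in `host-key-force` sit outside the `@COMMENT_OUT_ECC@` guard that wraps the ecdsa generation, which is presumably deliberate because the ed25519 code elsewhere on this page is the public-domain NaCl/supercop implementation rather than OpenSSL ECC, but nothing in the recipe says so. A comment above the branch, `# ed25519 does not need OpenSSL ECC, so it is generated unconditionally`, would keep a later maintainer from "fixing" it into the guard. Note that `host-key` still writes to `$(sysconfdir)` while `host-key-force` uses `$(DESTDIR)$(sysconfdir)`; the new lines follow that pre-existing split rather than introducing it.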
@@ -1,3 +1,7 @@ +20131208 + - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna + Vinschen + 20131207 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/12/05 22:59:45 diff --git a/openbsd-compat/bsd-setres_id.c b/openbsd-compat/bsd-setres_id.c index 020b214b..018bde8c 100644 --- a/openbsd-compat/bsd-setres_id.c +++ b/openbsd-compat/bsd-setres_id.c @@ -1,4 +1,4 @@ -/* $Id: bsd-setres_id.c,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */ +/* $Id: bsd-setres_id.c,v 1.2 2013/12/07 21:23:09 djm Exp $ */ /* * Copyright (c) 2012 Darren Tucker (dtucker at zip com au). @@ -22,6 +22,7 @@ #include #include +#include #include "log.h" -- cgit v1.2.1 From 5b4f2d38224df0aa98000b7008431068e02c12d1 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 8 Dec 2013 04:53:28 +0000 Subject: - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh] [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid filesystem before running agent-ptrace.sh; ok dtucker --- ChangeLog | 3 +++ Makefile.in | 9 +++++++- regress/Makefile | 2 +- regress/agent-ptrace.sh | 7 ++++++ regress/setuid-allowed.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 regress/setuid-allowed.c diff --git a/ChangeLog b/ChangeLog index 3434d6d2..c56f5978 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna Vinschen + - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh] + [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid + filesystem before running agent-ptrace.sh; ok dtucker 20131207 - (djm) OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index f45c8809..e789b476 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.347 2013/12/07 10:43:47 djm Exp $ +# $Id: Makefile.in,v 1.348 2013/12/08 04:53:28 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -401,6 +401,13 @@ regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c + [ -d `pwd`/regress ] || mkdir -p `pwd`/regress + [ -f `pwd`/regress/Makefile ] || \ + ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ + $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) BUILDDIR=`pwd`; \ TEST_SHELL="@TEST_SHELL@"; \ diff --git a/regress/Makefile b/regress/Makefile index 098f2014..ba850483 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -88,7 +88,7 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ ssh.log failed-ssh.log sshd.log failed-sshd.log \ regress.log failed-regress.log ssh-log-wrapper.sh \ - sftp-server.sh sftp-server.log sftp.log + sftp-server.sh sftp-server.log sftp.log setuid-allowed SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 9f29464c..6824b814 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -19,6 +19,13 @@ else exit 0 fi +if $OBJ/setuid-allowed ${SSHAGENT} ; then + : ok +else + echo "skipped (${SSHAGENT} is mounted on a no-setuid filesystem)" + exit 0 +fi + if test -z "$SUDO" ; then echo "skipped (SUDO not set)" exit 0 diff --git a/regress/setuid-allowed.c b/regress/setuid-allowed.c new file mode 100644 index 00000000..37b7dc8a --- /dev/null +++ b/regress/setuid-allowed.c 
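Review bot: The new `regress/setuid-allowed$(EXEEXT)` rule is not reachable from the test target: the context line `tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)` still lists only modpipe, so nothing builds the helper before agent-ptrace.sh runs `$OBJ/setuid-allowed`, and that invocation fails into the script's "skipped" branch. Add it to the prerequisites: `tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT)`. The rule body is also a verbatim copy of the modpipe rule above it; a pattern rule or a variable holding the mkdir/ln preamble would avoid a third copy the next time a regress helper is added.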
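Review bot: The skip message in the new block blames a no-setuid filesystem for any non-zero exit of `$OBJ/setuid-allowed`, but the same branch is taken when the helper was never built or when its `statvfs` call fails, so a build or environment problem would be reported as a skip rather than a failure. Check for the helper first, `test -x $OBJ/setuid-allowed || fatal "setuid-allowed helper not built"`, and keep the nosuid message for the genuine case. The remaining skip checks of the script continue outside the hunk.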
@@ -0,0 +1,56 @@ +/* + * Copyright (c) 2013 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* $OpenBSD$ */ + +#include "includes.h" + +#include +#ifdef HAVE_SYS_STATVFS_H +# include +#endif +#include +#include + +void +usage(void) +{ + fprintf(stderr, "check-setuid [path]\n"); + exit(1); +} + +int +main(int argc, char **argv) +{ + const char *path = "."; + struct statvfs sb; + + if (argc > 2) + usage(); + else if (argc == 2) + path = argv[1]; + + if (statvfs(path, &sb) != 0) { + /* Don't return an error if the host doesn't support statvfs */ + if (errno == ENOSYS) + return 0; + fprintf(stderr, "statvfs for \"%s\" failed: %s\n", + path, strerror(errno)); + } + return (sb.f_flag & ST_NOSUID) ? 1 : 0; +} + + -- cgit v1.2.1 From 6a681160427a8596092c13866069a86021bbac0e Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 18 Dec 2013 06:45:35 +0000 Subject: - djm@cvs.openbsd.org 2013/12/07 08:08:26 [ssh-keygen.1] document -a and -o wrt new key format --- ChangeLog | 6 ++++++ ssh-keygen.1 | 31 ++++++++++++++++++++++++------- 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index c56f5978..351bd038 100644 --- a/ChangeLog +++ b/ChangeLog 
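Review bot: When `statvfs()` fails with anything other than ENOSYS, `main` prints the error and then falls through to `return (sb.f_flag & ST_NOSUID) ? 1 : 0;` with `sb` never written, so the exit status depends on uninitialized stack contents. An explicit result after the `fprintf`, `return 1;` (treat an unknowable mount as not setuid-capable, which makes the caller skip) or `return 0;` if the caller should proceed anyway, closes that path, and the comment above it should state which policy was chosen. The usage text still says `check-setuid` although the program is built as `setuid-allowed`.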
@@ -1,3 +1,9 @@ +20131218 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/07 08:08:26 + [ssh-keygen.1] + document -a and -o wrt new key format + 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna Vinschen diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 0d55854e..689db22f 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.117 2013/12/07 08:08:26 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 27 2013 $ +.Dd $Mdocdate: December 7 2013 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -103,7 +103,7 @@ .Fl T Ar output_file .Fl f Ar input_file .Op Fl v -.Op Fl a Ar num_trials +.Op Fl a Ar rounds .Op Fl J Ar num_lines .Op Fl j Ar start_line .Op Fl K Ar checkpt @@ -222,11 +222,20 @@ an empty passphrase, default bits for the key type, and default comment. This is used by .Pa /etc/rc to generate new host keys. -.It Fl a Ar trials -Specifies the number of primality tests to perform when screening DH-GEX -candidates using the +.It Fl a Ar rounds +When saving a new-format private key (i.e. an ed25519 key or any SSH protocol +2 key when the +.Fl o +flag is set), this option specifies the number of KDF (key derivation function) +rounds used. +Higher numbers result in slower passphrase verification and increased +resistance to brute-force password cracking (should the keys be stolen). +.Pp +When screening DH-GEX candidates ( +using the .Fl T -command. +command). +This option specifies the number of primality tests to perform. .It Fl B Show the bubblebabble digest of specified private or public key file. .It Fl b Ar bits 
@@ -447,6 +456,14 @@ format. .El .Pp At present, no options are valid for host keys. +.It Fl o +Causes +.Nm +to save SSH protocol 2 private keys using the new OpenSSH format rather than +the more compatible PEM format. +The new format has increased resistance to brute-force password cracking +but is not supported by versions of OpenSSH prior to 6.5. +Ed25519 keys always use the new private key format. .It Fl P Ar passphrase Provides the (old) passphrase. .It Fl p -- cgit v1.2.1 From af2a9b7b4cf91f377d2e5942fcf1fb2f3239cbae Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 18 Dec 2013 06:46:27 +0000 Subject: - naddy@cvs.openbsd.org 2013/12/07 11:58:46 [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1] [ssh_config.5 sshd.8 sshd_config.5] add missing mentions of ed25519; ok djm@ --- ChangeLog | 4 ++++ ssh-add.1 | 9 ++++++--- ssh-agent.1 | 11 +++++++---- ssh-keygen.1 | 26 ++++++++++++++++++-------- ssh-keyscan.1 | 7 ++++--- ssh-keysign.8 | 6 ++++-- ssh.1 | 20 ++++++++++++++------ ssh_config.5 | 10 ++++++---- sshd.8 | 16 ++++++++++------ sshd_config.5 | 10 ++++++---- 10 files changed, 79 insertions(+), 40 deletions(-) diff --git a/ChangeLog b/ChangeLog index 351bd038..c162b7f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - djm@cvs.openbsd.org 2013/12/07 08:08:26 [ssh-keygen.1] document -a and -o wrt new key format + - naddy@cvs.openbsd.org 2013/12/07 11:58:46 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1] + [ssh_config.5 sshd.8 sshd_config.5] + add missing mentions of ed25519; ok djm@ 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna diff --git a/ssh-add.1 b/ssh-add.1 index 44846b67..4812448f 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.58 2012/12/03 08:33:02 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.59 2013/12/07 11:58:46 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 3 2012 $ +.Dd $Mdocdate: December 7 2013 $ .Dt SSH-ADD 1 .Os .Sh NAME @@ -57,7 +57,8 @@ adds private key identities to the authentication agent, When run without arguments, it adds the files .Pa ~/.ssh/id_rsa , .Pa ~/.ssh/id_dsa , -.Pa ~/.ssh/id_ecdsa +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/identity . After loading a private key, @@ -169,6 +170,8 @@ Contains the protocol version 1 RSA authentication identity of the user. Contains the protocol version 2 DSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa Contains the protocol version 2 ECDSA authentication identity of the user. +.It Pa ~/.ssh/id_ed25519 +Contains the protocol version 2 ED25519 authentication identity of the user. .It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. .El diff --git a/ssh-agent.1 b/ssh-agent.1 index bb801c90..281ecbdc 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.53 2010/11/21 01:01:13 djm Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.54 2013/12/07 11:58:46 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 21 2010 $ +.Dd $Mdocdate: December 7 2013 $ .Dt SSH-AGENT 1 .Os .Sh NAME @@ -53,7 +53,7 @@ .Sh DESCRIPTION .Nm is a program to hold private keys used for public key authentication -(RSA, DSA, ECDSA). +(RSA, DSA, ECDSA, ED25519). The idea is that .Nm is started in the beginning of an X-session or a login session, and 
@@ -115,7 +115,8 @@ When executed without arguments, adds the files .Pa ~/.ssh/id_rsa , .Pa ~/.ssh/id_dsa , -.Pa ~/.ssh/id_ecdsa +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/identity . If the identity has a passphrase, @@ -190,6 +191,8 @@ Contains the protocol version 1 RSA authentication identity of the user. Contains the protocol version 2 DSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa Contains the protocol version 2 ECDSA authentication identity of the user. +.It Pa ~/.ssh/id_ed25519 +Contains the protocol version 2 ED25519 authentication identity of the user. .It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 689db22f..09e401bf 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.117 2013/12/07 08:08:26 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.118 2013/12/07 11:58:46 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -139,8 +139,8 @@ generates, manages and converts authentication keys for .Xr ssh 1 . .Nm -can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA -keys for use by SSH protocol version 2. +can create RSA keys for use by SSH protocol version 1 and +DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. The type of key to be generated is specified with the .Fl t option. @@ -167,8 +167,9 @@ Normally each user wishing to use SSH with public key authentication runs this once to create the authentication key in .Pa ~/.ssh/identity , +.Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , -.Pa ~/.ssh/id_dsa +.Pa ~/.ssh/id_ed25519 or .Pa ~/.ssh/id_rsa . Additionally, the system administrator may use this to generate host keys, 
@@ -216,7 +217,8 @@ should be placed to be activated. The options are as follows: .Bl -tag -width Ds .It Fl A -For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys +For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) +for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by @@ -249,6 +251,9 @@ flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. +ED25519 keys have a fixed length and the +.Fl b +flag will be ignored. .It Fl C Ar comment Provides a new comment. .It Fl c @@ -515,7 +520,8 @@ The possible values are .Dq rsa1 for protocol version 1 and .Dq dsa , -.Dq ecdsa +.Dq ecdsa , +.Dq ed25519 , or .Dq rsa for protocol version 2. @@ -795,8 +801,10 @@ There is no need to keep the contents of this file secret. .Pp .It Pa ~/.ssh/id_dsa .It Pa ~/.ssh/id_ecdsa +.It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_rsa -Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user. +Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA +authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be @@ -809,8 +817,10 @@ will read this file when a login attempt is made. .Pp .It Pa ~/.ssh/id_dsa.pub .It Pa ~/.ssh/id_ecdsa.pub +.It Pa ~/.ssh/id_ed25519.pub .It Pa ~/.ssh/id_rsa.pub -Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication. +Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA +public key for authentication. The contents of this file should be added to .Pa ~/.ssh/authorized_keys on all machines diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index 79dd6aa1..65ef43ef 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.32 2013/12/06 13:39:49 markus Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.33 2013/12/07 11:58:46 naddy Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -6,7 +6,7 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd $Mdocdate: December 6 2013 $ +.Dd $Mdocdate: December 7 2013 $ .Dt SSH-KEYSCAN 1 .Os .Sh NAME @@ -89,7 +89,8 @@ The possible values are .Dq rsa1 for protocol version 1 and .Dq dsa , -.Dq ecdsa +.Dq ecdsa , +.Dq ed25519 , or .Dq rsa for protocol version 2. diff --git a/ssh-keysign.8 b/ssh-keysign.8 index 5e0b2d23..69d08295 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.13 2013/07/16 00:07:52 schwarze Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.14 2013/12/07 11:58:46 naddy Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 16 2013 $ +.Dd $Mdocdate: December 7 2013 $ .Dt SSH-KEYSIGN 8 .Os .Sh NAME @@ -63,6 +63,7 @@ is enabled. .Pp .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key +.It Pa /etc/ssh/ssh_host_ed25519_key .It Pa /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys used to generate the digital signature. @@ -74,6 +75,7 @@ must be set-uid root if host-based authentication is used. .Pp .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub +.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub If these files exist they are assumed to contain public certificate information corresponding with the private keys above. diff --git a/ssh.1 b/ssh.1 index fc56997f..27794e2d 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.342 2013/11/26 12:14:54 jmc Exp $ -.Dd $Mdocdate: November 26 2013 $ +.\" $OpenBSD: ssh.1,v 1.343 2013/12/07 11:58:46 naddy Exp $ +.Dd $Mdocdate: December 7 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -279,7 +279,8 @@ The default is .Pa ~/.ssh/identity for protocol version 1, and .Pa ~/.ssh/id_dsa , -.Pa ~/.ssh/id_ecdsa +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/id_rsa for protocol version 2. @@ -757,7 +758,7 @@ key pair for authentication purposes. The server knows the public key, and only the user knows the private key. .Nm implements public key authentication protocol automatically, -using one of the DSA, ECDSA or RSA algorithms. +using one of the DSA, ECDSA, ED25519 or RSA algorithms. Protocol 1 is restricted to using only RSA keys, but protocol 2 may use any. The HISTORY section of @@ -784,6 +785,8 @@ This stores the private key in (protocol 2 DSA), .Pa ~/.ssh/id_ecdsa (protocol 2 ECDSA), +.Pa ~/.ssh/id_ed25519 +(protocol 2 ED25519), or .Pa ~/.ssh/id_rsa (protocol 2 RSA) @@ -794,6 +797,8 @@ and stores the public key in (protocol 2 DSA), .Pa ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), +.Pa ~/.ssh/id_ed25519.pub +(protocol 2 ED25519), or .Pa ~/.ssh/id_rsa.pub (protocol 2 RSA) @@ -1333,8 +1338,8 @@ secret, but the recommended permissions are read/write/execute for the user, and not accessible by others. .Pp .It Pa ~/.ssh/authorized_keys -Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in as -this user. +Lists the public keys (DSA, ECDSA, ED25519, RSA) +that can be used for logging in as this user. The format of this file is described in the .Xr sshd 8 manual page. 
@@ -1356,6 +1361,7 @@ above. .It Pa ~/.ssh/identity .It Pa ~/.ssh/id_dsa .It Pa ~/.ssh/id_ecdsa +.It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_rsa Contains the private key for authentication. These files @@ -1370,6 +1376,7 @@ sensitive part of this file using 3DES. .It Pa ~/.ssh/identity.pub .It Pa ~/.ssh/id_dsa.pub .It Pa ~/.ssh/id_ecdsa.pub +.It Pa ~/.ssh/id_ed25519.pub .It Pa ~/.ssh/id_rsa.pub Contains the public key for authentication. These files are not @@ -1409,6 +1416,7 @@ The file format and configuration options are described in .It Pa /etc/ssh/ssh_host_key .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key +.It Pa /etc/ssh/ssh_host_ed25519_key .It Pa /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys and are used for host-based authentication. diff --git a/ssh_config.5 b/ssh_config.5 index 43455342..7b2fdacb 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.182 2013/12/06 13:39:49 markus Exp $ -.Dd $Mdocdate: December 6 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.183 2013/12/07 11:58:46 naddy Exp $ +.Dd $Mdocdate: December 7 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -718,6 +718,7 @@ The default for this option is: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, +ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 
@@ -763,13 +764,14 @@ offers many different identities. The default is .Dq no . .It Cm IdentityFile -Specifies a file from which the user's DSA, ECDSA or RSA authentication +Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication identity is read. The default is .Pa ~/.ssh/identity for protocol version 1, and .Pa ~/.ssh/id_dsa , -.Pa ~/.ssh/id_ecdsa +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/id_rsa for protocol version 2. diff --git a/sshd.8 b/sshd.8 index 62615bf6..e6a900b0 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.272 2013/12/06 15:29:07 jmc Exp $ -.Dd $Mdocdate: December 6 2013 $ +.\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $ +.Dd $Mdocdate: December 7 2013 $ .Dt SSHD 8 .Os .Sh NAME @@ -175,7 +175,8 @@ The default is .Pa /etc/ssh/ssh_host_key for protocol version 1, and .Pa /etc/ssh/ssh_host_dsa_key , -.Pa /etc/ssh/ssh_host_ecdsa_key +.Pa /etc/ssh/ssh_host_ecdsa_key . +.Pa /etc/ssh/ssh_host_ed25519_key and .Pa /etc/ssh/ssh_host_rsa_key for protocol version 2. @@ -280,7 +281,7 @@ though this can be changed via the .Cm Protocol option in .Xr sshd_config 5 . -Protocol 2 supports DSA, ECDSA and RSA keys; +Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys; protocol 1 only supports RSA keys. For both protocols, each host has a host-specific key, @@ -507,6 +508,7 @@ You don't want to type them in; instead, copy the .Pa identity.pub , .Pa id_dsa.pub , .Pa id_ecdsa.pub , +.Pa id_ed25519.pub , or the .Pa id_rsa.pub file and edit it. 
@@ -806,8 +808,8 @@ secret, but the recommended permissions are read/write/execute for the user, and not accessible by others. .Pp .It Pa ~/.ssh/authorized_keys -Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in -as this user. +Lists the public keys (DSA, ECDSA, ED25519, RSA) +that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. @@ -887,6 +889,7 @@ rlogin/rsh. .It Pa /etc/ssh/ssh_host_key .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key +.It Pa /etc/ssh/ssh_host_ed25519_key .It Pa /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not @@ -898,6 +901,7 @@ does not start if these files are group/world-accessible. .It Pa /etc/ssh/ssh_host_key.pub .It Pa /etc/ssh/ssh_host_dsa_key.pub .It Pa /etc/ssh/ssh_host_ecdsa_key.pub +.It Pa /etc/ssh/ssh_host_ed25519_key.pub .It Pa /etc/ssh/ssh_host_rsa_key.pub These files contain the public parts of the host keys. These files should be world-readable but writable only by diff --git a/sshd_config.5 b/sshd_config.5 index 0418c86e..0ae1740b 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.168 2013/11/21 08:05:09 jmc Exp $ -.Dd $Mdocdate: November 21 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.169 2013/12/07 11:58:46 naddy Exp $ +.Dd $Mdocdate: December 7 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -540,7 +540,8 @@ The default is .Pa /etc/ssh/ssh_host_key for protocol version 1, and .Pa /etc/ssh/ssh_host_dsa_key , -.Pa /etc/ssh/ssh_host_ecdsa_key +.Pa /etc/ssh/ssh_host_ecdsa_key , +.Pa /etc/ssh/ssh_host_ed25519_key and .Pa /etc/ssh/ssh_host_rsa_key for protocol version 2. @@ -551,7 +552,8 @@ It is possible to have multiple host key files. .Dq rsa1 keys are used for version 1 and .Dq dsa , -.Dq ecdsa +.Dq ecdsa , +.Dq ed25519 or .Dq rsa are used for version 2 of the SSH protocol. -- cgit v1.2.1 From 231a41175f11d03bc3baa1f1fcc275352adc0553 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 18 Dec 2013 06:47:02 +0000 Subject: - dtucker@cvs.openbsd.org 2013/12/08 09:53:27 [sshd_config.5] Use a literal for the default value of KEXAlgorithms. ok deraadt jmc --- ChangeLog | 3 +++ sshd_config.5 | 20 ++++++++++---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index c162b7f5..dd31fd63 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1] [ssh_config.5 sshd.8 sshd_config.5] add missing mentions of ed25519; ok djm@ + - dtucker@cvs.openbsd.org 2013/12/08 09:53:27 + [sshd_config.5] + Use a literal for the default value of KEXAlgorithms. ok deraadt jmc 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna diff --git a/sshd_config.5 b/sshd_config.5 index 0ae1740b..3b21ea6e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.169 2013/12/07 11:58:46 naddy Exp $ -.Dd $Mdocdate: December 7 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.170 2013/12/08 09:53:27 dtucker Exp $ +.Dd $Mdocdate: December 8 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -662,14 +662,14 @@ The default is Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is -.Dq curve25519-sha256@libssh.org , -.Dq ecdh-sha2-nistp256 , -.Dq ecdh-sha2-nistp384 , -.Dq ecdh-sha2-nistp521 , -.Dq diffie-hellman-group-exchange-sha256 , -.Dq diffie-hellman-group-exchange-sha1 , -.Dq diffie-hellman-group14-sha1 , -.Dq diffie-hellman-group1-sha1 . +.Bd -literal -offset indent +curve25519-sha256@libssh.org, +ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +diffie-hellman-group-exchange-sha256, +diffie-hellman-group-exchange-sha1, +diffie-hellman-group14-sha1, +diffie-hellman-group1-sha1 +.Ed .It Cm KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). -- cgit v1.2.1 From 2b38b8933da69cc7fc375668440a6383f8573d3a Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 18 Dec 2013 06:48:11 +0000 Subject: - markus@cvs.openbsd.org 2013/12/09 11:03:45 [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Add Authors for the public domain ed25519/nacl code. see also http://nacl.cr.yp.to/features.html All of the NaCl software is in the public domain. and http://ed25519.cr.yp.to/software.html The Ed25519 software is in the public domain. --- ChangeLog | 8 ++++++++ blocks.c | 7 +++++-- ed25519.c | 8 ++++++-- fe25519.c | 8 ++++++-- fe25519.h | 8 ++++++-- ge25519.c | 8 ++++++-- ge25519.h | 8 ++++++-- ge25519_base.data | 8 ++++++-- hash.c | 4 ++-- sc25519.c | 8 ++++++-- sc25519.h | 8 ++++++-- verify.c | 7 +++++-- 12 files changed, 68 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index dd31fd63..a9705ad5 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -10,6 +10,14 @@ - dtucker@cvs.openbsd.org 2013/12/08 09:53:27 [sshd_config.5] Use a literal for the default value of KEXAlgorithms. ok deraadt jmc + - markus@cvs.openbsd.org 2013/12/09 11:03:45 + [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] + [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] + Add Authors for the public domain ed25519/nacl code. + see also http://nacl.cr.yp.to/features.html + All of the NaCl software is in the public domain. + and http://ed25519.cr.yp.to/software.html + The Ed25519 software is in the public domain. 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna diff --git a/blocks.c b/blocks.c index 8e698c4a..ba569b00 100644 --- a/blocks.c +++ b/blocks.c @@ -1,6 +1,9 @@ -/* $OpenBSD: blocks.c,v 1.2 2013/12/07 00:26:37 djm Exp $ */ +/* $OpenBSD: blocks.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */ -/* Public Domain, from supercop-20130419/crypto_hashblocks/sha512/ref/blocks.c */ +/* + * Public Domain, Author: Daniel J. Bernstein + * Copied from nacl-20110221/crypto_hashblocks/sha512/ref/blocks.c + */ #include "crypto_api.h" diff --git a/ed25519.c b/ed25519.c index 9c9879c0..767ec24d 100644 --- a/ed25519.c +++ b/ed25519.c @@ -1,6 +1,10 @@ -/* $OpenBSD: ed25519.c,v 1.2 2013/12/07 00:26:37 djm Exp $ */ +/* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */ -/* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c */ +/* + * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange, + * Peter Schwabe, Bo-Yin Yang. + * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c + */ #include "includes.h" #include "crypto_api.h" diff --git a/fe25519.c b/fe25519.c index 3a9181ba..2f368ebe 100644 --- a/fe25519.c +++ b/fe25519.c 
@@ -1,6 +1,10 @@ -/* $OpenBSD: fe25519.c,v 1.2 2013/12/07 00:26:37 djm Exp $ */ +/* $OpenBSD: fe25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */ -/* Public Domain, from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c */ +/* + * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange, + * Peter Schwabe, Bo-Yin Yang. + * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c + */ #define WINDOWSIZE 1 /* Should be 1,2, or 4 */ #define WINDOWMASK ((1< Date: Wed, 18 Dec 2013 06:48:32 +0000 Subject: - markus@cvs.openbsd.org 2013/12/09 11:08:17 [crypto_api.h] remove unused defines --- ChangeLog | 3 +++ crypto_api.h | 6 +----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index a9705ad5..c019c0e8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ All of the NaCl software is in the public domain. and http://ed25519.cr.yp.to/software.html The Ed25519 software is in the public domain. + - markus@cvs.openbsd.org 2013/12/09 11:08:17 + [crypto_api.h] + remove unused defines 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna diff --git a/crypto_api.h b/crypto_api.h index 633463dc..88668451 100644 --- a/crypto_api.h +++ b/crypto_api.h @@ -1,4 +1,4 @@ -/* $OpenBSD: crypto_api.h,v 1.1 2013/12/06 13:39:49 markus Exp $ */ +/* $OpenBSD: crypto_api.h,v 1.2 2013/12/09 11:08:17 markus Exp $ */ /* Placed in the public domain. */ @@ -26,10 +26,6 @@ int crypto_hash_sha512(unsigned char *, const unsigned char *, int crypto_verify_32(const unsigned char *, const unsigned char *); -#define crypto_sign_BYTES crypto_sign_ed25519_BYTES -#define crypto_sign_PUBLICKEYBYTES crypto_sign_ed25519_PUBLICKEYBYTES -#define crypto_sign_SECRETKEYBYTES crypto_sign_ed25519_SECRETKEYBYTES - #define crypto_sign_ed25519_SECRETKEYBYTES 64U #define crypto_sign_ed25519_PUBLICKEYBYTES 32U #define crypto_sign_ed25519_BYTES 64U -- cgit v1.2.1 From f0c97ca41088f978f19d9a100b3bbf86c52876fe Mon Sep 17 00:00:00 2001 
From: djm Date: Wed, 18 Dec 2013 06:49:48 +0000 Subject: - pascal@cvs.openbsd.org 2013/12/15 18:17:26 [ssh-add.c] Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page. ok markus@ --- ChangeLog | 4 ++++ ssh-add.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c019c0e8..29555355 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,10 @@ - markus@cvs.openbsd.org 2013/12/09 11:08:17 [crypto_api.h] remove unused defines + - pascal@cvs.openbsd.org 2013/12/15 18:17:26 + [ssh-add.c] + Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page. + ok markus@ 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna diff --git a/ssh-add.c b/ssh-add.c index 5e8166f6..89658448 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.106 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.107 2013/12/15 18:17:26 pascal Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -73,6 +73,7 @@ static char *default_files[] = { #ifdef OPENSSL_HAS_ECC _PATH_SSH_CLIENT_ID_ECDSA, #endif + _PATH_SSH_CLIENT_ID_ED25519, _PATH_SSH_CLIENT_IDENTITY, NULL }; -- cgit v1.2.1 From 0cfd6afb41784fb254caf5b428c8db27da4fa72e Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 18 Dec 2013 06:50:13 +0000 Subject: - djm@cvs.openbsd.org 2013/12/15 21:42:35 [cipher-chachapoly.c] add some comments and constify a constant --- ChangeLog | 3 +++ cipher-chachapoly.c | 20 ++++++++++---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 29555355..a473122f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,9 @@ [ssh-add.c] Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page. ok markus@ + - djm@cvs.openbsd.org 2013/12/15 21:42:35 + [cipher-chachapoly.c] + add some comments and constify a constant 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna 
diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c index 20628ab5..91b0830f 100644 --- a/cipher-chachapoly.c +++ b/cipher-chachapoly.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: cipher-chachapoly.c,v 1.2 2013/11/21 02:50:00 djm Exp $ */ +/* $OpenBSD: cipher-chachapoly.c,v 1.3 2013/12/15 21:42:35 djm Exp $ */ #include "includes.h" @@ -38,20 +38,19 @@ void chachapoly_init(struct chachapoly_ctx *ctx, /* * chachapoly_crypt() operates as following: - * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'. - * Theses bytes are treated as additional authenticated data. - * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. - * Use POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the - * authentication tag. - * This tag is written on encryption and verified on decryption. - * Both 'aadlen' and 'authlen' can be set to 0. + * En/decrypt with header key 'aadlen' bytes from 'src', storing result + * to 'dest'. The ciphertext here is treated as additional authenticated + * data for MAC calculation. + * En/decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. Use + * POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the authentication + * tag. This tag is written on encryption and verified on decryption. */ int chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt) { u_char seqbuf[8]; - u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB. little-endian */ + const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */ u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; int r = -1; @@ -76,7 +75,7 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, goto out; } /* Crypt additional data */ - if (aadlen) { + if (aadlen) { chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen); } 
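Review bot: The rewritten header comment on chachapoly_crypt() no longer mentions the `authlen` parameter the signature still takes, whereas the old text at least recorded that it could be 0. Add one line to the comment, e.g. `* 'authlen' is the size of the tag area the caller reserved after the payload.`, and state how a value other than POLY1305_TAGLEN is treated once that is confirmed against the body, which lies outside this hunk. Dropping the old "can be set to 0" sentence without a replacement leaves callers guessing whether aadlen/authlen of zero is still supported.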
@@ -97,6 +96,7 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, return r; } +/* Decrypt and extract the encrypted packet length */ int chachapoly_get_length(struct chachapoly_ctx *ctx, u_int *plenp, u_int seqnr, const u_char *cp, u_int len) -- cgit v1.2.1 From 1bb38775e8b33a3e1294ce356b7b752318d94c6b Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 18 Dec 2013 06:50:39 +0000 Subject: - markus@cvs.openbsd.org 2013/12/17 10:36:38 [crypto_api.h] I've assempled the header file by cut&pasting from generated headers and the source files. --- ChangeLog | 4 ++++ crypto_api.h | 7 +++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index a473122f..a8d892f6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,10 @@ - djm@cvs.openbsd.org 2013/12/15 21:42:35 [cipher-chachapoly.c] add some comments and constify a constant + - markus@cvs.openbsd.org 2013/12/17 10:36:38 + [crypto_api.h] + I've assempled the header file by cut&pasting from generated headers + and the source files. 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna diff --git a/crypto_api.h b/crypto_api.h index 88668451..580ba79b 100644 --- a/crypto_api.h +++ b/crypto_api.h @@ -1,6 +1,9 @@ -/* $OpenBSD: crypto_api.h,v 1.2 2013/12/09 11:08:17 markus Exp $ */ +/* $OpenBSD: crypto_api.h,v 1.3 2013/12/17 10:36:38 markus Exp $ */ -/* Placed in the public domain. */ +/* + * Assembled from generated headers and source files by Markus Friedl. + * Placed in the public domain. + */ #ifndef crypto_api_h #define crypto_api_h -- cgit v1.2.1 From a5380e76e41bcc273488c68af1e5e3148e9ff494 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 19 Dec 2013 00:00:12 +0000 Subject: - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions greater than 11 either rather than just 11. Patch from Tomas Kuthan. --- ChangeLog | 4 ++++ configure.ac | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index a8d892f6..092344a4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20131219 + - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions + greater than 11 either rather than just 11. Patch from Tomas Kuthan. + 20131218 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/12/07 08:08:26 diff --git a/configure.ac b/configure.ac index c8d4bfc6..d37a211e 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.546 2013/12/07 00:51:51 djm Exp $ +# $Id: configure.ac,v 1.547 2013/12/19 00:00:12 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.546 $) +AC_REVISION($Revision: 1.547 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1501,7 +1501,7 @@ AC_ARG_WITH([audit], # These are optional AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) - if test "$sol2ver" -eq 11; then + if test "$sol2ver" -ge 11; then SSHDLIBS="$SSHDLIBS -lscf" AC_DEFINE([BROKEN_BSM_API], [1], [The system has incomplete BSM API]) -- cgit v1.2.1 From d411b99833606a9551e8f48b1f75df4fc1e95d2e Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 19 Dec 2013 00:31:44 +0000 Subject: - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item(). Patch from Loganaden Velvindron. --- ChangeLog | 2 ++ auth-pam.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 092344a4..3b64040c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20131219 - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions greater than 11 either rather than just 11. Patch from Tomas Kuthan. + - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item(). + Patch from Loganaden Velvindron. 20131218 - (djm) OpenBSD CVS Sync 
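Review bot: The new `test "$sol2ver" -ge 11` still assumes `$sol2ver` holds an integer; where it is assigned is outside this hunk, and if it is empty on a non-Solaris host that reaches the bsm branch, `test` aborts with "integer expression expected" (the same weakness the old `-eq` had). Guarding it, `if test -n "$sol2ver" && test "$sol2ver" -ge 11; then`, keeps the BROKEN_BSM_API workaround and the `-lscf` link Solaris-only without relying on the variable being initialised.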
diff --git a/auth-pam.c b/auth-pam.c index d51318b3..d789bad7 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -438,8 +438,10 @@ sshpam_thread(void *ctxtp) const char **ptr_pam_user = &pam_user; char *tz = getenv("TZ"); - pam_get_item(sshpam_handle, PAM_USER, + sshpam_err = pam_get_item(sshpam_handle, PAM_USER, (sshpam_const void **)ptr_pam_user); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; environ[0] = NULL; if (tz != NULL) -- cgit v1.2.1 From 020e92473bae29d7c205baacecb57ae25c89d842 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 21 Dec 2013 06:02:39 +0000 Subject: 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. --- ChangeLog | 3 +++ regress/keytype.sh | 8 +++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3b64040c..017c05a7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20131221 + - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. + 20131219 - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions greater than 11 either rather than just 11. Patch from Tomas Kuthan. diff --git a/regress/keytype.sh b/regress/keytype.sh index 2c57ec6b..9752acb0 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -11,12 +11,14 @@ fi cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak +# Traditional and builtin key types. ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512" +# Types not present in all OpenSSL versions. for i in `$SSH -Q key`; do case "$i" in - ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;; - ecdsa-sha2-nistp384) ktype="$ktype ecdsa-384" ;; - ecdsa-sha2-nistp521) ktype="$ktype ecdsa-521" ;; + ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; + ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; + ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; esac done -- cgit v1.2.1 From 81ddf844dfbfca20cf84ade0f657dbae1d1faa51 Mon Sep 17 00:00:00 2001 
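Review bot: The added check rejects a failing pam_get_item() but not the case where it returns PAM_SUCCESS with `pam_user` left NULL (PAM_USER may simply be unset); if the code below the hunk uses `pam_user` as a string, that path still dereferences NULL. Extend the guard to `if (sshpam_err != PAM_SUCCESS || pam_user == NULL) goto auth_fail;` and, in the NULL case, assign `sshpam_err` a non-success code first so that whatever auth_fail reports does not describe a PAM_SUCCESS. sshpam_thread() and the auth_fail label both lie outside this hunk, so the consumer of `pam_user` cannot be confirmed from here.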
From: djm Date: Sun, 29 Dec 2013 06:40:18 +0000 Subject: - (djm) [loginrec.c] Check for username truncation when looking up lastlog entries --- ChangeLog | 4 ++++ loginrec.c | 10 ++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 017c05a7..b8108d92 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20131229 + - (djm) [loginrec.c] Check for username truncation when looking up lastlog + entries + 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/loginrec.c b/loginrec.c index 59e8a44e..8844db54 100644 --- a/loginrec.c +++ b/loginrec.c @@ -310,9 +310,12 @@ login_get_lastlog(struct logininfo *li, const uid_t uid) fatal("%s: Cannot find account for uid %ld", __func__, (long)uid); - /* No MIN_SIZEOF here - we absolutely *must not* truncate the - * username (XXX - so check for trunc!) */ - strlcpy(li->username, pw->pw_name, sizeof(li->username)); + if (strlcpy(li->username, pw->pw_name, sizeof(li->username)) >= + sizeof(li->username)) { + error("%s: username too long (%lu > max %lu)", __func__, + strlen(pw->pw_name), sizeof(li->username) - 1); + return NULL; + } if (getlast_entry(li)) return (li); @@ -320,7 +323,6 @@ login_get_lastlog(struct logininfo *li, const uid_t uid) return (NULL); } - /* * login_alloc_entry(int, char*, char*, char*) - Allocate and initialise * a logininfo structure -- cgit v1.2.1 From dfdcb80ac03179eb29438f09d941aaedd0e14ace Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:44:07 +0000 Subject: - djm@cvs.openbsd.org 2013/12/19 00:10:30 [ssh-add.c] skip requesting smartcard PIN when removing keys from agent; bz#2187 patch from jay AT slushpupie.com; ok dtucker --- ChangeLog | 5 +++++ ssh-add.c | 15 +++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index b8108d92..32ec354e 100644 --- a/ChangeLog +++ b/ChangeLog 
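Review bot: The new error() in login_get_lastlog() prints two size_t values with `%lu`, which only matches where size_t is unsigned long; this tree's usual idiom is an explicit cast, i.e. `error("%s: username too long (%lu > max %lu)", __func__, (u_long)strlen(pw->pw_name), (u_long)sizeof(li->username) - 1);`. The truncation test itself is right: strlcpy() returns the full source length, so `>= sizeof(li->username)` is exactly the truncated case. The function begins before this hunk.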
@@ -1,6 +1,11 @@ 20131229 - (djm) [loginrec.c] Check for username truncation when looking up lastlog entries + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/19 00:10:30 + [ssh-add.c] + skip requesting smartcard PIN when removing keys from agent; bz#2187 + patch from jay AT slushpupie.com; ok dtucker 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/ssh-add.c b/ssh-add.c index 89658448..63ce7208 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.107 2013/12/15 18:17:26 pascal Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.108 2013/12/19 00:10:30 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -293,14 +293,17 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) static int update_card(AuthenticationConnection *ac, int add, const char *id) { - char *pin; + char *pin = NULL; int ret = -1; - pin = read_passphrase("Enter passphrase for PKCS#11: ", RP_ALLOW_STDIN); - if (pin == NULL) - return -1; + if (add) { + if ((pin = read_passphrase("Enter passphrase for PKCS#11: ", + RP_ALLOW_STDIN)) == NULL) + return -1; + } - if (ssh_update_card(ac, add, id, pin, lifetime, confirm)) { + if (ssh_update_card(ac, add, id, pin == NULL ? "" : pin, + lifetime, confirm)) { fprintf(stderr, "Card %s: %s\n", add ? "added" : "removed", id); ret = 0; -- cgit v1.2.1 From a1eec160f1b1d24462e4b3f3aa8ccb5a2f26deeb Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:44:29 +0000 Subject: - dtucker@cvs.openbsd.org 2013/12/19 00:19:12 [serverloop.c] Cast client_alive_interval to u_int64_t before assinging to max_time_milliseconds to avoid potential integer overflow in the timeout. bz#2170, patch from Loganaden Velvindron, ok djm@ --- ChangeLog | 5 +++++ serverloop.c | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 32ec354e..041cfe83 100644 --- a/ChangeLog +++ b/ChangeLog 
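Review bot: In update_card() the PIN read for the add case is a sensitive string in heap memory, and the hunk leaves its release to the tail of the function, outside this hunk; if that tail is still a plain `free(pin)`, clear it first the way add_file() treats passphrases: `if (pin != NULL) { memset(pin, 0, strlen(pin)); free(pin); }`. Passing `""` on removal is safe since the literal is never freed and `free(NULL)` is a no-op, but a short comment on that line, `/* removal does not need the PIN */`, would save the next reader the trip to the commit message.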
@@ -6,6 +6,11 @@ [ssh-add.c] skip requesting smartcard PIN when removing keys from agent; bz#2187 patch from jay AT slushpupie.com; ok dtucker + - dtucker@cvs.openbsd.org 2013/12/19 00:19:12 + [serverloop.c] + Cast client_alive_interval to u_int64_t before assinging to + max_time_milliseconds to avoid potential integer overflow in the timeout. + bz#2170, patch from Loganaden Velvindron, ok djm@ 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/serverloop.c b/serverloop.c index ccbad617..5b2f8028 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.168 2013/07/12 00:19:59 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.169 2013/12/19 00:19:12 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -304,7 +304,8 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, if (compat20 && max_time_milliseconds == 0 && options.client_alive_interval) { client_alive_scheduled = 1; - max_time_milliseconds = options.client_alive_interval * 1000; + max_time_milliseconds = + (u_int64_t)options.client_alive_interval * 1000; } if (compat20) { -- cgit v1.2.1 From 7316cf1da8c0b5a069c0572567b0dfc7a8b05c82 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:44:56 +0000 Subject: - djm@cvs.openbsd.org 2013/12/19 00:27:57 [auth-options.c] simplify freeing of source-address certificate restriction --- ChangeLog | 3 +++ auth-options.c | 20 ++++++++------------ 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 041cfe83..a3689a4a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -11,6 +11,9 @@ Cast client_alive_interval to u_int64_t before assinging to max_time_milliseconds to avoid potential integer overflow in the timeout. bz#2170, patch from Loganaden Velvindron, ok djm@ + - djm@cvs.openbsd.org 2013/12/19 00:27:57 + [auth-options.c] + simplify freeing of source-address certificate restriction 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/auth-options.c b/auth-options.c index 80d59ee9..fa209eaa 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.62 2013/12/19 00:27:57 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -33,10 +33,6 @@ #include "auth-options.h" #include "hostfile.h" #include "auth.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" /* Flags set authorized_keys flags */ int no_port_forwarding_flag = 0; @@ -239,7 +235,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) auth_debug_add("Adding to environment: %.900s", s); debug("Adding to environment: %.900s", s); opts++; - new_envstring = xmalloc(sizeof(struct envstring)); + new_envstring = xcalloc(1, sizeof(struct envstring)); new_envstring->s = s; new_envstring->next = custom_environment; custom_environment = new_envstring; @@ -436,7 +432,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, u_char *data_blob = NULL; u_int nlen, dlen, clen; Buffer c, data; - int ret = -1, found; + int ret = -1, result, found; buffer_init(&data); @@ -505,11 +501,12 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, goto out; } remote_ip = get_remote_ipaddr(); - switch (addr_match_cidr_list(remote_ip, - allowed)) { + result = addr_match_cidr_list(remote_ip, + allowed); + free(allowed); + switch (result) { case 1: /* accepted */ - free(allowed); break; case 0: /* no match */ 
@@ -522,12 +519,11 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, "is not permitted to use this " "certificate for login.", remote_ip); - free(allowed); goto out; case -1: + default: error("Certificate source-address " "contents invalid"); - free(allowed); goto out; } found = 1; -- cgit v1.2.1 From d9e076bf29c922757f627cb0dca4bf25dd62f549 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:45:26 +0000 Subject: - djm@cvs.openbsd.org 2013/12/19 01:04:36 [channels.c] bz#2147: fix multiple remote forwardings with dynamically assigned listen ports. In the s->c message to open the channel we were sending zero (the magic number to request a dynamic port) instead of the actual listen port. The client therefore had no way of discriminating between them. Diagnosis and fix by ronf AT timeheart.net --- ChangeLog | 9 +++++++++ channels.c | 13 ++++++++----- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index a3689a4a..c22c8b4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,15 @@ - djm@cvs.openbsd.org 2013/12/19 00:27:57 [auth-options.c] simplify freeing of source-address certificate restriction + - djm@cvs.openbsd.org 2013/12/19 01:04:36 + [channels.c] + bz#2147: fix multiple remote forwardings with dynamically assigned + listen ports. In the s->c message to open the channel we were sending + zero (the magic number to request a dynamic port) instead of the actual + listen port. The client therefore had no way of discriminating between + them. + + Diagnosis and fix by ronf AT timeheart.net 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/channels.c b/channels.c index d227379d..e741f29b 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.326 2013/09/19 01:24:46 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.328 2013/12/19 01:04:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -704,7 +704,7 @@ channel_register_status_confirm(int id, channel_confirm_cb *cb, if ((c = channel_lookup(id)) == NULL) fatal("channel_register_expect: %d: bad id", id); - cc = xmalloc(sizeof(*cc)); + cc = xcalloc(1, sizeof(*cc)); cc->cb = cb; cc->abandon_cb = abandon_cb; cc->ctx = ctx; @@ -1385,6 +1385,8 @@ port_open_helper(Channel *c, char *rtype) { int direct; char buf[1024]; + char *local_ipaddr = get_local_ipaddr(c->sock); + int local_port = get_sock_port(c->sock, 1); char *remote_ipaddr = get_peer_ipaddr(c->sock); int remote_port = get_peer_port(c->sock); @@ -1399,9 +1401,9 @@ port_open_helper(Channel *c, char *rtype) snprintf(buf, sizeof buf, "%s: listening port %d for %.100s port %d, " - "connect from %.200s port %d", + "connect from %.200s port %d to %.100s port %d", rtype, c->listening_port, c->path, c->host_port, - remote_ipaddr, remote_port); + remote_ipaddr, remote_port, local_ipaddr, local_port); free(c->remote_name); c->remote_name = xstrdup(buf); @@ -1419,7 +1421,7 @@ port_open_helper(Channel *c, char *rtype) } else { /* listen address, port */ packet_put_cstring(c->path); - packet_put_int(c->listening_port); + packet_put_int(local_port); } /* originator host and port */ packet_put_cstring(remote_ipaddr); @@ -1436,6 +1438,7 @@ port_open_helper(Channel *c, char *rtype) packet_send(); } free(remote_ipaddr); + free(local_ipaddr); } static void -- cgit v1.2.1 From 6a485e1059dabc0bb5a0403b43b786f4c9f1bdcb Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:45:51 +0000 Subject: - djm@cvs.openbsd.org 2013/12/19 01:19:41 [ssh-agent.c] bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com; ok dtucker --- ChangeLog | 5 +++++ ssh-agent.c | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c22c8b4d..604bbbb7 100644 --- a/ChangeLog +++ b/ChangeLog 
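Review bot: `packet_put_int(local_port)` now depends on get_sock_port() succeeding; if that helper signals a getsockname() failure by returning 0 (as its local path appears to, but it is outside this hunk), the s->c open message would again carry the ambiguous zero this change sets out to remove. A fallback such as `packet_put_int(local_port > 0 ? local_port : c->listening_port);` preserves the previous behaviour in the failure case. `local_ipaddr` and `local_port` are also computed for the `direct` branch, which previously used only the peer address; harmless, but a comment at the declarations noting that they feed both the log string and the forwarded-tcpip listen-address fields would make the dual use clear.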
@@ -23,6 +23,11 @@ them. Diagnosis and fix by ronf AT timeheart.net + - djm@cvs.openbsd.org 2013/12/19 01:19:41 + [ssh-agent.c] + bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent + that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com; + ok dtucker 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/ssh-agent.c b/ssh-agent.c index 8210a8e3..95117e07 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.180 2013/12/06 13:39:49 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.181 2013/12/19 01:19:41 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -660,6 +660,9 @@ process_remove_smartcard_key(SocketEntry *e) tab = idtab_lookup(version); for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) { nxt = TAILQ_NEXT(id, next); + /* Skip file--based keys */ + if (id->provider == NULL) + continue; if (!strcmp(provider, id->provider)) { TAILQ_REMOVE(&tab->idlist, id, next); free_identity(id); -- cgit v1.2.1 From cf195d599f001d7646ee9163dca0fe0c0dcbf3a2 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:46:49 +0000 Subject: - djm@cvs.openbsd.org 2013/12/19 22:57:13 [poly1305.c poly1305.h] use full name for author, with his permission --- ChangeLog | 3 +++ poly1305.c | 4 ++-- poly1305.h | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 604bbbb7..339140fe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,9 @@ bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com; ok dtucker + - djm@cvs.openbsd.org 2013/12/19 22:57:13 + [poly1305.c poly1305.h] + use full name for author, with his permission 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/poly1305.c b/poly1305.c index 059cc60f..a5eada49 100644 --- a/poly1305.c +++ b/poly1305.c 
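Review bot: The new comment `/* Skip file--based keys */` has a stray double hyphen; `/* Skip file-based keys (no PKCS#11 provider) */` also records why `provider == NULL` identifies them. The NULL check itself is the right fix: strcmp() on a NULL `id->provider` is the dereference the bug describes, and it is placed before the comparison with `nxt` already saved, so removal during iteration stays safe.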
@@ -1,9 +1,9 @@ /* - * Public Domain poly1305 from Andrew M. + * Public Domain poly1305 from Andrew Moon * poly1305-donna-unrolled.c from https://github.com/floodyberry/poly1305-donna */ -/* $OpenBSD: poly1305.c,v 1.2 2013/11/21 02:50:00 djm Exp $ */ +/* $OpenBSD: poly1305.c,v 1.3 2013/12/19 22:57:13 djm Exp $ */ #include "includes.h" diff --git a/poly1305.h b/poly1305.h index a31fb742..221efc46 100644 --- a/poly1305.h +++ b/poly1305.h @@ -1,7 +1,7 @@ -/* $OpenBSD: poly1305.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */ +/* $OpenBSD: poly1305.h,v 1.2 2013/12/19 22:57:13 djm Exp $ */ /* - * Public Domain poly1305 from Andrew M. + * Public Domain poly1305 from Andrew Moon * poly1305-donna-unrolled.c from https://github.com/floodyberry/poly1305-donna */ -- cgit v1.2.1 From 95419abafabc61e5bdab085d0ecfaf245ce51fbc Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:47:14 +0000 Subject: - tedu@cvs.openbsd.org 2013/12/21 07:10:47 [ssh-keygen.1] small typo --- ChangeLog | 3 +++ ssh-keygen.1 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 339140fe..f3a72291 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,9 @@ - djm@cvs.openbsd.org 2013/12/19 22:57:13 [poly1305.c poly1305.h] use full name for author, with his permission + - tedu@cvs.openbsd.org 2013/12/21 07:10:47 + [ssh-keygen.1] + small typo 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 09e401bf..0e0ed989 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.118 2013/12/07 11:58:46 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.119 2013/12/21 07:10:47 tedu Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 7 2013 $ +.Dd $Mdocdate: December 21 2013 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -714,7 +714,7 @@ Please refer to those manual pages for details. .Nm is able to manage OpenSSH format Key Revocation Lists (KRLs). These binary files specify keys or certificates to be revoked using a -compact format, taking as little a one bit per certificate if they are being +compact format, taking as little as one bit per certificate if they are being revoked by serial number. .Pp KRLs may be generated using the -- cgit v1.2.1 From 268ff321121bda8f986f7de86f322410d4009e20 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:47:50 +0000 Subject: - djm@cvs.openbsd.org 2013/12/27 22:30:17 [ssh-dss.c ssh-ecdsa.c ssh-rsa.c] make the original RSA and DSA signing/verification code look more like the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type rather than tediously listing all variants, use __func__ for debug/ error messages --- ChangeLog | 6 ++++++ ssh-dss.c | 29 +++++++++++++++-------------- ssh-ecdsa.c | 12 +++++++----- ssh-rsa.c | 39 +++++++++++++++++++++------------------ 4 files changed, 49 insertions(+), 37 deletions(-) diff --git a/ChangeLog b/ChangeLog index f3a72291..442dec3e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,12 @@ - tedu@cvs.openbsd.org 2013/12/21 07:10:47 [ssh-keygen.1] small typo + - djm@cvs.openbsd.org 2013/12/27 22:30:17 + [ssh-dss.c ssh-ecdsa.c ssh-rsa.c] + make the original RSA and DSA signing/verification code look more like + the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type + rather than tediously listing all variants, use __func__ for debug/ + error messages 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/ssh-dss.c b/ssh-dss.c index 322ec9fd..a6292aa8 100644 --- a/ssh-dss.c 
+++ b/ssh-dss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.29 2013/12/27 22:30:17 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -53,11 +53,12 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, u_int rlen, slen, len, dlen; Buffer b; - if (key == NULL || key->dsa == NULL || (key->type != KEY_DSA && - key->type != KEY_DSA_CERT && key->type != KEY_DSA_CERT_V00)) { - error("ssh_dss_sign: no DSA key"); + if (key == NULL || key_type_plain(key->type) != KEY_DSA || + key->dsa == NULL) { + error("%s: no DSA key", __func__); return -1; } + EVP_DigestInit(&md, evp_md); EVP_DigestUpdate(&md, data, datalen); EVP_DigestFinal(&md, digest, &dlen); @@ -117,9 +118,9 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, int rlen, ret; Buffer b; - if (key == NULL || key->dsa == NULL || (key->type != KEY_DSA && - key->type != KEY_DSA_CERT && key->type != KEY_DSA_CERT_V00)) { - error("ssh_dss_verify: no DSA key"); + if (key == NULL || key_type_plain(key->type) != KEY_DSA || + key->dsa == NULL) { + error("%s: no DSA key", __func__); return -1; } @@ -135,7 +136,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, buffer_append(&b, signature, signaturelen); ktype = buffer_get_cstring(&b, NULL); if (strcmp("ssh-dss", ktype) != 0) { - error("ssh_dss_verify: cannot handle type %s", ktype); + error("%s: cannot handle type %s", __func__, ktype); buffer_free(&b); free(ktype); return -1; @@ -145,8 +146,8 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { - error("ssh_dss_verify: " - "remaining bytes in signature %d", rlen); + error("%s: remaining bytes in signature %d", + __func__, rlen); free(sigblob); return -1; } 
@@ -158,14 +159,14 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, /* parse signature */ if ((sig = DSA_SIG_new()) == NULL) - fatal("ssh_dss_verify: DSA_SIG_new failed"); + fatal("%s: DSA_SIG_new failed", __func__); if ((sig->r = BN_new()) == NULL) - fatal("ssh_dss_verify: BN_new failed"); + fatal("%s: BN_new failed", __func__); if ((sig->s = BN_new()) == NULL) fatal("ssh_dss_verify: BN_new failed"); if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) || (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) - fatal("ssh_dss_verify: BN_bin2bn failed"); + fatal("%s: BN_bin2bn failed", __func__); /* clean up */ memset(sigblob, 0, len); @@ -181,7 +182,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, DSA_SIG_free(sig); - debug("ssh_dss_verify: signature %s", + debug("%s: signature %s", __func__, ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error"); return ret; } diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 76633894..52f9e74c 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-ecdsa.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-ecdsa.c,v 1.7 2013/12/27 22:30:17 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -54,11 +54,12 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, u_int len, dlen; Buffer b, bb; - if (key == NULL || key->ecdsa == NULL || - (key->type != KEY_ECDSA && key->type != KEY_ECDSA_CERT)) { + if (key == NULL || key_type_plain(key->type) != KEY_ECDSA || + key->ecdsa == NULL) { error("%s: no ECDSA key", __func__); return -1; } + evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid); EVP_DigestInit(&md, evp_md); EVP_DigestUpdate(&md, data, datalen); 
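Review bot: The conversion to `__func__` is incomplete in ssh_dss_verify(): the fatal() for the second BN_new(), the `sig->s` allocation, still reads `fatal("ssh_dss_verify: BN_new failed");` while the calls on either side were changed. Make it `fatal("%s: BN_new failed", __func__);` so all four failure messages in this block are consistent. The function begins before this hunk.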
@@ -105,11 +106,12 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, Buffer b, bb; char *ktype; - if (key == NULL || key->ecdsa == NULL || - (key->type != KEY_ECDSA && key->type != KEY_ECDSA_CERT)) { + if (key == NULL || key_type_plain(key->type) != KEY_ECDSA || + key->ecdsa == NULL) { error("%s: no ECDSA key", __func__); return -1; } + evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid); /* fetch signature */ diff --git a/ssh-rsa.c b/ssh-rsa.c index 30f96abc..782c8557 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.46 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.47 2013/12/27 22:30:17 djm Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * @@ -47,14 +47,15 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, int ok, nid; Buffer b; - if (key == NULL || key->rsa == NULL || (key->type != KEY_RSA && - key->type != KEY_RSA_CERT && key->type != KEY_RSA_CERT_V00)) { - error("ssh_rsa_sign: no RSA key"); + if (key == NULL || key_type_plain(key->type) != KEY_RSA || + key->rsa == NULL) { + error("%s: no RSA key", __func__); return -1; } + nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { - error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid); + error("%s: EVP_get_digestbynid %d failed", __func__, nid); return -1; } EVP_DigestInit(&md, evp_md); @@ -70,7 +71,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, if (ok != 1) { int ecode = ERR_get_error(); - error("ssh_rsa_sign: RSA_sign failed: %s", + error("%s: RSA_sign failed: %s", __func__, ERR_error_string(ecode, NULL)); free(sig); return -1; @@ -81,7 +82,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, memmove(sig + diff, sig, len); memset(sig, 0, diff); } else if (len > slen) { - error("ssh_rsa_sign: slen %u slen2 %u", slen, len); + error("%s: slen %u slen2 %u", __func__, slen, len); free(sig); return -1; } 
@@ -115,21 +116,23 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, u_int len, dlen, modlen; int rlen, ret, nid; - if (key == NULL || key->rsa == NULL || (key->type != KEY_RSA && - key->type != KEY_RSA_CERT && key->type != KEY_RSA_CERT_V00)) { - error("ssh_rsa_verify: no RSA key"); + if (key == NULL || key_type_plain(key->type) != KEY_RSA || + key->rsa == NULL) { + error("%s: no RSA key", __func__); return -1; } + if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { - error("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits", - BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); + error("%s: RSA modulus too small: %d < minimum %d bits", + __func__, BN_num_bits(key->rsa->n), + SSH_RSA_MINIMUM_MODULUS_SIZE); return -1; } buffer_init(&b); buffer_append(&b, signature, signaturelen); ktype = buffer_get_cstring(&b, NULL); if (strcmp("ssh-rsa", ktype) != 0) { - error("ssh_rsa_verify: cannot handle type %s", ktype); + error("%s: cannot handle type %s", __func__, ktype); buffer_free(&b); free(ktype); return -1; @@ -139,19 +142,19 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { - error("ssh_rsa_verify: remaining bytes in signature %d", rlen); + error("%s: remaining bytes in signature %d", __func__, rlen); free(sigblob); return -1; } /* RSA_verify expects a signature of RSA_size */ modlen = RSA_size(key->rsa); if (len > modlen) { - error("ssh_rsa_verify: len %u > modlen %u", len, modlen); + error("%s: len %u > modlen %u", __func__, len, modlen); free(sigblob); return -1; } else if (len < modlen) { u_int diff = modlen - len; - debug("ssh_rsa_verify: add padding: modlen %u > len %u", + debug("%s: add padding: modlen %u > len %u", __func__, modlen, len); sigblob = xrealloc(sigblob, 1, modlen); memmove(sigblob + diff, sigblob, len); 
@@ -160,7 +163,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, } nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { - error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid); + error("%s: EVP_get_digestbynid %d failed", __func__, nid); free(sigblob); return -1; } @@ -172,7 +175,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, memset(digest, 'd', sizeof(digest)); memset(sigblob, 's', len); free(sigblob); - debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : ""); + debug("%s: signature %scorrect", __func__, (ret == 0) ? "in" : ""); return ret; } -- cgit v1.2.1 From be0ff5cf80166dac23fe4afdd110c1d060182a3b Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:48:15 +0000 Subject: - djm@cvs.openbsd.org 2013/12/27 22:37:18 [ssh-rsa.c] correct comment --- ChangeLog | 3 +++ ssh-rsa.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 442dec3e..fe048ae5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type rather than tediously listing all variants, use __func__ for debug/ error messages + - djm@cvs.openbsd.org 2013/12/27 22:37:18 + [ssh-rsa.c] + correct comment 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/ssh-rsa.c b/ssh-rsa.c index 782c8557..6e28bb4a 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.47 2013/12/27 22:30:17 djm Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.48 2013/12/27 22:37:18 djm Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * 
@@ -202,8 +202,8 @@ static const u_char id_sha1[] = { */ static const u_char id_md5[] = { 0x30, 0x20, /* type Sequence, length 0x20 (32) */ - 0x30, 0x0c, /* type Sequence, length 0x09 */ - 0x06, 0x08, /* type OID, length 0x05 */ + 0x30, 0x0c, /* type Sequence, length 0x0c (12) */ + 0x06, 0x08, /* type OID, length 0x08 */ 0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */ 0x05, 0x00, /* NULL */ 0x04, 0x10 /* Octet string, length 0x10 (16), followed by md5 hash */ -- cgit v1.2.1 From 9d7a9a09f63a97b61d6db7c13af0afac2eb4479a Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:48:38 +0000 Subject: - djm@cvs.openbsd.org 2013/12/29 02:28:10 [key.c] allow ed25519 keys to appear as certificate authorities --- ChangeLog | 3 +++ key.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index fe048ae5..3a541c8e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ - djm@cvs.openbsd.org 2013/12/27 22:37:18 [ssh-rsa.c] correct comment + - djm@cvs.openbsd.org 2013/12/29 02:28:10 + [key.c] + allow ed25519 keys to appear as certificate authorities 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/key.c b/key.c index 814f9a00..ec40cb15 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.110 2013/12/07 00:19:15 djm Exp $ */ +/* $OpenBSD: key.c,v 1.111 2013/12/29 02:28:10 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1481,7 +1481,8 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) } if (key->cert->signature_key->type != KEY_RSA && key->cert->signature_key->type != KEY_DSA && - key->cert->signature_key->type != KEY_ECDSA) { + key->cert->signature_key->type != KEY_ECDSA && + key->cert->signature_key->type != KEY_ED25519) { error("%s: Invalid signature key type %s (%d)", __func__, key_type(key->cert->signature_key), key->cert->signature_key->type); -- cgit v1.2.1 
From c578d338bb121f65c252eb77cf1773bc77b75c33 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:48:55 +0000 Subject: - djm@cvs.openbsd.org 2013/12/29 02:37:04 [key.c] correct comment for key_to_certified() --- ChangeLog | 3 +++ key.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3a541c8e..8aef749a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,9 @@ - djm@cvs.openbsd.org 2013/12/29 02:28:10 [key.c] allow ed25519 keys to appear as certificate authorities + - djm@cvs.openbsd.org 2013/12/29 02:37:04 + [key.c] + correct comment for key_to_certified() 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/key.c b/key.c index ec40cb15..10a48fa6 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.111 2013/12/29 02:28:10 djm Exp $ */ +/* $OpenBSD: key.c,v 1.112 2013/12/29 02:37:04 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1914,7 +1914,7 @@ key_type_plain(int type) } } -/* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */ +/* Convert a plain key to their _CERT equivalent */ int key_to_certified(Key *k, int legacy) { -- cgit v1.2.1 From ca9b0006a39bff8862cd29b972229bf96f5a7362 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:49:13 +0000 Subject: - djm@cvs.openbsd.org 2013/12/29 02:49:52 [key.c] correct comment for key_drop_cert() --- ChangeLog | 3 +++ key.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8aef749a..bae45adc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,9 @@ - djm@cvs.openbsd.org 2013/12/29 02:37:04 [key.c] correct comment for key_to_certified() + - djm@cvs.openbsd.org 2013/12/29 02:49:52 + [key.c] + correct comment for key_drop_cert() 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/key.c b/key.c index 10a48fa6..1d20167e 100644 --- a/key.c +++ b/key.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.112 2013/12/29 02:37:04 djm Exp $ */ +/* $OpenBSD: key.c,v 1.113 2013/12/29 02:49:52 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1947,7 +1947,7 @@ key_to_certified(Key *k, int legacy) } } -/* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */ +/* Convert a certificate to its raw key equivalent */ int key_drop_cert(Key *k) { -- cgit v1.2.1 From 1971ead9007bbb06686384144f604d27de89ac9e Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:49:31 +0000 Subject: - djm@cvs.openbsd.org 2013/12/29 04:20:04 [key.c] to make sure we don't omit any key types as valid CA keys again, factor the valid key type check into a key_type_is_valid_ca() function --- ChangeLog | 5 +++++ key.c | 24 +++++++++++++++++------- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index bae45adc..40befaa7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -52,6 +52,11 @@ - djm@cvs.openbsd.org 2013/12/29 02:49:52 [key.c] correct comment for key_drop_cert() + - djm@cvs.openbsd.org 2013/12/29 04:20:04 + [key.c] + to make sure we don't omit any key types as valid CA keys again, + factor the valid key type check into a key_type_is_valid_ca() + function 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/key.c b/key.c index 1d20167e..b0bb46f3 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.113 2013/12/29 02:49:52 djm Exp $ */ +/* $OpenBSD: key.c,v 1.114 2013/12/29 04:20:04 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1091,6 +1091,20 @@ key_type_is_cert(int type) return 0; } +static int +key_type_is_valid_ca(int type) +{ + switch (type) { + case KEY_RSA: + case KEY_DSA: + case KEY_ECDSA: + case KEY_ED25519: + return 1; + default: + return 0; + } +} + u_int key_size(const Key *k) { 
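Review bot: `key_type_is_valid_ca()` carries no comment saying that it deliberately lists only plain key types, so the next person adding a type may read the absence of the `*_CERT` variants as an omission rather than a rule. Both callers in the following hunks (cert_parse() and key_certify()) reject anything it returns 0 for, which is what stops a certificate from signing another certificate, and that is worth stating at the definition: `/* Only plain (non-certificate) key types may act as a CA; the *_CERT types are rejected on purpose. */`. The function is complete within the hunk.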
@@ -1479,10 +1493,7 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) error("%s: Signature key invalid", __func__); goto out; } - if (key->cert->signature_key->type != KEY_RSA && - key->cert->signature_key->type != KEY_DSA && - key->cert->signature_key->type != KEY_ECDSA && - key->cert->signature_key->type != KEY_ED25519) { + if (!key_type_is_valid_ca(key->cert->signature_key->type)) { error("%s: Invalid signature key type %s (%d)", __func__, key_type(key->cert->signature_key), key->cert->signature_key->type); @@ -1980,8 +1991,7 @@ key_certify(Key *k, Key *ca) return -1; } - if (ca->type != KEY_RSA && ca->type != KEY_DSA && - ca->type != KEY_ECDSA && ca->type != KEY_ED25519) { + if (!key_type_is_valid_ca(ca->type)) { error("%s: CA key has unsupported type %s", __func__, key_type(ca)); return -1; -- cgit v1.2.1 From e10404e39ccf531dc9a93959495c75d75af95c44 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:49:55 +0000 Subject: - djm@cvs.openbsd.org 2013/12/29 04:29:25 [authfd.c] allow deletion of ed25519 keys from the agent --- ChangeLog | 3 +++ authfd.c | 6 ++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 40befaa7..3e85c79f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -57,6 +57,9 @@ to make sure we don't omit any key types as valid CA keys again, factor the valid key type check into a key_type_is_valid_ca() function + - djm@cvs.openbsd.org 2013/12/29 04:29:25 + [authfd.c] + allow deletion of ed25519 keys from the agent 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/authfd.c b/authfd.c index 0971cee3..f9636903 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.90 2013/12/06 13:39:49 markus Exp $ */ +/* $OpenBSD: authfd.c,v 1.91 2013/12/29 04:29:25 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -557,9 +557,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) buffer_put_int(&msg, BN_num_bits(key->rsa->n)); buffer_put_bignum(&msg, key->rsa->e); buffer_put_bignum(&msg, key->rsa->n); - } else if (key_type_plain(key->type) == KEY_DSA || - key_type_plain(key->type) == KEY_RSA || - key_type_plain(key->type) == KEY_ECDSA) { + } else if (key->type != KEY_UNSPEC) { key_to_blob(key, &blob, &blen); buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); buffer_put_string(&msg, blob, blen); -- cgit v1.2.1 From 828308d0e80d8f183cd1d819599323ef67d67ff0 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:50:15 +0000 Subject: - djm@cvs.openbsd.org 2013/12/29 04:35:50 [authfile.c] don't refuse to load Ed25519 certificates --- ChangeLog | 3 +++ authfile.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3e85c79f..3721d3d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -60,6 +60,9 @@ - djm@cvs.openbsd.org 2013/12/29 04:29:25 [authfd.c] allow deletion of ed25519 keys from the agent + - djm@cvs.openbsd.org 2013/12/29 04:35:50 + [authfile.c] + don't refuse to load Ed25519 certificates 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/authfile.c b/authfile.c index 3bbc7cbb..7eccbb2c 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.100 2013/12/06 13:39:49 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.101 2013/12/29 04:35:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1213,6 +1213,7 @@ key_load_private_cert(int type, const char *filename, const char *passphrase, case KEY_RSA: case KEY_DSA: case KEY_ECDSA: + case KEY_ED25519: break; default: error("%s: unsupported key type", __func__); -- cgit v1.2.1 From 8d99d35a8caf6b460df647dfee84d629134cdae9 Mon Sep 17 00:00:00 2001 
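Review bot: With the explicit type list replaced by `key->type != KEY_UNSPEC`, the SSH2 branch now reaches `key_to_blob(key, &blob, &blen);` for any key type, and that call's return value is still not checked. Before the change the type list guaranteed a type key_to_blob() handles; if it can fail for a type it does not know (not visible here), the removal request would be built from whatever blob and blen it left behind, so guard it, e.g. `if (key_to_blob(key, &blob, &blen) == 0) { buffer_free(&msg); return 0; }`, using whatever failure value the rest of the function returns. ssh_remove_identity() starts and ends outside this hunk, so its existing failure convention should be checked there first.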
From: djm Date: Sun, 29 Dec 2013 06:53:39 +0000 Subject: - djm@cvs.openbsd.org 2013/12/29 05:42:16 [ssh.c] don't forget to load Ed25519 certs too --- ChangeLog | 3 +++ ssh.c | 28 ++++++++++++++++------------ 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3721d3d6..935e9e0a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -63,6 +63,9 @@ - djm@cvs.openbsd.org 2013/12/29 04:35:50 [authfile.c] don't refuse to load Ed25519 certificates + - djm@cvs.openbsd.org 2013/12/29 05:42:16 + [ssh.c] + don't forget to load Ed25519 certs too 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/ssh.c b/ssh.c index 543a3baf..5de8fcf4 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.396 2013/12/06 13:39:49 markus Exp $ */ +/* $OpenBSD: ssh.c,v 1.397 2013/12/29 05:42:16 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -993,7 +993,7 @@ main(int ac, char **av) sensitive_data.external_keysign = 0; if (options.rhosts_rsa_authentication || options.hostbased_authentication) { - sensitive_data.nkeys = 8; + sensitive_data.nkeys = 9; sensitive_data.keys = xcalloc(sensitive_data.nkeys, sizeof(Key)); for (i = 0; i < sensitive_data.nkeys; i++) 
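Review bot: `sensitive_data.keys = xcalloc(sensitive_data.nkeys, sizeof(Key));` in the @@ -993 hunk sizes each element as a whole `Key`, yet the slots are filled with the `Key *` results of key_load_private_cert() and friends in the next hunks; it over-allocates harmlessly today but should be `sizeof(*sensitive_data.keys)` so the element size follows the array's type. The bump to `nkeys = 9` is also one of three places in main() that must agree on the slot layout, and nothing records that layout; a comment at the assignment such as `/* slots 1-4: host certs, 5-8: plain DSA/ECDSA/RSA/Ed25519 keys; the external-keysign block below uses the same indices */` would make the next addition safer, and a table indexed by key type would remove the hand-renumbering shown in the following hunk altogether. Slot 0 and slot 2 are not visible in this diff, so the comment should be checked against the full function. main() starts and ends outside this hunk.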
@@ -1010,24 +1010,26 @@ main(int ac, char **av) #endif sensitive_data.keys[3] = key_load_private_cert(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, "", NULL); - sensitive_data.keys[4] = key_load_private_type(KEY_DSA, + sensitive_data.keys[4] = key_load_private_cert(KEY_ED25519, + _PATH_HOST_ED25519_KEY_FILE, "", NULL); + sensitive_data.keys[5] = key_load_private_type(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL); #ifdef OPENSSL_HAS_ECC - sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA, + sensitive_data.keys[6] = key_load_private_type(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL); #endif - sensitive_data.keys[6] = key_load_private_type(KEY_RSA, + sensitive_data.keys[7] = key_load_private_type(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL); - sensitive_data.keys[7] = key_load_private_type(KEY_ED25519, + sensitive_data.keys[8] = key_load_private_type(KEY_ED25519, _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL); PRIV_END; if (options.hostbased_authentication == 1 && sensitive_data.keys[0] == NULL && - sensitive_data.keys[4] == NULL && sensitive_data.keys[5] == NULL && sensitive_data.keys[6] == NULL && - sensitive_data.keys[7] == NULL) { + sensitive_data.keys[7] == NULL && + sensitive_data.keys[8] == NULL) { sensitive_data.keys[1] = key_load_cert( _PATH_HOST_DSA_KEY_FILE); #ifdef OPENSSL_HAS_ECC 
@@ -1036,15 +1038,17 @@ main(int ac, char **av) #endif sensitive_data.keys[3] = key_load_cert( _PATH_HOST_RSA_KEY_FILE); - sensitive_data.keys[4] = key_load_public( + sensitive_data.keys[4] = key_load_cert( + _PATH_HOST_ED25519_KEY_FILE); + sensitive_data.keys[5] = key_load_public( _PATH_HOST_DSA_KEY_FILE, NULL); #ifdef OPENSSL_HAS_ECC - sensitive_data.keys[5] = key_load_public( + sensitive_data.keys[6] = key_load_public( _PATH_HOST_ECDSA_KEY_FILE, NULL); #endif - sensitive_data.keys[6] = key_load_public( - _PATH_HOST_RSA_KEY_FILE, NULL); sensitive_data.keys[7] = key_load_public( + _PATH_HOST_RSA_KEY_FILE, NULL); + sensitive_data.keys[8] = key_load_public( _PATH_HOST_ED25519_KEY_FILE, NULL); sensitive_data.external_keysign = 1; } -- cgit v1.2.1 From 63e41a239b2c306596099d20bb0d9b0fcb26724e Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:54:03 +0000 Subject: - djm@cvs.openbsd.org 2013/12/29 05:57:02 [sshconnect.c] when showing other hostkeys, don't forget Ed25519 keys --- ChangeLog | 3 +++ sshconnect.c | 11 +++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 935e9e0a..02d8050a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -66,6 +66,9 @@ - djm@cvs.openbsd.org 2013/12/29 05:42:16 [ssh.c] don't forget to load Ed25519 certs too + - djm@cvs.openbsd.org 2013/12/29 05:57:02 + [sshconnect.c] + when showing other hostkeys, don't forget Ed25519 keys 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. diff --git a/sshconnect.c b/sshconnect.c index 3cdc4614..b492ce91 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.241 2013/10/16 02:31:46 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.242 2013/12/29 05:57:02 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -1301,7 +1301,14 @@ ssh_put_password(char *password) static int show_other_keys(struct hostkeys *hostkeys, Key *key) { - int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, KEY_ECDSA, -1}; + int type[] = { + KEY_RSA1, + KEY_RSA, + KEY_DSA, + KEY_ECDSA, + KEY_ED25519, + -1 + }; int i, ret = 0; char *fp, *ra; const struct hostkey_entry *found; -- cgit v1.2.1 From aeeb98e5b387b0670b30d80e6fcf79b64c8014bf Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 29 Dec 2013 06:57:46 +0000 Subject: - (djm) [regress/Makefile] Add some generated files for cleaning --- ChangeLog | 1 + regress/Makefile | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 02d8050a..d33de38a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20131229 - (djm) [loginrec.c] Check for username truncation when looking up lastlog entries + - (djm) [regress/Makefile] Add some generated files for cleaning - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/12/19 00:10:30 [ssh-add.c] diff --git a/regress/Makefile b/regress/Makefile index ba850483..0c66b177 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -73,7 +73,7 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers USER!= id -un CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ - t8.out t8.out.pub t9.out t9.out.pub \ + t8.out t8.out.pub t9.out t9.out.pub t10.out t10.out.pub \ authorized_keys_${USER} known_hosts pidfile testdata \ ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \ rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ 
@@ -88,7 +88,9 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ ssh.log failed-ssh.log sshd.log failed-sshd.log \ regress.log failed-regress.log ssh-log-wrapper.sh \ - sftp-server.sh sftp-server.log sftp.log setuid-allowed + sftp-server.sh sftp-server.log sftp.log setuid-allowed \ + data ed25519-agent ed25519-agent.pub key.ed25519-512 \ + key.ed25519-512.pub SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} -- cgit v1.2.1 From 229beab37985c2149a83aa67c97c0d1f0f0a0e76 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 31 Dec 2013 01:25:40 +0000 Subject: - djm@cvs.openbsd.org 2013/12/30 23:52:28 [auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c] [sshconnect.c sshconnect2.c sshd.c] refuse RSA keys from old proprietary clients/servers that use the obsolete RSA+MD5 signature scheme. it will still be possible to connect with these clients/servers but only DSA keys will be accepted, and we'll deprecate them entirely in a future release. ok markus@ --- ChangeLog | 10 +++++++++ auth2-hostbased.c | 8 +++++++- auth2-pubkey.c | 8 +++++++- compat.c | 61 +++++++++++++++++++++++++++++++++++++++---------------- compat.h | 3 ++- ssh-rsa.c | 23 +++------------------ sshconnect.c | 5 ++++- sshconnect2.c | 33 ++++++++++++++++++++++-------- sshd.c | 13 +++++++----- 9 files changed, 109 insertions(+), 55 deletions(-) diff --git a/ChangeLog b/ChangeLog index d33de38a..7b512341 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,13 @@ +20131231 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/30 23:52:28 + [auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c] + [sshconnect.c sshconnect2.c sshd.c] + refuse RSA keys from old proprietary clients/servers that use the + obsolete RSA+MD5 signature scheme. it will still be possible to connect + with these clients/servers but only DSA keys will be accepted, and we'll + deprecate them entirely in a future release. ok markus@ + 20131229 - (djm) [loginrec.c] Check for username truncation when looking up lastlog entries diff --git a/auth2-hostbased.c b/auth2-hostbased.c index a344dcc1..488008f6 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.16 2013/06/21 00:34:49 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.17 2013/12/30 23:52:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -100,6 +100,12 @@ userauth_hostbased(Authctxt *authctxt) "(received %d, expected %d)", key->type, pktype); goto done; } + if (key_type_plain(key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + error("Refusing RSA key because peer uses unsafe " + "signature format"); + goto done; + } service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; buffer_init(&b); diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 2b3ecb10..0fd27bb9 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.39 2013/12/30 23:52:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
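Review bot: The refusal added to userauth_hostbased() logs with `error()` and says "unsafe signature format", while the identical check added to userauth_pubkey() in the next file logs with `logit()` and says "unsafe signature scheme"; the two should use the same level and wording so admins and log scrapers can match them. I would write `logit("Refusing RSA key because peer uses unsafe signature scheme");` here, logit being the level the new banner message in sshd.c in this commit also uses. userauth_hostbased() starts and ends outside this hunk.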
@@ -116,6 +116,12 @@ userauth_pubkey(Authctxt *authctxt) "(received %d, expected %d)", key->type, pktype); goto done; } + if (key_type_plain(key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + logit("Refusing RSA key because client uses unsafe " + "signature scheme"); + goto done; + } if (have_sig) { sig = packet_get_string(&slen); packet_check_eom(); diff --git a/compat.c b/compat.c index ac353a70..9d9fabef 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.81 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -171,8 +171,9 @@ compat_datafellows(const char *version) for (i = 0; check[i].pat; i++) { if (match_pattern_list(version, check[i].pat, strlen(check[i].pat), 0) == 1) { - debug("match: %s pat %s", version, check[i].pat); datafellows = check[i].bugs; + debug("match: %s pat %s compat 0x%08x", + version, check[i].pat, datafellows); return; } } 
@@ -208,33 +209,59 @@ proto_spec(const char *spec) return ret; } -char * -compat_cipher_proposal(char *cipher_prop) +/* + * Filters a proposal string, excluding any algorithm matching the 'filter' + * pattern list. + */ +static char * +filter_proposal(char *proposal, const char *filter) { Buffer b; - char *orig_prop, *fix_ciphers; + char *orig_prop, *fix_prop; char *cp, *tmp; - if (!(datafellows & SSH_BUG_BIGENDIANAES)) - return(cipher_prop); - buffer_init(&b); - tmp = orig_prop = xstrdup(cipher_prop); + tmp = orig_prop = xstrdup(proposal); while ((cp = strsep(&tmp, ",")) != NULL) { - if (strncmp(cp, "aes", 3) != 0) { + if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) { if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); buffer_append(&b, cp, strlen(cp)); - } + } else + debug2("Compat: skipping algorithm \"%s\"", cp); } buffer_append(&b, "\0", 1); - fix_ciphers = xstrdup(buffer_ptr(&b)); + fix_prop = xstrdup(buffer_ptr(&b)); buffer_free(&b); free(orig_prop); - debug2("Original cipher proposal: %s", cipher_prop); - debug2("Compat cipher proposal: %s", fix_ciphers); - if (!*fix_ciphers) - fatal("No available ciphers found."); - return(fix_ciphers); + return fix_prop; } + +char * +compat_cipher_proposal(char *cipher_prop) +{ + if (!(datafellows & SSH_BUG_BIGENDIANAES)) + return cipher_prop; + debug2("%s: original cipher proposal: %s", __func__, cipher_prop); + cipher_prop = filter_proposal(cipher_prop, "aes*"); + debug2("%s: compat cipher proposal: %s", __func__, cipher_prop); + if (*cipher_prop == '\0') + fatal("No supported ciphers found"); + return cipher_prop; +} + + +char * +compat_pkalg_proposal(char *pkalg_prop) +{ + if (!(datafellows & SSH_BUG_RSASIGMD5)) + return pkalg_prop; + debug2("%s: original public key proposal: %s", __func__, pkalg_prop); + pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa"); + debug2("%s: compat public key proposal: %s", __func__, pkalg_prop); + if (*pkalg_prop == '\0') + fatal("No supported PK algorithms found"); + return 
pkalg_prop; +} + diff --git a/compat.h b/compat.h index 3ae5d9c7..b174fa17 100644 --- a/compat.h +++ b/compat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.h,v 1.43 2011/09/23 07:45:05 markus Exp $ */ +/* $OpenBSD: compat.h,v 1.44 2013/12/30 23:52:27 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. @@ -65,6 +65,7 @@ void enable_compat20(void); void compat_datafellows(const char *); int proto_spec(const char *); char *compat_cipher_proposal(char *); +char *compat_pkalg_proposal(char *); extern int compat13; extern int compat20; diff --git a/ssh-rsa.c b/ssh-rsa.c index 6e28bb4a..b1ac50b3 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.48 2013/12/27 22:37:18 djm Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.49 2013/12/30 23:52:27 djm Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * @@ -53,7 +53,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, return -1; } - nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; + nid = NID_sha1; if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { error("%s: EVP_get_digestbynid %d failed", __func__, nid); return -1; @@ -161,7 +161,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, memset(sigblob, 0, diff); len = modlen; } - nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; + nid = NID_sha1; if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { error("%s: EVP_get_digestbynid %d failed", __func__, nid); free(sigblob); 
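Review bot: In filter_proposal() the third argument to match_pattern_list() is `strlen(cp)`, the length of the candidate being tested, whereas compat_datafellows() two hunks above passes `strlen(check[i].pat)`, the length of the pattern. If that parameter is the pattern length, as the earlier call suggests, every candidate longer than its filter (for example "aes128-ctr" against "aes*") makes the matcher walk past the end of the pattern string, so the call should read `match_pattern_list(cp, filter, strlen(filter), 0)`. The "ssh-rsa" filter in compat_pkalg_proposal() also removes only the plain algorithm name, while the server-side checks in this commit go through key_type_plain() so that certificate variants of RSA are refused too; if RSA certificate algorithm names can appear in the proposal (the code knows KEY_RSA_CERT types), a pattern such as `"ssh-rsa*"` keeps the two sides consistent. All three functions are complete within the hunk.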
@@ -196,18 +196,6 @@ static const u_char id_sha1[] = { 0x05, 0x00, /* NULL */ 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */ }; -/* - * id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) - * rsadsi(113549) digestAlgorithm(2) 5 } - */ -static const u_char id_md5[] = { - 0x30, 0x20, /* type Sequence, length 0x20 (32) */ - 0x30, 0x0c, /* type Sequence, length 0x0c (12) */ - 0x06, 0x08, /* type OID, length 0x08 */ - 0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */ - 0x05, 0x00, /* NULL */ - 0x04, 0x10 /* Octet string, length 0x10 (16), followed by md5 hash */ -}; static int openssh_RSA_verify(int type, u_char *hash, u_int hashlen, @@ -225,11 +213,6 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen, oidlen = sizeof(id_sha1); hlen = 20; break; - case NID_md5: - oid = id_md5; - oidlen = sizeof(id_md5); - hlen = 16; - break; default: goto done; } diff --git a/sshconnect.c b/sshconnect.c index b492ce91..791b31c1 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.242 2013/12/29 05:57:02 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.243 2013/12/30 23:52:27 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -662,6 +662,9 @@ ssh_exchange_identification(int timeout_ms) fatal("Protocol major versions differ: %d vs. %d", (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, remote_major); + if ((datafellows & SSH_BUG_RSASIGMD5) != 0) + logit("Server version \"%.100s\" uses unsafe RSA signature " + "scheme; disabling use of RSA keys", remote_version); if (!client_banner_sent) send_client_banner(connection_out, minor1); chop(server_version_string); diff --git a/sshconnect2.c b/sshconnect2.c index 1f6160e8..0d339b9c 100644 --- a/sshconnect2.c +++ b/sshconnect2.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.199 2013/11/02 21:59:15 markus Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.200 2013/12/30 23:52:28 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -188,11 +188,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) } if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - options.hostkeyalgorithms; + compat_pkalg_proposal(options.hostkeyalgorithms); else { /* Prefer algorithms that we already have keys for */ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - order_hostkeyalgs(host, hostaddr, port); + compat_pkalg_proposal( + order_hostkeyalgs(host, hostaddr, port)); } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 
@@ -1489,17 +1490,31 @@ userauth_pubkey(Authctxt *authctxt) * encrypted keys we cannot do this and have to load the * private key instead */ - if (id->key && id->key->type != KEY_RSA1) { - debug("Offering %s public key: %s", key_type(id->key), - id->filename); - sent = send_pubkey_test(authctxt, id); - } else if (id->key == NULL) { + if (id->key != NULL) { + if (key_type_plain(id->key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + debug("Skipped %s key %s for RSA/MD5 server", + key_type(id->key), id->filename); + } else if (id->key->type != KEY_RSA1) { + debug("Offering %s public key: %s", + key_type(id->key), id->filename); + sent = send_pubkey_test(authctxt, id); + } + } else { debug("Trying private key: %s", id->filename); id->key = load_identity_file(id->filename, id->userprovided); if (id->key != NULL) { id->isprivate = 1; - sent = sign_and_send_pubkey(authctxt, id); + if (key_type_plain(id->key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + debug("Skipped %s key %s for RSA/MD5 " + "server", key_type(id->key), + id->filename); + } else { + sent = sign_and_send_pubkey( + authctxt, id); + } key_free(id->key); id->key = NULL; } diff --git a/sshd.c b/sshd.c index 786d9ff9..87795bea 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.412 2013/12/06 13:39:49 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.413 2013/12/30 23:52:28 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
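Review bot: The RSA/MD5 skip is written out twice in this hunk, and twice more in auth2-hostbased.c and auth2-pubkey.c in the same commit, each as `key_type_plain(...) == KEY_RSA && (datafellows & SSH_BUG_RSASIGMD5) != 0`; a small predicate, e.g. in compat.c next to compat_pkalg_proposal() with a prototype in compat.h, keeps the four sites from drifting. In the private-key branch the test can only run after load_identity_file(), which the comment above the hunk says is what encrypted keys require, so a user may be asked for a passphrase for a key that is then discarded; that follows from not knowing the type before the file is read, but the debug message could say so. The helper and the two call sites would look like the excerpt below; userauth_pubkey() starts and ends outside this hunk.
```c
/* True when the key is RSA and the peer only understands the RSA/MD5 scheme. */
int
key_skip_for_rsa_md5(const Key *key)
{
	return key_type_plain(key->type) == KEY_RSA &&
	    (datafellows & SSH_BUG_RSASIGMD5) != 0;
}

/* … unchanged: start of userauth_pubkey() … */
	if (id->key != NULL) {
		if (key_skip_for_rsa_md5(id->key)) {
			debug("Skipped %s key %s for RSA/MD5 server",
			    key_type(id->key), id->filename);
		} else if (id->key->type != KEY_RSA1) {
			/* … unchanged: send_pubkey_test … */
		}
	} else {
		/* … unchanged: load_identity_file … */
		if (id->key != NULL) {
			id->isprivate = 1;
			if (key_skip_for_rsa_md5(id->key)) {
				debug("Skipped %s key %s for RSA/MD5 "
				    "server (loaded before type was known)",
				    key_type(id->key), id->filename);
			} else {
				sent = sign_and_send_pubkey(authctxt, id);
			}
			/* … unchanged: key_free … */
		}
```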
@@ -492,17 +492,19 @@ sshd_exchange_identification(int sock_in, int sock_out) compat_datafellows(remote_version); - if (datafellows & SSH_BUG_PROBE) { + if ((datafellows & SSH_BUG_PROBE) != 0) { logit("probed from %s with %s. Don't panic.", get_remote_ipaddr(), client_version_string); cleanup_exit(255); } - - if (datafellows & SSH_BUG_SCANNER) { + if ((datafellows & SSH_BUG_SCANNER) != 0) { logit("scanned from %s with %s. Don't panic.", get_remote_ipaddr(), client_version_string); cleanup_exit(255); } + if ((datafellows & SSH_BUG_RSASIGMD5) != 0) + logit("Client version \"%.100s\" uses unsafe RSA signature " + "scheme; disabling use of RSA keys", remote_version); mismatch = 0; switch (remote_major) { @@ -2446,7 +2448,8 @@ do_ssh2_kex(void) packet_set_rekey_limits((u_int32_t)options.rekey_limit, (time_t)options.rekey_interval); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( + list_hostkey_types()); /* start key exchange */ kex = kex_setup(myproposal); -- cgit v1.2.1 From 1376b94a37e7033bc67021dd8b7f67778e82af1c Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 8 Jan 2014 05:13:12 +0000 Subject: - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ --- ChangeLog | 3 +++ regress/.cvsignore | 30 +++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 7b512341..c429c3b8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20140108 + - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ + 20131231 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/12/30 23:52:28 diff --git a/regress/.cvsignore b/regress/.cvsignore index f3c7a7c5..99add9cc 100644 --- a/regress/.cvsignore +++ b/regress/.cvsignore 
@@ -1 +1,29 @@ -Makefile +*-agent +*.copy +*.log +*.prv +*.pub +actual +authorized_keys_* +data +expect +host.rsa* +key.* +known_hosts +krl-* +modpipe +remote_pid +revoked-* +revoked-ca +revoked-keyid +revoked-serials +rsa +rsa1 +sftp-server.sh +ssh-log-wrapper.sh +ssh_config +ssh_proxy* +sshd_config +sshd_proxy* +t*.out +t*.out[0-9] -- cgit v1.2.1 From f65633fa440913335f16feef1183ebe3a51578ec Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 9 Jan 2014 23:37:05 +0000 Subject: - tedu@cvs.openbsd.org 2014/01/04 17:50:55 [mac.c monitor_mm.c monitor_mm.h xmalloc.c] use standard types and formats for size_t like variables. ok dtucker --- ChangeLog | 6 ++++++ mac.c | 6 +++--- monitor_mm.c | 34 ++++++++++++++++++---------------- monitor_mm.h | 4 ++-- xmalloc.c | 12 ++++++------ 5 files changed, 35 insertions(+), 27 deletions(-) diff --git a/ChangeLog b/ChangeLog index c429c3b8..ab584d99 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20140110 + - (djm) OpenBSD CVS Sync + - tedu@cvs.openbsd.org 2014/01/04 17:50:55 + [mac.c monitor_mm.c monitor_mm.h xmalloc.c] + use standard types and formats for size_t like variables. ok dtucker + 20140108 - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ diff --git a/mac.c b/mac.c index c71b6a74..d3a0b935 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.25 2013/11/07 11:58:27 dtucker Exp $ */ +/* $OpenBSD: mac.c,v 1.26 2014/01/04 17:50:55 tedu Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -181,8 +181,8 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) u_char b[4], nonce[8]; if (mac->mac_len > sizeof(u)) - fatal("mac_compute: mac too long %u %lu", - mac->mac_len, (u_long)sizeof(u)); + fatal("mac_compute: mac too long %u %zu", + mac->mac_len, sizeof(u)); switch (mac->type) { case SSH_EVP: diff --git a/monitor_mm.c b/monitor_mm.c index ee7bad4b..0ba0658a 100644 --- a/monitor_mm.c +++ b/monitor_mm.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_mm.c,v 1.17 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: monitor_mm.c,v 1.19 2014/01/04 17:50:55 tedu Exp $ */ /* * Copyright 2002 Niels Provos * All rights reserved. @@ -35,6 +35,7 @@ #include #include +#include #include #include @@ -46,7 +47,7 @@ static int mm_compare(struct mm_share *a, struct mm_share *b) { - long diff = (char *)a->address - (char *)b->address; + ptrdiff_t diff = (char *)a->address - (char *)b->address; if (diff == 0) return (0); @@ -65,7 +66,7 @@ mm_make_entry(struct mm_master *mm, struct mmtree *head, struct mm_share *tmp, *tmp2; if (mm->mmalloc == NULL) - tmp = xmalloc(sizeof(struct mm_share)); + tmp = xcalloc(1, sizeof(struct mm_share)); else tmp = mm_xmalloc(mm->mmalloc, sizeof(struct mm_share)); tmp->address = address; @@ -73,8 +74,8 @@ mm_make_entry(struct mm_master *mm, struct mmtree *head, tmp2 = RB_INSERT(mmtree, head, tmp); if (tmp2 != NULL) - fatal("mm_make_entry(%p): double address %p->%p(%lu)", - mm, tmp2, address, (u_long)size); + fatal("mm_make_entry(%p): double address %p->%p(%zu)", + mm, tmp2, address, size); return (tmp); } @@ -88,7 +89,7 @@ mm_create(struct mm_master *mmalloc, size_t size) struct mm_master *mm; if (mmalloc == NULL) - mm = xmalloc(sizeof(struct mm_master)); + mm = xcalloc(1, sizeof(struct mm_master)); else mm = mm_xmalloc(mmalloc, sizeof(struct mm_master)); @@ -101,7 +102,7 @@ mm_create(struct mm_master *mmalloc, size_t size) address = xmmap(size); if (address == (void *)MAP_FAILED) - fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); + fatal("mmap(%zu): %s", size, strerror(errno)); mm->address = address; mm->size = size; @@ -141,7 +142,7 @@ mm_destroy(struct mm_master *mm) #ifdef HAVE_MMAP if (munmap(mm->address, mm->size) == -1) - fatal("munmap(%p, %lu): %s", mm->address, (u_long)mm->size, + fatal("munmap(%p, %zu): %s", mm->address, mm->size, strerror(errno)); #else fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported", 
@@ -160,7 +161,8 @@ mm_xmalloc(struct mm_master *mm, size_t size) address = mm_malloc(mm, size); if (address == NULL) - fatal("%s: mm_malloc(%lu)", __func__, (u_long)size); + fatal("%s: mm_malloc(%zu)", __func__, size); + memset(address, 0, size); return (address); } @@ -194,7 +196,7 @@ mm_malloc(struct mm_master *mm, size_t size) /* Does not change order in RB tree */ mms->size -= size; - mms->address = (u_char *)mms->address + size; + mms->address = (char *)mms->address + size; if (mms->size == 0) { RB_REMOVE(mmtree, &mm->rb_free, mms); @@ -247,8 +249,8 @@ mm_free(struct mm_master *mm, void *address) /* Check if range does not overlap */ if (prev != NULL && MM_ADDRESS_END(prev) > address) - fatal("mm_free: memory corruption: %p(%lu) > %p", - prev->address, (u_long)prev->size, address); + fatal("mm_free: memory corruption: %p(%zu) > %p", + prev->address, prev->size, address); /* See if we can merge backwards */ if (prev != NULL && MM_ADDRESS_END(prev) == address) { @@ -270,8 +272,8 @@ mm_free(struct mm_master *mm, void *address) return; if (MM_ADDRESS_END(prev) > mms->address) - fatal("mm_free: memory corruption: %p < %p(%lu)", - mms->address, prev->address, (u_long)prev->size); + fatal("mm_free: memory corruption: %p < %p(%zu)", + mms->address, prev->address, prev->size); if (MM_ADDRESS_END(prev) != mms->address) return; @@ -342,12 +344,12 @@ mm_share_sync(struct mm_master **pmm, struct mm_master **pmmalloc) void mm_memvalid(struct mm_master *mm, void *address, size_t size) { - void *end = (u_char *)address + size; + void *end = (char *)address + size; if (address < mm->address) fatal("mm_memvalid: address too small: %p", address); if (end < address) fatal("mm_memvalid: end < address: %p < %p", end, address); - if (end > (void *)((u_char *)mm->address + mm->size)) + if (end > MM_ADDRESS_END(mm)) fatal("mm_memvalid: address too large: %p", address); } diff --git a/monitor_mm.h b/monitor_mm.h index c890f770..f1fae7e3 100644 --- a/monitor_mm.h +++ b/monitor_mm.h 
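Review bot: In the mm_memvalid hunk the wrap-around guard `if (end < address)` depends on `void *end = (char *)address + size;` having wrapped, but forming a pointer past the end of the object is undefined and compilers routinely fold `p + n < p` to false, so the check this commit keeps (only the cast changed) can vanish at -O2. Derive the room from the region instead: `if (address < mm->address || address > MM_ADDRESS_END(mm)) fatal("mm_memvalid: address out of range: %p", address);` followed by `if (size > (size_t)((char *)MM_ADDRESS_END(mm) - (char *)address)) fatal("mm_memvalid: address too large: %p", address);`, which needs no overflowing arithmetic. The relational comparison on `void *` matches what the function already does with `address < mm->address`.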
@@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_mm.h,v 1.5 2008/04/29 11:20:31 otto Exp $ */ +/* $OpenBSD: monitor_mm.h,v 1.6 2014/01/04 17:50:55 tedu Exp $ */ /* * Copyright 2002 Niels Provos @@ -47,7 +47,7 @@ RB_PROTOTYPE(mmtree, mm_share, next, mm_compare) #define MM_MINSIZE 128 -#define MM_ADDRESS_END(x) (void *)((u_char *)(x)->address + (x)->size) +#define MM_ADDRESS_END(x) (void *)((char *)(x)->address + (x)->size) struct mm_master *mm_create(struct mm_master *, size_t); void mm_destroy(struct mm_master *); diff --git a/xmalloc.c b/xmalloc.c index 92f781fd..2f1cd230 100644 --- a/xmalloc.c +++ b/xmalloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: xmalloc.c,v 1.29 2014/01/04 17:50:55 tedu Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -33,7 +33,7 @@ xmalloc(size_t size) fatal("xmalloc: zero size"); ptr = malloc(size); if (ptr == NULL) - fatal("xmalloc: out of memory (allocating %lu bytes)", (u_long) size); + fatal("xmalloc: out of memory (allocating %zu bytes)", size); return ptr; } @@ -48,8 +48,8 @@ xcalloc(size_t nmemb, size_t size) fatal("xcalloc: nmemb * size > SIZE_T_MAX"); ptr = calloc(nmemb, size); if (ptr == NULL) - fatal("xcalloc: out of memory (allocating %lu bytes)", - (u_long)(size * nmemb)); + fatal("xcalloc: out of memory (allocating %zu bytes)", + size * nmemb); return ptr; } @@ -68,8 +68,8 @@ xrealloc(void *ptr, size_t nmemb, size_t size) else new_ptr = realloc(ptr, new_size); if (new_ptr == NULL) - fatal("xrealloc: out of memory (new_size %lu bytes)", - (u_long) new_size); + fatal("xrealloc: out of memory (new_size %zu bytes)", + new_size); return new_ptr; } -- cgit v1.2.1 From d5a0ca7a5485b783a1d32375f30296153bf8f45d Mon Sep 17 00:00:00 2001 
From: djm Date: Thu, 9 Jan 2014 23:40:45 +0000 Subject: - guenther@cvs.openbsd.org 2014/01/09 03:26:00 [sftp-common.c] When formating the time for "ls -l"-style output, show dates in the future with the year, and rearrange a comparison to avoid a potentional signed arithmetic overflow that would give the wrong result. ok djm@ --- ChangeLog | 6 ++++++ sftp-common.c | 7 +++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ab584d99..df1d5ea6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,12 @@ - tedu@cvs.openbsd.org 2014/01/04 17:50:55 [mac.c monitor_mm.c monitor_mm.h xmalloc.c] use standard types and formats for size_t like variables. ok dtucker + - guenther@cvs.openbsd.org 2014/01/09 03:26:00 + [sftp-common.c] + When formating the time for "ls -l"-style output, show dates in the future + with the year, and rearrange a comparison to avoid a potentional signed + arithmetic overflow that would give the wrong result. + ok djm@ 20140108 - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ diff --git a/sftp-common.c b/sftp-common.c index 88bf51bc..70a929cc 100644 --- a/sftp-common.c +++ b/sftp-common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.c,v 1.25 2013/11/08 11:15:19 dtucker Exp $ */ +/* $OpenBSD: sftp-common.c,v 1.26 2014/01/09 03:26:00 guenther Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -195,6 +195,7 @@ ls_file(const char *name, const struct stat *st, int remote, int si_units) char *user, *group; char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1]; char sbuf[FMT_SCALED_STRSIZE]; + time_t now; strmode(st->st_mode, mode); if (!remote) { 
@@ -210,7 +211,9 @@ ls_file(const char *name, const struct stat *st, int remote, int si_units) group = gbuf; } if (ltime != NULL) { - if (time(NULL) - st->st_mtime < (365*24*60*60)/2) + now = time(NULL); + if (now - (365*24*60*60)/2 < st->st_mtime && + now >= st->st_mtime) sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime); else sz = strftime(tbuf, sizeof tbuf, "%b %e %Y", ltime); -- cgit v1.2.1 From e057c06b0cb4dd512d3c166856b40447d849a3b1 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 9 Jan 2014 23:58:53 +0000 Subject: - djm@cvs.openbsd.org 2014/01/09 23:20:00 [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c] [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c] [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c] [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c] Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@ --- ChangeLog | 9 ++++ Makefile.in | 4 +- digest.c | 148 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ digest.h | 55 +++++++++++++++++++++ hostfile.c | 3 +- kex.c | 94 ++++++++++++++++++++--------------- kex.h | 10 ++-- kexc25519.c | 17 +++---- kexc25519c.c | 4 +- kexc25519s.c | 4 +- kexdh.c | 17 +++---- kexecdh.c | 18 +++---- kexecdhc.c | 4 +- kexecdhs.c | 4 +- kexgex.c | 24 ++++----- kexgexc.c | 4 +- kexgexs.c | 4 +- key.c | 42 ++++++++-------- key.h | 4 +- roaming_client.c | 14 +++--- roaming_common.c | 14 +++--- schnorr.c | 59 ++++++++++------------ schnorr.h | 8 +-- ssh-dss.c | 31 ++++++------ ssh-ecdsa.c | 42 ++++++++++------ ssh-rsa.c | 54 +++++++++++--------- sshconnect2.c | 4 +- 27 files changed, 459 insertions(+), 236 deletions(-) create mode 100644 digest.c create mode 100644 digest.h diff --git a/ChangeLog b/ChangeLog index df1d5ea6..a1d37bc2 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -9,6 +9,15 @@ with the year, and rearrange a comparison to avoid a potentional signed arithmetic overflow that would give the wrong result. ok djm@ + - djm@cvs.openbsd.org 2014/01/09 23:20:00 + [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c] + [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c] + [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c] + [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c] + Introduce digest API and use it to perform all hashing operations + rather than calling OpenSSL EVP_Digest* directly. Will make it easier + to build a reduced-feature OpenSSH without OpenSSL in future; + feedback, ok markus@ 20140108 - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ diff --git a/Makefile.in b/Makefile.in index e789b476..4a930c66 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.348 2013/12/08 04:53:28 djm Exp $ +# $Id: Makefile.in,v 1.349 2014/01/09 23:58:53 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -75,7 +75,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ - ssh-ed25519.o \ + ssh-ed25519.o digest.o \ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ diff --git a/digest.c b/digest.c new file mode 100644 index 00000000..59a8ffe0 --- /dev/null +++ b/digest.c 
@@ -0,0 +1,148 @@ +/* $OpenBSD: digest.c,v 1.1 2014/01/09 23:20:00 djm Exp $ */ +/* + * Copyright (c) 2013 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include +#include +#include +#include + +#include /* for buffer.h */ +#include /* for buffer.h */ +#include + +#include "buffer.h" +#include "digest.h" + +struct ssh_digest_ctx { + int alg; + EVP_MD_CTX mdctx; +}; + +struct ssh_digest { + int id; + const char *name; + size_t digest_len; + const EVP_MD *(*mdfunc)(void); +}; + +/* NB. 
Indexed directly by algorithm number */ +const struct ssh_digest digests[] = { + { SSH_DIGEST_MD5, "MD5", 16, EVP_md5 }, + { SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, EVP_ripemd160 }, + { SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 }, +#ifdef HAVE_EVP_SHA256 /* XXX replace with local if missing */ + { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 }, + { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 }, + { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 }, +#endif + { -1, NULL, 0, NULL }, +}; + +static const struct ssh_digest * +ssh_digest_by_alg(int alg) +{ + if (alg < 0 || alg >= SSH_DIGEST_MAX) + return NULL; + if (digests[alg].id != alg) /* sanity */ + return NULL; + return &(digests[alg]); +} + +size_t +ssh_digest_bytes(int alg) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(alg); + + return digest == NULL ? 0 : digest->digest_len; +} + +struct ssh_digest_ctx * +ssh_digest_start(int alg) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(alg); + struct ssh_digest_ctx *ret; + + if (digest == NULL || ((ret = calloc(1, sizeof(*ret))) == NULL)) + return NULL; + ret->alg = alg; + EVP_MD_CTX_init(&ret->mdctx); + if (EVP_DigestInit_ex(&ret->mdctx, digest->mdfunc(), NULL) != 1) { + free(ret); + return NULL; + } + return ret; +} + +int +ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen) +{ + if (EVP_DigestUpdate(&ctx->mdctx, m, mlen) != 1) + return -1; + return 0; +} + +int +ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b) +{ + return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b)); +} + +int +ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen) +{ + const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg); + u_int l = dlen; + + if (dlen > UINT_MAX) + return -1; + if (dlen < digest->digest_len) /* No truncation allowed */ + return -1; + if (EVP_DigestFinal_ex(&ctx->mdctx, d, &l) != 1) + return -1; + if (l != digest->digest_len) /* sanity */ + return -1; + return 0; +} + +void +ssh_digest_free(struct 
ssh_digest_ctx *ctx) +{ + EVP_MD_CTX_cleanup(&ctx->mdctx); + memset(ctx, 0, sizeof(*ctx)); +} + +int +ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen) +{ + struct ssh_digest_ctx *ctx = ssh_digest_start(alg); + + if (ctx == NULL) + return -1; + if (ssh_digest_update(ctx, m, mlen) != 0 || + ssh_digest_final(ctx, d, dlen) != 0) + return -1; + ssh_digest_free(ctx); + return 0; +} + +int +ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen) +{ + return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen); +} diff --git a/digest.h b/digest.h new file mode 100644 index 00000000..faefda3f --- /dev/null +++ b/digest.h 
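Review bot: `ssh_digest_free` runs `EVP_MD_CTX_cleanup` and zeroes the struct but never `free()`s the context that `ssh_digest_start` obtained with `calloc`, so every digest computation leaks its wrapper, and `ssh_digest_memory` compounds this by returning -1 on an update/final failure without calling `ssh_digest_free` at all. `ssh_digest_by_alg` bounds `alg` by `SSH_DIGEST_MAX` (6) rather than by the table that was compiled in: without `HAVE_EVP_SHA256` `digests[]` holds only four entries, so `SSH_DIGEST_SHA384` and `SSH_DIGEST_SHA512` index past the array before the `id != alg` sanity check can reject them. Once the context is freed the `memset(ctx, 0, ...)` becomes a dead store a compiler may elide; if the tree has a non-elidable clear, use it there. `digests` is referenced only inside this file and can be `static`. The rewritten pieces are below; the other functions are unchanged.
```c
static const struct ssh_digest *
ssh_digest_by_alg(int alg)
{
	/*
	 * Bound by the table actually compiled in, not by SSH_DIGEST_MAX:
	 * without HAVE_EVP_SHA256 the table is shorter than SSH_DIGEST_MAX.
	 * The last entry is the { -1, NULL, 0, NULL } terminator.
	 */
	if (alg < 0 || (size_t)alg >= sizeof(digests) / sizeof(digests[0]) - 1)
		return NULL;
	if (digests[alg].id != alg) /* sanity */
		return NULL;
	return &(digests[alg]);
}

/* … unchanged: ssh_digest_bytes, ssh_digest_start, ssh_digest_update,
 * ssh_digest_update_buffer, ssh_digest_final … */

void
ssh_digest_free(struct ssh_digest_ctx *ctx)
{
	if (ctx == NULL)
		return;
	EVP_MD_CTX_cleanup(&ctx->mdctx);
	memset(ctx, 0, sizeof(*ctx));	/* may be elided before free(); prefer a non-elidable clear if one exists */
	free(ctx);			/* allocated with calloc() in ssh_digest_start() */
}

int
ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen)
{
	struct ssh_digest_ctx *ctx = ssh_digest_start(alg);
	int r = -1;

	if (ctx == NULL)
		return -1;
	if (ssh_digest_update(ctx, m, mlen) == 0 &&
	    ssh_digest_final(ctx, d, dlen) == 0)
		r = 0;
	ssh_digest_free(ctx);	/* released on the failure path as well */
	return r;
}
```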
@@ -0,0 +1,55 @@ +/* $OpenBSD: digest.h,v 1.1 2014/01/09 23:20:00 djm Exp $ */ +/* + * Copyright (c) 2013 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _DIGEST_H +#define _DIGEST_H + +/* Maximum digest output length */ +#define SSH_DIGEST_MAX_LENGTH 64 + +/* Digest algorithms */ +#define SSH_DIGEST_MD5 0 +#define SSH_DIGEST_RIPEMD160 1 +#define SSH_DIGEST_SHA1 2 +#define SSH_DIGEST_SHA256 3 +#define SSH_DIGEST_SHA384 4 +#define SSH_DIGEST_SHA512 5 +#define SSH_DIGEST_MAX 6 + +/* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */ +size_t ssh_digest_bytes(int alg); + +/* One-shot API */ +int ssh_digest_memory(int alg, const void *m, size_t mlen, + u_char *d, size_t dlen) + __attribute__((__bounded__(__buffer__, 2, 3))) + __attribute__((__bounded__(__buffer__, 4, 5))); +int ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen) + __attribute__((__bounded__(__buffer__, 3, 4))); + +/* Update API */ +struct ssh_digest_ctx; +struct ssh_digest_ctx *ssh_digest_start(int alg); +int ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen) + __attribute__((__bounded__(__buffer__, 2, 3))); +int ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b); +int ssh_digest_final(struct ssh_digest_ctx 
*ctx, u_char *d, size_t dlen) + __attribute__((__bounded__(__buffer__, 2, 3))); +void ssh_digest_free(struct ssh_digest_ctx *ctx); + +#endif /* _DIGEST_H */ + diff --git a/hostfile.c b/hostfile.c index 2ff4c48b..2778fb5d 100644 --- a/hostfile.c +++ b/hostfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */ +/* $OpenBSD: hostfile.c,v 1.53 2014/01/09 23:20:00 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -57,6 +57,7 @@ #include "hostfile.h" #include "log.h" #include "misc.h" +#include "digest.h" struct hostkeys { struct hostkey_entry *entries; diff --git a/kex.c b/kex.c index b38bae0f..dbb1a981 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.93 2013/11/07 11:58:27 dtucker Exp $ */ +/* $OpenBSD: kex.c,v 1.94 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -49,6 +49,7 @@ #include "dispatch.h" #include "monitor.h" #include "roaming.h" +#include "digest.h" #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) 
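Review bot: The update API's ownership rule is undocumented in this header: `ssh_digest_start` hands out a context that the caller must release with `ssh_digest_free` whether or not `ssh_digest_update`/`ssh_digest_final` succeed, and `ssh_digest_final` does not release it; a comment above `ssh_digest_start`, e.g. `/* Returns a context that must be released with ssh_digest_free(), also after a failed update/final */`, would state that. `ssh_digest_final` also refuses a `dlen` smaller than the algorithm's digest length (no truncation) and the one-shot `ssh_digest_memory`/`ssh_digest_buffer` inherit that, which callers can currently only learn from digest.c; a note `/* d must hold at least ssh_digest_bytes(alg) bytes; shorter buffers fail */` on the one-shot prototypes would save them that trip.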
@@ -66,26 +67,30 @@ struct kexalg { char *name; int type; int ec_nid; - const EVP_MD *(*mdfunc)(void); + int hash_alg; }; static const struct kexalg kexalgs[] = { - { KEX_DH1, KEX_DH_GRP1_SHA1, 0, EVP_sha1 }, - { KEX_DH14, KEX_DH_GRP14_SHA1, 0, EVP_sha1 }, - { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, EVP_sha1 }, + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, #ifdef HAVE_EVP_SHA256 - { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, EVP_sha256 }, + { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, #endif #ifdef OPENSSL_HAS_ECC - { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 }, - { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, + { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, + NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, + { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, + SSH_DIGEST_SHA384 }, # ifdef OPENSSL_HAS_NISTP521 - { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, + { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, + SSH_DIGEST_SHA512 }, # endif #endif + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, #ifdef HAVE_EVP_SHA256 - { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, EVP_sha256 }, + { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #endif - { NULL, -1, -1, NULL}, + { NULL, -1, -1, -1}, }; char * @@ -406,7 +411,7 @@ choose_kex(Kex *k, char *client, char *server) if ((kexalg = kex_alg_by_name(k->name)) == NULL) fatal("unsupported kex alg %s", k->name); k->kex_type = kexalg->type; - k->evp_md = kexalg->mdfunc(); + k->hash_alg = kexalg->hash_alg; k->ec_nid = kexalg->ec_nid; } 
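Review bot: `{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },` is added a second time to kexalgs[], between the ECDH block and the curve25519 entry, with no `-` line removing an earlier one; the first entry at the top of the table already covers it. Assuming kex_alg_by_name returns the first name match (not visible here) the duplicate is dead, but it will mislead anyone counting entries or reordering the list to express preference, so drop the second line.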
@@ -532,27 +537,31 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen, BIGNUM *shared_secret) { Buffer b; - EVP_MD_CTX md; + struct ssh_digest_ctx *hashctx; char c = id; u_int have; - int mdsz; + size_t mdsz; u_char *digest; - if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0) - fatal("bad kex md size %d", mdsz); + if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) + fatal("bad kex md size %zu", mdsz); digest = xmalloc(roundup(need, mdsz)); buffer_init(&b); buffer_put_bignum2(&b, shared_secret); /* K1 = HASH(K || H || "A" || session_id) */ - EVP_DigestInit(&md, kex->evp_md); - if (!(datafellows & SSH_BUG_DERIVEKEY)) - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestUpdate(&md, hash, hashlen); - EVP_DigestUpdate(&md, &c, 1); - EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len); - EVP_DigestFinal(&md, digest, NULL); + if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL) + fatal("%s: ssh_digest_start failed", __func__); + if (ssh_digest_update_buffer(hashctx, &b) != 0 || + ssh_digest_update(hashctx, hash, hashlen) != 0 || + ssh_digest_update(hashctx, &c, 1) != 0 || + ssh_digest_update(hashctx, kex->session_id, + kex->session_id_len) != 0) + fatal("%s: ssh_digest_update failed", __func__); + if (ssh_digest_final(hashctx, digest, mdsz) != 0) + fatal("%s: ssh_digest_final failed", __func__); + ssh_digest_free(hashctx); /* * expand key: 
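Review bot: The rewrite silently drops a compat quirk: the old code only hashed the shared secret when `!(datafellows & SSH_BUG_DERIVEKEY)`, while the new `ssh_digest_update_buffer(hashctx, &b)` is unconditional, both here for K1 and in the expansion loop of the next hunk (`@@ -560,12 +569,15 @@`). The commit message describes this as a hashing-API change only, so peers flagged SSH_BUG_DERIVEKEY will now derive different keys without any notice in the log. If retiring the quirk is intended, say so in the commit and remove the flag and its compat-table entries in the same change; otherwise restore the guard, e.g. `if (!(datafellows & SSH_BUG_DERIVEKEY) && ssh_digest_update_buffer(hashctx, &b) != 0)` as the first term of each update chain.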
@@ -560,12 +569,15 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen, * Key = K1 || K2 || ... || Kn */ for (have = mdsz; need > have; have += mdsz) { - EVP_DigestInit(&md, kex->evp_md); - if (!(datafellows & SSH_BUG_DERIVEKEY)) - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestUpdate(&md, hash, hashlen); - EVP_DigestUpdate(&md, digest, have); - EVP_DigestFinal(&md, digest + have, NULL); + if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL) + fatal("%s: ssh_digest_start failed", __func__); + if (ssh_digest_update_buffer(hashctx, &b) != 0 || + ssh_digest_update(hashctx, hash, hashlen) != 0 || + ssh_digest_update(hashctx, digest, have) != 0) + fatal("%s: ssh_digest_update failed", __func__); + if (ssh_digest_final(hashctx, digest + have, mdsz) != 0) + fatal("%s: ssh_digest_final failed", __func__); + ssh_digest_free(hashctx); } buffer_free(&b); #ifdef DEBUG_KEX 
@@ -615,33 +627,33 @@ void derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, u_int8_t cookie[8], u_int8_t id[16]) { - const EVP_MD *evp_md = EVP_md5(); - EVP_MD_CTX md; - u_int8_t nbuf[2048], obuf[EVP_MAX_MD_SIZE]; + u_int8_t nbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH]; int len; + struct ssh_digest_ctx *hashctx; - EVP_DigestInit(&md, evp_md); + if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) + fatal("%s: ssh_digest_start", __func__); len = BN_num_bytes(host_modulus); if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) fatal("%s: bad host modulus (len %d)", __func__, len); BN_bn2bin(host_modulus, nbuf); - EVP_DigestUpdate(&md, nbuf, len); + if (ssh_digest_update(hashctx, nbuf, len) != 0) + fatal("%s: ssh_digest_update failed", __func__); len = BN_num_bytes(server_modulus); if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) fatal("%s: bad server modulus (len %d)", __func__, len); BN_bn2bin(server_modulus, nbuf); - EVP_DigestUpdate(&md, nbuf, len); - - EVP_DigestUpdate(&md, cookie, 8); - - EVP_DigestFinal(&md, obuf, NULL); - memcpy(id, obuf, 16); + if (ssh_digest_update(hashctx, nbuf, len) != 0 || + ssh_digest_update(hashctx, cookie, 8) != 0) + fatal("%s: ssh_digest_update failed", __func__); + if (ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) + fatal("%s: ssh_digest_final failed", __func__); + memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); memset(nbuf, 0, sizeof(nbuf)); memset(obuf, 0, sizeof(obuf)); - memset(&md, 0, sizeof(md)); } #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) diff --git a/kex.h b/kex.h index 800a6923..fbe4940e 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.58 2013/11/07 11:58:27 dtucker Exp $ */ +/* $OpenBSD: kex.h,v 1.59 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 
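Review bot: `hashctx` is never released in derive_ssh1_session_id: the old `memset(&md, 0, sizeof(md))` was removed but no `ssh_digest_free(hashctx);` took its place, so each SSH1 session-id computation leaves an initialised EVP context (and its calloc'd wrapper) behind, and the MD5 state that the old code zeroed now stays in memory. Add `ssh_digest_free(hashctx);` immediately after the `ssh_digest_final` check, before the `memcpy` into id, as the other converted functions in this commit do.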
@@ -133,7 +133,7 @@ struct Kex { Buffer peer; sig_atomic_t done; int flags; - const EVP_MD *evp_md; + int hash_alg; int ec_nid; char *client_version_string; char *server_version_string; @@ -170,17 +170,17 @@ void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); void -kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, +kexgex_hash(int, char *, char *, char *, int, char *, int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); #ifdef OPENSSL_HAS_ECC void -kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, +kex_ecdh_hash(int, const EC_GROUP *, char *, char *, char *, int, char *, int, u_char *, int, const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char **, u_int *); #endif void -kex_c25519_hash(const EVP_MD *, char *, char *, char *, int, +kex_c25519_hash(int, char *, char *, char *, int, char *, int, u_char *, int, const u_char *, const u_char *, const BIGNUM *, u_char **, u_int *); diff --git a/kexc25519.c b/kexc25519.c index 348a7d50..8dd36399 100644 --- a/kexc25519.c +++ b/kexc25519.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexc25519.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */ +/* $OpenBSD: kexc25519.c,v 1.3 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2001, 2013 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -41,6 +41,7 @@ #include "cipher.h" #include "kex.h" #include "log.h" +#include "digest.h" extern int crypto_scalarmult_curve25519(u_char a[CURVE25519_SIZE], const u_char b[CURVE25519_SIZE], const u_char c[CURVE25519_SIZE]) @@ -78,7 +79,7 @@ kexc25519_shared_key(const u_char key[CURVE25519_SIZE], void kex_c25519_hash( - const EVP_MD *evp_md, + int hash_alg, char *client_version_string, char *server_version_string, char *ckexinit, int ckexinitlen, 
@@ -90,8 +91,7 @@ kex_c25519_hash( u_char **hash, u_int *hashlen) { Buffer b; - EVP_MD_CTX md; - static u_char digest[EVP_MAX_MD_SIZE]; + static u_char digest[SSH_DIGEST_MAX_LENGTH]; buffer_init(&b); buffer_put_cstring(&b, client_version_string); @@ -113,15 +113,14 @@ kex_c25519_hash( #ifdef DEBUG_KEX buffer_dump(&b); #endif - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0) + fatal("%s: digest_buffer failed", __func__); buffer_free(&b); #ifdef DEBUG_KEX - dump_digest("hash", digest, EVP_MD_size(evp_md)); + dump_digest("hash", digest, ssh_digest_bytes(hash_alg)); #endif *hash = digest; - *hashlen = EVP_MD_size(evp_md); + *hashlen = ssh_digest_bytes(hash_alg); } diff --git a/kexc25519c.c b/kexc25519c.c index f741566c..4655c254 100644 --- a/kexc25519c.c +++ b/kexc25519c.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexc25519c.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */ +/* $OpenBSD: kexc25519c.c,v 1.3 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -97,7 +97,7 @@ kexc25519_client(Kex *kex) /* calc and verify H */ kex_c25519_hash( - kex->evp_md, + kex->hash_alg, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->my), buffer_len(&kex->my), diff --git a/kexc25519s.c b/kexc25519s.c index 784841b8..dc4f56c8 100644 --- a/kexc25519s.c +++ b/kexc25519s.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexc25519s.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */ +/* $OpenBSD: kexc25519s.c,v 1.3 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. 
@@ -81,7 +81,7 @@ kexc25519_server(Kex *kex) /* calc H */ key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); kex_c25519_hash( - kex->evp_md, + kex->hash_alg, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->peer), buffer_len(&kex->peer), diff --git a/kexdh.c b/kexdh.c index 56e22f5b..e7cdadc9 100644 --- a/kexdh.c +++ b/kexdh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdh.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: kexdh.c,v 1.24 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -36,6 +36,8 @@ #include "key.h" #include "cipher.h" #include "kex.h" +#include "digest.h" +#include "log.h" void kex_dh_hash( @@ -50,9 +52,7 @@ kex_dh_hash( u_char **hash, u_int *hashlen) { Buffer b; - static u_char digest[EVP_MAX_MD_SIZE]; - const EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; + static u_char digest[SSH_DIGEST_MAX_LENGTH]; buffer_init(&b); buffer_put_cstring(&b, client_version_string); @@ -74,15 +74,14 @@ kex_dh_hash( #ifdef DEBUG_KEX buffer_dump(&b); #endif - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, digest, sizeof(digest)) != 0) + fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); #ifdef DEBUG_KEX - dump_digest("hash", digest, EVP_MD_size(evp_md)); + dump_digest("hash", digest, ssh_digest_bytes(SSH_DIGEST_SHA1)); #endif *hash = digest; - *hashlen = EVP_MD_size(evp_md); + *hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1); } diff --git a/kexecdh.c b/kexecdh.c index c948fe20..c52c5e23 100644 --- a/kexecdh.c +++ b/kexecdh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdh.c,v 1.4 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: kexecdh.c,v 1.5 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. 
@@ -44,10 +44,11 @@ #include "cipher.h" #include "kex.h" #include "log.h" +#include "digest.h" void kex_ecdh_hash( - const EVP_MD *evp_md, + int hash_alg, const EC_GROUP *ec_group, char *client_version_string, char *server_version_string, @@ -60,8 +61,7 @@ kex_ecdh_hash( u_char **hash, u_int *hashlen) { Buffer b; - EVP_MD_CTX md; - static u_char digest[EVP_MAX_MD_SIZE]; + static u_char digest[SSH_DIGEST_MAX_LENGTH]; buffer_init(&b); buffer_put_cstring(&b, client_version_string); @@ -83,17 +83,15 @@ kex_ecdh_hash( #ifdef DEBUG_KEX buffer_dump(&b); #endif - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0) + fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); #ifdef DEBUG_KEX - dump_digest("hash", digest, EVP_MD_size(evp_md)); + dump_digest("hash", digest, ssh_digest_bytes(hash_alg)); #endif *hash = digest; - *hashlen = EVP_MD_size(evp_md); + *hashlen = ssh_digest_bytes(hash_alg); } - #endif /* OPENSSL_HAS_ECC */ diff --git a/kexecdhc.c b/kexecdhc.c index 6193836c..fc62cec5 100644 --- a/kexecdhc.c +++ b/kexecdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhc.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kexecdhc.c,v 1.5 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -124,7 +124,7 @@ kexecdh_client(Kex *kex) /* calc and verify H */ kex_ecdh_hash( - kex->evp_md, + kex->hash_alg, group, kex->client_version_string, kex->server_version_string, diff --git a/kexecdhs.c b/kexecdhs.c index 431fd2c2..d1dd8c7f 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.7 2013/11/02 22:24:24 markus Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.8 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. 
@@ -109,7 +109,7 @@ kexecdh_server(Kex *kex) /* calc H */ key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); kex_ecdh_hash( - kex->evp_md, + kex->hash_alg, group, kex->client_version_string, kex->server_version_string, diff --git a/kexgex.c b/kexgex.c index b60ab5c5..c2e6bc16 100644 --- a/kexgex.c +++ b/kexgex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgex.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: kexgex.c,v 1.28 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -36,10 +36,12 @@ #include "cipher.h" #include "kex.h" #include "ssh2.h" +#include "digest.h" +#include "log.h" void kexgex_hash( - const EVP_MD *evp_md, + int hash_alg, char *client_version_string, char *server_version_string, char *ckexinit, int ckexinitlen, @@ -52,8 +54,7 @@ kexgex_hash( u_char **hash, u_int *hashlen) { Buffer b; - static u_char digest[EVP_MAX_MD_SIZE]; - EVP_MD_CTX md; + static u_char digest[SSH_DIGEST_MAX_LENGTH]; buffer_init(&b); buffer_put_cstring(&b, client_version_string); @@ -84,15 +85,14 @@ kexgex_hash( #ifdef DEBUG_KEXDH buffer_dump(&b); #endif - - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0) + fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); - *hash = digest; - *hashlen = EVP_MD_size(evp_md); -#ifdef DEBUG_KEXDH - dump_digest("hash", digest, *hashlen); + +#ifdef DEBUG_KEX + dump_digest("hash", digest, ssh_digest_bytes(hash_alg)); #endif + *hash = digest; + *hashlen = ssh_digest_bytes(hash_alg); } diff --git a/kexgexc.c b/kexgexc.c index 5a3be200..ca771edf 100644 --- a/kexgexc.c +++ b/kexgexc.c 
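Review bot: In kexgex_hash the new `dump_digest()` block is guarded by `#ifdef DEBUG_KEX`, but the `buffer_dump(&b)` a few lines above it in the same function is still under `#ifdef DEBUG_KEXDH`, so a build that defines only one of the two macros gets half of the debug output. If the intent is to align this file with kexdh.c and kexecdh.c, the earlier guard should become `#ifdef DEBUG_KEX` too; otherwise the new block should keep `DEBUG_KEXDH`. Moving `*hash = digest;` and `*hashlen = ...` below the dump block is behaviour-neutral. kexgex_hash starts above this hunk.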
@@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kexgexc.c,v 1.14 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -170,7 +170,7 @@ kexgex_client(Kex *kex) /* calc and verify H */ kexgex_hash( - kex->evp_md, + kex->hash_alg, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->my), buffer_len(&kex->my), diff --git a/kexgexs.c b/kexgexs.c index 4e473fc7..90853403 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.16 2013/07/19 07:37:48 markus Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.17 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -160,7 +160,7 @@ kexgex_server(Kex *kex) /* calc H */ kexgex_hash( - kex->evp_md, + kex->hash_alg, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->peer), buffer_len(&kex->peer), diff --git a/key.c b/key.c index b0bb46f3..91423380 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.114 2013/12/29 04:20:04 djm Exp $ */ +/* $OpenBSD: key.c,v 1.115 2014/01/09 23:20:00 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -56,6 +56,7 @@ #include "log.h" #include "misc.h" #include "ssh2.h" +#include "digest.h" static int to_blob(const Key *, u_char **, u_int *, int); static Key *key_from_blob2(const u_char *, u_int, int); 
@@ -358,30 +359,26 @@ u_char* key_fingerprint_raw(const Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) { - const EVP_MD *md = NULL; - EVP_MD_CTX ctx; u_char *blob = NULL; u_char *retval = NULL; u_int len = 0; - int nlen, elen; + int nlen, elen, hash_alg = -1; *dgst_raw_length = 0; + /* XXX switch to DIGEST_* directly? */ switch (dgst_type) { case SSH_FP_MD5: - md = EVP_md5(); + hash_alg = SSH_DIGEST_MD5; break; case SSH_FP_SHA1: - md = EVP_sha1(); + hash_alg = SSH_DIGEST_SHA1; break; -#ifdef HAVE_EVP_SHA256 case SSH_FP_SHA256: - md = EVP_sha256(); + hash_alg = SSH_DIGEST_SHA256; break; -#endif default: - fatal("key_fingerprint_raw: bad digest type %d", - dgst_type); + fatal("%s: bad digest type %d", __func__, dgst_type); } switch (k->type) { case KEY_RSA1: @@ -410,18 +407,19 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, case KEY_UNSPEC: return retval; default: - fatal("key_fingerprint_raw: bad key type %d", k->type); + fatal("%s: bad key type %d", __func__, k->type); break; } if (blob != NULL) { - retval = xmalloc(EVP_MAX_MD_SIZE); - EVP_DigestInit(&ctx, md); - EVP_DigestUpdate(&ctx, blob, len); - EVP_DigestFinal(&ctx, retval, dgst_raw_length); + retval = xmalloc(SSH_DIGEST_MAX_LENGTH); + if ((ssh_digest_memory(hash_alg, blob, len, + retval, SSH_DIGEST_MAX_LENGTH)) != 0) + fatal("%s: digest_memory failed", __func__); memset(blob, 0, len); free(blob); + *dgst_raw_length = ssh_digest_bytes(hash_alg); } else { - fatal("key_fingerprint_raw: blob is null"); + fatal("%s: blob is null", __func__); } return retval; } @@ -2211,8 +2209,8 @@ key_curve_nid_to_name(int nid) } #ifdef OPENSSL_HAS_ECC -const EVP_MD * -key_ec_nid_to_evpmd(int nid) +int +key_ec_nid_to_hash_alg(int nid) { int kbits = key_curve_nid_to_bits(nid); 
@@ -2220,11 +2218,11 @@ key_ec_nid_to_evpmd(int nid) fatal("%s: invalid nid %d", __func__, nid); /* RFC5656 section 6.2.1 */ if (kbits <= 256) - return EVP_sha256(); + return SSH_DIGEST_SHA256; else if (kbits <= 384) - return EVP_sha384(); + return SSH_DIGEST_SHA384; else - return EVP_sha512(); + return SSH_DIGEST_SHA512; } int diff --git a/key.h b/key.h index 6a049d27..d8ad13d0 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.40 2013/12/06 13:39:49 markus Exp $ */ +/* $OpenBSD: key.h,v 1.41 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -131,7 +131,7 @@ u_int key_curve_nid_to_bits(int); int key_ecdsa_bits_to_nid(int); #ifdef OPENSSL_HAS_ECC int key_ecdsa_key_to_nid(EC_KEY *); -const EVP_MD *key_ec_nid_to_evpmd(int nid); +int key_ec_nid_to_hash_alg(int nid); int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); int key_ec_validate_private(const EC_KEY *); #endif diff --git a/roaming_client.c b/roaming_client.c index 2fb62312..de049cdc 100644 --- a/roaming_client.c +++ b/roaming_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_client.c,v 1.6 2013/10/16 02:31:46 djm Exp $ */ +/* $OpenBSD: roaming_client.c,v 1.7 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -48,6 +48,7 @@ #include "roaming.h" #include "ssh2.h" #include "sshconnect.h" +#include "digest.h" /* import */ extern Options options; @@ -90,10 +91,8 @@ request_roaming(void) static void roaming_auth_required(void) { - u_char digest[SHA_DIGEST_LENGTH]; - EVP_MD_CTX md; + u_char digest[SSH_DIGEST_MAX_LENGTH]; Buffer b; - const EVP_MD *evp_md = EVP_sha1(); u_int64_t chall, oldchall; chall = packet_get_int64(); 
@@ -107,14 +106,13 @@ roaming_auth_required(void) buffer_init(&b); buffer_put_int64(&b, cookie); buffer_put_int64(&b, chall); - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, digest, sizeof(digest)) != 0) + fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); packet_start(SSH2_MSG_KEX_ROAMING_AUTH); packet_put_int64(key1 ^ get_recv_bytes()); - packet_put_raw(digest, sizeof(digest)); + packet_put_raw(digest, ssh_digest_bytes(SSH_DIGEST_SHA1)); packet_send(); oldkey1 = key1; diff --git a/roaming_common.c b/roaming_common.c index 86b3372e..787bef04 100644 --- a/roaming_common.c +++ b/roaming_common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_common.c,v 1.11 2013/11/03 10:37:19 djm Exp $ */ +/* $OpenBSD: roaming_common.c,v 1.12 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -36,6 +36,7 @@ #include "cipher.h" #include "buffer.h" #include "roaming.h" +#include "digest.h" static size_t out_buf_size = 0; static char *out_buf = NULL; @@ -225,9 +226,7 @@ resend_bytes(int fd, u_int64_t *offset) void calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge) { - const EVP_MD *md = EVP_sha1(); - EVP_MD_CTX ctx; - u_char hash[EVP_MAX_MD_SIZE]; + u_char hash[SSH_DIGEST_MAX_LENGTH]; Buffer b; buffer_init(&b); @@ -235,12 +234,11 @@ calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge) buffer_put_int64(&b, cookie); buffer_put_int64(&b, challenge); - EVP_DigestInit(&ctx, md); - EVP_DigestUpdate(&ctx, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&ctx, hash, NULL); + if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, hash, sizeof(hash)) != 0) + fatal("%s: digest_buffer failed", __func__); buffer_clear(&b); - buffer_append(&b, hash, EVP_MD_size(md)); + buffer_append(&b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1)); *key = buffer_get_int64(&b); buffer_free(&b); } 
diff --git a/schnorr.c b/schnorr.c index 9549dcf0..aa3a5777 100644 --- a/schnorr.c +++ b/schnorr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: schnorr.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: schnorr.c,v 1.9 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -41,6 +41,7 @@ #include "log.h" #include "schnorr.h" +#include "digest.h" #include "openbsd-compat/openssl-compat.h" @@ -57,12 +58,12 @@ /* * Calculate hash component of Schnorr signature H(g || g^v || g^x || id) - * using the hash function defined by "evp_md". Returns signature as + * using the hash function defined by "hash_alg". Returns signature as * bignum or NULL on error. */ static BIGNUM * schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, - const EVP_MD *evp_md, const BIGNUM *g_v, const BIGNUM *g_x, + int hash_alg, const BIGNUM *g_v, const BIGNUM *g_x, const u_char *id, u_int idlen) { u_char *digest; @@ -88,7 +89,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b), "%s: hashblob", __func__)); - if (hash_buffer(buffer_ptr(&b), buffer_len(&b), evp_md, + if (hash_buffer(buffer_ptr(&b), buffer_len(&b), hash_alg, &digest, &digest_len) != 0) { error("%s: hash_buffer", __func__); goto out; @@ -113,7 +114,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, /* * Generate Schnorr signature to prove knowledge of private value 'x' used * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g' - * using the hash function "evp_md". + * using the hash function "hash_alg". * 'idlen' bytes from 'id' will be included in the signature hash as an anti- * replay salt. * 
@@ -123,7 +124,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, */ int schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, - const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x, + int hash_alg, const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p) { int success = -1; @@ -173,7 +174,7 @@ schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__)); /* h = H(g || g^v || g^x || id) */ - if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, g_v, g_x, + if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, g_v, g_x, id, idlen)) == NULL) { error("%s: schnorr_hash failed", __func__); goto out; @@ -223,7 +224,7 @@ schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, Buffer b; BIGNUM *r, *e; - if (schnorr_sign(grp_p, grp_q, grp_g, EVP_sha256(), + if (schnorr_sign(grp_p, grp_q, grp_g, SSH_DIGEST_SHA256, x, g_x, id, idlen, &r, &e) != 0) return -1; @@ -248,13 +249,13 @@ schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, /* * Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against * public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and - * 'grp_g' using hash "evp_md". + * 'grp_g' using hash "hash_alg". * Signature hash will be salted with 'idlen' bytes from 'id'. * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature. */ int schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, - const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen, + int hash_alg, const BIGNUM *g_x, const u_char *id, u_int idlen, const BIGNUM *r, const BIGNUM *e) { int success = -1; 
@@ -302,7 +303,7 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__)); /* h = H(g || g^v || g^x || id) */ - if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, e, g_x, + if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, e, g_x, id, idlen)) == NULL) { error("%s: schnorr_hash failed", __func__); goto out; @@ -385,7 +386,7 @@ schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, goto out; } - ret = schnorr_verify(grp_p, grp_q, grp_g, EVP_sha256(), + ret = schnorr_verify(grp_p, grp_q, grp_g, SSH_DIGEST_SHA256, g_x, id, idlen, r, e); out: BN_clear_free(e); 
@@ -443,43 +444,33 @@ bn_rand_range_gt_one(const BIGNUM *high) return NULL; } +/* XXX convert all callers of this to use ssh_digest_memory() directly */ /* * Hash contents of buffer 'b' with hash 'md'. Returns 0 on success, * with digest via 'digestp' (caller to free) and length via 'lenp'. * Returns -1 on failure. */ int -hash_buffer(const u_char *buf, u_int len, const EVP_MD *md, +hash_buffer(const u_char *buf, u_int len, int hash_alg, u_char **digestp, u_int *lenp) { - u_char digest[EVP_MAX_MD_SIZE]; - u_int digest_len; - EVP_MD_CTX evp_md_ctx; - int success = -1; + u_char digest[SSH_DIGEST_MAX_LENGTH]; + u_int digest_len = ssh_digest_bytes(hash_alg); - EVP_MD_CTX_init(&evp_md_ctx); - - if (EVP_DigestInit_ex(&evp_md_ctx, md, NULL) != 1) { - error("%s: EVP_DigestInit_ex", __func__); - goto out; - } - if (EVP_DigestUpdate(&evp_md_ctx, buf, len) != 1) { - error("%s: EVP_DigestUpdate", __func__); - goto out; + if (digest_len == 0) { + error("%s: invalid hash", __func__); + return -1; } - if (EVP_DigestFinal_ex(&evp_md_ctx, digest, &digest_len) != 1) { - error("%s: EVP_DigestFinal_ex", __func__); - goto out; + if (ssh_digest_memory(hash_alg, buf, len, digest, digest_len) != 0) { + error("%s: digest_memory failed", __func__); + return -1; } *digestp = xmalloc(digest_len); *lenp = digest_len; memcpy(*digestp, digest, *lenp); - success = 0; - out: - EVP_MD_CTX_cleanup(&evp_md_ctx); bzero(digest, sizeof(digest)); digest_len = 0; - return success; + return 0; } /* print formatted string followed by bignum */ @@ -549,7 +540,7 @@ modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p) { struct modp_group *ret; - ret = xmalloc(sizeof(*ret)); + ret = xcalloc(1, sizeof(*ret)); ret->p = ret->q = ret->g = NULL; if (BN_hex2bn(&ret->p, grp_p) == 0 || BN_hex2bn(&ret->g, grp_g) == 0) diff --git a/schnorr.h b/schnorr.h index 9730b47c..e2405c10 100644 --- a/schnorr.h +++ b/schnorr.h 
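Review bot: The block comment above hash_buffer still describes hashing "buffer 'b' with hash 'md'", although the parameters are now `buf`, `len` and `int hash_alg`; suggest `* Hash 'len' bytes at 'buf' with digest algorithm 'hash_alg'. Returns 0 on success,` as the first line. The two new early `return -1` paths also bypass the `bzero(digest, sizeof(digest))` at the end of the function; whether ssh_digest_memory() can leave partial output in `digest` on failure is not visible here, so clearing it before returning would keep the function's scrub-on-exit discipline. `digest_len = 0;` after the memcpy is a dead store.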
@@ -1,4 +1,4 @@ -/* $OpenBSD: schnorr.h,v 1.1 2009/03/05 07:18:19 djm Exp $ */ +/* $OpenBSD: schnorr.h,v 1.2 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2009 Damien Miller. All rights reserved. * @@ -27,7 +27,7 @@ struct modp_group { }; BIGNUM *bn_rand_range_gt_one(const BIGNUM *high); -int hash_buffer(const u_char *, u_int, const EVP_MD *, u_char **, u_int *); +int hash_buffer(const u_char *, u_int, int, u_char **, u_int *); void debug3_bn(const BIGNUM *, const char *, ...) __attribute__((__nonnull__ (2))) __attribute__((format(printf, 2, 3))); @@ -40,7 +40,7 @@ void modp_group_free(struct modp_group *); /* Signature and verification functions */ int schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, - const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x, + int hash_alg, const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p); int schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, @@ -48,7 +48,7 @@ schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, u_char **sig, u_int *siglen); int schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, - const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen, + int hash_alg, const BIGNUM *g_x, const u_char *id, u_int idlen, const BIGNUM *r, const BIGNUM *e); int schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, diff --git a/ssh-dss.c b/ssh-dss.c index a6292aa8..7b897475 100644 --- a/ssh-dss.c +++ b/ssh-dss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.29 2013/12/27 22:30:17 djm Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.30 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -38,6 +38,7 @@ #include "compat.h" #include "log.h" #include "key.h" +#include "digest.h" #define INTBLOB_LEN 20 #define SIGBLOB_LEN (2*INTBLOB_LEN) 
@@ -47,10 +48,8 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, const u_char *data, u_int datalen) { DSA_SIG *sig; - const EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN]; - u_int rlen, slen, len, dlen; + u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN]; + u_int rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); Buffer b; if (key == NULL || key_type_plain(key->type) != KEY_DSA || @@ -59,9 +58,11 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, return -1; } - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); + if (ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: ssh_digest_memory failed", __func__); + return -1; + } sig = DSA_do_sign(digest, dlen, key->dsa); memset(digest, 'd', sizeof(digest)); @@ -111,10 +112,8 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen) { DSA_SIG *sig; - const EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE], *sigblob; - u_int len, dlen; + u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob; + u_int len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); int rlen, ret; Buffer b; @@ -173,9 +172,11 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, free(sigblob); /* sha1 the data */ - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); + if (ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: digest_memory failed", __func__); + return -1; + } ret = DSA_do_verify(digest, dlen, sig, key->dsa); memset(digest, 'd', sizeof(digest)); diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 52f9e74c..10ad9da6 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c 
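Review bot: In ssh_dss_verify the two new `return -1` paths placed after `free(sigblob)` return without releasing `sig`, the DSA_SIG that the following `DSA_do_verify(digest, dlen, sig, key->dsa)` consumes; if `sig` is created when the signature blob is parsed above the hunk (the removed code had no early return at this point), these paths leak it and each return should be preceded by `DSA_SIG_free(sig);`. ssh_ecdsa_verify in ssh-ecdsa.c has the same shape, with `ECDSA_SIG_free(sig)`. Within this file the new error strings also differ (`ssh_digest_memory failed` in ssh_dss_sign, `digest_memory failed` in ssh_dss_verify), and ssh_dss_sign no longer checks `ssh_digest_bytes()` for 0 the way the ssh-ecdsa.c and ssh-rsa.c rewrites do. Both functions begin above their hunks.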
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-ecdsa.c,v 1.7 2013/12/27 22:30:17 djm Exp $ */ +/* $OpenBSD: ssh-ecdsa.c,v 1.8 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -42,15 +42,15 @@ #include "compat.h" #include "log.h" #include "key.h" +#include "digest.h" int ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, const u_char *data, u_int datalen) { ECDSA_SIG *sig; - const EVP_MD *evp_md; - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE]; + int hash_alg; + u_char digest[SSH_DIGEST_MAX_LENGTH]; u_int len, dlen; Buffer b, bb; @@ -60,10 +60,16 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, return -1; } - evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid); - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); + hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid); + if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { + error("%s: bad hash algorithm %d", __func__, hash_alg); + return -1; + } + if (ssh_digest_memory(hash_alg, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: digest_memory failed", __func__); + return -1; + } sig = ECDSA_do_sign(digest, dlen, key->ecdsa); memset(digest, 'd', sizeof(digest)); @@ -98,9 +104,8 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen) { ECDSA_SIG *sig; - const EVP_MD *evp_md; - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE], *sigblob; + int hash_alg; + u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob; u_int len, dlen; int rlen, ret; Buffer b, bb; @@ -112,8 +117,6 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, return -1; } - evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid); - /* fetch signature */ buffer_init(&b); buffer_append(&b, signature, signaturelen); 
@@ -154,9 +157,16 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, free(sigblob); /* hash the data */ - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); + hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid); + if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { + error("%s: bad hash algorithm %d", __func__, hash_alg); + return -1; + } + if (ssh_digest_memory(hash_alg, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: digest_memory failed", __func__); + return -1; + } ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa); memset(digest, 'd', sizeof(digest)); diff --git a/ssh-rsa.c b/ssh-rsa.c index b1ac50b3..a2112d03 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.49 2013/12/30 23:52:27 djm Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.50 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * @@ -32,6 +32,7 @@ #include "compat.h" #include "misc.h" #include "ssh.h" +#include "digest.h" static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *); @@ -40,9 +41,8 @@ int ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, const u_char *data, u_int datalen) { - const EVP_MD *evp_md; - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE], *sig; + int hash_alg; + u_char digest[SSH_DIGEST_MAX_LENGTH], *sig; u_int slen, dlen, len; int ok, nid; Buffer b; 
@@ -53,14 +53,18 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, return -1; } + /* hash the data */ + hash_alg = SSH_DIGEST_SHA1; nid = NID_sha1; - if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { - error("%s: EVP_get_digestbynid %d failed", __func__, nid); + if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { + error("%s: bad hash algorithm %d", __func__, hash_alg); + return -1; + } + if (ssh_digest_memory(hash_alg, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: ssh_digest_memory failed", __func__); return -1; } - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); slen = RSA_size(key->rsa); sig = xmalloc(slen); @@ -109,12 +113,11 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen) { Buffer b; - const EVP_MD *evp_md; - EVP_MD_CTX md; + int hash_alg; char *ktype; - u_char digest[EVP_MAX_MD_SIZE], *sigblob; + u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob; u_int len, dlen, modlen; - int rlen, ret, nid; + int rlen, ret; if (key == NULL || key_type_plain(key->type) != KEY_RSA || key->rsa == NULL) { 
@@ -161,17 +164,20 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, memset(sigblob, 0, diff); len = modlen; } - nid = NID_sha1; - if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { - error("%s: EVP_get_digestbynid %d failed", __func__, nid); - free(sigblob); + /* hash the data */ + hash_alg = SSH_DIGEST_SHA1; + if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { + error("%s: bad hash algorithm %d", __func__, hash_alg); + return -1; + } + if (ssh_digest_memory(hash_alg, data, datalen, + digest, sizeof(digest)) != 0) { + error("%s: ssh_digest_memory failed", __func__); return -1; } - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); - ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa); + ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len, + key->rsa); memset(digest, 'd', sizeof(digest)); memset(sigblob, 's', len); free(sigblob); @@ -198,7 +204,7 @@ static const u_char id_sha1[] = { }; static int -openssh_RSA_verify(int type, u_char *hash, u_int hashlen, +openssh_RSA_verify(int hash_alg, u_char *hash, u_int hashlen, u_char *sigbuf, u_int siglen, RSA *rsa) { u_int ret, rsasize, oidlen = 0, hlen = 0; @@ -207,8 +213,8 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen, u_char *decrypted = NULL; ret = 0; - switch (type) { - case NID_sha1: + switch (hash_alg) { + case SSH_DIGEST_SHA1: oid = id_sha1; oidlen = sizeof(id_sha1); hlen = 20; diff --git a/sshconnect2.c b/sshconnect2.c index 0d339b9c..8acffc5c 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.200 2013/12/30 23:52:28 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.201 2014/01/09 23:20:00 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. 
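Review bot: The rewritten hash-failure paths in ssh_rsa_verify drop the `free(sigblob)` that the removed `EVP_get_digestbynid` path performed, so both new `return -1` branches leak the signature blob that is still live here (the lines just above write `memset(sigblob, 0, diff)` and the success path frees it after verification). Each early return should be preceded by `free(sigblob);`, and since the success path scrubs the buffer with `memset(sigblob, 's', len)` before freeing it, the same treatment fits the error paths. ssh_rsa_verify begins above the hunk.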
@@ -1006,7 +1006,7 @@ jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme, debug3("%s: crypted = %s", __func__, crypted); #endif - if (hash_buffer(crypted, strlen(crypted), EVP_sha256(), + if (hash_buffer(crypted, strlen(crypted), SSH_DIGEST_SHA1, &secret, &secret_len) != 0) fatal("%s: hash_buffer", __func__); -- cgit v1.2.1 From 97efc2dee099e942683b71888780793db38a5944 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 9 Jan 2014 23:59:24 +0000 Subject: - djm@cvs.openbsd.org 2014/01/09 23:26:48 [sshconnect.c sshd.c] ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, deranged and might make some attacks on KEX easier; ok markus@ --- ChangeLog | 4 ++++ sshconnect.c | 5 ++++- sshd.c | 9 +++++++-- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a1d37bc2..be7d868b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,10 @@ rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@ + - djm@cvs.openbsd.org 2014/01/09 23:26:48 + [sshconnect.c sshd.c] + ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, + deranged and might make some attacks on KEX easier; ok markus@ 20140108 - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ diff --git a/sshconnect.c b/sshconnect.c index 791b31c1..d21781ea 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.243 2013/12/30 23:52:27 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.244 2014/01/09 23:26:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
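Review bot: The replacement in jpake_password_to_secret swaps `EVP_sha256()` for `SSH_DIGEST_SHA1`, which changes the hash used to derive the J-PAKE secret from the crypted password rather than only the API; every other EVP_sha256() call site in this series (schnorr_sign_buf, schnorr_verify_buf) maps to SSH_DIGEST_SHA256. Unless the downgrade is intended, the line should read `if (hash_buffer(crypted, strlen(crypted), SSH_DIGEST_SHA256,`; as written, a client built from this commit derives a different, and weaker, secret than one built before it. jpake_password_to_secret begins above the hunk.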
@@ -662,6 +662,9 @@ ssh_exchange_identification(int timeout_ms) fatal("Protocol major versions differ: %d vs. %d", (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, remote_major); + if ((datafellows & SSH_BUG_DERIVEKEY) != 0) + fatal("Server version \"%.100s\" uses unsafe key agreement; " + "refusing connection", remote_version); if ((datafellows & SSH_BUG_RSASIGMD5) != 0) logit("Server version \"%.100s\" uses unsafe RSA signature " "scheme; disabling use of RSA keys", remote_version); diff --git a/sshd.c b/sshd.c index 87795bea..60b416e3 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.413 2013/12/30 23:52:28 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.414 2014/01/09 23:26:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -502,9 +502,14 @@ sshd_exchange_identification(int sock_in, int sock_out) get_remote_ipaddr(), client_version_string); cleanup_exit(255); } - if ((datafellows & SSH_BUG_RSASIGMD5) != 0) + if ((datafellows & SSH_BUG_RSASIGMD5) != 0) { logit("Client version \"%.100s\" uses unsafe RSA signature " "scheme; disabling use of RSA keys", remote_version); + } + if ((datafellows & SSH_BUG_DERIVEKEY) != 0) { + fatal("Client version \"%.100s\" uses unsafe key agreement; " + "refusing connection", remote_version); + } mismatch = 0; switch (remote_major) { -- cgit v1.2.1 From a6ec36e46c25f686a3c7eea16a6cc9a8633251cf Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 12 Jan 2014 08:20:47 +0000 Subject: - djm@cvs.openbsd.org 2014/01/10 05:59:19 [sshd_config] the /etc/ssh/ssh_host_ed25519_key is loaded by default too --- ChangeLog | 6 ++++++ sshd_config | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index be7d868b..99b846e3 100644 --- a/ChangeLog +++ b/ChangeLog 
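Review bot: In sshd_exchange_identification the new SSH_BUG_DERIVEKEY rejection calls `fatal()` while the version-mismatch rejection a few lines above it in the same function uses `logit(...)` followed by `cleanup_exit(255)`; both terminate the child, but the two rejections now log through different helpers and levels, and if the mismatch path is the local convention, `logit("Client version \"%.100s\" uses unsafe key agreement; refusing connection", remote_version); cleanup_exit(255);` would match it. The braces added around the single-statement RSASIGMD5 `logit()` also make this hunk differ in style from the otherwise identical brace-less check added to sshconnect.c in the same commit. sshd_exchange_identification begins above the hunk.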
@@ -1,3 +1,9 @@ +20140112 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/10 05:59:19 + [sshd_config] + the /etc/ssh/ssh_host_ed25519_key is loaded by default too + 20140110 - (djm) OpenBSD CVS Sync - tedu@cvs.openbsd.org 2014/01/04 17:50:55 diff --git a/sshd_config b/sshd_config index 235459af..e9045bc4 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.92 2013/10/29 09:48:02 djm Exp $ +# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -24,6 +24,7 @@ #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h -- cgit v1.2.1 From 69750d71ff3d6393eccf6fa3c77376a68a3215bc Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 12 Jan 2014 08:21:22 +0000 Subject: - djm@cvs.openbsd.org 2014/01/12 08:13:13 [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c] [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c] avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@ --- ChangeLog | 8 +++++++ bufaux.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- buffer.h | 6 ++++- kex.c | 23 +++++++++++++++---- kex.h | 11 +++++---- kexc25519.c | 18 ++++++--------- kexc25519c.c | 15 ++++++------ kexc25519s.c | 15 +++++++----- kexdhc.c | 4 ++-- kexdhs.c | 4 ++-- kexecdhc.c | 4 ++-- kexecdhs.c | 4 ++-- kexgexc.c | 4 ++-- kexgexs.c | 4 ++-- 14 files changed, 147 insertions(+), 48 deletions(-) diff --git a/ChangeLog b/ChangeLog index 99b846e3..e30cec1a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,14 @@ - djm@cvs.openbsd.org 2014/01/10 05:59:19 [sshd_config] the /etc/ssh/ssh_host_ed25519_key is loaded by default too + - djm@cvs.openbsd.org 2014/01/12 08:13:13 + [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c] + [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c] + avoid use of OpenSSL BIGNUM type and functions for KEX with + Curve25519 by adding a buffer_put_bignum2_from_string() that stores + a string using the bignum encoding rules. Will make it easier to + build a reduced-feature OpenSSH without OpenSSL in the future; + ok markus@ 20140110 - (djm) OpenBSD CVS Sync diff --git a/bufaux.c b/bufaux.c index 3e70b8d9..9401fe1d 100644 --- a/bufaux.c +++ b/bufaux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufaux.c,v 1.53 2013/11/08 11:15:19 dtucker Exp $ */ +/* $OpenBSD: bufaux.c,v 1.54 2014/01/12 08:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -315,3 +315,76 @@ buffer_put_char(Buffer *buffer, int value) buffer_append(buffer, &ch, 1); } + +/* Pseudo bignum functions */ + +void * +buffer_get_bignum2_as_string_ret(Buffer *buffer, u_int *length_ptr) +{ + u_int len; + u_char *bin, *p, *ret; + + if ((p = bin = buffer_get_string_ret(buffer, &len)) == NULL) { + error("%s: invalid bignum", __func__); + return NULL; + } + + if (len > 0 && (bin[0] & 0x80)) { + error("%s: negative numbers not supported", __func__); + free(bin); + return NULL; + } + if (len > 8 * 1024) { + error("%s: cannot handle BN of size %d", __func__, len); + free(bin); + return NULL; + } + /* Skip zero prefix on numbers with the MSB set */ + if (len > 1 && bin[0] == 0x00 && (bin[1] & 0x80) != 0) { + p++; + len--; + } + ret = xmalloc(len); + memcpy(ret, p, len); + memset(p, '\0', len); + free(bin); + return ret; +} + +void * +buffer_get_bignum2_as_string(Buffer *buffer, u_int *l) +{ + void *ret = buffer_get_bignum2_as_string_ret(buffer, l); + + if (ret == NULL) + fatal("%s: buffer error", __func__); + return ret; +} + +/* + * Stores a string using the bignum encoding rules (\0 pad if MSB set). + */ +void +buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) +{ + u_char *buf, *p; + int pad = 0; + + if (l > 8 * 1024) + fatal("%s: length %u too long", __func__, l); + p = buf = xmalloc(l + 1); + /* + * If most significant bit is set then prepend a zero byte to + * avoid interpretation as a negative number. + */ + if (l > 0 && (s[0] & 0x80) != 0) { + *p++ = '\0'; + pad = 1; + } + memcpy(p, s, l); + buffer_put_string(buffer, buf, l + pad); + memset(buf, '\0', l + pad); + free(buf); +} + + diff --git a/buffer.h b/buffer.h index 4fa2ca11..7df8a38f 100644 --- a/buffer.h +++ b/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.22 2013/07/12 00:19:58 djm Exp $ */ +/* $OpenBSD: buffer.h,v 1.23 2014/01/12 08:13:13 djm Exp $ */ /* * Author: Tatu Ylonen 
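Review bot: buffer_get_bignum2_as_string_ret() never stores the result length into `length_ptr`, so callers of it and of buffer_get_bignum2_as_string() get an uninitialised length for a buffer whose size they cannot otherwise recover; add `if (length_ptr != NULL) *length_ptr = len;` immediately before `return ret;`, after the zero-prefix adjustment so the reported length matches the bytes copied. In the same function the size error passes a u_int to `%d`; `%u` matches the type and the wording already used in buffer_put_bignum2_from_string(). Both new functions scrub their temporary with a plain memset() before free(), which the compiler may drop as a dead store; kexc25519.c in this same commit marks the identical pattern with `/* XXX explicit_bzero() */`, and the same marker (or explicit_bzero() where available) belongs here too. If xmalloc() rejects zero-size requests, as it appears to elsewhere in this tree, a zero-length mpint (the wire encoding of 0) would make the _ret variant abort instead of returning NULL, which is worth confirming.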
@@ -86,6 +86,10 @@ char *buffer_get_cstring_ret(Buffer *, u_int *); void *buffer_get_string_ptr_ret(Buffer *, u_int *); int buffer_get_char_ret(u_char *, Buffer *); +void *buffer_get_bignum2_as_string_ret(Buffer *, u_int *); +void *buffer_get_bignum2_as_string(Buffer *, u_int *); +void buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int); + #ifdef OPENSSL_HAS_ECC #include diff --git a/kex.c b/kex.c index dbb1a981..7d054cdc 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.94 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.95 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -534,7 +534,7 @@ kex_choose_conf(Kex *kex) static u_char * derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen, - BIGNUM *shared_secret) + const u_char *shared_secret, u_int slen) { Buffer b; struct ssh_digest_ctx *hashctx; @@ -548,7 +548,7 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen, digest = xmalloc(roundup(need, mdsz)); buffer_init(&b); - buffer_put_bignum2(&b, shared_secret); + buffer_append(&b, shared_secret, slen); /* K1 = HASH(K || H || "A" || session_id) */ if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL) @@ -591,14 +591,15 @@ Newkeys *current_keys[MODE_MAX]; #define NKEYS 6 void -kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret) +kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, + const u_char *shared_secret, u_int slen) { u_char *keys[NKEYS]; u_int i, mode, ctos; for (i = 0; i < NKEYS; i++) { keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen, - shared_secret); + shared_secret, slen); } debug2("kex_derive_keys"); 
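Review bot: kex_derive_keys() in the kex.c hunk at `@@ -591,14 +591,15 @@` now takes raw bytes that derive_key() appends verbatim, so responsibility for SSH mpint (bignum2) encoding has moved to the caller, but neither the new signature nor the buffer.h prototypes say so; a comment such as `/* shared_secret must already be in SSH mpint (bignum2) wire encoding; see kex_derive_keys_bn() and buffer_put_bignum2_from_string() */` on kex_derive_keys() would keep a future caller from passing an unencoded secret and silently changing the derived keys. derive_key() and kex_derive_keys() both continue outside their hunks.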
@@ -613,6 +614,18 @@ kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret) } } +void +kex_derive_keys_bn(Kex *kex, u_char *hash, u_int hashlen, const BIGNUM *secret) +{ + Buffer shared_secret; + + buffer_init(&shared_secret); + buffer_put_bignum2(&shared_secret, secret); + kex_derive_keys(kex, hash, hashlen, + buffer_ptr(&shared_secret), buffer_len(&shared_secret)); + buffer_free(&shared_secret); +} + Newkeys * kex_get_newkeys(int mode) { diff --git a/kex.h b/kex.h index fbe4940e..7e2878f7 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.59 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.60 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -153,7 +153,8 @@ void kex_finish(Kex *); void kex_send_kexinit(Kex *); void kex_input_kexinit(int, u_int32_t, void *); -void kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *); +void kex_derive_keys(Kex *, u_char *, u_int, const u_char *, u_int); +void kex_derive_keys_bn(Kex *, u_char *, u_int, const BIGNUM *); Newkeys *kex_get_newkeys(int); @@ -182,14 +183,14 @@ kex_ecdh_hash(int, const EC_GROUP *, char *, char *, char *, int, void kex_c25519_hash(int, char *, char *, char *, int, char *, int, u_char *, int, const u_char *, const u_char *, - const BIGNUM *, u_char **, u_int *); + const u_char *, u_int, u_char **, u_int *); #define CURVE25519_SIZE 32 void kexc25519_keygen(u_char[CURVE25519_SIZE], u_char[CURVE25519_SIZE]) __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); -BIGNUM *kexc25519_shared_key(const u_char[CURVE25519_SIZE], - const u_char[CURVE25519_SIZE]) +void kexc25519_shared_key(const u_char key[CURVE25519_SIZE], + const u_char pub[CURVE25519_SIZE], Buffer *out) __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); 
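Review bot: kex_derive_keys_bn() holds the mpint-encoded secret in a stack Buffer and releases it with buffer_free(); whether that call scrubs the backing storage before freeing is not visible here, and the Curve25519 callers in this commit now rely on it alone, so it is worth confirming rather than assuming. A short header comment, e.g. `/* Convenience wrapper: encode a BIGNUM shared secret as an mpint and derive keys from it. */`, would also document why this wrapper exists next to the byte-string form.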
diff --git a/kexc25519.c b/kexc25519.c index 8dd36399..48ca4aaa 100644 --- a/kexc25519.c +++ b/kexc25519.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexc25519.c,v 1.3 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: kexc25519.c,v 1.4 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2001, 2013 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -58,23 +58,19 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE]) crypto_scalarmult_curve25519(pub, key, basepoint); } -BIGNUM * +void kexc25519_shared_key(const u_char key[CURVE25519_SIZE], - const u_char pub[CURVE25519_SIZE]) + const u_char pub[CURVE25519_SIZE], Buffer *out) { u_char shared_key[CURVE25519_SIZE]; - BIGNUM *shared_secret; crypto_scalarmult_curve25519(shared_key, key, pub); #ifdef DEBUG_KEXECDH dump_digest("shared secret", shared_key, CURVE25519_SIZE); #endif - if ((shared_secret = BN_new()) == NULL) - fatal("%s: BN_new failed", __func__); - if (BN_bin2bn(shared_key, sizeof(shared_key), shared_secret) == NULL) - fatal("%s: BN_bin2bn failed", __func__); + buffer_clear(out); + buffer_put_bignum2_from_string(out, shared_key, CURVE25519_SIZE); memset(shared_key, 0, CURVE25519_SIZE); /* XXX explicit_bzero() */ - return (shared_secret); } void @@ -87,7 +83,7 @@ kex_c25519_hash( u_char *serverhostkeyblob, int sbloblen, const u_char client_dh_pub[CURVE25519_SIZE], const u_char server_dh_pub[CURVE25519_SIZE], - const BIGNUM *shared_secret, + const u_char *shared_secret, u_int secretlen, u_char **hash, u_int *hashlen) { Buffer b; @@ -108,7 +104,7 @@ kex_c25519_hash( buffer_put_string(&b, serverhostkeyblob, sbloblen); buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE); buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE); - buffer_put_bignum2(&b, shared_secret); + buffer_append(&b, shared_secret, secretlen); #ifdef DEBUG_KEX buffer_dump(&b); diff --git a/kexc25519c.c b/kexc25519c.c index 4655c254..a80678af 100644 --- a/kexc25519c.c +++ b/kexc25519c.c 
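Review bot: kexc25519_shared_key() in the hunk at `@@ -58,23 +58,19 @@` passes the crypto_scalarmult_curve25519() output straight into buffer_put_bignum2_from_string() without checking that it is non-zero; the X25519 specification recommends rejecting an all-zero shared secret, and a constant-time comparison against a zero block (timingsafe_bcmp() where available) followed by fatal() before the encoding would implement that. The memset() of shared_key already carries the `/* XXX explicit_bzero() */` marker, which is good; the same caution applies to the bufaux.c helpers this commit adds.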
@@ -1,4 +1,4 @@ -/* $OpenBSD: kexc25519c.c,v 1.3 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: kexc25519c.c,v 1.4 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -45,7 +45,6 @@ void kexc25519_client(Kex *kex) { - BIGNUM *shared_secret; Key *server_host_key; u_char client_key[CURVE25519_SIZE]; u_char client_pubkey[CURVE25519_SIZE]; @@ -53,6 +52,7 @@ kexc25519_client(Kex *kex) u_char *server_host_key_blob = NULL, *signature = NULL; u_char *hash; u_int slen, sbloblen, hashlen; + Buffer shared_secret; kexc25519_keygen(client_key, client_pubkey); @@ -93,7 +93,8 @@ kexc25519_client(Kex *kex) signature = packet_get_string(&slen); packet_check_eom(); - shared_secret = kexc25519_shared_key(client_key, server_pubkey); + buffer_init(&shared_secret); + kexc25519_shared_key(client_key, server_pubkey, &shared_secret); /* calc and verify H */ kex_c25519_hash( @@ -105,7 +106,7 @@ kexc25519_client(Kex *kex) server_host_key_blob, sbloblen, client_pubkey, server_pubkey, - shared_secret, + buffer_ptr(&shared_secret), buffer_len(&shared_secret), &hash, &hashlen ); free(server_host_key_blob); @@ -121,8 +122,8 @@ kexc25519_client(Kex *kex) kex->session_id = xmalloc(kex->session_id_len); memcpy(kex->session_id, hash, kex->session_id_len); } - - kex_derive_keys(kex, hash, hashlen, shared_secret); - BN_clear_free(shared_secret); + kex_derive_keys(kex, hash, hashlen, + buffer_ptr(&shared_secret), buffer_len(&shared_secret)); + buffer_free(&shared_secret); kex_finish(kex); } diff --git a/kexc25519s.c b/kexc25519s.c index dc4f56c8..2b8e8efa 100644 --- a/kexc25519s.c +++ b/kexc25519s.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexc25519s.c,v 1.3 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: kexc25519s.c,v 1.4 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. 
@@ -42,7 +42,6 @@ void kexc25519_server(Kex *kex) { - BIGNUM *shared_secret; Key *server_host_private, *server_host_public; u_char *server_host_key_blob = NULL, *signature = NULL; u_char server_key[CURVE25519_SIZE]; @@ -50,6 +49,7 @@ kexc25519_server(Kex *kex) u_char server_pubkey[CURVE25519_SIZE]; u_char *hash; u_int slen, sbloblen, hashlen; + Buffer shared_secret; /* generate private key */ kexc25519_keygen(server_key, server_pubkey); @@ -76,7 +76,8 @@ kexc25519_server(Kex *kex) dump_digest("client public key:", client_pubkey, CURVE25519_SIZE); #endif - shared_secret = kexc25519_shared_key(server_key, client_pubkey); + buffer_init(&shared_secret); + kexc25519_shared_key(server_key, client_pubkey, &shared_secret); /* calc H */ key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); @@ -89,7 +90,7 @@ kexc25519_server(Kex *kex) server_host_key_blob, sbloblen, client_pubkey, server_pubkey, - shared_secret, + buffer_ptr(&shared_secret), buffer_len(&shared_secret), &hash, &hashlen ); @@ -117,7 +118,9 @@ kexc25519_server(Kex *kex) free(server_host_key_blob); /* have keys, free server key */ free(client_pubkey); - kex_derive_keys(kex, hash, hashlen, shared_secret); - BN_clear_free(shared_secret); + + kex_derive_keys(kex, hash, hashlen, + buffer_ptr(&shared_secret), buffer_len(&shared_secret)); + buffer_free(&shared_secret); kex_finish(kex); } diff --git a/kexdhc.c b/kexdhc.c index ccd137ca..78509af2 100644 --- a/kexdhc.c +++ b/kexdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kexdhc.c,v 1.14 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -155,7 +155,7 @@ kexdh_client(Kex *kex) memcpy(kex->session_id, hash, kex->session_id_len); } - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/kexdhs.c b/kexdhs.c index 39b9aba5..d2c7adc9 100644 
--- a/kexdhs.c +++ b/kexdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhs.c,v 1.16 2013/11/02 22:24:24 markus Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.17 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -154,7 +154,7 @@ kexdh_server(Kex *kex) /* have keys, free DH */ DH_free(dh); - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/kexecdhc.c b/kexecdhc.c index fc62cec5..e3d1cf5f 100644 --- a/kexecdhc.c +++ b/kexecdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhc.c,v 1.5 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: kexecdhc.c,v 1.6 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -152,7 +152,7 @@ kexecdh_client(Kex *kex) memcpy(kex->session_id, hash, kex->session_id_len); } - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/kexecdhs.c b/kexecdhs.c index d1dd8c7f..6fbb79c9 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.8 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.9 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -148,7 +148,7 @@ kexecdh_server(Kex *kex) /* have keys, free server key */ EC_KEY_free(server_key); - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/kexgexc.c b/kexgexc.c index ca771edf..a69ff270 100644 --- a/kexgexc.c +++ b/kexgexc.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexc.c,v 1.14 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: kexgexc.c,v 1.15 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -200,7 +200,7 @@ kexgex_client(Kex *kex) kex->session_id = xmalloc(kex->session_id_len); memcpy(kex->session_id, hash, kex->session_id_len); } - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); diff --git a/kexgexs.c b/kexgexs.c index 90853403..8773778e 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.17 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.18 2014/01/12 08:13:13 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -201,7 +201,7 @@ kexgex_server(Kex *kex) /* have keys, free DH */ DH_free(dh); - kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); -- cgit v1.2.1 From fb1e3c16153ee2f53a81bc2bf79c54fba168028a Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 16 Jan 2014 07:42:10 +0000 Subject: - djm@cvs.openbsd.org 2014/01/16 07:31:09 [sftp-client.c] needless and incorrect cast to size_t can break resumption of large download; patch from tobias@ --- ChangeLog | 7 +++++++ sftp-client.c | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e30cec1a..f8f432e7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20140118 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/16 07:31:09 + [sftp-client.c] + needless and incorrect cast to size_t can break resumption of + large download; patch from tobias@ + 20140112 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2014/01/10 05:59:19 
diff --git a/sftp-client.c b/sftp-client.c index 1eb82108..cb4e0c4b 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.111 2013/12/05 22:59:45 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.112 2014/01/16 07:31:09 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1104,7 +1104,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, local_path, strerror(errno)); goto fail; } - if ((size_t)st.st_size > size) { + if (st.st_size > size) { error("Unable to resume download of \"%s\": " "local file is larger than remote", local_path); fail: -- cgit v1.2.1 From 6a5d9fd0111e60b371f0fbe19c9d28d951aa4b59 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 16 Jan 2014 07:42:31 +0000 Subject: - djm@cvs.openbsd.org 2014/01/16 07:32:00 [version.h] openssh-6.5 --- ChangeLog | 3 +++ version.h | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f8f432e7..8c252da9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ [sftp-client.c] needless and incorrect cast to size_t can break resumption of large download; patch from tobias@ + - djm@cvs.openbsd.org 2014/01/16 07:32:00 + [version.h] + openssh-6.5 20140112 - (djm) OpenBSD CVS Sync diff --git a/version.h b/version.h index f6ec0ee3..83d70c6f 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.67 2013/07/25 00:57:37 djm Exp $ */ +/* $OpenBSD: version.h,v 1.69 2014/01/16 07:32:00 djm Exp $ */ -#define SSH_VERSION "OpenSSH_6.3" +#define SSH_VERSION "OpenSSH_6.5" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.2.1 From f289258cb1c92aa115b28e2952e28020591f5668 Mon Sep 17 00:00:00 2001 
From: djm Date: Thu, 16 Jan 2014 07:51:07 +0000 Subject: - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Crank RPM spec version numbers. --- ChangeLog | 2 ++ contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8c252da9..347c21f3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,8 @@ - djm@cvs.openbsd.org 2014/01/16 07:32:00 [version.h] openssh-6.5 + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Crank RPM spec version numbers. 20140112 - (djm) OpenBSD CVS Sync diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index c483692a..3c417bb8 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 6.4p1 +%define version 6.5p1 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.81 2013/11/08 05:48:15 djm Exp $ +$Id: openssh.spec,v 1.82 2014/01/16 07:51:10 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 29a38ded..d47cf386 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 6.4p1 +%define ver 6.5p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 3a612bd2..6693fe2b 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 6.4p1 +Version: 6.5p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.1 
From 50f26de44433c347221c49effc1950b51d956482 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 16 Jan 2014 07:51:44 +0000 Subject: - (djm) [README] update release notes URL. --- ChangeLog | 1 + README | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 347c21f3..d798e7f4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,7 @@ openssh-6.5 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Crank RPM spec version numbers. + - (djm) [README] update release notes URL. 20140112 - (djm) OpenBSD CVS Sync diff --git a/README b/README index 41a97fdc..8da9759e 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-6.4 for the release notes. +See http://www.openssh.com/txt/release-6.5 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.84 2013/11/08 05:48:13 djm Exp $ +$Id: README,v 1.85 2014/01/16 07:51:45 djm Exp $ -- cgit v1.2.1 From 9672b2f96b79aa1a390ced409455c5e8a44d813d Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 16 Jan 2014 22:53:24 +0000 Subject: - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain hardening flags including -fstack-protector-strong. These default to on if the toolchain supports them, but there is a configure-time knob (--without-hardening) to disable them if necessary. ok djm@ --- ChangeLog | 6 ++++++ aclocal.m4 | 21 +++++++++++++++++++-- configure.ac | 40 +++++++++++++++++++++++++++++++++------- 3 files changed, 58 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index d798e7f4..880763a7 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,9 @@ +20140117 + - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain + hardening flags including -fstack-protector-strong. These default to on + if the toolchain supports them, but there is a configure-time knob + (--without-hardening) to disable them if necessary. ok djm@ + 20140118 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2014/01/16 07:31:09 diff --git a/aclocal.m4 b/aclocal.m4 index 1b3bed79..b1648e4e 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,4 +1,4 @@ -dnl $Id: aclocal.m4,v 1.9 2013/06/02 21:31:27 tim Exp $ +dnl $Id: aclocal.m4,v 1.10 2014/01/16 22:53:24 dtucker Exp $ dnl dnl OpenSSH-specific autoconf macros dnl @@ -10,7 +10,7 @@ dnl 'check_flag'. AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ AC_MSG_CHECKING([if $CC supports $1]) saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $1" + CFLAGS="$CFLAGS $WERROR $1" _define_flag="$2" test "x$_define_flag" = "x" && _define_flag="$1" AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], @@ -28,6 +28,23 @@ fi], ) }]) +dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag]) +dnl Check that $LD accepts a flag 'check_flag'. If it is supported append +dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append +dnl 'check_flag'. +AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{ + AC_MSG_CHECKING([if $LD supports $1]) + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR $1" + _define_flag="$2" + test "x$_define_flag" = "x" && _define_flag="$1" + AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], + [ AC_MSG_RESULT([yes]) + LDFLAGS="$saved_LDFLAGS $_define_flag"], + [ AC_MSG_RESULT([no]) + LDFLAGS="$saved_LDFLAGS" ] + ) +}]) dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol) dnl Does AC_EGREP_HEADER on 'header' for the string 'field' diff --git a/configure.ac b/configure.ac index d37a211e..37db0fa7 100644 --- a/configure.ac +++ b/configure.ac 
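Review bot: The dnl comment introducing the new aclocal.m4 macro names it OSSH_CHECK_CFLAG_LINK, but the AC_DEFUN defines OSSH_CHECK_LDFLAG_LINK, which is also what configure.ac calls; change the comment to `dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag])`. Both OSSH_CHECK_CFLAG_COMPILE and the new macro now splice `$WERROR` into the probe flags, yet that variable is computed in configure.ac and is simply empty if a macro runs before that point, in which case an unsupported flag only warns and is accepted; a line such as `dnl Requires $WERROR (set in configure.ac) so that unsupported-flag warnings fail the probe.` above each macro would make the ordering dependency explicit. The AC_MSG_CHECKING text says `$LD` while AC_LINK_IFELSE drives the link through `$CC`, so the message may print an empty name; `$CC` is the accurate label.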
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.547 2013/12/19 00:00:12 dtucker Exp $ +# $Id: configure.ac,v 1.548 2014/01/16 22:53:24 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.547 $) +AC_REVISION($Revision: 1.548 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -121,18 +121,35 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ #include ]) use_stack_protector=1 +use_toolchain_hardening=1 AC_ARG_WITH([stackprotect], [ --without-stackprotect Don't use compiler's stack protection], [ if test "x$withval" = "xno"; then use_stack_protector=0 fi ]) +AC_ARG_WITH([hardening], + [ --without-hardening Don't use toolchain hardening flags], [ + if test "x$withval" = "xno"; then + use_stack_protector=0 + use_toolchain_hardening=0 + fi ]) +# We use -Werror for the tests only so that we catch warnings like "this is +# on by default" for things like -fPIE. +AC_MSG_CHECKING([if $CC supports -Werror]) +saved_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS -Werror" +AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], + [ AC_MSG_RESULT([yes]) + WERROR="-Werror"], + [ AC_MSG_RESULT([no]) + WERROR="" ] +) +CFLAGS="$saved_CFLAGS" if test "$GCC" = "yes" || test "$GCC" = "egcs"; then - OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror], - [-Qunused-arguments]) - OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror], - [-Wno-unknown-warning-option]) + OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) + OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option]) OSSH_CHECK_CFLAG_COMPILE([-Wall]) OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) 
@@ -143,6 +160,14 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) + if test "x$use_toolchain_hardening" = "x1"; then + OSSH_CHECK_CFLAG_COMPILE([-ftrapv]) + OSSH_CHECK_CFLAG_COMPILE([-fPIE]) + OSSH_CHECK_LDFLAG_LINK([-pie]) + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack]) + fi AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` case $GCC_VER in @@ -169,7 +194,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then # and/or platforms, so we test if we can. If it's not supported # on a given platform gcc will emit a warning so we use -Werror. if test "x$use_stack_protector" = "x1"; then - for t in -fstack-protector-all -fstack-protector; do + for t in -fstack-protector-strong -fstack-protector-all \ + -fstack-protector; do AC_MSG_CHECKING([if $CC supports $t]) saved_CFLAGS="$CFLAGS" saved_LDFLAGS="$LDFLAGS" -- cgit v1.2.1 From 8267d2e16cee25769159250aae4f70e9f3bace4b Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 17 Jan 2014 00:20:26 +0000 Subject: - (djm) [sftp-client.c] signed/unsigned comparison fix --- ChangeLog | 1 + sftp-client.c | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 880763a7..ada012fb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ hardening flags including -fstack-protector-strong. These default to on if the toolchain supports them, but there is a configure-time knob (--without-hardening) to disable them if necessary. ok djm@ + - (djm) [sftp-client.c] signed/unsigned comparison fix 20140118 - (djm) OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index cb4e0c4b..e3c63083 100644 --- a/sftp-client.c +++ b/sftp-client.c 
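Review bot: `-fPIE` (CFLAGS) and `-pie` (LDFLAGS) are probed independently, so a toolchain that accepts one and rejects the other ends up with position-independent objects linked without PIE, or `-pie` applied to non-PIE objects; probing the pair together (compile with `-fPIE`, link with `-pie`, keep both or neither) would avoid a half-applied mitigation. `-ftrapv` changes runtime behaviour rather than just codegen, since any signed overflow now aborts the process, so a comment such as `# -ftrapv turns signed overflow into an abort; latent overflows become crashes instead of silent wraps` next to it would record that trade-off. The OSSH_CHECK_LDFLAG_LINK probes only confirm that the linker accepts `-z relro`/`-z now`/`-z noexecstack`, not that the produced binary carries them, which is fine for configure but worth knowing when auditing a build.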
@@ -1104,7 +1104,11 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, local_path, strerror(errno)); goto fail; } - if (st.st_size > size) { + if (st.st_size < 0) { + error("\"%s\" has negative size", local_path); + goto fail; + } + if ((u_int64_t)st.st_size > size) { error("Unable to resume download of \"%s\": " "local file is larger than remote", local_path); fail: -- cgit v1.2.1 From 5666d3362f5b76ed194a33b321810447e8355d13 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 01:23:23 +0000 Subject: - (dtucker) [loginrec.c] Cast to the types specfied in the format specification to prevent warnings. --- ChangeLog | 2 ++ loginrec.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ada012fb..14098dbc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,8 @@ if the toolchain supports them, but there is a configure-time knob (--without-hardening) to disable them if necessary. ok djm@ - (djm) [sftp-client.c] signed/unsigned comparison fix + - (dtucker) [loginrec.c] Cast to the types specfied in the format + specification to prevent warnings. 20140118 - (djm) OpenBSD CVS Sync diff --git a/loginrec.c b/loginrec.c index 8844db54..4219b9ae 100644 --- a/loginrec.c +++ b/loginrec.c @@ -313,7 +313,8 @@ login_get_lastlog(struct logininfo *li, const uid_t uid) if (strlcpy(li->username, pw->pw_name, sizeof(li->username)) >= sizeof(li->username)) { error("%s: username too long (%lu > max %lu)", __func__, - strlen(pw->pw_name), sizeof(li->username) - 1); + (unsigned long)strlen(pw->pw_name), + (unsigned long)sizeof(li->username) - 1); return NULL; } -- cgit v1.2.1 From 62ef2f6fc45bb1f1618a239f0d1ee57f4f591287 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 01:31:33 +0000 Subject: - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. --- ChangeLog | 1 + crypto_api.h | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) 
diff --git a/ChangeLog b/ChangeLog index 14098dbc..57c0a596 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,7 @@ - (djm) [sftp-client.c] signed/unsigned comparison fix - (dtucker) [loginrec.c] Cast to the types specfied in the format specification to prevent warnings. + - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. 20140118 - (djm) OpenBSD CVS Sync diff --git a/crypto_api.h b/crypto_api.h index 580ba79b..5820ce8f 100644 --- a/crypto_api.h +++ b/crypto_api.h @@ -8,7 +8,9 @@ #ifndef crypto_api_h #define crypto_api_h -#include +#ifdef HAVE_STDINT_H +# include +#endif #include typedef int32_t crypto_int32; -- cgit v1.2.1 From 60a36a35ebec4d6a433d2a8ada9538d4f19f259c Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 01:42:17 +0000 Subject: - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. --- ChangeLog | 1 + poly1305.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 57c0a596..4542fbb8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,7 @@ - (dtucker) [loginrec.c] Cast to the types specfied in the format specification to prevent warnings. - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. + - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. 20140118 - (djm) OpenBSD CVS Sync diff --git a/poly1305.c b/poly1305.c index a5eada49..6fd1fc8c 100644 --- a/poly1305.c +++ b/poly1305.c @@ -8,7 +8,9 @@ #include "includes.h" #include -#include +#ifdef HAVE_STDINT_H +# include +#endif #include "poly1305.h" -- cgit v1.2.1 From 32ddbfba4aaa7bbbaf2a9c9d23b170bca583a129 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 17 Jan 2014 01:43:43 +0000 Subject: - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include includes.h to pull in all of the compatibility stuff. --- ChangeLog | 2 ++ blocks.c | 2 ++ fe25519.c | 2 ++ ge25519.c | 2 ++ hash.c | 2 ++ sc25519.c | 2 ++ verify.c | 2 ++ 7 files changed, 14 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4542fbb8..51eff2d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,8 @@ specification to prevent warnings. - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. + - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include + includes.h to pull in all of the compatibility stuff. 20140118 - (djm) OpenBSD CVS Sync diff --git a/blocks.c b/blocks.c index ba569b00..ad93fe50 100644 --- a/blocks.c +++ b/blocks.c @@ -5,6 +5,8 @@ * Copied from nacl-20110221/crypto_hashblocks/sha512/ref/blocks.c */ +#include "includes.h" + #include "crypto_api.h" typedef unsigned long long uint64; diff --git a/fe25519.c b/fe25519.c index 2f368ebe..e54fd154 100644 --- a/fe25519.c +++ b/fe25519.c @@ -6,6 +6,8 @@ * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c */ +#include "includes.h" + #define WINDOWSIZE 1 /* Should be 1,2, or 4 */ #define WINDOWMASK ((1< Date: Fri, 17 Jan 2014 03:18:45 +0000 Subject: - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. --- ChangeLog | 2 ++ openbsd-compat/bcrypt_pbkdf.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 51eff2d6..54a894d4 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -10,6 +10,8 @@ - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include includes.h to pull in all of the compatibility stuff. + - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside + #ifdef HAVE_STDINT_H. 20140118 - (djm) OpenBSD CVS Sync diff --git a/openbsd-compat/bcrypt_pbkdf.c b/openbsd-compat/bcrypt_pbkdf.c index e0736fea..91b6ba07 100644 --- a/openbsd-compat/bcrypt_pbkdf.c +++ b/openbsd-compat/bcrypt_pbkdf.c @@ -22,7 +22,9 @@ #include #include -#include +#ifdef HAVE_STDLIB_H +# include +#endif #include #ifdef HAVE_BLF_H -- cgit v1.2.1 From 522ff98f51ee34866e26fde180a181c1a0244317 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 03:20:05 +0000 Subject: - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that don't have them. --- ChangeLog | 2 ++ defines.h | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 54a894d4..feaf96eb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,8 @@ includes.h to pull in all of the compatibility stuff. - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. + - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that + don't have them. 20140118 - (djm) OpenBSD CVS Sync diff --git a/defines.h b/defines.h index b014f349..66100c84 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.174 2013/11/07 02:28:16 djm Exp $ */ +/* $Id: defines.h,v 1.175 2014/01/17 03:20:05 dtucker Exp $ */ /* Constants */ @@ -249,6 +249,13 @@ typedef unsigned long u_int32_t; #define __BIT_TYPES_DEFINED__ #endif +#ifndef HAVE_UINTXX_T +typedef u_int8_t uint8_t; +typedef u_int16_t uint16_t; +typedef u_int32_t uint32_t; +typedef u_int64_t uint64_t; +#endif + /* 64-bit types */ #ifndef HAVE_INT64_T # if (SIZEOF_LONG_INT == 8) -- cgit v1.2.1 
From 92213e682918abfdf38cf62a203359ac397ce441 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 04:12:16 +0000 Subject: - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into separate lines and alphabetize for easier diffing of changes. --- ChangeLog | 2 ++ configure.ac | 12 +++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index feaf96eb..723ab4d4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,8 @@ #ifdef HAVE_STDINT_H. - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that don't have them. + - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into + separate lines and alphabetize for easier diffing of changes. 20140118 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 37db0fa7..abd912f5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.548 2014/01/16 22:53:24 dtucker Exp $ +# $Id: configure.ac,v 1.549 2014/01/17 04:12:16 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.548 $) +AC_REVISION($Revision: 1.549 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2350,7 +2350,13 @@ AC_LINK_IFELSE( ] ) -AC_CHECK_FUNCS([RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method HMAC_CTX_init]) +AC_CHECK_FUNCS([ \ + BN_is_prime_ex \ + DSA_generate_parameters_ex \ + HMAC_CTX_init \ + RSA_generate_key_ex \ + RSA_get_default_method \ +]) AC_ARG_WITH([ssl-engine], [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], -- cgit v1.2.1 From bf15e1789088585438430c6a059c7a870dad7354 Mon Sep 17 00:00:00 2001 
From: dtucker Date: Fri, 17 Jan 2014 05:29:45 +0000 Subject: - djm@cvs.openbsd.org 2014/01/17 00:21:06 [sftp-client.c] signed/unsigned comparison warning fix; from portable (Id sync only) --- ChangeLog | 4 ++++ sftp-client.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 723ab4d4..f3450c8e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ don't have them. - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into separate lines and alphabetize for easier diffing of changes. + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/17 00:21:06 + [sftp-client.c] + signed/unsigned comparison warning fix; from portable (Id sync only) 20140118 - (djm) OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index e3c63083..fc035f2e 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.112 2014/01/16 07:31:09 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.113 2014/01/17 00:21:06 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * -- cgit v1.2.1 From c6b66224e8d479de5f76fe704001b9d4b9e70bfb Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 05:30:49 +0000 Subject: - dtucker@cvs.openbsd.org 2014/01/17 05:26:41 [digest.c] remove unused includes. ok djm@ --- ChangeLog | 3 +++ digest.c | 4 +--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f3450c8e..257a36ba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,9 @@ - djm@cvs.openbsd.org 2014/01/17 00:21:06 [sftp-client.c] signed/unsigned comparison warning fix; from portable (Id sync only) + - dtucker@cvs.openbsd.org 2014/01/17 05:26:41 + [digest.c] + remove unused includes. ok djm@ 20140118 - (djm) OpenBSD CVS Sync diff --git a/digest.c b/digest.c index 59a8ffe0..7d7f7357 100644 --- a/digest.c +++ b/digest.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: digest.c,v 1.1 2014/01/09 23:20:00 djm Exp $ */ +/* $OpenBSD: digest.c,v 1.2 2014/01/17 05:26:41 dtucker Exp $ */ /* * Copyright (c) 2013 Damien Miller * @@ -22,8 +22,6 @@ #include #include -#include /* for buffer.h */ -#include /* for buffer.h */ #include #include "buffer.h" -- cgit v1.2.1 From b061fb472c7075a0ac3cf14fe1baf6c0c6dfd1f0 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 17 Jan 2014 05:47:04 +0000 Subject: - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c] [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@ --- ChangeLog | 5 ++ Makefile.in | 5 +- configure.ac | 17 +++++-- sandbox-capsicum.c | 118 +++++++++++++++++++++++++++++++++++++++++++++++ sandbox-darwin.c | 2 +- sandbox-null.c | 2 +- sandbox-rlimit.c | 2 +- sandbox-seccomp-filter.c | 2 +- sandbox-systrace.c | 2 +- ssh-sandbox.h | 3 +- sshd.c | 2 +- 11 files changed, 147 insertions(+), 13 deletions(-) create mode 100644 sandbox-capsicum.c mode change 100755 => 100644 ssh-sandbox.h diff --git a/ChangeLog b/ChangeLog index 257a36ba..1bf7e0dc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,11 @@ - dtucker@cvs.openbsd.org 2014/01/17 05:26:41 [digest.c] remove unused includes. ok djm@ + - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c] + [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] + [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing + using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling + Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@ 20140118 - (djm) OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index 4a930c66..f5dd3b83 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.349 2014/01/09 23:58:53 djm Exp $ +# $Id: Makefile.in,v 1.350 2014/01/17 05:47:04 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -96,7 +96,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ - sandbox-seccomp-filter.o + sandbox-seccomp-filter.o sandbox-capsicum.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 @@ -472,4 +472,3 @@ package: $(CONFIGFILES) $(MANPAGES) $(TARGETS) if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \ sh buildpkg.sh; \ fi - diff --git a/configure.ac b/configure.ac index abd912f5..f14e177f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.549 2014/01/17 04:12:16 dtucker Exp $ +# $Id: configure.ac,v 1.550 2014/01/17 05:47:04 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.549 $) +AC_REVISION($Revision: 1.550 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -120,6 +120,10 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ #include #include ]) +AC_CHECK_DECL([cap_enter], [have_cap_enter=1], , [ + #include +]) + use_stack_protector=1 use_toolchain_hardening=1 AC_ARG_WITH([stackprotect], 
@@ -2835,7 +2839,7 @@ fi # Decide which sandbox style to use sandbox_arg="" AC_ARG_WITH([sandbox], - [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)], + [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], [ if test "x$withval" = "xyes" ; then sandbox_arg="" @@ -2974,6 +2978,13 @@ elif test "x$sandbox_arg" = "xrlimit" || \ AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit]) SANDBOX_STYLE="rlimit" AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) +elif test "x$sandbox_arg" = "xcapsicum" || \ + ( test -z "$sandbox_arg" && \ + test "x$have_cap_enter" = "x1") ; then + test "x$have_cap_enter" != "x1" && \ + AC_MSG_ERROR([capsicum sandbox requires cap_enter function]) + SANDBOX_STYLE="capsicum" + AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum]) elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then SANDBOX_STYLE="none" diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c new file mode 100644 index 00000000..5853a13e --- /dev/null +++ b/sandbox-capsicum.c 
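Review bot: The new capsicum branch is placed after the rlimit branch in the elif chain, so if the rlimit branch also auto-selects on an empty sandbox_arg (its condition continues past the hunk header, `elif test "x$sandbox_arg" = "xrlimit" || \`) a FreeBSD 10 build with setrlimit available gets the rlimit sandbox by default and reaches capsicum only with an explicit `--with-sandbox=capsicum`. If automatic selection on platforms that declare cap_enter is intended, the capsicum branch should be moved ahead of the rlimit one. Either way, a one-line comment above the chain stating the intended precedence of the sandbox styles would make the order harder to break on the next addition.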
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2011 Dag-Erling Smorgrav
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_CAPSICUM
+
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "log.h"
+#include "monitor.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+/*
+ * Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
+ * limits rights on stdout, stdin, stderr, monitor and switches to
+ * capability mode.
+ */
+
+struct ssh_sandbox {
+ struct monitor *monitor;
+ pid_t child_pid;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(struct monitor *monitor)
+{
+ struct ssh_sandbox *box;
+
+ /*
+ * Strictly, we don't need to maintain any state here but we need
+ * to return non-NULL to satisfy the API.
+ */
+ debug3("%s: preparing capsicum sandbox", __func__);
+ box = xcalloc(1, sizeof(*box));
+ box->monitor = monitor;
+ box->child_pid = 0;
+
+ return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+ struct rlimit rl_zero;
+ cap_rights_t rights;
+
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+
+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
+ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
+ __func__, strerror(errno));
+ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
+ __func__, strerror(errno));
+ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
+ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
+ __func__, strerror(errno));
+
+ cap_rights_init(&rights);
+
+ if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
+ fatal("can't limit stdin: %m");
+ if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
+ fatal("can't limit stdin: %m");
+ if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
+ fatal("can't limit stdin: %m");
+
+ cap_rights_init(&rights, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
+ fatal("%s: failed to limit the network socket", __func__);
+ cap_rights_init(&rights, CAP_WRITE);
+ if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
+ fatal("%s: failed to limit the logging socket", __func__);
+ if (cap_enter() != 0 && errno != ENOSYS)
+ fatal("%s: failed to enter capability mode", __func__);
+
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+ free(box);
+ debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+ box->child_pid = child_pid;
+}
+
+#endif /* SANDBOX_CAPSICUM */
diff --git a/sandbox-darwin.c b/sandbox-darwin.c
index 69901ef1..35f0c4d1 100644
--- a/sandbox-darwin.c
+++ b/sandbox-darwin.c
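Review bot: The three stdio fatal() messages in ssh_sandbox_child all say "can't limit stdin", so a failure on STDOUT_FILENO or STDERR_FILENO is reported against the wrong descriptor; the second and third should read `fatal("can't limit stdout: %s", strerror(errno));` and `fatal("can't limit stderr: %s", strerror(errno));`, which also matches the strerror(errno) form the setrlimit calls above use instead of the non-portable `%m` extension. The ENOSYS handling is uneven as well: the stdio limits and cap_enter() are tolerated when the kernel lacks Capsicum, but the cap_rights_limit() calls on m_recvfd and m_log_sendfd fatal() on any error, so on such a kernel the child would die at the monitor socket rather than continue unsandboxed as the other branches intend. Whichever behaviour is wanted, a run that takes the ENOSYS path enters preauth with no capability mode and nothing in the log says so; a `debug()` or `logit()` line on that path would let an operator see that the sandbox is not in effect.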
@@ -40,7 +40,7 @@ struct ssh_sandbox { }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; diff --git a/sandbox-null.c b/sandbox-null.c index 29fa9669..d4cb9188 100644 --- a/sandbox-null.c +++ b/sandbox-null.c @@ -39,7 +39,7 @@ struct ssh_sandbox { }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c index a0038633..da91eb1b 100644 --- a/sandbox-rlimit.c +++ b/sandbox-rlimit.c @@ -42,7 +42,7 @@ struct ssh_sandbox { }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index cc146530..2f73067e 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -132,7 +132,7 @@ struct ssh_sandbox { }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; diff --git a/sandbox-systrace.c b/sandbox-systrace.c index cc0db46c..53fbd47c 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -78,7 +78,7 @@ struct ssh_sandbox { }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; diff --git a/ssh-sandbox.h b/ssh-sandbox.h old mode 100755 new mode 100644 index dfecd5aa..bd5fd837 --- a/ssh-sandbox.h +++ b/ssh-sandbox.h @@ -15,9 +15,10 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +struct monitor; struct ssh_sandbox; -struct ssh_sandbox *ssh_sandbox_init(void); +struct ssh_sandbox *ssh_sandbox_init(struct monitor *); void ssh_sandbox_child(struct ssh_sandbox *); void ssh_sandbox_parent_finish(struct ssh_sandbox *); void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t); diff --git a/sshd.c b/sshd.c index 60b416e3..a5d4218b 100644 --- a/sshd.c +++ b/sshd.c 
@@ -660,7 +660,7 @@ privsep_preauth(Authctxt *authctxt) pmonitor->m_pkex = &xxx_kex; if (use_privsep == PRIVSEP_ON) - box = ssh_sandbox_init(); + box = ssh_sandbox_init(pmonitor); pid = fork(); if (pid == -1) { fatal("fork of unprivileged child failed"); -- cgit v1.2.1 From f3c06868e1b64b7ab52357d25d9947ffacfb364b Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 06:32:30 +0000 Subject: - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] Add compatibility layer for older openssl versions. ok djm@ --- ChangeLog | 3 +++ configure.ac | 8 ++++++-- digest.c | 2 ++ openbsd-compat/openssl-compat.c | 30 +++++++++++++++++++++++++++++- openbsd-compat/openssl-compat.h | 18 +++++++++++++++++- 5 files changed, 57 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1bf7e0dc..be044b94 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,9 @@ [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@ + - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c + openbsd-compat/openssl-compat.h] Add compatibility layer for older + openssl versions. ok djm@ 20140118 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index f14e177f..2ac3afa3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.550 2014/01/17 05:47:04 djm Exp $ +# $Id: configure.ac,v 1.551 2014/01/17 06:32:30 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.550 $) +AC_REVISION($Revision: 1.551 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -2357,6 +2357,10 @@ AC_LINK_IFELSE( AC_CHECK_FUNCS([ \ BN_is_prime_ex \ DSA_generate_parameters_ex \ + EVP_DigestInit_ex \ + EVP_DigestFinal_ex \ + EVP_MD_CTX_init \ + EVP_MD_CTX_cleanup \ HMAC_CTX_init \ RSA_generate_key_ex \ RSA_get_default_method \ diff --git a/digest.c b/digest.c index 7d7f7357..d6004e7d 100644 --- a/digest.c +++ b/digest.c @@ -24,6 +24,8 @@ #include +#include "openbsd-compat/openssl-compat.h" + #include "buffer.h" #include "digest.h" diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 5189cab6..52c7183f 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.c,v 1.14 2011/05/10 01:13:38 dtucker Exp $ */ +/* $Id: openssl-compat.c,v 1.15 2014/01/17 06:32:31 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -59,6 +59,34 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp) } #endif +#ifndef HAVE_EVP_DIGESTINIT_EX +int +EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine) +{ + if (engine != NULL) + fatal("%s: ENGINE is not supported", __func__); +# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID + EVP_DigestInit(ctx, md); + return 1; +# else + return EVP_DigestInit(ctx, md); +# endif +} +#endif + +#ifndef HAVE_EVP_DISESTFINAL_EX +int +EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s) +{ +# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID + EVP_DigestFinal(ctx, md, s); + return 1; +# else + return EVP_DigestFinal(ctx, md, s); +# endif +} +#endif + #ifdef OPENSSL_EVP_DIGESTUPDATE_VOID int ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt) diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index e7439b4e..021ea98f 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.24 2013/02/12 00:00:40 djm Exp $ */ +/* $Id: openssl-compat.h,v 1.25 2014/01/17 06:32:31 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker 
@@ -148,6 +148,14 @@ int DSA_generate_parameters_ex(DSA *, int, const unsigned char *, int, int *, int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *); # endif +# ifndef HAVE_EVP_DIGESTINIT_EX +int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *); +# endif + +# ifndef HAVE_EVP_DISESTFINAL_EX +int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *); +# endif + int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *, unsigned char *, int); int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int); @@ -158,5 +166,13 @@ void ssh_OpenSSL_add_all_algorithms(void); # define HMAC_CTX_init(a) # endif +# ifndef HAVE_EVP_MD_CTX_INIT +# define EVP_MD_CTX_init(a) +# endif + +# ifndef HAVE_EVP_MD_CTX_CLEANUP +# define EVP_MD_CTX_cleanup(a) +# endif + #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ -- cgit v1.2.1 From 7bdd24a71231dbd47661b2ce5b7c235b29bdedaf Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 07:00:40 +0000 Subject: - (dtucker) Fix typo in #ifndef. --- ChangeLog | 1 + openbsd-compat/openssl-compat.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index be044b94..d3a15e4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,7 @@ - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] Add compatibility layer for older openssl versions. ok djm@ + - (dtucker) Fix typo in #ifndef. 20140118 - (djm) OpenBSD CVS Sync diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 52c7183f..60eac4b1 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.c,v 1.15 2014/01/17 06:32:31 dtucker Exp $ */ +/* $Id: openssl-compat.c,v 1.16 2014/01/17 07:00:41 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker 
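Review bot: The guard on the EVP_DigestFinal_ex prototype is misspelled, `# ifndef HAVE_EVP_DISESTFINAL_EX`, and the follow-up typo-fix commit below touches only openssl-compat.c, so the header still tests a macro configure never defines and declares the prototype unconditionally; it should be `# ifndef HAVE_EVP_DIGESTFINAL_EX` to match the .c file and the AC_CHECK_FUNCS entry. As written the redundant declaration appears to agree with OpenSSL's own and so compiles, but any future signature difference would turn it into a conflicting-declaration error that the corrected guard avoids.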
@@ -74,7 +74,7 @@ EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine) } #endif -#ifndef HAVE_EVP_DISESTFINAL_EX +#ifndef HAVE_EVP_DIGESTFINAL_EX int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s) { -- cgit v1.2.1 From 850d7ee31b13e7d2a2172e59955192e26b15f98c Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 07:10:58 +0000 Subject: - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs to be useful (and for the regression tests to pass) on platforms that have statfs and fstatfs. ok djm@ --- ChangeLog | 4 ++++ configure.ac | 5 ++-- openbsd-compat/bsd-statvfs.c | 55 ++++++++++++++++++++++++++++++++++++++++---- openbsd-compat/bsd-statvfs.h | 9 +++++--- 4 files changed, 63 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index d3a15e4d..70dad451 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,10 @@ openbsd-compat/openssl-compat.h] Add compatibility layer for older openssl versions. ok djm@ - (dtucker) Fix typo in #ifndef. + - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c + openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs + to be useful (and for the regression tests to pass) on platforms that + have statfs and fstatfs. ok djm@ 20140118 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 2ac3afa3..c97e12f3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.551 2014/01/17 06:32:30 dtucker Exp $ +# $Id: configure.ac,v 1.552 2014/01/17 07:10:58 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.551 $) +AC_REVISION($Revision: 1.552 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -1585,6 +1585,7 @@ AC_CHECK_FUNCS([ \ fchmod \ fchown \ freeaddrinfo \ + fstatfs \ fstatvfs \ futimes \ getaddrinfo \ diff --git a/openbsd-compat/bsd-statvfs.c b/openbsd-compat/bsd-statvfs.c index 844d5b46..2b1da80e 100644 --- a/openbsd-compat/bsd-statvfs.c +++ b/openbsd-compat/bsd-statvfs.c @@ -1,7 +1,7 @@ -/* $Id: bsd-statvfs.c,v 1.1 2008/06/08 17:32:29 dtucker Exp $ */ +/* $Id: bsd-statvfs.c,v 1.2 2014/01/17 07:10:59 dtucker Exp $ */ /* - * Copyright (c) 2008 Darren Tucker + * Copyright (c) 2008,2014 Darren Tucker * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -18,20 +18,65 @@ #include "includes.h" +#if !defined(HAVE_STATVFS) || !defined(HAVE_FSTATVFS) + +#include +#ifdef HAVE_SYS_MOUNT_H +# include +#endif + #include -#ifndef HAVE_STATVFS +static void +copy_statfs_to_statvfs(struct statvfs *to, struct statfs *from) +{ + to->f_bsize = from->f_bsize; + to->f_frsize = from->f_bsize; /* no exact equivalent */ + to->f_blocks = from->f_blocks; + to->f_bfree = from->f_bfree; + to->f_bavail = from->f_bavail; + to->f_files = from->f_files; + to->f_ffree = from->f_ffree; + to->f_favail = from->f_ffree; /* no exact equivalent */ + to->f_fsid = 0; /* XXX fix me */ + to->f_flag = from->f_flags; + to->f_namemax = MNAMELEN; +} + +# ifndef HAVE_STATVFS int statvfs(const char *path, struct statvfs *buf) { +# ifdef HAVE_STATFS + struct statfs fs; + + memset(&fs, 0, sizeof(fs)); + if (statfs(path, &fs) == -1) + return -1; + copy_statfs_to_statvfs(buf, &fs); + return 0; +# else errno = ENOSYS; return -1; +# endif } -#endif +# endif -#ifndef HAVE_FSTATVFS +# ifndef HAVE_FSTATVFS int fstatvfs(int fd, struct statvfs *buf) { +# ifdef HAVE_FSTATFS + struct statfs fs; + + memset(&fs, 0, sizeof(fs)); + if (fstatfs(fd, &fs) == -1) + return -1; + copy_statfs_to_statvfs(buf, &fs); + return 0; +# else errno = ENOSYS; return -1; +# endif } +# endif + #endif 
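Review bot: copy_statfs_to_statvfs sets `to->f_namemax = MNAMELEN;`, but MNAMELEN is the size of the mount-name fields in struct statfs, not the maximum filename length that statvfs callers read from f_namemax; it should come from the platform's statfs name-length member where one exists, or a pathconf-derived value, with a comment naming the source. The straight copy `to->f_flag = from->f_flags;` likewise assumes the statfs MNT_* bits coincide with the statvfs ST_* bits, which does not hold on every platform, so a caller testing ST_RDONLY or ST_NOSUID on the result may get the wrong answer; that field deserves either an explicit translation or a comment recording the assumption next to the existing `/* XXX fix me */` on f_fsid.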
diff --git a/openbsd-compat/bsd-statvfs.h b/openbsd-compat/bsd-statvfs.h index da215ffc..057407cc 100644 --- a/openbsd-compat/bsd-statvfs.h +++ b/openbsd-compat/bsd-statvfs.h @@ -1,7 +1,7 @@ -/* $Id: bsd-statvfs.h,v 1.1 2008/06/08 17:32:29 dtucker Exp $ */ +/* $Id: bsd-statvfs.h,v 1.2 2014/01/17 07:10:59 dtucker Exp $ */ /* - * Copyright (c) 2008 Darren Tucker + * Copyright (c) 2008,2014 Darren Tucker * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -20,11 +20,14 @@ #include +#ifdef HAVE_SYS_MOUNT_H +#include +#endif #ifdef HAVE_SYS_STATFS_H #include #endif -#ifndef HAVE_STATVFS +#if !defined(HAVE_STATVFS) || !defined(HAVE_FSTATVFS) #ifndef HAVE_FSBLKCNT_T typedef unsigned long fsblkcnt_t; -- cgit v1.2.1 From cf8a04e071d978db45f26e770a832a36c5eb3918 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 07:48:22 +0000 Subject: - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we need them to cut down on the name collisions. --- ChangeLog | 2 ++ openbsd-compat/bsd-statvfs.h | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 70dad451..3822b048 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,8 @@ openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs to be useful (and for the regression tests to pass) on platforms that have statfs and fstatfs. ok djm@ + - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we + need them to cut down on the name collisions. 20140118 - (djm) OpenBSD CVS Sync diff --git a/openbsd-compat/bsd-statvfs.h b/openbsd-compat/bsd-statvfs.h index 057407cc..dfd60997 100644 --- a/openbsd-compat/bsd-statvfs.h +++ b/openbsd-compat/bsd-statvfs.h 
@@ -1,4 +1,4 @@ -/* $Id: bsd-statvfs.h,v 1.2 2014/01/17 07:10:59 dtucker Exp $ */ +/* $Id: bsd-statvfs.h,v 1.3 2014/01/17 07:48:22 dtucker Exp $ */ /* * Copyright (c) 2008,2014 Darren Tucker @@ -18,6 +18,8 @@ #include "includes.h" +#if !defined(HAVE_STATVFS) || !defined(HAVE_FSTATVFS) + #include #ifdef HAVE_SYS_MOUNT_H @@ -27,8 +29,6 @@ #include #endif -#if !defined(HAVE_STATVFS) || !defined(HAVE_FSTATVFS) - #ifndef HAVE_FSBLKCNT_T typedef unsigned long fsblkcnt_t; #endif -- cgit v1.2.1 From 657c164bbbb838a57325891c9df86039bd1a7b8c Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 08:17:34 +0000 Subject: - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types. --- ChangeLog | 1 + configure.ac | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3822b048..d6ed13f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,7 @@ have statfs and fstatfs. ok djm@ - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we need them to cut down on the name collisions. + - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types. 20140118 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index c97e12f3..4f40afce 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.552 2014/01/17 07:10:58 dtucker Exp $ +# $Id: configure.ac,v 1.553 2014/01/17 08:17:35 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.552 $) +AC_REVISION($Revision: 1.553 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -340,6 +340,7 @@ AC_CHECK_HEADERS([ \ glob.h \ ia.h \ iaf.h \ + inttypes.h \ limits.h \ locale.h \ login.h \ 
@@ -3244,6 +3245,17 @@ if test -z "$have_uintxx_t" ; then ]) fi +if test -z "$have_uintxx_t" ; then + AC_MSG_CHECKING([for uintXX_t types in inttypes.h]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], + [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], + [ + AC_DEFINE([HAVE_UINTXX_T]) + AC_MSG_RESULT([yes]) + ], [ AC_MSG_RESULT([no]) + ]) +fi + if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then -- cgit v1.2.1 From b764c30d4ceee15808071bbdcd2d2c9a2fef9787 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 10:54:32 +0000 Subject: - (dtucker) [configure.ac] Have --without-toolchain-hardening not turn off stack-protector since that has a separate flag that's been around a while. --- ChangeLog | 2 ++ configure.ac | 5 ++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index d6ed13f8..fa793d78 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,8 @@ - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we need them to cut down on the name collisions. - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types. + - (dtucker) [configure.ac] Have --without-hardening not turn off + stack-protector since that has a separate flag that's been around a while. 20140118 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 4f40afce..f9d87e4b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.553 2014/01/17 08:17:35 dtucker Exp $ +# $Id: configure.ac,v 1.554 2014/01/17 10:54:32 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.553 $) +AC_REVISION($Revision: 1.554 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -134,7 +134,6 @@ AC_ARG_WITH([stackprotect], AC_ARG_WITH([hardening], [ --without-hardening Don't use toolchain hardening flags], [ if test "x$withval" = "xno"; then - use_stack_protector=0 use_toolchain_hardening=0 fi ]) -- cgit v1.2.1 From 259705ddec362633eb56606747d00eb3ff5e6619 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 13:03:57 +0000 Subject: - (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building on Solaris. --- ChangeLog | 2 ++ readconf.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index fa793d78..0af27d08 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,8 @@ - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types. - (dtucker) [configure.ac] Have --without-hardening not turn off stack-protector since that has a separate flag that's been around a while. + - (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building on + Solaris. 20140118 - (djm) OpenBSD CVS Sync diff --git a/readconf.c b/readconf.c index 08e16852..9c7e73d7 100644 --- a/readconf.c +++ b/readconf.c @@ -27,7 +27,9 @@ #include #include #include -#include +#ifdef HAVE_PATHS_H +# include +#endif #include #include #include -- cgit v1.2.1 From 767e2c5e9d65edeb7fe4ba35b851eb6512748750 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 17 Jan 2014 13:12:38 +0000 Subject: - (dtucker) [defines.h] Move our definitions of uintXX_t types down to after they're defined if we have to define them ourselves. Fixes builds on old AIX. --- ChangeLog | 3 +++ defines.h | 16 ++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0af27d08..4eb85904 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -43,6 +43,9 @@ stack-protector since that has a separate flag that's been around a while. - (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building on Solaris. + - (dtucker) [defines.h] Move our definitions of uintXX_t types down to after + they're defined if we have to define them ourselves. Fixes builds on old + AIX. 20140118 - (djm) OpenBSD CVS Sync diff --git a/defines.h b/defines.h index 66100c84..354d5b61 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.175 2014/01/17 03:20:05 dtucker Exp $ */ +/* $Id: defines.h,v 1.176 2014/01/17 13:12:38 dtucker Exp $ */ /* Constants */ @@ -249,13 +249,6 @@ typedef unsigned long u_int32_t; #define __BIT_TYPES_DEFINED__ #endif -#ifndef HAVE_UINTXX_T -typedef u_int8_t uint8_t; -typedef u_int16_t uint16_t; -typedef u_int32_t uint32_t; -typedef u_int64_t uint64_t; -#endif - /* 64-bit types */ #ifndef HAVE_INT64_T # if (SIZEOF_LONG_INT == 8) @@ -276,6 +269,13 @@ typedef unsigned long long int u_int64_t; # endif #endif +#ifndef HAVE_UINTXX_T +typedef u_int8_t uint8_t; +typedef u_int16_t uint16_t; +typedef u_int32_t uint32_t; +typedef u_int64_t uint64_t; +#endif + #ifndef HAVE_INTMAX_T typedef long long intmax_t; #endif -- cgit v1.2.1 From a0fd4064553945f52aafd0d6d83fe112d87afc6f Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 18 Jan 2014 09:43:49 +0000 Subject: - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch from vinschen at redhat.com --- ChangeLog | 4 ++++ uidswap.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4eb85904..ad20184b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20140118 + - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch + from vinschen at redhat.com + 20140117 - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain hardening flags including -fstack-protector-strong. These default to on 
diff --git a/uidswap.c b/uidswap.c index 23217ba5..1f09d588 100644 --- a/uidswap.c +++ b/uidswap.c @@ -134,7 +134,9 @@ temporarily_use_uid(struct passwd *pw) void permanently_drop_suid(uid_t uid) { +#ifndef HAVE_CYGWIN uid_t old_uid = getuid(); +#endif debug("permanently_drop_suid: %u", (u_int)uid); if (setresuid(uid, uid, uid) < 0) @@ -197,8 +199,10 @@ restore_uid(void) void permanently_set_uid(struct passwd *pw) { +#ifndef HAVE_CYGWIN uid_t old_uid = getuid(); gid_t old_gid = getgid(); +#endif if (pw == NULL) fatal("permanently_set_uid: no user given"); -- cgit v1.2.1 From e8b65fcef5c0711be1e3d09f75d6b76ba4472837 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 18 Jan 2014 10:03:59 +0000 Subject: - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function declarations that stopped being included when we stopped including from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at redhat.com. --- ChangeLog | 4 ++++ openbsd-compat/bsd-cygwin_util.h | 8 +++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ad20184b..092333cd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20140118 - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch from vinschen at redhat.com + - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function + declarations that stopped being included when we stopped including + from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at + redhat.com. 20140117 - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index 372e4195..1177366f 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h @@ -1,4 +1,4 @@ -/* $Id: bsd-cygwin_util.h,v 1.16 2013/04/01 01:40:49 dtucker Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.17 2014/01/18 10:04:00 dtucker Exp $ */ /* * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen 
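Review bot: The new `#ifndef HAVE_CYGWIN` guards around `old_uid`/`old_gid` only make sense because the later "try to get the old uid back" verification that reads them is presumably already compiled out on Cygwin further down in both functions (outside this hunk); nothing at the declaration says so, and a reader will wonder why the variables exist at all or whether Cygwin simply skips verifying the privilege drop. Suggest a one-line comment at each guarded declaration, e.g. `/* only used by the privilege-restoration check below, which is not compiled on Cygwin */`. If that check were not Cygwin-excluded the build would fail on the missing variable, so this is a documentation point rather than a logic change. Both permanently_drop_suid and permanently_set_uid continue past the hunk.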
@@ -40,9 +40,15 @@ typedef void *HANDLE; #define INVALID_HANDLE_VALUE ((HANDLE) -1) +/* Cygwin functions for which declarations are only available when including + windows headers, so we have to define them here explicitely. */ +extern HANDLE cygwin_logon_user (const struct passwd *, const char *); +extern void cygwin_set_impersonation_token (const HANDLE); + #include #include + int binary_open(const char *, int , ...); int check_ntsec(const char *); char **fetch_windows_environment(void); -- cgit v1.2.1 From 7f5da3211ef3764c9b62cd4048c9cff0389c8104 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 18 Jan 2014 10:12:42 +0000 Subject: - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs, optind) are defined in getopt.h already. Unfortunately they are defined as "declspec(dllimport)" for historical reasons, because the GNU linker didn't allow auto-import on PE/COFF targets way back when. The problem is the dllexport attributes collide with the definitions in the various source files in OpenSSH, which obviousy define the variables without declspec(dllimport). The least intrusive way to get rid of these warnings is to disable warnings for GCC compiler attributes when building on Cygwin. Patch from vinschen at redhat.com. --- ChangeLog | 9 +++++++++ configure.ac | 9 ++++++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 092333cd..ebe80e5c 100644 --- a/ChangeLog +++ b/ChangeLog 
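Review bot: `cygwin_logon_user` is declared with a `const struct passwd *` parameter, but no declaration of `struct passwd` is visible before it in this hunk; if `<pwd.h>` is not already included higher up in the header, C gives the tag prototype scope (the "struct passwd declared inside parameter list" warning) and the prototype will not match the type callers pass. Suggest adding `#include <pwd.h>` ahead of the two `extern` declarations, or moving the declarations below the two `#include` lines that follow them. Also the new comment's `explicitely` should read `explicitly`.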
@@ -5,6 +5,15 @@ declarations that stopped being included when we stopped including from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at redhat.com. + - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs, + optind) are defined in getopt.h already. Unfortunately they are defined as + "declspec(dllimport)" for historical reasons, because the GNU linker didn't + allow auto-import on PE/COFF targets way back when. The problem is the + dllexport attributes collide with the definitions in the various source + files in OpenSSH, which obviousy define the variables without + declspec(dllimport). The least intrusive way to get rid of these warnings + is to disable warnings for GCC compiler attributes when building on Cygwin. + Patch from vinschen at redhat.com. 20140117 - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain diff --git a/configure.ac b/configure.ac index f9d87e4b..76784c52 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.554 2014/01/17 10:54:32 dtucker Exp $ +# $Id: configure.ac,v 1.555 2014/01/18 10:12:43 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.554 $) +AC_REVISION($Revision: 1.555 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -544,7 +544,10 @@ case "$host" in [Define if your platform needs to skip post auth file descriptor passing]) AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size]) - AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) + AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) + # Cygwin defines optargs, optargs as declspec(dllimport) for historical + # reasons which cause compile warnings, so we disable those warnings. + OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes]) ;; *-*-dgux*) AC_DEFINE([IP_TOS_IS_BROKEN], [1], -- cgit v1.2.1 From 9a0f9f0f3e69e6b29956c487b9a6c51c58c6aac3 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sat, 18 Jan 2014 11:12:15 +0000 Subject: - (dtucker) [sandbox-capsicum.c] Correct some error messages and make the return value check for cap_enter() consistent with the other uses in FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140. --- ChangeLog | 3 +++ sandbox-capsicum.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index ebe80e5c..5d9b9d10 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,9 @@ declspec(dllimport). The least intrusive way to get rid of these warnings is to disable warnings for GCC compiler attributes when building on Cygwin. Patch from vinschen at redhat.com. + - (dtucker) [sandbox-capsicum.c] Correct some error messages and make the + return value check for cap_enter() consistent with the other uses in + FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140. 20140117 - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c index 5853a13e..f648c6ec 100644 --- a/sandbox-capsicum.c +++ b/sandbox-capsicum.c 
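Review bot: `OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])` silences every attribute diagnostic for the whole Cygwin build, not just the dllimport-versus-definition mismatch on the getopt variables, so a future misuse of e.g. `format` or `bounded` attributes goes unreported on that platform; the comment should say that this is a deliberate trade-off. The comment also repeats `optargs, optargs` where `optarg, optind` is meant, e.g. `# Cygwin declares optarg, optind etc. as declspec(dllimport); -Wno-attributes hides that mismatch (and all other attribute warnings) on Cygwin.`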
@@ -87,9 +87,9 @@ ssh_sandbox_child(struct ssh_sandbox *box) if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) fatal("can't limit stdin: %m"); if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS) - fatal("can't limit stdin: %m"); + fatal("can't limit stdout: %m"); if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS) - fatal("can't limit stdin: %m"); + fatal("can't limit stderr: %m"); cap_rights_init(&rights, CAP_READ, CAP_WRITE); if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1) @@ -97,7 +97,7 @@ ssh_sandbox_child(struct ssh_sandbox *box) cap_rights_init(&rights, CAP_WRITE); if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1) fatal("%s: failed to limit the logging socket", __func__); - if (cap_enter() != 0 && errno != ENOSYS) + if (cap_enter() < 0 && errno != ENOSYS) fatal("%s: failed to enter capability mode", __func__); } -- cgit v1.2.1 From e1fc368e7ceabe54d3e8477737088f85788e6bff Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 19 Jan 2014 04:25:34 +0000 Subject: - dtucker@cvs.openbsd.org 2014/01/17 06:23:24 [sftp-server.c] fix log message statvfs. ok djm --- ChangeLog | 6 ++++++ sftp-server.c | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5d9b9d10..f6167009 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20140119 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2014/01/17 06:23:24 + [sftp-server.c] + fix log message statvfs. ok djm + 20140118 - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch from vinschen at redhat.com diff --git a/sftp-server.c b/sftp-server.c index ad158f8e..b8eb59c3 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.102 2013/10/17 00:30:13 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.103 2014/01/17 06:23:24 dtucker Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * 
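Review bot: On the new `if (cap_enter() < 0 && errno != ENOSYS)` line an ENOSYS result leaves the pre-auth child running without capability mode and nothing is logged, so a kernel built without Capsicum degrades the sandbox silently; the three `cap_rights_limit` calls above use the same fail-open shape. Suggest at least recording it, e.g. `if (cap_enter() < 0) { if (errno != ENOSYS) fatal("%s: failed to enter capability mode", __func__); debug("%s: capsicum unavailable (ENOSYS), continuing unsandboxed", __func__); }`. ssh_sandbox_child begins before this hunk.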
@@ -1256,8 +1256,8 @@ process_extended_statvfs(u_int32_t id) struct statvfs st; path = get_string(NULL); - debug3("request %u: statfs", id); - logit("statfs \"%s\"", path); + debug3("request %u: statvfs", id); + logit("statvfs \"%s\"", path); if (statvfs(path, &st) != 0) send_status(id, errno_to_portable(errno)); -- cgit v1.2.1 From 0bdb7063cd17d0cb68f632002136ccb9cb104884 Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 19 Jan 2014 04:28:01 +0000 Subject: - dtucker@cvs.openbsd.org 2014/01/18 09:36:26 [session.c] explicitly define USE_PIPES to 1 to prevent redefinition warnings in portable on platforms that use pipes for everything. From redhat @ redhat. --- ChangeLog | 4 ++++ session.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f6167009..d274fc4e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - dtucker@cvs.openbsd.org 2014/01/17 06:23:24 [sftp-server.c] fix log message statvfs. ok djm + - dtucker@cvs.openbsd.org 2014/01/18 09:36:26 + [session.c] + explicitly define USE_PIPES to 1 to prevent redefinition warnings in + portable on platforms that use pipes for everything. 20140118 - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch diff --git a/session.c b/session.c index a0a0c2d9..924c11bc 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.268 2013/10/29 09:48:02 djm Exp $ */ +/* $OpenBSD: session.c,v 1.269 2014/01/18 09:36:26 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -441,7 +441,7 @@ do_authenticated1(Authctxt *authctxt) } } -#define USE_PIPES +#define USE_PIPES 1 /* * This is called to fork and execute a command when we have no tty. This * will call do_child from the child, and server_loop from the parent after -- cgit v1.2.1 From 93c41abf20b49803057178474e27015f720f705e Mon Sep 17 00:00:00 2001 
From: dtucker Date: Sun, 19 Jan 2014 04:30:02 +0000 Subject: - dtucker@cvs.openbsd.org 2014/01/19 04:17:29 [canohost.c addrmatch.c] Cast socklen_t when comparing to size_t and use socklen_t to iterate over the ip options, both to prevent signed/unsigned comparison warnings. Patch from vinschen at redhat via portable openssh, begrudging ok deraadt. --- ChangeLog | 8 +++++++- addrmatch.c | 6 +++--- canohost.c | 5 ++--- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index d274fc4e..847be146 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,7 +6,13 @@ - dtucker@cvs.openbsd.org 2014/01/18 09:36:26 [session.c] explicitly define USE_PIPES to 1 to prevent redefinition warnings in - portable on platforms that use pipes for everything. + portable on platforms that use pipes for everything. From vinschen at + redhat. + - dtucker@cvs.openbsd.org 2014/01/19 04:17:29 + [canohost.c addrmatch.c] + Cast socklen_t when comparing to size_t and use socklen_t to iterate over + the ip options, both to prevent signed/unsigned comparison warnings. + Patch from vinschen at redhat via portable openssh, begrudging ok deraadt. 20140118 - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch diff --git a/addrmatch.c b/addrmatch.c index fb6de92e..649de413 100644 --- a/addrmatch.c +++ b/addrmatch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: addrmatch.c,v 1.7 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: addrmatch.c,v 1.8 2014/01/19 04:17:29 dtucker Exp $ */ /* * Copyright (c) 2004-2008 Damien Miller @@ -88,13 +88,13 @@ addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa) switch (sa->sa_family) { case AF_INET: - if (slen < sizeof(*in4)) + if ((size_t)slen < sizeof(*in4)) return -1; xa->af = AF_INET; memcpy(&xa->v4, &in4->sin_addr, sizeof(xa->v4)); break; case AF_INET6: - if (slen < sizeof(*in6)) + if ((size_t)slen < sizeof(*in6)) return -1; xa->af = AF_INET6; memcpy(&xa->v6, &in6->sin6_addr, sizeof(xa->v6)); 
diff --git a/canohost.c b/canohost.c index 2e5a0b86..a19a60cd 100644 --- a/canohost.c +++ b/canohost.c @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.c,v 1.69 2013/11/20 20:54:10 deraadt Exp $ */ +/* $OpenBSD: canohost.c,v 1.70 2014/01/19 04:17:29 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -154,8 +154,7 @@ check_ip_options(int sock, char *ipaddr) #ifdef IP_OPTIONS u_char options[200]; char text[sizeof(options) * 3 + 1]; - socklen_t option_size; - u_int i; + socklen_t option_size, i; int ipproto; struct protoent *ip; -- cgit v1.2.1 From 4d827fd89231269ae590d47c2ff7ee539b1b58fc Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 19 Jan 2014 11:36:13 +0000 Subject: - djm@cvs.openbsd.org 2014/01/19 04:48:08 [ssh_config.5] fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal --- ChangeLog | 3 +++ ssh_config.5 | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 847be146..99073946 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,9 @@ Cast socklen_t when comparing to size_t and use socklen_t to iterate over the ip options, both to prevent signed/unsigned comparison warnings. Patch from vinschen at redhat via portable openssh, begrudging ok deraadt. + - djm@cvs.openbsd.org 2014/01/19 04:48:08 + [ssh_config.5] + fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal 20140118 - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch diff --git a/ssh_config.5 b/ssh_config.5 index 7b2fdacb..3cadcd76 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.183 2013/12/07 11:58:46 naddy Exp $ -.Dd $Mdocdate: December 7 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $ +.Dd $Mdocdate: January 19 2014 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -229,11 +229,11 @@ search for the specified destination host. .It Cm CanonicalizeFallbackLocal Specifies whether to fail with an error when hostname canonicalization fails. The default, -.Dq no , +.Dq yes , will attempt to look up the unqualified hostname using the system resolver's search rules. A value of -.Dq yes +.Dq no will cause .Xr ssh 1 to fail instantly if -- cgit v1.2.1 From 24ceaffeafd3779171584109d5b7454cf7d099ea Mon Sep 17 00:00:00 2001 From: dtucker Date: Sun, 19 Jan 2014 11:37:02 +0000 Subject: - dtucker@cvs.openbsd.org 2014/01/19 11:21:51 [addrmatch.c] Cast the sizeof to socklen_t so it'll work even if the supplied len is negative. Suggested by and ok djm, ok deraadt. --- ChangeLog | 4 ++++ addrmatch.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 99073946..22578ab2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ - djm@cvs.openbsd.org 2014/01/19 04:48:08 [ssh_config.5] fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal + - dtucker@cvs.openbsd.org 2014/01/19 11:21:51 + [addrmatch.c] + Cast the sizeof to socklen_t so it'll work even if the supplied len is + negative. Suggested by and ok djm, ok deraadt. 20140118 - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch diff --git a/addrmatch.c b/addrmatch.c index 649de413..c4431463 100644 --- a/addrmatch.c +++ b/addrmatch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: addrmatch.c,v 1.8 2014/01/19 04:17:29 dtucker Exp $ */ +/* $OpenBSD: addrmatch.c,v 1.9 2014/01/19 11:21:51 dtucker Exp $ */ /* * Copyright (c) 2004-2008 Damien Miller 
@@ -88,13 +88,13 @@ addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa) switch (sa->sa_family) { case AF_INET: - if ((size_t)slen < sizeof(*in4)) + if (slen < (socklen_t)sizeof(*in4)) return -1; xa->af = AF_INET; memcpy(&xa->v4, &in4->sin_addr, sizeof(xa->v4)); break; case AF_INET6: - if ((size_t)slen < sizeof(*in6)) + if (slen < (socklen_t)sizeof(*in6)) return -1; xa->af = AF_INET6; memcpy(&xa->v6, &in6->sin6_addr, sizeof(xa->v6)); -- cgit v1.2.1 From ca4fe166a6066fd63cee01ae59850ca0215d7fb8 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 20 Jan 2014 01:41:53 +0000 Subject: - djm@cvs.openbsd.org 2014/01/20 00:08:48 [digest.c] memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@ --- ChangeLog | 6 ++++++ digest.c | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 22578ab2..b870c075 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20140120 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/20 00:08:48 + [digest.c] + memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@ + 20140119 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2014/01/17 06:23:24 diff --git a/digest.c b/digest.c index d6004e7d..a221819e 100644 --- a/digest.c +++ b/digest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: digest.c,v 1.2 2014/01/17 05:26:41 dtucker Exp $ */ +/* $OpenBSD: digest.c,v 1.3 2014/01/20 00:08:48 djm Exp $ */ /* * Copyright (c) 2013 Damien Miller * @@ -125,6 +125,7 @@ ssh_digest_free(struct ssh_digest_ctx *ctx) { EVP_MD_CTX_cleanup(&ctx->mdctx); memset(ctx, 0, sizeof(*ctx)); + free(ctx); } int -- cgit v1.2.1 From 012c5940a90d5e0e12a1d304419a3f274efec48a Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 20 Jan 2014 02:18:09 +0000 Subject: - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos implementation does not have krb5_cc_new_unique, similar to what we do in auth-krb5.c. --- ChangeLog | 3 +++ gss-serv-krb5.c | 6 ++++++ 2 files changed, 9 insertions(+) 
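Review bot: The reason the cast moved from `slen` to the `sizeof` side lives only in the commit message: on platforms where socklen_t is signed, a negative slen cast to size_t becomes huge and passes the old check, whereas comparing in socklen_t rejects it. Suggest a why-comment above the AF_INET case so nobody "fixes" it back, e.g. `/* cast sizeof, not slen: a negative slen (signed socklen_t) must fail this check */`. addr_sa_to_xaddr starts above the hunk.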
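Review bot: The added `free(ctx)` immediately follows `memset(ctx, 0, sizeof(*ctx))`, which lets the compiler treat the memset as a dead store and drop it, so the hash state the zeroing is meant to scrub can survive in freed memory. Replace the memset with a clearing call the optimiser cannot elide — `explicit_bzero(ctx, sizeof(*ctx));` if this tree provides it (OpenBSD does; portable may need the compat version), otherwise a volatile-pointer clear. Separately, a NULL ctx still crashes on the `EVP_MD_CTX_cleanup(&ctx->mdctx)` line above, so a leading `if (ctx == NULL) return;` would give the function the conventional free-like contract. The function's signature line is outside the hunk.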
diff --git a/ChangeLog b/ChangeLog index b870c075..6073abbb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,7 @@ 20140120 + - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos + implementation does not have krb5_cc_new_unique, similar to what we do + in auth-krb5.c. - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2014/01/20 00:08:48 [digest.c] diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 87f26831..759fa104 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -132,10 +132,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) return; #ifdef HEIMDAL +# ifdef HAVE_KRB5_CC_NEW_UNIQUE if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix, NULL, &ccache)) != 0) { errmsg = krb5_get_error_message(krb_context, problem); logit("krb5_cc_new_unique(): %.100s", errmsg); +# else + if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { + logit("krb5_cc_gen_new(): %.100s", + krb5_get_err_text(krb_context, problem)); +# endif krb5_free_error_message(krb_context, errmsg); return; } -- cgit v1.2.1 From 67cd56ea8e0319f560ec8f5967da9d4c6525984d Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 20 Jan 2014 09:07:15 +0000 Subject: - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@ --- ChangeLog | 2 ++ regress/cert-hostkey.sh | 30 ++++-------------------------- 2 files changed, 6 insertions(+), 26 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6073abbb..66c3b624 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos implementation does not have krb5_cc_new_unique, similar to what we do in auth-krb5.c. + - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that + skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@ - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2014/01/20 00:08:48 [digest.c] 
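Review bot: In the new `# else` branch `errmsg` is never assigned, yet after `# endif` the shared `krb5_free_error_message(krb_context, errmsg);` still runs, so builds without krb5_cc_new_unique pass an uninitialised pointer to a free routine (unless errmsg is initialised at its declaration, which is outside the hunk); `krb5_get_err_text` returns storage that must not be freed in any case. Give each branch its own error handling and return, so the free only happens where the message was obtained. The enclosing `#ifdef HEIMDAL` block and ssh_gssapi_krb5_storecreds extend outside the hunk.
```c
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
	if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
	    NULL, &ccache)) != 0) {
		errmsg = krb5_get_error_message(krb_context, problem);
		logit("krb5_cc_new_unique(): %.100s", errmsg);
		krb5_free_error_message(krb_context, errmsg);
		return;
	}
# else
	if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
		logit("krb5_cc_gen_new(): %.100s",
		    krb5_get_err_text(krb_context, problem));
		return;
	}
# endif
	/* … unchanged: rest of credential cache setup … */
```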
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 1ed5af50..a1318cd5 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -72,32 +72,10 @@ done printf '@cert-authority ' printf "$HOSTS " cat $OBJ/host_ca_key.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_rsa.pub - if test "x$TEST_SSH_ECC" = "xyes"; then - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ecdsa-sha2-nistp384.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub - fi - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ed25519.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_dsa.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_rsa_v00.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_dsa_v00.pub + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do + test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" + printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" + done ) > $OBJ/known_hosts-cert for privsep in yes no ; do for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do -- cgit v1.2.1 From b3d63d27fd011f7f8ec6bb569466f1bfb40c6757 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 21 Jan 2014 01:48:51 +0000 Subject: - (dtucker) [configure.ac] Make PIE a configure-time option which defaults to on platforms where it's known to be reliably detected and off elsewhere. Works around platforms such as FreeBSD 9.1 where it does not interop with -ftrapv (it seems to work but fails when trying to link ssh). ok djm@ --- ChangeLog | 6 ++++++ configure.ac | 25 +++++++++++++++++++++---- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 66c3b624..cbbab53a 100644 --- a/ChangeLog +++ b/ChangeLog 
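Review bot: The new loop passes the public key file's contents as the printf format string (`printf "@revoked * \`cat …\`\n"`), so any `%` in the key's comment field is interpreted as a conversion and the known_hosts line is corrupted; the removed code emitted the key verbatim via `cat`. Use the data as an argument instead: `printf '@revoked * %s\n' "$(cat "$OBJ/cert_host_key_${ktype}.pub")"`, which also drops the backtick substitution.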
@@ -1,3 +1,9 @@ +20140121 + - (dtucker) [configure.ac] Make PIE a configure-time option which defaults + to on platforms where it's known to be reliably detected and off elsewhere. + Works around platforms such as FreeBSD 9.1 where it does not interop with + -ftrapv (it seems to work but fails when trying to link ssh). ok djm@ + 20140120 - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos implementation does not have krb5_cc_new_unique, similar to what we do diff --git a/configure.ac b/configure.ac index 76784c52..e5bb6840 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.555 2014/01/18 10:12:43 dtucker Exp $ +# $Id: configure.ac,v 1.556 2014/01/21 01:48:52 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.555 $) +AC_REVISION($Revision: 1.556 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -165,8 +165,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) if test "x$use_toolchain_hardening" = "x1"; then OSSH_CHECK_CFLAG_COMPILE([-ftrapv]) - OSSH_CHECK_CFLAG_COMPILE([-fPIE]) - OSSH_CHECK_LDFLAG_LINK([-pie]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack]) @@ -557,6 +555,7 @@ case "$host" in AC_DEFINE([BROKEN_SETREGID]) ;; *-*-darwin*) + use_pie=1 AC_MSG_CHECKING([if we have working getaddrinfo]) AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) @@ -695,6 +694,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) ;; *-*-linux*) no_dev_ptmx=1 + use_pie=1 check_for_libcrypt_later=1 check_for_openpty_ctty_bug=1 AC_DEFINE([PAM_TTY_KLUDGE], [1], 
@@ -791,6 +791,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) ;; *-*-openbsd*) + use_pie=1 AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) @@ -1562,6 +1563,22 @@ AC_ARG_WITH([audit], esac ] ) +AC_ARG_WITH([pie], + [ --with-pie Build Position Independent Executables if possible], [ + if test "x$withval" = "xno"; then + use_pie=0 + fi + if test "x$withval" = "xyes"; then + use_pie=1 + fi + ] +) + +if test "x$use_toolchain_hardening" = "x1" && test "x$use_pie" = "x1"; then + OSSH_CHECK_CFLAG_COMPILE([-fPIE]) + OSSH_CHECK_LDFLAG_LINK([-pie]) +fi + dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS([ \ Blowfish_initstate \ -- cgit v1.2.1 From dabbb8aab69f8fce651fa6a3d54691d65e94abf8 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 21 Jan 2014 01:50:46 +0000 Subject: - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time tests in the configure output. ok djm. --- ChangeLog | 2 ++ aclocal.m4 | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index cbbab53a..9ebe5a63 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ to on platforms where it's known to be reliably detected and off elsewhere. Works around platforms such as FreeBSD 9.1 where it does not interop with -ftrapv (it seems to work but fails when trying to link ssh). ok djm@ + - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time + tests in the configure output. ok djm. 20140120 - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos diff --git a/aclocal.m4 b/aclocal.m4 index b1648e4e..ce679648 100644 --- a/aclocal.m4 +++ b/aclocal.m4 
@@ -1,4 +1,4 @@ -dnl $Id: aclocal.m4,v 1.10 2014/01/16 22:53:24 dtucker Exp $ +dnl $Id: aclocal.m4,v 1.11 2014/01/21 01:50:46 dtucker Exp $ dnl dnl OpenSSH-specific autoconf macros dnl @@ -8,7 +8,7 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append dnl 'check_flag'. AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ - AC_MSG_CHECKING([if $CC supports $1]) + AC_MSG_CHECKING([if $CC supports compile flag $1]) saved_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $WERROR $1" _define_flag="$2" @@ -33,7 +33,7 @@ dnl Check that $LD accepts a flag 'check_flag'. If it is supported append dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append dnl 'check_flag'. AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{ - AC_MSG_CHECKING([if $LD supports $1]) + AC_MSG_CHECKING([if $LD supports link flag $1]) saved_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS $WERROR $1" _define_flag="$2" -- cgit v1.2.1 From f5fcf86e24482987ea0becdbc6ec16027dd088a5 Mon Sep 17 00:00:00 2001 From: tim Date: Tue, 21 Jan 2014 01:59:28 +0000 Subject: - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced with sftp chroot support. Move set_id call after chroot. --- ChangeLog | 2 ++ platform.c | 8 +------- session.c | 5 +++++ 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9ebe5a63..5c26fa9f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ -ftrapv (it seems to work but fails when trying to link ssh). ok djm@ - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time tests in the configure output. ok djm. + - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced + with sftp chroot support. Move set_id call after chroot. 20140120 - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos diff --git a/platform.c b/platform.c index 6d896c22..30fc6090 100644 --- a/platform.c +++ b/platform.c 
@@ -1,4 +1,4 @@ -/* $Id: platform.c,v 1.20 2013/09/22 09:02:40 dtucker Exp $ */ +/* $Id: platform.c,v 1.21 2014/01/21 01:59:29 tim Exp $ */ /* * Copyright (c) 2006 Darren Tucker. All rights reserved. @@ -164,12 +164,6 @@ platform_setusercontext_post_groups(struct passwd *pw) aix_usrinfo(pw); #endif /* _AIX */ -#if !defined(HAVE_LOGIN_CAP) && defined(USE_LIBIAF) - if (set_id(pw->pw_name) != 0) { - exit(1); - } -# endif /* USE_LIBIAF */ - #ifdef HAVE_SETPCRED /* * If we have a chroot directory, we set all creds except real diff --git a/session.c b/session.c index 924c11bc..6be16ca8 100644 --- a/session.c +++ b/session.c @@ -1552,6 +1552,11 @@ do_setusercontext(struct passwd *pw) */ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); #else +# ifdef USE_LIBIAF + if (set_id(pw->pw_name) != 0) { + exit(1); + } +# endif /* USE_LIBIAF */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif -- cgit v1.2.1 From 5d15a1787745da0d3d65f073fd2b0efb57bc2788 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 21 Jan 2014 02:10:26 +0000 Subject: - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of detecting toolchain-related problems; ok dtucker --- ChangeLog | 3 +++ aclocal.m4 | 30 ++++++++++++++++++++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5c26fa9f..8010f8b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ tests in the configure output. ok djm. - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced with sftp chroot support. Move set_id call after chroot. + - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE + and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of + detecting toolchain-related problems; ok dtucker 20140120 - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos 
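Review bot: The new `set_id()` failure path in session.c does a bare `exit(1)` without logging, so on USE_LIBIAF platforms a broken identity setup kills the session with no trace in sshd's log, unlike the surrounding uid-switch failures which go through fatal(). Suggest `fatal("%s: set_id(%s) failed", __func__, pw->pw_name);` in place of the exit, or at least an error() call before it. Since the call now happens after the chroot, it must not depend on files outside the chroot directory — if that has been checked, a comment saying so would help the next reader. do_setusercontext begins and ends outside the hunk.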
diff --git a/aclocal.m4 b/aclocal.m4 index ce679648..195a8763 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,4 +1,4 @@ -dnl $Id: aclocal.m4,v 1.11 2014/01/21 01:50:46 dtucker Exp $ +dnl $Id: aclocal.m4,v 1.12 2014/01/21 02:10:27 djm Exp $ dnl dnl OpenSSH-specific autoconf macros dnl @@ -13,7 +13,18 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ CFLAGS="$CFLAGS $WERROR $1" _define_flag="$2" test "x$_define_flag" = "x" && _define_flag="$1" - AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + printf("%d %d %d %f %f\n", i, j, k, l, m); + exit(0); +} + ]])], [ if `grep -i "unrecognized option" conftest.err >/dev/null` then @@ -28,7 +39,7 @@ fi], ) }]) -dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag]) +dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag]) dnl Check that $LD accepts a flag 'check_flag'. If it is supported append dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append dnl 'check_flag'. @@ -38,7 +49,18 @@ AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{ LDFLAGS="$LDFLAGS $WERROR $1" _define_flag="$2" test "x$_define_flag" = "x" && _define_flag="$1" - AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], + AC_LINK_IFELSE([AC_LANG_SOURCE([[ +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + printf("%d %d %d %f %f\n", i, j, k, l, m); + exit(0); +} + ]])], [ AC_MSG_RESULT([yes]) LDFLAGS="$saved_LDFLAGS $_define_flag"], [ AC_MSG_RESULT([no]) -- cgit v1.2.1 From 18e82cc6b94c292952a0249eba759216f041ccd3 Mon Sep 17 00:00:00 2001 
From: djm Date: Wed, 22 Jan 2014 05:30:15 +0000 Subject: - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a platform that is expected to use the reuse-argv style setproctitle hack surprises us by providing a setproctitle in libc; ok dtucker --- ChangeLog | 5 +++++ openbsd-compat/setproctitle.c | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 8010f8b4..479221af 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130122 + - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a + platform that is expected to use the reuse-argv style setproctitle + hack surprises us by providing a setproctitle in libc; ok dtucker + 20140121 - (dtucker) [configure.ac] Make PIE a configure-time option which defaults to on platforms where it's known to be reliably detected and off elsewhere. diff --git a/openbsd-compat/setproctitle.c b/openbsd-compat/setproctitle.c index a69db22a..9f7ca14c 100644 --- a/openbsd-compat/setproctitle.c +++ b/openbsd-compat/setproctitle.c @@ -67,7 +67,8 @@ static size_t argv_env_len = 0; void compat_init_setproctitle(int argc, char *argv[]) { -#if defined(SPT_TYPE) && SPT_TYPE == SPT_REUSEARGV +#if !defined(HAVE_SETPROCTITLE) && \ + defined(SPT_TYPE) && SPT_TYPE == SPT_REUSEARGV extern char **environ; char *lastargv = NULL; char **envp = environ; -- cgit v1.2.1 From 341268326711ddd56413c0f3d044ef5adc1671a4 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 22 Jan 2014 05:31:18 +0000 Subject: - (djm) [configure.ac] Unless specifically requested, only attempt to build Position Independent Executables on gcc >= 4.x; ok dtucker --- ChangeLog | 2 ++ configure.ac | 37 ++++++++++++++++++++++++++++--------- 2 files changed, 30 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 479221af..bbe112e6 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -2,6 +2,8 @@ - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a platform that is expected to use the reuse-argv style setproctitle hack surprises us by providing a setproctitle in libc; ok dtucker + - (djm) [configure.ac] Unless specifically requested, only attempt + to build Position Independent Executables on gcc >= 4.x; ok dtucker 20140121 - (dtucker) [configure.ac] Make PIE a configure-time option which defaults diff --git a/configure.ac b/configure.ac index e5bb6840..b738f4e6 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.556 2014/01/21 01:48:52 dtucker Exp $ +# $Id: configure.ac,v 1.557 2014/01/22 05:31:18 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.556 $) +AC_REVISION($Revision: 1.557 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -555,7 +555,7 @@ case "$host" in AC_DEFINE([BROKEN_SETREGID]) ;; *-*-darwin*) - use_pie=1 + use_pie=auto AC_MSG_CHECKING([if we have working getaddrinfo]) AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) @@ -694,7 +694,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) ;; *-*-linux*) no_dev_ptmx=1 - use_pie=1 + use_pie=auto check_for_libcrypt_later=1 check_for_openpty_ctty_bug=1 AC_DEFINE([PAM_TTY_KLUDGE], [1], @@ -791,7 +791,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) ;; *-*-openbsd*) - use_pie=1 + use_pie=auto AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) 
@@ -1566,15 +1566,34 @@ AC_ARG_WITH([audit], AC_ARG_WITH([pie], [ --with-pie Build Position Independent Executables if possible], [ if test "x$withval" = "xno"; then - use_pie=0 + use_pie=no fi if test "x$withval" = "xyes"; then - use_pie=1 + use_pie=yes fi ] ) - -if test "x$use_toolchain_hardening" = "x1" && test "x$use_pie" = "x1"; then +if test "x$use_pie" = "x"; then + use_pie=no +fi +if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then + # Turn off automatic PIE when toolchain hardening is off. + use_pie=no +fi +if test "x$use_pie" == "xauto"; then + # Automatic PIE requires gcc >= 4.x + AC_MSG_CHECKING([for gcc >= 4.x]) + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ +#if !defined(__GNUC__) || __GNUC__ < 4 +#error gcc is too old +#endif +]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + use_pie=no ] +) +fi +if test "x$use_pie" != "xno"; then OSSH_CHECK_CFLAG_COMPILE([-fPIE]) OSSH_CHECK_LDFLAG_LINK([-pie]) fi -- cgit v1.2.1 From 99e6f38f908eddf7808b265989908f0f2091ea72 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 22 Jan 2014 10:30:12 +0000 Subject: - (djm) [configure.ac aclocal.m4] More tests to detect fallout from platform hardening options: include some long long int arithmatic to detect missing support functions for -ftrapv in libgcc and equivalents, actually test linking when -ftrapv is supplied and set either both -pie/-fPIE or neither. feedback and ok dtucker@ --- ChangeLog | 5 +++++ aclocal.m4 | 45 ++++++++++++++++++++++++++++++++++++++++++--- configure.ac | 23 ++++++++++++++++++++--- 3 files changed, 67 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index bbe112e6..b4a81f99 100644 --- a/ChangeLog +++ b/ChangeLog 
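Review bot: `if test "x$use_pie" == "xauto"; then` uses `==`, which is a bash/ksh extension; a strictly POSIX test(1), as found in the /bin/sh of several platforms this configure script targets, rejects it, the `if` then takes the false path, the gcc-version gate is skipped with `use_pie` still `auto`, and the final `!= "xno"` test enables PIE regardless of compiler version. Every other comparison in the hunk uses a single `=`; change the line to `if test "x$use_pie" = "xauto"; then`. The same line reappears as context in the L1620 hunk.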
@@ -4,6 +4,11 @@ hack surprises us by providing a setproctitle in libc; ok dtucker - (djm) [configure.ac] Unless specifically requested, only attempt to build Position Independent Executables on gcc >= 4.x; ok dtucker + - (djm) [configure.ac aclocal.m4] More tests to detect fallout from + platform hardening options: include some long long int arithmatic + to detect missing support functions for -ftrapv in libgcc and + equivalents, actually test linking when -ftrapv is supplied and + set either both -pie/-fPIE or neither. feedback and ok dtucker@ 20140121 - (dtucker) [configure.ac] Make PIE a configure-time option which defaults diff --git a/aclocal.m4 b/aclocal.m4 index 195a8763..1640683e 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,4 +1,4 @@ -dnl $Id: aclocal.m4,v 1.12 2014/01/21 02:10:27 djm Exp $ +dnl $Id: aclocal.m4,v 1.13 2014/01/22 10:30:12 djm Exp $ dnl dnl OpenSSH-specific autoconf macros dnl 
@@ -21,7 +21,45 @@ int main(int argc, char **argv) { int i = 123 * argc, j = 456 + argc, k = 789 - argc; float l = i * 2.1; double m = l / 0.5; - printf("%d %d %d %f %f\n", i, j, k, l, m); + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + ]])], + [ +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" +else + AC_MSG_RESULT([yes]) + CFLAGS="$saved_CFLAGS $_define_flag" +fi], + [ AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" ] + ) +}]) + +dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag]) +dnl Check that $CC accepts a flag 'check_flag'. If it is supported append +dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append +dnl 'check_flag'. +AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{ + AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds]) + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR $1" + _define_flag="$2" + test "x$_define_flag" = "x" && _define_flag="$1" + AC_LINK_IFELSE([AC_LANG_SOURCE([[ +#include +#include +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); exit(0); } ]])], @@ -57,7 +95,8 @@ int main(int argc, char **argv) { int i = 123 * argc, j = 456 + argc, k = 789 - argc; float l = i * 2.1; double m = l / 0.5; - printf("%d %d %d %f %f\n", i, j, k, l, m); + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); exit(0); } ]])], diff --git a/configure.ac b/configure.ac index b738f4e6..12d62e29 100644 --- a/configure.ac +++ b/configure.ac 
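Review bot: The dnl header for the new OSSH_CHECK_CFLAG_LINK is copied from OSSH_CHECK_CFLAG_COMPILE and only says the flag is accepted, which leaves out the one thing this macro exists for; suggest `dnl Check that $CC accepts a flag 'check_flag' and that a program built with it also links`, so the two macros can be told apart from their comments as they already can from the AC_MSG_CHECKING text. The result branches of the new macro lie outside the hunk, so I cannot check that CFLAGS is restored on link failure the way the compile macro restores it.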
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.557 2014/01/22 05:31:18 djm Exp $ +# $Id: configure.ac,v 1.558 2014/01/22 10:30:13 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.557 $) +AC_REVISION($Revision: 1.558 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -164,10 +164,15 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) if test "x$use_toolchain_hardening" = "x1"; then - OSSH_CHECK_CFLAG_COMPILE([-ftrapv]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack]) + # NB. -ftrapv expects certain support functions to be present in + # the compiler library (libgcc or similar) to detect integer operations + # that can overflow. We must check that the result of enabling it + # actually links. The test program compiled/linked includes a number + # of integer operations that should exercise this. + OSSH_CHECK_CFLAG_LINK([-ftrapv]) fi AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` @@ -1594,8 +1599,20 @@ if test "x$use_pie" == "xauto"; then ) fi if test "x$use_pie" != "xno"; then + SAVED_CFLAGS="$CFLAGS" + SAVED_LDFLAGS="$LDFLAGS" OSSH_CHECK_CFLAG_COMPILE([-fPIE]) OSSH_CHECK_LDFLAG_LINK([-pie]) + # We use both -fPIE and -pie or neither. + AC_MSG_CHECKING([whether both -fPIE and -pie are supported]) + if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \ + echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + CFLAGS="$SAVED_CFLAGS" + LDFLAGS="$SAVED_LDFLAGS" + fi fi dnl Checks for library functions. Please keep in alphabetical order -- cgit v1.2.1 From 3e4ba92f09634755c396140fff64db7376f4e187 Mon Sep 17 00:00:00 2001 
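Review bot: The both-or-neither PIE check leans on two shell idioms that deserve a comment where they sit: the leading `x ` in `echo "x $CFLAGS"` presumably keeps echo from treating a flag beginning with `-` as its own option, and the leading space in `grep ' -fPIE'` anchors the match to the start of a token; `# "x " guards echo against a leading -flag; the space-prefixed pattern matches a whole flag token` would record both. The restore path introduces `SAVED_CFLAGS`/`SAVED_LDFLAGS` next to the macros' `saved_CFLAGS`/`saved_LDFLAGS`; they are distinct variables, but a reader may take one for a typo of the other, so a more distinct name such as `PIE_SAVED_CFLAGS` avoids the ambiguity.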
From: tim Date: Thu, 23 Jan 2014 03:16:10 +0000 Subject: - (tim) [session.c] Improve error reporting on set_id(). --- ChangeLog | 3 +++ session.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b4a81f99..962caf07 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20130123 + - (tim) [session.c] Improve error reporting on set_id(). + 20130122 - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a platform that is expected to use the reuse-argv style setproctitle diff --git a/session.c b/session.c index 6be16ca8..12dd9ab1 100644 --- a/session.c +++ b/session.c @@ -1554,7 +1554,7 @@ do_setusercontext(struct passwd *pw) #else # ifdef USE_LIBIAF if (set_id(pw->pw_name) != 0) { - exit(1); + fatal("set_id(%s) Failed", pw->pw_name); } # endif /* USE_LIBIAF */ /* Permanently switch to the desired uid. */ -- cgit v1.2.1 From cb2a6b4bc0ef35b5b3e93af5e4e165990e58ff43 Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 23 Jan 2014 12:14:39 +0000 Subject: - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously incompatible with OpenBSD's despite post-dating it by more than a decade. Declare it as broken, and document FreeBSD's as the same. ok djm@ --- ChangeLog | 3 +++ configure.ac | 9 ++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 962caf07..e352892c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ 20130123 - (tim) [session.c] Improve error reporting on set_id(). + - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously + incompatible with OpenBSD's despite post-dating it by more than a decade. + Declare it as broken, and document FreeBSD's as the same. ok djm@ 20130122 - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a diff --git a/configure.ac b/configure.ac index 12d62e29..736f6502 100644 --- a/configure.ac +++ b/configure.ac 
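Review bot: The new `fatal("set_id(%s) Failed", pw->pw_name)` is the right replacement for a bare exit(1), which lost the diagnostic entirely, but its wording departs from the tree's convention of prefixing the function name and using lower-case "failed" (compare `fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, ...)` in the sandbox hunks further down this page); `fatal("%s: set_id(%s) failed", __func__, pw->pw_name);` matches. Whether set_id() sets errno is not visible here; if it does, appending `: %s` with strerror(errno) would make the log line actionable. do_setusercontext continues outside the hunk.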
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.558 2014/01/22 10:30:13 djm Exp $ +# $Id: configure.ac,v 1.559 2014/01/23 12:14:40 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.558 $) +AC_REVISION($Revision: 1.559 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -769,6 +769,8 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) TEST_MALLOC_OPTIONS="AJRX" + AC_DEFINE([BROKEN_STRNVIS], [1], + [NetBSD strnvis argument order is swapped compared to OpenBSD]) ;; *-*-freebsd*) check_for_libcrypt_later=1 @@ -777,7 +779,8 @@ mips-sony-bsd|mips-sony-newsos4) AC_CHECK_HEADER([net/if_tap.h], , AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) - AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need]) + AC_DEFINE([BROKEN_STRNVIS], [1], + [FreeBSD strnvis argument order is swapped compared to OpenBSD]) TEST_MALLOC_OPTIONS="AJRX" ;; *-*-bsdi*) -- cgit v1.2.1 From 30a80e45ad1b629a5492d244ac0715da56c1dcf7 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 24 Jan 2014 03:27:04 +0000 Subject: - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make the scp regress test actually test the built scp rather than the one in $PATH. ok dtucker@ --- ChangeLog | 5 +++++ Makefile.in | 4 +++- regress/scp-ssh-wrapper.sh | 6 ++++-- regress/scp.sh | 1 + 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index e352892c..d9284799 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,8 @@ +20130124 + - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make + the scp regress test actually test the built scp rather than the one + in $PATH. ok dtucker@ + 20130123 - (tim) [session.c] Improve error reporting on set_id(). - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously diff --git a/Makefile.in b/Makefile.in index f5dd3b83..e3dfab2f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.350 2014/01/17 05:47:04 djm Exp $ +# $Id: Makefile.in,v 1.351 2014/01/24 03:27:04 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -411,6 +411,7 @@ regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) BUILDDIR=`pwd`; \ TEST_SHELL="@TEST_SHELL@"; \ + TEST_SSH_SCP="$${BUILDDIR}/scp"; \ TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \ @@ -434,6 +435,7 @@ tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) PATH="$${BUILDDIR}:$${PATH}" \ TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \ TEST_SHELL="$${TEST_SHELL}" \ + TEST_SSH_SCP="$${TEST_SSH_SCP}" \ TEST_SSH_SSH="$${TEST_SSH_SSH}" \ TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \ TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \ diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh index d1005a99..c63bc2bc 100644 --- a/regress/scp-ssh-wrapper.sh +++ b/regress/scp-ssh-wrapper.sh @@ -17,7 +17,7 @@ printname () { } # Discard all but last argument. We use arg later. -while test "$1" != ""; do +while test "x$1" != "x"; do arg="$1" shift done @@ -52,6 +52,8 @@ badserver_4) echo "X" ;; *) - exec $arg + set -- $arg + shift + exec $SCP "$@" ;; esac diff --git a/regress/scp.sh b/regress/scp.sh index 29c5b35d..c2da2a86 100644 --- a/regress/scp.sh +++ b/regress/scp.sh 
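Review bot: `exec $SCP "$@"` quotes the arguments but not `$SCP`, so if SCP is empty — scp.sh exports it, but where it is assigned is not on this page — the shell tries to exec the first remaining argument and fails with a confusing error rather than a clear one, and a build path containing whitespace would be split. `exec "${SCP:?SCP is not set}" "$@"` fails fast and quotes consistently. `set -- $arg` depends on unquoted word-splitting of the stored command string, which is intentional here, but that also applies pathname expansion to it; a `set -f` before it avoids surprises with metacharacters in test paths.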
@@ -20,6 +20,7 @@ SRC=`dirname ${SCRIPT}` cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp chmod 755 ${OBJ}/scp-ssh-wrapper.scp scpopts="-q -S ${OBJ}/scp-ssh-wrapper.scp" +export SCP # used in scp-ssh-wrapper.scp scpclean() { rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2} -- cgit v1.2.1 From 79538434790b4e9d3494a2f4ce62499b2306bc9f Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 25 Jan 2014 01:34:38 +0000 Subject: - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD --- ChangeLog | 3 +++ configure.ac | 18 +++++++++--------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index d9284799..d0871895 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20130125 + - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD + 20130124 - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make the scp regress test actually test the built scp rather than the one diff --git a/configure.ac b/configure.ac index 736f6502..00ca0fb5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.559 2014/01/23 12:14:40 dtucker Exp $ +# $Id: configure.ac,v 1.560 2014/01/25 01:34:39 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.559 $) +AC_REVISION($Revision: 1.560 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -3032,6 +3032,13 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ AC_MSG_ERROR([seccomp_filter sandbox requires prctl function]) SANDBOX_STYLE="seccomp_filter" AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) +elif test "x$sandbox_arg" = "xcapsicum" || \ + ( test -z "$sandbox_arg" && \ + test "x$have_cap_enter" = "x1") ; then + test "x$have_cap_enter" != "x1" && \ + AC_MSG_ERROR([capsicum sandbox requires cap_enter function]) + SANDBOX_STYLE="capsicum" + AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ test "x$select_works_with_rlimit" = "xyes" && \ @@ -3042,13 +3049,6 @@ elif test "x$sandbox_arg" = "xrlimit" || \ AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit]) SANDBOX_STYLE="rlimit" AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) -elif test "x$sandbox_arg" = "xcapsicum" || \ - ( test -z "$sandbox_arg" && \ - test "x$have_cap_enter" = "x1") ; then - test "x$have_cap_enter" != "x1" && \ - AC_MSG_ERROR([capsicum sandbox requires cap_enter function]) - SANDBOX_STYLE="capsicum" - AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum]) elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then SANDBOX_STYLE="none" -- cgit v1.2.1 From 5772b5b65610762f5a74d3a90397034ca9e2baca Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 25 Jan 2014 02:12:28 +0000 Subject: - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless sys/capability.h exists and cap_rights_limit is in libc. Fixes build on FreeBSD9x which provides the header but not the libc support. --- ChangeLog | 4 ++++ configure.ac | 18 ++++++++++-------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index d0871895..9dc664e5 100644 --- a/ChangeLog +++ b/ChangeLog 
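Review bot: Nothing in the file records that this elif chain is a precedence order, yet moving the capsicum branch above rlimit relies on exactly that: with `$sandbox_arg` empty the first branch whose autodetection succeeds wins, so a future reorder could silently downgrade the pre-auth sandbox. A comment ahead of the chain, such as `# Order matters: with no --with-sandbox argument the first branch whose detection succeeds wins, so the stronger sandboxes must precede the rlimit fallback`, makes the intent survive the next edit. The start of the chain lies above the hunk.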
@@ -1,5 +1,9 @@ 20130125 - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD + - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless + sys/capability.h exists and cap_rights_limit is in libc. Fixes + build on FreeBSD9x which provides the header but not the libc + support. 20130124 - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make diff --git a/configure.ac b/configure.ac index 00ca0fb5..6bf30e82 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.560 2014/01/25 01:34:39 djm Exp $ +# $Id: configure.ac,v 1.561 2014/01/25 02:12:29 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.560 $) +AC_REVISION($Revision: 1.561 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -120,9 +120,6 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ #include #include ]) -AC_CHECK_DECL([cap_enter], [have_cap_enter=1], , [ - #include -]) use_stack_protector=1 use_toolchain_hardening=1 @@ -367,6 +364,7 @@ AC_CHECK_HEADERS([ \ sys/audit.h \ sys/bitypes.h \ sys/bsdtty.h \ + sys/capability.h \ sys/cdefs.h \ sys/dir.h \ sys/mman.h \ @@ -1637,6 +1635,7 @@ AC_CHECK_FUNCS([ \ bcrypt_pbkdf \ bindresvport_sa \ blf_enc \ + cap_rights_limit \ clock \ closefrom \ dirfd \ 
@@ -3034,9 +3033,12 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) elif test "x$sandbox_arg" = "xcapsicum" || \ ( test -z "$sandbox_arg" && \ - test "x$have_cap_enter" = "x1") ; then - test "x$have_cap_enter" != "x1" && \ - AC_MSG_ERROR([capsicum sandbox requires cap_enter function]) + test "x$ac_cv_header_sys_capability_h" = "x1" && \ + test "x$ac_cv_func_cap_rights_limit" = "x1") ; then + test "x$ac_cv_header_sys_capability_h" != "x1" && \ + AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header]) + test "x$ac_cv_func_cap_rights_limit" != "x1" && \ + AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function]) SANDBOX_STYLE="capsicum" AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum]) elif test "x$sandbox_arg" = "xrlimit" || \ -- cgit v1.2.1 From a48c0e64f3225571cd265236e9c27be98367a996 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 25 Jan 2014 02:16:59 +0000 Subject: - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test against the correct thing. --- ChangeLog | 2 ++ configure.ac | 12 ++++++------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9dc664e5..44e56f4a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,8 @@ sys/capability.h exists and cap_rights_limit is in libc. Fixes build on FreeBSD9x which provides the header but not the libc support. + - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test + against the correct thing. 20130124 - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make diff --git a/configure.ac b/configure.ac index 6bf30e82..5e5e4d13 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.561 2014/01/25 02:12:29 djm Exp $ +# $Id: configure.ac,v 1.562 2014/01/25 02:16:59 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.561 $) +AC_REVISION($Revision: 1.562 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3033,11 +3033,11 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) elif test "x$sandbox_arg" = "xcapsicum" || \ ( test -z "$sandbox_arg" && \ - test "x$ac_cv_header_sys_capability_h" = "x1" && \ - test "x$ac_cv_func_cap_rights_limit" = "x1") ; then - test "x$ac_cv_header_sys_capability_h" != "x1" && \ + test "x$ac_cv_header_sys_capability_h" = "xyes" && \ + test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then + test "x$ac_cv_header_sys_capability_h" != "xyes" && \ AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header]) - test "x$ac_cv_func_cap_rights_limit" != "x1" && \ + test "x$ac_cv_func_cap_rights_limit" != "xyes" && \ AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function]) SANDBOX_STYLE="capsicum" AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum]) -- cgit v1.2.1 From 3aee45a092a827e0f097e690ca82454329d24723 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 25 Jan 2014 22:37:25 +0000 Subject: - dtucker@cvs.openbsd.org 2014/01/25 10:12:50 [cipher.c cipher.h kex.c kex.h kexgexc.c] Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@ --- ChangeLog | 11 +++++++++++ cipher.c | 10 +++++++++- cipher.h | 3 ++- kex.c | 9 ++++++--- kex.h | 3 ++- kexgexc.c | 4 ++-- 6 files changed, 32 insertions(+), 8 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 44e56f4a..64da7a47 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +20130126 + - OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2014/01/25 10:12:50 + [cipher.c cipher.h kex.c kex.h kexgexc.c] + Add a special case for the DH group size for 3des-cbc, which has an + effective strength much lower than the key size. This causes problems + with some cryptlib implementations, which don't support group sizes larger + than 4k but also don't use the largest group size it does support as + specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, + reduced by me with input from Markus. ok djm@ markus@ + 20130125 - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless diff --git a/cipher.c b/cipher.c index 76e6c596..2476e653 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.93 2013/12/06 13:34:54 markus Exp $ */ +/* $OpenBSD: cipher.c,v 1.94 2014/01/25 10:12:50 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -141,6 +141,14 @@ cipher_keylen(const Cipher *c) return (c->key_len); } +u_int +cipher_seclen(const Cipher *c) +{ + if (strcmp("3des-cbc", c->name) == 0) + return 14; + return cipher_keylen(c); +} + u_int cipher_authlen(const Cipher *c) { diff --git a/cipher.h b/cipher.h index d7824561..133d2e73 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.43 2013/12/06 13:34:54 markus Exp $ */ +/* $OpenBSD: cipher.h,v 1.44 2014/01/25 10:12:50 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -89,6 +89,7 @@ void cipher_cleanup(CipherContext *); void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int); u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); +u_int cipher_seclen(const Cipher *); u_int cipher_authlen(const Cipher *); u_int cipher_ivlen(const Cipher *); u_int cipher_is_cbc(const Cipher *); 
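Review bot: The bare `return 14;` in cipher_seclen encodes a non-obvious cryptographic fact and needs a comment in the function: 3DES's 168-bit key yields only about 112 bits of effective strength because of the meet-in-the-middle attack, so the DH group is sized for 14 bytes rather than for the full key length; e.g. `/* 3DES: 168-bit key but ~112 bits effective strength, so size DH for 14 bytes */`. Matching on `strcmp("3des-cbc", c->name)` also ties the exception to one spelling; a flag on the Cipher entry would express it more robustly, but the cipher table is not in view. The cipher.h hunk in the same commit only adds the prototype.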
diff --git a/kex.c b/kex.c index 7d054cdc..39d16f8e 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.95 2014/01/12 08:13:13 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.96 2014/01/25 10:12:50 dtucker Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -458,7 +458,7 @@ kex_choose_conf(Kex *kex) char **my, **peer; char **cprop, **sprop; int nenc, nmac, ncomp; - u_int mode, ctos, need, authlen; + u_int mode, ctos, need, dh_need, authlen; int first_kex_follows, type; my = kex_buf2prop(&kex->my, NULL); @@ -506,7 +506,7 @@ kex_choose_conf(Kex *kex) choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); - need = 0; + need = dh_need = 0; for (mode = 0; mode < MODE_MAX; mode++) { newkeys = kex->newkeys[mode]; if (need < newkeys->enc.key_len) @@ -517,9 +517,12 @@ kex_choose_conf(Kex *kex) need = newkeys->enc.iv_len; if (need < newkeys->mac.key_len) need = newkeys->mac.key_len; + if (dh_need < cipher_seclen(newkeys->enc.cipher)) + dh_need = cipher_seclen(newkeys->enc.cipher); } /* XXX need runden? */ kex->we_need = need; + kex->dh_need = dh_need; /* ignore the next message if the proposals do not match */ if (first_kex_follows && !proposals_match(my, peer) && diff --git a/kex.h b/kex.h index 7e2878f7..1aa3ec26 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.60 2014/01/12 08:13:13 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.61 2014/01/25 10:12:50 dtucker Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -124,6 +124,7 @@ struct Kex { u_int session_id_len; Newkeys *newkeys[MODE_MAX]; u_int we_need; + u_int dh_need; int server; char *name; int hostkey_type; diff --git a/kexgexc.c b/kexgexc.c index a69ff270..629b5fbb 100644 --- a/kexgexc.c +++ b/kexgexc.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexc.c,v 1.15 2014/01/12 08:13:13 djm Exp $ */ +/* $OpenBSD: kexgexc.c,v 1.16 2014/01/25 10:12:50 dtucker Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -58,7 +58,7 @@ kexgex_client(Kex *kex) int min, max, nbits; DH *dh; - nbits = dh_estimate(kex->we_need * 8); + nbits = dh_estimate(kex->dh_need * 8); if (datafellows & SSH_OLD_DHGEX) { /* Old GEX request */ -- cgit v1.2.1 From 913a4df497e30cfd71e9d7b3b1af283fe4d557f1 Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 25 Jan 2014 22:38:03 +0000 Subject: - markus@cvs.openbsd.org 2014/01/25 20:35:37 [kex.c] dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha --- ChangeLog | 4 ++++ kex.c | 20 +++++++++----------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 64da7a47..384c0712 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@ + - markus@cvs.openbsd.org 2014/01/25 20:35:37 + [kex.c] + dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) + ok dtucker@, noted by mancha 20130125 - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD diff --git a/kex.c b/kex.c index 39d16f8e..616484b8 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.96 2014/01/25 10:12:50 dtucker Exp $ */ +/* $OpenBSD: kex.c,v 1.97 2014/01/25 20:35:37 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * 
@@ -509,16 +509,14 @@ kex_choose_conf(Kex *kex) need = dh_need = 0; for (mode = 0; mode < MODE_MAX; mode++) { newkeys = kex->newkeys[mode]; - if (need < newkeys->enc.key_len) - need = newkeys->enc.key_len; - if (need < newkeys->enc.block_size) - need = newkeys->enc.block_size; - if (need < newkeys->enc.iv_len) - need = newkeys->enc.iv_len; - if (need < newkeys->mac.key_len) - need = newkeys->mac.key_len; - if (dh_need < cipher_seclen(newkeys->enc.cipher)) - dh_need = cipher_seclen(newkeys->enc.cipher); + need = MAX(need, newkeys->enc.key_len); + need = MAX(need, newkeys->enc.block_size); + need = MAX(need, newkeys->enc.iv_len); + need = MAX(need, newkeys->mac.key_len); + dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher)); + dh_need = MAX(dh_need, newkeys->enc.block_size); + dh_need = MAX(dh_need, newkeys->enc.iv_len); + dh_need = MAX(dh_need, newkeys->mac.key_len); } /* XXX need runden? */ kex->we_need = need; -- cgit v1.2.1 From d899bbe1f4a8f480ae992b0ac1877fab8cc0e42e Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 25 Jan 2014 22:39:53 +0000 Subject: - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations, libc will attempt to open additional file descriptors for crypto offload and crash if they cannot be opened. --- ChangeLog | 4 ++++ configure.ac | 7 +++++-- sandbox-capsicum.c | 2 ++ sandbox-rlimit.c | 2 ++ 4 files changed, 13 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 384c0712..6b965261 100644 --- a/ChangeLog +++ b/ChangeLog 
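Review bot: `dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));` places a function call inside a macro argument; MAX's definition is not in view, but if it is the usual `((a) > (b) ? (a) : (b))` the call is evaluated twice per iteration. Hoisting it keeps the macro arguments side-effect-free: `u_int seclen = cipher_seclen(newkeys->enc.cipher);` at the top of the loop body, then `dh_need = MAX(dh_need, seclen);`. The MAX form otherwise reads much better than the removed if-chains. kex_choose_conf continues on both sides of the hunk.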
@@ -12,6 +12,10 @@ [kex.c] dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha + - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable + RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations, + libc will attempt to open additional file descriptors for crypto + offload and crash if they cannot be opened. 20130125 - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD diff --git a/configure.ac b/configure.ac index 5e5e4d13..4a398418 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.562 2014/01/25 02:16:59 djm Exp $ +# $Id: configure.ac,v 1.563 2014/01/25 22:39:53 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.562 $) +AC_REVISION($Revision: 1.563 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -780,6 +780,9 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis argument order is swapped compared to OpenBSD]) TEST_MALLOC_OPTIONS="AJRX" + # Preauth crypto occasionally uses file descriptors for crypto offload + # and will crash if they cannot be opened. + AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE]) ;; *-*-bsdi*) AC_DEFINE([SETEUID_BREAKS_SETUID]) diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c index f648c6ec..ee2a7e79 100644 --- a/sandbox-capsicum.c +++ b/sandbox-capsicum.c @@ -75,9 +75,11 @@ ssh_sandbox_child(struct ssh_sandbox *box) if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror(errno)); +#ifndef SANDBOX_SKIP_RLIMIT_NOFILE if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror(errno)); +#endif if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", __func__, strerror(errno)); 
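Review bot: The new `#ifndef SANDBOX_SKIP_RLIMIT_NOFILE` drops the descriptor limit from the pre-auth sandbox without saying in the source what is given up; a comment at the guard, e.g. `/* Some libc crypto backends open descriptors after sandboxing (see configure.ac); on those platforms the NOFILE limit is deliberately skipped and the sandbox is correspondingly weaker */`, records the trade-off where the next reader will look. The same guard goes into sandbox-rlimit.c in the L1634 hunk, where the rlimit calls are the only controls the sandbox has, so the note matters more there; the configure.ac comment explains the crash but not the consequence. ssh_sandbox_child continues outside both hunks.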
diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c index da91eb1b..bba80778 100644 --- a/sandbox-rlimit.c +++ b/sandbox-rlimit.c @@ -69,9 +69,11 @@ ssh_sandbox_child(struct ssh_sandbox *box) fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror(errno)); #endif +#ifndef SANDBOX_SKIP_RLIMIT_NOFILE if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror(errno)); +#endif #ifdef HAVE_RLIMIT_NPROC if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", -- cgit v1.2.1 From dcf05776478d7161e5100f9ac1070d4f6311246e Mon Sep 17 00:00:00 2001 From: djm Date: Sat, 25 Jan 2014 22:46:53 +0000 Subject: - (djm) [configure.ac] correct AC_DEFINE for previous. --- ChangeLog | 1 + configure.ac | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6b965261..f736fddc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,7 @@ RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations, libc will attempt to open additional file descriptors for crypto offload and crash if they cannot be opened. + - (djm) [configure.ac] correct AC_DEFINE for previous. 20130125 - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD diff --git a/configure.ac b/configure.ac index 4a398418..ce881e27 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.563 2014/01/25 22:39:53 djm Exp $ +# $Id: configure.ac,v 1.564 2014/01/25 22:46:54 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.563 $) +AC_REVISION($Revision: 1.564 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -782,7 +782,8 @@ mips-sony-bsd|mips-sony-newsos4) TEST_MALLOC_OPTIONS="AJRX" # Preauth crypto occasionally uses file descriptors for crypto offload # and will crash if they cannot be opened. - AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE]) + AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1], + [define if setrlimit RLIMIT_NOFILE breaks things])], ;; *-*-bsdi*) AC_DEFINE([SETEUID_BREAKS_SETUID]) -- cgit v1.2.1 From 75b23d45a706862e11c2ea272b9555801c295dad Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 27 Jan 2014 06:32:50 +0000 Subject: Welcome to 2014 --- ChangeLog | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index f736fddc..7b3fa5ed 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,4 @@ -20130126 +20140126 - OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2014/01/25 10:12:50 [cipher.c cipher.h kex.c kex.h kexgexc.c] @@ -18,7 +18,7 @@ offload and crash if they cannot be opened. - (djm) [configure.ac] correct AC_DEFINE for previous. -20130125 +20140125 - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless sys/capability.h exists and cap_rights_limit is in libc. Fixes 
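Review bot: The second added line ends with `])],`, leaving a `]` and a comma after the `)` that closes AC_DEFINE, with nothing visible in the hunk that they balance; unless a later change removes them, m4 would pass the stray `],` through into the generated configure script immediately before `;;`, which is a shell syntax error in that case arm. The line should end at the closing parenthesis: `[define if setrlimit RLIMIT_NOFILE breaks things])`. The enclosing case arm starts outside the hunk.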
@@ -27,18 +27,18 @@ - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test against the correct thing. -20130124 +20140124 - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make the scp regress test actually test the built scp rather than the one in $PATH. ok dtucker@ -20130123 +20140123 - (tim) [session.c] Improve error reporting on set_id(). - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously incompatible with OpenBSD's despite post-dating it by more than a decade. Declare it as broken, and document FreeBSD's as the same. ok djm@ -20130122 +20140122 - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a platform that is expected to use the reuse-argv style setproctitle hack surprises us by providing a setproctitle in libc; ok dtucker -- cgit v1.2.1 From b6d050da4c48358f3a5df8b3ed38ceed507102f3 Mon Sep 17 00:00:00 2001 From: dtucker Date: Mon, 27 Jan 2014 06:35:04 +0000 Subject: - (dtucker) [Makefile.in] Remove trailing backslash which some make implementations (eg older Solaris) do not cope with. --- ChangeLog | 4 ++++ Makefile.in | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7b3fa5ed..ca3979b6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20140127 + - (dtucker) [Makefile.in] Remove trailing backslash which some make + implementations (eg older Solaris) do not cope with. + 20140126 - OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2014/01/25 10:12:50 diff --git a/Makefile.in b/Makefile.in index e3dfab2f..a8aa1272 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.351 2014/01/24 03:27:04 djm Exp $ +# $Id: Makefile.in,v 1.352 2014/01/27 06:35:04 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -76,7 +76,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ ssh-ed25519.o digest.o \ - sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ + sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -- cgit v1.2.1 From ef2d5ba0c3fa1749f45130cb752dce498c2e68c9 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 28 Jan 2014 04:07:10 +0000 Subject: - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl; ok dtucker --- ChangeLog | 4 ++++ configure.ac | 7 +++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ca3979b6..a2be7f8b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20140128 + - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl; + ok dtucker + 20140127 - (dtucker) [Makefile.in] Remove trailing backslash which some make implementations (eg older Solaris) do not cope with. diff --git a/configure.ac b/configure.ac index ce881e27..62229b64 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.564 2014/01/25 22:46:54 djm Exp $ +# $Id: configure.ac,v 1.565 2014/01/28 04:07:10 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.564 $) +AC_REVISION($Revision: 1.565 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -1240,6 +1240,9 @@ AC_SEARCH_LIBS([openpty], [util bsd]) AC_SEARCH_LIBS([updwtmp], [util bsd]) AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) +# On some platforms, inet_ntop may be found in libresolv or libnsl. +AC_SEARCH_LIBS([inet_ntop], [resolv nsl]) + AC_FUNC_STRFTIME # Check for ALTDIRFUNC glob() extension -- cgit v1.2.1 From b57c941b7707e087f22ca7d23042ac2050b5af60 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 28 Jan 2014 04:08:12 +0000 Subject: - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the latter being specified to have undefined behaviour in SUSv3; ok dtucker --- ChangeLog | 3 +++ sshd.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a2be7f8b..549db120 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20140128 - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl; ok dtucker + - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the + latter being specified to have undefined behaviour in SUSv3; + ok dtucker 20140127 - (dtucker) [Makefile.in] Remove trailing backslash which some make diff --git a/sshd.c b/sshd.c index a5d4218b..25380c91 100644 --- a/sshd.c +++ b/sshd.c @@ -372,7 +372,7 @@ grace_alarm_handler(int sig) */ if (getpgid(0) == getpid()) { signal(SIGTERM, SIG_IGN); - killpg(0, SIGTERM); + kill(0, SIGTERM); } /* Log error and exit. */ -- cgit v1.2.1 From e35da179b90199951e6bf8ba171f2bc9338a58eb Mon Sep 17 00:00:00 2001 From: tim Date: Tue, 28 Jan 2014 18:26:25 +0000 Subject: - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable when used as an error message inside an if statement so we display the correct into. agent.sh patch from Petr Lautrbach. --- ChangeLog | 3 +++ regress/agent-ptrace.sh | 5 +++-- regress/agent.sh | 30 ++++++++++++++++++------------ 3 files changed, 24 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 549db120..74390565 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -4,6 +4,9 @@ - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the latter being specified to have undefined behaviour in SUSv3; ok dtucker + - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable + when used as an error message inside an if statement so we display the + correct into. agent.sh patch from Petr Lautrbach. 20140127 - (dtucker) [Makefile.in] Remove trailing backslash which some make diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 6824b814..ae150641 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -45,8 +45,9 @@ else gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF quit EOF - if [ $? -ne 0 ]; then - fail "gdb failed: exit code $?" + r=$? + if [ $r -ne 0 ]; then + fail "gdb failed: exit code $r" fi egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null ${OBJ}/gdb.out r=$? diff --git a/regress/agent.sh b/regress/agent.sh index 90bad15d..cf1a45fe 100644 --- a/regress/agent.sh +++ b/regress/agent.sh 
@@ -34,40 +34,46 @@ else fi done ${SSHADD} -l > /dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh-add -l failed: exit code $?" + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -l failed: exit code $r" fi # the same for full pubkey output ${SSHADD} -L > /dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh-add -L failed: exit code $?" + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -L failed: exit code $r" fi trace "simple connect via agent" for p in 1 2; do ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p - if [ $? -ne 5$p ]; then - fail "ssh connect with protocol $p failed (exit code $?)" + r=$? + if [ $r -ne 5$p ]; then + fail "ssh connect with protocol $p failed (exit code $r)" fi done trace "agent forwarding" for p in 1 2; do ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh-add -l via agent fwd proto $p failed (exit code $?)" + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -l via agent fwd proto $p failed (exit code $r)" fi ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \ "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" - if [ $? -ne 5$p ]; then - fail "agent fwd proto $p failed (exit code $?)" + r=$? + if [ $r -ne 5$p ]; then + fail "agent fwd proto $p failed (exit code $r)" fi done trace "delete all agent keys" ${SSHADD} -D > /dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh-add -D failed: exit code $?" + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -D failed: exit code $r" fi trace "kill agent" -- cgit v1.2.1 From ddc3d60fd552064b26954b00ca8d0db3941a3546 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 29 Jan 2014 10:01:33 +0000 Subject: - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from Tom G. Christensen --- ChangeLog | 4 ++++ configure.ac | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 74390565..727c4a5a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,7 @@ +20130129 + - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from + Tom G. Christensen + 20140128 - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl; ok dtucker diff --git a/configure.ac b/configure.ac index 62229b64..627ce517 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.565 2014/01/28 04:07:10 djm Exp $ +# $Id: configure.ac,v 1.566 2014/01/29 10:01:33 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.565 $) +AC_REVISION($Revision: 1.566 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1593,7 +1593,7 @@ if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then # Turn off automatic PIE when toolchain hardening is off. use_pie=no fi -if test "x$use_pie" == "xauto"; then +if test "x$use_pie" = "xauto"; then # Automatic PIE requires gcc >= 4.x AC_MSG_CHECKING([for gcc >= 4.x]) AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ -- cgit v1.2.1 From bbced47ad0d0d0c6c559afcd2923b0e7c856cc55 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 29 Jan 2014 23:21:19 +0000 Subject: - (djm) [configure.ac] Only check for width-specified integer types in headers that actually exist. patch from Tom G. Christensen; ok dtucker@ --- ChangeLog | 7 ++++++- configure.ac | 16 +++++++++++----- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 727c4a5a..05e75342 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,9 @@ -20130129 +20140130 + - (djm) [configure.ac] Only check for width-specified integer types + in headers that actually exist. patch from Tom G. Christensen; + ok dtucker@ + +20140129 - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from Tom G. Christensen diff --git a/configure.ac b/configure.ac index 627ce517..57136216 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.566 2014/01/29 10:01:33 djm Exp $ +# $Id: configure.ac,v 1.567 2014/01/29 23:21:20 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.566 $) +AC_REVISION($Revision: 1.567 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3271,7 +3271,9 @@ if test "x$ac_cv_have_u_int64_t" = "xyes" ; then have_u_int64_t=1 fi -if test -z "$have_u_int64_t" ; then +if (test -z "$have_u_int64_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ u_int64_t a; a = 1]])], @@ -3301,7 +3303,9 @@ if test -z "$have_u_intxx_t" ; then fi fi -if test -z "$have_uintxx_t" ; then +if (test -z "$have_uintxx_t" && \ + test "x$ac_cv_header_stdint_h" = "xyes") +then AC_MSG_CHECKING([for uintXX_t types in stdint.h]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], @@ -3312,7 +3316,9 @@ if test -z "$have_uintxx_t" ; then ]) fi -if test -z "$have_uintxx_t" ; then +if (test -z "$have_uintxx_t" && \ + test "x$ac_cv_header_inttypes_h" = "xyes") +then AC_MSG_CHECKING([for uintXX_t types in inttypes.h]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], -- cgit v1.2.1 From 6882fae00daccee2d3a55a6248effd7732e15cae Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 30 Jan 2014 00:26:46 +0000 Subject: - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering different symbols for 'read' when various compiler flags are in use, causing atomicio.c comparisons against it to break and read/write operations to hang; ok dtucker --- ChangeLog | 4 ++++ atomicio.c | 4 ++++ configure.ac | 6 ++++-- 3 files changed, 12 insertions(+), 2 deletions(-) 
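Review bot: The three rewritten conditions (the hunks at 3271, 3303 and 3316) wrap the tests in `( ... )`, which runs them in a subshell; `test` has no side effects so the result is unchanged, but the extra fork and the backslash continuation after `&&` are both unnecessary, and `if test -z "$have_u_int64_t" && test "x$ac_cv_header_sys_bitypes_h" = "xyes"; then` reads like the rest of the file. Separately, each check now depends on the `ac_cv_header_*` cache variable having been set by an earlier AC_CHECK_HEADERS for sys/bitypes.h, stdint.h and inttypes.h; if any of those headers is not probed before this point, the variable is empty and the type check is skipped silently. Worth confirming against the header checks, which the hunks do not show.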
diff --git a/ChangeLog b/ChangeLog index 05e75342..cf7e12f0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (djm) [configure.ac] Only check for width-specified integer types in headers that actually exist. patch from Tom G. Christensen; ok dtucker@ + - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering + different symbols for 'read' when various compiler flags are + in use, causing atomicio.c comparisons against it to break and + read/write operations to hang; ok dtucker 20140129 - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from diff --git a/atomicio.c b/atomicio.c index 601b3c37..2bac36c9 100644 --- a/atomicio.c +++ b/atomicio.c @@ -56,8 +56,10 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n, ssize_t res; struct pollfd pfd; +#ifndef BROKEN_READ_COMPARISON pfd.fd = fd; pfd.events = f == read ? POLLIN : POLLOUT; +#endif while (n > pos) { res = (f) (fd, s + pos, n - pos); switch (res) { @@ -65,7 +67,9 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n, if (errno == EINTR) continue; if (errno == EAGAIN || errno == EWOULDBLOCK) { +#ifndef BROKEN_READ_COMPARISON (void)poll(&pfd, 1, -1); +#endif continue; } return 0; diff --git a/configure.ac b/configure.ac index 57136216..dfd32cd8 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.567 2014/01/29 23:21:20 djm Exp $ +# $Id: configure.ac,v 1.568 2014/01/30 00:26:46 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.567 $) +AC_REVISION($Revision: 1.568 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
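Review bot: With BROKEN_READ_COMPARISON defined, the EAGAIN/EWOULDBLOCK branch in the second atomicio.c hunk now reaches `continue` with no poll() before it, so the `while (n > pos)` loop re-invokes f() immediately and atomicio6() spins at full CPU on a non-blocking descriptor until it becomes ready; `pfd` also becomes an unused variable in that build. The comparison NetBSD breaks is `f == read`, against a libc symbol; comparing against this file's own write wrapper instead keeps the poll() unconditional and needs no configure knob: `pfd.events = f == vwrite ? POLLOUT : POLLIN;`. That assumes every writing caller passes vwrite rather than write, which the hunk does not show. atomicio6() starts and ends outside both hunks.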
@@ -769,6 +769,8 @@ mips-sony-bsd|mips-sony-newsos4)
 TEST_MALLOC_OPTIONS="AJRX"
 AC_DEFINE([BROKEN_STRNVIS], [1],
 [NetBSD strnvis argument order is swapped compared to OpenBSD])
+ AC_DEFINE([BROKEN_READ_COMPARISON], [1],
+ [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
 ;;
 *-*-freebsd*)
 check_for_libcrypt_later=1
-- cgit v1.2.1
From 5507285a96e8b882d3bba12b1610b0ce5635200d Mon Sep 17 00:00:00 2001
From: djm
Date: Thu, 30 Jan 2014 01:49:55 +0000
Subject: trim entries prior to openssh-6.0p1
---
 ChangeLog | 2049 -------------------------------------------------------------
 1 file changed, 2049 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index cf7e12f0..b617c5ae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2662,2052 +2662,3 @@ [contrib/suse/openssh.spec] Update for release 6.0 - (djm) [README] Update URL to release notes. - (djm) Release openssh-6.0 - -20120419 - - (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil - contains openpty() but not login() - -20120404 - - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox - mode for Linux's new seccomp filter; patch from Will Drewry; feedback - and ok dtucker@ - -20120330 - - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING - file from spec file. From crighter at nuclioss com. - - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running - openssh binaries on a newer fix release than they were compiled on. - with and ok dtucker@ - - (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect - assumptions when building on Cygwin; patch from Corinna Vinschen - -20120309 - - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux - systems where sshd is run in te wrong context. Patch from Sven - Vermeulen; ok dtucker@ - - (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6 - addressed connections. ok dtucker@ - -20120224 - - (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM - audit breakage in Solaris 11. Patch from Magnus Johansson. - -20120215 - - (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for - unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c - ok dtucker@ - - (tim) [defines.h] move chunk introduced in 1.125 before MAXPATHLEN so - it actually works. - - (tim) [regress/keytype.sh] stderr redirection needs to be inside back quote - to work. 
Spotted by Angel Gonzalez - -20120214 - - (djm) [openbsd-compat/bsd-cygwin_util.c] Add PROGRAMFILES to list of - preserved Cygwin environment variables; from Corinna Vinschen - -20120211 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2012/01/05 00:16:56 - [monitor.c] - memleak on error path - - djm@cvs.openbsd.org 2012/01/07 21:11:36 - [mux.c] - fix double-free in new session handler - - miod@cvs.openbsd.org 2012/01/08 13:17:11 - [ssh-ecdsa.c] - Fix memory leak in ssh_ecdsa_verify(); from Loganaden Velvindron, - ok markus@ - - miod@cvs.openbsd.org 2012/01/16 20:34:09 - [ssh-pkcs11-client.c] - Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow. - While there, be sure to buffer_clear() between send_msg() and recv_msg(). - ok markus@ - - dtucker@cvs.openbsd.org 2012/01/18 21:46:43 - [clientloop.c] - Ensure that $DISPLAY contains only valid characters before using it to - extract xauth data so that it can't be used to play local shell - metacharacter games. Report from r00t_ati at ihteam.net, ok markus. - - markus@cvs.openbsd.org 2012/01/25 19:26:43 - [packet.c] - do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; - ok dtucker@, djm@ - - markus@cvs.openbsd.org 2012/01/25 19:36:31 - [authfile.c] - memleak in key_load_file(); from Jan Klemkow - - markus@cvs.openbsd.org 2012/01/25 19:40:09 - [packet.c packet.h] - packet_read_poll() is not used anymore. - - markus@cvs.openbsd.org 2012/02/09 20:00:18 - [version.h] - move from 6.0-beta to 6.0 - -20120206 - - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms - that don't support ECC. Patch from Phil Oleson - -20111219 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/12/02 00:41:56 - [mux.c] - fix bz#1948: ssh -f doesn't fork for multiplexed connection. 
- ok dtucker@ - - djm@cvs.openbsd.org 2011/12/02 00:43:57 - [mac.c] - fix bz#1934: newer OpenSSL versions will require HMAC_CTX_Init before - HMAC_init (this change in policy seems insane to me) - ok dtucker@ - - djm@cvs.openbsd.org 2011/12/04 23:16:12 - [mux.c] - revert: - > revision 1.32 - > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1 - > fix bz#1948: ssh -f doesn't fork for multiplexed connection. - > ok dtucker@ - it interacts badly with ControlPersist - - djm@cvs.openbsd.org 2011/12/07 05:44:38 - [auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c] - fix some harmless and/or unreachable int overflows; - reported Xi Wang, ok markus@ - -20111125 - - OpenBSD CVS Sync - - oga@cvs.openbsd.org 2011/11/16 12:24:28 - [sftp.c] - Don't leak list in complete_cmd_parse if there are no commands found. - Discovered when I was ``borrowing'' this code for something else. - ok djm@ - -20111121 - - (dtucker) [configure.ac] Set _FORTIFY_SOURCE. ok djm@ - -20111104 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/10/18 05:15:28 - [ssh.c] - ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@ - - djm@cvs.openbsd.org 2011/10/18 23:37:42 - [ssh-add.c] - add -k to usage(); reminded by jmc@ - - djm@cvs.openbsd.org 2011/10/19 00:06:10 - [moduli.c] - s/tmpfile/tmp/ to make this -Wshadow clean - - djm@cvs.openbsd.org 2011/10/19 10:39:48 - [umac.c] - typo in comment; patch from Michael W. Bombardieri - - djm@cvs.openbsd.org 2011/10/24 02:10:46 - [ssh.c] - bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh - was incorrectly requesting the forward in both the control master and - slave. skip requesting it in the master to fix. 
ok markus@ - - djm@cvs.openbsd.org 2011/10/24 02:13:13 - [session.c] - bz#1859: send tty break to pty master instead of (probably already - closed) slave side; "looks good" markus@ - - dtucker@cvs.openbsd.org 011/11/04 00:09:39 - [moduli] - regenerated moduli file; ok deraadt - - (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in - openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c] - bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library - which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr) - with some rework from myself and djm. ok djm. - -20111025 - - (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file - fails. Patch from Corinna Vinschen. - -20111018 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/10/04 14:17:32 - [sftp-glob.c] - silence error spam for "ls */foo" in directory with files; bz#1683 - - dtucker@cvs.openbsd.org 2011/10/16 11:02:46 - [moduli.c ssh-keygen.1 ssh-keygen.c] - Add optional checkpoints for moduli screening. feedback & ok deraadt - - jmc@cvs.openbsd.org 2011/10/16 15:02:41 - [ssh-keygen.c] - put -K in the right place (usage()); - - stsp@cvs.openbsd.org 2011/10/16 15:51:39 - [moduli.c] - add missing includes to unbreak tree; fix from rpointel - - djm@cvs.openbsd.org 2011/10/18 04:58:26 - [auth-options.c key.c] - remove explict search for \0 in packet strings, this job is now done - implicitly by buffer_get_cstring; ok markus - - djm@cvs.openbsd.org 2011/10/18 05:00:48 - [ssh-add.1 ssh-add.c] - new "ssh-add -k" option to load plain keys (skipping certificates); - "looks ok" markus@ - -20111001 - - (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2011/09/23 00:22:04 - [channels.c auth-options.c servconf.c channels.h sshd.8] - Add wildcard support to PermitOpen, allowing things like "PermitOpen - localhost:*". bz #1857, ok djm markus. 
- - markus@cvs.openbsd.org 2011/09/23 07:45:05 - [mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c - version.h] - unbreak remote portforwarding with dynamic allocated listen ports: - 1) send the actual listen port in the open message (instead of 0). - this allows multiple forwardings with a dynamic listen port - 2) update the matching permit-open entry, so we can identify where - to connect to - report: den at skbkontur.ru and P. Szczygielski - feedback and ok djm@ - - djm@cvs.openbsd.org 2011/09/25 05:44:47 - [auth2-pubkey.c] - improve the AuthorizedPrincipalsFile debug log message to include - file and line number - - dtucker@cvs.openbsd.org 2011/09/30 00:47:37 - [sshd.c] - don't attempt privsep cleanup when not using privsep; ok markus@ - - djm@cvs.openbsd.org 2011/09/30 21:22:49 - [sshd.c] - fix inverted test that caused logspam; spotted by henning@ - -20110929 - - (djm) [configure.ac defines.h] No need to detect sizeof(char); patch - from des AT des.no - - (dtucker) [configure.ac openbsd-compat/Makefile.in - openbsd-compat/strnlen.c] Add strnlen to the compat library. - -20110923 - - (djm) [openbsd-compat/getcwd.c] Remove OpenBSD rcsid marker since we no - longer want to sync this file (OpenBSD uses a __getcwd syscall now, we - want this longhand version) - - (djm) [openbsd-compat/getgrouplist.c] Remove OpenBSD rcsid marker: the - upstream version is YPified and we don't want this - - (djm) [openbsd-compat/mktemp.c] forklift upgrade to -current version. - The file was totally rewritten between what we had in tree and -current. - - (djm) [openbsd-compat/sha2.c openbsd-compat/sha2.h] Remove OpenBSD rcsid - marker. The upstream API has changed (function and structure names) - enough to put it out of sync with other providers of this interface. 
- - (djm) [openbsd-compat/setenv.c] Forklift upgrade, including inclusion - of static __findenv() function from upstream setenv.c - - OpenBSD CVS Sync - - millert@cvs.openbsd.org 2006/05/05 15:27:38 - [openbsd-compat/strlcpy.c] - Convert do {} while loop -> while {} for clarity. No binary change - on most architectures. From Oliver Smith. OK deraadt@ and henning@ - - tobias@cvs.openbsd.org 2007/10/21 11:09:30 - [openbsd-compat/mktemp.c] - Comment fix about time consumption of _gettemp. - FreeBSD did this in revision 1.20. - OK deraadt@, krw@ - - deraadt@cvs.openbsd.org 2008/07/22 21:47:45 - [openbsd-compat/mktemp.c] - use arc4random_uniform(); ok djm millert - - millert@cvs.openbsd.org 2008/08/21 16:54:44 - [openbsd-compat/mktemp.c] - Remove useless code, the kernel will set errno appropriately if an - element in the path does not exist. OK deraadt@ pvalchev@ - - otto@cvs.openbsd.org 2008/12/09 19:38:38 - [openbsd-compat/inet_ntop.c] - fix inet_ntop(3) prototype; ok millert@ libc to be bumbed very soon - -20110922 - - OpenBSD CVS Sync - - pyr@cvs.openbsd.org 2011/05/12 07:15:10 - [openbsd-compat/glob.c] - When the max number of items for a directory has reached GLOB_LIMIT_READDIR - an error is returned but closedir() is not called. - spotted and fix provided by Frank Denis obsd-tech@pureftpd.org - ok otto@, millert@ - - stsp@cvs.openbsd.org 2011/09/20 10:18:46 - [glob.c] - In glob(3), limit recursion during matching attempts. Similar to - fnmatch fix. Also collapse consecutive '*' (from NetBSD). - ok miod deraadt - - djm@cvs.openbsd.org 2011/09/22 06:27:29 - [glob.c] - fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being - applied only to the gl_pathv vector and not the corresponding gl_statv - array. reported in OpenSSH bz#1935; feedback and okay matthew@ - - djm@cvs.openbsd.org 2011/08/26 01:45:15 - [ssh.1] - Add some missing ssh_config(5) options that can be used in ssh(1)'s - -o argument. 
Patch from duclare AT guu.fi - - djm@cvs.openbsd.org 2011/09/05 05:56:13 - [scp.1 sftp.1] - mention ControlPersist and KbdInteractiveAuthentication in the -o - verbiage in these pages too (prompted by jmc@) - - djm@cvs.openbsd.org 2011/09/05 05:59:08 - [misc.c] - fix typo in IPQoS parsing: there is no "AF14" class, but there is - an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk - - jmc@cvs.openbsd.org 2011/09/05 07:01:44 - [scp.1] - knock out a useless Ns; - - deraadt@cvs.openbsd.org 2011/09/07 02:18:31 - [ssh-keygen.1] - typo (they vs the) found by Lawrence Teo - - djm@cvs.openbsd.org 2011/09/09 00:43:00 - [ssh_config.5 sshd_config.5] - fix typo in IPQoS parsing: there is no "AF14" class, but there is - an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk - - djm@cvs.openbsd.org 2011/09/09 00:44:07 - [PROTOCOL.mux] - MUX_C_CLOSE_FWD includes forward type in message (though it isn't - implemented anyway) - - djm@cvs.openbsd.org 2011/09/09 22:37:01 - [scp.c] - suppress adding '--' to remote commandlines when the first argument - does not start with '-'. saves breakage on some difficult-to-upgrade - embedded/router platforms; feedback & ok dtucker ok markus - - djm@cvs.openbsd.org 2011/09/09 22:38:21 - [sshd.c] - kill the preauth privsep child on fatal errors in the monitor; - ok markus@ - - djm@cvs.openbsd.org 2011/09/09 22:46:44 - [channels.c channels.h clientloop.h mux.c ssh.c] - support for cancelling local and remote port forwards via the multiplex - socket. 
Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request - the cancellation of the specified forwardings; ok markus@ - - markus@cvs.openbsd.org 2011/09/10 22:26:34 - [channels.c channels.h clientloop.c ssh.1] - support cancellation of local/dynamic forwardings from ~C commandline; - ok & feedback djm@ - - okan@cvs.openbsd.org 2011/09/11 06:59:05 - [ssh.1] - document new -O cancel command; ok djm@ - - markus@cvs.openbsd.org 2011/09/11 16:07:26 - [sftp-client.c] - fix leaks in do_hardlink() and do_readlink(); bz#1921 - from Loganaden Velvindron - - markus@cvs.openbsd.org 2011/09/12 08:46:15 - [sftp-client.c] - fix leak in do_lsreaddir(); ok djm - - djm@cvs.openbsd.org 2011/09/22 06:29:03 - [sftp.c] - don't let remote_glob() implicitly sort its results in do_globbed_ls() - - in all likelihood, they will be resorted anyway - -20110909 - - (dtucker) [entropy.h] Bug #1932: remove old definition of init_rng. From - Colin Watson. - -20110906 - - (djm) [README version.h] Correct version - - (djm) [contrib/redhat/openssh.spec] Correct restorcon => restorecon - - (djm) Respin OpenSSH-5.9p1 release - -20110905 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update version numbers. - -20110904 - - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal - regress errors for the sandbox to warnings. ok tim dtucker - - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations - ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen - support. - -20110829 - - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting - to switch SELinux context away from unconfined_t, based on patch from - Jan Chadima; bz#1919 ok dtucker@ - -20110827 - - (dtucker) [auth-skey.c] Add log.h to fix build --with-skey. 
- -20110818 - - (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze - -20110817 - - (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for - OpenSSL 0.9.7. ok djm - - (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h] - binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen - - (djm) [configure.ac] error out if the host lacks the necessary bits for - an explicitly requested sandbox type - - (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by - bisson AT archlinux.org - - (djm) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2011/06/03 05:35:10 - [regress/cfgmatch.sh] - use OBJ to find test configs, patch from Tim Rice - - markus@cvs.openbsd.org 2011/06/30 22:44:43 - [regress/connect-privsep.sh] - test with sandbox enabled; ok djm@ - - djm@cvs.openbsd.org 2011/08/02 01:23:41 - [regress/cipher-speed.sh regress/try-ciphers.sh] - add SHA256/SHA512 based HMAC modes - - (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2 - MAC tests for platforms that hack EVP_SHA2 support - -20110812 - - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context - change error by reporting old and new context names Patch from - jchadima at redhat. - - (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init] - [contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES - init scrips from imorgan AT nas.nasa.gov; bz#1920 - - (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the - identify file contained whitespace. bz#1828 patch from gwenael.lambrouin - AT gmail.com; ok dtucker@ - -20110807 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2008/06/26 06:59:39 - [moduli.5] - tweak previous; - - sobrado@cvs.openbsd.org 2009/10/28 08:56:54 - [moduli.5] - "Diffie-Hellman" is the usual spelling for the cryptographic protocol - first published by Whitfield Diffie and Martin Hellman in 1976. 
- ok jmc@ - - jmc@cvs.openbsd.org 2010/10/14 20:41:28 - [moduli.5] - probabalistic -> probabilistic; from naddy - - dtucker@cvs.openbsd.org 2011/08/07 12:55:30 - [sftp.1] - typo, fix from Laurent Gautrot - -20110805 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/06/23 23:35:42 - [monitor.c] - ignore EINTR errors from poll() - - tedu@cvs.openbsd.org 2011/07/06 18:09:21 - [authfd.c] - bzero the agent address. the kernel was for a while very cranky about - these things. evne though that's fixed, always good to initialize - memory. ok deraadt djm - - djm@cvs.openbsd.org 2011/07/29 14:42:45 - [sandbox-systrace.c] - fail open(2) with EPERM rather than SIGKILLing the whole process. libc - will call open() to do strerror() when NLS is enabled; - feedback and ok markus@ - - markus@cvs.openbsd.org 2011/08/01 19:18:15 - [gss-serv.c] - prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); - report Adam Zabrock; ok djm@, deraadt@ - - djm@cvs.openbsd.org 2011/08/02 01:22:11 - [mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] - Add new SHA256 and SHA512 based HMAC modes from - http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt - Patch from mdb AT juniper.net; feedback and ok markus@ - - djm@cvs.openbsd.org 2011/08/02 23:13:01 - [version.h] - crank now, release later - - djm@cvs.openbsd.org 2011/08/02 23:15:03 - [ssh.c] - typo in comment - -20110624 - - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for - Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing - markus@ - -20110623 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/06/22 21:47:28 - [servconf.c] - reuse the multistate option arrays to pretty-print options for "sshd -T" - - djm@cvs.openbsd.org 2011/06/22 21:57:01 - [servconf.c servconf.h sshd.c sshd_config.5] - [configure.ac Makefile.in] - introduce sandboxing of the pre-auth privsep child using systrace(4). 
- - This introduces a new "UsePrivilegeSeparation=sandbox" option for - sshd_config that applies mandatory restrictions on the syscalls the - privsep child can perform. This prevents a compromised privsep child - from being used to attack other hosts (by opening sockets and proxying) - or probing local kernel attack surface. - - The sandbox is implemented using systrace(4) in unsupervised "fast-path" - mode, where a list of permitted syscalls is supplied. Any syscall not - on the list results in SIGKILL being sent to the privsep child. Note - that this requires a kernel with the new SYSTR_POLICY_KILL option. - - UsePrivilegeSeparation=sandbox will become the default in the future - so please start testing it now. - - feedback dtucker@; ok markus@ - - djm@cvs.openbsd.org 2011/06/22 22:08:42 - [channels.c channels.h clientloop.c clientloop.h mux.c ssh.c] - hook up a channel confirm callback to warn the user then requested X11 - forwarding was refused by the server; ok markus@ - - djm@cvs.openbsd.org 2011/06/23 09:34:13 - [sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c] - [sandbox-null.c] - rename sandbox.h => ssh-sandbox.h to make things easier for portable - - (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support - setrlimit(2) - -20110620 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/06/04 00:10:26 - [ssh_config.5] - explain IdentifyFile's semantics a little better, prompted by bz#1898 - ok dtucker jmc - - markus@cvs.openbsd.org 2011/06/14 22:49:18 - [authfile.c] - make sure key_parse_public/private_rsa1() no longer consumes its input - buffer. 
fixes ssh-add for passphrase-protected ssh1-keys; - noted by naddy@; ok djm@ - - djm@cvs.openbsd.org 2011/06/17 21:44:31 - [log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c] - make the pre-auth privsep slave log via a socketpair shared with the - monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@ - - djm@cvs.openbsd.org 2011/06/17 21:46:16 - [sftp-server.c] - the protocol version should be unsigned; bz#1913 reported by mb AT - smartftp.com - - djm@cvs.openbsd.org 2011/06/17 21:47:35 - [servconf.c] - factor out multi-choice option parsing into a parse_multistate label - and some support structures; ok dtucker@ - - djm@cvs.openbsd.org 2011/06/17 21:57:25 - [clientloop.c] - setproctitle for a mux master that has been gracefully stopped; - bz#1911 from Bert.Wesarg AT googlemail.com - -20110603 - - (dtucker) [README version.h contrib/caldera/openssh.spec - contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version - bumps from the 5.8p2 branch into HEAD. ok djm. - - (tim) [configure.ac defines.h] Run test program to detect system mail - directory. Add --with-maildir option to override. Fixed OpenServer 6 - getting it wrong. Fixed many systems having MAIL=/var/mail//username - ok dtucker - - (dtucker) [monitor.c] Remove the !HAVE_SOCKETPAIR case. We use socketpair - unconditionally in other places and the survey data we have does not show - any systems that use it. "nuke it" djm@ - - (djm) [configure.ac] enable setproctitle emulation for OS X - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/06/03 00:54:38 - [ssh.c] - bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg - AT googlemail.com; ok dtucker@ - NB. includes additional portability code to enable setproctitle emulation - on platforms that don't support it. 
- - dtucker@cvs.openbsd.org 2011/06/03 01:37:40 - [ssh-agent.c] - Check current parent process ID against saved one to determine if the parent - has exited, rather than attempting to send a zero signal, since the latter - won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn - Gillmor, ok djm@ - - dtucker@cvs.openbsd.org 2011/05/31 02:01:58 - [regress/dynamic-forward.sh] - back out revs 1.6 and 1.5 since it's not reliable - - dtucker@cvs.openbsd.org 2011/05/31 02:03:34 - [regress/dynamic-forward.sh] - work around startup and teardown races; caught by deraadt - - dtucker@cvs.openbsd.org 2011/06/03 00:29:52 - [regress/dynamic-forward.sh] - Retry establishing the port forwarding after a small delay, should make - the tests less flaky when the previous test is slow to shut down and free - up the port. - - (tim) [regress/cfgmatch.sh] Build/test out of tree fix. - -20110529 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/05/23 03:30:07 - [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c] - [pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] - allow AuthorizedKeysFile to specify multiple files, separated by spaces. - Bring back authorized_keys2 as a default search path (to avoid breaking - existing users of this file), but override this in sshd_config so it will - be no longer used on fresh installs. 
Maybe in 2015 we can remove it - entierly :) - - feedback and ok markus@ dtucker@ - - djm@cvs.openbsd.org 2011/05/23 03:33:38 - [auth.c] - make secure_filename() spam debug logs less - - djm@cvs.openbsd.org 2011/05/23 03:52:55 - [sshconnect.c] - remove extra newline - - jmc@cvs.openbsd.org 2011/05/23 07:10:21 - [sshd.8 sshd_config.5] - tweak previous; ok djm - - djm@cvs.openbsd.org 2011/05/23 07:24:57 - [authfile.c] - read in key comments for v.2 keys (though note that these are not - passed over the agent protocol); bz#439, based on patch from binder - AT arago.de; ok markus@ - - djm@cvs.openbsd.org 2011/05/24 07:15:47 - [readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c] - Remove undocumented legacy options UserKnownHostsFile2 and - GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile - accept multiple paths per line and making their defaults include - known_hosts2; ok markus - - djm@cvs.openbsd.org 2011/05/23 03:31:31 - [regress/cfgmatch.sh] - include testing of multiple/overridden AuthorizedKeysFiles - refactor to simply daemon start/stop and get rid of racy constructs - -20110520 - - (djm) [session.c] call setexeccon() before executing passwd for pw - changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@ - - (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options - options, we should corresponding -W-option when trying to determine - whether it is accepted. Also includes a warning fix on the program - fragment uses (bad main() return type). 
- bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@ - - (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/05/15 08:09:01 - [authfd.c monitor.c serverloop.c] - use FD_CLOEXEC consistently; patch from zion AT x96.org - - djm@cvs.openbsd.org 2011/05/17 07:13:31 - [key.c] - fatal() if asked to generate a legacy ECDSA cert (these don't exist) - and fix the regress test that was trying to generate them :) - - djm@cvs.openbsd.org 2011/05/20 00:55:02 - [servconf.c] - the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile - and AuthorizedPrincipalsFile were not being correctly applied in - Match blocks, despite being overridable there; ok dtucker@ - - dtucker@cvs.openbsd.org 2011/05/20 02:00:19 - [servconf.c] - Add comment documenting what should be after the preauth check. ok djm - - djm@cvs.openbsd.org 2011/05/20 03:25:45 - [monitor.c monitor_wrap.c servconf.c servconf.h] - use a macro to define which string options to copy between configs - for Match. 
This avoids problems caused by forgetting to keep three - code locations in perfect sync and ordering - - "this is at once beautiful and horrible" + ok dtucker@ - - djm@cvs.openbsd.org 2011/05/17 07:13:31 - [regress/cert-userkey.sh] - fatal() if asked to generate a legacy ECDSA cert (these don't exist) - and fix the regress test that was trying to generate them :) - - djm@cvs.openbsd.org 2011/05/20 02:43:36 - [cert-hostkey.sh] - another attempt to generate a v00 ECDSA key that broke the test - ID sync only - portable already had this somehow - - dtucker@cvs.openbsd.org 2011/05/20 05:19:50 - [dynamic-forward.sh] - Prevent races in dynamic forwarding test; ok djm - - dtucker@cvs.openbsd.org 2011/05/20 06:32:30 - [dynamic-forward.sh] - fix dumb error in dynamic-forward test - -20110515 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/05/05 05:12:08 - [mux.c] - gracefully fall back when ControlPath is too large for a - sockaddr_un. ok markus@ as part of a larger diff - - dtucker@cvs.openbsd.org 2011/05/06 01:03:35 - [sshd_config] - clarify language about overriding defaults. bz#1892, from Petr Cerny - - djm@cvs.openbsd.org 2011/05/06 01:09:53 - [sftp.1] - mention that IPv6 addresses must be enclosed in square brackets; - bz#1845 - - djm@cvs.openbsd.org 2011/05/06 02:05:41 - [sshconnect2.c] - fix memory leak; bz#1849 ok dtucker@ - - djm@cvs.openbsd.org 2011/05/06 21:14:05 - [packet.c packet.h] - set traffic class for IPv6 traffic as we do for IPv4 TOS; - patch from lionel AT mamane.lu via Colin Watson in bz#1855; - ok markus@ - - djm@cvs.openbsd.org 2011/05/06 21:18:02 - [ssh.c ssh_config.5] - add a %L expansion (short-form of the local host name) for ControlPath; - sync some more expansions with LocalCommand; ok markus@ - - djm@cvs.openbsd.org 2011/05/06 21:31:38 - [readconf.c ssh_config.5] - support negated Host matching, e.g. 
- - Host *.example.org !c.example.org - User mekmitasdigoat - - Will match "a.example.org", "b.example.org", but not "c.example.org" - ok markus@ - - djm@cvs.openbsd.org 2011/05/06 21:34:32 - [clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5] - Add a RequestTTY ssh_config option to allow configuration-based - control over tty allocation (like -t/-T); ok markus@ - - djm@cvs.openbsd.org 2011/05/06 21:38:58 - [ssh.c] - fix dropping from previous diff - - djm@cvs.openbsd.org 2011/05/06 22:20:10 - [PROTOCOL.mux] - fix numbering; from bert.wesarg AT googlemail.com - - jmc@cvs.openbsd.org 2011/05/07 23:19:39 - [ssh_config.5] - - tweak previous - - come consistency fixes - ok djm - - jmc@cvs.openbsd.org 2011/05/07 23:20:25 - [ssh.1] - +.It RequestTTY - - djm@cvs.openbsd.org 2011/05/08 12:52:01 - [PROTOCOL.mux clientloop.c clientloop.h mux.c] - improve our behaviour when TTY allocation fails: if we are in - RequestTTY=auto mode (the default), then do not treat at TTY - allocation error as fatal but rather just restore the local TTY - to cooked mode and continue. This is more graceful on devices that - never allocate TTYs. - - If RequestTTY is set to "yes" or "force", then failure to allocate - a TTY is fatal. 
- - ok markus@ - - djm@cvs.openbsd.org 2011/05/10 05:46:46 - [authfile.c] - despam debug() logs by detecting that we are trying to load a private key - in key_try_load_public() and returning early; ok markus@ - - djm@cvs.openbsd.org 2011/05/11 04:47:06 - [auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h] - remove support for authorized_keys2; it is a relic from the early days - of protocol v.2 support and has been undocumented for many years; - ok markus@ - - djm@cvs.openbsd.org 2011/05/13 00:05:36 - [authfile.c] - warn on unexpected key type in key_parse_private_type() - - (djm) [packet.c] unbreak portability #endif - -20110510 - - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix - --with-ssl-engine which was broken with the change from deprecated - SSLeay_add_all_algorithms(). ok djm - -20110506 - - (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1875: add prototype - for closefrom() in test code. Report from Dan Wallis via Gentoo. - -20110505 - - (djm) [defines.h] Move up include of netinet/ip.h for IPTOS - definitions. From des AT des.no - - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac] - [entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] - [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] - [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] - [regress/README.regress] Remove ssh-rand-helper and all its - tentacles. PRNGd seeding has been rolled into entropy.c directly. - Thanks to tim@ for testing on affected platforms. 
- - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/03/10 02:52:57 - [auth2-gss.c auth2.c auth.h] - allow GSSAPI authentication to detect when a server-side failure causes - authentication failure and don't count such failures against MaxAuthTries; - bz#1244 from simon AT sxw.org.uk; ok markus@ before lock - - okan@cvs.openbsd.org 2011/03/15 10:36:02 - [ssh-keyscan.c] - use timerclear macro - ok djm@ - - stevesk@cvs.openbsd.org 2011/03/23 15:16:22 - [ssh-keygen.1 ssh-keygen.c] - Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) - for which host keys do not exist, generate the host keys with the - default key file path, an empty passphrase, default bits for the key - type, and default comment. This will be used by /etc/rc to generate - new host keys. Idea from deraadt. - ok deraadt - - stevesk@cvs.openbsd.org 2011/03/23 16:24:56 - [ssh-keygen.1] - -q not used in /etc/rc now so remove statement. - - stevesk@cvs.openbsd.org 2011/03/23 16:50:04 - [ssh-keygen.c] - remove -d, documentation removed >10 years ago; ok markus - - jmc@cvs.openbsd.org 2011/03/24 15:29:30 - [ssh-keygen.1] - zap trailing whitespace; - - stevesk@cvs.openbsd.org 2011/03/24 22:14:54 - [ssh-keygen.c] - use strcasecmp() for "clear" cert permission option also; ok djm - - stevesk@cvs.openbsd.org 2011/03/29 18:54:17 - [misc.c misc.h servconf.c] - print ipqos friendly string for sshd -T; ok markus - # sshd -Tf sshd_config|grep ipqos - ipqos lowdelay throughput - - djm@cvs.openbsd.org 2011/04/12 04:23:50 - [ssh-keygen.c] - fix -Wshadow - - djm@cvs.openbsd.org 2011/04/12 05:32:49 - [sshd.c] - exit with 0 status on SIGTERM; bz#1879 - - djm@cvs.openbsd.org 2011/04/13 04:02:48 - [ssh-keygen.1] - improve wording; bz#1861 - - djm@cvs.openbsd.org 2011/04/13 04:09:37 - [ssh-keygen.1] - mention valid -b sizes for ECDSA keys; bz#1862 - - djm@cvs.openbsd.org 2011/04/17 22:42:42 - [PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c] - allow graceful shutdown of multiplexing: request that a mux 
server - removes its listener socket and refuse future multiplexing requests; - ok markus@ - - djm@cvs.openbsd.org 2011/04/18 00:46:05 - [ssh-keygen.c] - certificate options are supposed to be packed in lexical order of - option name (though we don't actually enforce this at present). - Move one up that was out of sequence - - djm@cvs.openbsd.org 2011/05/04 21:15:29 - [authfile.c authfile.h ssh-add.c] - allow "ssh-add - < key"; feedback and ok markus@ - - (tim) [configure.ac] Add AC_LANG_SOURCE to OPENSSH_CHECK_CFLAG_COMPILE - so autoreconf 2.68 is happy. - - (tim) [defines.h] Deal with platforms that do not have S_IFSOCK ok djm@ - -20110221 - - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the - Cygwin-specific service installer script ssh-host-config. The actual - functionality is the same, the revisited version is just more - exact when it comes to check for problems which disallow to run - certain aspects of the script. So, part of this script and the also - rearranged service helper script library "csih" is to check if all - the tools required to run the script are available on the system. - The new script also is more thorough to inform the user why the - script failed. Patch from vinschen at redhat com. - -20110218 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/02/16 00:31:14 - [ssh-keysign.c] - make hostbased auth with ECDSA keys work correctly. Based on patch - by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock) - -20110206 - - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in - selinux code. Patch from Leonardo Chiquitto - - (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA key - generation and simplify. Patch from Corinna Vinschen. 
- -20110204 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/31 21:42:15 - [PROTOCOL.mux] - cut'n'pasto; from bert.wesarg AT googlemail.com - - djm@cvs.openbsd.org 2011/02/04 00:44:21 - [key.c] - fix uninitialised nonce variable; reported by Mateusz Kocielski - - djm@cvs.openbsd.org 2011/02/04 00:44:43 - [version.h] - openssh-5.8 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] update versions in docs and spec files. - - Release OpenSSH 5.8p1 - -20110128 - - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled - before attempting setfscreatecon(). Check whether matchpathcon() - succeeded before using its result. Patch from cjwatson AT debian.org; - bz#1851 - -20110127 - - (tim) [config.guess config.sub] Sync with upstream. - - (tim) [configure.ac] Consistent M4 quoting throughout, updated obsolete - AC_TRY_COMPILE with AC_COMPILE_IFELSE, updated obsolete AC_TRY_LINK with - AC_LINK_IFELSE, updated obsolete AC_TRY_RUN with AC_RUN_IFELSE, misc white - space changes for consistency/readability. Makes autoconf 2.68 happy. - "Nice work" djm - -20110125 - - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c - openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to - port-linux.c to avoid compilation errors. Add -lselinux to ssh when - building with SELinux support to avoid linking failure; report from - amk AT spamfence.net; ok dtucker - -20110122 - - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add - RSA_get_default_method() for the benefit of openssl versions that don't - have it (at least openssl-engine-0.9.6b). Found and tested by Kevin Brott, - ok djm@. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/22 09:18:53 - [version.h] - crank to OpenSSH-5.7 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] update versions in docs and spec files. 
- - (djm) Release 5.7p1 - -20110119 - - (tim) [contrib/caldera/openssh.spec] Use CFLAGS from Makefile instead - of RPM so build completes. Signatures were changed to .asc since 4.1p1. - - (djm) [configure.ac] Disable ECC on OpenSSL <0.9.8g. Releases prior to - 0.9.8 lacked it, and 0.9.8a through 0.9.8d have proven buggy in pre- - release testing (random crashes and failure to load ECC keys). - ok dtucker@ - -20110117 - - (djm) [regress/Makefile] use $TEST_SSH_KEYGEN instead of the one in - $PATH, fix cleanup of droppings; reported by openssh AT - roumenpetrov.info; ok dtucker@ - - (djm) [regress/agent-ptrace.sh] Fix false failure on OS X by adding - its unique snowflake of a gdb error to the ones we look for. - - (djm) [regress/agent-getpeereid.sh] leave stdout attached when running - ssh-add to avoid $SUDO failures on Linux - - (dtucker) [openbsd-compat/port-linux.c] Bug #1838: Add support for the new - Linux OOM-killer magic values that changed in 2.6.36 kernels, with fallback - to the old values. Feedback from vapier at gentoo org and djm, ok djm. - - (djm) [configure.ac regress/agent-getpeereid.sh regress/multiplex.sh] - [regress/sftp-glob.sh regress/test-exec.sh] Rework how feature tests are - disabled on platforms that do not support them; add a "config_defined()" - shell function that greps for defines in config.h and use them to decide - on feature tests. - Convert a couple of existing grep's over config.h to use the new function - Add a define "FILESYSTEM_NO_BACKSLASH" for filesystem that can't represent - backslash characters in filenames, enable it for Cygwin and use it to turn - of tests for quotes backslashes in sftp-glob.sh. - based on discussion with vinschen AT redhat.com and dtucker@; ok dtucker@ - - (tim) [regress/agent-getpeereid.sh] shell portability fix. - - (dtucker) [openbsd-compat/port-linux.c] Fix minor bug caught by -Werror on - the tinderbox. 
- - (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h - configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem - support, based on patches from Tomas Mraz and jchadima at redhat. - -20110116 - - (dtucker) [Makefile.in configure.ac regress/kextype.sh] Skip sha256-based - on configurations that don't have it. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/16 11:50:05 - [clientloop.c] - Use atomicio when flushing protocol 1 std{out,err} buffers at - session close. This was a latent bug exposed by setting a SIGCHLD - handler and spotted by kevin.brott AT gmail.com; ok dtucker@ - - djm@cvs.openbsd.org 2011/01/16 11:50:36 - [sshconnect.c] - reset the SIGPIPE handler when forking to execute child processes; - ok dtucker@ - - djm@cvs.openbsd.org 2011/01/16 12:05:59 - [clientloop.c] - a couple more tweaks to the post-close protocol 1 stderr/stdout flush: - now that we use atomicio(), convert them from while loops to if statements - add test and cast to compile cleanly with -Wsigned - -20110114 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/13 21:54:53 - [mux.c] - correct error messages; patch from bert.wesarg AT googlemail.com - - djm@cvs.openbsd.org 2011/01/13 21:55:25 - [PROTOCOL.mux] - correct protocol names and add a couple of missing protocol number - defines; patch from bert.wesarg AT googlemail.com - - (djm) [Makefile.in] Use shell test to disable ecdsa key generating in - host-key-force target rather than a substitution that is replaced with a - comment so that the Makefile.in is still a syntactically valid Makefile - (useful to run the distprep target) - - (tim) [regress/cert-hostkey.sh] Typo. Missing $ on variable name. - - (tim) [regress/cert-hostkey.sh] Add missing TEST_SSH_ECC guard around some - ecdsa bits. - -20110113 - - (djm) [misc.c] include time.h for nanosleep() prototype - - (tim) [Makefile.in] test the ECC bits if we have the capability. 
ok djm - - (tim) [Makefile.in configure.ac opensshd.init.in] Add support for generating - ecdsa keys. ok djm. - - (djm) [entropy.c] cast OPENSSL_VERSION_NUMBER to u_long to avoid - gcc warning on platforms where it defaults to int - - (djm) [regress/Makefile] add a few more generated files to the clean - target - - (djm) [myproposal.h] Fix reversed OPENSSL_VERSION_NUMBER test and bad - #define that was causing diffie-hellman-group-exchange-sha256 to be - incorrectly disabled - - (djm) [regress/kextype.sh] Testing diffie-hellman-group-exchange-sha256 - should not depend on ECC support - -20110112 - - OpenBSD CVS Sync - - nicm@cvs.openbsd.org 2010/10/08 21:48:42 - [openbsd-compat/glob.c] - Extend GLOB_LIMIT to cover readdir and stat and bump the malloc limit - from ARG_MAX to 64K. - Fixes glob-using programs (notably ftp) able to be triggered to hit - resource limits. - Idea from a similar NetBSD change, original problem reported by jasper@. - ok millert tedu jasper - - djm@cvs.openbsd.org 2011/01/12 01:53:14 - avoid some integer overflows mostly with GLOB_APPEND and GLOB_DOOFFS - and sanity check arguments (these will be unnecessary when we switch - struct glob members from being type into to size_t in the future); - "looks ok" tedu@ feedback guenther@ - - (djm) [configure.ac] Turn on -Wno-unused-result for gcc >= 4.4 to avoid - silly warnings on write() calls we don't care succeed or not. - - (djm) [configure.ac] Fix broken test for gcc >= 4.4 with per-compiler - flag tests that don't depend on gcc version at all; suggested by and - ok dtucker@ - -20110111 - - (tim) [regress/host-expand.sh] Fix for building outside of read only - source tree. 
- - (djm) [platform.c] Some missing includes that show up under -Werror - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2011/01/08 10:51:51 - [clientloop.c] - use host and not options.hostname, as the latter may have unescaped - substitution characters - - djm@cvs.openbsd.org 2011/01/11 06:06:09 - [sshlogin.c] - fd leak on error paths; from zinovik@ - NB. Id sync only; we use loginrec.c that was also audited and fixed - recently - - djm@cvs.openbsd.org 2011/01/11 06:13:10 - [clientloop.c ssh-keygen.c sshd.c] - some unsigned long long casts that make things a bit easier for - portable without resorting to dropping PRIu64 formats everywhere - -20110109 - - (djm) [Makefile.in] list ssh_host_ecdsa key in PATHSUBS; spotted by - openssh AT roumenpetrov.info - -20110108 - - (djm) [regress/keytype.sh] s/echo -n/echon/ to repair failing regress - test on OSX and others. Reported by imorgan AT nas.nasa.gov - -20110107 - - (djm) [regress/cert-hostkey.sh regress/cert-userkey.sh] fix shell test - for no-ECC case. Patch from cristian.ionescu-idbohrn AT axis.com - - djm@cvs.openbsd.org 2011/01/06 22:23:53 - [ssh.c] - unbreak %n expansion in LocalCommand; patch from bert.wesarg AT - googlemail.com; ok markus@ - - djm@cvs.openbsd.org 2011/01/06 22:23:02 - [clientloop.c] - when exiting due to ServerAliveTimeout, mention the hostname that caused - it (useful with backgrounded controlmaster) - - djm@cvs.openbsd.org 2011/01/06 22:46:21 - [regress/Makefile regress/host-expand.sh] - regress test for LocalCommand %n expansion from bert.wesarg AT - googlemail.com; ok markus@ - - djm@cvs.openbsd.org 2011/01/06 23:01:35 - [sshconnect.c] - reset SIGCHLD handler to SIG_DFL when execuring LocalCommand; - ok markus@ - -20110106 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2010/12/08 22:46:03 - [scp.1 scp.c] - add a new -3 option to scp: Copies between two remote hosts are - transferred through the local host. Without this option the data - is copied directly between the two remote hosts. 
ok djm@ (bugzilla #1837) - - jmc@cvs.openbsd.org 2010/12/09 14:13:33 - [scp.1 scp.c] - scp.1: grammer fix - scp.c: add -3 to usage() - - markus@cvs.openbsd.org 2010/12/14 11:59:06 - [sshconnect.c] - don't mention key type in key-changed-warning, since we also print - this warning if a new key type appears. ok djm@ - - djm@cvs.openbsd.org 2010/12/15 00:49:27 - [readpass.c] - fix ControlMaster=ask regression - reset SIGCHLD handler before fork (and restore it after) so we don't miss - the the askpass child's exit status. Correct test for exit status/signal to - account for waitpid() failure; with claudio@ ok claudio@ markus@ - - djm@cvs.openbsd.org 2010/12/24 21:41:48 - [auth-options.c] - don't send the actual forced command in a debug message; ok markus deraadt - - otto@cvs.openbsd.org 2011/01/04 20:44:13 - [ssh-keyscan.c] - handle ecdsa-sha2 with various key lengths; hint and ok djm@ - -20110104 - - (djm) [configure.ac Makefile.in] Use mandoc as preferred manpage - formatter if it is present, followed by nroff and groff respectively. - Fixes distprep target on OpenBSD (which has bumped groff/nroff to ports - in favour of mandoc). feedback and ok tim - -20110103 - - (djm) [Makefile.in] revert local hack I didn't intend to commit - -20110102 - - (djm) [loginrec.c] Fix some fd leaks on error paths. ok dtucker - - (djm) [configure.ac] Check whether libdes is needed when building - with Heimdal krb5 support. On OpenBSD this library no longer exists, - so linking it unconditionally causes a build failure; ok dtucker - -20101226 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/12/08 04:02:47 - [ssh_config.5 sshd_config.5] - explain that IPQoS arguments are separated by whitespace; iirc requested - by jmc@ a while back - -20101205 - - (dtucker) openbsd-compat/openssl-compat.c] remove sleep leftover from - debugging. Spotted by djm. 
- - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/12/03 23:49:26 - [schnorr.c] - check that g^x^q === 1 mod p; recommended by JPAKE author Feng Hao - (this code is still disabled, but apprently people are treating it as - a reference implementation) - - djm@cvs.openbsd.org 2010/12/03 23:55:27 - [auth-rsa.c] - move check for revoked keys to run earlier (in auth_rsa_key_allowed) - bz#1829; patch from ldv AT altlinux.org; ok markus@ - - djm@cvs.openbsd.org 2010/12/04 00:18:01 - [sftp-server.c sftp.1 sftp-client.h sftp.c PROTOCOL sftp-client.c] - add a protocol extension to support a hard link operation. It is - available through the "ln" command in the client. The old "ln" - behaviour of creating a symlink is available using its "-s" option - or through the preexisting "symlink" command; based on a patch from - miklos AT szeredi.hu in bz#1555; ok markus@ - - djm@cvs.openbsd.org 2010/12/04 13:31:37 - [hostfile.c] - fix fd leak; spotted and ok dtucker - - djm@cvs.openbsd.org 2010/12/04 00:21:19 - [regress/sftp-cmds.sh] - adjust for hard-link support - - (dtucker) [regress/Makefile] Id sync. - -20101204 - - (djm) [openbsd-compat/bindresvport.c] Use arc4random_uniform(range) - instead of (arc4random() % range) - - (dtucker) [configure.ac moduli.c openbsd-compat/openssl-compat.{c,h}] Add - shims for the new, non-deprecated OpenSSL key generation functions for - platforms that don't have the new interfaces. - -20101201 - - OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2010/11/20 05:12:38 - [auth2-pubkey.c] - clean up cases of ;; - - djm@cvs.openbsd.org 2010/11/21 01:01:13 - [clientloop.c misc.c misc.h ssh-agent.1 ssh-agent.c] - honour $TMPDIR for client xauth and ssh-agent temporary directories; - feedback and ok markus@ - - djm@cvs.openbsd.org 2010/11/21 10:57:07 - [authfile.c] - Refactor internals of private key loading and saving to work on memory - buffers rather than directly on files. 
This will make a few things - easier to do in the future; ok markus@ - - djm@cvs.openbsd.org 2010/11/23 02:35:50 - [auth.c] - use strict_modes already passed as function argument over referencing - global options.strict_modes - - djm@cvs.openbsd.org 2010/11/23 23:57:24 - [clientloop.c] - avoid NULL deref on receiving a channel request on an unknown or invalid - channel; report bz#1842 from jchadima AT redhat.com; ok dtucker@ - - djm@cvs.openbsd.org 2010/11/24 01:24:14 - [channels.c] - remove a debug() that pollutes stderr on client connecting to a server - in debug mode (channel_close_fds is called transitively from the session - code post-fork); bz#1719, ok dtucker - - djm@cvs.openbsd.org 2010/11/25 04:10:09 - [session.c] - replace close() loop for fds 3->64 with closefrom(); - ok markus deraadt dtucker - - djm@cvs.openbsd.org 2010/11/26 05:52:49 - [scp.c] - Pass through ssh command-line flags and options when doing remote-remote - transfers, e.g. to enable agent forwarding which is particularly useful - in this case; bz#1837 ok dtucker@ - - markus@cvs.openbsd.org 2010/11/29 18:57:04 - [authfile.c] - correctly load comment for encrypted rsa1 keys; - report/fix Joachim Schipper; ok djm@ - - djm@cvs.openbsd.org 2010/11/29 23:45:51 - [auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c] - [sshconnect.h sshconnect2.c] - automatically order the hostkeys requested by the client based on - which hostkeys are already recorded in known_hosts. This avoids - hostkey warnings when connecting to servers with new ECDSA keys - that are preferred by default; with markus@ - -20101124 - - (dtucker) [platform.c session.c] Move the getluid call out of session.c and - into the platform-specific code Only affects SCO, tested by and ok tim@. - - (djm) [loginrec.c] Relax permission requirement on btmp logs to allow - group read/write. ok dtucker@ - - (dtucker) [packet.c] Remove redundant local declaration of "int tos". 
- - (djm) [defines.h] Add IP DSCP defines - -20101122 - - (dtucker) Bug #1840: fix warning when configuring --with-ssl-engine, patch - from vapier at gentoo org. - -20101120 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/11/05 02:46:47 - [packet.c] - whitespace KNF - - djm@cvs.openbsd.org 2010/11/10 01:33:07 - [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c moduli.c] - use only libcrypto APIs that are retained with OPENSSL_NO_DEPRECATED. - these have been around for years by this time. ok markus - - djm@cvs.openbsd.org 2010/11/13 23:27:51 - [clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h] - [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5] - allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of - hardcoding lowdelay/throughput. - - bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@ - - jmc@cvs.openbsd.org 2010/11/15 07:40:14 - [ssh_config.5] - libary -> library; - - jmc@cvs.openbsd.org 2010/11/18 15:01:00 - [scp.1 sftp.1 ssh.1 sshd_config.5] - add IPQoS to the various -o lists, and zap some trailing whitespace; - -20101111 - - (djm) [servconf.c ssh-add.c ssh-keygen.c] don't look for ECDSA keys on - platforms that don't support ECC. Fixes some spurious warnings reported - by tim@ - -20101109 - - (tim) [regress/kextype.sh] Not all platforms have time in /usr/bin. - Feedback from dtucker@ - - (tim) [configure.ac openbsd-compat/bsd-misc.h openbsd-compat/bsd-misc.c] Add - support for platforms missing isblank(). ok djm@ - -20101108 - - (tim) [regress/Makefile] Fixes to allow building/testing outside source - tree. - - (tim) [regress/kextype.sh] Shell portability fix. - -20101107 - - (dtucker) [platform.c] includes.h instead of defines.h so that we get - the correct typedefs. - -20101105 - - (djm) [loginrec.c loginrec.h] Use correct uid_t/pid_t types instead of - int. 
Should fix bz#1817 cleanly; ok dtucker@ - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/09/22 12:26:05 - [regress/Makefile regress/kextype.sh] - regress test for each of the key exchange algorithms that we support - - djm@cvs.openbsd.org 2010/10/28 11:22:09 - [authfile.c key.c key.h ssh-keygen.c] - fix a possible NULL deref on loading a corrupt ECDH key - - store ECDH group information in private keys files as "named groups" - rather than as a set of explicit group parameters (by setting - the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and - retrieves the group's OpenSSL NID that we need for various things. - - jmc@cvs.openbsd.org 2010/10/28 18:33:28 - [scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] - knock out some "-*- nroff -*-" lines; - - djm@cvs.openbsd.org 2010/11/04 02:45:34 - [sftp-server.c] - umask should be parsed as octal. reported by candland AT xmission.com; - ok markus@ - - (dtucker) [configure.ac platform.{c,h} session.c - openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support. - Patch from cory.erickson at csu mnscu edu with a bit of rework from me. - ok djm@ - - (dtucker) [platform.c platform.h session.c] Add a platform hook to run - after the user's groups are established and move the selinux calls into it. - - (dtucker) [platform.c session.c] Move the AIX setpcred+chroot hack into - platform.c - - (dtucker) [platform.c session.c] Move the BSDI setpgrp into platform.c. - - (dtucker) [platform.c] Only call setpgrp on BSDI if running as root to - retain previous behavior. - - (dtucker) [platform.c session.c] Move the PAM credential establishment for - the LOGIN_CAP case into platform.c. - - (dtucker) platform.c session.c] Move the USE_LIBIAF fragment into - platform.c - - (dtucker) [platform.c session.c] Move aix_usrinfo frament into platform.c. - - (dtucker) [platform.c session.c] Move irix setusercontext fragment into - platform.c. 
- - (dtucker) [platform.c session.c] Move PAM credential establishment for the - non-LOGIN_CAP case into platform.c. - - (dtucker) [platform.c platform.h session.c] Move the Cygwin special-case - check into platform.c - - (dtucker) [regress/keytype.sh] Import new test. - - (dtucker) [Makefile configure.ac regress/Makefile regress/keytype.sh] - Import recent changes to regress/Makefile, pass a flag to enable ECC tests - from configure through to regress/Makefile and use it in the tests. - - (dtucker) [regress/kextype.sh] Add missing "test". - - (dtucker) [regress/kextype.sh] Make sha256 test depend on ECC. This is not - strictly correct since while ECC requires sha256 the reverse is not true - however it does prevent spurious test failures. - - (dtucker) [platform.c] Need servconf.h and extern options. - -20101025 - - (tim) [openbsd-compat/glob.h] Remove sys/cdefs.h include that came with - 1.12 to unbreak Solaris build. - ok djm@ - - (dtucker) [defines.h] Use SIZE_T_MAX for SIZE_MAX for platforms that have a - native one. - -20101024 - - (dtucker) [includes.h] Add missing ifdef GLOB_HAS_GL_STATV to fix build. - - (dtucker) [regress/cert-hostkey.sh] Disable ECC-based tests on platforms - which don't have ECC support in libcrypto. - - (dtucker) [regress/cert-userkey.sh] Disable ECC-based tests on platforms - which don't have ECC support in libcrypto. - - (dtucker) [defines.h] Add SIZE_MAX for the benefit of platforms that don't - have it. - - (dtucker) OpenBSD CVS Sync - - sthen@cvs.openbsd.org 2010/10/23 22:06:12 - [sftp.c] - escape '[' in filename tab-completion; fix a type while there. - ok djm@ - -20101021 - - OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2010/10/12 02:22:24 - [mux.c] - Typo in confirmation message. 
bz#1827, patch from imorgan at - nas nasa gov - - djm@cvs.openbsd.org 2010/08/31 12:24:09 - [regress/cert-hostkey.sh regress/cert-userkey.sh] - tests for ECDSA certificates - -20101011 - - (djm) [canohost.c] Zero a4 instead of addr to better match type. - bz#1825, reported by foo AT mailinator.com - - (djm) [sshconnect.c] Need signal.h for prototype for kill(2) - -20101011 - - (djm) [configure.ac] Use = instead of == in shell tests. Patch from - dr AT vasco.com - -20101007 - - (djm) [ssh-agent.c] Fix type for curve name. - - (djm) OpenBSD CVS Sync - - matthew@cvs.openbsd.org 2010/09/24 13:33:00 - [misc.c misc.h configure.ac openbsd-compat/openbsd-compat.h] - [openbsd-compat/timingsafe_bcmp.c] - Add timingsafe_bcmp(3) to libc, mention that it's already in the - kernel in kern(9), and remove it from OpenSSH. - ok deraadt@, djm@ - NB. re-added under openbsd-compat/ for portable OpenSSH - - djm@cvs.openbsd.org 2010/09/25 09:30:16 - [sftp.c configure.ac openbsd-compat/glob.c openbsd-compat/glob.h] - make use of new glob(3) GLOB_KEEPSTAT extension to save extra server - rountrips to fetch per-file stat(2) information. - NB. update openbsd-compat/ glob(3) implementation from OpenBSD libc to - match. - - djm@cvs.openbsd.org 2010/09/26 22:26:33 - [sftp.c] - when performing an "ls" in columnated (short) mode, only call - ioctl(TIOCGWINSZ) once to get the window width instead of per- - filename - - djm@cvs.openbsd.org 2010/09/30 11:04:51 - [servconf.c] - prevent free() of string in .rodata when overriding AuthorizedKeys in - a Match block; patch from rein AT basefarm.no - - djm@cvs.openbsd.org 2010/10/01 23:05:32 - [cipher-3des1.c cipher-bf1.c cipher-ctr.c openbsd-compat/openssl-compat.h] - adapt to API changes in openssl-1.0.0a - NB. 
contains compat code to select correct API for older OpenSSL - - djm@cvs.openbsd.org 2010/10/05 05:13:18 - [sftp.c sshconnect.c] - use default shell /bin/sh if $SHELL is ""; ok markus@ - - djm@cvs.openbsd.org 2010/10/06 06:39:28 - [clientloop.c ssh.c sshconnect.c sshconnect.h] - kill proxy command on fatal() (we already kill it on clean exit); - ok markus@ - - djm@cvs.openbsd.org 2010/10/06 21:10:21 - [sshconnect.c] - swapped args to kill(2) - - (djm) [openbsd-compat/glob.c] restore ARG_MAX compat code. - - (djm) [cipher-acss.c] Add missing header. - - (djm) [openbsd-compat/Makefile.in] Actually link timingsafe_bcmp - -20100924 - - (djm) OpenBSD CVS Sync - - naddy@cvs.openbsd.org 2010/09/10 15:19:29 - [ssh-keygen.1] - * mention ECDSA in more places - * less repetition in FILES section - * SSHv1 keys are still encrypted with 3DES - help and ok jmc@ - - djm@cvs.openbsd.org 2010/09/11 21:44:20 - [ssh.1] - mention RFC 5656 for ECC stuff - - jmc@cvs.openbsd.org 2010/09/19 21:30:05 - [sftp.1] - more wacky macro fixing; - - djm@cvs.openbsd.org 2010/09/20 04:41:47 - [ssh.c] - install a SIGCHLD handler to reap expiried child process; ok markus@ - - djm@cvs.openbsd.org 2010/09/20 04:50:53 - [jpake.c schnorr.c] - check that received values are smaller than the group size in the - disabled and unfinished J-PAKE code. - avoids catastrophic security failure found by Sebastien Martini - - djm@cvs.openbsd.org 2010/09/20 04:54:07 - [jpake.c] - missing #include - - djm@cvs.openbsd.org 2010/09/20 07:19:27 - [mux.c] - "atomically" create the listening mux socket by binding it on a temorary - name and then linking it into position after listen() has succeeded. - this allows the mux clients to determine that the server socket is - either ready or stale without races. 
stale server sockets are now - automatically removed - ok deraadt - - djm@cvs.openbsd.org 2010/09/22 05:01:30 - [kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] - [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] - add a KexAlgorithms knob to the client and server configuration to allow - selection of which key exchange methods are used by ssh(1) and sshd(8) - and their order of preference. - ok markus@ - - jmc@cvs.openbsd.org 2010/09/22 08:30:08 - [ssh.1 ssh_config.5] - ssh.1: add kexalgorithms to the -o list - ssh_config.5: format the kexalgorithms in a more consistent - (prettier!) way - ok djm - - djm@cvs.openbsd.org 2010/09/22 22:58:51 - [atomicio.c atomicio.h misc.c misc.h scp.c sftp-client.c] - [sftp-client.h sftp.1 sftp.c] - add an option per-read/write callback to atomicio - - factor out bandwidth limiting code from scp(1) into a generic bandwidth - limiter that can be attached using the atomicio callback mechanism - - add a bandwidth limit option to sftp(1) using the above - "very nice" markus@ - - jmc@cvs.openbsd.org 2010/09/23 13:34:43 - [sftp.c] - add [-l limit] to usage(); - - jmc@cvs.openbsd.org 2010/09/23 13:36:46 - [scp.1 sftp.1] - add KexAlgorithms to the -o list; - -20100910 - - (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exact - return code since it can apparently return -1 under some conditions. From - openssh bugs werbittewas de, ok djm@ - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/08/31 12:33:38 - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] - reintroduce commit from tedu@, which I pulled out for release - engineering: - OpenSSL_add_all_algorithms is the name of the function we have a - man page for, so use that. 
ok djm - - jmc@cvs.openbsd.org 2010/08/31 17:40:54 - [ssh-agent.1] - fix some macro abuse; - - jmc@cvs.openbsd.org 2010/08/31 21:14:58 - [ssh.1] - small text tweak to accommodate previous; - - naddy@cvs.openbsd.org 2010/09/01 15:21:35 - [servconf.c] - pick up ECDSA host key by default; ok djm@ - - markus@cvs.openbsd.org 2010/09/02 16:07:25 - [ssh-keygen.c] - permit -b 256, 384 or 521 as key size for ECDSA; ok djm@ - - markus@cvs.openbsd.org 2010/09/02 16:08:39 - [ssh.c] - unbreak ControlPersist=yes for ControlMaster=yes; ok djm@ - - naddy@cvs.openbsd.org 2010/09/02 17:21:50 - [ssh-keygen.c] - Switch ECDSA default key size to 256 bits, which according to RFC5656 - should still be better than our current RSA-2048 default. - ok djm@, markus@ - - jmc@cvs.openbsd.org 2010/09/03 11:09:29 - [scp.1] - add an EXIT STATUS section for /usr/bin; - - jmc@cvs.openbsd.org 2010/09/04 09:38:34 - [ssh-add.1 ssh.1] - two more EXIT STATUS sections; - - naddy@cvs.openbsd.org 2010/09/06 17:10:19 - [sshd_config] - add ssh_host_ecdsa_key to /etc; from Mattieu Baptiste - - ok deraadt@ - - djm@cvs.openbsd.org 2010/09/08 03:54:36 - [authfile.c] - typo - - deraadt@cvs.openbsd.org 2010/09/08 04:13:31 - [compress.c] - work around name-space collisions some buggy compilers (looking at you - gcc, at least in earlier versions, but this does not forgive your current - transgressions) seen between zlib and openssl - ok djm - - djm@cvs.openbsd.org 2010/09/09 10:45:45 - [kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c] - ECDH/ECDSA compliance fix: these methods vary the hash function they use - (SHA256/384/512) depending on the length of the curve in use. The previous - code incorrectly used SHA256 in all cases. - - This fix will cause authentication failure when using 384 or 521-bit curve - keys if one peer hasn't been upgraded and the other has. (256-bit curve - keys work ok). 
In particular you may need to specify HostkeyAlgorithms - when connecting to a server that has not been upgraded from an upgraded - client. - - ok naddy@ - - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c] - [kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c] - [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on - platforms that don't have the requisite OpenSSL support. ok dtucker@ - - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs - for missing headers and compiler warnings. - -20100831 - - OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/08/08 19:36:30 - [ssh-keysign.8 ssh.1 sshd.8] - use the same template for all FILES sections; i.e. -compact/.Pp where we - have multiple items, and .Pa for path names; - - tedu@cvs.openbsd.org 2010/08/12 23:34:39 - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] - OpenSSL_add_all_algorithms is the name of the function we have a man page - for, so use that. ok djm - - djm@cvs.openbsd.org 2010/08/16 04:06:06 - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] - backout previous temporarily; discussed with deraadt@ - - djm@cvs.openbsd.org 2010/08/31 09:58:37 - [auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c] - [packet.h ssh-dss.c ssh-rsa.c] - Add buffer_get_cstring() and related functions that verify that the - string extracted from the buffer contains no embedded \0 characters* - This prevents random (possibly malicious) crap from being appended to - strings where it would not be noticed if the string is used with - a string(3) function. - - Use the new API in a few sensitive places. - - * actually, we allow a single one at the end of the string for now because - we don't know how many deployed implementations get this wrong, but don't - count on this to remain indefinitely. 
- - djm@cvs.openbsd.org 2010/08/31 11:54:45 - [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] - [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] - [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] - [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] - [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] - [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] - [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] - Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and - host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer - better performance than plain DH and DSA at the same equivalent symmetric - key length, as well as much shorter keys. - - Only the mandatory sections of RFC5656 are implemented, specifically the - three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and - ECDSA. Point compression (optional in RFC5656 is NOT implemented). - - Certificate host and user keys using the new ECDSA key types are supported. - - Note that this code has not been tested for interoperability and may be - subject to change. - - feedback and ok markus@ - - (djm) [Makefile.in] Add new ECC files - - (djm) [bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] include - includes.h - -20100827 - - (dtucker) [contrib/redhat/sshd.init] Bug #1810: initlog is deprecated, - remove. Patch from martynas at venck us - -20100823 - - (djm) Release OpenSSH-5.6p1 - -20100816 - - (dtucker) [configure.ac openbsd-compat/Makefile.in - openbsd-compat/openbsd-compat.h openbsd-compat/strptime.c] Add strptime to - the compat library which helps on platforms like old IRIX. Based on work - by djm, tested by Tom Christensen. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/08/12 21:49:44 - [ssh.c] - close any extra file descriptors inherited from parent at start and - reopen stdin/stdout to /dev/null when forking for ControlPersist. 
- - prevents tools that fork and run a captive ssh for communication from - failing to exit when the ssh completes while they wait for these fds to - close. The inherited fds may persist arbitrarily long if a background - mux master has been started by ControlPersist. cvs and scp were effected - by this. - - "please commit" markus@ - - (djm) [regress/README.regress] typo - -20100812 - - (tim) [regress/login-timeout.sh regress/reconfigure.sh regress/reexec.sh - regress/test-exec.sh] Under certain conditions when testing with sudo - tests would fail because the pidfile could not be read by a regular user. - "cat: cannot open ...../regress/pidfile: Permission denied (error 13)" - Make sure cat is run by $SUDO. no objection from me. djm@ - - (tim) [auth.c] add cast to quiet compiler. Change only affects SVR5 systems. - -20100809 - - (djm) bz#1561: don't bother setting IFF_UP on tun(4) device if it is - already set. Makes FreeBSD user openable tunnels useful; patch from - richard.burakowski+ossh AT mrburak.net, ok dtucker@ - - (dtucker) bug #1530: strip trailing ":" from hostname in ssh-copy-id. - based in part on a patch from Colin Watson, ok djm@ - -20100809 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/08/08 16:26:42 - [version.h] - crank to 5.6 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Crank version numbers - -20100805 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/08/04 05:37:01 - [ssh.1 ssh_config.5 sshd.8] - Remove mentions of weird "addr/port" alternate address format for IPv6 - addresses combinations. It hasn't worked for ages and we have supported - the more commen "[addr]:port" format for a long time. ok jmc@ markus@ - - djm@cvs.openbsd.org 2010/08/04 05:40:39 - [PROTOCOL.certkeys ssh-keygen.c] - tighten the rules for certificate encoding by requiring that options - appear in lexical order and make our ssh-keygen comply. 
ok markus@ - - djm@cvs.openbsd.org 2010/08/04 05:42:47 - [auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8] - [ssh-keysign.c ssh.c] - enable certificates for hostbased authentication, from Iain Morgan; - "looks ok" markus@ - - djm@cvs.openbsd.org 2010/08/04 05:49:22 - [authfile.c] - commited the wrong version of the hostbased certificate diff; this - version replaces some strlc{py,at} verbosity with xasprintf() at - the request of markus@ - - djm@cvs.openbsd.org 2010/08/04 06:07:11 - [ssh-keygen.1 ssh-keygen.c] - Support CA keys in PKCS#11 tokens; feedback and ok markus@ - - djm@cvs.openbsd.org 2010/08/04 06:08:40 - [ssh-keysign.c] - clean for -Wuninitialized (Id sync only; portable had this change) - - djm@cvs.openbsd.org 2010/08/05 13:08:42 - [channels.c] - Fix a trio of bugs in the local/remote window calculation for datagram - data channels (i.e. TunnelForward): - - Calculate local_consumed correctly in channel_handle_wfd() by measuring - the delta to buffer_len(c->output) from when we start to when we finish. - The proximal problem here is that the output_filter we use in portable - modified the length of the dequeued datagram (to futz with the headers - for !OpenBSD). - - In channel_output_poll(), don't enqueue datagrams that won't fit in the - peer's advertised packet size (highly unlikely to ever occur) or which - won't fit in the peer's remaining window (more likely). - - In channel_input_data(), account for the 4-byte string header in - datagram packets that we accept from the peer and enqueue in c->output. - - report, analysis and testing 2/3 cases from wierbows AT us.ibm.com; - "looks good" markus@ - -20100803 - - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from - PAM to sane values in case the PAM method doesn't write to them. Spotted by - Bitman Zhou, ok djm@. 
- - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/07/16 04:45:30 - [ssh-keygen.c] - avoid bogus compiler warning - - djm@cvs.openbsd.org 2010/07/16 14:07:35 - [ssh-rsa.c] - more timing paranoia - compare all parts of the expected decrypted - data before returning. AFAIK not exploitable in the SSH protocol. - "groovy" deraadt@ - - djm@cvs.openbsd.org 2010/07/19 03:16:33 - [sftp-client.c] - bz#1797: fix swapped args in upload_dir_internal(), breaking recursive - upload depth checks and causing verbose printing of transfers to always - be turned on; patch from imorgan AT nas.nasa.gov - - djm@cvs.openbsd.org 2010/07/19 09:15:12 - [clientloop.c readconf.c readconf.h ssh.c ssh_config.5] - add a "ControlPersist" option that automatically starts a background - ssh(1) multiplex master when connecting. This connection can stay alive - indefinitely, or can be set to automatically close after a user-specified - duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but - further hacked on by wmertens AT cisco.com, apb AT cequrux.com, - martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@ - - djm@cvs.openbsd.org 2010/07/21 02:10:58 - [misc.c] - sync timingsafe_bcmp() with the one dempsky@ committed to sys/lib/libkern - - dtucker@cvs.openbsd.org 2010/07/23 08:49:25 - [ssh.1] - Ciphers is documented in ssh_config(5) these days - -20100819 - - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with more - details about its behaviour WRT existing directories. Patch from - asguthrie at gmail com, ok djm. - -20100716 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/07/02 04:32:44 - [misc.c] - unbreak strdelim() skipping past quoted strings, e.g. - AllowUsers "blah blah" blah - was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com - ok dtucker; - - djm@cvs.openbsd.org 2010/07/12 22:38:52 - [ssh.c] - Make ExitOnForwardFailure work with fork-after-authentication ("ssh -f") - for protocol 2. 
ok markus@ - - djm@cvs.openbsd.org 2010/07/12 22:41:13 - [ssh.c ssh_config.5] - expand %h to the hostname in ssh_config Hostname options. While this - sounds useless, it is actually handy for working with unqualified - hostnames: - - Host *.* - Hostname %h - Host * - Hostname %h.example.org - - "I like it" markus@ - - djm@cvs.openbsd.org 2010/07/13 11:52:06 - [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c] - [packet.c ssh-rsa.c] - implement a timing_safe_cmp() function to compare memory without leaking - timing information by short-circuiting like memcmp() and use it for - some of the more sensitive comparisons (though nothing high-value was - readily attackable anyway); "looks ok" markus@ - - djm@cvs.openbsd.org 2010/07/13 23:13:16 - [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c] - [ssh-rsa.c] - s/timing_safe_cmp/timingsafe_bcmp/g - - jmc@cvs.openbsd.org 2010/07/14 17:06:58 - [ssh.1] - finally ssh synopsis looks nice again! this commit just removes a ton of - hacks we had in place to make it work with old groff; - - schwarze@cvs.openbsd.org 2010/07/15 21:20:38 - [ssh-keygen.1] - repair incorrect block nesting, which screwed up indentation; - problem reported and fix OK by jmc@ - -20100714 - - (tim) [contrib/redhat/openssh.spec] Bug 1796: Test for skip_x11_askpass - (line 77) should have been for no_x11_askpass. - -20100702 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/06/26 00:57:07 - [ssh_config.5] - tweak previous; - - djm@cvs.openbsd.org 2010/06/26 23:04:04 - [ssh.c] - oops, forgot to #include ; spotted and patch from chl@ - - djm@cvs.openbsd.org 2010/06/29 23:15:30 - [ssh-keygen.1 ssh-keygen.c] - allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys; - bz#1749; ok markus@ - - djm@cvs.openbsd.org 2010/06/29 23:16:46 - [auth2-pubkey.c sshd_config.5] - allow key options (command="..." 
and friends) in AuthorizedPrincipals; - ok markus@ - - jmc@cvs.openbsd.org 2010/06/30 07:24:25 - [ssh-keygen.1] - tweak previous; - - jmc@cvs.openbsd.org 2010/06/30 07:26:03 - [ssh-keygen.c] - sort usage(); - - jmc@cvs.openbsd.org 2010/06/30 07:28:34 - [sshd_config.5] - tweak previous; - - millert@cvs.openbsd.org 2010/07/01 13:06:59 - [scp.c] - Fix a longstanding problem where if you suspend scp at the - password/passphrase prompt the terminal mode is not restored. - OK djm@ - - phessler@cvs.openbsd.org 2010/06/27 19:19:56 - [regress/Makefile] - fix how we run the tests so we can successfully use SUDO='sudo -E' - in our env - - djm@cvs.openbsd.org 2010/06/29 23:59:54 - [cert-userkey.sh] - regress tests for key options in AuthorizedPrincipals - -20100627 - - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs - key.h. - -20100626 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/05/21 05:00:36 - [misc.c] - colon() returns char*, so s/return (0)/return NULL/ - - markus@cvs.openbsd.org 2010/06/08 21:32:19 - [ssh-pkcs11.c] - check length of value returned C_GetAttributValue for != 0 - from mdrtbugzilla@codefive.co.uk; bugzilla #1773; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/17 07:07:30 - [mux.c] - Correct sizing of object to be allocated by calloc(), replacing - sizeof(state) with sizeof(*state). This worked by accident since - the struct contained a single int at present, but could have broken - in the future. patch from hyc AT symas.com - - djm@cvs.openbsd.org 2010/06/18 00:58:39 - [sftp.c] - unbreak ls in working directories that contains globbing characters in - their pathnames. 
bz#1655 reported by vgiffin AT apple.com - - djm@cvs.openbsd.org 2010/06/18 03:16:03 - [session.c] - Missing check for chroot_director == "none" (we already checked against - NULL); bz#1564 from Jan.Pechanec AT Sun.COM - - djm@cvs.openbsd.org 2010/06/18 04:43:08 - [sftp-client.c] - fix memory leak in do_realpath() error path; bz#1771, patch from - anicka AT suse.cz - - djm@cvs.openbsd.org 2010/06/22 04:22:59 - [servconf.c sshd_config.5] - expose some more sshd_config options inside Match blocks: - AuthorizedKeysFile AuthorizedPrincipalsFile - HostbasedUsesNameFromPacketOnly PermitTunnel - bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/22 04:32:06 - [ssh-keygen.c] - standardise error messages when attempting to open private key - files to include "progname: filename: error reason" - bz#1783; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/22 04:49:47 - [auth.c] - queue auth debug messages for bad ownership or permissions on the user's - keyfiles. These messages will be sent after the user has successfully - authenticated (where our client will display them with LogLevel=debug). - bz#1554; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/22 04:54:30 - [ssh-keyscan.c] - replace verbose and overflow-prone Linebuf code with read_keyfile_line() - based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/22 04:59:12 - [session.c] - include the user name on "subsystem request for ..." 
log messages; - bz#1571; ok dtucker@ - - djm@cvs.openbsd.org 2010/06/23 02:59:02 - [ssh-keygen.c] - fix printing of extensions in v01 certificates that I broke in r1.190 - - djm@cvs.openbsd.org 2010/06/25 07:14:46 - [channels.c mux.c readconf.c readconf.h ssh.h] - bz#1327: remove hardcoded limit of 100 permitopen clauses and port - forwards per direction; ok markus@ stevesk@ - - djm@cvs.openbsd.org 2010/06/25 07:20:04 - [channels.c session.c] - bz#1750: fix requirement for /dev/null inside ChrootDirectory for - internal-sftp accidentally introduced in r1.253 by removing the code - that opens and dup /dev/null to stderr and modifying the channels code - to read stderr but discard it instead; ok markus@ - - djm@cvs.openbsd.org 2010/06/25 08:46:17 - [auth1.c auth2-none.c] - skip the initial check for access with an empty password when - PermitEmptyPasswords=no; bz#1638; ok markus@ - - djm@cvs.openbsd.org 2010/06/25 23:10:30 - [ssh.c] - log the hostname and address that we connected to at LogLevel=verbose - after authentication is successful to mitigate "phishing" attacks by - servers with trusted keys that accept authentication silently and - automatically before presenting fake password/passphrase prompts; - "nice!" markus@ - - djm@cvs.openbsd.org 2010/06/25 23:10:30 - [ssh.c] - log the hostname and address that we connected to at LogLevel=verbose - after authentication is successful to mitigate "phishing" attacks by - servers with trusted keys that accept authentication silently and - automatically before presenting fake password/passphrase prompts; - "nice!" markus@ - -20100622 - - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512 - bz#1579; ok dtucker - -20100618 - - (djm) [contrib/ssh-copy-id] Update key file explicitly under ~ - rather than assuming that $CWD == $HOME. 
bz#1500, patch from - timothy AT gelter.com - -20100617 - - (tim) [contrib/cygwin/README] Remove a reference to the obsolete - minires-devel package, and to add the reference to the libedit-devel - package since CYgwin now provides libedit. Patch from Corinna Vinschen. - -20100521 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/05/07 11:31:26 - [regress/Makefile regress/cert-userkey.sh] - regress tests for AuthorizedPrincipalsFile and "principals=" key option. - feedback and ok markus@ - - djm@cvs.openbsd.org 2010/05/11 02:58:04 - [auth-rsa.c] - don't accept certificates marked as "cert-authority" here; ok markus@ - - djm@cvs.openbsd.org 2010/05/14 00:47:22 - [ssh-add.c] - check that the certificate matches the corresponding private key before - grafting it on - - djm@cvs.openbsd.org 2010/05/14 23:29:23 - [channels.c channels.h mux.c ssh.c] - Pause the mux channel while waiting for reply from aynch callbacks. - Prevents misordering of replies if new requests arrive while waiting. - - Extend channel open confirm callback to allow signalling failure - conditions as well as success. Use this to 1) fix a memory leak, 2) - start using the above pause mechanism and 3) delay sending a success/ - failure message on mux slave session open until we receive a reply from - the server. - - motivated by and with feedback from markus@ - - markus@cvs.openbsd.org 2010/05/16 12:55:51 - [PROTOCOL.mux clientloop.h mux.c readconf.c readconf.h ssh.1 ssh.c] - mux support for remote forwarding with dynamic port allocation, - use with - LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost` - feedback and ok djm@ - - djm@cvs.openbsd.org 2010/05/20 11:25:26 - [auth2-pubkey.c] - fix logspam when key options (from="..." 
especially) deny non-matching - keys; reported by henning@ also bz#1765; ok markus@ dtucker@ - - djm@cvs.openbsd.org 2010/05/20 23:46:02 - [PROTOCOL.certkeys auth-options.c ssh-keygen.c] - Move the permit-* options to the non-critical "extensions" field for v01 - certificates. The logic is that if another implementation fails to - implement them then the connection just loses features rather than fails - outright. - - ok markus@ - -20100511 - - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve - circular dependency problem on old or odd platforms. From Tom Lane, ok - djm@. - - (djm) [openbsd-compat/openssl-compat.h] Fix build breakage on older - libcrypto by defining OPENSSL_[DR]SA_MAX_MODULUS_BITS if they aren't - already. ok dtucker@ - -20100510 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/04/23 01:47:41 - [ssh-keygen.c] - bz#1740: display a more helpful error message when $HOME is - inaccessible while trying to create .ssh directory. Based on patch - from jchadima AT redhat.com; ok dtucker@ - - djm@cvs.openbsd.org 2010/04/23 22:27:38 - [mux.c] - set "detach_close" flag when registering channel cleanup callbacks. - This causes the channel to close normally when its fds close and - hangs when terminating a mux slave using ~. bz#1758; ok markus@ - - djm@cvs.openbsd.org 2010/04/23 22:42:05 - [session.c] - set stderr to /dev/null for subsystems rather than just closing it. - avoids hangs if a subsystem or shell initialisation writes to stderr. - bz#1750; ok markus@ - - djm@cvs.openbsd.org 2010/04/23 22:48:31 - [ssh-keygen.c] - refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS, - since we would refuse to use them anyway. bz#1516; ok dtucker@ - - djm@cvs.openbsd.org 2010/04/26 22:28:24 - [sshconnect2.c] - bz#1502: authctxt.success is declared as an int, but passed by - reference to function that accepts sig_atomic_t*. 
Convert it to - the latter; ok markus@ dtucker@ - - djm@cvs.openbsd.org 2010/05/01 02:50:50 - [PROTOCOL.certkeys] - typo; jmeltzer@ - - dtucker@cvs.openbsd.org 2010/05/05 04:22:09 - [sftp.c] - restore mput and mget which got lost in the tab-completion changes. - found by Kenneth Whitaker, ok djm@ - - djm@cvs.openbsd.org 2010/05/07 11:30:30 - [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] - [key.c servconf.c servconf.h sshd.8 sshd_config.5] - add some optional indirection to matching of principal names listed - in certificates. Currently, a certificate must include the a user's name - to be accepted for authentication. This change adds the ability to - specify a list of certificate principal names that are acceptable. - - When authenticating using a CA trusted through ~/.ssh/authorized_keys, - this adds a new principals="name1[,name2,...]" key option. - - For CAs listed through sshd_config's TrustedCAKeys option, a new config - option "AuthorizedPrincipalsFile" specifies a per-user file containing - the list of acceptable names. - - If either option is absent, the current behaviour of requiring the - username to appear in principals continues to apply. - - These options are useful for role accounts, disjoint account namespaces - and "user@realm"-style naming policies in certificates. - - feedback and ok markus@ - - jmc@cvs.openbsd.org 2010/05/07 12:49:17 - [sshd_config.5] - tweak previous; - -20100423 - - (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dir - in the openssl install directory (some newer openssl versions do this on at - least some amd64 platforms). 
- -20100418 - - OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/04/16 06:45:01 - [ssh_config.5] - tweak previous; ok djm - - jmc@cvs.openbsd.org 2010/04/16 06:47:04 - [ssh-keygen.1 ssh-keygen.c] - tweak previous; ok djm - - djm@cvs.openbsd.org 2010/04/16 21:14:27 - [sshconnect.c] - oops, %r => remote username, not %u - - djm@cvs.openbsd.org 2010/04/16 01:58:45 - [regress/cert-hostkey.sh regress/cert-userkey.sh] - regression tests for v01 certificate format - includes interop tests for v00 certs - - (dtucker) [contrib/aix/buildbff.sh] Fix creation of ssh_prng_cmds.default - file. - -20100416 - - (djm) Release openssh-5.5p1 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/03/26 03:13:17 - [bufaux.c] - allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer - argument to allow skipping past values in a buffer - - jmc@cvs.openbsd.org 2010/03/26 06:54:36 - [ssh.1] - tweak previous; - - jmc@cvs.openbsd.org 2010/03/27 14:26:55 - [ssh_config.5] - tweak previous; ok dtucker - - djm@cvs.openbsd.org 2010/04/10 00:00:16 - [ssh.c] - bz#1746 - suppress spurious tty warning when using -O and stdin - is not a tty; ok dtucker@ markus@ - - djm@cvs.openbsd.org 2010/04/10 00:04:30 - [sshconnect.c] - fix terminology: we didn't find a certificate in known_hosts, we found - a CA key - - djm@cvs.openbsd.org 2010/04/10 02:08:44 - [clientloop.c] - bz#1698: kill channel when pty allocation requests fail. Fixed - stuck client if the server refuses pty allocation. - ok dtucker@ "think so" markus@ - - djm@cvs.openbsd.org 2010/04/10 02:10:56 - [sshconnect2.c] - show the key type that we are offering in debug(), helps distinguish - between certs and plain keys as the path to the private key is usually - the same. 
- - djm@cvs.openbsd.org 2010/04/10 05:48:16 - [mux.c] - fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au - - djm@cvs.openbsd.org 2010/04/14 22:27:42 - [ssh_config.5 sshconnect.c] - expand %r => remote username in ssh_config:ProxyCommand; - ok deraadt markus - - markus@cvs.openbsd.org 2010/04/15 20:32:55 - [ssh-pkcs11.c] - retry lookup for private key if there's no matching key with CKA_SIGN - attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736) - ok djm@ - - djm@cvs.openbsd.org 2010/04/16 01:47:26 - [PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c] - [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c] - [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c] - [sshconnect.c sshconnect2.c sshd.c] - revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the - following changes: - - move the nonce field to the beginning of the certificate where it can - better protect against chosen-prefix attacks on the signature hash - - Rename "constraints" field to "critical options" - - Add a new non-critical "extensions" field - - Add a serial number - - The older format is still support for authentication and cert generation - (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) - - ok markus@ -- cgit v1.2.1 From 86d44872a83a299f64801163e0c84b92e9734525 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 30 Jan 2014 01:50:17 +0000 Subject: - (djm) Release openssh-6.5p1 --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index b617c5ae..c0dab651 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,7 @@ different symbols for 'read' when various compiler flags are in use, causing atomicio.c comparisons against it to break and read/write operations to hang; ok dtucker + - (djm) Release openssh-6.5p1 20140129 - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from -- cgit v1.2.1 From eab087969b5a57ab226d714fb7e3a1471d6f8dac Mon Sep 17 00:00:00 2001 
From: djm Date: Thu, 30 Jan 2014 05:35:05 +0000 Subject: gratuitious commit to let the git tree see this branch --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index c0dab651..5f122aca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2663,3 +2663,4 @@ [contrib/suse/openssh.spec] Update for release 6.0 - (djm) [README] Update URL to release notes. - (djm) Release openssh-6.0 + -- cgit v1.2.1