svn commit: r239844 - in vendor-crypto/openssh/dist: .
contrib/caldera contrib/cygwin contrib/redhat contrib/suse
lib openbsd-compat regress scp sftp sftp-server ssh ssh-add
ssh-agent ssh-keygen ss...
Dag-Erling Smørgrav
des at FreeBSD.org
Wed Aug 29 15:46:02 UTC 2012
Author: des
Date: Wed Aug 29 15:46:01 2012
New Revision: 239844
URL: http://svn.freebsd.org/changeset/base/239844
Log:
Vendor import of OpenSSH 6.0p1.
Added:
vendor-crypto/openssh/dist/openbsd-compat/getrrsetbyname-ldns.c (contents, props changed)
vendor-crypto/openssh/dist/openbsd-compat/strnlen.c (contents, props changed)
vendor-crypto/openssh/dist/sandbox-seccomp-filter.c (contents, props changed)
Deleted:
vendor-crypto/openssh/dist/lib/
vendor-crypto/openssh/dist/scp/
vendor-crypto/openssh/dist/sftp/
vendor-crypto/openssh/dist/sftp-server/
vendor-crypto/openssh/dist/ssh/
vendor-crypto/openssh/dist/ssh-add/
vendor-crypto/openssh/dist/ssh-agent/
vendor-crypto/openssh/dist/ssh-keygen/
vendor-crypto/openssh/dist/ssh-keyscan/
vendor-crypto/openssh/dist/ssh-keysign/
vendor-crypto/openssh/dist/sshd/
Modified:
vendor-crypto/openssh/dist/ChangeLog
vendor-crypto/openssh/dist/INSTALL
vendor-crypto/openssh/dist/LICENCE
vendor-crypto/openssh/dist/Makefile.in
vendor-crypto/openssh/dist/PROTOCOL.mux
vendor-crypto/openssh/dist/README
vendor-crypto/openssh/dist/audit-bsm.c
vendor-crypto/openssh/dist/auth-options.c
vendor-crypto/openssh/dist/auth2-pubkey.c
vendor-crypto/openssh/dist/auth2.c
vendor-crypto/openssh/dist/authfile.c
vendor-crypto/openssh/dist/channels.c
vendor-crypto/openssh/dist/channels.h
vendor-crypto/openssh/dist/clientloop.c
vendor-crypto/openssh/dist/clientloop.h
vendor-crypto/openssh/dist/compat.c
vendor-crypto/openssh/dist/compat.h
vendor-crypto/openssh/dist/config.h.in
vendor-crypto/openssh/dist/configure
vendor-crypto/openssh/dist/configure.ac
vendor-crypto/openssh/dist/contrib/caldera/openssh.spec
vendor-crypto/openssh/dist/contrib/cygwin/Makefile
vendor-crypto/openssh/dist/contrib/redhat/openssh.spec
vendor-crypto/openssh/dist/contrib/suse/openssh.spec
vendor-crypto/openssh/dist/defines.h
vendor-crypto/openssh/dist/dh.c
vendor-crypto/openssh/dist/entropy.c
vendor-crypto/openssh/dist/entropy.h
vendor-crypto/openssh/dist/key.c
vendor-crypto/openssh/dist/mac.c
vendor-crypto/openssh/dist/misc.c
vendor-crypto/openssh/dist/moduli
vendor-crypto/openssh/dist/moduli.c
vendor-crypto/openssh/dist/monitor.c
vendor-crypto/openssh/dist/mux.c
vendor-crypto/openssh/dist/openbsd-compat/Makefile.in
vendor-crypto/openssh/dist/openbsd-compat/bsd-cygwin_util.c
vendor-crypto/openssh/dist/openbsd-compat/bsd-cygwin_util.h
vendor-crypto/openssh/dist/openbsd-compat/bsd-misc.h
vendor-crypto/openssh/dist/openbsd-compat/getcwd.c
vendor-crypto/openssh/dist/openbsd-compat/getgrouplist.c
vendor-crypto/openssh/dist/openbsd-compat/getrrsetbyname.c
vendor-crypto/openssh/dist/openbsd-compat/glob.c
vendor-crypto/openssh/dist/openbsd-compat/inet_ntop.c
vendor-crypto/openssh/dist/openbsd-compat/mktemp.c
vendor-crypto/openssh/dist/openbsd-compat/openbsd-compat.h
vendor-crypto/openssh/dist/openbsd-compat/openssl-compat.h
vendor-crypto/openssh/dist/openbsd-compat/port-linux.c
vendor-crypto/openssh/dist/openbsd-compat/setenv.c
vendor-crypto/openssh/dist/openbsd-compat/sha2.c
vendor-crypto/openssh/dist/openbsd-compat/sha2.h
vendor-crypto/openssh/dist/openbsd-compat/strlcpy.c
vendor-crypto/openssh/dist/packet.c
vendor-crypto/openssh/dist/packet.h
vendor-crypto/openssh/dist/readconf.c
vendor-crypto/openssh/dist/readconf.h
vendor-crypto/openssh/dist/regress/keytype.sh
vendor-crypto/openssh/dist/roaming.h
vendor-crypto/openssh/dist/roaming_client.c
vendor-crypto/openssh/dist/roaming_common.c
vendor-crypto/openssh/dist/scp.0
vendor-crypto/openssh/dist/scp.1
vendor-crypto/openssh/dist/scp.c
vendor-crypto/openssh/dist/servconf.c
vendor-crypto/openssh/dist/session.c
vendor-crypto/openssh/dist/sftp-client.c
vendor-crypto/openssh/dist/sftp-glob.c
vendor-crypto/openssh/dist/sftp.0
vendor-crypto/openssh/dist/sftp.1
vendor-crypto/openssh/dist/sftp.c
vendor-crypto/openssh/dist/ssh-add.0
vendor-crypto/openssh/dist/ssh-add.1
vendor-crypto/openssh/dist/ssh-add.c
vendor-crypto/openssh/dist/ssh-ecdsa.c
vendor-crypto/openssh/dist/ssh-keygen.0
vendor-crypto/openssh/dist/ssh-keygen.1
vendor-crypto/openssh/dist/ssh-keygen.c
vendor-crypto/openssh/dist/ssh-keyscan.1
vendor-crypto/openssh/dist/ssh-keyscan.c
vendor-crypto/openssh/dist/ssh-pkcs11-client.c
vendor-crypto/openssh/dist/ssh.0
vendor-crypto/openssh/dist/ssh.1
vendor-crypto/openssh/dist/ssh.c
vendor-crypto/openssh/dist/ssh_config.0
vendor-crypto/openssh/dist/ssh_config.5
vendor-crypto/openssh/dist/sshd.0
vendor-crypto/openssh/dist/sshd.8
vendor-crypto/openssh/dist/sshd.c
vendor-crypto/openssh/dist/sshd_config.0
vendor-crypto/openssh/dist/sshd_config.5
vendor-crypto/openssh/dist/umac.c
vendor-crypto/openssh/dist/version.h
Modified: vendor-crypto/openssh/dist/ChangeLog
==============================================================================
--- vendor-crypto/openssh/dist/ChangeLog Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/ChangeLog Wed Aug 29 15:46:01 2012 (r239844)
@@ -1,3 +1,334 @@
+20120420
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Update for release 6.0
+ - (djm) [README] Update URL to release notes.
+ - (djm) Release openssh-6.0
+
+20120419
+ - (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil
+ contains openpty() but not login()
+
+20120404
+ - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox
+ mode for Linux's new seccomp filter; patch from Will Drewry; feedback
+ and ok dtucker@
+
+20120330
+ - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING
+ file from spec file. From crighter at nuclioss com.
+ - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running
+ openssh binaries on a newer fix release than they were compiled on.
+ with and ok dtucker@
+ - (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect
+ assumptions when building on Cygwin; patch from Corinna Vinschen
+
+20120309
+ - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux
+ systems where sshd is run in te wrong context. Patch from Sven
+ Vermeulen; ok dtucker@
+ - (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6
+ addressed connections. ok dtucker@
+
+20120224
+ - (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM
+ audit breakage in Solaris 11. Patch from Magnus Johansson.
+
+20120215
+ - (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for
+ unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c
+ ok dtucker@
+ - (tim) [defines.h] move chunk introduced in 1.125 before MAXPATHLEN so
+ it actually works.
+ - (tim) [regress/keytype.sh] stderr redirection needs to be inside back quote
+ to work. Spotted by Angel Gonzalez
+
+20120214
+ - (djm) [openbsd-compat/bsd-cygwin_util.c] Add PROGRAMFILES to list of
+ preserved Cygwin environment variables; from Corinna Vinschen
+
+20120211
+ - (djm) OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2012/01/05 00:16:56
+ [monitor.c]
+ memleak on error path
+ - djm at cvs.openbsd.org 2012/01/07 21:11:36
+ [mux.c]
+ fix double-free in new session handler
+ - miod at cvs.openbsd.org 2012/01/08 13:17:11
+ [ssh-ecdsa.c]
+ Fix memory leak in ssh_ecdsa_verify(); from Loganaden Velvindron,
+ ok markus@
+ - miod at cvs.openbsd.org 2012/01/16 20:34:09
+ [ssh-pkcs11-client.c]
+ Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow.
+ While there, be sure to buffer_clear() between send_msg() and recv_msg().
+ ok markus@
+ - dtucker at cvs.openbsd.org 2012/01/18 21:46:43
+ [clientloop.c]
+ Ensure that $DISPLAY contains only valid characters before using it to
+ extract xauth data so that it can't be used to play local shell
+ metacharacter games. Report from r00t_ati at ihteam.net, ok markus.
+ - markus at cvs.openbsd.org 2012/01/25 19:26:43
+ [packet.c]
+ do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
+ ok dtucker@, djm@
+ - markus at cvs.openbsd.org 2012/01/25 19:36:31
+ [authfile.c]
+ memleak in key_load_file(); from Jan Klemkow
+ - markus at cvs.openbsd.org 2012/01/25 19:40:09
+ [packet.c packet.h]
+ packet_read_poll() is not used anymore.
+ - markus at cvs.openbsd.org 2012/02/09 20:00:18
+ [version.h]
+ move from 6.0-beta to 6.0
+
+20120206
+ - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms
+ that don't support ECC. Patch from Phil Oleson
+
+20111219
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2011/12/02 00:41:56
+ [mux.c]
+ fix bz#1948: ssh -f doesn't fork for multiplexed connection.
+ ok dtucker@
+ - djm at cvs.openbsd.org 2011/12/02 00:43:57
+ [mac.c]
+ fix bz#1934: newer OpenSSL versions will require HMAC_CTX_Init before
+ HMAC_init (this change in policy seems insane to me)
+ ok dtucker@
+ - djm at cvs.openbsd.org 2011/12/04 23:16:12
+ [mux.c]
+ revert:
+ > revision 1.32
+ > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1
+ > fix bz#1948: ssh -f doesn't fork for multiplexed connection.
+ > ok dtucker@
+ it interacts badly with ControlPersist
+ - djm at cvs.openbsd.org 2011/12/07 05:44:38
+ [auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c]
+ fix some harmless and/or unreachable int overflows;
+ reported Xi Wang, ok markus@
+
+20111125
+ - OpenBSD CVS Sync
+ - oga at cvs.openbsd.org 2011/11/16 12:24:28
+ [sftp.c]
+ Don't leak list in complete_cmd_parse if there are no commands found.
+ Discovered when I was ``borrowing'' this code for something else.
+ ok djm@
+
+20111121
+ - (dtucker) [configure.ac] Set _FORTIFY_SOURCE. ok djm@
+
+20111104
+ - (dtucker) OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2011/10/18 05:15:28
+ [ssh.c]
+ ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@
+ - djm at cvs.openbsd.org 2011/10/18 23:37:42
+ [ssh-add.c]
+ add -k to usage(); reminded by jmc@
+ - djm at cvs.openbsd.org 2011/10/19 00:06:10
+ [moduli.c]
+ s/tmpfile/tmp/ to make this -Wshadow clean
+ - djm at cvs.openbsd.org 2011/10/19 10:39:48
+ [umac.c]
+ typo in comment; patch from Michael W. Bombardieri
+ - djm at cvs.openbsd.org 2011/10/24 02:10:46
+ [ssh.c]
+ bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh
+ was incorrectly requesting the forward in both the control master and
+ slave. skip requesting it in the master to fix. ok markus@
+ - djm at cvs.openbsd.org 2011/10/24 02:13:13
+ [session.c]
+ bz#1859: send tty break to pty master instead of (probably already
+ closed) slave side; "looks good" markus@
+ - dtucker at cvs.openbsd.org 011/11/04 00:09:39
+ [moduli]
+ regenerated moduli file; ok deraadt
+ - (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in
+ openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c]
+ bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library
+ which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr)
+ with some rework from myself and djm. ok djm.
+
+20111025
+ - (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file
+ fails. Patch from Corinna Vinschen.
+
+20111018
+ - (djm) OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2011/10/04 14:17:32
+ [sftp-glob.c]
+ silence error spam for "ls */foo" in directory with files; bz#1683
+ - dtucker at cvs.openbsd.org 2011/10/16 11:02:46
+ [moduli.c ssh-keygen.1 ssh-keygen.c]
+ Add optional checkpoints for moduli screening. feedback & ok deraadt
+ - jmc at cvs.openbsd.org 2011/10/16 15:02:41
+ [ssh-keygen.c]
+ put -K in the right place (usage());
+ - stsp at cvs.openbsd.org 2011/10/16 15:51:39
+ [moduli.c]
+ add missing includes to unbreak tree; fix from rpointel
+ - djm at cvs.openbsd.org 2011/10/18 04:58:26
+ [auth-options.c key.c]
+ remove explict search for \0 in packet strings, this job is now done
+ implicitly by buffer_get_cstring; ok markus
+ - djm at cvs.openbsd.org 2011/10/18 05:00:48
+ [ssh-add.1 ssh-add.c]
+ new "ssh-add -k" option to load plain keys (skipping certificates);
+ "looks ok" markus@
+
+20111001
+ - (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker at cvs.openbsd.org 2011/09/23 00:22:04
+ [channels.c auth-options.c servconf.c channels.h sshd.8]
+ Add wildcard support to PermitOpen, allowing things like "PermitOpen
+ localhost:*". bz #1857, ok djm markus.
+ - markus at cvs.openbsd.org 2011/09/23 07:45:05
+ [mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c
+ version.h]
+ unbreak remote portforwarding with dynamic allocated listen ports:
+ 1) send the actual listen port in the open message (instead of 0).
+ this allows multiple forwardings with a dynamic listen port
+ 2) update the matching permit-open entry, so we can identify where
+ to connect to
+ report: den at skbkontur.ru and P. Szczygielski
+ feedback and ok djm@
+ - djm at cvs.openbsd.org 2011/09/25 05:44:47
+ [auth2-pubkey.c]
+ improve the AuthorizedPrincipalsFile debug log message to include
+ file and line number
+ - dtucker at cvs.openbsd.org 2011/09/30 00:47:37
+ [sshd.c]
+ don't attempt privsep cleanup when not using privsep; ok markus@
+ - djm at cvs.openbsd.org 2011/09/30 21:22:49
+ [sshd.c]
+ fix inverted test that caused logspam; spotted by henning@
+
+20110929
+ - (djm) [configure.ac defines.h] No need to detect sizeof(char); patch
+ from des AT des.no
+ - (dtucker) [configure.ac openbsd-compat/Makefile.in
+ openbsd-compat/strnlen.c] Add strnlen to the compat library.
+
+20110923
+ - (djm) [openbsd-compat/getcwd.c] Remove OpenBSD rcsid marker since we no
+ longer want to sync this file (OpenBSD uses a __getcwd syscall now, we
+ want this longhand version)
+ - (djm) [openbsd-compat/getgrouplist.c] Remove OpenBSD rcsid marker: the
+ upstream version is YPified and we don't want this
+ - (djm) [openbsd-compat/mktemp.c] forklift upgrade to -current version.
+ The file was totally rewritten between what we had in tree and -current.
+ - (djm) [openbsd-compat/sha2.c openbsd-compat/sha2.h] Remove OpenBSD rcsid
+ marker. The upstream API has changed (function and structure names)
+ enough to put it out of sync with other providers of this interface.
+ - (djm) [openbsd-compat/setenv.c] Forklift upgrade, including inclusion
+ of static __findenv() function from upstream setenv.c
+ - OpenBSD CVS Sync
+ - millert at cvs.openbsd.org 2006/05/05 15:27:38
+ [openbsd-compat/strlcpy.c]
+ Convert do {} while loop -> while {} for clarity. No binary change
+ on most architectures. From Oliver Smith. OK deraadt@ and henning@
+ - tobias at cvs.openbsd.org 2007/10/21 11:09:30
+ [openbsd-compat/mktemp.c]
+ Comment fix about time consumption of _gettemp.
+ FreeBSD did this in revision 1.20.
+ OK deraadt@, krw@
+ - deraadt at cvs.openbsd.org 2008/07/22 21:47:45
+ [openbsd-compat/mktemp.c]
+ use arc4random_uniform(); ok djm millert
+ - millert at cvs.openbsd.org 2008/08/21 16:54:44
+ [openbsd-compat/mktemp.c]
+ Remove useless code, the kernel will set errno appropriately if an
+ element in the path does not exist. OK deraadt@ pvalchev@
+ - otto at cvs.openbsd.org 2008/12/09 19:38:38
+ [openbsd-compat/inet_ntop.c]
+ fix inet_ntop(3) prototype; ok millert@ libc to be bumbed very soon
+
+20110922
+ - OpenBSD CVS Sync
+ - pyr at cvs.openbsd.org 2011/05/12 07:15:10
+ [openbsd-compat/glob.c]
+ When the max number of items for a directory has reached GLOB_LIMIT_READDIR
+ an error is returned but closedir() is not called.
+ spotted and fix provided by Frank Denis obsd-tech at pureftpd.org
+ ok otto@, millert@
+ - stsp at cvs.openbsd.org 2011/09/20 10:18:46
+ [glob.c]
+ In glob(3), limit recursion during matching attempts. Similar to
+ fnmatch fix. Also collapse consecutive '*' (from NetBSD).
+ ok miod deraadt
+ - djm at cvs.openbsd.org 2011/09/22 06:27:29
+ [glob.c]
+ fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being
+ applied only to the gl_pathv vector and not the corresponding gl_statv
+ array. reported in OpenSSH bz#1935; feedback and okay matthew@
+ - djm at cvs.openbsd.org 2011/08/26 01:45:15
+ [ssh.1]
+ Add some missing ssh_config(5) options that can be used in ssh(1)'s
+ -o argument. Patch from duclare AT guu.fi
+ - djm at cvs.openbsd.org 2011/09/05 05:56:13
+ [scp.1 sftp.1]
+ mention ControlPersist and KbdInteractiveAuthentication in the -o
+ verbiage in these pages too (prompted by jmc@)
+ - djm at cvs.openbsd.org 2011/09/05 05:59:08
+ [misc.c]
+ fix typo in IPQoS parsing: there is no "AF14" class, but there is
+ an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
+ - jmc at cvs.openbsd.org 2011/09/05 07:01:44
+ [scp.1]
+ knock out a useless Ns;
+ - deraadt at cvs.openbsd.org 2011/09/07 02:18:31
+ [ssh-keygen.1]
+ typo (they vs the) found by Lawrence Teo
+ - djm at cvs.openbsd.org 2011/09/09 00:43:00
+ [ssh_config.5 sshd_config.5]
+ fix typo in IPQoS parsing: there is no "AF14" class, but there is
+ an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
+ - djm at cvs.openbsd.org 2011/09/09 00:44:07
+ [PROTOCOL.mux]
+ MUX_C_CLOSE_FWD includes forward type in message (though it isn't
+ implemented anyway)
+ - djm at cvs.openbsd.org 2011/09/09 22:37:01
+ [scp.c]
+ suppress adding '--' to remote commandlines when the first argument
+ does not start with '-'. saves breakage on some difficult-to-upgrade
+ embedded/router platforms; feedback & ok dtucker ok markus
+ - djm at cvs.openbsd.org 2011/09/09 22:38:21
+ [sshd.c]
+ kill the preauth privsep child on fatal errors in the monitor;
+ ok markus@
+ - djm at cvs.openbsd.org 2011/09/09 22:46:44
+ [channels.c channels.h clientloop.h mux.c ssh.c]
+ support for cancelling local and remote port forwards via the multiplex
+ socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user at host" to request
+ the cancellation of the specified forwardings; ok markus@
+ - markus at cvs.openbsd.org 2011/09/10 22:26:34
+ [channels.c channels.h clientloop.c ssh.1]
+ support cancellation of local/dynamic forwardings from ~C commandline;
+ ok & feedback djm@
+ - okan at cvs.openbsd.org 2011/09/11 06:59:05
+ [ssh.1]
+ document new -O cancel command; ok djm@
+ - markus at cvs.openbsd.org 2011/09/11 16:07:26
+ [sftp-client.c]
+ fix leaks in do_hardlink() and do_readlink(); bz#1921
+ from Loganaden Velvindron
+ - markus at cvs.openbsd.org 2011/09/12 08:46:15
+ [sftp-client.c]
+ fix leak in do_lsreaddir(); ok djm
+ - djm at cvs.openbsd.org 2011/09/22 06:29:03
+ [sftp.c]
+ don't let remote_glob() implicitly sort its results in do_globbed_ls() -
+ in all likelihood, they will be resorted anyway
+
+20110909
+ - (dtucker) [entropy.h] Bug #1932: remove old definition of init_rng. From
+ Colin Watson.
+
20110906
- (djm) [README version.h] Correct version
- (djm) [contrib/redhat/openssh.spec] Correct restorcon => restorecon
Modified: vendor-crypto/openssh/dist/INSTALL
==============================================================================
--- vendor-crypto/openssh/dist/INSTALL Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/INSTALL Wed Aug 29 15:46:01 2012 (r239844)
@@ -80,6 +80,12 @@ these multi-platform ports:
http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/
+LDNS:
+
+LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
+
+http://nlnetlabs.nl/projects/ldns/
+
Autoconf:
If you modify configure.ac or configure doesn't exist (eg if you checked
@@ -260,4 +266,4 @@ Please refer to the "reporting bugs" sec
http://www.openssh.com/
-$Id: INSTALL,v 1.86 2011/05/05 03:48:37 djm Exp $
+$Id: INSTALL,v 1.87 2011/11/04 00:25:25 dtucker Exp $
Modified: vendor-crypto/openssh/dist/LICENCE
==============================================================================
--- vendor-crypto/openssh/dist/LICENCE Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/LICENCE Wed Aug 29 15:46:01 2012 (r239844)
@@ -207,6 +207,7 @@ OpenSSH contains no GPL code.
The SCO Group
Daniel Walsh
Red Hat, Inc
+ Simon Vallet / Genoscope
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
Modified: vendor-crypto/openssh/dist/Makefile.in
==============================================================================
--- vendor-crypto/openssh/dist/Makefile.in Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/Makefile.in Wed Aug 29 15:46:01 2012 (r239844)
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.325 2011/08/05 20:15:18 djm Exp $
+# $Id: Makefile.in,v 1.326 2012/04/04 01:27:57 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@@ -90,7 +90,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
- sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
+ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+ sandbox-seccomp-filter.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
Modified: vendor-crypto/openssh/dist/PROTOCOL.mux
==============================================================================
--- vendor-crypto/openssh/dist/PROTOCOL.mux Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/PROTOCOL.mux Wed Aug 29 15:46:01 2012 (r239844)
@@ -133,6 +133,7 @@ A client may request the master to close
uint32 MUX_C_CLOSE_FWD
uint32 request id
+ uint32 forwarding type
string listen host
string listen port
string connect host
@@ -218,4 +219,4 @@ XXX inject packet (what about replies)
XXX server->client error/warning notifications
XXX send signals via mux
-$OpenBSD: PROTOCOL.mux,v 1.7 2011/05/08 12:52:01 djm Exp $
+$OpenBSD: PROTOCOL.mux,v 1.8 2011/09/09 00:44:07 djm Exp $
Modified: vendor-crypto/openssh/dist/README
==============================================================================
--- vendor-crypto/openssh/dist/README Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/README Wed Aug 29 15:46:01 2012 (r239844)
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.9 for the release notes.
+See http://www.openssh.com/txt/release-6.0 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
-$Id: README,v 1.77.2.2 2011/09/06 23:11:20 djm Exp $
+$Id: README,v 1.80 2012/04/20 04:11:04 djm Exp $
Modified: vendor-crypto/openssh/dist/audit-bsm.c
==============================================================================
--- vendor-crypto/openssh/dist/audit-bsm.c Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/audit-bsm.c Wed Aug 29 15:46:01 2012 (r239844)
@@ -1,4 +1,4 @@
-/* $Id: audit-bsm.c,v 1.7 2011/01/17 10:15:29 dtucker Exp $ */
+/* $Id: audit-bsm.c,v 1.8 2012/02/23 23:40:43 dtucker Exp $ */
/*
* TODO
@@ -45,6 +45,10 @@
#include <string.h>
#include <unistd.h>
+#ifdef BROKEN_BSM_API
+#include <libscf.h>
+#endif
+
#include "ssh.h"
#include "log.h"
#include "key.h"
@@ -114,6 +118,12 @@ extern int aug_daemon_session(void);
extern Authctxt *the_authctxt;
static AuditInfoTermID ssh_bsm_tid;
+#ifdef BROKEN_BSM_API
+/* For some reason this constant is no longer defined
+ in Solaris 11. */
+#define BSM_TEXTBUFSZ 256
+#endif
+
/* Below is the low-level BSM interface code */
/*
@@ -161,6 +171,65 @@ aug_get_machine(char *host, u_int32_t *a
}
#endif
+#ifdef BROKEN_BSM_API
+/*
+ In Solaris 11 the audit daemon has been moved to SMF. In the process
+ they simply dropped getacna() from the API, since it read from a now
+ non-existent config file. This function re-implements getacna() to
+ read from the SMF repository instead.
+ */
+int
+getacna(char *auditstring, int len)
+{
+ scf_handle_t *handle = NULL;
+ scf_property_t *property = NULL;
+ scf_value_t *value = NULL;
+ int ret = 0;
+
+ handle = scf_handle_create(SCF_VERSION);
+ if (handle == NULL)
+ return -2; /* The man page for getacna on Solaris 10 states
+ we should return -2 in case of error and set
+ errno to indicate the error. We don't bother
+ with errno here, though, since the only use
+ of this function below doesn't check for errors
+ anyway.
+ */
+
+ ret = scf_handle_bind(handle);
+ if (ret == -1)
+ return -2;
+
+ property = scf_property_create(handle);
+ if (property == NULL)
+ return -2;
+
+ ret = scf_handle_decode_fmri(handle,
+ "svc:/system/auditd:default/:properties/preselection/naflags",
+ NULL, NULL, NULL, NULL, property, 0);
+ if (ret == -1)
+ return -2;
+
+ value = scf_value_create(handle);
+ if (value == NULL)
+ return -2;
+
+ ret = scf_property_get_value(property, value);
+ if (ret == -1)
+ return -2;
+
+ ret = scf_value_get_astring(value, auditstring, len);
+ if (ret == -1)
+ return -2;
+
+ scf_value_destroy(value);
+ scf_property_destroy(property);
+ scf_handle_destroy(handle);
+
+ return 0;
+}
+#endif
+
/*
* Check if the specified event is selected (enabled) for auditing.
* Returns 1 if the event is selected, 0 if not and -1 on failure.
@@ -213,7 +282,15 @@ bsm_audit_record(int typ, char *string,
(void) au_write(ad, au_to_text(string));
(void) au_write(ad, AUToReturnFunc(typ, rc));
+#ifdef BROKEN_BSM_API
+ /* The last argument is the event modifier flags. For
+ some seemingly undocumented reason it was added in
+ Solaris 11. */
+ rc = au_close(ad, AU_TO_WRITE, event_no, 0);
+#else
rc = au_close(ad, AU_TO_WRITE, event_no);
+#endif
+
if (rc < 0)
error("BSM audit: %s failed to write \"%s\" record: %s",
__func__, string, strerror(errno));
Modified: vendor-crypto/openssh/dist/auth-options.c
==============================================================================
--- vendor-crypto/openssh/dist/auth-options.c Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/auth-options.c Wed Aug 29 15:46:01 2012 (r239844)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.54 2010/12/24 21:41:48 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -341,7 +341,7 @@ auth_parse_options(struct passwd *pw, ch
goto bad_option;
}
host = cleanhostname(host);
- if (p == NULL || (port = a2port(p)) <= 0) {
+ if (p == NULL || (port = permitopen_port(p)) < 0) {
debug("%.100s, line %lu: Bad permitopen port "
"<%.100s>", file, linenum, p ? p : "");
auth_debug_add("%.100s, line %lu: "
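Review bot: The comparison on the new line is loosened from `<= 0` to `< 0`, so a return value of 0 from permitopen_port() is now accepted as a valid port, and nothing in the hunk says why; a reader used to the a2port() convention, where 0 is invalid, will read it as an off-by-one. The intent is recoverable from elsewhere in this commit (channels.c now defines `FWD_PERMIT_ANY_PORT 0` and the ChangeLog entry adds `PermitOpen localhost:*` wildcards), so a one-line comment above the test would record it: `/* permitopen_port() maps "*" to 0 (any port); only negative values are errors */`. That 0 is the wildcard here is inferred from those sibling changes rather than from permitopen_port()'s definition, which is not in this hunk; confirm before committing the comment. auth_parse_options begins and ends outside the hunk.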
@@ -452,10 +452,6 @@ parse_option_list(u_char *optblob, size_
buffer_append(&data, data_blob, dlen);
debug3("found certificate option \"%.100s\" len %u",
name, dlen);
- if (strlen(name) != nlen) {
- error("Certificate constraint name contains \\0");
- goto out;
- }
found = 0;
if ((which & OPTIONS_EXTENSIONS) != 0) {
if (strcmp(name, "permit-X11-forwarding") == 0) {
@@ -485,11 +481,6 @@ parse_option_list(u_char *optblob, size_
"corrupt", name);
goto out;
}
- if (strlen(command) != clen) {
- error("force-command constraint "
- "contains \\0");
- goto out;
- }
if (*cert_forced_command != NULL) {
error("Certificate has multiple "
"force-command options");
@@ -506,11 +497,6 @@ parse_option_list(u_char *optblob, size_
"\"%s\" corrupt", name);
goto out;
}
- if (strlen(allowed) != clen) {
- error("source-address constraint "
- "contains \\0");
- goto out;
- }
if ((*cert_source_address_done)++) {
error("Certificate has multiple "
"source-address options");
Modified: vendor-crypto/openssh/dist/auth2-pubkey.c
==============================================================================
--- vendor-crypto/openssh/dist/auth2-pubkey.c Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/auth2-pubkey.c Wed Aug 29 15:46:01 2012 (r239844)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.29 2011/05/23 03:30:07 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.30 2011/09/25 05:44:47 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -238,8 +238,9 @@ match_principals_file(char *file, struct
}
for (i = 0; i < cert->nprincipals; i++) {
if (strcmp(cp, cert->principals[i]) == 0) {
- debug3("matched principal from file \"%.100s\"",
- cert->principals[i]);
+ debug3("matched principal \"%.100s\" "
+ "from file \"%s\" on line %lu",
+ cert->principals[i], file, linenum);
if (auth_parse_options(pw, line_opts,
file, linenum) != 1)
continue;
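Review bot: The new debug3 prints `file` with an unbounded `%s` while the principal beside it is clipped with `%.100s`, and the sibling messages in auth-options.c in this same commit clip the file name too (`"%.100s, line %lu: ..."`). Using `"from file \"%.100s\" on line %lu"` keeps the log line bounded and consistent with the rest of the authorized-principals diagnostics. This is a style point only; `file` is an administrator-supplied path. match_principals_file begins and ends outside the hunk.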
Modified: vendor-crypto/openssh/dist/auth2.c
==============================================================================
--- vendor-crypto/openssh/dist/auth2.c Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/auth2.c Wed Aug 29 15:46:01 2012 (r239844)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -113,7 +113,7 @@ auth2_read_banner(void)
close(fd);
return (NULL);
}
- if (st.st_size > 1*1024*1024) {
+ if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
close(fd);
return (NULL);
}
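Review bot: The new `st.st_size <= 0` guard rejects empty banner files alongside oversized ones, but the line still reads as a size-limit check only, so a later cleanup could easily restore the `>` test alone. A short comment would preserve the intent, e.g. `/* also reject empty or negative sizes before the length is used below */`; the ChangeLog on this page attributes the change to fixing int overflows, which is the reason worth recording. What exactly follows the check (the allocation and read of the banner) is outside the hunk, so tailor the comment to the code there; auth2_read_banner continues beyond the visible lines.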
Modified: vendor-crypto/openssh/dist/authfile.c
==============================================================================
--- vendor-crypto/openssh/dist/authfile.c Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/authfile.c Wed Aug 29 15:46:01 2012 (r239844)
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.92 2011/06/14 22:49:18 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -340,7 +340,7 @@ key_load_file(int fd, const char *filena
filename == NULL ? "" : " ");
return 0;
}
- buffer_init(blob);
+ buffer_clear(blob);
for (;;) {
if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
if (errno == EPIPE)
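Review bot: Switching `buffer_init(blob)` to `buffer_clear(blob)` fixes the leak named in the ChangeLog, but it also changes key_load_file's contract: the caller must now pass an already-initialized Buffer, since clearing uninitialized memory is not defined (buffer_clear itself is not visible here; presumably it resets the offsets without allocating). The function header, which is outside the hunk, should state this, e.g. `/* blob must be an initialized Buffer; it is cleared rather than re-initialized, so the caller retains ownership of its storage. */`. It is also worth noting in the same comment that the early `return 0` visible at the top of the hunk leaves blob untouched, so a caller sees its previous contents on that failure path.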
Modified: vendor-crypto/openssh/dist/channels.c
==============================================================================
--- vendor-crypto/openssh/dist/channels.c Wed Aug 29 15:45:58 2012 (r239843)
+++ vendor-crypto/openssh/dist/channels.c Wed Aug 29 15:46:01 2012 (r239844)
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.311 2011/06/22 22:08:42 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.315 2011/09/23 07:45:05 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -125,6 +125,9 @@ static int num_permitted_opens = 0;
/* Number of permitted host/port pair in the array permitted by the admin. */
static int num_adm_permitted_opens = 0;
+/* special-case port number meaning allow any port */
+#define FWD_PERMIT_ANY_PORT 0
+
/*
* If this is true, all opens are permitted. This is the case on the server
* on which we have to trust the client anyway, and the user could do
@@ -302,6 +305,8 @@ channel_new(char *ctype, int type, int r
buffer_init(&c->output);
buffer_init(&c->extended);
c->path = NULL;
+ c->listening_addr = NULL;
+ c->listening_port = 0;
c->ostate = CHAN_OUTPUT_OPEN;
c->istate = CHAN_INPUT_OPEN;
c->flags = 0;
@@ -411,6 +416,10 @@ channel_free(Channel *c)
xfree(c->path);
c->path = NULL;
}
+ if (c->listening_addr) {
+ xfree(c->listening_addr);
+ c->listening_addr = NULL;
+ }
while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
if (cc->abandon_cb != NULL)
cc->abandon_cb(c, cc->ctx);
@@ -2634,6 +2643,46 @@ channel_set_af(int af)
IPv4or6 = af;
}
+
+/*
+ * Determine whether or not a port forward listens to loopback, the
+ * specified address or wildcard. On the client, a specified bind
+ * address will always override gateway_ports. On the server, a
+ * gateway_ports of 1 (``yes'') will override the client's specification
+ * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
+ * will bind to whatever address the client asked for.
+ *
+ * Special-case listen_addrs are:
+ *
+ * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
+ * "" (empty string), "*" -> wildcard v4/v6
+ * "localhost" -> loopback v4/v6
+ */
+static const char *
+channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
+ int is_client, int gateway_ports)
+{
+ const char *addr = NULL;
+ int wildcard = 0;
+
+ if (listen_addr == NULL) {
+ /* No address specified: default to gateway_ports setting */
+ if (gateway_ports)
+ wildcard = 1;
+ } else if (gateway_ports || is_client) {
+ if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
+ strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
+ *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
+ (!is_client && gateway_ports == 1))
+ wildcard = 1;
+ else if (strcmp(listen_addr, "localhost") != 0)
+ addr = listen_addr;
+ }
+ if (wildcardp != NULL)
+ *wildcardp = wildcard;
+ return addr;
+}
+
static int
channel_setup_fwd_listener(int type, const char *listen_addr,
u_short listen_port, int *allocated_listen_port,
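Review bot: channel_fwd_bind_addr returns either NULL or a pointer that aliases its `listen_addr` argument without copying, and the new header comment says nothing about that lifetime, while the new callers treat the result differently (the later channel_setup_fwd_listener hunk xstrdup's it into `c->listening_addr`, channel_cancel_lport_listener uses it only transiently). A line in the comment would keep a future caller from storing the pointer: ` * Returns NULL for a loopback/wildcard bind (see *wildcardp), otherwise a pointer into listen_addr; callers that retain it must copy it.` The `wildcardp != NULL` check is worth a word too, since the lport-cancel caller relies on passing NULL.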
@@ -2659,36 +2708,9 @@ channel_setup_fwd_listener(int type, con
return 0;
}
- /*
- * Determine whether or not a port forward listens to loopback,
- * specified address or wildcard. On the client, a specified bind
- * address will always override gateway_ports. On the server, a
- * gateway_ports of 1 (``yes'') will override the client's
- * specification and force a wildcard bind, whereas a value of 2
- * (``clientspecified'') will bind to whatever address the client
- * asked for.
- *
- * Special-case listen_addrs are:
- *
- * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
- * "" (empty string), "*" -> wildcard v4/v6
- * "localhost" -> loopback v4/v6
- */
- addr = NULL;
- if (listen_addr == NULL) {
- /* No address specified: default to gateway_ports setting */
- if (gateway_ports)
- wildcard = 1;
- } else if (gateway_ports || is_client) {
- if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
- strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
- *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
- (!is_client && gateway_ports == 1))
- wildcard = 1;
- else if (strcmp(listen_addr, "localhost") != 0)
- addr = listen_addr;
- }
-
+ /* Determine the bind address, cf. channel_fwd_bind_addr() comment */
+ addr = channel_fwd_bind_addr(listen_addr, &wildcard,
+ is_client, gateway_ports);
debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s",
type, wildcard, (addr == NULL) ? "NULL" : addr);
@@ -2792,7 +2814,12 @@ channel_setup_fwd_listener(int type, con
0, "port listener", 1);
c->path = xstrdup(host);
c->host_port = port_to_connect;
- c->listening_port = listen_port;
+ c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
+ if (listen_port == 0 && allocated_listen_port != NULL &&
+ !(datafellows & SSH_BUG_DYNAMIC_RPORT))
+ c->listening_port = *allocated_listen_port;
+ else
+ c->listening_port = listen_port;
success = 1;
}
if (success == 0)
@@ -2810,9 +2837,44 @@ channel_cancel_rport_listener(const char
for (i = 0; i < channels_alloc; i++) {
Channel *c = channels[i];
+ if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
+ continue;
+ if (strcmp(c->path, host) == 0 && c->listening_port == port) {
+ debug2("%s: close channel %d", __func__, i);
+ channel_free(c);
+ found = 1;
+ }
+ }
+
+ return (found);
+}
+
+int
+channel_cancel_lport_listener(const char *lhost, u_short lport,
+ int cport, int gateway_ports)
+{
+ u_int i;
+ int found = 0;
+ const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, gateway_ports);
- if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
- strcmp(c->path, host) == 0 && c->listening_port == port) {
+ for (i = 0; i < channels_alloc; i++) {
+ Channel *c = channels[i];
+ if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
+ continue;
+ if (c->listening_port != lport)
+ continue;
+ if (cport == CHANNEL_CANCEL_PORT_STATIC) {
+ /* skip dynamic forwardings */
+ if (c->host_port == 0)
+ continue;
+ } else {
+ if (c->host_port != cport)
+ continue;
+ }
+ if ((c->listening_addr == NULL && addr != NULL) ||
+ (c->listening_addr != NULL && addr == NULL))
+ continue;
+ if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
debug2("%s: close channel %d", __func__, i);
channel_free(c);
found = 1;
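Review bot: channel_cancel_lport_listener matches on `c->listening_port != lport`, but for a listener requested with port 0 the earlier channel_setup_fwd_listener hunk now stores the allocated port in `c->listening_port`, so a caller that cancels with the originally requested 0 will not find the channel; this looks intended, but the function has no header comment saying so, and its tail (the return) lies outside the hunk. I would add above it `/* Cancel local port listeners bound to lhost:lport forwarding to cport; lport is the actual bound port (the allocated one for dynamic forwards). cport == CHANNEL_CANCEL_PORT_STATIC matches any static forward and skips dynamic ones (host_port 0). */`. The address comparison also depends on `lhost` being normalised by channel_fwd_bind_addr exactly as it was when the listener was created (is_client == 1 in both places), which is worth stating since the two calls are far apart.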
@@ -2843,37 +2905,44 @@ channel_setup_remote_fwd_listener(const
}
/*
+ * Translate the requested rfwd listen host to something usable for
+ * this server.
+ */
+static const char *
+channel_rfwd_bind_host(const char *listen_host)
+{
+ if (listen_host == NULL) {
+ if (datafellows & SSH_BUG_RFWD_ADDR)
+ return "127.0.0.1";
+ else
+ return "localhost";
+ } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
+ if (datafellows & SSH_BUG_RFWD_ADDR)
+ return "0.0.0.0";
+ else
+ return "";
+ } else
+ return listen_host;
+}
+
+/*
* Initiate forwarding of connections to port "port" on remote host through
* the secure channel to host:port from local side.
+ * Returns handle (index) for updating the dynamic listen port with
+ * channel_update_permitted_opens().
*/
-
int
channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
const char *host_to_connect, u_short port_to_connect)
{
- int type, success = 0;
+ int type, success = 0, idx = -1;
/* Send the forward request to the remote side. */
if (compat20) {
- const char *address_to_bind;
- if (listen_host == NULL) {
- if (datafellows & SSH_BUG_RFWD_ADDR)
- address_to_bind = "127.0.0.1";
- else
- address_to_bind = "localhost";
- } else if (*listen_host == '\0' ||
- strcmp(listen_host, "*") == 0) {
- if (datafellows & SSH_BUG_RFWD_ADDR)
- address_to_bind = "0.0.0.0";
- else
- address_to_bind = "";
- } else
- address_to_bind = listen_host;
-
packet_start(SSH2_MSG_GLOBAL_REQUEST);
packet_put_cstring("tcpip-forward");
- packet_put_char(1); /* boolean: want reply */
- packet_put_cstring(address_to_bind);
+ packet_put_char(1); /* boolean: want reply */
+ packet_put_cstring(channel_rfwd_bind_host(listen_host));
packet_put_int(listen_port);
packet_send();
packet_write_wait();
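Review bot: The new header comment on channel_request_remote_forwarding says it returns a handle (index) but not what comes back when the request is not sent or is refused; in the following hunk the function now ends with `return (idx);`, where idx stays -1 unless the success branch recorded the entry, so the previous "-1 on failure" contract still holds but is only discoverable by reading the body. I would extend the comment: ` * Returns -1 if the request was not sent or was refused by the peer.` The rest of the function, including the reply handling, is outside this hunk.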
@@ -2905,25 +2974,25 @@ channel_request_remote_forwarding(const
/* Record that connection to this host/port is permitted. */
permitted_opens = xrealloc(permitted_opens,
num_permitted_opens + 1, sizeof(*permitted_opens));
- permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
- permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
- permitted_opens[num_permitted_opens].listen_port = listen_port;
- num_permitted_opens++;
+ idx = num_permitted_opens++;
+ permitted_opens[idx].host_to_connect = xstrdup(host_to_connect);
+ permitted_opens[idx].port_to_connect = port_to_connect;
+ permitted_opens[idx].listen_port = listen_port;
}
- return (success ? 0 : -1);
+ return (idx);
}
/*
* Request cancellation of remote forwarding of connection host:port from
* local side.
*/
-void
+int
channel_request_rforward_cancel(const char *host, u_short port)
{
int i;
if (!compat20)
- return;
+ return -1;
for (i = 0; i < num_permitted_opens; i++) {
if (permitted_opens[i].host_to_connect != NULL &&
@@ -2932,12 +3001,12 @@ channel_request_rforward_cancel(const ch
}
if (i >= num_permitted_opens) {
debug("%s: requested forward not found", __func__);
- return;
+ return -1;
}
packet_start(SSH2_MSG_GLOBAL_REQUEST);
packet_put_cstring("cancel-tcpip-forward");
packet_put_char(0);
- packet_put_cstring(host == NULL ? "" : host);
+ packet_put_cstring(channel_rfwd_bind_host(host));
packet_put_int(port);
packet_send();
@@ -2945,6 +3014,8 @@ channel_request_rforward_cancel(const ch
permitted_opens[i].port_to_connect = 0;
xfree(permitted_opens[i].host_to_connect);
permitted_opens[i].host_to_connect = NULL;
+
+ return 0;
}
/*
@@ -3013,6 +3084,35 @@ channel_add_permitted_opens(char *host,
all_opens_permitted = 0;
}
+/*
+ * Update the listen port for a dynamic remote forward, after
+ * the actual 'newport' has been allocated. If 'newport' < 0 is
+ * passed then they entry will be invalidated.
+ */
+void
+channel_update_permitted_opens(int idx, int newport)
+{
+ if (idx < 0 || idx >= num_permitted_opens) {
+ debug("channel_update_permitted_opens: index out of range:"
+ " %d num_permitted_opens %d", idx, num_permitted_opens);
+ return;
+ }
+ debug("%s allowed port %d for forwarding to host %s port %d",
+ newport > 0 ? "Updating" : "Removing",
+ newport,
+ permitted_opens[idx].host_to_connect,
+ permitted_opens[idx].port_to_connect);
+ if (newport >= 0) {
+ permitted_opens[idx].listen_port =
+ (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
+ } else {
+ permitted_opens[idx].listen_port = 0;
+ permitted_opens[idx].port_to_connect = 0;
+ xfree(permitted_opens[idx].host_to_connect);
+ permitted_opens[idx].host_to_connect = NULL;
+ }
+}
+
int
channel_add_adm_permitted_opens(char *host, int port)
{
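Review bot: In channel_update_permitted_opens the invalidation branch calls `xfree(permitted_opens[idx].host_to_connect)` without checking for an entry that was already invalidated (host_to_connect is set to NULL both here and in channel_request_rforward_cancel, whose search loop explicitly tolerates NULL host_to_connect); if xfree in this tree rejects a NULL argument, as I believe OpenSSH's xmalloc.c does, a second invalidation of the same idx terminates the process. Treating an invalidated slot like an out-of-range one avoids that: `if (idx < 0 || idx >= num_permitted_opens || permitted_opens[idx].host_to_connect == NULL) {`. Separately, the debug label uses `newport > 0 ? "Updating" : "Removing"` while the update branch is taken for `newport >= 0`, so newport == 0 logs "Removing" but updates; `newport >= 0 ?` would match the code, and "they entry" in the comment should read "the entry".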
@@ -3073,6 +3173,28 @@ channel_print_adm_permitted_opens(void)
printf("\n");
}
+/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
+int
+permitopen_port(const char *p)
+{
+ int port;
+
+ if (strcmp(p, "*") == 0)
+ return FWD_PERMIT_ANY_PORT;
+ if ((port = a2port(p)) > 0)
+ return port;
+ return -1;
+}
+
+static int
+port_match(u_short allowedport, u_short requestedport)
+{
+ if (allowedport == FWD_PERMIT_ANY_PORT ||
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***