Diffstat (limited to 'security/ssh/patches/patch-bk')
-rw-r--r--security/ssh/patches/patch-bk322
1 files changed, 14 insertions, 308 deletions
diff --git a/security/ssh/patches/patch-bk b/security/ssh/patches/patch-bk
index f976745d6da..b18f6e4eb54 100644
--- a/security/ssh/patches/patch-bk
+++ b/security/ssh/patches/patch-bk
@@ -1,7 +1,7 @@
-$NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
+$NetBSD: patch-bk,v 1.2 2000/03/20 02:25:57 itojun Exp $
---- sshconnect.c.orig Wed May 12 07:19:29 1999
-+++ sshconnect.c Fri Dec 24 21:50:42 1999
+--- sshconnect.c- Wed May 12 20:19:29 1999
++++ sshconnect.c Mon Mar 20 09:55:37 2000
@@ -215,7 +215,6 @@
#include "userfile.h"
#include "emulate.h"
@@ -31,292 +31,7 @@ $NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
/* Session id for the current session. */
unsigned char session_id[16];
-@@ -337,7 +348,7 @@
-
- /* Creates a (possibly privileged) socket for use as the ssh connection. */
-
--int ssh_create_socket(uid_t original_real_uid, int privileged)
-+int ssh_create_socket(uid_t original_real_uid, int privileged, int family)
- {
- int sock;
-
-@@ -345,41 +356,48 @@
- bind our own socket to a privileged port. */
- if (privileged)
- {
-- struct sockaddr_in sin;
-+ struct addrinfo hints, *ai = NULL;
-+ int errgai;
-+ char strport[PORTSTRLEN];
- int p;
- for (p = 1023; p > 512; p--)
- {
-- sock = socket(AF_INET, SOCK_STREAM, 0);
-+ sock = socket(family, SOCK_STREAM, 0);
- if (sock < 0)
- fatal("socket: %.100s", strerror(errno));
-
-- /* Initialize the desired sockaddr_in structure. */
-- memset(&sin, 0, sizeof(sin));
-- sin.sin_family = AF_INET;
-- sin.sin_addr.s_addr = INADDR_ANY;
-- sin.sin_port = htons(p);
-+ /* Initialize the desired addrinfo structure. */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = family;
-+ hints.ai_flags = AI_PASSIVE;
-+ hints.ai_socktype = SOCK_STREAM;
-+ sprintf(strport, "%d", p);
-+ if ((errgai = getaddrinfo(NULL, strport, &hints, &ai)) != 0)
-+ fatal("getaddrinfo: %.100s", gai_strerror(errgai));
-
- /* Try to bind the socket to the privileged port. */
- #if defined(SOCKS)
-- if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
-+ if (Rbind(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
- break; /* Success. */
- #else /* SOCKS */
-- if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
-+ if (bind(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
- break; /* Success. */
- #endif /* SOCKS */
- if (errno == EADDRINUSE)
- {
- close(sock);
-+ freeaddrinfo(ai);
- continue;
- }
- fatal("bind: %.100s", strerror(errno));
- }
- debug("Allocated local port %d.", p);
-+ freeaddrinfo(ai);
- }
- else
- {
- /* Just create an ordinary socket on arbitrary port. */
-- sock = socket(AF_INET, SOCK_STREAM, 0);
-+ sock = socket(family, SOCK_STREAM, 0);
- if (sock < 0)
- fatal("socket: %.100s", strerror(errno));
- }
-@@ -396,14 +414,19 @@
- the daemon. */
-
- int ssh_connect(const char *host, int port, int connection_attempts,
-+#ifdef ENABLE_ANOTHER_PORT_TRY
-+ int another_port,
-+#endif /* ENABLE_ANOTHER_PORT_TRY */
- int anonymous, uid_t original_real_uid,
- const char *proxy_command, RandomState *random_state)
- {
- int sock = -1, attempt, i;
- int on = 1;
- struct servent *sp;
-- struct hostent *hp;
-- struct sockaddr_in hostaddr;
-+ struct addrinfo hints, *ai, *aitop, *aitmp;
-+ struct sockaddr_storage hostaddr;
-+ char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
-+ int gaierr;
- #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
- struct linger linger;
- #endif /* SO_LINGER */
-@@ -421,10 +444,6 @@
- port = SSH_DEFAULT_PORT;
- }
-
-- /* Map localhost to ip-address locally */
-- if (strcmp(host, "localhost") == 0)
-- host = "127.0.0.1";
--
- /* If a proxy command is given, connect using it. */
- if (proxy_command != NULL && *proxy_command)
- return ssh_proxy_connect(host, port, original_real_uid, proxy_command,
-@@ -432,9 +451,28 @@
-
- /* No proxy command. */
-
-- /* No host lookup made yet. */
-- hp = NULL;
--
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = IPv4or6;
-+ hints.ai_socktype = SOCK_STREAM;
-+ sprintf(strport, "%d", port);
-+ if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
-+ fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
-+
-+#ifdef ENABLE_ANOTHER_PORT_TRY
-+ if (another_port)
-+ {
-+ aitmp = aitop;
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = IPv4or6;
-+ hints.ai_socktype = SOCK_STREAM;
-+ sprintf(strport, "%d", another_port);
-+ if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
-+ fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
-+ for (ai = aitop; ai->ai_next; ai = ai->ai_next);
-+ ai->ai_next = aitmp;
-+ }
-+#endif /* ENABLE_ANOTHER_PORT_TRY */
-+
- /* Try to connect several times. On some machines, the first time will
- sometimes fail. In general socket code appears to behave quite
- magically on many machines. */
-@@ -443,103 +481,27 @@
- if (attempt > 0)
- debug("Trying again...");
-
-- /* Try to parse the host name as a numeric inet address. */
-- memset(&hostaddr, 0, sizeof(hostaddr));
-- hostaddr.sin_family = AF_INET;
-- hostaddr.sin_port = htons(port);
--#ifdef BROKEN_INET_ADDR
-- hostaddr.sin_addr.s_addr = inet_network(host);
--#else /* BROKEN_INET_ADDR */
-- hostaddr.sin_addr.s_addr = inet_addr(host);
--#endif /* BROKEN_INET_ADDR */
-- if ((hostaddr.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
-- {
-- /* Create a socket. */
-- sock = ssh_create_socket(original_real_uid,
-- !anonymous && geteuid() == UID_ROOT);
--
-- /* Valid numeric IP address */
-- debug("Connecting to %.100s port %d.",
-- inet_ntoa(hostaddr.sin_addr), port);
--
-- /* Connect to the host. */
--#if defined(SOCKS)
-- if (Rconnect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr))
--#else /* SOCKS */
-- if (connect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr))
--#endif /* SOCKS */
-- >= 0)
-- {
-- /* Successful connect. */
-- break;
-- }
-- debug("connect: %.100s", strerror(errno));
--
-- /* Destroy the failed socket. */
-- shutdown(sock, 2);
-- close(sock);
-- }
-- else
-- {
-- /* Not a valid numeric inet address. */
-- /* Map host name to an address. */
-- if (!hp)
-- {
-- struct hostent *hp_static;
--
--#if defined(SOCKS5)
-- hp_static = Rgethostbyname(host);
--#else
-- hp_static = gethostbyname(host);
--#endif
-- if (hp_static)
-- {
-- hp = xmalloc(sizeof(struct hostent));
-- memcpy(hp, hp_static, sizeof(struct hostent));
--
-- /* Copy list of addresses, not just pointers.
-- We don't use h_name & h_aliases so leave them as is */
-- for (i = 0; hp_static->h_addr_list[i]; i++)
-- ; /* count them */
-- hp->h_addr_list = xmalloc((i + 1) *
-- sizeof(hp_static->h_addr_list[0]));
-- for (i = 0; hp_static->h_addr_list[i]; i++)
-- {
-- hp->h_addr_list[i] = xmalloc(hp->h_length);
-- memcpy(hp->h_addr_list[i], hp_static->h_addr_list[i],
-- hp->h_length);
-- }
-- hp->h_addr_list[i] = NULL; /* last one */
-- }
-- }
-- if (!hp)
-- fatal("Bad host name: %.100s", host);
-- if (!hp->h_addr_list[0])
-- fatal("Host does not have an IP address: %.100s", host);
--
- /* Loop through addresses for this host, and try each one in
- sequence until the connection succeeds. */
-- for (i = 0; hp->h_addr_list[i]; i++)
-+ for (ai = aitop; ai; ai = ai->ai_next)
- {
-- /* Set the address to connect to. */
-- hostaddr.sin_family = hp->h_addrtype;
-- memcpy(&hostaddr.sin_addr, hp->h_addr_list[i],
-- sizeof(hostaddr.sin_addr));
-+ getnameinfo(ai->ai_addr, ai->ai_addrlen,
-+ ntop, sizeof(ntop), strport, sizeof(strport),
-+ NI_NUMERICHOST|NI_NUMERICSERV);
-
-- debug("Connecting to %.200s [%.100s] port %d.",
-- host, inet_ntoa(hostaddr.sin_addr), port);
-+ debug("Connecting to %.200s [%.100s] port %s.",
-+ host, ntop, strport);
-
- /* Create a socket for connecting. */
- sock = ssh_create_socket(original_real_uid,
-- !anonymous && geteuid() == UID_ROOT);
-+ !anonymous && geteuid() == UID_ROOT,
-+ ai->ai_family);
-
- /* Connect to the host. */
- #if defined(SOCKS)
-- if (Rconnect(sock, (struct sockaddr *)&hostaddr,
-- sizeof(hostaddr)) >= 0)
-+ if (Rconnect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
- #else /* SOCKS */
-- if (connect(sock, (struct sockaddr *)&hostaddr,
-- sizeof(hostaddr)) >= 0)
-+ if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
- #endif /* SOCKS */
- {
- /* Successful connection. */
-@@ -552,22 +514,15 @@
- returned an error. */
- shutdown(sock, 2);
- close(sock);
-- }
-- if (hp->h_addr_list[i])
-+ } /* for (ai = aitop; ai; ai = ai->ai_next) */
-+ if (ai)
- break; /* Successful connection. */
-- }
-
- /* Sleep a moment before retrying. */
- sleep(1);
- }
-
-- if (hp)
-- {
-- for (i = 0; hp->h_addr_list[i]; i++)
-- xfree(hp->h_addr_list[i]);
-- xfree(hp->h_addr_list);
-- xfree(hp);
-- }
-+ freeaddrinfo(aitop);
-
- /* Return failure if we didn't get a successful connection. */
- if (attempt >= connection_attempts)
-@@ -578,9 +533,11 @@
- /* Set socket options. We would like the socket to disappear as soon as
- it has been closed for whatever reason. */
- /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
-+#if 0 /* XXX */
- #if defined(TCP_NODELAY) && defined(ENABLE_TCP_NODELAY)
- setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&on, sizeof(on));
- #endif /* TCP_NODELAY */
-+#endif /* 0 */
- #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
- linger.l_onoff = 1;
- linger.l_linger = 15;
-@@ -932,10 +889,9 @@
+@@ -932,10 +943,9 @@
return 0;
}
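Review bot: Nothing in patch-bk records where the IPv6 conversion removed here went: this hunk drops the `getaddrinfo`-based `ssh_create_socket`/`ssh_connect` changes, and the next hunk (`@@ -328,16 +43,7 @@`) drops the `struct sockaddr_storage local, foreign;` change in the Kerberos routine, so sshconnect.c patched by this file alone goes back to `struct sockaddr_in` and the IPv4-only `gethostbyname` path. If a separate patch is now expected to supply IPv6 for the same file (the new `sshconnect.c-` base name may hint at that, but it is not visible here), the address-family change and the widened `local`/`foreign` storage need to arrive together, because a `sockaddr_in` cannot hold an AF_INET6 address. I would add a comment under the `$NetBSD$` line such as `Kerberos/AFS changes only; IPv6 changes to sshconnect.c are carried by <name of the patch that now carries them>.` so the dependency and apply order are explicit. The renumbered inner hunk headers (`+943`, `+1094`, and so on) are consistent with the removed hunks, so no offset problem is apparent from this page.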
@@ -328,16 +43,7 @@ $NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
char *remotehost;
krb5_data auth;
krb5_error_code r;
-@@ -946,7 +902,7 @@
- int ap_opts, ret_stat = 0;
- krb5_keyblock *session_key = 0;
- krb5_ap_rep_enc_part *repl = 0;
-- struct sockaddr_in local, foreign;
-+ struct sockaddr_storage local, foreign;
-
- memset(&auth, 0 , sizeof(auth));
- remotehost = (char *) get_canonical_hostname();
-@@ -1084,15 +1040,118 @@
+@@ -1084,15 +1094,118 @@
krb5_free_ap_rep_enc_part(ssh_context, repl);
return(ret_stat);
@@ -459,7 +165,7 @@ $NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
char *remotehost;
krb5_principal client;
krb5_principal server;
-@@ -1172,22 +1231,117 @@
+@@ -1172,22 +1285,117 @@
krb5_free_principal(ssh_context, client);
krb5_free_principal(ssh_context, server);
@@ -521,7 +227,8 @@ $NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
+ packet_write_wait();
+
+ return 1;
-+}
+ }
+-#endif /* KERBEROS_TGT_PASSING */
+
+/* Forwards our AFS tokens to the server. */
+void send_afs_tokens(void)
@@ -585,13 +292,12 @@ $NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
+ else if (type != SSH_SMSG_SUCCESS)
+ packet_disconnect("Protocol error on AFS token response: %d", type);
+ }
- }
--#endif /* KERBEROS_TGT_PASSING */
++}
+#endif /* AFS */
/* Waits for the server identification string, and sends our own identification
string. */
-@@ -1285,14 +1439,12 @@
+@@ -1285,14 +1493,12 @@
unsigned char check_bytes[8];
unsigned int supported_ciphers, supported_authentications, protocol_flags;
HostStatus host_status;
@@ -607,7 +313,7 @@ $NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
/* Convert the user-supplied hostname into all lowercase. */
host = xstrdup(orighost);
-@@ -1595,7 +1747,6 @@
+@@ -1595,7 +1801,6 @@
debug("Received encrypted confirmation.");
@@ -615,7 +321,7 @@ $NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
#ifdef KRB5
if (!ssh_context)
{
-@@ -1629,7 +1780,6 @@
+@@ -1629,7 +1834,6 @@
debug("Kerberos V5: could not get default ccache.");
}
#endif /* KRB5 */
@@ -623,7 +329,7 @@ $NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
/* Send the name of the user to log in as on the server. */
packet_start(SSH_CMSG_USER);
-@@ -1647,24 +1797,39 @@
+@@ -1647,24 +1851,39 @@
packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER",
type);
@@ -670,7 +376,7 @@ $NetBSD: patch-bk,v 1.1 1999/12/25 05:28:37 kim Exp $
if (try_kerberos_authentication()) {
/* The server should respond with success or failure. */
type = packet_read();
-@@ -1673,10 +1838,8 @@
+@@ -1673,10 +1892,8 @@
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response to Kerberos auth", type);
}