aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--MAINTAINERS3
-rw-r--r--Makefile11
-rw-r--r--Makefile.inc1197
-rw-r--r--Makefile.libcompat161
-rw-r--r--ObsoleteFiles.inc6
-rw-r--r--UPDATING10
-rw-r--r--bin/sh/exec.c5
-rw-r--r--bin/sh/miscbltin.c2
-rw-r--r--bin/sh/sh.17
-rw-r--r--cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c14
-rw-r--r--cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c7
-rw-r--r--cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c7
-rw-r--r--contrib/bmake/ChangeLog38
-rw-r--r--contrib/bmake/Makefile4
-rw-r--r--contrib/bmake/arch.c48
-rw-r--r--contrib/bmake/bmake.147
-rw-r--r--contrib/bmake/bmake.cat161
-rw-r--r--contrib/bmake/compat.c26
-rw-r--r--contrib/bmake/cond.c38
-rw-r--r--contrib/bmake/dirname.c89
-rw-r--r--contrib/bmake/for.c8
-rw-r--r--contrib/bmake/getopt.c89
-rw-r--r--contrib/bmake/job.c35
-rw-r--r--contrib/bmake/main.c114
-rw-r--r--contrib/bmake/make.147
-rw-r--r--contrib/bmake/make.c26
-rw-r--r--contrib/bmake/make.h11
-rw-r--r--contrib/bmake/meta.c82
-rw-r--r--contrib/bmake/meta.h3
-rw-r--r--contrib/bmake/mk/ChangeLog39
-rw-r--r--contrib/bmake/mk/auto.dep.mk12
-rw-r--r--contrib/bmake/mk/dirdeps.mk64
-rw-r--r--contrib/bmake/mk/gendirdeps.mk6
-rw-r--r--contrib/bmake/mk/install-mk4
-rw-r--r--contrib/bmake/mk/meta.autodep.mk4
-rw-r--r--contrib/bmake/mk/meta.stage.mk6
-rw-r--r--contrib/bmake/mk/meta.sys.mk4
-rwxr-xr-xcontrib/bmake/mk/meta2deps.sh4
-rw-r--r--contrib/bmake/mk/sys.clean-env.mk15
-rw-r--r--contrib/bmake/mk/sys.dependfile.mk4
-rw-r--r--contrib/bmake/mk/warnings.mk4
-rw-r--r--contrib/bmake/nonints.h7
-rw-r--r--contrib/bmake/parse.c46
-rw-r--r--contrib/bmake/suff.c17
-rw-r--r--contrib/bmake/targ.c12
-rw-r--r--contrib/bmake/unit-tests/export-env.exp2
-rw-r--r--contrib/bmake/unit-tests/export-env.mk9
-rw-r--r--contrib/bmake/unit-tests/modts.exp10
-rw-r--r--contrib/bmake/unit-tests/modts.mk3
-rw-r--r--contrib/bmake/var.c222
-rw-r--r--contrib/elftoolchain/libdwarf/libdwarf_elf_init.c15
-rw-r--r--contrib/elftoolchain/libelf/libelf_convert.m41
-rw-r--r--contrib/libc++/include/__config9
-rw-r--r--contrib/libc++/include/atomic17
-rw-r--r--contrib/libc++/include/string7
-rw-r--r--contrib/libc++/include/system_error2
-rw-r--r--contrib/pjdfstest/tests/ftruncate/11.t2
-rwxr-xr-xcontrib/pjdfstest/tests/misc.sh34
-rw-r--r--contrib/pjdfstest/tests/open/20.t2
-rw-r--r--contrib/pjdfstest/tests/truncate/11.t2
-rw-r--r--contrib/unbound/iterator/iter_hints.c2
-rw-r--r--crypto/openssh/ChangeLog3230
-rw-r--r--crypto/openssh/FREEBSD-upgrade8
-rw-r--r--crypto/openssh/Makefile.in72
-rw-r--r--crypto/openssh/README2
-rw-r--r--crypto/openssh/README.platform3
-rw-r--r--crypto/openssh/auth-bsdauth.c4
-rw-r--r--crypto/openssh/auth-krb5.c4
-rw-r--r--crypto/openssh/auth-options.c111
-rw-r--r--crypto/openssh/auth-pam.c3
-rw-r--r--crypto/openssh/auth.h4
-rw-r--r--crypto/openssh/auth2-pubkey.c36
-rw-r--r--crypto/openssh/authfd.c20
-rw-r--r--crypto/openssh/authfd.h6
-rw-r--r--crypto/openssh/authfile.c27
-rw-r--r--crypto/openssh/channels.c16
-rw-r--r--crypto/openssh/cipher.c5
-rw-r--r--crypto/openssh/clientloop.c195
-rw-r--r--crypto/openssh/clientloop.h4
-rw-r--r--crypto/openssh/config.h27
-rw-r--r--crypto/openssh/configure.ac75
-rw-r--r--crypto/openssh/contrib/redhat/openssh.spec7
-rw-r--r--crypto/openssh/contrib/ssh-copy-id53
-rw-r--r--crypto/openssh/contrib/ssh-copy-id.15
-rw-r--r--crypto/openssh/contrib/suse/openssh.spec2
-rw-r--r--crypto/openssh/defines.h7
-rw-r--r--crypto/openssh/dh.h9
-rw-r--r--crypto/openssh/includes.h6
-rw-r--r--crypto/openssh/kex.c168
-rw-r--r--crypto/openssh/kex.h13
-rw-r--r--crypto/openssh/kexc25519s.c6
-rw-r--r--crypto/openssh/kexdhs.c6
-rw-r--r--crypto/openssh/kexecdhs.c6
-rw-r--r--crypto/openssh/kexgexs.c6
-rw-r--r--crypto/openssh/key.c6
-rw-r--r--crypto/openssh/key.h5
-rw-r--r--crypto/openssh/krl.c23
-rw-r--r--crypto/openssh/krl.h3
-rw-r--r--crypto/openssh/loginrec.c3
-rw-r--r--crypto/openssh/misc.c58
-rw-r--r--crypto/openssh/monitor.c39
-rw-r--r--crypto/openssh/monitor_wrap.c6
-rw-r--r--crypto/openssh/monitor_wrap.h4
-rw-r--r--crypto/openssh/mux.c34
-rw-r--r--crypto/openssh/myproposal.h24
-rw-r--r--crypto/openssh/opacket.c12
-rw-r--r--crypto/openssh/opacket.h4
-rw-r--r--crypto/openssh/openbsd-compat/bsd-misc.c8
-rw-r--r--crypto/openssh/openbsd-compat/bsd-misc.h4
-rw-r--r--crypto/openssh/openbsd-compat/bsd-poll.h4
-rw-r--r--crypto/openssh/openbsd-compat/glob.c1
-rw-r--r--crypto/openssh/openbsd-compat/glob.h8
-rw-r--r--crypto/openssh/openbsd-compat/openbsd-compat.h1
-rw-r--r--crypto/openssh/openbsd-compat/port-solaris.c136
-rw-r--r--crypto/openssh/openbsd-compat/port-solaris.h6
-rw-r--r--crypto/openssh/openbsd-compat/realpath.c61
-rw-r--r--crypto/openssh/packet.c366
-rw-r--r--crypto/openssh/packet.h11
-rw-r--r--crypto/openssh/platform-pledge.c71
-rw-r--r--crypto/openssh/platform.h5
-rw-r--r--crypto/openssh/readconf.c110
-rw-r--r--crypto/openssh/readconf.h12
-rw-r--r--crypto/openssh/readpass.c4
-rw-r--r--crypto/openssh/regress/Makefile5
-rw-r--r--crypto/openssh/regress/agent-ptrace.sh5
-rwxr-xr-xcrypto/openssh/regress/cert-file.sh138
-rw-r--r--crypto/openssh/regress/check-perm.c205
-rwxr-xr-xcrypto/openssh/regress/dhgex.sh6
-rwxr-xr-xcrypto/openssh/regress/hostkey-rotate.sh20
-rwxr-xr-xcrypto/openssh/regress/keys-command.sh6
-rw-r--r--crypto/openssh/regress/keyscan.sh4
-rwxr-xr-xcrypto/openssh/regress/limit-keytype.sh37
-rwxr-xr-xcrypto/openssh/regress/principals-command.sh7
-rw-r--r--crypto/openssh/regress/proxy-connect.sh5
-rw-r--r--crypto/openssh/regress/rekey.sh6
-rw-r--r--crypto/openssh/regress/setuid-allowed.c2
-rwxr-xr-xcrypto/openssh/regress/sftp-chroot.sh5
-rw-r--r--crypto/openssh/regress/unittests/sshkey/test_file.c42
-rw-r--r--crypto/openssh/regress/unittests/sshkey/test_fuzz.c102
-rw-r--r--crypto/openssh/regress/unittests/sshkey/test_sshkey.c46
-rw-r--r--crypto/openssh/roaming.h45
-rw-r--r--crypto/openssh/roaming_client.c271
-rw-r--r--crypto/openssh/roaming_common.c241
-rw-r--r--crypto/openssh/roaming_dummy.c72
-rw-r--r--crypto/openssh/roaming_serv.c31
-rw-r--r--crypto/openssh/sandbox-pledge.c77
-rw-r--r--crypto/openssh/sandbox-seccomp-filter.c3
-rw-r--r--crypto/openssh/sandbox-solaris.c108
-rw-r--r--crypto/openssh/sandbox-systrace.c36
-rw-r--r--crypto/openssh/scp.15
-rw-r--r--crypto/openssh/scp.c14
-rw-r--r--crypto/openssh/servconf.c57
-rw-r--r--crypto/openssh/serverloop.c31
-rw-r--r--crypto/openssh/session.c84
-rw-r--r--crypto/openssh/sftp-client.c22
-rw-r--r--crypto/openssh/sftp-client.h6
-rw-r--r--crypto/openssh/sftp-server-main.c4
-rw-r--r--crypto/openssh/sftp-server.c12
-rw-r--r--crypto/openssh/sftp.15
-rw-r--r--crypto/openssh/sftp.c3
-rw-r--r--crypto/openssh/ssh-add.c35
-rw-r--r--crypto/openssh/ssh-agent.115
-rw-r--r--crypto/openssh/ssh-agent.c26
-rw-r--r--crypto/openssh/ssh-dss.c11
-rw-r--r--crypto/openssh/ssh-ecdsa.c14
-rw-r--r--crypto/openssh/ssh-keygen.118
-rw-r--r--crypto/openssh/ssh-keygen.c366
-rw-r--r--crypto/openssh/ssh-keyscan.18
-rw-r--r--crypto/openssh/ssh-keyscan.c71
-rw-r--r--crypto/openssh/ssh-keysign.86
-rw-r--r--crypto/openssh/ssh-keysign.c27
-rw-r--r--crypto/openssh/ssh-pkcs11-client.c4
-rw-r--r--crypto/openssh/ssh-pkcs11-helper.c3
-rw-r--r--crypto/openssh/ssh-pkcs11.c8
-rw-r--r--crypto/openssh/ssh-rsa.c149
-rw-r--r--crypto/openssh/ssh.197
-rw-r--r--crypto/openssh/ssh.c148
-rw-r--r--crypto/openssh/ssh.h10
-rw-r--r--crypto/openssh/ssh2.h10
-rw-r--r--crypto/openssh/ssh_api.c16
-rw-r--r--crypto/openssh/ssh_config8
-rw-r--r--crypto/openssh/ssh_config.5145
-rw-r--r--crypto/openssh/ssh_namespace.h18
-rw-r--r--crypto/openssh/sshbuf-getput-basic.c8
-rw-r--r--crypto/openssh/sshbuf.c8
-rw-r--r--crypto/openssh/sshbuf.h65
-rw-r--r--crypto/openssh/sshconnect.c75
-rw-r--r--crypto/openssh/sshconnect.h4
-rw-r--r--crypto/openssh/sshconnect1.c15
-rw-r--r--crypto/openssh/sshconnect2.c265
-rw-r--r--crypto/openssh/sshd.855
-rw-r--r--crypto/openssh/sshd.c76
-rw-r--r--crypto/openssh/sshd_config4
-rw-r--r--crypto/openssh/sshd_config.567
-rw-r--r--crypto/openssh/ssherr.c4
-rw-r--r--crypto/openssh/sshkey.c210
-rw-r--r--crypto/openssh/sshkey.h17
-rw-r--r--crypto/openssh/sshlogin.c2
-rw-r--r--crypto/openssh/uidswap.c18
-rw-r--r--crypto/openssh/version.h6
-rw-r--r--crypto/openssh/xmalloc.c12
-rw-r--r--crypto/openssh/xmalloc.h3
-rw-r--r--etc/Makefile9
-rwxr-xr-xetc/autofs/special_media7
-rw-r--r--etc/defaults/Makefile1
-rw-r--r--etc/defaults/Makefile.depend11
-rw-r--r--etc/login.conf1
-rwxr-xr-xetc/rc.d/netwait2
-rw-r--r--include/Makefile38
-rw-r--r--lib/Makefile2
-rw-r--r--lib/atf/Makefile2
-rw-r--r--lib/clang/clang.build.mk14
-rw-r--r--lib/libc++/Makefile1
-rw-r--r--lib/libc/sys/Symbol.map9
-rw-r--r--lib/libpam/modules/pam_ssh/Makefile5
-rw-r--r--lib/libpam/modules/pam_ssh/Makefile.depend2
-rw-r--r--lib/libpam/modules/pam_ssh/pam_ssh.c5
-rw-r--r--lib/libunbound/Makefile2
-rw-r--r--lib/libutil/login.conf.51
-rw-r--r--lib/libutil/login_class.31
-rw-r--r--lib/libutil/login_class.c1
-rw-r--r--sbin/geom/core/geom.c3
-rw-r--r--sbin/ifconfig/ifieee80211.c2
-rw-r--r--sbin/mdmfs/mdmfs.834
-rw-r--r--sbin/mdmfs/mdmfs.c5
-rw-r--r--sbin/nvmecontrol/power.c10
-rw-r--r--sbin/ping/ping.812
-rw-r--r--sbin/ping/ping.c16
-rw-r--r--secure/lib/libssh/Makefile3
-rw-r--r--secure/libexec/sftp-server/Makefile5
-rw-r--r--secure/libexec/ssh-keysign/Makefile2
-rw-r--r--secure/libexec/ssh-pkcs11-helper/Makefile5
-rw-r--r--secure/usr.bin/scp/Makefile5
-rw-r--r--secure/usr.bin/sftp/Makefile5
-rw-r--r--secure/usr.bin/ssh-add/Makefile5
-rw-r--r--secure/usr.bin/ssh-agent/Makefile5
-rw-r--r--secure/usr.bin/ssh-keygen/Makefile5
-rw-r--r--secure/usr.bin/ssh-keyscan/Makefile2
-rw-r--r--secure/usr.bin/ssh/Makefile3
-rw-r--r--secure/usr.sbin/sshd/Makefile4
-rw-r--r--share/examples/Makefile9
-rw-r--r--share/examples/Makefile.depend12
-rw-r--r--share/i18n/esdb/BIG5/Makefile4
-rw-r--r--share/i18n/esdb/Makefile.part8
-rw-r--r--share/i18n/esdb/UTF/Makefile4
-rw-r--r--share/man/man5/src.conf.514
-rw-r--r--share/man/man9/sx.912
-rw-r--r--share/mk/bsd.dep.mk6
-rw-r--r--share/mk/bsd.files.mk4
-rw-r--r--share/mk/bsd.opts.mk2
-rw-r--r--share/mk/bsd.subdir.mk5
-rw-r--r--share/mk/bsd.sys.mk3
-rw-r--r--share/mk/dirdeps.mk64
-rw-r--r--share/mk/gendirdeps.mk6
-rw-r--r--share/mk/local.meta.sys.mk13
-rw-r--r--share/mk/local.sys.mk28
-rw-r--r--share/mk/meta.autodep.mk4
-rw-r--r--share/mk/meta.stage.mk6
-rw-r--r--share/mk/meta.sys.mk2
-rw-r--r--share/mk/sys.dependfile.mk6
-rw-r--r--share/sendmail/Makefile5
-rw-r--r--share/sendmail/Makefile.depend1
-rw-r--r--share/zoneinfo/Makefile9
-rw-r--r--share/zoneinfo/Makefile.depend1
-rw-r--r--sys/arm/allwinner/a10_hdmi.c29
-rw-r--r--sys/arm/arm/gic.c2
-rw-r--r--sys/arm/arm/vm_machdep.c11
-rw-r--r--sys/arm/conf/ARMADA38X2
-rw-r--r--sys/arm/mv/armada38x/files.armada38x1
-rw-r--r--sys/arm/mv/files.mv1
-rw-r--r--sys/arm/mv/mpic.c346
-rw-r--r--sys/arm/mv/mv_common.c105
-rw-r--r--sys/arm/mv/mvreg.h5
-rw-r--r--sys/arm/mv/mvwin.h4
-rw-r--r--sys/arm64/arm64/pmap.c6
-rw-r--r--sys/boot/efi/boot1/Makefile10
-rw-r--r--sys/boot/efi/boot1/boot1.c2
-rw-r--r--sys/boot/efi/fdt/Makefile2
-rw-r--r--sys/boot/efi/loader/Makefile10
-rw-r--r--sys/boot/fdt/dts/arm/bananapi.dts15
-rw-r--r--sys/boot/fdt/dts/arm/db78460.dts2
-rw-r--r--sys/boot/ficl/Makefile2
-rw-r--r--sys/boot/i386/gptboot/Makefile2
-rw-r--r--sys/boot/i386/gptzfsboot/Makefile2
-rw-r--r--sys/boot/i386/libfirewire/Makefile2
-rw-r--r--sys/boot/i386/libi386/Makefile2
-rw-r--r--sys/boot/i386/loader/Makefile2
-rw-r--r--sys/boot/i386/zfsboot/Makefile2
-rw-r--r--sys/boot/libstand32/Makefile2
-rw-r--r--sys/boot/ofw/libofw/Makefile2
-rw-r--r--sys/boot/uboot/fdt/Makefile2
-rw-r--r--sys/boot/uboot/lib/Makefile2
-rw-r--r--sys/boot/userboot/ficl/Makefile2
-rw-r--r--sys/boot/zfs/Makefile2
-rw-r--r--sys/compat/freebsd32/freebsd32_syscall.h32
-rw-r--r--sys/conf/config.mk8
-rw-r--r--sys/conf/kern.mk5
-rw-r--r--sys/conf/kern.opts.mk5
-rw-r--r--sys/conf/kern.post.mk9
-rw-r--r--sys/conf/kmod.mk6
-rw-r--r--sys/dev/agp/agp_i810.c542
-rw-r--r--sys/dev/agp/agpreg.h22
-rw-r--r--sys/dev/cxgbe/adapter.h7
-rw-r--r--sys/dev/cxgbe/common/common.h2
-rw-r--r--sys/dev/cxgbe/t4_main.c330
-rw-r--r--sys/dev/drm2/drm_drv.c4
-rw-r--r--sys/dev/drm2/i915/i915_dma.c6
-rw-r--r--sys/dev/drm2/i915/i915_gem.c11
-rw-r--r--sys/dev/drm2/i915/i915_gem_context.c8
-rw-r--r--sys/dev/drm2/i915/i915_gem_gtt.c7
-rw-r--r--sys/dev/pci/pci_iov.c2
-rw-r--r--sys/dev/pci/pci_iov_private.h2
-rw-r--r--sys/dev/pci/pci_iov_schema.c2
-rw-r--r--sys/dev/pci/schema_private.h2
-rw-r--r--sys/dev/usb/controller/xhci_mv.c232
-rw-r--r--sys/fs/autofs/autofs.h7
-rw-r--r--sys/fs/autofs/autofs_vfsops.c3
-rw-r--r--sys/fs/autofs/autofs_vnops.c179
-rw-r--r--sys/fs/pseudofs/pseudofs_vnops.c22
-rw-r--r--sys/fs/unionfs/union_subr.c3
-rw-r--r--sys/kern/kern_alq.c2
-rw-r--r--sys/kern/kern_event.c59
-rw-r--r--sys/kern/makesyscalls.sh8
-rw-r--r--sys/kern/vfs_lookup.c39
-rw-r--r--sys/modules/Makefile6
-rw-r--r--sys/net80211/ieee80211.h75
-rw-r--r--sys/net80211/ieee80211_input.c4
-rw-r--r--sys/netinet/siftr.c2
-rw-r--r--sys/netinet/tcp_stacks/fastpath.c2
-rw-r--r--sys/netinet/tcp_var.h2
-rw-r--r--sys/netipsec/key.c3
-rw-r--r--sys/ofed/drivers/infiniband/core/device.c2
-rw-r--r--sys/ofed/drivers/infiniband/hw/mlx4/main.c2
-rw-r--r--sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c2
-rw-r--r--sys/powerpc/powerpc/exec_machdep.c7
-rw-r--r--sys/sys/errno.h1
-rw-r--r--sys/sys/iov.h2
-rw-r--r--sys/sys/iov_schema.h2
-rw-r--r--sys/sys/namei.h1
-rw-r--r--sys/sys/param.h2
-rw-r--r--sys/sys/syscall.h38
-rw-r--r--sys/sys/syscall.mk21
-rw-r--r--sys/sys/sysctl.h3
-rw-r--r--targets/pseudo/bootstrap-tools/Makefile6
-rw-r--r--targets/pseudo/kernel/Makefile3
-rw-r--r--targets/pseudo/stage/Makefile3
-rw-r--r--targets/pseudo/userland/share/Makefile.depend1
-rw-r--r--tools/build/options/WITHOUT_FAST_DEPEND5
-rw-r--r--usr.bin/bmake/Makefile6
-rw-r--r--usr.bin/grep/regex/glue.h2
-rw-r--r--usr.bin/limits/limits.120
-rw-r--r--usr.bin/limits/limits.c5
-rw-r--r--usr.bin/mkuzip/mkuz_blockcache.c49
-rw-r--r--usr.bin/mkuzip/mkuzip.83
-rw-r--r--usr.bin/mkuzip/mkuzip.c21
-rw-r--r--usr.sbin/bhyve/pci_virtio_net.c14
-rw-r--r--usr.sbin/ctld/uclparse.c3
-rw-r--r--usr.sbin/gpioctl/gpioctl.842
-rw-r--r--usr.sbin/gpioctl/gpioctl.c126
-rw-r--r--usr.sbin/iovctl/iovctl.c2
-rw-r--r--usr.sbin/iovctl/iovctl.h2
-rw-r--r--usr.sbin/iovctl/parse.c2
-rw-r--r--usr.sbin/iovctl/validate.c2
-rwxr-xr-xusr.sbin/pc-sysinstall/backend-query/disk-list.sh4
-rwxr-xr-xusr.sbin/pc-sysinstall/backend/functions-disk.sh46
-rw-r--r--usr.sbin/unbound/anchor/Makefile2
-rw-r--r--usr.sbin/unbound/checkconf/Makefile2
-rw-r--r--usr.sbin/unbound/control/Makefile2
-rw-r--r--usr.sbin/unbound/daemon/Makefile2
369 files changed, 8816 insertions, 5207 deletions
diff --git a/MAINTAINERS b/MAINTAINERS
index 07d0c1609635..4b2cd3f5b142 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -102,3 +102,6 @@ usr.sbin/dpv dteske Pre-commit review requested. Keep in sync with libdpv.
usr.sbin/pkg pkg@ Please coordinate behavior or flag changes with pkg team.
usr.sbin/sysrc dteske Pre-commit phabricator review requested. Keep in sync with bsdconfig(8) sysrc.subr.
vmm(4) neel,grehan Pre-commit review requested.
+autofs(5) trasz Pre-commit review recommended.
+iscsi(4) trasz Pre-commit review recommended.
+rctl(8) trasz Pre-commit review recommended.
diff --git a/Makefile b/Makefile
index d18eedef01b4..a0ac974f4fc3 100644
--- a/Makefile
+++ b/Makefile
@@ -125,7 +125,8 @@ TGTS= all all-man buildenv buildenvvars buildkernel buildworld \
obj objlink rerelease showconfig tags toolchain update \
_worldtmp _legacy _bootstrap-tools _cleanobj _obj \
_build-tools _cross-tools _includes _libraries _depend \
- build32 builddtb distribute32 install32 xdev xdev-build xdev-install \
+ build32 distribute32 install32 build32 distribute32 install32 \
+ builddtb xdev xdev-build xdev-install \
xdev-links native-xtools stageworld stagekernel stage-packages \
create-world-packages create-kernel-packages create-packages \
packages installconfig real-packages sign-packages package-pkg
@@ -161,6 +162,8 @@ _MAKEOBJDIRPREFIX!= /usr/bin/env -i PATH=${PATH} MK_AUTO_OBJ=no ${MAKE} \
# We cannot blindly use a make which may not be the one we want
# so be exlicit - until all choice is removed.
WANT_MAKE= bmake
+# 20160220 - support .dinclude for FAST_DEPEND.
+WANT_MAKE_VERSION= 20160220
MYMAKE= ${MAKEOBJDIRPREFIX}${.CURDIR}/make.${MACHINE}/${WANT_MAKE}
.if defined(.PARSEDIR)
HAVE_MAKE= bmake
@@ -303,7 +306,7 @@ kernel: buildkernel installkernel
upgrade_checks:
.if ${HAVE_MAKE} != ${WANT_MAKE} || \
(defined(WANT_MAKE_VERSION) && ${MAKE_VERSION} < ${WANT_MAKE_VERSION})
- @(cd ${.CURDIR} && ${MAKE} ${WANT_MAKE:S,^f,,})
+ @${_+_}(cd ${.CURDIR} && ${MAKE} ${WANT_MAKE:S,^f,,})
.endif
#
@@ -315,9 +318,9 @@ MMAKEENV= MAKEOBJDIRPREFIX=${MYMAKE:H} \
DESTDIR= \
INSTALL="sh ${.CURDIR}/tools/install.sh"
MMAKE= ${MMAKEENV} ${MAKE} \
- -DNO_MAN -DNO_SHARED \
+ MAN= -DNO_SHARED \
-DNO_CPU_CFLAGS -DNO_WERROR \
- MK_TESTS=no \
+ -DNO_SUBDIR \
DESTDIR= PROGNAME=${MYMAKE:T}
bmake: .PHONY
diff --git a/Makefile.inc1 b/Makefile.inc1
index 40bc9fe5b1a9..b5d028a89f29 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -474,70 +474,16 @@ XCXXFLAGS+= ${BFLAGS}
.endif
.endif # ${XCC:M/*}
-WMAKE= ${WMAKEENV} ${MAKE} ${WORLD_FLAGS} -f Makefile.inc1 DESTDIR=${WORLDTMP}
-
-.if ${TARGET_ARCH} == "amd64" || ${TARGET_ARCH} == "powerpc64"
-# 32 bit world
-LIB32_OBJTREE= ${OBJTREE}${.CURDIR}/world32
-LIB32TMP= ${OBJTREE}${.CURDIR}/lib32
-
-.if ${TARGET_ARCH} == "amd64"
-.if empty(TARGET_CPUTYPE)
-LIB32CPUFLAGS= -march=i686 -mmmx -msse -msse2
-.else
-LIB32CPUFLAGS= -march=${TARGET_CPUTYPE}
-.endif
-LIB32WMAKEENV= MACHINE=i386 MACHINE_ARCH=i386 \
- MACHINE_CPU="i686 mmx sse sse2"
-LIB32WMAKEFLAGS= \
- AS="${XAS} --32" \
- LD="${XLD} -m elf_i386_fbsd -Y P,${LIB32TMP}/usr/lib32" \
- OBJCOPY="${XOBJCOPY}"
-
-.elif ${TARGET_ARCH} == "powerpc64"
-.if empty(TARGET_CPUTYPE)
-LIB32CPUFLAGS= -mcpu=powerpc
-.else
-LIB32CPUFLAGS= -mcpu=${TARGET_CPUTYPE}
-.endif
-LIB32WMAKEENV= MACHINE=powerpc MACHINE_ARCH=powerpc
-LIB32WMAKEFLAGS= \
- LD="${XLD} -m elf32ppc_fbsd" \
- OBJCOPY="${XOBJCOPY}"
+.if ${MK_LIB32} != "no" && (${TARGET_ARCH} == "amd64" || \
+ ${TARGET_ARCH} == "powerpc64")
+LIBCOMPAT= 32
+.include "Makefile.libcompat"
+.elif ${MK_LIBSOFT} != "no" && ${TARGET_ARCH} == "armv6"
+LIBCOMPAT= SOFT
+.include "Makefile.libcompat"
.endif
-
-LIB32FLAGS= -m32 ${LIB32CPUFLAGS} -DCOMPAT_32BIT \
- -isystem ${LIB32TMP}/usr/include/ \
- -L${LIB32TMP}/usr/lib32 \
- -B${LIB32TMP}/usr/lib32
-.if ${XCC:N${CCACHE_BIN}:M/*}
-LIB32FLAGS+= --sysroot=${WORLDTMP}
-.endif
-
-# Yes, the flags are redundant.
-LIB32WMAKEENV+= MAKEOBJDIRPREFIX=${LIB32_OBJTREE} \
- _LDSCRIPTROOT=${LIB32TMP} \
- INSTALL="sh ${.CURDIR}/tools/install.sh" \
- PATH=${TMPPATH} \
- LIBDIR=/usr/lib32 \
- SHLIBDIR=/usr/lib32 \
- DTRACE="${DTRACE} -32"
-LIB32WMAKEFLAGS+= CC="${XCC} ${LIB32FLAGS}" \
- CXX="${XCXX} ${LIB32FLAGS}" \
- DESTDIR=${LIB32TMP} \
- -DCOMPAT_32BIT \
- -DLIBRARIES_ONLY \
- -DNO_CPU_CFLAGS \
- MK_CTF=no \
- -DNO_LINT \
- MK_TESTS=no
-
-LIB32WMAKE= ${LIB32WMAKEENV} ${MAKE} ${LIB32WMAKEFLAGS} \
- MK_MAN=no MK_HTML=no
-LIB32IMAKE= ${LIB32WMAKE:NINSTALL=*:NDESTDIR=*:N_LDSCRIPTROOT=*} \
- MK_TOOLCHAIN=no ${IMAKE_INSTALL}
-.endif
+WMAKE= ${WMAKEENV} ${MAKE} ${WORLD_FLAGS} -f Makefile.inc1 DESTDIR=${WORLDTMP}
IMAKEENV= ${CROSSENV:N_LDSCRIPTROOT=*}
IMAKE= ${IMAKEENV} ${MAKE} -f Makefile.inc1 \
@@ -595,8 +541,8 @@ _worldtmp: .PHONY
@echo "--------------------------------------------------------------"
.if !defined(NO_CLEAN)
rm -rf ${WORLDTMP}
-.if defined(LIB32TMP)
- rm -rf ${LIB32TMP}
+.if defined(LIBCOMPAT)
+ rm -rf ${LIBCOMPATTMP}
.endif
.else
rm -rf ${WORLDTMP}/legacy/usr/include
@@ -626,13 +572,13 @@ _worldtmp: .PHONY
mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \
-p ${WORLDTMP}/usr/lib >/dev/null
.endif
-.if ${MK_LIB32} != "no"
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \
+.if defined(LIBCOMPAT)
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \
-p ${WORLDTMP}/usr >/dev/null
.if ${MK_DEBUG_FILES} != "no"
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \
-p ${WORLDTMP}/legacy/usr/lib/debug/usr >/dev/null
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \
-p ${WORLDTMP}/usr/lib/debug/usr >/dev/null
.endif
.endif
@@ -668,8 +614,8 @@ _cleanobj:
@echo ">>> stage 2.1: cleaning up the object tree"
@echo "--------------------------------------------------------------"
${_+_}cd ${.CURDIR}; ${WMAKE} ${CLEANDIR}
-.if defined(LIB32TMP)
- ${_+_}cd ${.CURDIR}; ${LIB32WMAKE} -f Makefile.inc1 ${CLEANDIR}
+.if defined(LIBCOMPAT)
+ ${_+_}cd ${.CURDIR}; ${LIBCOMPATWMAKE} -f Makefile.inc1 ${CLEANDIR}
.endif
.endif
_obj:
@@ -723,78 +669,6 @@ everything:
@echo ">>> stage 4.4: building everything"
@echo "--------------------------------------------------------------"
${_+_}cd ${.CURDIR}; _PARALLEL_SUBDIR_OK=1 ${WMAKE} all
-.if defined(LIB32TMP)
-build32: .PHONY
- @echo
- @echo "--------------------------------------------------------------"
- @echo ">>> stage 5.1: building 32 bit shim libraries"
- @echo "--------------------------------------------------------------"
- mkdir -p ${LIB32TMP}/usr/include
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.usr.dist \
- -p ${LIB32TMP}/usr >/dev/null
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.include.dist \
- -p ${LIB32TMP}/usr/include >/dev/null
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \
- -p ${LIB32TMP}/usr >/dev/null
-.if ${MK_DEBUG_FILES} != "no"
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \
- -p ${LIB32TMP}/usr/lib >/dev/null
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \
- -p ${LIB32TMP}/usr/lib/debug/usr >/dev/null
-.endif
- mkdir -p ${WORLDTMP}
- ln -sf ${.CURDIR}/sys ${WORLDTMP}
-.for _t in obj includes
- ${_+_}cd ${.CURDIR}/include; ${LIB32WMAKE} DIRPRFX=include/ ${_t}
- ${_+_}cd ${.CURDIR}/lib; ${LIB32WMAKE} DIRPRFX=lib/ ${_t}
-.if ${MK_CDDL} != "no"
- ${_+_}cd ${.CURDIR}/cddl/lib; ${LIB32WMAKE} DIRPRFX=cddl/lib/ ${_t}
-.endif
- ${_+_}cd ${.CURDIR}/gnu/lib; ${LIB32WMAKE} DIRPRFX=gnu/lib/ ${_t}
-.if ${MK_CRYPT} != "no"
- ${_+_}cd ${.CURDIR}/secure/lib; ${LIB32WMAKE} DIRPRFX=secure/lib/ ${_t}
-.endif
-.if ${MK_KERBEROS} != "no"
- ${_+_}cd ${.CURDIR}/kerberos5/lib; ${LIB32WMAKE} DIRPRFX=kerberos5/lib ${_t}
-.endif
-.endfor
-.for _dir in usr.bin/lex/lib
- ${_+_}cd ${.CURDIR}/${_dir}; ${LIB32WMAKE} DIRPRFX=${_dir}/ obj
-.endfor
-.for _dir in lib/ncurses/ncurses lib/ncurses/ncursesw lib/libmagic
- ${_+_}cd ${.CURDIR}/${_dir}; \
- WORLDTMP=${WORLDTMP} \
- MAKEFLAGS="-m ${.CURDIR}/tools/build/mk ${.MAKEFLAGS}" \
- MAKEOBJDIRPREFIX=${LIB32_OBJTREE} ${MAKE} SSP_CFLAGS= DESTDIR= \
- DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
- build-tools
-.endfor
- ${_+_}cd ${.CURDIR}; \
- ${LIB32WMAKE} -f Makefile.inc1 -DNO_FSCHG libraries
-.for _t in obj depend all
- ${_+_}cd ${.CURDIR}/libexec/rtld-elf; PROG=ld-elf32.so.1 ${LIB32WMAKE} \
- -DNO_FSCHG DIRPRFX=libexec/rtld-elf/ ${_t}
- ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIB32WMAKE} \
- DIRPRFX=usr.bin/ldd ${_t}
-.endfor
-
-distribute32 install32: .MAKE .PHONY
- ${_+_}cd ${.CURDIR}/lib; ${LIB32IMAKE} ${.TARGET:S/32$//}
-.if ${MK_CDDL} != "no"
- ${_+_}cd ${.CURDIR}/cddl/lib; ${LIB32IMAKE} ${.TARGET:S/32$//}
-.endif
- ${_+_}cd ${.CURDIR}/gnu/lib; ${LIB32IMAKE} ${.TARGET:S/32$//}
-.if ${MK_CRYPT} != "no"
- ${_+_}cd ${.CURDIR}/secure/lib; ${LIB32IMAKE} ${.TARGET:S/32$//}
-.endif
-.if ${MK_KERBEROS} != "no"
- ${_+_}cd ${.CURDIR}/kerberos5/lib; ${LIB32IMAKE} ${.TARGET:S/32$//}
-.endif
- ${_+_}cd ${.CURDIR}/libexec/rtld-elf; \
- PROG=ld-elf32.so.1 ${LIB32IMAKE} ${.TARGET:S/32$//}
- ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIB32IMAKE} \
- ${.TARGET:S/32$//}
-.endif
WMAKE_TGTS=
WMAKE_TGTS+= _worldtmp _legacy
@@ -807,8 +681,8 @@ WMAKE_TGTS+= _includes _libraries
WMAKE_TGTS+= _depend
.endif
WMAKE_TGTS+= everything
-.if defined(LIB32TMP) && ${MK_LIB32} != "no" && empty(SUBDIR_OVERRIDE)
-WMAKE_TGTS+= build32
+.if defined(LIBCOMPAT) && empty(SUBDIR_OVERRIDE)
+WMAKE_TGTS+= build${libcompat}
.endif
buildworld: buildworld_prologue ${WMAKE_TGTS} buildworld_epilogue
@@ -848,7 +722,7 @@ buildenv: .PHONY
@cd ${BUILDENV_DIR} && env ${WMAKEENV} BUILDENV=1 ${BUILDENV_SHELL} \
|| true
-TOOLCHAIN_TGTS= ${WMAKE_TGTS:N_depend:Neverything:Nbuild32}
+TOOLCHAIN_TGTS= ${WMAKE_TGTS:N_depend:Neverything:Nbuild${libcompat}}
toolchain: ${TOOLCHAIN_TGTS}
kernel-toolchain: ${TOOLCHAIN_TGTS:N_includes:N_libraries}
@@ -942,8 +816,8 @@ ITOOLS+=makewhatis
# Non-base distributions produced by the base system
EXTRA_DISTRIBUTIONS= doc
-.if defined(LIB32TMP) && ${MK_LIB32} != "no"
-EXTRA_DISTRIBUTIONS+= lib32
+.if defined(LIBCOMPAT)
+EXTRA_DISTRIBUTIONS+= lib${libcompat}
.endif
.if ${MK_TESTS} != "no"
EXTRA_DISTRIBUTIONS+= tests
@@ -995,11 +869,11 @@ distributeworld installworld stageworld: _installcheck_world
mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \
-p ${DESTDIR}/${DISTDIR}/${dist}/usr/lib >/dev/null
.endif
-.if ${MK_LIB32} != "no"
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \
+.if defined(LIBCOMPAT)
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \
-p ${DESTDIR}/${DISTDIR}/${dist}/usr >/dev/null
.if ${MK_DEBUG_FILES} != "no"
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \
-p ${DESTDIR}/${DISTDIR}/${dist}/usr/lib/debug/usr >/dev/null
.endif
.endif
@@ -1019,8 +893,8 @@ distributeworld installworld stageworld: _installcheck_world
sed -e 's#^\./#./${dist}/usr/#' >> ${METALOG}
${IMAKEENV} mtree -C -f ${.CURDIR}/etc/mtree/BSD.include.dist | \
sed -e 's#^\./#./${dist}/usr/include/#' >> ${METALOG}
-.if ${MK_LIB32} != "no"
- ${IMAKEENV} mtree -C -f ${.CURDIR}/etc/mtree/BSD.lib32.dist | \
+.if defined(LIBCOMPAT)
+ ${IMAKEENV} mtree -C -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist | \
sed -e 's#^\./#./${dist}/usr/#' >> ${METALOG}
.endif
.endif
@@ -1105,8 +979,8 @@ reinstall: .MAKE .PHONY
@echo ">>> Installing everything"
@echo "--------------------------------------------------------------"
${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 install
-.if defined(LIB32TMP) && ${MK_LIB32} != "no"
- ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 install32
+.if defined(LIBCOMPAT)
+ ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 install${libcompat}
.endif
restage: .MAKE .PHONY
@@ -1129,9 +1003,9 @@ redistribute: .MAKE .PHONY
@echo ">>> Distributing everything"
@echo "--------------------------------------------------------------"
${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 distribute
-.if defined(LIB32TMP) && ${MK_LIB32} != "no"
- ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 distribute32 \
- DISTRIBUTION=lib32
+.if defined(LIBCOMPAT)
+ ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 distribute${libcompat} \
+ DISTRIBUTION=lib${libcompat}
.endif
distrib-dirs distribution: .MAKE .PHONY
@@ -1194,7 +1068,7 @@ INSTALLKERNEL= ${_kernel}
.endif
.endfor
-${WMAKE_TGTS:N_worldtmp:Nbuild32} ${.ALLTARGETS:M_*:N_worldtmp}: .MAKE .PHONY
+${WMAKE_TGTS:N_worldtmp:Nbuild${libcompat}} ${.ALLTARGETS:M_*:N_worldtmp}: .MAKE .PHONY
#
# buildkernel
@@ -1574,7 +1448,8 @@ update:
#
# ELF Tool Chain libraries are needed for ELF tools and dtrace tools.
-.if ${BOOTSTRAPPING} < 1100006
+# r296685 fix cross-endian objcopy
+.if ${BOOTSTRAPPING} < 1100102
_elftoolchain_libs= lib/libelf lib/libdwarf
.endif
@@ -2578,8 +2453,8 @@ _xi-mtree: .PHONY
-p ${XDDESTDIR}/usr >/dev/null
mtree -deU -f ${.CURDIR}/etc/mtree/BSD.include.dist \
-p ${XDDESTDIR}/usr/include >/dev/null
-.if ${MK_LIB32} != "no"
- mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \
+.if defined(LIBCOMPAT)
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \
-p ${XDDESTDIR}/usr >/dev/null
.endif
.if ${MK_TESTS} != "no"
diff --git a/Makefile.libcompat b/Makefile.libcompat
new file mode 100644
index 000000000000..8a336b9d5997
--- /dev/null
+++ b/Makefile.libcompat
@@ -0,0 +1,161 @@
+# $FreeBSD$
+
+.if !targets(__<${_this:T}>__)
+__<${_this:T}>__:
+
+# Makefile for the compatibility libraries.
+# - 32-bit compat libraries on PowerPC and AMD64.
+# could also be for mips, but that doesn't work today.
+
+# -------------------------------------------------------------------
+# 32 bit world
+.if ${TARGET_ARCH} == "amd64"
+.if empty(TARGET_CPUTYPE)
+LIB32CPUFLAGS= -march=i686 -mmmx -msse -msse2
+.else
+LIB32CPUFLAGS= -march=${TARGET_CPUTYPE}
+.endif
+LIB32WMAKEENV= MACHINE=i386 MACHINE_ARCH=i386 \
+ MACHINE_CPU="i686 mmx sse sse2"
+LIB32WMAKEFLAGS= \
+ AS="${XAS} --32" \
+ LD="${XLD} -m elf_i386_fbsd -Y P,${LIBCOMPATTMP}/usr/lib32" \
+ OBJCOPY="${XOBJCOPY}"
+
+.elif ${TARGET_ARCH} == "powerpc64"
+.if empty(TARGET_CPUTYPE)
+LIB32CPUFLAGS= -mcpu=powerpc
+.else
+LIB32CPUFLAGS= -mcpu=${TARGET_CPUTYPE}
+.endif
+LIB32WMAKEENV= MACHINE=powerpc MACHINE_ARCH=powerpc
+LIB32WMAKEFLAGS= \
+ LD="${XLD} -m elf32ppc_fbsd" \
+ OBJCOPY="${XOBJCOPY}"
+.endif
+
+
+LIB32CFLAGS= -m32 -DCOMPAT_32BIT
+LIB32DTRACE= ${DTRACE} -32
+LIB32WMAKEFLAGS+= -DCOMPAT_32BIT
+
+# -------------------------------------------------------------------
+# soft-fp world
+.if ${TARGET_ARCH} == "armv6"
+LIBSOFTCFLAGS= -DCOMPAT_SOFTFP
+LIBSOFTCPUFLAGS= -mfloat-abi=softfp
+LIBSOFTWMAKEENV= CPUTYPE=soft MACHINE=arm MACHINE_ARCH=armv6
+LIBSOFTWMAKEFLAGS= -DCOMPAT_SOFTFP
+.endif
+
+# -------------------------------------------------------------------
+# Generic code for each type.
+# Set defaults based on type.
+libcompat= ${LIBCOMPAT:tl}
+_LIBCOMPAT_MAKEVARS= _OBJTREE TMP CPUFLAGS CFLAGS WMAKEENV WMAKEFLAGS WMAKE
+.for _var in ${_LIBCOMPAT_MAKEVARS}
+.if !empty(LIB${LIBCOMPAT}${_var})
+LIBCOMPAT${_var}?= ${LIB${LIBCOMPAT}${_var}}
+.endif
+.endfor
+
+# Shared flags
+LIBCOMPAT_OBJTREE?= ${OBJTREE}${.CURDIR}/world${libcompat}
+LIBCOMPATTMP?= ${OBJTREE}${.CURDIR}/lib${libcompat}
+
+LIBCOMPATCFLAGS+= ${LIBCOMPATCPUFLAGS} \
+ -isystem ${LIBCOMPATTMP}/usr/include/ \
+ -L${LIBCOMPATTMP}/usr/lib${libcompat} \
+ -B${LIBCOMPATTMP}/usr/lib${libcompat}
+
+# Yes, the flags are redundant.
+LIBCOMPATWMAKEENV+= MAKEOBJDIRPREFIX=${LIBCOMPAT_OBJTREE} \
+ _LDSCRIPTROOT=${LIBCOMPATTMP} \
+ INSTALL="sh ${.CURDIR}/tools/install.sh" \
+ PATH=${TMPPATH} \
+ LIBDIR=/usr/lib${libcompat} \
+ SHLIBDIR=/usr/lib${libcompat} \
+ DTRACE="${LIB$COMPATDTRACE:U${DTRACE}}"
+LIBCOMPATWMAKEFLAGS+= CC="${XCC} ${LIBCOMPATCFLAGS}" \
+ CXX="${XCXX} ${LIBCOMPATCFLAGS}" \
+ DESTDIR=${LIBCOMPATTMP} \
+ -DLIBRARIES_ONLY \
+ -DNO_CPU_CFLAGS \
+ MK_CTF=no \
+ -DNO_LINT \
+ MK_TESTS=no
+LIBCOMPATWMAKE+= ${LIBCOMPATWMAKEENV} ${MAKE} ${LIBCOMPATWMAKEFLAGS} \
+ MK_MAN=no MK_HTML=no
+LIBCOMPATIMAKE+= ${LIBCOMPATWMAKE:NINSTALL=*:NDESTDIR=*:N_LDSCRIPTROOT=*} \
+ MK_TOOLCHAIN=no ${IMAKE_INSTALL}
+
+.if ${XCC:N${CCACHE_BIN}:M/*}
+LIBCOMPATCFLAGS+= --sysroot=${WORLDTMP}
+.endif
+
+_LC_LIBDIRS.yes= lib gnu/lib
+_LC_LIBDIRS.${MK_CDDL:tl}+= cddl/lib
+_LC_LIBDIRS.${MK_CRYPT:tl}+= secure/lib
+_LC_LIBDIRS.${MK_KERBEROS:tl}+= kerberos5/lib
+
+# Shared logic
+build${libcompat}: .PHONY
+ @echo
+ @echo "--------------------------------------------------------------"
+ @echo ">>> stage 5.1: building lib${libcompat} shim libraries"
+ @echo "--------------------------------------------------------------"
+ mkdir -p ${LIBCOMPATTMP}/usr/include
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.usr.dist \
+ -p ${LIBCOMPATTMP}/usr >/dev/null
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.include.dist \
+ -p ${LIBCOMPATTMP}/usr/include >/dev/null
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \
+ -p ${LIBCOMPATTMP}/usr >/dev/null
+.if ${MK_DEBUG_FILES} != "no"
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \
+ -p ${LIBCOMPATTMP}/usr/lib >/dev/null
+ mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \
+ -p ${LIBCOMPATTMP}/usr/lib/debug/usr >/dev/null
+.endif
+ mkdir -p ${WORLDTMP}
+ ln -sf ${.CURDIR}/sys ${WORLDTMP}
+.for _t in obj includes
+ ${_+_}cd ${.CURDIR}/include; ${LIBCOMPATWMAKE} DIRPRFX=include/ ${_t}
+.for _dir in ${_LC_LIBDIRS.yes}
+ ${_+_}cd ${.CURDIR}/${_dir}; ${LIBCOMPATWMAKE} DIRPRFX=${_dir}/ ${_t}
+.endfor
+.endfor
+.for _dir in usr.bin/lex/lib
+ ${_+_}cd ${.CURDIR}/${_dir}; ${LIBCOMPATWMAKE} DIRPRFX=${_dir}/ obj
+.endfor
+.for _dir in lib/ncurses/ncurses lib/ncurses/ncursesw lib/libmagic
+ ${_+_}cd ${.CURDIR}/${_dir}; \
+ WORLDTMP=${WORLDTMP} \
+ MAKEFLAGS="-m ${.CURDIR}/tools/build/mk ${.MAKEFLAGS}" \
+ MAKEOBJDIRPREFIX=${LIBCOMPAT_OBJTREE} ${MAKE} SSP_CFLAGS= DESTDIR= \
+ DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
+ build-tools
+.endfor
+ ${_+_}cd ${.CURDIR}; \
+ ${LIBCOMPATWMAKE} -f Makefile.inc1 -DNO_FSCHG libraries
+.if ${libcompat} == "32"
+.for _t in obj depend all
+ ${_+_}cd ${.CURDIR}/libexec/rtld-elf; PROG=ld-elf32.so.1 ${LIBCOMPATWMAKE} \
+ -DNO_FSCHG DIRPRFX=libexec/rtld-elf/ ${_t}
+ ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIBCOMPATWMAKE} \
+ DIRPRFX=usr.bin/ldd ${_t}
+.endfor
+.endif
+
+distribute${libcompat} install${libcompat}: .PHONY
+.for _dir in ${_LC_LIBDIRS.yes}
+ ${_+_}cd ${.CURDIR}/${_dir}; ${LIBCOMPATIMAKE} ${.TARGET:S/${libcompat}$//}
+.endfor
+.if ${libcompat} == "32"
+ ${_+_}cd ${.CURDIR}/libexec/rtld-elf; \
+ PROG=ld-elf32.so.1 ${LIBCOMPATIMAKE} ${.TARGET:S/32$//}
+ ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIBCOMPATIMAKE} \
+ ${.TARGET:S/32$//}
+.endif
+
+.endif
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index e53a91aaa24d..13c9156a7ded 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -144,6 +144,12 @@ OLD_FILES+=libexec/casper/grp
OLD_FILES+=libexec/casper/pwd
OLD_FILES+=libexec/casper/random
OLD_FILES+=libexec/casper/sysctl
+OLD_FILES+=libexec/casper/.debug/random.debug
+OLD_FILES+=libexec/casper/.debug/dns.debug
+OLD_FILES+=libexec/casper/.debug/sysctl.debug
+OLD_FILES+=libexec/casper/.debug/pwd.debug
+OLD_FILES+=libexec/casper/.debug/grp.debug
+OLD_DIRS+=libexec/casper/.debug
OLD_DIRS+=libexec/casper
OLD_FILES+=usr/lib/libcapsicum.a
OLD_FILES+=usr/lib/libcapsicum.so
diff --git a/UPDATING b/UPDATING
index 09154b656440..d3e454550828 100644
--- a/UPDATING
+++ b/UPDATING
@@ -31,6 +31,16 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11.x IS SLOW:
disable the most expensive debugging functionality run
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
+20160311:
+ WITH_FAST_DEPEND is now enabled by default for in-tree and out-of-tree
+ builds. It no longer runs mkdep(1) during 'make depend', and the
+ 'make depend' stage can safely be skipped now as it is auto ran
+ when building 'make all' and will generate all SRCS and DPSRCS before
+ building anything else. Dependencies are gathered at compile time with
+ -MF flags kept in separate .depend files per object file. Users should
+ run 'make cleandepend' once if using -DNO_CLEAN to clean out older
+ stale .depend files.
+
20160306:
On amd64, clang 3.8.0 can now insert sections of type AMD64_UNWIND into
kernel modules. Therefore, if you load any kernel modules at boot time,
diff --git a/bin/sh/exec.c b/bin/sh/exec.c
index ab86b7639c9a..79dad6c690c9 100644
--- a/bin/sh/exec.c
+++ b/bin/sh/exec.c
@@ -332,6 +332,7 @@ find_command(const char *name, struct cmdentry *entry, int act,
if (strchr(name, '/') != NULL) {
entry->cmdtype = CMDNORMAL;
entry->u.index = 0;
+ entry->special = 0;
return;
}
@@ -408,6 +409,7 @@ find_command(const char *name, struct cmdentry *entry, int act,
cmdp = &loc_cmd;
cmdp->cmdtype = CMDNORMAL;
cmdp->param.index = idx;
+ cmdp->special = 0;
INTON;
goto success;
}
@@ -420,6 +422,7 @@ find_command(const char *name, struct cmdentry *entry, int act,
}
entry->cmdtype = CMDUNKNOWN;
entry->u.index = 0;
+ entry->special = 0;
return;
success:
@@ -588,6 +591,7 @@ addcmdentry(const char *name, struct cmdentry *entry)
}
cmdp->cmdtype = entry->cmdtype;
cmdp->param = entry->u;
+ cmdp->special = entry->special;
INTON;
}
@@ -604,6 +608,7 @@ defun(const char *name, union node *func)
INTOFF;
entry.cmdtype = CMDFUNCTION;
entry.u.func = copyfunc(func);
+ entry.special = 0;
addcmdentry(name, &entry);
INTON;
}
diff --git a/bin/sh/miscbltin.c b/bin/sh/miscbltin.c
index 9dae4cb3c255..1537196709c2 100644
--- a/bin/sh/miscbltin.c
+++ b/bin/sh/miscbltin.c
@@ -452,7 +452,7 @@ ulimitcmd(int argc __unused, char **argv __unused)
struct rlimit limit;
what = 'f';
- while ((optc = nextopt("HSatfdsmcnuvlbpwk")) != '\0')
+ while ((optc = nextopt("HSatfdsmcnuvlbpwko")) != '\0')
switch (optc) {
case 'H':
how = HARD;
diff --git a/bin/sh/sh.1 b/bin/sh/sh.1
index 94067792e40e..1f2d67b3d9b5 100644
--- a/bin/sh/sh.1
+++ b/bin/sh/sh.1
@@ -2615,7 +2615,7 @@ and not found.
For aliases the alias expansion is printed;
for commands and tracked aliases
the complete pathname of the command is printed.
-.It Ic ulimit Oo Fl HSabcdfklmnpstuvw Oc Op Ar limit
+.It Ic ulimit Oo Fl HSabcdfklmnopstuvw Oc Op Ar limit
Set or display resource limits (see
.Xr getrlimit 2 ) .
If
@@ -2674,6 +2674,11 @@ kilobytes.
The maximal resident set size of a process, in kilobytes.
.It Fl n Ar nofiles
The maximal number of descriptors that could be opened by a process.
+.It Fl o Ar umtxp
+The maximal number of process-shared locks
+(see
+.Xr pthread 3 )
+for this user ID.
.It Fl p Ar pseudoterminals
The maximal number of pseudo-terminals for this user ID.
.It Fl s Ar stacksize
diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c
index 77f92237e210..5fe256503f5e 100644
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c
@@ -24,6 +24,7 @@
*/
/*
* Copyright (c) 2013, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2016, Pedro Giffuni. All rights reserved.
*/
#include <sys/types.h>
@@ -721,22 +722,20 @@ dt_module_load_proc(dtrace_hdl_t *dtp, dt_module_t *dmp)
return (dt_set_errno(dtp, EDT_CANTLOAD));
}
- dmp->dm_libctfp = malloc(sizeof (ctf_file_t *) * arg.dpa_count);
+ dmp->dm_libctfp = calloc(arg.dpa_count, sizeof (ctf_file_t *));
if (dmp->dm_libctfp == NULL) {
dt_proc_unlock(dtp, p);
dt_proc_release(dtp, p);
return (dt_set_errno(dtp, EDT_NOMEM));
}
- bzero(dmp->dm_libctfp, sizeof (ctf_file_t *) * arg.dpa_count);
- dmp->dm_libctfn = malloc(sizeof (char *) * arg.dpa_count);
+ dmp->dm_libctfn = calloc(arg.dpa_count, sizeof (char *));
if (dmp->dm_libctfn == NULL) {
free(dmp->dm_libctfp);
dt_proc_unlock(dtp, p);
dt_proc_release(dtp, p);
return (dt_set_errno(dtp, EDT_NOMEM));
}
- bzero(dmp->dm_libctfn, sizeof (char *) * arg.dpa_count);
dmp->dm_nctflibs = arg.dpa_count;
@@ -817,17 +816,14 @@ dt_module_load(dtrace_hdl_t *dtp, dt_module_t *dmp)
dmp->dm_nsymbuckets = _dtrace_strbuckets;
dmp->dm_symfree = 1; /* first free element is index 1 */
- dmp->dm_symbuckets = malloc(sizeof (uint_t) * dmp->dm_nsymbuckets);
- dmp->dm_symchains = malloc(sizeof (dt_sym_t) * dmp->dm_nsymelems + 1);
+ dmp->dm_symbuckets = calloc(dmp->dm_nsymbuckets, sizeof (uint_t));
+ dmp->dm_symchains = calloc(dmp->dm_nsymelems + 1, sizeof (dt_sym_t));
if (dmp->dm_symbuckets == NULL || dmp->dm_symchains == NULL) {
dt_module_unload(dtp, dmp);
return (dt_set_errno(dtp, EDT_NOMEM));
}
- bzero(dmp->dm_symbuckets, sizeof (uint_t) * dmp->dm_nsymbuckets);
- bzero(dmp->dm_symchains, sizeof (dt_sym_t) * dmp->dm_nsymelems + 1);
-
/*
* Iterate over the symbol table data buffer and insert each symbol
* name into the name hash if the name and type are valid. Then
diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c
index 0c747ed133ca..a630d300dc50 100644
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c
@@ -27,6 +27,7 @@
/*
* Copyright (c) 2012 by Delphix. All rights reserved.
+ * Copyright (c) 2016 Pedro Giffuni. All rights reserved.
*/
#include <sys/types.h>
@@ -47,15 +48,15 @@ dt_regset_create(ulong_t nregs)
if (drp == NULL)
return (NULL);
- drp->dr_bitmap = malloc(sizeof (ulong_t) * n);
- drp->dr_size = nregs;
+ drp->dr_bitmap = calloc(n, sizeof (ulong_t));
if (drp->dr_bitmap == NULL) {
dt_regset_destroy(drp);
return (NULL);
}
- bzero(drp->dr_bitmap, sizeof (ulong_t) * n);
+ drp->dr_size = nregs;
+
return (drp);
}
diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c
index cf6bc48341db..21669c84aefc 100644
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c
@@ -24,6 +24,10 @@
* Use is subject to license terms.
*/
+/*
+ * Portions Copyright 2016 Pedro Giffuni. All rights reserved.
+ */
+
#pragma ident "%Z%%M% %I% %E% SMI"
#include <sys/types.h>
@@ -70,12 +74,11 @@ dt_strtab_create(size_t bufsz)
return (NULL);
bzero(sp, sizeof (dt_strtab_t));
- sp->str_hash = malloc(nbuckets * sizeof (dt_strhash_t *));
+ sp->str_hash = calloc(nbuckets, sizeof (dt_strhash_t *));
if (sp->str_hash == NULL)
goto err;
- bzero(sp->str_hash, nbuckets * sizeof (dt_strhash_t *));
sp->str_hashsz = nbuckets;
sp->str_bufs = NULL;
sp->str_ptr = NULL;
diff --git a/contrib/bmake/ChangeLog b/contrib/bmake/ChangeLog
index c3a4241f0604..78b5a7eedfdd 100644
--- a/contrib/bmake/ChangeLog
+++ b/contrib/bmake/ChangeLog
@@ -1,3 +1,41 @@
+2016-03-07 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * Makefile (MAKE_VERSION): 20160307
+ Merge with NetBSD make, pick up
+ o var.c: fix :ts\nnn to be octal by default.
+ o meta.c: meta_finish() to cleanup memory.
+
+2016-02-26 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * Makefile (MAKE_VERSION): 20160226
+ Merge with NetBSD make, pick up
+ o meta.c: allow meta file for makeDepend if makefiles want it.
+
+2016-02-19 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * var.c: default .MAKE.SAVE_DOLLARS to FALSE
+ for backwards compatability.
+
+ * Makefile (MAKE_VERSION): 20160220
+ Merge with NetBSD make, pick up
+ o var.c: add knob to control handling of '$$' in :=
+
+2016-02-18 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * Makefile (MAKE_VERSION): 20160218
+ Merge with NetBSD make, pick up
+ o var.c: add .export-literal allows us to fix sys.clean-env.mk
+ post the changes to Var_Subst.
+ Var_Subst now takes flags, and does not consume '$$' in :=
+
+2016-02-17 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * Makefile (MAKE_VERSION): 20160217
+ Merge with NetBSD make, pick up
+ o var.c: preserve '$$' in :=
+ o parse.c: add .dinclude for handling included
+ makefile like .depend
+
2015-12-20 Simon J. Gerraty <sjg@bad.crufty.net>
* Makefile (MAKE_VERSION): 20151220
diff --git a/contrib/bmake/Makefile b/contrib/bmake/Makefile
index 625c254afcdd..730e15d27c51 100644
--- a/contrib/bmake/Makefile
+++ b/contrib/bmake/Makefile
@@ -1,7 +1,7 @@
-# $Id: Makefile,v 1.49 2015/12/20 22:54:40 sjg Exp $
+# $Id: Makefile,v 1.55 2016/03/07 22:02:47 sjg Exp $
# Base version on src date
-MAKE_VERSION= 20151220
+MAKE_VERSION= 20160307
PROG= bmake
diff --git a/contrib/bmake/arch.c b/contrib/bmake/arch.c
index 9ceee10cddb7..f613a663e394 100644
--- a/contrib/bmake/arch.c
+++ b/contrib/bmake/arch.c
@@ -1,4 +1,4 @@
-/* $NetBSD: arch.c,v 1.64 2015/10/11 04:51:24 sjg Exp $ */
+/* $NetBSD: arch.c,v 1.68 2016/02/18 18:29:14 christos Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1993
@@ -69,14 +69,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: arch.c,v 1.64 2015/10/11 04:51:24 sjg Exp $";
+static char rcsid[] = "$NetBSD: arch.c,v 1.68 2016/02/18 18:29:14 christos Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)arch.c 8.2 (Berkeley) 1/2/94";
#else
-__RCSID("$NetBSD: arch.c,v 1.64 2015/10/11 04:51:24 sjg Exp $");
+__RCSID("$NetBSD: arch.c,v 1.68 2016/02/18 18:29:14 christos Exp $");
#endif
#endif /* not lint */
#endif
@@ -136,7 +136,6 @@ __RCSID("$NetBSD: arch.c,v 1.64 2015/10/11 04:51:24 sjg Exp $");
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/param.h>
-#include <ctype.h>
#ifdef HAVE_AR_H
#include <ar.h>
#else
@@ -156,7 +155,6 @@ struct ar_hdr {
#if defined(HAVE_RANLIB_H) && !(defined(__ELF__) || defined(NO_RANLIB))
#include <ranlib.h>
#endif
-#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_UTIME_H
@@ -254,8 +252,7 @@ ArchFree(void *ap)
free(Hash_GetValue(entry));
free(a->name);
- if (a->fnametab)
- free(a->fnametab);
+ free(a->fnametab);
Hash_DeleteTable(&a->members);
free(a);
}
@@ -310,9 +307,10 @@ Arch_ParseArchive(char **linePtr, Lst nodeLst, GNode *ctxt)
void *freeIt;
char *result;
- result = Var_Parse(cp, ctxt, TRUE, TRUE, &length, &freeIt);
- if (freeIt)
- free(freeIt);
+ result = Var_Parse(cp, ctxt, VARF_UNDEFERR|VARF_WANTRES,
+ &length, &freeIt);
+ free(freeIt);
+
if (result == var_Error) {
return(FAILURE);
} else {
@@ -325,7 +323,7 @@ Arch_ParseArchive(char **linePtr, Lst nodeLst, GNode *ctxt)
*cp++ = '\0';
if (subLibName) {
- libName = Var_Subst(NULL, libName, ctxt, TRUE, TRUE);
+ libName = Var_Subst(NULL, libName, ctxt, VARF_UNDEFERR|VARF_WANTRES);
}
@@ -351,9 +349,10 @@ Arch_ParseArchive(char **linePtr, Lst nodeLst, GNode *ctxt)
void *freeIt;
char *result;
- result = Var_Parse(cp, ctxt, TRUE, TRUE, &length, &freeIt);
- if (freeIt)
- free(freeIt);
+ result = Var_Parse(cp, ctxt, VARF_UNDEFERR|VARF_WANTRES,
+ &length, &freeIt);
+ free(freeIt);
+
if (result == var_Error) {
return(FAILURE);
} else {
@@ -404,7 +403,8 @@ Arch_ParseArchive(char **linePtr, Lst nodeLst, GNode *ctxt)
char *oldMemName = memName;
size_t sz;
- memName = Var_Subst(NULL, memName, ctxt, TRUE, TRUE);
+ memName = Var_Subst(NULL, memName, ctxt,
+ VARF_UNDEFERR|VARF_WANTRES);
/*
* Now form an archive spec and recurse to deal with nested
@@ -759,8 +759,7 @@ ArchStatMember(char *archive, char *member, Boolean hash)
badarch:
fclose(arch);
Hash_DeleteTable(&ar->members);
- if (ar->fnametab)
- free(ar->fnametab);
+ free(ar->fnametab);
free(ar);
return NULL;
}
@@ -1045,10 +1044,10 @@ Arch_Touch(GNode *gn)
arch = ArchFindMember(Var_Value(ARCHIVE, gn, &p1),
Var_Value(MEMBER, gn, &p2),
&arh, "r+");
- if (p1)
- free(p1);
- if (p2)
- free(p2);
+
+ free(p1);
+ free(p2);
+
snprintf(arh.AR_DATE, sizeof(arh.AR_DATE), "%-12ld", (long) now);
if (arch != NULL) {
@@ -1127,10 +1126,9 @@ Arch_MTime(GNode *gn)
arhPtr = ArchStatMember(Var_Value(ARCHIVE, gn, &p1),
Var_Value(MEMBER, gn, &p2),
TRUE);
- if (p1)
- free(p1);
- if (p2)
- free(p2);
+
+ free(p1);
+ free(p2);
if (arhPtr != NULL) {
modTime = (time_t)strtol(arhPtr->AR_DATE, NULL, 10);
diff --git a/contrib/bmake/bmake.1 b/contrib/bmake/bmake.1
index 39d28c4e1ee3..603481e9d08c 100644
--- a/contrib/bmake/bmake.1
+++ b/contrib/bmake/bmake.1
@@ -1,4 +1,4 @@
-.\" $NetBSD: make.1,v 1.249 2015/06/05 07:33:40 wiz Exp $
+.\" $NetBSD: make.1,v 1.254 2016/02/20 01:43:28 wiz Exp $
.\"
.\" Copyright (c) 1990, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" from: @(#)make.1 8.4 (Berkeley) 3/19/94
.\"
-.Dd June 4, 2015
+.Dd February 19, 2016
.Dt MAKE 1
.Os
.Sh NAME
@@ -293,7 +293,7 @@ then
will search for the specified file or directory named in the remaining part
of the argument string.
The search starts with the current directory of
-the Makefile and then works upward towards the root of the filesystem.
+the Makefile and then works upward towards the root of the file system.
If the search is successful, then the resulting directory replaces the
.Qq \&.../
specification in the
@@ -868,7 +868,7 @@ This can be overridden by setting
.Va bf
to a value which represents True.
.It Pa env
-For debugging, it can be useful to inlcude the environment
+For debugging, it can be useful to include the environment
in the .meta file.
.It Pa verbose
If in "meta" mode, print a clue about the target being built.
@@ -918,7 +918,7 @@ The default value is:
This variable is used to record the names of variables assigned to
on the command line, so that they may be exported as part of
.Ql Ev MAKEFLAGS .
-This behaviour can be disabled by assigning an empty value to
+This behavior can be disabled by assigning an empty value to
.Ql Va .MAKEOVERRIDES
within a makefile.
Extra variables can be exported from a makefile
@@ -941,6 +941,19 @@ The process-id of
.It Va .MAKE.PPID
The parent process-id of
.Nm .
+.It Va .MAKE.SAVE_DOLLARS
+value should be a boolean that controls whether
+.Ql $$
+are preserved when doing
+.Ql :=
+assignments.
+The default is false, for backwards compatibility.
+Set to true for compatability with other makes.
+If set to false,
+.Ql $$
+becomes
+.Ql $
+per normal evaluation rules.
.It Va MAKE_PRINT_VAR_ON_ERROR
When
.Nm
@@ -1044,7 +1057,7 @@ sets
to the value of
.Ql Ev PWD
instead.
-This behaviour is disabled if
+This behavior is disabled if
.Ql Ev MAKEOBJDIRPREFIX
is set or
.Ql Ev MAKEOBJDIR
@@ -1114,7 +1127,7 @@ The wildcard characters may be escaped with a backslash
As a consequence of the way values are split into words, matched,
and then joined, a construct like
.Dl ${VAR:M*}
-will normalise the inter-word spacing, removing all leading and
+will normalize the inter-word spacing, removing all leading and
trailing space, and converting multiple consecutive spaces
to single spaces.
.
@@ -1134,7 +1147,7 @@ Randomize words in variable.
The results will be different each time you are referring to the
modified variable; use the assignment with expansion
.Pq Ql Cm \&:=
-to prevent such behaviour.
+to prevent such behavior.
For example,
.Bd -literal -offset indent
LIST= uno due tre quattro
@@ -1166,7 +1179,7 @@ The value is a format string for
using the current
.Xr gmtime 3 .
.It Cm \&:hash
-Compute a 32bit hash of the value and encode it as hex digits.
+Compute a 32-bit hash of the value and encode it as hex digits.
.It Cm \&:localtime
The value is a format string for
.Xr strftime 3 ,
@@ -1444,7 +1457,7 @@ value is divided into words.
.Pp
Ordinarily, a value is treated as a sequence of words
delimited by white space.
-Some modifiers suppress this behaviour,
+Some modifiers suppress this behavior,
causing a value to be treated as a single word
(possibly containing embedded white space).
An empty value, or a value that consists entirely of white-space,
@@ -1530,12 +1543,20 @@ For compatibility with other versions of
.Nm
.Ql include file ...
is also accepted.
+.Pp
If the include statement is written as
.Cm .-include
or as
.Cm .sinclude
then errors locating and/or opening include files are ignored.
.Pp
+If the include statement is written as
+.Cm .dinclude
+not only are errors locating and/or opening include files ignored,
+but stale dependencies within the included file will be ignored
+just like
+.Va .MAKE.DEPENDFILE .
+.Pp
Conditional expressions are also preceded by a single dot as the first
character of a line.
The possible conditionals are as follows:
@@ -1571,6 +1592,10 @@ This allows exporting a value to the environment which is different from that
used by
.Nm
internally.
+.It Ic .export-literal Ar variable ...
+The same as
+.Ql .export-env ,
+except that variables in the value are not expanded.
.It Ic .info Ar message
The message is printed along with the name of the makefile and line number.
.It Ic .undef Ar variable
@@ -2068,7 +2093,7 @@ The sources are a set of
pairs.
.Bl -tag -width hasErrCtls
.It Ar name
-This is the minimal specification, used to select one of the builtin
+This is the minimal specification, used to select one of the built-in
shell specs;
.Ar sh ,
.Ar ksh ,
diff --git a/contrib/bmake/bmake.cat1 b/contrib/bmake/bmake.cat1
index 4d43e2de00c9..b6159a8dcfe8 100644
--- a/contrib/bmake/bmake.cat1
+++ b/contrib/bmake/bmake.cat1
@@ -178,11 +178,11 @@ DDEESSCCRRIIPPTTIIOONN
then bbmmaakkee will search for the specified file or directory named
in the remaining part of the argument string. The search starts
with the current directory of the Makefile and then works upward
- towards the root of the filesystem. If the search is successful,
- then the resulting directory replaces the ".../" specification in
- the --mm argument. If used, this feature allows bbmmaakkee to easily
- search in the current source tree for customized sys.mk files
- (e.g., by using ".../mk/sys.mk" as an argument).
+ towards the root of the file system. If the search is success-
+ ful, then the resulting directory replaces the ".../" specifica-
+ tion in the --mm argument. If used, this feature allows bbmmaakkee to
+ easily search in the current source tree for customized sys.mk
+ files (e.g., by using ".../mk/sys.mk" as an argument).
--nn Display the commands that would have been executed, but do not
actually execute them unless the target depends on the .MAKE spe-
@@ -543,7 +543,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS
in `_._C_U_R_D_I_R'. This can be overridden by set-
ting _b_f to a value which represents True.
- _e_n_v For debugging, it can be useful to inlcude
+ _e_n_v For debugging, it can be useful to include
the environment in the .meta file.
_v_e_r_b_o_s_e If in "meta" mode, print a clue about the
@@ -591,7 +591,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS
_._M_A_K_E_O_V_E_R_R_I_D_E_S This variable is used to record the names of variables
assigned to on the command line, so that they may be
- exported as part of `MAKEFLAGS'. This behaviour can be
+ exported as part of `MAKEFLAGS'. This behavior can be
disabled by assigning an empty value to `_._M_A_K_E_O_V_E_R_R_I_D_E_S'
within a makefile. Extra variables can be exported from
a makefile by appending their names to `_._M_A_K_E_O_V_E_R_R_I_D_E_S'.
@@ -607,6 +607,13 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS
_._M_A_K_E_._P_P_I_D The parent process-id of bbmmaakkee.
+ _._M_A_K_E_._S_A_V_E___D_O_L_L_A_R_S
+ value should be a boolean that controls whether `$$' are
+ preserved when doing `:=' assignments. The default is
+ false, for backwards compatibility. Set to true for com-
+ patability with other makes. If set to false, `$$'
+ becomes `$' per normal evaluation rules.
+
_M_A_K_E___P_R_I_N_T___V_A_R___O_N___E_R_R_O_R
When bbmmaakkee stops due to an error, it prints its name and
the value of `_._C_U_R_D_I_R' as well as the value of any vari-
@@ -670,7 +677,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS
sets `_._C_U_R_D_I_R' to the canonical path given by getcwd(3).
However, if the environment variable `PWD' is set and
gives a path to the current directory, then bbmmaakkee sets
- `_._C_U_R_D_I_R' to the value of `PWD' instead. This behaviour
+ `_._C_U_R_D_I_R' to the value of `PWD' instead. This behavior
is disabled if `MAKEOBJDIRPREFIX' is set or `MAKEOBJDIR'
contains a variable transform. `PWD' is set to the value
of `_._O_B_J_D_I_R' for all programs which bbmmaakkee executes.
@@ -717,7 +724,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS
of the way values are split into words, matched, and then joined, a
construct like
${VAR:M*}
- will normalise the inter-word spacing, removing all leading and
+ will normalize the inter-word spacing, removing all leading and
trailing space, and converting multiple consecutive spaces to single
spaces.
@@ -730,7 +737,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS
::OOxx Randomize words in variable. The results will be different each
time you are referring to the modified variable; use the assignment
- with expansion (`::==') to prevent such behaviour. For example,
+ with expansion (`::==') to prevent such behavior. For example,
LIST= uno due tre quattro
RANDOM_LIST= ${LIST:Ox}
@@ -758,7 +765,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS
gmtime(3).
::hhaasshh
- Compute a 32bit hash of the value and encode it as hex digits.
+ Compute a 32-bit hash of the value and encode it as hex digits.
::llooccaallttiimmee
The value is a format string for strftime(3), using the current
@@ -914,13 +921,13 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS
tions related to the way in which the value is divided into words.
Ordinarily, a value is treated as a sequence of words delimited by
- white space. Some modifiers suppress this behaviour, causing a
- value to be treated as a single word (possibly containing embedded
- white space). An empty value, or a value that consists entirely of
- white-space, is treated as a single word. For the purposes of the
- `::[[]]' modifier, the words are indexed both forwards using positive
- integers (where index 1 represents the first word), and backwards
- using negative integers (where index -1 represents the last word).
+ white space. Some modifiers suppress this behavior, causing a value
+ to be treated as a single word (possibly containing embedded white
+ space). An empty value, or a value that consists entirely of white-
+ space, is treated as a single word. For the purposes of the `::[[]]'
+ modifier, the words are indexed both forwards using positive inte-
+ gers (where index 1 represents the first word), and backwards using
+ negative integers (where index -1 represents the last word).
The _r_a_n_g_e is subjected to variable expansion, and the expanded
result is then interpreted as follows:
@@ -957,8 +964,14 @@ IINNCCLLUUDDEE SSTTAATTEEMMEENNTTSS,, CCOONNDDIITTIIOO
used, the including makefile's directory and any directories specified
using the --II option are searched before the system makefile directory.
For compatibility with other versions of bbmmaakkee `include file ...' is also
- accepted. If the include statement is written as ..--iinncclluuddee or as
- ..ssiinncclluuddee then errors locating and/or opening include files are ignored.
+ accepted.
+
+ If the include statement is written as ..--iinncclluuddee or as ..ssiinncclluuddee then
+ errors locating and/or opening include files are ignored.
+
+ If the include statement is written as ..ddiinncclluuddee not only are errors
+ locating and/or opening include files ignored, but stale dependencies
+ within the included file will be ignored just like _._M_A_K_E_._D_E_P_E_N_D_F_I_L_E.
Conditional expressions are also preceded by a single dot as the first
character of a line. The possible conditionals are as follows:
@@ -982,6 +995,10 @@ IINNCCLLUUDDEE SSTTAATTEEMMEENNTTSS,, CCOONNDDIITTIIOO
to _._M_A_K_E_._E_X_P_O_R_T_E_D. This allows exporting a value to the environ-
ment which is different from that used by bbmmaakkee internally.
+ ..eexxppoorrtt--lliitteerraall _v_a_r_i_a_b_l_e _._._.
+ The same as `.export-env', except that variables in the value are
+ not expanded.
+
..iinnffoo _m_e_s_s_a_g_e
The message is printed along with the name of the makefile and
line number.
@@ -1307,7 +1324,7 @@ SSPPEECCIIAALL TTAARRGGEETTSS
sources are a set of _f_i_e_l_d_=_v_a_l_u_e pairs.
_n_a_m_e This is the minimal specification, used to select
- one of the builtin shell specs; _s_h, _k_s_h, and _c_s_h.
+ one of the built-in shell specs; _s_h, _k_s_h, and _c_s_h.
_p_a_t_h Specifies the path to the shell.
@@ -1452,4 +1469,4 @@ BBUUGGSS
There is no way of escaping a space character in a filename.
-NetBSD 5.1 June 4, 2015 NetBSD 5.1
+NetBSD 5.1 February 19, 2016 NetBSD 5.1
diff --git a/contrib/bmake/compat.c b/contrib/bmake/compat.c
index 6cf963ffb2da..475c59d51118 100644
--- a/contrib/bmake/compat.c
+++ b/contrib/bmake/compat.c
@@ -1,4 +1,4 @@
-/* $NetBSD: compat.c,v 1.101 2015/10/11 04:51:24 sjg Exp $ */
+/* $NetBSD: compat.c,v 1.104 2016/02/18 18:29:14 christos Exp $ */
/*
* Copyright (c) 1988, 1989, 1990 The Regents of the University of California.
@@ -70,14 +70,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: compat.c,v 1.101 2015/10/11 04:51:24 sjg Exp $";
+static char rcsid[] = "$NetBSD: compat.c,v 1.104 2016/02/18 18:29:14 christos Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)compat.c 8.2 (Berkeley) 3/19/94";
#else
-__RCSID("$NetBSD: compat.c,v 1.101 2015/10/11 04:51:24 sjg Exp $");
+__RCSID("$NetBSD: compat.c,v 1.104 2016/02/18 18:29:14 christos Exp $");
#endif
#endif /* not lint */
#endif
@@ -146,8 +146,8 @@ CompatInterrupt(int signo)
if (!noExecute && eunlink(file) != -1) {
Error("*** %s removed", file);
}
- if (p1)
- free(p1);
+
+ free(p1);
/*
* Run .INTERRUPT only if hit with interrupt signal
@@ -213,7 +213,7 @@ CompatRunCommand(void *cmdp, void *gnp)
doIt = FALSE;
cmdNode = Lst_Member(gn->commands, cmd);
- cmdStart = Var_Subst(NULL, cmd, gn, FALSE, TRUE);
+ cmdStart = Var_Subst(NULL, cmd, gn, VARF_WANTRES);
/*
* brk_string will return an argv with a NULL in av[0], thus causing
@@ -374,10 +374,10 @@ again:
execError("exec", av[0]);
_exit(1);
}
- if (mav)
- free(mav);
- if (bp)
- free(bp);
+
+ free(mav);
+ free(bp);
+
Lst_Replace(cmdNode, NULL);
#ifdef USE_META
@@ -516,8 +516,7 @@ Compat_Make(void *gnp, void *pgnp)
if (Lst_Member(gn->iParents, pgn) != NULL) {
char *p1;
Var_Set(IMPSRC, Var_Value(TARGET, gn, &p1), pgn, 0);
- if (p1)
- free(p1);
+ free(p1);
}
/*
@@ -620,8 +619,7 @@ Compat_Make(void *gnp, void *pgnp)
if (Lst_Member(gn->iParents, pgn) != NULL) {
char *p1;
Var_Set(IMPSRC, Var_Value(TARGET, gn, &p1), pgn, 0);
- if (p1)
- free(p1);
+ free(p1);
}
switch(gn->made) {
case BEINGMADE:
diff --git a/contrib/bmake/cond.c b/contrib/bmake/cond.c
index 19163008250f..cf0107bc2edd 100644
--- a/contrib/bmake/cond.c
+++ b/contrib/bmake/cond.c
@@ -1,4 +1,4 @@
-/* $NetBSD: cond.c,v 1.71 2015/12/02 00:28:24 sjg Exp $ */
+/* $NetBSD: cond.c,v 1.74 2016/02/18 18:29:14 christos Exp $ */
/*
* Copyright (c) 1988, 1989, 1990 The Regents of the University of California.
@@ -70,14 +70,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: cond.c,v 1.71 2015/12/02 00:28:24 sjg Exp $";
+static char rcsid[] = "$NetBSD: cond.c,v 1.74 2016/02/18 18:29:14 christos Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)cond.c 8.2 (Berkeley) 1/2/94";
#else
-__RCSID("$NetBSD: cond.c,v 1.71 2015/12/02 00:28:24 sjg Exp $");
+__RCSID("$NetBSD: cond.c,v 1.74 2016/02/18 18:29:14 christos Exp $");
#endif
#endif /* not lint */
#endif
@@ -289,10 +289,10 @@ CondGetArg(char **linePtr, char **argPtr, const char *func)
int len;
void *freeIt;
- cp2 = Var_Parse(cp, VAR_CMD, TRUE, TRUE, &len, &freeIt);
+ cp2 = Var_Parse(cp, VAR_CMD, VARF_UNDEFERR|VARF_WANTRES,
+ &len, &freeIt);
Buf_AddBytes(&buf, strlen(cp2), cp2);
- if (freeIt)
- free(freeIt);
+ free(freeIt);
cp += len;
continue;
}
@@ -346,8 +346,8 @@ CondDoDefined(int argLen MAKE_ATTR_UNUSED, const char *arg)
} else {
result = FALSE;
}
- if (p1)
- free(p1);
+
+ free(p1);
return (result);
}
@@ -574,8 +574,9 @@ CondGetString(Boolean doEval, Boolean *quoted, void **freeIt, Boolean strictLHS)
break;
case '$':
/* if we are in quotes, then an undefined variable is ok */
- str = Var_Parse(condExpr, VAR_CMD, (qt ? 0 : doEval),
- TRUE, &len, freeIt);
+ str = Var_Parse(condExpr, VAR_CMD,
+ ((!qt && doEval) ? VARF_UNDEFERR : 0) |
+ VARF_WANTRES, &len, freeIt);
if (str == var_Error) {
if (*freeIt) {
free(*freeIt);
@@ -805,10 +806,8 @@ do_string_compare:
}
done:
- if (lhsFree)
- free(lhsFree);
- if (rhsFree)
- free(rhsFree);
+ free(lhsFree);
+ free(rhsFree);
return t;
}
@@ -827,7 +826,7 @@ get_mpt_arg(char **linePtr, char **argPtr, const char *func MAKE_ATTR_UNUSED)
/* We do all the work here and return the result as the length */
*argPtr = NULL;
- val = Var_Parse(cp - 1, VAR_CMD, FALSE, TRUE, &length, &freeIt);
+ val = Var_Parse(cp - 1, VAR_CMD, VARF_WANTRES, &length, &freeIt);
/*
* Advance *linePtr to beyond the closing ). Note that
* we subtract one because 'length' is calculated from 'cp - 1'.
@@ -848,8 +847,7 @@ get_mpt_arg(char **linePtr, char **argPtr, const char *func MAKE_ATTR_UNUSED)
* true/false here.
*/
length = *val ? 2 : 1;
- if (freeIt)
- free(freeIt);
+ free(freeIt);
return length;
}
@@ -900,8 +898,7 @@ compare_function(Boolean doEval)
}
/* Evaluate the argument using the required function. */
t = !doEval || fn_def->fn_proc(arglen, arg);
- if (arg)
- free(arg);
+ free(arg);
condExpr = cp;
return t;
}
@@ -933,8 +930,7 @@ compare_function(Boolean doEval)
* be empty - even if it contained a variable expansion.
*/
t = !doEval || if_info->defProc(arglen, arg) != if_info->doNot;
- if (arg)
- free(arg);
+ free(arg);
return t;
}
diff --git a/contrib/bmake/dirname.c b/contrib/bmake/dirname.c
index 8b6b6c3d44de..154593b1d523 100644
--- a/contrib/bmake/dirname.c
+++ b/contrib/bmake/dirname.c
@@ -1,4 +1,4 @@
-/* $NetBSD: dirname.c,v 1.11 2009/11/24 13:34:20 tnozaki Exp $ */
+/* $NetBSD: dirname.c,v 1.13 2014/07/16 10:52:26 christos Exp $ */
/*-
* Copyright (c) 1997, 2002 The NetBSD Foundation, Inc.
@@ -35,7 +35,10 @@
#ifndef HAVE_DIRNAME
#include <sys/cdefs.h>
-
+#include <sys/param.h>
+#ifdef HAVE_LIBGEN_H
+#include <libgen.h>
+#endif
#ifdef HAVE_LIMITS_H
#include <limits.h>
#endif
@@ -45,51 +48,73 @@
#ifndef PATH_MAX
# define PATH_MAX 1024
#endif
+#ifndef MIN
+# define MIN(a, b) ((a < b) ? a : b)
+#endif
-char *
-dirname(char *path)
+
+static size_t
+xdirname_r(const char *path, char *buf, size_t buflen)
{
- static char result[PATH_MAX];
- const char *lastp;
+ const char *endp;
size_t len;
/*
* If `path' is a null pointer or points to an empty string,
* return a pointer to the string ".".
*/
- if ((path == NULL) || (*path == '\0'))
- goto singledot;
-
+ if (path == NULL || *path == '\0') {
+ path = ".";
+ len = 1;
+ goto out;
+ }
/* Strip trailing slashes, if any. */
- lastp = path + strlen(path) - 1;
- while (lastp != path && *lastp == '/')
- lastp--;
+ endp = path + strlen(path) - 1;
+ while (endp != path && *endp == '/')
+ endp--;
- /* Terminate path at the last occurence of '/'. */
- do {
- if (*lastp == '/') {
- /* Strip trailing slashes, if any. */
- while (lastp != path && *lastp == '/')
- lastp--;
+ /* Find the start of the dir */
+ while (endp > path && *endp != '/')
+ endp--;
- /* ...and copy the result into the result buffer. */
- len = (lastp - path) + 1 /* last char */;
- if (len > (PATH_MAX - 1))
- len = PATH_MAX - 1;
+ if (endp == path) {
+ path = *endp == '/' ? "/" : ".";
+ len = 1;
+ goto out;
+ }
- memcpy(result, path, len);
- result[len] = '\0';
+ do
+ endp--;
+ while (endp > path && *endp == '/');
- return (result);
- }
- } while (--lastp >= path);
+ len = endp - path + 1;
+out:
+ if (buf != NULL && buflen != 0) {
+ buflen = MIN(len, buflen - 1);
+ memcpy(buf, path, buflen);
+ buf[buflen] = '\0';
+ }
+ return len;
+}
- /* No /'s found, return a pointer to the string ".". */
-singledot:
- result[0] = '.';
- result[1] = '\0';
+char *
+dirname(char *path)
+{
+ static char result[PATH_MAX];
+ (void)xdirname_r(path, result, sizeof(result));
+ return result;
+}
+
+#ifdef MAIN
+#include <stdlib.h>
+#include <stdio.h>
- return (result);
+int
+main(int argc, char *argv[])
+{
+ printf("%s\n", dirname(argv[1]));
+ exit(0);
}
#endif
+#endif
diff --git a/contrib/bmake/for.c b/contrib/bmake/for.c
index 7f10e5626f9a..ec00a456a268 100644
--- a/contrib/bmake/for.c
+++ b/contrib/bmake/for.c
@@ -1,4 +1,4 @@
-/* $NetBSD: for.c,v 1.50 2015/10/11 04:51:24 sjg Exp $ */
+/* $NetBSD: for.c,v 1.52 2016/02/18 18:29:14 christos Exp $ */
/*
* Copyright (c) 1992, The Regents of the University of California.
@@ -30,14 +30,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: for.c,v 1.50 2015/10/11 04:51:24 sjg Exp $";
+static char rcsid[] = "$NetBSD: for.c,v 1.52 2016/02/18 18:29:14 christos Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)for.c 8.1 (Berkeley) 6/6/93";
#else
-__RCSID("$NetBSD: for.c,v 1.50 2015/10/11 04:51:24 sjg Exp $");
+__RCSID("$NetBSD: for.c,v 1.52 2016/02/18 18:29:14 christos Exp $");
#endif
#endif /* not lint */
#endif
@@ -216,7 +216,7 @@ For_Eval(char *line)
* We can't do the escapes here - because we don't know whether
* we are substuting into ${...} or $(...).
*/
- sub = Var_Subst(NULL, ptr, VAR_GLOBAL, FALSE, TRUE);
+ sub = Var_Subst(NULL, ptr, VAR_GLOBAL, VARF_WANTRES);
/*
* Split into words allowing for quoted strings.
diff --git a/contrib/bmake/getopt.c b/contrib/bmake/getopt.c
index c40bc1356d8c..da29daed2ca8 100644
--- a/contrib/bmake/getopt.c
+++ b/contrib/bmake/getopt.c
@@ -1,3 +1,5 @@
+/* $NetBSD: getopt.c,v 1.29 2014/06/05 22:00:22 christos Exp $ */
+
/*
* Copyright (c) 1987, 1993, 1994
* The Regents of the University of California. All rights reserved.
@@ -10,11 +12,7 @@
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
@@ -35,11 +33,7 @@
# include "config.h"
#endif
#if !defined(HAVE_GETOPT) || defined(WANT_GETOPT_LONG) || defined(BROKEN_GETOPT)
-
-#if defined(LIBC_SCCS) && !defined(lint)
-/* static char sccsid[] = "from: @(#)getopt.c 8.2 (Berkeley) 4/2/94"; */
-static char *rcsid = "$Id: getopt.c,v 1.3 1999/01/08 02:14:18 sjg Exp $";
-#endif /* LIBC_SCCS and not lint */
+#include <sys/cdefs.h>
#include <stdio.h>
#include <stdlib.h>
@@ -61,13 +55,10 @@ char *optarg; /* argument associated with option */
* Parse argc/argv argument vector.
*/
int
-getopt(nargc, nargv, ostr)
- int nargc;
- char * const *nargv;
- const char *ostr;
+getopt(int nargc, char * const nargv[], const char *ostr)
{
extern char *__progname;
- static char *place = EMSG; /* option letter processing */
+ static const char *place = EMSG; /* option letter processing */
char *oli; /* option letter list index */
#ifndef BSD4_4
@@ -79,43 +70,63 @@ getopt(nargc, nargv, ostr)
}
#endif
- if (optreset || !*place) { /* update scanning pointer */
+ if (optreset || *place == 0) { /* update scanning pointer */
optreset = 0;
- if (optind >= nargc || *(place = nargv[optind]) != '-') {
+ place = nargv[optind];
+ if (optind >= nargc || *place++ != '-') {
+ /* Argument is absent or is not an option */
place = EMSG;
return (-1);
}
- if (place[1] && *++place == '-' /* found "--" */
- && !place[1]) { /* and not "--foo" */
+ optopt = *place++;
+ if (optopt == '-' && *place == 0) {
+ /* "--" => end of options */
++optind;
place = EMSG;
return (-1);
}
- } /* option letter okay? */
- if ((optopt = (int)*place++) == (int)':' ||
- !(oli = strchr(ostr, optopt))) {
- /*
- * if the user didn't specify '-' as an option,
- * assume it means -1.
- */
- if (optopt == (int)'-')
- return (-1);
- if (!*place)
+ if (optopt == 0) {
+ /* Solitary '-', treat as a '-' option
+ if the program (eg su) is looking for it. */
+ place = EMSG;
+ if (strchr(ostr, '-') == NULL)
+ return -1;
+ optopt = '-';
+ }
+ } else
+ optopt = *place++;
+
+ /* See if option letter is one the caller wanted... */
+ if (optopt == ':' || (oli = strchr(ostr, optopt)) == NULL) {
+ if (*place == 0)
++optind;
if (opterr && *ostr != ':')
(void)fprintf(stderr,
- "%s: illegal option -- %c\n", __progname, optopt);
+ "%s: unknown option -- %c\n", __progname, optopt);
return (BADCH);
}
- if (*++oli != ':') { /* don't need argument */
+
+ /* Does this option need an argument? */
+ if (oli[1] != ':') {
+ /* don't need argument */
optarg = NULL;
- if (!*place)
+ if (*place == 0)
++optind;
- }
- else { /* need an argument */
- if (*place) /* no white space */
- optarg = place;
- else if (nargc <= ++optind) { /* no arg */
+ } else {
+ /* Option-argument is either the rest of this argument or the
+ entire next argument. */
+ if (*place)
+ optarg = __UNCONST(place);
+ else if (oli[2] == ':')
+ /*
+ * GNU Extension, for optional arguments if the rest of
+ * the argument is empty, we return NULL
+ */
+ optarg = NULL;
+ else if (nargc > ++optind)
+ optarg = nargv[optind];
+ else {
+ /* option-argument absent */
place = EMSG;
if (*ostr == ':')
return (BADARG);
@@ -125,12 +136,10 @@ getopt(nargc, nargv, ostr)
__progname, optopt);
return (BADCH);
}
- else /* white space */
- optarg = nargv[optind];
place = EMSG;
++optind;
}
- return (optopt); /* dump back option letter */
+ return (optopt); /* return option letter */
}
#endif
#ifdef MAIN
diff --git a/contrib/bmake/job.c b/contrib/bmake/job.c
index 20f693ab8618..54c25f50585d 100644
--- a/contrib/bmake/job.c
+++ b/contrib/bmake/job.c
@@ -1,4 +1,4 @@
-/* $NetBSD: job.c,v 1.181 2015/10/11 04:51:24 sjg Exp $ */
+/* $NetBSD: job.c,v 1.186 2016/02/18 18:29:14 christos Exp $ */
/*
* Copyright (c) 1988, 1989, 1990 The Regents of the University of California.
@@ -70,14 +70,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: job.c,v 1.181 2015/10/11 04:51:24 sjg Exp $";
+static char rcsid[] = "$NetBSD: job.c,v 1.186 2016/02/18 18:29:14 christos Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)job.c 8.2 (Berkeley) 3/19/94";
#else
-__RCSID("$NetBSD: job.c,v 1.181 2015/10/11 04:51:24 sjg Exp $");
+__RCSID("$NetBSD: job.c,v 1.186 2016/02/18 18:29:14 christos Exp $");
#endif
#endif /* not lint */
#endif
@@ -144,7 +144,6 @@ __RCSID("$NetBSD: job.c,v 1.181 2015/10/11 04:51:24 sjg Exp $");
#include <assert.h>
#include <errno.h>
-#include <fcntl.h>
#if !defined(USE_SELECT) && defined(HAVE_POLL_H)
#include <poll.h>
#else
@@ -441,8 +440,8 @@ JobCreatePipe(Job *job, int minfd)
}
/* Set close-on-exec flag for both */
- (void)fcntl(job->jobPipe[0], F_SETFD, 1);
- (void)fcntl(job->jobPipe[1], F_SETFD, 1);
+ (void)fcntl(job->jobPipe[0], F_SETFD, FD_CLOEXEC);
+ (void)fcntl(job->jobPipe[1], F_SETFD, FD_CLOEXEC);
/*
* We mark the input side of the pipe non-blocking; we poll(2) the
@@ -731,7 +730,7 @@ JobPrintCommand(void *cmdp, void *jobp)
numCommands += 1;
- cmdStart = cmd = Var_Subst(NULL, cmd, job->node, FALSE, TRUE);
+ cmdStart = cmd = Var_Subst(NULL, cmd, job->node, VARF_WANTRES);
cmdTemplate = "%s\n";
@@ -882,8 +881,7 @@ JobPrintCommand(void *cmdp, void *jobp)
DBPRINTF(cmdTemplate, cmd);
free(cmdStart);
- if (escCmd)
- free(escCmd);
+ free(escCmd);
if (errOff) {
/*
* If echoing is already off, there's no point in issuing the
@@ -919,7 +917,7 @@ JobPrintCommand(void *cmdp, void *jobp)
static int
JobSaveCommand(void *cmd, void *gn)
{
- cmd = Var_Subst(NULL, (char *)cmd, (GNode *)gn, FALSE, TRUE);
+ cmd = Var_Subst(NULL, (char *)cmd, (GNode *)gn, VARF_WANTRES);
(void)Lst_AtEnd(postCommands->commands, cmd);
return(0);
}
@@ -1250,8 +1248,7 @@ Job_CheckCommands(GNode *gn, void (*abortProc)(const char *, ...))
*/
Make_HandleUse(DEFAULT, gn);
Var_Set(IMPSRC, Var_Value(TARGET, gn, &p1), gn, 0);
- if (p1)
- free(p1);
+ free(p1);
} else if (Dir_MTime(gn, 0) == 0 && (gn->type & OP_SPECIAL) == 0) {
/*
* The node wasn't the target of an operator we have no .DEFAULT
@@ -1615,7 +1612,7 @@ JobStart(GNode *gn, int flags)
if (job->cmdFILE == NULL) {
Punt("Could not fdopen %s", tfile);
}
- (void)fcntl(FILENO(job->cmdFILE), F_SETFD, 1);
+ (void)fcntl(FILENO(job->cmdFILE), F_SETFD, FD_CLOEXEC);
/*
* Send the commands to the command file, flush all its buffers then
* rewind and remove the thing.
@@ -2212,7 +2209,7 @@ Job_SetPrefix(void)
}
targPrefix = Var_Subst(NULL, "${" MAKE_JOB_PREFIX "}",
- VAR_GLOBAL, FALSE, TRUE);
+ VAR_GLOBAL, VARF_WANTRES);
}
/*-
@@ -2425,8 +2422,7 @@ Job_ParseShell(char *line)
line++;
}
- if (shellArgv)
- free(UNCONST(shellArgv));
+ free(UNCONST(shellArgv));
memset(&newShell, 0, sizeof(newShell));
@@ -2674,8 +2670,7 @@ void
Job_End(void)
{
#ifdef CLEANUP
- if (shellArgv)
- free(shellArgv);
+ free(shellArgv);
#endif
}
@@ -2880,8 +2875,8 @@ Job_ServerStart(int max_tokens, int jp_0, int jp_1)
/* Pipe passed in from parent */
tokenWaitJob.inPipe = jp_0;
tokenWaitJob.outPipe = jp_1;
- (void)fcntl(jp_0, F_SETFD, 1);
- (void)fcntl(jp_1, F_SETFD, 1);
+ (void)fcntl(jp_0, F_SETFD, FD_CLOEXEC);
+ (void)fcntl(jp_1, F_SETFD, FD_CLOEXEC);
return;
}
diff --git a/contrib/bmake/main.c b/contrib/bmake/main.c
index fcae4961543f..be6039e7dea8 100644
--- a/contrib/bmake/main.c
+++ b/contrib/bmake/main.c
@@ -1,4 +1,4 @@
-/* $NetBSD: main.c,v 1.235 2015/10/25 05:24:44 sjg Exp $ */
+/* $NetBSD: main.c,v 1.242 2016/03/07 21:45:43 christos Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1993
@@ -69,7 +69,7 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: main.c,v 1.235 2015/10/25 05:24:44 sjg Exp $";
+static char rcsid[] = "$NetBSD: main.c,v 1.242 2016/03/07 21:45:43 christos Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
@@ -81,7 +81,7 @@ __COPYRIGHT("@(#) Copyright (c) 1988, 1989, 1990, 1993\
#if 0
static char sccsid[] = "@(#)main.c 8.3 (Berkeley) 3/19/94";
#else
-__RCSID("$NetBSD: main.c,v 1.235 2015/10/25 05:24:44 sjg Exp $");
+__RCSID("$NetBSD: main.c,v 1.242 2016/03/07 21:45:43 christos Exp $");
#endif
#endif /* not lint */
#endif
@@ -125,7 +125,6 @@ __RCSID("$NetBSD: main.c,v 1.235 2015/10/25 05:24:44 sjg Exp $");
#include "wait.h"
#include <errno.h>
-#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
@@ -696,8 +695,7 @@ Main_ParseArgLine(const char *line)
#endif
buf = bmake_malloc(len = strlen(line) + strlen(argv0) + 2);
(void)snprintf(buf, len, "%s %s", argv0, line);
- if (p1)
- free(p1);
+ free(p1);
argv = brk_string(buf, &argc, TRUE, &args);
if (argv == NULL) {
@@ -723,7 +721,7 @@ Main_SetObjdir(const char *path)
/* expand variable substitutions */
if (strchr(path, '$') != 0) {
snprintf(buf, MAXPATHLEN, "%s", path);
- path = p = Var_Subst(NULL, buf, VAR_GLOBAL, FALSE, TRUE);
+ path = p = Var_Subst(NULL, buf, VAR_GLOBAL, VARF_WANTRES);
}
if (path[0] != '/') {
@@ -747,8 +745,7 @@ Main_SetObjdir(const char *path)
}
}
- if (p)
- free(p);
+ free(p);
return rc;
}
@@ -807,7 +804,7 @@ MakeMode(const char *mode)
if (!mode)
mode = mp = Var_Subst(NULL, "${" MAKE_MODE ":tl}",
- VAR_GLOBAL, FALSE, TRUE);
+ VAR_GLOBAL, VARF_WANTRES);
if (mode && *mode) {
if (strstr(mode, "compat")) {
@@ -819,8 +816,8 @@ MakeMode(const char *mode)
meta_mode_init(mode);
#endif
}
- if (mp)
- free(mp);
+
+ free(mp);
}
/*-
@@ -1253,7 +1250,7 @@ main(int argc, char **argv)
(char *)Lst_Datum(ln));
} else {
p1 = Var_Subst(NULL, "${" MAKEFILE_PREFERENCE "}",
- VAR_CMD, FALSE, TRUE);
+ VAR_CMD, VARF_WANTRES);
if (p1) {
(void)str2Lst_Append(makefiles, p1, NULL);
(void)Lst_Find(makefiles, NULL, ReadMakefile);
@@ -1264,7 +1261,7 @@ main(int argc, char **argv)
/* In particular suppress .depend for '-r -V .OBJDIR -f /dev/null' */
if (!noBuiltins || !printVars) {
makeDependfile = Var_Subst(NULL, "${.MAKE.DEPENDFILE:T}",
- VAR_CMD, FALSE, TRUE);
+ VAR_CMD, VARF_WANTRES);
doing_depend = TRUE;
(void)ReadMakefile(makeDependfile, NULL);
doing_depend = FALSE;
@@ -1276,8 +1273,7 @@ main(int argc, char **argv)
MakeMode(NULL);
Var_Append("MFLAGS", Var_Value(MAKEFLAGS, VAR_GLOBAL, &p1), VAR_GLOBAL);
- if (p1)
- free(p1);
+ free(p1);
if (!compatMake)
Job_ServerStart(maxJobTokens, jp_0, jp_1);
@@ -1302,7 +1298,7 @@ main(int argc, char **argv)
*/
static char VPATH[] = "${VPATH}";
- vpath = Var_Subst(NULL, VPATH, VAR_CMD, FALSE, TRUE);
+ vpath = Var_Subst(NULL, VPATH, VAR_CMD, VARF_WANTRES);
path = vpath;
do {
/* skip to end of directory */
@@ -1350,7 +1346,7 @@ main(int argc, char **argv)
if (strchr(var, '$')) {
value = p1 = Var_Subst(NULL, var, VAR_GLOBAL,
- FALSE, TRUE);
+ VARF_WANTRES);
} else if (expandVars) {
char tmp[128];
@@ -1358,13 +1354,12 @@ main(int argc, char **argv)
Fatal("%s: variable name too big: %s",
progname, var);
value = p1 = Var_Subst(NULL, tmp, VAR_GLOBAL,
- FALSE, TRUE);
+ VARF_WANTRES);
} else {
value = Var_Value(var, VAR_GLOBAL, &p1);
}
printf("%s\n", value ? value : "");
- if (p1)
- free(p1);
+ free(p1);
}
} else {
/*
@@ -1420,6 +1415,9 @@ main(int argc, char **argv)
if (enterFlag)
printf("%s: Leaving directory `%s'\n", progname, curdir);
+#ifdef USE_META
+ meta_finish();
+#endif
Suff_End();
Targ_End();
Arch_End();
@@ -1488,8 +1486,7 @@ ReadMakefile(const void *p, const void *q MAKE_ATTR_UNUSED)
name = Dir_FindFile(fname,
Lst_IsEmpty(sysIncPath) ? defIncPath : sysIncPath);
if (!name || (fd = open(name, O_RDONLY)) == -1) {
- if (name)
- free(name);
+ free(name);
free(path);
return(-1);
}
@@ -1896,7 +1893,7 @@ PrintOnError(GNode *gn, const char *s)
}
strncpy(tmp, "${MAKE_PRINT_VAR_ON_ERROR:@v@$v='${$v}'\n@}",
sizeof(tmp) - 1);
- cp = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE);
+ cp = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES);
if (cp) {
if (*cp)
printf("%s", cp);
@@ -1927,7 +1924,7 @@ Main_ExportMAKEFLAGS(Boolean first)
strncpy(tmp, "${.MAKEFLAGS} ${.MAKEOVERRIDES:O:u:@v@$v=${$v:Q}@}",
sizeof(tmp));
- s = Var_Subst(NULL, tmp, VAR_CMD, FALSE, TRUE);
+ s = Var_Subst(NULL, tmp, VAR_CMD, VARF_WANTRES);
if (s && *s) {
#ifdef POSIX
setenv("MAKEFLAGS", s, 1);
@@ -1950,7 +1947,7 @@ getTmpdir(void)
* Ensure it ends with /.
*/
tmpdir = Var_Subst(NULL, "${TMPDIR:tA:U" _PATH_TMP "}/", VAR_GLOBAL,
- FALSE, TRUE);
+ VARF_WANTRES);
if (stat(tmpdir, &st) < 0 || !S_ISDIR(st.st_mode)) {
free(tmpdir);
tmpdir = bmake_strdup(_PATH_TMP);
@@ -1990,6 +1987,44 @@ mkTempFile(const char *pattern, char **fnamep)
return fd;
}
+/*
+ * Convert a string representation of a boolean.
+ * Anything that looks like "No", "False", "Off", "0" etc,
+ * is FALSE, otherwise TRUE.
+ */
+Boolean
+s2Boolean(const char *s, Boolean bf)
+{
+ if (s) {
+ switch(*s) {
+ case '\0': /* not set - the default wins */
+ break;
+ case '0':
+ case 'F':
+ case 'f':
+ case 'N':
+ case 'n':
+ bf = FALSE;
+ break;
+ case 'O':
+ case 'o':
+ switch (s[1]) {
+ case 'F':
+ case 'f':
+ bf = FALSE;
+ break;
+ default:
+ bf = TRUE;
+ break;
+ }
+ break;
+ default:
+ bf = TRUE;
+ break;
+ }
+ }
+ return (bf);
+}
/*
* Return a Boolean based on setting of a knob.
@@ -2004,32 +2039,11 @@ getBoolean(const char *name, Boolean bf)
char tmp[64];
char *cp;
- if (snprintf(tmp, sizeof(tmp), "${%s:tl}", name) < (int)(sizeof(tmp))) {
- cp = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE);
+ if (snprintf(tmp, sizeof(tmp), "${%s:U:tl}", name) < (int)(sizeof(tmp))) {
+ cp = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES);
if (cp) {
- switch(*cp) {
- case '\0': /* not set - the default wins */
- break;
- case '0':
- case 'f':
- case 'n':
- bf = FALSE;
- break;
- case 'o':
- switch (cp[1]) {
- case 'f':
- bf = FALSE;
- break;
- default:
- bf = TRUE;
- break;
- }
- break;
- default:
- bf = TRUE;
- break;
- }
+ bf = s2Boolean(cp, bf);
free(cp);
}
}
diff --git a/contrib/bmake/make.1 b/contrib/bmake/make.1
index 38bba31b39df..ecece486e74f 100644
--- a/contrib/bmake/make.1
+++ b/contrib/bmake/make.1
@@ -1,4 +1,4 @@
-.\" $NetBSD: make.1,v 1.249 2015/06/05 07:33:40 wiz Exp $
+.\" $NetBSD: make.1,v 1.254 2016/02/20 01:43:28 wiz Exp $
.\"
.\" Copyright (c) 1990, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" from: @(#)make.1 8.4 (Berkeley) 3/19/94
.\"
-.Dd June 4, 2015
+.Dd February 19, 2016
.Dt MAKE 1
.Os
.Sh NAME
@@ -293,7 +293,7 @@ then
will search for the specified file or directory named in the remaining part
of the argument string.
The search starts with the current directory of
-the Makefile and then works upward towards the root of the filesystem.
+the Makefile and then works upward towards the root of the file system.
If the search is successful, then the resulting directory replaces the
.Qq \&.../
specification in the
@@ -879,7 +879,7 @@ This can be overridden by setting
.Va bf
to a value which represents True.
.It Pa env
-For debugging, it can be useful to inlcude the environment
+For debugging, it can be useful to include the environment
in the .meta file.
.It Pa verbose
If in "meta" mode, print a clue about the target being built.
@@ -929,7 +929,7 @@ The default value is:
This variable is used to record the names of variables assigned to
on the command line, so that they may be exported as part of
.Ql Ev MAKEFLAGS .
-This behaviour can be disabled by assigning an empty value to
+This behavior can be disabled by assigning an empty value to
.Ql Va .MAKEOVERRIDES
within a makefile.
Extra variables can be exported from a makefile
@@ -952,6 +952,19 @@ The process-id of
.It Va .MAKE.PPID
The parent process-id of
.Nm .
+.It Va .MAKE.SAVE_DOLLARS
+value should be a boolean that controls whether
+.Ql $$
+are preserved when doing
+.Ql :=
+assignments.
+The default is false, for backwards compatibility.
+Set to true for compatability with other makes.
+If set to false,
+.Ql $$
+becomes
+.Ql $
+per normal evaluation rules.
.It Va MAKE_PRINT_VAR_ON_ERROR
When
.Nm
@@ -1055,7 +1068,7 @@ sets
to the value of
.Ql Ev PWD
instead.
-This behaviour is disabled if
+This behavior is disabled if
.Ql Ev MAKEOBJDIRPREFIX
is set or
.Ql Ev MAKEOBJDIR
@@ -1125,7 +1138,7 @@ The wildcard characters may be escaped with a backslash
As a consequence of the way values are split into words, matched,
and then joined, a construct like
.Dl ${VAR:M*}
-will normalise the inter-word spacing, removing all leading and
+will normalize the inter-word spacing, removing all leading and
trailing space, and converting multiple consecutive spaces
to single spaces.
.
@@ -1145,7 +1158,7 @@ Randomize words in variable.
The results will be different each time you are referring to the
modified variable; use the assignment with expansion
.Pq Ql Cm \&:=
-to prevent such behaviour.
+to prevent such behavior.
For example,
.Bd -literal -offset indent
LIST= uno due tre quattro
@@ -1177,7 +1190,7 @@ The value is a format string for
using the current
.Xr gmtime 3 .
.It Cm \&:hash
-Compute a 32bit hash of the value and encode it as hex digits.
+Compute a 32-bit hash of the value and encode it as hex digits.
.It Cm \&:localtime
The value is a format string for
.Xr strftime 3 ,
@@ -1455,7 +1468,7 @@ value is divided into words.
.Pp
Ordinarily, a value is treated as a sequence of words
delimited by white space.
-Some modifiers suppress this behaviour,
+Some modifiers suppress this behavior,
causing a value to be treated as a single word
(possibly containing embedded white space).
An empty value, or a value that consists entirely of white-space,
@@ -1541,12 +1554,20 @@ For compatibility with other versions of
.Nm
.Ql include file ...
is also accepted.
+.Pp
If the include statement is written as
.Cm .-include
or as
.Cm .sinclude
then errors locating and/or opening include files are ignored.
.Pp
+If the include statement is written as
+.Cm .dinclude
+not only are errors locating and/or opening include files ignored,
+but stale dependencies within the included file will be ignored
+just like
+.Va .MAKE.DEPENDFILE .
+.Pp
Conditional expressions are also preceded by a single dot as the first
character of a line.
The possible conditionals are as follows:
@@ -1582,6 +1603,10 @@ This allows exporting a value to the environment which is different from that
used by
.Nm
internally.
+.It Ic .export-literal Ar variable ...
+The same as
+.Ql .export-env ,
+except that variables in the value are not expanded.
.It Ic .info Ar message
The message is printed along with the name of the makefile and line number.
.It Ic .undef Ar variable
@@ -2079,7 +2104,7 @@ The sources are a set of
pairs.
.Bl -tag -width hasErrCtls
.It Ar name
-This is the minimal specification, used to select one of the builtin
+This is the minimal specification, used to select one of the built-in
shell specs;
.Ar sh ,
.Ar ksh ,
diff --git a/contrib/bmake/make.c b/contrib/bmake/make.c
index b43bfd578cf0..5ea04fc0a8bc 100644
--- a/contrib/bmake/make.c
+++ b/contrib/bmake/make.c
@@ -1,4 +1,4 @@
-/* $NetBSD: make.c,v 1.92 2015/10/11 04:51:24 sjg Exp $ */
+/* $NetBSD: make.c,v 1.95 2016/02/18 18:29:14 christos Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1993
@@ -69,14 +69,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: make.c,v 1.92 2015/10/11 04:51:24 sjg Exp $";
+static char rcsid[] = "$NetBSD: make.c,v 1.95 2016/02/18 18:29:14 christos Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)make.c 8.1 (Berkeley) 6/6/93";
#else
-__RCSID("$NetBSD: make.c,v 1.92 2015/10/11 04:51:24 sjg Exp $");
+__RCSID("$NetBSD: make.c,v 1.95 2016/02/18 18:29:14 christos Exp $");
#endif
#endif /* not lint */
#endif
@@ -482,10 +482,9 @@ Make_HandleUse(GNode *cgn, GNode *pgn)
if (gn->uname == NULL) {
gn->uname = gn->name;
} else {
- if (gn->name)
- free(gn->name);
+ free(gn->name);
}
- gn->name = Var_Subst(NULL, gn->uname, pgn, FALSE, TRUE);
+ gn->name = Var_Subst(NULL, gn->uname, pgn, VARF_WANTRES);
if (gn->name && gn->uname && strcmp(gn->name, gn->uname) != 0) {
/* See if we have a target for this node. */
tgn = Targ_FindNode(gn->name, TARG_NOCREATE);
@@ -692,8 +691,7 @@ Make_Update(GNode *cgn)
checked++;
cname = Var_Value(TARGET, cgn, &p1);
- if (p1)
- free(p1);
+ free(p1);
if (DEBUG(MAKE))
fprintf(debug_file, "Make_Update: %s%s\n", cgn->name, cgn->cohort_num);
@@ -838,8 +836,7 @@ Make_Update(GNode *cgn)
Var_Set(PREFIX, cpref, pgn, 0);
}
}
- if (p1)
- free(p1);
+ free(p1);
Lst_Close(cgn->iParents);
}
}
@@ -907,8 +904,7 @@ MakeAddAllSrc(void *cgnp, void *pgnp)
}
if (allsrc != NULL)
Var_Append(ALLSRC, allsrc, pgn);
- if (p2)
- free(p2);
+ free(p2);
if (pgn->type & OP_JOIN) {
if (cgn->made == MADE) {
Var_Append(OODATE, child, pgn);
@@ -934,8 +930,7 @@ MakeAddAllSrc(void *cgnp, void *pgnp)
*/
Var_Append(OODATE, child, pgn);
}
- if (p1)
- free(p1);
+ free(p1);
}
return (0);
}
@@ -981,8 +976,7 @@ Make_DoAllVar(GNode *gn)
if (gn->type & OP_JOIN) {
char *p1;
Var_Set(TARGET, Var_Value(ALLSRC, gn, &p1), gn, 0);
- if (p1)
- free(p1);
+ free(p1);
}
gn->flags |= DONE_ALLSRC;
}
diff --git a/contrib/bmake/make.h b/contrib/bmake/make.h
index 7cf34d82e0a6..444850544206 100644
--- a/contrib/bmake/make.h
+++ b/contrib/bmake/make.h
@@ -1,4 +1,4 @@
-/* $NetBSD: make.h,v 1.96 2015/09/21 21:50:16 pooka Exp $ */
+/* $NetBSD: make.h,v 1.98 2016/02/18 18:29:14 christos Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1993
@@ -88,6 +88,7 @@
#include <sys/param.h>
#include <ctype.h>
+#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STRING_H
@@ -98,6 +99,10 @@
#include <unistd.h>
#include <sys/cdefs.h>
+#ifndef FD_CLOEXEC
+#define FD_CLOEXEC 1
+#endif
+
#if defined(__GNUC__)
#define MAKE_GNUC_PREREQ(x, y) \
((__GNUC__ == (x) && __GNUC_MINOR__ >= (y)) || \
@@ -501,6 +506,10 @@ Boolean Main_SetObjdir(const char *);
int mkTempFile(const char *, char **);
int str2Lst_Append(Lst, char *, const char *);
+#define VARF_UNDEFERR 1
+#define VARF_WANTRES 2
+#define VARF_ASSIGN 4
+
#ifdef __GNUC__
#define UNCONST(ptr) ({ \
union __unconst { \
diff --git a/contrib/bmake/meta.c b/contrib/bmake/meta.c
index a7a4b1962908..f4acbde937ee 100644
--- a/contrib/bmake/meta.c
+++ b/contrib/bmake/meta.c
@@ -1,4 +1,4 @@
-/* $NetBSD: meta.c,v 1.41 2015/11/30 23:37:56 sjg Exp $ */
+/* $NetBSD: meta.c,v 1.53 2016/03/07 21:45:43 christos Exp $ */
/*
* Implement 'meta' mode.
@@ -6,7 +6,7 @@
* --sjg
*/
/*
- * Copyright (c) 2009-2010, Juniper Networks, Inc.
+ * Copyright (c) 2009-2016, Juniper Networks, Inc.
* Portions Copyright (c) 2009, John Birrell.
*
* Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,6 @@
#endif
#include <sys/stat.h>
#include <sys/ioctl.h>
-#include <fcntl.h>
#ifdef HAVE_LIBGEN_H
#include <libgen.h>
#elif !defined(HAVE_DIRNAME)
@@ -60,7 +59,9 @@ char * dirname(char *);
static BuildMon Mybm; /* for compat */
static Lst metaBailiwick; /* our scope of control */
+static char *metaBailiwickStr; /* string storage for the list */
static Lst metaIgnorePaths; /* paths we deliberately ignore */
+static char *metaIgnorePathsStr; /* string storage for the list */
#ifndef MAKE_META_IGNORE_PATHS
#define MAKE_META_IGNORE_PATHS ".MAKE.META.IGNORE_PATHS"
@@ -148,8 +149,8 @@ filemon_open(BuildMon *pbm)
err(1, "Could not set filemon file descriptor!");
}
/* we don't need these once we exec */
- (void)fcntl(pbm->mon_fd, F_SETFD, 1);
- (void)fcntl(pbm->filemon_fd, F_SETFD, 1);
+ (void)fcntl(pbm->mon_fd, F_SETFD, FD_CLOEXEC);
+ (void)fcntl(pbm->filemon_fd, F_SETFD, FD_CLOEXEC);
}
/*
@@ -300,8 +301,7 @@ meta_name(struct GNode *gn, char *mname, size_t mnamelen,
}
free(tp);
for (i--; i >= 0; i--) {
- if (p[i])
- free(p[i]);
+ free(p[i]);
}
return (mname);
}
@@ -328,7 +328,7 @@ is_submake(void *cmdp, void *gnp)
}
cp = strchr(cmd, '$');
if ((cp)) {
- mp = Var_Subst(NULL, cmd, gn, FALSE, TRUE);
+ mp = Var_Subst(NULL, cmd, gn, VARF_WANTRES);
cmd = mp;
}
cp2 = strstr(cmd, p_make);
@@ -353,8 +353,7 @@ is_submake(void *cmdp, void *gnp)
}
}
}
- if (mp)
- free(mp);
+ free(mp);
return (rc);
}
@@ -371,11 +370,10 @@ printCMD(void *cmdp, void *mfpp)
char *cp = NULL;
if (strchr(cmd, '$')) {
- cmd = cp = Var_Subst(NULL, cmd, mfp->gn, FALSE, TRUE);
+ cmd = cp = Var_Subst(NULL, cmd, mfp->gn, VARF_WANTRES);
}
fprintf(mfp->fp, "CMD %s\n", cmd);
- if (cp)
- free(cp);
+ free(cp);
return 0;
}
@@ -466,7 +464,7 @@ meta_create(BuildMon *pbm, GNode *gn)
char *mp;
/* Describe the target we are building */
- mp = Var_Subst(NULL, "${" MAKE_META_PREFIX "}", gn, FALSE, TRUE);
+ mp = Var_Subst(NULL, "${" MAKE_META_PREFIX "}", gn, VARF_WANTRES);
if (*mp)
fprintf(stdout, "%s\n", mp);
free(mp);
@@ -480,9 +478,6 @@ meta_create(BuildMon *pbm, GNode *gn)
fflush(stdout);
- if (strcmp(cp, makeDependfile) == 0)
- goto out;
-
if (!writeMeta)
/* Don't create meta data. */
goto out;
@@ -524,8 +519,7 @@ meta_create(BuildMon *pbm, GNode *gn)
}
out:
for (i--; i >= 0; i--) {
- if (p[i])
- free(p[i]);
+ free(p[i]);
}
return (mf.fp);
@@ -609,10 +603,10 @@ meta_mode_init(const char *make_mode)
* We consider ourselves master of all within ${.MAKE.META.BAILIWICK}
*/
metaBailiwick = Lst_Init(FALSE);
- cp = Var_Subst(NULL, "${.MAKE.META.BAILIWICK:O:u:tA}", VAR_GLOBAL,
- FALSE, TRUE);
- if (cp) {
- str2Lst_Append(metaBailiwick, cp, NULL);
+ metaBailiwickStr = Var_Subst(NULL, "${.MAKE.META.BAILIWICK:O:u:tA}",
+ VAR_GLOBAL, VARF_WANTRES);
+ if (metaBailiwickStr) {
+ str2Lst_Append(metaBailiwick, metaBailiwickStr, NULL);
}
/*
* We ignore any paths that start with ${.MAKE.META.IGNORE_PATHS}
@@ -620,11 +614,11 @@ meta_mode_init(const char *make_mode)
metaIgnorePaths = Lst_Init(FALSE);
Var_Append(MAKE_META_IGNORE_PATHS,
"/dev /etc /proc /tmp /var/run /var/tmp ${TMPDIR}", VAR_GLOBAL);
- cp = Var_Subst(NULL,
+ metaIgnorePathsStr = Var_Subst(NULL,
"${" MAKE_META_IGNORE_PATHS ":O:u:tA}", VAR_GLOBAL,
- FALSE, TRUE);
- if (cp) {
- str2Lst_Append(metaIgnorePaths, cp, NULL);
+ VARF_WANTRES);
+ if (metaIgnorePathsStr) {
+ str2Lst_Append(metaIgnorePaths, metaIgnorePathsStr, NULL);
}
}
@@ -693,9 +687,9 @@ meta_job_error(Job *job, GNode *gn, int flags, int status)
if (job != NULL) {
pbm = &job->bm;
- } else {
if (!gn)
gn = job->node;
+ } else {
pbm = &Mybm;
}
if (pbm->mfp != NULL) {
@@ -709,7 +703,7 @@ meta_job_error(Job *job, GNode *gn, int flags, int status)
}
getcwd(cwd, sizeof(cwd));
Var_Set(".ERROR_CWD", cwd, VAR_GLOBAL, 0);
- if (pbm && pbm->meta_fname[0]) {
+ if (pbm->meta_fname[0]) {
Var_Set(".ERROR_META_FILE", pbm->meta_fname, VAR_GLOBAL, 0);
}
meta_job_finish(job);
@@ -734,7 +728,7 @@ meta_job_output(Job *job, char *cp, const char *nl)
char *cp2;
meta_prefix = Var_Subst(NULL, "${" MAKE_META_PREFIX "}",
- VAR_GLOBAL, FALSE, TRUE);
+ VAR_GLOBAL, VARF_WANTRES);
if ((cp2 = strchr(meta_prefix, '$')))
meta_prefix_len = cp2 - meta_prefix;
else
@@ -785,6 +779,15 @@ meta_job_finish(Job *job)
}
}
+void
+meta_finish(void)
+{
+ Lst_Destroy(metaBailiwick, NULL);
+ free(metaBailiwickStr);
+ Lst_Destroy(metaIgnorePaths, NULL);
+ free(metaIgnorePathsStr);
+}
+
/*
* Fetch a full line from fp - growing bufp if needed
* Return length in bufp.
@@ -1035,14 +1038,12 @@ meta_oodate(GNode *gn, Boolean oodate)
ldir = Var_Value(ldir_vname, VAR_GLOBAL, &tp);
if (ldir) {
strlcpy(latestdir, ldir, sizeof(latestdir));
- if (tp)
- free(tp);
+ free(tp);
}
ldir = Var_Value(lcwd_vname, VAR_GLOBAL, &tp);
if (ldir) {
strlcpy(lcwd, ldir, sizeof(lcwd));
- if (tp)
- free(tp);
+ free(tp);
}
}
/* Skip past the pid. */
@@ -1320,7 +1321,7 @@ meta_oodate(GNode *gn, Boolean oodate)
if (DEBUG(META))
fprintf(debug_file, "%s: %d: cannot compare command using .OODATE\n", fname, lineno);
}
- cmd = Var_Subst(NULL, cmd, gn, TRUE, TRUE);
+ cmd = Var_Subst(NULL, cmd, gn, VARF_WANTRES|VARF_UNDEFERR);
if ((cp = strchr(cmd, '\n'))) {
int n;
@@ -1382,7 +1383,6 @@ meta_oodate(GNode *gn, Boolean oodate)
fprintf(debug_file, "%s: missing files: %s...\n",
fname, (char *)Lst_Datum(Lst_First(missingFiles)));
oodate = TRUE;
- Lst_Destroy(missingFiles, (FreeProc *)free);
}
} else {
if ((gn->type & OP_META)) {
@@ -1391,6 +1391,9 @@ meta_oodate(GNode *gn, Boolean oodate)
oodate = TRUE;
}
}
+
+ Lst_Destroy(missingFiles, (FreeProc *)free);
+
if (oodate && needOODATE) {
/*
* Target uses .OODATE which is empty; or we wouldn't be here.
@@ -1399,8 +1402,7 @@ meta_oodate(GNode *gn, Boolean oodate)
*/
Var_Delete(OODATE, gn);
Var_Set(OODATE, Var_Value(ALLSRC, gn, &cp), gn, 0);
- if (cp)
- free(cp);
+ free(cp);
}
return oodate;
}
@@ -1427,8 +1429,8 @@ meta_compat_start(void)
if (pipe(childPipe) < 0)
Punt("Cannot create pipe: %s", strerror(errno));
/* Set close-on-exec flag for both */
- (void)fcntl(childPipe[0], F_SETFD, 1);
- (void)fcntl(childPipe[1], F_SETFD, 1);
+ (void)fcntl(childPipe[0], F_SETFD, FD_CLOEXEC);
+ (void)fcntl(childPipe[1], F_SETFD, FD_CLOEXEC);
}
void
diff --git a/contrib/bmake/meta.h b/contrib/bmake/meta.h
index 57c73ca9b5f1..e9f5ed362969 100644
--- a/contrib/bmake/meta.h
+++ b/contrib/bmake/meta.h
@@ -1,4 +1,4 @@
-/* $NetBSD: meta.h,v 1.3 2013/03/23 05:31:29 sjg Exp $ */
+/* $NetBSD: meta.h,v 1.4 2016/03/07 21:45:43 christos Exp $ */
/*
* Things needed for 'meta' mode.
@@ -42,6 +42,7 @@ extern Boolean useMeta;
struct Job; /* not defined yet */
void meta_init(void);
+void meta_finish(void);
void meta_mode_init(const char *);
void meta_job_start(struct Job *, GNode *);
void meta_job_child(struct Job *);
diff --git a/contrib/bmake/mk/ChangeLog b/contrib/bmake/mk/ChangeLog
index 3c728c8fa7c4..f84b5c5040e9 100644
--- a/contrib/bmake/mk/ChangeLog
+++ b/contrib/bmake/mk/ChangeLog
@@ -1,3 +1,42 @@
+2016-03-02 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * meta2deps.sh: don't ignore subdirs.
+ patch from Bryan Drewery
+
+2016-02-26 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * install-mk (MK_VERSION): 20160226
+
+ * gendirdeps.mk: mark _DEPENDFILE .NOMETA
+
+2016-02-20 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * dirdeps.mk: we shouldn't normally include .depend but if we do
+ use .dinclude if we can.
+
+2016-02-18 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * install-mk (MK_VERSION): 20160218
+ * sys.clean-env.mk: with recent change to Var_Subst()
+ we cannot use the '$$' trick, but .export-literal does the job
+ we need.
+ * auto.dep.mk: make use .dinclude if we can.
+
+
+2016-02-05 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * dirdeps.mk:
+ Add _build_all_dirs such that local.dirdeps.mk can
+ add fully qualified dirs to it.
+ These will be built normally but the current
+ DEP_RELDIR will not depend on then (to avoid cycles).
+ This makes it easy to hook things like unit-tests into build.
+
+
+2016-01-21 Simon J. Gerraty <sjg@bad.crufty.net>
+
+ * dirdeps.mk: add bootstrap-empty
+
2015-12-12 Simon J. Gerraty <sjg@bad.crufty.net>
* install-mk (MK_VERSION): 20151212
diff --git a/contrib/bmake/mk/auto.dep.mk b/contrib/bmake/mk/auto.dep.mk
index 33137248d450..6bc53e528ac1 100644
--- a/contrib/bmake/mk/auto.dep.mk
+++ b/contrib/bmake/mk/auto.dep.mk
@@ -1,6 +1,6 @@
#
# RCSid:
-# $Id: auto.dep.mk,v 1.3 2014/08/04 05:19:10 sjg Exp $
+# $Id: auto.dep.mk,v 1.4 2016/02/18 21:16:39 sjg Exp $
#
# @(#) Copyright (c) 2010, Simon J. Gerraty
#
@@ -45,6 +45,7 @@ CXXFLAGS += ${CFLAGS_MD} ${CFLAGS_MF}
CLEANFILES += .depend ${.MAKE.DEPENDFILE} *.d
+.if ${MAKE_VERSION} < 20160218
# skip generating dependfile for misc targets
.if ${.TARGETS:Uall:M*all} != ""
.END: ${.MAKE.DEPENDFILE}
@@ -60,5 +61,14 @@ ${.MAKE.DEPENDFILE}: ${OBJS} ${POBJS} ${SOBJS}
-@for f in ${.ALLSRC:M*o:T:O:u:%=%.d}; do \
echo ".-include \"$$f\""; \
done > $@
+.else
+# we have .dinclude
+.if empty(_SKIP_BUILD)
+_all_objs = ${OBJS} ${POBJS} ${SOBJS}
+.for d in ${_all_objs:M*o:T:O:u:%=%.d}
+.dinclude "$d"
+.endfor
+.endif
.endif
+.endif
diff --git a/contrib/bmake/mk/dirdeps.mk b/contrib/bmake/mk/dirdeps.mk
index 823115d7a8ce..ec37e35dfa54 100644
--- a/contrib/bmake/mk/dirdeps.mk
+++ b/contrib/bmake/mk/dirdeps.mk
@@ -1,4 +1,4 @@
-# $Id: dirdeps.mk,v 1.55 2015/10/20 22:04:53 sjg Exp $
+# $Id: dirdeps.mk,v 1.59 2016/02/26 23:32:29 sjg Exp $
# Copyright (c) 2010-2013, Juniper Networks, Inc.
# All rights reserved.
@@ -121,6 +121,9 @@ _DIRDEP_USE_LEVEL?= 0
# and non-specific Makefile.depend*
.if !target(_DIRDEP_USE)
+# make sure we get the behavior we expect
+.MAKE.SAVE_DOLLARS = no
+
# do some setup we only need once
_CURDIR ?= ${.CURDIR}
_OBJDIR ?= ${.OBJDIR}
@@ -256,11 +259,8 @@ DEP_RELDIR := ${DIRDEPS:R:[1]}
MK_DIRDEPS_CACHE = no
.endif
-
-# pickup customizations
-# as below you can use !target(_DIRDEP_USE) to protect things
-# which should only be done once.
-.-include "local.dirdeps.mk"
+# reset each time through
+_build_all_dirs =
# the first time we are included the _DIRDEP_USE target will not be defined
# we can use this as a clue to do initialization and other one time things.
@@ -280,6 +280,14 @@ DEBUG_DIRDEPS ?= no
# remember the initial value of DEP_RELDIR - we test for it below.
_DEP_RELDIR := ${DEP_RELDIR}
+.endif
+
+# pickup customizations
+# as below you can use !target(_DIRDEP_USE) to protect things
+# which should only be done once.
+.-include "local.dirdeps.mk"
+
+.if !target(_DIRDEP_USE)
# things we skip for host tools
SKIP_HOSTDIR ?=
@@ -399,6 +407,7 @@ ${DIRDEPS_CACHE}: .META .NOMETA_CMP
MAKEFLAGS= ${.MAKE} -C ${_CURDIR} -f ${BUILD_DIRDEPS_MAKEFILE} \
${BUILD_DIRDEPS_TARGETS} BUILD_DIRDEPS_CACHE=yes \
.MAKE.DEPENDFILE=.none \
+ ${.MAKEFLAGS:tW:S,-D ,-D,g:tw:M*WITH*} \
3>&1 1>&2 | sed 's,${SRCTOP},$${SRCTOP},g' >> ${.TARGET}.new && \
mv ${.TARGET}.new ${.TARGET}
@@ -479,7 +488,11 @@ _build_dirs += ${_machines:@m@${_CURDIR}.$m@}
_build_dirs += ${_machines:N${DEP_TARGET_SPEC}:@m@${_CURDIR}.$m@}
.if ${DEP_TARGET_SPEC} == ${TARGET_SPEC}
# pickup local dependencies now
+.if ${MAKE_VERSION} < 20160220
.-include <.depend>
+.else
+.dinclude <.depend>
+.endif
.endif
.endif
.endif
@@ -531,22 +544,25 @@ _build_dirs += \
# qualify everything now
_build_dirs := ${_build_dirs:${M_dep_qual_fixes:ts:}:O:u}
+_build_all_dirs += ${_build_dirs}
+_build_all_dirs := ${_build_all_dirs:O:u}
+
.endif # empty DIRDEPS
# Normally if doing make -V something,
# we do not want to waste time chasing DIRDEPS
# but if we want to count the number of Makefile.depend* read, we do.
.if ${.MAKEFLAGS:M-V${_V_READ_DIRDEPS}} == ""
-.if !empty(_build_dirs)
+.if !empty(_build_all_dirs)
.if ${BUILD_DIRDEPS_CACHE} == "yes"
x!= { echo; echo '\# ${DEP_RELDIR}.${DEP_TARGET_SPEC}'; \
- echo 'dirdeps: ${_build_dirs:${M_oneperline}}'; echo; } >&3; echo
-x!= { ${_build_dirs:@x@${target($x):?:echo '$x: _DIRDEP_USE';}@} echo; } >&3; echo
+ echo 'dirdeps: ${_build_all_dirs:${M_oneperline}}'; echo; } >&3; echo
+x!= { ${_build_all_dirs:@x@${target($x):?:echo '$x: _DIRDEP_USE';}@} echo; } >&3; echo
.else
# this makes it all happen
-dirdeps: ${_build_dirs}
+dirdeps: ${_build_all_dirs}
.endif
-${_build_dirs}: _DIRDEP_USE
+${_build_all_dirs}: _DIRDEP_USE
.if ${_debug_reldir}
.info ${DEP_RELDIR}.${DEP_TARGET_SPEC}: needs: ${_build_dirs}
@@ -580,14 +596,14 @@ ${_this_dir}.$m: ${_build_dirs:M*.$m:N${_this_dir}.$m}
.endif
# Now find more dependencies - and recurse.
-.for d in ${_build_dirs}
+.for d in ${_build_all_dirs}
.if ${_DIRDEP_CHECKED:M$d} == ""
# once only
_DIRDEP_CHECKED += $d
.if ${_debug_search}
.info checking $d
.endif
-# Note: _build_dirs is fully qualifed so d:R is always the directory
+# Note: _build_all_dirs is fully qualifed so d:R is always the directory
.if exists(${d:R})
# Warning: there is an assumption here that MACHINE is always
# the first entry in TARGET_SPEC_VARS.
@@ -627,28 +643,37 @@ DIRDEPS =
DEP_RELDIR := ${RELDIR}
_DEP_RELDIR := ${RELDIR}
# pickup local dependencies
+.if ${MAKE_VERSION} < 20160220
.-include <.depend>
+.else
+.dinclude <.depend>
+.endif
.endif
# bootstrapping new dependencies made easy?
-.if (make(bootstrap) || make(bootstrap-recurse)) && !target(bootstrap)
+.if !target(bootstrap) && (make(bootstrap) || \
+ make(bootstrap-this) || \
+ make(bootstrap-recurse) || \
+ make(bootstrap-empty))
.if exists(${.CURDIR}/${.MAKE.DEPENDFILE:T})
# stop here
${.TARGETS:Mboot*}:
-.else
+.elif !make(bootstrap-empty)
# find a Makefile.depend to use as _src
_src != cd ${.CURDIR} && for m in ${.MAKE.DEPENDFILE_PREFERENCE:T:S,${MACHINE},*,}; do test -s $$m || continue; echo $$m; break; done; echo
.if empty(_src)
-.error cannot find any of ${.MAKE.DEPENDFILE_PREFERENCE:T}
+.error cannot find any of ${.MAKE.DEPENDFILE_PREFERENCE:T}${.newline}Use: bootstrap-empty
.endif
_src?= ${.MAKE.DEPENDFILE:T}
+# just create Makefile.depend* for this dir
bootstrap-this: .NOTMAIN
@echo Bootstrapping ${RELDIR}/${.MAKE.DEPENDFILE:T} from ${_src:T}
(cd ${.CURDIR} && sed 's,${_src:E},${MACHINE},g' ${_src} > ${.MAKE.DEPENDFILE:T})
+# create Makefile.depend* for this dir and its dependencies
bootstrap: bootstrap-recurse
bootstrap-recurse: bootstrap-this
@@ -663,4 +688,11 @@ bootstrap-recurse: .NOTMAIN .MAKE
done
.endif
+
+# create an empty Makefile.depend* to get the ball rolling.
+bootstrap-empty: .NOTMAIN .NOMETA
+ @echo Creating empty ${RELDIR}/${.MAKE.DEPENDFILE:T}; \
+ echo You need to build ${RELDIR} to correctly populate it.
+ @{ echo DIRDEPS=; echo ".include <dirdeps.mk>"; } > ${.CURDIR}/${.MAKE.DEPENDFILE:T}
+
.endif
diff --git a/contrib/bmake/mk/gendirdeps.mk b/contrib/bmake/mk/gendirdeps.mk
index 2497f853c3b6..8b803385c54b 100644
--- a/contrib/bmake/mk/gendirdeps.mk
+++ b/contrib/bmake/mk/gendirdeps.mk
@@ -1,4 +1,4 @@
-# $Id: gendirdeps.mk,v 1.29 2015/10/03 05:00:46 sjg Exp $
+# $Id: gendirdeps.mk,v 1.30 2016/02/27 00:20:39 sjg Exp $
# Copyright (c) 2010-2013, Juniper Networks, Inc.
# All rights reserved.
@@ -309,7 +309,7 @@ CAT_DEPEND ?= .depend
# .depend may contain things we don't want.
# The sed command at the end of the stream, allows for the filters
# to output _{VAR} tokens which we will turn into proper ${VAR} references.
-${_DEPENDFILE}: ${CAT_DEPEND:M.depend} ${META_FILES:O:u:@m@${exists($m):?$m:}@} ${_this} ${META2DEPS}
+${_DEPENDFILE}: .NOMETA ${CAT_DEPEND:M.depend} ${META_FILES:O:u:@m@${exists($m):?$m:}@} ${_this} ${META2DEPS}
@(${GENDIRDEPS_HEADER} echo '# Autogenerated - do NOT edit!'; echo; \
echo 'DIRDEPS = \'; \
echo '${DIRDEPS:@d@ $d \\${.newline}@}'; echo; \
@@ -329,7 +329,7 @@ DIRDEPS := ${SUBDIR:S,^,${RELDIR}/,:O:u}
all: ${_DEPENDFILE}
-${_DEPENDFILE}: ${MAKEFILE} ${_this}
+${_DEPENDFILE}: .NOMETA ${MAKEFILE} ${_this}
@(${GENDIRDEPS_HEADER} echo '# Autogenerated - do NOT edit!'; echo; \
echo 'DIRDEPS = \'; \
echo '${DIRDEPS:@d@ $d \\${.newline}@}'; echo; \
diff --git a/contrib/bmake/mk/install-mk b/contrib/bmake/mk/install-mk
index 0c3db00ba9db..64b238fd8356 100644
--- a/contrib/bmake/mk/install-mk
+++ b/contrib/bmake/mk/install-mk
@@ -55,7 +55,7 @@
# Simon J. Gerraty <sjg@crufty.net>
# RCSid:
-# $Id: install-mk,v 1.118 2015/12/16 01:57:06 sjg Exp $
+# $Id: install-mk,v 1.121 2016/02/27 00:23:02 sjg Exp $
#
# @(#) Copyright (c) 1994 Simon J. Gerraty
#
@@ -70,7 +70,7 @@
# sjg@crufty.net
#
-MK_VERSION=20151212
+MK_VERSION=20160226
OWNER=
GROUP=
MODE=444
diff --git a/contrib/bmake/mk/meta.autodep.mk b/contrib/bmake/mk/meta.autodep.mk
index c9fdb0ef2221..5f705647efe1 100644
--- a/contrib/bmake/mk/meta.autodep.mk
+++ b/contrib/bmake/mk/meta.autodep.mk
@@ -1,4 +1,4 @@
-# $Id: meta.autodep.mk,v 1.39 2015/12/07 04:35:32 sjg Exp $
+# $Id: meta.autodep.mk,v 1.40 2016/02/22 22:44:58 sjg Exp $
#
# @(#) Copyright (c) 2010, Simon J. Gerraty
@@ -86,7 +86,7 @@ WANT_UPDATE_DEPENDFILE ?= yes
.endif
.if ${WANT_UPDATE_DEPENDFILE:Uno:tl} != "no"
-.if ${.MAKE.MODE:Mmeta*} == "" || ${.MAKE.MODE:M*read*} != ""
+.if ${.MAKE.MODE:Uno:Mmeta*} == "" || ${.MAKE.MODE:Uno:M*read*} != ""
UPDATE_DEPENDFILE = no
.endif
diff --git a/contrib/bmake/mk/meta.stage.mk b/contrib/bmake/mk/meta.stage.mk
index b77b27a9fea1..0355d66af041 100644
--- a/contrib/bmake/mk/meta.stage.mk
+++ b/contrib/bmake/mk/meta.stage.mk
@@ -1,4 +1,4 @@
-# $Id: meta.stage.mk,v 1.41 2015/11/13 17:34:04 sjg Exp $
+# $Id: meta.stage.mk,v 1.43 2016/02/24 18:46:32 sjg Exp $
#
# @(#) Copyright (c) 2011, Simon J. Gerraty
#
@@ -26,7 +26,7 @@ _dirdep = ${RELDIR}
CLEANFILES+= .dirdep
# this allows us to trace dependencies back to their src dir
-.dirdep:
+.dirdep: .NOPATH
@echo '${_dirdep}' > $@
.if defined(NO_POSIX_SHELL) || ${type printf:L:sh:Mbuiltin} == ""
@@ -241,7 +241,7 @@ CLEANFILES += ${STAGE_TARGETS} stage_incs stage_includes
# for non-jobs mode the order here matters
staging: ${STAGE_TARGETS:N*_links} ${STAGE_TARGETS:M*_links}
-.if ${.MAKE.JOBS:U0} > 0 && ${STAGE_TARGETS:M*_links} != ""
+.if ${.MAKE.JOBS:U0} > 0 && ${STAGE_TARGETS:U:M*_links} != ""
# the above isn't sufficient
.for t in ${STAGE_TARGETS:N*links:O:u}
.ORDER: $t stage_links
diff --git a/contrib/bmake/mk/meta.sys.mk b/contrib/bmake/mk/meta.sys.mk
index 8e55878b628b..764f2d1570ef 100644
--- a/contrib/bmake/mk/meta.sys.mk
+++ b/contrib/bmake/mk/meta.sys.mk
@@ -1,4 +1,4 @@
-# $Id: meta.sys.mk,v 1.26 2015/11/14 21:16:13 sjg Exp $
+# $Id: meta.sys.mk,v 1.27 2016/02/22 22:44:58 sjg Exp $
#
# @(#) Copyright (c) 2010, Simon J. Gerraty
@@ -102,7 +102,7 @@ META_COOKIE_TOUCH=
# some targets need to be .PHONY in non-meta mode
META_NOPHONY= .PHONY
# Are we, after all, in meta mode?
-.if ${.MAKE.MODE:Mmeta*} != ""
+.if ${.MAKE.MODE:Uno:Mmeta*} != ""
MKDEP_MK = meta.autodep.mk
.if ${.MAKE.MAKEFILES:M*sys.dependfile.mk} == ""
diff --git a/contrib/bmake/mk/meta2deps.sh b/contrib/bmake/mk/meta2deps.sh
index 0c934afd1c5f..a9ea0752f389 100755
--- a/contrib/bmake/mk/meta2deps.sh
+++ b/contrib/bmake/mk/meta2deps.sh
@@ -77,7 +77,7 @@
# RCSid:
-# $Id: meta2deps.sh,v 1.9 2015/04/03 18:23:25 sjg Exp $
+# $Id: meta2deps.sh,v 1.10 2016/03/02 18:53:36 sjg Exp $
# Copyright (c) 2010-2013, Juniper Networks, Inc.
# All rights reserved.
@@ -309,7 +309,7 @@ meta2deps() {
*) seen=$dir;;
esac
case "$dir" in
- ${CURDIR:-.}|${CURDIR:-.}/*|"") continue;;
+ ${CURDIR:-.}|"") continue;;
$src_re)
# avoid repeating ourselves...
case "$DPDEPS,$seensrc," in
diff --git a/contrib/bmake/mk/sys.clean-env.mk b/contrib/bmake/mk/sys.clean-env.mk
index b1867c3804bc..396599bd7832 100644
--- a/contrib/bmake/mk/sys.clean-env.mk
+++ b/contrib/bmake/mk/sys.clean-env.mk
@@ -1,4 +1,4 @@
-# $Id: sys.clean-env.mk,v 1.20 2012/11/12 06:56:04 sjg Exp $
+# $Id: sys.clean-env.mk,v 1.21 2016/02/18 21:16:40 sjg Exp $
#
# @(#) Copyright (c) 2009, Simon J. Gerraty
#
@@ -94,6 +94,7 @@ _tricky_env_vars = MAKEOBJDIR OBJTOP
# MAKEOBJDIR='${.CURDIR:S,${SRCTOP},${OBJTOP},}'
_srctop := ${SRCTOP:U${SB_SRC:U${SB}/src}}
_objroot := ${OBJROOT:U${SB_OBJROOT:U${SB}/${SB_OBJPREFIX}}}
+.if ${MAKE_VERSION} < 20160218
_objtop := ${OBJTOP:U${_objroot}${MACHINE}}
# Take care of ${MACHINE}
.if ${MACHINE} == "host" || ${OBJTOP} == ${HOST_OBJTOP:Uno}
@@ -113,7 +114,17 @@ MAKEOBJDIR = $${.CURDIR:S,${_srctop},$${OBJTOP},}
.for v in ${_tricky_env_vars}
$v := ${$v}
.endfor
+.else
+# we cannot use the '$$' trick, anymore
+# but we can export a literal (unexpanded) value
+SRCTOP := ${_srctop}
+OBJROOT := ${_objroot}
+OBJTOP = ${OBJROOT}${MACHINE}
+MAKEOBJDIR = ${.CURDIR:S,${SRCTOP},${OBJTOP},}
+.export-literal SRCTOP OBJROOT ${_tricky_env_vars}
+.endif
#.info ${_tricky_env_vars:@v@${.newline}$v=${$v}@}
-
+#showenv:
+# @env | egrep 'OBJ|SRC'
.endif # MAKEOBJDIR
.endif # level 0
diff --git a/contrib/bmake/mk/sys.dependfile.mk b/contrib/bmake/mk/sys.dependfile.mk
index e915082e778c..b4d79f7e11e8 100644
--- a/contrib/bmake/mk/sys.dependfile.mk
+++ b/contrib/bmake/mk/sys.dependfile.mk
@@ -1,4 +1,4 @@
-# $Id: sys.dependfile.mk,v 1.6 2014/08/02 18:02:06 sjg Exp $
+# $Id: sys.dependfile.mk,v 1.7 2016/02/20 01:57:39 sjg Exp $
#
# @(#) Copyright (c) 2012, Simon J. Gerraty
#
@@ -49,7 +49,9 @@ _e := ${.MAKE.DEPENDFILE_PREFERENCE:@m@${exists($m):?$m:}@}
# If any already exist, we should follow suit.
_aml = ${ALL_MACHINE_LIST:Uarm amd64 i386 powerpc:N${MACHINE}} ${MACHINE}
# MACHINE must be the last entry in _aml ;-)
+_m := ${MACHINE}
_e := ${_aml:@MACHINE@${.MAKE.DEPENDFILE_PREFERENCE:@m@${exists($m):?$m:}@}@}
+MACHINE := ${_m}
.if !empty(_e)
.MAKE.DEPENDFILE ?= ${.MAKE.DEPENDFILE_PREFERENCE:M*${MACHINE}:[1]}
.endif
diff --git a/contrib/bmake/mk/warnings.mk b/contrib/bmake/mk/warnings.mk
index bacbefb2b837..dc230bc83280 100644
--- a/contrib/bmake/mk/warnings.mk
+++ b/contrib/bmake/mk/warnings.mk
@@ -1,5 +1,5 @@
# RCSid:
-# $Id: warnings.mk,v 1.8 2014/04/02 19:20:23 sjg Exp $
+# $Id: warnings.mk,v 1.9 2016/02/20 02:00:58 sjg Exp $
#
# @(#) Copyright (c) 2002, Simon J. Gerraty
#
@@ -15,6 +15,8 @@
#
.ifndef _w_cflags
+# make sure we get the behavior we expect
+.MAKE.SAVE_DOLLARS = no
# Any number of warnings sets can be added.
.-include "warnings-sets.mk"
diff --git a/contrib/bmake/nonints.h b/contrib/bmake/nonints.h
index 2332858c25cc..5a5c613566f7 100644
--- a/contrib/bmake/nonints.h
+++ b/contrib/bmake/nonints.h
@@ -1,4 +1,4 @@
-/* $NetBSD: nonints.h,v 1.69 2015/10/11 04:51:24 sjg Exp $ */
+/* $NetBSD: nonints.h,v 1.72 2016/02/18 20:25:08 sjg Exp $ */
/*-
* Copyright (c) 1988, 1989, 1990, 1993
@@ -120,6 +120,7 @@ void Finish(int) MAKE_ATTR_DEAD;
int eunlink(const char *);
void execError(const char *, const char *);
char *getTmpdir(void);
+Boolean s2Boolean(const char *, Boolean);
Boolean getBoolean(const char *, Boolean);
/* parse.c */
@@ -184,8 +185,8 @@ void Var_Set(const char *, const char *, GNode *, int);
void Var_Append(const char *, const char *, GNode *);
Boolean Var_Exists(const char *, GNode *);
char *Var_Value(const char *, GNode *, char **);
-char *Var_Parse(const char *, GNode *, Boolean, Boolean, int *, void **);
-char *Var_Subst(const char *, const char *, GNode *, Boolean, Boolean);
+char *Var_Parse(const char *, GNode *, int, int *, void **);
+char *Var_Subst(const char *, const char *, GNode *, int);
char *Var_GetTail(const char *);
char *Var_GetHead(const char *);
void Var_Init(void);
diff --git a/contrib/bmake/parse.c b/contrib/bmake/parse.c
index 7f3afbde7bf0..2a22c0b60695 100644
--- a/contrib/bmake/parse.c
+++ b/contrib/bmake/parse.c
@@ -1,4 +1,4 @@
-/* $NetBSD: parse.c,v 1.206 2015/11/26 00:23:04 sjg Exp $ */
+/* $NetBSD: parse.c,v 1.212 2016/02/19 06:19:06 sjg Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1993
@@ -69,14 +69,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: parse.c,v 1.206 2015/11/26 00:23:04 sjg Exp $";
+static char rcsid[] = "$NetBSD: parse.c,v 1.212 2016/02/19 06:19:06 sjg Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)parse.c 8.3 (Berkeley) 3/19/94";
#else
-__RCSID("$NetBSD: parse.c,v 1.206 2015/11/26 00:23:04 sjg Exp $");
+__RCSID("$NetBSD: parse.c,v 1.212 2016/02/19 06:19:06 sjg Exp $");
#endif
#endif /* not lint */
#endif
@@ -128,7 +128,6 @@ __RCSID("$NetBSD: parse.c,v 1.206 2015/11/26 00:23:04 sjg Exp $");
#include <assert.h>
#include <ctype.h>
#include <errno.h>
-#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
@@ -161,6 +160,7 @@ typedef struct IFile {
int lineno; /* current line number in file */
int first_lineno; /* line number of start of text */
int cond_depth; /* 'if' nesting when file opened */
+ Boolean depending; /* state of doing_depend on EOF */
char *P_str; /* point to base of string buffer */
char *P_ptr; /* point to next char of string buffer */
char *P_end; /* point to the end of string buffer */
@@ -816,7 +816,7 @@ ParseMessage(char *line)
while (isspace((u_char)*line))
line++;
- line = Var_Subst(NULL, line, VAR_CMD, FALSE, TRUE);
+ line = Var_Subst(NULL, line, VAR_CMD, VARF_WANTRES);
Parse_Error(mtype, "%s", line);
free(line);
@@ -1233,9 +1233,9 @@ ParseDoDependency(char *line)
int length;
void *freeIt;
- (void)Var_Parse(cp, VAR_CMD, TRUE, TRUE, &length, &freeIt);
- if (freeIt)
- free(freeIt);
+ (void)Var_Parse(cp, VAR_CMD, VARF_UNDEFERR|VARF_WANTRES,
+ &length, &freeIt);
+ free(freeIt);
cp += length-1;
}
}
@@ -1948,7 +1948,7 @@ Parse_DoVar(char *line, GNode *ctxt)
if (!Var_Exists(line, ctxt))
Var_Set(line, "", ctxt, 0);
- cp = Var_Subst(NULL, cp, ctxt, FALSE, TRUE);
+ cp = Var_Subst(NULL, cp, ctxt, VARF_WANTRES|VARF_ASSIGN);
oldVars = oldOldVars;
freeCp = TRUE;
@@ -1963,7 +1963,7 @@ Parse_DoVar(char *line, GNode *ctxt)
* expansion on the whole thing. The resulting string will need
* freeing when we're done, so set freeCmd to TRUE.
*/
- cp = Var_Subst(NULL, cp, VAR_CMD, TRUE, TRUE);
+ cp = Var_Subst(NULL, cp, VAR_CMD, VARF_UNDEFERR|VARF_WANTRES);
freeCp = TRUE;
}
@@ -2155,7 +2155,7 @@ Parse_AddIncludeDir(char *dir)
*/
static void
-Parse_include_file(char *file, Boolean isSystem, int silent)
+Parse_include_file(char *file, Boolean isSystem, Boolean depinc, int silent)
{
struct loadedfile *lf;
char *fullname; /* full pathname of file */
@@ -2255,6 +2255,8 @@ Parse_include_file(char *file, Boolean isSystem, int silent)
/* Start reading from this file next */
Parse_SetInput(fullname, 0, -1, loadedfile_nextbuf, lf);
curFile->lf = lf;
+ if (depinc)
+ doing_depend = depinc; /* only turn it on */
}
static void
@@ -2302,9 +2304,9 @@ ParseDoInclude(char *line)
* Substitute for any variables in the file name before trying to
* find the thing.
*/
- file = Var_Subst(NULL, file, VAR_CMD, FALSE, TRUE);
+ file = Var_Subst(NULL, file, VAR_CMD, VARF_WANTRES);
- Parse_include_file(file, endc == '>', silent);
+ Parse_include_file(file, endc == '>', (*line == 'd'), silent);
free(file);
}
@@ -2339,10 +2341,8 @@ ParseSetIncludedFile(void)
fprintf(debug_file, "%s: ${.INCLUDEDFROMDIR} = `%s' "
"${.INCLUDEDFROMFILE} = `%s'\n", __func__, pd, pf);
- if (fp)
- free(fp);
- if (dp)
- free(dp);
+ free(fp);
+ free(dp);
}
/*-
*---------------------------------------------------------------------
@@ -2472,6 +2472,7 @@ Parse_SetInput(const char *name, int line, int fd,
curFile->nextbuf = nextbuf;
curFile->nextbuf_arg = arg;
curFile->lf = NULL;
+ curFile->depending = doing_depend; /* restore this on EOF */
assert(nextbuf != NULL);
@@ -2532,7 +2533,7 @@ ParseTraditionalInclude(char *line)
* Substitute for any variables in the file name before trying to
* find the thing.
*/
- all_files = Var_Subst(NULL, file, VAR_CMD, FALSE, TRUE);
+ all_files = Var_Subst(NULL, file, VAR_CMD, VARF_WANTRES);
if (*file == '\0') {
Parse_Error(PARSE_FATAL,
@@ -2550,7 +2551,7 @@ ParseTraditionalInclude(char *line)
else
done = 1;
- Parse_include_file(file, FALSE, silent);
+ Parse_include_file(file, FALSE, FALSE, silent);
}
free(all_files);
}
@@ -2600,7 +2601,7 @@ ParseGmakeExport(char *line)
/*
* Expand the value before putting it in the environment.
*/
- value = Var_Subst(NULL, value, VAR_CMD, FALSE, TRUE);
+ value = Var_Subst(NULL, value, VAR_CMD, VARF_WANTRES);
setenv(variable, value, 1);
}
#endif
@@ -2628,6 +2629,7 @@ ParseEOF(void)
assert(curFile->nextbuf != NULL);
+ doing_depend = curFile->depending; /* restore this */
/* get next input buffer, if any */
ptr = curFile->nextbuf(curFile->nextbuf_arg, &len);
curFile->P_ptr = ptr;
@@ -2990,7 +2992,7 @@ Parse_File(const char *name, int fd)
continue;
}
if (strncmp(cp, "include", 7) == 0 ||
- ((cp[0] == 's' || cp[0] == '-') &&
+ ((cp[0] == 'd' || cp[0] == 's' || cp[0] == '-') &&
strncmp(&cp[1], "include", 7) == 0)) {
ParseDoInclude(cp);
continue;
@@ -3149,7 +3151,7 @@ Parse_File(const char *name, int fd)
* variables expanded before being parsed. Tell the variable
* module to complain if some variable is undefined...
*/
- line = Var_Subst(NULL, line, VAR_CMD, TRUE, TRUE);
+ line = Var_Subst(NULL, line, VAR_CMD, VARF_UNDEFERR|VARF_WANTRES);
/*
* Need a non-circular list for the target nodes
diff --git a/contrib/bmake/suff.c b/contrib/bmake/suff.c
index db69643f4ce4..98bd44734872 100644
--- a/contrib/bmake/suff.c
+++ b/contrib/bmake/suff.c
@@ -1,4 +1,4 @@
-/* $NetBSD: suff.c,v 1.75 2015/12/20 22:44:10 sjg Exp $ */
+/* $NetBSD: suff.c,v 1.78 2016/02/18 18:29:14 christos Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1993
@@ -69,14 +69,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: suff.c,v 1.75 2015/12/20 22:44:10 sjg Exp $";
+static char rcsid[] = "$NetBSD: suff.c,v 1.78 2016/02/18 18:29:14 christos Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)suff.c 8.4 (Berkeley) 3/21/94";
#else
-__RCSID("$NetBSD: suff.c,v 1.75 2015/12/20 22:44:10 sjg Exp $");
+__RCSID("$NetBSD: suff.c,v 1.78 2016/02/18 18:29:14 christos Exp $");
#endif
#endif /* not lint */
#endif
@@ -1556,7 +1556,7 @@ SuffExpandChildren(LstNode cln, GNode *pgn)
if (DEBUG(SUFF)) {
fprintf(debug_file, "Expanding \"%s\"...", cgn->name);
}
- cp = Var_Subst(NULL, cgn->name, pgn, TRUE, TRUE);
+ cp = Var_Subst(NULL, cgn->name, pgn, VARF_UNDEFERR|VARF_WANTRES);
if (cp != NULL) {
Lst members = Lst_Init(FALSE);
@@ -1609,13 +1609,13 @@ SuffExpandChildren(LstNode cln, GNode *pgn)
int len;
void *freeIt;
- junk = Var_Parse(cp, pgn, TRUE, TRUE, &len, &freeIt);
+ junk = Var_Parse(cp, pgn, VARF_UNDEFERR|VARF_WANTRES,
+ &len, &freeIt);
if (junk != var_Error) {
cp += len - 1;
}
- if (freeIt)
- free(freeIt);
+ free(freeIt);
} else if (*cp == '\\' && *cp != '\0') {
/*
* Escaped something -- skip over it
@@ -1933,8 +1933,7 @@ SuffFindArchiveDeps(GNode *gn, Lst slst)
for (i = (sizeof(copy)/sizeof(copy[0]))-1; i >= 0; i--) {
char *p1;
Var_Set(copy[i], Var_Value(copy[i], mem, &p1), gn, 0);
- if (p1)
- free(p1);
+ free(p1);
}
diff --git a/contrib/bmake/targ.c b/contrib/bmake/targ.c
index 5db5477ca546..dd52b296ff3a 100644
--- a/contrib/bmake/targ.c
+++ b/contrib/bmake/targ.c
@@ -1,4 +1,4 @@
-/* $NetBSD: targ.c,v 1.60 2015/05/25 09:01:06 manu Exp $ */
+/* $NetBSD: targ.c,v 1.61 2016/01/17 17:45:21 christos Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1993
@@ -69,14 +69,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: targ.c,v 1.60 2015/05/25 09:01:06 manu Exp $";
+static char rcsid[] = "$NetBSD: targ.c,v 1.61 2016/01/17 17:45:21 christos Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)targ.c 8.2 (Berkeley) 3/19/94";
#else
-__RCSID("$NetBSD: targ.c,v 1.60 2015/05/25 09:01:06 manu Exp $");
+__RCSID("$NetBSD: targ.c,v 1.61 2016/01/17 17:45:21 christos Exp $");
#endif
#endif /* not lint */
#endif
@@ -292,10 +292,8 @@ TargFreeGN(void *gnp)
free(gn->name);
- if (gn->uname)
- free(gn->uname);
- if (gn->path)
- free(gn->path);
+ free(gn->uname);
+ free(gn->path);
/* gn->fname points to name allocated when file was opened, don't free */
Lst_Destroy(gn->iParents, NULL);
diff --git a/contrib/bmake/unit-tests/export-env.exp b/contrib/bmake/unit-tests/export-env.exp
index 6221232a2a1b..8a779e6aff0a 100644
--- a/contrib/bmake/unit-tests/export-env.exp
+++ b/contrib/bmake/unit-tests/export-env.exp
@@ -2,8 +2,10 @@ make:
UT_TEST=export-env.mk
UT_ENV=not-exported
UT_EXP=not-exported
+UT_LIT=literal export-env.mk
env:
UT_TEST=export-env.mk
UT_ENV=exported
UT_EXP=exported
+UT_LIT=literal ${UT_TEST}
exit status 0
diff --git a/contrib/bmake/unit-tests/export-env.mk b/contrib/bmake/unit-tests/export-env.mk
index 6b7cd4c3060c..93aa6721a23e 100644
--- a/contrib/bmake/unit-tests/export-env.mk
+++ b/contrib/bmake/unit-tests/export-env.mk
@@ -1,4 +1,4 @@
-# $Id: export-env.mk,v 1.1.1.1 2014/08/30 18:57:18 sjg Exp $
+# $Id: export-env.mk,v 1.1.1.2 2016/02/18 20:35:24 sjg Exp $
# our normal .export, subsequent changes affect the environment
UT_TEST=this
@@ -15,9 +15,12 @@ UT_EXP=before-export
export UT_EXP=exported
UT_EXP=not-exported
+UT_LIT= literal ${UT_TEST}
+.export-literal UT_LIT
+
all:
- @echo make:; ${UT_TEST UT_ENV UT_EXP:L:@v@echo $v=${$v};@}
- @echo env:; ${UT_TEST UT_ENV UT_EXP:L:@v@echo $v=$${$v};@}
+ @echo make:; ${UT_TEST UT_ENV UT_EXP UT_LIT:L:@v@echo $v=${$v};@}
+ @echo env:; ${UT_TEST UT_ENV UT_EXP UT_LIT:L:@v@echo $v=$${$v};@}
diff --git a/contrib/bmake/unit-tests/modts.exp b/contrib/bmake/unit-tests/modts.exp
index cf3c91d43c0c..338964963a86 100644
--- a/contrib/bmake/unit-tests/modts.exp
+++ b/contrib/bmake/unit-tests/modts.exp
@@ -23,10 +23,16 @@ THREE
FOUR
FIVE
SIX"
+LIST:ts/xa:tu="ONE
+TWO
+THREE
+FOUR
+FIVE
+SIX"
make: Bad modifier `:tx' for LIST
LIST:tx="}"
-make: Bad modifier `:ts\x' for LIST
-LIST:ts/x:tu="\x:tu}"
+make: Bad modifier `:ts\X' for LIST
+LIST:ts/x:tu="\X:tu}"
FU_mod-ts="a/b/cool"
FU_mod-ts:ts:T="cool" == cool?
B.${AAA:ts}="Baaa" == Baaa?
diff --git a/contrib/bmake/unit-tests/modts.mk b/contrib/bmake/unit-tests/modts.mk
index 54b3d3d2ffa1..e66dc25a2a02 100644
--- a/contrib/bmake/unit-tests/modts.mk
+++ b/contrib/bmake/unit-tests/modts.mk
@@ -36,8 +36,9 @@ mod-ts:
@${PRINT} 'LIST:ts/n="${LIST:ts\n}"'
@${PRINT} 'LIST:ts/t="${LIST:ts\t}"'
@${PRINT} 'LIST:ts/012:tu="${LIST:ts\012:tu}"'
+ @${PRINT} 'LIST:ts/xa:tu="${LIST:ts\xa:tu}"'
@${PRINT} 'LIST:tx="${LIST:tx}"'
- @${PRINT} 'LIST:ts/x:tu="${LIST:ts\x:tu}"'
+ @${PRINT} 'LIST:ts/x:tu="${LIST:ts\X:tu}"'
@${PRINT} 'FU_$@="${FU_${@:ts}:ts}"'
@${PRINT} 'FU_$@:ts:T="${FU_${@:ts}:ts:T}" == cool?'
@${PRINT} 'B.$${AAA:ts}="${B.${AAA:ts}}" == Baaa?'
diff --git a/contrib/bmake/var.c b/contrib/bmake/var.c
index 43429e28dc3d..36ba6de678db 100644
--- a/contrib/bmake/var.c
+++ b/contrib/bmake/var.c
@@ -1,4 +1,4 @@
-/* $NetBSD: var.c,v 1.200 2015/12/01 07:26:08 sjg Exp $ */
+/* $NetBSD: var.c,v 1.206 2016/03/07 20:20:35 sjg Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1993
@@ -69,14 +69,14 @@
*/
#ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: var.c,v 1.200 2015/12/01 07:26:08 sjg Exp $";
+static char rcsid[] = "$NetBSD: var.c,v 1.206 2016/03/07 20:20:35 sjg Exp $";
#else
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)var.c 8.3 (Berkeley) 3/19/94";
#else
-__RCSID("$NetBSD: var.c,v 1.200 2015/12/01 07:26:08 sjg Exp $");
+__RCSID("$NetBSD: var.c,v 1.206 2016/03/07 20:20:35 sjg Exp $");
#endif
#endif /* not lint */
#endif
@@ -154,13 +154,23 @@ char **savedEnv = NULL;
char var_Error[] = "";
/*
- * Similar to var_Error, but returned when the 'errnum' flag for Var_Parse is
- * set false. Why not just use a constant? Well, gcc likes to condense
- * identical string instances...
+ * Similar to var_Error, but returned when the 'VARF_UNDEFERR' flag for
+ * Var_Parse is not set. Why not just use a constant? Well, gcc likes
+ * to condense identical string instances...
*/
static char varNoError[] = "";
/*
+ * Traditionally we consume $$ during := like any other expansion.
+ * Other make's do not.
+ * This knob allows controlling the behavior.
+ * FALSE for old behavior.
+ * TRUE for new compatible.
+ */
+#define SAVE_DOLLARS ".MAKE.SAVE_DOLLARS"
+static Boolean save_dollars = FALSE;
+
+/*
* Internally, variables are contained in four different contexts.
* 1) the environment. They may not be changed. If an environment
* variable is appended-to, the result is placed in the global
@@ -216,7 +226,11 @@ static int var_exportedVars = VAR_EXPORTED_NONE;
* We pass this to Var_Export when doing the initial export
* or after updating an exported var.
*/
-#define VAR_EXPORT_PARENT 1
+#define VAR_EXPORT_PARENT 1
+/*
+ * We pass this to Var_Export1 to tell it to leave the value alone.
+ */
+#define VAR_EXPORT_LITERAL 2
/* Var*Pattern flags */
#define VAR_SUB_GLOBAL 0x01 /* Apply substitution globally */
@@ -541,7 +555,7 @@ Var_Delete(const char *name, GNode *ctxt)
char *cp;
if (strchr(name, '$')) {
- cp = Var_Subst(NULL, name, VAR_GLOBAL, FALSE, TRUE);
+ cp = Var_Subst(NULL, name, VAR_GLOBAL, VARF_WANTRES);
} else {
cp = (char *)name;
}
@@ -580,12 +594,13 @@ Var_Delete(const char *name, GNode *ctxt)
* We only manipulate flags of vars if 'parent' is set.
*/
static int
-Var_Export1(const char *name, int parent)
+Var_Export1(const char *name, int flags)
{
char tmp[BUFSIZ];
Var *v;
char *val = NULL;
int n;
+ int parent = (flags & VAR_EXPORT_PARENT);
if (*name == '.')
return 0; /* skip internals */
@@ -613,7 +628,7 @@ Var_Export1(const char *name, int parent)
return 0; /* nothing to do */
}
val = Buf_GetAll(&v->val, NULL);
- if (strchr(val, '$')) {
+ if ((flags & VAR_EXPORT_LITERAL) == 0 && strchr(val, '$')) {
if (parent) {
/*
* Flag this as something we need to re-export.
@@ -632,7 +647,7 @@ Var_Export1(const char *name, int parent)
}
n = snprintf(tmp, sizeof(tmp), "${%s}", name);
if (n < (int)sizeof(tmp)) {
- val = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE);
+ val = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES);
setenv(name, val, 1);
free(val);
}
@@ -700,7 +715,7 @@ Var_ExportVars(void)
int ac;
int i;
- val = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE);
+ val = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES);
if (*val) {
av = brk_string(val, &ac, FALSE, &as);
for (i = 0; i < ac; i++) {
@@ -725,7 +740,7 @@ Var_Export(char *str, int isExport)
char *val;
char **av;
char *as;
- int track;
+ int flags;
int ac;
int i;
@@ -734,13 +749,16 @@ Var_Export(char *str, int isExport)
return;
}
+ flags = 0;
if (strncmp(str, "-env", 4) == 0) {
- track = 0;
str += 4;
+ } else if (strncmp(str, "-literal", 8) == 0) {
+ str += 8;
+ flags |= VAR_EXPORT_LITERAL;
} else {
- track = VAR_EXPORT_PARENT;
+ flags |= VAR_EXPORT_PARENT;
}
- val = Var_Subst(NULL, str, VAR_GLOBAL, FALSE, TRUE);
+ val = Var_Subst(NULL, str, VAR_GLOBAL, VARF_WANTRES);
if (*val) {
av = brk_string(val, &ac, FALSE, &as);
for (i = 0; i < ac; i++) {
@@ -760,10 +778,10 @@ Var_Export(char *str, int isExport)
continue;
}
}
- if (Var_Export1(name, track)) {
+ if (Var_Export1(name, flags)) {
if (VAR_EXPORTED_ALL != var_exportedVars)
var_exportedVars = VAR_EXPORTED_YES;
- if (isExport && track) {
+ if (isExport && (flags & VAR_EXPORT_PARENT)) {
Var_Append(MAKE_EXPORTED, name, VAR_GLOBAL);
}
}
@@ -830,7 +848,7 @@ Var_UnExport(char *str)
/* Using .MAKE.EXPORTED */
n = snprintf(tmp, sizeof(tmp), "${" MAKE_EXPORTED ":O:u}");
if (n < (int)sizeof(tmp)) {
- vlist = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE);
+ vlist = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES);
}
}
if (vlist) {
@@ -860,7 +878,7 @@ Var_UnExport(char *str)
n = snprintf(tmp, sizeof(tmp),
"${" MAKE_EXPORTED ":N%s}", v->name);
if (n < (int)sizeof(tmp)) {
- cp = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE);
+ cp = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES);
Var_Set(MAKE_EXPORTED, cp, VAR_GLOBAL, 0);
free(cp);
}
@@ -915,7 +933,7 @@ Var_Set(const char *name, const char *val, GNode *ctxt, int flags)
* point in searching them all just to save a bit of memory...
*/
if (strchr(name, '$') != NULL) {
- expanded_name = Var_Subst(NULL, name, ctxt, FALSE, TRUE);
+ expanded_name = Var_Subst(NULL, name, ctxt, VARF_WANTRES);
if (expanded_name[0] == 0) {
if (DEBUG(VAR)) {
fprintf(debug_file, "Var_Set(\"%s\", \"%s\", ...) "
@@ -983,7 +1001,10 @@ Var_Set(const char *name, const char *val, GNode *ctxt, int flags)
Var_Append(MAKEOVERRIDES, name, VAR_GLOBAL);
}
-
+ if (*name == '.') {
+ if (strcmp(name, SAVE_DOLLARS) == 0)
+ save_dollars = s2Boolean(val, save_dollars);
+ }
out:
free(expanded_name);
@@ -1026,7 +1047,7 @@ Var_Append(const char *name, const char *val, GNode *ctxt)
char *expanded_name = NULL;
if (strchr(name, '$') != NULL) {
- expanded_name = Var_Subst(NULL, name, ctxt, FALSE, TRUE);
+ expanded_name = Var_Subst(NULL, name, ctxt, VARF_WANTRES);
if (expanded_name[0] == 0) {
if (DEBUG(VAR)) {
fprintf(debug_file, "Var_Append(\"%s\", \"%s\", ...) "
@@ -1091,7 +1112,7 @@ Var_Exists(const char *name, GNode *ctxt)
char *cp;
if ((cp = strchr(name, '$')) != NULL) {
- cp = Var_Subst(NULL, name, ctxt, FALSE, TRUE);
+ cp = Var_Subst(NULL, name, ctxt, VARF_WANTRES);
}
v = VarFind(cp ? cp : name, ctxt, FIND_CMD|FIND_GLOBAL|FIND_ENV);
free(cp);
@@ -1389,7 +1410,7 @@ VarSYSVMatch(GNode *ctx, Var_Parse_State *vpstate,
addSpace = TRUE;
if ((ptr = Str_SYSVMatch(word, pat->lhs, &len)) != NULL) {
- varexp = Var_Subst(NULL, pat->rhs, ctx, FALSE, TRUE);
+ varexp = Var_Subst(NULL, pat->rhs, ctx, VARF_WANTRES);
Str_SYSVSubst(buf, varexp, ptr, len);
free(varexp);
} else {
@@ -1629,14 +1650,14 @@ VarSubstitute(GNode *ctx MAKE_ATTR_UNUSED, Var_Parse_State *vpstate,
*-----------------------------------------------------------------------
*/
static void
-VarREError(int errnum, regex_t *pat, const char *str)
+VarREError(int reerr, regex_t *pat, const char *str)
{
char *errbuf;
int errlen;
- errlen = regerror(errnum, pat, 0, 0);
+ errlen = regerror(reerr, pat, 0, 0);
errbuf = bmake_malloc(errlen);
- regerror(errnum, pat, errbuf, errlen);
+ regerror(reerr, pat, errbuf, errlen);
Error("%s: %s", str, errbuf);
free(errbuf);
}
@@ -1809,7 +1830,7 @@ VarLoopExpand(GNode *ctx MAKE_ATTR_UNUSED,
if (word && *word) {
Var_Set(loop->tvar, word, loop->ctxt, VAR_NO_EXPORT);
- s = Var_Subst(NULL, loop->str, loop->ctxt, loop->errnum, TRUE);
+ s = Var_Subst(NULL, loop->str, loop->ctxt, loop->errnum | VARF_WANTRES);
if (s != NULL && *s != '\0') {
if (addSpace && *s != '\n')
Buf_AddByte(buf, ' ');
@@ -2143,13 +2164,14 @@ VarUniq(const char *str)
*/
static char *
VarGetPattern(GNode *ctxt, Var_Parse_State *vpstate MAKE_ATTR_UNUSED,
- int errnum, const char **tstr, int delim, int *flags,
+ int flags, const char **tstr, int delim, int *vflags,
int *length, VarPattern *pattern)
{
const char *cp;
char *rstr;
Buffer buf;
int junk;
+ int errnum = flags & VARF_UNDEFERR;
Buf_Init(&buf, 0);
if (length == NULL)
@@ -2171,16 +2193,16 @@ VarGetPattern(GNode *ctxt, Var_Parse_State *vpstate MAKE_ATTR_UNUSED,
cp++;
} else if (*cp == '$') {
if (cp[1] == delim) {
- if (flags == NULL)
+ if (vflags == NULL)
Buf_AddByte(&buf, *cp);
else
/*
* Unescaped $ at end of pattern => anchor
* pattern at end.
*/
- *flags |= VAR_MATCH_END;
+ *vflags |= VAR_MATCH_END;
} else {
- if (flags == NULL || (*flags & VAR_NOSUBST) == 0) {
+ if (vflags == NULL || (*vflags & VAR_NOSUBST) == 0) {
char *cp2;
int len;
void *freeIt;
@@ -2190,7 +2212,8 @@ VarGetPattern(GNode *ctxt, Var_Parse_State *vpstate MAKE_ATTR_UNUSED,
* delimiter, assume it's a variable
* substitution and recurse.
*/
- cp2 = Var_Parse(cp, ctxt, errnum, TRUE, &len, &freeIt);
+ cp2 = Var_Parse(cp, ctxt, errnum | VARF_WANTRES, &len,
+ &freeIt);
Buf_AddBytes(&buf, strlen(cp2), cp2);
free(freeIt);
cp += len - 1;
@@ -2463,7 +2486,7 @@ VarStrftime(const char *fmt, int zulu)
static char *
ApplyModifiers(char *nstr, const char *tstr,
int startc, int endc,
- Var *v, GNode *ctxt, Boolean errnum, Boolean wantit,
+ Var *v, GNode *ctxt, int flags,
int *lengthPtr, void **freePtr)
{
const char *start;
@@ -2494,7 +2517,7 @@ ApplyModifiers(char *nstr, const char *tstr,
int rlen;
int c;
- rval = Var_Parse(tstr, ctxt, errnum, wantit, &rlen, &freeIt);
+ rval = Var_Parse(tstr, ctxt, flags, &rlen, &freeIt);
/*
* If we have not parsed up to endc or ':',
@@ -2519,10 +2542,9 @@ ApplyModifiers(char *nstr, const char *tstr,
int used;
nstr = ApplyModifiers(nstr, rval,
- 0, 0,
- v, ctxt, errnum, wantit, &used, freePtr);
+ 0, 0, v, ctxt, flags, &used, freePtr);
if (nstr == var_Error
- || (nstr == varNoError && errnum == 0)
+ || (nstr == varNoError && (flags & VARF_UNDEFERR) == 0)
|| strlen(rval) != (size_t) used) {
free(freeIt);
goto out; /* error already reported */
@@ -2557,7 +2579,7 @@ ApplyModifiers(char *nstr, const char *tstr,
char *sv_name;
VarPattern pattern;
int how;
- int flags;
+ int vflags;
if (v->name[0] == 0)
goto bad_modifier;
@@ -2593,9 +2615,9 @@ ApplyModifiers(char *nstr, const char *tstr,
delim = startc == PROPEN ? PRCLOSE : BRCLOSE;
pattern.flags = 0;
- flags = (wantit) ? 0 : VAR_NOSUBST;
- pattern.rhs = VarGetPattern(ctxt, &parsestate, errnum,
- &cp, delim, &flags,
+ vflags = (flags & VARF_WANTRES) ? 0 : VAR_NOSUBST;
+ pattern.rhs = VarGetPattern(ctxt, &parsestate, flags,
+ &cp, delim, &vflags,
&pattern.rightLen,
NULL);
if (v->flags & VAR_JUNK) {
@@ -2609,7 +2631,7 @@ ApplyModifiers(char *nstr, const char *tstr,
termc = *--cp;
delim = '\0';
- if (wantit) {
+ if (flags & VARF_WANTRES) {
switch (how) {
case '+':
Var_Append(v->name, pattern.rhs, v_ctxt);
@@ -2640,29 +2662,30 @@ ApplyModifiers(char *nstr, const char *tstr,
case '@':
{
VarLoop_t loop;
- int flags = VAR_NOSUBST;
+ int vflags = VAR_NOSUBST;
cp = ++tstr;
delim = '@';
- if ((loop.tvar = VarGetPattern(ctxt, &parsestate, errnum,
+ if ((loop.tvar = VarGetPattern(ctxt, &parsestate, flags,
&cp, delim,
- &flags, &loop.tvarLen,
+ &vflags, &loop.tvarLen,
NULL)) == NULL)
goto cleanup;
- if ((loop.str = VarGetPattern(ctxt, &parsestate, errnum,
+ if ((loop.str = VarGetPattern(ctxt, &parsestate, flags,
&cp, delim,
- &flags, &loop.strLen,
+ &vflags, &loop.strLen,
NULL)) == NULL)
goto cleanup;
termc = *cp;
delim = '\0';
- loop.errnum = errnum;
+ loop.errnum = flags & VARF_UNDEFERR;
loop.ctxt = ctxt;
newStr = VarModify(ctxt, &parsestate, nstr, VarLoopExpand,
&loop);
+ Var_Delete(loop.tvar, ctxt);
free(loop.tvar);
free(loop.str);
break;
@@ -2671,15 +2694,19 @@ ApplyModifiers(char *nstr, const char *tstr,
case 'U':
{
Buffer buf; /* Buffer for patterns */
- int wantit_; /* want data in buffer */
+ int nflags;
- if (wantit) {
+ if (flags & VARF_WANTRES) {
+ int wantres;
if (*tstr == 'U')
- wantit_ = ((v->flags & VAR_JUNK) != 0);
+ wantres = ((v->flags & VAR_JUNK) != 0);
else
- wantit_ = ((v->flags & VAR_JUNK) == 0);
+ wantres = ((v->flags & VAR_JUNK) == 0);
+ nflags = flags & ~VARF_WANTRES;
+ if (wantres)
+ nflags |= VARF_WANTRES;
} else
- wantit_ = wantit;
+ nflags = flags;
/*
* Pass through tstr looking for 1) escaped delimiters,
* '$'s and backslashes (place the escaped character in
@@ -2708,7 +2735,7 @@ ApplyModifiers(char *nstr, const char *tstr,
int len;
void *freeIt;
- cp2 = Var_Parse(cp, ctxt, errnum, wantit_, &len, &freeIt);
+ cp2 = Var_Parse(cp, ctxt, nflags, &len, &freeIt);
Buf_AddBytes(&buf, strlen(cp2), cp2);
free(freeIt);
cp += len - 1;
@@ -2721,7 +2748,7 @@ ApplyModifiers(char *nstr, const char *tstr,
if ((v->flags & VAR_JUNK) != 0)
v->flags |= VAR_KEEP;
- if (wantit_) {
+ if (nflags & VARF_WANTRES) {
newStr = Buf_Destroy(&buf, FALSE);
} else {
newStr = nstr;
@@ -2768,12 +2795,12 @@ ApplyModifiers(char *nstr, const char *tstr,
delim = '!';
emsg = NULL;
cp = ++tstr;
- if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, errnum,
+ if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, flags,
&cp, delim,
NULL, &pattern.rightLen,
NULL)) == NULL)
goto cleanup;
- if (wantit)
+ if (flags & VARF_WANTRES)
newStr = Cmd_Exec(pattern.rhs, &emsg);
else
newStr = varNoError;
@@ -2801,7 +2828,7 @@ ApplyModifiers(char *nstr, const char *tstr,
cp = tstr+1; /* point to char after '[' */
delim = ']'; /* look for closing ']' */
estr = VarGetPattern(ctxt, &parsestate,
- errnum, &cp, delim,
+ flags, &cp, delim,
NULL, NULL, NULL);
if (estr == NULL)
goto cleanup; /* report missing ']' */
@@ -2978,6 +3005,9 @@ ApplyModifiers(char *nstr, const char *tstr,
parsestate.varSpace = 0; /* no separator */
cp = tstr + 2;
} else if (tstr[2] == '\\') {
+ const char *xp = &tstr[3];
+ int base = 8; /* assume octal */
+
switch (tstr[3]) {
case 'n':
parsestate.varSpace = '\n';
@@ -2987,12 +3017,20 @@ ApplyModifiers(char *nstr, const char *tstr,
parsestate.varSpace = '\t';
cp = tstr + 4;
break;
+ case 'x':
+ base = 16;
+ xp++;
+ goto get_numeric;
+ case '0':
+ base = 0;
+ goto get_numeric;
default:
if (isdigit((unsigned char)tstr[3])) {
char *ep;
+ get_numeric:
parsestate.varSpace =
- strtoul(&tstr[3], &ep, 0);
+ strtoul(xp, &ep, base);
if (*ep != ':' && *ep != endc)
goto bad_modifier;
cp = ep;
@@ -3152,7 +3190,7 @@ ApplyModifiers(char *nstr, const char *tstr,
* expand it.
*/
cp2 = pattern;
- pattern = Var_Subst(NULL, cp2, ctxt, errnum, TRUE);
+ pattern = Var_Subst(NULL, cp2, ctxt, flags | VARF_WANTRES);
free(cp2);
}
if (DEBUG(VAR))
@@ -3188,14 +3226,14 @@ ApplyModifiers(char *nstr, const char *tstr,
}
cp = tstr;
- if ((pattern.lhs = VarGetPattern(ctxt, &parsestate, errnum,
+ if ((pattern.lhs = VarGetPattern(ctxt, &parsestate, flags,
&cp, delim,
&pattern.flags,
&pattern.leftLen,
NULL)) == NULL)
goto cleanup;
- if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, errnum,
+ if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, flags,
&cp, delim, NULL,
&pattern.rightLen,
&pattern)) == NULL)
@@ -3242,7 +3280,7 @@ ApplyModifiers(char *nstr, const char *tstr,
int lhs_flags, rhs_flags;
/* find ':', and then substitute accordingly */
- if (wantit) {
+ if (flags & VARF_WANTRES) {
cond_rc = Cond_EvalExpression(NULL, v->name, &value, 0, FALSE);
if (cond_rc == COND_INVALID) {
lhs_flags = rhs_flags = VAR_NOSUBST;
@@ -3262,7 +3300,7 @@ ApplyModifiers(char *nstr, const char *tstr,
cp = ++tstr;
delim = ':';
- if ((pattern.lhs = VarGetPattern(ctxt, &parsestate, errnum,
+ if ((pattern.lhs = VarGetPattern(ctxt, &parsestate, flags,
&cp, delim, &lhs_flags,
&pattern.leftLen,
NULL)) == NULL)
@@ -3270,7 +3308,7 @@ ApplyModifiers(char *nstr, const char *tstr,
/* BROPEN or PROPEN */
delim = endc;
- if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, errnum,
+ if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, flags,
&cp, delim, &rhs_flags,
&pattern.rightLen,
NULL)) == NULL)
@@ -3311,12 +3349,12 @@ ApplyModifiers(char *nstr, const char *tstr,
cp = tstr;
- if ((re = VarGetPattern(ctxt, &parsestate, errnum, &cp, delim,
+ if ((re = VarGetPattern(ctxt, &parsestate, flags, &cp, delim,
NULL, NULL, NULL)) == NULL)
goto cleanup;
if ((pattern.replace = VarGetPattern(ctxt, &parsestate,
- errnum, &cp, delim, NULL,
+ flags, &cp, delim, NULL,
NULL, NULL)) == NULL){
free(re);
goto cleanup;
@@ -3440,7 +3478,7 @@ ApplyModifiers(char *nstr, const char *tstr,
case 's':
if (tstr[1] == 'h' && (tstr[2] == endc || tstr[2] == ':')) {
const char *emsg;
- if (wantit) {
+ if (flags & VARF_WANTRES) {
newStr = Cmd_Exec(nstr, &emsg);
if (emsg)
Error(emsg, nstr);
@@ -3493,12 +3531,12 @@ ApplyModifiers(char *nstr, const char *tstr,
delim='=';
cp = tstr;
if ((pattern.lhs = VarGetPattern(ctxt, &parsestate,
- errnum, &cp, delim, &pattern.flags,
+ flags, &cp, delim, &pattern.flags,
&pattern.leftLen, NULL)) == NULL)
goto cleanup;
delim = endc;
if ((pattern.rhs = VarGetPattern(ctxt, &parsestate,
- errnum, &cp, delim, NULL, &pattern.rightLen,
+ flags, &cp, delim, NULL, &pattern.rightLen,
&pattern)) == NULL)
goto cleanup;
@@ -3581,8 +3619,9 @@ ApplyModifiers(char *nstr, const char *tstr,
* Input:
* str The string to parse
* ctxt The context for the variable
- * errnum TRUE if undefined variables are an error
- * wantit TRUE if we actually want the result
+ * flags VARF_UNDEFERR if undefineds are an error
+ * VARF_WANTRES if we actually want the result
+ * VARF_ASSIGN if we are in a := assignment
* lengthPtr OUT: The length of the specification
* freePtr OUT: Non-NULL if caller should free *freePtr
*
@@ -3601,9 +3640,8 @@ ApplyModifiers(char *nstr, const char *tstr,
*/
/* coverity[+alloc : arg-*4] */
char *
-Var_Parse(const char *str, GNode *ctxt,
- Boolean errnum, Boolean wantit,
- int *lengthPtr, void **freePtr)
+Var_Parse(const char *str, GNode *ctxt, int flags,
+ int *lengthPtr, void **freePtr)
{
const char *tstr; /* Pointer into str */
Var *v; /* Variable in invocation */
@@ -3671,7 +3709,7 @@ Var_Parse(const char *str, GNode *ctxt,
/*
* Error
*/
- return (errnum ? var_Error : varNoError);
+ return (flags & VARF_UNDEFERR) ? var_Error : varNoError;
} else {
haveModifier = FALSE;
tstr = &str[1];
@@ -3708,7 +3746,7 @@ Var_Parse(const char *str, GNode *ctxt,
if (*tstr == '$') {
int rlen;
void *freeIt;
- char *rval = Var_Parse(tstr, ctxt, errnum, wantit, &rlen, &freeIt);
+ char *rval = Var_Parse(tstr, ctxt, flags, &rlen, &freeIt);
if (rval != NULL) {
Buf_AddBytes(&buf, strlen(rval), rval);
}
@@ -3821,7 +3859,7 @@ Var_Parse(const char *str, GNode *ctxt,
return(pstr);
} else {
Buf_Destroy(&buf, TRUE);
- return (errnum ? var_Error : varNoError);
+ return (flags & VARF_UNDEFERR) ? var_Error : varNoError;
}
} else {
/*
@@ -3855,7 +3893,7 @@ Var_Parse(const char *str, GNode *ctxt,
*/
nstr = Buf_GetAll(&v->val, NULL);
if (strchr(nstr, '$') != NULL) {
- nstr = Var_Subst(NULL, nstr, ctxt, errnum, wantit);
+ nstr = Var_Subst(NULL, nstr, ctxt, flags);
*freePtr = nstr;
}
@@ -3868,7 +3906,7 @@ Var_Parse(const char *str, GNode *ctxt,
extraFree = NULL;
if (extramodifiers != NULL) {
nstr = ApplyModifiers(nstr, extramodifiers, '(', ')',
- v, ctxt, errnum, wantit, &used, &extraFree);
+ v, ctxt, flags, &used, &extraFree);
}
if (haveModifier) {
@@ -3876,7 +3914,7 @@ Var_Parse(const char *str, GNode *ctxt,
tstr++;
nstr = ApplyModifiers(nstr, tstr, startc, endc,
- v, ctxt, errnum, wantit, &used, freePtr);
+ v, ctxt, flags, &used, freePtr);
tstr += used;
free(extraFree);
} else {
@@ -3917,7 +3955,7 @@ Var_Parse(const char *str, GNode *ctxt,
nstr = bmake_strndup(start, *lengthPtr);
*freePtr = nstr;
} else {
- nstr = errnum ? var_Error : varNoError;
+ nstr = (flags & VARF_UNDEFERR) ? var_Error : varNoError;
}
}
if (nstr != Buf_GetAll(&v->val, NULL))
@@ -3932,15 +3970,16 @@ Var_Parse(const char *str, GNode *ctxt,
*-----------------------------------------------------------------------
* Var_Subst --
* Substitute for all variables in the given string in the given context
- * If undefErr is TRUE, Parse_Error will be called when an undefined
+ * If flags & VARF_UNDEFERR, Parse_Error will be called when an undefined
* variable is encountered.
*
* Input:
* var Named variable || NULL for all
* str the string which to substitute
* ctxt the context wherein to find variables
- * undefErr TRUE if undefineds are an error
- * wantit TRUE if we actually want the result
+ * flags VARF_UNDEFERR if undefineds are an error
+ * VARF_WANTRES if we actually want the result
+ * VARF_ASSIGN if we are in a := assignment
*
* Results:
* The resulting string.
@@ -3950,8 +3989,7 @@ Var_Parse(const char *str, GNode *ctxt,
*-----------------------------------------------------------------------
*/
char *
-Var_Subst(const char *var, const char *str, GNode *ctxt,
- Boolean undefErr, Boolean wantit)
+Var_Subst(const char *var, const char *str, GNode *ctxt, int flags)
{
Buffer buf; /* Buffer for forming things */
char *val; /* Value to substitute for a variable */
@@ -3975,6 +4013,8 @@ Var_Subst(const char *var, const char *str, GNode *ctxt,
* In such a case, we skip over the escape character and store the
* dollar sign into the buffer directly.
*/
+ if (save_dollars && (flags & VARF_ASSIGN))
+ Buf_AddByte(&buf, *str);
str++;
Buf_AddByte(&buf, *str);
str++;
@@ -4049,7 +4089,7 @@ Var_Subst(const char *var, const char *str, GNode *ctxt,
continue;
}
- val = Var_Parse(str, ctxt, undefErr, wantit, &length, &freeIt);
+ val = Var_Parse(str, ctxt, flags, &length, &freeIt);
/*
* When we come down here, val should either point to the
@@ -4066,7 +4106,7 @@ Var_Subst(const char *var, const char *str, GNode *ctxt,
*/
if (oldVars) {
str += length;
- } else if (undefErr || val == var_Error) {
+ } else if ((flags & VARF_UNDEFERR) || val == var_Error) {
/*
* If variable is undefined, complain and skip the
* variable. The complaint will stop us from doing anything
diff --git a/contrib/elftoolchain/libdwarf/libdwarf_elf_init.c b/contrib/elftoolchain/libdwarf/libdwarf_elf_init.c
index af2d370b980c..5ab6ffc96b50 100644
--- a/contrib/elftoolchain/libdwarf/libdwarf_elf_init.c
+++ b/contrib/elftoolchain/libdwarf/libdwarf_elf_init.c
@@ -51,7 +51,8 @@ static const char *debug_name[] = {
static void
_dwarf_elf_write_reloc(Dwarf_Debug dbg, Elf_Data *symtab_data, int endian,
- void *buf, uint64_t offset, GElf_Xword r_info, GElf_Sxword r_addend)
+ void *buf, uint64_t offset, GElf_Xword r_info, GElf_Sxword r_addend,
+ int is_rel)
{
GElf_Sym sym;
int size;
@@ -60,6 +61,14 @@ _dwarf_elf_write_reloc(Dwarf_Debug dbg, Elf_Data *symtab_data, int endian,
return;
if ((size = _dwarf_get_reloc_size(dbg, GELF_R_TYPE(r_info))) == 0)
return; /* Unknown or non-absolute relocation. */
+ if (is_rel) {
+ uint64_t roffset = offset;
+
+ if (endian == ELFDATA2MSB)
+ r_addend = _dwarf_read_msb(buf, &roffset, size);
+ else
+ r_addend = _dwarf_read_lsb(buf, &roffset, size);
+ }
if (endian == ELFDATA2MSB)
_dwarf_write_msb(buf, &offset, sym.st_value + r_addend, size);
else
@@ -76,7 +85,7 @@ _dwarf_elf_apply_rel_reloc(Dwarf_Debug dbg, void *buf, Elf_Data *rel_data,
j = 0;
while (gelf_getrel(rel_data, j++, &rel) != NULL)
_dwarf_elf_write_reloc(dbg, symtab_data, endian, buf,
- rel.r_offset, rel.r_info, 0);
+ rel.r_offset, rel.r_info, 0, 1);
}
static void
@@ -89,7 +98,7 @@ _dwarf_elf_apply_rela_reloc(Dwarf_Debug dbg, void *buf, Elf_Data *rel_data,
j = 0;
while (gelf_getrela(rel_data, j++, &rela) != NULL)
_dwarf_elf_write_reloc(dbg, symtab_data, endian, buf,
- rela.r_offset, rela.r_info, rela.r_addend);
+ rela.r_offset, rela.r_info, rela.r_addend, 0);
}
static int
diff --git a/contrib/elftoolchain/libelf/libelf_convert.m4 b/contrib/elftoolchain/libelf/libelf_convert.m4
index 9f99f1ead866..0eddbe7c76b8 100644
--- a/contrib/elftoolchain/libelf/libelf_convert.m4
+++ b/contrib/elftoolchain/libelf/libelf_convert.m4
@@ -1019,6 +1019,7 @@ _libelf_cvt_NOTE_tof(unsigned char *dst, size_t dsz, unsigned char *src,
WRITE_WORD(dst, type);
src += sizeof(Elf_Note);
+ count -= sizeof(Elf_Note);
if (count < sz)
sz = count;
diff --git a/contrib/libc++/include/__config b/contrib/libc++/include/__config
index 8288b46a8892..051d12cc716f 100644
--- a/contrib/libc++/include/__config
+++ b/contrib/libc++/include/__config
@@ -429,10 +429,15 @@ namespace std {
#define _LIBCPP_HAS_NO_CONSTEXPR
#endif
-// No version of GCC supports relaxed constexpr rules
+// Determine if GCC supports relaxed constexpr
+#if !defined(__cpp_constexpr) || __cpp_constexpr < 201304L
#define _LIBCPP_HAS_NO_CXX14_CONSTEXPR
+#endif
+
// GCC 5 will support variable templates
+#if !defined(__cpp_variable_templates) || __cpp_variable_templates < 201304L
#define _LIBCPP_HAS_NO_VARIABLE_TEMPLATES
+#endif
#define _NOEXCEPT throw()
#define _NOEXCEPT_(x)
@@ -454,7 +459,6 @@ namespace std {
#else // __GXX_EXPERIMENTAL_CXX0X__
-#define _LIBCPP_HAS_NO_TRAILING_RETURN
#define _LIBCPP_HAS_NO_ALWAYS_INLINE_VARIADICS
#if _GNUC_VER < 403
@@ -468,6 +472,7 @@ namespace std {
#if _GNUC_VER < 404
#define _LIBCPP_HAS_NO_DECLTYPE
#define _LIBCPP_HAS_NO_DELETED_FUNCTIONS
+#define _LIBCPP_HAS_NO_TRAILING_RETURN
#define _LIBCPP_HAS_NO_UNICODE_CHARS
#define _LIBCPP_HAS_NO_VARIADICS
#define _LIBCPP_HAS_NO_GENERALIZED_INITIALIZERS
diff --git a/contrib/libc++/include/atomic b/contrib/libc++/include/atomic
index 97a998d33633..92b9c4dd4642 100644
--- a/contrib/libc++/include/atomic
+++ b/contrib/libc++/include/atomic
@@ -553,7 +553,18 @@ typedef enum memory_order
namespace __gcc_atomic {
template <typename _Tp>
struct __gcc_atomic_t {
- __gcc_atomic_t() _NOEXCEPT {}
+
+#if _GNUC_VER >= 501
+ static_assert(is_trivially_copyable<_Tp>::value,
+ "std::atomic<Tp> requires that 'Tp' be a trivially copyable type");
+#endif
+
+ _LIBCPP_INLINE_VISIBILITY
+#ifndef _LIBCPP_HAS_NO_DEFAULTED_FUNCTIONS
+ __gcc_atomic_t() _NOEXCEPT = default;
+#else
+ __gcc_atomic_t() _NOEXCEPT : __a_value() {}
+#endif // _LIBCPP_HAS_NO_DEFAULTED_FUNCTIONS
_LIBCPP_CONSTEXPR explicit __gcc_atomic_t(_Tp value) _NOEXCEPT
: __a_value(value) {}
_Tp __a_value;
@@ -574,7 +585,7 @@ struct __can_assign {
sizeof(__test_atomic_assignable<_Tp, _Td>(1)) == sizeof(char);
};
-static inline constexpr int __to_gcc_order(memory_order __order) {
+static inline _LIBCPP_CONSTEXPR int __to_gcc_order(memory_order __order) {
// Avoid switch statement to make this a constexpr.
return __order == memory_order_relaxed ? __ATOMIC_RELAXED:
(__order == memory_order_acquire ? __ATOMIC_ACQUIRE:
@@ -584,7 +595,7 @@ static inline constexpr int __to_gcc_order(memory_order __order) {
__ATOMIC_CONSUME))));
}
-static inline constexpr int __to_gcc_failure_order(memory_order __order) {
+static inline _LIBCPP_CONSTEXPR int __to_gcc_failure_order(memory_order __order) {
// Avoid switch statement to make this a constexpr.
return __order == memory_order_relaxed ? __ATOMIC_RELAXED:
(__order == memory_order_acquire ? __ATOMIC_ACQUIRE:
diff --git a/contrib/libc++/include/string b/contrib/libc++/include/string
index 5777ee2a547b..6e63ab18418f 100644
--- a/contrib/libc++/include/string
+++ b/contrib/libc++/include/string
@@ -1445,7 +1445,8 @@ public:
_LIBCPP_INLINE_VISIBILITY size_type length() const _NOEXCEPT {return size();}
_LIBCPP_INLINE_VISIBILITY size_type max_size() const _NOEXCEPT;
_LIBCPP_INLINE_VISIBILITY size_type capacity() const _NOEXCEPT
- {return (__is_long() ? __get_long_cap() : __min_cap) - 1;}
+ {return (__is_long() ? __get_long_cap()
+ : static_cast<size_type>(__min_cap)) - 1;}
void resize(size_type __n, value_type __c);
_LIBCPP_INLINE_VISIBILITY void resize(size_type __n) {resize(__n, value_type());}
@@ -1785,11 +1786,11 @@ private:
template <size_type __a> static
_LIBCPP_INLINE_VISIBILITY
size_type __align_it(size_type __s) _NOEXCEPT
- {return __s + (__a-1) & ~(__a-1);}
+ {return (__s + (__a-1)) & ~(__a-1);}
enum {__alignment = 16};
static _LIBCPP_INLINE_VISIBILITY
size_type __recommend(size_type __s) _NOEXCEPT
- {return (__s < __min_cap ? __min_cap :
+ {return (__s < __min_cap ? static_cast<size_type>(__min_cap) :
__align_it<sizeof(value_type) < __alignment ?
__alignment/sizeof(value_type) : 1 > (__s+1)) - 1;}
diff --git a/contrib/libc++/include/system_error b/contrib/libc++/include/system_error
index 66bf6d6c4249..134bb3274031 100644
--- a/contrib/libc++/include/system_error
+++ b/contrib/libc++/include/system_error
@@ -371,7 +371,7 @@ public:
error_category() _NOEXCEPT;
#else
_LIBCPP_ALWAYS_INLINE
- _LIBCPP_CONSTEXPR_AFTER_CXX11 error_category() _NOEXCEPT _LIBCPP_DEFAULT;
+ _LIBCPP_CONSTEXPR_AFTER_CXX11 error_category() _NOEXCEPT _LIBCPP_DEFAULT
#endif
private:
error_category(const error_category&);// = delete;
diff --git a/contrib/pjdfstest/tests/ftruncate/11.t b/contrib/pjdfstest/tests/ftruncate/11.t
index b00d7b89c16d..8d9f0d58c9c3 100644
--- a/contrib/pjdfstest/tests/ftruncate/11.t
+++ b/contrib/pjdfstest/tests/ftruncate/11.t
@@ -8,6 +8,8 @@ dir=`dirname $0`
[ "${os}" = "FreeBSD" ] || quick_exit
+requires_exec
+
echo "1..2"
n0=`namegen`
diff --git a/contrib/pjdfstest/tests/misc.sh b/contrib/pjdfstest/tests/misc.sh
index 8978b5fcc6a9..654d3ddf7f85 100755
--- a/contrib/pjdfstest/tests/misc.sh
+++ b/contrib/pjdfstest/tests/misc.sh
@@ -219,3 +219,37 @@ create_file() {
expect 0 lchmod ${name} ${3}
fi
}
+
+# Tests for whether or not a filesystem is mounted with a particular option
+# with -o, e.g. `mount -o noexec`.
+#
+# Parameters:
+# - mount_option - noatime, noexec, etc.
+#
+# Returns:
+# - 0 if mounted with the option.
+# - 1 otherwise.
+has_mount_option()
+{
+ local IFS=,
+ local mount_opt
+
+ local mount_option_search=$1
+
+ # XXX: mountpoint is defined in .../tests/sys/pjdfstest/tests/conf
+ for mount_opt in $(mount -d -p | awk '$2 == "'$mountpoint'" { print $4 }'); do
+ if [ "$mount_opt" = "$mount_option_search" ]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+# Filesystem must be mounted with -o exec
+requires_exec()
+{
+ if has_mount_option noexec; then
+ echo "1..0 # SKIP filesystem mounted with -o noexec"
+ exit 0
+ fi
+}
diff --git a/contrib/pjdfstest/tests/open/20.t b/contrib/pjdfstest/tests/open/20.t
index 7b94b036ab53..eb4e5f3792cd 100644
--- a/contrib/pjdfstest/tests/open/20.t
+++ b/contrib/pjdfstest/tests/open/20.t
@@ -8,6 +8,8 @@ dir=`dirname $0`
[ "${os}:${fs}" = "FreeBSD:UFS" ] || quick_exit
+requires_exec
+
echo "1..4"
n0=`namegen`
diff --git a/contrib/pjdfstest/tests/truncate/11.t b/contrib/pjdfstest/tests/truncate/11.t
index f4ecb42d2f07..6724784c69c2 100644
--- a/contrib/pjdfstest/tests/truncate/11.t
+++ b/contrib/pjdfstest/tests/truncate/11.t
@@ -8,6 +8,8 @@ dir=`dirname $0`
[ "${os}" = "FreeBSD" ] || quick_exit
+requires_exec
+
echo "1..2"
n0=`namegen`
diff --git a/contrib/unbound/iterator/iter_hints.c b/contrib/unbound/iterator/iter_hints.c
index d7f8158d11d7..217dfa2578ba 100644
--- a/contrib/unbound/iterator/iter_hints.c
+++ b/contrib/unbound/iterator/iter_hints.c
@@ -152,7 +152,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed;
if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed;
if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed;
- if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:3::42")) goto failed;
+ if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:9f::42")) goto failed;
if(!ah(dp, "M.ROOT-SERVERS.NET.", "2001:dc3::35")) goto failed;
}
return dp;
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 35a1a76b146b..1e4346715204 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,22 +1,1909 @@
-commit c88ac102f0eb89f2eaa314cb2e2e0ca3c890c443
+commit 5c35450a0c901d9375fb23343a8dc82397da5f75
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Mar 10 05:04:48 2016 +1100
+
+ update versions for release
+
+commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Mar 10 05:03:39 2016 +1100
+
+ sanitise characters destined for xauth(1)
+
+ reported by github.com/tintinweb
+
+commit 72b061d4ba0f909501c595d709ea76e06b01e5c9
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Feb 26 14:40:04 2016 +1100
+
+ Add a note about using xlc on AIX.
+
+commit fd4e4f2416baa2e6565ea49d52aade296bad3e28
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Wed Feb 24 10:44:25 2016 +1100
+
+ Skip PrintLastLog in config dump mode.
+
+ When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
+ config dump since it'll be reported as UNKNOWN.
+
+commit 99135c764fa250801da5ec3b8d06cbd0111caae8
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Feb 23 20:17:23 2016 +1100
+
+ update spec/README versions ahead of release
+
+commit b86a334aaaa4d1e643eb1fd71f718573d6d948b5
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Feb 23 20:16:53 2016 +1100
+
+ put back portable patchlevel to p1
+
+commit 555dd35ff176847e3c6bd068ba2e8db4022eb24f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Feb 23 09:14:34 2016 +0000
+
+ upstream commit
+
+ openssh-7.2
+
+ Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78
+
+commit 1acc058d0a7913838c830ed998a1a1fb5b7864bf
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Feb 23 16:12:13 2016 +1100
+
+ Disable tests where fs perms are incorrect
+
+ Some tests have strict requirements on the filesystem permissions
+ for certain files and directories. This adds a regress/check-perm
+ tool that copies the relevant logic from sshd to exactly test
+ the paths in question. This lets us skip tests when the local
+ filesystem doesn't conform to our expectations rather than
+ continuing and failing the test run.
+
+ ok dtucker@
+
+commit 39f303b1f36d934d8410b05625f25c7bcb75db4d
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Feb 23 12:56:59 2016 +1100
+
+ fix sandbox on OSX Lion
+
+ sshd was failing with:
+
+ ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw
+ image not found [preauth]
+
+ caused by chroot before sandboxing. Avoid by explicitly linking libsandbox
+ to sshd. Spotted by Darren.
+
+commit 0d1451a32c7436e6d3d482351e776bc5e7824ce4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Feb 23 01:34:14 2016 +0000
+
+ upstream commit
+
+ fix spurious error message when incorrect passphrase
+ entered for keys; reported by espie@ ok deraadt@
+
+ Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899
+
+commit 09d87d79741beb85768b5e788d7dfdf4bc3543dc
+Author: sobrado@openbsd.org <sobrado@openbsd.org>
+Date: Sat Feb 20 23:06:23 2016 +0000
+
+ upstream commit
+
+ set ssh(1) protocol version to 2 only.
+
+ ok djm@
+
+ Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10
+
+commit 9262e07826ba5eebf8423f7ac9e47ec488c47869
+Author: sobrado@openbsd.org <sobrado@openbsd.org>
+Date: Sat Feb 20 23:02:39 2016 +0000
+
+ upstream commit
+
+ add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to
+ IdentityFile.
+
+ ok djm@
+
+ Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf
+
+commit c12f0fdce8f985fca8d71829fd64c5b89dc777f5
+Author: sobrado@openbsd.org <sobrado@openbsd.org>
+Date: Sat Feb 20 23:01:46 2016 +0000
+
+ upstream commit
+
+ AddressFamily defaults to any.
+
+ ok djm@
+
+ Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c
+
+commit 907091acb188b1057d50c2158f74c3ecf1c2302b
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Feb 19 09:05:39 2016 +1100
+
+ Make Solaris privs code build on older systems.
+
+ Not all systems with Solaris privs have priv_basicset so factor that
+ out and provide backward compatibility code. Similarly, not all have
+ PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from
+ alex at cooperi.net and djm@ with help from carson at taltos.org and
+ wieland at purdue.edu.
+
+commit 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Feb 17 22:20:14 2016 +0000
+
+ upstream commit
+
+ rekey refactor broke SSH1; spotted by Tom G. Christensen
+
+ Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243
+
+commit 3a13cb543df9919aec2fc6b75f3dd3802facaeca
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Feb 17 08:57:34 2016 +0000
+
+ upstream commit
+
+ rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
+ in *KeyTypes options yet. Remove them from the lists of algorithms for now.
+ committing on behalf of markus@ ok djm@
+
+ Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
+
+commit a685ae8d1c24fb7c712c55a4f3280ee76f5f1e4b
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Wed Feb 17 07:38:19 2016 +0000
+
+ upstream commit
+
+ since these pages now clearly tell folks to avoid v1,
+ normalise the docs from a v2 perspective (i.e. stop pointing out which bits
+ are v2 only);
+
+ ok/tweaks djm ok markus
+
+ Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
+
+commit c5c3f3279a0e4044b8de71b70d3570d692d0f29d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Feb 17 05:29:04 2016 +0000
+
+ upstream commit
+
+ make sandboxed privilege separation the default, not just
+ for new installs; "absolutely" deraadt@
+
+ Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
+
+commit eb3f7337a651aa01d5dec019025e6cdc124ed081
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Tue Feb 16 07:47:54 2016 +0000
+
+ upstream commit
+
+ no need to state that protocol 2 is the default twice;
+
+ Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
+
+commit e7901efa9b24e5b0c7e74f2c5520d47eead4d005
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Feb 16 05:11:04 2016 +0000
+
+ upstream commit
+
+ Replace list of ciphers and MACs adjacent to -1/-2 flag
+ descriptions in ssh(1) with a strong recommendation not to use protocol 1.
+ Add a similar warning to the Protocol option descriptions in ssh_config(5)
+ and sshd_config(5);
+
+ prompted by and ok mmcc@
+
+ Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
+
+commit 5a0fcb77287342e2fc2ba1cee79b6af108973dc2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Feb 16 03:37:48 2016 +0000
+
+ upstream commit
+
+ add a "Close session" log entry (at loglevel=verbose) to
+ correspond to the existing "Starting session" one. Also include the session
+ id number to make multiplexed sessions more apparent.
+
+ feedback and ok dtucker@
+
+ Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
+
+commit 624fd395b559820705171f460dd33d67743d13d6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Feb 17 02:24:17 2016 +0000
+
+ upstream commit
+
+ include bad $SSH_CONNECTION in failure output
+
+ Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529
+
+commit 60d860e54b4f199e5e89963b1c086981309753cb
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Wed Feb 17 13:37:09 2016 +1100
+
+ Rollback addition of va_start.
+
+ va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however
+ it has the wrong number of args and it's not usable in non-variadic
+ functions anyway so it breaks things (for example Solaris 2.6 as
+ reported by Tom G. Christensen).i ok djm@
+
+commit 2fee909c3cee2472a98b26eb82696297b81e0d38
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Wed Feb 17 09:48:15 2016 +1100
+
+ Look for gethostbyname in libresolv and libnsl.
+
+ Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
+
+commit 5ac712d81a84396aab441a272ec429af5b738302
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Feb 16 10:45:02 2016 +1100
+
+ make existing ssh_malloc_init only for __OpenBSD__
+
+commit 24c9bded569d9f2449ded73f92fb6d12db7a9eec
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Feb 15 23:32:37 2016 +0000
+
+ upstream commit
+
+ memleak of algorithm name in mm_answer_sign; reported by
+ Jakub Jelen
+
+ Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08
+
+commit ffb1e7e896139a42ceb78676f637658f44612411
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Feb 15 09:47:49 2016 +0000
+
+ upstream commit
+
+ Add a function to enable security-related malloc_options.
+ With and ok deraadt@, something similar has been in the snaps for a while.
+
+ Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
+
+commit ef39e8c0497ff0564990a4f9e8b7338b3ba3507c
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Feb 16 10:34:39 2016 +1100
+
+ sync ssh-copy-id with upstream 783ef08b0a75
+
+commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 12 00:20:30 2016 +0000
+
+ upstream commit
+
+ avoid fatal() for PKCS11 tokens that present empty key IDs
+ bz#1773, ok markus@
+
+ Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
+
+commit e4c918a6c721410792b287c9fd21356a1bed5805
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Feb 11 02:56:32 2016 +0000
+
+ upstream commit
+
+ sync crypto algorithm lists in ssh_config(5) and
+ sshd_config(5) with current reality. bz#2527
+
+ Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
+
+commit e30cabfa4ab456a30b3224f7f545f1bdfc4a2517
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Feb 11 02:21:34 2016 +0000
+
+ upstream commit
+
+ fix regression in openssh-6.8 sftp client: existing
+ destination directories would incorrectly terminate recursive uploads;
+ bz#2528
+
+ Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18
+
+commit 714e367226ded4dc3897078be48b961637350b05
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Feb 9 05:30:04 2016 +0000
+
+ upstream commit
+
+ turn off more old crypto in the client: hmac-md5, ripemd,
+ truncated HMACs, RC4, blowfish. ok markus@ dtucker@
+
+ Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
+
+commit 5a622844ff7f78dcb75e223399f9ef0977e8d0a3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Feb 8 23:40:12 2016 +0000
+
+ upstream commit
+
+ don't attempt to percent_expand() already-canonicalised
+ addresses, avoiding unnecessary failures when attempting to connect to scoped
+ IPv6 addresses (that naturally contain '%' characters)
+
+ Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a
+
+commit 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Feb 8 10:57:07 2016 +0000
+
+ upstream commit
+
+ refactor activation of rekeying
+
+ This makes automatic rekeying internal to the packet code (previously
+ the server and client loops needed to assist). In doing to it makes
+ application of rekey limits more accurate by accounting for packets
+ about to be sent as well as packets queued during rekeying events
+ themselves.
+
+ Based on a patch from dtucker@ which was in turn based on a patch
+ Aleksander Adamowski in bz#2521; ok markus@
+
+ Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
+
+commit 603ba41179e4b53951c7b90ee95b6ef3faa3f15d
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Fri Feb 5 13:28:19 2016 +0000
+
+ upstream commit
+
+ Only check errno if read() has returned an error. EOF is
+ not an error. This fixes a problem where the mux master would sporadically
+ fail to notice that the client had exited. ok mikeb@ djm@
+
+ Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53
+
+commit 56d7dac790693ce420d225119283bc355cff9185
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date: Fri Feb 5 04:31:21 2016 +0000
+
+ upstream commit
+
+ avoid an uninitialised value when NumberOfPasswordPrompts
+ is 0 ok markus@ djm@
+
+ Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b
+
+commit deae7d52d59c5019c528f977360d87fdda15d20b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 5 03:07:06 2016 +0000
+
+ upstream commit
+
+ mention internal DH-GEX fallback groups; bz#2302
+
+ Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
+
+commit cac3b6665f884d46192c0dc98a64112e8b11a766
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 5 02:37:56 2016 +0000
+
+ upstream commit
+
+ better description for MaxSessions; bz#2531
+
+ Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
+
+commit 5ef4b0fdcc7a239577a754829b50022b91ab4712
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Jan 27 17:45:56 2016 +1100
+
+ avoid FreeBSD RCS Id in comment
+
+ Change old $FreeBSD version string in comment so it doesn't
+ become an RCS ident downstream; requested by des AT des.no
+
+commit 696d12683c90d20a0a9c5f4275fc916b7011fb04
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Feb 4 23:43:48 2016 +0000
+
+ upstream commit
+
+ printf argument casts to avoid warnings on strict
+ compilers
+
+ Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
+
+commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a
+Author: millert@openbsd.org <millert@openbsd.org>
+Date: Mon Feb 1 21:18:17 2016 +0000
+
+ upstream commit
+
+ Avoid ugly "DISPLAY "(null)" invalid; disabling X11
+ forwarding" message when DISPLAY is not set. This could also result in a
+ crash on systems with a printf that doesn't handle NULL. OK djm@
+
+ Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
+
+commit 537f88ec7bcf40bd444ac5584c707c5588c55c43
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Jan 29 05:18:15 2016 +0000
+
+ upstream commit
+
+ Add regression test for RekeyLimit parsing of >32bit values
+ (4G and 8G).
+
+ Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328
+
+commit 4c6cb8330460f94e6c7ae28a364236d4188156a3
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Jan 29 23:04:46 2016 +0000
+
+ upstream commit
+
+ Remove leftover roaming dead code. ok djm markus.
+
+ Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be
+
+commit 28136471809806d6246ef41e4341467a39fe2f91
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Jan 29 05:46:01 2016 +0000
+
+ upstream commit
+
+ include packet type of non-data packets in debug3 output;
+ ok markus dtucker
+
+ Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
+
+commit 6fd6e28daccafaa35f02741036abe64534c361a1
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Jan 29 03:31:03 2016 +0000
+
+ upstream commit
+
+ Revert "account for packets buffered but not yet
+ processed" change as it breaks for very small RekeyLimit values due to
+ continuous rekeying. ok djm@
+
+ Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
+
+commit 921ff00b0ac429666fb361d2d6cb1c8fff0006cb
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Jan 29 02:54:45 2016 +0000
+
+ upstream commit
+
+ Allow RekeyLimits in excess of 4G up to 2**63 bits
+ (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
+
+ Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
+
+commit c0060a65296f01d4634f274eee184c0e93ba0f23
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Jan 29 02:42:46 2016 +0000
+
+ upstream commit
+
+ Account for packets buffered but not yet processed when
+ computing whether or not it is time to perform rekeying. bz#2521, based
+ loosely on a patch from olo at fb.com, ok djm@
+
+ Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
+
+commit 44cf930e670488c85c9efeb373fa5f4b455692ac
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jan 27 06:44:58 2016 +0000
+
+ upstream commit
+
+ change old $FreeBSD version string in comment so it doesn't
+ become an RCS ident downstream; requested by des AT des.no
+
+ Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722
+
+commit ebacd377769ac07d1bf3c75169644336056b7060
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jan 27 00:53:12 2016 +0000
+
+ upstream commit
+
+ make the debug messages a bit more useful here
+
+ Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
+
+commit 458abc2934e82034c5c281336d8dc0f910aecad3
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date: Sat Jan 23 05:31:35 2016 +0000
+
+ upstream commit
+
+ Zero a stack buffer with explicit_bzero() instead of
+ memset() when returning from client_loop() for consistency with
+ buffer_free()/sshbuf_free().
+
+ ok dtucker@ deraadt@ djm@
+
+ Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66
+
+commit 65a3c0dacbc7dbb75ddb6a70ebe22d8de084d0b0
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Jan 20 09:22:39 2016 +0000
+
+ upstream commit
+
+ Include sys/time.h for gettimeofday. From sortie at
+ maxsi.org.
+
+ Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b
+
+commit fc77ccdc2ce6d5d06628b8da5048a6a5f6ffca5a
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Thu Jan 14 22:56:56 2016 +0000
+
+ upstream commit
+
+ fd leaks; report Qualys Security Advisory team; ok
+ deraadt@
+
+ Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d
+
+commit a306863831c57ec5fad918687cc5d289ee8e2635
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Thu Jan 14 16:17:39 2016 +0000
+
+ upstream commit
+
+ remove roaming support; ok djm@
+
+ Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
+
+commit 6ef49e83e30688504552ac10875feabd5521565f
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Thu Jan 14 14:34:34 2016 +0000
+
+ upstream commit
+
+ Disable experimental client-side roaming support. Server
+ side was disabled/gutted for years already, but this aspect was surprisingly
+ forgotten. Thanks for report from Qualys
+
+ Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
+
+commit 8d7b523b96d3be180572d9d338cedaafc0570f60
Author: Damien Miller <djm@mindrot.org>
Date: Thu Jan 14 11:08:19 2016 +1100
bump version numbers
-commit 302bc21e6fadacb04b665868cd69b625ef69df90
+commit 8c3d512a1fac8b9c83b4d0c9c3f2376290bd84ca
Author: Damien Miller <djm@mindrot.org>
Date: Thu Jan 14 11:04:04 2016 +1100
openssh-7.1p2
-commit 6b33763242c063e4e0593877e835eeb1fd1b60aa
+commit e6c85f8889c5c9eb04796fdb76d2807636b9eef5
Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 14 11:02:58 2016 +1100
+Date: Fri Jan 15 01:30:36 2016 +1100
forcibly disable roaming support in the client
-commit 34d364f0d2e1e30a444009f0e04299bb7c94ba13
+commit ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jan 13 23:04:47 2016 +0000
+
+ upstream commit
+
+ eliminate fallback from untrusted X11 forwarding to trusted
+ forwarding when the X server disables the SECURITY extension; Reported by
+ Thomas Hoger; ok deraadt@
+
+ Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
+
+commit 9a728cc918fad67c8a9a71201088b1e150340ba4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 12 23:42:54 2016 +0000
+
+ upstream commit
+
+ use explicit_bzero() more liberally in the buffer code; ok
+ deraadt
+
+ Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
+
+commit 4626cbaf78767fc8e9c86dd04785386c59ae0839
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Jan 8 14:24:56 2016 +1100
+
+ Support Illumos/Solaris fine-grained privileges
+
+ Includes a pre-auth privsep sandbox and several pledge()
+ emulations. bz#2511, patch by Alex Wilson.
+
+ ok dtucker@
+
+commit 422d1b3ee977ff4c724b597fb2e437d38fc8de9d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Dec 31 00:33:52 2015 +0000
+
+ upstream commit
+
+ fix three bugs in KRL code related to (unused) signature
+ support: verification length was being incorrectly calculated, multiple
+ signatures were being incorrectly processed and a NULL dereference that
+ occurred when signatures were verified. Reported by Carl Jackson
+
+ Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
+
+commit 6074c84bf95d00f29cc7d5d3cd3798737851aa1a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Dec 30 23:46:14 2015 +0000
+
+ upstream commit
+
+ unused prototype
+
+ Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97
+
+commit 6213f0e180e54122bb1ba928e11c784e2b4e5380
+Author: guenther@openbsd.org <guenther@openbsd.org>
+Date: Sat Dec 26 20:51:35 2015 +0000
+
+ upstream commit
+
+ Use pread/pwrite instead separate lseek+read/write for
+ lastlog. Cast to off_t before multiplication to avoid truncation on ILP32
+
+ ok kettenis@ mmcc@
+
+ Upstream-ID: fc40092568cd195719ddf1a00aa0742340d616cf
+
+commit d7d2bc95045a43dd56ea696cc1d030ac9d77e81f
+Author: semarie@openbsd.org <semarie@openbsd.org>
+Date: Sat Dec 26 07:46:03 2015 +0000
+
+ upstream commit
+
+ adjust pledge promises for ControlMaster: when using
+ "ask" or "autoask", the process will use ssh-askpass for asking confirmation.
+
+ problem found by halex@
+
+ ok halex@
+
+ Upstream-ID: 38a58b30ae3eef85051c74d3c247216ec0735f80
+
+commit 271df8185d9689b3fb0523f58514481b858f6843
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Dec 13 22:42:23 2015 +0000
+
+ upstream commit
+
+ unbreak connections with peers that set
+ first_kex_follows; fix from Matt Johnston va bz#2515
+
+ Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
+
+commit 43849a47c5f8687699eafbcb5604f6b9c395179f
+Author: doug@openbsd.org <doug@openbsd.org>
+Date: Fri Dec 11 17:41:37 2015 +0000
+
+ upstream commit
+
+ Add "id" to ssh-agent pledge for subprocess support.
+
+ Found the hard way by Jan Johansson when using ssh-agent with X. Also,
+ rearranged proc/exec and retval to match other pledge calls in the tree.
+
+ ok djm@
+
+ Upstream-ID: 914255f6850e5e7fa830a2de6c38605333b584db
+
+commit 52d7078421844b2f88329f5be3de370b0a938636
+Author: mmcc@openbsd.org <mmcc@openbsd.org>
+Date: Fri Dec 11 04:21:11 2015 +0000
+
+ upstream commit
+
+ Remove NULL-checks before sshbuf_free().
+
+ ok djm@
+
+ Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917
+
+commit a4b9e0f4e4a6980a0eb8072f76ea611cab5b77e7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 11 03:24:25 2015 +0000
+
+ upstream commit
+
+ include remote port number in a few more messages; makes
+ tying log messages together into a session a bit easier; bz#2503 ok dtucker@
+
+ Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e
+
+commit 6091c362e89079397e68744ae30df121b0a72c07
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 11 03:20:09 2015 +0000
+
+ upstream commit
+
+ don't try to load SSHv1 private key when compiled without
+ SSHv1 support. From Iain Morgan bz#2505
+
+ Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7
+
+commit cce6a36bb95e81fa8bfb46daf22eabcf13afc352
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 11 03:19:09 2015 +0000
+
+ upstream commit
+
+ use SSH_MAX_PUBKEY_BYTES consistently as buffer size when
+ reading key files. Increase it to match the size of the buffers already being
+ used.
+
+ Upstream-ID: 1b60586b484b55a947d99a0b32bd25e0ced56fae
+
+commit 89540b6de025b80404a0cb8418c06377f3f98848
+Author: mmcc@openbsd.org <mmcc@openbsd.org>
+Date: Fri Dec 11 02:31:47 2015 +0000
+
+ upstream commit
+
+ Remove NULL-checks before sshkey_free().
+
+ ok djm@
+
+ Upstream-ID: 3e35afe8a25e021216696b5d6cde7f5d2e5e3f52
+
+commit 79394ed6d74572c2d2643d73937dad33727fc240
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Dec 11 02:29:03 2015 +0000
+
+ upstream commit
+
+ fflush stdout so that output is seen even when running in
+ debug mode when output may otherwise not be flushed. Patch from dustin at
+ null-ptr.net.
+
+ Upstream-ID: b0c6b4cd2cdb01d7e9eefbffdc522e35b5bc4acc
+
+commit ee607cccb6636eb543282ba90e0677b0604d8b7a
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Tue Dec 15 15:23:49 2015 +1100
+
+ Increase robustness of redhat/openssh.spec
+
+ - remove configure --with-rsh, because this option isn't supported anymore
+ - replace last occurrence of BuildPreReq by BuildRequires
+ - update grep statement to query the krb5 include directory
+
+ Patch from CarstenGrohmann via github, ok djm.
+
+commit b5fa0cd73555b991a543145603658d7088ec6b60
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Tue Dec 15 15:10:32 2015 +1100
+
+ Allow --without-ssl-engine with --without-openssl
+
+ Patch from Mike Frysinger via github.
+
+commit c1d7e546f6029024f3257cc25c92f2bddf163125
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Tue Dec 15 14:27:09 2015 +1100
+
+ Include openssl crypto.h for SSLeay.
+
+ Patch from doughdemon via github.
+
+commit c6f5f01651526e88c00d988ce59d71f481ebac62
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Tue Dec 15 13:59:12 2015 +1100
+
+ Add sys/time.h for gettimeofday.
+
+ Should allow it it compile with MUSL libc. Based on patch from
+ doughdemon via github.
+
+commit 39736be06c7498ef57d6970f2d85cf066ae57c82
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 11 02:20:28 2015 +0000
+
+ upstream commit
+
+ correct error messages; from Tomas Kuthan bz#2507
+
+ Upstream-ID: 7454a0affeab772398052954c79300aa82077093
+
+commit 94141b7ade24afceeb6762a3f99e09e47a6c42b6
+Author: mmcc@openbsd.org <mmcc@openbsd.org>
+Date: Fri Dec 11 00:20:04 2015 +0000
+
+ upstream commit
+
+ Pass (char *)NULL rather than (char *)0 to execl and
+ execlp.
+
+ ok dtucker@
+
+ Upstream-ID: 56c955106cbddba86c3dd9bbf786ac0d1b361492
+
+commit d59ce08811bf94111c2f442184cf7d1257ffae24
+Author: mmcc@openbsd.org <mmcc@openbsd.org>
+Date: Thu Dec 10 17:08:40 2015 +0000
+
+ upstream commit
+
+ Remove NULL-checks before free().
+
+ ok dtucker@
+
+ Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
+
+commit 8e56dd46cb37879c73bce2d6032cf5e7f82d5a71
+Author: mmcc@openbsd.org <mmcc@openbsd.org>
+Date: Thu Dec 10 07:01:35 2015 +0000
+
+ upstream commit
+
+ Fix a couple "the the" typos. ok dtucker@
+
+ Upstream-ID: ec364c5af32031f013001fd28d1bd3dfacfe9a72
+
+commit 6262a0522ddc2c0f2e9358dcb68d59b46e9c533e
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Mon Dec 7 20:04:09 2015 +0000
+
+ upstream commit
+
+ stricter encoding type checks for ssh-rsa; ok djm@
+
+ Upstream-ID: 8cca7c787599a5e8391e184d0b4f36fdc3665650
+
+commit d86a3ba7af160c13496102aed861ae48a4297072
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Dec 9 09:18:45 2015 +1100
+
+ Don't set IPV6_V6ONLY on OpenBSD
+
+ It isn't necessary and runs afoul of pledge(2) restrictions.
+
+commit da98c11d03d819a15429d8fff9688acd7505439f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Dec 7 02:20:46 2015 +0000
+
+ upstream commit
+
+ basic unit tests for rsa-sha2-* signature types
+
+ Upstream-Regress-ID: 7dc4b9db809d578ff104d591b4d86560c3598d3c
+
+commit 3da893fdec9936dd2c23739cdb3c0c9d4c59fca0
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Sat Dec 5 20:53:21 2015 +0000
+
+ upstream commit
+
+ prefer rsa-sha2-512 over -256 for hostkeys, too; noticed
+ by naddy@
+
+ Upstream-ID: 685f55f7ec566a8caca587750672723a0faf3ffe
+
+commit 8b56e59714d87181505e4678f0d6d39955caf10e
+Author: tobias@openbsd.org <tobias@openbsd.org>
+Date: Fri Dec 4 21:51:06 2015 +0000
+
+ upstream commit
+
+ Properly handle invalid %-format by calling fatal.
+
+ ok deraadt, djm
+
+ Upstream-ID: 5692bce7d9f6eaa9c488cb93d3b55e758bef1eac
+
+commit 76c9fbbe35aabc1db977fb78e827644345e9442e
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Fri Dec 4 16:41:28 2015 +0000
+
+ upstream commit
+
+ implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
+ (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
+ draft-ssh-ext-info-04.txt; with & ok djm@
+
+ Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
+
+commit 6064a8b8295cb5a17b5ebcfade53053377714f40
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 4 00:24:55 2015 +0000
+
+ upstream commit
+
+ clean up agent_fd handling; properly initialise it to -1
+ and make tests consistent
+
+ ok markus@
+
+ Upstream-ID: ac9554323d5065745caf17b5e37cb0f0d4825707
+
+commit b91926a97620f3e51761c271ba57aa5db790f48d
+Author: semarie@openbsd.org <semarie@openbsd.org>
+Date: Thu Dec 3 17:00:18 2015 +0000
+
+ upstream commit
+
+ pledges ssh client: - mux client: which is used when
+ ControlMaster is in use. will end with "stdio proc tty" (proc is to
+ permit sending SIGWINCH to mux master on window resize)
+
+ - client loop: several levels of pledging depending of your used options
+
+ ok deraadt@
+
+ Upstream-ID: 21676155a700e51f2ce911e33538e92a2cd1d94b
+
+commit bcce47466bbc974636f588b5e4a9a18ae386f64a
+Author: doug@openbsd.org <doug@openbsd.org>
+Date: Wed Dec 2 08:30:50 2015 +0000
+
+ upstream commit
+
+ Add "cpath" to the ssh-agent pledge so the cleanup
+ handler can unlink().
+
+ ok djm@
+
+ Upstream-ID: 9e632991d48241d56db645602d381253a3d8c29d
+
+commit a90d001543f46716b6590c6dcc681d5f5322f8cf
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Dec 2 08:00:58 2015 +0000
+
+ upstream commit
+
+ ssh-agent pledge needs proc for askpass; spotted by todd@
+
+ Upstream-ID: 349aa261b29cc0e7de47ef56167769c432630b2a
+
+commit d952162b3c158a8f23220587bb6c8fcda75da551
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Dec 1 23:29:24 2015 +0000
+
+ upstream commit
+
+ basic pledge() for ssh-agent, more refinement needed
+
+ Upstream-ID: 5b5b03c88162fce549e45e1b6dd833f20bbb5e13
+
+commit f0191d7c8e76e30551084b79341886d9bb38e453
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Nov 30 10:53:25 2015 +1100
+
+ Revert "stub for pledge(2) for systems that lack it"
+
+ This reverts commit 14c887c8393adde2d9fd437d498be30f8c98535c.
+
+ dtucker beat me to it :/
+
+commit 6283cc72eb0e49a3470d30e07ca99a1ba9e89676
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Nov 30 10:37:03 2015 +1100
+
+ revert 7d4c7513: bring back S/Key prototypes
+
+ (but leave RCSID changes)
+
+commit 14c887c8393adde2d9fd437d498be30f8c98535c
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Nov 30 09:45:29 2015 +1100
+
+ stub for pledge(2) for systems that lack it
+
+commit 452c0b6af5d14c37553e30059bf74456012493f3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Nov 29 22:18:37 2015 +0000
+
+ upstream commit
+
+ pledge, better fatal() messages; feedback deraadt@
+
+ Upstream-ID: 3e00f6ccfe2b9a7a2d1dbba5409586180801488f
+
+commit 6da413c085dba37127687b2617a415602505729b
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Sat Nov 28 06:50:52 2015 +0000
+
+ upstream commit
+
+ do not leak temp file if there is no known_hosts file
+ from craig leres, ok djm
+
+ Upstream-ID: c820497fd5574844c782e79405c55860f170e426
+
+commit 3ddd15e1b63a4d4f06c8ab16fbdd8a5a61764f16
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Mon Nov 30 07:23:53 2015 +1100
+
+ Add a null implementation of pledge.
+
+ Fixes builds on almost everything.
+
+commit b1d6b3971ef256a08692efc409fc9ada719111cc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Nov 28 06:41:03 2015 +0000
+
+ upstream commit
+
+ don't include port number in tcpip-forward replies for
+ requests that don't allocate a port; bz#2509 diagnosed by Ron Frederick ok
+ markus
+
+ Upstream-ID: 77efad818addb61ec638b5a2362f1554e21a970a
+
+commit 9080bd0b9cf10d0f13b1f642f20cb84285cb8d65
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri Nov 27 00:49:31 2015 +0000
+
+ upstream commit
+
+ pledge "stdio rpath wpath cpath fattr tty proc exec"
+ except for the -p option (which sadly has insane semantics...) ok semarie
+ dtucker
+
+ Upstream-ID: 8854bbd58279abe00f6c33f8094bdc02c8c65059
+
+commit 4d90625b229cf6b3551d81550a9861897509a65f
+Author: halex@openbsd.org <halex@openbsd.org>
+Date: Fri Nov 20 23:04:01 2015 +0000
+
+ upstream commit
+
+ allow comment change for all supported formats
+
+ ok djm@
+
+ Upstream-ID: 5fc477cf2f119b2d44aa9c683af16cb00bb3744b
+
+commit 8ca915fc761519dd1f7766a550ec597a81db5646
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 20 01:45:29 2015 +0000
+
+ upstream commit
+
+ add cast to make -Werror clean
+
+ Upstream-ID: 288db4f8f810bd475be01320c198250a04ff064d
+
+commit ac9473580dcd401f8281305af98635cdaae9bf96
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Nov 20 12:35:41 2015 +1100
+
+ fix multiple authentication using S/Key w/ privsep
+
+ bz#2502, patch from Kevin Korb and feandil_
+
+commit 88b6fcdeb87a2fb76767854d9eb15006662dca57
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Nov 19 08:23:27 2015 +0000
+
+ upstream commit
+
+ ban ConnectionAttempts=0, it makes no sense and would cause
+ ssh_connect_direct() to print an uninitialised stack variable; bz#2500
+ reported by dvw AT phas.ubc.ca
+
+ Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5
+
+commit 964ab3ee7a8f96bdbc963d5b5a91933d6045ebe7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Nov 19 01:12:32 2015 +0000
+
+ upstream commit
+
+ trailing whitespace
+
+ Upstream-ID: 31fe0ad7c4d08e87f1d69c79372f5e3c5cd79051
+
+commit f96516d052dbe38561f6b92b0e4365d8e24bb686
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Nov 19 01:09:38 2015 +0000
+
+ upstream commit
+
+ print host certificate contents at debug level
+
+ Upstream-ID: 39354cdd8a2b32b308fd03f98645f877f540f00d
+
+commit 499cf36fecd6040e30e2912dd25655bc574739a7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Nov 19 01:08:55 2015 +0000
+
+ upstream commit
+
+ move the certificate validity formatting code to
+ sshkey.[ch]
+
+ Upstream-ID: f05f7c78fab20d02ff1d5ceeda533ef52e8fe523
+
+commit bcb7bc77bbb1535d1008c7714085556f3065d99d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Nov 18 08:37:28 2015 +0000
+
+ upstream commit
+
+ fix "ssh-keygen -l" of private key, broken in support for
+ multiple plain keys on stdin
+
+ Upstream-ID: 6b3132d2c62d03d0bad6f2bcd7e2d8b7dab5cd9d
+
+commit 259adb6179e23195c8f6913635ea71040d1ccd63
+Author: millert@openbsd.org <millert@openbsd.org>
+Date: Mon Nov 16 23:47:52 2015 +0000
+
+ upstream commit
+
+ Replace remaining calls to index(3) with strchr(3). OK
+ jca@ krw@
+
+ Upstream-ID: 33837d767a0cf1db1489b96055f9e330bc0bab6d
+
+commit c56a255162c2166884539c0a1f7511575325b477
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Nov 16 22:53:07 2015 +0000
+
+ upstream commit
+
+ Allow fingerprinting from standard input "ssh-keygen -lf
+ -"
+
+ Support fingerprinting multiple plain keys in a file and authorized_keys
+ files too (bz#1319)
+
+ ok markus@
+
+ Upstream-ID: 903f8b4502929d6ccf53509e4e07eae084574b77
+
+commit 5b4010d9b923cf1b46c9c7b1887c013c2967e204
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Nov 16 22:51:05 2015 +0000
+
+ upstream commit
+
+ always call privsep_preauth_child() regardless of whether
+ sshd was started by root; it does important priming before sandboxing and
+ failing to call it could result in sandbox violations later; ok markus@
+
+ Upstream-ID: c8a6d0d56c42f3faab38460dc917ca0d1705d383
+
+commit 3a9f84b58b0534bbb485f1eeab75665e2d03371f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Nov 16 22:50:01 2015 +0000
+
+ upstream commit
+
+ improve sshkey_read() semantics; only update *cpp when a
+ key is successfully read; ok markus@
+
+ Upstream-ID: f371e78e8f4fab366cf69a42bdecedaed5d1b089
+
+commit db6f8dc5dd5655b59368efd074994d4568bc3556
+Author: logan@openbsd.org <logan@openbsd.org>
+Date: Mon Nov 16 06:13:04 2015 +0000
+
+ upstream commit
+
+ 1) Use xcalloc() instead of xmalloc() to check for
+ potential overflow. (Feedback from both mmcc@ and djm@) 2) move set_size
+ just before the for loop. (suggested by djm@)
+
+ OK djm@
+
+ Upstream-ID: 013534c308187284756c3141f11d2c0f33c47213
+
+commit 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Nov 16 00:30:02 2015 +0000
+
+ upstream commit
+
+ Add a new authorized_keys option "restrict" that
+ includes all current and future key restrictions (no-*-forwarding, etc). Also
+ add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
+ This simplifies the task of setting up restricted keys and ensures they are
+ maximally-restricted, regardless of any permissions we might implement in the
+ future.
+
+ Example:
+
+ restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...
+
+ Idea from Jann Horn; ok markus@
+
+ Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
+
+commit e41a071f7bda6af1fb3f081bed0151235fa61f15
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Sun Nov 15 23:58:04 2015 +0000
+
+ upstream commit
+
+ correct section number for ssh-agent;
+
+ Upstream-ID: 44be72fd8bcc167635c49b357b1beea8d5674bd6
+
+commit 1a11670286acddcc19f5eff0966c380831fc4638
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Sun Nov 15 23:54:15 2015 +0000
+
+ upstream commit
+
+ do not confuse mandoc by presenting "Dd";
+
+ Upstream-ID: 1470fce171c47b60bbc7ecd0fc717a442c2cfe65
+
+commit f361df474c49a097bfcf16d1b7b5c36fcd844b4b
+Author: jcs@openbsd.org <jcs@openbsd.org>
+Date: Sun Nov 15 22:26:49 2015 +0000
+
+ upstream commit
+
+ Add an AddKeysToAgent client option which can be set to
+ 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
+ private key that is used during authentication will be added to ssh-agent if
+ it is running (with confirmation enabled if set to 'confirm').
+
+ Initial version from Joachim Schipper many years ago.
+
+ ok markus@
+
+ Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
+
+commit d87063d9baf5479b6e813d47dfb694a97df6f6f5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 13 04:39:35 2015 +0000
+
+ upstream commit
+
+ send SSH2_MSG_UNIMPLEMENTED replies to unexpected
+ messages during KEX; bz#2949, ok dtucker@
+
+ Upstream-ID: 2b3abdff344d53c8d505f45c83a7b12e84935786
+
+commit 9fd04681a1e9b0af21e08ff82eb674cf0a499bfc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 13 04:38:06 2015 +0000
+
+ upstream commit
+
+ Support "none" as an argument for sshd_config
+ ForceCommand and ChrootDirectory. Useful inside Match blocks to override a
+ global default. bz#2486 ok dtucker@
+
+ Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
+
+commit 94bc0b72c29e511cbbc5772190d43282e5acfdfe
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 13 04:34:15 2015 +0000
+
+ upstream commit
+
+ support multiple certificates (one per line) and
+ reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@
+
+ Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db
+
+commit b6b9108f5b561c83612cb97ece4134eb59fde071
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 13 02:57:46 2015 +0000
+
+ upstream commit
+
+ list a couple more options usable in Match blocks;
+ bz#2489
+
+ Upstream-ID: e4d03f39d254db4c0cc54101921bb89fbda19879
+
+commit a7994b3f5a5a5a33b52b0a6065d08e888f0a99fb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Nov 11 04:56:39 2015 +0000
+
+ upstream commit
+
+ improve PEEK/POKE macros: better casts, don't multiply
+ evaluate arguments; ok deraadt@
+
+ Upstream-ID: 9a1889e19647615ededbbabab89064843ba92d3e
+
+commit 7d4c7513a7f209cb303a608ac6e46b3f1dfc11ec
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Nov 11 01:48:01 2015 +0000
+
+ upstream commit
+
+ remove prototypes for long-gone s/key support; ok
+ dtucker@
+
+ Upstream-ID: db5bed3c57118af986490ab23d399df807359a79
+
+commit 07889c75926c040b8e095949c724e66af26441cb
+Author: Damien Miller <djm@mindrot.org>
+Date: Sat Nov 14 18:44:49 2015 +1100
+
+ read back from libcrypto RAND when privdropping
+
+ makes certain libcrypto implementations cache a /dev/urandom fd
+ in preparation of sandboxing. Based on patch by Greg Hartman.
+
+commit 1560596f44c01bb0cef977816410950ed17b8ecd
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Tue Nov 10 11:14:47 2015 +1100
+
+ Fix compiler warnings in the openssl header check.
+
+ Noted by Austin English.
+
+commit e72a8575ffe1d8adff42c9abe9ca36938acc036b
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Sun Nov 8 23:24:03 2015 +0000
+
+ upstream commit
+
+ -c before -H, in SYNOPSIS and usage();
+
+ Upstream-ID: 25e8c58a69e1f37fcd54ac2cd1699370acb5e404
+
+commit 3a424cdd21db08c7b0ded902f97b8f02af5aa485
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Nov 8 22:30:20 2015 +0000
+
+ upstream commit
+
+ Add "ssh-keyscan -c ..." flag to allow fetching
+ certificates instead of plain keys; ok markus@
+
+ Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82
+
+commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Sun Nov 8 22:08:38 2015 +0000
+
+ upstream commit
+
+ remove slogin links; ok deraadt markus djm
+
+ Upstream-ID: 39ba08548acde4c54f2d4520c202c2a863a3c730
+
+commit 2fecfd486bdba9f51b3a789277bb0733ca36e1c0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Nov 8 21:59:11 2015 +0000
+
+ upstream commit
+
+ fix OOB read in packet code caused by missing return
+ statement found by Ben Hawkes; ok markus@ deraadt@
+
+ Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
+
+commit 5e288923a303ca672b686908320bc5368ebec6e6
+Author: mmcc@openbsd.org <mmcc@openbsd.org>
+Date: Fri Nov 6 00:31:41 2015 +0000
+
+ upstream commit
+
+ 1. rlogin and rsh are long gone 2. protocol version isn't
+ of core relevance here, and v1 is going away
+
+ ok markus@, deraadt@
+
+ Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8
+
+commit 8b29008bbe97f33381d9b4b93fcfa304168d0286
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Thu Nov 5 09:48:05 2015 +0000
+
+ upstream commit
+
+ "commandline" -> "command line", since there are so few
+ examples of the former in the pages, so many of the latter, and in some of
+ these pages we had multiple spellings;
+
+ prompted by tj
+
+ Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659
+
+commit 996b24cebf20077fbe5db07b3a2c20c2d9db736e
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Thu Oct 29 20:57:34 2015 +1100
+
+ (re)wrap SYS_sendsyslog in ifdef.
+
+ Replace ifdef that went missing in commit
+ c61b42f2678f21f05653ac2d3d241b48ab5d59ac. Fixes build on older
+ OpenBSDs.
+
+commit b67e2e76fcf1ae7c802eb27ca927e16c91a513ff
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Oct 29 08:05:17 2015 +0000
+
+ upstream commit
+
+ regress test for "PubkeyAcceptedKeyTypes +..." inside a
+ Match block
+
+ Upstream-Regress-ID: 246c37ed64a2e5704d4c158ccdca1ff700e10647
+
+commit abd9dbc3c0d8c8c7561347cfa22166156e78c077
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Oct 26 02:50:58 2015 +0000
+
+ upstream commit
+
+ Fix typo certopt->certopts in shell variable. This would
+ cause the test to hang at a host key prompt if you have an A or CNAME for
+ "proxy" in your local domain.
+
+ Upstream-Regress-ID: 6ea03bcd39443a83c89e2c5606392ceb9585836a
+
+commit ed08510d38aef930a061ae30d10f2a9cf233bafa
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Oct 29 08:05:01 2015 +0000
+
+ upstream commit
+
+ Fix "PubkeyAcceptedKeyTypes +..." inside a Match block;
+ ok dtucker@
+
+ Upstream-ID: 853662c4036730b966aab77684390c47b9738c69
+
+commit a4aef3ed29071719b2af82fdf1ac3c2514f82bc5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Oct 27 08:54:52 2015 +0000
+
+ upstream commit
+
+ fix execv arguments in a way less likely to cause grief
+ for -portable; ok dtucker@
+
+ Upstream-ID: 5902bf0ea0371f39f1300698dc3b8e4105fc0fc5
+
+commit 63d188175accea83305e89fafa011136ff3d96ad
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Oct 27 01:44:45 2015 +0000
+
+ upstream commit
+
+ log certificate serial in verbose() messages to match the
+ main auth success/fail message; ok dtucker@
+
+ Upstream-ID: dfc48b417c320b97c36ff351d303c142f2186288
+
+commit 2aaba0cfd560ecfe92aa50c00750e6143842cf1f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Oct 27 00:49:53 2015 +0000
+
+ upstream commit
+
+ avoid de-const warning & shrink; ok dtucker@
+
+ Upstream-ID: 69a85ef94832378952a22c172009cbf52aaa11db
+
+commit 03239c18312b9bab7d1c3b03062c61e8bbc1ca6e
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Sun Oct 25 23:42:00 2015 +0000
+
+ upstream commit
+
+ Expand tildes in filenames passed to -i before checking
+ whether or not the identity file exists. This means that if the shell
+ doesn't do the expansion (eg because the option and filename were given as a
+ single argument) then we'll still add the key. bz#2481, ok markus@
+
+ Upstream-ID: db1757178a14ac519e9a3e1a2dbd21113cb3bfc6
+
+commit 97e184e508dd33c37860c732c0eca3fc57698b40
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Sun Oct 25 23:14:03 2015 +0000
+
+ upstream commit
+
+ Do not prepend "exec" to the shell command run by "Match
+ exec" in a config file. It's an unnecessary optimization from repurposed
+ ProxyCommand code and prevents some things working with some shells.
+ bz#2471, pointed out by res at qoxp.net. ok markus@
+
+ Upstream-ID: a1ead25ae336bfa15fb58d8c6b5589f85b4c33a3
+
+commit 8db134e7f457bcb069ec72bc4ee722e2af557c69
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Thu Oct 29 10:48:23 2015 +1100
+
+ Prevent name collisions with system glob (bz#2463)
+
+ Move glob.h from includes.h to the only caller (sftp) and override the
+ names for the symbols. This prevents name collisions with the system glob
+ in the case where something other than ssh uses it (eg kerberos). With
+ jjelen at redhat.com, ok djm@
+
+commit 86c10dbbef6a5800d2431a66cf7f41a954bb62b5
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Oct 23 02:22:01 2015 +0000
+
+ upstream commit
+
+ Update expected group sizes to match recent code changes.
+
+ Upstream-Regress-ID: 0004f0ea93428969fe75bcfff0d521c553977794
+
+commit 9ada37d36003a77902e90a3214981e417457cf13
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Oct 24 22:56:19 2015 +0000
+
+ upstream commit
+
+ fix keyscan output for multiple hosts/addrs on one line
+ when host hashing or a non standard port is in use; bz#2479 ok dtucker@
+
+ Upstream-ID: 5321dabfaeceba343da3c8a8b5754c6f4a0a307b
+
+commit 44fc7cd7dcef6c52c6b7e9ff830dfa32879bd319
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Oct 24 22:52:22 2015 +0000
+
+ upstream commit
+
+ skip "Could not chdir to home directory" message when
+ chrooted
+
+ patch from Christian Hesse in bz#2485 ok dtucker@
+
+ Upstream-ID: 86783c1953da426dff5b03b03ce46e699d9e5431
+
+commit a820a8618ec44735dabc688fab96fba38ad66bb2
+Author: sthen@openbsd.org <sthen@openbsd.org>
+Date: Sat Oct 24 08:34:09 2015 +0000
+
+ upstream commit
+
+ Handle the split of tun(4) "link0" into tap(4) in ssh
+ tun-forwarding. Adapted from portable (using separate devices for this is the
+ normal case in most OS). ok djm@
+
+ Upstream-ID: 90facf4c59ce73d6741db1bc926e578ef465cd39
+
+commit 66d2e229baa9fe57b868c373b05f7ff3bb20055b
+Author: gsoares@openbsd.org <gsoares@openbsd.org>
+Date: Wed Oct 21 11:33:03 2015 +0000
+
+ upstream commit
+
+ fix memory leak in error path ok djm@
+
+ Upstream-ID: dd2f402b0a0029b755df029fc7f0679e1365ce35
+
+commit 7d6c0362039ceacdc1366b5df29ad5d2693c13e5
+Author: mmcc@openbsd.org <mmcc@openbsd.org>
+Date: Tue Oct 20 23:24:25 2015 +0000
+
+ upstream commit
+
+ Compare pointers to NULL rather than 0.
+
+ ok djm@
+
+ Upstream-ID: 21616cfea27eda65a06e772cc887530b9a1a27f8
+
+commit f98a09cacff7baad8748c9aa217afd155a4d493f
+Author: mmcc@openbsd.org <mmcc@openbsd.org>
+Date: Tue Oct 20 03:36:35 2015 +0000
+
+ upstream commit
+
+ Replace a function-local allocation with stack memory.
+
+ ok djm@
+
+ Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
+
+commit ac908c1eeacccfa85659594d92428659320fd57e
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Oct 22 09:35:24 2015 +1100
+
+ turn off PrintLastLog when --disable-lastlog
+
+ bz#2278 from Brent Paulson
+
+commit b56deb847f4a0115a8bf488bf6ee8524658162fd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Oct 16 22:32:22 2015 +0000
+
+ upstream commit
+
+ increase the minimum modulus that we will send or accept in
+ diffie-hellman-group-exchange to 2048 bits; ok markus@
+
+ Upstream-ID: 06dce7a24c17b999a0f5fadfe95de1ed6a1a9b6a
+
+commit 5ee0063f024bf5b3f3ffb275b8cd20055d62b4b9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Oct 16 18:40:49 2015 +0000
+
+ upstream commit
+
+ better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
+ hostname canonicalisation - treat them as already canonical and remove the
+ trailing '.' before matching ssh_config; ok markus@
+
+ Upstream-ID: f7619652e074ac3febe8363f19622aa4853b679a
+
+commit e92c499a75477ecfe94dd7b4aed89f20b1fac5a7
+Author: mmcc@openbsd.org <mmcc@openbsd.org>
+Date: Fri Oct 16 17:07:24 2015 +0000
+
+ upstream commit
+
+ 0 -> NULL when comparing with a char*.
+
+ ok dtucker@, djm@.
+
+ Upstream-ID: a928e9c21c0a9020727d99738ff64027c1272300
+
+commit b1d38a3cc6fe349feb8d16a5f520ef12d1de7cb2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Oct 15 23:51:40 2015 +0000
+
+ upstream commit
+
+ fix some signed/unsigned integer type mismatches in
+ format strings; reported by Nicholas Lemonias
+
+ Upstream-ID: 78cd55420a0eef68c4095bdfddd1af84afe5f95c
+
+commit 1a2663a15d356bb188196b6414b4c50dc12fd42b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Oct 15 23:08:23 2015 +0000
+
+ upstream commit
+
+ argument to sshkey_from_private() and sshkey_demote()
+ can't be NULL
+
+ Upstream-ID: 0111245b1641d387977a9b38da15916820a5fd1f
+
+commit 0f754e29dd3760fc0b172c1220f18b753fb0957e
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Oct 16 10:53:14 2015 +1100
+
+ need va_copy before va_start
+
+ reported by Nicholas Lemonias
+
+commit eb6c50d82aa1f0d3fc95f5630ea69761e918bfcd
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Oct 15 15:48:28 2015 -0700
+
+ fix compilation on systems without SYMLOOP_MAX
+
+commit fafe1d84a210fb3dae7744f268059cc583db8c12
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 14 09:22:15 2015 -0700
+
+ s/SANDBOX_TAME/SANDBOX_PLEDGE/g
+
+commit 8f22911027ff6c17d7226d232ccd20727f389310
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 14 08:28:19 2015 +1100
+
+ upstream commit
+
+ revision 1.20
+ date: 2015/10/13 20:55:37; author: millert; state: Exp; lines: +2 -2; commitid: X39sl5ay1czgFIgp;
+ In rev 1.15 the sizeof argument was fixed in a strlcat() call but
+ the truncation check immediately following it was not updated to
+ match. Not an issue in practice since the buffers are the same
+ size. OK deraadt@
+
+commit 23fa695bb735f54f04d46123662609edb6c76767
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 14 08:27:51 2015 +1100
+
+ upstream commit
+
+ revision 1.19
+ date: 2015/01/16 16:48:51; author: deraadt; state: Exp; lines: +3 -3; commitid: 0DYulI8hhujBHMcR;
+ Move to the <limits.h> universe.
+ review by millert, binary checking process with doug, concept with guenther
+
+commit c71be375a69af00c2d0a0c24d8752bec12d8fd1b
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 14 08:27:08 2015 +1100
+
+ upstream commit
+
+ revision 1.18
+ date: 2014/10/19 03:56:28; author: doug; state: Exp; lines: +9 -9; commitid: U6QxmtbXrGoc02S5;
+ Revert last commit due to changed semantics found by make release.
+
+commit c39ad23b06e9aecc3ff788e92f787a08472905b1
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 14 08:26:24 2015 +1100
+
+ upstream commit
+
+ revision 1.17
+ date: 2014/10/18 20:43:52; author: doug; state: Exp; lines: +10 -10; commitid: I74hI1tVZtsspKEt;
+ Better POSIX compliance in realpath(3).
+
+ millert@ made changes to realpath.c based on FreeBSD's version. I merged
+ Todd's changes into dl_realpath.c.
+
+ ok millert@, guenther@
+
+commit e929a43f957dbd1254aca2aaf85c8c00cbfc25f4
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 14 08:25:55 2015 +1100
+
+ upstream commit
+
+ revision 1.16
+ date: 2013/04/05 12:59:54; author: kurt; state: Exp; lines: +3 -1;
+ - Add comments regarding copies of these files also in libexec/ld.so
+ okay guenther@
+
+commit 5225db68e58a1048cb17f0e36e0d33bc4a8fc410
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 14 08:25:32 2015 +1100
+
+ upstream commit
+
+ revision 1.15
+ date: 2012/09/13 15:39:05; author: deraadt; state: Exp; lines: +2 -2;
+ specify the bounds of the dst to strlcat (both values were static and
+ equal, but it is more correct)
+ from Michal Mazurek
+
+commit 7365fe5b4859de2305e40ea132da3823830fa710
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 14 08:25:09 2015 +1100
+
+ upstream commit
+
+ revision 1.14
+ date: 2011/07/24 21:03:00; author: miod; state: Exp; lines: +35 -13;
+ Recent Single Unix will malloc memory if the second argument of realpath()
+ is NULL, and third-party software is starting to rely upon this.
+ Adapted from FreeBSD via Jona Joachim (jaj ; hcl-club , .lu), with minor
+ tweaks from nicm@ and yours truly.
+
+commit e679c09cd1951f963793aa3d9748d1c3fdcf808f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Oct 13 16:15:21 2015 +0000
+
+ upstream commit
+
+ apply PubkeyAcceptedKeyTypes filtering earlier, so all
+ skipped keys are noted before pubkey authentication starts. ok dtucker@
+
+ Upstream-ID: ba4f52f54268a421a2a5f98bb375403f4cb044b8
+
+commit 179c353f564ec7ada64b87730b25fb41107babd7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Oct 13 00:21:27 2015 +0000
+
+ upstream commit
+
+ free the correct IV length, don't assume it's always the
+ cipher blocksize; ok dtucker@
+
+ Upstream-ID: c260d9e5ec73628d9ff4b067fbb060eff5a7d298
+
+commit 2539dce2a049a8f6bb0d44cac51f07ad48e691d3
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri Oct 9 01:37:08 2015 +0000
+
+ upstream commit
+
+ Change all tame callers to namechange to pledge(2).
+
+ Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2
+
+commit 9846a2f4067383bb76b4e31a9d2303e0a9c13a73
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Oct 8 04:30:48 2015 +1100
+
+ hook tame(2) sandbox up to build
+
+ OpenBSD only for now
+
+commit 0c46bbe68b70bdf0d6d20588e5847e71f3739fe6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 7 15:59:12 2015 +0000
+
+ upstream commit
+
+ include PubkeyAcceptedKeyTypes in ssh -G config dump
+
+ Upstream-ID: 6c097ce6ffebf6fe393fb7988b5d152a5d6b36bb
+
+commit bdcb73fb7641b1cf73c0065d1a0dd57b1e8b778e
+Author: sobrado@openbsd.org <sobrado@openbsd.org>
+Date: Wed Oct 7 14:45:30 2015 +0000
+
+ upstream commit
+
+ UsePrivilegeSeparation defaults to sandbox now.
+
+ ok djm@
+
+ Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f
+
+commit 2905d6f99c837bb699b6ebc61711b19acd030709
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 7 00:54:06 2015 +0000
+
+ upstream commit
+
+ don't try to change tun device flags if they are already
+ what we need; makes it possible to use tun/tap networking as non- root user
+ if device permissions and interface flags are pre-established; based on patch
+ by Ossi Herrala
+
+ Upstream-ID: 89099ac4634cd477b066865acf54cb230780fd21
+
+commit 0dc74512bdb105b048883f07de538b37e5e024d4
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Oct 5 18:33:05 2015 -0700
+
+ unbreak merge botch
+
+commit fdd020e86439afa7f537e2429d29d4b744c94331
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Oct 6 01:20:59 2015 +0000
+
+ upstream commit
+
+ adapt to recent sshkey_parse_private_fileblob() API
+ change
+
+ Upstream-Regress-ID: 5c0d818da511e33e0abf6a92a31bd7163b7ad988
+
+commit 21ae8ee3b630b0925f973db647a1b9aa5fcdd4c5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Sep 24 07:15:39 2015 +0000
+
+ upstream commit
+
+ fix command-line option to match what was actually
+ committed
+
+ Upstream-Regress-ID: 3e8c24a2044e8afd37e7ce17b69002ca817ac699
+
+commit e14ac43b75e68f1ffbd3e1a5e44143c8ae578dcd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Sep 24 06:16:53 2015 +0000
+
+ upstream commit
+
+ regress test for CertificateFile; patch from Meghana Bhat
+ via bz#2436
+
+ Upstream-Regress-ID: e7a6e980cbe0f8081ba2e83de40d06c17be8bd25
+
+commit 905b054ed24e0d5b4ef226ebf2c8bfc02ae6d4ad
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Oct 5 17:11:21 2015 +0000
@@ -26,7 +1913,129 @@ Date: Mon Oct 5 17:11:21 2015 +0000
Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0
-commit 8f5b93026797b9f7fba90d0c717570421ccebbd3
+commit b007159a0acdbcf65814b3ee05dbe2cf4ea46011
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri Oct 2 15:52:55 2015 +0000
+
+ upstream commit
+
+ fix email
+
+ Upstream-ID: 72150f2d54b94de14ebef1ea054ef974281bf834
+
+commit b19e1b4ab11884c4f62aee9f8ab53127a4732658
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri Oct 2 01:39:52 2015 +0000
+
+ upstream commit
+
+ a sandbox using tame ok djm
+
+ Upstream-ID: 4ca24e47895e72f5daaa02f3e3d3e5ca2d820fa3
+
+commit c61b42f2678f21f05653ac2d3d241b48ab5d59ac
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri Oct 2 01:39:26 2015 +0000
+
+ upstream commit
+
+ re-order system calls in order of risk, ok i'll be
+ honest, ordered this way they look like tame... ok djm
+
+ Upstream-ID: 42a1e6d251fd8be13c8262bee026059ae6328813
+
+commit c5f7c0843cb6e6074a93c8ac34e49ce33a6f5546
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Sep 25 18:19:54 2015 +0000
+
+ upstream commit
+
+ some certificatefile tweaks; ok djm
+
+ Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0
+
+commit 4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Sep 24 06:15:11 2015 +0000
+
+ upstream commit
+
+ add ssh_config CertificateFile option to explicitly list
+ a certificate; patch from Meghana Bhat on bz#2436; ok markus@
+
+ Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
+
+commit e3cbb06ade83c72b640a53728d362bbefa0008e2
+Author: sobrado@openbsd.org <sobrado@openbsd.org>
+Date: Tue Sep 22 08:33:23 2015 +0000
+
+ upstream commit
+
+ fix two typos.
+
+ Upstream-ID: 424402c0d8863a11b51749bacd7f8d932083b709
+
+commit 8408218c1ca88cb17d15278174a24a94a6f65fe1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Sep 21 04:31:00 2015 +0000
+
+ upstream commit
+
+ fix possible hang on closed output; bz#2469 reported by Tomas
+ Kuthan ok markus@
+
+ Upstream-ID: f7afd41810f8540f524284f1be6b970859f94fe3
+
+commit 0097248f90a00865082e8c146b905a6555cc146f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 11 04:55:01 2015 +0000
+
+ upstream commit
+
+ skip if running as root; many systems (inc OpenBSD) allow
+ root to ptrace arbitrary processes
+
+ Upstream-Regress-ID: be2b925df89360dff36f972951fa0fa793769038
+
+commit 9c06c814aff925e11a5cc592c06929c258a014f6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 11 03:44:21 2015 +0000
+
+ upstream commit
+
+ try all supported key types here; bz#2455 reported by
+ Jakub Jelen
+
+ Upstream-Regress-ID: 188cb7d9031cdbac3a0fa58b428b8fa2b2482bba
+
+commit 3c019a936b43f3e2773f3edbde7c114d73caaa4c
+Author: tim@openbsd.org <tim@openbsd.org>
+Date: Sun Sep 13 14:39:16 2015 +0000
+
+ upstream commit
+
+ - Fix error message: passphrase needs to be at least 5
+ characters, not 4. - Remove unused function argument. - Remove two
+ unnecessary variables.
+
+ OK djm@
+
+ Upstream-ID: 13010c05bfa8b523da1c0dc19e81dd180662bc30
+
+commit 2681cdb6e0de7c1af549dac37a9531af202b4434
+Author: tim@openbsd.org <tim@openbsd.org>
+Date: Sun Sep 13 13:48:19 2015 +0000
+
+ upstream commit
+
+ When adding keys to the agent, don't ignore the comment
+ of keys for which the user is prompted for a passphrase.
+
+ Tweak and OK djm@
+
+ Upstream-ID: dc737c620a5a8d282cc4f66e3b9b624e9abefbec
+
+commit 14692f7b8251cdda847e648a82735eef8a4d2a33
Author: guenther@openbsd.org <guenther@openbsd.org>
Date: Fri Sep 11 08:50:04 2015 +0000
@@ -39,47 +2048,272 @@ Date: Fri Sep 11 08:50:04 2015 +0000
Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50
-commit d77148e3a3ef6c29b26ec74331455394581aa257
+commit 846f6fa4cfa8483a9195971dbdd162220f199d85
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Sep 11 06:55:46 2015 +0000
+
+ upstream commit
+
+ sync -Q in usage() to SYNOPSIS; since it's drastically
+ shorter, i've reformatted the block to sync with the man (80 cols) and saved
+ a line;
+
+ Upstream-ID: 86e2c65c3989a0777a6258a77e589b9f6f354abd
+
+commit 95923e0520a8647417ee6dcdff44694703dfeef0
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Sep 11 06:51:39 2015 +0000
+
+ upstream commit
+
+ tweak previous;
+
+ Upstream-ID: f29b3cfcfd9aa31fa140c393e7bd48c1c74139d6
+
+commit 86ac462f833b05d8ed9de9c50ccb295d7faa79ff
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 11 05:27:02 2015 +0000
+
+ upstream commit
+
+ Update usage to match man page.
+
+ Upstream-ID: 9e85aefaecfb6aaf34c7cfd0700cd21783a35675
+
+commit 674b3b68c1d36b2562324927cd03857b565e05e8
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Nov 8 21:59:11 2015 +0000
+Date: Fri Sep 11 03:47:28 2015 +0000
upstream commit
- fix OOB read in packet code caused by missing return
- statement found by Ben Hawkes; ok markus@ deraadt@
+ expand %i in ControlPath to UID; bz#2449
- Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
+ patch from Christian Hesse w/ feedback from dtucker@
+
+ Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925
+
+commit c0f55db7ee00c8202b05cb4b9ad4ce72cc45df41
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 11 03:42:32 2015 +0000
+
+ upstream commit
+
+ mention -Q key-plain and -Q key-cert; bz#2455 pointed out
+ by Jakub Jelen
+
+ Upstream-ID: c8f1f8169332e4fa73ac96b0043e3b84e01d4896
+
+commit cfffbdb10fdf0f02d3f4232232eef7ec3876c383
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Mon Sep 14 16:24:21 2015 +1000
+
+ Use ssh-keygen -A when generating host keys.
+
+ Use ssh-keygen -A instead of per-keytype invocations when generating host
+ keys. Add tests when doing host-key-force since we can't use ssh-keygen -A
+ since it can't specify alternate locations. bz#2459, ok djm@
+
+commit 366bada1e9e124654aac55b72b6ccf878755b0dc
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Sep 11 13:29:22 2015 +1000
+
+ Correct default value for --with-ssh1.
+
+ bz#2457, from konto-mindrot.org at walimnieto.com.
+
+commit 2bca8a43e7dd9b04d7070824ffebb823c72587b2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 11 03:13:36 2015 +0000
-commit 076d849e17ab12603627f87b301e2dca71bae518
+ upstream commit
+
+ more clarity on what AuthorizedKeysFile=none does; based
+ on diff by Thiebaud Weksteen
+
+ Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
+
+commit 61942ea4a01e6db4fdf37ad61de81312ffe310e9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Sep 9 00:52:44 2015 +0000
+
+ upstream commit
+
+ openssh_RSA_verify return type is int, so don't make it
+ size_t within the function itself with only negative numbers or zero assigned
+ to it. bz#2460
+
+ Upstream-ID: b6e794b0c7fc4f9f329509263c8668d35f83ea55
+
+commit 4f7cc2f8cc861a21e6dbd7f6c25652afb38b9b96
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 4 08:21:47 2015 +0000
+
+ upstream commit
+
+ Plug minor memory leaks when options are used more than
+ once. bz#2182, patch from Tiago Cunha, ok deraadt djm
+
+ Upstream-ID: 5b84d0401e27fe1614c10997010cc55933adb48e
+
+commit 7ad8b287c8453a3e61dbc0d34d467632b8b06fc8
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Sep 11 13:11:02 2015 +1000
+
+ Force resolution of _res for correct detection.
+
+ bz#2259, from sconeu at yahoo.com.
+
+commit 26ad18247213ff72b4438abe7fc660c958810fa2
Author: Damien Miller <djm@mindrot.org>
-Date: Sat Nov 14 18:44:49 2015 +1100
+Date: Thu Sep 10 10:57:41 2015 +1000
- read back from libcrypto RAND when privdropping
+ allow getrandom syscall; from Felix von Leitner
+
+commit 5245bc1e6b129a10a928f73f11c3aa32656c44b4
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Sep 4 06:40:45 2015 +0000
+
+ upstream commit
- makes certain libcrypto implementations cache a /dev/urandom fd
- in preparation of sandboxing. Based on patch by Greg Hartman.
+ full stop belongs outside the brackets, not inside;
+
+ Upstream-ID: 99d098287767799ac33d2442a05b5053fa5a551a
-commit f72adc0150011a28f177617a8456e1f83733099d
+commit a85768a9321d74b41219eeb3c9be9f1702cbf6a5
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Dec 13 22:42:23 2015 +0000
+Date: Fri Sep 4 04:56:09 2015 +0000
upstream commit
- unbreak connections with peers that set
- first_kex_follows; fix from Matt Johnston va bz#2515
+ add a debug2() right before DNS resolution; it's a place
+ where ssh could previously silently hang for a while. bz#2433
- Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
+ Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0
-commit 04bd8d019ccd906cac1a2b362517b8505f3759e6
+commit 46152af8d27aa34d5d26ed1c371dc8aa142d4730
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Jan 12 23:42:54 2016 +0000
+Date: Fri Sep 4 04:55:24 2015 +0000
upstream commit
- use explicit_bzero() more liberally in the buffer code; ok
- deraadt
+ correct function name in error messages
- Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
+ Upstream-ID: 92fb2798617ad9561370897f4ab60adef2ff4c0e
+
+commit a954cdb799a4d83c2d40fbf3e7b9f187fbfd72fc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 4 04:47:50 2015 +0000
+
+ upstream commit
+
+ better document ExitOnForwardFailure; bz#2444, ok
+ dtucker@
+
+ Upstream-ID: a126209b5a6d9cb3117ac7ab5bc63d284538bfc2
+
+commit f54d8ac2474b6fc3afa081cf759b48a6c89d3319
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 4 04:44:08 2015 +0000
+
+ upstream commit
+
+ don't record hostbased authentication hostkeys as user
+ keys in test for multiple authentication with the same key
+
+ Upstream-ID: 26b368fa2cff481f47f37e01b8da1ae5b57b1adc
+
+commit ac3451dd65f27ecf85dc045c46d49e2bbcb8dddd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 4 03:57:38 2015 +0000
+
+ upstream commit
+
+ remove extra newline in nethack-mode hostkey; from
+ Christian Hesse bz#2686
+
+ Upstream-ID: 4f56368b1cc47baeea0531912186f66007fd5b92
+
+commit 9e3ed9ebb1a7e47c155c28399ddf09b306ea05df
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 4 04:23:10 2015 +0000
+
+ upstream commit
+
+ trim junk from end of file; bz#2455 from Jakub Jelen
+
+ Upstream-Regress-ID: a4e64e8931e40d23874b047074444eff919cdfe6
+
+commit f3a3ea180afff080bab82087ee0b60db9fd84f6c
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date: Wed Sep 2 07:51:12 2015 +0000
+
+ upstream commit
+
+ Fix occurrences of "r = func() != 0" which result in the
+ wrong error codes being returned due to != having higher precedence than =.
+
+ ok deraadt@ markus@
+
+ Upstream-ID: 5fc35c9fc0319cc6fca243632662d2f06b5fd840
+
+commit f498a98cf83feeb7ea01c15cd1c98b3111361f3a
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Sep 3 09:11:22 2015 +1000
+
+ don't check for yp_match; ok tim@
+
+commit 9690b78b7848b0b376980a61d51b1613e187ddb5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Aug 21 23:57:48 2015 +0000
+
+ upstream commit
+
+ Improve printing of KEX offers and decisions
+
+ The debug output now labels the client and server offers and the
+ negotiated options. ok markus@
+
+ Upstream-ID: 8db921b3f92a4565271b1c1fbce6e7f508e1a2cb
+
+commit 60a92470e21340e1a3fc10f9c7140d8e1519dc55
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Aug 21 23:53:08 2015 +0000
+
+ upstream commit
+
+ Fix printing (ssh -G ...) of HostKeyAlgorithms=+...
+ Reported by Bryan Drewery
+
+ Upstream-ID: 19ad20c41bd5971e006289b6f9af829dd46c1293
+
+commit 6310f60fffca2d1e464168e7d1f7e3b6b0268897
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Aug 21 23:52:30 2015 +0000
+
+ upstream commit
+
+ Fix expansion of HostkeyAlgorithms=+...
+
+ Reported by Bryan Drewery
+
+ Upstream-ID: 70ca1deea39d758ba36d36428ae832e28566f78d
+
+commit e774e5ea56237fd626a8161f9005023dff3e76c9
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri Aug 21 23:29:31 2015 +0000
+
+ upstream commit
+
+ Improve size == 0, count == 0 checking in mm_zalloc,
+ which is "array" like. Discussed with tedu, millert, otto.... and ok djm
+
+ Upstream-ID: 899b021be43b913fad3eca1aef44efe710c53e29
+
+commit 189de02d9ad6f3645417c0ddf359b923aae5f926
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Aug 21 15:45:02 2015 +1000
+
+ expose POLLHUP and POLLNVAL for netcat.c
commit e91346dc2bbf460246df2ab591b7613908c1b0ad
Author: Damien Miller <djm@mindrot.org>
@@ -6669,947 +8903,3 @@ Author: Damien Miller <djm@mindrot.org>
Date: Thu Mar 13 13:14:21 2014 +1100
- (djm) Release OpenSSH 6.6
-
-commit 8569eba5d7f7348ce3955eeeb399f66f25c52ece
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 4 09:35:17 2014 +1100
-
- - djm@cvs.openbsd.org 2014/03/03 22:22:30
- [session.c]
- ignore enviornment variables with embedded '=' or '\0' characters;
- spotted by Jann Horn; ok deraadt@
-
-commit 2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7
-Author: Damien Miller <djm@mindrot.org>
-Date: Sun Mar 2 04:01:00 2014 +1100
-
- - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
- no moduli file exists at the expected location.
-
-commit c83fdf30e9db865575b2521b1fe46315cf4c70ae
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:34:03 2014 +1100
-
- - (djm) [regress/host-expand.sh] Add RCS Id
-
-commit 834aeac3555e53f7d29a6fcf3db010dfb99681c7
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:25:16 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/27 21:21:25
- [agent-ptrace.sh agent.sh]
- keep return values that are printed in error messages;
- from portable
- (Id sync only)
-
-commit 4f7f1a9a0de24410c30952c7e16d433240422182
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:24:11 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/27 20:04:16
- [login-timeout.sh]
- remove any existing LoginGraceTime from sshd_config before adding
- a specific one for the test back in
-
-commit d705d987c27f68080c8798eeb5262adbdd6b4ffd
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:23:26 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/26 10:49:17
- [scp-ssh-wrapper.sh scp.sh]
- make sure $SCP is tested on the remote end rather than whichever one
- happens to be in $PATH; from portable
- (Id sync only)
-
-commit 624a3ca376e3955a4b9d936c9e899e241b65d357
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:22:37 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/26 10:22:10
- [regress/cert-hostkey.sh]
- automatically generate revoked keys from listed keys rather than
- manually specifying each type; from portable
- (Id sync only)
-
-commit b84392328425e4b9a71f8bde5fe6a4a4c48d3ec4
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:21:26 2014 +1100
-
- - dtucker@cvs.openbsd.org 2014/01/25 04:35:32
- [regress/Makefile regress/dhgex.sh]
- Add a test for DH GEX sizes
-
-commit 1e2aa3d90472293ea19008f02336d6d68aa05793
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:19:51 2014 +1100
-
- - dtucker@cvs.openbsd.org 2014/01/20 00:00:30
- [sftp-chroot.sh]
- append to rather than truncating the log file
-
-commit f483cc16fe7314e24a37aa3a4422b03c013c3213
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:19:11 2014 +1100
-
- - dtucker@cvs.openbsd.org 2014/01/19 23:43:02
- [regress/sftp-chroot.sh]
- Don't use -q on sftp as it suppresses logging, instead redirect the
- output to the regress logfile.
-
-commit 6486f16f1c0ebd6f39286f6ab5e08286d90a994a
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:03:52 2014 +1100
-
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
- [contrib/suse/openssh.spec] Crank version numbers
-
-commit 92cf5adea194140380e6af6ec32751f9ad540794
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:01:53 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/27 22:57:40
- [version.h]
- openssh-6.6
-
-commit fc5d6759aba71eb205b296b5f148010ffc828583
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:01:28 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/27 22:47:07
- [sshd_config.5]
- bz#2184 clarify behaviour of a keyword that appears in multiple
- matching Match blocks; ok dtucker@
-
-commit 172ec7e0af1a5f1d682f6a2dca335c6c186153d5
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:00:57 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/27 08:25:09
- [bufbn.c]
- off by one in range check
-
-commit f9a9aaba437c2787e40cf7cc928281950e161678
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 28 10:00:27 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/27 00:41:49
- [bufbn.c]
- fix unsigned overflow that could lead to reading a short ssh protocol
- 1 bignum value; found by Ben Hawkes; ok deraadt@
-
-commit fb3423b612713d9cde67c8a75f6f51188d6a3de3
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Feb 27 10:20:07 2014 +1100
-
- - markus@cvs.openbsd.org 2014/02/26 21:53:37
- [sshd.c]
- ssh_gssapi_prepare_supported_oids needs GSSAPI
-
-commit 1348129a34f0f7728c34d86c100a32dcc8d1f922
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Feb 27 10:18:32 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/26 20:29:29
- [channels.c]
- don't assume that the socks4 username is \0 terminated;
- spotted by Ben Hawkes; ok markus@
-
-commit e6a74aeeacd01d885262ff8e50eb28faee8c8039
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Feb 27 10:17:49 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/26 20:28:44
- [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
- bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
- sandboxing, as running this code in the sandbox can cause violations;
- ok markus@
-
-commit 08b57c67f3609340ff703fe2782d7058acf2529e
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Feb 27 10:17:13 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/26 20:18:37
- [ssh.c]
- bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
- ok dtucker@ markus@
-
-commit 13f97b2286142fd0b8eab94e4ce84fe124eeb752
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Feb 24 15:57:55 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/23 20:11:36
- [readconf.c readconf.h ssh.c ssh_config.5]
- reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
- the hostname. This allows users to write configurations that always
- refer to canonical hostnames, e.g.
-
- CanonicalizeHostname yes
- CanonicalDomains int.example.org example.org
- CanonicalizeFallbackLocal no
-
- Host *.int.example.org
- Compression off
- Host *.example.org
- User djm
-
- ok markus@
-
-commit bee3a234f3d1ad4244952bcff1b4b7c525330dc2
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Feb 24 15:57:22 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/23 20:03:42
- [ssh-ed25519.c]
- check for unsigned overflow; not reachable in OpenSSH but others might
- copy our code...
-
-commit 0628780abe61e7e50cba48cdafb1837f49ff23b2
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Feb 24 15:56:45 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/22 01:32:19
- [readconf.c]
- when processing Match blocks, skip 'exec' clauses if previous predicates
- failed to match; ok markus@
-
-commit 0890dc8191bb201eb01c3429feec0300a9d3a930
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Feb 24 15:56:07 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/15 23:05:36
- [channels.c]
- avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
- bz#2200, debian#738692 via Colin Watson; ok dtucker@
-
-commit d3cf67e1117c25d151d0f86396e77ee3a827045a
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Feb 24 15:55:36 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/07 06:55:54
- [cipher.c mac.c]
- remove some logging that makes ssh debugging output very verbose;
- ok markus
-
-commit 03ae081aeaa118361c81ece76eb7cc1aaa2b40c5
-Author: Tim Rice <tim@multitalents.net>
-Date: Fri Feb 21 09:09:34 2014 -0800
-
- 20140221
- - (tim) [configure.ac] Fix cut-and-paste error. Patch from Bryan Drewery.
-
-commit 4a20959d2e3c90e9d66897c0b4032c785672d815
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Feb 13 16:38:32 2014 +1100
-
- - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat
- code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
-
-commit d1a7a9c0fd1ac2e3314cceb2891959fd2cd9eabb
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 7 09:24:33 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/06 22:21:01
- [sshconnect.c]
- in ssh_create_socket(), only do the getaddrinfo for BindAddress when
- BindAddress is actually specified. Fixes regression in 6.5 for
- UsePrivilegedPort=yes; patch from Corinna Vinschen
-
-commit 6ce35b6cc4ead1bf98abec34cb2e2d6ca0abb15e
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 7 09:24:14 2014 +1100
-
- - naddy@cvs.openbsd.org 2014/02/05 20:13:25
- [ssh-keygen.1 ssh-keygen.c]
- tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
- while here, fix ordering in usage(); requested by jmc@
-
-commit 6434cb2cfbbf0a46375d2d22f2ff9927feb5e478
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Feb 6 11:17:50 2014 +1100
-
- - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
- __NR_shutdown; some go via the socketcall(2) multiplexer.
-
-commit 8d36f9ac71eff2e9f5770c0518b73d875f270647
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Feb 6 10:44:13 2014 +1100
-
- - (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL
- before freeing since free(NULL) is a no-op. ok djm.
-
-commit a0959da3680b4ce8cf911caf3293a6d90f88eeb7
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Feb 5 10:33:45 2014 +1100
-
- - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
- headers/libc but not supported by the kernel. Patch from Loganaden
- Velvindron @ AfriNIC
-
-commit 9c449bc183b256c84d8f740727b0bc54d247b15e
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:38:28 2014 +1100
-
- - (djm) [regress/setuid-allowed.c] Missing string.h for strerror()
-
-commit bf7e0f03be661b6f5b3bfe325135ce19391f9c4d
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:37:50 2014 +1100
-
- - (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o
-
-commit eb6d870a0ea8661299bb2ea8f013d3ace04e2024
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:26:34 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/04 00:24:29
- [ssh.c]
- delay lowercasing of hostname until right before hostname
- canonicalisation to unbreak case-sensitive matching of ssh_config;
- reported by Ike Devolder; ok markus@
-
-commit d56b44d2dfa093883a5c4e91be3f72d99946b170
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:26:04 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/04 00:24:29
- [ssh.c]
- delay lowercasing of hostname until right before hostname
- canonicalisation to unbreak case-sensitive matching of ssh_config;
- reported by Ike Devolder; ok markus@
-
-commit db3c595ea74ea9ccd5aa644d7e1f8dc675710731
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:25:45 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/02 03:44:31
- [digest-libc.c digest-openssl.c]
- convert memset of potentially-private data to explicit_bzero()
-
-commit aae07e2e2000dd318418fd7fd4597760904cae32
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:20:40 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/03 23:28:00
- [ssh-ecdsa.c]
- fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike
- DSA_SIG_new. Reported by Batz Spear; ok markus@
-
-commit a5103f413bde6f31bff85d6e1fd29799c647d765
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:20:14 2014 +1100
-
- - djm@cvs.openbsd.org 2014/02/02 03:44:32
- [auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
- [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
- [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
- [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
- [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
- [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
- [sshd.c]
- convert memset of potentially-private data to explicit_bzero()
-
-commit 1d2c4564265ee827147af246a16f3777741411ed
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:18:20 2014 +1100
-
- - tedu@cvs.openbsd.org 2014/01/31 16:39:19
- [auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
- [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
- [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
- [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
- [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
- replace most bzero with explicit_bzero, except a few that cna be memset
- ok djm dtucker
-
-commit 3928de067c286683a95fbdbdb5fdb3c78a0e5efd
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:13:54 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/30 22:26:14
- [sandbox-systrace.c]
- allow shutdown(2) syscall in sandbox - it may be called by packet_close()
- from portable
- (Id sync only; change is already in portable)
-
-commit e1e480aee8a9af6cfbe7188667b7b940d6b57f9f
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:13:17 2014 +1100
-
- - jmc@cvs.openbsd.org 2014/01/29 14:04:51
- [sshd_config.5]
- document kbdinteractiveauthentication;
- requested From: Ross L Richardson
-
- dtucker/markus helped explain its workings;
-
-commit 7cc194f70d4a5ec9a82d19422eaf18db4a6624c6
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:12:56 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/29 06:18:35
- [Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
- [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
- [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
- remove experimental, never-enabled JPAKE code; ok markus@
-
-commit b0f26544cf6f4feeb1a4f6db09fca834f5c9867d
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:10:01 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/29 00:19:26
- [sshd.c]
- use kill(0, ...) instead of killpg(0, ...); on most operating systems
- they are equivalent, but SUSv2 describes the latter as having undefined
- behaviour; from portable; ok dtucker
- (Id sync only; change is already in portable)
-
-commit f8f35bc471500348bb262039fb1fc43175d251b0
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:09:12 2014 +1100
-
- - jmc@cvs.openbsd.org 2014/01/28 14:13:39
- [ssh-keyscan.1]
- kill some bad Pa;
- From: Jan Stary
-
-commit 0ba85d696ae9daf66002c2e4ab0d6bb111e1a787
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:08:38 2014 +1100
-
- ignore a few more regress droppings
-
-commit ec93d15170b7a6ddf63fd654bd0f6a752acc19dd
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:07:13 2014 +1100
-
- - markus@cvs.openbsd.org 2014/01/27 20:13:46
- [digest.c digest-openssl.c digest-libc.c Makefile.in]
- rename digest.c to digest-openssl.c and add libc variant; ok djm@
-
-commit 4a1c7aa640fb97d3472d51b215b6a0ec0fd025c7
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:03:36 2014 +1100
-
- - markus@cvs.openbsd.org 2014/01/27 19:18:54
- [auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
- replace openssl MD5 with our ssh_digest_*; ok djm@
-
-commit 4e8d937af79ce4e253f77ec93489d098b25becc3
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 4 11:02:42 2014 +1100
-
- - markus@cvs.openbsd.org 2014/01/27 18:58:14
- [Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h]
- replace openssl HMAC with an implementation based on our ssh_digest_*
- ok and feedback djm@
-
-commit 69d0d09f76bab5aec86fbf78489169f63bd16475
-Author: Tim Rice <tim@multitalents.net>
-Date: Fri Jan 31 14:25:18 2014 -0800
-
- - (tim) [Makefile.in] build regress/setuid-allow.
-
-commit 0eeafcd76b972a3d159f3118227c149a4d7817fe
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 31 14:18:51 2014 +1100
-
- - (dtucker) [readconf.c] Include <arpa/inet.h> for the hton macros. Fixes
- build with HP-UX's compiler. Patch from Kevin Brott.
-
-commit 7e5cec6070673e9f9785ffc749837ada22fbe99f
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jan 31 09:25:34 2014 +1100
-
- - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
- syscall from sandboxes; it may be called by packet_close.
-
-commit cdb6c90811caa5df2df856be9b0b16db020fe31d
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 30 12:50:17 2014 +1100
-
- - (djm) Release openssh-6.5p1
-
-commit 996ea80b1884b676a901439f1f2681eb6ff68501
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 30 12:49:55 2014 +1100
-
- trim entries prior to openssh-6.0p1
-
-commit f5bbd3b657b6340551c8a95f74a70857ff8fac79
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 30 11:26:46 2014 +1100
-
- - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering
- different symbols for 'read' when various compiler flags are
- in use, causing atomicio.c comparisons against it to break and
- read/write operations to hang; ok dtucker
-
-commit c2868192ddc4e1420a50389e18c05db20b0b1f32
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 30 10:21:19 2014 +1100
-
- - (djm) [configure.ac] Only check for width-specified integer types
- in headers that actually exist. patch from Tom G. Christensen;
- ok dtucker@
-
-commit c161fc90fc86e2035710570238a9e1ca7a68d2a5
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Jan 29 21:01:33 2014 +1100
-
- - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from
- Tom G. Christensen
-
-commit 6f917ad376481995ab7d29fb53b08ec8d507eb9e
-Author: Tim Rice <tim@multitalents.net>
-Date: Tue Jan 28 10:26:25 2014 -0800
-
- - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable
- when used as an error message inside an if statement so we display the
- correct into. agent.sh patch from Petr Lautrbach.
-
-commit ab16ef4152914d44ce6f76e48167d26d22f66a06
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Jan 28 15:08:12 2014 +1100
-
- - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the
- latter being specified to have undefined behaviour in SUSv3;
- ok dtucker
-
-commit ab0394905884dc6e58c3721211c6b38fb8fc2ca8
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Jan 28 15:07:10 2014 +1100
-
- - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl;
- ok dtucker
-
-commit 4ab20a82d4d4168d62318923f62382f6ef242fcd
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Jan 27 17:35:04 2014 +1100
-
- - (dtucker) [Makefile.in] Remove trailing backslash which some make
- implementations (eg older Solaris) do not cope with.
-
-commit e7e8b3cfe9f8665faaf0e68b33df5bbb431bd129
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Jan 27 17:32:50 2014 +1100
-
- Welcome to 2014
-
-commit 5b447c0aac0dd444251e276f6bb3bbbe1c05331c
-Author: Damien Miller <djm@mindrot.org>
-Date: Sun Jan 26 09:46:53 2014 +1100
-
- - (djm) [configure.ac] correct AC_DEFINE for previous.
-
-commit 2035b2236d3b1f76c749c642a43e03c85eae76e6
-Author: Damien Miller <djm@mindrot.org>
-Date: Sun Jan 26 09:39:53 2014 +1100
-
- - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable
- RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations,
- libc will attempt to open additional file descriptors for crypto
- offload and crash if they cannot be opened.
-
-commit a92ac7410475fbb00383c7402aa954dc0a75ae19
-Author: Damien Miller <djm@mindrot.org>
-Date: Sun Jan 26 09:38:03 2014 +1100
-
- - markus@cvs.openbsd.org 2014/01/25 20:35:37
- [kex.c]
- dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
- ok dtucker@, noted by mancha
-
-commit 76eea4ab4e658670ca6e76dd1e6d17f262208b57
-Author: Damien Miller <djm@mindrot.org>
-Date: Sun Jan 26 09:37:25 2014 +1100
-
- - dtucker@cvs.openbsd.org 2014/01/25 10:12:50
- [cipher.c cipher.h kex.c kex.h kexgexc.c]
- Add a special case for the DH group size for 3des-cbc, which has an
- effective strength much lower than the key size. This causes problems
- with some cryptlib implementations, which don't support group sizes larger
- than 4k but also don't use the largest group size it does support as
- specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
- reduced by me with input from Markus. ok djm@ markus@
-
-commit 603b8f47f1cd9ed95a2017447db8e60ca6704594
-Author: Damien Miller <djm@mindrot.org>
-Date: Sat Jan 25 13:16:59 2014 +1100
-
- - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test
- against the correct thing.
-
-commit c96d85376d779b6ac61525b5440010d344d2f23f
-Author: Damien Miller <djm@mindrot.org>
-Date: Sat Jan 25 13:12:28 2014 +1100
-
- - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless
- sys/capability.h exists and cap_rights_limit is in libc. Fixes
- build on FreeBSD9x which provides the header but not the libc
- support.
-
-commit f62ecef9939cb3dbeb10602fd705d4db3976d822
-Author: Damien Miller <djm@mindrot.org>
-Date: Sat Jan 25 12:34:38 2014 +1100
-
- - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD
-
-commit b0e0f760b861676a3fe5c40133b270713d5321a9
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jan 24 14:27:04 2014 +1100
-
- - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make
- the scp regress test actually test the built scp rather than the one
- in $PATH. ok dtucker@
-
-commit 42a092530159637da9cb7f9e1b5f4679e34a85e6
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Jan 23 23:14:39 2014 +1100
-
- - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously
- incompatible with OpenBSD's despite post-dating it by more than a decade.
- Declare it as broken, and document FreeBSD's as the same. ok djm@
-
-commit 617da33c20cb59f9ea6c99c881d92493371ef7b8
-Author: Tim Rice <tim@multitalents.net>
-Date: Wed Jan 22 19:16:10 2014 -0800
-
- - (tim) [session.c] Improve error reporting on set_id().
-
-commit 5c2ff5e31f57d303ebb414d84a934c02728fa568
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Jan 22 21:30:12 2014 +1100
-
- - (djm) [configure.ac aclocal.m4] More tests to detect fallout from
- platform hardening options: include some long long int arithmatic
- to detect missing support functions for -ftrapv in libgcc and
- equivalents, actually test linking when -ftrapv is supplied and
- set either both -pie/-fPIE or neither. feedback and ok dtucker@
-
-commit 852472a54b8a0dc3e53786b313baaa86850a4273
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Jan 22 16:31:18 2014 +1100
-
- - (djm) [configure.ac] Unless specifically requested, only attempt
- to build Position Independent Executables on gcc >= 4.x; ok dtucker
-
-commit ee87838786cef0194db36ae0675b3e7c4e8ec661
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Jan 22 16:30:15 2014 +1100
-
- - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a
- platform that is expected to use the reuse-argv style setproctitle
- hack surprises us by providing a setproctitle in libc; ok dtucker
-
-commit 5c96a154c7940fa67b1f11c421e390dbbc159f27
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Jan 21 13:10:26 2014 +1100
-
- - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE
- and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of
- detecting toolchain-related problems; ok dtucker
-
-commit 9464ba6fb34bb42eb3501ec3c5143662e75674bf
-Author: Tim Rice <tim@multitalents.net>
-Date: Mon Jan 20 17:59:28 2014 -0800
-
- - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced
- with sftp chroot support. Move set_id call after chroot.
-
-commit a6d573caa14d490e6c42fb991bcb5c6860ec704b
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Jan 21 12:50:46 2014 +1100
-
- - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time
- tests in the configure output. ok djm.
-
-commit 096118dc73ab14810b3c12785c0b5acb01ad6123
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Jan 21 12:48:51 2014 +1100
-
- - (dtucker) [configure.ac] Make PIE a configure-time option which defaults
- to on platforms where it's known to be reliably detected and off elsewhere.
- Works around platforms such as FreeBSD 9.1 where it does not interop with
- -ftrapv (it seems to work but fails when trying to link ssh). ok djm@
-
-commit f9df7f6f477792254eab33cdef71a6d66488cb88
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Jan 20 20:07:15 2014 +1100
-
- - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that
- skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@
-
-commit c74e70eb52ccc0082bd5a70b5798bb01c114d138
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Jan 20 13:18:09 2014 +1100
-
- - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos
- implementation does not have krb5_cc_new_unique, similar to what we do
- in auth-krb5.c.
-
-commit 3510979e83b6a18ec8773c64c3fa04aa08b2e783
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Jan 20 12:41:53 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/20 00:08:48
- [digest.c]
- memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@
-
-commit 7eee358d7a6580479bee5cd7e52810ebfd03e5b2
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sun Jan 19 22:37:02 2014 +1100
-
- - dtucker@cvs.openbsd.org 2014/01/19 11:21:51
- [addrmatch.c]
- Cast the sizeof to socklen_t so it'll work even if the supplied len is
- negative. Suggested by and ok djm, ok deraadt.
-
-commit b7e01c09b56ab26e8fac56bbce0fd25e36d12bb0
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sun Jan 19 22:36:13 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/19 04:48:08
- [ssh_config.5]
- fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal
-
-commit 7b1ded04adce42efa25ada7c3a39818d3109b724
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sun Jan 19 15:30:02 2014 +1100
-
- - dtucker@cvs.openbsd.org 2014/01/19 04:17:29
- [canohost.c addrmatch.c]
- Cast socklen_t when comparing to size_t and use socklen_t to iterate over
- the ip options, both to prevent signed/unsigned comparison warnings.
- Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.
-
-commit 293ee3c9f0796d99ebb033735f0e315f2e0180bf
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sun Jan 19 15:28:01 2014 +1100
-
- - dtucker@cvs.openbsd.org 2014/01/18 09:36:26
- [session.c]
- explicitly define USE_PIPES to 1 to prevent redefinition warnings in
- portable on platforms that use pipes for everything. From redhat @
- redhat.
-
-commit 2aca159d05f9e7880d1d8f1ce49a218840057f53
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sun Jan 19 15:25:34 2014 +1100
-
- - dtucker@cvs.openbsd.org 2014/01/17 06:23:24
- [sftp-server.c]
- fix log message statvfs. ok djm
-
-commit 841f7da89ae8b367bb502d61c5c41916c6e7ae4c
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sat Jan 18 22:12:15 2014 +1100
-
- - (dtucker) [sandbox-capsicum.c] Correct some error messages and make the
- return value check for cap_enter() consistent with the other uses in
- FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140.
-
-commit fdce3731660699b2429e93e822f2ccbaccd163ae
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sat Jan 18 21:12:42 2014 +1100
-
- - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs,
- optind) are defined in getopt.h already. Unfortunately they are defined as
- "declspec(dllimport)" for historical reasons, because the GNU linker didn't
- allow auto-import on PE/COFF targets way back when. The problem is the
- dllexport attributes collide with the definitions in the various source
- files in OpenSSH, which obviousy define the variables without
- declspec(dllimport). The least intrusive way to get rid of these warnings
- is to disable warnings for GCC compiler attributes when building on Cygwin.
- Patch from vinschen at redhat.com.
-
-commit 1411c9263f46e1ee49d0d302bf7258ebe69ce827
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sat Jan 18 21:03:59 2014 +1100
-
- - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function
- declarations that stopped being included when we stopped including
- <windows.h> from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at
- redhat.com.
-
-commit 89c532d843c95a085777c66365067d64d1937eb9
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sat Jan 18 20:43:49 2014 +1100
-
- - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch
- from vinschen at redhat.com
-
-commit 355f861022be7b23d3009fae8f3c9f6f7fc685f7
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sat Jan 18 00:12:38 2014 +1100
-
- - (dtucker) [defines.h] Move our definitions of uintXX_t types down to after
- they're defined if we have to define them ourselves. Fixes builds on old
- AIX.
-
-commit a3357661ee1d5d553294f36e4940e8285c7f1332
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sat Jan 18 00:03:57 2014 +1100
-
- - (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building on
- Solaris.
-
-commit 9edcbff46ff01c8d5dee9c1aa843f09e9ad8a80e
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 21:54:32 2014 +1100
-
- - (dtucker) [configure.ac] Have --without-toolchain-hardening not turn off
- stack-protector since that has a separate flag that's been around a while.
-
-commit 6d725687c490d4ba957a1bbc0ba0a2956c09fa69
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 19:17:34 2014 +1100
-
- - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types.
-
-commit 5055699c7f7c7ef21703a443ec73117da392f6ae
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 18:48:22 2014 +1100
-
- - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we
- need them to cut down on the name collisions.
-
-commit a5cf1e220def07290260e4125e74f41ac75cf88d
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 18:10:58 2014 +1100
-
- - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c
- openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs
- to be useful (and for the regression tests to pass) on platforms that
- have statfs and fstatfs. ok djm@
-
-commit 1357d71d7b6d269969520aaa3e84d312ec971d5b
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 18:00:40 2014 +1100
-
- - (dtucker) Fix typo in #ifndef.
-
-commit d23a91ffb289d3553a58b7a60cec39fba9f0f506
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 17:32:30 2014 +1100
-
- - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c
- openbsd-compat/openssl-compat.h] Add compatibility layer for older
- openssl versions. ok djm@
-
-commit 868ea1ea1c1bfdbee5dbad78f81999c5983ecf31
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jan 17 16:47:04 2014 +1100
-
- - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
- [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
- [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
- using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
- Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
-
-commit a9d186a8b50d18869a10e9203abf71c83ddb1f79
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 16:30:49 2014 +1100
-
- - dtucker@cvs.openbsd.org 2014/01/17 05:26:41
- [digest.c]
- remove unused includes. ok djm@
-
-commit 5f1c57a7a7eb39c0e4fee3367712337dbcaef024
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 16:29:45 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/17 00:21:06
- [sftp-client.c]
- signed/unsigned comparison warning fix; from portable (Id sync only)
-
-commit c548722361d89fb12c108528f96b306a26477b18
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 15:12:16 2014 +1100
-
- - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into
- separate lines and alphabetize for easier diffing of changes.
-
-commit acad351a5b1c37de9130c9c1710445cc45a7f6b9
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 14:20:05 2014 +1100
-
- - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that
- don't have them.
-
-commit c3ed065ce8417aaa46490836648c173a5010f226
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 14:18:45 2014 +1100
-
- - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside
- #ifdef HAVE_STDINT_H.
-
-commit f45f78ae437062c7d9506c5f475b7215f486be44
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 12:43:43 2014 +1100
-
- - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include
- includes.h to pull in all of the compatibility stuff.
-
-commit 99df369d0340caac145d57f700d830147ff18b87
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 12:42:17 2014 +1100
-
- - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
-
-commit ac413b62ea1957e80c711acbe0c11b908273fc01
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 12:31:33 2014 +1100
-
- - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
-
-commit 1c4a011e9c939e74815346a560843e1862c300b8
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 12:23:23 2014 +1100
-
- - (dtucker) [loginrec.c] Cast to the types specfied in the format
- specification to prevent warnings.
-
-commit c3d483f9a8275be1113535a1e0d0e384f605f3c4
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jan 17 11:20:26 2014 +1100
-
- - (djm) [sftp-client.c] signed/unsigned comparison fix
-
-commit fd994379dd972417d0491767f7cd9b5bf23f4975
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jan 17 09:53:24 2014 +1100
-
- - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain
- hardening flags including -fstack-protector-strong. These default to on
- if the toolchain supports them, but there is a configure-time knob
- (--without-hardening) to disable them if necessary. ok djm@
-
-commit 366224d21768ee8ec28cfbcc5fbade1b32582d58
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 16 18:51:44 2014 +1100
-
- - (djm) [README] update release notes URL.
-
-commit 2ae77e64f8fa82cbf25c9755e8e847709b978b40
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 16 18:51:07 2014 +1100
-
- - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
- [contrib/suse/openssh.spec] Crank RPM spec version numbers.
-
-commit 0fa29e6d777c73a1b4ddd3b996b06ee20022ae8a
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 16 18:42:31 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/16 07:32:00
- [version.h]
- openssh-6.5
-
-commit 52c371cd6d2598cc73d4e633811b3012119c47e2
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 16 18:42:10 2014 +1100
-
- - djm@cvs.openbsd.org 2014/01/16 07:31:09
- [sftp-client.c]
- needless and incorrect cast to size_t can break resumption of
- large download; patch from tobias@
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
index 7acd51fbe663..43e2a743537e 100644
--- a/crypto/openssh/FREEBSD-upgrade
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -1,4 +1,3 @@
-
FreeBSD maintainer's guide to OpenSSH-portable
==============================================
@@ -166,6 +165,13 @@
ignore HPN-related configuration options to avoid breaking existing
configurations.
+A) AES-CBC
+
+ The AES-CBC ciphers were removed from the server-side proposal list
+ in 6.7p1 due to theoretical weaknesses and the availability of
+ superior ciphers (including AES-CTR and AES-GCM). We have re-added
+ them for compatibility with third-party clients.
+
This port was brought to you by (in no particular order) DARPA, NAI
diff --git a/crypto/openssh/Makefile.in b/crypto/openssh/Makefile.in
index 40cc7aae1ed0..d401787db0ae 100644
--- a/crypto/openssh/Makefile.in
+++ b/crypto/openssh/Makefile.in
@@ -91,11 +91,11 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o
+ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+ platform-pledge.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
- sshconnect.o sshconnect1.o sshconnect2.o mux.o \
- roaming_common.o roaming_client.o
+ sshconnect.o sshconnect1.o sshconnect2.o mux.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
@@ -108,9 +108,9 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
- roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
- sandbox-seccomp-filter.o sandbox-capsicum.o
+ sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
+ sandbox-solaris.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@@ -178,14 +178,14 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -327,10 +327,6 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
- -rm -f $(DESTDIR)$(bindir)/slogin
- ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
- ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
@@ -359,41 +355,19 @@ install-sysconf:
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
- if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
- echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
- else \
- ./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
- fi ; \
- if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
- echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
- else \
- ./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
- fi ; \
- if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
- echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
- else \
- ./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
- fi ; \
- if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \
- echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \
- else \
- ./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \
- fi ; \
- if [ -z "@COMMENT_OUT_ECC@" ] ; then \
- if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
- echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
- else \
- ./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
- fi ; \
- fi ; \
- fi ;
+ ./ssh-keygen -A; \
+ fi
-host-key-force: ssh-keygen$(EXEEXT)
- ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
+host-key-force: ssh-keygen$(EXEEXT) ssh$(EXEEXT)
+ if ./ssh -Q protocol-version | grep '^1$$' >/dev/null; then \
+ ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""; \
+ fi
./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
- test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
+ if ./ssh -Q key | grep ecdsa >/dev/null ; then \
+ ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""; \
+ fi
uninstallall: uninstall
-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
@@ -407,7 +381,6 @@ uninstallall: uninstall
-rmdir $(DESTDIR)$(libexecdir)
uninstall:
- -rm -f $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
@@ -430,7 +403,6 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
regress-prep:
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
@@ -462,6 +434,10 @@ regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+regress/check-perm$(EXEEXT): $(srcdir)/regress/check-perm.c
+ $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
UNITTESTS_TEST_HELPER_OBJS=\
regress/unittests/test_helper/test_helper.o \
regress/unittests/test_helper/fuzz.o
@@ -510,8 +486,7 @@ regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \
UNITTESTS_TEST_KEX_OBJS=\
regress/unittests/kex/tests.o \
- regress/unittests/kex/test_kex.o \
- roaming_dummy.o
+ regress/unittests/kex/test_kex.o
regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
regress/unittests/test_helper/libtest_helper.a libssh.a
@@ -534,6 +509,7 @@ REGRESS_BINARIES=\
regress/modpipe$(EXEEXT) \
regress/setuid-allowed$(EXEEXT) \
regress/netcat$(EXEEXT) \
+ regress/check-perm$(EXEEXT) \
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
regress/unittests/sshkey/test_sshkey$(EXEEXT) \
regress/unittests/bitmap/test_bitmap$(EXEEXT) \
diff --git a/crypto/openssh/README b/crypto/openssh/README
index ea6e228dda95..86c55a554e89 100644
--- a/crypto/openssh/README
+++ b/crypto/openssh/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-7.1p2 for the release notes.
+See http://www.openssh.com/txt/release-7.2p2 for the release notes.
Please read http://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or
diff --git a/crypto/openssh/README.platform b/crypto/openssh/README.platform
index d1982321e3a9..8d75c16c1ca3 100644
--- a/crypto/openssh/README.platform
+++ b/crypto/openssh/README.platform
@@ -36,6 +36,9 @@ loginrestrictions() function, in particular that the user has the
"rlogin" attribute set. This check is not done for the root account,
instead the PermitRootLogin setting in sshd_config is used.
+If you are using the IBM compiler you probably want to use CC=xlc rather
+than the default of cc.
+
Cygwin
------
diff --git a/crypto/openssh/auth-bsdauth.c b/crypto/openssh/auth-bsdauth.c
index 37ff893e6938..e00718f2ed3f 100644
--- a/crypto/openssh/auth-bsdauth.c
+++ b/crypto/openssh/auth-bsdauth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-bsdauth.c,v 1.13 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: auth-bsdauth.c,v 1.14 2015/10/20 23:24:25 mmcc Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@@ -103,7 +103,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
if (!authctxt->valid)
return -1;
- if (authctxt->as == 0)
+ if (authctxt->as == NULL)
error("bsdauth_respond: no bsd auth session");
if (numresponses != 1)
diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c
index 0089b18440a9..d1c5a2f32898 100644
--- a/crypto/openssh/auth-krb5.c
+++ b/crypto/openssh/auth-krb5.c
@@ -1,8 +1,8 @@
-/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
+/* $OpenBSD: auth-krb5.c,v 1.21 2016/01/27 06:44:58 djm Exp $ */
/*
* Kerberos v5 authentication and ticket-passing routines.
*
- * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
+ * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
*/
/*
* Copyright (c) 2002 Daniel Kouril. All rights reserved.
diff --git a/crypto/openssh/auth-options.c b/crypto/openssh/auth-options.c
index e387697d36d0..edbaf80bbf09 100644
--- a/crypto/openssh/auth-options.c
+++ b/crypto/openssh/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -75,19 +75,45 @@ auth_clear_options(void)
free(ce->s);
free(ce);
}
- if (forced_command) {
- free(forced_command);
- forced_command = NULL;
- }
- if (authorized_principals) {
- free(authorized_principals);
- authorized_principals = NULL;
- }
+ free(forced_command);
+ forced_command = NULL;
+ free(authorized_principals);
+ authorized_principals = NULL;
forced_tun_device = -1;
channel_clear_permitted_opens();
}
/*
+ * Match flag 'opt' in *optsp, and if allow_negate is set then also match
+ * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
+ * if negated option matches.
+ * If the option or negated option matches, then *optsp is updated to
+ * point to the first character after the option and, if 'msg' is not NULL
+ * then a message based on it added via auth_debug_add().
+ */
+static int
+match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
+{
+ size_t opt_len = strlen(opt);
+ char *opts = *optsp;
+ int negate = 0;
+
+ if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
+ opts += 3;
+ negate = 1;
+ }
+ if (strncasecmp(opts, opt, opt_len) == 0) {
+ *optsp = opts + opt_len;
+ if (msg != NULL) {
+ auth_debug_add("%s %s.", msg,
+ negate ? "disabled" : "enabled");
+ }
+ return negate ? 0 : 1;
+ }
+ return -1;
+}
+
+/*
* return 1 if access is granted, 0 if not.
* side effect: sets key option flags
*/
@@ -95,7 +121,7 @@ int
auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
{
const char *cp;
- int i;
+ int i, r;
/* reset options */
auth_clear_options();
@@ -104,52 +130,48 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
return 1;
while (*opts && *opts != ' ' && *opts != '\t') {
- cp = "cert-authority";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- key_is_cert_authority = 1;
- opts += strlen(cp);
+ if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
+ key_is_cert_authority = r;
goto next_option;
}
- cp = "no-port-forwarding";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- auth_debug_add("Port forwarding disabled.");
+ if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
+ auth_debug_add("Key is restricted.");
no_port_forwarding_flag = 1;
- opts += strlen(cp);
+ no_agent_forwarding_flag = 1;
+ no_x11_forwarding_flag = 1;
+ no_pty_flag = 1;
+ no_user_rc = 1;
goto next_option;
}
- cp = "no-agent-forwarding";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- auth_debug_add("Agent forwarding disabled.");
- no_agent_forwarding_flag = 1;
- opts += strlen(cp);
+ if ((r = match_flag("port-forwarding", 1, &opts,
+ "Port forwarding")) != -1) {
+ no_port_forwarding_flag = r != 1;
goto next_option;
}
- cp = "no-X11-forwarding";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- auth_debug_add("X11 forwarding disabled.");
- no_x11_forwarding_flag = 1;
- opts += strlen(cp);
+ if ((r = match_flag("agent-forwarding", 1, &opts,
+ "Agent forwarding")) != -1) {
+ no_agent_forwarding_flag = r != 1;
goto next_option;
}
- cp = "no-pty";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- auth_debug_add("Pty allocation disabled.");
- no_pty_flag = 1;
- opts += strlen(cp);
+ if ((r = match_flag("x11-forwarding", 1, &opts,
+ "X11 forwarding")) != -1) {
+ no_x11_forwarding_flag = r != 1;
goto next_option;
}
- cp = "no-user-rc";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- auth_debug_add("User rc file execution disabled.");
- no_user_rc = 1;
- opts += strlen(cp);
+ if ((r = match_flag("pty", 1, &opts,
+ "PTY allocation")) != -1) {
+ no_pty_flag = r != 1;
+ goto next_option;
+ }
+ if ((r = match_flag("user-rc", 1, &opts,
+ "User rc execution")) != -1) {
+ no_user_rc = r != 1;
goto next_option;
}
cp = "command=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
- if (forced_command != NULL)
- free(forced_command);
+ free(forced_command);
forced_command = xmalloc(strlen(opts) + 1);
i = 0;
while (*opts) {
@@ -179,8 +201,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
cp = "principals=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
- if (authorized_principals != NULL)
- free(authorized_principals);
+ free(authorized_principals);
authorized_principals = xmalloc(strlen(opts) + 1);
i = 0;
while (*opts) {
@@ -566,8 +587,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
free(*cert_forced_command);
*cert_forced_command = NULL;
}
- if (name != NULL)
- free(name);
+ free(name);
sshbuf_free(data);
sshbuf_free(c);
return ret;
@@ -611,8 +631,7 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
no_user_rc |= cert_no_user_rc;
/* CA-specified forced command supersedes key option */
if (cert_forced_command != NULL) {
- if (forced_command != NULL)
- free(forced_command);
+ free(forced_command);
forced_command = cert_forced_command;
}
return 0;
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index d94c8285bba4..8425af1ea33a 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -45,7 +45,8 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
+/* Based on FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des */
+
#include "includes.h"
#include <sys/types.h>
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
index 8b27575b071d..2160154f495c 100644
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.84 2015/05/08 06:41:56 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.86 2015/12/04 16:41:28 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -209,7 +209,7 @@ Key *get_hostkey_private_by_type(int, int, struct ssh *);
int get_hostkey_index(Key *, int, struct ssh *);
int ssh1_session_key(BIGNUM *);
int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
- const u_char *, size_t, u_int);
+ const u_char *, size_t, const char *, u_int);
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff --git a/crypto/openssh/auth2-pubkey.c b/crypto/openssh/auth2-pubkey.c
index 5aa319ccc117..41b34aed2417 100644
--- a/crypto/openssh/auth2-pubkey.c
+++ b/crypto/openssh/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -79,19 +79,19 @@ userauth_pubkey(Authctxt *authctxt)
{
Buffer b;
Key *key = NULL;
- char *pkalg, *userstyle;
+ char *pkalg, *userstyle, *fp = NULL;
u_char *pkblob, *sig;
u_int alen, blen, slen;
int have_sig, pktype;
int authenticated = 0;
if (!authctxt->valid) {
- debug2("userauth_pubkey: disabled because of invalid user");
+ debug2("%s: disabled because of invalid user", __func__);
return 0;
}
have_sig = packet_get_char();
if (datafellows & SSH_BUG_PKAUTH) {
- debug2("userauth_pubkey: SSH_BUG_PKAUTH");
+ debug2("%s: SSH_BUG_PKAUTH", __func__);
/* no explicit pkalg given */
pkblob = packet_get_string(&blen);
buffer_init(&b);
@@ -106,18 +106,18 @@ userauth_pubkey(Authctxt *authctxt)
pktype = key_type_from_name(pkalg);
if (pktype == KEY_UNSPEC) {
/* this is perfectly legal */
- logit("userauth_pubkey: unsupported public key algorithm: %s",
- pkalg);
+ logit("%s: unsupported public key algorithm: %s",
+ __func__, pkalg);
goto done;
}
key = key_from_blob(pkblob, blen);
if (key == NULL) {
- error("userauth_pubkey: cannot decode key: %s", pkalg);
+ error("%s: cannot decode key: %s", __func__, pkalg);
goto done;
}
if (key->type != pktype) {
- error("userauth_pubkey: type mismatch for decoded key "
- "(received %d, expected %d)", key->type, pktype);
+ error("%s: type mismatch for decoded key "
+ "(received %d, expected %d)", __func__, key->type, pktype);
goto done;
}
if (key_type_plain(key->type) == KEY_RSA &&
@@ -126,6 +126,7 @@ userauth_pubkey(Authctxt *authctxt)
"signature scheme");
goto done;
}
+ fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
if (auth2_userkey_already_used(authctxt, key)) {
logit("refusing previously-used %s key", key_type(key));
goto done;
@@ -138,6 +139,8 @@ userauth_pubkey(Authctxt *authctxt)
}
if (have_sig) {
+ debug3("%s: have signature for %s %s",
+ __func__, sshkey_type(key), fp);
sig = packet_get_string(&slen);
packet_check_eom();
buffer_init(&b);
@@ -183,7 +186,8 @@ userauth_pubkey(Authctxt *authctxt)
buffer_free(&b);
free(sig);
} else {
- debug("test whether pkalg/pkblob are acceptable");
+ debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+ __func__, sshkey_type(key), fp);
packet_check_eom();
/* XXX fake reply and always send PK_OK ? */
@@ -206,11 +210,12 @@ userauth_pubkey(Authctxt *authctxt)
if (authenticated != 1)
auth_clear_options();
done:
- debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
+ debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
if (key != NULL)
key_free(key);
free(pkalg);
free(pkblob);
+ free(fp);
return authenticated;
}
@@ -796,8 +801,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
free(fp);
continue;
}
- verbose("Accepted certificate ID \"%s\" "
+ verbose("Accepted certificate ID \"%s\" (serial %llu) "
"signed by %s CA %s via %s", key->cert->key_id,
+ (unsigned long long)key->cert->serial,
key_type(found), fp, file);
free(fp);
found_key = 1;
@@ -875,8 +881,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
if (auth_cert_options(key, pw) != 0)
goto out;
- verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
- key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
+ verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
+ "%s CA %s via %s", key->cert->key_id,
+ (unsigned long long)key->cert->serial,
+ key_type(key->cert->signature_key), ca_fp,
options.trusted_user_ca_keys);
ret = 1;
diff --git a/crypto/openssh/authfd.c b/crypto/openssh/authfd.c
index eaa1426485d0..a634bcb81c58 100644
--- a/crypto/openssh/authfd.c
+++ b/crypto/openssh/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.100 2015/12/04 16:41:28 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -426,11 +426,24 @@ ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
}
#endif
+/* encode signature algoritm in flag bits, so we can keep the msg format */
+static u_int
+agent_encode_alg(struct sshkey *key, const char *alg)
+{
+ if (alg != NULL && key->type == KEY_RSA) {
+ if (strcmp(alg, "rsa-sha2-256") == 0)
+ return SSH_AGENT_RSA_SHA2_256;
+ else if (strcmp(alg, "rsa-sha2-512") == 0)
+ return SSH_AGENT_RSA_SHA2_512;
+ }
+ return 0;
+}
+
/* ask agent to sign data, returns err.h code on error, 0 on success */
int
ssh_agent_sign(int sock, struct sshkey *key,
u_char **sigp, size_t *lenp,
- const u_char *data, size_t datalen, u_int compat)
+ const u_char *data, size_t datalen, const char *alg, u_int compat)
{
struct sshbuf *msg;
u_char *blob = NULL, type;
@@ -449,12 +462,13 @@ ssh_agent_sign(int sock, struct sshkey *key,
return SSH_ERR_ALLOC_FAIL;
if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
goto out;
+ flags |= agent_encode_alg(key, alg);
if ((r = sshbuf_put_u8(msg, SSH2_AGENTC_SIGN_REQUEST)) != 0 ||
(r = sshbuf_put_string(msg, blob, blen)) != 0 ||
(r = sshbuf_put_string(msg, data, datalen)) != 0 ||
(r = sshbuf_put_u32(msg, flags)) != 0)
goto out;
- if ((r = ssh_request_reply(sock, msg, msg) != 0))
+ if ((r = ssh_request_reply(sock, msg, msg)) != 0)
goto out;
if ((r = sshbuf_get_u8(msg, &type)) != 0)
goto out;
diff --git a/crypto/openssh/authfd.h b/crypto/openssh/authfd.h
index bea20c26bc96..4b417e3f4a22 100644
--- a/crypto/openssh/authfd.h
+++ b/crypto/openssh/authfd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.38 2015/01/14 20:05:27 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.39 2015/12/04 16:41:28 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -41,7 +41,7 @@ int ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
u_char session_id[16], u_char response[16]);
int ssh_agent_sign(int sock, struct sshkey *key,
u_char **sigp, size_t *lenp,
- const u_char *data, size_t datalen, u_int compat);
+ const u_char *data, size_t datalen, const char *alg, u_int compat);
/* Messages for the authentication agent connection. */
#define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
@@ -86,5 +86,7 @@ int ssh_agent_sign(int sock, struct sshkey *key,
#define SSH_COM_AGENT2_FAILURE 102
#define SSH_AGENT_OLD_SIGNATURE 0x01
+#define SSH_AGENT_RSA_SHA2_256 0x02
+#define SSH_AGENT_RSA_SHA2_512 0x04
#endif /* AUTHFD_H */
diff --git a/crypto/openssh/authfile.c b/crypto/openssh/authfile.c
index 58f589a4745d..d67042411cca 100644
--- a/crypto/openssh/authfile.c
+++ b/crypto/openssh/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.116 2015/07/09 09:49:46 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.120 2015/12/11 04:21:11 mmcc Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
@@ -243,8 +243,7 @@ sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
/* success */
r = 0;
out:
- if (buffer != NULL)
- sshbuf_free(buffer);
+ sshbuf_free(buffer);
return r;
}
@@ -272,14 +271,13 @@ sshkey_load_private(const char *filename, const char *passphrase,
goto out;
}
if ((r = sshkey_load_file(fd, buffer)) != 0 ||
- (r = sshkey_parse_private_fileblob(buffer, passphrase, filename,
- keyp, commentp)) != 0)
+ (r = sshkey_parse_private_fileblob(buffer, passphrase, keyp,
+ commentp)) != 0)
goto out;
r = 0;
out:
close(fd);
- if (buffer != NULL)
- sshbuf_free(buffer);
+ sshbuf_free(buffer);
return r;
}
@@ -426,10 +424,8 @@ sshkey_load_cert(const char *filename, struct sshkey **keyp)
r = 0;
out:
- if (file != NULL)
- free(file);
- if (pub != NULL)
- sshkey_free(pub);
+ free(file);
+ sshkey_free(pub);
return r;
}
@@ -474,10 +470,8 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
*keyp = key;
key = NULL;
out:
- if (key != NULL)
- sshkey_free(key);
- if (cert != NULL)
- sshkey_free(cert);
+ sshkey_free(key);
+ sshkey_free(cert);
return r;
}
@@ -538,8 +532,7 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type,
}
r = SSH_ERR_KEY_NOT_FOUND;
out:
- if (pub != NULL)
- sshkey_free(pub);
+ sshkey_free(pub);
fclose(f);
return r;
}
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
index a84b487e57b2..c9d2015eea39 100644
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.347 2015/07/01 02:26:31 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.349 2016/02/05 13:28:19 naddy Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -662,7 +662,7 @@ channel_open_message(void)
case SSH_CHANNEL_INPUT_DRAINING:
case SSH_CHANNEL_OUTPUT_DRAINING:
snprintf(buf, sizeof buf,
- " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n",
+ " #%d %.300s (t%d r%d i%u/%d o%u/%d fd %d/%d cc %d)\r\n",
c->self, c->remote_name,
c->type, c->remote_id,
c->istate, buffer_len(&c->input),
@@ -1896,13 +1896,13 @@ read_mux(Channel *c, u_int need)
if (buffer_len(&c->input) < need) {
rlen = need - buffer_len(&c->input);
len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF));
+ if (len < 0 && (errno == EINTR || errno == EAGAIN))
+ return buffer_len(&c->input);
if (len <= 0) {
- if (errno != EINTR && errno != EAGAIN) {
- debug2("channel %d: ctl read<=0 rfd %d len %d",
- c->self, c->rfd, len);
- chan_read_failed(c);
- return 0;
- }
+ debug2("channel %d: ctl read<=0 rfd %d len %d",
+ c->self, c->rfd, len);
+ chan_read_failed(c);
+ return 0;
} else
buffer_append(&c->input, buf, len);
}
diff --git a/crypto/openssh/cipher.c b/crypto/openssh/cipher.c
index 02dae6f9fa1f..13847e5bd7b6 100644
--- a/crypto/openssh/cipher.c
+++ b/crypto/openssh/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.100 2015/01/14 10:29:45 djm Exp $ */
+/* $OpenBSD: cipher.c,v 1.101 2015/12/10 17:08:40 mmcc Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -353,8 +353,7 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
if (cipher->discard_len > 0) {
if ((junk = malloc(cipher->discard_len)) == NULL ||
(discard = malloc(cipher->discard_len)) == NULL) {
- if (junk != NULL)
- free(junk);
+ free(junk);
ret = SSH_ERR_ALLOC_FAIL;
goto bad;
}
diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c
index 87ceb3dab9e6..9820455c4293 100644
--- a/crypto/openssh/clientloop.c
+++ b/crypto/openssh/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */
+/* $OpenBSD: clientloop.c,v 1.284 2016/02/08 10:57:07 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -111,7 +111,6 @@
#include "sshpty.h"
#include "match.h"
#include "msg.h"
-#include "roaming.h"
#include "ssherr.h"
#include "hostfile.h"
@@ -169,8 +168,6 @@ static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
static void client_init_dispatch(void);
int session_ident = -1;
-int session_resumed = 0;
-
/* Track escape per proto2 channel */
struct escape_filter_ctx {
int escape_pending;
@@ -288,6 +285,9 @@ client_x11_display_valid(const char *display)
{
size_t i, dlen;
+ if (display == NULL)
+ return 0;
+
dlen = strlen(display);
for (i = 0; i < dlen; i++) {
if (!isalnum((u_char)display[i]) &&
@@ -301,35 +301,34 @@ client_x11_display_valid(const char *display)
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
#define X11_TIMEOUT_SLACK 60
-void
+int
client_x11_get_proto(const char *display, const char *xauth_path,
u_int trusted, u_int timeout, char **_proto, char **_data)
{
- char cmd[1024];
- char line[512];
- char xdisplay[512];
+ char cmd[1024], line[512], xdisplay[512];
+ char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
static char proto[512], data[512];
FILE *f;
- int got_data = 0, generated = 0, do_unlink = 0, i;
- char *xauthdir, *xauthfile;
+ int got_data = 0, generated = 0, do_unlink = 0, i, r;
struct stat st;
u_int now, x11_timeout_real;
- xauthdir = xauthfile = NULL;
*_proto = proto;
*_data = data;
- proto[0] = data[0] = '\0';
+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
- if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
+ if (!client_x11_display_valid(display)) {
+ if (display != NULL)
+ logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
+ display);
+ return -1;
+ }
+ if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
debug("No xauth program.");
- } else if (!client_x11_display_valid(display)) {
- logit("DISPLAY '%s' invalid, falling back to fake xauth data",
- display);
- } else {
- if (display == NULL) {
- debug("x11_get_proto: DISPLAY not set");
- return;
- }
+ xauth_path = NULL;
+ }
+
+ if (xauth_path != NULL) {
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
@@ -338,45 +337,60 @@ client_x11_get_proto(const char *display, const char *xauth_path,
* is not perfect.
*/
if (strncmp(display, "localhost:", 10) == 0) {
- snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
- display + 10);
+ if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+ display + 10)) < 0 ||
+ (size_t)r >= sizeof(xdisplay)) {
+ error("%s: display name too long", __func__);
+ return -1;
+ }
display = xdisplay;
}
if (trusted == 0) {
- xauthdir = xmalloc(PATH_MAX);
- xauthfile = xmalloc(PATH_MAX);
- mktemp_proto(xauthdir, PATH_MAX);
/*
+ * Generate an untrusted X11 auth cookie.
+ *
* The authentication cookie should briefly outlive
* ssh's willingness to forward X11 connections to
* avoid nasty fail-open behaviour in the X server.
*/
+ mktemp_proto(xauthdir, sizeof(xauthdir));
+ if (mkdtemp(xauthdir) == NULL) {
+ error("%s: mkdtemp: %s",
+ __func__, strerror(errno));
+ return -1;
+ }
+ do_unlink = 1;
+ if ((r = snprintf(xauthfile, sizeof(xauthfile),
+ "%s/xauthfile", xauthdir)) < 0 ||
+ (size_t)r >= sizeof(xauthfile)) {
+ error("%s: xauthfile path too long", __func__);
+ unlink(xauthfile);
+ rmdir(xauthdir);
+ return -1;
+ }
+
if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
x11_timeout_real = UINT_MAX;
else
x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
- if (mkdtemp(xauthdir) != NULL) {
- do_unlink = 1;
- snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
- xauthdir);
- snprintf(cmd, sizeof(cmd),
- "%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout %u 2>" _PATH_DEVNULL,
- xauth_path, xauthfile, display,
- x11_timeout_real);
- debug2("x11_get_proto: %s", cmd);
- if (x11_refuse_time == 0) {
- now = monotime() + 1;
- if (UINT_MAX - timeout < now)
- x11_refuse_time = UINT_MAX;
- else
- x11_refuse_time = now + timeout;
- channel_set_x11_refuse_time(
- x11_refuse_time);
- }
- if (system(cmd) == 0)
- generated = 1;
+ if ((r = snprintf(cmd, sizeof(cmd),
+ "%s -f %s generate %s " SSH_X11_PROTO
+ " untrusted timeout %u 2>" _PATH_DEVNULL,
+ xauth_path, xauthfile, display,
+ x11_timeout_real)) < 0 ||
+ (size_t)r >= sizeof(cmd))
+ fatal("%s: cmd too long", __func__);
+ debug2("%s: %s", __func__, cmd);
+ if (x11_refuse_time == 0) {
+ now = monotime() + 1;
+ if (UINT_MAX - timeout < now)
+ x11_refuse_time = UINT_MAX;
+ else
+ x11_refuse_time = now + timeout;
+ channel_set_x11_refuse_time(x11_refuse_time);
}
+ if (system(cmd) == 0)
+ generated = 1;
}
/*
@@ -398,17 +412,20 @@ client_x11_get_proto(const char *display, const char *xauth_path,
got_data = 1;
if (f)
pclose(f);
- } else
- error("Warning: untrusted X11 forwarding setup failed: "
- "xauth key data not generated");
+ }
}
if (do_unlink) {
unlink(xauthfile);
rmdir(xauthdir);
}
- free(xauthdir);
- free(xauthfile);
+
+ /* Don't fall back to fake X11 data for untrusted forwarding */
+ if (!trusted && !got_data) {
+ error("Warning: untrusted X11 forwarding setup failed: "
+ "xauth key data not generated");
+ return -1;
+ }
/*
* If we didn't get authentication data, just make up some
@@ -432,6 +449,8 @@ client_x11_get_proto(const char *display, const char *xauth_path,
rnd >>= 8;
}
}
+
+ return 0;
}
/*
@@ -735,7 +754,7 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
static void
client_process_net_input(fd_set *readset)
{
- int len, cont = 0;
+ int len;
char buf[SSH_IOBUFSZ];
/*
@@ -744,8 +763,8 @@ client_process_net_input(fd_set *readset)
*/
if (FD_ISSET(connection_in, readset)) {
/* Read as much as possible. */
- len = roaming_read(connection_in, buf, sizeof(buf), &cont);
- if (len == 0 && cont == 0) {
+ len = read(connection_in, buf, sizeof(buf));
+ if (len == 0) {
/*
* Received EOF. The remote host has closed the
* connection.
@@ -1483,13 +1502,43 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
{
fd_set *readset = NULL, *writeset = NULL;
double start_time, total_time;
- int r, max_fd = 0, max_fd2 = 0, len, rekeying = 0;
+ int r, max_fd = 0, max_fd2 = 0, len;
u_int64_t ibytes, obytes;
u_int nalloc = 0;
char buf[100];
debug("Entering interactive session.");
+ if (options.control_master &&
+ ! option_clear_or_none(options.control_path)) {
+ debug("pledge: id");
+ if (pledge("stdio rpath wpath cpath unix inet dns proc exec id tty",
+ NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else if (options.forward_x11 || options.permit_local_command) {
+ debug("pledge: exec");
+ if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty",
+ NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else if (options.update_hostkeys) {
+ debug("pledge: filesystem full");
+ if (pledge("stdio rpath wpath cpath unix inet dns proc tty",
+ NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else if (! option_clear_or_none(options.proxy_command)) {
+ debug("pledge: proc");
+ if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else {
+ debug("pledge: network");
+ if (pledge("stdio unix inet dns tty", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+ }
+
start_time = get_current_time();
/* Initialize variables. */
@@ -1568,10 +1617,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
if (compat20 && session_closed && !channel_still_open())
break;
- rekeying = (active_state->kex != NULL && !active_state->kex->done);
-
- if (rekeying) {
+ if (ssh_packet_is_rekeying(active_state)) {
debug("rekeying in progress");
+ } else if (need_rekeying) {
+ /* manual rekey request */
+ debug("need rekeying");
+ if ((r = kex_start_rekex(active_state)) != 0)
+ fatal("%s: kex_start_rekex: %s", __func__,
+ ssh_err(r));
+ need_rekeying = 0;
} else {
/*
* Make packets of buffered stdin data, and buffer
@@ -1602,23 +1656,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
*/
max_fd2 = max_fd;
client_wait_until_can_do_something(&readset, &writeset,
- &max_fd2, &nalloc, rekeying);
+ &max_fd2, &nalloc, ssh_packet_is_rekeying(active_state));
if (quit_pending)
break;
/* Do channel operations unless rekeying in progress. */
- if (!rekeying) {
+ if (!ssh_packet_is_rekeying(active_state))
channel_after_select(readset, writeset);
- if (need_rekeying || packet_need_rekeying()) {
- debug("need rekeying");
- active_state->kex->done = 0;
- if ((r = kex_send_kexinit(active_state)) != 0)
- fatal("%s: kex_send_kexinit: %s",
- __func__, ssh_err(r));
- need_rekeying = 0;
- }
- }
/* Buffer input from the connection. */
client_process_net_input(readset);
@@ -1636,14 +1681,6 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
client_process_output(writeset);
}
- if (session_resumed) {
- connection_in = packet_get_connection_in();
- connection_out = packet_get_connection_out();
- max_fd = MAX(max_fd, connection_out);
- max_fd = MAX(max_fd, connection_in);
- session_resumed = 0;
- }
-
/*
* Send as much buffered packet data as possible to the
* sender.
@@ -1737,7 +1774,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
}
/* Clear and free any buffers. */
- memset(buf, 0, sizeof(buf));
+ explicit_bzero(buf, sizeof(buf));
buffer_free(&stdin_buffer);
buffer_free(&stdout_buffer);
buffer_free(&stderr_buffer);
diff --git a/crypto/openssh/clientloop.h b/crypto/openssh/clientloop.h
index 338d45186f8b..f4d4c69b73a0 100644
--- a/crypto/openssh/clientloop.h
+++ b/crypto/openssh/clientloop.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
+/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -39,7 +39,7 @@
/* Client side main loop for the interactive session. */
int client_loop(int, int, int);
-void client_x11_get_proto(const char *, const char *, u_int, u_int,
+int client_x11_get_proto(const char *, const char *, u_int, u_int,
char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,
diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h
index f8f9444f0184..8e59833afbd0 100644
--- a/crypto/openssh/config.h
+++ b/crypto/openssh/config.h
@@ -698,9 +698,6 @@
/* Define to 1 if you have the `network' library (-lnetwork). */
/* #undef HAVE_LIBNETWORK */
-/* Define to 1 if you have the `nsl' library (-lnsl). */
-/* #undef HAVE_LIBNSL */
-
/* Define to 1 if you have the `pam' library (-lpam). */
#define HAVE_LIBPAM 1
@@ -849,6 +846,9 @@
/* define if you have pid_t data type */
#define HAVE_PID_T 1
+/* Define to 1 if you have the `pledge' function. */
+/* #undef HAVE_PLEDGE */
+
/* Define to 1 if you have the `poll' function. */
#define HAVE_POLL 1
@@ -858,6 +858,12 @@
/* Define to 1 if you have the `prctl' function. */
/* #undef HAVE_PRCTL */
+/* Define to 1 if you have the `priv_basicset' function. */
+/* #undef HAVE_PRIV_BASICSET */
+
+/* Define to 1 if you have the <priv.h> header file. */
+/* #undef HAVE_PRIV_H */
+
/* Define if you have /proc/$pid/fd */
/* #undef HAVE_PROC_PID */
@@ -960,6 +966,9 @@
/* Define to 1 if you have the `setpcred' function. */
/* #undef HAVE_SETPCRED */
+/* Define to 1 if you have the `setppriv' function. */
+/* #undef HAVE_SETPPRIV */
+
/* Define to 1 if you have the `setproctitle' function. */
#define HAVE_SETPROCTITLE 1
@@ -1451,6 +1460,9 @@
/* Define if you don't want to use lastlog in session.c */
/* #undef NO_SSH_LASTLOG */
+/* Define to disable UID restoration test */
+/* #undef NO_UID_RESTORATION_TEST */
+
/* Define if X11 doesn't support AF_UNIX sockets on that system */
/* #undef NO_X11_UNIX_SOCKETS */
@@ -1530,6 +1542,9 @@
/* no privsep sandboxing */
/* #undef SANDBOX_NULL */
+/* Sandbox using pledge(2) */
+/* #undef SANDBOX_PLEDGE */
+
/* Sandbox using setrlimit(2) */
/* #undef SANDBOX_RLIMIT */
@@ -1542,6 +1557,9 @@
/* define if setrlimit RLIMIT_NOFILE breaks things */
#define SANDBOX_SKIP_RLIMIT_NOFILE 1
+/* Sandbox using Solaris/Illumos privileges */
+/* #undef SANDBOX_SOLARIS */
+
/* Sandbox using systrace(4) */
/* #undef SANDBOX_SYSTRACE */
@@ -1648,6 +1666,9 @@
/* Use PIPES instead of a socketpair() */
/* #undef USE_PIPES */
+/* Define if you have Solaris privileges */
+/* #undef USE_SOLARIS_PRIVS */
+
/* Define if you have Solaris process contracts */
/* #undef USE_SOLARIS_PROCESS_CONTRACTS */
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index ddc9a8a6676e..05799c864f5e 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -141,7 +141,7 @@ else
fi
AC_ARG_WITH([ssh1],
- [ --without-ssh1 Enable support for SSH protocol 1],
+ [ --with-ssh1 Enable support for SSH protocol 1],
[
if test "x$withval" = "xyes" ; then
if test "x$openssl" = "xno" ; then
@@ -476,6 +476,11 @@ AC_CHECK_HEADERS([sys/un.h], [], [], [
SIA_MSG="no"
SPC_MSG="no"
SP_MSG="no"
+SPP_MSG="no"
+
+# Support for Solaris/Illumos privileges (this test is used by both
+# the --with-solaris-privs option and --with-sandbox=solaris).
+SOLARIS_PRIVS="no"
# Check for some target-specific stuff
case "$host" in
@@ -582,6 +587,8 @@ case "$host" in
LIBS="$LIBS /usr/lib/textreadmode.o"
AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
+ AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
+ [Define to disable UID restoration test])
AC_DEFINE([DISABLE_SHADOW], [1],
[Define if you want to disable shadow passwords])
AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
@@ -644,6 +651,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
supported by bsd-setproctitle.c])
AC_CHECK_FUNCS([sandbox_init])
AC_CHECK_HEADERS([sandbox.h])
+ AC_CHECK_LIB([sandbox], [sandbox_apply], [
+ SSHDLIBS="$SSHDLIBS -lsandbox"
+ ])
;;
*-*-dragonfly*)
SSHDLIBS="$SSHDLIBS -lcrypt"
@@ -896,13 +906,16 @@ mips-sony-bsd|mips-sony-newsos4)
else
AC_MSG_RESULT([no])
fi
+ AC_CHECK_FUNCS([setppriv])
+ AC_CHECK_FUNCS([priv_basicset])
+ AC_CHECK_HEADERS([priv.h])
AC_ARG_WITH([solaris-contracts],
[ --with-solaris-contracts Enable Solaris process contracts (experimental)],
[
AC_CHECK_LIB([contract], [ct_tmpl_activate],
[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
[Define if you have Solaris process contracts])
- SSHDLIBS="$SSHDLIBS -lcontract"
+ LIBS="$LIBS -lcontract"
SPC_MSG="yes" ], )
],
)
@@ -912,10 +925,29 @@ mips-sony-bsd|mips-sony-newsos4)
AC_CHECK_LIB([project], [setproject],
[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
[Define if you have Solaris projects])
- SSHDLIBS="$SSHDLIBS -lproject"
+ LIBS="$LIBS -lproject"
SP_MSG="yes" ], )
],
)
+ AC_ARG_WITH([solaris-privs],
+ [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)],
+ [
+ AC_MSG_CHECKING([for Solaris/Illumos privilege support])
+ if test "x$ac_cv_func_setppriv" = "xyes" -a \
+ "x$ac_cv_header_priv_h" = "xyes" ; then
+ SOLARIS_PRIVS=yes
+ AC_MSG_RESULT([found])
+ AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
+ [Define to disable UID restoration test])
+ AC_DEFINE([USE_SOLARIS_PRIVS], [1],
+ [Define if you have Solaris privileges])
+ SPP_MSG="yes"
+ else
+ AC_MSG_RESULT([not found])
+ AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
+ fi
+ ],
+ )
TEST_SHELL=$SHELL # let configure find us a capable shell
;;
*-*-sunos4*)
@@ -1129,7 +1161,6 @@ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
dnl Checks for header files.
# Checks for libraries.
-AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])])
AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
dnl IRIX and Solaris 2.5.1 have dirname() in libgen
@@ -1293,8 +1324,10 @@ AC_SEARCH_LIBS([openpty], [util bsd])
AC_SEARCH_LIBS([updwtmp], [util bsd])
AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
-# On some platforms, inet_ntop may be found in libresolv or libnsl.
+# On some platforms, inet_ntop and gethostbyname may be found in libresolv
+# or libnsl.
AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
+AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
AC_FUNC_STRFTIME
@@ -1732,6 +1765,7 @@ AC_CHECK_FUNCS([ \
nsleep \
ogetaddrinfo \
openlog_r \
+ pledge \
poll \
prctl \
pstat \
@@ -2372,10 +2406,10 @@ openssl_engine=no
AC_ARG_WITH([ssl-engine],
[ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
[
- if test "x$openssl" = "xno" ; then
- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
- fi
if test "x$withval" != "xno" ; then
+ if test "x$openssl" = "xno" ; then
+ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
+ fi
openssl_engine=yes
fi
]
@@ -2408,6 +2442,7 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_CHECKING([OpenSSL header version])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
+ #include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
@@ -2420,7 +2455,8 @@ if test "x$openssl" = "xyes" ; then
if(fd == NULL)
exit(1);
- if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+ if ((rc = fprintf(fd ,"%08lx (%s)\n",
+ (unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
exit(1);
exit(0);
@@ -2487,6 +2523,7 @@ if test "x$openssl" = "xyes" ; then
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/opensslv.h>
+ #include <openssl/crypto.h>
]], [[
exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
]])],
@@ -3061,7 +3098,7 @@ fi
# Decide which sandbox style to use
sandbox_arg=""
AC_ARG_WITH([sandbox],
- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
+ [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
[
if test "x$withval" = "xyes" ; then
sandbox_arg=""
@@ -3157,7 +3194,13 @@ AC_RUN_IFELSE(
[AC_MSG_WARN([cross compiling: assuming yes])]
)
-if test "x$sandbox_arg" = "xsystrace" || \
+if test "x$sandbox_arg" = "xpledge" || \
+ ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
+ test "x$ac_cv_func_pledge" != "xyes" && \
+ AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
+ SANDBOX_STYLE="pledge"
+ AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
+elif test "x$sandbox_arg" = "xsystrace" || \
( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
test "x$have_systr_policy_kill" != "x1" && \
AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
@@ -3210,6 +3253,10 @@ elif test "x$sandbox_arg" = "xrlimit" || \
AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
SANDBOX_STYLE="rlimit"
AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
+elif test "x$sandbox_arg" = "xsolaris" || \
+ ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
+ SANDBOX_STYLE="solaris"
+ AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
SANDBOX_STYLE="none"
@@ -4033,7 +4080,10 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
- ]], [[ ]])],
+ ]], [[
+struct __res_state *volatile p = &_res; /* force resolution of _res */
+return 0;
+ ]],)],
[AC_MSG_RESULT([yes])
AC_DEFINE([HAVE__RES_EXTERN], [1],
[Define if you have struct __res_state _res as an extern])
@@ -4997,6 +5047,7 @@ echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
+echo " Solaris privilege support: $SPP_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff --git a/crypto/openssh/contrib/redhat/openssh.spec b/crypto/openssh/contrib/redhat/openssh.spec
index 4c55227e5e9e..eefe82df074e 100644
--- a/crypto/openssh/contrib/redhat/openssh.spec
+++ b/crypto/openssh/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 7.1p2
+%define ver 7.2p2
%define rel 1
# OpenSSH privilege separation requires a user & group ID
@@ -89,7 +89,7 @@ Requires: initscripts >= 5.20
BuildRequires: perl, openssl-devel
BuildRequires: /bin/login
%if ! %{build6x}
-BuildPreReq: glibc-devel, pam
+BuildRequires: glibc-devel, pam
%else
BuildRequires: /usr/include/security/pam_appl.h
%endif
@@ -184,7 +184,7 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif
%if %{kerberos5}
-K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
+K5DIR=`rpm -ql krb5-devel | grep 'include/krb5\.h' | sed 's,\/include\/krb5.h,,'`
echo K5DIR=$K5DIR
%endif
@@ -192,7 +192,6 @@ echo K5DIR=$K5DIR
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
- --with-rsh=%{_bindir}/rsh \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
diff --git a/crypto/openssh/contrib/ssh-copy-id b/crypto/openssh/contrib/ssh-copy-id
index ae88e9958d69..afde8b1703c9 100644
--- a/crypto/openssh/contrib/ssh-copy-id
+++ b/crypto/openssh/contrib/ssh-copy-id
@@ -56,10 +56,13 @@ then
fi
fi
-DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
+DEFAULT_PUB_ID_FILE="$HOME/$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)"
usage () {
- printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
+ printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
+ printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2
+ printf '\t-n: dry run -- no keys are actually copied\n' >&2
+ printf '\t-h|-?: print this help\n' >&2
exit 1
}
@@ -77,15 +80,18 @@ use_id_file() {
PUB_ID_FILE="$L_ID_FILE.pub"
fi
- PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
+ [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
# check that the files are readable
- for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
- ErrMSG=$( { : < $f ; } 2>&1 ) || {
- printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')"
+ for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
+ ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
+ local L_PRIVMSG=""
+ [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
+ printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
exit 1
}
done
+ printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2
GET_ID="cat \"$PUB_ID_FILE\""
}
@@ -121,7 +127,7 @@ do
}
shift
;;
- -n|-h|-\?)
+ -f|-n|-h|-\?)
OPT="$1"
OPTARG=
shift
@@ -154,6 +160,9 @@ do
-o|-p)
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
;;
+ -f)
+ FORCED=1
+ ;;
-n)
DRY_RUN=1
;;
@@ -194,27 +203,35 @@ fi
populate_new_ids() {
local L_SUCCESS="$1"
+ if [ "$FORCED" ] ; then
+ NEW_IDS=$(eval $GET_ID)
+ return
+ fi
+
# repopulate "$@" inside this function
eval set -- "$SSH_OPTS"
umask 0177
local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
- echo "mktemp failed" 1>&2
+ printf '%s: ERROR: mktemp failed\n' "$0" >&2
exit 1
fi
- trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT
+ local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
+ trap "$L_CLEANUP" EXIT TERM INT QUIT
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
NEW_IDS=$(
eval $GET_ID | {
- while read ID ; do
- printf '%s\n' "$ID" > $L_TMP_ID_FILE
+ while read ID || [ "$ID" ] ; do
+ printf '%s\n' "$ID" > "$L_TMP_ID_FILE"
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
# assumption will break if we implement the possibility of multiple -i options.
# The point being that if file based, ssh needs the private key, which it cannot
# find if only given the contents of the .pub file in an unrelated tmpfile
ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
+ -o ControlPath=none \
+ -o LogLevel=INFO \
-o PreferredAuthentications=publickey \
-o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
if [ "$?" = "$L_SUCCESS" ] ; then
@@ -230,20 +247,21 @@ populate_new_ids() {
done
}
)
- rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
+ eval "$L_CLEANUP" && trap - EXIT TERM INT QUIT
if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
exit 1
fi
if [ -z "$NEW_IDS" ] ; then
- printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2
+ printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
exit 0
fi
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
}
-REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
+REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 |
sed -ne 's/.*remote software version //p')
case "$REMOTE_VERSION" in
@@ -269,10 +287,9 @@ case "$REMOTE_VERSION" in
*)
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
populate_new_ids 0
- [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
- umask 077 ;
- mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
- if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
+ # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; 'cd' to be at $HOME; and all on one line, because tcsh.
+ [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;
diff --git a/crypto/openssh/contrib/ssh-copy-id.1 b/crypto/openssh/contrib/ssh-copy-id.1
index 67a59e492a92..8850cceda0a9 100644
--- a/crypto/openssh/contrib/ssh-copy-id.1
+++ b/crypto/openssh/contrib/ssh-copy-id.1
@@ -29,6 +29,7 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.Nd use locally available keys to authorise logins on a remote machine
.Sh SYNOPSIS
.Nm
+.Op Fl f
.Op Fl n
.Op Fl i Op Ar identity_file
.Op Fl p Ar port
@@ -76,6 +77,10 @@ is used.
Note that this can be used to ensure that the keys copied have the
comment one prefers and/or extra options applied, by ensuring that the
key file has these set as preferred before the copy is attempted.
+.It Fl f
+Forced mode: doesn't check if the keys are present on the remote server.
+This means that it does not need the private key. Of course, this can result
+in more than one copy of the key being installed on the remote system.
.It Fl n
do a dry-run. Instead of installing keys on the remote system simply
prints the key(s) that would have been installed.
diff --git a/crypto/openssh/contrib/suse/openssh.spec b/crypto/openssh/contrib/suse/openssh.spec
index 3ee526805d83..f20a78656a8e 100644
--- a/crypto/openssh/contrib/suse/openssh.spec
+++ b/crypto/openssh/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
-Version: 7.1p2
+Version: 7.2p2
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
diff --git a/crypto/openssh/defines.h b/crypto/openssh/defines.h
index fa0ccba7c018..a438ddd742f7 100644
--- a/crypto/openssh/defines.h
+++ b/crypto/openssh/defines.h
@@ -850,4 +850,11 @@ struct winsize {
# endif /* gcc version */
#endif /* __predict_true */
+#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
+ defined(GLOB_HAS_GL_MATCHC) && defined(GLOB_HAS_GL_STATV) && \
+ defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 && \
+ !defined(BROKEN_GLOB)
+# define USE_SYSTEM_GLOB
+#endif
+
#endif /* _DEFINES_H */
diff --git a/crypto/openssh/dh.h b/crypto/openssh/dh.h
index 654695315e0f..e191cfd8a25e 100644
--- a/crypto/openssh/dh.h
+++ b/crypto/openssh/dh.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.h,v 1.13 2015/05/27 23:39:18 dtucker Exp $ */
+/* $OpenBSD: dh.h,v 1.14 2015/10/16 22:32:22 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
@@ -44,8 +44,11 @@ int dh_pub_is_valid(DH *, BIGNUM *);
u_int dh_estimate(int);
-/* Min and max values from RFC4419. */
-#define DH_GRP_MIN 1024
+/*
+ * Max value from RFC4419.
+ * Miniumum increased in light of DH precomputation attacks.
+ */
+#define DH_GRP_MIN 2048
#define DH_GRP_MAX 8192
/*
diff --git a/crypto/openssh/includes.h b/crypto/openssh/includes.h
index 2893a54cdc6b..497a038b2373 100644
--- a/crypto/openssh/includes.h
+++ b/crypto/openssh/includes.h
@@ -32,12 +32,6 @@
#ifdef HAVE_BSTRING_H
# include <bstring.h>
#endif
-#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
- defined(GLOB_HAS_GL_MATCHC) && defined(GLOB_HAS_GL_STATV) && \
- defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 && \
- !defined(BROKEN_GLOB)
-# include <glob.h>
-#endif
#ifdef HAVE_ENDIAN_H
# include <endian.h>
#endif
diff --git a/crypto/openssh/kex.c b/crypto/openssh/kex.c
index b777b7d50f80..d371f47c48dd 100644
--- a/crypto/openssh/kex.c
+++ b/crypto/openssh/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.109 2015/07/30 00:01:34 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.117 2016/02/08 10:57:07 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -49,7 +49,6 @@
#include "misc.h"
#include "dispatch.h"
#include "monitor.h"
-#include "roaming.h"
#include "ssherr.h"
#include "sshbuf.h"
@@ -67,6 +66,19 @@ extern const EVP_MD *evp_ssh_sha256(void);
static int kex_choose_conf(struct ssh *);
static int kex_input_newkeys(int, u_int32_t, void *);
+static const char *proposal_names[PROPOSAL_MAX] = {
+ "KEX algorithms",
+ "host key algorithms",
+ "ciphers ctos",
+ "ciphers stoc",
+ "MACs ctos",
+ "MACs stoc",
+ "compression ctos",
+ "compression stoc",
+ "languages ctos",
+ "languages stoc",
+};
+
struct kexalg {
char *name;
u_int type;
@@ -267,7 +279,7 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
for (i = 0; i < PROPOSAL_MAX; i++) {
if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0)
goto out;
- debug2("kex_parse_kexinit: %s", proposal[i]);
+ debug2("%s: %s", proposal_names[i], proposal[i]);
}
/* first kex follows / reserved */
if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */
@@ -302,7 +314,14 @@ kex_prop_free(char **proposal)
static int
kex_protocol_error(int type, u_int32_t seq, void *ctxt)
{
- error("Hm, kex protocol error: type %d seq %u", type, seq);
+ struct ssh *ssh = active_state; /* XXX */
+ int r;
+
+ error("kex protocol error: type %d seq %u", type, seq);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
+ (r = sshpkt_put_u32(ssh, seq)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ return r;
return 0;
}
@@ -314,6 +333,20 @@ kex_reset_dispatch(struct ssh *ssh)
ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
}
+static int
+kex_send_ext_info(struct ssh *ssh)
+{
+ int r;
+
+ if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
+ (r = sshpkt_put_u32(ssh, 1)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ return r;
+ return 0;
+}
+
int
kex_send_newkeys(struct ssh *ssh)
{
@@ -326,9 +359,51 @@ kex_send_newkeys(struct ssh *ssh)
debug("SSH2_MSG_NEWKEYS sent");
debug("expecting SSH2_MSG_NEWKEYS");
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
+ if (ssh->kex->ext_info_c)
+ if ((r = kex_send_ext_info(ssh)) != 0)
+ return r;
return 0;
}
+int
+kex_input_ext_info(int type, u_int32_t seq, void *ctxt)
+{
+ struct ssh *ssh = ctxt;
+ struct kex *kex = ssh->kex;
+ u_int32_t i, ninfo;
+ char *name, *val, *found;
+ int r;
+
+ debug("SSH2_MSG_EXT_INFO received");
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
+ if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
+ return r;
+ for (i = 0; i < ninfo; i++) {
+ if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
+ return r;
+ if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) {
+ free(name);
+ return r;
+ }
+ debug("%s: %s=<%s>", __func__, name, val);
+ if (strcmp(name, "server-sig-algs") == 0) {
+ found = match_list("rsa-sha2-256", val, NULL);
+ if (found) {
+ kex->rsa_sha2 = 256;
+ free(found);
+ }
+ found = match_list("rsa-sha2-512", val, NULL);
+ if (found) {
+ kex->rsa_sha2 = 512;
+ free(found);
+ }
+ }
+ free(name);
+ free(val);
+ }
+ return sshpkt_get_end(ssh);
+}
+
static int
kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
{
@@ -468,7 +543,7 @@ kex_free_newkeys(struct newkeys *newkeys)
newkeys->enc.key = NULL;
}
if (newkeys->enc.iv) {
- explicit_bzero(newkeys->enc.iv, newkeys->enc.block_size);
+ explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
free(newkeys->enc.iv);
newkeys->enc.iv = NULL;
}
@@ -511,6 +586,8 @@ kex_free(struct kex *kex)
free(kex->client_version_string);
free(kex->server_version_string);
free(kex->failed_choice);
+ free(kex->hostkey_alg);
+ free(kex->name);
free(kex);
}
@@ -529,6 +606,25 @@ kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
return 0;
}
+/*
+ * Request key re-exchange, returns 0 on success or a ssherr.h error
+ * code otherwise. Must not be called if KEX is incomplete or in-progress.
+ */
+int
+kex_start_rekex(struct ssh *ssh)
+{
+ if (ssh->kex == NULL) {
+ error("%s: no kex", __func__);
+ return SSH_ERR_INTERNAL_ERROR;
+ }
+ if (ssh->kex->done == 0) {
+ error("%s: requested twice", __func__);
+ return SSH_ERR_INTERNAL_ERROR;
+ }
+ ssh->kex->done = 0;
+ return kex_send_kexinit(ssh);
+}
+
static int
choose_enc(struct sshenc *enc, char *client, char *server)
{
@@ -593,6 +689,7 @@ choose_kex(struct kex *k, char *client, char *server)
k->name = match_list(client, server, NULL);
+ debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
if (k->name == NULL)
return SSH_ERR_NO_KEX_ALG_MATCH;
if ((kexalg = kex_alg_by_name(k->name)) == NULL)
@@ -606,15 +703,16 @@ choose_kex(struct kex *k, char *client, char *server)
static int
choose_hostkeyalg(struct kex *k, char *client, char *server)
{
- char *hostkeyalg = match_list(client, server, NULL);
+ k->hostkey_alg = match_list(client, server, NULL);
- if (hostkeyalg == NULL)
+ debug("kex: host key algorithm: %s",
+ k->hostkey_alg ? k->hostkey_alg : "(no match)");
+ if (k->hostkey_alg == NULL)
return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
- k->hostkey_type = sshkey_type_from_name(hostkeyalg);
+ k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
if (k->hostkey_type == KEY_UNSPEC)
return SSH_ERR_INTERNAL_ERROR;
- k->hostkey_nid = sshkey_ecdsa_nid_from_name(hostkeyalg);
- free(hostkeyalg);
+ k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
return 0;
}
@@ -653,8 +751,11 @@ kex_choose_conf(struct ssh *ssh)
u_int mode, ctos, need, dh_need, authlen;
int r, first_kex_follows;
- if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 ||
- (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
+ debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
+ if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
+ goto out;
+ debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
+ if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
goto out;
if (kex->server) {
@@ -665,18 +766,30 @@ kex_choose_conf(struct ssh *ssh)
sprop=peer;
}
- /* Check whether server offers roaming */
- if (!kex->server) {
- char *roaming = match_list(KEX_RESUME,
- peer[PROPOSAL_KEX_ALGS], NULL);
+ /* Check whether client supports ext_info_c */
+ if (kex->server) {
+ char *ext;
- if (roaming) {
- kex->roaming = 1;
- free(roaming);
+ ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
+ if (ext) {
+ kex->ext_info_c = 1;
+ free(ext);
}
}
/* Algorithm Negotiation */
+ if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
+ sprop[PROPOSAL_KEX_ALGS])) != 0) {
+ kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
+ peer[PROPOSAL_KEX_ALGS] = NULL;
+ goto out;
+ }
+ if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
+ kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
+ peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
+ goto out;
+ }
for (mode = 0; mode < MODE_MAX; mode++) {
if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
@@ -709,24 +822,12 @@ kex_choose_conf(struct ssh *ssh)
peer[ncomp] = NULL;
goto out;
}
- debug("kex: %s %s %s %s",
+ debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
authlen == 0 ? newkeys->mac.name : "<implicit>",
newkeys->comp.name);
}
- if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
- sprop[PROPOSAL_KEX_ALGS])) != 0) {
- kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
- peer[PROPOSAL_KEX_ALGS] = NULL;
- goto out;
- }
- if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
- sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
- kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
- peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
- goto out;
- }
need = dh_need = 0;
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = kex->newkeys[mode];
@@ -812,8 +913,7 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
digest = NULL;
r = 0;
out:
- if (digest)
- free(digest);
+ free(digest);
ssh_digest_free(hashctx);
return r;
}
diff --git a/crypto/openssh/kex.h b/crypto/openssh/kex.h
index d71b53293d8d..1c5896605059 100644
--- a/crypto/openssh/kex.h
+++ b/crypto/openssh/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.73 2015/07/30 00:01:34 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.76 2016/02/08 10:57:07 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -54,7 +54,6 @@
#define KEX_DH14 "diffie-hellman-group14-sha1"
#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
-#define KEX_RESUME "resume@appgate.com"
#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
@@ -129,10 +128,12 @@ struct kex {
u_int dh_need;
int server;
char *name;
+ char *hostkey_alg;
int hostkey_type;
int hostkey_nid;
u_int kex_type;
- int roaming;
+ int rsa_sha2;
+ int ext_info_c;
struct sshbuf *my;
struct sshbuf *peer;
sig_atomic_t done;
@@ -146,8 +147,8 @@ struct kex {
struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
struct sshkey *(*load_host_private_key)(int, int, struct ssh *);
int (*host_key_index)(struct sshkey *, int, struct ssh *);
- int (*sign)(struct sshkey *, struct sshkey *,
- u_char **, size_t *, const u_char *, size_t, u_int);
+ int (*sign)(struct sshkey *, struct sshkey *, u_char **, size_t *,
+ const u_char *, size_t, const char *, u_int);
int (*kex[KEX_MAX])(struct ssh *);
/* kex specific state */
DH *dh; /* DH */
@@ -174,9 +175,11 @@ void kex_prop_free(char **);
int kex_send_kexinit(struct ssh *);
int kex_input_kexinit(int, u_int32_t, void *);
+int kex_input_ext_info(int, u_int32_t, void *);
int kex_derive_keys(struct ssh *, u_char *, u_int, const struct sshbuf *);
int kex_derive_keys_bn(struct ssh *, u_char *, u_int, const BIGNUM *);
int kex_send_newkeys(struct ssh *);
+int kex_start_rekex(struct ssh *);
int kexdh_client(struct ssh *);
int kexdh_server(struct ssh *);
diff --git a/crypto/openssh/kexc25519s.c b/crypto/openssh/kexc25519s.c
index 24027253363e..4e77622b0b2f 100644
--- a/crypto/openssh/kexc25519s.c
+++ b/crypto/openssh/kexc25519s.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519s.c,v 1.9 2015/04/27 00:37:53 dtucker Exp $ */
+/* $OpenBSD: kexc25519s.c,v 1.10 2015/12/04 16:41:28 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -134,8 +134,8 @@ input_kex_c25519_init(int type, u_int32_t seq, void *ctxt)
}
/* sign H */
- if ((r = kex->sign(server_host_private, server_host_public,
- &signature, &slen, hash, hashlen, ssh->compat)) < 0)
+ if ((r = kex->sign(server_host_private, server_host_public, &signature,
+ &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
goto out;
/* send server hostkey, ECDH pubkey 'Q_S' and signed H */
diff --git a/crypto/openssh/kexdhs.c b/crypto/openssh/kexdhs.c
index de7c05b17249..bf933e4c9013 100644
--- a/crypto/openssh/kexdhs.c
+++ b/crypto/openssh/kexdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhs.c,v 1.22 2015/01/26 06:10:03 djm Exp $ */
+/* $OpenBSD: kexdhs.c,v 1.23 2015/12/04 16:41:28 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@@ -181,8 +181,8 @@ input_kex_dh_init(int type, u_int32_t seq, void *ctxt)
}
/* sign H */
- if ((r = kex->sign(server_host_private, server_host_public,
- &signature, &slen, hash, hashlen, ssh->compat)) < 0)
+ if ((r = kex->sign(server_host_private, server_host_public, &signature,
+ &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
goto out;
/* destroy_sensitive_data(); */
diff --git a/crypto/openssh/kexecdhs.c b/crypto/openssh/kexecdhs.c
index 0adb80e6addf..ccdbf70b1cf6 100644
--- a/crypto/openssh/kexecdhs.c
+++ b/crypto/openssh/kexecdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhs.c,v 1.14 2015/01/26 06:10:03 djm Exp $ */
+/* $OpenBSD: kexecdhs.c,v 1.15 2015/12/04 16:41:28 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -169,8 +169,8 @@ input_kex_ecdh_init(int type, u_int32_t seq, void *ctxt)
}
/* sign H */
- if ((r = kex->sign(server_host_private, server_host_public,
- &signature, &slen, hash, hashlen, ssh->compat)) < 0)
+ if ((r = kex->sign(server_host_private, server_host_public, &signature,
+ &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
goto out;
/* destroy_sensitive_data(); */
diff --git a/crypto/openssh/kexgexs.c b/crypto/openssh/kexgexs.c
index ff6c6879e73a..8c5adf7e4305 100644
--- a/crypto/openssh/kexgexs.c
+++ b/crypto/openssh/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.25 2015/04/13 02:04:08 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.26 2015/12/04 16:41:28 markus Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -220,8 +220,8 @@ input_kex_dh_gex_init(int type, u_int32_t seq, void *ctxt)
}
/* sign H */
- if ((r = kex->sign(server_host_private, server_host_public,
- &signature, &slen, hash, hashlen, ssh->compat)) < 0)
+ if ((r = kex->sign(server_host_private, server_host_public, &signature,
+ &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
goto out;
/* destroy_sensitive_data(); */
diff --git a/crypto/openssh/key.c b/crypto/openssh/key.c
index 0ba98b6f35bd..28d7c6207145 100644
--- a/crypto/openssh/key.c
+++ b/crypto/openssh/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.128 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: key.c,v 1.129 2015/12/04 16:41:28 markus Exp $ */
/*
* placed in the public domain
*/
@@ -132,7 +132,7 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
int
key_sign(const Key *key, u_char **sigp, u_int *lenp,
- const u_char *data, u_int datalen)
+ const u_char *data, u_int datalen, const char *alg)
{
int r;
u_char *sig;
@@ -143,7 +143,7 @@ key_sign(const Key *key, u_char **sigp, u_int *lenp,
if (lenp != NULL)
*lenp = 0;
if ((r = sshkey_sign(key, &sig, &siglen,
- data, datalen, datafellows)) != 0) {
+ data, datalen, alg, datafellows)) != 0) {
fatal_on_fatal_errors(r, __func__, 0);
error("%s: %s", __func__, ssh_err(r));
return -1;
diff --git a/crypto/openssh/key.h b/crypto/openssh/key.h
index 903bdf6730de..34c992bd300b 100644
--- a/crypto/openssh/key.h
+++ b/crypto/openssh/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.48 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: key.h,v 1.49 2015/12/04 16:41:28 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -84,7 +84,8 @@ int key_ec_validate_private(const EC_KEY *);
Key *key_from_blob(const u_char *, u_int);
int key_to_blob(const Key *, u_char **, u_int *);
-int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
+int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int,
+ const char *);
int key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
void key_private_serialize(const Key *, struct sshbuf *);
diff --git a/crypto/openssh/krl.c b/crypto/openssh/krl.c
index 4075df853fff..fff1a3f7cbaf 100644
--- a/crypto/openssh/krl.c
+++ b/crypto/openssh/krl.c
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: krl.c,v 1.33 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.37 2015/12/31 00:33:52 djm Exp $ */
#include "includes.h"
@@ -723,7 +723,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
if ((r = sshbuf_put(buf, KRL_MAGIC, sizeof(KRL_MAGIC) - 1)) != 0 ||
(r = sshbuf_put_u32(buf, KRL_FORMAT_VERSION)) != 0 ||
(r = sshbuf_put_u64(buf, krl->krl_version)) != 0 ||
- (r = sshbuf_put_u64(buf, krl->generated_date) != 0) ||
+ (r = sshbuf_put_u64(buf, krl->generated_date)) != 0 ||
(r = sshbuf_put_u64(buf, krl->flags)) != 0 ||
(r = sshbuf_put_string(buf, NULL, 0)) != 0 ||
(r = sshbuf_put_cstring(buf, krl->comment)) != 0)
@@ -772,7 +772,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
goto out;
if ((r = sshkey_sign(sign_keys[i], &sblob, &slen,
- sshbuf_ptr(buf), sshbuf_len(buf), 0)) != 0)
+ sshbuf_ptr(buf), sshbuf_len(buf), NULL, 0)) != 0)
goto out;
KRL_DBG(("%s: signature sig len %zu", __func__, slen));
if ((r = sshbuf_put_string(buf, sblob, slen)) != 0)
@@ -826,10 +826,8 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
goto out;
while (sshbuf_len(buf) > 0) {
- if (subsect != NULL) {
- sshbuf_free(subsect);
- subsect = NULL;
- }
+ sshbuf_free(subsect);
+ subsect = NULL;
if ((r = sshbuf_get_u8(buf, &type)) != 0 ||
(r = sshbuf_froms(buf, &subsect)) != 0)
goto out;
@@ -1017,7 +1015,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
}
/* Check signature over entire KRL up to this point */
if ((r = sshkey_verify(key, blob, blen,
- sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0)
+ sshbuf_ptr(buf), sig_off, 0)) != 0)
goto out;
/* Check if this key has already signed this KRL */
for (i = 0; i < nca_used; i++) {
@@ -1038,7 +1036,6 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
ca_used = tmp_ca_used;
ca_used[nca_used++] = key;
key = NULL;
- break;
}
if (sshbuf_len(copy) != 0) {
@@ -1059,10 +1056,8 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
if ((r = sshbuf_consume(copy, sects_off)) != 0)
goto out;
while (sshbuf_len(copy) > 0) {
- if (sect != NULL) {
- sshbuf_free(sect);
- sect = NULL;
- }
+ sshbuf_free(sect);
+ sect = NULL;
if ((r = sshbuf_get_u8(copy, &type)) != 0 ||
(r = sshbuf_froms(copy, &sect)) != 0)
goto out;
@@ -1105,7 +1100,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
- if (sshbuf_len(sect) > 0) {
+ if (sect != NULL && sshbuf_len(sect) > 0) {
error("KRL section contains unparsed data");
r = SSH_ERR_INVALID_FORMAT;
goto out;
diff --git a/crypto/openssh/krl.h b/crypto/openssh/krl.h
index 4e12befc3c13..675496cc48a2 100644
--- a/crypto/openssh/krl.h
+++ b/crypto/openssh/krl.h
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: krl.h,v 1.4 2015/01/13 19:06:49 djm Exp $ */
+/* $OpenBSD: krl.h,v 1.5 2015/12/30 23:46:14 djm Exp $ */
#ifndef _KRL_H
#define _KRL_H
@@ -43,7 +43,6 @@ struct ssh_krl;
struct ssh_krl *ssh_krl_init(void);
void ssh_krl_free(struct ssh_krl *krl);
void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version);
-void ssh_krl_set_sign_key(struct ssh_krl *krl, const struct sshkey *sign_key);
int ssh_krl_set_comment(struct ssh_krl *krl, const char *comment);
int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl,
const struct sshkey *ca_key, u_int64_t serial);
diff --git a/crypto/openssh/loginrec.c b/crypto/openssh/loginrec.c
index 94ae81dc6088..788553e9204d 100644
--- a/crypto/openssh/loginrec.c
+++ b/crypto/openssh/loginrec.c
@@ -150,6 +150,9 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
#include <netinet/in.h>
diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c
index ddd2b2db452f..de7e1facd68b 100644
--- a/crypto/openssh/misc.c
+++ b/crypto/openssh/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.97 2015/04/24 01:36:00 deraadt Exp $ */
+/* $OpenBSD: misc.c,v 1.101 2016/01/20 09:22:39 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -29,6 +29,7 @@
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
+#include <sys/time.h>
#include <sys/un.h>
#include <limits.h>
@@ -604,6 +605,8 @@ percent_expand(const char *string, ...)
/* %% case */
if (*string == '%')
goto append;
+ if (*string == '\0')
+ fatal("%s: invalid format", __func__);
for (j = 0; j < num_keys; j++) {
if (strchr(keys[j].key, *string) != NULL) {
i = strlcat(buf, keys[j].repl, sizeof(buf));
@@ -653,62 +656,63 @@ tun_open(int tun, int mode)
struct ifreq ifr;
char name[100];
int fd = -1, sock;
+ const char *tunbase = "tun";
+
+ if (mode == SSH_TUNMODE_ETHERNET)
+ tunbase = "tap";
/* Open the tunnel device */
if (tun <= SSH_TUNID_MAX) {
- snprintf(name, sizeof(name), "/dev/tun%d", tun);
+ snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun);
fd = open(name, O_RDWR);
} else if (tun == SSH_TUNID_ANY) {
for (tun = 100; tun >= 0; tun--) {
- snprintf(name, sizeof(name), "/dev/tun%d", tun);
+ snprintf(name, sizeof(name), "/dev/%s%d",
+ tunbase, tun);
if ((fd = open(name, O_RDWR)) >= 0)
break;
}
} else {
debug("%s: invalid tunnel %u", __func__, tun);
- return (-1);
+ return -1;
}
if (fd < 0) {
- debug("%s: %s open failed: %s", __func__, name, strerror(errno));
- return (-1);
+ debug("%s: %s open: %s", __func__, name, strerror(errno));
+ return -1;
}
debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
- /* Set the tunnel device operation mode */
- snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun);
+ /* Bring interface up if it is not already */
+ snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun);
if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
goto failed;
- if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
- goto failed;
-
- /* Set interface mode */
- ifr.ifr_flags &= ~IFF_UP;
- if (mode == SSH_TUNMODE_ETHERNET)
- ifr.ifr_flags |= IFF_LINK0;
- else
- ifr.ifr_flags &= ~IFF_LINK0;
- if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
+ if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) {
+ debug("%s: get interface %s flags: %s", __func__,
+ ifr.ifr_name, strerror(errno));
goto failed;
+ }
- /* Bring interface up */
- ifr.ifr_flags |= IFF_UP;
- if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
- goto failed;
+ if (!(ifr.ifr_flags & IFF_UP)) {
+ ifr.ifr_flags |= IFF_UP;
+ if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) {
+ debug("%s: activate interface %s: %s", __func__,
+ ifr.ifr_name, strerror(errno));
+ goto failed;
+ }
+ }
close(sock);
- return (fd);
+ return fd;
failed:
if (fd >= 0)
close(fd);
if (sock >= 0)
close(sock);
- debug("%s: failed to set %s mode %d: %s", __func__, name,
- mode, strerror(errno));
- return (-1);
+ return -1;
#else
error("Tunnel interfaces are not supported on this platform");
return (-1);
@@ -1107,7 +1111,7 @@ unix_listener(const char *path, int backlog, int unlink_first)
void
sock_set_v6only(int s)
{
-#ifdef IPV6_V6ONLY
+#if defined(IPV6_V6ONLY) && !defined(__OpenBSD__)
int on = 1;
debug3("%s: set socket %d IPV6_V6ONLY", __func__, s);
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index a91420983ba8..ac7dd309974c 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.150 2015/06/22 23:42:16 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.157 2016/02/15 23:32:37 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -100,7 +100,6 @@
#include "monitor_fdpass.h"
#include "compat.h"
#include "ssh2.h"
-#include "roaming.h"
#include "authfd.h"
#include "match.h"
#include "ssherr.h"
@@ -487,15 +486,10 @@ monitor_sync(struct monitor *pmonitor)
static void *
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{
- size_t len = (size_t) size * ncount;
- void *address;
-
- if (len == 0 || ncount > SIZE_MAX / size)
+ if (size == 0 || ncount == 0 || ncount > SIZE_MAX / size)
fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size);
- address = mm_malloc(mm, len);
-
- return (address);
+ return mm_malloc(mm, size * ncount);
}
static void
@@ -690,17 +684,18 @@ mm_answer_sign(int sock, Buffer *m)
struct ssh *ssh = active_state; /* XXX */
extern int auth_sock; /* XXX move to state struct? */
struct sshkey *key;
- struct sshbuf *sigbuf;
- u_char *p;
- u_char *signature;
- size_t datlen, siglen;
+ struct sshbuf *sigbuf = NULL;
+ u_char *p = NULL, *signature = NULL;
+ char *alg = NULL;
+ size_t datlen, siglen, alglen;
int r, keyid, is_proof = 0;
const char proof_req[] = "hostkeys-prove-00@openssh.com";
debug3("%s", __func__);
if ((r = sshbuf_get_u32(m, &keyid)) != 0 ||
- (r = sshbuf_get_string(m, &p, &datlen)) != 0)
+ (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
+ (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
/*
@@ -727,7 +722,7 @@ mm_answer_sign(int sock, Buffer *m)
fatal("%s: sshbuf_new", __func__);
if ((r = sshbuf_put_cstring(sigbuf, proof_req)) != 0 ||
(r = sshbuf_put_string(sigbuf, session_id2,
- session_id2_len) != 0) ||
+ session_id2_len)) != 0 ||
(r = sshkey_puts(key, sigbuf)) != 0)
fatal("%s: couldn't prepare private key "
"proof buffer: %s", __func__, ssh_err(r));
@@ -747,14 +742,14 @@ mm_answer_sign(int sock, Buffer *m)
}
if ((key = get_hostkey_by_index(keyid)) != NULL) {
- if ((r = sshkey_sign(key, &signature, &siglen, p, datlen,
+ if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg,
datafellows)) != 0)
fatal("%s: sshkey_sign failed: %s",
__func__, ssh_err(r));
} else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
auth_sock > 0) {
if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen,
- p, datlen, datafellows)) != 0) {
+ p, datlen, alg, datafellows)) != 0) {
fatal("%s: ssh_agent_sign failed: %s",
__func__, ssh_err(r));
}
@@ -768,6 +763,7 @@ mm_answer_sign(int sock, Buffer *m)
if ((r = sshbuf_put_string(m, signature, siglen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ free(alg);
free(p);
free(signature);
@@ -971,7 +967,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
char *response;
int authok;
- if (authctxt->as == 0)
+ if (authctxt->as == NULL)
fatal("%s: no bsd auth session", __func__);
response = buffer_get_string(m, NULL);
@@ -1040,7 +1036,8 @@ mm_answer_skeyrespond(int sock, Buffer *m)
debug3("%s: sending authenticated: %d", __func__, authok);
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
- auth_method = "skey";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "skey";
return (authok != 0);
}
@@ -1449,7 +1446,7 @@ mm_answer_keyverify(int sock, Buffer *m)
__func__, key, (verified == 1) ? "verified" : "unverified");
/* If auth was successful then record key to ensure it isn't reused */
- if (verified == 1)
+ if (verified == 1 && key_blobtype == MM_USERKEY)
auth2_record_userkey(authctxt, key);
else
key_free(key);
@@ -1852,7 +1849,7 @@ monitor_apply_keystate(struct monitor *pmonitor)
sshbuf_free(child_state);
child_state = NULL;
- if ((kex = ssh->kex) != 0) {
+ if ((kex = ssh->kex) != NULL) {
/* XXX set callbacks */
#ifdef WITH_OPENSSL
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
index eac421ba145b..c5db6df483b7 100644
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.85 2015/05/01 03:23:51 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.87 2016/01/14 16:17:40 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -80,7 +80,6 @@
#include "channels.h"
#include "session.h"
#include "servconf.h"
-#include "roaming.h"
#include "ssherr.h"
@@ -218,7 +217,7 @@ mm_choose_dh(int min, int nbits, int max)
int
mm_key_sign(Key *key, u_char **sigp, u_int *lenp,
- const u_char *data, u_int datalen)
+ const u_char *data, u_int datalen, const char *hostkey_alg)
{
struct kex *kex = *pmonitor->m_pkex;
Buffer m;
@@ -228,6 +227,7 @@ mm_key_sign(Key *key, u_char **sigp, u_int *lenp,
buffer_init(&m);
buffer_put_int(&m, kex->host_key_index(key, 0, active_state));
buffer_put_string(&m, data, datalen);
+ buffer_put_cstring(&m, hostkey_alg);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m);
diff --git a/crypto/openssh/monitor_wrap.h b/crypto/openssh/monitor_wrap.h
index de4a08f99ff3..eb820aeea743 100644
--- a/crypto/openssh/monitor_wrap.h
+++ b/crypto/openssh/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.27 2015/05/01 03:23:51 djm Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.29 2015/12/04 16:41:28 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -40,7 +40,7 @@ struct Authctxt;
void mm_log_handler(LogLevel, const char *, void *);
int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
-int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int);
+int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
diff --git a/crypto/openssh/mux.c b/crypto/openssh/mux.c
index 1ab93396af4a..dd40b3850f36 100644
--- a/crypto/openssh/mux.c
+++ b/crypto/openssh/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.58 2016/01/13 23:04:47 djm Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
@@ -1355,16 +1355,18 @@ mux_session_confirm(int id, int success, void *arg)
char *proto, *data;
/* Get reasonable local authentication information. */
- client_x11_get_proto(display, options.xauth_location,
+ if (client_x11_get_proto(display, options.xauth_location,
options.forward_x11_trusted, options.forward_x11_timeout,
- &proto, &data);
- /* Request forwarding with authentication spoofing. */
- debug("Requesting X11 forwarding with authentication "
- "spoofing.");
- x11_request_forwarding_with_spoofing(id, display, proto,
- data, 1);
- client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN);
- /* XXX exit_on_forward_failure */
+ &proto, &data) == 0) {
+ /* Request forwarding with authentication spoofing. */
+ debug("Requesting X11 forwarding with authentication "
+ "spoofing.");
+ x11_request_forwarding_with_spoofing(id, display, proto,
+ data, 1);
+ /* XXX exit_on_forward_failure */
+ client_expect_confirm(id, "X11 forwarding",
+ CONFIRM_WARN);
+ }
}
if (cctx->want_agent_fwd && options.forward_agent) {
@@ -1745,7 +1747,7 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd)
fwd->connect_host ? fwd->connect_host : "",
fwd->connect_port);
if (muxclient_command == SSHMUX_COMMAND_FORWARD)
- fprintf(stdout, "%u\n", fwd->allocated_port);
+ fprintf(stdout, "%i\n", fwd->allocated_port);
break;
case MUX_S_PERMISSION_DENIED:
e = buffer_get_string(&m, NULL);
@@ -1890,6 +1892,10 @@ mux_client_request_session(int fd)
}
muxclient_request_id++;
+ if (pledge("stdio proc tty", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+ platform_pledge_mux();
+
signal(SIGHUP, control_client_sighandler);
signal(SIGINT, control_client_sighandler);
signal(SIGTERM, control_client_sighandler);
@@ -1997,6 +2003,10 @@ mux_client_request_stdio_fwd(int fd)
mm_send_fd(fd, STDOUT_FILENO) == -1)
fatal("%s: send fds failed", __func__);
+ if (pledge("stdio proc tty", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+ platform_pledge_mux();
+
debug3("%s: stdio forward request sent", __func__);
/* Read their reply */
@@ -2170,7 +2180,7 @@ muxclient(const char *path)
case SSHMUX_COMMAND_ALIVE_CHECK:
if ((pid = mux_client_request_alive(sock)) == 0)
fatal("%s: master alive check failed", __func__);
- fprintf(stderr, "Master running (pid=%d)\r\n", pid);
+ fprintf(stderr, "Master running (pid=%u)\r\n", pid);
exit(0);
case SSHMUX_COMMAND_TERMINATE:
mux_client_request_terminate(sock);
diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h
index 83fc943112a1..d286691ebb21 100644
--- a/crypto/openssh/myproposal.h
+++ b/crypto/openssh/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.47 2015/07/10 06:21:53 markus Exp $ */
+/* $OpenBSD: myproposal.h,v 1.50 2016/02/09 05:30:04 djm Exp $ */
/* $FreeBSD$ */
/*
@@ -103,6 +103,8 @@
"ssh-dss-cert-v01@openssh.com," \
HOSTKEY_ECDSA_METHODS \
"ssh-ed25519," \
+ "rsa-sha2-512," \
+ "rsa-sha2-256," \
"ssh-rsa," \
"ssh-dss"
@@ -111,12 +113,11 @@
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr" \
- AESGCM_CIPHER_MODES
+ AESGCM_CIPHER_MODES \
+ ",aes128-cbc,aes192-cbc,aes256-cbc"
#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
- "arcfour256,arcfour128," \
- "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
- "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
+ "3des-cbc"
#define KEX_SERVER_MAC \
"umac-64-etm@openssh.com," \
@@ -130,18 +131,9 @@
"hmac-sha2-512," \
"hmac-sha1"
-#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
- "hmac-md5-etm@openssh.com," \
- "hmac-ripemd160-etm@openssh.com," \
- "hmac-sha1-96-etm@openssh.com," \
- "hmac-md5-96-etm@openssh.com," \
- "hmac-md5," \
- "hmac-ripemd160," \
- "hmac-ripemd160@openssh.com," \
- "hmac-sha1-96," \
- "hmac-md5-96"
+#define KEX_CLIENT_MAC KEX_SERVER_MAC
-#else
+#else /* WITH_OPENSSL */
#define KEX_SERVER_KEX \
"curve25519-sha256@libssh.org"
diff --git a/crypto/openssh/opacket.c b/crypto/openssh/opacket.c
index b9160d59def8..5970dd3771cc 100644
--- a/crypto/openssh/opacket.c
+++ b/crypto/openssh/opacket.c
@@ -235,18 +235,6 @@ packet_set_connection(int fd_in, int fd_out)
fatal("%s: ssh_packet_set_connection failed", __func__);
}
-void
-packet_backup_state(void)
-{
- ssh_packet_backup_state(active_state, backup_state);
-}
-
-void
-packet_restore_state(void)
-{
- ssh_packet_restore_state(active_state, backup_state);
-}
-
u_int
packet_get_char(void)
{
diff --git a/crypto/openssh/opacket.h b/crypto/openssh/opacket.h
index a0a60e5507e1..c26ade44c7f2 100644
--- a/crypto/openssh/opacket.h
+++ b/crypto/openssh/opacket.h
@@ -39,8 +39,6 @@ do { \
void packet_close(void);
u_int packet_get_char(void);
u_int packet_get_int(void);
-void packet_backup_state(void);
-void packet_restore_state(void);
void packet_set_connection(int, int);
int packet_read_seqnr(u_int32_t *);
int packet_read_poll_seqnr(u_int32_t *);
@@ -127,8 +125,6 @@ void packet_disconnect(const char *, ...)
sshpkt_add_padding(active_state, (pad))
#define packet_send_ignore(nbytes) \
ssh_packet_send_ignore(active_state, (nbytes))
-#define packet_need_rekeying() \
- ssh_packet_need_rekeying(active_state)
#define packet_set_server() \
ssh_packet_set_server(active_state)
#define packet_set_authenticated() \
diff --git a/crypto/openssh/openbsd-compat/bsd-misc.c b/crypto/openssh/openbsd-compat/bsd-misc.c
index f7be415ec226..2a788e47f7dd 100644
--- a/crypto/openssh/openbsd-compat/bsd-misc.c
+++ b/crypto/openssh/openbsd-compat/bsd-misc.c
@@ -276,3 +276,11 @@ getpgid(pid_t pid)
return -1;
}
#endif
+
+#ifndef HAVE_PLEDGE
+int
+pledge(const char *promises, const char *paths[])
+{
+ return 0;
+}
+#endif
diff --git a/crypto/openssh/openbsd-compat/bsd-misc.h b/crypto/openssh/openbsd-compat/bsd-misc.h
index ff347a24b0eb..0d81d17352ea 100644
--- a/crypto/openssh/openbsd-compat/bsd-misc.h
+++ b/crypto/openssh/openbsd-compat/bsd-misc.h
@@ -122,4 +122,8 @@ pid_t getpgid(pid_t);
# define krb5_free_error_message(a,b) do { } while(0)
#endif
+#ifndef HAVE_PLEDGE
+int pledge(const char *promises, const char *paths[]);
+#endif
+
#endif /* _BSD_MISC_H */
diff --git a/crypto/openssh/openbsd-compat/bsd-poll.h b/crypto/openssh/openbsd-compat/bsd-poll.h
index dcbb9ca40236..17945f5b46f5 100644
--- a/crypto/openssh/openbsd-compat/bsd-poll.h
+++ b/crypto/openssh/openbsd-compat/bsd-poll.h
@@ -42,11 +42,11 @@ typedef unsigned int nfds_t;
#define POLLIN 0x0001
#define POLLOUT 0x0004
#define POLLERR 0x0008
+#define POLLHUP 0x0010
+#define POLLNVAL 0x0020
#if 0
/* the following are currently not implemented */
#define POLLPRI 0x0002
-#define POLLHUP 0x0010
-#define POLLNVAL 0x0020
#define POLLRDNORM 0x0040
#define POLLNORM POLLRDNORM
#define POLLWRNORM POLLOUT
diff --git a/crypto/openssh/openbsd-compat/glob.c b/crypto/openssh/openbsd-compat/glob.c
index 742b4b954a32..7c97e67f557c 100644
--- a/crypto/openssh/openbsd-compat/glob.c
+++ b/crypto/openssh/openbsd-compat/glob.c
@@ -59,6 +59,7 @@
*/
#include "includes.h"
+#include "glob.h"
#include <sys/types.h>
#include <sys/stat.h>
diff --git a/crypto/openssh/openbsd-compat/glob.h b/crypto/openssh/openbsd-compat/glob.h
index f8a7fa5ffe3e..f069a05dc656 100644
--- a/crypto/openssh/openbsd-compat/glob.h
+++ b/crypto/openssh/openbsd-compat/glob.h
@@ -42,11 +42,15 @@
!defined(HAVE_DECL_GLOB_NOMATCH) || HAVE_DECL_GLOB_NOMATCH == 0 || \
defined(BROKEN_GLOB)
-#ifndef _GLOB_H_
-#define _GLOB_H_
+#ifndef _COMPAT_GLOB_H_
+#define _COMPAT_GLOB_H_
#include <sys/stat.h>
+# define glob_t _ssh_compat_glob_t
+# define glob(a, b, c, d) _ssh__compat_glob(a, b, c, d)
+# define globfree(a) _ssh__compat_globfree(a)
+
struct stat;
typedef struct {
int gl_pathc; /* Count of total paths so far. */
diff --git a/crypto/openssh/openbsd-compat/openbsd-compat.h b/crypto/openssh/openbsd-compat/openbsd-compat.h
index 1ff7114ef3da..8cc8a11b7617 100644
--- a/crypto/openssh/openbsd-compat/openbsd-compat.h
+++ b/crypto/openssh/openbsd-compat/openbsd-compat.h
@@ -39,7 +39,6 @@
/* OpenBSD function replacements */
#include "base64.h"
#include "sigact.h"
-#include "glob.h"
#include "readpassphrase.h"
#include "vis.h"
#include "getrrsetbyname.h"
diff --git a/crypto/openssh/openbsd-compat/port-solaris.c b/crypto/openssh/openbsd-compat/port-solaris.c
index 25382f1c907c..e36e412d7325 100644
--- a/crypto/openssh/openbsd-compat/port-solaris.c
+++ b/crypto/openssh/openbsd-compat/port-solaris.c
@@ -227,3 +227,139 @@ solaris_set_default_project(struct passwd *pw)
}
}
#endif /* USE_SOLARIS_PROJECTS */
+
+#ifdef USE_SOLARIS_PRIVS
+# ifdef HAVE_PRIV_H
+# include <priv.h>
+# endif
+
+priv_set_t *
+solaris_basic_privset(void)
+{
+ priv_set_t *pset;
+
+#ifdef HAVE_PRIV_BASICSET
+ if ((pset = priv_allocset()) == NULL) {
+ error("priv_allocset: %s", strerror(errno));
+ return NULL;
+ }
+ priv_basicset(pset);
+#else
+ if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) {
+ error("priv_str_to_set: %s", strerror(errno));
+ return NULL;
+ }
+#endif
+ return pset;
+}
+
+void
+solaris_drop_privs_pinfo_net_fork_exec(void)
+{
+ priv_set_t *pset = NULL, *npset = NULL;
+
+ /*
+ * Note: this variant avoids dropping DAC filesystem rights, in case
+ * the process calling it is running as root and should have the
+ * ability to read/write/chown any file on the system.
+ *
+ * We start with the basic set, then *add* the DAC rights to it while
+ * taking away other parts of BASIC we don't need. Then we intersect
+ * this with our existing PERMITTED set. In this way we keep any
+ * DAC rights we had before, while otherwise reducing ourselves to
+ * the minimum set of privileges we need to proceed.
+ *
+ * This also means we drop any other parts of "root" that we don't
+ * need (e.g. the ability to kill any process, create new device nodes
+ * etc etc).
+ */
+
+ if ((pset = priv_allocset()) == NULL)
+ fatal("priv_allocset: %s", strerror(errno));
+ if ((npset = solaris_basic_privset()) == NULL)
+ fatal("solaris_basic_privset: %s", strerror(errno));
+
+ if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
+ priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
+ priv_addset(npset, PRIV_FILE_DAC_SEARCH) != 0 ||
+ priv_addset(npset, PRIV_FILE_DAC_WRITE) != 0 ||
+ priv_addset(npset, PRIV_FILE_OWNER) != 0)
+ fatal("priv_addset: %s", strerror(errno));
+
+ if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
+ priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
+#endif
+ priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
+ priv_delset(npset, PRIV_PROC_FORK) != 0 ||
+ priv_delset(npset, PRIV_PROC_INFO) != 0 ||
+ priv_delset(npset, PRIV_PROC_SESSION) != 0)
+ fatal("priv_delset: %s", strerror(errno));
+
+ if (getppriv(PRIV_PERMITTED, pset) != 0)
+ fatal("getppriv: %s", strerror(errno));
+
+ priv_intersect(pset, npset);
+
+ if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
+ setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0 ||
+ setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
+ fatal("setppriv: %s", strerror(errno));
+
+ priv_freeset(pset);
+ priv_freeset(npset);
+}
+
+void
+solaris_drop_privs_root_pinfo_net(void)
+{
+ priv_set_t *pset = NULL;
+
+ /* Start with "basic" and drop everything we don't need. */
+ if ((pset = solaris_basic_privset()) == NULL)
+ fatal("solaris_basic_privset: %s", strerror(errno));
+
+ if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
+ priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+#endif
+ priv_delset(pset, PRIV_PROC_INFO) != 0 ||
+ priv_delset(pset, PRIV_PROC_SESSION) != 0)
+ fatal("priv_delset: %s", strerror(errno));
+
+ if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
+ setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
+ setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
+ fatal("setppriv: %s", strerror(errno));
+
+ priv_freeset(pset);
+}
+
+void
+solaris_drop_privs_root_pinfo_net_exec(void)
+{
+ priv_set_t *pset = NULL;
+
+
+ /* Start with "basic" and drop everything we don't need. */
+ if ((pset = solaris_basic_privset()) == NULL)
+ fatal("solaris_basic_privset: %s", strerror(errno));
+
+ if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
+ priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+#endif
+ priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
+ priv_delset(pset, PRIV_PROC_INFO) != 0 ||
+ priv_delset(pset, PRIV_PROC_SESSION) != 0)
+ fatal("priv_delset: %s", strerror(errno));
+
+ if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
+ setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
+ setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
+ fatal("setppriv: %s", strerror(errno));
+
+ priv_freeset(pset);
+}
+
+#endif
diff --git a/crypto/openssh/openbsd-compat/port-solaris.h b/crypto/openssh/openbsd-compat/port-solaris.h
index cd442e78b10e..3a41ea8cdccd 100644
--- a/crypto/openssh/openbsd-compat/port-solaris.h
+++ b/crypto/openssh/openbsd-compat/port-solaris.h
@@ -26,5 +26,11 @@ void solaris_contract_pre_fork(void);
void solaris_contract_post_fork_child(void);
void solaris_contract_post_fork_parent(pid_t pid);
void solaris_set_default_project(struct passwd *);
+# ifdef USE_SOLARIS_PRIVS
+priv_set_t *solaris_basic_privset(void);
+void solaris_drop_privs_pinfo_net_fork_exec(void);
+void solaris_drop_privs_root_pinfo_net(void);
+void solaris_drop_privs_root_pinfo_net_exec(void);
+# endif /* USE_SOLARIS_PRIVS */
#endif
diff --git a/crypto/openssh/openbsd-compat/realpath.c b/crypto/openssh/openbsd-compat/realpath.c
index ba4cea93894f..a2f090e5512f 100644
--- a/crypto/openssh/openbsd-compat/realpath.c
+++ b/crypto/openssh/openbsd-compat/realpath.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: realpath.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */
+/* $OpenBSD: realpath.c,v 1.20 2015/10/13 20:55:37 millert Exp $ */
/*
* Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
*
@@ -42,6 +42,13 @@
#include <stddef.h>
#include <string.h>
#include <unistd.h>
+#include <limits.h>
+
+#ifndef SYMLOOP_MAX
+# define SYMLOOP_MAX 32
+#endif
+
+/* A slightly modified copy of this file exists in libexec/ld.so */
/*
* char *realpath(const char *path, char resolved[PATH_MAX]);
@@ -51,16 +58,30 @@
* in which case the path which caused trouble is left in (resolved).
*/
char *
-realpath(const char *path, char resolved[PATH_MAX])
+realpath(const char *path, char *resolved)
{
struct stat sb;
char *p, *q, *s;
size_t left_len, resolved_len;
unsigned symlinks;
- int serrno, slen;
+ int serrno, slen, mem_allocated;
char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
+ if (path[0] == '\0') {
+ errno = ENOENT;
+ return (NULL);
+ }
+
serrno = errno;
+
+ if (resolved == NULL) {
+ resolved = malloc(PATH_MAX);
+ if (resolved == NULL)
+ return (NULL);
+ mem_allocated = 1;
+ } else
+ mem_allocated = 0;
+
symlinks = 0;
if (path[0] == '/') {
resolved[0] = '/';
@@ -71,7 +92,10 @@ realpath(const char *path, char resolved[PATH_MAX])
left_len = strlcpy(left, path + 1, sizeof(left));
} else {
if (getcwd(resolved, PATH_MAX) == NULL) {
- strlcpy(resolved, ".", PATH_MAX);
+ if (mem_allocated)
+ free(resolved);
+ else
+ strlcpy(resolved, ".", PATH_MAX);
return (NULL);
}
resolved_len = strlen(resolved);
@@ -79,7 +103,7 @@ realpath(const char *path, char resolved[PATH_MAX])
}
if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
errno = ENAMETOOLONG;
- return (NULL);
+ goto err;
}
/*
@@ -94,7 +118,7 @@ realpath(const char *path, char resolved[PATH_MAX])
s = p ? p : left + left_len;
if (s - left >= (ptrdiff_t)sizeof(next_token)) {
errno = ENAMETOOLONG;
- return (NULL);
+ goto err;
}
memcpy(next_token, left, s - left);
next_token[s - left] = '\0';
@@ -104,7 +128,7 @@ realpath(const char *path, char resolved[PATH_MAX])
if (resolved[resolved_len - 1] != '/') {
if (resolved_len + 1 >= PATH_MAX) {
errno = ENAMETOOLONG;
- return (NULL);
+ goto err;
}
resolved[resolved_len++] = '/';
resolved[resolved_len] = '\0';
@@ -135,23 +159,23 @@ realpath(const char *path, char resolved[PATH_MAX])
resolved_len = strlcat(resolved, next_token, PATH_MAX);
if (resolved_len >= PATH_MAX) {
errno = ENAMETOOLONG;
- return (NULL);
+ goto err;
}
if (lstat(resolved, &sb) != 0) {
if (errno == ENOENT && p == NULL) {
errno = serrno;
return (resolved);
}
- return (NULL);
+ goto err;
}
if (S_ISLNK(sb.st_mode)) {
- if (symlinks++ > MAXSYMLINKS) {
+ if (symlinks++ > SYMLOOP_MAX) {
errno = ELOOP;
- return (NULL);
+ goto err;
}
slen = readlink(resolved, symlink, sizeof(symlink) - 1);
if (slen < 0)
- return (NULL);
+ goto err;
symlink[slen] = '\0';
if (symlink[0] == '/') {
resolved[1] = 0;
@@ -174,15 +198,15 @@ realpath(const char *path, char resolved[PATH_MAX])
if (slen + 1 >=
(ptrdiff_t)sizeof(symlink)) {
errno = ENAMETOOLONG;
- return (NULL);
+ goto err;
}
symlink[slen] = '/';
symlink[slen + 1] = 0;
}
- left_len = strlcat(symlink, left, sizeof(left));
- if (left_len >= sizeof(left)) {
+ left_len = strlcat(symlink, left, sizeof(symlink));
+ if (left_len >= sizeof(symlink)) {
errno = ENAMETOOLONG;
- return (NULL);
+ goto err;
}
}
left_len = strlcpy(left, symlink, sizeof(left));
@@ -196,5 +220,10 @@ realpath(const char *path, char resolved[PATH_MAX])
if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
resolved[resolved_len - 1] = '\0';
return (resolved);
+
+err:
+ if (mem_allocated)
+ free(resolved);
+ return (NULL);
}
#endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
index 8c1498c1bd28..f3b3ce9cf250 100644
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.214 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: packet.c,v 1.229 2016/02/17 22:20:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -84,7 +84,6 @@ __RCSID("$FreeBSD$");
#include "channels.h"
#include "ssh.h"
#include "packet.h"
-#include "roaming.h"
#include "ssherr.h"
#include "sshbuf.h"
@@ -182,8 +181,7 @@ struct session_state {
struct packet_state p_read, p_send;
/* Volume-based rekeying */
- u_int64_t max_blocks_in, max_blocks_out;
- u_int32_t rekey_limit;
+ u_int64_t max_blocks_in, max_blocks_out, rekey_limit;
/* Time-based rekeying */
u_int32_t rekey_interval; /* how often in seconds */
@@ -262,6 +260,14 @@ ssh_alloc_session_state(void)
return NULL;
}
+/* Returns nonzero if rekeying is in progress */
+int
+ssh_packet_is_rekeying(struct ssh *ssh)
+{
+ return compat20 &&
+ (ssh->state->rekeying || (ssh->kex != NULL && ssh->kex->done == 0));
+}
+
/*
* Sets the descriptors used for communication. Disables encryption until
* packet_set_encryption_key is called.
@@ -339,7 +345,8 @@ ssh_packet_stop_discard(struct ssh *ssh)
sshbuf_ptr(state->incoming_packet), PACKET_MAX_SIZE,
NULL, 0);
}
- logit("Finished discarding for %.200s", ssh_remote_ipaddr(ssh));
+ logit("Finished discarding for %.200s port %d",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
return SSH_ERR_MAC_INVALID;
}
@@ -456,16 +463,30 @@ ssh_packet_get_connection_out(struct ssh *ssh)
const char *
ssh_remote_ipaddr(struct ssh *ssh)
{
+ const int sock = ssh->state->connection_in;
+
/* Check whether we have cached the ipaddr. */
- if (ssh->remote_ipaddr == NULL)
- ssh->remote_ipaddr = ssh_packet_connection_is_on_socket(ssh) ?
- get_peer_ipaddr(ssh->state->connection_in) :
- strdup("UNKNOWN");
- if (ssh->remote_ipaddr == NULL)
- return "UNKNOWN";
+ if (ssh->remote_ipaddr == NULL) {
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ ssh->remote_ipaddr = get_peer_ipaddr(sock);
+ ssh->remote_port = get_sock_port(sock, 0);
+ } else {
+ ssh->remote_ipaddr = strdup("UNKNOWN");
+ ssh->remote_port = 0;
+ }
+ }
return ssh->remote_ipaddr;
}
+/* Returns the port number of the remote host. */
+
+int
+ssh_remote_port(struct ssh *ssh)
+{
+ (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
+ return ssh->remote_port;
+}
+
/* Closes the connection and clears and frees internal data structures. */
void
@@ -520,10 +541,8 @@ ssh_packet_close(struct ssh *ssh)
error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r));
if ((r = cipher_cleanup(&state->receive_context)) != 0)
error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r));
- if (ssh->remote_ipaddr) {
- free(ssh->remote_ipaddr);
- ssh->remote_ipaddr = NULL;
- }
+ free(ssh->remote_ipaddr);
+ ssh->remote_ipaddr = NULL;
free(ssh->state);
ssh->state = NULL;
}
@@ -942,7 +961,12 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
max_blocks = &state->max_blocks_in;
}
if (state->newkeys[mode] != NULL) {
- debug("set_newkeys: rekeying");
+ debug("set_newkeys: rekeying, input %llu bytes %llu blocks, "
+ "output %llu bytes %llu blocks",
+ (unsigned long long)state->p_read.bytes,
+ (unsigned long long)state->p_read.blocks,
+ (unsigned long long)state->p_send.bytes,
+ (unsigned long long)state->p_send.blocks);
if ((r = cipher_cleanup(cc)) != 0)
return r;
enc = &state->newkeys[mode]->enc;
@@ -1010,9 +1034,55 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
if (state->rekey_limit)
*max_blocks = MIN(*max_blocks,
state->rekey_limit / enc->block_size);
+ debug("rekey after %llu blocks", (unsigned long long)*max_blocks);
return 0;
}
+#define MAX_PACKETS (1U<<31)
+static int
+ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+{
+ struct session_state *state = ssh->state;
+ u_int32_t out_blocks;
+
+ /* XXX client can't cope with rekeying pre-auth */
+ if (!state->after_authentication)
+ return 0;
+
+ /* Haven't keyed yet or KEX in progress. */
+ if (ssh->kex == NULL || ssh_packet_is_rekeying(ssh))
+ return 0;
+
+ /* Peer can't rekey */
+ if (ssh->compat & SSH_BUG_NOREKEY)
+ return 0;
+
+ /*
+ * Permit one packet in or out per rekey - this allows us to
+ * make progress when rekey limits are very small.
+ */
+ if (state->p_send.packets == 0 && state->p_read.packets == 0)
+ return 0;
+
+ /* Time-based rekeying */
+ if (state->rekey_interval != 0 &&
+ state->rekey_time + state->rekey_interval <= monotime())
+ return 1;
+
+ /* Always rekey when MAX_PACKETS sent in either direction */
+ if (state->p_send.packets > MAX_PACKETS ||
+ state->p_read.packets > MAX_PACKETS)
+ return 1;
+
+ /* Rekey after (cipher-specific) maxiumum blocks */
+ out_blocks = roundup(outbound_packet_len,
+ state->newkeys[MODE_OUT]->enc.block_size);
+ return (state->max_blocks_out &&
+ (state->p_send.blocks + out_blocks > state->max_blocks_out)) ||
+ (state->max_blocks_in &&
+ (state->p_read.blocks > state->max_blocks_in));
+}
+
/*
* Delayed compression for SSH2 is enabled after authentication:
* This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
@@ -1051,6 +1121,20 @@ ssh_packet_enable_delayed_compress(struct ssh *ssh)
return 0;
}
+/* Used to mute debug logging for noisy packet types */
+static int
+ssh_packet_log_type(u_char type)
+{
+ switch (type) {
+ case SSH2_MSG_CHANNEL_DATA:
+ case SSH2_MSG_CHANNEL_EXTENDED_DATA:
+ case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
+ return 0;
+ default:
+ return 1;
+ }
+}
+
/*
* Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
*/
@@ -1079,7 +1163,8 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
type = (sshbuf_ptr(state->outgoing_packet))[5];
-
+ if (ssh_packet_log_type(type))
+ debug3("send packet: type %u", type);
#ifdef PACKET_DEBUG
fprintf(stderr, "plain: ");
sshbuf_dump(state->outgoing_packet, stderr);
@@ -1201,34 +1286,58 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
return r;
}
+/* returns non-zero if the specified packet type is usec by KEX */
+static int
+ssh_packet_type_is_kex(u_char type)
+{
+ return
+ type >= SSH2_MSG_TRANSPORT_MIN &&
+ type <= SSH2_MSG_TRANSPORT_MAX &&
+ type != SSH2_MSG_SERVICE_REQUEST &&
+ type != SSH2_MSG_SERVICE_ACCEPT &&
+ type != SSH2_MSG_EXT_INFO;
+}
+
int
ssh_packet_send2(struct ssh *ssh)
{
struct session_state *state = ssh->state;
struct packet *p;
u_char type;
- int r;
+ int r, need_rekey;
+ if (sshbuf_len(state->outgoing_packet) < 6)
+ return SSH_ERR_INTERNAL_ERROR;
type = sshbuf_ptr(state->outgoing_packet)[5];
+ need_rekey = !ssh_packet_type_is_kex(type) &&
+ ssh_packet_need_rekeying(ssh, sshbuf_len(state->outgoing_packet));
- /* during rekeying we can only send key exchange messages */
- if (state->rekeying) {
- if ((type < SSH2_MSG_TRANSPORT_MIN) ||
- (type > SSH2_MSG_TRANSPORT_MAX) ||
- (type == SSH2_MSG_SERVICE_REQUEST) ||
- (type == SSH2_MSG_SERVICE_ACCEPT)) {
- debug("enqueue packet: %u", type);
- p = calloc(1, sizeof(*p));
- if (p == NULL)
- return SSH_ERR_ALLOC_FAIL;
- p->type = type;
- p->payload = state->outgoing_packet;
- TAILQ_INSERT_TAIL(&state->outgoing, p, next);
- state->outgoing_packet = sshbuf_new();
- if (state->outgoing_packet == NULL)
- return SSH_ERR_ALLOC_FAIL;
- return 0;
+ /*
+ * During rekeying we can only send key exchange messages.
+ * Queue everything else.
+ */
+ if ((need_rekey || state->rekeying) && !ssh_packet_type_is_kex(type)) {
+ if (need_rekey)
+ debug3("%s: rekex triggered", __func__);
+ debug("enqueue packet: %u", type);
+ p = calloc(1, sizeof(*p));
+ if (p == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ p->type = type;
+ p->payload = state->outgoing_packet;
+ TAILQ_INSERT_TAIL(&state->outgoing, p, next);
+ state->outgoing_packet = sshbuf_new();
+ if (state->outgoing_packet == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ if (need_rekey) {
+ /*
+ * This packet triggered a rekey, so send the
+ * KEXINIT now.
+ * NB. reenters this function via kex_start_rekex().
+ */
+ return kex_start_rekex(ssh);
}
+ return 0;
}
/* rekeying starts with sending KEXINIT */
@@ -1244,10 +1353,22 @@ ssh_packet_send2(struct ssh *ssh)
state->rekey_time = monotime();
while ((p = TAILQ_FIRST(&state->outgoing))) {
type = p->type;
+ /*
+ * If this packet triggers a rekex, then skip the
+ * remaining packets in the queue for now.
+ * NB. re-enters this function via kex_start_rekex.
+ */
+ if (ssh_packet_need_rekeying(ssh,
+ sshbuf_len(p->payload))) {
+ debug3("%s: queued packet triggered rekex",
+ __func__);
+ return kex_start_rekex(ssh);
+ }
debug("dequeue packet: %u", type);
sshbuf_free(state->outgoing_packet);
state->outgoing_packet = p->payload;
TAILQ_REMOVE(&state->outgoing, p, next);
+ memset(p, 0, sizeof(*p));
free(p);
if ((r = ssh_packet_send2_wrapped(ssh)) != 0)
return r;
@@ -1266,7 +1387,7 @@ int
ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
{
struct session_state *state = ssh->state;
- int len, r, ms_remain, cont;
+ int len, r, ms_remain;
fd_set *setp;
char buf[8192];
struct timeval timeout, start, *timeoutp = NULL;
@@ -1336,11 +1457,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
if (r == 0)
return SSH_ERR_CONN_TIMEOUT;
/* Read data from the socket. */
- do {
- cont = 0;
- len = roaming_read(state->connection_in, buf,
- sizeof(buf), &cont);
- } while (len == 0 && cont);
+ len = read(state->connection_in, buf, sizeof(buf));
if (len == 0) {
r = SSH_ERR_CONN_CLOSED;
goto out;
@@ -1735,6 +1852,8 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
*/
if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0)
goto out;
+ if (ssh_packet_log_type(*typep))
+ debug3("receive packet: type %u", *typep);
if (*typep < SSH2_MSG_MIN || *typep >= SSH2_MSG_LOCAL_MIN) {
if ((r = sshpkt_disconnect(ssh,
"Invalid ssh2 packet type: %d", *typep)) != 0 ||
@@ -1754,6 +1873,13 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
#endif
/* reset for next packet */
state->packlen = 0;
+
+ /* do we need to rekey? */
+ if (ssh_packet_need_rekeying(ssh, 0)) {
+ debug3("%s: rekex triggered", __func__);
+ if ((r = kex_start_rekex(ssh)) != 0)
+ return r;
+ }
out:
return r;
}
@@ -1784,8 +1910,7 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||
(r = sshpkt_get_string(ssh, &msg, NULL)) != 0 ||
(r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
- if (msg)
- free(msg);
+ free(msg);
return r;
}
debug("Remote: %.900s", msg);
@@ -1799,8 +1924,9 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
do_log2(ssh->state->server_side &&
reason == SSH2_DISCONNECT_BY_APPLICATION ?
SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
- "Received disconnect from %s: %u: %.400s",
- ssh_remote_ipaddr(ssh), reason, msg);
+ "Received disconnect from %s port %d:"
+ "%u: %.400s", ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh), reason, msg);
free(msg);
return SSH_ERR_DISCONNECTED;
case SSH2_MSG_UNIMPLEMENTED:
@@ -1828,8 +1954,9 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
case SSH_MSG_DISCONNECT:
if ((r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
return r;
- logit("Received disconnect from %s: %.400s",
- ssh_remote_ipaddr(ssh), msg);
+ logit("Received disconnect from %s port %d: "
+ "%.400s", ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh), msg);
free(msg);
return SSH_ERR_DISCONNECTED;
default:
@@ -1919,19 +2046,22 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
{
switch (r) {
case SSH_ERR_CONN_CLOSED:
- logit("Connection closed by %.200s", ssh_remote_ipaddr(ssh));
+ logit("Connection closed by %.200s port %d",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
cleanup_exit(255);
case SSH_ERR_CONN_TIMEOUT:
- logit("Connection to %.200s timed out", ssh_remote_ipaddr(ssh));
+ logit("Connection %s %.200s port %d timed out",
+ ssh->state->server_side ? "from" : "to",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
cleanup_exit(255);
case SSH_ERR_DISCONNECTED:
- logit("Disconnected from %.200s",
- ssh_remote_ipaddr(ssh));
+ logit("Disconnected from %.200s port %d",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
cleanup_exit(255);
case SSH_ERR_SYSTEM_ERROR:
if (errno == ECONNRESET) {
- logit("Connection reset by %.200s",
- ssh_remote_ipaddr(ssh));
+ logit("Connection reset by %.200s port %d",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
cleanup_exit(255);
}
/* FALLTHROUGH */
@@ -1941,15 +2071,17 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
- fatal("Unable to negotiate with %.200s: %s. "
+ fatal("Unable to negotiate with %.200s port %d: %s. "
"Their offer: %s", ssh_remote_ipaddr(ssh),
- ssh_err(r), ssh->kex->failed_choice);
+ ssh_remote_port(ssh), ssh_err(r),
+ ssh->kex->failed_choice);
}
/* FALLTHROUGH */
default:
- fatal("%s%sConnection to %.200s: %s",
+ fatal("%s%sConnection %s %.200s port %d: %s",
tag != NULL ? tag : "", tag != NULL ? ": " : "",
- ssh_remote_ipaddr(ssh), ssh_err(r));
+ ssh->state->server_side ? "from" : "to",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), ssh_err(r));
}
}
@@ -2006,19 +2138,18 @@ ssh_packet_write_poll(struct ssh *ssh)
{
struct session_state *state = ssh->state;
int len = sshbuf_len(state->output);
- int cont, r;
+ int r;
if (len > 0) {
- cont = 0;
- len = roaming_write(state->connection_out,
- sshbuf_ptr(state->output), len, &cont);
+ len = write(state->connection_out,
+ sshbuf_ptr(state->output), len);
if (len == -1) {
if (errno == EINTR || errno == EAGAIN ||
errno == EWOULDBLOCK)
return 0;
return SSH_ERR_SYSTEM_ERROR;
}
- if (len == 0 && !cont)
+ if (len == 0)
return SSH_ERR_CONN_CLOSED;
if ((r = sshbuf_consume(state->output, len)) != 0)
return r;
@@ -2042,7 +2173,10 @@ ssh_packet_write_wait(struct ssh *ssh)
NFDBITS), sizeof(fd_mask));
if (setp == NULL)
return SSH_ERR_ALLOC_FAIL;
- ssh_packet_write_poll(ssh);
+ if ((r = ssh_packet_write_poll(ssh)) != 0) {
+ free(setp);
+ return r;
+ }
while (ssh_packet_have_data_to_write(ssh)) {
memset(setp, 0, howmany(state->connection_out + 1,
NFDBITS) * sizeof(fd_mask));
@@ -2230,29 +2364,10 @@ ssh_packet_send_ignore(struct ssh *ssh, int nbytes)
}
}
-#define MAX_PACKETS (1U<<31)
-int
-ssh_packet_need_rekeying(struct ssh *ssh)
-{
- struct session_state *state = ssh->state;
-
- if (ssh->compat & SSH_BUG_NOREKEY)
- return 0;
- return
- (state->p_send.packets > MAX_PACKETS) ||
- (state->p_read.packets > MAX_PACKETS) ||
- (state->max_blocks_out &&
- (state->p_send.blocks > state->max_blocks_out)) ||
- (state->max_blocks_in &&
- (state->p_read.blocks > state->max_blocks_in)) ||
- (state->rekey_interval != 0 && state->rekey_time +
- state->rekey_interval <= monotime());
-}
-
void
-ssh_packet_set_rekey_limits(struct ssh *ssh, u_int32_t bytes, time_t seconds)
+ssh_packet_set_rekey_limits(struct ssh *ssh, u_int64_t bytes, time_t seconds)
{
- debug3("rekey after %lld bytes, %d seconds", (long long)bytes,
+ debug3("rekey after %llu bytes, %d seconds", (unsigned long long)bytes,
(int)seconds);
ssh->state->rekey_limit = bytes;
ssh->state->rekey_interval = seconds;
@@ -2292,58 +2407,6 @@ ssh_packet_get_output(struct ssh *ssh)
return (void *)ssh->state->output;
}
-/* XXX TODO update roaming to new API (does not work anyway) */
-/*
- * Save the state for the real connection, and use a separate state when
- * resuming a suspended connection.
- */
-void
-ssh_packet_backup_state(struct ssh *ssh,
- struct ssh *backup_state)
-{
- struct ssh *tmp;
-
- close(ssh->state->connection_in);
- ssh->state->connection_in = -1;
- close(ssh->state->connection_out);
- ssh->state->connection_out = -1;
- if (backup_state)
- tmp = backup_state;
- else
- tmp = ssh_alloc_session_state();
- backup_state = ssh;
- ssh = tmp;
-}
-
-/* XXX FIXME FIXME FIXME */
-/*
- * Swap in the old state when resuming a connecion.
- */
-void
-ssh_packet_restore_state(struct ssh *ssh,
- struct ssh *backup_state)
-{
- struct ssh *tmp;
- u_int len;
- int r;
-
- tmp = backup_state;
- backup_state = ssh;
- ssh = tmp;
- ssh->state->connection_in = backup_state->state->connection_in;
- backup_state->state->connection_in = -1;
- ssh->state->connection_out = backup_state->state->connection_out;
- backup_state->state->connection_out = -1;
- len = sshbuf_len(backup_state->state->input);
- if (len > 0) {
- if ((r = sshbuf_putb(ssh->state->input,
- backup_state->state->input)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
- sshbuf_reset(backup_state->state->input);
- add_recv_bytes(len);
- }
-}
-
/* Reset after_authentication and reset compression in post-auth privsep */
static int
ssh_packet_set_postauth(struct ssh *ssh)
@@ -2431,8 +2494,7 @@ newkeys_to_blob(struct sshbuf *m, struct ssh *ssh, int mode)
goto out;
r = sshbuf_put_stringb(m, b);
out:
- if (b != NULL)
- sshbuf_free(b);
+ sshbuf_free(b);
return r;
}
@@ -2463,7 +2525,7 @@ ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m)
if ((r = kex_to_blob(m, ssh->kex)) != 0 ||
(r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 ||
(r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 ||
- (r = sshbuf_put_u32(m, state->rekey_limit)) != 0 ||
+ (r = sshbuf_put_u64(m, state->rekey_limit)) != 0 ||
(r = sshbuf_put_u32(m, state->rekey_interval)) != 0 ||
(r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 ||
(r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 ||
@@ -2494,11 +2556,6 @@ ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m)
(r = sshbuf_put_stringb(m, state->output)) != 0)
return r;
- if (compat20) {
- if ((r = sshbuf_put_u64(m, get_sent_bytes())) != 0 ||
- (r = sshbuf_put_u64(m, get_recv_bytes())) != 0)
- return r;
- }
return 0;
}
@@ -2567,10 +2624,8 @@ newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode)
newkey = NULL;
r = 0;
out:
- if (newkey != NULL)
- free(newkey);
- if (b != NULL)
- sshbuf_free(b);
+ free(newkey);
+ sshbuf_free(b);
return r;
}
@@ -2603,10 +2658,8 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
out:
if (r != 0 || kexp == NULL) {
if (kex != NULL) {
- if (kex->my != NULL)
- sshbuf_free(kex->my);
- if (kex->peer != NULL)
- sshbuf_free(kex->peer);
+ sshbuf_free(kex->my);
+ sshbuf_free(kex->peer);
free(kex);
}
if (kexp != NULL)
@@ -2629,7 +2682,6 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m)
size_t ssh1keylen, rlen, slen, ilen, olen;
int r;
u_int ssh1cipher = 0;
- u_int64_t sent_bytes = 0, recv_bytes = 0;
if (!compat20) {
if ((r = sshbuf_get_u32(m, &state->remote_protocol_flags)) != 0 ||
@@ -2652,7 +2704,7 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m)
if ((r = kex_from_blob(m, &ssh->kex)) != 0 ||
(r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 ||
(r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 ||
- (r = sshbuf_get_u32(m, &state->rekey_limit)) != 0 ||
+ (r = sshbuf_get_u64(m, &state->rekey_limit)) != 0 ||
(r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 ||
(r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 ||
(r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 ||
@@ -2694,12 +2746,6 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m)
(r = sshbuf_put(state->output, output, olen)) != 0)
return r;
- if (compat20) {
- if ((r = sshbuf_get_u64(m, &sent_bytes)) != 0 ||
- (r = sshbuf_get_u64(m, &recv_bytes)) != 0)
- return r;
- roam_set_bytes(sent_bytes, recv_bytes);
- }
if (sshbuf_len(m))
return SSH_ERR_INVALID_FORMAT;
debug3("%s: done", __func__);
diff --git a/crypto/openssh/packet.h b/crypto/openssh/packet.h
index 7b06544e8370..28516a553a20 100644
--- a/crypto/openssh/packet.h
+++ b/crypto/openssh/packet.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.h,v 1.66 2015/01/30 01:13:33 djm Exp $ */
+/* $OpenBSD: packet.h,v 1.70 2016/02/08 10:57:07 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -86,6 +86,7 @@ int ssh_packet_get_connection_in(struct ssh *);
int ssh_packet_get_connection_out(struct ssh *);
void ssh_packet_close(struct ssh *);
void ssh_packet_set_encryption_key(struct ssh *, const u_char *, u_int, int);
+int ssh_packet_is_rekeying(struct ssh *);
void ssh_packet_set_protocol_flags(struct ssh *, u_int);
u_int ssh_packet_get_protocol_flags(struct ssh *);
int ssh_packet_start_compression(struct ssh *, int);
@@ -143,15 +144,11 @@ int ssh_packet_get_state(struct ssh *, struct sshbuf *);
int ssh_packet_set_state(struct ssh *, struct sshbuf *);
const char *ssh_remote_ipaddr(struct ssh *);
+int ssh_remote_port(struct ssh *);
-int ssh_packet_need_rekeying(struct ssh *);
-void ssh_packet_set_rekey_limits(struct ssh *, u_int32_t, time_t);
+void ssh_packet_set_rekey_limits(struct ssh *, u_int64_t, time_t);
time_t ssh_packet_get_rekey_timeout(struct ssh *);
-/* XXX FIXME */
-void ssh_packet_backup_state(struct ssh *, struct ssh *);
-void ssh_packet_restore_state(struct ssh *, struct ssh *);
-
void *ssh_packet_get_input(struct ssh *);
void *ssh_packet_get_output(struct ssh *);
diff --git a/crypto/openssh/platform-pledge.c b/crypto/openssh/platform-pledge.c
new file mode 100644
index 000000000000..4a6ec15e1b2d
--- /dev/null
+++ b/crypto/openssh/platform-pledge.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2015 Joyent, Inc
+ * Author: Alex Wilson <alex.wilson@joyent.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <unistd.h>
+
+#include "platform.h"
+
+#include "openbsd-compat/openbsd-compat.h"
+
+/*
+ * Drop any fine-grained privileges that are not needed for post-startup
+ * operation of ssh-agent
+ *
+ * Should be as close as possible to pledge("stdio cpath unix id proc exec", ...)
+ */
+void
+platform_pledge_agent(void)
+{
+#ifdef USE_SOLARIS_PRIVS
+ /*
+ * Note: Solaris priv dropping is closer to tame() than pledge(), but
+ * we will use what we have.
+ */
+ solaris_drop_privs_root_pinfo_net();
+#endif
+}
+
+/*
+ * Drop any fine-grained privileges that are not needed for post-startup
+ * operation of sftp-server
+ */
+void
+platform_pledge_sftp_server(void)
+{
+#ifdef USE_SOLARIS_PRIVS
+ solaris_drop_privs_pinfo_net_fork_exec();
+#endif
+}
+
+/*
+ * Drop any fine-grained privileges that are not needed for the post-startup
+ * operation of the SSH client mux
+ *
+ * Should be as close as possible to pledge("stdio proc tty", ...)
+ */
+void
+platform_pledge_mux(void)
+{
+#ifdef USE_SOLARIS_PRIVS
+ solaris_drop_privs_root_pinfo_net_exec();
+#endif
+}
diff --git a/crypto/openssh/platform.h b/crypto/openssh/platform.h
index 1c7a45d8fc29..e687c99b6e55 100644
--- a/crypto/openssh/platform.h
+++ b/crypto/openssh/platform.h
@@ -31,3 +31,8 @@ void platform_setusercontext_post_groups(struct passwd *);
char *platform_get_krb5_client(const char *);
char *platform_krb5_get_principal_name(const char *);
int platform_sys_dir_uid(uid_t);
+
+/* in platform-pledge.c */
+void platform_pledge_agent(void);
+void platform_pledge_sftp_server(void);
+void platform_pledge_mux(void);
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 326a59cd7191..4755473d7692 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.239 2015/07/30 00:01:34 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.250 2016/02/08 23:40:12 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -139,6 +139,7 @@ typedef enum {
oPasswordAuthentication, oRSAAuthentication,
oChallengeResponseAuthentication, oXAuthLocation,
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
+ oCertificateFile, oAddKeysToAgent,
oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
@@ -155,7 +156,7 @@ typedef enum {
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- oVisualHostKey, oUseRoaming,
+ oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -206,6 +207,8 @@ static struct {
{ "identityfile", oIdentityFile },
{ "identityfile2", oIdentityFile }, /* obsolete */
{ "identitiesonly", oIdentitiesOnly },
+ { "certificatefile", oCertificateFile },
+ { "addkeystoagent", oAddKeysToAgent },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
{ "proxycommand", oProxyCommand },
@@ -264,7 +267,7 @@ static struct {
{ "localcommand", oLocalCommand },
{ "permitlocalcommand", oPermitLocalCommand },
{ "visualhostkey", oVisualHostKey },
- { "useroaming", oUseRoaming },
+ { "useroaming", oDeprecated },
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
{ "requesttty", oRequestTTY },
@@ -390,6 +393,30 @@ clear_forwardings(Options *options)
}
void
+add_certificate_file(Options *options, const char *path, int userprovided)
+{
+ int i;
+
+ if (options->num_certificate_files >= SSH_MAX_CERTIFICATE_FILES)
+ fatal("Too many certificate files specified (max %d)",
+ SSH_MAX_CERTIFICATE_FILES);
+
+ /* Avoid registering duplicates */
+ for (i = 0; i < options->num_certificate_files; i++) {
+ if (options->certificate_file_userprovided[i] == userprovided &&
+ strcmp(options->certificate_files[i], path) == 0) {
+ debug2("%s: ignoring duplicate key %s", __func__, path);
+ return;
+ }
+ }
+
+ options->certificate_file_userprovided[options->num_certificate_files] =
+ userprovided;
+ options->certificate_files[options->num_certificate_files++] =
+ xstrdup(path);
+}
+
+void
add_identity_file(Options *options, const char *dir, const char *filename,
int userprovided)
{
@@ -440,7 +467,7 @@ default_ssh_port(void)
static int
execute_in_shell(const char *cmd)
{
- char *shell, *command_string;
+ char *shell;
pid_t pid;
int devnull, status;
extern uid_t original_real_uid;
@@ -448,12 +475,6 @@ execute_in_shell(const char *cmd)
if ((shell = getenv("SHELL")) == NULL)
shell = _PATH_BSHELL;
- /*
- * Use "exec" to avoid "sh -c" processes on some platforms
- * (e.g. Solaris)
- */
- xasprintf(&command_string, "exec %s", cmd);
-
/* Need this to redirect subprocess stdin/out */
if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1)
fatal("open(/dev/null): %s", strerror(errno));
@@ -478,7 +499,7 @@ execute_in_shell(const char *cmd)
argv[0] = shell;
argv[1] = "-c";
- argv[2] = command_string;
+ argv[2] = xstrdup(cmd);
argv[3] = NULL;
execv(argv[0], argv);
@@ -493,7 +514,6 @@ execute_in_shell(const char *cmd)
fatal("%s: fork: %.100s", __func__, strerror(errno));
close(devnull);
- free(command_string);
while (waitpid(pid, &status, 0) == -1) {
if (errno != EINTR && errno != EAGAIN)
@@ -526,12 +546,15 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
*/
port = options->port <= 0 ? default_ssh_port() : options->port;
ruser = options->user == NULL ? pw->pw_name : options->user;
- if (options->hostname != NULL) {
+ if (post_canon) {
+ host = xstrdup(options->hostname);
+ } else if (options->hostname != NULL) {
/* NB. Please keep in sync with ssh.c:main() */
host = percent_expand(options->hostname,
"h", host_arg, (char *)NULL);
- } else
+ } else {
host = xstrdup(host_arg);
+ }
debug2("checking match for '%s' host %s originally %s",
cp, host, original_host);
@@ -717,6 +740,15 @@ static const struct multistate multistate_yesnoask[] = {
{ "ask", 2 },
{ NULL, -1 }
};
+static const struct multistate multistate_yesnoaskconfirm[] = {
+ { "true", 1 },
+ { "false", 0 },
+ { "yes", 1 },
+ { "no", 0 },
+ { "ask", 2 },
+ { "confirm", 3 },
+ { NULL, -1 }
+};
static const struct multistate multistate_addressfamily[] = {
{ "inet", AF_INET },
{ "inet6", AF_INET6 },
@@ -971,16 +1003,12 @@ parse_time:
if (scan_scaled(arg, &val64) == -1)
fatal("%.200s line %d: Bad number '%s': %s",
filename, linenum, arg, strerror(errno));
- /* check for too-large or too-small limits */
- if (val64 > UINT_MAX)
- fatal("%.200s line %d: RekeyLimit too large",
- filename, linenum);
if (val64 != 0 && val64 < 16)
fatal("%.200s line %d: RekeyLimit too small",
filename, linenum);
}
if (*activep && options->rekey_limit == -1)
- options->rekey_limit = (u_int32_t)val64;
+ options->rekey_limit = val64;
if (s != NULL) { /* optional rekey interval present */
if (strcmp(s, "none") == 0) {
(void)strdelim(&s); /* discard */
@@ -1005,6 +1033,24 @@ parse_time:
}
break;
+ case oCertificateFile:
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (*activep) {
+ intptr = &options->num_certificate_files;
+ if (*intptr >= SSH_MAX_CERTIFICATE_FILES) {
+ fatal("%.200s line %d: Too many certificate "
+ "files specified (max %d).",
+ filename, linenum,
+ SSH_MAX_CERTIFICATE_FILES);
+ }
+ add_certificate_file(options, arg,
+ flags & SSHCONF_USERCONF);
+ }
+ break;
+
case oXAuthLocation:
charptr=&options->xauth_location;
goto parse_string;
@@ -1402,10 +1448,6 @@ parse_keytypes:
}
break;
- case oUseRoaming:
- intptr = &options->use_roaming;
- goto parse_flag;
-
case oRequestTTY:
intptr = &options->request_tty;
multistate_ptr = multistate_requesttty;
@@ -1536,6 +1578,11 @@ parse_keytypes:
charptr = &options->pubkey_key_types;
goto parse_keytypes;
+ case oAddKeysToAgent:
+ intptr = &options->add_keys_to_agent;
+ multistate_ptr = multistate_yesnoaskconfirm;
+ goto parse_multistate;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
@@ -1666,6 +1713,7 @@ initialize_options(Options * options)
options->hostkeyalgorithms = NULL;
options->protocol = SSH_PROTO_UNKNOWN;
options->num_identity_files = 0;
+ options->num_certificate_files = 0;
options->hostname = NULL;
options->host_key_alias = NULL;
options->proxy_command = NULL;
@@ -1701,7 +1749,7 @@ initialize_options(Options * options)
options->tun_remote = -1;
options->local_command = NULL;
options->permit_local_command = -1;
- options->use_roaming = 0;
+ options->add_keys_to_agent = -1;
options->visual_host_key = -1;
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
@@ -1806,6 +1854,8 @@ fill_default_options(Options * options)
/* options->hostkeyalgorithms, default set in myproposals.h */
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_2;
+ if (options->add_keys_to_agent == -1)
+ options->add_keys_to_agent = 0;
if (options->num_identity_files == 0) {
if (options->protocol & SSH_PROTO_1) {
add_identity_file(options, "~/",
@@ -1880,7 +1930,6 @@ fill_default_options(Options * options)
options->tun_remote = SSH_TUNID_ANY;
if (options->permit_local_command == -1)
options->permit_local_command = 0;
- options->use_roaming = 0;
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
@@ -2291,6 +2340,10 @@ dump_client_config(Options *o, const char *host)
int i;
char vbuf[5];
+ /* This is normally prepared in ssh_kex2 */
+ if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
+ fatal("%s: kex_assemble_names failed", __func__);
+
/* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user);
dump_cfg_string(oHostName, host);
@@ -2351,7 +2404,7 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oBindAddress, o->bind_address);
dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
dump_cfg_string(oControlPath, o->control_path);
- dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
+ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
dump_cfg_string(oHostKeyAlias, o->host_key_alias);
dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
@@ -2362,6 +2415,7 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
dump_cfg_string(oProxyCommand, o->proxy_command);
+ dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
dump_cfg_string(oXAuthLocation, o->xauth_location);
@@ -2430,8 +2484,8 @@ dump_client_config(Options *o, const char *host)
printf("%s\n", iptos2str(o->ip_qos_bulk));
/* oRekeyLimit */
- printf("rekeylimit %lld %d\n",
- (long long)o->rekey_limit, o->rekey_interval);
+ printf("rekeylimit %llu %d\n",
+ (unsigned long long)o->rekey_limit, o->rekey_interval);
/* oStreamLocalBindMask */
printf("streamlocalbindmask 0%o\n",
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
index 33606671bb16..c2cc2a4bdb92 100644
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.110 2015/07/10 06:21:53 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.113 2016/01/14 16:17:40 markus Exp $ */
/* $FreeBSD$ */
/*
@@ -96,6 +96,13 @@ typedef struct {
int identity_file_userprovided[SSH_MAX_IDENTITY_FILES];
struct sshkey *identity_keys[SSH_MAX_IDENTITY_FILES];
+ int num_certificate_files; /* Number of extra certificates for ssh. */
+ char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
+ int certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES];
+ struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
+
+ int add_keys_to_agent;
+
/* Local TCP/IP forward requests. */
int num_local_forwards;
struct Forward *local_forwards;
@@ -131,8 +138,6 @@ typedef struct {
int permit_local_command;
int visual_host_key;
- int use_roaming;
-
int request_tty;
int proxy_use_fdpass;
@@ -197,5 +202,6 @@ void dump_client_config(Options *o, const char *host);
void add_local_forward(Options *, const struct Forward *);
void add_remote_forward(Options *, const struct Forward *);
void add_identity_file(Options *, const char *, const char *, int);
+void add_certificate_file(Options *, const char *, int);
#endif /* READCONF_H */
diff --git a/crypto/openssh/readpass.c b/crypto/openssh/readpass.c
index 869d86425c02..05c8cac1cc03 100644
--- a/crypto/openssh/readpass.c
+++ b/crypto/openssh/readpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readpass.c,v 1.50 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: readpass.c,v 1.51 2015/12/11 00:20:04 mmcc Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@@ -76,7 +76,7 @@ ssh_askpass(char *askpass, const char *msg)
close(p[0]);
if (dup2(p[1], STDOUT_FILENO) < 0)
fatal("ssh_askpass: dup2: %s", strerror(errno));
- execlp(askpass, askpass, msg, (char *) 0);
+ execlp(askpass, askpass, msg, (char *)NULL);
fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno));
}
close(p[1]);
diff --git a/crypto/openssh/regress/Makefile b/crypto/openssh/regress/Makefile
index cba83f4d6b06..451909c1a4b1 100644
--- a/crypto/openssh/regress/Makefile
+++ b/crypto/openssh/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $
+# $OpenBSD: Makefile,v 1.82 2015/09/24 06:16:53 djm Exp $
REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
tests: prep $(REGRESS_TARGETS)
@@ -74,7 +74,8 @@ LTESTS= connect \
hostkey-agent \
keygen-knownhosts \
hostkey-rotate \
- principals-command
+ principals-command \
+ cert-file
# dhgex \
diff --git a/crypto/openssh/regress/agent-ptrace.sh b/crypto/openssh/regress/agent-ptrace.sh
index 1912ca8f9bb0..bb676d631574 100644
--- a/crypto/openssh/regress/agent-ptrace.sh
+++ b/crypto/openssh/regress/agent-ptrace.sh
@@ -12,6 +12,11 @@ if have_prog uname ; then
esac
fi
+if [ "x$USER" = "xroot" ]; then
+ echo "Skipped: running as root"
+ exit 0
+fi
+
if have_prog gdb ; then
: ok
else
diff --git a/crypto/openssh/regress/cert-file.sh b/crypto/openssh/regress/cert-file.sh
new file mode 100755
index 000000000000..bad923ad0ac7
--- /dev/null
+++ b/crypto/openssh/regress/cert-file.sh
@@ -0,0 +1,138 @@
+# $OpenBSD: cert-file.sh,v 1.2 2015/09/24 07:15:39 djm Exp $
+# Placed in the Public Domain.
+
+tid="ssh with certificates"
+
+rm -f $OBJ/user_ca_key* $OBJ/user_key*
+rm -f $OBJ/cert_user_key*
+
+# Create a CA key
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 ||\
+ fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key2 ||\
+ fatal "ssh-keygen failed"
+
+# Make some keys and certificates.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
+ fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \
+ fatal "ssh-keygen failed"
+# Move the certificate to a different address to better control
+# when it is offered.
+${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \
+ -z $$ -n ${USER} $OBJ/user_key1 ||
+ fail "couldn't sign user_key1 with user_ca_key1"
+mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub
+${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \
+ -z $$ -n ${USER} $OBJ/user_key1 ||
+ fail "couldn't sign user_key1 with user_ca_key2"
+mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub
+
+trace 'try with identity files'
+opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
+opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
+echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER
+
+for p in ${SSH_PROTOCOLS}; do
+ # Just keys should fail
+ ${SSH} $opts2 somehost exit 5$p
+ r=$?
+ if [ $r -eq 5$p ]; then
+ fail "ssh succeeded with no certs in protocol $p"
+ fi
+
+ # Keys with untrusted cert should fail.
+ opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+ ${SSH} $opts3 somehost exit 5$p
+ r=$?
+ if [ $r -eq 5$p ]; then
+ fail "ssh succeeded with bad cert in protocol $p"
+ fi
+
+ # Good cert with bad key should fail.
+ opts3="$opts -i $OBJ/user_key2"
+ opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+ ${SSH} $opts3 somehost exit 5$p
+ r=$?
+ if [ $r -eq 5$p ]; then
+ fail "ssh succeeded with no matching key in protocol $p"
+ fi
+
+ # Keys with one trusted cert, should succeed.
+ opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+ ${SSH} $opts3 somehost exit 5$p
+ r=$?
+ if [ $r -ne 5$p ]; then
+ fail "ssh failed with trusted cert and key in protocol $p"
+ fi
+
+ # Multiple certs and keys, with one trusted cert, should succeed.
+ opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+ opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+ ${SSH} $opts3 somehost exit 5$p
+ r=$?
+ if [ $r -ne 5$p ]; then
+ fail "ssh failed with multiple certs in protocol $p"
+ fi
+
+ #Keys with trusted certificate specified in config options, should succeed.
+ opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+ ${SSH} $opts3 somehost exit 5$p
+ r=$?
+ if [ $r -ne 5$p ]; then
+ fail "ssh failed with trusted cert in config in protocol $p"
+ fi
+done
+
+#next, using an agent in combination with the keys
+SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 2 ]; then
+ fatal "ssh-add -l did not fail with exit code 2"
+fi
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+ fatal "could not start ssh-agent: exit code $r"
+fi
+
+# add private keys to agent
+${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+ fatal "ssh-add did not succeed with exit code 0"
+fi
+${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+ fatal "ssh-add did not succeed with exit code 0"
+fi
+
+# try ssh with the agent and certificates
+# note: ssh agent only uses certificates in protocol 2
+opts="-F $OBJ/ssh_proxy"
+# with no certificates, shoud fail
+${SSH} -2 $opts somehost exit 52
+if [ $? -eq 52 ]; then
+ fail "ssh connect with agent in protocol 2 succeeded with no cert"
+fi
+
+#with an untrusted certificate, should fail
+opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+${SSH} -2 $opts somehost exit 52
+if [ $? -eq 52 ]; then
+ fail "ssh connect with agent in protocol 2 succeeded with bad cert"
+fi
+
+#with an additional trusted certificate, should succeed
+opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} -2 $opts somehost exit 52
+if [ $? -ne 52 ]; then
+ fail "ssh connect with agent in protocol 2 failed with good cert"
+fi
+
+trace "kill agent"
+${SSHAGENT} -k > /dev/null
+
+#cleanup
+rm -f $OBJ/user_ca_key* $OBJ/user_key*
+rm -f $OBJ/cert_user_key*
diff --git a/crypto/openssh/regress/check-perm.c b/crypto/openssh/regress/check-perm.c
new file mode 100644
index 000000000000..dac307d24464
--- /dev/null
+++ b/crypto/openssh/regress/check-perm.c
@@ -0,0 +1,205 @@
+/*
+ * Placed in the public domain
+ */
+
+/* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <pwd.h>
+#ifdef HAVE_LIBGEN_H
+#include <libgen.h>
+#endif
+
+static void
+fatal(const char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ fputc('\n', stderr);
+ va_end(args);
+ exit(1);
+}
+/* Based on session.c. NB. keep tests in sync */
+static void
+safely_chroot(const char *path, uid_t uid)
+{
+ const char *cp;
+ char component[PATH_MAX];
+ struct stat st;
+
+ if (*path != '/')
+ fatal("chroot path does not begin at root");
+ if (strlen(path) >= sizeof(component))
+ fatal("chroot path too long");
+
+ /*
+ * Descend the path, checking that each component is a
+ * root-owned directory with strict permissions.
+ */
+ for (cp = path; cp != NULL;) {
+ if ((cp = strchr(cp, '/')) == NULL)
+ strlcpy(component, path, sizeof(component));
+ else {
+ cp++;
+ memcpy(component, path, cp - path);
+ component[cp - path] = '\0';
+ }
+
+ /* debug3("%s: checking '%s'", __func__, component); */
+
+ if (stat(component, &st) != 0)
+ fatal("%s: stat(\"%s\"): %s", __func__,
+ component, strerror(errno));
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0)
+ fatal("bad ownership or modes for chroot "
+ "directory %s\"%s\"",
+ cp == NULL ? "" : "component ", component);
+ if (!S_ISDIR(st.st_mode))
+ fatal("chroot path %s\"%s\" is not a directory",
+ cp == NULL ? "" : "component ", component);
+
+ }
+
+ if (chdir(path) == -1)
+ fatal("Unable to chdir to chroot path \"%s\": "
+ "%s", path, strerror(errno));
+}
+
+/* from platform.c */
+int
+platform_sys_dir_uid(uid_t uid)
+{
+ if (uid == 0)
+ return 1;
+#ifdef PLATFORM_SYS_DIR_UID
+ if (uid == PLATFORM_SYS_DIR_UID)
+ return 1;
+#endif
+ return 0;
+}
+
+/* from auth.c */
+int
+auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+ uid_t uid, char *err, size_t errlen)
+{
+ char buf[PATH_MAX], homedir[PATH_MAX];
+ char *cp;
+ int comparehome = 0;
+ struct stat st;
+
+ if (realpath(name, buf) == NULL) {
+ snprintf(err, errlen, "realpath %s failed: %s", name,
+ strerror(errno));
+ return -1;
+ }
+ if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
+ comparehome = 1;
+
+ if (!S_ISREG(stp->st_mode)) {
+ snprintf(err, errlen, "%s is not a regular file", buf);
+ return -1;
+ }
+ if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
+ (stp->st_mode & 022) != 0) {
+ snprintf(err, errlen, "bad ownership or modes for file %s",
+ buf);
+ return -1;
+ }
+
+ /* for each component of the canonical path, walking upwards */
+ for (;;) {
+ if ((cp = dirname(buf)) == NULL) {
+ snprintf(err, errlen, "dirname() failed");
+ return -1;
+ }
+ strlcpy(buf, cp, sizeof(buf));
+
+ if (stat(buf, &st) < 0 ||
+ (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
+ (st.st_mode & 022) != 0) {
+ snprintf(err, errlen,
+ "bad ownership or modes for directory %s", buf);
+ return -1;
+ }
+
+ /* If are past the homedir then we can stop */
+ if (comparehome && strcmp(homedir, buf) == 0)
+ break;
+
+ /*
+ * dirname should always complete with a "/" path,
+ * but we can be paranoid and check for "." too
+ */
+ if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
+ break;
+ }
+ return 0;
+}
+
+static void
+usage(void)
+{
+ fprintf(stderr, "check-perm -m [chroot | keys-command] [path]\n");
+ exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+ const char *path = ".";
+ char errmsg[256];
+ int ch, mode = -1;
+ extern char *optarg;
+ extern int optind;
+ struct stat st;
+
+ while ((ch = getopt(argc, argv, "hm:")) != -1) {
+ switch (ch) {
+ case 'm':
+ if (strcasecmp(optarg, "chroot") == 0)
+ mode = 1;
+ else if (strcasecmp(optarg, "keys-command") == 0)
+ mode = 2;
+ else {
+ fprintf(stderr, "Invalid -m option\n"),
+ usage();
+ }
+ break;
+ default:
+ usage();
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (argc > 1)
+ usage();
+ else if (argc == 1)
+ path = argv[0];
+
+ if (mode == 1)
+ safely_chroot(path, getuid());
+ else if (mode == 2) {
+ if (stat(path, &st) < 0)
+ fatal("Could not stat %s: %s", path, strerror(errno));
+ if (auth_secure_path(path, &st, NULL, 0,
+ errmsg, sizeof(errmsg)) != 0)
+ fatal("Unsafe %s: %s", path, errmsg);
+ } else {
+ fprintf(stderr, "Invalid mode\n");
+ usage();
+ }
+ return 0;
+}
diff --git a/crypto/openssh/regress/dhgex.sh b/crypto/openssh/regress/dhgex.sh
index 57fca4a32e94..e7c5733974a7 100755
--- a/crypto/openssh/regress/dhgex.sh
+++ b/crypto/openssh/regress/dhgex.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dhgex.sh,v 1.2 2014/04/21 22:15:37 djm Exp $
+# $OpenBSD: dhgex.sh,v 1.3 2015/10/23 02:22:01 dtucker Exp $
# Placed in the Public Domain.
tid="dhgex"
@@ -20,7 +20,9 @@ ssh_test_dhgex()
echo "Ciphers=$cipher" >> $OBJ/sshd_proxy
rm -f ${LOG}
opts="-oKexAlgorithms=$kex -oCiphers=$cipher"
- groupsz="1024<$bits<8192"
+ min=2048
+ max=8192
+ groupsz="$min<$bits<$max"
verbose "$tid bits $bits $kex $cipher"
${SSH} ${opts} $@ -vvv -F ${OBJ}/ssh_proxy somehost true
if [ $? -ne 0 ]; then
diff --git a/crypto/openssh/regress/hostkey-rotate.sh b/crypto/openssh/regress/hostkey-rotate.sh
index 3aa8c40c0adf..d69de32557a6 100755
--- a/crypto/openssh/regress/hostkey-rotate.sh
+++ b/crypto/openssh/regress/hostkey-rotate.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
+# $OpenBSD: hostkey-rotate.sh,v 1.5 2015/09/04 04:23:10 djm Exp $
# Placed in the Public Domain.
tid="hostkey rotate"
@@ -108,21 +108,3 @@ verbose "check rotate primary hostkey"
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa
expect_nkeys 1 "learn hostkeys"
check_key_present ssh-rsa || fail "didn't learn changed key"
-
-# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
-# Placed in the Public Domain.
-
-tid="hostkey rotate"
-
-# Prepare hostkeys file with one key
-
-# Connect to sshd
-
-# Check that other keys learned
-
-# Change one hostkey (non primary)
-
-# Connect to sshd
-
-# Check that the key was replaced
-
diff --git a/crypto/openssh/regress/keys-command.sh b/crypto/openssh/regress/keys-command.sh
index 700273b66642..af68cf15c7a5 100755
--- a/crypto/openssh/regress/keys-command.sh
+++ b/crypto/openssh/regress/keys-command.sh
@@ -36,6 +36,12 @@ exec cat "$OBJ/authorized_keys_${LOGNAME}"
_EOF
$SUDO chmod 0755 "$KEY_COMMAND"
+if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then
+ echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
+ $SUDO rm -f $KEY_COMMAND
+ exit 0
+fi
+
if [ -x $KEY_COMMAND ]; then
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
diff --git a/crypto/openssh/regress/keyscan.sh b/crypto/openssh/regress/keyscan.sh
index 886f3295ae7c..f97364b76e7d 100644
--- a/crypto/openssh/regress/keyscan.sh
+++ b/crypto/openssh/regress/keyscan.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keyscan.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $
# Placed in the Public Domain.
tid="keyscan"
@@ -8,7 +8,7 @@ rm -f ${OBJ}/host.dsa
start_sshd
-KEYTYPES="rsa dsa"
+KEYTYPES=`${SSH} -Q key-plain`
if ssh_version 1; then
KEYTYPES="${KEYTYPES} rsa1"
fi
diff --git a/crypto/openssh/regress/limit-keytype.sh b/crypto/openssh/regress/limit-keytype.sh
index 2de037bd1edb..c0cf2fed6d86 100755
--- a/crypto/openssh/regress/limit-keytype.sh
+++ b/crypto/openssh/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: limit-keytype.sh,v 1.1 2015/01/13 07:49:49 djm Exp $
+# $OpenBSD: limit-keytype.sh,v 1.4 2015/10/29 08:05:17 djm Exp $
# Placed in the Public Domain.
tid="restrict pubkey type"
@@ -20,18 +20,19 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key2 || \
fatal "ssh-keygen failed"
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 || \
fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t dsa -f $OBJ/user_key4 || \
+ fatal "ssh-keygen failed"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
fatal "couldn't sign user_key1"
# Copy the private key alongside the cert to allow better control of when
# it is offered.
mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub
-cp -p $OBJ/user_key3 $OBJ/cert_user_key3
grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
-fullopts="$opts -i $OBJ/cert_user_key3 -i $OBJ/user_key1 -i $OBJ/user_key2"
+certopts="$opts -i $OBJ/user_key3 -oCertificateFile=$OBJ/cert_user_key3.pub"
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
@@ -53,28 +54,44 @@ prepare_config() {
prepare_config
# Check we can log in with all key types.
-${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed"
+${SSH} $certopts proxy true || fatal "cert failed"
${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
# Allow plain Ed25519 and RSA. The certificate should fail.
-verbose "privsep=$privsep allow rsa,ed25519"
+verbose "allow rsa,ed25519"
prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
-${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
+${SSH} $certopts proxy true && fatal "cert succeeded"
${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
# Allow Ed25519 only.
-verbose "privsep=$privsep allow ed25519"
+verbose "allow ed25519"
prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519"
-${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
+${SSH} $certopts proxy true && fatal "cert succeeded"
${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
# Allow all certs. Plain keys should fail.
-verbose "privsep=$privsep allow cert only"
+verbose "allow cert only"
prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
-${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed"
+${SSH} $certopts proxy true || fatal "cert failed"
${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
+# Allow RSA in main config, Ed25519 for non-existent user.
+verbose "match w/ no match"
+prepare_config "PubkeyAcceptedKeyTypes ssh-rsa" \
+ "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
+${SSH} $certopts proxy true && fatal "cert succeeded"
+${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
+${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
+
+# Allow only DSA in main config, Ed25519 for user.
+verbose "match w/ matching"
+prepare_config "PubkeyAcceptedKeyTypes ssh-dss" \
+ "Match user $USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
+${SSH} $certopts proxy true || fatal "cert failed"
+${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
+${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded"
+
diff --git a/crypto/openssh/regress/principals-command.sh b/crypto/openssh/regress/principals-command.sh
index b90a8cf2cb44..c0be7e747761 100755
--- a/crypto/openssh/regress/principals-command.sh
+++ b/crypto/openssh/regress/principals-command.sh
@@ -24,6 +24,13 @@ _EOF
test $? -eq 0 || fatal "couldn't prepare principals command"
$SUDO chmod 0755 "$PRINCIPALS_CMD"
+if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then
+ echo "skipping: $PRINCIPALS_CMD is unsuitable as " \
+ "AuthorizedPrincipalsCommand"
+ $SUDO rm -f $PRINCIPALS_CMD
+ exit 0
+fi
+
# Create a CA key and a user certificate.
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
fatal "ssh-keygen of user_ca_key failed"
diff --git a/crypto/openssh/regress/proxy-connect.sh b/crypto/openssh/regress/proxy-connect.sh
index f816962b592a..b7a43fabe782 100644
--- a/crypto/openssh/regress/proxy-connect.sh
+++ b/crypto/openssh/regress/proxy-connect.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: proxy-connect.sh,v 1.8 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $
# Placed in the Public Domain.
tid="proxy connect"
@@ -18,7 +18,8 @@ for ps in no yes; do
fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
- fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c"
+ fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \
+ "$SSH_CONNECTION"
fi
done
done
diff --git a/crypto/openssh/regress/rekey.sh b/crypto/openssh/regress/rekey.sh
index 0d4444d03fed..ae145bc8b92e 100644
--- a/crypto/openssh/regress/rekey.sh
+++ b/crypto/openssh/regress/rekey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: rekey.sh,v 1.16 2015/02/14 12:43:16 markus Exp $
+# $OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $
# Placed in the Public Domain.
tid="rekey"
@@ -137,13 +137,15 @@ for s in 5 10; do
done
verbose "rekeylimit parsing"
-for size in 16 1k 1K 1m 1M 1g 1G; do
+for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
case $size in
16) bytes=16 ;;
1k|1K) bytes=1024 ;;
1m|1M) bytes=1048576 ;;
1g|1G) bytes=1073741824 ;;
+ 4g|4G) bytes=4294967296 ;;
+ 8g|8G) bytes=8589934592 ;;
esac
case $time in
1) seconds=1 ;;
diff --git a/crypto/openssh/regress/setuid-allowed.c b/crypto/openssh/regress/setuid-allowed.c
index 676d2661c044..7a0527fd064c 100644
--- a/crypto/openssh/regress/setuid-allowed.c
+++ b/crypto/openssh/regress/setuid-allowed.c
@@ -26,7 +26,7 @@
#include <string.h>
#include <errno.h>
-void
+static void
usage(void)
{
fprintf(stderr, "check-setuid [path]\n");
diff --git a/crypto/openssh/regress/sftp-chroot.sh b/crypto/openssh/regress/sftp-chroot.sh
index 23f7456e8e61..9c26eb6807f0 100755
--- a/crypto/openssh/regress/sftp-chroot.sh
+++ b/crypto/openssh/regress/sftp-chroot.sh
@@ -12,6 +12,11 @@ if [ -z "$SUDO" ]; then
exit 0
fi
+if ! $OBJ/check-perm -m chroot "$CHROOT" ; then
+ echo "skipped: $CHROOT is unsuitable as ChrootDirectory"
+ exit 0
+fi
+
$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \
fatal "create $PRIVDATA failed"
diff --git a/crypto/openssh/regress/unittests/sshkey/test_file.c b/crypto/openssh/regress/unittests/sshkey/test_file.c
index c8a2369373b4..906491f2bc31 100644
--- a/crypto/openssh/regress/unittests/sshkey/test_file.c
+++ b/crypto/openssh/regress/unittests/sshkey/test_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_file.c,v 1.4 2015/07/07 14:53:30 markus Exp $ */
+/* $OpenBSD: test_file.c,v 1.5 2015/10/06 01:20:59 djm Exp $ */
/*
* Regress test for sshkey.h key management API
*
@@ -54,8 +54,7 @@ sshkey_file_tests(void)
#ifdef WITH_SSH1
TEST_START("parse RSA1 from private");
buf = load_file("rsa1_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa1_1",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
a = load_bignum("rsa1_1.param.n");
@@ -66,7 +65,7 @@ sshkey_file_tests(void)
TEST_START("parse RSA1 from private w/ passphrase");
buf = load_file("rsa1_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- (const char *)sshbuf_ptr(pw), "rsa1_1_pw", &k2, NULL), 0);
+ (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -104,8 +103,7 @@ sshkey_file_tests(void)
TEST_START("parse RSA from private");
buf = load_file("rsa_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa_1",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
a = load_bignum("rsa_1.param.n");
@@ -122,7 +120,7 @@ sshkey_file_tests(void)
TEST_START("parse RSA from private w/ passphrase");
buf = load_file("rsa_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- (const char *)sshbuf_ptr(pw), "rsa_1_pw", &k2, NULL), 0);
+ (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -131,8 +129,7 @@ sshkey_file_tests(void)
TEST_START("parse RSA from new-format");
buf = load_file("rsa_n");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- "", "rsa_n", &k2, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -142,7 +139,7 @@ sshkey_file_tests(void)
TEST_START("parse RSA from new-format w/ passphrase");
buf = load_file("rsa_n_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- (const char *)sshbuf_ptr(pw), "rsa_n_pw", &k2, NULL), 0);
+ (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -197,8 +194,7 @@ sshkey_file_tests(void)
TEST_START("parse DSA from private");
buf = load_file("dsa_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "dsa_1",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
a = load_bignum("dsa_1.param.g");
@@ -215,7 +211,7 @@ sshkey_file_tests(void)
TEST_START("parse DSA from private w/ passphrase");
buf = load_file("dsa_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- (const char *)sshbuf_ptr(pw), "dsa_1_pw", &k2, NULL), 0);
+ (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -224,8 +220,7 @@ sshkey_file_tests(void)
TEST_START("parse DSA from new-format");
buf = load_file("dsa_n");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- "", "dsa_n", &k2, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -235,7 +230,7 @@ sshkey_file_tests(void)
TEST_START("parse DSA from new-format w/ passphrase");
buf = load_file("dsa_n_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- (const char *)sshbuf_ptr(pw), "dsa_n_pw", &k2, NULL), 0);
+ (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -291,8 +286,7 @@ sshkey_file_tests(void)
#ifdef OPENSSL_HAS_ECC
TEST_START("parse ECDSA from private");
buf = load_file("ecdsa_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "ecdsa_1",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
buf = load_text_file("ecdsa_1.param.curve");
@@ -315,7 +309,7 @@ sshkey_file_tests(void)
TEST_START("parse ECDSA from private w/ passphrase");
buf = load_file("ecdsa_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- (const char *)sshbuf_ptr(pw), "ecdsa_1_pw", &k2, NULL), 0);
+ (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -324,8 +318,7 @@ sshkey_file_tests(void)
TEST_START("parse ECDSA from new-format");
buf = load_file("ecdsa_n");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- "", "ecdsa_n", &k2, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -335,7 +328,7 @@ sshkey_file_tests(void)
TEST_START("parse ECDSA from new-format w/ passphrase");
buf = load_file("ecdsa_n_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- (const char *)sshbuf_ptr(pw), "ecdsa_n_pw", &k2, NULL), 0);
+ (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -391,8 +384,7 @@ sshkey_file_tests(void)
TEST_START("parse Ed25519 from private");
buf = load_file("ed25519_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "ed25519_1",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
ASSERT_INT_EQ(k1->type, KEY_ED25519);
@@ -402,7 +394,7 @@ sshkey_file_tests(void)
TEST_START("parse Ed25519 from private w/ passphrase");
buf = load_file("ed25519_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- (const char *)sshbuf_ptr(pw), "ed25519_1_pw", &k2, NULL), 0);
+ (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
diff --git a/crypto/openssh/regress/unittests/sshkey/test_fuzz.c b/crypto/openssh/regress/unittests/sshkey/test_fuzz.c
index 1f08a2e432bb..1f414e0acaa2 100644
--- a/crypto/openssh/regress/unittests/sshkey/test_fuzz.c
+++ b/crypto/openssh/regress/unittests/sshkey/test_fuzz.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_fuzz.c,v 1.4 2015/03/04 23:22:35 djm Exp $ */
+/* $OpenBSD: test_fuzz.c,v 1.6 2015/12/07 02:20:46 djm Exp $ */
/*
* Fuzz tests for key parsing
*
@@ -72,13 +72,13 @@ public_fuzz(struct sshkey *k)
}
static void
-sig_fuzz(struct sshkey *k)
+sig_fuzz(struct sshkey *k, const char *sig_alg)
{
struct fuzz *fuzz;
u_char *sig, c[] = "some junk to be signed";
size_t l;
- ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), 0), 0);
+ ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), sig_alg, 0), 0);
ASSERT_SIZE_T_GT(l, 0);
fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */
FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
@@ -110,8 +110,7 @@ sshkey_fuzz_tests(void)
fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
sshbuf_mutable_ptr(buf), sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshkey_free(k1);
sshbuf_free(buf);
ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -119,8 +118,7 @@ sshkey_fuzz_tests(void)
for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_private_fileblob(fuzzed, "", "key",
- &k1, NULL) == 0)
+ if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
sshkey_free(k1);
sshbuf_reset(fuzzed);
}
@@ -154,8 +152,7 @@ sshkey_fuzz_tests(void)
buf = load_file("rsa_1");
fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshkey_free(k1);
sshbuf_free(buf);
ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -163,8 +160,7 @@ sshkey_fuzz_tests(void)
for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_private_fileblob(fuzzed, "", "key",
- &k1, NULL) == 0)
+ if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
sshkey_free(k1);
sshbuf_reset(fuzzed);
}
@@ -176,8 +172,7 @@ sshkey_fuzz_tests(void)
buf = load_file("rsa_n");
fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshkey_free(k1);
sshbuf_free(buf);
ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -185,8 +180,7 @@ sshkey_fuzz_tests(void)
for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_private_fileblob(fuzzed, "", "key",
- &k1, NULL) == 0)
+ if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
sshkey_free(k1);
sshbuf_reset(fuzzed);
}
@@ -198,8 +192,7 @@ sshkey_fuzz_tests(void)
buf = load_file("dsa_1");
fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshkey_free(k1);
sshbuf_free(buf);
ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -207,8 +200,7 @@ sshkey_fuzz_tests(void)
for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_private_fileblob(fuzzed, "", "key",
- &k1, NULL) == 0)
+ if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
sshkey_free(k1);
sshbuf_reset(fuzzed);
}
@@ -220,8 +212,7 @@ sshkey_fuzz_tests(void)
buf = load_file("dsa_n");
fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshkey_free(k1);
sshbuf_free(buf);
ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -229,8 +220,7 @@ sshkey_fuzz_tests(void)
for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_private_fileblob(fuzzed, "", "key",
- &k1, NULL) == 0)
+ if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
sshkey_free(k1);
sshbuf_reset(fuzzed);
}
@@ -243,8 +233,7 @@ sshkey_fuzz_tests(void)
buf = load_file("ecdsa_1");
fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshkey_free(k1);
sshbuf_free(buf);
ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -252,8 +241,7 @@ sshkey_fuzz_tests(void)
for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_private_fileblob(fuzzed, "", "key",
- &k1, NULL) == 0)
+ if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
sshkey_free(k1);
sshbuf_reset(fuzzed);
}
@@ -265,8 +253,7 @@ sshkey_fuzz_tests(void)
buf = load_file("ecdsa_n");
fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshkey_free(k1);
sshbuf_free(buf);
ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -274,8 +261,7 @@ sshkey_fuzz_tests(void)
for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_private_fileblob(fuzzed, "", "key",
- &k1, NULL) == 0)
+ if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
sshkey_free(k1);
sshbuf_reset(fuzzed);
}
@@ -288,8 +274,7 @@ sshkey_fuzz_tests(void)
buf = load_file("ed25519_1");
fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshkey_free(k1);
sshbuf_free(buf);
ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -297,8 +282,7 @@ sshkey_fuzz_tests(void)
for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_private_fileblob(fuzzed, "", "key",
- &k1, NULL) == 0)
+ if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
sshkey_free(k1);
sshbuf_reset(fuzzed);
}
@@ -308,8 +292,7 @@ sshkey_fuzz_tests(void)
TEST_START("fuzz RSA public");
buf = load_file("rsa_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
public_fuzz(k1);
sshkey_free(k1);
@@ -323,8 +306,7 @@ sshkey_fuzz_tests(void)
TEST_START("fuzz DSA public");
buf = load_file("dsa_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
public_fuzz(k1);
sshkey_free(k1);
@@ -339,8 +321,7 @@ sshkey_fuzz_tests(void)
#ifdef OPENSSL_HAS_ECC
TEST_START("fuzz ECDSA public");
buf = load_file("ecdsa_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
public_fuzz(k1);
sshkey_free(k1);
@@ -355,8 +336,7 @@ sshkey_fuzz_tests(void)
TEST_START("fuzz Ed25519 public");
buf = load_file("ed25519_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
public_fuzz(k1);
sshkey_free(k1);
@@ -370,39 +350,51 @@ sshkey_fuzz_tests(void)
TEST_START("fuzz RSA sig");
buf = load_file("rsa_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
- sig_fuzz(k1);
+ sig_fuzz(k1, "ssh-rsa");
+ sshkey_free(k1);
+ TEST_DONE();
+
+ TEST_START("fuzz RSA SHA256 sig");
+ buf = load_file("rsa_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
+ sshbuf_free(buf);
+ sig_fuzz(k1, "rsa-sha2-256");
+ sshkey_free(k1);
+ TEST_DONE();
+
+ TEST_START("fuzz RSA SHA512 sig");
+ buf = load_file("rsa_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
+ sshbuf_free(buf);
+ sig_fuzz(k1, "rsa-sha2-512");
sshkey_free(k1);
TEST_DONE();
TEST_START("fuzz DSA sig");
buf = load_file("dsa_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
- sig_fuzz(k1);
+ sig_fuzz(k1, NULL);
sshkey_free(k1);
TEST_DONE();
#ifdef OPENSSL_HAS_ECC
TEST_START("fuzz ECDSA sig");
buf = load_file("ecdsa_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
- sig_fuzz(k1);
+ sig_fuzz(k1, NULL);
sshkey_free(k1);
TEST_DONE();
#endif
TEST_START("fuzz Ed25519 sig");
buf = load_file("ed25519_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
- &k1, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
- sig_fuzz(k1);
+ sig_fuzz(k1, NULL);
sshkey_free(k1);
TEST_DONE();
diff --git a/crypto/openssh/regress/unittests/sshkey/test_sshkey.c b/crypto/openssh/regress/unittests/sshkey/test_sshkey.c
index 9b3ce7ee43bb..1f160d1a7917 100644
--- a/crypto/openssh/regress/unittests/sshkey/test_sshkey.c
+++ b/crypto/openssh/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_sshkey.c,v 1.7 2015/08/05 05:27:33 djm Exp $ */
+/* $OpenBSD: test_sshkey.c,v 1.9 2015/12/07 02:20:46 djm Exp $ */
/*
* Regress test for sshkey.h key management API
*
@@ -52,7 +52,8 @@ put_opt(struct sshbuf *b, const char *name, const char *value)
static void
build_cert(struct sshbuf *b, const struct sshkey *k, const char *type,
- const struct sshkey *sign_key, const struct sshkey *ca_key)
+ const struct sshkey *sign_key, const struct sshkey *ca_key,
+ const char *sig_alg)
{
struct sshbuf *ca_buf, *pk, *principals, *critopts, *exts;
u_char *sigblob;
@@ -99,7 +100,7 @@ build_cert(struct sshbuf *b, const struct sshkey *k, const char *type,
ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */
ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */
ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen,
- sshbuf_ptr(b), sshbuf_len(b), 0), 0);
+ sshbuf_ptr(b), sshbuf_len(b), sig_alg, 0), 0);
ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */
free(sigblob);
@@ -111,12 +112,13 @@ build_cert(struct sshbuf *b, const struct sshkey *k, const char *type,
}
static void
-signature_test(struct sshkey *k, struct sshkey *bad, const u_char *d, size_t l)
+signature_test(struct sshkey *k, struct sshkey *bad, const char *sig_alg,
+ const u_char *d, size_t l)
{
size_t len;
u_char *sig;
- ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, 0), 0);
+ ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg, 0), 0);
ASSERT_SIZE_T_GT(len, 8);
ASSERT_PTR_NE(sig, NULL);
ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, 0), 0);
@@ -143,7 +145,7 @@ banana(u_char *s, size_t l)
}
static void
-signature_tests(struct sshkey *k, struct sshkey *bad)
+signature_tests(struct sshkey *k, struct sshkey *bad, const char *sig_alg)
{
u_char i, buf[2049];
size_t lens[] = {
@@ -155,7 +157,7 @@ signature_tests(struct sshkey *k, struct sshkey *bad)
test_subtest_info("%s key, banana length %zu",
sshkey_type(k), lens[i]);
banana(buf, lens[i]);
- signature_test(k, bad, buf, lens[i]);
+ signature_test(k, bad, sig_alg, buf, lens[i]);
}
}
@@ -166,7 +168,7 @@ get_private(const char *n)
struct sshkey *ret;
b = load_file(n);
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(b, "", n, &ret, NULL), 0);
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(b, "", &ret, NULL), 0);
sshbuf_free(b);
return ret;
}
@@ -469,7 +471,25 @@ sshkey_tests(void)
k1 = get_private("rsa_1");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2,
NULL), 0);
- signature_tests(k1, k2);
+ signature_tests(k1, k2, "ssh-rsa");
+ sshkey_free(k1);
+ sshkey_free(k2);
+ TEST_DONE();
+
+ TEST_START("sign and verify RSA-SHA256");
+ k1 = get_private("rsa_1");
+ ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2,
+ NULL), 0);
+ signature_tests(k1, k2, "rsa-sha2-256");
+ sshkey_free(k1);
+ sshkey_free(k2);
+ TEST_DONE();
+
+ TEST_START("sign and verify RSA-SHA512");
+ k1 = get_private("rsa_1");
+ ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2,
+ NULL), 0);
+ signature_tests(k1, k2, "rsa-sha2-512");
sshkey_free(k1);
sshkey_free(k2);
TEST_DONE();
@@ -478,7 +498,7 @@ sshkey_tests(void)
k1 = get_private("dsa_1");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_2.pub"), &k2,
NULL), 0);
- signature_tests(k1, k2);
+ signature_tests(k1, k2, NULL);
sshkey_free(k1);
sshkey_free(k2);
TEST_DONE();
@@ -488,7 +508,7 @@ sshkey_tests(void)
k1 = get_private("ecdsa_1");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("ecdsa_2.pub"), &k2,
NULL), 0);
- signature_tests(k1, k2);
+ signature_tests(k1, k2, NULL);
sshkey_free(k1);
sshkey_free(k2);
TEST_DONE();
@@ -498,7 +518,7 @@ sshkey_tests(void)
k1 = get_private("ed25519_1");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_2.pub"), &k2,
NULL), 0);
- signature_tests(k1, k2);
+ signature_tests(k1, k2, NULL);
sshkey_free(k1);
sshkey_free(k2);
TEST_DONE();
@@ -508,7 +528,7 @@ sshkey_tests(void)
ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
NULL), 0);
k3 = get_private("rsa_1");
- build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1);
+ build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, NULL);
ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4),
SSH_ERR_KEY_CERT_INVALID_SIGN_KEY);
ASSERT_PTR_EQ(k4, NULL);
diff --git a/crypto/openssh/roaming.h b/crypto/openssh/roaming.h
index da069f878736..e69de29bb2d1 100644
--- a/crypto/openssh/roaming.h
+++ b/crypto/openssh/roaming.h
@@ -1,45 +0,0 @@
-/* $OpenBSD: roaming.h,v 1.6 2011/12/07 05:44:38 djm Exp $ */
-/*
- * Copyright (c) 2004-2009 AppGate Network Security AB
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef ROAMING_H
-#define ROAMING_H
-
-#define DEFAULT_ROAMBUF 65536
-#define MAX_ROAMBUF (2*1024*1024) /* XXX arbitrary */
-#define ROAMING_REQUEST "roaming@appgate.com"
-
-extern int roaming_enabled;
-extern int resume_in_progress;
-
-void request_roaming(void);
-int get_snd_buf_size(void);
-int get_recv_buf_size(void);
-void add_recv_bytes(u_int64_t);
-int wait_for_roaming_reconnect(void);
-void roaming_reply(int, u_int32_t, void *);
-void set_out_buffer_size(size_t);
-ssize_t roaming_write(int, const void *, size_t, int *);
-ssize_t roaming_read(int, void *, size_t, int *);
-size_t roaming_atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
-u_int64_t get_recv_bytes(void);
-u_int64_t get_sent_bytes(void);
-void roam_set_bytes(u_int64_t, u_int64_t);
-void resend_bytes(int, u_int64_t *);
-void calculate_new_key(u_int64_t *, u_int64_t, u_int64_t);
-int resume_kex(void);
-
-#endif /* ROAMING */
diff --git a/crypto/openssh/roaming_client.c b/crypto/openssh/roaming_client.c
deleted file mode 100644
index cb1328574140..000000000000
--- a/crypto/openssh/roaming_client.c
+++ /dev/null
@@ -1,271 +0,0 @@
-/* $OpenBSD: roaming_client.c,v 1.9 2015/01/27 12:54:06 okan Exp $ */
-/*
- * Copyright (c) 2004-2009 AppGate Network Security AB
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include "openbsd-compat/sys-queue.h"
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <signal.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "channels.h"
-#include "cipher.h"
-#include "dispatch.h"
-#include "clientloop.h"
-#include "log.h"
-#include "match.h"
-#include "misc.h"
-#include "packet.h"
-#include "ssh.h"
-#include "key.h"
-#include "kex.h"
-#include "readconf.h"
-#include "roaming.h"
-#include "ssh2.h"
-#include "sshconnect.h"
-#include "digest.h"
-
-/* import */
-extern Options options;
-extern char *host;
-extern struct sockaddr_storage hostaddr;
-extern int session_resumed;
-
-static u_int32_t roaming_id;
-static u_int64_t cookie;
-static u_int64_t lastseenchall;
-static u_int64_t key1, key2, oldkey1, oldkey2;
-
-void
-roaming_reply(int type, u_int32_t seq, void *ctxt)
-{
- if (type == SSH2_MSG_REQUEST_FAILURE) {
- logit("Server denied roaming");
- return;
- }
- verbose("Roaming enabled");
- roaming_id = packet_get_int();
- cookie = packet_get_int64();
- key1 = oldkey1 = packet_get_int64();
- key2 = oldkey2 = packet_get_int64();
- set_out_buffer_size(packet_get_int() + get_snd_buf_size());
- roaming_enabled = 1;
-}
-
-void
-request_roaming(void)
-{
- packet_start(SSH2_MSG_GLOBAL_REQUEST);
- packet_put_cstring(ROAMING_REQUEST);
- packet_put_char(1);
- packet_put_int(get_recv_buf_size());
- packet_send();
- client_register_global_confirm(roaming_reply, NULL);
-}
-
-static void
-roaming_auth_required(void)
-{
- u_char digest[SSH_DIGEST_MAX_LENGTH];
- Buffer b;
- u_int64_t chall, oldchall;
-
- chall = packet_get_int64();
- oldchall = packet_get_int64();
- if (oldchall != lastseenchall) {
- key1 = oldkey1;
- key2 = oldkey2;
- }
- lastseenchall = chall;
-
- buffer_init(&b);
- buffer_put_int64(&b, cookie);
- buffer_put_int64(&b, chall);
- if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, digest, sizeof(digest)) != 0)
- fatal("%s: ssh_digest_buffer failed", __func__);
- buffer_free(&b);
-
- packet_start(SSH2_MSG_KEX_ROAMING_AUTH);
- packet_put_int64(key1 ^ get_recv_bytes());
- packet_put_raw(digest, ssh_digest_bytes(SSH_DIGEST_SHA1));
- packet_send();
-
- oldkey1 = key1;
- oldkey2 = key2;
- calculate_new_key(&key1, cookie, chall);
- calculate_new_key(&key2, cookie, chall);
-
- debug("Received %llu bytes", (unsigned long long)get_recv_bytes());
- debug("Sent roaming_auth packet");
-}
-
-int
-resume_kex(void)
-{
- /*
- * This should not happen - if the client sends the kex method
- * resume@appgate.com then the kex is done in roaming_resume().
- */
- return 1;
-}
-
-static int
-roaming_resume(void)
-{
- u_int64_t recv_bytes;
- char *str = NULL, *kexlist = NULL, *c;
- int i, type;
- int timeout_ms = options.connection_timeout * 1000;
- u_int len;
- u_int32_t rnd = 0;
-
- resume_in_progress = 1;
-
- /* Exchange banners */
- ssh_exchange_identification(timeout_ms);
- packet_set_nonblocking();
-
- /* Send a kexinit message with resume@appgate.com as only kex algo */
- packet_start(SSH2_MSG_KEXINIT);
- for (i = 0; i < KEX_COOKIE_LEN; i++) {
- if (i % 4 == 0)
- rnd = arc4random();
- packet_put_char(rnd & 0xff);
- rnd >>= 8;
- }
- packet_put_cstring(KEX_RESUME);
- for (i = 1; i < PROPOSAL_MAX; i++) {
- /* kex algorithm added so start with i=1 and not 0 */
- packet_put_cstring(""); /* Not used when we resume */
- }
- packet_put_char(1); /* first kex_packet follows */
- packet_put_int(0); /* reserved */
- packet_send();
-
- /* Assume that resume@appgate.com will be accepted */
- packet_start(SSH2_MSG_KEX_ROAMING_RESUME);
- packet_put_int(roaming_id);
- packet_send();
-
- /* Read the server's kexinit and check for resume@appgate.com */
- if ((type = packet_read()) != SSH2_MSG_KEXINIT) {
- debug("expected kexinit on resume, got %d", type);
- goto fail;
- }
- for (i = 0; i < KEX_COOKIE_LEN; i++)
- (void)packet_get_char();
- kexlist = packet_get_string(&len);
- if (!kexlist
- || (str = match_list(KEX_RESUME, kexlist, NULL)) == NULL) {
- debug("server doesn't allow resume");
- goto fail;
- }
- free(str);
- for (i = 1; i < PROPOSAL_MAX; i++) {
- /* kex algorithm taken care of so start with i=1 and not 0 */
- free(packet_get_string(&len));
- }
- i = packet_get_char(); /* first_kex_packet_follows */
- if (i && (c = strchr(kexlist, ',')))
- *c = 0;
- if (i && strcmp(kexlist, KEX_RESUME)) {
- debug("server's kex guess (%s) was wrong, skipping", kexlist);
- (void)packet_read(); /* Wrong guess - discard packet */
- }
-
- /*
- * Read the ROAMING_AUTH_REQUIRED challenge from the server and
- * send ROAMING_AUTH
- */
- if ((type = packet_read()) != SSH2_MSG_KEX_ROAMING_AUTH_REQUIRED) {
- debug("expected roaming_auth_required, got %d", type);
- goto fail;
- }
- roaming_auth_required();
-
- /* Read ROAMING_AUTH_OK from the server */
- if ((type = packet_read()) != SSH2_MSG_KEX_ROAMING_AUTH_OK) {
- debug("expected roaming_auth_ok, got %d", type);
- goto fail;
- }
- recv_bytes = packet_get_int64() ^ oldkey2;
- debug("Peer received %llu bytes", (unsigned long long)recv_bytes);
- resend_bytes(packet_get_connection_out(), &recv_bytes);
-
- resume_in_progress = 0;
-
- session_resumed = 1; /* Tell clientloop */
-
- return 0;
-
-fail:
- free(kexlist);
- if (packet_get_connection_in() == packet_get_connection_out())
- close(packet_get_connection_in());
- else {
- close(packet_get_connection_in());
- close(packet_get_connection_out());
- }
- return 1;
-}
-
-int
-wait_for_roaming_reconnect(void)
-{
- static int reenter_guard = 0;
- int timeout_ms = options.connection_timeout * 1000;
- int c;
-
- if (reenter_guard != 0)
- fatal("Server refused resume, roaming timeout may be exceeded");
- reenter_guard = 1;
-
- fprintf(stderr, "[connection suspended, press return to resume]");
- fflush(stderr);
- packet_backup_state();
- /* TODO Perhaps we should read from tty here */
- while ((c = fgetc(stdin)) != EOF) {
- if (c == 'Z' - 64) {
- kill(getpid(), SIGTSTP);
- continue;
- }
- if (c != '\n' && c != '\r')
- continue;
-
- if (ssh_connect(host, NULL, &hostaddr, options.port,
- options.address_family, 1, &timeout_ms,
- options.tcp_keep_alive, options.use_privileged_port) == 0 &&
- roaming_resume() == 0) {
- packet_restore_state();
- reenter_guard = 0;
- fprintf(stderr, "[connection resumed]\n");
- fflush(stderr);
- return 0;
- }
-
- fprintf(stderr, "[reconnect failed, press return to retry]");
- fflush(stderr);
- }
- fprintf(stderr, "[exiting]\n");
- fflush(stderr);
- exit(0);
-}
diff --git a/crypto/openssh/roaming_common.c b/crypto/openssh/roaming_common.c
deleted file mode 100644
index ea064605cec4..000000000000
--- a/crypto/openssh/roaming_common.c
+++ /dev/null
@@ -1,241 +0,0 @@
-/* $OpenBSD: roaming_common.c,v 1.13 2015/01/27 12:54:06 okan Exp $ */
-/*
- * Copyright (c) 2004-2009 AppGate Network Security AB
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "atomicio.h"
-#include "log.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "cipher.h"
-#include "buffer.h"
-#include "roaming.h"
-#include "digest.h"
-
-static size_t out_buf_size = 0;
-static char *out_buf = NULL;
-static size_t out_start;
-static size_t out_last;
-
-static u_int64_t write_bytes = 0;
-static u_int64_t read_bytes = 0;
-
-int roaming_enabled = 0;
-int resume_in_progress = 0;
-
-int
-get_snd_buf_size(void)
-{
- int fd = packet_get_connection_out();
- int optval;
- socklen_t optvallen = sizeof(optval);
-
- if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &optval, &optvallen) != 0)
- optval = DEFAULT_ROAMBUF;
- return optval;
-}
-
-int
-get_recv_buf_size(void)
-{
- int fd = packet_get_connection_in();
- int optval;
- socklen_t optvallen = sizeof(optval);
-
- if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &optval, &optvallen) != 0)
- optval = DEFAULT_ROAMBUF;
- return optval;
-}
-
-void
-set_out_buffer_size(size_t size)
-{
- if (size == 0 || size > MAX_ROAMBUF)
- fatal("%s: bad buffer size %lu", __func__, (u_long)size);
- /*
- * The buffer size can only be set once and the buffer will live
- * as long as the session lives.
- */
- if (out_buf == NULL) {
- out_buf_size = size;
- out_buf = xmalloc(size);
- out_start = 0;
- out_last = 0;
- }
-}
-
-u_int64_t
-get_recv_bytes(void)
-{
- return read_bytes;
-}
-
-void
-add_recv_bytes(u_int64_t num)
-{
- read_bytes += num;
-}
-
-u_int64_t
-get_sent_bytes(void)
-{
- return write_bytes;
-}
-
-void
-roam_set_bytes(u_int64_t sent, u_int64_t recvd)
-{
- read_bytes = recvd;
- write_bytes = sent;
-}
-
-static void
-buf_append(const char *buf, size_t count)
-{
- if (count > out_buf_size) {
- buf += count - out_buf_size;
- count = out_buf_size;
- }
- if (count < out_buf_size - out_last) {
- memcpy(out_buf + out_last, buf, count);
- if (out_start > out_last)
- out_start += count;
- out_last += count;
- } else {
- /* data will wrap */
- size_t chunk = out_buf_size - out_last;
- memcpy(out_buf + out_last, buf, chunk);
- memcpy(out_buf, buf + chunk, count - chunk);
- out_last = count - chunk;
- out_start = out_last + 1;
- }
-}
-
-ssize_t
-roaming_write(int fd, const void *buf, size_t count, int *cont)
-{
- ssize_t ret;
-
- ret = write(fd, buf, count);
- if (ret > 0 && !resume_in_progress) {
- write_bytes += ret;
- if (out_buf_size > 0)
- buf_append(buf, ret);
- }
- if (out_buf_size > 0 &&
- (ret == 0 || (ret == -1 && errno == EPIPE))) {
- if (wait_for_roaming_reconnect() != 0) {
- ret = 0;
- *cont = 1;
- } else {
- ret = -1;
- errno = EAGAIN;
- }
- }
- return ret;
-}
-
-ssize_t
-roaming_read(int fd, void *buf, size_t count, int *cont)
-{
- ssize_t ret = read(fd, buf, count);
- if (ret > 0) {
- if (!resume_in_progress) {
- read_bytes += ret;
- }
- } else if (out_buf_size > 0 &&
- (ret == 0 || (ret == -1 && (errno == ECONNRESET
- || errno == ECONNABORTED || errno == ETIMEDOUT
- || errno == EHOSTUNREACH)))) {
- debug("roaming_read failed for %d ret=%ld errno=%d",
- fd, (long)ret, errno);
- ret = 0;
- if (wait_for_roaming_reconnect() == 0)
- *cont = 1;
- }
- return ret;
-}
-
-size_t
-roaming_atomicio(ssize_t(*f)(int, void*, size_t), int fd, void *buf,
- size_t count)
-{
- size_t ret = atomicio(f, fd, buf, count);
-
- if (f == vwrite && ret > 0 && !resume_in_progress) {
- write_bytes += ret;
- } else if (f == read && ret > 0 && !resume_in_progress) {
- read_bytes += ret;
- }
- return ret;
-}
-
-void
-resend_bytes(int fd, u_int64_t *offset)
-{
- size_t available, needed;
-
- if (out_start < out_last)
- available = out_last - out_start;
- else
- available = out_buf_size;
- needed = write_bytes - *offset;
- debug3("resend_bytes: resend %lu bytes from %llu",
- (unsigned long)needed, (unsigned long long)*offset);
- if (needed > available)
- fatal("Needed to resend more data than in the cache");
- if (out_last < needed) {
- int chunkend = needed - out_last;
- atomicio(vwrite, fd, out_buf + out_buf_size - chunkend,
- chunkend);
- atomicio(vwrite, fd, out_buf, out_last);
- } else {
- atomicio(vwrite, fd, out_buf + (out_last - needed), needed);
- }
-}
-
-/*
- * Caclulate a new key after a reconnect
- */
-void
-calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge)
-{
- u_char hash[SSH_DIGEST_MAX_LENGTH];
- Buffer b;
-
- buffer_init(&b);
- buffer_put_int64(&b, *key);
- buffer_put_int64(&b, cookie);
- buffer_put_int64(&b, challenge);
-
- if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, hash, sizeof(hash)) != 0)
- fatal("%s: digest_buffer failed", __func__);
-
- buffer_clear(&b);
- buffer_append(&b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
- *key = buffer_get_int64(&b);
- buffer_free(&b);
-}
diff --git a/crypto/openssh/roaming_dummy.c b/crypto/openssh/roaming_dummy.c
deleted file mode 100644
index 837de695ddf1..000000000000
--- a/crypto/openssh/roaming_dummy.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/* $OpenBSD: roaming_dummy.c,v 1.4 2015/01/19 19:52:16 markus Exp $ */
-/*
- * Copyright (c) 2004-2009 AppGate Network Security AB
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * This file is included in the client programs which should not
- * support roaming.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <unistd.h>
-
-#include "roaming.h"
-
-int resume_in_progress = 0;
-
-u_int64_t
-get_recv_bytes(void)
-{
- return 0;
-}
-
-u_int64_t
-get_sent_bytes(void)
-{
- return 0;
-}
-
-void
-roam_set_bytes(u_int64_t sent, u_int64_t recvd)
-{
-}
-
-ssize_t
-roaming_write(int fd, const void *buf, size_t count, int *cont)
-{
- return write(fd, buf, count);
-}
-
-ssize_t
-roaming_read(int fd, void *buf, size_t count, int *cont)
-{
- if (cont)
- *cont = 0;
- return read(fd, buf, count);
-}
-
-void
-add_recv_bytes(u_int64_t num)
-{
-}
-
-int
-resume_kex(void)
-{
- return 1;
-}
diff --git a/crypto/openssh/roaming_serv.c b/crypto/openssh/roaming_serv.c
deleted file mode 100644
index 511ca846101b..000000000000
--- a/crypto/openssh/roaming_serv.c
+++ /dev/null
@@ -1,31 +0,0 @@
-/* $OpenBSD: roaming_serv.c,v 1.1 2009/10/24 11:18:23 andreas Exp $ */
-/*
- * Copyright (c) 2004-2009 AppGate Network Security AB
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include "roaming.h"
-
-/*
- * Wait for the roaming client to reconnect. Returns 0 if a connect ocurred.
- */
-int
-wait_for_roaming_reconnect(void)
-{
- return 1;
-}
diff --git a/crypto/openssh/sandbox-pledge.c b/crypto/openssh/sandbox-pledge.c
new file mode 100644
index 000000000000..d28fc27274e2
--- /dev/null
+++ b/crypto/openssh/sandbox-pledge.c
@@ -0,0 +1,77 @@
+/* $OpenBSD: sandbox-pledge.c,v 1.1 2015/10/09 01:37:08 deraadt Exp $ */
+/*
+ * Copyright (c) 2015 Theo de Raadt <deraadt@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_PLEDGE
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/syscall.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <pwd.h>
+
+#include "log.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+struct ssh_sandbox {
+ pid_t child_pid;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(struct monitor *m)
+{
+ struct ssh_sandbox *box;
+
+ debug3("%s: preparing pledge sandbox", __func__);
+ box = xcalloc(1, sizeof(*box));
+ box->child_pid = 0;
+
+ return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+ if (pledge("stdio", NULL) == -1)
+ fatal("%s: pledge()", __func__);
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+ free(box);
+ debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+ box->child_pid = child_pid;
+ /* Nothing to do here */
+}
+
+#endif /* SANDBOX_PLEDGE */
diff --git a/crypto/openssh/sandbox-seccomp-filter.c b/crypto/openssh/sandbox-seccomp-filter.c
index 2462bcc88f32..d132e26460de 100644
--- a/crypto/openssh/sandbox-seccomp-filter.c
+++ b/crypto/openssh/sandbox-seccomp-filter.c
@@ -147,6 +147,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_getpid
SC_ALLOW(getpid),
#endif
+#ifdef __NR_getrandom
+ SC_ALLOW(getrandom),
+#endif
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif
diff --git a/crypto/openssh/sandbox-solaris.c b/crypto/openssh/sandbox-solaris.c
new file mode 100644
index 000000000000..343a01022850
--- /dev/null
+++ b/crypto/openssh/sandbox-solaris.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2015 Joyent, Inc
+ * Author: Alex Wilson <alex.wilson@joyent.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_SOLARIS
+#ifndef USE_SOLARIS_PRIVS
+# error "--with-solaris-privs must be used with the Solaris sandbox"
+#endif
+
+#include <sys/types.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#ifdef HAVE_PRIV_H
+# include <priv.h>
+#endif
+
+#include "log.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+struct ssh_sandbox {
+ priv_set_t *pset;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(struct monitor *monitor)
+{
+ struct ssh_sandbox *box = NULL;
+
+ box = xcalloc(1, sizeof(*box));
+
+ /* Start with "basic" and drop everything we don't need. */
+ box->pset = solaris_basic_privset();
+
+ if (box->pset == NULL) {
+ free(box);
+ return NULL;
+ }
+
+ /* Drop everything except the ability to use already-opened files */
+ if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
+ priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||
+#endif
+ priv_delset(box->pset, PRIV_PROC_EXEC) != 0 ||
+ priv_delset(box->pset, PRIV_PROC_FORK) != 0 ||
+ priv_delset(box->pset, PRIV_PROC_INFO) != 0 ||
+ priv_delset(box->pset, PRIV_PROC_SESSION) != 0) {
+ free(box);
+ return NULL;
+ }
+
+ /* These may not be available on older Solaris-es */
+# if defined(PRIV_FILE_READ) && defined(PRIV_FILE_WRITE)
+ if (priv_delset(box->pset, PRIV_FILE_READ) != 0 ||
+ priv_delset(box->pset, PRIV_FILE_WRITE) != 0) {
+ free(box);
+ return NULL;
+ }
+# endif
+
+ return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+ if (setppriv(PRIV_SET, PRIV_PERMITTED, box->pset) != 0 ||
+ setppriv(PRIV_SET, PRIV_LIMIT, box->pset) != 0 ||
+ setppriv(PRIV_SET, PRIV_INHERITABLE, box->pset) != 0)
+ fatal("setppriv: %s", strerror(errno));
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+ priv_freeset(box->pset);
+ box->pset = NULL;
+ free(box);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+ /* Nothing to do here */
+}
+
+#endif /* SANDBOX_SOLARIS */
diff --git a/crypto/openssh/sandbox-systrace.c b/crypto/openssh/sandbox-systrace.c
index 3830ed16c63e..b4d8d04cae3a 100644
--- a/crypto/openssh/sandbox-systrace.c
+++ b/crypto/openssh/sandbox-systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sandbox-systrace.c,v 1.17 2015/07/27 16:29:23 guenther Exp $ */
+/* $OpenBSD: sandbox-systrace.c,v 1.18 2015/10/02 01:39:26 deraadt Exp $ */
/*
* Copyright (c) 2011 Damien Miller <djm@mindrot.org>
*
@@ -50,9 +50,17 @@ struct sandbox_policy {
/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
static const struct sandbox_policy preauth_policy[] = {
- { SYS_clock_gettime, SYSTR_POLICY_PERMIT },
- { SYS_close, SYSTR_POLICY_PERMIT },
{ SYS_exit, SYSTR_POLICY_PERMIT },
+#ifdef SYS_kbind
+ { SYS_kbind, SYSTR_POLICY_PERMIT },
+#endif
+
+ { SYS_getpid, SYSTR_POLICY_PERMIT },
+ { SYS_getpgid, SYSTR_POLICY_PERMIT },
+ { SYS_clock_gettime, SYSTR_POLICY_PERMIT },
+ { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
+ { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
+
#ifdef SYS_getentropy
/* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */
{ SYS_getentropy, SYSTR_POLICY_PERMIT },
@@ -60,27 +68,25 @@ static const struct sandbox_policy preauth_policy[] = {
/* Previous releases used sysctl(3)'s kern.arnd variable. */
{ SYS___sysctl, SYSTR_POLICY_PERMIT },
#endif
- { SYS_getpid, SYSTR_POLICY_PERMIT },
- { SYS_getpgid, SYSTR_POLICY_PERMIT },
- { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
-#ifdef SYS_kbind
- { SYS_kbind, SYSTR_POLICY_PERMIT },
+#ifdef SYS_sendsyslog
+ { SYS_sendsyslog, SYSTR_POLICY_PERMIT },
#endif
+
{ SYS_madvise, SYSTR_POLICY_PERMIT },
{ SYS_mmap, SYSTR_POLICY_PERMIT },
{ SYS_mprotect, SYSTR_POLICY_PERMIT },
{ SYS_mquery, SYSTR_POLICY_PERMIT },
{ SYS_munmap, SYSTR_POLICY_PERMIT },
- { SYS_open, SYSTR_POLICY_NEVER },
+
{ SYS_poll, SYSTR_POLICY_PERMIT },
- { SYS_read, SYSTR_POLICY_PERMIT },
{ SYS_select, SYSTR_POLICY_PERMIT },
-#ifdef SYS_sendsyslog
- { SYS_sendsyslog, SYSTR_POLICY_PERMIT },
-#endif
- { SYS_shutdown, SYSTR_POLICY_PERMIT },
- { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
+ { SYS_read, SYSTR_POLICY_PERMIT },
{ SYS_write, SYSTR_POLICY_PERMIT },
+ { SYS_shutdown, SYSTR_POLICY_PERMIT },
+ { SYS_close, SYSTR_POLICY_PERMIT },
+
+ { SYS_open, SYSTR_POLICY_NEVER },
+
{ -1, -1 }
};
diff --git a/crypto/openssh/scp.1 b/crypto/openssh/scp.1
index 279b0d70b7be..54ea352ce1ae 100644
--- a/crypto/openssh/scp.1
+++ b/crypto/openssh/scp.1
@@ -8,9 +8,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.67 2015/07/10 06:21:53 markus Exp $
+.\" $OpenBSD: scp.1,v 1.68 2015/09/25 18:19:54 jmc Exp $
.\"
-.Dd $Mdocdate: July 10 2015 $
+.Dd $Mdocdate: September 25 2015 $
.Dt SCP 1
.Os
.Sh NAME
@@ -133,6 +133,7 @@ For full details of the options listed below, and their possible values, see
.It CanonicalizeHostname
.It CanonicalizeMaxDots
.It CanonicalizePermittedCNAMEs
+.It CertificateFile
.It ChallengeResponseAuthentication
.It CheckHostIP
.It Cipher
diff --git a/crypto/openssh/scp.c b/crypto/openssh/scp.c
index 593fe89bded2..0bdd7cb0b29d 100644
--- a/crypto/openssh/scp.c
+++ b/crypto/openssh/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.182 2015/04/24 01:36:00 deraadt Exp $ */
+/* $OpenBSD: scp.c,v 1.184 2015/11/27 00:49:31 deraadt Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -484,6 +484,16 @@ main(int argc, char **argv)
if (!isatty(STDOUT_FILENO))
showprogress = 0;
+ if (pflag) {
+ /* Cannot pledge: -p allows setuid/setgid files... */
+ } else {
+ if (pledge("stdio rpath wpath cpath fattr tty proc exec",
+ NULL) == -1) {
+ perror("pledge");
+ exit(1);
+ }
+ }
+
remin = STDIN_FILENO;
remout = STDOUT_FILENO;
@@ -866,7 +876,7 @@ rsource(char *name, struct stat *statp)
return;
}
last = strrchr(name, '/');
- if (last == 0)
+ if (last == NULL)
last = name;
else
last++;
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 6f5c07d7a559..e1e6903eb463 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */
+/* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -180,6 +180,20 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
+static void
+assemble_algorithms(ServerOptions *o)
+{
+ if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
+ kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
+ kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &o->hostkeyalgorithms) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &o->hostbased_key_types) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
+ fatal("kex_assemble_names failed");
+}
+
void
fill_default_server_options(ServerOptions *options)
{
@@ -263,8 +277,6 @@ fill_default_server_options(ServerOptions *options)
options->hostbased_authentication = 0;
if (options->hostbased_uses_name_from_packet_only == -1)
options->hostbased_uses_name_from_packet_only = 0;
- if (options->hostkeyalgorithms == NULL)
- options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
if (options->rsa_authentication == -1)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
@@ -346,16 +358,9 @@ fill_default_server_options(ServerOptions *options)
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
- kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
- kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
- &options->hostbased_key_types) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
- &options->pubkey_key_types) != 0)
- fatal("%s: kex_assemble_names failed", __func__);
+ assemble_algorithms(options);
- /* Turn privilege separation on by default */
+ /* Turn privilege separation and sandboxing on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_ON;
@@ -372,6 +377,8 @@ fill_default_server_options(ServerOptions *options)
CLEAR_ON_NONE(options->trusted_user_ca_keys);
CLEAR_ON_NONE(options->revoked_keys_file);
CLEAR_ON_NONE(options->authorized_principals_file);
+ CLEAR_ON_NONE(options->adm_forced_command);
+ CLEAR_ON_NONE(options->chroot_directory);
for (i = 0; i < options->num_host_key_files; i++)
CLEAR_ON_NONE(options->host_key_files[i]);
for (i = 0; i < options->num_host_cert_files; i++)
@@ -503,7 +510,11 @@ static struct {
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
+#ifdef DISABLE_LASTLOG
+ { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
+#else
{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
+#endif
{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
@@ -1327,16 +1338,12 @@ process_server_config_line(ServerOptions *options, char *line,
if (scan_scaled(arg, &val64) == -1)
fatal("%.200s line %d: Bad number '%s': %s",
filename, linenum, arg, strerror(errno));
- /* check for too-large or too-small limits */
- if (val64 > UINT_MAX)
- fatal("%.200s line %d: RekeyLimit too large",
- filename, linenum);
if (val64 != 0 && val64 < 16)
fatal("%.200s line %d: RekeyLimit too small",
filename, linenum);
}
if (*activep && options->rekey_limit == -1)
- options->rekey_limit = (u_int32_t)val64;
+ options->rekey_limit = val64;
if (cp != NULL) { /* optional rekey interval present */
if (strcmp(cp, "none") == 0) {
(void)strdelim(&cp); /* discard */
@@ -2023,6 +2030,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
/* See comment in servconf.h */
COPY_MATCH_STRING_OPTS();
+ /* Arguments that accept '+...' need to be expanded */
+ assemble_algorithms(dst);
+
/*
* The only things that should be below this point are string options
* which are only used after authentication.
@@ -2030,8 +2040,17 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
if (preauth)
return;
+ /* These options may be "none" to clear a global setting */
M_CP_STROPT(adm_forced_command);
+ if (option_clear_or_none(dst->adm_forced_command)) {
+ free(dst->adm_forced_command);
+ dst->adm_forced_command = NULL;
+ }
M_CP_STROPT(chroot_directory);
+ if (option_clear_or_none(dst->chroot_directory)) {
+ free(dst->chroot_directory);
+ dst->chroot_directory = NULL;
+ }
}
#undef M_CP_INTOPT
@@ -2262,7 +2281,9 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sChallengeResponseAuthentication,
o->challenge_response_authentication);
dump_cfg_fmtint(sPrintMotd, o->print_motd);
+#ifndef DISABLE_LASTLOG
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
+#endif
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
dump_cfg_fmtint(sPermitTTY, o->permit_tty);
@@ -2346,7 +2367,7 @@ dump_config(ServerOptions *o)
printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
printf("%s\n", iptos2str(o->ip_qos_bulk));
- printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
+ printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
o->rekey_interval);
channel_print_adm_permitted_opens();
diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c
index 306ac36be670..80d1db5490bc 100644
--- a/crypto/openssh/serverloop.c
+++ b/crypto/openssh/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.178 2015/02/20 22:17:21 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.182 2016/02/08 10:57:07 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -78,7 +78,6 @@
#include "dispatch.h"
#include "auth-options.h"
#include "serverloop.h"
-#include "roaming.h"
#include "ssherr.h"
extern ServerOptions options;
@@ -399,11 +398,8 @@ process_input(fd_set *readset)
/* Read and buffer any input data from the client. */
if (FD_ISSET(connection_in, readset)) {
- int cont = 0;
- len = roaming_read(connection_in, buf, sizeof(buf), &cont);
+ len = read(connection_in, buf, sizeof(buf));
if (len == 0) {
- if (cont)
- return;
verbose("Connection closed by %.100s",
get_remote_ipaddr());
connection_closed = 1;
@@ -824,7 +820,7 @@ void
server_loop2(Authctxt *authctxt)
{
fd_set *readset = NULL, *writeset = NULL;
- int rekeying = 0, max_fd;
+ int max_fd;
u_int nalloc = 0;
u_int64_t rekey_timeout_ms = 0;
@@ -851,11 +847,11 @@ server_loop2(Authctxt *authctxt)
for (;;) {
process_buffered_input_packets();
- rekeying = (active_state->kex != NULL && !active_state->kex->done);
-
- if (!rekeying && packet_not_very_much_data_to_write())
+ if (!ssh_packet_is_rekeying(active_state) &&
+ packet_not_very_much_data_to_write())
channel_output_poll();
- if (options.rekey_interval > 0 && compat20 && !rekeying)
+ if (options.rekey_interval > 0 && compat20 &&
+ !ssh_packet_is_rekeying(active_state))
rekey_timeout_ms = packet_get_rekey_timeout() * 1000;
else
rekey_timeout_ms = 0;
@@ -870,14 +866,8 @@ server_loop2(Authctxt *authctxt)
}
collect_children();
- if (!rekeying) {
+ if (!ssh_packet_is_rekeying(active_state))
channel_after_select(readset, writeset);
- if (packet_need_rekeying()) {
- debug("need rekeying");
- active_state->kex->done = 0;
- kex_send_kexinit(active_state);
- }
- }
process_input(readset);
if (connection_closed)
break;
@@ -1201,7 +1191,7 @@ server_input_hostkeys_prove(struct sshbuf **respp)
ssh->kex->session_id, ssh->kex->session_id_len)) != 0 ||
(r = sshkey_puts(key, sigbuf)) != 0 ||
(r = ssh->kex->sign(key_prv, key_pub, &sig, &slen,
- sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), 0)) != 0 ||
+ sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), NULL, 0)) != 0 ||
(r = sshbuf_put_string(resp, sig, slen)) != 0) {
error("%s: couldn't prepare signature: %s",
__func__, ssh_err(r));
@@ -1265,7 +1255,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
free(fwd.listen_host);
if ((resp = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new", __func__);
- if ((r = sshbuf_put_u32(resp, allocated_listen_port)) != 0)
+ if (allocated_listen_port != 0 &&
+ (r = sshbuf_put_u32(resp, allocated_listen_port)) != 0)
fatal("%s: sshbuf_put_u32: %s", __func__, ssh_err(r));
} else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
struct Forward fwd;
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index d99576b41b67..b3ce83ce7ae2 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.278 2015/04/24 01:36:00 deraadt Exp $ */
+/* $OpenBSD: session.c,v 1.280 2016/02/16 03:37:48 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -47,6 +47,7 @@ __RCSID("$FreeBSD$");
#include <arpa/inet.h>
+#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
@@ -161,6 +162,7 @@ login_cap_t *lc;
#endif
static int is_child = 0;
+static int in_chroot = 0;
/* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL;
@@ -274,6 +276,21 @@ do_authenticated(Authctxt *authctxt)
do_cleanup(authctxt);
}
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+ size_t i;
+
+ for (i = 0; s[i] != '\0'; i++) {
+ if (!isalnum((u_char)s[i]) &&
+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+ s[i] != '-' && s[i] != '_')
+ return 0;
+ }
+ return 1;
+}
+
/*
* Prepares for an interactive session. This is called after the user has
* been successfully authenticated. During this message exchange, pseudo
@@ -347,7 +364,13 @@ do_authenticated1(Authctxt *authctxt)
s->screen = 0;
}
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);
@@ -779,8 +802,8 @@ int
do_exec(Session *s, const char *command)
{
int ret;
- const char *forced = NULL;
- char session_type[1024], *tty = NULL;
+ const char *forced = NULL, *tty = NULL;
+ char session_type[1024];
if (options.adm_forced_command) {
original_command = command;
@@ -815,13 +838,14 @@ do_exec(Session *s, const char *command)
tty += 5;
}
- verbose("Starting session: %s%s%s for %s from %.200s port %d",
+ verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type,
tty == NULL ? "" : " on ",
tty == NULL ? "" : tty,
s->pw->pw_name,
get_remote_ipaddr(),
- get_remote_port());
+ get_remote_port(),
+ s->self);
#ifdef SSH_AUDIT_EVENTS
if (command != NULL)
@@ -1502,9 +1526,6 @@ void
do_setusercontext(struct passwd *pw)
{
char *chroot_path, *tmp;
-#ifdef USE_LIBIAF
- int doing_chroot = 0;
-#endif
platform_setusercontext(pw);
@@ -1532,7 +1553,7 @@ do_setusercontext(struct passwd *pw)
platform_setusercontext_post_groups(pw);
- if (options.chroot_directory != NULL &&
+ if (!in_chroot && options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
tmp = tilde_expand_filename(options.chroot_directory,
pw->pw_uid);
@@ -1544,9 +1565,7 @@ do_setusercontext(struct passwd *pw)
/* Make sure we don't attempt to chroot again */
free(options.chroot_directory);
options.chroot_directory = NULL;
-#ifdef USE_LIBIAF
- doing_chroot = 1;
-#endif
+ in_chroot = 1;
}
#ifdef HAVE_LOGIN_CAP
@@ -1561,16 +1580,16 @@ do_setusercontext(struct passwd *pw)
(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);
#else
# ifdef USE_LIBIAF
-/* In a chroot environment, the set_id() will always fail; typically
- * because of the lack of necessary authentication services and runtime
- * such as ./usr/lib/libiaf.so, ./usr/lib/libpam.so.1, and ./etc/passwd
- * We skip it in the internal sftp chroot case.
- * We'll lose auditing and ACLs but permanently_set_uid will
- * take care of the rest.
- */
- if ((doing_chroot == 0) && set_id(pw->pw_name) != 0) {
- fatal("set_id(%s) Failed", pw->pw_name);
- }
+ /*
+ * In a chroot environment, the set_id() will always fail;
+ * typically because of the lack of necessary authentication
+ * services and runtime such as ./usr/lib/libiaf.so,
+ * ./usr/lib/libpam.so.1, and ./etc/passwd We skip it in the
+ * internal sftp chroot case. We'll lose auditing and ACLs but
+ * permanently_set_uid will take care of the rest.
+ */
+ if (!in_chroot && set_id(pw->pw_name) != 0)
+ fatal("set_id(%s) Failed", pw->pw_name);
# endif /* USE_LIBIAF */
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
@@ -1802,11 +1821,11 @@ do_child(Session *s, const char *command)
#ifdef HAVE_LOGIN_CAP
r = login_getcapbool(lc, "requirehome", 0);
#endif
- if (r || options.chroot_directory == NULL ||
- strcasecmp(options.chroot_directory, "none") == 0)
+ if (r || !in_chroot) {
fprintf(stderr, "Could not chdir to home "
"directory %s: %s\n", pw->pw_dir,
strerror(errno));
+ }
if (r)
exit(1);
}
@@ -2193,7 +2212,13 @@ session_x11_req(Session *s)
s->screen = packet_get_int();
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);
@@ -2515,7 +2540,12 @@ session_close(Session *s)
{
u_int i;
- debug("session_close: session %d pid %ld", s->self, (long)s->pid);
+ verbose("Close session: user %s from %.200s port %d id %d",
+ s->pw->pw_name,
+ get_remote_ipaddr(),
+ get_remote_port(),
+ s->self);
+
if (s->ttyfd != -1)
session_pty_cleanup(s);
free(s->term);
diff --git a/crypto/openssh/sftp-client.c b/crypto/openssh/sftp-client.c
index 5dbeb47c0624..d49bfaabac90 100644
--- a/crypto/openssh/sftp-client.c
+++ b/crypto/openssh/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.120 2015/05/28 04:50:53 djm Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.121 2016/02/11 02:21:34 djm Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@@ -1760,7 +1760,7 @@ do_upload(struct sftp_conn *conn, const char *local_path,
if (fsync_flag)
(void)do_fsync(conn, handle, handle_len);
- if (do_close(conn, handle, handle_len) != SSH2_FX_OK)
+ if (do_close(conn, handle, handle_len) != 0)
status = SSH2_FX_FAILURE;
free(handle);
@@ -1773,12 +1773,11 @@ upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
int depth, int preserve_flag, int print_flag, int resume, int fsync_flag)
{
int ret = 0;
- u_int status;
DIR *dirp;
struct dirent *dp;
char *filename, *new_src, *new_dst;
struct stat sb;
- Attrib a;
+ Attrib a, *dirattrib;
if (depth >= MAX_DIR_DEPTH) {
error("Maximum directory depth exceeded: %d levels", depth);
@@ -1805,17 +1804,18 @@ upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
if (!preserve_flag)
a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME;
- status = do_mkdir(conn, dst, &a, 0);
/*
- * we lack a portable status for errno EEXIST,
- * so if we get a SSH2_FX_FAILURE back we must check
- * if it was created successfully.
+ * sftp lacks a portable status value to match errno EEXIST,
+ * so if we get a failure back then we must check whether
+ * the path already existed and is a directory.
*/
- if (status != SSH2_FX_OK) {
- if (status != SSH2_FX_FAILURE)
+ if (do_mkdir(conn, dst, &a, 0) != 0) {
+ if ((dirattrib = do_stat(conn, dst, 0)) == NULL)
return -1;
- if (do_stat(conn, dst, 0) == NULL)
+ if (!S_ISDIR(dirattrib->perm)) {
+ error("\"%s\" exists but is not a directory", dst);
return -1;
+ }
}
if ((dirp = opendir(src)) == NULL) {
diff --git a/crypto/openssh/sftp-client.h b/crypto/openssh/sftp-client.h
index f814b07d6c88..14a3b8182c49 100644
--- a/crypto/openssh/sftp-client.h
+++ b/crypto/openssh/sftp-client.h
@@ -21,6 +21,12 @@
#ifndef _SFTP_CLIENT_H
#define _SFTP_CLIENT_H
+#ifdef USE_SYSTEM_GLOB
+# include <glob.h>
+#else
+# include "openbsd-compat/glob.h"
+#endif
+
typedef struct SFTP_DIRENT SFTP_DIRENT;
struct SFTP_DIRENT {
diff --git a/crypto/openssh/sftp-server-main.c b/crypto/openssh/sftp-server-main.c
index 7e644ab8982b..c6ccd623eab9 100644
--- a/crypto/openssh/sftp-server-main.c
+++ b/crypto/openssh/sftp-server-main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server-main.c,v 1.4 2009/02/21 19:32:04 tobias Exp $ */
+/* $OpenBSD: sftp-server-main.c,v 1.5 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Copyright (c) 2008 Markus Friedl. All rights reserved.
*
@@ -26,6 +26,7 @@
#include "log.h"
#include "sftp.h"
#include "misc.h"
+#include "xmalloc.h"
void
cleanup_exit(int i)
@@ -38,6 +39,7 @@ main(int argc, char **argv)
{
struct passwd *user_pw;
+ ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
diff --git a/crypto/openssh/sftp-server.c b/crypto/openssh/sftp-server.c
index eac11d7e695d..e11a1b89bdb6 100644
--- a/crypto/openssh/sftp-server.c
+++ b/crypto/openssh/sftp-server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.107 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.109 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
*
@@ -1513,6 +1513,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
extern char *optarg;
extern char *__progname;
+ ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
@@ -1598,6 +1599,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
fatal("unable to make the process undumpable");
#endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */
+ /* Drop any fine-grained privileges we don't need */
+ platform_pledge_sftp_server();
+
if ((cp = getenv("SSH_CONNECTION")) != NULL) {
client_addr = xstrdup(cp);
if ((cp = strchr(client_addr, ' ')) == NULL) {
@@ -1631,9 +1635,8 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
if ((oqueue = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
- set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask);
- rset = xmalloc(set_size);
- wset = xmalloc(set_size);
+ rset = xcalloc(howmany(max + 1, NFDBITS), sizeof(fd_mask));
+ wset = xcalloc(howmany(max + 1, NFDBITS), sizeof(fd_mask));
if (homedir != NULL) {
if (chdir(homedir) != 0) {
@@ -1642,6 +1645,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
}
}
+ set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask);
for (;;) {
memset(rset, 0, set_size);
memset(wset, 0, set_size);
diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1
index 214f0118c0bb..edc5a85e6be5 100644
--- a/crypto/openssh/sftp.1
+++ b/crypto/openssh/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.101 2015/01/30 11:43:14 djm Exp $
+.\" $OpenBSD: sftp.1,v 1.102 2015/09/25 18:19:54 jmc Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: January 30 2015 $
+.Dd $Mdocdate: September 25 2015 $
.Dt SFTP 1
.Os
.Sh NAME
@@ -198,6 +198,7 @@ For full details of the options listed below, and their possible values, see
.It CanonicalizeHostname
.It CanonicalizeMaxDots
.It CanonicalizePermittedCNAMEs
+.It CertificateFile
.It ChallengeResponseAuthentication
.It CheckHostIP
.It Cipher
diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c
index 788601a8d7fd..2077219fa4e8 100644
--- a/crypto/openssh/sftp.c
+++ b/crypto/openssh/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.171 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: sftp.c,v 1.172 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@@ -2248,6 +2248,7 @@ main(int argc, char **argv)
size_t num_requests = DEFAULT_NUM_REQUESTS;
long long limit_kbps = 0;
+ ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
setlocale(LC_CTYPE, "");
diff --git a/crypto/openssh/ssh-add.c b/crypto/openssh/ssh-add.c
index d6271d78ef79..fb9a53e64cfe 100644
--- a/crypto/openssh/ssh-add.c
+++ b/crypto/openssh/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.123 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.128 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -93,7 +93,7 @@ static int lifetime = 0;
/* User has to confirm key use */
static int confirm = 0;
-/* we keep a cache of one passphrases */
+/* we keep a cache of one passphrase */
static char *pass = NULL;
static void
clear_pass(void)
@@ -150,10 +150,8 @@ delete_file(int agent_fd, const char *filename, int key_only)
certpath, ssh_err(r));
out:
- if (cert != NULL)
- sshkey_free(cert);
- if (public != NULL)
- sshkey_free(public);
+ sshkey_free(cert);
+ sshkey_free(public);
free(certpath);
free(comment);
@@ -218,35 +216,32 @@ add_file(int agent_fd, const char *filename, int key_only)
close(fd);
/* At first, try empty passphrase */
- if ((r = sshkey_parse_private_fileblob(keyblob, "", filename,
- &private, &comment)) != 0 && r != SSH_ERR_KEY_WRONG_PASSPHRASE) {
+ if ((r = sshkey_parse_private_fileblob(keyblob, "", &private,
+ &comment)) != 0 && r != SSH_ERR_KEY_WRONG_PASSPHRASE) {
fprintf(stderr, "Error loading key \"%s\": %s\n",
filename, ssh_err(r));
goto fail_load;
}
/* try last */
if (private == NULL && pass != NULL) {
- if ((r = sshkey_parse_private_fileblob(keyblob, pass, filename,
- &private, &comment)) != 0 &&
- r != SSH_ERR_KEY_WRONG_PASSPHRASE) {
+ if ((r = sshkey_parse_private_fileblob(keyblob, pass, &private,
+ &comment)) != 0 && r != SSH_ERR_KEY_WRONG_PASSPHRASE) {
fprintf(stderr, "Error loading key \"%s\": %s\n",
filename, ssh_err(r));
goto fail_load;
}
}
- if (comment == NULL)
- comment = xstrdup(filename);
if (private == NULL) {
/* clear passphrase since it did not work */
clear_pass();
- snprintf(msg, sizeof msg, "Enter passphrase for %.200s%s: ",
- comment, confirm ? " (will confirm each use)" : "");
+ snprintf(msg, sizeof msg, "Enter passphrase for %s%s: ",
+ filename, confirm ? " (will confirm each use)" : "");
for (;;) {
pass = read_passphrase(msg, RP_ALLOW_STDIN);
if (strcmp(pass, "") == 0)
goto fail_load;
if ((r = sshkey_parse_private_fileblob(keyblob, pass,
- filename, &private, NULL)) == 0)
+ &private, &comment)) == 0)
break;
else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) {
fprintf(stderr,
@@ -254,16 +249,17 @@ add_file(int agent_fd, const char *filename, int key_only)
filename, ssh_err(r));
fail_load:
clear_pass();
- free(comment);
sshbuf_free(keyblob);
return -1;
}
clear_pass();
snprintf(msg, sizeof msg,
- "Bad passphrase, try again for %.200s%s: ", comment,
+ "Bad passphrase, try again for %s%s: ", filename,
confirm ? " (will confirm each use)" : "");
}
}
+ if (comment == NULL || *comment == '\0')
+ comment = xstrdup(filename);
sshbuf_free(keyblob);
if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
@@ -386,7 +382,7 @@ list_identities(int agent_fd, int do_fp)
if (do_fp) {
fp = sshkey_fingerprint(idlist->keys[i],
fingerprint_hash, SSH_FP_DEFAULT);
- printf("%d %s %s (%s)\n",
+ printf("%u %s %s (%s)\n",
sshkey_size(idlist->keys[i]),
fp == NULL ? "(null)" : fp,
idlist->comments[i],
@@ -485,6 +481,7 @@ main(int argc, char **argv)
int r, i, ch, deleting = 0, ret = 0, key_only = 0;
int xflag = 0, lflag = 0, Dflag = 0;
+ ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
index b5e6b0e5a897..b8cd0c554b35 100644
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.59 2015/04/24 06:26:49 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $
.\" $FreeBSD$
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: April 24 2015 $
+.Dd $Mdocdate: November 15 2015 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@@ -44,7 +44,7 @@
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
-.Op Fl Ddx
+.Op Fl \&Ddx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
@@ -67,6 +67,13 @@ machines using
.Pp
The agent initially does not have any private keys.
Keys are added using
+.Xr ssh 1
+(see
+.Cm AddKeysToAgent
+in
+.Xr ssh_config 5
+for details)
+or
.Xr ssh-add 1 .
Multiple identities may be stored in
.Nm
@@ -133,7 +140,7 @@ Without this option the default maximum lifetime is forever.
Exit after the last client has disconnected.
.El
.Pp
-If a commandline is given, this is executed as a subprocess of the agent.
+If a command line is given, this is executed as a subprocess of the agent.
When the command dies, so does the agent.
.Pp
The idea is that the agent is run in the user's local PC, laptop, or
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index 52293db6c0ba..8113022ec723 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.204 2015/07/08 20:24:02 markus Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.212 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -388,6 +388,18 @@ process_authentication_challenge1(SocketEntry *e)
}
#endif
+static char *
+agent_decode_alg(struct sshkey *key, u_int flags)
+{
+ if (key->type == KEY_RSA) {
+ if (flags & SSH_AGENT_RSA_SHA2_256)
+ return "rsa-sha2-256";
+ else if (flags & SSH_AGENT_RSA_SHA2_512)
+ return "rsa-sha2-512";
+ }
+ return NULL;
+}
+
/* ssh2 only */
static void
process_sign_request2(SocketEntry *e)
@@ -409,7 +421,7 @@ process_sign_request2(SocketEntry *e)
if (flags & SSH_AGENT_OLD_SIGNATURE)
compat = SSH_BUG_SIGBLOB;
if ((r = sshkey_from_blob(blob, blen, &key)) != 0) {
- error("%s: cannot parse key blob: %s", __func__, ssh_err(ok));
+ error("%s: cannot parse key blob: %s", __func__, ssh_err(r));
goto send;
}
if ((id = lookup_identity(key, 2)) == NULL) {
@@ -421,8 +433,8 @@ process_sign_request2(SocketEntry *e)
goto send;
}
if ((r = sshkey_sign(id->key, &signature, &slen,
- data, dlen, compat)) != 0) {
- error("%s: sshkey_sign: %s", __func__, ssh_err(ok));
+ data, dlen, agent_decode_alg(key, flags), compat)) != 0) {
+ error("%s: sshkey_sign: %s", __func__, ssh_err(r));
goto send;
}
/* Success */
@@ -1213,6 +1225,7 @@ main(int ac, char **av)
size_t len;
mode_t prev_mask;
+ ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@@ -1359,6 +1372,7 @@ main(int ac, char **av)
printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
SSH_AUTHSOCKET_ENV_NAME);
printf("echo Agent pid %ld;\n", (long)parent_pid);
+ fflush(stdout);
goto skip;
}
pid = fork();
@@ -1431,6 +1445,10 @@ skip:
signal(SIGTERM, cleanup_handler);
nalloc = 0;
+ if (pledge("stdio cpath unix id proc exec", NULL) == -1)
+ fatal("%s: pledge: %s", __progname, strerror(errno));
+ platform_pledge_agent();
+
while (1) {
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
diff --git a/crypto/openssh/ssh-dss.c b/crypto/openssh/ssh-dss.c
index 8ed19d84977f..cc47dcf5f14f 100644
--- a/crypto/openssh/ssh-dss.c
+++ b/crypto/openssh/ssh-dss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-dss.c,v 1.32 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: ssh-dss.c,v 1.34 2015/12/11 04:21:12 mmcc Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -122,8 +122,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
explicit_bzero(digest, sizeof(digest));
if (sig != NULL)
DSA_SIG_free(sig);
- if (b != NULL)
- sshbuf_free(b);
+ sshbuf_free(b);
return ret;
}
@@ -209,10 +208,8 @@ ssh_dss_verify(const struct sshkey *key,
explicit_bzero(digest, sizeof(digest));
if (sig != NULL)
DSA_SIG_free(sig);
- if (b != NULL)
- sshbuf_free(b);
- if (ktype != NULL)
- free(ktype);
+ sshbuf_free(b);
+ free(ktype);
if (sigblob != NULL) {
explicit_bzero(sigblob, len);
free(sigblob);
diff --git a/crypto/openssh/ssh-ecdsa.c b/crypto/openssh/ssh-ecdsa.c
index 2c76f8b43793..74912dfd906c 100644
--- a/crypto/openssh/ssh-ecdsa.c
+++ b/crypto/openssh/ssh-ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-ecdsa.c,v 1.11 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: ssh-ecdsa.c,v 1.12 2015/12/11 04:21:12 mmcc Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -99,10 +99,8 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
ret = 0;
out:
explicit_bzero(digest, sizeof(digest));
- if (b != NULL)
- sshbuf_free(b);
- if (bb != NULL)
- sshbuf_free(bb);
+ sshbuf_free(b);
+ sshbuf_free(bb);
if (sig != NULL)
ECDSA_SIG_free(sig);
return ret;
@@ -179,10 +177,8 @@ ssh_ecdsa_verify(const struct sshkey *key,
out:
explicit_bzero(digest, sizeof(digest));
- if (sigbuf != NULL)
- sshbuf_free(sigbuf);
- if (b != NULL)
- sshbuf_free(b);
+ sshbuf_free(sigbuf);
+ sshbuf_free(b);
if (sig != NULL)
ECDSA_SIG_free(sig);
free(ktype);
diff --git a/crypto/openssh/ssh-keygen.1 b/crypto/openssh/ssh-keygen.1
index ed17a08fab28..37a4fc2b226d 100644
--- a/crypto/openssh/ssh-keygen.1
+++ b/crypto/openssh/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.127 2015/08/20 19:20:06 naddy Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.130 2016/02/17 07:38:19 jmc Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: August 20 2015 $
+.Dd $Mdocdate: February 17 2016 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -141,8 +141,12 @@
generates, manages and converts authentication keys for
.Xr ssh 1 .
.Nm
-can create RSA keys for use by SSH protocol version 1 and
-DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
+can create keys for use by SSH protocol versions 1 and 2.
+Protocol 1 should not be used
+and is only offered to support legacy devices.
+It suffers from a number of cryptographic weaknesses
+and doesn't support many of the advanced features available for protocol 2.
+.Pp
The type of key to be generated is specified with the
.Fl t
option.
@@ -376,7 +380,7 @@ using the format described in the
.Sx KEY REVOCATION LISTS
section.
.It Fl L
-Prints the contents of a certificate.
+Prints the contents of one or more certificates.
.It Fl l
Show fingerprint of specified public key file.
Private RSA1 keys are also supported.
@@ -474,7 +478,7 @@ At present, no options are valid for host keys.
.It Fl o
Causes
.Nm
-to save SSH protocol 2 private keys using the new OpenSSH format rather than
+to save private keys using the new OpenSSH format rather than
the more compatible PEM format.
The new format has increased resistance to brute-force password cracking
but is not supported by versions of OpenSSH prior to 6.5.
@@ -781,7 +785,7 @@ It is also possible, given a KRL, to test whether it revokes a particular key
(or keys).
The
.Fl Q
-flag will query an existing KRL, testing each key specified on the commandline.
+flag will query an existing KRL, testing each key specified on the command line.
If any key listed on the command line has been revoked (or an error encountered)
then
.Nm
diff --git a/crypto/openssh/ssh-keygen.c b/crypto/openssh/ssh-keygen.c
index 4e0a8555434c..478520123e10 100644
--- a/crypto/openssh/ssh-keygen.c
+++ b/crypto/openssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.277 2015/08/19 23:17:51 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.288 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -523,7 +523,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
sshbuf_free(b);
/* try the key */
- if (sshkey_sign(key, &sig, &slen, data, sizeof(data), 0) != 0 ||
+ if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 ||
sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) {
sshkey_free(key);
free(sig);
@@ -808,116 +808,162 @@ do_download(struct passwd *pw)
#endif /* ENABLE_PKCS11 */
}
+static struct sshkey *
+try_read_key(char **cpp)
+{
+ struct sshkey *ret;
+ int r;
+
+ if ((ret = sshkey_new(KEY_RSA1)) == NULL)
+ fatal("sshkey_new failed");
+ /* Try RSA1 */
+ if ((r = sshkey_read(ret, cpp)) == 0)
+ return ret;
+ /* Try modern */
+ sshkey_free(ret);
+ if ((ret = sshkey_new(KEY_UNSPEC)) == NULL)
+ fatal("sshkey_new failed");
+ if ((r = sshkey_read(ret, cpp)) == 0)
+ return ret;
+ /* Not a key */
+ sshkey_free(ret);
+ return NULL;
+}
+
static void
-do_fingerprint(struct passwd *pw)
+fingerprint_one_key(const struct sshkey *public, const char *comment)
{
- FILE *f;
- struct sshkey *public;
- char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
- int r, i, skip = 0, num = 0, invalid = 1;
+ char *fp = NULL, *ra = NULL;
enum sshkey_fp_rep rep;
int fptype;
- struct stat st;
fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
- if (!have_identity)
- ask_filename(pw, "Enter file in which the key is");
+ fp = sshkey_fingerprint(public, fptype, rep);
+ ra = sshkey_fingerprint(public, fingerprint_hash, SSH_FP_RANDOMART);
+ if (fp == NULL || ra == NULL)
+ fatal("%s: sshkey_fingerprint failed", __func__);
+ printf("%u %s %s (%s)\n", sshkey_size(public), fp,
+ comment ? comment : "no comment", sshkey_type(public));
+ if (log_level >= SYSLOG_LEVEL_VERBOSE)
+ printf("%s\n", ra);
+ free(ra);
+ free(fp);
+}
+
+static void
+fingerprint_private(const char *path)
+{
+ struct stat st;
+ char *comment = NULL;
+ struct sshkey *public = NULL;
+ int r;
+
if (stat(identity_file, &st) < 0)
- fatal("%s: %s", identity_file, strerror(errno));
- if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0)
- debug2("Error loading public key \"%s\": %s",
- identity_file, ssh_err(r));
- else {
- fp = sshkey_fingerprint(public, fptype, rep);
- ra = sshkey_fingerprint(public, fingerprint_hash,
- SSH_FP_RANDOMART);
- if (fp == NULL || ra == NULL)
- fatal("%s: sshkey_fingerprint fail", __func__);
- printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment,
- sshkey_type(public));
- if (log_level >= SYSLOG_LEVEL_VERBOSE)
- printf("%s\n", ra);
- sshkey_free(public);
- free(comment);
- free(ra);
- free(fp);
- exit(0);
- }
- if (comment) {
- free(comment);
- comment = NULL;
+ fatal("%s: %s", path, strerror(errno));
+ if ((r = sshkey_load_public(path, &public, &comment)) != 0) {
+ debug("load public \"%s\": %s", path, ssh_err(r));
+ if ((r = sshkey_load_private(path, NULL,
+ &public, &comment)) != 0) {
+ debug("load private \"%s\": %s", path, ssh_err(r));
+ fatal("%s is not a key file.", path);
+ }
}
- if ((f = fopen(identity_file, "r")) == NULL)
- fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
+ fingerprint_one_key(public, comment);
+ sshkey_free(public);
+ free(comment);
+}
- while (fgets(line, sizeof(line), f)) {
- if ((cp = strchr(line, '\n')) == NULL) {
- error("line %d too long: %.40s...",
- num + 1, line);
- skip = 1;
+static void
+do_fingerprint(struct passwd *pw)
+{
+ FILE *f;
+ struct sshkey *public = NULL;
+ char *comment = NULL, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];
+ int i, invalid = 1;
+ const char *path;
+ long int lnum = 0;
+
+ if (!have_identity)
+ ask_filename(pw, "Enter file in which the key is");
+ path = identity_file;
+
+ if (strcmp(identity_file, "-") == 0) {
+ f = stdin;
+ path = "(stdin)";
+ } else if ((f = fopen(path, "r")) == NULL)
+ fatal("%s: %s: %s", __progname, path, strerror(errno));
+
+ while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {
+ cp = line;
+ cp[strcspn(cp, "\n")] = '\0';
+ /* Trim leading space and comments */
+ cp = line + strspn(line, " \t");
+ if (*cp == '#' || *cp == '\0')
continue;
+
+ /*
+ * Input may be plain keys, private keys, authorized_keys
+ * or known_hosts.
+ */
+
+ /*
+ * Try private keys first. Assume a key is private if
+ * "SSH PRIVATE KEY" appears on the first line and we're
+ * not reading from stdin (XXX support private keys on stdin).
+ */
+ if (lnum == 1 && strcmp(identity_file, "-") != 0 &&
+ strstr(cp, "PRIVATE KEY") != NULL) {
+ fclose(f);
+ fingerprint_private(path);
+ exit(0);
}
- num++;
- if (skip) {
- skip = 0;
+
+ /*
+ * If it's not a private key, then this must be prepared to
+ * accept a public key prefixed with a hostname or options.
+ * Try a bare key first, otherwise skip the leading stuff.
+ */
+ if ((public = try_read_key(&cp)) == NULL) {
+ i = strtol(cp, &ep, 10);
+ if (i == 0 || ep == NULL ||
+ (*ep != ' ' && *ep != '\t')) {
+ int quoted = 0;
+
+ comment = cp;
+ for (; *cp && (quoted || (*cp != ' ' &&
+ *cp != '\t')); cp++) {
+ if (*cp == '\\' && cp[1] == '"')
+ cp++; /* Skip both */
+ else if (*cp == '"')
+ quoted = !quoted;
+ }
+ if (!*cp)
+ continue;
+ *cp++ = '\0';
+ }
+ }
+ /* Retry after parsing leading hostname/key options */
+ if (public == NULL && (public = try_read_key(&cp)) == NULL) {
+ debug("%s:%ld: not a public key", path, lnum);
continue;
}
- *cp = '\0';
- /* Skip leading whitespace, empty and comment lines. */
- for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+ /* Find trailing comment, if any */
+ for (; *cp == ' ' || *cp == '\t'; cp++)
;
- if (!*cp || *cp == '\n' || *cp == '#')
- continue;
- i = strtol(cp, &ep, 10);
- if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
- int quoted = 0;
+ if (*cp != '\0' && *cp != '#')
comment = cp;
- for (; *cp && (quoted || (*cp != ' ' &&
- *cp != '\t')); cp++) {
- if (*cp == '\\' && cp[1] == '"')
- cp++; /* Skip both */
- else if (*cp == '"')
- quoted = !quoted;
- }
- if (!*cp)
- continue;
- *cp++ = '\0';
- }
- ep = cp;
- if ((public = sshkey_new(KEY_RSA1)) == NULL)
- fatal("sshkey_new failed");
- if ((r = sshkey_read(public, &cp)) != 0) {
- cp = ep;
- sshkey_free(public);
- if ((public = sshkey_new(KEY_UNSPEC)) == NULL)
- fatal("sshkey_new failed");
- if ((r = sshkey_read(public, &cp)) != 0) {
- sshkey_free(public);
- continue;
- }
- }
- comment = *cp ? cp : comment;
- fp = sshkey_fingerprint(public, fptype, rep);
- ra = sshkey_fingerprint(public, fingerprint_hash,
- SSH_FP_RANDOMART);
- if (fp == NULL || ra == NULL)
- fatal("%s: sshkey_fingerprint fail", __func__);
- printf("%u %s %s (%s)\n", sshkey_size(public), fp,
- comment ? comment : "no comment", sshkey_type(public));
- if (log_level >= SYSLOG_LEVEL_VERBOSE)
- printf("%s\n", ra);
- free(ra);
- free(fp);
+
+ fingerprint_one_key(public, comment);
sshkey_free(public);
- invalid = 0;
+ invalid = 0; /* One good key in the file is sufficient */
}
fclose(f);
if (invalid)
- fatal("%s is not a public key file.", identity_file);
+ fatal("%s is not a public key file.", path);
exit(0);
}
@@ -1185,8 +1231,11 @@ do_known_hosts(struct passwd *pw, const char *name)
foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0;
if ((r = hostkeys_foreach(identity_file,
hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx,
- name, NULL, foreach_options)) != 0)
+ name, NULL, foreach_options)) != 0) {
+ if (inplace)
+ unlink(tmp);
fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
+ }
if (inplace)
fclose(ctx.out);
@@ -1383,9 +1432,11 @@ do_change_comment(struct passwd *pw)
identity_file, ssh_err(r));
}
}
- /* XXX what about new-format keys? */
- if (private->type != KEY_RSA1) {
- error("Comments are only supported for RSA1 keys.");
+
+ if (private->type != KEY_RSA1 && private->type != KEY_ED25519 &&
+ !use_new_format) {
+ error("Comments are only supported for RSA1 or keys stored in "
+ "the new format (-o).");
explicit_bzero(passphrase, strlen(passphrase));
sshkey_free(private);
exit(1);
@@ -1441,44 +1492,6 @@ do_change_comment(struct passwd *pw)
exit(0);
}
-static const char *
-fmt_validity(u_int64_t valid_from, u_int64_t valid_to)
-{
- char from[32], to[32];
- static char ret[64];
- time_t tt;
- struct tm *tm;
-
- *from = *to = '\0';
- if (valid_from == 0 && valid_to == 0xffffffffffffffffULL)
- return "forever";
-
- if (valid_from != 0) {
- /* XXX revisit INT_MAX in 2038 :) */
- tt = valid_from > INT_MAX ? INT_MAX : valid_from;
- tm = localtime(&tt);
- strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
- }
- if (valid_to != 0xffffffffffffffffULL) {
- /* XXX revisit INT_MAX in 2038 :) */
- tt = valid_to > INT_MAX ? INT_MAX : valid_to;
- tm = localtime(&tt);
- strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
- }
-
- if (valid_from == 0) {
- snprintf(ret, sizeof(ret), "before %s", to);
- return ret;
- }
- if (valid_to == 0xffffffffffffffffULL) {
- snprintf(ret, sizeof(ret), "after %s", from);
- return ret;
- }
-
- snprintf(ret, sizeof(ret), "from %s to %s", from, to);
- return ret;
-}
-
static void
add_flag_option(struct sshbuf *c, const char *name)
{
@@ -1572,7 +1585,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
int r, i, fd;
u_int n;
struct sshkey *ca, *public;
- char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
+ char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
FILE *f;
#ifdef ENABLE_PKCS11
@@ -1647,13 +1660,15 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
fclose(f);
if (!quiet) {
+ sshkey_format_cert_validity(public->cert,
+ valid, sizeof(valid));
logit("Signed %s key %s: id \"%s\" serial %llu%s%s "
- "valid %s", sshkey_cert_type(public),
+ "valid %s", sshkey_cert_type(public),
out, public->cert->key_id,
(unsigned long long)public->cert->serial,
cert_principals != NULL ? " for " : "",
cert_principals != NULL ? cert_principals : "",
- fmt_validity(cert_valid_from, cert_valid_to));
+ valid);
}
sshkey_free(public);
@@ -1687,7 +1702,7 @@ parse_absolute_time(const char *s)
char buf[32], *fmt;
/*
- * POSIX strptime says "The application shall ensure that there
+ * POSIX strptime says "The application shall ensure that there
* is white-space or other non-alphanumeric characters between
* any two conversion specifications" so arrange things this way.
*/
@@ -1851,31 +1866,18 @@ show_options(struct sshbuf *optbuf, int in_critical)
}
static void
-do_show_cert(struct passwd *pw)
+print_cert(struct sshkey *key)
{
- struct sshkey *key;
- struct stat st;
- char *key_fp, *ca_fp;
+ char valid[64], *key_fp, *ca_fp;
u_int i;
- int r;
-
- if (!have_identity)
- ask_filename(pw, "Enter file in which the key is");
- if (stat(identity_file, &st) < 0)
- fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
- if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0)
- fatal("Cannot load public key \"%s\": %s",
- identity_file, ssh_err(r));
- if (!sshkey_is_cert(key))
- fatal("%s is not a certificate", identity_file);
key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
ca_fp = sshkey_fingerprint(key->cert->signature_key,
fingerprint_hash, SSH_FP_DEFAULT);
if (key_fp == NULL || ca_fp == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
+ sshkey_format_cert_validity(key->cert, valid, sizeof(valid));
- printf("%s:\n", identity_file);
printf(" Type: %s %s certificate\n", sshkey_ssh_name(key),
sshkey_cert_type(key));
printf(" Public key: %s %s\n", sshkey_type(key), key_fp);
@@ -1883,8 +1885,7 @@ do_show_cert(struct passwd *pw)
sshkey_type(key->cert->signature_key), ca_fp);
printf(" Key ID: \"%s\"\n", key->cert->key_id);
printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);
- printf(" Valid: %s\n",
- fmt_validity(key->cert->valid_after, key->cert->valid_before));
+ printf(" Valid: %s\n", valid);
printf(" Principals: ");
if (key->cert->nprincipals == 0)
printf("(none)\n");
@@ -1908,7 +1909,60 @@ do_show_cert(struct passwd *pw)
printf("\n");
show_options(key->cert->extensions, 0);
}
- exit(0);
+}
+
+static void
+do_show_cert(struct passwd *pw)
+{
+ struct sshkey *key = NULL;
+ struct stat st;
+ int r, is_stdin = 0, ok = 0;
+ FILE *f;
+ char *cp, line[SSH_MAX_PUBKEY_BYTES];
+ const char *path;
+ long int lnum = 0;
+
+ if (!have_identity)
+ ask_filename(pw, "Enter file in which the key is");
+ if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) < 0)
+ fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
+
+ path = identity_file;
+ if (strcmp(path, "-") == 0) {
+ f = stdin;
+ path = "(stdin)";
+ is_stdin = 1;
+ } else if ((f = fopen(identity_file, "r")) == NULL)
+ fatal("fopen %s: %s", identity_file, strerror(errno));
+
+ while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {
+ sshkey_free(key);
+ key = NULL;
+ /* Trim leading space and comments */
+ cp = line + strspn(line, " \t");
+ if (*cp == '#' || *cp == '\0')
+ continue;
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
+ fatal("key_new");
+ if ((r = sshkey_read(key, &cp)) != 0) {
+ error("%s:%lu: invalid key: %s", path,
+ lnum, ssh_err(r));
+ continue;
+ }
+ if (!sshkey_is_cert(key)) {
+ error("%s:%lu is not a certificate", path, lnum);
+ continue;
+ }
+ ok = 1;
+ if (!is_stdin && lnum == 1)
+ printf("%s:\n", path);
+ else
+ printf("%s:%lu:\n", path, lnum);
+ print_cert(key);
+ }
+ sshkey_free(key);
+ fclose(f);
+ exit(ok ? 0 : 1);
}
static void
@@ -2112,8 +2166,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
close(fd);
sshbuf_free(kbuf);
ssh_krl_free(krl);
- if (ca != NULL)
- sshkey_free(ca);
+ sshkey_free(ca);
}
static void
@@ -2208,6 +2261,7 @@ main(int argc, char **argv)
extern int optind;
extern char *optarg;
+ ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
diff --git a/crypto/openssh/ssh-keyscan.1 b/crypto/openssh/ssh-keyscan.1
index 6bbc480cd5c6..d29d9d906479 100644
--- a/crypto/openssh/ssh-keyscan.1
+++ b/crypto/openssh/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.36 2014/08/30 15:33:50 sobrado Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.38 2015/11/08 23:24:03 jmc Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@@ -6,7 +6,7 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
-.Dd $Mdocdate: August 30 2014 $
+.Dd $Mdocdate: November 8 2015 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
@@ -15,7 +15,7 @@
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
-.Op Fl 46Hv
+.Op Fl 46cHv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
@@ -54,6 +54,8 @@ to use IPv4 addresses only.
Forces
.Nm
to use IPv6 addresses only.
+.It Fl c
+Request certificates from target hosts instead of plain keys.
.It Fl f Ar file
Read hosts or
.Dq addrlist namelist
diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c
index 57d88429b059..7fe61e4e1a0e 100644
--- a/crypto/openssh/ssh-keyscan.c
+++ b/crypto/openssh/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.101 2015/04/10 00:08:55 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.105 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
@@ -60,6 +60,7 @@ int ssh_port = SSH_DEFAULT_PORT;
#define KT_ECDSA 8
#define KT_ED25519 16
+int get_cert = 0;
int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
int hash_hosts = 0; /* Hash hostname on output */
@@ -267,11 +268,32 @@ keygrab_ssh2(con *c)
int r;
enable_compat20();
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- c->c_keytype == KT_DSA ? "ssh-dss" :
- (c->c_keytype == KT_RSA ? "ssh-rsa" :
- (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
- "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
+ switch (c->c_keytype) {
+ case KT_DSA:
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+ "ssh-dss-cert-v01@openssh.com" : "ssh-dss";
+ break;
+ case KT_RSA:
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+ "ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
+ break;
+ case KT_ED25519:
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+ "ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519";
+ break;
+ case KT_ECDSA:
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com" :
+ "ecdsa-sha2-nistp256,"
+ "ecdsa-sha2-nistp384,"
+ "ecdsa-sha2-nistp521";
+ break;
+ default:
+ fatal("unknown key type %d", c->c_keytype);
+ break;
+ }
if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
free(c->c_ssh);
fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
@@ -296,23 +318,39 @@ keygrab_ssh2(con *c)
}
static void
-keyprint(con *c, struct sshkey *key)
+keyprint_one(char *host, struct sshkey *key)
{
- char *host = c->c_output_name ? c->c_output_name : c->c_name;
- char *hostport = NULL;
+ char *hostport;
- if (!key)
- return;
if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
fatal("host_hash failed");
hostport = put_host_port(host, ssh_port);
- fprintf(stdout, "%s ", hostport);
+ if (!get_cert)
+ fprintf(stdout, "%s ", hostport);
sshkey_write(key, stdout);
fputs("\n", stdout);
free(hostport);
}
+static void
+keyprint(con *c, struct sshkey *key)
+{
+ char *hosts = c->c_output_name ? c->c_output_name : c->c_name;
+ char *host, *ohosts;
+
+ if (key == NULL)
+ return;
+ if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) {
+ keyprint_one(hosts, key);
+ return;
+ }
+ ohosts = hosts = xstrdup(hosts);
+ while ((host = strsep(&hosts, ",")) != NULL)
+ keyprint_one(host, key);
+ free(ohosts);
+}
+
static int
tcpconnect(char *host)
{
@@ -369,6 +407,7 @@ conalloc(char *iname, char *oname, int keytype)
if (fdcon[s].c_status)
fatal("conalloc: attempt to reuse fdno %d", s);
+ debug3("%s: oname %s kt %d", __func__, oname, keytype);
fdcon[s].c_fd = s;
fdcon[s].c_status = CS_CON;
fdcon[s].c_namebase = namebase;
@@ -639,7 +678,7 @@ static void
usage(void)
{
fprintf(stderr,
- "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
+ "usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n"
"\t\t [host | addrlist namelist] ...\n",
__progname);
exit(1);
@@ -657,6 +696,7 @@ main(int argc, char **argv)
extern int optind;
extern char *optarg;
+ ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
seed_rng();
TAILQ_INIT(&tq);
@@ -667,11 +707,14 @@ main(int argc, char **argv)
if (argc <= 1)
usage();
- while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
+ while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
switch (opt) {
case 'H':
hash_hosts = 1;
break;
+ case 'c':
+ get_cert = 1;
+ break;
case 'p':
ssh_port = a2port(optarg);
if (ssh_port <= 0) {
diff --git a/crypto/openssh/ssh-keysign.8 b/crypto/openssh/ssh-keysign.8
index 69d082954df6..19b0dbc533c8 100644
--- a/crypto/openssh/ssh-keysign.8
+++ b/crypto/openssh/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.14 2013/12/07 11:58:46 naddy Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.15 2016/02/17 07:38:19 jmc Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: December 7 2013 $
+.Dd $Mdocdate: February 17 2016 $
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME
@@ -35,7 +35,7 @@
is used by
.Xr ssh 1
to access the local host keys and generate the digital signature
-required during host-based authentication with SSH protocol version 2.
+required during host-based authentication.
.Pp
.Nm
is disabled by default and can only be enabled in the
diff --git a/crypto/openssh/ssh-keysign.c b/crypto/openssh/ssh-keysign.c
index 1dca3e289f1e..ac5034de860f 100644
--- a/crypto/openssh/ssh-keysign.c
+++ b/crypto/openssh/ssh-keysign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keysign.c,v 1.49 2015/07/03 03:56:25 djm Exp $ */
+/* $OpenBSD: ssh-keysign.c,v 1.52 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
@@ -34,6 +34,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <errno.h>
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
@@ -59,6 +60,8 @@
struct ssh *active_state = NULL; /* XXX needed for linking */
+extern char *__progname;
+
/* XXX readconf.c needs these */
uid_t original_real_uid;
@@ -179,6 +182,10 @@ main(int argc, char **argv)
u_int32_t rnd[256];
#endif
+ ssh_malloc_init(); /* must be called before any mallocs */
+ if (pledge("stdio rpath getpw dns id", NULL) != 0)
+ fatal("%s: pledge: %s", __progname, strerror(errno));
+
/* Ensure that stdin and stdout are connected */
if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
exit(1);
@@ -245,23 +252,26 @@ main(int argc, char **argv)
if (!found)
fatal("no hostkey found");
+ if (pledge("stdio dns", NULL) != 0)
+ fatal("%s: pledge: %s", __progname, strerror(errno));
+
if ((b = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new failed", __func__);
+ fatal("%s: sshbuf_new failed", __progname);
if (ssh_msg_recv(STDIN_FILENO, b) < 0)
fatal("ssh_msg_recv failed");
if ((r = sshbuf_get_u8(b, &rver)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __progname, ssh_err(r));
if (rver != version)
fatal("bad version: received %d, expected %d", rver, version);
if ((r = sshbuf_get_u32(b, (u_int *)&fd)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __progname, ssh_err(r));
if (fd < 0 || fd == STDIN_FILENO || fd == STDOUT_FILENO)
fatal("bad fd");
if ((host = get_local_name(fd)) == NULL)
fatal("cannot get local name for fd");
if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __progname, ssh_err(r));
if (valid_request(pw, host, &key, data, dlen) < 0)
fatal("not a valid request");
free(host);
@@ -277,19 +287,20 @@ main(int argc, char **argv)
if (!found) {
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
SSH_FP_DEFAULT)) == NULL)
- fatal("%s: sshkey_fingerprint failed", __func__);
+ fatal("%s: sshkey_fingerprint failed", __progname);
fatal("no matching hostkey found for key %s %s",
sshkey_type(key), fp ? fp : "");
}
- if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, 0)) != 0)
+ if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, NULL, 0))
+ != 0)
fatal("sshkey_sign failed: %s", ssh_err(r));
free(data);
/* send reply */
sshbuf_reset(b);
if ((r = sshbuf_put_string(b, signature, slen)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __progname, ssh_err(r));
if (ssh_msg_send(STDOUT_FILENO, version, b) == -1)
fatal("ssh_msg_send failed");
diff --git a/crypto/openssh/ssh-pkcs11-client.c b/crypto/openssh/ssh-pkcs11-client.c
index 8c74864aa362..fac0167e6f14 100644
--- a/crypto/openssh/ssh-pkcs11-client.c
+++ b/crypto/openssh/ssh-pkcs11-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-client.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11-client.c,v 1.6 2015/12/11 00:20:04 mmcc Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@@ -173,7 +173,7 @@ pkcs11_start_helper(void)
close(pair[0]);
close(pair[1]);
execlp(_PATH_SSH_PKCS11_HELPER, _PATH_SSH_PKCS11_HELPER,
- (char *) 0);
+ (char *)NULL);
fprintf(stderr, "exec: %s: %s\n", _PATH_SSH_PKCS11_HELPER,
strerror(errno));
_exit(1);
diff --git a/crypto/openssh/ssh-pkcs11-helper.c b/crypto/openssh/ssh-pkcs11-helper.c
index f2d586395472..53f41c555f40 100644
--- a/crypto/openssh/ssh-pkcs11-helper.c
+++ b/crypto/openssh/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-helper.c,v 1.11 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: ssh-pkcs11-helper.c,v 1.12 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@@ -280,6 +280,7 @@ main(int argc, char **argv)
extern char *__progname;
+ ssh_malloc_init(); /* must be called before any mallocs */
TAILQ_INIT(&pkcs11_keylist);
pkcs11_init(0);
diff --git a/crypto/openssh/ssh-pkcs11.c b/crypto/openssh/ssh-pkcs11.c
index 92614a52d64d..d1f750db0410 100644
--- a/crypto/openssh/ssh-pkcs11.c
+++ b/crypto/openssh/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.21 2015/07/18 08:02:17 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.22 2016/02/12 00:20:30 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@@ -322,8 +322,10 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
k11->slotidx = slotidx;
/* identify key object on smartcard */
k11->keyid_len = keyid_attrib->ulValueLen;
- k11->keyid = xmalloc(k11->keyid_len);
- memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
+ if (k11->keyid_len > 0) {
+ k11->keyid = xmalloc(k11->keyid_len);
+ memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
+ }
k11->orig_finish = def->finish;
memcpy(&k11->rsa_method, def, sizeof(k11->rsa_method));
k11->rsa_method.name = "pkcs11";
diff --git a/crypto/openssh/ssh-rsa.c b/crypto/openssh/ssh-rsa.c
index cdc18a4162c7..53d44d1f31a2 100644
--- a/crypto/openssh/ssh-rsa.c
+++ b/crypto/openssh/ssh-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-rsa.c,v 1.53 2015/06/15 01:32:50 djm Exp $ */
+/* $OpenBSD: ssh-rsa.c,v 1.58 2015/12/11 04:21:12 mmcc Exp $ */
/*
* Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
*
@@ -36,16 +36,56 @@
static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
+static const char *
+rsa_hash_alg_ident(int hash_alg)
+{
+ switch (hash_alg) {
+ case SSH_DIGEST_SHA1:
+ return "ssh-rsa";
+ case SSH_DIGEST_SHA256:
+ return "rsa-sha2-256";
+ case SSH_DIGEST_SHA512:
+ return "rsa-sha2-512";
+ }
+ return NULL;
+}
+
+static int
+rsa_hash_alg_from_ident(const char *ident)
+{
+ if (strcmp(ident, "ssh-rsa") == 0)
+ return SSH_DIGEST_SHA1;
+ if (strcmp(ident, "rsa-sha2-256") == 0)
+ return SSH_DIGEST_SHA256;
+ if (strcmp(ident, "rsa-sha2-512") == 0)
+ return SSH_DIGEST_SHA512;
+ return -1;
+}
+
+static int
+rsa_hash_alg_nid(int type)
+{
+ switch (type) {
+ case SSH_DIGEST_SHA1:
+ return NID_sha1;
+ case SSH_DIGEST_SHA256:
+ return NID_sha256;
+ case SSH_DIGEST_SHA512:
+ return NID_sha512;
+ default:
+ return -1;
+ }
+}
+
/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
int
ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
- const u_char *data, size_t datalen, u_int compat)
+ const u_char *data, size_t datalen, const char *alg_ident)
{
- int hash_alg;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
size_t slen;
u_int dlen, len;
- int nid, ret = SSH_ERR_INTERNAL_ERROR;
+ int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
if (lenp != NULL)
@@ -53,16 +93,21 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
if (sigp != NULL)
*sigp = NULL;
- if (key == NULL || key->rsa == NULL ||
- sshkey_type_plain(key->type) != KEY_RSA)
+ if (alg_ident == NULL || strlen(alg_ident) == 0 ||
+ strncmp(alg_ident, "ssh-rsa-cert", strlen("ssh-rsa-cert")) == 0)
+ hash_alg = SSH_DIGEST_SHA1;
+ else
+ hash_alg = rsa_hash_alg_from_ident(alg_ident);
+ if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
+ sshkey_type_plain(key->type) != KEY_RSA ||
+ BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
return SSH_ERR_INVALID_ARGUMENT;
slen = RSA_size(key->rsa);
if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
return SSH_ERR_INVALID_ARGUMENT;
/* hash the data */
- hash_alg = SSH_DIGEST_SHA1;
- nid = NID_sha1;
+ nid = rsa_hash_alg_nid(hash_alg);
if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
return SSH_ERR_INTERNAL_ERROR;
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
@@ -91,7 +136,7 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((ret = sshbuf_put_cstring(b, "ssh-rsa")) != 0 ||
+ if ((ret = sshbuf_put_cstring(b, rsa_hash_alg_ident(hash_alg))) != 0 ||
(ret = sshbuf_put_string(b, sig, slen)) != 0)
goto out;
len = sshbuf_len(b);
@@ -111,15 +156,13 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
explicit_bzero(sig, slen);
free(sig);
}
- if (b != NULL)
- sshbuf_free(b);
+ sshbuf_free(b);
return ret;
}
int
ssh_rsa_verify(const struct sshkey *key,
- const u_char *signature, size_t signaturelen,
- const u_char *data, size_t datalen, u_int compat)
+ const u_char *sig, size_t siglen, const u_char *data, size_t datalen)
{
char *ktype = NULL;
int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
@@ -132,13 +175,13 @@ ssh_rsa_verify(const struct sshkey *key,
BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
return SSH_ERR_INVALID_ARGUMENT;
- if ((b = sshbuf_from(signature, signaturelen)) == NULL)
+ if ((b = sshbuf_from(sig, siglen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
- if (strcmp("ssh-rsa", ktype) != 0) {
+ if ((hash_alg = rsa_hash_alg_from_ident(ktype)) == -1) {
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
@@ -167,7 +210,6 @@ ssh_rsa_verify(const struct sshkey *key,
explicit_bzero(sigblob, diff);
len = modlen;
}
- hash_alg = SSH_DIGEST_SHA1;
if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
@@ -183,10 +225,8 @@ ssh_rsa_verify(const struct sshkey *key,
explicit_bzero(sigblob, len);
free(sigblob);
}
- if (ktype != NULL)
- free(ktype);
- if (b != NULL)
- sshbuf_free(b);
+ free(ktype);
+ sshbuf_free(b);
explicit_bzero(digest, sizeof(digest));
return ret;
}
@@ -196,6 +236,7 @@ ssh_rsa_verify(const struct sshkey *key,
* http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
* ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
*/
+
/*
* id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
* oiw(14) secsig(3) algorithms(2) 26 }
@@ -209,25 +250,71 @@ static const u_char id_sha1[] = {
0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */
};
+/*
+ * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
+ * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
+ * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
+ * id-sha256(1) }
+ */
+static const u_char id_sha256[] = {
+ 0x30, 0x31, /* type Sequence, length 0x31 (49) */
+ 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
+ 0x06, 0x09, /* type OID, length 0x09 */
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */
+ 0x05, 0x00, /* NULL */
+ 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */
+};
+
+/*
+ * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
+ * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
+ * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
+ * id-sha256(3) }
+ */
+static const u_char id_sha512[] = {
+ 0x30, 0x51, /* type Sequence, length 0x51 (81) */
+ 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
+ 0x06, 0x09, /* type OID, length 0x09 */
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */
+ 0x05, 0x00, /* NULL */
+ 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */
+};
+
+static int
+rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp)
+{
+ switch (hash_alg) {
+ case SSH_DIGEST_SHA1:
+ *oidp = id_sha1;
+ *oidlenp = sizeof(id_sha1);
+ break;
+ case SSH_DIGEST_SHA256:
+ *oidp = id_sha256;
+ *oidlenp = sizeof(id_sha256);
+ break;
+ case SSH_DIGEST_SHA512:
+ *oidp = id_sha512;
+ *oidlenp = sizeof(id_sha512);
+ break;
+ default:
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
+ return 0;
+}
+
static int
openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
u_char *sigbuf, size_t siglen, RSA *rsa)
{
- size_t ret, rsasize = 0, oidlen = 0, hlen = 0;
- int len, oidmatch, hashmatch;
+ size_t rsasize = 0, oidlen = 0, hlen = 0;
+ int ret, len, oidmatch, hashmatch;
const u_char *oid = NULL;
u_char *decrypted = NULL;
+ if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0)
+ return ret;
ret = SSH_ERR_INTERNAL_ERROR;
- switch (hash_alg) {
- case SSH_DIGEST_SHA1:
- oid = id_sha1;
- oidlen = sizeof(id_sha1);
- hlen = 20;
- break;
- default:
- goto done;
- }
+ hlen = ssh_digest_bytes(hash_alg);
if (hashlen != hlen) {
ret = SSH_ERR_INVALID_ARGUMENT;
goto done;
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1
index 9bb6c5783b55..a434ab056185 100644
--- a/crypto/openssh/ssh.1
+++ b/crypto/openssh/ssh.1
@@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.361 2015/07/20 18:44:12 millert Exp $
+.\" $OpenBSD: ssh.1,v 1.369 2016/02/17 07:38:19 jmc Exp $
.\" $FreeBSD$
-.Dd $Mdocdate: July 20 2015 $
+.Dd $Mdocdate: February 17 2016 $
.Dt SSH 1
.Os
.Sh NAME
@@ -59,7 +59,7 @@
.Op Fl O Ar ctl_cmd
.Op Fl o Ar option
.Op Fl p Ar port
-.Op Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version
+.Op Fl Q Ar query_option
.Op Fl R Ar address
.Op Fl S Ar ctl_path
.Op Fl W Ar host : Ns Ar port
@@ -71,8 +71,7 @@
.Nm
(SSH client) is a program for logging into a remote machine and for
executing commands on a remote machine.
-It is intended to replace rlogin and rsh,
-and provide secure encrypted communications between
+It is intended to provide secure encrypted communications between
two untrusted hosts over an insecure network.
X11 connections, arbitrary TCP ports and
.Ux Ns -domain
@@ -86,7 +85,7 @@ connects and logs into the specified
name).
The user must prove
his/her identity to the remote machine using one of several methods
-depending on the protocol version used (see below).
+(see below).
.Pp
If
.Ar command
@@ -305,6 +304,9 @@ It is possible to have multiple
.Fl i
options (and multiple identities specified in
configuration files).
+If no certificates have been explicitly specified by the
+.Cm CertificateFile
+directive,
.Nm
will also try to load certificate information from the filename obtained
by appending
@@ -401,17 +403,15 @@ in
for details.
.Pp
.It Fl m Ar mac_spec
-Additionally, for protocol version 2 a comma-separated list of MAC
-(message authentication code) algorithms can
-be specified in order of preference.
+A comma-separated list of MAC (message authentication code) algorithms,
+specified in order of preference.
See the
.Cm MACs
keyword for more information.
.Pp
.It Fl N
Do not execute a remote command.
-This is useful for just forwarding ports
-(protocol version 2 only).
+This is useful for just forwarding ports.
.Pp
.It Fl n
Redirects stdin from
@@ -461,6 +461,7 @@ For full details of the options listed below, and their possible values, see
.Xr ssh_config 5 .
.Pp
.Bl -tag -width Ds -offset indent -compact
+.It AddKeysToAgent
.It AddressFamily
.It BatchMode
.It BindAddress
@@ -469,6 +470,7 @@ For full details of the options listed below, and their possible values, see
.It CanonicalizeHostname
.It CanonicalizeMaxDots
.It CanonicalizePermittedCNAMEs
+.It CertificateFile
.It ChallengeResponseAuthentication
.It CheckHostIP
.It Cipher
@@ -552,7 +554,7 @@ Port to connect to on the remote host.
This can be specified on a
per-host basis in the configuration file.
.Pp
-.It Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version
+.It Fl Q Ar query_option
Queries
.Nm
for the algorithms supported for the specified version 2.
@@ -566,7 +568,11 @@ The available features are:
.Ar kex
(key exchange algorithms),
.Ar key
-(key types) and
+(key types),
+.Ar key-cert
+(certificate key types),
+.Ar key-plain
+(non-certificate key types), and
.Ar protocol-version
(supported SSH protocol versions).
.Pp
@@ -658,8 +664,8 @@ for details.
.Pp
.It Fl s
May be used to request invocation of a subsystem on the remote system.
-Subsystems are a feature of the SSH2 protocol which facilitate the use
-of SSH as a secure transport for other applications (eg.\&
+Subsystems facilitate the use of SSH
+as a secure transport for other applications (e.g.\&
.Xr sftp 1 ) .
The subsystem is specified as the remote command.
.Pp
@@ -704,7 +710,6 @@ Implies
.Cm ExitOnForwardFailure
and
.Cm ClearAllForwardings .
-Works with Protocol version 2 only.
.Pp
.It Fl w Xo
.Ar local_tun Ns Op : Ns Ar remote_tun
@@ -789,15 +794,10 @@ or the
and
.Fl 2
options (see above).
-Both protocols support similar authentication methods,
-but protocol 2 is the default since
-it provides additional mechanisms for confidentiality
-(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
-and integrity (hmac-md5, hmac-sha1,
-hmac-sha2-256, hmac-sha2-512,
-umac-64, umac-128, hmac-ripemd160).
-Protocol 1 lacks a strong mechanism for ensuring the
-integrity of the connection.
+Protocol 1 should not be used
+and is only offered to support legacy devices.
+It suffers from a number of cryptographic weaknesses
+and doesn't support many of the advanced features available for protocol 2.
.Pp
The methods available for authentication are:
GSSAPI-based authentication,
@@ -806,8 +806,9 @@ public key authentication,
challenge-response authentication,
and password authentication.
Authentication methods are tried in the order specified above,
-though protocol 2 has a configuration option to change the default order:
-.Cm PreferredAuthentications .
+though
+.Cm PreferredAuthentications
+can be used to change the default order.
.Pp
Host-based authentication works as follows:
If the machine the user logs in from is listed in
@@ -851,8 +852,6 @@ The server knows the public key, and only the user knows the private key.
.Nm
implements public key authentication protocol automatically,
using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
-Protocol 1 is restricted to using only RSA keys,
-but protocol 2 may use any.
The HISTORY section of
.Xr ssl 8
contains a brief discussion of the DSA and RSA algorithms.
@@ -874,26 +873,26 @@ This stores the private key in
.Pa ~/.ssh/identity
(protocol 1),
.Pa ~/.ssh/id_dsa
-(protocol 2 DSA),
+(DSA),
.Pa ~/.ssh/id_ecdsa
-(protocol 2 ECDSA),
+(ECDSA),
.Pa ~/.ssh/id_ed25519
-(protocol 2 Ed25519),
+(Ed25519),
or
.Pa ~/.ssh/id_rsa
-(protocol 2 RSA)
+(RSA)
and stores the public key in
.Pa ~/.ssh/identity.pub
(protocol 1),
.Pa ~/.ssh/id_dsa.pub
-(protocol 2 DSA),
+(DSA),
.Pa ~/.ssh/id_ecdsa.pub
-(protocol 2 ECDSA),
+(ECDSA),
.Pa ~/.ssh/id_ed25519.pub
-(protocol 2 Ed25519),
+(Ed25519),
or
.Pa ~/.ssh/id_rsa.pub
-(protocol 2 RSA)
+(RSA)
in the user's home directory.
The user should then copy the public key
to
@@ -921,14 +920,16 @@ The most convenient way to use public key or certificate authentication
may be with an authentication agent.
See
.Xr ssh-agent 1
+and (optionally) the
+.Cm AddKeysToAgent
+directive in
+.Xr ssh_config 5
for more information.
.Pp
Challenge-response authentication works as follows:
The server sends an arbitrary
.Qq challenge
text, and prompts for a response.
-Protocol 2 allows multiple challenges and responses;
-protocol 1 is restricted to just one challenge/response.
Examples of challenge-response authentication include
.Bx
Authentication (see
@@ -1027,7 +1028,7 @@ at logout when waiting for forwarded connection / X11 sessions to terminate.
Display a list of escape characters.
.It Cm ~B
Send a BREAK to the remote system
-(only useful for SSH protocol version 2 and if the peer supports it).
+(only useful if the peer supports it).
.It Cm ~C
Open command line.
Currently this allows the addition of port forwardings using the
@@ -1060,7 +1061,7 @@ Basic help is available, using the
option.
.It Cm ~R
Request rekeying of the connection
-(only useful for SSH protocol version 2 and if the peer supports it).
+(only useful if the peer supports it).
.It Cm ~V
Decrease the verbosity
.Pq Ic LogLevel
@@ -1528,20 +1529,6 @@ The file format and configuration options are described in
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys
and are used for host-based authentication.
-If protocol version 1 is used,
-.Nm
-must be setuid root, since the host key is readable only by root.
-For protocol version 2,
-.Nm
-uses
-.Xr ssh-keysign 8
-to access the host keys,
-eliminating the requirement that
-.Nm
-be setuid root when host-based authentication is used.
-By default
-.Nm
-is not setuid root.
.Pp
.It Pa /etc/ssh/ssh_known_hosts
Systemwide list of known host keys.
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
index 046dc9d9d1c5..7e254f49f93c 100644
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.420 2015/07/30 00:01:34 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.436 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -106,7 +106,6 @@ __RCSID("$FreeBSD$");
#include "match.h"
#include "msg.h"
#include "uidswap.h"
-#include "roaming.h"
#include "version.h"
#include "ssherr.h"
#include "myproposal.h"
@@ -204,11 +203,9 @@ usage(void)
fprintf(stderr,
"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
-" [-F configfile] [-I pkcs11] [-i identity_file]\n"
-" [-L address] [-l login_name] [-m mac_spec]\n"
-" [-O ctl_cmd] [-o option] [-p port]\n"
-" [-Q cipher | cipher-auth | mac | kex | key]\n"
-" [-R address] [-S ctl_path] [-W host:port]\n"
+" [-F configfile] [-I pkcs11] [-i identity_file] [-L address]\n"
+" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
+" [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
" [-w local_tun[:remote_tun]] [user@]hostname [command]\n"
);
exit(255);
@@ -253,7 +250,7 @@ resolve_host(const char *name, int port, int logerr, char *cname, size_t clen)
if (port <= 0)
port = default_ssh_port();
- snprintf(strport, sizeof strport, "%u", port);
+ snprintf(strport, sizeof strport, "%d", port);
memset(&hints, 0, sizeof(hints));
hints.ai_family = options.address_family == -1 ?
AF_UNSPEC : options.address_family;
@@ -407,6 +404,17 @@ resolve_canonicalize(char **hostp, int port)
return addrs;
}
+ /* If domain name is anchored, then resolve it now */
+ if ((*hostp)[strlen(*hostp) - 1] == '.') {
+ debug3("%s: name is fully qualified", __func__);
+ fullhost = xstrdup(*hostp);
+ if ((addrs = resolve_host(fullhost, port, 0,
+ newname, sizeof(newname))) != NULL)
+ goto found;
+ free(fullhost);
+ goto notfound;
+ }
+
/* Don't apply canonicalization to sufficiently-qualified hostnames */
ndots = 0;
for (cp = *hostp; *cp != '\0'; cp++) {
@@ -430,6 +438,7 @@ resolve_canonicalize(char **hostp, int port)
free(fullhost);
continue;
}
+ found:
/* Remove trailing '.' */
fullhost[strlen(fullhost) - 1] = '\0';
/* Follow CNAME if requested */
@@ -441,6 +450,7 @@ resolve_canonicalize(char **hostp, int port)
*hostp = fullhost;
return addrs;
}
+ notfound:
if (!options.canonicalize_fallback_local)
fatal("%s: Could not resolve host \"%s\"", __progname, *hostp);
debug2("%s: host %s not found in any suffix", __func__, *hostp);
@@ -507,7 +517,7 @@ main(int ac, char **av)
int i, r, opt, exit_status, use_syslog, config_test = 0;
char *p, *cp, *line, *argv0, buf[PATH_MAX], *host_arg, *logfile;
char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
- char cname[NI_MAXHOST];
+ char cname[NI_MAXHOST], uidstr[32], *conn_hash_hex;
struct stat st;
struct passwd *pw;
int timeout_ms;
@@ -517,8 +527,8 @@ main(int ac, char **av)
struct addrinfo *addrs = NULL;
struct ssh_digest_ctx *md;
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
- char *conn_hash_hex;
+ ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@@ -628,7 +638,7 @@ main(int ac, char **av)
use_syslog = 1;
break;
case 'E':
- logfile = xstrdup(optarg);
+ logfile = optarg;
break;
case 'G':
config_test = 1;
@@ -705,16 +715,18 @@ main(int ac, char **av)
options.gss_deleg_creds = 1;
break;
case 'i':
- if (stat(optarg, &st) < 0) {
+ p = tilde_expand_filename(optarg, original_real_uid);
+ if (stat(p, &st) < 0)
fprintf(stderr, "Warning: Identity file %s "
- "not accessible: %s.\n", optarg,
+ "not accessible: %s.\n", p,
strerror(errno));
- break;
- }
- add_identity_file(&options, NULL, optarg, 1);
+ else
+ add_identity_file(&options, NULL, p, 1);
+ free(p);
break;
case 'I':
#ifdef ENABLE_PKCS11
+ free(options.pkcs11_provider);
options.pkcs11_provider = xstrdup(optarg);
#else
fprintf(stderr, "no support for PKCS#11.\n");
@@ -799,6 +811,7 @@ main(int ac, char **av)
if (ciphers_valid(*optarg == '+' ?
optarg + 1 : optarg)) {
/* SSH2 only */
+ free(options.ciphers);
options.ciphers = xstrdup(optarg);
options.cipher = SSH_CIPHER_INVALID;
break;
@@ -818,9 +831,10 @@ main(int ac, char **av)
options.ciphers = xstrdup(KEX_CLIENT_ENCRYPT);
break;
case 'm':
- if (mac_valid(optarg))
+ if (mac_valid(optarg)) {
+ free(options.macs);
options.macs = xstrdup(optarg);
- else {
+ } else {
fprintf(stderr, "Unknown mac type '%s'\n",
optarg);
exit(255);
@@ -898,8 +912,7 @@ main(int ac, char **av)
subsystem_flag = 1;
break;
case 'S':
- if (options.control_path != NULL)
- free(options.control_path);
+ free(options.control_path);
options.control_path = xstrdup(optarg);
break;
case 'b':
@@ -981,10 +994,8 @@ main(int ac, char **av)
*/
if (use_syslog && logfile != NULL)
fatal("Can't specify both -y and -E");
- if (logfile != NULL) {
+ if (logfile != NULL)
log_redirect_stderr_to(logfile);
- free(logfile);
- }
log_init(argv0,
options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
SYSLOG_FACILITY_USER, !use_syslog);
@@ -1080,6 +1091,8 @@ main(int ac, char **av)
"disabling");
options.update_hostkeys = 0;
}
+ if (options.connection_attempts <= 0)
+ fatal("Invalid number of ConnectionAttempts");
#ifndef HAVE_CYGWIN
if (original_effective_uid != 0)
options.use_privileged_port = 0;
@@ -1118,6 +1131,7 @@ main(int ac, char **av)
strlcpy(shorthost, thishost, sizeof(shorthost));
shorthost[strcspn(thishost, ".")] = '\0';
snprintf(portstr, sizeof(portstr), "%d", options.port);
+ snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid);
/* Find canonic host name. */
if (strchr(host, '.') == 0) {
@@ -1177,6 +1191,7 @@ main(int ac, char **av)
"p", portstr,
"r", options.user,
"u", pw->pw_name,
+ "i", uidstr,
(char *)NULL);
free(cp);
}
@@ -1197,6 +1212,7 @@ main(int ac, char **av)
* have yet resolved the hostname. Do so now.
*/
if (addrs == NULL && options.proxy_command == NULL) {
+ debug2("resolving \"%s\" port %d", host, options.port);
if ((addrs = resolve_host(host, options.port, 1,
cname, sizeof(cname))) == NULL)
cleanup_exit(255); /* resolve_host logs the error */
@@ -1240,8 +1256,10 @@ main(int ac, char **av)
sensitive_data.keys[i] = NULL;
PRIV_START;
+#if WITH_SSH1
sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
_PATH_HOST_KEY_FILE, "", NULL, NULL);
+#endif
#ifdef OPENSSL_HAS_ECC
sensitive_data.keys[1] = key_load_private_cert(KEY_ECDSA,
_PATH_HOST_ECDSA_KEY_FILE, "", NULL);
@@ -1366,6 +1384,10 @@ main(int ac, char **av)
options.identity_keys[i] = NULL;
}
}
+ for (i = 0; i < options.num_certificate_files; i++) {
+ free(options.certificate_files[i]);
+ options.certificate_files[i] = NULL;
+ }
exit_status = compat20 ? ssh_session2() : ssh_session();
packet_close();
@@ -1617,6 +1639,7 @@ ssh_session(void)
struct winsize ws;
char *cp;
const char *display;
+ char *proto = NULL, *data = NULL;
/* Enable compression if requested. */
if (options.compression) {
@@ -1687,13 +1710,9 @@ ssh_session(void)
display = getenv("DISPLAY");
if (display == NULL && options.forward_x11)
debug("X11 forwarding requested but DISPLAY not set");
- if (options.forward_x11 && display != NULL) {
- char *proto, *data;
- /* Get reasonable local authentication information. */
- client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted,
- options.forward_x11_timeout,
- &proto, &data);
+ if (options.forward_x11 && client_x11_get_proto(display,
+ options.xauth_location, options.forward_x11_trusted,
+ options.forward_x11_timeout, &proto, &data) == 0) {
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
@@ -1783,6 +1802,7 @@ ssh_session2_setup(int id, int success, void *arg)
extern char **environ;
const char *display;
int interactive = tty_flag;
+ char *proto = NULL, *data = NULL;
if (!success)
return; /* No need for error message, channels code sens one */
@@ -1790,12 +1810,9 @@ ssh_session2_setup(int id, int success, void *arg)
display = getenv("DISPLAY");
if (display == NULL && options.forward_x11)
debug("X11 forwarding requested but DISPLAY not set");
- if (options.forward_x11 && display != NULL) {
- char *proto, *data;
- /* Get reasonable local authentication information. */
- client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted,
- options.forward_x11_timeout, &proto, &data);
+ if (options.forward_x11 && client_x11_get_proto(display,
+ options.xauth_location, options.forward_x11_trusted,
+ options.forward_x11_timeout, &proto, &data) == 0) {
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
@@ -1949,25 +1966,30 @@ ssh_session2(void)
options.escape_char : SSH_ESCAPECHAR_NONE, id);
}
+/* Loads all IdentityFile and CertificateFile keys */
static void
load_public_identity_files(void)
{
char *filename, *cp, thishost[NI_MAXHOST];
char *pwdir = NULL, *pwname = NULL;
- int i = 0;
Key *public;
struct passwd *pw;
- u_int n_ids;
+ int i;
+ u_int n_ids, n_certs;
char *identity_files[SSH_MAX_IDENTITY_FILES];
Key *identity_keys[SSH_MAX_IDENTITY_FILES];
+ char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
+ struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
#ifdef ENABLE_PKCS11
Key **keys;
int nkeys;
#endif /* PKCS11 */
- n_ids = 0;
+ n_ids = n_certs = 0;
memset(identity_files, 0, sizeof(identity_files));
memset(identity_keys, 0, sizeof(identity_keys));
+ memset(certificate_files, 0, sizeof(certificate_files));
+ memset(certificates, 0, sizeof(certificates));
#ifdef ENABLE_PKCS11
if (options.pkcs11_provider != NULL &&
@@ -1999,6 +2021,7 @@ load_public_identity_files(void)
if (n_ids >= SSH_MAX_IDENTITY_FILES ||
strcasecmp(options.identity_files[i], "none") == 0) {
free(options.identity_files[i]);
+ options.identity_files[i] = NULL;
continue;
}
cp = tilde_expand_filename(options.identity_files[i],
@@ -2017,7 +2040,12 @@ load_public_identity_files(void)
if (++n_ids >= SSH_MAX_IDENTITY_FILES)
continue;
- /* Try to add the certificate variant too */
+ /*
+ * If no certificates have been explicitly listed then try
+ * to add the default certificate variant too.
+ */
+ if (options.num_certificate_files != 0)
+ continue;
xasprintf(&cp, "%s-cert", filename);
public = key_load_public(cp, NULL);
debug("identity file %s type %d", cp,
@@ -2034,14 +2062,50 @@ load_public_identity_files(void)
continue;
}
identity_keys[n_ids] = public;
- /* point to the original path, most likely the private key */
- identity_files[n_ids] = xstrdup(filename);
+ identity_files[n_ids] = cp;
n_ids++;
}
+
+ if (options.num_certificate_files > SSH_MAX_CERTIFICATE_FILES)
+ fatal("%s: too many certificates", __func__);
+ for (i = 0; i < options.num_certificate_files; i++) {
+ cp = tilde_expand_filename(options.certificate_files[i],
+ original_real_uid);
+ filename = percent_expand(cp, "d", pwdir,
+ "u", pwname, "l", thishost, "h", host,
+ "r", options.user, (char *)NULL);
+ free(cp);
+
+ public = key_load_public(filename, NULL);
+ debug("certificate file %s type %d", filename,
+ public ? public->type : -1);
+ free(options.certificate_files[i]);
+ options.certificate_files[i] = NULL;
+ if (public == NULL) {
+ free(filename);
+ continue;
+ }
+ if (!key_is_cert(public)) {
+ debug("%s: key %s type %s is not a certificate",
+ __func__, filename, key_type(public));
+ key_free(public);
+ free(filename);
+ continue;
+ }
+ certificate_files[n_certs] = filename;
+ certificates[n_certs] = public;
+ ++n_certs;
+ }
+
options.num_identity_files = n_ids;
memcpy(options.identity_files, identity_files, sizeof(identity_files));
memcpy(options.identity_keys, identity_keys, sizeof(identity_keys));
+ options.num_certificate_files = n_certs;
+ memcpy(options.certificate_files,
+ certificate_files, sizeof(certificate_files));
+ memcpy(options.certificates, certificates, sizeof(certificates));
+
explicit_bzero(pwname, strlen(pwname));
free(pwname);
explicit_bzero(pwdir, strlen(pwdir));
diff --git a/crypto/openssh/ssh.h b/crypto/openssh/ssh.h
index 39c7e18af10f..50467a792bdf 100644
--- a/crypto/openssh/ssh.h
+++ b/crypto/openssh/ssh.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.h,v 1.81 2015/08/04 05:23:06 djm Exp $ */
+/* $OpenBSD: ssh.h,v 1.83 2015/12/11 03:19:09 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -19,6 +19,12 @@
#define SSH_DEFAULT_PORT 22
/*
+ * Maximum number of certificate files that can be specified
+ * in configuration files or on the command line.
+ */
+#define SSH_MAX_CERTIFICATE_FILES 100
+
+/*
* Maximum number of RSA authentication identity files that can be specified
* in configuration files or on the command line.
*/
@@ -29,7 +35,7 @@
* Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with
* some room for options and comments.
*/
-#define SSH_MAX_PUBKEY_BYTES 8192
+#define SSH_MAX_PUBKEY_BYTES 16384
/*
* Major protocol version. Different version indicates major incompatibility
diff --git a/crypto/openssh/ssh2.h b/crypto/openssh/ssh2.h
index 59417e6121d1..5d1918bf8012 100644
--- a/crypto/openssh/ssh2.h
+++ b/crypto/openssh/ssh2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh2.h,v 1.15 2014/01/29 06:18:35 djm Exp $ */
+/* $OpenBSD: ssh2.h,v 1.17 2016/01/14 16:17:40 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -80,6 +80,7 @@
#define SSH2_MSG_DEBUG 4
#define SSH2_MSG_SERVICE_REQUEST 5
#define SSH2_MSG_SERVICE_ACCEPT 6
+#define SSH2_MSG_EXT_INFO 7
/* transport layer: alg negotiation */
@@ -164,13 +165,6 @@
#define SSH2_EXTENDED_DATA_STDERR 1
-/* kex messages for resume@appgate.com */
-#define SSH2_MSG_KEX_ROAMING_RESUME 30
-#define SSH2_MSG_KEX_ROAMING_AUTH_REQUIRED 31
-#define SSH2_MSG_KEX_ROAMING_AUTH 32
-#define SSH2_MSG_KEX_ROAMING_AUTH_OK 33
-#define SSH2_MSG_KEX_ROAMING_AUTH_FAIL 34
-
/* Certificate types for OpenSSH certificate keys extension */
#define SSH2_CERT_TYPE_USER 1
#define SSH2_CERT_TYPE_HOST 2
diff --git a/crypto/openssh/ssh_api.c b/crypto/openssh/ssh_api.c
index 6c712584f49e..f544f006b20f 100644
--- a/crypto/openssh/ssh_api.c
+++ b/crypto/openssh/ssh_api.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh_api.c,v 1.4 2015/02/16 22:13:32 djm Exp $ */
+/* $OpenBSD: ssh_api.c,v 1.5 2015/12/04 16:41:28 markus Exp $ */
/*
* Copyright (c) 2012 Markus Friedl. All rights reserved.
*
@@ -40,8 +40,8 @@ int _ssh_order_hostkeyalgs(struct ssh *);
int _ssh_verify_host_key(struct sshkey *, struct ssh *);
struct sshkey *_ssh_host_public_key(int, int, struct ssh *);
struct sshkey *_ssh_host_private_key(int, int, struct ssh *);
-int _ssh_host_key_sign(struct sshkey *, struct sshkey *, u_char **,
- size_t *, const u_char *, size_t, u_int);
+int _ssh_host_key_sign(struct sshkey *, struct sshkey *,
+ u_char **, size_t *, const u_char *, size_t, const char *, u_int);
/*
* stubs for the server side implementation of kex.
@@ -49,7 +49,7 @@ int _ssh_host_key_sign(struct sshkey *, struct sshkey *, u_char **,
*/
int use_privsep = 0;
int mm_sshkey_sign(struct sshkey *, u_char **, u_int *,
- u_char *, u_int, u_int);
+ u_char *, u_int, char *, u_int);
DH *mm_choose_dh(int, int, int);
/* Define these two variables here so that they are part of the library */
@@ -58,7 +58,7 @@ u_int session_id2_len = 0;
int
mm_sshkey_sign(struct sshkey *key, u_char **sigp, u_int *lenp,
- u_char *data, u_int datalen, u_int compat)
+ u_char *data, u_int datalen, char *alg, u_int compat)
{
return (-1);
}
@@ -530,8 +530,8 @@ _ssh_order_hostkeyalgs(struct ssh *ssh)
int
_ssh_host_key_sign(struct sshkey *privkey, struct sshkey *pubkey,
- u_char **signature, size_t *slen,
- const u_char *data, size_t dlen, u_int compat)
+ u_char **signature, size_t *slen, const u_char *data, size_t dlen,
+ const char *alg, u_int compat)
{
- return sshkey_sign(privkey, signature, slen, data, dlen, compat);
+ return sshkey_sign(privkey, signature, slen, data, dlen, alg, compat);
}
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index a07bf296bc24..8eca3453e298 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $
+# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
# $FreeBSD$
# This is the ssh client system-wide configuration file. See
@@ -35,8 +35,10 @@
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
# Port 22
-# Protocol 2,1
+# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
@@ -48,4 +50,4 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# VerifyHostKeyDNS yes
-# VersionAddendum FreeBSD-20160121
+# VersionAddendum FreeBSD-20160310
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 9f67608314b7..226a802bec98 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.228 2016/02/20 23:01:46 sobrado Exp $
.\" $FreeBSD$
-.Dd $Mdocdate: August 14 2015 $
+.Dd $Mdocdate: February 20 2016 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -140,7 +140,7 @@ or
keyword) to be used only when the conditions following the
.Cm Match
keyword are satisfied.
-Match conditions are specified using one or more critera
+Match conditions are specified using one or more criteria
or the single token
.Cm all
which always matches.
@@ -222,6 +222,39 @@ keyword matches against the name of the local user running
(this keyword may be useful in system-wide
.Nm
files).
+.It Cm AddKeysToAgent
+Specifies whether keys should be automatically added to a running
+.Xr ssh-agent 1 .
+If this option is set to
+.Dq yes
+and a key is loaded from a file, the key and its passphrase are added to
+the agent with the default lifetime, as if by
+.Xr ssh-add 1 .
+If this option is set to
+.Dq ask ,
+.Nm ssh
+will require confirmation using the
+.Ev SSH_ASKPASS
+program before adding a key (see
+.Xr ssh-add 1
+for details).
+If this option is set to
+.Dq confirm ,
+each use of the key must be confirmed, as if the
+.Fl c
+option was specified to
+.Xr ssh-add 1 .
+If this option is set to
+.Dq no ,
+no keys are added to the agent.
+The argument must be
+.Dq yes ,
+.Dq confirm ,
+.Dq ask ,
+or
+.Dq no .
+The default is
+.Dq no .
.It Cm AddressFamily
Specifies which address family to use when connecting.
Valid arguments are
@@ -230,6 +263,8 @@ Valid arguments are
(use IPv4 only), or
.Dq inet6
(use IPv6 only).
+The default is
+.Dq any .
.It Cm BatchMode
If set to
.Dq yes ,
@@ -326,6 +361,41 @@ to be canonicalized to names in the
or
.Dq *.c.example.com
domains.
+.It Cm CertificateFile
+Specifies a file from which the user's certificate is read.
+A corresponding private key must be provided separately in order
+to use this certificate either
+from an
+.Cm IdentityFile
+directive or
+.Fl i
+flag to
+.Xr ssh 1 ,
+via
+.Xr ssh-agent 1 ,
+or via a
+.Cm PKCS11Provider .
+.Pp
+The file name may use the tilde
+syntax to refer to a user's home directory or one of the following
+escape characters:
+.Ql %d
+(local user's home directory),
+.Ql %u
+(local user name),
+.Ql %l
+(local host name),
+.Ql %h
+(remote host name) or
+.Ql %r
+(remote user name).
+.Pp
+It is possible to have multiple certificate files specified in
+configuration files; these certificates will be tried in sequence.
+Multiple
+.Cm CertificateFile
+directives will add to the list of certificates used for
+authentication.
.It Cm ChallengeResponseAuthentication
Specifies whether to use challenge-response authentication.
The argument to this keyword must be
@@ -419,9 +489,7 @@ The default is:
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-arcfour256,arcfour128,
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
-aes192-cbc,aes256-cbc,arcfour
+aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
.Ed
.Pp
The list of available ciphers may also be obtained using the
@@ -539,8 +607,11 @@ the destination port,
.Ql %r
by the remote login username,
.Ql %u
-by the username of the user running
-.Xr ssh 1 , and
+by the username and
+.Ql %i
+by the numeric user ID (uid) of the user running
+.Xr ssh 1 ,
+and
.Ql \&%C
by a hash of the concatenation: %l%h%p%r.
It is recommended that any
@@ -640,7 +711,14 @@ data).
Specifies whether
.Xr ssh 1
should terminate the connection if it cannot set up all requested
-dynamic, tunnel, local, and remote port forwardings.
+dynamic, tunnel, local, and remote port forwardings, (e.g.\&
+if either end is unable to bind and listen on a specified port).
+Note that
+.Cm ExitOnForwardFailure
+does not apply to connections made over port forwardings and will not,
+for example, cause
+.Xr ssh 1
+to exit if TCP connections to the ultimate forwarding destination fail.
The argument must be
.Dq yes
or
@@ -749,12 +827,10 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Dq no .
-Note that this option applies to protocol version 2 only.
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
.Dq no .
-Note that this option applies to protocol version 2 only.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -781,9 +857,6 @@ or
.Dq no .
The default is
.Dq no .
-This option applies to protocol version 2 only and
-is similar to
-.Cm RhostsRSAAuthentication .
.It Cm HostbasedKeyTypes
Specifies the key types that will be used for hostbased authentication
as a comma-separated pattern list.
@@ -810,7 +883,7 @@ option of
.Xr ssh 1
may be used to list supported key types.
.It Cm HostKeyAlgorithms
-Specifies the protocol version 2 host key algorithms
+Specifies the host key algorithms
that the client wants to use in order of preference.
Alternately if the specified value begins with a
.Sq +
@@ -864,9 +937,13 @@ specifications).
.It Cm IdentitiesOnly
Specifies that
.Xr ssh 1
-should only use the authentication identity files configured in the
+should only use the authentication identity and certificate files explicitly
+configured in the
.Nm
-files,
+files
+or passed on the
+.Xr ssh 1
+command-line,
even if
.Xr ssh-agent 1
or a
@@ -896,6 +973,8 @@ Additionally, any identities represented by the authentication agent
will be used for authentication unless
.Cm IdentitiesOnly
is set.
+If no certificates have been explicitly specified by
+.Cm CertificateFile ,
.Xr ssh 1
will try to load certificate information from the filename obtained by
appending
@@ -929,6 +1008,11 @@ differs from that of other configuration directives).
may be used in conjunction with
.Cm IdentitiesOnly
to select which identities in an agent are offered during authentication.
+.Cm IdentityFile
+may also be used in conjunction with
+.Cm CertificateFile
+in order to provide any certificate also needed for authentication with
+the identity.
.It Cm IgnoreUnknown
Specifies a pattern-list of unknown options to be ignored if they are
encountered in configuration parsing.
@@ -1088,8 +1172,7 @@ DEBUG2 and DEBUG3 each specify higher levels of verbose output.
.It Cm MACs
Specifies the MAC (message authentication code) algorithms
in order of preference.
-The MAC algorithm is used in protocol version 2
-for data integrity protection.
+The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified value begins with a
.Sq +
@@ -1105,13 +1188,9 @@ The default is:
.Bd -literal -offset indent
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,
-hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
-hmac-md5,hmac-sha1,hmac-ripemd160,
-hmac-sha1-96,hmac-md5-96
+hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
The list of available MAC algorithms may also be obtained using the
@@ -1165,8 +1244,7 @@ private RSA key.
Specifies the port number to connect on the remote host.
The default is 22.
.It Cm PreferredAuthentications
-Specifies the order in which the client should try protocol 2
-authentication methods.
+Specifies the order in which the client should try authentication methods.
This allows a client to prefer one method (e.g.\&
.Cm keyboard-interactive )
over another method (e.g.\&
@@ -1192,6 +1270,9 @@ will try version 2 and fall back to version 1
if version 2 is not available.
The default is
.Sq 2 .
+Protocol 1 suffers from a number of cryptographic weaknesses and should
+not be used.
+It is only offered to support legacy devices.
.It Cm ProxyCommand
Specifies the command to use to connect to the server.
The command
@@ -1274,7 +1355,6 @@ or
.Dq no .
The default is
.Dq yes .
-This option applies to protocol version 2 only.
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted before the
session key is renegotiated, optionally followed a maximum amount of
@@ -1300,7 +1380,6 @@ is
.Dq default none ,
which means that rekeying is performed after the cipher's default amount
of data has been sent or received and no time based rekeying is done.
-This option applies to protocol version 2 only.
.It Cm RemoteForward
Specifies that a TCP port on the remote machine be forwarded over
the secure channel to the specified host and port from the local machine.
@@ -1393,7 +1472,6 @@ Note that this option applies to protocol version 1 only.
Specifies what variables from the local
.Xr environ 7
should be sent to the server.
-Note that environment passing is only supported for protocol 2.
The server must also support it, and the server must be configured to
accept these environment variables.
Note that the
@@ -1441,7 +1519,6 @@ If, for example,
.Cm ServerAliveCountMax
is left at the default, if the server becomes unresponsive,
ssh will disconnect after approximately 45 seconds.
-This option applies to protocol version 2 only.
.It Cm ServerAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the server,
@@ -1450,7 +1527,6 @@ will send a message through the encrypted
channel to request a response from the server.
The default
is 0, indicating that these messages will not be sent to the server.
-This option applies to protocol version 2 only.
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
@@ -1582,7 +1658,7 @@ Enabling this option allows learning alternate hostkeys for a server
and supports graceful key rotation by allowing a server to send replacement
public keys before old ones are removed.
Additional hostkeys are only accepted if the key used to authenticate the
-host was already trusted or explicity accepted by the user.
+host was already trusted or explicitly accepted by the user.
If
.Cm UpdateHostKeys
is set to
@@ -1650,7 +1726,6 @@ The default is
if compiled with LDNS and
.Dq no
otherwise.
-Note that this option applies to protocol version 2 only.
.Pp
See also VERIFYING HOST KEYS in
.Xr ssh 1 .
@@ -1658,7 +1733,7 @@ See also VERIFYING HOST KEYS in
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
-.Dq FreeBSD-20160121 .
+.Dq FreeBSD-20160310 .
The value
.Dq none
may be used to disable this.
diff --git a/crypto/openssh/ssh_namespace.h b/crypto/openssh/ssh_namespace.h
index 30e8f187cc30..ed93f745b37a 100644
--- a/crypto/openssh/ssh_namespace.h
+++ b/crypto/openssh/ssh_namespace.h
@@ -21,6 +21,8 @@
#define Blowfish_expandstate Fssh_Blowfish_expandstate
#define Blowfish_initstate Fssh_Blowfish_initstate
#define Blowfish_stream2word Fssh_Blowfish_stream2word
+#define _ssh__compat_glob Fssh__ssh__compat_glob
+#define _ssh__compat_globfree Fssh__ssh__compat_globfree
#define _ssh_compat_realpath Fssh__ssh_compat_realpath
#define _ssh_exchange_banner Fssh__ssh_exchange_banner
#define _ssh_host_key_sign Fssh__ssh_host_key_sign
@@ -355,12 +357,10 @@
#define get_u32_le Fssh_get_u32_le
#define get_u64 Fssh_get_u64
#define getrrsetbyname Fssh_getrrsetbyname
-#define glob Fssh_glob
#define glob0 Fssh_glob0
#define glob2 Fssh_glob2
#define globexp1 Fssh_globexp1
#define globextend Fssh_globextend
-#define globfree Fssh_globfree
#define host_delete Fssh_host_delete
#define host_hash Fssh_host_hash
#define hostfile_read_key Fssh_hostfile_read_key
@@ -392,6 +392,7 @@
#define kex_ecdh_hash Fssh_kex_ecdh_hash
#define kex_free Fssh_kex_free
#define kex_free_newkeys Fssh_kex_free_newkeys
+#define kex_input_ext_info Fssh_kex_input_ext_info
#define kex_input_kexinit Fssh_kex_input_kexinit
#define kex_input_newkeys Fssh_kex_input_newkeys
#define kex_names_cat Fssh_kex_names_cat
@@ -403,6 +404,7 @@
#define kex_send_kexinit Fssh_kex_send_kexinit
#define kex_send_newkeys Fssh_kex_send_newkeys
#define kex_setup Fssh_kex_setup
+#define kex_start_rekex Fssh_kex_start_rekex
#define kexc25519_client Fssh_kexc25519_client
#define kexc25519_keygen Fssh_kexc25519_keygen
#define kexc25519_server Fssh_kexc25519_server
@@ -483,7 +485,6 @@
#define newkeys_to_blob Fssh_newkeys_to_blob
#define nh_aux Fssh_nh_aux
#define nh_final Fssh_nh_final
-#define packet_backup_state Fssh_packet_backup_state
#define packet_close Fssh_packet_close
#define packet_disconnect Fssh_packet_disconnect
#define packet_get_char Fssh_packet_get_char
@@ -492,7 +493,6 @@
#define packet_read_expect Fssh_packet_read_expect
#define packet_read_poll_seqnr Fssh_packet_read_poll_seqnr
#define packet_read_seqnr Fssh_packet_read_seqnr
-#define packet_restore_state Fssh_packet_restore_state
#define packet_send_debug Fssh_packet_send_debug
#define packet_set_connection Fssh_packet_set_connection
#define packet_write_poll Fssh_packet_write_poll
@@ -515,6 +515,10 @@
#define pkcs11_rsa_private_encrypt Fssh_pkcs11_rsa_private_encrypt
#define pkcs11_terminate Fssh_pkcs11_terminate
#define plain_key_blob Fssh_plain_key_blob
+#define platform_pledge_agent Fssh_platform_pledge_agent
+#define platform_pledge_mux Fssh_platform_pledge_mux
+#define platform_pledge_sftp_server Fssh_platform_pledge_sftp_server
+#define pledge Fssh_pledge
#define poly1305_auth Fssh_poly1305_auth
#define poly64 Fssh_poly64
#define poly_hash Fssh_poly_hash
@@ -627,12 +631,12 @@
#define ssh_krl_set_version Fssh_ssh_krl_set_version
#define ssh_krl_to_blob Fssh_ssh_krl_to_blob
#define ssh_lock_agent Fssh_ssh_lock_agent
+#define ssh_malloc_init Fssh_ssh_malloc_init
#define ssh_msg_recv Fssh_ssh_msg_recv
#define ssh_msg_send Fssh_ssh_msg_send
#define ssh_output_consume Fssh_ssh_output_consume
#define ssh_output_ptr Fssh_ssh_output_ptr
#define ssh_output_space Fssh_ssh_output_space
-#define ssh_packet_backup_state Fssh_ssh_packet_backup_state
#define ssh_packet_close Fssh_ssh_packet_close
#define ssh_packet_connection_af Fssh_ssh_packet_connection_af
#define ssh_packet_connection_is_on_socket Fssh_ssh_packet_connection_is_on_socket
@@ -659,6 +663,7 @@
#define ssh_packet_have_data_to_write Fssh_ssh_packet_have_data_to_write
#define ssh_packet_inc_alive_timeouts Fssh_ssh_packet_inc_alive_timeouts
#define ssh_packet_is_interactive Fssh_ssh_packet_is_interactive
+#define ssh_packet_is_rekeying Fssh_ssh_packet_is_rekeying
#define ssh_packet_need_rekeying Fssh_ssh_packet_need_rekeying
#define ssh_packet_next Fssh_ssh_packet_next
#define ssh_packet_not_very_much_data_to_write Fssh_ssh_packet_not_very_much_data_to_write
@@ -681,7 +686,6 @@
#define ssh_packet_read_poll_seqnr Fssh_ssh_packet_read_poll_seqnr
#define ssh_packet_read_seqnr Fssh_ssh_packet_read_seqnr
#define ssh_packet_remaining Fssh_ssh_packet_remaining
-#define ssh_packet_restore_state Fssh_ssh_packet_restore_state
#define ssh_packet_send Fssh_ssh_packet_send
#define ssh_packet_send1 Fssh_ssh_packet_send1
#define ssh_packet_send2 Fssh_ssh_packet_send2
@@ -709,6 +713,7 @@
#define ssh_packet_write_poll Fssh_ssh_packet_write_poll
#define ssh_packet_write_wait Fssh_ssh_packet_write_wait
#define ssh_remote_ipaddr Fssh_ssh_remote_ipaddr
+#define ssh_remote_port Fssh_ssh_remote_port
#define ssh_remove_all_identities Fssh_ssh_remove_all_identities
#define ssh_remove_identity Fssh_ssh_remove_identity
#define ssh_request_reply Fssh_ssh_request_reply
@@ -798,6 +803,7 @@
#define sshkey_equal_public Fssh_sshkey_equal_public
#define sshkey_fingerprint Fssh_sshkey_fingerprint
#define sshkey_fingerprint_raw Fssh_sshkey_fingerprint_raw
+#define sshkey_format_cert_validity Fssh_sshkey_format_cert_validity
#define sshkey_free Fssh_sshkey_free
#define sshkey_from_blob Fssh_sshkey_from_blob
#define sshkey_from_blob_internal Fssh_sshkey_from_blob_internal
diff --git a/crypto/openssh/sshbuf-getput-basic.c b/crypto/openssh/sshbuf-getput-basic.c
index 8ff8a0a28893..23e0fd7c1cf4 100644
--- a/crypto/openssh/sshbuf-getput-basic.c
+++ b/crypto/openssh/sshbuf-getput-basic.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf-getput-basic.c,v 1.4 2015/01/14 15:02:39 djm Exp $ */
+/* $OpenBSD: sshbuf-getput-basic.c,v 1.5 2015/10/20 23:24:25 mmcc Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
@@ -131,7 +131,7 @@ sshbuf_get_string_direct(struct sshbuf *buf, const u_char **valp, size_t *lenp)
*lenp = 0;
if ((r = sshbuf_peek_string_direct(buf, &p, &len)) < 0)
return r;
- if (valp != 0)
+ if (valp != NULL)
*valp = p;
if (lenp != NULL)
*lenp = len;
@@ -168,7 +168,7 @@ sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp,
SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
return SSH_ERR_MESSAGE_INCOMPLETE;
}
- if (valp != 0)
+ if (valp != NULL)
*valp = p + 4;
if (lenp != NULL)
*lenp = len;
@@ -448,7 +448,7 @@ sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf,
d++;
len--;
}
- if (valp != 0)
+ if (valp != NULL)
*valp = d;
if (lenp != NULL)
*lenp = len;
diff --git a/crypto/openssh/sshbuf.c b/crypto/openssh/sshbuf.c
index 19e162c0748e..4d6e0ea0acb0 100644
--- a/crypto/openssh/sshbuf.c
+++ b/crypto/openssh/sshbuf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf.c,v 1.4 2015/10/05 17:11:21 djm Exp $ */
+/* $OpenBSD: sshbuf.c,v 1.6 2016/01/12 23:42:54 djm Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
@@ -163,10 +163,8 @@ sshbuf_free(struct sshbuf *buf)
* If we are a child, the free our parent to decrement its reference
* count and possibly free it.
*/
- if (buf->parent != NULL) {
- sshbuf_free(buf->parent);
- buf->parent = NULL;
- }
+ sshbuf_free(buf->parent);
+ buf->parent = NULL;
/*
* If we are a parent with still-extant children, then don't free just
* yet. The last child's call to sshbuf_free should decrement our
diff --git a/crypto/openssh/sshbuf.h b/crypto/openssh/sshbuf.h
index eb0d92e10211..63495fbb075a 100644
--- a/crypto/openssh/sshbuf.h
+++ b/crypto/openssh/sshbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf.h,v 1.4 2015/01/14 15:02:39 djm Exp $ */
+/* $OpenBSD: sshbuf.h,v 1.6 2015/12/10 07:01:35 mmcc Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
@@ -120,12 +120,12 @@ size_t sshbuf_len(const struct sshbuf *buf);
size_t sshbuf_avail(const struct sshbuf *buf);
/*
- * Returns a read-only pointer to the start of the the data in buf
+ * Returns a read-only pointer to the start of the data in buf
*/
const u_char *sshbuf_ptr(const struct sshbuf *buf);
/*
- * Returns a mutable pointer to the start of the the data in buf, or
+ * Returns a mutable pointer to the start of the data in buf, or
* NULL if the buffer is read-only.
*/
u_char *sshbuf_mutable_ptr(const struct sshbuf *buf);
@@ -241,45 +241,48 @@ int sshbuf_b64tod(struct sshbuf *buf, const char *b64);
/* Macros for decoding/encoding integers */
#define PEEK_U64(p) \
- (((u_int64_t)(((u_char *)(p))[0]) << 56) | \
- ((u_int64_t)(((u_char *)(p))[1]) << 48) | \
- ((u_int64_t)(((u_char *)(p))[2]) << 40) | \
- ((u_int64_t)(((u_char *)(p))[3]) << 32) | \
- ((u_int64_t)(((u_char *)(p))[4]) << 24) | \
- ((u_int64_t)(((u_char *)(p))[5]) << 16) | \
- ((u_int64_t)(((u_char *)(p))[6]) << 8) | \
- (u_int64_t)(((u_char *)(p))[7]))
+ (((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
+ ((u_int64_t)(((const u_char *)(p))[1]) << 48) | \
+ ((u_int64_t)(((const u_char *)(p))[2]) << 40) | \
+ ((u_int64_t)(((const u_char *)(p))[3]) << 32) | \
+ ((u_int64_t)(((const u_char *)(p))[4]) << 24) | \
+ ((u_int64_t)(((const u_char *)(p))[5]) << 16) | \
+ ((u_int64_t)(((const u_char *)(p))[6]) << 8) | \
+ (u_int64_t)(((const u_char *)(p))[7]))
#define PEEK_U32(p) \
- (((u_int32_t)(((u_char *)(p))[0]) << 24) | \
- ((u_int32_t)(((u_char *)(p))[1]) << 16) | \
- ((u_int32_t)(((u_char *)(p))[2]) << 8) | \
- (u_int32_t)(((u_char *)(p))[3]))
+ (((u_int32_t)(((const u_char *)(p))[0]) << 24) | \
+ ((u_int32_t)(((const u_char *)(p))[1]) << 16) | \
+ ((u_int32_t)(((const u_char *)(p))[2]) << 8) | \
+ (u_int32_t)(((const u_char *)(p))[3]))
#define PEEK_U16(p) \
- (((u_int16_t)(((u_char *)(p))[0]) << 8) | \
- (u_int16_t)(((u_char *)(p))[1]))
+ (((u_int16_t)(((const u_char *)(p))[0]) << 8) | \
+ (u_int16_t)(((const u_char *)(p))[1]))
#define POKE_U64(p, v) \
do { \
- ((u_char *)(p))[0] = (((u_int64_t)(v)) >> 56) & 0xff; \
- ((u_char *)(p))[1] = (((u_int64_t)(v)) >> 48) & 0xff; \
- ((u_char *)(p))[2] = (((u_int64_t)(v)) >> 40) & 0xff; \
- ((u_char *)(p))[3] = (((u_int64_t)(v)) >> 32) & 0xff; \
- ((u_char *)(p))[4] = (((u_int64_t)(v)) >> 24) & 0xff; \
- ((u_char *)(p))[5] = (((u_int64_t)(v)) >> 16) & 0xff; \
- ((u_char *)(p))[6] = (((u_int64_t)(v)) >> 8) & 0xff; \
- ((u_char *)(p))[7] = ((u_int64_t)(v)) & 0xff; \
+ const u_int64_t __v = (v); \
+ ((u_char *)(p))[0] = (__v >> 56) & 0xff; \
+ ((u_char *)(p))[1] = (__v >> 48) & 0xff; \
+ ((u_char *)(p))[2] = (__v >> 40) & 0xff; \
+ ((u_char *)(p))[3] = (__v >> 32) & 0xff; \
+ ((u_char *)(p))[4] = (__v >> 24) & 0xff; \
+ ((u_char *)(p))[5] = (__v >> 16) & 0xff; \
+ ((u_char *)(p))[6] = (__v >> 8) & 0xff; \
+ ((u_char *)(p))[7] = __v & 0xff; \
} while (0)
#define POKE_U32(p, v) \
do { \
- ((u_char *)(p))[0] = (((u_int64_t)(v)) >> 24) & 0xff; \
- ((u_char *)(p))[1] = (((u_int64_t)(v)) >> 16) & 0xff; \
- ((u_char *)(p))[2] = (((u_int64_t)(v)) >> 8) & 0xff; \
- ((u_char *)(p))[3] = ((u_int64_t)(v)) & 0xff; \
+ const u_int32_t __v = (v); \
+ ((u_char *)(p))[0] = (__v >> 24) & 0xff; \
+ ((u_char *)(p))[1] = (__v >> 16) & 0xff; \
+ ((u_char *)(p))[2] = (__v >> 8) & 0xff; \
+ ((u_char *)(p))[3] = __v & 0xff; \
} while (0)
#define POKE_U16(p, v) \
do { \
- ((u_char *)(p))[0] = (((u_int64_t)(v)) >> 8) & 0xff; \
- ((u_char *)(p))[1] = ((u_int64_t)(v)) & 0xff; \
+ const u_int16_t __v = (v); \
+ ((u_char *)(p))[0] = (__v >> 8) & 0xff; \
+ ((u_char *)(p))[1] = __v & 0xff; \
} while (0)
/* Internal definitions follow. Exposed for regress tests */
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index 11a9cf651cb6..d0b70eae60ec 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.263 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.271 2016/01/14 22:56:56 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -61,12 +61,12 @@ __RCSID("$FreeBSD$");
#include "readconf.h"
#include "atomicio.h"
#include "dns.h"
-#include "roaming.h"
#include "monitor_fdpass.h"
#include "ssh2.h"
#include "version.h"
#include "authfile.h"
#include "ssherr.h"
+#include "authfd.h"
char *client_version_string = NULL;
char *server_version_string = NULL;
@@ -169,6 +169,7 @@ ssh_proxy_fdpass_connect(const char *host, u_short port,
if ((sock = mm_receive_fd(sp[1])) == -1)
fatal("proxy dialer did not pass back a connection");
+ close(sp[1]);
while (waitpid(pid, NULL, 0) == -1)
if (errno != EINTR)
@@ -434,7 +435,9 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop,
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
struct addrinfo *ai;
- debug2("ssh_connect: needpriv %d", needpriv);
+ debug2("%s: needpriv %d", __func__, needpriv);
+ memset(ntop, 0, sizeof(ntop));
+ memset(strport, 0, sizeof(strport));
for (attempt = 0; attempt < connection_attempts; attempt++) {
if (attempt > 0) {
@@ -453,7 +456,7 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop,
if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
ntop, sizeof(ntop), strport, sizeof(strport),
NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
- error("ssh_connect: getnameinfo failed");
+ error("%s: getnameinfo failed", __func__);
continue;
}
debug("Connecting to %.200s [%.100s] port %s.",
@@ -530,7 +533,7 @@ send_client_banner(int connection_out, int minor1)
SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, compat20 ? "\r\n" : "\n");
- if (roaming_atomicio(vwrite, connection_out, client_version_string,
+ if (atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
fatal("write: %.100s", strerror(errno));
chop(client_version_string);
@@ -590,7 +593,7 @@ ssh_exchange_identification(int timeout_ms)
}
}
- len = roaming_atomicio(read, connection_in, &buf[i], 1);
+ len = atomicio(read, connection_in, &buf[i], 1);
if (len != 1 && errno == EPIPE)
fatal("ssh_exchange_identification: "
@@ -926,7 +929,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
options.fingerprint_hash, SSH_FP_RANDOMART);
if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
+ logit("Host key fingerprint is %s\n%s", fp, ra);
free(ra);
free(fp);
}
@@ -1237,8 +1240,9 @@ fail:
int
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
{
+ u_int i;
int r = -1, flags = 0;
- char *fp = NULL;
+ char valid[64], *fp = NULL, *cafp = NULL;
struct sshkey *plain = NULL;
if ((fp = sshkey_fingerprint(host_key,
@@ -1248,8 +1252,31 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
goto out;
}
- debug("Server host key: %s %s",
- compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);
+ if (sshkey_is_cert(host_key)) {
+ if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ error("%s: fingerprint CA key: %s",
+ __func__, ssh_err(r));
+ r = -1;
+ goto out;
+ }
+ sshkey_format_cert_validity(host_key->cert,
+ valid, sizeof(valid));
+ debug("Server host certificate: %s %s, serial %llu "
+ "ID \"%s\" CA %s %s valid %s",
+ sshkey_ssh_name(host_key), fp,
+ (unsigned long long)host_key->cert->serial,
+ host_key->cert->key_id,
+ sshkey_ssh_name(host_key->cert->signature_key), cafp,
+ valid);
+ for (i = 0; i < host_key->cert->nprincipals; i++) {
+ debug2("Server host certificate hostname: %s",
+ host_key->cert->principals[i]);
+ }
+ } else {
+ debug("Server host key: %s %s", compat20 ?
+ sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);
+ }
if (sshkey_equal(previous_host_key, host_key)) {
debug2("%s: server host key %s %s matches cached key",
@@ -1314,6 +1341,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
out:
sshkey_free(plain);
free(fp);
+ free(cafp);
if (r == 0 && host_key != NULL) {
key_free(previous_host_key);
previous_host_key = key_from_private(host_key);
@@ -1488,3 +1516,30 @@ ssh_local_cmd(const char *args)
return (WEXITSTATUS(status));
}
+
+void
+maybe_add_key_to_agent(char *authfile, Key *private, char *comment,
+ char *passphrase)
+{
+ int auth_sock = -1, r;
+
+ if (options.add_keys_to_agent == 0)
+ return;
+
+ if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) {
+ debug3("no authentication agent, not adding key");
+ return;
+ }
+
+ if (options.add_keys_to_agent == 2 &&
+ !ask_permission("Add key %s (%s) to agent?", authfile, comment)) {
+ debug3("user denied adding this key");
+ return;
+ }
+
+ if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0,
+ (options.add_keys_to_agent == 3))) == 0)
+ debug("identity added to agent: %s", authfile);
+ else
+ debug("could not add identity to agent: %s (%d)", authfile, r);
+}
diff --git a/crypto/openssh/sshconnect.h b/crypto/openssh/sshconnect.h
index 0ea6e99f6171..cf1851a959b7 100644
--- a/crypto/openssh/sshconnect.h
+++ b/crypto/openssh/sshconnect.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.28 2013/10/16 02:31:47 djm Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.29 2015/11/15 22:26:49 jcs Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -55,6 +55,8 @@ void ssh_userauth2(const char *, const char *, char *, Sensitive *);
void ssh_put_password(char *);
int ssh_local_cmd(const char *);
+void maybe_add_key_to_agent(char *, Key *, char *, char *);
+
/*
* Macros to raise/lower permissions.
*/
diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c
index 016abbce5fbd..bfc523bde317 100644
--- a/crypto/openssh/sshconnect1.c
+++ b/crypto/openssh/sshconnect1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect1.c,v 1.77 2015/01/14 20:05:27 djm Exp $ */
+/* $OpenBSD: sshconnect1.c,v 1.78 2015/11/15 22:26:49 jcs Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -221,7 +221,7 @@ try_rsa_authentication(int idx)
{
BIGNUM *challenge;
Key *public, *private;
- char buf[300], *passphrase, *comment, *authfile;
+ char buf[300], *passphrase = NULL, *comment, *authfile;
int i, perm_ok = 1, type, quit;
public = options.identity_keys[idx];
@@ -283,13 +283,20 @@ try_rsa_authentication(int idx)
debug2("no passphrase given, try next key");
quit = 1;
}
- explicit_bzero(passphrase, strlen(passphrase));
- free(passphrase);
if (private != NULL || quit)
break;
debug2("bad passphrase given, try again...");
}
}
+
+ if (private != NULL)
+ maybe_add_key_to_agent(authfile, private, comment, passphrase);
+
+ if (passphrase != NULL) {
+ explicit_bzero(passphrase, strlen(passphrase));
+ free(passphrase);
+ }
+
/* We no longer need the comment. */
free(comment);
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
index 775103185edd..f79c96beb243 100644
--- a/crypto/openssh/sshconnect2.c
+++ b/crypto/openssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.226 2015/07/30 00:01:34 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.239 2016/02/23 01:34:14 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -157,14 +157,16 @@ void
ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
{
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ char *s;
struct kex *kex;
int r;
xxx_host = host;
xxx_hostaddr = hostaddr;
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
- options.kex_algorithms);
+ if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
+ fatal("%s: kex_names_cat", __func__);
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(options.ciphers);
myproposal[PROPOSAL_ENC_ALGS_STOC] =
@@ -217,10 +219,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
- if (options.use_roaming && !kex->roaming) {
- debug("Roaming not allowed by server");
- options.use_roaming = 0;
- }
+ /* remove ext-info from the KEX proposals for rekeying */
+ myproposal[PROPOSAL_KEX_ALGS] =
+ compat_kex_proposal(options.kex_algorithms);
+ if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
+ fatal("kex_prop2buf: %s", ssh_err(r));
session_id2 = kex->session_id;
session_id2_len = kex->session_id_len;
@@ -284,6 +287,8 @@ struct cauthmethod {
int *batch_flag; /* flag in option struct that disables method */
};
+int input_userauth_service_accept(int, u_int32_t, void *);
+int input_userauth_ext_info(int, u_int32_t, void *);
int input_userauth_success(int, u_int32_t, void *);
int input_userauth_success_unexpected(int, u_int32_t, void *);
int input_userauth_failure(int, u_int32_t, void *);
@@ -313,7 +318,7 @@ void userauth(Authctxt *, char *);
static int sign_and_send_pubkey(Authctxt *, Identity *);
static void pubkey_prepare(Authctxt *);
static void pubkey_cleanup(Authctxt *);
-static Key *load_identity_file(char *, int);
+static Key *load_identity_file(Identity *);
static Authmethod *authmethod_get(char *authlist);
static Authmethod *authmethod_lookup(const char *name);
@@ -359,30 +364,12 @@ void
ssh_userauth2(const char *local_user, const char *server_user, char *host,
Sensitive *sensitive)
{
+ struct ssh *ssh = active_state;
Authctxt authctxt;
- int type;
+ int r;
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
-
- packet_start(SSH2_MSG_SERVICE_REQUEST);
- packet_put_cstring("ssh-userauth");
- packet_send();
- debug("SSH2_MSG_SERVICE_REQUEST sent");
- packet_write_wait();
- type = packet_read();
- if (type != SSH2_MSG_SERVICE_ACCEPT)
- fatal("Server denied authentication request: %d", type);
- if (packet_remaining() > 0) {
- char *reply = packet_get_string(NULL);
- debug2("service_accept: %s", reply);
- free(reply);
- } else {
- debug2("buggy server: service_accept w/o service");
- }
- packet_check_eom();
- debug("SSH2_MSG_SERVICE_ACCEPT received");
-
if (options.preferred_authentications == NULL)
options.preferred_authentications = authmethods_get();
@@ -404,21 +391,63 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
if (authctxt.method == NULL)
fatal("ssh_userauth2: internal error: cannot send userauth none request");
- /* initial userauth request */
- userauth_none(&authctxt);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_SERVICE_REQUEST)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "ssh-userauth")) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r));
- dispatch_init(&input_userauth_error);
- dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
- dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
- dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
- dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */
+ ssh_dispatch_init(ssh, &input_userauth_error);
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
+ ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
+ ssh_dispatch_run(ssh, DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */
pubkey_cleanup(&authctxt);
- dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+ ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
debug("Authentication succeeded (%s).", authctxt.method->name);
}
+/* ARGSUSED */
+int
+input_userauth_service_accept(int type, u_int32_t seqnr, void *ctxt)
+{
+ Authctxt *authctxt = ctxt;
+ struct ssh *ssh = active_state;
+ int r;
+
+ if (ssh_packet_remaining(ssh) > 0) {
+ char *reply;
+
+ if ((r = sshpkt_get_cstring(ssh, &reply, NULL)) != 0)
+ goto out;
+ debug2("service_accept: %s", reply);
+ free(reply);
+ } else {
+ debug2("buggy server: service_accept w/o service");
+ }
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ goto out;
+ debug("SSH2_MSG_SERVICE_ACCEPT received");
+
+ /* initial userauth request */
+ userauth_none(authctxt);
+
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_error);
+ ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
+ ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
+ ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
+ r = 0;
+ out:
+ return r;
+}
+
+/* ARGSUSED */
+int
+input_userauth_ext_info(int type, u_int32_t seqnr, void *ctxt)
+{
+ return kex_input_ext_info(type, seqnr, active_state);
+}
+
void
userauth(Authctxt *authctxt, char *authlist)
{
@@ -970,29 +999,48 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
return 0;
}
+static const char *
+identity_sign_encode(struct identity *id)
+{
+ struct ssh *ssh = active_state;
+
+ if (id->key->type == KEY_RSA) {
+ switch (ssh->kex->rsa_sha2) {
+ case 256:
+ return "rsa-sha2-256";
+ case 512:
+ return "rsa-sha2-512";
+ }
+ }
+ return key_ssh_name(id->key);
+}
+
static int
identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
Key *prv;
int ret;
+ const char *alg;
+
+ alg = identity_sign_encode(id);
/* the agent supports this key */
- if (id->agent_fd)
+ if (id->agent_fd != -1)
return ssh_agent_sign(id->agent_fd, id->key, sigp, lenp,
- data, datalen, compat);
+ data, datalen, alg, compat);
/*
* we have already loaded the private key or
* the private key is stored in external hardware
*/
if (id->isprivate || (id->key->flags & SSHKEY_FLAG_EXT))
- return (sshkey_sign(id->key, sigp, lenp, data, datalen,
+ return (sshkey_sign(id->key, sigp, lenp, data, datalen, alg,
compat));
/* load the private key from the file */
- if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL)
- return (-1); /* XXX return decent error code */
- ret = sshkey_sign(prv, sigp, lenp, data, datalen, compat);
+ if ((prv = load_identity_file(id)) == NULL)
+ return SSH_ERR_KEY_NOT_FOUND;
+ ret = sshkey_sign(prv, sigp, lenp, data, datalen, alg, compat);
sshkey_free(prv);
return (ret);
}
@@ -1001,18 +1049,17 @@ static int
sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
{
Buffer b;
+ Identity *private_id;
u_char *blob, *signature;
- u_int bloblen;
size_t slen;
- u_int skip = 0;
- int ret = -1;
- int have_sig = 1;
+ u_int bloblen, skip = 0;
+ int matched, ret = -1, have_sig = 1;
char *fp;
if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
SSH_FP_DEFAULT)) == NULL)
return 0;
- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
+ debug3("%s: %s %s", __func__, key_type(id->key), fp);
free(fp);
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
@@ -1040,14 +1087,46 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
} else {
buffer_put_cstring(&b, authctxt->method->name);
buffer_put_char(&b, have_sig);
- buffer_put_cstring(&b, key_ssh_name(id->key));
+ buffer_put_cstring(&b, identity_sign_encode(id));
}
buffer_put_string(&b, blob, bloblen);
+ /*
+ * If the key is an certificate, try to find a matching private key
+ * and use it to complete the signature.
+ * If no such private key exists, return failure and continue with
+ * other methods of authentication.
+ */
+ if (key_is_cert(id->key)) {
+ matched = 0;
+ TAILQ_FOREACH(private_id, &authctxt->keys, next) {
+ if (sshkey_equal_public(id->key, private_id->key) &&
+ id->key->type != private_id->key->type) {
+ id = private_id;
+ matched = 1;
+ break;
+ }
+ }
+ if (matched) {
+ debug2("%s: using private key \"%s\"%s for "
+ "certificate", __func__, id->filename,
+ id->agent_fd != -1 ? " from agent" : "");
+ } else {
+ /* XXX maybe verbose/error? */
+ debug("%s: no private key for certificate "
+ "\"%s\"", __func__, id->filename);
+ free(blob);
+ buffer_free(&b);
+ return 0;
+ }
+ }
+
/* generate signature */
ret = identity_sign(id, &signature, &slen,
buffer_ptr(&b), buffer_len(&b), datafellows);
if (ret != 0) {
+ if (ret != SSH_ERR_KEY_NOT_FOUND)
+ error("%s: signing failed: %s", __func__, ssh_err(ret));
free(blob);
buffer_free(&b);
return 0;
@@ -1110,7 +1189,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
packet_put_cstring(authctxt->method->name);
packet_put_char(have_sig);
if (!(datafellows & SSH_BUG_PKAUTH))
- packet_put_cstring(key_ssh_name(id->key));
+ packet_put_cstring(identity_sign_encode(id));
packet_put_string(blob, bloblen);
free(blob);
packet_send();
@@ -1118,20 +1197,20 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
}
static Key *
-load_identity_file(char *filename, int userprovided)
+load_identity_file(Identity *id)
{
- Key *private;
- char prompt[300], *passphrase;
+ Key *private = NULL;
+ char prompt[300], *passphrase, *comment;
int r, perm_ok = 0, quit = 0, i;
struct stat st;
- if (stat(filename, &st) < 0) {
- (userprovided ? logit : debug3)("no such identity: %s: %s",
- filename, strerror(errno));
+ if (stat(id->filename, &st) < 0) {
+ (id->userprovided ? logit : debug3)("no such identity: %s: %s",
+ id->filename, strerror(errno));
return NULL;
}
snprintf(prompt, sizeof prompt,
- "Enter passphrase for key '%.100s': ", filename);
+ "Enter passphrase for key '%.100s': ", id->filename);
for (i = 0; i <= options.number_of_password_prompts; i++) {
if (i == 0)
passphrase = "";
@@ -1143,8 +1222,8 @@ load_identity_file(char *filename, int userprovided)
break;
}
}
- switch ((r = sshkey_load_private_type(KEY_UNSPEC, filename,
- passphrase, &private, NULL, &perm_ok))) {
+ switch ((r = sshkey_load_private_type(KEY_UNSPEC, id->filename,
+ passphrase, &private, &comment, &perm_ok))) {
case 0:
break;
case SSH_ERR_KEY_WRONG_PASSPHRASE:
@@ -1158,20 +1237,25 @@ load_identity_file(char *filename, int userprovided)
case SSH_ERR_SYSTEM_ERROR:
if (errno == ENOENT) {
debug2("Load key \"%s\": %s",
- filename, ssh_err(r));
+ id->filename, ssh_err(r));
quit = 1;
break;
}
/* FALLTHROUGH */
default:
- error("Load key \"%s\": %s", filename, ssh_err(r));
+ error("Load key \"%s\": %s", id->filename, ssh_err(r));
quit = 1;
break;
}
+ if (!quit && private != NULL && id->agent_fd == -1 &&
+ !(id->key && id->isprivate))
+ maybe_add_key_to_agent(id->filename, private, comment,
+ passphrase);
if (i > 0) {
explicit_bzero(passphrase, strlen(passphrase));
free(passphrase);
}
+ free(comment);
if (private != NULL || quit)
break;
}
@@ -1180,9 +1264,11 @@ load_identity_file(char *filename, int userprovided)
/*
* try keys in the following order:
- * 1. agent keys that are found in the config file
- * 2. other agent keys
- * 3. keys that are only listed in the config file
+ * 1. certificates listed in the config file
+ * 2. other input certificates
+ * 3. agent keys that are found in the config file
+ * 4. other agent keys
+ * 5. keys that are only listed in the config file
*/
static void
pubkey_prepare(Authctxt *authctxt)
@@ -1190,7 +1276,7 @@ pubkey_prepare(Authctxt *authctxt)
struct identity *id, *id2, *tmp;
struct idlist agent, files, *preferred;
struct sshkey *key;
- int agent_fd, i, r, found;
+ int agent_fd = -1, i, r, found;
size_t j;
struct ssh_identitylist *idlist;
@@ -1208,6 +1294,7 @@ pubkey_prepare(Authctxt *authctxt)
continue;
options.identity_keys[i] = NULL;
id = xcalloc(1, sizeof(*id));
+ id->agent_fd = -1;
id->key = key;
id->filename = xstrdup(options.identity_files[i]);
id->userprovided = options.identity_file_userprovided[i];
@@ -1236,6 +1323,19 @@ pubkey_prepare(Authctxt *authctxt)
free(id);
}
}
+ /* list of certificates specified by user */
+ for (i = 0; i < options.num_certificate_files; i++) {
+ key = options.certificates[i];
+ if (!key_is_cert(key) || key->cert == NULL ||
+ key->cert->type != SSH2_CERT_TYPE_USER)
+ continue;
+ id = xcalloc(1, sizeof(*id));
+ id->agent_fd = -1;
+ id->key = key;
+ id->filename = xstrdup(options.certificate_files[i]);
+ id->userprovided = options.certificate_file_userprovided[i];
+ TAILQ_INSERT_TAIL(preferred, id, next);
+ }
/* list of keys supported by the agent */
if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
if (r != SSH_ERR_AGENT_NOT_PRESENT)
@@ -1245,6 +1345,7 @@ pubkey_prepare(Authctxt *authctxt)
if (r != SSH_ERR_AGENT_NO_IDENTITIES)
debug("%s: ssh_fetch_identitylist: %s",
__func__, ssh_err(r));
+ close(agent_fd);
} else {
for (j = 0; j < idlist->nkeys; j++) {
found = 0;
@@ -1285,9 +1386,23 @@ pubkey_prepare(Authctxt *authctxt)
TAILQ_REMOVE(&files, id, next);
TAILQ_INSERT_TAIL(preferred, id, next);
}
- TAILQ_FOREACH(id, preferred, next) {
- debug2("key: %s (%p),%s", id->filename, id->key,
- id->userprovided ? " explicit" : "");
+ /* finally, filter by PubkeyAcceptedKeyTypes */
+ TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
+ if (id->key != NULL &&
+ match_pattern_list(sshkey_ssh_name(id->key),
+ options.pubkey_key_types, 0) != 1) {
+ debug("Skipping %s key %s - "
+ "not in PubkeyAcceptedKeyTypes",
+ sshkey_ssh_name(id->key), id->filename);
+ TAILQ_REMOVE(preferred, id, next);
+ sshkey_free(id->key);
+ free(id->filename);
+ memset(id, 0, sizeof(*id));
+ continue;
+ }
+ debug2("key: %s (%p)%s%s", id->filename, id->key,
+ id->userprovided ? ", explicit" : "",
+ id->agent_fd != -1 ? ", agent" : "");
}
}
@@ -1301,8 +1416,7 @@ pubkey_cleanup(Authctxt *authctxt)
for (id = TAILQ_FIRST(&authctxt->keys); id;
id = TAILQ_FIRST(&authctxt->keys)) {
TAILQ_REMOVE(&authctxt->keys, id, next);
- if (id->key)
- sshkey_free(id->key);
+ sshkey_free(id->key);
free(id->filename);
free(id);
}
@@ -1313,12 +1427,6 @@ try_identity(Identity *id)
{
if (!id->key)
return (0);
- if (match_pattern_list(sshkey_ssh_name(id->key),
- options.pubkey_key_types, 0) != 1) {
- debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes",
- sshkey_ssh_name(id->key), id->filename);
- return (0);
- }
if (key_type_plain(id->key->type) == KEY_RSA &&
(datafellows & SSH_BUG_RSASIGMD5) != 0) {
debug("Skipped %s key %s for RSA/MD5 server",
@@ -1353,8 +1461,7 @@ userauth_pubkey(Authctxt *authctxt)
}
} else {
debug("Trying private key: %s", id->filename);
- id->key = load_identity_file(id->filename,
- id->userprovided);
+ id->key = load_identity_file(id);
if (id->key != NULL) {
if (try_identity(id)) {
id->isprivate = 1;
@@ -1513,7 +1620,7 @@ ssh_keysign(struct sshkey *key, u_char **sigp, size_t *lenp,
closefrom(sock + 1);
debug3("%s: [child] pid=%ld, exec %s",
__func__, (long)getpid(), _PATH_SSH_KEY_SIGN);
- execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0);
+ execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
fatal("%s: exec(%s): %s", __func__, _PATH_SSH_KEY_SIGN,
strerror(errno));
}
@@ -1685,7 +1792,7 @@ userauth_hostbased(Authctxt *authctxt)
r = ssh_keysign(private, &sig, &siglen,
sshbuf_ptr(b), sshbuf_len(b));
else if ((r = sshkey_sign(private, &sig, &siglen,
- sshbuf_ptr(b), sshbuf_len(b), datafellows)) != 0)
+ sshbuf_ptr(b), sshbuf_len(b), NULL, datafellows)) != 0)
debug("%s: sshkey_sign: %s", __func__, ssh_err(r));
if (r != 0) {
error("sign using hostkey %s %s failed",
diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8
index 517ecbdf78cf..31b822e0143f 100644
--- a/crypto/openssh/sshd.8
+++ b/crypto/openssh/sshd.8
@@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $
.\" $FreeBSD$
-.Dd $Mdocdate: July 3 2015 $
+.Dd $Mdocdate: February 17 2016 $
.Dt SSHD 8
.Os
.Sh NAME
@@ -276,14 +276,12 @@ though this can be changed via the
.Cm Protocol
option in
.Xr sshd_config 5 .
-Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
-protocol 1 only supports RSA keys.
-For both protocols,
-each host has a host-specific key,
-normally 2048 bits,
-used to identify the host.
+Protocol 1 should not be used
+and is only offered to support legacy devices.
.Pp
-Forward security for protocol 1 is provided through
+Each host has a host-specific key,
+used to identify the host.
+Partial forward security for protocol 1 is provided through
an additional server key,
normally 1024 bits,
generated when the server starts.
@@ -473,7 +471,7 @@ does not exist either, xauth is used to add the cookie.
.Cm AuthorizedKeysFile
specifies the files containing public keys for
public key authentication;
-if none is specified, the default is
+if this option is not specified, the default is
.Pa ~/.ssh/authorized_keys
and
.Pa ~/.ssh/authorized_keys2 .
@@ -525,6 +523,10 @@ No spaces are permitted, except within double quotes.
The following option specifications are supported (note
that option keywords are case-insensitive):
.Bl -tag -width Ds
+.It Cm agent-forwarding
+Enable authentication agent forwarding previously disabled by the
+.Cm restrict
+option.
.It Cm cert-authority
Specifies that the listed key is a certification authority (CA) that is
trusted to validate signed certificates for user authentication.
@@ -619,6 +621,9 @@ they must be literal domains or addresses.
A port specification of
.Cm *
matches any port.
+.It Cm port-forwarding
+Enable port forwarding previously disabled by the
+.Cm restrict
.It Cm principals="principals"
On a
.Cm cert-authority
@@ -630,12 +635,33 @@ This option is ignored for keys that are not marked as trusted certificate
signers using the
.Cm cert-authority
option.
+.It Cm pty
+Permits tty allocation previously disabled by the
+.Cm restrict
+option.
+.It Cm restrict
+Enable all restrictions, i.e. disable port, agent and X11 forwarding,
+as well as disabling PTY allocation
+and execution of
+.Pa ~/.ssh/rc .
+If any future restriction capabilities are added to authorized_keys files
+they will be included in this set.
.It Cm tunnel="n"
Force a
.Xr tun 4
device on the server.
Without this option, the next available device will be used if
the client requests a tunnel.
+.It Cm user-rc
+Enables execution of
+.Pa ~/.ssh/rc
+previously disabled by the
+.Cm restrict
+option.
+.It Cm X11-forwarding
+Permits X11 forwarding previously disabled by the
+.Cm restrict
+option.
.El
.Pp
An example authorized_keys file:
@@ -650,6 +676,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
AAAAB5...21S==
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
jane@example.net
+restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
+user@example.net
+restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
+user@example.net
.Ed
.Sh SSH_KNOWN_HOSTS FILE FORMAT
The
@@ -865,9 +895,12 @@ This file is for host-based authentication (see
It should only be writable by root.
.Pp
.It Pa /etc/moduli
-Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
+key exchange method.
The file format is described in
.Xr moduli 5 .
+If no usable groups are found in this file then fixed internal groups will
+be used.
.Pp
.It Pa /etc/motd
See
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index 3db3551f1f07..dd7fcdda3e94 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.458 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: sshd.c,v 1.465 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -132,7 +132,6 @@ __RCSID("$FreeBSD$");
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
-#include "roaming.h"
#include "ssh-sandbox.h"
#include "version.h"
#include "ssherr.h"
@@ -455,7 +454,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
options.version_addendum, newline);
/* Send our protocol version identification. */
- if (roaming_atomicio(vwrite, sock_out, server_version_string,
+ if (atomicio(vwrite, sock_out, server_version_string,
strlen(server_version_string))
!= strlen(server_version_string)) {
logit("Could not write ident string to %s", get_remote_ipaddr());
@@ -465,7 +464,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
/* Read other sides version identification. */
memset(buf, 0, sizeof(buf));
for (i = 0; i < sizeof(buf) - 1; i++) {
- if (roaming_atomicio(read, sock_in, &buf[i], 1) != 1) {
+ if (atomicio(read, sock_in, &buf[i], 1) != 1) {
logit("Did not receive identification string from %s",
get_remote_ipaddr());
cleanup_exit(255);
@@ -650,25 +649,23 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */
demote_sensitive_data();
- /* Change our root directory */
- if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
- fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
- strerror(errno));
- if (chdir("/") == -1)
- fatal("chdir(\"/\"): %s", strerror(errno));
-
- /* Drop our privileges */
- debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
- (u_int)privsep_pw->pw_gid);
-#if 0
- /* XXX not ready, too heavy after chroot */
- do_setusercontext(privsep_pw);
-#else
- gidset[0] = privsep_pw->pw_gid;
- if (setgroups(1, gidset) < 0)
- fatal("setgroups: %.100s", strerror(errno));
- permanently_set_uid(privsep_pw);
-#endif
+ /* Demote the child */
+ if (getuid() == 0 || geteuid() == 0) {
+ /* Change our root directory */
+ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+ fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+ strerror(errno));
+ if (chdir("/") == -1)
+ fatal("chdir(\"/\"): %s", strerror(errno));
+
+ /* Drop our privileges */
+ debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+ (u_int)privsep_pw->pw_gid);
+ gidset[0] = privsep_pw->pw_gid;
+ if (setgroups(1, gidset) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
+ permanently_set_uid(privsep_pw);
+ }
}
static int
@@ -734,9 +731,7 @@ privsep_preauth(Authctxt *authctxt)
/* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
- /* Demote the child */
- if (getuid() == 0 || geteuid() == 0)
- privsep_preauth_child();
+ privsep_preauth_child();
setproctitle("%s", "[net]");
if (box != NULL)
ssh_sandbox_child(box);
@@ -838,6 +833,12 @@ list_hostkey_types(void)
buffer_append(&b, ",", 1);
p = key_ssh_name(key);
buffer_append(&b, p, strlen(p));
+
+ /* for RSA we also support SHA2 signatures */
+ if (key->type == KEY_RSA) {
+ p = ",rsa-sha2-512,rsa-sha2-256";
+ buffer_append(&b, p, strlen(p));
+ }
break;
}
/* If the private key has a cert peer, then list that too */
@@ -1278,8 +1279,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
for (;;) {
if (received_sighup)
sighup_restart();
- if (fdset != NULL)
- free(fdset);
+ free(fdset);
fdset = xcalloc(howmany(maxfd + 1, NFDBITS),
sizeof(fd_mask));
@@ -1499,6 +1499,8 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = get_connection_info(0, 0);
+ ssh_malloc_init(); /* must be called before any mallocs */
+
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif
@@ -1559,7 +1561,7 @@ main(int ac, char **av)
no_daemon_flag = 1;
break;
case 'E':
- logfile = xstrdup(optarg);
+ logfile = optarg;
/* FALLTHROUGH */
case 'e':
log_stderr = 1;
@@ -1661,10 +1663,8 @@ main(int ac, char **av)
#endif
/* If requested, redirect the logs to the specified logfile. */
- if (logfile != NULL) {
+ if (logfile != NULL)
log_redirect_stderr_to(logfile);
- free(logfile);
- }
/*
* Force logging to stderr until we have loaded the private host
* key (unless started from inetd)
@@ -2581,24 +2581,26 @@ do_ssh1_kex(void)
int
sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen,
- const u_char *data, size_t dlen, u_int flag)
+ const u_char *data, size_t dlen, const char *alg, u_int flag)
{
int r;
u_int xxx_slen, xxx_dlen = dlen;
if (privkey) {
- if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen) < 0))
+ if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen,
+ alg) < 0))
fatal("%s: key_sign failed", __func__);
if (slen)
*slen = xxx_slen;
} else if (use_privsep) {
- if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen) < 0)
+ if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen,
+ alg) < 0)
fatal("%s: pubkey_sign failed", __func__);
if (slen)
*slen = xxx_slen;
} else {
if ((r = ssh_agent_sign(auth_sock, pubkey, signature, slen,
- data, dlen, datafellows)) != 0)
+ data, dlen, alg, datafellows)) != 0)
fatal("%s: ssh_agent_sign failed: %s",
__func__, ssh_err(r));
}
@@ -2631,7 +2633,7 @@ do_ssh2_kex(void)
}
if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ packet_set_rekey_limits(options.rekey_limit,
(time_t)options.rekey_interval);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 5cf3d4f6ea97..6ea0b0885732 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
+# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
# $FreeBSD$
# This is the sshd server system-wide configuration file. See
@@ -120,7 +120,7 @@
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
-#VersionAddendum FreeBSD-20160121
+#VersionAddendum FreeBSD-20160310
# no default banner path
#Banner none
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index e9e460b5e297..cc43aad6c86a 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $
.\" $FreeBSD$
-.Dd $Mdocdate: August 14 2015 $
+.Dd $Mdocdate: February 17 2016 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -71,8 +71,7 @@ See
in
.Xr ssh_config 5
for how to configure the client.
-Note that environment passing is only supported for protocol 2, and
-that the
+The
.Ev TERM
environment variable is always sent whenever the client
requests a pseudo-terminal as it is required by the protocol.
@@ -227,7 +226,7 @@ of
.Dq publickey,publickey
will require successful authentication using two different public keys.
.Pp
-This option is only available for SSH protocol 2 and will yield a fatal
+This option will yield a fatal
error if enabled if protocol 1 is also enabled.
Note that each authentication method listed should also be explicitly enabled
in the configuration.
@@ -286,6 +285,9 @@ After expansion,
is taken to be an absolute path or one relative to the user's home
directory.
Multiple files may be listed, separated by whitespace.
+Alternately this option may be set to
+.Dq none
+to skip checking for user keys in files.
The default is
.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
.It Cm AuthorizedPrincipalsCommand
@@ -371,7 +373,6 @@ authentication is allowed.
If the argument is
.Dq none
then no banner is displayed.
-This option is only available for protocol version 2.
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
@@ -430,10 +431,12 @@ Misconfiguration can lead to unsafe environments which
.Xr sshd 8
cannot detect.
.Pp
-The default is not to
+The default is
+.Dq none ,
+indicating not to
.Xr chroot 2 .
.It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2.
+Specifies the ciphers allowed.
Multiple ciphers must be comma-separated.
If the specified value begins with a
.Sq +
@@ -479,7 +482,8 @@ The default is:
.Bd -literal -offset indent
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
+aes128-gcm@openssh.com,aes256-gcm@openssh.com,
+aes128-cbc,aes192-cbc,aes256-cbc
.Ed
.Pp
The list of available ciphers may also be obtained using the
@@ -514,7 +518,6 @@ If
.Cm ClientAliveCountMax
is left at the default, unresponsive SSH clients
will be disconnected after approximately 45 seconds.
-This option applies to protocol version 2 only.
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
@@ -523,7 +526,6 @@ will send a message through the encrypted
channel to request a response from the client.
The default
is 0, indicating that these messages will not be sent to the client.
-This option applies to protocol version 2 only.
.It Cm Compression
Specifies whether compression is allowed, or delayed until
the user has authenticated successfully.
@@ -597,6 +599,8 @@ Specifying a command of
will force the use of an in-process sftp server that requires no support
files when used with
.Cm ChrootDirectory .
+The default is
+.Dq none .
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
@@ -621,13 +625,11 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Dq no .
-Note that this option applies to protocol version 2 only.
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Dq yes .
-Note that this option applies to protocol version 2 only.
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
@@ -672,9 +674,6 @@ may be used to list supported key types.
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
(host-based authentication).
-This option is similar to
-.Cm RhostsRSAAuthentication
-and applies to protocol version 2 only.
The default is
.Dq no .
.It Cm HostbasedUsesNameFromPacketOnly
@@ -745,7 +744,7 @@ is specified, the location of the socket will be read from the
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
-Specifies the protocol version 2 host key algorithms
+Specifies the host key algorithms
that the server offers.
The default for this option is:
.Bd -literal -offset 3n
@@ -968,8 +967,7 @@ DEBUG2 and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
-The MAC algorithm is used in protocol version 2
-for data integrity protection.
+The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified value begins with a
.Sq +
@@ -1025,8 +1023,9 @@ The default is:
.Bd -literal -offset indent
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512
+hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
The list of available MAC algorithms may also be obtained using the
@@ -1096,6 +1095,8 @@ Available keywords are
.Cm AuthorizedKeysCommand ,
.Cm AuthorizedKeysCommandUser ,
.Cm AuthorizedKeysFile ,
+.Cm AuthorizedPrincipalsCommand ,
+.Cm AuthorizedPrincipalsCommandUser ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
@@ -1139,7 +1140,15 @@ Once the number of failures reaches half this value,
additional failures are logged.
The default is 6.
.It Cm MaxSessions
-Specifies the maximum number of open sessions permitted per network connection.
+Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
+sessions permitted per network connection.
+Multiple sessions may be established by clients that support connection
+multiplexing.
+Setting
+.Cm MaxSessions
+to 1 will effectively disable session multiplexing, whereas setting it to 0
+will prevent all shell, login and subsystem sessions while still permitting
+forwarding.
The default is 10.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
@@ -1338,6 +1347,10 @@ and
Multiple versions must be comma-separated.
The default is
.Sq 2 .
+Protocol 1 suffers from a number of cryptographic weaknesses and should
+not be used.
+It is only offered to support legacy devices.
+.Pp
Note that the order of the protocol list does not indicate preference,
because the client selects among multiple protocol versions offered
by the server.
@@ -1374,7 +1387,6 @@ may be used to list supported key types.
Specifies whether public key authentication is allowed.
The default is
.Dq yes .
-Note that this option applies to protocol version 2 only.
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted before the
session key is renegotiated, optionally followed a maximum amount of
@@ -1400,7 +1412,6 @@ is
.Dq default none ,
which means that rekeying is performed after the cipher's default amount
of data has been sent or received and no time based rekeying is done.
-This option applies to protocol version 2 only.
.It Cm RevokedKeys
Specifies revoked public keys file, or
.Dq none
@@ -1489,7 +1500,6 @@ This may simplify configurations using
to force a different filesystem root on clients.
.Pp
By default no subsystems are defined.
-Note that this option applies to protocol version 2 only.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
@@ -1604,7 +1614,10 @@ After successful authentication, another process will be created that has
the privilege of the authenticated user.
The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
-The default is
+The argument must be
+.Dq yes ,
+.Dq no ,
+or
.Dq sandbox .
If
.Cm UsePrivilegeSeparation
@@ -1612,11 +1625,13 @@ is set to
.Dq sandbox
then the pre-authentication unprivileged process is subject to additional
restrictions.
+The default is
+.Dq sandbox .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
-.Dq FreeBSD-20160121 .
+.Dq FreeBSD-20160310 .
The value
.Dq none
may be used to disable this.
diff --git a/crypto/openssh/ssherr.c b/crypto/openssh/ssherr.c
index 4ca7939926c9..68020706381c 100644
--- a/crypto/openssh/ssherr.c
+++ b/crypto/openssh/ssherr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssherr.c,v 1.4 2015/02/16 22:13:32 djm Exp $ */
+/* $OpenBSD: ssherr.c,v 1.5 2015/09/13 14:39:16 tim Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
@@ -104,7 +104,7 @@ ssh_err(int n)
case SSH_ERR_NEED_REKEY:
return "rekeying not supported by peer";
case SSH_ERR_PASSPHRASE_TOO_SHORT:
- return "passphrase is too short (minimum four characters)";
+ return "passphrase is too short (minimum five characters)";
case SSH_ERR_FILE_CHANGED:
return "file changed while reading";
case SSH_ERR_KEY_UNKNOWN_CIPHER:
diff --git a/crypto/openssh/sshkey.c b/crypto/openssh/sshkey.c
index 32dd8f2254a2..87b093e91d26 100644
--- a/crypto/openssh/sshkey.c
+++ b/crypto/openssh/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.31 2015/12/11 04:21:12 mmcc Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -83,36 +83,39 @@ struct keytype {
int type;
int nid;
int cert;
+ int sigonly;
};
static const struct keytype keytypes[] = {
- { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
+ { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
- KEY_ED25519_CERT, 0, 1 },
+ KEY_ED25519_CERT, 0, 1, 0 },
#ifdef WITH_OPENSSL
- { NULL, "RSA1", KEY_RSA1, 0, 0 },
- { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
- { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
+ { NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
+ { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
+ { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
+ { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
+ { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
# ifdef OPENSSL_HAS_ECC
- { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
- { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
+ { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
+ { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
# ifdef OPENSSL_HAS_NISTP521
- { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
+ { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
- { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
- { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
+ { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
+ { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
# ifdef OPENSSL_HAS_ECC
{ "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
- KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
+ KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
{ "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
- KEY_ECDSA_CERT, NID_secp384r1, 1 },
+ KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
# ifdef OPENSSL_HAS_NISTP521
{ "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
- KEY_ECDSA_CERT, NID_secp521r1, 1 },
+ KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
- { NULL, NULL, -1, -1, 0 }
+ { NULL, NULL, -1, -1, 0, 0 }
};
const char *
@@ -200,7 +203,7 @@ key_alg_list(int certs_only, int plain_only)
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
- if (kt->name == NULL)
+ if (kt->name == NULL || kt->sigonly)
continue;
if ((certs_only && !kt->cert) || (plain_only && kt->cert))
continue;
@@ -417,20 +420,14 @@ cert_free(struct sshkey_cert *cert)
if (cert == NULL)
return;
- if (cert->certblob != NULL)
- sshbuf_free(cert->certblob);
- if (cert->critical != NULL)
- sshbuf_free(cert->critical);
- if (cert->extensions != NULL)
- sshbuf_free(cert->extensions);
- if (cert->key_id != NULL)
- free(cert->key_id);
+ sshbuf_free(cert->certblob);
+ sshbuf_free(cert->critical);
+ sshbuf_free(cert->extensions);
+ free(cert->key_id);
for (i = 0; i < cert->nprincipals; i++)
free(cert->principals[i]);
- if (cert->principals != NULL)
- free(cert->principals);
- if (cert->signature_key != NULL)
- sshkey_free(cert->signature_key);
+ free(cert->principals);
+ sshkey_free(cert->signature_key);
explicit_bzero(cert, sizeof(*cert));
free(cert);
}
@@ -1216,7 +1213,7 @@ read_decimal_bignum(char **cpp, BIGNUM *v)
return SSH_ERR_BIGNUM_TOO_LARGE;
if (cp[e] == '\0')
skip = 0;
- else if (index(" \t\r\n", cp[e]) == NULL)
+ else if (strchr(" \t\r\n", cp[e]) == NULL)
return SSH_ERR_INVALID_FORMAT;
cp[e] = '\0';
if (BN_dec2bn(&v, cp) <= 0)
@@ -1232,11 +1229,10 @@ sshkey_read(struct sshkey *ret, char **cpp)
{
struct sshkey *k;
int retval = SSH_ERR_INVALID_FORMAT;
- char *cp, *space;
+ char *ep, *cp, *space;
int r, type, curve_nid = -1;
struct sshbuf *blob;
#ifdef WITH_SSH1
- char *ep;
u_long bits;
#endif /* WITH_SSH1 */
@@ -1247,7 +1243,7 @@ sshkey_read(struct sshkey *ret, char **cpp)
#ifdef WITH_SSH1
/* Get number of bits. */
bits = strtoul(cp, &ep, 10);
- if (*cp == '\0' || index(" \t\r\n", *ep) == NULL ||
+ if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL ||
bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
/* Get public exponent, public modulus. */
@@ -1255,10 +1251,10 @@ sshkey_read(struct sshkey *ret, char **cpp)
return r;
if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0)
return r;
- *cpp = ep;
/* validate the claimed number of bits */
if (BN_num_bits(ret->rsa->n) != (int)bits)
return SSH_ERR_KEY_BITS_MISMATCH;
+ *cpp = ep;
retval = 0;
#endif /* WITH_SSH1 */
break;
@@ -1296,9 +1292,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
*space++ = '\0';
while (*space == ' ' || *space == '\t')
space++;
- *cpp = space;
+ ep = space;
} else
- *cpp = cp + strlen(cp);
+ ep = cp + strlen(cp);
if ((r = sshbuf_b64tod(blob, cp)) != 0) {
sshbuf_free(blob);
return r;
@@ -1329,8 +1325,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
ret->cert = k->cert;
k->cert = NULL;
}
+ switch (sshkey_type_plain(ret->type)) {
#ifdef WITH_OPENSSL
- if (sshkey_type_plain(ret->type) == KEY_RSA) {
+ case KEY_RSA:
if (ret->rsa != NULL)
RSA_free(ret->rsa);
ret->rsa = k->rsa;
@@ -1338,8 +1335,8 @@ sshkey_read(struct sshkey *ret, char **cpp)
#ifdef DEBUG_PK
RSA_print_fp(stderr, ret->rsa, 8);
#endif
- }
- if (sshkey_type_plain(ret->type) == KEY_DSA) {
+ break;
+ case KEY_DSA:
if (ret->dsa != NULL)
DSA_free(ret->dsa);
ret->dsa = k->dsa;
@@ -1347,9 +1344,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
#ifdef DEBUG_PK
DSA_print_fp(stderr, ret->dsa, 8);
#endif
- }
+ break;
# ifdef OPENSSL_HAS_ECC
- if (sshkey_type_plain(ret->type) == KEY_ECDSA) {
+ case KEY_ECDSA:
if (ret->ecdsa != NULL)
EC_KEY_free(ret->ecdsa);
ret->ecdsa = k->ecdsa;
@@ -1359,17 +1356,19 @@ sshkey_read(struct sshkey *ret, char **cpp)
#ifdef DEBUG_PK
sshkey_dump_ec_key(ret->ecdsa);
#endif
- }
+ break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
- if (sshkey_type_plain(ret->type) == KEY_ED25519) {
+ case KEY_ED25519:
free(ret->ed25519_pk);
ret->ed25519_pk = k->ed25519_pk;
k->ed25519_pk = NULL;
#ifdef DEBUG_PK
/* XXX */
#endif
+ break;
}
+ *cpp = ep;
retval = 0;
/*XXXX*/
sshkey_free(k);
@@ -1717,7 +1716,7 @@ sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
(ret = sshbuf_putb(to->critical, from->critical)) != 0 ||
- (ret = sshbuf_putb(to->extensions, from->extensions) != 0))
+ (ret = sshbuf_putb(to->extensions, from->extensions)) != 0)
return ret;
to->serial = from->serial;
@@ -1758,9 +1757,7 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
struct sshkey *n = NULL;
int ret = SSH_ERR_INTERNAL_ERROR;
- if (pkp != NULL)
- *pkp = NULL;
-
+ *pkp = NULL;
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_DSA:
@@ -2174,7 +2171,7 @@ sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
int
sshkey_sign(const struct sshkey *key,
u_char **sigp, size_t *lenp,
- const u_char *data, size_t datalen, u_int compat)
+ const u_char *data, size_t datalen, const char *alg, u_int compat)
{
if (sigp != NULL)
*sigp = NULL;
@@ -2194,7 +2191,7 @@ sshkey_sign(const struct sshkey *key,
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT:
case KEY_RSA:
- return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
+ return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
@@ -2226,7 +2223,7 @@ sshkey_verify(const struct sshkey *key,
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT:
case KEY_RSA:
- return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
+ return ssh_rsa_verify(key, sig, siglen, data, dlen);
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
@@ -2243,9 +2240,7 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
struct sshkey *pk;
int ret = SSH_ERR_INTERNAL_ERROR;
- if (dkp != NULL)
- *dkp = NULL;
-
+ *dkp = NULL;
if ((pk = calloc(1, sizeof(*pk))) == NULL)
return SSH_ERR_ALLOC_FAIL;
pk->type = k->type;
@@ -2462,7 +2457,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
/* Sign the whole mess */
if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
- sshbuf_len(cert), 0)) != 0)
+ sshbuf_len(cert), NULL, 0)) != 0)
goto out;
/* Append signature and we are done */
@@ -2472,12 +2467,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
out:
if (ret != 0)
sshbuf_reset(cert);
- if (sig_blob != NULL)
- free(sig_blob);
- if (ca_blob != NULL)
- free(ca_blob);
- if (principals != NULL)
- sshbuf_free(principals);
+ free(sig_blob);
+ free(ca_blob);
+ sshbuf_free(principals);
return ret;
}
@@ -2538,6 +2530,43 @@ sshkey_cert_check_authority(const struct sshkey *k,
return 0;
}
+size_t
+sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
+{
+ char from[32], to[32], ret[64];
+ time_t tt;
+ struct tm *tm;
+
+ *from = *to = '\0';
+ if (cert->valid_after == 0 &&
+ cert->valid_before == 0xffffffffffffffffULL)
+ return strlcpy(s, "forever", l);
+
+ if (cert->valid_after != 0) {
+ /* XXX revisit INT_MAX in 2038 :) */
+ tt = cert->valid_after > INT_MAX ?
+ INT_MAX : cert->valid_after;
+ tm = localtime(&tt);
+ strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
+ }
+ if (cert->valid_before != 0xffffffffffffffffULL) {
+ /* XXX revisit INT_MAX in 2038 :) */
+ tt = cert->valid_before > INT_MAX ?
+ INT_MAX : cert->valid_before;
+ tm = localtime(&tt);
+ strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
+ }
+
+ if (cert->valid_after == 0)
+ snprintf(ret, sizeof(ret), "before %s", to);
+ else if (cert->valid_before == 0xffffffffffffffffULL)
+ snprintf(ret, sizeof(ret), "after %s", from);
+ else
+ snprintf(ret, sizeof(ret), "from %s to %s", from, to);
+
+ return strlcpy(s, ret, l);
+}
+
int
sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
{
@@ -2701,7 +2730,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
goto out;
}
if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
- EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
+ EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
(r = sshkey_ec_validate_private(k->ecdsa)) != 0)
goto out;
break;
@@ -2719,7 +2748,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
goto out;
}
if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
- EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
+ EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
(r = sshkey_ec_validate_private(k->ecdsa)) != 0)
goto out;
break;
@@ -2741,10 +2770,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
case KEY_RSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshkey_add_private(k)) != 0 ||
- (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) ||
- (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) ||
- (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) ||
- (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) ||
+ (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
+ (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
+ (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
+ (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
(r = rsa_generate_additional_parameters(k->rsa)) != 0)
goto out;
break;
@@ -3431,9 +3460,9 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob,
/* Store public key. This will be in plain text. */
if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 ||
- (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) ||
- (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) ||
- (r = sshbuf_put_cstring(encrypted, comment) != 0))
+ (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 ||
+ (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 ||
+ (r = sshbuf_put_cstring(encrypted, comment)) != 0)
goto out;
/* Allocate space for the private part of the key in the buffer. */
@@ -3454,10 +3483,8 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob,
out:
explicit_bzero(&ciphercontext, sizeof(ciphercontext));
explicit_bzero(buf, sizeof(buf));
- if (buffer != NULL)
- sshbuf_free(buffer);
- if (encrypted != NULL)
- sshbuf_free(encrypted);
+ sshbuf_free(buffer);
+ sshbuf_free(encrypted);
return r;
}
@@ -3611,10 +3638,8 @@ sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob,
pub = NULL;
out:
- if (copy != NULL)
- sshbuf_free(copy);
- if (pub != NULL)
- sshkey_free(pub);
+ sshbuf_free(copy);
+ sshkey_free(pub);
return r;
}
@@ -3726,14 +3751,10 @@ sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase,
}
out:
explicit_bzero(&ciphercontext, sizeof(ciphercontext));
- if (comment != NULL)
- free(comment);
- if (prv != NULL)
- sshkey_free(prv);
- if (copy != NULL)
- sshbuf_free(copy);
- if (decrypted != NULL)
- sshbuf_free(decrypted);
+ free(comment);
+ sshkey_free(prv);
+ sshbuf_free(copy);
+ sshbuf_free(decrypted);
return r;
}
#endif /* WITH_SSH1 */
@@ -3823,8 +3844,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
BIO_free(bio);
if (pk != NULL)
EVP_PKEY_free(pk);
- if (prv != NULL)
- sshkey_free(prv);
+ sshkey_free(prv);
return r;
}
#endif /* WITH_OPENSSL */
@@ -3833,8 +3853,6 @@ int
sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
const char *passphrase, struct sshkey **keyp, char **commentp)
{
- int r;
-
*keyp = NULL;
if (commentp != NULL)
*commentp = NULL;
@@ -3856,8 +3874,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
return sshkey_parse_private2(blob, type, passphrase,
keyp, commentp);
case KEY_UNSPEC:
- if ((r = sshkey_parse_private2(blob, type, passphrase, keyp,
- commentp)) == 0)
+ if (sshkey_parse_private2(blob, type, passphrase, keyp,
+ commentp) == 0)
return 0;
#ifdef WITH_OPENSSL
return sshkey_parse_private_pem_fileblob(blob, type,
@@ -3872,10 +3890,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
int
sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
- const char *filename, struct sshkey **keyp, char **commentp)
+ struct sshkey **keyp, char **commentp)
{
- int r;
-
if (keyp != NULL)
*keyp = NULL;
if (commentp != NULL)
@@ -3883,13 +3899,11 @@ sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
#ifdef WITH_SSH1
/* it's a SSH v1 key if the public key part is readable */
- if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) {
+ if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) {
return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
passphrase, keyp, commentp);
}
#endif /* WITH_SSH1 */
- if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
- passphrase, keyp, commentp)) == 0)
- return 0;
- return r;
+ return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
+ passphrase, keyp, commentp);
}
diff --git a/crypto/openssh/sshkey.h b/crypto/openssh/sshkey.h
index c8d3cddca595..a20a14f9e74b 100644
--- a/crypto/openssh/sshkey.h
+++ b/crypto/openssh/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.9 2015/08/04 05:23:06 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.12 2015/12/04 16:41:28 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -141,6 +141,8 @@ int sshkey_certify(struct sshkey *, struct sshkey *);
int sshkey_cert_copy(const struct sshkey *, struct sshkey *);
int sshkey_cert_check_authority(const struct sshkey *, int, int,
const char *, const char **);
+size_t sshkey_format_cert_validity(const struct sshkey_cert *,
+ char *, size_t) __attribute__((__bounded__(__string__, 2, 3)));
int sshkey_ecdsa_nid_from_name(const char *);
int sshkey_curve_name_to_nid(const char *);
@@ -167,7 +169,7 @@ int sshkey_plain_to_blob(const struct sshkey *, u_char **, size_t *);
int sshkey_putb_plain(const struct sshkey *, struct sshbuf *);
int sshkey_sign(const struct sshkey *, u_char **, size_t *,
- const u_char *, size_t, u_int);
+ const u_char *, size_t, const char *, u_int);
int sshkey_verify(const struct sshkey *, const u_char *, size_t,
const u_char *, size_t, u_int);
@@ -186,17 +188,16 @@ int sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
int sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob,
struct sshkey **keyp, char **commentp);
int sshkey_parse_private_fileblob(struct sshbuf *buffer,
- const char *passphrase, const char *filename, struct sshkey **keyp,
- char **commentp);
+ const char *passphrase, struct sshkey **keyp, char **commentp);
int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
const char *passphrase, struct sshkey **keyp, char **commentp);
#ifdef SSHKEY_INTERNAL
-int ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
- const u_char *data, size_t datalen, u_int compat);
+int ssh_rsa_sign(const struct sshkey *key,
+ u_char **sigp, size_t *lenp, const u_char *data, size_t datalen,
+ const char *ident);
int ssh_rsa_verify(const struct sshkey *key,
- const u_char *signature, size_t signaturelen,
- const u_char *data, size_t datalen, u_int compat);
+ const u_char *sig, size_t siglen, const u_char *data, size_t datalen);
int ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat);
int ssh_dss_verify(const struct sshkey *key,
diff --git a/crypto/openssh/sshlogin.c b/crypto/openssh/sshlogin.c
index 818312ff129b..cea3e7697401 100644
--- a/crypto/openssh/sshlogin.c
+++ b/crypto/openssh/sshlogin.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshlogin.c,v 1.31 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: sshlogin.c,v 1.32 2015/12/26 20:51:35 guenther Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
diff --git a/crypto/openssh/uidswap.c b/crypto/openssh/uidswap.c
index 0702e1d9e1b8..8bf6b244e5c7 100644
--- a/crypto/openssh/uidswap.c
+++ b/crypto/openssh/uidswap.c
@@ -134,7 +134,7 @@ temporarily_use_uid(struct passwd *pw)
void
permanently_drop_suid(uid_t uid)
{
-#ifndef HAVE_CYGWIN
+#ifndef NO_UID_RESTORATION_TEST
uid_t old_uid = getuid();
#endif
@@ -142,8 +142,14 @@ permanently_drop_suid(uid_t uid)
if (setresuid(uid, uid, uid) < 0)
fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
-#ifndef HAVE_CYGWIN
- /* Try restoration of UID if changed (test clearing of saved uid) */
+#ifndef NO_UID_RESTORATION_TEST
+ /*
+ * Try restoration of UID if changed (test clearing of saved uid).
+ *
+ * Note that we don't do this on Cygwin, or on Solaris-based platforms
+ * where fine-grained privileges are available (the user might be
+ * deliberately allowed the right to setuid back to root).
+ */
if (old_uid != uid &&
(setuid(old_uid) != -1 || seteuid(old_uid) != -1))
fatal("%s: was able to restore old [e]uid", __func__);
@@ -199,7 +205,7 @@ restore_uid(void)
void
permanently_set_uid(struct passwd *pw)
{
-#ifndef HAVE_CYGWIN
+#ifndef NO_UID_RESTORATION_TEST
uid_t old_uid = getuid();
gid_t old_gid = getgid();
#endif
@@ -227,7 +233,7 @@ permanently_set_uid(struct passwd *pw)
if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#ifndef HAVE_CYGWIN
+#ifndef NO_UID_RESTORATION_TEST
/* Try restoration of GID if changed (test clearing of saved gid) */
if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
(setgid(old_gid) != -1 || setegid(old_gid) != -1))
@@ -241,7 +247,7 @@ permanently_set_uid(struct passwd *pw)
(u_int)pw->pw_gid);
}
-#ifndef HAVE_CYGWIN
+#ifndef NO_UID_RESTORATION_TEST
/* Try restoration of UID if changed (test clearing of saved uid) */
if (old_uid != pw->pw_uid &&
(setuid(old_uid) != -1 || seteuid(old_uid) != -1))
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index eb4c3b1f43ee..031bb87ea6b8 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -1,12 +1,12 @@
-/* $OpenBSD: version.h,v 1.75 2015/08/21 03:45:26 djm Exp $ */
+/* $OpenBSD: version.h,v 1.76 2016/02/23 09:14:34 djm Exp $ */
/* $FreeBSD$ */
-#define SSH_VERSION "OpenSSH_7.1"
+#define SSH_VERSION "OpenSSH_7.2"
#define SSH_PORTABLE "p2"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-#define SSH_VERSION_FREEBSD "FreeBSD-20160121"
+#define SSH_VERSION_FREEBSD "FreeBSD-20160310"
#ifdef WITH_OPENSSL
#define OPENSSL_VERSION SSLeay_version(SSLEAY_VERSION)
diff --git a/crypto/openssh/xmalloc.c b/crypto/openssh/xmalloc.c
index 98cbf8776bd6..b58323677ee7 100644
--- a/crypto/openssh/xmalloc.c
+++ b/crypto/openssh/xmalloc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xmalloc.c,v 1.32 2015/04/24 01:36:01 deraadt Exp $ */
+/* $OpenBSD: xmalloc.c,v 1.33 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -26,6 +26,16 @@
#include "xmalloc.h"
#include "log.h"
+void
+ssh_malloc_init(void)
+{
+#if defined(__OpenBSD__)
+ extern char *malloc_options;
+
+ malloc_options = "S";
+#endif /* __OpenBSD__ */
+}
+
void *
xmalloc(size_t size)
{
diff --git a/crypto/openssh/xmalloc.h b/crypto/openssh/xmalloc.h
index 2bec77ba8d3b..e4992893276d 100644
--- a/crypto/openssh/xmalloc.h
+++ b/crypto/openssh/xmalloc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: xmalloc.h,v 1.15 2015/04/24 01:36:01 deraadt Exp $ */
+/* $OpenBSD: xmalloc.h,v 1.16 2016/02/15 09:47:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,6 +16,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
+void ssh_malloc_init(void);
void *xmalloc(size_t);
void *xcalloc(size_t, size_t);
void *xreallocarray(void *, size_t, size_t);
diff --git a/etc/Makefile b/etc/Makefile
index 3de8f974ba98..d7e30c51815f 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -5,6 +5,8 @@
FILESGROUPS= FILES
+# No need as it is empty and just causes rebuilds since this file does so much.
+UPDATE_DEPENDFILE= no
SUBDIR= \
newsyslog.conf.d
@@ -461,11 +463,14 @@ distrib-dirs: ${MTREES:N/*} distrib-cleanup .PHONY
done
.endif
-etc-examples:
+etc-examples-install: ${META_DEPS}
cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \
${BIN1} ${BIN2} nsmb.conf opieaccess \
${DESTDIR}${SHAREDIR}/examples/etc
- ${_+_}cd ${.CURDIR}/defaults; ${MAKE} install \
+
+etc-examples: etc-examples-install
+ ${_+_}cd ${.CURDIR}/defaults; \
+ ${MAKE} ${${MK_STAGING} == "yes":?all:install} \
DESTDIR=${DESTDIR}${SHAREDIR}/examples
.include <bsd.prog.mk>
diff --git a/etc/autofs/special_media b/etc/autofs/special_media
index 2a654b1d5a9b..32f947825aa9 100755
--- a/etc/autofs/special_media
+++ b/etc/autofs/special_media
@@ -19,6 +19,9 @@ print_available() {
_fstype="${_fstype_and_label%% *}"
if [ "${_fstype}" != "${_fstype_and_label}" ]; then
_label="${_fstype_and_label#* }"
+ # Replace plus signs and slashes with minuses;
+ # leading plus signs have special meaning in maps,
+ _label="$(echo ${_label} | sed 's,[+/],-,g')"
echo "${_label}"
continue
fi
@@ -54,6 +57,10 @@ print_one() {
fi
_label="${_fstype_and_label#* }"
+ # Replace plus signs and slashes with minuses;
+ # leading plus signs have special meaning in maps,
+ # and multi-component keys are just not supported.
+ _label="$(echo ${_label} | sed 's,[+/],-,g')"
if [ "${_label}" != "${_key}" ]; then
# Labels don't match, try another device.
continue
diff --git a/etc/defaults/Makefile b/etc/defaults/Makefile
index 1f6ac5ee3f88..4b3a4cea502f 100644
--- a/etc/defaults/Makefile
+++ b/etc/defaults/Makefile
@@ -3,7 +3,6 @@
.include <src.opts.mk>
FILES= devfs.rules periodic.conf rc.conf
-NO_OBJ=
FILESDIR= /etc/defaults
.if ${MK_BLUETOOTH} != "no"
diff --git a/etc/defaults/Makefile.depend b/etc/defaults/Makefile.depend
new file mode 100644
index 000000000000..f80275d86ab1
--- /dev/null
+++ b/etc/defaults/Makefile.depend
@@ -0,0 +1,11 @@
+# $FreeBSD$
+# Autogenerated - do NOT edit!
+
+DIRDEPS = \
+
+
+.include <dirdeps.mk>
+
+.if ${DEP_RELDIR} == ${_DEP_RELDIR}
+# local dependencies - needed for -jN in clean tree
+.endif
diff --git a/etc/login.conf b/etc/login.conf
index 2cc67309ed39..e352f7f7aaf5 100644
--- a/etc/login.conf
+++ b/etc/login.conf
@@ -43,6 +43,7 @@ default:\
:swapuse=unlimited:\
:pseudoterminals=unlimited:\
:kqueues=unlimited:\
+ :umtxp=unlimited:\
:priority=0:\
:ignoretime@:\
:umask=022:
diff --git a/etc/rc.d/netwait b/etc/rc.d/netwait
index 6ccca043c55b..e9c23ca40127 100755
--- a/etc/rc.d/netwait
+++ b/etc/rc.d/netwait
@@ -3,7 +3,7 @@
# $FreeBSD$
#
# PROVIDE: netwait
-# REQUIRE: devd routing
+# REQUIRE: devd ipfilter ipfw pf routing
# KEYWORD: nojail
#
# The netwait script helps handle two situations:
diff --git a/include/Makefile b/include/Makefile
index d8213ef8bf50..d014681f1dd1 100644
--- a/include/Makefile
+++ b/include/Makefile
@@ -130,35 +130,16 @@ _MARCHS= ${MACHINE_CPUARCH}
_MARCHS+= x86
.endif
-.if ${MK_STAGING} == "yes"
-# tell bsd.incs.mk that we have it covered
-NO_STAGE_INCLUDES=
-.endif
+META_TARGETS+= compat copies symlinks
+stage_includes: ${SHARED}
.include <bsd.prog.mk>
-.if ${MK_STAGING} != "no" && !defined(_SKIP_BUILD)
-.if make(all)
-DESTDIR= ${STAGE_OBJTOP}
-
-all: stage_include
-installincludes: buildincludes
-buildincludes: stage_prep
-
-stage_prep:
- @mkdir -p ${DESTDIR}${INCLUDEDIR}
- @touch $@
-
-stage_include: .dirdep installincludes
- @touch $@
-.endif
-.endif
-
installincludes: ${SHARED}
${SHARED}: compat
# Take care of stale directory-level symlinks.
-compat:
+compat: ${META_DEPS}
.for i in ${LDIRS} ${LSUBDIRS} machine ${_MARCHS} crypto
if [ -L ${DESTDIR}${INCLUDEDIR}/$i ]; then \
rm -f ${DESTDIR}${INCLUDEDIR}/$i; \
@@ -167,11 +148,8 @@ compat:
mtree -deU ${MTREE_FOLLOWS_SYMLINKS} \
-f ${.CURDIR}/../etc/mtree/BSD.include.dist \
-p ${DESTDIR}${INCLUDEDIR} > /dev/null
-.if ${MK_DIRDEPS_BUILD} == "yes"
- @touch ${.TARGET}
-.endif
-copies:
+copies: ${META_DEPS}
.for i in ${LDIRS} ${LSUBDIRS} ${LSUBSUBDIRS} crypto machine machine/pc \
${_MARCHS}
if [ -d ${DESTDIR}${INCLUDEDIR}/$i ]; then \
@@ -256,11 +234,8 @@ copies:
cd ${.CURDIR}/../sys/teken; \
${INSTALL} -C ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 teken.h \
${DESTDIR}${INCLUDEDIR}/teken
-.if ${MK_DIRDEPS_BUILD} == "yes"
- @touch ${.OBJDIR}/${.TARGET}
-.endif
-symlinks:
+symlinks: ${META_DEPS}
@${ECHO} "Setting up symlinks to kernel source tree..."
.for i in ${LDIRS}
cd ${.CURDIR}/../sys/$i; \
@@ -373,9 +348,6 @@ symlinks:
${INSTALL_SYMLINK} ${TAG_ARGS} ../../../sys/rpc/$$h \
${DESTDIR}${INCLUDEDIR}/rpc; \
done
-.if ${MK_DIRDEPS_BUILD} == "yes"
- @touch ${.OBJDIR}/${.TARGET}
-.endif
.if ${MACHINE} == "host" && !defined(_SKIP_BUILD)
# we're here because we are building a sysroot...
diff --git a/lib/Makefile b/lib/Makefile
index cdcce9091a0c..0c8120c62961 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -173,7 +173,7 @@ _libbsnmp= libbsnmp
_libcasper= libcasper
.endif
-.if ${MK_CLANG} != "no" && !defined(COMPAT_32BIT)
+.if ${MK_CLANG} != "no" && !defined(COMPAT_32BIT) && !defined(COMPAT_SOFTFP)
_clang= clang
.endif
diff --git a/lib/atf/Makefile b/lib/atf/Makefile
index 0772065f0822..481bce97f13e 100644
--- a/lib/atf/Makefile
+++ b/lib/atf/Makefile
@@ -35,6 +35,4 @@ SUBDIR= libatf-c \
_tests= tests
.endif
-.ORDER: ${SUBDIR}
-
.include <bsd.subdir.mk>
diff --git a/lib/clang/clang.build.mk b/lib/clang/clang.build.mk
index 8ab23999b731..5a3d169f0bb4 100644
--- a/lib/clang/clang.build.mk
+++ b/lib/clang/clang.build.mk
@@ -240,11 +240,15 @@ Checkers.inc.h: ${CLANG_SRCS}/lib/StaticAnalyzer/Checkers/Checkers.td
-I ${CLANG_SRCS}/include -d ${.TARGET:C/\.h$/.d/} -o ${.TARGET} \
${CLANG_SRCS}/lib/StaticAnalyzer/Checkers/Checkers.td
-.if !make(depend)
-. for dep in ${TGHDRS:C/$/.inc.d/}
-. sinclude "${dep}"
-. endfor
-.endif
+.for dep in ${TGHDRS:C/$/.inc.d/}
+. if ${MAKE_VERSION} < 20160220
+. if !make(depend)
+. sinclude "${dep}"
+. endif
+. else
+. dinclude "${dep}"
+. endif
+.endfor
SRCS+= ${TGHDRS:C/$/.inc.h/}
CLEANFILES+= ${TGHDRS:C/$/.inc.h/} ${TGHDRS:C/$/.inc.d/}
diff --git a/lib/libc++/Makefile b/lib/libc++/Makefile
index 7794928bc328..e4d3bdad9c83 100644
--- a/lib/libc++/Makefile
+++ b/lib/libc++/Makefile
@@ -55,6 +55,7 @@ CXXRT_SRCS+= libelftc_dem_gnu3.c\
guard.cc
.for _S in ${CXXRT_SRCS}
+CLEANFILES+= cxxrt_${_S}
STATICOBJS+= cxxrt_${_S:R}.o
cxxrt_${_S}: ${_LIBCXXRTDIR}/${_S} .NOMETA
ln -sf ${.ALLSRC} ${.TARGET}
diff --git a/lib/libc/sys/Symbol.map b/lib/libc/sys/Symbol.map
index dc2ed0ed6e57..c1532ac94bc4 100644
--- a/lib/libc/sys/Symbol.map
+++ b/lib/libc/sys/Symbol.map
@@ -200,9 +200,6 @@ FBSD_1.0 {
nstat;
ntp_adjtime;
ntp_gettime;
- oaio_read;
- oaio_write;
- olio_listio;
open;
pathconf;
pipe;
@@ -809,12 +806,6 @@ FBSDprivate_1.0 {
__sys_ntp_adjtime;
_ntp_gettime;
__sys_ntp_gettime;
- _oaio_read;
- __sys_oaio_read;
- _oaio_write;
- __sys_oaio_write;
- _olio_listio;
- __sys_olio_listio;
_open;
__sys_open;
_openat;
diff --git a/lib/libpam/modules/pam_ssh/Makefile b/lib/libpam/modules/pam_ssh/Makefile
index 8965018e32b2..8de1bdfadc86 100644
--- a/lib/libpam/modules/pam_ssh/Makefile
+++ b/lib/libpam/modules/pam_ssh/Makefile
@@ -8,10 +8,7 @@ MAN= pam_ssh.8
SRCS= pam_ssh.c
PACKAGE= ssh
-# required when linking with a dynamic libssh
-SRCS+= roaming_dummy.c
-
-WARNS?= 3
+WARNS?= 5
CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
diff --git a/lib/libpam/modules/pam_ssh/Makefile.depend b/lib/libpam/modules/pam_ssh/Makefile.depend
index 08fb149ea124..6b7118bcd2a0 100644
--- a/lib/libpam/modules/pam_ssh/Makefile.depend
+++ b/lib/libpam/modules/pam_ssh/Makefile.depend
@@ -5,13 +5,11 @@ DIRDEPS = \
gnu/lib/csu \
gnu/lib/libgcc \
include \
- include/arpa \
include/xlocale \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
lib/libpam/libpam \
- lib/libutil \
secure/lib/libcrypto \
secure/lib/libssh \
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c
index 8fc68fd324f4..f95c73768baa 100644
--- a/lib/libpam/modules/pam_ssh/pam_ssh.c
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.c
@@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$");
#include <openssl/evp.h>
+#define __bounded__(x, y, z)
#include "key.h"
#include "buffer.h"
#include "authfd.h"
@@ -84,7 +85,9 @@ static const char *pam_ssh_keyfiles[] = {
};
static const char *pam_ssh_agent = "/usr/bin/ssh-agent";
-static char *const pam_ssh_agent_argv[] = { "ssh_agent", "-s", NULL };
+static char str_ssh_agent[] = "ssh-agent";
+static char str_dash_s[] = "-s";
+static char *const pam_ssh_agent_argv[] = { str_ssh_agent, str_dash_s, NULL };
static char *const pam_ssh_agent_envp[] = { NULL };
/*
diff --git a/lib/libunbound/Makefile b/lib/libunbound/Makefile
index f16824485399..aeb590959264 100644
--- a/lib/libunbound/Makefile
+++ b/lib/libunbound/Makefile
@@ -12,7 +12,7 @@ LIB= unbound
PRIVATELIB=
PACKAGE= unbound
-CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} -I${.OBJDIR}
+CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR} -I${.OBJDIR}
SRCS= alloc.c as112.c autotrust.c config_file.c configlexer.l configparser.y \
context.c dname.c dns.c dns64.c dnstree.c fptr_wlist.c infra.c \
diff --git a/lib/libutil/login.conf.5 b/lib/libutil/login.conf.5
index e780940b7643..1c3cfee02e74 100644
--- a/lib/libutil/login.conf.5
+++ b/lib/libutil/login.conf.5
@@ -199,6 +199,7 @@ notation may be used.
.It "stacksize size Maximum stack size limit."
.It "pseudoterminals number Maximum number of pseudo-terminals."
.It "swapuse size Maximum swap space size limit."
+.It "umtxp number Maximum number of process-shared pthread locks."
.El
.Pp
These resource limit entries actually specify both the maximum
diff --git a/lib/libutil/login_class.3 b/lib/libutil/login_class.3
index c87faaeb8814..ab2e8af02db4 100644
--- a/lib/libutil/login_class.3
+++ b/lib/libutil/login_class.3
@@ -119,6 +119,7 @@ vmemoryuse RLIMIT_VMEM
pseudoterminals RLIMIT_NPTS
swapuse RLIMIT_SWAP
kqueues RLIMIT_KQUEUES
+umtxp RLIMIT_UMTXP
.Ed
.It LOGIN_SETPRIORITY
Set the scheduling priority for the current process based on the
diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c
index 9ffca8ea3628..ceee5c8912f7 100644
--- a/lib/libutil/login_class.c
+++ b/lib/libutil/login_class.c
@@ -67,6 +67,7 @@ static struct login_res {
{ "pseudoterminals", login_getcapnum, RLIMIT_NPTS },
{ "swapuse", login_getcapsize, RLIMIT_SWAP },
{ "kqueues", login_getcapsize, RLIMIT_KQUEUES },
+ { "umtxp", login_getcapnum, RLIMIT_UMTXP },
{ NULL, 0, 0 }
};
diff --git a/sbin/geom/core/geom.c b/sbin/geom/core/geom.c
index 5d23d933ec94..e0b77baeec09 100644
--- a/sbin/geom/core/geom.c
+++ b/sbin/geom/core/geom.c
@@ -635,8 +635,7 @@ get_class(int *argc, char ***argv)
} else if (!strcasecmp(class_name, "label")) {
version = &glabel_version;
class_commands = glabel_class_commands;
- } else
- errx(EXIT_FAILURE, "Invalid class name.");
+ }
#endif /* !STATIC_GEOM_CLASSES */
set_class_name();
diff --git a/sbin/ifconfig/ifieee80211.c b/sbin/ifconfig/ifieee80211.c
index 72145d15cfdc..5ababf369880 100644
--- a/sbin/ifconfig/ifieee80211.c
+++ b/sbin/ifconfig/ifieee80211.c
@@ -3072,6 +3072,7 @@ iename(int elemid)
case IEEE80211_ELEMID_CFPARMS: return " CFPARMS";
case IEEE80211_ELEMID_TIM: return " TIM";
case IEEE80211_ELEMID_IBSSPARMS:return " IBSSPARMS";
+ case IEEE80211_ELEMID_BSSLOAD: return " BSSLOAD";
case IEEE80211_ELEMID_CHALLENGE:return " CHALLENGE";
case IEEE80211_ELEMID_PWRCNSTR: return " PWRCNSTR";
case IEEE80211_ELEMID_PWRCAP: return " PWRCAP";
@@ -3083,6 +3084,7 @@ iename(int elemid)
case IEEE80211_ELEMID_MEASREP: return " MEASREP";
case IEEE80211_ELEMID_QUIET: return " QUIET";
case IEEE80211_ELEMID_IBSSDFS: return " IBSSDFS";
+ case IEEE80211_ELEMID_APCHANREP:return " APCHANREP";
case IEEE80211_ELEMID_TPC: return " TPC";
case IEEE80211_ELEMID_CCKM: return " CCKM";
}
diff --git a/sbin/mdmfs/mdmfs.8 b/sbin/mdmfs/mdmfs.8
index f38d29d4b686..a91cab260dc8 100644
--- a/sbin/mdmfs/mdmfs.8
+++ b/sbin/mdmfs/mdmfs.8
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 7, 2016
+.Dd March 9, 2016
.Dt MDMFS 8
.Os
.Sh NAME
@@ -36,7 +36,7 @@
driver
.Sh SYNOPSIS
.Nm
-.Op Fl DLlMNnPStUX
+.Op Fl DLlMNnPStTUX
.Op Fl a Ar maxcontig
.Op Fl b Ar block-size
.Op Fl c Ar blocks-per-cylinder-group
@@ -51,6 +51,7 @@ driver
.Op Fl o Ar mount-options
.Op Fl p Ar permissions
.Op Fl s Ar size
+.Op Fl T Ar fstype
.Op Fl v Ar version
.Op Fl w Ar user : Ns Ar group
.Ar md-device
@@ -228,10 +229,19 @@ backed disks
.It Fl t
Turn on the TRIM enable flag for
.Xr newfs 8 .
-The
+When used with a file system that issue BIO_DELETE bio requests,
.Xr md 4
-device supports the BIO_DELETE command, enabling the TRIM on created
-filesystem allows return of freed memory to the system pool.
+returns deleted blocks to the system memory pool.
+.It Fl T Ar fstype
+Specify a file system type for a vnode-backed memory disk.
+Any file system supported by
+.Xr mount 8
+command can be specified.
+This option only makes sense when
+.Fl F
+and
+.Fl P
+are used.
.It Fl U
Enable soft-updates on the file system.
This is the default, and is accepted only
@@ -283,8 +293,8 @@ and
.Fl n
options are passed to
.Xr newfs 8
-with the same letter;
-the
+with the same letter.
+The
.Fl O
option is passed to
.Xr newfs 8
@@ -295,6 +305,12 @@ The
option is passed to
.Xr mount 8
with the same letter.
+The
+.Fl T
+option is passed to
+.Xr mount 8
+as
+.Fl t .
See the programs that the options are passed to for more information
on their semantics.
.Sh EXAMPLES
@@ -335,6 +351,10 @@ Configure a vnode-backed file system and mount its first partition,
using automatic device numbering:
.Pp
.Dl "mdmfs -P -F foo.img mds1a /tmp/"
+.Pp
+Mount a vnode-backed cd9660 file system using automatic device numbering:
+.Pp
+.Dl "mdmfs -T cd9660 -P -F foo.iso md /tmp"
.Sh COMPATIBILITY
The
.Nm
diff --git a/sbin/mdmfs/mdmfs.c b/sbin/mdmfs/mdmfs.c
index 66a6911a5499..4b3a012ff50f 100644
--- a/sbin/mdmfs/mdmfs.c
+++ b/sbin/mdmfs/mdmfs.c
@@ -129,7 +129,7 @@ main(int argc, char **argv)
}
while ((ch = getopt(argc, argv,
- "a:b:Cc:Dd:E:e:F:f:hi:LlMm:NnO:o:Pp:Ss:tUv:w:X")) != -1)
+ "a:b:Cc:Dd:E:e:F:f:hi:LlMm:NnO:o:Pp:Ss:tT:Uv:w:X")) != -1)
switch (ch) {
case 'a':
argappend(&newfs_arg, "-a %s", optarg);
@@ -218,6 +218,9 @@ main(int argc, char **argv)
case 't':
argappend(&newfs_arg, "-t");
break;
+ case 'T':
+ argappend(&mount_arg, "-t %s", optarg);
+ break;
case 'U':
softdep = true;
break;
diff --git a/sbin/nvmecontrol/power.c b/sbin/nvmecontrol/power.c
index e681ccd14dcc..bf2b882c854a 100644
--- a/sbin/nvmecontrol/power.c
+++ b/sbin/nvmecontrol/power.c
@@ -87,7 +87,7 @@ power_list(struct nvme_controller_data *cdata)
}
static void
-power_set(int fd, int power, int workload, int perm)
+power_set(int fd, int power_val, int workload, int perm)
{
struct nvme_pt_command pt;
uint32_t p;
@@ -96,7 +96,7 @@ power_set(int fd, int power, int workload, int perm)
memset(&pt, 0, sizeof(pt));
pt.cmd.opc = NVME_OPC_SET_FEATURES;
pt.cmd.cdw10 = NVME_FEAT_POWER_MANAGEMENT | p;
- pt.cmd.cdw11 = power | (workload << 5);
+ pt.cmd.cdw11 = power_val | (workload << 5);
if (ioctl(fd, NVME_PASSTHROUGH_CMD, &pt) < 0)
err(1, "set feature power mgmt request failed");
@@ -127,7 +127,7 @@ void
power(int argc, char *argv[])
{
struct nvme_controller_data cdata;
- int ch, listflag = 0, powerflag = 0, power = 0, fd;
+ int ch, listflag = 0, powerflag = 0, power_val = 0, fd;
int workload = 0;
char *end;
@@ -138,7 +138,7 @@ power(int argc, char *argv[])
break;
case 'p':
powerflag = 1;
- power = strtol(optarg, &end, 0);
+ power_val = strtol(optarg, &end, 0);
if (*end != '\0') {
fprintf(stderr, "Invalid power state number: %s\n", optarg);
power_usage();
@@ -174,7 +174,7 @@ power(int argc, char *argv[])
}
if (powerflag) {
- power_set(fd, power, workload, 0);
+ power_set(fd, power_val, workload, 0);
goto out;
}
power_show(fd);
diff --git a/sbin/ping/ping.8 b/sbin/ping/ping.8
index 76175855bcc2..9e2fe37a73e0 100644
--- a/sbin/ping/ping.8
+++ b/sbin/ping/ping.8
@@ -28,7 +28,7 @@
.\" @(#)ping.8 8.2 (Berkeley) 12/11/93
.\" $FreeBSD$
.\"
-.Dd April 4, 2006
+.Dd March 11, 2016
.Dt PING 8
.Os
.Sh NAME
@@ -201,10 +201,17 @@ print the netmask of the remote machine.
Set the
.Va net.inet.icmp.maskrepl
MIB variable to enable
-.Dv ICMP_MASKREPLY .
+.Dv ICMP_MASKREPLY
+and
+.Va net.inet.icmp.maskfake
+if you want to override the netmask in the response.
For
.Cm time ,
print the origination, reception and transmission timestamps.
+Set the
+.Va net.inet.icmp.tstamprepl
+MIB variable to enable or disable
+.Dv ICMP_TSTAMPREPLY .
.It Fl m Ar ttl
Set the IP Time To Live for outgoing packets.
If not specified, the kernel uses the value of the
@@ -520,6 +527,7 @@ These values are defined in
.El
.Sh SEE ALSO
.Xr netstat 1 ,
+.Xr icmp 4 ,
.Xr ifconfig 8 ,
.Xr routed 8 ,
.Xr traceroute 8
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index 1831cb71b30a..a5f860271383 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -793,8 +793,8 @@ main(int argc, char *const *argv)
}
#endif
if (sweepmax) {
- if (sweepmin >= sweepmax)
- errx(EX_USAGE, "Maximum packet size must be greater than the minimum packet size");
+ if (sweepmin > sweepmax)
+ errx(EX_USAGE, "Maximum packet size must be no less than the minimum packet size");
if (datalen != DEFDATALEN)
errx(EX_USAGE, "Packet size and ping sweep are mutually exclusive");
@@ -807,7 +807,7 @@ main(int argc, char *const *argv)
datalen = sweepmin;
send_len = icmp_len + sweepmin;
}
- if (options & F_SWEEP && !sweepmax)
+ if (options & F_SWEEP && !sweepmax)
errx(EX_USAGE, "Maximum sweep size must be specified");
/*
@@ -845,9 +845,9 @@ main(int argc, char *const *argv)
if (sweepmax)
(void)printf(": (%d ... %d) data bytes\n",
sweepmin, sweepmax);
- else
+ else
(void)printf(": %d data bytes\n", datalen);
-
+
} else {
if (sweepmax)
(void)printf("PING %s: (%d ... %d) data bytes\n",
@@ -969,14 +969,14 @@ main(int argc, char *const *argv)
}
if (n == 0 || options & F_FLOOD) {
if (sweepmax && sntransmitted == snpackets) {
- for (i = 0; i < sweepincr ; ++i)
+ for (i = 0; i < sweepincr ; ++i)
*datap++ = i;
datalen += sweepincr;
if (datalen > sweepmax)
break;
send_len = icmp_len + datalen;
sntransmitted = 0;
- }
+ }
if (!npackets || ntransmitted < npackets)
pinger();
else {
@@ -1179,7 +1179,7 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv)
if (options & F_QUIET)
return;
-
+
if (options & F_WAITTIME && triptime > waittime) {
++nrcvtimeout;
return;
diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile
index 35e291b37327..a352cbc03790 100644
--- a/secure/lib/libssh/Makefile
+++ b/secure/lib/libssh/Makefile
@@ -22,7 +22,8 @@ SRCS+= authfd.c authfile.c bufaux.c bufbn.c bufec.c buffer.c \
sc25519.c ge25519.c fe25519.c ed25519.c verify.c hash.c blocks.c \
kex.c kexdh.c kexgex.c kexecdh.c kexc25519.c \
kexdhc.c kexgexc.c kexecdhc.c kexc25519c.c \
- kexdhs.c kexgexs.c kexecdhs.c kexc25519s.c
+ kexdhs.c kexgexs.c kexecdhs.c kexc25519s.c \
+ platform-pledge.c
PACKAGE= ssh
# gss-genr.c should be in $SRCS but causes linking problems, so it is
diff --git a/secure/libexec/sftp-server/Makefile b/secure/libexec/sftp-server/Makefile
index f0bedff797d7..24d675e0cf16 100644
--- a/secure/libexec/sftp-server/Makefile
+++ b/secure/libexec/sftp-server/Makefile
@@ -8,11 +8,6 @@ MAN= sftp-server.8
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
-.if !defined(NO_SHARED)
-# required when linking with a dynamic libssh
-SRCS+= roaming_dummy.c
-.endif
-
LIBADD= ssh
.if ${MK_LDNS} != "no"
diff --git a/secure/libexec/ssh-keysign/Makefile b/secure/libexec/ssh-keysign/Makefile
index c546e835e4e6..c38b6dce8048 100644
--- a/secure/libexec/ssh-keysign/Makefile
+++ b/secure/libexec/ssh-keysign/Makefile
@@ -3,7 +3,7 @@
.include <src.opts.mk>
PROG= ssh-keysign
-SRCS= ssh-keysign.c roaming_dummy.c readconf.c
+SRCS= ssh-keysign.c readconf.c
MAN= ssh-keysign.8
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
diff --git a/secure/libexec/ssh-pkcs11-helper/Makefile b/secure/libexec/ssh-pkcs11-helper/Makefile
index d8046d1994f6..19e114be935d 100644
--- a/secure/libexec/ssh-pkcs11-helper/Makefile
+++ b/secure/libexec/ssh-pkcs11-helper/Makefile
@@ -8,11 +8,6 @@ MAN= ssh-pkcs11-helper.8
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
-.if !defined(NO_SHARED)
-# required when linking with a dynamic libssh
-SRCS+= roaming_dummy.c
-.endif
-
LIBADD= ssh
.if ${MK_LDNS} != "no"
diff --git a/secure/usr.bin/scp/Makefile b/secure/usr.bin/scp/Makefile
index ca00921f5e62..34469a443287 100644
--- a/secure/usr.bin/scp/Makefile
+++ b/secure/usr.bin/scp/Makefile
@@ -8,11 +8,6 @@ PACKAGE= ssh
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
-.if !defined(NO_SHARED)
-# required when linking with a dynamic libssh
-SRCS+= roaming_dummy.c
-.endif
-
LIBADD= ssh
.if ${MK_LDNS} != "no"
diff --git a/secure/usr.bin/sftp/Makefile b/secure/usr.bin/sftp/Makefile
index 4b1f24ebd9ca..249fef233d37 100644
--- a/secure/usr.bin/sftp/Makefile
+++ b/secure/usr.bin/sftp/Makefile
@@ -8,11 +8,6 @@ PACKAGE= ssh
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
-.if !defined(NO_SHARED)
-# required when linking with a dynamic libssh
-SRCS+= roaming_dummy.c
-.endif
-
LIBADD= ssh edit
.if ${MK_LDNS} != "no"
diff --git a/secure/usr.bin/ssh-add/Makefile b/secure/usr.bin/ssh-add/Makefile
index 70feb8b00865..acce73d3841d 100644
--- a/secure/usr.bin/ssh-add/Makefile
+++ b/secure/usr.bin/ssh-add/Makefile
@@ -8,11 +8,6 @@ PACKAGE= ssh
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
-.if !defined(NO_SHARED)
-# required when linking with a dynamic libssh
-SRCS+= roaming_dummy.c
-.endif
-
LIBADD= ssh
.if ${MK_LDNS} != "no"
diff --git a/secure/usr.bin/ssh-agent/Makefile b/secure/usr.bin/ssh-agent/Makefile
index 1e77d96ff020..50eafa6ba621 100644
--- a/secure/usr.bin/ssh-agent/Makefile
+++ b/secure/usr.bin/ssh-agent/Makefile
@@ -8,11 +8,6 @@ PACKAGE= ssh
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
-.if !defined(NO_SHARED)
-# required when linking with a dynamic libssh
-SRCS+= roaming_dummy.c
-.endif
-
LIBADD= ssh
.if ${MK_LDNS} != "no"
diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile
index 5cd6e2f9cc90..d6b5616dfc0a 100644
--- a/secure/usr.bin/ssh-keygen/Makefile
+++ b/secure/usr.bin/ssh-keygen/Makefile
@@ -8,11 +8,6 @@ PACKAGE= ssh
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
-.if !defined(NO_SHARED)
-# required when linking with a dynamic libssh
-SRCS+= roaming_dummy.c
-.endif
-
LIBADD= ssh
.if ${MK_LDNS} != "no"
diff --git a/secure/usr.bin/ssh-keyscan/Makefile b/secure/usr.bin/ssh-keyscan/Makefile
index 95b85e45b82e..ade1e4237ff5 100644
--- a/secure/usr.bin/ssh-keyscan/Makefile
+++ b/secure/usr.bin/ssh-keyscan/Makefile
@@ -3,7 +3,7 @@
.include <src.opts.mk>
PROG= ssh-keyscan
-SRCS= ssh-keyscan.c roaming_dummy.c
+SRCS= ssh-keyscan.c
PACKAGE= ssh
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
SRCS+= ssh_namespace.h
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index 38eab11e3d6c..8d82148ec248 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -9,8 +9,7 @@ MLINKS= ssh.1 slogin.1
PACKAGE= ssh
SRCS= ssh.c readconf.c clientloop.c sshtty.c \
- sshconnect.c sshconnect1.c sshconnect2.c mux.c \
- roaming_common.c roaming_client.c
+ sshconnect.c sshconnect1.c sshconnect2.c mux.c
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
SRCS+= gss-genr.c
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index c9fd159ee658..f9589a37ae37 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -14,9 +14,9 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
auth2-gss.c gss-serv.c gss-serv-krb5.c \
loginrec.c auth-pam.c auth-shadow.c auth-sia.c md5crypt.c \
sftp-server.c sftp-common.c \
- roaming_common.c roaming_serv.c \
sandbox-null.c sandbox-rlimit.c sandbox-systrace.c sandbox-darwin.c \
- sandbox-seccomp-filter.c sandbox-capsicum.c
+ sandbox-seccomp-filter.c sandbox-capsicum.c sandbox-pledge.c \
+ sandbox-solaris.c
PACKAGE= ssh
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
diff --git a/share/examples/Makefile b/share/examples/Makefile
index c71604e827b3..827afa90eb4b 100644
--- a/share/examples/Makefile
+++ b/share/examples/Makefile
@@ -220,9 +220,10 @@ PACKAGE_bhyve/vmrun.sh= bhyve
SHARED?= copies
beforeinstall: ${SHARED} etc-examples
+META_TARGETS+= copies symlinks
.ORDER: ${SHARED} etc-examples
-copies:
+copies: ${META_DEPS}
.for i in ${LDIRS}
if [ -L ${DESTDIR}${BINDIR}/$i ]; then \
rm -f ${DESTDIR}${BINDIR}/$i; \
@@ -235,7 +236,7 @@ copies:
${.CURDIR}/${file} ${DESTDIR}${BINDIR}/${file}
.endfor
-symlinks:
+symlinks: ${META_DEPS}
.for i in ${LDIRS}
rm -rf ${DESTDIR}${BINDIR}/$i
ln -s ${.CURDIR}/$i ${DESTDIR}${BINDIR}/$i
@@ -243,7 +244,7 @@ symlinks:
etc-examples:
.if ${SHARED} != "symlinks"
- (cd ${.CURDIR}/../../etc; ${MAKE} etc-examples)
+ ${_+_}(cd ${.CURDIR}/../../etc; ${MAKE} etc-examples)
.endif
.if ${SHARED} != "symlinks"
@@ -262,4 +263,4 @@ SUBDIR+=tests
SUBDIR_PARALLEL=
-.include <bsd.subdir.mk>
+.include <bsd.prog.mk>
diff --git a/share/examples/Makefile.depend b/share/examples/Makefile.depend
new file mode 100644
index 000000000000..d7cfba0e4f6e
--- /dev/null
+++ b/share/examples/Makefile.depend
@@ -0,0 +1,12 @@
+# $FreeBSD$
+# Autogenerated - do NOT edit!
+
+DIRDEPS = \
+ usr.bin/xinstall.host \
+
+
+.include <dirdeps.mk>
+
+.if ${DEP_RELDIR} == ${_DEP_RELDIR}
+# local dependencies - needed for -jN in clean tree
+.endif
diff --git a/share/i18n/esdb/BIG5/Makefile b/share/i18n/esdb/BIG5/Makefile
index 4852b833ff51..f7b1512893f4 100644
--- a/share/i18n/esdb/BIG5/Makefile
+++ b/share/i18n/esdb/BIG5/Makefile
@@ -13,12 +13,10 @@ Big5_$i_variable!= sed \
${.CURDIR}/Big5.variable
.endfor
.for i in ${PART}
-.if !exists(Big5-${i:S/:/@/}.src)
# XXX: FIXME
Big5-${i:S/:/@/}.src: Big5.src Big5.variable
sed -e 's/encoding/Big5-$i/' \
-e 's/variable/${Big5_$i_variable}/' \
${.CURDIR}/Big5.src > $@
- @echo Big5-${i:S/:/@/}.src >>.tmpfiles
-.endif
+ @echo ${.TARGET} >>.tmpfiles
.endfor
diff --git a/share/i18n/esdb/Makefile.part b/share/i18n/esdb/Makefile.part
index 60048c2073d6..8de404565800 100644
--- a/share/i18n/esdb/Makefile.part
+++ b/share/i18n/esdb/Makefile.part
@@ -60,16 +60,16 @@ esdb.alias.${ESUBDIR}: ${PARTFILE} ${ALIASFILE}
.endfor
echo >>${.TARGET}
+.if !defined(_SKIP_BUILD)
all: esdb.dir.${ESUBDIR} esdb.alias.${ESUBDIR} codesets
+.endif
codesets: ${ESDB}
.if !defined(NO_PREPROC)
.for i in ${PART}
-.if !exists(${EPREFIX}${i:S/:/@/}.src)
${EPREFIX}${i:S/:/@/}.src: ${CODE}.src
- sed ${SED_EXP:S@%%PART%%@${i}@} ${.CURDIR}/${CODE}.src > ${EPREFIX}${i:S/:/@/}.src
- @echo ${EPREFIX}${i:S/:/@/}.src >>.tmpfiles
-.endif
+ sed ${SED_EXP:S@%%PART%%@${i}@} ${.ALLSRC} > ${.TARGET}
+ @echo ${.TARGET} >>.tmpfiles
.endfor
.endif
diff --git a/share/i18n/esdb/UTF/Makefile b/share/i18n/esdb/UTF/Makefile
index 92ddcdd123ad..a8e21efdd201 100644
--- a/share/i18n/esdb/UTF/Makefile
+++ b/share/i18n/esdb/UTF/Makefile
@@ -36,6 +36,6 @@ ${EPREFIX}${i}.src: ${CODE}.src
sed -e 's/UTF-x/UTF-${i}/' \
-e 's/UTF-mod/${UTF-${i}-mod}/' \
-e 's/UTF-var/${UTF-${i}-var}/' \
- ${.CURDIR}/${CODE}.src > ${EPREFIX}${i:S/:/@/}.src
- @echo ${EPREFIX}${i:S/:/@/}.src >>.tmpfiles
+ ${.ALLSRC} > ${.TARGET}
+ @echo ${.TARGET} >>.tmpfiles
.endfor
diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5
index 62c288b0d991..b6d9bb485a6f 100644
--- a/share/man/man5/src.conf.5
+++ b/share/man/man5/src.conf.5
@@ -1,7 +1,7 @@
.\" DO NOT EDIT-- this file is automatically generated.
.\" from FreeBSD: head/tools/build/options/makeman 292283 2015-12-15 18:42:30Z bdrewery
.\" $FreeBSD$
-.Dd March 1, 2016
+.Dd March 11, 2016
.Dt SRC.CONF 5
.Os
.Sh NAME
@@ -618,14 +618,12 @@ An alternate bootstrap tool chain must be provided.
.\" from FreeBSD: head/tools/build/options/WITHOUT_EXAMPLES 156938 2006-03-21 09:06:24Z ru
Set to avoid installing examples to
.Pa /usr/share/examples/ .
-.It Va WITH_FAST_DEPEND
-.\" from FreeBSD: head/tools/build/options/WITH_FAST_DEPEND 290433 2015-11-06 04:45:29Z bdrewery
-Set to generate
-.Sy .depend
-files in the build during compilation instead of the
-historial
+.It Va WITHOUT_FAST_DEPEND
+.\" from FreeBSD: head/tools/build/options/WITHOUT_FAST_DEPEND 296669 2016-03-11 17:00:42Z bdrewery
+Set to use the historical
.Xr mkdep 1
-call during the "make depend" phase.
+for the "make depend" phase of the build.
+This option is deprecated and will be removed soon.
.It Va WITHOUT_FDT
.\" from FreeBSD: head/tools/build/options/WITHOUT_FDT 221539 2011-05-06 19:10:27Z ru
Set to not build Flattened Device Tree support as part of the base system.
diff --git a/share/man/man9/sx.9 b/share/man/man9/sx.9
index 49a064e39898..a9931a943908 100644
--- a/share/man/man9/sx.9
+++ b/share/man/man9/sx.9
@@ -26,7 +26,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd December 13, 2014
+.Dd March 13, 2016
.Dt SX 9
.Os
.Sh NAME
@@ -124,12 +124,10 @@ specifies a set of optional flags to alter the behavior of
It contains one or more of the following flags:
.Bl -tag -width SX_NOADAPTIVE
.It Dv SX_NOADAPTIVE
-If the kernel is not compiled with
-.Cd "options NO_ADAPTIVE_SX" ,
-then lock operations for
-.Fa sx
-will spin instead of sleeping while an exclusive lock holder is executing on
-another CPU.
+Disable adaptive spinning, rather than sleeping, for lock operations
+while an exclusive lock holder is executing on another CPU.
+Adaptive spinning is the default unless the kernel is compiled with
+.Cd "options NO_ADAPTIVE_SX" .
.It Dv SX_DUPOK
Witness should not log messages about duplicate locks being acquired.
.It Dv SX_NOWITNESS
diff --git a/share/mk/bsd.dep.mk b/share/mk/bsd.dep.mk
index 19ab9e558aa1..92c10a4a90b4 100644
--- a/share/mk/bsd.dep.mk
+++ b/share/mk/bsd.dep.mk
@@ -176,7 +176,9 @@ ${_D}.po: ${_DSRC} ${POBJS:S/^${_D}.po$//}
_meta_filemon= 1
.endif
.if ${MK_FAST_DEPEND} == "yes"
+.if ${MAKE_VERSION} < 20160220
DEPEND_MP?= -MP
+.endif
# Handle OBJS=../somefile.o hacks. Just replace '/' rather than use :T to
# avoid collisions.
DEPEND_FILTER= C,/,_,g
@@ -200,7 +202,11 @@ CFLAGS+= ${DEPEND_CFLAGS}
.endif
.if !defined(_SKIP_READ_DEPEND)
.for __depend_obj in ${DEPENDFILES_OBJS}
+.if ${MAKE_VERSION} < 20160220
.sinclude "${.OBJDIR}/${__depend_obj}"
+.else
+.dinclude "${.OBJDIR}/${__depend_obj}"
+.endif
.endfor
.endif # !defined(_SKIP_READ_DEPEND)
.endif # !defined(_meta_filemon)
diff --git a/share/mk/bsd.files.mk b/share/mk/bsd.files.mk
index d4fd5095c0d4..fa395f8885fb 100644
--- a/share/mk/bsd.files.mk
+++ b/share/mk/bsd.files.mk
@@ -30,9 +30,7 @@ ${group}OWN?= ${SHAREOWN}
${group}GRP?= ${SHAREGRP}
${group}MODE?= ${SHAREMODE}
${group}DIR?= ${BINDIR}
-.if !make(buildincludes)
STAGE_SETS+= ${group}
-.endif
STAGE_DIR.${group}= ${STAGE_OBJTOP}${${group}DIR}
.if defined(NO_ROOT)
@@ -57,9 +55,7 @@ ${group}NAME_${file:T}?= ${${group}NAME}
.else
${group}NAME_${file:T}?= ${file:T}
.endif
-.if !make(buildincludes)
STAGE_AS_SETS+= ${file:T}
-.endif
STAGE_AS_${file:T}= ${${group}NAME_${file:T}}
# XXX {group}OWN,GRP,MODE
STAGE_DIR.${file:T}= ${STAGE_OBJTOP}${${group}DIR_${file:T}}
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
index b073782d934b..0fae1559f74b 100644
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -52,6 +52,7 @@ __DEFAULT_YES_OPTIONS = \
ASSERT_DEBUG \
DEBUG_FILES \
DOCCOMPRESS \
+ FAST_DEPEND \
INCLUDES \
INSTALLLIB \
KERBEROS \
@@ -68,7 +69,6 @@ __DEFAULT_YES_OPTIONS = \
__DEFAULT_NO_OPTIONS = \
CCACHE_BUILD \
- FAST_DEPEND \
CTF \
INSTALL_AS_USER \
STALE_STAGED
diff --git a/share/mk/bsd.subdir.mk b/share/mk/bsd.subdir.mk
index 290f8942970e..fa6c6d49292a 100644
--- a/share/mk/bsd.subdir.mk
+++ b/share/mk/bsd.subdir.mk
@@ -131,7 +131,8 @@ ${SUBDIR:N.WAIT}: .PHONY .MAKE
# such as 'install' becoming {before,real,after}install, just recurse
# 'install'. Despite that, 'realinstall' is special due to ordering issues
# with 'afterinstall'.
-.if make(${__target}) || (${__target} == realinstall && make(install))
+.if !defined(NO_SUBDIR) && (make(${__target}) || \
+ (${__target} == realinstall && make(install)))
# Can ordering be skipped for this and SUBDIR_PARALLEL forced?
.if ${STANDALONE_SUBDIR_TARGETS:M${__target}}
_is_standalone_target= 1
@@ -153,12 +154,10 @@ __deps+= ${__target}_subdir_${DIRPRFX}${__dep}
.endfor
.endif
${__target}_subdir_${DIRPRFX}${__dir}: .PHONY .MAKE .SILENT ${__deps}
-.if !defined(NO_SUBDIR)
@${_+_}target=${__target:realinstall=install}; \
dir=${__dir}; \
${_SUBDIR_SH};
.endif
-.endif
.endfor # __dir in ${SUBDIR}
${__target}: ${__subdir_targets}
.else
diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk
index be4c52fe471f..cf53d861fe23 100644
--- a/share/mk/bsd.sys.mk
+++ b/share/mk/bsd.sys.mk
@@ -197,8 +197,9 @@ staging stage_libs stage_files stage_as stage_links stage_symlinks:
.else
# allow targets like beforeinstall to be leveraged
DESTDIR= ${STAGE_OBJTOP}
+.export DESTDIR
-.if commands(beforeinstall)
+.if target(beforeinstall)
.if !empty(_LIBS) || (${MK_STAGING_PROG} != "no" && !defined(INTERNALPROG))
staging: beforeinstall
.endif
diff --git a/share/mk/dirdeps.mk b/share/mk/dirdeps.mk
index a989f953b265..efc729c0f2e7 100644
--- a/share/mk/dirdeps.mk
+++ b/share/mk/dirdeps.mk
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $Id: dirdeps.mk,v 1.55 2015/10/20 22:04:53 sjg Exp $
+# $Id: dirdeps.mk,v 1.59 2016/02/26 23:32:29 sjg Exp $
# Copyright (c) 2010-2013, Juniper Networks, Inc.
# All rights reserved.
@@ -122,6 +122,9 @@ _DIRDEP_USE_LEVEL?= 0
# and non-specific Makefile.depend*
.if !target(_DIRDEP_USE)
+# make sure we get the behavior we expect
+.MAKE.SAVE_DOLLARS = no
+
# do some setup we only need once
_CURDIR ?= ${.CURDIR}
_OBJDIR ?= ${.OBJDIR}
@@ -257,11 +260,8 @@ DEP_RELDIR := ${DIRDEPS:R:[1]}
MK_DIRDEPS_CACHE = no
.endif
-
-# pickup customizations
-# as below you can use !target(_DIRDEP_USE) to protect things
-# which should only be done once.
-.-include "local.dirdeps.mk"
+# reset each time through
+_build_all_dirs =
# the first time we are included the _DIRDEP_USE target will not be defined
# we can use this as a clue to do initialization and other one time things.
@@ -281,6 +281,14 @@ DEBUG_DIRDEPS ?= no
# remember the initial value of DEP_RELDIR - we test for it below.
_DEP_RELDIR := ${DEP_RELDIR}
+.endif
+
+# pickup customizations
+# as below you can use !target(_DIRDEP_USE) to protect things
+# which should only be done once.
+.-include "local.dirdeps.mk"
+
+.if !target(_DIRDEP_USE)
# things we skip for host tools
SKIP_HOSTDIR ?=
@@ -400,6 +408,7 @@ ${DIRDEPS_CACHE}: .META .NOMETA_CMP
MAKEFLAGS= ${.MAKE} -C ${_CURDIR} -f ${BUILD_DIRDEPS_MAKEFILE} \
${BUILD_DIRDEPS_TARGETS} BUILD_DIRDEPS_CACHE=yes \
.MAKE.DEPENDFILE=.none \
+ ${.MAKEFLAGS:tW:S,-D ,-D,g:tw:M*WITH*} \
3>&1 1>&2 | sed 's,${SRCTOP},$${SRCTOP},g' >> ${.TARGET}.new && \
mv ${.TARGET}.new ${.TARGET}
@@ -480,7 +489,11 @@ _build_dirs += ${_machines:@m@${_CURDIR}.$m@}
_build_dirs += ${_machines:N${DEP_TARGET_SPEC}:@m@${_CURDIR}.$m@}
.if ${DEP_TARGET_SPEC} == ${TARGET_SPEC}
# pickup local dependencies now
+.if ${MAKE_VERSION} < 20160220
.-include <.depend>
+.else
+.dinclude <.depend>
+.endif
.endif
.endif
.endif
@@ -532,22 +545,25 @@ _build_dirs += \
# qualify everything now
_build_dirs := ${_build_dirs:${M_dep_qual_fixes:ts:}:O:u}
+_build_all_dirs += ${_build_dirs}
+_build_all_dirs := ${_build_all_dirs:O:u}
+
.endif # empty DIRDEPS
# Normally if doing make -V something,
# we do not want to waste time chasing DIRDEPS
# but if we want to count the number of Makefile.depend* read, we do.
.if ${.MAKEFLAGS:M-V${_V_READ_DIRDEPS}} == ""
-.if !empty(_build_dirs)
+.if !empty(_build_all_dirs)
.if ${BUILD_DIRDEPS_CACHE} == "yes"
x!= { echo; echo '\# ${DEP_RELDIR}.${DEP_TARGET_SPEC}'; \
- echo 'dirdeps: ${_build_dirs:${M_oneperline}}'; echo; } >&3; echo
-x!= { ${_build_dirs:@x@${target($x):?:echo '$x: _DIRDEP_USE';}@} echo; } >&3; echo
+ echo 'dirdeps: ${_build_all_dirs:${M_oneperline}}'; echo; } >&3; echo
+x!= { ${_build_all_dirs:@x@${target($x):?:echo '$x: _DIRDEP_USE';}@} echo; } >&3; echo
.else
# this makes it all happen
-dirdeps: ${_build_dirs}
+dirdeps: ${_build_all_dirs}
.endif
-${_build_dirs}: _DIRDEP_USE
+${_build_all_dirs}: _DIRDEP_USE
.if ${_debug_reldir}
.info ${DEP_RELDIR}.${DEP_TARGET_SPEC}: needs: ${_build_dirs}
@@ -581,14 +597,14 @@ ${_this_dir}.$m: ${_build_dirs:M*.$m:N${_this_dir}.$m}
.endif
# Now find more dependencies - and recurse.
-.for d in ${_build_dirs}
+.for d in ${_build_all_dirs}
.if ${_DIRDEP_CHECKED:M$d} == ""
# once only
_DIRDEP_CHECKED += $d
.if ${_debug_search}
.info checking $d
.endif
-# Note: _build_dirs is fully qualifed so d:R is always the directory
+# Note: _build_all_dirs is fully qualifed so d:R is always the directory
.if exists(${d:R})
# Warning: there is an assumption here that MACHINE is always
# the first entry in TARGET_SPEC_VARS.
@@ -628,28 +644,37 @@ DIRDEPS =
DEP_RELDIR := ${RELDIR}
_DEP_RELDIR := ${RELDIR}
# pickup local dependencies
+.if ${MAKE_VERSION} < 20160220
.-include <.depend>
+.else
+.dinclude <.depend>
+.endif
.endif
# bootstrapping new dependencies made easy?
-.if (make(bootstrap) || make(bootstrap-recurse)) && !target(bootstrap)
+.if !target(bootstrap) && (make(bootstrap) || \
+ make(bootstrap-this) || \
+ make(bootstrap-recurse) || \
+ make(bootstrap-empty))
.if exists(${.CURDIR}/${.MAKE.DEPENDFILE:T})
# stop here
${.TARGETS:Mboot*}:
-.else
+.elif !make(bootstrap-empty)
# find a Makefile.depend to use as _src
_src != cd ${.CURDIR} && for m in ${.MAKE.DEPENDFILE_PREFERENCE:T:S,${MACHINE},*,}; do test -s $$m || continue; echo $$m; break; done; echo
.if empty(_src)
-.error cannot find any of ${.MAKE.DEPENDFILE_PREFERENCE:T}
+.error cannot find any of ${.MAKE.DEPENDFILE_PREFERENCE:T}${.newline}Use: bootstrap-empty
.endif
_src?= ${.MAKE.DEPENDFILE:T}
+# just create Makefile.depend* for this dir
bootstrap-this: .NOTMAIN
@echo Bootstrapping ${RELDIR}/${.MAKE.DEPENDFILE:T} from ${_src:T}
(cd ${.CURDIR} && sed 's,${_src:E},${MACHINE},g' ${_src} > ${.MAKE.DEPENDFILE:T})
+# create Makefile.depend* for this dir and its dependencies
bootstrap: bootstrap-recurse
bootstrap-recurse: bootstrap-this
@@ -664,4 +689,11 @@ bootstrap-recurse: .NOTMAIN .MAKE
done
.endif
+
+# create an empty Makefile.depend* to get the ball rolling.
+bootstrap-empty: .NOTMAIN .NOMETA
+ @echo Creating empty ${RELDIR}/${.MAKE.DEPENDFILE:T}; \
+ echo You need to build ${RELDIR} to correctly populate it.
+ @{ echo DIRDEPS=; echo ".include <dirdeps.mk>"; } > ${.CURDIR}/${.MAKE.DEPENDFILE:T}
+
.endif
diff --git a/share/mk/gendirdeps.mk b/share/mk/gendirdeps.mk
index b4d1386b6362..cacb57056076 100644
--- a/share/mk/gendirdeps.mk
+++ b/share/mk/gendirdeps.mk
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $Id: gendirdeps.mk,v 1.29 2015/10/03 05:00:46 sjg Exp $
+# $Id: gendirdeps.mk,v 1.30 2016/02/27 00:20:39 sjg Exp $
# Copyright (c) 2010-2013, Juniper Networks, Inc.
# All rights reserved.
@@ -310,7 +310,7 @@ CAT_DEPEND ?= .depend
# .depend may contain things we don't want.
# The sed command at the end of the stream, allows for the filters
# to output _{VAR} tokens which we will turn into proper ${VAR} references.
-${_DEPENDFILE}: ${CAT_DEPEND:M.depend} ${META_FILES:O:u:@m@${exists($m):?$m:}@} ${_this} ${META2DEPS}
+${_DEPENDFILE}: .NOMETA ${CAT_DEPEND:M.depend} ${META_FILES:O:u:@m@${exists($m):?$m:}@} ${_this} ${META2DEPS}
@(${GENDIRDEPS_HEADER} echo '# Autogenerated - do NOT edit!'; echo; \
echo 'DIRDEPS = \'; \
echo '${DIRDEPS:@d@ $d \\${.newline}@}'; echo; \
@@ -330,7 +330,7 @@ DIRDEPS := ${SUBDIR:S,^,${RELDIR}/,:O:u}
all: ${_DEPENDFILE}
-${_DEPENDFILE}: ${MAKEFILE} ${_this}
+${_DEPENDFILE}: .NOMETA ${MAKEFILE} ${_this}
@(${GENDIRDEPS_HEADER} echo '# Autogenerated - do NOT edit!'; echo; \
echo 'DIRDEPS = \'; \
echo '${DIRDEPS:@d@ $d \\${.newline}@}'; echo; \
diff --git a/share/mk/local.meta.sys.mk b/share/mk/local.meta.sys.mk
index 9f000f58b803..14bfb64d9c35 100644
--- a/share/mk/local.meta.sys.mk
+++ b/share/mk/local.meta.sys.mk
@@ -132,6 +132,16 @@ PYTHON ?= /usr/local/bin/python
.export PYTHON
# this works best if share/mk is ready for it.
BUILD_AT_LEVEL0= no
+# _SKIP_BUILD is not 100% as it requires wrapping all 'all:' targets to avoid
+# building in MAKELEVEL0. Just prohibit 'all' entirely in this case to avoid
+# problems.
+.if ${MK_DIRDEPS_BUILD} == "yes" && \
+ ${.MAKE.LEVEL} == 0 && ${BUILD_AT_LEVEL0:Uyes:tl} == "no"
+.MAIN: dirdeps
+.if make(all)
+.error DIRDEPS_BUILD: Please run '${MAKE}' instead of '${MAKE} all'.
+.endif
+.endif
# we want to end up with a singe stage tree for all machines
.if ${MK_STAGING} == "yes"
@@ -236,8 +246,7 @@ PATH:= ${TOOLSDIR}${dir}:${PATH}
_toolchain_bin.${var}= ${TOOLSDIR}${_toolchain_bin_${var}:U/usr/bin/${var:tl}}
.if exists(${_toolchain_bin.${var}})
HOST_${var}?= ${_toolchain_bin.${var}}
-${var}?= ${HOST_${var}}
-.export HOST_${var} ${var}
+.export HOST_${var}
.endif
.endfor
.endif
diff --git a/share/mk/local.sys.mk b/share/mk/local.sys.mk
index c1baee50bcb1..ae022a19d4b7 100644
--- a/share/mk/local.sys.mk
+++ b/share/mk/local.sys.mk
@@ -27,12 +27,26 @@ MAKE_PRINT_VAR_ON_ERROR += .MAKE.MAKEFILES .PATH
.if ${.MAKE.MODE:Mmeta*} != ""
# we can afford to use cookies to prevent some targets
-# re-running needlessly
-META_COOKIE_TOUCH= touch ${COOKIE.${.TARGET}:U${.OBJDIR}/${.TARGET}}
-# some targets need to be .PHONY - but not in meta mode
-META_NOPHONY=
+# re-running needlessly but only when using filemon.
+.if ${.MAKE.MODE:Mnofilemon} == ""
+META_COOKIE= ${COOKIE.${.TARGET}:U${.OBJDIR}/${.TARGET}}
+META_COOKIE_RM= @rm -f ${META_COOKIE}
+META_COOKIE_TOUCH= @touch ${META_COOKIE}
+CLEANFILES+= ${META_TARGETS}
+_meta_dep_before: .USEBEFORE .NOTMAIN
+ ${META_COOKIE_RM}
+_meta_dep_after: .USE .NOTMAIN
+ ${META_COOKIE_TOUCH}
+# Attach this to a target to allow it to benefit from meta mode's
+# not rerunning a command if it doesn't need to be considering its
+# metafile/filemon-tracked dependencies.
+META_DEPS= _meta_dep_before _meta_dep_after .META
+.endif
.else
-META_COOKIE_TOUCH=
-META_NOPHONY= .PHONY
+# some targets need to be .PHONY - but not in meta mode
+META_NOPHONY= .PHONY
.endif
-
+META_NOPHONY?=
+META_COOKIE_RM?=
+META_COOKIE_TOUCH?=
+META_DEPS+= ${META_NOPHONY}
diff --git a/share/mk/meta.autodep.mk b/share/mk/meta.autodep.mk
index aa41c6e2041c..ac0c40892e98 100644
--- a/share/mk/meta.autodep.mk
+++ b/share/mk/meta.autodep.mk
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $Id: meta.autodep.mk,v 1.36 2014/08/02 23:10:29 sjg Exp $
+# $Id: meta.autodep.mk,v 1.40 2016/02/22 22:44:58 sjg Exp $
#
# @(#) Copyright (c) 2010, Simon J. Gerraty
@@ -87,7 +87,7 @@ WANT_UPDATE_DEPENDFILE ?= yes
.endif
.if ${WANT_UPDATE_DEPENDFILE:Uno:tl} != "no"
-.if ${.MAKE.MODE:Mmeta*} == "" || ${.MAKE.MODE:M*read*} != ""
+.if ${.MAKE.MODE:Uno:Mmeta*} == "" || ${.MAKE.MODE:Uno:M*read*} != ""
UPDATE_DEPENDFILE = no
.endif
diff --git a/share/mk/meta.stage.mk b/share/mk/meta.stage.mk
index 0f5f37dab069..e31582837359 100644
--- a/share/mk/meta.stage.mk
+++ b/share/mk/meta.stage.mk
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $Id: meta.stage.mk,v 1.35 2015/05/20 06:40:33 sjg Exp $
+# $Id: meta.stage.mk,v 1.43 2016/02/24 18:46:32 sjg Exp $
#
# @(#) Copyright (c) 2011, Simon J. Gerraty
#
@@ -27,7 +27,7 @@ _dirdep = ${RELDIR}
CLEANFILES+= .dirdep
# this allows us to trace dependencies back to their src dir
-.dirdep:
+.dirdep: .NOPATH
@echo '${_dirdep}' > $@
.if defined(NO_POSIX_SHELL) || ${type printf:L:sh:Mbuiltin} == ""
@@ -242,7 +242,7 @@ CLEANFILES += ${STAGE_TARGETS} stage_incs stage_includes
# for non-jobs mode the order here matters
staging: ${STAGE_TARGETS:N*_links} ${STAGE_TARGETS:M*_links}
-.if ${.MAKE.JOBS:U0} > 0 && ${STAGE_TARGETS:M*_links} != ""
+.if ${.MAKE.JOBS:U0} > 0 && ${STAGE_TARGETS:U:M*_links} != ""
# the above isn't sufficient
.for t in ${STAGE_TARGETS:N*links:O:u}
.ORDER: $t stage_links
diff --git a/share/mk/meta.sys.mk b/share/mk/meta.sys.mk
index 8a42b6cf7de3..5c68c888c71b 100644
--- a/share/mk/meta.sys.mk
+++ b/share/mk/meta.sys.mk
@@ -111,7 +111,7 @@ _metaError: .NOMETA .NOTMAIN
.endif
# Are we, after all, in meta mode?
-.if ${.MAKE.MODE:Mmeta*} != ""
+.if ${.MAKE.MODE:Uno:Mmeta*} != ""
MKDEP_MK = meta.autodep.mk
# if we think we are updating dependencies,
diff --git a/share/mk/sys.dependfile.mk b/share/mk/sys.dependfile.mk
index d12d939750b8..745873f6bfeb 100644
--- a/share/mk/sys.dependfile.mk
+++ b/share/mk/sys.dependfile.mk
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $Id: sys.dependfile.mk,v 1.6 2014/08/02 18:02:06 sjg Exp $
+# $Id: sys.dependfile.mk,v 1.7 2016/02/20 01:57:39 sjg Exp $
#
# @(#) Copyright (c) 2012, Simon J. Gerraty
#
@@ -49,8 +49,10 @@ _e := ${.MAKE.DEPENDFILE_PREFERENCE:@m@${exists($m):?$m:}@}
# MACHINE specific depend files are supported, but *not* default.
# If any already exist, we should follow suit.
_aml = ${ALL_MACHINE_LIST:Uarm amd64 i386 powerpc:N${MACHINE}} ${MACHINE}
-# MACHINE must be the last entry in _aml ;-)
+# make sure we restore MACHINE
+_m := ${MACHINE}
_e := ${_aml:@MACHINE@${.MAKE.DEPENDFILE_PREFERENCE:@m@${exists($m):?$m:}@}@}
+MACHINE := ${_m}
.if !empty(_e)
.MAKE.DEPENDFILE ?= ${.MAKE.DEPENDFILE_PREFERENCE:M*${MACHINE}:[1]}
.endif
diff --git a/share/sendmail/Makefile b/share/sendmail/Makefile
index 0e1a27dd3018..2b1ae071c3d9 100644
--- a/share/sendmail/Makefile
+++ b/share/sendmail/Makefile
@@ -17,8 +17,9 @@ SHARED?= copies
all clean cleandir depend lint tags:
beforeinstall: ${SHARED}
+META_TARGETS+= copies symlinks
-copies::
+copies: ${META_DEPS}
if [ -L ${DDIR}/${CFDIR} ]; then rm -f ${DDIR}/${CFDIR}; fi
.for dir in ${CFDIRS}
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 -d ${DDIR}/${dir}
@@ -27,7 +28,7 @@ copies::
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 ${SENDMAIL_DIR}/${file} ${DDIR}/${file}
.endfor
-symlinks::
+symlinks: ${META_DEPS}
rm -rf ${DDIR}/${CFDIR}; ln -s ${SENDMAIL_DIR}/${CFDIR} ${DDIR}/${CFDIR}
.include <bsd.prog.mk>
diff --git a/share/sendmail/Makefile.depend b/share/sendmail/Makefile.depend
index f80275d86ab1..d7cfba0e4f6e 100644
--- a/share/sendmail/Makefile.depend
+++ b/share/sendmail/Makefile.depend
@@ -2,6 +2,7 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
+ usr.bin/xinstall.host \
.include <dirdeps.mk>
diff --git a/share/zoneinfo/Makefile b/share/zoneinfo/Makefile
index b3d968dc4b4e..1ca7ea6cd95d 100644
--- a/share/zoneinfo/Makefile
+++ b/share/zoneinfo/Makefile
@@ -67,17 +67,20 @@ TZBUILDSUBDIRS= \
Pacific \
SystemV
+.if !defined(_SKIP_BUILD)
all: zoneinfo
+.endif
+META_TARGETS+= zoneinfo install-zoneinfo
-.PHONY: zoneinfo
-zoneinfo: yearistype ${TDATA}
+zoneinfo: yearistype ${TDATA} ${META_DEPS}
mkdir -p ${TZBUILDDIR}
cd ${TZBUILDDIR}; mkdir -p ${TZBUILDSUBDIRS}
umask 022; cd ${.CURDIR}; \
zic -D -d ${TZBUILDDIR} -p ${POSIXRULES} -m ${NOBINMODE} \
${LEAPFILE} -y ${.OBJDIR}/yearistype ${TZFILES}
-beforeinstall:
+beforeinstall: install-zoneinfo
+install-zoneinfo: ${META_DEPS}
cd ${TZBUILDDIR} && \
find -s * -type f -print -exec ${INSTALL} \
-o ${BINOWN} -g ${BINGRP} -m ${NOBINMODE} \
diff --git a/share/zoneinfo/Makefile.depend b/share/zoneinfo/Makefile.depend
index f80275d86ab1..d7cfba0e4f6e 100644
--- a/share/zoneinfo/Makefile.depend
+++ b/share/zoneinfo/Makefile.depend
@@ -2,6 +2,7 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
+ usr.bin/xinstall.host \
.include <dirdeps.mk>
diff --git a/sys/arm/allwinner/a10_hdmi.c b/sys/arm/allwinner/a10_hdmi.c
index cf36ea902094..9bb9869d6e17 100644
--- a/sys/arm/allwinner/a10_hdmi.c
+++ b/sys/arm/allwinner/a10_hdmi.c
@@ -203,6 +203,7 @@ struct a10hdmi_softc {
uint8_t edid[EDID_LENGTH];
+ int has_hdmi;
int has_audio;
};
@@ -371,27 +372,29 @@ a10hdmi_ddc_read(struct a10hdmi_softc *sc, int block, uint8_t *edid)
return (0);
}
-static int
-a10hdmi_detect_audio(struct a10hdmi_softc *sc)
+static void
+a10hdmi_detect_hdmi(struct a10hdmi_softc *sc, int *phdmi, int *paudio)
{
struct edid_info ei;
uint8_t edid[EDID_LENGTH];
int block;
+ *phdmi = *paudio = 0;
+
if (edid_parse(sc->edid, &ei) != 0)
- return (0);
+ return;
/* Scan through extension blocks, looking for a CEA-861 block. */
for (block = 1; block <= ei.edid_ext_block_count; block++) {
if (a10hdmi_ddc_read(sc, block, edid) != 0)
- break;
+ return;
- if (edid[EXT_TAG] == CEA_TAG_ID)
- return ((edid[CEA_DTD] & DTD_BASIC_AUDIO) != 0);
+ if (edid[EXT_TAG] == CEA_TAG_ID) {
+ *phdmi = 1;
+ *paudio = ((edid[CEA_DTD] & DTD_BASIC_AUDIO) != 0);
+ return;
+ }
}
-
- /* No CEA-861 block found */
- return (0);
}
static int
@@ -426,9 +429,9 @@ a10hdmi_get_edid(device_t dev, uint8_t **edid, uint32_t *edid_len)
}
if (error == 0)
- sc->has_audio = a10hdmi_detect_audio(sc);
+ a10hdmi_detect_hdmi(sc, &sc->has_hdmi, &sc->has_audio);
else
- sc->has_audio = 0;
+ sc->has_hdmi = sc->has_audio = 0;
return (error);
}
@@ -515,7 +518,9 @@ a10hdmi_set_videomode(device_t dev, const struct videomode *mode)
PLLCTRL0_VCO_S);
/* Setup display settings */
- val = VID_CTRL_HDMI_MODE;
+ val = 0;
+ if (sc->has_hdmi)
+ val |= VID_CTRL_HDMI_MODE;
if (mode->flags & VID_INTERLACE)
val |= VID_CTRL_INTERLACE;
if (mode->flags & VID_DBLSCAN)
diff --git a/sys/arm/arm/gic.c b/sys/arm/arm/gic.c
index 2b0abf637908..cf72820a95db 100644
--- a/sys/arm/arm/gic.c
+++ b/sys/arm/arm/gic.c
@@ -755,7 +755,7 @@ gic_map_fdt(struct arm_gic_softc *sc, struct intr_irqsrc *isrc, u_int *irqp)
* The hardware only supports active-high-level or rising-edge.
*/
tripol = isrc->isrc_cells[2];
- if (tripol & 0x0a) {
+ if (tripol & 0x0a && irq >= GIC_FIRST_SPI) {
device_printf(sc->gic_dev,
"unsupported trigger/polarity configuration "
"0x%02x\n", tripol & 0x0f);
diff --git a/sys/arm/arm/vm_machdep.c b/sys/arm/arm/vm_machdep.c
index 6a70cbf403e0..70d6c705897b 100644
--- a/sys/arm/arm/vm_machdep.c
+++ b/sys/arm/arm/vm_machdep.c
@@ -40,6 +40,8 @@
* Utah $Hdr: vm_machdep.c 1.16.1.1 89/06/23$
*/
+#include "opt_compat.h"
+
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
@@ -180,7 +182,7 @@ cpu_set_syscall_retval(struct thread *td, int error)
/*
* __syscall returns an off_t while most other syscalls return an
* int. As an off_t is 64-bits and an int is 32-bits we need to
- * place the returned data into r1. As the lseek and frerebsd6_lseek
+ * place the returned data into r1. As the lseek and freebsd6_lseek
* syscalls also return an off_t they do not need this fixup.
*/
call = frame->tf_r7;
@@ -189,8 +191,11 @@ cpu_set_syscall_retval(struct thread *td, int error)
register_t code = ap[_QUAD_LOWWORD];
if (td->td_proc->p_sysent->sv_mask)
code &= td->td_proc->p_sysent->sv_mask;
- fixup = (code != SYS_freebsd6_lseek && code != SYS_lseek)
- ? 1 : 0;
+ fixup = (
+#if defined(COMPAT_FREEBSD6) && defined(SYS_freebsd6_lseek)
+ code != SYS_freebsd6_lseek &&
+#endif
+ code != SYS_lseek) ? 1 : 0;
}
#endif
diff --git a/sys/arm/conf/ARMADA38X b/sys/arm/conf/ARMADA38X
index d6b36642e940..7cc7702bc732 100644
--- a/sys/arm/conf/ARMADA38X
+++ b/sys/arm/conf/ARMADA38X
@@ -23,6 +23,7 @@ options SCHED_ULE # ULE scheduler
#options SCHED_4BSD # 4BSD scheduler
options SMP
+options ARM_INTRNG
# Debugging
#options DEBUG
@@ -70,6 +71,7 @@ device mpcore_timer
# USB
device usb
device ehci
+device xhci
device umass
device scbus
device pass
diff --git a/sys/arm/mv/armada38x/files.armada38x b/sys/arm/mv/armada38x/files.armada38x
index e246f585127e..599919d1a62f 100644
--- a/sys/arm/mv/armada38x/files.armada38x
+++ b/sys/arm/mv/armada38x/files.armada38x
@@ -1,4 +1,5 @@
# $FreeBSD$
+arm/mv/mpic.c standard
arm/mv/armada38x/armada38x.c standard
arm/mv/armada38x/armada38x_mp.c optional smp
diff --git a/sys/arm/mv/files.mv b/sys/arm/mv/files.mv
index 29edffbb13f0..635173da86dc 100644
--- a/sys/arm/mv/files.mv
+++ b/sys/arm/mv/files.mv
@@ -27,5 +27,6 @@ dev/nand/nfc_mv.c optional nand
dev/mvs/mvs_soc.c optional mvs
dev/uart/uart_dev_ns8250.c optional uart
dev/usb/controller/ehci_mv.c optional ehci
+dev/usb/controller/xhci_mv.c optional xhci
kern/kern_clocksource.c standard
diff --git a/sys/arm/mv/mpic.c b/sys/arm/mv/mpic.c
index ebd14773913a..e81820c5047f 100644
--- a/sys/arm/mv/mpic.c
+++ b/sys/arm/mv/mpic.c
@@ -33,14 +33,20 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_platform.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/bus.h>
#include <sys/kernel.h>
#include <sys/cpuset.h>
#include <sys/ktr.h>
+#include <sys/kdb.h>
#include <sys/module.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
#include <sys/rman.h>
+#include <sys/proc.h>
#include <machine/bus.h>
#include <machine/intr.h>
@@ -48,11 +54,16 @@ __FBSDID("$FreeBSD$");
#include <machine/smp.h>
#include <arm/mv/mvvar.h>
+#include <arm/mv/mvreg.h>
#include <dev/ofw/ofw_bus.h>
#include <dev/ofw/ofw_bus_subr.h>
#include <dev/fdt/fdt_common.h>
+#ifdef ARM_INTRNG
+#include "pic_if.h"
+#endif
+
#ifdef DEBUG
#define debugf(fmt, args...) do { printf("%s(): ", __func__); \
printf(fmt,##args); } while (0)
@@ -60,46 +71,63 @@ __FBSDID("$FreeBSD$");
#define debugf(fmt, args...)
#endif
-#define MPIC_INT_ERR 4
-#define MPIC_INT_MSI 96
+#define MPIC_INT_ERR 4
+#define MPIC_INT_MSI 96
-#define IRQ_MASK 0x3ff
+#define IRQ_MASK 0x3ff
-#define MPIC_CTRL 0x0
-#define MPIC_SOFT_INT 0x4
-#define MPIC_SOFT_INT_DRBL1 (1 << 5)
-#define MPIC_ERR_CAUSE 0x20
-#define MPIC_ISE 0x30
-#define MPIC_ICE 0x34
+#define MPIC_CTRL 0x0
+#define MPIC_SOFT_INT 0x4
+#define MPIC_SOFT_INT_DRBL1 (1 << 5)
+#define MPIC_ERR_CAUSE 0x20
+#define MPIC_ISE 0x30
+#define MPIC_ICE 0x34
+#define MPIC_INT_CTL(irq) (0x100 + (irq)*4)
+#define MPIC_INT_IRQ_FIQ_MASK(cpuid) (0x101 << (cpuid))
+#define MPIC_CTRL_NIRQS(ctrl) (((ctrl) >> 2) & 0x3ff)
-#define MPIC_IN_DRBL 0x78
-#define MPIC_IN_DRBL_MASK 0x7c
-#define MPIC_CTP 0xb0
-#define MPIC_CTP 0xb0
-#define MPIC_IIACK 0xb4
-#define MPIC_ISM 0xb8
-#define MPIC_ICM 0xbc
-#define MPIC_ERR_MASK 0xec0
+#define MPIC_IN_DRBL 0x08
+#define MPIC_IN_DRBL_MASK 0x0c
+#define MPIC_PPI_CAUSE 0x10
+#define MPIC_CTP 0x40
+#define MPIC_IIACK 0x44
+#define MPIC_ISM 0x48
+#define MPIC_ICM 0x4c
+#define MPIC_ERR_MASK 0xe50
+
+#define MPIC_PPI 32
struct mv_mpic_softc {
device_t sc_dev;
- struct resource * mpic_res[3];
+ struct resource * mpic_res[4];
bus_space_tag_t mpic_bst;
bus_space_handle_t mpic_bsh;
bus_space_tag_t cpu_bst;
bus_space_handle_t cpu_bsh;
bus_space_tag_t drbl_bst;
bus_space_handle_t drbl_bsh;
+ struct mtx mtx;
+
+ struct intr_irqsrc ** mpic_isrcs;
+ int nirqs;
+ void * intr_hand;
};
static struct resource_spec mv_mpic_spec[] = {
{ SYS_RES_MEMORY, 0, RF_ACTIVE },
{ SYS_RES_MEMORY, 1, RF_ACTIVE },
- { SYS_RES_MEMORY, 2, RF_ACTIVE },
+ { SYS_RES_MEMORY, 2, RF_ACTIVE | RF_OPTIONAL },
+ { SYS_RES_IRQ, 0, RF_ACTIVE | RF_OPTIONAL },
{ -1, 0 }
};
+static struct ofw_compat_data compat_data[] = {
+ {"mrvl,mpic", true},
+ {"marvell,mpic", true},
+ {NULL, false}
+};
+
static struct mv_mpic_softc *mv_mpic_sc = NULL;
void mpic_send_ipi(int cpus, u_int ipi);
@@ -109,9 +137,21 @@ static int mv_mpic_attach(device_t);
uint32_t mv_mpic_get_cause(void);
uint32_t mv_mpic_get_cause_err(void);
uint32_t mv_mpic_get_msi(void);
+static void mpic_unmask_irq(uintptr_t nb);
+static void mpic_mask_irq(uintptr_t nb);
+static void mpic_mask_irq_err(uintptr_t nb);
+static void mpic_unmask_irq_err(uintptr_t nb);
+static int mpic_intr(void *arg);
+static void mpic_unmask_msi(void);
+#ifndef ARM_INTRNG
static void arm_mask_irq_err(uintptr_t);
static void arm_unmask_irq_err(uintptr_t);
-static void arm_unmask_msi(void);
+#endif
+
+#define MPIC_WRITE(softc, reg, val) \
+ bus_space_write_4((softc)->mpic_bst, (softc)->mpic_bsh, (reg), (val))
+#define MPIC_READ(softc, reg) \
+ bus_space_read_4((softc)->mpic_bst, (softc)->mpic_bsh, (reg))
#define MPIC_CPU_WRITE(softc, reg, val) \
bus_space_write_4((softc)->cpu_bst, (softc)->cpu_bsh, (reg), (val))
@@ -130,7 +170,7 @@ mv_mpic_probe(device_t dev)
if (!ofw_bus_status_okay(dev))
return (ENXIO);
- if (!ofw_bus_is_compatible(dev, "mrvl,mpic"))
+ if (!ofw_bus_search_compatible(dev, compat_data)->ocd_data)
return (ENXIO);
device_set_desc(dev, "Marvell Integrated Interrupt Controller");
@@ -142,6 +182,7 @@ mv_mpic_attach(device_t dev)
{
struct mv_mpic_softc *sc;
int error;
+ uint32_t val;
sc = (struct mv_mpic_softc *)device_get_softc(dev);
@@ -151,11 +192,20 @@ mv_mpic_attach(device_t dev)
sc->sc_dev = dev;
+ mtx_init(&sc->mtx, "MPIC lock", NULL, MTX_SPIN);
+
error = bus_alloc_resources(dev, mv_mpic_spec, sc->mpic_res);
if (error) {
device_printf(dev, "could not allocate resources\n");
return (ENXIO);
}
+#ifdef ARM_INTRNG
+ if (sc->mpic_res[3] == NULL)
+ device_printf(dev, "No interrupt to use.\n");
+ else
+ bus_setup_intr(dev, sc->mpic_res[3], INTR_TYPE_CLK,
+ mpic_intr, NULL, sc, &sc->intr_hand);
+#endif
sc->mpic_bst = rman_get_bustag(sc->mpic_res[0]);
sc->mpic_bsh = rman_get_bushandle(sc->mpic_res[0]);
@@ -163,21 +213,182 @@ mv_mpic_attach(device_t dev)
sc->cpu_bst = rman_get_bustag(sc->mpic_res[1]);
sc->cpu_bsh = rman_get_bushandle(sc->mpic_res[1]);
- sc->drbl_bst = rman_get_bustag(sc->mpic_res[2]);
- sc->drbl_bsh = rman_get_bushandle(sc->mpic_res[2]);
+ if (sc->mpic_res[2] != NULL) {
+ /* This is required only if MSIs are used. */
+ sc->drbl_bst = rman_get_bustag(sc->mpic_res[2]);
+ sc->drbl_bsh = rman_get_bushandle(sc->mpic_res[2]);
+ }
bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh,
MPIC_CTRL, 1);
MPIC_CPU_WRITE(mv_mpic_sc, MPIC_CTP, 0);
- arm_unmask_msi();
+ val = MPIC_READ(mv_mpic_sc, MPIC_CTRL);
+ sc->nirqs = MPIC_CTRL_NIRQS(val);
+
+#ifdef ARM_INTRNG
+ sc->mpic_isrcs = malloc(sc->nirqs * sizeof (*sc->mpic_isrcs), M_DEVBUF,
+ M_WAITOK | M_ZERO);
+
+ if (intr_pic_register(dev, OF_xref_from_device(dev)) != 0) {
+ device_printf(dev, "could not register PIC\n");
+ bus_release_resources(dev, mv_mpic_spec, sc->mpic_res);
+ return (ENXIO);
+ }
+#endif
+
+ mpic_unmask_msi();
+
+ return (0);
+}
+
+#ifdef ARM_INTRNG
+static int
+mpic_intr(void *arg)
+{
+ struct mv_mpic_softc *sc;
+ struct trapframe *tf;
+ struct intr_irqsrc *isrc;
+ uint32_t cause, irqsrc;
+ unsigned int irq;
+ u_int cpuid;
+
+ sc = arg;
+ tf = curthread->td_intr_frame;
+ cpuid = PCPU_GET(cpuid);
+ irq = 0;
+
+ for (cause = MPIC_CPU_READ(sc, MPIC_PPI_CAUSE); cause > 0;
+ cause >>= 1, irq++) {
+ if (cause & 1) {
+ irqsrc = MPIC_READ(sc, MPIC_INT_CTL(irq));
+ if ((irqsrc & MPIC_INT_IRQ_FIQ_MASK(cpuid)) == 0)
+ continue;
+ isrc = sc->mpic_isrcs[irq];
+ if (isrc == NULL) {
+ device_printf(sc->sc_dev, "Stray interrupt %u detected\n", irq);
+ mpic_mask_irq(irq);
+ continue;
+ }
+ intr_irq_dispatch(isrc, tf);
+ }
+ }
+
+ return (FILTER_HANDLED);
+}
+
+static int
+mpic_attach_isrc(struct mv_mpic_softc *sc, struct intr_irqsrc *isrc, u_int irq)
+{
+ const char *name;
+
+ mtx_lock_spin(&sc->mtx);
+ if (sc->mpic_isrcs[irq] != NULL) {
+ mtx_unlock_spin(&sc->mtx);
+ return (sc->mpic_isrcs[irq] == isrc ? 0 : EEXIST);
+ }
+ sc->mpic_isrcs[irq] = isrc;
+ isrc->isrc_data = irq;
+ mtx_unlock_spin(&sc->mtx);
+
+ name = device_get_nameunit(sc->sc_dev);
+ intr_irq_set_name(isrc, "%s", name);
+
+ return (0);
+}
+
+#ifdef FDT
+static int
+mpic_map_fdt(struct mv_mpic_softc *sc, struct intr_irqsrc *isrc, u_int *irqp)
+{
+ u_int irq;
+ int error;
+
+ if (isrc->isrc_ncells != 1)
+ return (EINVAL);
+
+ irq = isrc->isrc_cells[0];
+
+ error = mpic_attach_isrc(sc, isrc, irq);
+ if (error != 0)
+ return (error);
+
+ isrc->isrc_nspc_num = irq;
+ isrc->isrc_trig = INTR_TRIGGER_CONFORM;
+ isrc->isrc_pol = INTR_POLARITY_CONFORM;
+ isrc->isrc_nspc_type = INTR_IRQ_NSPC_PLAIN;
+
+ *irqp = irq;
return (0);
}
+#endif
+
+static int
+mpic_register(device_t dev, struct intr_irqsrc *isrc, boolean_t *is_percpu)
+{
+ struct mv_mpic_softc *sc;
+ int error;
+ u_int irq = 0;
+
+ sc = device_get_softc(dev);
+
+#ifdef FDT
+ if (isrc->isrc_type == INTR_ISRCT_FDT)
+ error = mpic_map_fdt(sc, isrc, &irq);
+ else
+#endif
+ error = EINVAL;
+
+ if (error == 0)
+ *is_percpu = irq < MPIC_PPI;
+
+ return (error);
+}
+
+static void
+mpic_disable_source(device_t dev, struct intr_irqsrc *isrc)
+{
+ u_int irq;
+
+ irq = isrc->isrc_data;
+ mpic_mask_irq(irq);
+}
+
+static void
+mpic_enable_source(device_t dev, struct intr_irqsrc *isrc)
+{
+ u_int irq;
+
+ irq = isrc->isrc_data;
+ mpic_unmask_irq(irq);
+}
+static void
+mpic_pre_ithread(device_t dev, struct intr_irqsrc *isrc)
+{
+
+ mpic_disable_source(dev, isrc);
+}
+
+static void
+mpic_post_ithread(device_t dev, struct intr_irqsrc *isrc)
+{
+
+ mpic_enable_source(dev, isrc);
+}
+#endif
static device_method_t mv_mpic_methods[] = {
DEVMETHOD(device_probe, mv_mpic_probe),
DEVMETHOD(device_attach, mv_mpic_attach),
+
+#ifdef ARM_INTRNG
+ DEVMETHOD(pic_register, mpic_register),
+ DEVMETHOD(pic_disable_source, mpic_disable_source),
+ DEVMETHOD(pic_enable_source, mpic_enable_source),
+ DEVMETHOD(pic_post_ithread, mpic_post_ithread),
+ DEVMETHOD(pic_pre_ithread, mpic_pre_ithread),
+#endif
{ 0, 0 }
};
@@ -189,8 +400,10 @@ static driver_t mv_mpic_driver = {
static devclass_t mv_mpic_devclass;
-DRIVER_MODULE(mpic, simplebus, mv_mpic_driver, mv_mpic_devclass, 0, 0);
+EARLY_DRIVER_MODULE(mpic, simplebus, mv_mpic_driver, mv_mpic_devclass, 0, 0,
+ BUS_PASS_INTERRUPT);
+#ifndef ARM_INTRNG
int
arm_get_next_irq(int last)
{
@@ -219,49 +432,42 @@ void
arm_mask_irq(uintptr_t nb)
{
- MPIC_CPU_WRITE(mv_mpic_sc, MPIC_CTP, 1);
-
- if (nb < ERR_IRQ) {
- bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh,
- MPIC_ICE, nb);
- MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ISM, nb);
- } else if (nb < MSI_IRQ)
- arm_mask_irq_err(nb);
+ mpic_mask_irq(nb);
}
static void
arm_mask_irq_err(uintptr_t nb)
{
- uint32_t mask;
- uint8_t bit_off;
- bit_off = nb - ERR_IRQ;
- mask = MPIC_CPU_READ(mv_mpic_sc, MPIC_ERR_MASK);
- mask &= ~(1 << bit_off);
- MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ERR_MASK, mask);
+ mpic_mask_irq_err(nb);
}
void
arm_unmask_irq(uintptr_t nb)
{
- MPIC_CPU_WRITE(mv_mpic_sc, MPIC_CTP, 0);
-
- if (nb < ERR_IRQ) {
- bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh,
- MPIC_ISE, nb);
- MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ICM, nb);
- } else if (nb < MSI_IRQ)
- arm_unmask_irq_err(nb);
-
- if (nb == 0)
- MPIC_CPU_WRITE(mv_mpic_sc, MPIC_IN_DRBL_MASK, 0xffffffff);
+ mpic_unmask_irq(nb);
}
void
arm_unmask_irq_err(uintptr_t nb)
{
+
+ mpic_unmask_irq_err(nb);
+}
+#endif
+
+static void
+mpic_unmask_msi(void)
+{
+
+ mpic_unmask_irq(MPIC_INT_MSI);
+}
+
+static void
+mpic_unmask_irq_err(uintptr_t nb)
+{
uint32_t mask;
uint8_t bit_off;
@@ -276,10 +482,42 @@ arm_unmask_irq_err(uintptr_t nb)
}
static void
-arm_unmask_msi(void)
+mpic_mask_irq_err(uintptr_t nb)
+{
+ uint32_t mask;
+ uint8_t bit_off;
+
+ bit_off = nb - ERR_IRQ;
+ mask = MPIC_CPU_READ(mv_mpic_sc, MPIC_ERR_MASK);
+ mask &= ~(1 << bit_off);
+ MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ERR_MASK, mask);
+}
+
+static void
+mpic_unmask_irq(uintptr_t nb)
+{
+
+ if (nb < ERR_IRQ) {
+ bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh,
+ MPIC_ISE, nb);
+ MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ICM, nb);
+ } else if (nb < MSI_IRQ)
+ mpic_unmask_irq_err(nb);
+
+ if (nb == 0)
+ MPIC_CPU_WRITE(mv_mpic_sc, MPIC_IN_DRBL_MASK, 0xffffffff);
+}
+
+static void
+mpic_mask_irq(uintptr_t nb)
{
- arm_unmask_irq(MPIC_INT_MSI);
+ if (nb < ERR_IRQ) {
+ bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh,
+ MPIC_ICE, nb);
+ MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ISM, nb);
+ } else if (nb < MSI_IRQ)
+ mpic_mask_irq_err(nb);
}
uint32_t
@@ -313,6 +551,7 @@ mv_mpic_get_msi(void)
uint32_t cause;
uint8_t bit_off;
+ KASSERT(mv_mpic_sc->drbl_bst != NULL, ("No doorbell in mv_mpic_get_msi"));
cause = MPIC_DRBL_READ(mv_mpic_sc, 0);
if (cause)
@@ -359,7 +598,8 @@ mv_msi_data(int irq, uint64_t *addr, uint32_t *data)
return (0);
}
-#if defined(SMP)
+
+#if defined(SMP) && defined(SOC_MV_ARMADAXP)
void
intr_pic_init_secondary(void)
{
diff --git a/sys/arm/mv/mv_common.c b/sys/arm/mv/mv_common.c
index 31fa748f58b8..a1d2a2d12667 100644
--- a/sys/arm/mv/mv_common.c
+++ b/sys/arm/mv/mv_common.c
@@ -79,6 +79,7 @@ static int win_eth_can_remap(int i);
static int decode_win_cpu_valid(void);
#endif
static int decode_win_usb_valid(void);
+static int decode_win_usb3_valid(void);
static int decode_win_eth_valid(void);
static int decode_win_pcie_valid(void);
static int decode_win_sata_valid(void);
@@ -93,6 +94,7 @@ static void decode_win_cpu_setup(void);
static int decode_win_sdram_fixup(void);
#endif
static void decode_win_usb_setup(u_long);
+static void decode_win_usb3_setup(u_long);
static void decode_win_eth_setup(u_long);
static void decode_win_sata_setup(u_long);
@@ -100,6 +102,7 @@ static void decode_win_idma_setup(u_long);
static void decode_win_xor_setup(u_long);
static void decode_win_usb_dump(u_long);
+static void decode_win_usb3_dump(u_long);
static void decode_win_eth_dump(u_long base);
static void decode_win_idma_dump(u_long base);
static void decode_win_xor_dump(u_long base);
@@ -134,6 +137,7 @@ struct soc_node_spec {
static struct soc_node_spec soc_nodes[] = {
{ "mrvl,ge", &decode_win_eth_setup, &decode_win_eth_dump },
{ "mrvl,usb-ehci", &decode_win_usb_setup, &decode_win_usb_dump },
+ { "marvell,armada-380-xhci", &decode_win_usb3_setup, &decode_win_usb3_dump },
{ "mrvl,sata", &decode_win_sata_setup, NULL },
{ "mrvl,xor", &decode_win_xor_setup, &decode_win_xor_dump },
{ "mrvl,idma", &decode_win_idma_setup, &decode_win_idma_dump },
@@ -559,7 +563,7 @@ soc_decode_win(void)
if (!decode_win_cpu_valid() || !decode_win_usb_valid() ||
!decode_win_eth_valid() || !decode_win_idma_valid() ||
!decode_win_pcie_valid() || !decode_win_sata_valid() ||
- !decode_win_xor_valid())
+ !decode_win_xor_valid() || !decode_win_usb3_valid())
return (EINVAL);
decode_win_cpu_setup();
@@ -567,7 +571,7 @@ soc_decode_win(void)
if (!decode_win_usb_valid() ||
!decode_win_eth_valid() || !decode_win_idma_valid() ||
!decode_win_pcie_valid() || !decode_win_sata_valid() ||
- !decode_win_xor_valid())
+ !decode_win_xor_valid() || !decode_win_usb3_valid())
return (EINVAL);
#endif
if (MV_DUMP_WIN)
@@ -600,6 +604,13 @@ WIN_REG_BASE_IDX_RD(win_usb, br, MV_WIN_USB_BASE)
WIN_REG_BASE_IDX_WR(win_usb, cr, MV_WIN_USB_CTRL)
WIN_REG_BASE_IDX_WR(win_usb, br, MV_WIN_USB_BASE)
+#ifdef SOC_MV_ARMADA38X
+WIN_REG_BASE_IDX_RD(win_usb3, cr, MV_WIN_USB3_CTRL)
+WIN_REG_BASE_IDX_RD(win_usb3, br, MV_WIN_USB3_BASE)
+WIN_REG_BASE_IDX_WR(win_usb3, cr, MV_WIN_USB3_CTRL)
+WIN_REG_BASE_IDX_WR(win_usb3, br, MV_WIN_USB3_BASE)
+#endif
+
WIN_REG_BASE_IDX_RD(win_eth, br, MV_WIN_ETH_BASE)
WIN_REG_BASE_IDX_RD(win_eth, sz, MV_WIN_ETH_SIZE)
WIN_REG_BASE_IDX_RD(win_eth, har, MV_WIN_ETH_REMAP)
@@ -1118,6 +1129,85 @@ decode_win_usb_setup(u_long base)
}
/**************************************************************************
+ * USB3 windows routines
+ **************************************************************************/
+#ifdef SOC_MV_ARMADA38X
+static int
+decode_win_usb3_valid(void)
+{
+
+ return (decode_win_can_cover_ddr(MV_WIN_USB3_MAX));
+}
+
+static void
+decode_win_usb3_dump(u_long base)
+{
+ int i;
+
+ for (i = 0; i < MV_WIN_USB3_MAX; i++)
+ printf("USB3.0 window#%d: c 0x%08x, b 0x%08x\n", i,
+ win_usb3_cr_read(base, i), win_usb3_br_read(base, i));
+}
+
+/*
+ * Set USB3 decode windows
+ */
+static void
+decode_win_usb3_setup(u_long base)
+{
+ uint32_t br, cr;
+ int i, j;
+
+ for (i = 0; i < MV_WIN_USB3_MAX; i++) {
+ win_usb3_cr_write(base, i, 0);
+ win_usb3_br_write(base, i, 0);
+ }
+
+ /* Only access to active DRAM banks is required */
+ for (i = 0; i < MV_WIN_DDR_MAX; i++) {
+ if (ddr_is_active(i)) {
+ br = ddr_base(i);
+ cr = (((ddr_size(i) - 1) &
+ (IO_WIN_SIZE_MASK << IO_WIN_SIZE_SHIFT)) |
+ (ddr_attr(i) << IO_WIN_ATTR_SHIFT) |
+ (ddr_target(i) << IO_WIN_TGT_SHIFT) |
+ IO_WIN_ENA_MASK);
+
+ /* Set the first free USB3.0 window */
+ for (j = 0; j < MV_WIN_USB3_MAX; j++) {
+ if (win_usb3_cr_read(base, j) & IO_WIN_ENA_MASK)
+ continue;
+
+ win_usb3_br_write(base, j, br);
+ win_usb3_cr_write(base, j, cr);
+ break;
+ }
+ }
+ }
+}
+#else
+/*
+ * Provide dummy functions to satisfy the build
+ * for SoCs not equipped with USB3
+ */
+static int
+decode_win_usb3_valid(void)
+{
+
+ return (1);
+}
+
+static void
+decode_win_usb3_setup(u_long base)
+{
+}
+
+static void
+decode_win_usb3_dump(u_long base)
+{
+}
+#endif
+/**************************************************************************
* ETH windows routines
**************************************************************************/
@@ -2077,6 +2167,17 @@ fdt_win_setup(void)
return (ENXIO);
child = OF_child(node);
}
+ /*
+ * Next, move one more level down to internal-regs node (if
+ * it is present) and its children. This node also have
+ * "simple-bus" compatible.
+ */
+ if ((child == 0) && (node == OF_finddevice("simple-bus"))) {
+ node = fdt_find_compatible(node, "simple-bus", 0);
+ if (node == 0)
+ return (0);
+ child = OF_child(node);
+ }
}
return (0);
diff --git a/sys/arm/mv/mvreg.h b/sys/arm/mv/mvreg.h
index 65151c1e7cb5..abfefc186f7f 100644
--- a/sys/arm/mv/mvreg.h
+++ b/sys/arm/mv/mvreg.h
@@ -67,7 +67,10 @@
#elif defined (SOC_MV_ARMADAXP)
#define IRQ_CAUSE 0x18
#define IRQ_MASK 0x30
-#else /* !SOC_MV_DISCOVERY && !SOC_MV_LOKIPLUS */
+#elif defined (SOC_MV_ARMADA38X)
+#define MSI_IRQ 0x3ff
+#define ERR_IRQ 0x3ff
+#else
#define IRQ_CAUSE 0x0
#define IRQ_MASK 0x4
#define FIQ_MASK 0x8
diff --git a/sys/arm/mv/mvwin.h b/sys/arm/mv/mvwin.h
index a7a5bf3cda6d..a9c2b8c8d0a5 100644
--- a/sys/arm/mv/mvwin.h
+++ b/sys/arm/mv/mvwin.h
@@ -242,6 +242,10 @@
#define MV_WIN_USB_BASE(n) (0x10 * (n) + 0x324)
#define MV_WIN_USB_MAX 4
+#define MV_WIN_USB3_CTRL(n) (0x8 * (n))
+#define MV_WIN_USB3_BASE(n) (0x8 * (n) + 0x4)
+#define MV_WIN_USB3_MAX 8
+
#define MV_WIN_ETH_BASE(n) (0x8 * (n) + 0x200)
#define MV_WIN_ETH_SIZE(n) (0x8 * (n) + 0x204)
#define MV_WIN_ETH_REMAP(n) (0x4 * (n) + 0x280)
diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c
index abc65814e6d1..5db731d13be0 100644
--- a/sys/arm64/arm64/pmap.c
+++ b/sys/arm64/arm64/pmap.c
@@ -772,12 +772,10 @@ pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
vm_offset_t addr;
sched_pin();
- sva >>= PAGE_SHIFT;
- eva >>= PAGE_SHIFT;
__asm __volatile("dsb sy");
- for (addr = sva; addr < eva; addr++) {
+ for (addr = sva; addr < eva; addr += PAGE_SIZE) {
__asm __volatile(
- "tlbi vaae1is, %0" : : "r"(addr));
+ "tlbi vaae1is, %0" : : "r"(addr >> PAGE_SHIFT));
}
__asm __volatile(
"dsb sy \n"
diff --git a/sys/boot/efi/boot1/Makefile b/sys/boot/efi/boot1/Makefile
index c4c92cba8932..0c2394524b09 100644
--- a/sys/boot/efi/boot1/Makefile
+++ b/sys/boot/efi/boot1/Makefile
@@ -73,8 +73,8 @@ LDADD+= -lstand
DPADD+= ${LDSCRIPT}
+NM?= nm
OBJCOPY?= objcopy
-OBJDUMP?= objdump
.if ${MACHINE_CPUARCH} == "amd64"
EFI_TARGET= efi-app-x86_64
@@ -85,8 +85,8 @@ EFI_TARGET= binary
.endif
boot1.efi: ${PROG}
- if [ `${OBJDUMP} -t ${.ALLSRC} | fgrep '*UND*' | wc -l` != 0 ]; then \
- ${OBJDUMP} -t ${.ALLSRC} | fgrep '*UND*'; \
+ if ${NM} ${.ALLSRC} | grep ' U '; then \
+ echo "Undefined symbols in ${.ALLSRC}"; \
exit 1; \
fi
${OBJCOPY} -j .peheader -j .text -j .sdata -j .data \
@@ -124,13 +124,13 @@ beforedepend ${OBJS}: machine
CLEANFILES+= machine
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../${MACHINE}/include machine
.if ${MACHINE_CPUARCH} == "amd64" || ${MACHINE_CPUARCH} == "i386"
beforedepend ${OBJS}: x86
CLEANFILES+= x86
-x86:
+x86: .NOMETA
ln -sf ${.CURDIR}/../../../x86/include x86
.endif
diff --git a/sys/boot/efi/boot1/boot1.c b/sys/boot/efi/boot1/boot1.c
index 1161b0a1e58a..1b84d4189e10 100644
--- a/sys/boot/efi/boot1/boot1.c
+++ b/sys/boot/efi/boot1/boot1.c
@@ -405,7 +405,7 @@ try_boot()
if ((status = bs->LoadImage(TRUE, image, devpath_last(dev->devpath),
loaderbuf, loadersize, &loaderhandle)) != EFI_SUCCESS) {
printf("Failed to load image provided by %s, size: %zu, (%lu)\n",
- mod->name, bufsize, EFI_ERROR_CODE(status));
+ mod->name, loadersize, EFI_ERROR_CODE(status));
goto errout;
}
diff --git a/sys/boot/efi/fdt/Makefile b/sys/boot/efi/fdt/Makefile
index 15862dc2957e..65f6e6336bab 100644
--- a/sys/boot/efi/fdt/Makefile
+++ b/sys/boot/efi/fdt/Makefile
@@ -27,7 +27,7 @@ CFLAGS+= -I${.CURDIR}/../../fdt
# Pick up the bootstrap header for some interface items
CFLAGS+= -I${.CURDIR}/../../common -I${.CURDIR}/../../.. -I.
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../${MACHINE}/include machine
CLEANFILES+= machine
diff --git a/sys/boot/efi/loader/Makefile b/sys/boot/efi/loader/Makefile
index d36e54bc077d..f4f6cbf6a44d 100644
--- a/sys/boot/efi/loader/Makefile
+++ b/sys/boot/efi/loader/Makefile
@@ -98,8 +98,8 @@ NEWVERSWHAT= "EFI loader" ${MACHINE}
vers.c: ${.CURDIR}/../../common/newvers.sh ${.CURDIR}/../../efi/loader/version
sh ${.CURDIR}/../../common/newvers.sh ${.CURDIR}/version ${NEWVERSWHAT}
+NM?= nm
OBJCOPY?= objcopy
-OBJDUMP?= objdump
.if ${MACHINE_CPUARCH} == "amd64"
EFI_TARGET= efi-app-x86_64
@@ -110,8 +110,8 @@ EFI_TARGET= binary
.endif
loader.efi: ${PROG}
- if [ `${OBJDUMP} -t ${.ALLSRC} | fgrep '*UND*' | wc -l` != 0 ]; then \
- ${OBJDUMP} -t ${.ALLSRC} | fgrep '*UND*'; \
+ if ${NM} ${.ALLSRC} | grep ' U '; then \
+ echo "Undefined symbols in ${.ALLSRC}"; \
exit 1; \
fi
${OBJCOPY} -j .peheader -j .text -j .sdata -j .data \
@@ -131,13 +131,13 @@ beforedepend ${OBJS}: machine
CLEANFILES+= machine
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../${MACHINE}/include machine
.if ${MACHINE_CPUARCH} == "amd64" || ${MACHINE_CPUARCH} == "i386"
beforedepend ${OBJS}: x86
CLEANFILES+= x86
-x86:
+x86: .NOMETA
ln -sf ${.CURDIR}/../../../x86/include x86
.endif
diff --git a/sys/boot/fdt/dts/arm/bananapi.dts b/sys/boot/fdt/dts/arm/bananapi.dts
index 0bd1b3839477..a1017203c811 100644
--- a/sys/boot/fdt/dts/arm/bananapi.dts
+++ b/sys/boot/fdt/dts/arm/bananapi.dts
@@ -74,6 +74,21 @@
ahci: sata@01c18000 {
status = "okay";
};
+
+ hdmi: hdmi@01c16000 {
+ compatible = "allwinner,sun7i-a20-hdmi";
+ reg = <0x01c16000 0x1000>;
+ };
+
+ hdmiaudio {
+ compatible = "allwinner,sun7i-a20-hdmiaudio";
+ };
+
+ fb: fb@01e60000 {
+ compatible = "allwinner,sun7i-a20-fb";
+ reg = <0x01e60000 0x10000>, /* DEBE0 */
+ <0x01c0c000 0x1000>; /* LCD0 */
+ };
};
leds {
diff --git a/sys/boot/fdt/dts/arm/db78460.dts b/sys/boot/fdt/dts/arm/db78460.dts
index 8bc04f8dfa3e..9b4d08fddd15 100644
--- a/sys/boot/fdt/dts/arm/db78460.dts
+++ b/sys/boot/fdt/dts/arm/db78460.dts
@@ -75,7 +75,7 @@
interrupt-controller;
#address-cells = <0>;
#interrupt-cells = <1>;
- reg = <0x20a00 0x500 0x21000 0x800 0x20400 0x100>;
+ reg = <0x20a00 0x500 0x21870 0x58 0x20400 0x100>;
compatible = "mrvl,mpic";
};
diff --git a/sys/boot/ficl/Makefile b/sys/boot/ficl/Makefile
index 0451aa9835cc..bce9ffa78870 100644
--- a/sys/boot/ficl/Makefile
+++ b/sys/boot/ficl/Makefile
@@ -75,7 +75,7 @@ ${SRCS:M*.c:R:S/$/.o/g}: machine
beforedepend ${OBJS}: machine
.endif
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../i386/include machine
CLEANFILES+= machine
diff --git a/sys/boot/i386/gptboot/Makefile b/sys/boot/i386/gptboot/Makefile
index 71814c14e1d7..1aafe0bfb13b 100644
--- a/sys/boot/i386/gptboot/Makefile
+++ b/sys/boot/i386/gptboot/Makefile
@@ -74,7 +74,7 @@ gptboot.o: ${.CURDIR}/../../common/ufsread.c
.if ${MACHINE_CPUARCH} == "amd64"
beforedepend gptboot.o: machine
CLEANFILES+= machine
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../i386/include machine
.endif
diff --git a/sys/boot/i386/gptzfsboot/Makefile b/sys/boot/i386/gptzfsboot/Makefile
index 91a637f12755..140633320b5c 100644
--- a/sys/boot/i386/gptzfsboot/Makefile
+++ b/sys/boot/i386/gptzfsboot/Makefile
@@ -72,7 +72,7 @@ zfsboot.o: ${.CURDIR}/../../zfs/zfsimpl.c
.if ${MACHINE_CPUARCH} == "amd64"
beforedepend zfsboot.o: machine
CLEANFILES+= machine
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../i386/include machine
.endif
diff --git a/sys/boot/i386/libfirewire/Makefile b/sys/boot/i386/libfirewire/Makefile
index 191b95479e25..904f4abccae9 100644
--- a/sys/boot/i386/libfirewire/Makefile
+++ b/sys/boot/i386/libfirewire/Makefile
@@ -18,7 +18,7 @@ CFLAGS+= -Wformat -Wall
.if ${MACHINE_CPUARCH} == "amd64"
CLEANFILES+= machine
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../i386/include machine
.endif
diff --git a/sys/boot/i386/libi386/Makefile b/sys/boot/i386/libi386/Makefile
index 3e61a1b96868..f3c1d8d1cff3 100644
--- a/sys/boot/i386/libi386/Makefile
+++ b/sys/boot/i386/libi386/Makefile
@@ -60,7 +60,7 @@ CFLAGS+= ${FORMAT_EXTENSIONS}
.if ${MACHINE_CPUARCH} == "amd64"
CLEANFILES+= machine
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../i386/include machine
.endif
diff --git a/sys/boot/i386/loader/Makefile b/sys/boot/i386/loader/Makefile
index bcbe0b86c627..776ba92f4a27 100644
--- a/sys/boot/i386/loader/Makefile
+++ b/sys/boot/i386/loader/Makefile
@@ -125,6 +125,6 @@ LDADD= ${LIBFICL} ${LIBFIREWIRE} ${LIBZFSBOOT} ${LIBI386} ${LIBSTAND}
beforedepend ${OBJS}: machine
CLEANFILES+= machine
CFLAGS+= -DLOADER_PREFER_AMD64
-machine: .NOPATH
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../i386/include machine
.endif
diff --git a/sys/boot/i386/zfsboot/Makefile b/sys/boot/i386/zfsboot/Makefile
index 5ecf13c25d5e..f65e0ad28435 100644
--- a/sys/boot/i386/zfsboot/Makefile
+++ b/sys/boot/i386/zfsboot/Makefile
@@ -85,7 +85,7 @@ SRCS= zfsboot.c
.if ${MACHINE_CPUARCH} == "amd64"
beforedepend zfsboot.o: machine
CLEANFILES+= machine
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../i386/include machine
.endif
diff --git a/sys/boot/libstand32/Makefile b/sys/boot/libstand32/Makefile
index 66798d75e44f..6dbf1f420910 100644
--- a/sys/boot/libstand32/Makefile
+++ b/sys/boot/libstand32/Makefile
@@ -23,6 +23,6 @@ CFLAGS+= -m32 -I.
.if ${MACHINE_CPUARCH} == "amd64"
CLEANFILES+= machine
beforedepend ${OBJS}: machine
-machine:
+machine: .NOMETA
ln -fs ${.CURDIR}/../../i386/include machine
.endif
diff --git a/sys/boot/ofw/libofw/Makefile b/sys/boot/ofw/libofw/Makefile
index 751ebfda75bf..3b91ea28d37a 100644
--- a/sys/boot/ofw/libofw/Makefile
+++ b/sys/boot/ofw/libofw/Makefile
@@ -25,7 +25,7 @@ SRCS+= ppc64_elf_freebsd.c
CFLAGS+= -DDISK_DEBUG
.endif
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../${MACHINE_CPUARCH}/include machine
CLEANFILES+= machine
diff --git a/sys/boot/uboot/fdt/Makefile b/sys/boot/uboot/fdt/Makefile
index 6f68665cc625..95c0800789a2 100644
--- a/sys/boot/uboot/fdt/Makefile
+++ b/sys/boot/uboot/fdt/Makefile
@@ -23,7 +23,7 @@ CFLAGS+= -I${.CURDIR}/../../fdt
# Pick up the bootstrap header for some interface items
CFLAGS+= -I${.CURDIR}/../../common -I${.CURDIR}/../../.. -I.
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../${MACHINE_CPUARCH}/include machine
CLEANFILES+= machine
diff --git a/sys/boot/uboot/lib/Makefile b/sys/boot/uboot/lib/Makefile
index b56c06021c91..982da713c66b 100644
--- a/sys/boot/uboot/lib/Makefile
+++ b/sys/boot/uboot/lib/Makefile
@@ -41,7 +41,7 @@ CFLAGS+= -I${.CURDIR}/../../common -I${.CURDIR}/../../.. -I.
CFLAGS+= -DDISK_DEBUG
.endif
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../../${MACHINE_CPUARCH}/include machine
CLEANFILES+= machine
diff --git a/sys/boot/userboot/ficl/Makefile b/sys/boot/userboot/ficl/Makefile
index d8f749f9c6eb..fd6c7f07056f 100644
--- a/sys/boot/userboot/ficl/Makefile
+++ b/sys/boot/userboot/ficl/Makefile
@@ -53,7 +53,7 @@ softcore.c: ${SOFTWORDS} softcore.awk
#
#beforedepend ${OBJS}: machine
#
-#machine:
+#machine: .NOMETA
# ln -sf ${.CURDIR}/../../i386/include machine
#
#CLEANFILES+= machine
diff --git a/sys/boot/zfs/Makefile b/sys/boot/zfs/Makefile
index 6f8c26b01139..3ab2251ddbe5 100644
--- a/sys/boot/zfs/Makefile
+++ b/sys/boot/zfs/Makefile
@@ -21,7 +21,7 @@ CFLAGS+= -Wformat -Wall
.if ${MACHINE_CPUARCH} == "amd64"
CLEANFILES+= machine
-machine:
+machine: .NOMETA
ln -sf ${.CURDIR}/../../i386/include machine
.endif
diff --git a/sys/compat/freebsd32/freebsd32_syscall.h b/sys/compat/freebsd32/freebsd32_syscall.h
index 54851d35b8e3..ce56b1591f1a 100644
--- a/sys/compat/freebsd32/freebsd32_syscall.h
+++ b/sys/compat/freebsd32/freebsd32_syscall.h
@@ -24,7 +24,7 @@
#define FREEBSD32_SYS_chmod 15
#define FREEBSD32_SYS_chown 16
#define FREEBSD32_SYS_break 17
-#define FREEBSD32_SYS_freebsd4_freebsd32_getfsstat 18
+ /* 18 is freebsd4 freebsd32_getfsstat */
/* 19 is old freebsd32_lseek */
#define FREEBSD32_SYS_getpid 20
#define FREEBSD32_SYS_mount 21
@@ -155,8 +155,8 @@
/* 149 is obsolete oquota */
/* 150 is obsolete ogetsockname */
/* 156 is old freebsd32_getdirentries */
-#define FREEBSD32_SYS_freebsd4_freebsd32_statfs 157
-#define FREEBSD32_SYS_freebsd4_freebsd32_fstatfs 158
+ /* 157 is freebsd4 freebsd32_statfs */
+ /* 158 is freebsd4 freebsd32_fstatfs */
#define FREEBSD32_SYS_getfh 161
/* 162 is obsolete getdomainname */
/* 163 is obsolete setdomainname */
@@ -166,8 +166,8 @@
#define FREEBSD32_SYS_freebsd32_semsys 169
#define FREEBSD32_SYS_freebsd32_msgsys 170
#define FREEBSD32_SYS_freebsd32_shmsys 171
-#define FREEBSD32_SYS_freebsd6_freebsd32_pread 173
-#define FREEBSD32_SYS_freebsd6_freebsd32_pwrite 174
+ /* 173 is freebsd6 freebsd32_pread */
+ /* 174 is freebsd6 freebsd32_pwrite */
#define FREEBSD32_SYS_ntp_adjtime 176
#define FREEBSD32_SYS_setgid 181
#define FREEBSD32_SYS_setegid 182
@@ -180,11 +180,11 @@
#define FREEBSD32_SYS_getrlimit 194
#define FREEBSD32_SYS_setrlimit 195
#define FREEBSD32_SYS_freebsd32_getdirentries 196
-#define FREEBSD32_SYS_freebsd6_freebsd32_mmap 197
+ /* 197 is freebsd6 freebsd32_mmap */
#define FREEBSD32_SYS___syscall 198
-#define FREEBSD32_SYS_freebsd6_freebsd32_lseek 199
-#define FREEBSD32_SYS_freebsd6_freebsd32_truncate 200
-#define FREEBSD32_SYS_freebsd6_freebsd32_ftruncate 201
+ /* 199 is freebsd6 freebsd32_lseek */
+ /* 200 is freebsd6 freebsd32_truncate */
+ /* 201 is freebsd6 freebsd32_ftruncate */
#define FREEBSD32_SYS_freebsd32_sysctl 202
#define FREEBSD32_SYS_mlock 203
#define FREEBSD32_SYS_munlock 204
@@ -234,7 +234,7 @@
#define FREEBSD32_SYS_nlstat 280
#define FREEBSD32_SYS_freebsd32_preadv 289
#define FREEBSD32_SYS_freebsd32_pwritev 290
-#define FREEBSD32_SYS_freebsd4_freebsd32_fhstatfs 297
+ /* 297 is freebsd4 freebsd32_fhstatfs */
#define FREEBSD32_SYS_fhopen 298
#define FREEBSD32_SYS_fhstat 299
#define FREEBSD32_SYS_modnext 300
@@ -255,9 +255,9 @@
#define FREEBSD32_SYS_freebsd32_aio_suspend 315
#define FREEBSD32_SYS_aio_cancel 316
#define FREEBSD32_SYS_freebsd32_aio_error 317
-#define FREEBSD32_SYS_freebsd6_freebsd32_aio_read 318
-#define FREEBSD32_SYS_freebsd6_freebsd32_aio_write 319
-#define FREEBSD32_SYS_freebsd6_freebsd32_lio_listio 320
+ /* 318 is freebsd6 freebsd32_aio_read */
+ /* 319 is freebsd6 freebsd32_aio_write */
+ /* 320 is freebsd6 freebsd32_lio_listio */
#define FREEBSD32_SYS_yield 321
/* 322 is obsolete thr_sleep */
/* 323 is obsolete thr_wakeup */
@@ -273,14 +273,14 @@
#define FREEBSD32_SYS_sched_get_priority_min 333
#define FREEBSD32_SYS_sched_rr_get_interval 334
#define FREEBSD32_SYS_utrace 335
-#define FREEBSD32_SYS_freebsd4_freebsd32_sendfile 336
+ /* 336 is freebsd4 freebsd32_sendfile */
#define FREEBSD32_SYS_kldsym 337
#define FREEBSD32_SYS_freebsd32_jail 338
#define FREEBSD32_SYS_sigprocmask 340
#define FREEBSD32_SYS_sigsuspend 341
-#define FREEBSD32_SYS_freebsd4_freebsd32_sigaction 342
+ /* 342 is freebsd4 freebsd32_sigaction */
#define FREEBSD32_SYS_sigpending 343
-#define FREEBSD32_SYS_freebsd4_freebsd32_sigreturn 344
+ /* 344 is freebsd4 freebsd32_sigreturn */
#define FREEBSD32_SYS_freebsd32_sigtimedwait 345
#define FREEBSD32_SYS_freebsd32_sigwaitinfo 346
#define FREEBSD32_SYS___acl_get_file 347
diff --git a/sys/conf/config.mk b/sys/conf/config.mk
index b95b7814813c..433f420c6a7a 100644
--- a/sys/conf/config.mk
+++ b/sys/conf/config.mk
@@ -49,6 +49,12 @@ KERN_OPTS+= INET6
.if ${MK_EISA} != "no"
KERN_OPTS+= DEV_EISA
.endif
-.else
+.elif !defined(KERN_OPTS)
KERN_OPTS!=cat ${KERNBUILDDIR}/opt*.h | awk '{print $$2;}' | sort -u
+.export KERN_OPTS
+.endif
+
+.if !defined(__MPATH)
+__MPATH!=find ${SYSDIR:tA}/ -name \*_if.m
+.export __MPATH
.endif
diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk
index 085d78f84c7c..f561f8aead39 100644
--- a/sys/conf/kern.mk
+++ b/sys/conf/kern.mk
@@ -42,10 +42,9 @@ CLANG_NO_IAS34= -no-integrated-as
.endif
.if ${COMPILER_TYPE} == "gcc"
-.if ${COMPILER_VERSION} >= 40300
+.if ${COMPILER_VERSION} >= 40800
# Catch-all for all the things that are in our tree, but for which we're
-# not yet ready for this compiler. Note: we likely only really "support"
-# building with gcc 4.8 and newer. Nothing older has been tested.
+# not yet ready for this compiler.
CWARNEXTRA?= -Wno-error=inline -Wno-error=enum-compare -Wno-error=unused-but-set-variable \
-Wno-error=aggressive-loop-optimizations -Wno-error=maybe-uninitialized \
-Wno-error=array-bounds -Wno-error=address \
diff --git a/sys/conf/kern.opts.mk b/sys/conf/kern.opts.mk
index a1906cf5b7de..d1d2d045c3f0 100644
--- a/sys/conf/kern.opts.mk
+++ b/sys/conf/kern.opts.mk
@@ -30,6 +30,7 @@ __DEFAULT_YES_OPTIONS = \
CDDL \
CRYPT \
CUSE \
+ FAST_DEPEND \
FORMAT_EXTENSIONS \
INET \
INET6 \
@@ -45,7 +46,6 @@ __DEFAULT_YES_OPTIONS = \
__DEFAULT_NO_OPTIONS = \
EISA \
- FAST_DEPEND \
NAND \
OFED
@@ -144,7 +144,10 @@ MK_${var}:= no
MK_${var}_SUPPORT:= no
.else
.if defined(KERNBUILDDIR) # See if there's an opt_foo.h
+.if !defined(OPT_${var})
OPT_${var}!= cat ${KERNBUILDDIR}/opt_${var:tl}.h; echo
+.export OPT_${var}
+.endif
.if ${OPT_${var}} == "" # nothing -> no
MK_${var}_SUPPORT:= no
.else
diff --git a/sys/conf/kern.post.mk b/sys/conf/kern.post.mk
index ba2c7928fbe3..d5047a840344 100644
--- a/sys/conf/kern.post.mk
+++ b/sys/conf/kern.post.mk
@@ -231,7 +231,10 @@ _meta_filemon= 1
.if ${MK_FAST_DEPEND} == "yes"
DEPENDOBJS+= ${SYSTEM_OBJS} genassym.o
DEPENDFILES_OBJS= ${DEPENDOBJS:O:u:C/^/.depend./}
-DEPEND_CFLAGS+= -MD -MP -MF.depend.${.TARGET}
+.if ${MAKE_VERSION} < 20160220
+DEPEND_MP?= -MP
+.endif
+DEPEND_CFLAGS+= -MD ${DEPEND_MP} -MF.depend.${.TARGET}
DEPEND_CFLAGS+= -MT${.TARGET}
.if !defined(_meta_filemon)
.if defined(.PARSEDIR)
@@ -244,7 +247,11 @@ CFLAGS+= ${DEPEND_CFLAGS}
.endif
.if !defined(_SKIP_READ_DEPEND)
.for __depend_obj in ${DEPENDFILES_OBJS}
+.if ${MAKE_VERSION} < 20160220
.sinclude "${.OBJDIR}/${__depend_obj}"
+.else
+.dinclude "${.OBJDIR}/${__depend_obj}"
+.endif
.endfor
.endif # !defined(_SKIP_READ_DEPEND)
.endif # !defined(_meta_filemon)
diff --git a/sys/conf/kmod.mk b/sys/conf/kmod.mk
index 10b7dedc7772..6a3e1eb83e6e 100644
--- a/sys/conf/kmod.mk
+++ b/sys/conf/kmod.mk
@@ -386,11 +386,7 @@ vnode_if_typedef.h:
.endif
# Build _if.[ch] from _if.m, and clean them when we're done.
-# This is duplicated in sys/modules/Makefile.
-.if !defined(__MPATH)
-__MPATH!=find ${SYSDIR:tA}/ -name \*_if.m
-.export __MPATH
-.endif
+# __MPATH defined in config.mk
_MFILES=${__MPATH:T:O}
_MPATH=${__MPATH:H:O:u}
.PATH.m: ${_MPATH}
diff --git a/sys/dev/agp/agp_i810.c b/sys/dev/agp/agp_i810.c
index c9ebcc5f327b..7df5d84780d1 100644
--- a/sys/dev/agp/agp_i810.c
+++ b/sys/dev/agp/agp_i810.c
@@ -86,7 +86,6 @@ struct agp_i810_match;
static int agp_i810_check_active(device_t bridge_dev);
static int agp_i830_check_active(device_t bridge_dev);
static int agp_i915_check_active(device_t bridge_dev);
-static int agp_sb_check_active(device_t bridge_dev);
static void agp_82852_set_desc(device_t dev,
const struct agp_i810_match *match);
@@ -97,12 +96,10 @@ static void agp_i830_dump_regs(device_t dev);
static void agp_i855_dump_regs(device_t dev);
static void agp_i915_dump_regs(device_t dev);
static void agp_i965_dump_regs(device_t dev);
-static void agp_sb_dump_regs(device_t dev);
static int agp_i810_get_stolen_size(device_t dev);
static int agp_i830_get_stolen_size(device_t dev);
static int agp_i915_get_stolen_size(device_t dev);
-static int agp_sb_get_stolen_size(device_t dev);
static int agp_i810_get_gtt_mappable_entries(device_t dev);
static int agp_i830_get_gtt_mappable_entries(device_t dev);
@@ -111,7 +108,6 @@ static int agp_i915_get_gtt_mappable_entries(device_t dev);
static int agp_i810_get_gtt_total_entries(device_t dev);
static int agp_i965_get_gtt_total_entries(device_t dev);
static int agp_gen5_get_gtt_total_entries(device_t dev);
-static int agp_sb_get_gtt_total_entries(device_t dev);
static int agp_i810_install_gatt(device_t dev);
static int agp_i830_install_gatt(device_t dev);
@@ -131,14 +127,11 @@ static void agp_i965_install_gtt_pte(device_t dev, u_int index,
vm_offset_t physical, int flags);
static void agp_g4x_install_gtt_pte(device_t dev, u_int index,
vm_offset_t physical, int flags);
-static void agp_sb_install_gtt_pte(device_t dev, u_int index,
- vm_offset_t physical, int flags);
static void agp_i810_write_gtt(device_t dev, u_int index, uint32_t pte);
static void agp_i915_write_gtt(device_t dev, u_int index, uint32_t pte);
static void agp_i965_write_gtt(device_t dev, u_int index, uint32_t pte);
static void agp_g4x_write_gtt(device_t dev, u_int index, uint32_t pte);
-static void agp_sb_write_gtt(device_t dev, u_int index, uint32_t pte);
static u_int32_t agp_i810_read_gtt_pte(device_t dev, u_int index);
static u_int32_t agp_i915_read_gtt_pte(device_t dev, u_int index);
@@ -147,7 +140,6 @@ static u_int32_t agp_g4x_read_gtt_pte(device_t dev, u_int index);
static vm_paddr_t agp_i810_read_gtt_pte_paddr(device_t dev, u_int index);
static vm_paddr_t agp_i915_read_gtt_pte_paddr(device_t dev, u_int index);
-static vm_paddr_t agp_sb_read_gtt_pte_paddr(device_t dev, u_int index);
static int agp_i810_set_aperture(device_t dev, u_int32_t aperture);
static int agp_i830_set_aperture(device_t dev, u_int32_t aperture);
@@ -174,7 +166,6 @@ enum {
CHIP_G33, /* G33/Q33/Q35 */
CHIP_IGD, /* Pineview */
CHIP_G4X, /* G45/Q45 */
- CHIP_SB, /* SandyBridge */
};
/* The i810 through i855 have the registers at BAR 1, and the GATT gets
@@ -196,12 +187,7 @@ static struct resource_spec agp_i915_res_spec[] = {
static struct resource_spec agp_i965_res_spec[] = {
{ SYS_RES_MEMORY, AGP_I965_GTTMMADR, RF_ACTIVE | RF_SHAREABLE },
- { -1, 0 }
-};
-
-static struct resource_spec agp_g4x_res_spec[] = {
- { SYS_RES_MEMORY, AGP_G4X_MMADR, RF_ACTIVE | RF_SHAREABLE },
- { SYS_RES_MEMORY, AGP_G4X_GTTADR, RF_ACTIVE | RF_SHAREABLE },
+ { SYS_RES_MEMORY, AGP_I965_APBASE, RF_ACTIVE | RF_SHAREABLE },
{ -1, 0 }
};
@@ -392,22 +378,22 @@ static const struct agp_i810_driver agp_i810_i915_driver = {
.chipset_flush = agp_i915_chipset_flush,
};
-static const struct agp_i810_driver agp_i810_g965_driver = {
- .chiptype = CHIP_I965,
- .gen = 4,
+static const struct agp_i810_driver agp_i810_g33_driver = {
+ .chiptype = CHIP_G33,
+ .gen = 3,
.busdma_addr_mask_sz = 36,
- .res_spec = agp_i965_res_spec,
+ .res_spec = agp_i915_res_spec,
.check_active = agp_i915_check_active,
.set_desc = agp_i810_set_desc,
.dump_regs = agp_i965_dump_regs,
.get_stolen_size = agp_i915_get_stolen_size,
.get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries,
.get_gtt_total_entries = agp_i965_get_gtt_total_entries,
- .install_gatt = agp_i965_install_gatt,
+ .install_gatt = agp_i830_install_gatt,
.deinstall_gatt = agp_i830_deinstall_gatt,
- .write_gtt = agp_i965_write_gtt,
- .install_gtt_pte = agp_i965_install_gtt_pte,
- .read_gtt_pte = agp_i965_read_gtt_pte,
+ .write_gtt = agp_i915_write_gtt,
+ .install_gtt_pte = agp_i915_install_gtt_pte,
+ .read_gtt_pte = agp_i915_read_gtt_pte,
.read_gtt_pte_paddr = agp_i915_read_gtt_pte_paddr,
.set_aperture = agp_i915_set_aperture,
.chipset_flush_setup = agp_i965_chipset_flush_setup,
@@ -415,14 +401,14 @@ static const struct agp_i810_driver agp_i810_g965_driver = {
.chipset_flush = agp_i915_chipset_flush,
};
-static const struct agp_i810_driver agp_i810_g33_driver = {
- .chiptype = CHIP_G33,
+static const struct agp_i810_driver agp_i810_igd_driver = {
+ .chiptype = CHIP_IGD,
.gen = 3,
.busdma_addr_mask_sz = 36,
.res_spec = agp_i915_res_spec,
.check_active = agp_i915_check_active,
.set_desc = agp_i810_set_desc,
- .dump_regs = agp_i965_dump_regs,
+ .dump_regs = agp_i915_dump_regs,
.get_stolen_size = agp_i915_get_stolen_size,
.get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries,
.get_gtt_total_entries = agp_i965_get_gtt_total_entries,
@@ -438,22 +424,22 @@ static const struct agp_i810_driver agp_i810_g33_driver = {
.chipset_flush = agp_i915_chipset_flush,
};
-static const struct agp_i810_driver agp_i810_igd_driver = {
- .chiptype = CHIP_IGD,
- .gen = 3,
+static const struct agp_i810_driver agp_i810_g965_driver = {
+ .chiptype = CHIP_I965,
+ .gen = 4,
.busdma_addr_mask_sz = 36,
- .res_spec = agp_i915_res_spec,
+ .res_spec = agp_i965_res_spec,
.check_active = agp_i915_check_active,
.set_desc = agp_i810_set_desc,
- .dump_regs = agp_i915_dump_regs,
+ .dump_regs = agp_i965_dump_regs,
.get_stolen_size = agp_i915_get_stolen_size,
.get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries,
.get_gtt_total_entries = agp_i965_get_gtt_total_entries,
- .install_gatt = agp_i830_install_gatt,
+ .install_gatt = agp_i965_install_gatt,
.deinstall_gatt = agp_i830_deinstall_gatt,
- .write_gtt = agp_i915_write_gtt,
- .install_gtt_pte = agp_i915_install_gtt_pte,
- .read_gtt_pte = agp_i915_read_gtt_pte,
+ .write_gtt = agp_i965_write_gtt,
+ .install_gtt_pte = agp_i965_install_gtt_pte,
+ .read_gtt_pte = agp_i965_read_gtt_pte,
.read_gtt_pte_paddr = agp_i915_read_gtt_pte_paddr,
.set_aperture = agp_i915_set_aperture,
.chipset_flush_setup = agp_i965_chipset_flush_setup,
@@ -484,75 +470,6 @@ static const struct agp_i810_driver agp_i810_g4x_driver = {
.chipset_flush = agp_i915_chipset_flush,
};
-static const struct agp_i810_driver agp_i810_sb_driver = {
- .chiptype = CHIP_SB,
- .gen = 6,
- .busdma_addr_mask_sz = 40,
- .res_spec = agp_g4x_res_spec,
- .check_active = agp_sb_check_active,
- .set_desc = agp_i810_set_desc,
- .dump_regs = agp_sb_dump_regs,
- .get_stolen_size = agp_sb_get_stolen_size,
- .get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries,
- .get_gtt_total_entries = agp_sb_get_gtt_total_entries,
- .install_gatt = agp_g4x_install_gatt,
- .deinstall_gatt = agp_i830_deinstall_gatt,
- .write_gtt = agp_sb_write_gtt,
- .install_gtt_pte = agp_sb_install_gtt_pte,
- .read_gtt_pte = agp_g4x_read_gtt_pte,
- .read_gtt_pte_paddr = agp_sb_read_gtt_pte_paddr,
- .set_aperture = agp_i915_set_aperture,
- .chipset_flush_setup = agp_i810_chipset_flush_setup,
- .chipset_flush_teardown = agp_i810_chipset_flush_teardown,
- .chipset_flush = agp_i810_chipset_flush,
-};
-
-static const struct agp_i810_driver agp_i810_hsw_driver = {
- .chiptype = CHIP_SB,
- .gen = 7,
- .busdma_addr_mask_sz = 40,
- .res_spec = agp_g4x_res_spec,
- .check_active = agp_sb_check_active,
- .set_desc = agp_i810_set_desc,
- .dump_regs = agp_sb_dump_regs,
- .get_stolen_size = agp_sb_get_stolen_size,
- .get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries,
- .get_gtt_total_entries = agp_sb_get_gtt_total_entries,
- .install_gatt = agp_g4x_install_gatt,
- .deinstall_gatt = agp_i830_deinstall_gatt,
- .write_gtt = agp_sb_write_gtt,
- .install_gtt_pte = agp_sb_install_gtt_pte,
- .read_gtt_pte = agp_g4x_read_gtt_pte,
- .read_gtt_pte_paddr = agp_sb_read_gtt_pte_paddr,
- .set_aperture = agp_i915_set_aperture,
- .chipset_flush_setup = agp_i810_chipset_flush_setup,
- .chipset_flush_teardown = agp_i810_chipset_flush_teardown,
- .chipset_flush = agp_i810_chipset_flush,
-};
-
-static const struct agp_i810_driver agp_i810_valleyview_driver = {
- .chiptype = CHIP_SB,
- .gen = 7,
- .busdma_addr_mask_sz = 40,
- .res_spec = agp_g4x_res_spec,
- .check_active = agp_sb_check_active,
- .set_desc = agp_i810_set_desc,
- .dump_regs = agp_sb_dump_regs,
- .get_stolen_size = agp_sb_get_stolen_size,
- .get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries,
- .get_gtt_total_entries = agp_sb_get_gtt_total_entries,
- .install_gatt = agp_g4x_install_gatt,
- .deinstall_gatt = agp_i830_deinstall_gatt,
- .write_gtt = agp_sb_write_gtt,
- .install_gtt_pte = agp_sb_install_gtt_pte,
- .read_gtt_pte = agp_g4x_read_gtt_pte,
- .read_gtt_pte_paddr = agp_sb_read_gtt_pte_paddr,
- .set_aperture = agp_i915_set_aperture,
- .chipset_flush_setup = agp_i810_chipset_flush_setup,
- .chipset_flush_teardown = agp_i810_chipset_flush_teardown,
- .chipset_flush = agp_i810_chipset_flush,
-};
-
/* For adding new devices, devid is the id of the graphics controller
* (pci:0:2:0, for example). The placeholder (usually at pci:0:2:1) for the
* second head should never be added. The bridge_offset is the offset to
@@ -724,266 +641,6 @@ static const struct agp_i810_match {
.driver = &agp_i810_g4x_driver
},
{
- .devid = 0x01028086,
- .name = "SandyBridge desktop GT1 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x01128086,
- .name = "SandyBridge desktop GT2 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x01228086,
- .name = "SandyBridge desktop GT2+ IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x01068086,
- .name = "SandyBridge mobile GT1 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x01168086,
- .name = "SandyBridge mobile GT2 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x01268086,
- .name = "SandyBridge mobile GT2+ IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x010a8086,
- .name = "SandyBridge server IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x01528086,
- .name = "IvyBridge desktop GT1 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x01628086,
- .name = "IvyBridge desktop GT2 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x01568086,
- .name = "IvyBridge mobile GT1 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x01668086,
- .name = "IvyBridge mobile GT2 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x015a8086,
- .name = "IvyBridge server GT1 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x016a8086,
- .name = "IvyBridge server GT2 IG",
- .driver = &agp_i810_sb_driver
- },
- {
- .devid = 0x04028086,
- .name = "Haswell GT1 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x04068086,
- .name = "Haswell GT1 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x040A8086,
- .name = "Haswell GT1 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x04128086,
- .name = "Haswell GT2 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x04168086,
- .name = "Haswell GT2 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x041A8086,
- .name = "Haswell GT2 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x04228086,
- .name = "Haswell GT2 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x04268086,
- .name = "Haswell GT2 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x042A8086,
- .name = "Haswell GT2 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0A028086,
- .name = "Haswell ULT GT1 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0A068086,
- .name = "Haswell ULT GT1 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0A0A8086,
- .name = "Haswell ULT GT1 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0A128086,
- .name = "Haswell ULT GT2 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0A168086,
- .name = "Haswell ULT GT2 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0A1A8086,
- .name = "Haswell ULT GT2 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0A228086,
- .name = "Haswell ULT GT2 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0A268086,
- .name = "Haswell ULT GT2 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0A2A8086,
- .name = "Haswell ULT GT2 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0C028086,
- .name = "Haswell SDV GT1 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0C068086,
- .name = "Haswell SDV GT1 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0C0A8086,
- .name = "Haswell SDV GT1 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0C128086,
- .name = "Haswell SDV GT2 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0C168086,
- .name = "Haswell SDV GT2 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0C1A8086,
- .name = "Haswell SDV GT2 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0C228086,
- .name = "Haswell SDV GT2 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0C268086,
- .name = "Haswell SDV GT2 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0C2A8086,
- .name = "Haswell SDV GT2 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0D028086,
- .name = "Haswell CRW GT1 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0D068086,
- .name = "Haswell CRW GT1 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0D0A8086,
- .name = "Haswell CRW GT1 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0D128086,
- .name = "Haswell CRW GT2 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0D168086,
- .name = "Haswell CRW GT2 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0D1A8086,
- .name = "Haswell CRW GT2 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0D228086,
- .name = "Haswell CRW GT2 desktop",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0D268086,
- .name = "Haswell CRW GT2 mobile",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x0D2A8086,
- .name = "Haswell CRW GT2 server",
- .driver = &agp_i810_hsw_driver
- },
- {
- .devid = 0x01558086,
- .name = "Valleyview (desktop)",
- .driver = &agp_i810_valleyview_driver
- },
- {
- .devid = 0x01578086,
- .name = "Valleyview (mobile)",
- .driver = &agp_i810_valleyview_driver
- },
- {
- .devid = 0x0F308086,
- .name = "Valleyview (mobile)",
- .driver = &agp_i810_valleyview_driver
- },
- {
.devid = 0,
}
};
@@ -1061,17 +718,6 @@ agp_i915_check_active(device_t bridge_dev)
return (0);
}
-static int
-agp_sb_check_active(device_t bridge_dev)
-{
- int deven;
-
- deven = pci_read_config(bridge_dev, AGP_I915_DEVEN, 4);
- if ((deven & AGP_SB_DEVEN_D2EN) == AGP_SB_DEVEN_D2EN_DISABLED)
- return (ENXIO);
- return (0);
-}
-
static void
agp_82852_set_desc(device_t dev, const struct agp_i810_match *match)
{
@@ -1200,17 +846,6 @@ agp_i965_dump_regs(device_t dev)
pci_read_config(sc->bdev, AGP_I965_MSAC, 1));
}
-static void
-agp_sb_dump_regs(device_t dev)
-{
- struct agp_i810_softc *sc = device_get_softc(dev);
-
- device_printf(dev, "AGP_SNB_GFX_MODE: %08x\n",
- bus_read_4(sc->sc_res[0], AGP_SNB_GFX_MODE));
- device_printf(dev, "AGP_SNB_GCC1: 0x%04x\n",
- pci_read_config(sc->bdev, AGP_SNB_GCC1, 2));
-}
-
static int
agp_i810_get_stolen_size(device_t dev)
{
@@ -1236,11 +871,11 @@ agp_i830_get_stolen_size(device_t dev)
sc->stolen = (512 - 132) * 1024 / 4096;
sc->stolen_size = 512 * 1024;
break;
- case AGP_I830_GCC1_GMS_STOLEN_1024:
+ case AGP_I830_GCC1_GMS_STOLEN_1024:
sc->stolen = (1024 - 132) * 1024 / 4096;
sc->stolen_size = 1024 * 1024;
break;
- case AGP_I830_GCC1_GMS_STOLEN_8192:
+ case AGP_I830_GCC1_GMS_STOLEN_8192:
sc->stolen = (8192 - 132) * 1024 / 4096;
sc->stolen_size = 8192 * 1024;
break;
@@ -1396,68 +1031,6 @@ agp_i915_get_stolen_size(device_t dev)
}
static int
-agp_sb_get_stolen_size(device_t dev)
-{
- struct agp_i810_softc *sc;
- uint16_t gmch_ctl;
-
- sc = device_get_softc(dev);
- gmch_ctl = pci_read_config(sc->bdev, AGP_SNB_GCC1, 2);
- switch (gmch_ctl & AGP_SNB_GMCH_GMS_STOLEN_MASK) {
- case AGP_SNB_GMCH_GMS_STOLEN_32M:
- sc->stolen_size = 32 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_64M:
- sc->stolen_size = 64 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_96M:
- sc->stolen_size = 96 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_128M:
- sc->stolen_size = 128 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_160M:
- sc->stolen_size = 160 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_192M:
- sc->stolen_size = 192 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_224M:
- sc->stolen_size = 224 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_256M:
- sc->stolen_size = 256 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_288M:
- sc->stolen_size = 288 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_320M:
- sc->stolen_size = 320 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_352M:
- sc->stolen_size = 352 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_384M:
- sc->stolen_size = 384 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_416M:
- sc->stolen_size = 416 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_448M:
- sc->stolen_size = 448 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_480M:
- sc->stolen_size = 480 * 1024 * 1024;
- break;
- case AGP_SNB_GMCH_GMS_STOLEN_512M:
- sc->stolen_size = 512 * 1024 * 1024;
- break;
- }
- sc->stolen = (sc->stolen_size - 4) / 4096;
- return (0);
-}
-
-static int
agp_i810_get_gtt_mappable_entries(device_t dev)
{
struct agp_i810_softc *sc;
@@ -1600,30 +1173,6 @@ agp_gen5_get_gtt_total_entries(device_t dev)
}
static int
-agp_sb_get_gtt_total_entries(device_t dev)
-{
- struct agp_i810_softc *sc;
- uint16_t gcc1;
-
- sc = device_get_softc(dev);
-
- gcc1 = pci_read_config(sc->bdev, AGP_SNB_GCC1, 2);
- switch (gcc1 & AGP_SNB_GTT_SIZE_MASK) {
- default:
- case AGP_SNB_GTT_SIZE_0M:
- printf("Bad GTT size mask: 0x%04x\n", gcc1);
- return (ENXIO);
- case AGP_SNB_GTT_SIZE_1M:
- sc->gtt_total_entries = 1024 * 1024 / 4;
- break;
- case AGP_SNB_GTT_SIZE_2M:
- sc->gtt_total_entries = 2 * 1024 * 1024 / 4;
- break;
- }
- return (0);
-}
-
-static int
agp_i810_install_gatt(device_t dev)
{
struct agp_i810_softc *sc;
@@ -2024,38 +1573,6 @@ agp_g4x_write_gtt(device_t dev, u_int index, uint32_t pte)
CTR2(KTR_AGP_I810, "g4x_pte %x %x", index, pte);
}
-static void
-agp_sb_install_gtt_pte(device_t dev, u_int index, vm_offset_t physical,
- int flags)
-{
- int type_mask, gfdt;
- uint32_t pte;
-
- pte = (u_int32_t)physical | I810_PTE_VALID;
- type_mask = flags & ~AGP_USER_CACHED_MEMORY_GFDT;
- gfdt = (flags & AGP_USER_CACHED_MEMORY_GFDT) != 0 ? GEN6_PTE_GFDT : 0;
-
- if (type_mask == AGP_USER_MEMORY)
- pte |= GEN6_PTE_UNCACHED;
- else if (type_mask == AGP_USER_CACHED_MEMORY_LLC_MLC)
- pte |= GEN6_PTE_LLC_MLC | gfdt;
- else
- pte |= GEN6_PTE_LLC | gfdt;
-
- pte |= (physical & 0x000000ff00000000ull) >> 28;
- agp_sb_write_gtt(dev, index, pte);
-}
-
-static void
-agp_sb_write_gtt(device_t dev, u_int index, uint32_t pte)
-{
- struct agp_i810_softc *sc;
-
- sc = device_get_softc(dev);
- bus_write_4(sc->sc_res[0], index * 4 + (2 * 1024 * 1024), pte);
- CTR2(KTR_AGP_I810, "sb_pte %x %x", index, pte);
-}
-
static int
agp_i810_bind_page(device_t dev, vm_offset_t offset, vm_offset_t physical)
{
@@ -2165,19 +1682,6 @@ agp_i915_read_gtt_pte_paddr(device_t dev, u_int index)
return (res);
}
-static vm_paddr_t
-agp_sb_read_gtt_pte_paddr(device_t dev, u_int index)
-{
- struct agp_i810_softc *sc;
- u_int32_t pte;
- vm_paddr_t res;
-
- sc = device_get_softc(dev);
- pte = sc->match->driver->read_gtt_pte(dev, index);
- res = (pte & ~PAGE_MASK) | ((pte & 0xff0) << 28);
- return (res);
-}
-
/*
* Writing via memory mapped registers already flushes all TLBs.
*/
diff --git a/sys/dev/agp/agpreg.h b/sys/dev/agp/agpreg.h
index dfa93a502b7e..3f473da67e03 100644
--- a/sys/dev/agp/agpreg.h
+++ b/sys/dev/agp/agpreg.h
@@ -296,9 +296,19 @@
#define AGP_I915_IFPADDR 0x60
/*
+ * G33 registers
+ */
+#define AGP_G33_MGGC_GGMS_MASK (3 << 8)
+#define AGP_G33_MGGC_GGMS_SIZE_1M (1 << 8)
+#define AGP_G33_MGGC_GGMS_SIZE_2M (2 << 8)
+#define AGP_G33_GCC1_GMS_STOLEN_128M 0x80
+#define AGP_G33_GCC1_GMS_STOLEN_256M 0x90
+
+/*
* G965 registers
*/
#define AGP_I965_GTTMMADR 0x10
+#define AGP_I965_APBASE 0x18
#define AGP_I965_MSAC 0x62
#define AGP_I965_MSAC_GMASIZE_128 0x00
#define AGP_I965_MSAC_GMASIZE_256 0x02
@@ -310,20 +320,8 @@
#define AGP_I965_IFPADDR 0x70
/*
- * G33 registers
- */
-#define AGP_G33_MGGC_GGMS_MASK (3 << 8)
-#define AGP_G33_MGGC_GGMS_SIZE_1M (1 << 8)
-#define AGP_G33_MGGC_GGMS_SIZE_2M (2 << 8)
-#define AGP_G33_GCC1_GMS_STOLEN_128M 0x80
-#define AGP_G33_GCC1_GMS_STOLEN_256M 0x90
-
-/*
* G4X registers
*/
-#define AGP_G4X_GMADR 0x20
-#define AGP_G4X_MMADR 0x10
-#define AGP_G4X_GTTADR 0x18
#define AGP_G4X_GCC1_GMS_STOLEN_96M 0xa0
#define AGP_G4X_GCC1_GMS_STOLEN_160M 0xb0
#define AGP_G4X_GCC1_GMS_STOLEN_224M 0xc0
diff --git a/sys/dev/cxgbe/adapter.h b/sys/dev/cxgbe/adapter.h
index 32c9c2b876b4..ee147122fbed 100644
--- a/sys/dev/cxgbe/adapter.h
+++ b/sys/dev/cxgbe/adapter.h
@@ -803,17 +803,22 @@ struct adapter {
int tracer_valid; /* bitmap of valid tracers */
int tracer_enabled; /* bitmap of enabled tracers */
- char fw_version[32];
+ char fw_version[16];
+ char tp_version[16];
+ char exprom_version[16];
char cfg_file[32];
u_int cfcsum;
struct adapter_params params;
const struct chip_params *chip_params;
struct t4_virt_res vres;
+ uint16_t nbmcaps;
uint16_t linkcaps;
+ uint16_t switchcaps;
uint16_t niccaps;
uint16_t toecaps;
uint16_t rdmacaps;
+ uint16_t tlscaps;
uint16_t iscsicaps;
uint16_t fcoecaps;
diff --git a/sys/dev/cxgbe/common/common.h b/sys/dev/cxgbe/common/common.h
index d499f7455a56..cc6edf32a3c7 100644
--- a/sys/dev/cxgbe/common/common.h
+++ b/sys/dev/cxgbe/common/common.h
@@ -262,6 +262,7 @@ struct devlog_params {
u32 memtype; /* which memory (FW_MEMTYPE_* ) */
u32 start; /* start of log in firmware memory */
u32 size; /* size of log */
+ u32 addr; /* start address in flat addr space */
};
/* Stores chip specific parameters */
@@ -289,6 +290,7 @@ struct adapter_params {
unsigned int fw_vers;
unsigned int tp_vers;
+ unsigned int exprom_vers;
unsigned short mtus[NMTUS];
unsigned short a_wnd[NCCTRL_WIN];
diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c
index 05a82b7113b5..77777f8662df 100644
--- a/sys/dev/cxgbe/t4_main.c
+++ b/sys/dev/cxgbe/t4_main.c
@@ -328,9 +328,15 @@ TUNABLE_INT("hw.cxgbe.fw_install", &t4_fw_install);
* ASIC features that will be used. Disable the ones you don't want so that the
* chip resources aren't wasted on features that will not be used.
*/
+static int t4_nbmcaps_allowed = 0;
+TUNABLE_INT("hw.cxgbe.nbmcaps_allowed", &t4_nbmcaps_allowed);
+
static int t4_linkcaps_allowed = 0; /* No DCBX, PPP, etc. by default */
TUNABLE_INT("hw.cxgbe.linkcaps_allowed", &t4_linkcaps_allowed);
+static int t4_switchcaps_allowed = 0;
+TUNABLE_INT("hw.cxgbe.switchcaps_allowed", &t4_switchcaps_allowed);
+
static int t4_niccaps_allowed = FW_CAPS_CONFIG_NIC;
TUNABLE_INT("hw.cxgbe.niccaps_allowed", &t4_niccaps_allowed);
@@ -340,6 +346,9 @@ TUNABLE_INT("hw.cxgbe.toecaps_allowed", &t4_toecaps_allowed);
static int t4_rdmacaps_allowed = 0;
TUNABLE_INT("hw.cxgbe.rdmacaps_allowed", &t4_rdmacaps_allowed);
+static int t4_tlscaps_allowed = 0;
+TUNABLE_INT("hw.cxgbe.tlscaps_allowed", &t4_tlscaps_allowed);
+
static int t4_iscsicaps_allowed = 0;
TUNABLE_INT("hw.cxgbe.iscsicaps_allowed", &t4_iscsicaps_allowed);
@@ -409,6 +418,7 @@ static int validate_mem_range(struct adapter *, uint32_t, int);
static int fwmtype_to_hwmtype(int);
static int validate_mt_off_len(struct adapter *, int, uint32_t, int,
uint32_t *);
+static int fixup_devlog_params(struct adapter *);
static int cfg_itype_and_nqueues(struct adapter *, int, int, int,
struct intrs_and_queues *);
static int prep_firmware(struct adapter *);
@@ -475,11 +485,17 @@ static int sysctl_rdma_stats(SYSCTL_HANDLER_ARGS);
static int sysctl_tcp_stats(SYSCTL_HANDLER_ARGS);
static int sysctl_tids(SYSCTL_HANDLER_ARGS);
static int sysctl_tp_err_stats(SYSCTL_HANDLER_ARGS);
+static int sysctl_tp_la_mask(SYSCTL_HANDLER_ARGS);
static int sysctl_tp_la(SYSCTL_HANDLER_ARGS);
static int sysctl_tx_rate(SYSCTL_HANDLER_ARGS);
static int sysctl_ulprx_la(SYSCTL_HANDLER_ARGS);
static int sysctl_wcwr_stats(SYSCTL_HANDLER_ARGS);
#endif
+#ifdef TCP_OFFLOAD
+static int sysctl_tp_tick(SYSCTL_HANDLER_ARGS);
+static int sysctl_tp_dack_timer(SYSCTL_HANDLER_ARGS);
+static int sysctl_tp_timer(SYSCTL_HANDLER_ARGS);
+#endif
static uint32_t fconf_iconf_to_mode(uint32_t, uint32_t);
static uint32_t mode_to_fconf(uint32_t);
static uint32_t mode_to_iconf(uint32_t);
@@ -733,6 +749,8 @@ t4_attach(device_t dev)
* will work even in "recovery mode".
*/
setup_memwin(sc);
+ if (t4_init_devlog_params(sc, 0) == 0)
+ fixup_devlog_params(sc);
sc->cdev = make_dev(is_t4(sc) ? &t4_cdevsw : &t5_cdevsw,
device_get_unit(dev), UID_ROOT, GID_WHEEL, 0600, "%s",
device_get_nameunit(dev));
@@ -2333,6 +2351,18 @@ validate_mt_off_len(struct adapter *sc, int mtype, uint32_t off, int len,
}
static int
+fixup_devlog_params(struct adapter *sc)
+{
+ struct devlog_params *dparams = &sc->params.devlog;
+ int rc;
+
+ rc = validate_mt_off_len(sc, dparams->memtype, dparams->start,
+ dparams->size, &dparams->addr);
+
+ return (rc);
+}
+
+static int
cfg_itype_and_nqueues(struct adapter *sc, int n10g, int n1g, int num_vis,
struct intrs_and_queues *iaq)
{
@@ -2810,7 +2840,24 @@ prep_firmware(struct adapter *sc)
G_FW_HDR_FW_VER_MINOR(sc->params.fw_vers),
G_FW_HDR_FW_VER_MICRO(sc->params.fw_vers),
G_FW_HDR_FW_VER_BUILD(sc->params.fw_vers));
+
t4_get_tp_version(sc, &sc->params.tp_vers);
+ snprintf(sc->tp_version, sizeof(sc->tp_version), "%u.%u.%u.%u",
+ G_FW_HDR_FW_VER_MAJOR(sc->params.tp_vers),
+ G_FW_HDR_FW_VER_MINOR(sc->params.tp_vers),
+ G_FW_HDR_FW_VER_MICRO(sc->params.tp_vers),
+ G_FW_HDR_FW_VER_BUILD(sc->params.tp_vers));
+
+ if (t4_get_exprom_version(sc, &sc->params.exprom_vers) != 0)
+ sc->params.exprom_vers = 0;
+ else {
+ snprintf(sc->exprom_version, sizeof(sc->exprom_version),
+ "%u.%u.%u.%u",
+ G_FW_HDR_FW_VER_MAJOR(sc->params.exprom_vers),
+ G_FW_HDR_FW_VER_MINOR(sc->params.exprom_vers),
+ G_FW_HDR_FW_VER_MICRO(sc->params.exprom_vers),
+ G_FW_HDR_FW_VER_BUILD(sc->params.exprom_vers));
+ }
/* Reset device */
if (need_fw_reset &&
@@ -3022,10 +3069,13 @@ use_config_on_flash:
* Let the firmware know what features will (not) be used so it can tune
* things accordingly.
*/
+ LIMIT_CAPS(nbmcaps);
LIMIT_CAPS(linkcaps);
+ LIMIT_CAPS(switchcaps);
LIMIT_CAPS(niccaps);
LIMIT_CAPS(toecaps);
LIMIT_CAPS(rdmacaps);
+ LIMIT_CAPS(tlscaps);
LIMIT_CAPS(iscsicaps);
LIMIT_CAPS(fcoecaps);
#undef LIMIT_CAPS
@@ -3052,8 +3102,6 @@ get_params__pre_init(struct adapter *sc)
{
int rc;
uint32_t param[2], val[2];
- struct fw_devlog_cmd cmd;
- struct devlog_params *dlog = &sc->params.devlog;
param[0] = FW_PARAM_DEV(PORTVEC);
param[1] = FW_PARAM_DEV(CCLK);
@@ -3069,21 +3117,13 @@ get_params__pre_init(struct adapter *sc)
sc->params.vpd.cclk = val[1];
/* Read device log parameters. */
- bzero(&cmd, sizeof(cmd));
- cmd.op_to_write = htobe32(V_FW_CMD_OP(FW_DEVLOG_CMD) |
- F_FW_CMD_REQUEST | F_FW_CMD_READ);
- cmd.retval_len16 = htobe32(FW_LEN16(cmd));
- rc = -t4_wr_mbox(sc, sc->mbox, &cmd, sizeof(cmd), &cmd);
- if (rc != 0) {
+ rc = -t4_init_devlog_params(sc, 1);
+ if (rc == 0)
+ fixup_devlog_params(sc);
+ else {
device_printf(sc->dev,
"failed to get devlog parameters: %d.\n", rc);
- bzero(dlog, sizeof (*dlog));
rc = 0; /* devlog isn't critical for device operation */
- } else {
- val[0] = be32toh(cmd.memtype_devlog_memaddr16_devlog);
- dlog->memtype = G_FW_DEVLOG_CMD_MEMTYPE_DEVLOG(val[0]);
- dlog->start = G_FW_DEVLOG_CMD_MEMADDR16_DEVLOG(val[0]) << 4;
- dlog->size = be32toh(cmd.memsize_devlog);
}
return (rc);
@@ -3140,10 +3180,13 @@ get_params__post_init(struct adapter *sc)
#define READ_CAPS(x) do { \
sc->x = htobe16(caps.x); \
} while (0)
+ READ_CAPS(nbmcaps);
READ_CAPS(linkcaps);
+ READ_CAPS(switchcaps);
READ_CAPS(niccaps);
READ_CAPS(toecaps);
READ_CAPS(rdmacaps);
+ READ_CAPS(tlscaps);
READ_CAPS(iscsicaps);
READ_CAPS(fcoecaps);
@@ -4550,24 +4593,33 @@ t4_register_fw_msg_handler(struct adapter *sc, int type, fw_msg_handler_t h)
return (0);
}
+/*
+ * Should match fw_caps_config_<foo> enums in t4fw_interface.h
+ */
+static char *caps_decoder[] = {
+ "\20\001IPMI\002NCSI", /* 0: NBM */
+ "\20\001PPP\002QFC\003DCBX", /* 1: link */
+ "\20\001INGRESS\002EGRESS", /* 2: switch */
+ "\20\001NIC\002VM\003IDS\004UM\005UM_ISGL" /* 3: NIC */
+ "\006HASHFILTER\007ETHOFLD",
+ "\20\001TOE", /* 4: TOE */
+ "\20\001RDDP\002RDMAC", /* 5: RDMA */
+ "\20\001INITIATOR_PDU\002TARGET_PDU" /* 6: iSCSI */
+ "\003INITIATOR_CNXOFLD\004TARGET_CNXOFLD"
+ "\005INITIATOR_SSNOFLD\006TARGET_SSNOFLD"
+ "\007T10DIF"
+ "\010INITIATOR_CMDOFLD\011TARGET_CMDOFLD",
+ "\20\00KEYS", /* 7: TLS */
+ "\20\001INITIATOR\002TARGET\003CTRL_OFLD" /* 8: FCoE */
+ "\004PO_INITIATOR\005PO_TARGET",
+};
+
static void
t4_sysctls(struct adapter *sc)
{
struct sysctl_ctx_list *ctx;
struct sysctl_oid *oid;
struct sysctl_oid_list *children, *c0;
- static char *caps[] = {
- "\20\1PPP\2QFC\3DCBX", /* caps[0] linkcaps */
- "\20\1NIC\2VM\3IDS\4UM\5UM_ISGL" /* caps[1] niccaps */
- "\6HASHFILTER\7ETHOFLD",
- "\20\1TOE", /* caps[2] toecaps */
- "\20\1RDDP\2RDMAC", /* caps[3] rdmacaps */
- "\20\1INITIATOR_PDU\2TARGET_PDU" /* caps[4] iscsicaps */
- "\3INITIATOR_CNXOFLD\4TARGET_CNXOFLD"
- "\5INITIATOR_SSNOFLD\6TARGET_SSNOFLD",
- "\20\1INITIATOR\2TARGET\3CTRL_OFLD" /* caps[5] fcoecaps */
- "\4PO_INITIAOR\5PO_TARGET"
- };
static char *doorbells = {"\20\1UDB\2WCWR\3UDBWC\4KDB"};
ctx = device_get_sysctl_ctx(sc->dev);
@@ -4588,6 +4640,14 @@ t4_sysctls(struct adapter *sc)
SYSCTL_ADD_INT(ctx, children, OID_AUTO, "hw_revision", CTLFLAG_RD,
NULL, chip_rev(sc), "chip hardware revision");
+ SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "tp_version",
+ CTLFLAG_RD, sc->tp_version, 0, "TP microcode version");
+
+ if (sc->params.exprom_vers != 0) {
+ SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "exprom_version",
+ CTLFLAG_RD, sc->exprom_version, 0, "expansion ROM version");
+ }
+
SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "firmware_version",
CTLFLAG_RD, sc->fw_version, 0, "firmware version");
@@ -4601,29 +4661,21 @@ t4_sysctls(struct adapter *sc)
CTLTYPE_STRING | CTLFLAG_RD, doorbells, sc->doorbells,
sysctl_bitfield, "A", "available doorbells");
- SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "linkcaps",
- CTLTYPE_STRING | CTLFLAG_RD, caps[0], sc->linkcaps,
- sysctl_bitfield, "A", "available link capabilities");
-
- SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "niccaps",
- CTLTYPE_STRING | CTLFLAG_RD, caps[1], sc->niccaps,
- sysctl_bitfield, "A", "available NIC capabilities");
-
- SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "toecaps",
- CTLTYPE_STRING | CTLFLAG_RD, caps[2], sc->toecaps,
- sysctl_bitfield, "A", "available TCP offload capabilities");
-
- SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "rdmacaps",
- CTLTYPE_STRING | CTLFLAG_RD, caps[3], sc->rdmacaps,
- sysctl_bitfield, "A", "available RDMA capabilities");
-
- SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "iscsicaps",
- CTLTYPE_STRING | CTLFLAG_RD, caps[4], sc->iscsicaps,
- sysctl_bitfield, "A", "available iSCSI capabilities");
-
- SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "fcoecaps",
- CTLTYPE_STRING | CTLFLAG_RD, caps[5], sc->fcoecaps,
- sysctl_bitfield, "A", "available FCoE capabilities");
+#define SYSCTL_CAP(name, n, text) \
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, #name, \
+ CTLTYPE_STRING | CTLFLAG_RD, caps_decoder[n], sc->name, \
+ sysctl_bitfield, "A", "available " text "capabilities")
+
+ SYSCTL_CAP(nbmcaps, 0, "NBM");
+ SYSCTL_CAP(linkcaps, 1, "link");
+ SYSCTL_CAP(switchcaps, 2, "switch");
+ SYSCTL_CAP(niccaps, 3, "NIC");
+ SYSCTL_CAP(toecaps, 4, "TCP offload");
+ SYSCTL_CAP(rdmacaps, 5, "RDMA");
+ SYSCTL_CAP(iscsicaps, 6, "iSCSI");
+ SYSCTL_CAP(tlscaps, 7, "TLS");
+ SYSCTL_CAP(fcoecaps, 8, "FCoE");
+#undef SYSCTL_CAP
SYSCTL_ADD_INT(ctx, children, OID_AUTO, "core_clock", CTLFLAG_RD, NULL,
sc->params.vpd.cclk, "core clock frequency (in KHz)");
@@ -4803,6 +4855,10 @@ t4_sysctls(struct adapter *sc)
CTLTYPE_STRING | CTLFLAG_RD, sc, 0,
sysctl_tp_err_stats, "A", "TP error statistics");
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "tp_la_mask",
+ CTLTYPE_INT | CTLFLAG_RW, sc, 0, sysctl_tp_la_mask, "I",
+ "TP logic analyzer event capture mask");
+
SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "tp_la",
CTLTYPE_STRING | CTLFLAG_RD, sc, 0,
sysctl_tp_la, "A", "TP logic analyzer");
@@ -4855,6 +4911,54 @@ t4_sysctls(struct adapter *sc)
sc->tt.tx_align = 1;
SYSCTL_ADD_INT(ctx, children, OID_AUTO, "tx_align",
CTLFLAG_RW, &sc->tt.tx_align, 0, "chop and align payload");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "timer_tick",
+ CTLTYPE_STRING | CTLFLAG_RD, sc, 0, sysctl_tp_tick, "A",
+ "TP timer tick (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "timestamp_tick",
+ CTLTYPE_STRING | CTLFLAG_RD, sc, 1, sysctl_tp_tick, "A",
+ "TCP timestamp tick (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "dack_tick",
+ CTLTYPE_STRING | CTLFLAG_RD, sc, 2, sysctl_tp_tick, "A",
+ "DACK tick (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "dack_timer",
+ CTLTYPE_UINT | CTLFLAG_RD, sc, 0, sysctl_tp_dack_timer,
+ "IU", "DACK timer (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "rexmt_min",
+ CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_RXT_MIN,
+ sysctl_tp_timer, "LU", "Retransmit min (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "rexmt_max",
+ CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_RXT_MAX,
+ sysctl_tp_timer, "LU", "Retransmit max (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "persist_min",
+ CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_PERS_MIN,
+ sysctl_tp_timer, "LU", "Persist timer min (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "persist_max",
+ CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_PERS_MAX,
+ sysctl_tp_timer, "LU", "Persist timer max (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "keepalive_idle",
+ CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_KEEP_IDLE,
+ sysctl_tp_timer, "LU", "Keepidle idle timer (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "keepalive_intvl",
+ CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_KEEP_INTVL,
+ sysctl_tp_timer, "LU", "Keepidle interval (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "initial_srtt",
+ CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_INIT_SRTT,
+ sysctl_tp_timer, "LU", "Initial SRTT (us)");
+
+ SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "finwait2_timer",
+ CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_FINWAIT2_TIMER,
+ sysctl_tp_timer, "LU", "FINWAIT2 timer (us)");
}
#endif
}
@@ -5875,7 +5979,7 @@ sysctl_ddp_stats(SYSCTL_HANDLER_ARGS)
return (rc);
}
-const char *devlog_level_strings[] = {
+static const char * const devlog_level_strings[] = {
[FW_DEVLOG_LEVEL_EMERG] = "EMERG",
[FW_DEVLOG_LEVEL_CRIT] = "CRIT",
[FW_DEVLOG_LEVEL_ERR] = "ERR",
@@ -5884,7 +5988,7 @@ const char *devlog_level_strings[] = {
[FW_DEVLOG_LEVEL_DEBUG] = "DEBUG"
};
-const char *devlog_facility_strings[] = {
+static const char * const devlog_facility_strings[] = {
[FW_DEVLOG_FACILITY_CORE] = "CORE",
[FW_DEVLOG_FACILITY_CF] = "CF",
[FW_DEVLOG_FACILITY_SCHED] = "SCHED",
@@ -5908,7 +6012,8 @@ const char *devlog_facility_strings[] = {
[FW_DEVLOG_FACILITY_ISCSI] = "ISCSI",
[FW_DEVLOG_FACILITY_FCOE] = "FCOE",
[FW_DEVLOG_FACILITY_FOISCSI] = "FOISCSI",
- [FW_DEVLOG_FACILITY_FOFCOE] = "FOFCOE"
+ [FW_DEVLOG_FACILITY_FOFCOE] = "FOFCOE",
+ [FW_DEVLOG_FACILITY_CHNET] = "CHNET",
};
static int
@@ -5917,27 +6022,22 @@ sysctl_devlog(SYSCTL_HANDLER_ARGS)
struct adapter *sc = arg1;
struct devlog_params *dparams = &sc->params.devlog;
struct fw_devlog_e *buf, *e;
- int i, j, rc, nentries, first = 0, m;
+ int i, j, rc, nentries, first = 0;
struct sbuf *sb;
uint64_t ftstamp = UINT64_MAX;
- if (dparams->start == 0) {
- dparams->memtype = FW_MEMTYPE_EDC0;
- dparams->start = 0x84000;
- dparams->size = 32768;
- }
-
- nentries = dparams->size / sizeof(struct fw_devlog_e);
+ if (dparams->addr == 0)
+ return (ENXIO);
buf = malloc(dparams->size, M_CXGBE, M_NOWAIT);
if (buf == NULL)
return (ENOMEM);
- m = fwmtype_to_hwmtype(dparams->memtype);
- rc = -t4_mem_read(sc, m, dparams->start, dparams->size, (void *)buf);
+ rc = read_via_memwin(sc, 1, dparams->addr, (void *)buf, dparams->size);
if (rc != 0)
goto done;
+ nentries = dparams->size / sizeof(struct fw_devlog_e);
for (i = 0; i < nentries; i++) {
e = &buf[i];
@@ -6993,6 +7093,26 @@ sysctl_tp_err_stats(SYSCTL_HANDLER_ARGS)
return (rc);
}
+static int
+sysctl_tp_la_mask(SYSCTL_HANDLER_ARGS)
+{
+ struct adapter *sc = arg1;
+ struct tp_params *tpp = &sc->params.tp;
+ u_int mask;
+ int rc;
+
+ mask = tpp->la_mask >> 16;
+ rc = sysctl_handle_int(oidp, &mask, 0, req);
+ if (rc != 0 || req->newptr == NULL)
+ return (rc);
+ if (mask > 0xffff)
+ return (EINVAL);
+ tpp->la_mask = mask << 16;
+ t4_set_reg_field(sc, A_TP_DBG_LA_CONFIG, 0xffff0000U, tpp->la_mask);
+
+ return (0);
+}
+
struct field_desc {
const char *name;
u_int start;
@@ -7337,6 +7457,92 @@ sysctl_wcwr_stats(SYSCTL_HANDLER_ARGS)
}
#endif
+#ifdef TCP_OFFLOAD
+static void
+unit_conv(char *buf, size_t len, u_int val, u_int factor)
+{
+ u_int rem = val % factor;
+
+ if (rem == 0)
+ snprintf(buf, len, "%u", val / factor);
+ else {
+ while (rem % 10 == 0)
+ rem /= 10;
+ snprintf(buf, len, "%u.%u", val / factor, rem);
+ }
+}
+
+static int
+sysctl_tp_tick(SYSCTL_HANDLER_ARGS)
+{
+ struct adapter *sc = arg1;
+ char buf[16];
+ u_int res, re;
+ u_int cclk_ps = 1000000000 / sc->params.vpd.cclk;
+
+ res = t4_read_reg(sc, A_TP_TIMER_RESOLUTION);
+ switch (arg2) {
+ case 0:
+ /* timer_tick */
+ re = G_TIMERRESOLUTION(res);
+ break;
+ case 1:
+ /* TCP timestamp tick */
+ re = G_TIMESTAMPRESOLUTION(res);
+ break;
+ case 2:
+ /* DACK tick */
+ re = G_DELAYEDACKRESOLUTION(res);
+ break;
+ default:
+ return (EDOOFUS);
+ }
+
+ unit_conv(buf, sizeof(buf), (cclk_ps << re), 1000000);
+
+ return (sysctl_handle_string(oidp, buf, sizeof(buf), req));
+}
+
+static int
+sysctl_tp_dack_timer(SYSCTL_HANDLER_ARGS)
+{
+ struct adapter *sc = arg1;
+ u_int res, dack_re, v;
+ u_int cclk_ps = 1000000000 / sc->params.vpd.cclk;
+
+ res = t4_read_reg(sc, A_TP_TIMER_RESOLUTION);
+ dack_re = G_DELAYEDACKRESOLUTION(res);
+ v = ((cclk_ps << dack_re) / 1000000) * t4_read_reg(sc, A_TP_DACK_TIMER);
+
+ return (sysctl_handle_int(oidp, &v, 0, req));
+}
+
+static int
+sysctl_tp_timer(SYSCTL_HANDLER_ARGS)
+{
+ struct adapter *sc = arg1;
+ int reg = arg2;
+ u_int tre;
+ u_long tp_tick_us, v;
+ u_int cclk_ps = 1000000000 / sc->params.vpd.cclk;
+
+ MPASS(reg == A_TP_RXT_MIN || reg == A_TP_RXT_MAX ||
+ reg == A_TP_PERS_MIN || reg == A_TP_PERS_MAX ||
+ reg == A_TP_KEEP_IDLE || A_TP_KEEP_INTVL || reg == A_TP_INIT_SRTT ||
+ reg == A_TP_FINWAIT2_TIMER);
+
+ tre = G_TIMERRESOLUTION(t4_read_reg(sc, A_TP_TIMER_RESOLUTION));
+ tp_tick_us = (cclk_ps << tre) / 1000000;
+
+ if (reg == A_TP_INIT_SRTT)
+ v = tp_tick_us * G_INITSRTT(t4_read_reg(sc, reg));
+ else
+ v = tp_tick_us * t4_read_reg(sc, reg);
+
+ return (sysctl_handle_long(oidp, &v, 0, req));
+}
+#endif
+
static uint32_t
fconf_iconf_to_mode(uint32_t fconf, uint32_t iconf)
{
diff --git a/sys/dev/drm2/drm_drv.c b/sys/dev/drm2/drm_drv.c
index c3e6869aebf3..9529ac3dfa4b 100644
--- a/sys/dev/drm2/drm_drv.c
+++ b/sys/dev/drm2/drm_drv.c
@@ -386,17 +386,21 @@ int drm_ioctl(struct cdev *kdev, u_long cmd, caddr_t data, int flags,
switch (cmd) {
case FIONBIO:
case FIOASYNC:
+ atomic_dec(&dev->ioctl_count);
return 0;
case FIOSETOWN:
+ atomic_dec(&dev->ioctl_count);
return fsetown(*(int *)data, &file_priv->minor->buf_sigio);
case FIOGETOWN:
+ atomic_dec(&dev->ioctl_count);
*(int *) data = fgetown(&file_priv->minor->buf_sigio);
return 0;
}
if (IOCGROUP(cmd) != DRM_IOCTL_BASE) {
+ atomic_dec(&dev->ioctl_count);
DRM_DEBUG("Bad ioctl group 0x%x\n", (int)IOCGROUP(cmd));
return EINVAL;
}
diff --git a/sys/dev/drm2/i915/i915_dma.c b/sys/dev/drm2/i915/i915_dma.c
index e2d8e4c918e0..97a0eb938112 100644
--- a/sys/dev/drm2/i915/i915_dma.c
+++ b/sys/dev/drm2/i915/i915_dma.c
@@ -1810,6 +1810,12 @@ int i915_driver_unload(struct drm_device *dev)
if (dev_priv->mmio_map != NULL)
drm_rmmap(dev, dev_priv->mmio_map);
+ /*
+ * NOTE Linux<->FreeBSD: Linux forgots to call
+ * i915_gem_gtt_fini(), causing memory leaks.
+ */
+ i915_gem_gtt_fini(dev);
+
if (dev_priv->wq != NULL)
taskqueue_free(dev_priv->wq);
diff --git a/sys/dev/drm2/i915/i915_gem.c b/sys/dev/drm2/i915/i915_gem.c
index bece6b2203a6..7789e360326e 100644
--- a/sys/dev/drm2/i915/i915_gem.c
+++ b/sys/dev/drm2/i915/i915_gem.c
@@ -1619,6 +1619,13 @@ out:
KASSERT(ret != 0, ("i915_gem_pager_fault: wrong return"));
CTR4(KTR_DRM, "fault_fail %p %jx %x err %d", gem_obj, offset, prot,
-ret);
+ if (ret == -ERESTARTSYS) {
+ /*
+ * NOTE Linux<->FreeBSD: Convert Linux' -ERESTARTSYS to
+ * the more common -EINTR, so the page fault is retried.
+ */
+ ret = -EINTR;
+ }
if (ret == -EAGAIN || ret == -EIO || ret == -EINTR) {
kern_yield(PRI_USER);
goto retry;
@@ -3263,7 +3270,7 @@ i915_gem_object_bind_to_gtt(struct drm_i915_gem_object *obj,
i915_gem_object_pin_pages(obj);
- node = malloc(sizeof(*node), DRM_I915_GEM, M_NOWAIT | M_ZERO);
+ node = malloc(sizeof(*node), DRM_MEM_MM, M_NOWAIT | M_ZERO);
if (node == NULL) {
i915_gem_object_unpin_pages(obj);
return -ENOMEM;
@@ -3286,7 +3293,7 @@ i915_gem_object_bind_to_gtt(struct drm_i915_gem_object *obj,
goto search_free;
i915_gem_object_unpin_pages(obj);
- free(node, DRM_I915_GEM);
+ free(node, DRM_MEM_MM);
return ret;
}
if (WARN_ON(!i915_gem_valid_gtt_space(dev, node, obj->cache_level))) {
diff --git a/sys/dev/drm2/i915/i915_gem_context.c b/sys/dev/drm2/i915/i915_gem_context.c
index 5ab9af1905bc..4a94c28a94dc 100644
--- a/sys/dev/drm2/i915/i915_gem_context.c
+++ b/sys/dev/drm2/i915/i915_gem_context.c
@@ -297,6 +297,14 @@ void i915_gem_context_fini(struct drm_device *dev)
i915_gem_object_unpin(dev_priv->ring[RCS].default_context->obj);
+ /* When default context is created and switched to, base object refcount
+ * will be 2 (+1 from object creation and +1 from do_switch()).
+ * i915_gem_context_fini() will be called after gpu_idle() has switched
+ * to default context. So we need to unreference the base object once
+ * to offset the do_switch part, so that i915_gem_context_unreference()
+ * can then free the base object correctly. */
+ drm_gem_object_unreference(&dev_priv->ring[RCS].default_context->obj->base);
+
do_destroy(dev_priv->ring[RCS].default_context);
}
diff --git a/sys/dev/drm2/i915/i915_gem_gtt.c b/sys/dev/drm2/i915/i915_gem_gtt.c
index 4b8163d3a916..f0e7f7a977a9 100644
--- a/sys/dev/drm2/i915/i915_gem_gtt.c
+++ b/sys/dev/drm2/i915/i915_gem_gtt.c
@@ -565,9 +565,10 @@ void i915_gem_init_global_gtt(struct drm_device *dev,
i915_ggtt_clear_range(dev, start / PAGE_SIZE, (end-start) / PAGE_SIZE);
device_printf(dev->dev,
- "taking over the fictitious range 0x%lx-0x%lx\n",
- dev_priv->mm.gtt_base_addr + start,
- dev_priv->mm.gtt_base_addr + start + dev_priv->mm.mappable_gtt_total);
+ "taking over the fictitious range 0x%jx-0x%jx\n",
+ (uintmax_t)(dev_priv->mm.gtt_base_addr + start),
+ (uintmax_t)(dev_priv->mm.gtt_base_addr + start +
+ dev_priv->mm.mappable_gtt_total));
vm_phys_fictitious_reg_range(dev_priv->mm.gtt_base_addr + start,
dev_priv->mm.gtt_base_addr + start + dev_priv->mm.mappable_gtt_total,
VM_MEMATTR_WRITE_COMBINING);
diff --git a/sys/dev/pci/pci_iov.c b/sys/dev/pci/pci_iov.c
index 6d66498e8a25..8189ffbc3377 100644
--- a/sys/dev/pci/pci_iov.c
+++ b/sys/dev/pci/pci_iov.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2013-2015 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/sys/dev/pci/pci_iov_private.h b/sys/dev/pci/pci_iov_private.h
index 99fff1a9aa4e..6938e2e9f770 100644
--- a/sys/dev/pci/pci_iov_private.h
+++ b/sys/dev/pci/pci_iov_private.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2013-2015 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/sys/dev/pci/pci_iov_schema.c b/sys/dev/pci/pci_iov_schema.c
index 36d56d06474e..e324a1d368e8 100644
--- a/sys/dev/pci/pci_iov_schema.c
+++ b/sys/dev/pci/pci_iov_schema.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2014-2015 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2014-2015 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/sys/dev/pci/schema_private.h b/sys/dev/pci/schema_private.h
index 66503314d9df..a61fa1c4bc6f 100644
--- a/sys/dev/pci/schema_private.h
+++ b/sys/dev/pci/schema_private.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2014 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2014 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/sys/dev/usb/controller/xhci_mv.c b/sys/dev/usb/controller/xhci_mv.c
new file mode 100644
index 000000000000..06b35ce337bc
--- /dev/null
+++ b/sys/dev/usb/controller/xhci_mv.c
@@ -0,0 +1,232 @@
+/*-
+ * Copyright (c) 2015 Semihalf.
+ * Copyright (c) 2015 Stormshield.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_bus.h"
+
+#include <sys/stdint.h>
+#include <sys/stddef.h>
+#include <sys/param.h>
+#include <sys/queue.h>
+#include <sys/types.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/bus.h>
+#include <sys/module.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
+#include <sys/condvar.h>
+#include <sys/sysctl.h>
+#include <sys/sx.h>
+#include <sys/unistd.h>
+#include <sys/priv.h>
+#include <sys/rman.h>
+
+#include <dev/ofw/ofw_bus.h>
+#include <dev/ofw/ofw_bus_subr.h>
+
+#include <dev/usb/usb.h>
+#include <dev/usb/usbdi.h>
+
+#include <dev/usb/usb_core.h>
+#include <dev/usb/usb_busdma.h>
+#include <dev/usb/usb_process.h>
+#include <dev/usb/usb_util.h>
+
+#include <dev/usb/usb_controller.h>
+#include <dev/usb/usb_bus.h>
+#include <dev/usb/controller/xhci.h>
+#include <dev/usb/controller/xhcireg.h>
+
+#define XHCI_HC_DEVSTR "Marvell Integrated USB 3.0 controller"
+#define XHCI_HC_VENDOR "Marvell"
+
+#define IS_DMA_32B 1
+
+static device_attach_t xhci_attach;
+static device_detach_t xhci_detach;
+
+static struct ofw_compat_data compat_data[] = {
+ {"marvell,armada-380-xhci", true},
+ {NULL, false}
+};
+
+static int
+xhci_probe(device_t dev)
+{
+
+ if (!ofw_bus_status_okay(dev))
+ return (ENXIO);
+
+ if (!ofw_bus_search_compatible(dev, compat_data)->ocd_data)
+ return (ENXIO);
+
+ device_set_desc(dev, XHCI_HC_DEVSTR);
+
+ return (BUS_PROBE_DEFAULT);
+}
+
+static int
+xhci_attach(device_t dev)
+{
+ struct xhci_softc *sc = device_get_softc(dev);
+ int err = 0, rid = 0;
+
+ sc->sc_bus.parent = dev;
+ sc->sc_bus.devices = sc->sc_devices;
+ sc->sc_bus.devices_max = XHCI_MAX_DEVICES;
+
+ sc->sc_io_res = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &rid,
+ RF_ACTIVE);
+ if (sc->sc_io_res == NULL) {
+ device_printf(dev, "Failed to map memory\n");
+ xhci_detach(dev);
+ return (ENXIO);
+ }
+
+ sc->sc_io_tag = rman_get_bustag(sc->sc_io_res);
+ sc->sc_io_hdl = rman_get_bushandle(sc->sc_io_res);
+ sc->sc_io_size = rman_get_size(sc->sc_io_res);
+
+ sc->sc_irq_res = bus_alloc_resource_any(dev, SYS_RES_IRQ, &rid,
+ RF_SHAREABLE | RF_ACTIVE);
+ if (sc->sc_irq_res == NULL) {
+ device_printf(dev, "Failed to allocate IRQ\n");
+ xhci_detach(dev);
+ return (ENXIO);
+ }
+
+ sc->sc_bus.bdev = device_add_child(dev, "usbus", -1);
+ if (sc->sc_bus.bdev == NULL) {
+ device_printf(dev, "Failed to add USB device\n");
+ xhci_detach(dev);
+ return (ENXIO);
+ }
+
+ device_set_ivars(sc->sc_bus.bdev, &sc->sc_bus);
+
+ sprintf(sc->sc_vendor, XHCI_HC_VENDOR);
+ device_set_desc(sc->sc_bus.bdev, XHCI_HC_DEVSTR);
+
+ err = bus_setup_intr(dev, sc->sc_irq_res, INTR_TYPE_BIO | INTR_MPSAFE,
+ NULL, (driver_intr_t *)xhci_interrupt, sc, &sc->sc_intr_hdl);
+ if (err != 0) {
+ device_printf(dev, "Failed to setup error IRQ, %d\n", err);
+ sc->sc_intr_hdl = NULL;
+ xhci_detach(dev);
+ return (err);
+ }
+
+ err = xhci_init(sc, dev, IS_DMA_32B);
+ if (err != 0) {
+ device_printf(dev, "Failed to init XHCI, with error %d\n", err);
+ xhci_detach(dev);
+ return (ENXIO);
+ }
+
+ err = xhci_start_controller(sc);
+ if (err != 0) {
+ device_printf(dev, "Failed to start XHCI controller, with error %d\n", err);
+ xhci_detach(dev);
+ return (ENXIO);
+ }
+
+ err = device_probe_and_attach(sc->sc_bus.bdev);
+ if (err != 0) {
+ device_printf(dev, "Failed to initialize USB, with error %d\n", err);
+ xhci_detach(dev);
+ return (ENXIO);
+ }
+
+ return (0);
+}
+
+static int
+xhci_detach(device_t dev)
+{
+ struct xhci_softc *sc = device_get_softc(dev);
+ device_t bdev;
+ int err;
+
+ if (sc->sc_bus.bdev != NULL) {
+ bdev = sc->sc_bus.bdev;
+ device_detach(bdev);
+ device_delete_child(dev, bdev);
+ }
+
+ /* during module unload there are lots of children leftover */
+ device_delete_children(dev);
+
+ if (sc->sc_irq_res != NULL && sc->sc_intr_hdl != NULL) {
+ err = bus_teardown_intr(dev, sc->sc_irq_res, sc->sc_intr_hdl);
+ if (err != 0)
+ device_printf(dev, "Could not tear down irq, %d\n",
+ err);
+ sc->sc_intr_hdl = NULL;
+ }
+
+ if (sc->sc_irq_res != NULL) {
+ bus_release_resource(dev, SYS_RES_IRQ,
+ rman_get_rid(sc->sc_irq_res), sc->sc_irq_res);
+ sc->sc_irq_res = NULL;
+ }
+
+ if (sc->sc_io_res != NULL) {
+ bus_release_resource(dev, SYS_RES_MEMORY,
+ rman_get_rid(sc->sc_io_res), sc->sc_io_res);
+ sc->sc_io_res = NULL;
+ }
+
+ xhci_uninit(sc);
+
+ return (0);
+}
+
+static device_method_t xhci_methods[] = {
+ /* Device interface */
+ DEVMETHOD(device_probe, xhci_probe),
+ DEVMETHOD(device_attach, xhci_attach),
+ DEVMETHOD(device_detach, xhci_detach),
+ DEVMETHOD(device_suspend, bus_generic_suspend),
+ DEVMETHOD(device_resume, bus_generic_resume),
+ DEVMETHOD(device_shutdown, bus_generic_shutdown),
+
+ DEVMETHOD_END
+};
+
+static driver_t xhci_driver = {
+ "xhci",
+ xhci_methods,
+ sizeof(struct xhci_softc),
+};
+
+static devclass_t xhci_devclass;
+
+DRIVER_MODULE(xhci, simplebus, xhci_driver, xhci_devclass, 0, 0);
+MODULE_DEPEND(xhci, usb, 1, 1, 1);
diff --git a/sys/fs/autofs/autofs.h b/sys/fs/autofs/autofs.h
index 4d1650950739..27e380bd9bb7 100644
--- a/sys/fs/autofs/autofs.h
+++ b/sys/fs/autofs/autofs.h
@@ -120,13 +120,6 @@ struct autofs_softc {
int sc_last_request_id;
};
-/*
- * Limits and constants
- */
-#define AUTOFS_NAMELEN 24
-#define AUTOFS_FSNAMELEN 16 /* equal to MFSNAMELEN */
-#define AUTOFS_DELEN (8 + AUTOFS_NAMELEN)
-
int autofs_init(struct vfsconf *vfsp);
int autofs_uninit(struct vfsconf *vfsp);
int autofs_trigger(struct autofs_node *anp, const char *component,
diff --git a/sys/fs/autofs/autofs_vfsops.c b/sys/fs/autofs/autofs_vfsops.c
index e84f6b8fe09d..722ff24fb362 100644
--- a/sys/fs/autofs/autofs_vfsops.c
+++ b/sys/fs/autofs/autofs_vfsops.c
@@ -39,6 +39,7 @@
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/mount.h>
+#include <sys/stat.h>
#include <sys/sx.h>
#include <sys/taskqueue.h>
#include <sys/vnode.h>
@@ -192,7 +193,7 @@ static int
autofs_statfs(struct mount *mp, struct statfs *sbp)
{
- sbp->f_bsize = 512;
+ sbp->f_bsize = S_BLKSIZE;
sbp->f_iosize = 0;
sbp->f_blocks = 0;
sbp->f_bfree = 0;
diff --git a/sys/fs/autofs/autofs_vnops.c b/sys/fs/autofs/autofs_vnops.c
index 550c5146beb2..515d2286f4a6 100644
--- a/sys/fs/autofs/autofs_vnops.c
+++ b/sys/fs/autofs/autofs_vnops.c
@@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mutex.h>
#include <sys/namei.h>
#include <sys/signalvar.h>
+#include <sys/stat.h>
#include <sys/systm.h>
#include <sys/taskqueue.h>
#include <sys/vnode.h>
@@ -110,8 +111,8 @@ autofs_getattr(struct vop_getattr_args *ap)
vap->va_rdev = NODEV;
vap->va_fsid = mp->mnt_stat.f_fsid.val[0];
vap->va_fileid = anp->an_fileno;
- vap->va_size = 512; /* XXX */
- vap->va_blocksize = 512;
+ vap->va_size = S_BLKSIZE;
+ vap->va_blocksize = S_BLKSIZE;
vap->va_mtime = anp->an_ctime;
vap->va_atime = anp->an_ctime;
vap->va_ctime = anp->an_ctime;
@@ -119,7 +120,7 @@ autofs_getattr(struct vop_getattr_args *ap)
vap->va_gen = 0;
vap->va_flags = 0;
vap->va_rdev = 0;
- vap->va_bytes = 512; /* XXX */
+ vap->va_bytes = S_BLKSIZE;
vap->va_filerev = 0;
vap->va_spare = 0;
@@ -214,7 +215,7 @@ autofs_lookup(struct vop_lookup_args *ap)
struct autofs_mount *amp;
struct autofs_node *anp, *child;
struct componentname *cnp;
- int error, lock_flags;
+ int error;
dvp = ap->a_dvp;
vpp = ap->a_vpp;
@@ -257,23 +258,13 @@ autofs_lookup(struct vop_lookup_args *ap)
return (error);
if (newvp != NULL) {
- error = VOP_LOOKUP(newvp, ap->a_vpp, ap->a_cnp);
-
/*
- * Instead of figuring out whether our vnode should
- * be locked or not given the error and cnp flags,
- * just "copy" the lock status from vnode returned
- * by mounted filesystem's VOP_LOOKUP(). Get rid
- * of that new vnode afterwards.
+ * The target filesystem got automounted.
+ * Let the lookup(9) go around with the same
+ * path component.
*/
- lock_flags = VOP_ISLOCKED(newvp);
- if (lock_flags == 0) {
- VOP_UNLOCK(dvp, 0);
- vrele(newvp);
- } else {
- vput(newvp);
- }
- return (error);
+ vput(newvp);
+ return (ERELOOKUP);
}
}
@@ -339,26 +330,52 @@ autofs_mkdir(struct vop_mkdir_args *ap)
return (error);
}
+/*
+ * Write out a single 'struct dirent', based on 'name' and 'fileno' arguments.
+ */
static int
-autofs_readdir_one(struct uio *uio, const char *name, int fileno)
+autofs_readdir_one(struct uio *uio, const char *name, int fileno,
+ size_t *reclenp)
{
struct dirent dirent;
- int error, i;
+ size_t namlen, padded_namlen, reclen;
+ int error;
+
+ namlen = strlen(name);
+ padded_namlen = roundup2(namlen + 1, __alignof(struct dirent));
+ KASSERT(padded_namlen <= MAXNAMLEN, ("%zd > MAXNAMLEN", padded_namlen));
+ reclen = offsetof(struct dirent, d_name) + padded_namlen;
+
+ if (reclenp != NULL)
+ *reclenp = reclen;
+
+ if (uio == NULL)
+ return (0);
+
+ if (uio->uio_resid < reclen)
+ return (EINVAL);
- memset(&dirent, 0, sizeof(dirent));
- dirent.d_type = DT_DIR;
- dirent.d_reclen = AUTOFS_DELEN;
dirent.d_fileno = fileno;
- /* PFS_DELEN was picked to fit PFS_NAMLEN */
- for (i = 0; i < AUTOFS_NAMELEN - 1 && name[i] != '\0'; ++i)
- dirent.d_name[i] = name[i];
- dirent.d_name[i] = 0;
- dirent.d_namlen = i;
+ dirent.d_reclen = reclen;
+ dirent.d_type = DT_DIR;
+ dirent.d_namlen = namlen;
+ memcpy(dirent.d_name, name, namlen);
+ memset(dirent.d_name + namlen, 0, padded_namlen - namlen);
+ error = uiomove(&dirent, reclen, uio);
- error = uiomove(&dirent, AUTOFS_DELEN, uio);
return (error);
}
+static size_t
+autofs_dirent_reclen(const char *name)
+{
+ size_t reclen;
+
+ autofs_readdir_one(NULL, name, -1, &reclen);
+
+ return (reclen);
+}
+
static int
autofs_readdir(struct vop_readdir_args *ap)
{
@@ -366,13 +383,15 @@ autofs_readdir(struct vop_readdir_args *ap)
struct autofs_mount *amp;
struct autofs_node *anp, *child;
struct uio *uio;
- off_t offset;
- int error, i, resid;
+ size_t reclen, reclens;
+ ssize_t initial_resid;
+ int error;
vp = ap->a_vp;
amp = VFSTOAUTOFS(vp->v_mount);
anp = vp->v_data;
uio = ap->a_uio;
+ initial_resid = ap->a_uio->uio_resid;
KASSERT(vp->v_type == VDIR, ("!VDIR"));
@@ -390,70 +409,94 @@ autofs_readdir(struct vop_readdir_args *ap)
}
}
- /* only allow reading entire entries */
- offset = uio->uio_offset;
- resid = uio->uio_resid;
- if (offset < 0 || offset % AUTOFS_DELEN != 0 ||
- (resid && resid < AUTOFS_DELEN))
+ if (uio->uio_offset < 0)
return (EINVAL);
- if (resid == 0)
- return (0);
if (ap->a_eofflag != NULL)
- *ap->a_eofflag = TRUE;
+ *ap->a_eofflag = FALSE;
- if (offset == 0 && resid >= AUTOFS_DELEN) {
- error = autofs_readdir_one(uio, ".", anp->an_fileno);
+ /*
+ * Write out the directory entry for ".". This is conditional
+ * on the current offset into the directory; same applies to the
+ * other two cases below.
+ */
+ if (uio->uio_offset == 0) {
+ error = autofs_readdir_one(uio, ".", anp->an_fileno, &reclen);
if (error != 0)
- return (error);
- offset += AUTOFS_DELEN;
- resid -= AUTOFS_DELEN;
+ goto out;
}
+ reclens = autofs_dirent_reclen(".");
- if (offset == AUTOFS_DELEN && resid >= AUTOFS_DELEN) {
+ /*
+ * Write out the directory entry for "..".
+ */
+ if (uio->uio_offset <= reclens) {
+ if (uio->uio_offset != reclens)
+ return (EINVAL);
if (anp->an_parent == NULL) {
- /*
- * XXX: Right?
- */
- error = autofs_readdir_one(uio, "..", anp->an_fileno);
+ error = autofs_readdir_one(uio, "..",
+ anp->an_fileno, &reclen);
} else {
error = autofs_readdir_one(uio, "..",
- anp->an_parent->an_fileno);
+ anp->an_parent->an_fileno, &reclen);
}
if (error != 0)
- return (error);
- offset += AUTOFS_DELEN;
- resid -= AUTOFS_DELEN;
+ goto out;
}
- i = 2; /* Account for "." and "..". */
+ reclens += autofs_dirent_reclen("..");
+
+ /*
+ * Write out the directory entries for subdirectories.
+ */
AUTOFS_SLOCK(amp);
TAILQ_FOREACH(child, &anp->an_children, an_next) {
- if (resid < AUTOFS_DELEN) {
- if (ap->a_eofflag != NULL)
- *ap->a_eofflag = 0;
- break;
+ /*
+ * Check the offset to skip entries returned by previous
+ * calls to getdents().
+ */
+ if (uio->uio_offset > reclens) {
+ reclens += autofs_dirent_reclen(child->an_name);
+ continue;
}
/*
- * Skip entries returned by previous call to getdents().
+ * Prevent seeking into the middle of dirent.
*/
- i++;
- if (i * AUTOFS_DELEN <= offset)
- continue;
+ if (uio->uio_offset != reclens) {
+ AUTOFS_SUNLOCK(amp);
+ return (EINVAL);
+ }
error = autofs_readdir_one(uio, child->an_name,
- child->an_fileno);
+ child->an_fileno, &reclen);
+ reclens += reclen;
if (error != 0) {
AUTOFS_SUNLOCK(amp);
- return (error);
+ goto out;
}
- offset += AUTOFS_DELEN;
- resid -= AUTOFS_DELEN;
}
-
AUTOFS_SUNLOCK(amp);
+
+ if (ap->a_eofflag != NULL)
+ *ap->a_eofflag = TRUE;
+
return (0);
+
+out:
+ /*
+ * Return error if the initial buffer was too small to do anything.
+ */
+ if (uio->uio_resid == initial_resid)
+ return (error);
+
+ /*
+ * Don't return an error if we managed to copy out some entries.
+ */
+ if (uio->uio_resid < reclen)
+ return (0);
+
+ return (error);
}
static int
diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c
index f00b4b2ad5e4..7a9ec7b5e7f8 100644
--- a/sys/fs/pseudofs/pseudofs_vnops.c
+++ b/sys/fs/pseudofs/pseudofs_vnops.c
@@ -104,7 +104,8 @@ pfs_visible_proc(struct thread *td, struct pfs_node *pn, struct proc *proc)
}
static int
-pfs_visible(struct thread *td, struct pfs_node *pn, pid_t pid, struct proc **p)
+pfs_visible(struct thread *td, struct pfs_node *pn, pid_t pid,
+ bool allproc_locked, struct proc **p)
{
struct proc *proc;
@@ -115,7 +116,8 @@ pfs_visible(struct thread *td, struct pfs_node *pn, pid_t pid, struct proc **p)
*p = NULL;
if (pid == NO_PID)
PFS_RETURN (1);
- if ((proc = pfind(pid)) == NULL)
+ proc = allproc_locked ? pfind_locked(pid) : pfind(pid);
+ if (proc == NULL)
PFS_RETURN (0);
if (pfs_visible_proc(td, pn, proc)) {
if (p)
@@ -202,7 +204,7 @@ pfs_getattr(struct vop_getattr_args *va)
PFS_TRACE(("%s", pn->pn_name));
pfs_assert_not_owned(pn);
- if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc))
+ if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc))
PFS_RETURN (ENOENT);
vap->va_type = vn->v_type;
@@ -293,7 +295,7 @@ pfs_ioctl(struct vop_ioctl_args *va)
* This is necessary because process' privileges may
* have changed since the open() call.
*/
- if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc)) {
+ if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc)) {
VOP_UNLOCK(vn, 0);
PFS_RETURN (EIO);
}
@@ -326,7 +328,7 @@ pfs_getextattr(struct vop_getextattr_args *va)
* This is necessary because either process' privileges may
* have changed since the open() call.
*/
- if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc))
+ if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc))
PFS_RETURN (EIO);
if (pn->pn_getextattr == NULL)
@@ -462,7 +464,7 @@ pfs_lookup(struct vop_cachedlookup_args *va)
PFS_RETURN (ENOENT);
/* check that parent directory is visible... */
- if (!pfs_visible(curthread, pd, pvd->pvd_pid, NULL))
+ if (!pfs_visible(curthread, pd, pvd->pvd_pid, false, NULL))
PFS_RETURN (ENOENT);
/* self */
@@ -546,7 +548,7 @@ pfs_lookup(struct vop_cachedlookup_args *va)
got_pnode:
pfs_assert_not_owned(pd);
pfs_assert_not_owned(pn);
- visible = pfs_visible(curthread, pn, pid, NULL);
+ visible = pfs_visible(curthread, pn, pid, false, NULL);
if (!visible) {
error = ENOENT;
goto failed;
@@ -635,7 +637,7 @@ pfs_read(struct vop_read_args *va)
* This is necessary because either process' privileges may
* have changed since the open() call.
*/
- if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc))
+ if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc))
PFS_RETURN (EIO);
if (proc != NULL) {
_PHOLD(proc);
@@ -791,7 +793,7 @@ pfs_readdir(struct vop_readdir_args *va)
pfs_lock(pd);
/* check if the directory is visible to the caller */
- if (!pfs_visible(curthread, pd, pid, &proc)) {
+ if (!pfs_visible(curthread, pd, pid, true, &proc)) {
sx_sunlock(&allproc_lock);
pfs_unlock(pd);
PFS_RETURN (ENOENT);
@@ -995,7 +997,7 @@ pfs_write(struct vop_write_args *va)
* This is necessary because either process' privileges may
* have changed since the open() call.
*/
- if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc))
+ if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc))
PFS_RETURN (EIO);
if (proc != NULL) {
_PHOLD(proc);
diff --git a/sys/fs/unionfs/union_subr.c b/sys/fs/unionfs/union_subr.c
index 74192dcfbb32..951d7752c553 100644
--- a/sys/fs/unionfs/union_subr.c
+++ b/sys/fs/unionfs/union_subr.c
@@ -530,7 +530,6 @@ unionfs_relookup(struct vnode *dvp, struct vnode **vpp,
cn->cn_cred = cnp->cn_cred;
cn->cn_nameptr = cn->cn_pnbuf;
- cn->cn_consume = cnp->cn_consume;
if (nameiop == DELETE)
cn->cn_flags |= (cnp->cn_flags & (DOWHITEOUT | SAVESTART));
@@ -918,7 +917,6 @@ unionfs_vn_create_on_upper(struct vnode **vpp, struct vnode *udvp,
cn.cn_thread = td;
cn.cn_cred = cred;
cn.cn_nameptr = cn.cn_pnbuf;
- cn.cn_consume = 0;
vref(udvp);
if ((error = relookup(udvp, &vp, &cn)) != 0)
@@ -1184,7 +1182,6 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td)
cn.cn_lkflags = LK_EXCLUSIVE;
cn.cn_thread = td;
cn.cn_cred = cred;
- cn.cn_consume = 0;
/*
* check entry in lower.
diff --git a/sys/kern/kern_alq.c b/sys/kern/kern_alq.c
index 7f8c60330528..21508d2cdfe1 100644
--- a/sys/kern/kern_alq.c
+++ b/sys/kern/kern_alq.c
@@ -969,5 +969,5 @@ static moduledata_t alq_mod =
NULL
};
-DECLARE_MODULE(alq, alq_mod, SI_SUB_SMP, SI_ORDER_ANY);
+DECLARE_MODULE(alq, alq_mod, SI_SUB_LAST, SI_ORDER_ANY);
MODULE_VERSION(alq, 1);
diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 0b6f7daeb513..5abba169fa41 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -564,34 +564,59 @@ knote_fork(struct knlist *list, int pid)
#define NOTE_TIMER_PRECMASK (NOTE_SECONDS|NOTE_MSECONDS|NOTE_USECONDS| \
NOTE_NSECONDS)
-static __inline sbintime_t
+static sbintime_t
timer2sbintime(intptr_t data, int flags)
{
- sbintime_t modifier;
+ /*
+ * Macros for converting to the fractional second portion of an
+ * sbintime_t using 64bit multiplication to improve precision.
+ */
+#define NS_TO_SBT(ns) (((ns) * (((uint64_t)1 << 63) / 500000000)) >> 32)
+#define US_TO_SBT(us) (((us) * (((uint64_t)1 << 63) / 500000)) >> 32)
+#define MS_TO_SBT(ms) (((ms) * (((uint64_t)1 << 63) / 500)) >> 32)
switch (flags & NOTE_TIMER_PRECMASK) {
case NOTE_SECONDS:
- modifier = SBT_1S;
- break;
+#ifdef __LP64__
+ if (data > (SBT_MAX / SBT_1S))
+ return SBT_MAX;
+#endif
+ return ((sbintime_t)data << 32);
case NOTE_MSECONDS: /* FALLTHROUGH */
case 0:
- modifier = SBT_1MS;
- break;
+ if (data >= 1000) {
+ int64_t secs = data / 1000;
+#ifdef __LP64__
+ if (secs > (SBT_MAX / SBT_1S))
+ return SBT_MAX;
+#endif
+ return (secs << 32 | MS_TO_SBT(data % 1000));
+ }
+ return MS_TO_SBT(data);
case NOTE_USECONDS:
- modifier = SBT_1US;
- break;
+ if (data >= 1000000) {
+ int64_t secs = data / 1000000;
+#ifdef __LP64__
+ if (secs > (SBT_MAX / SBT_1S))
+ return SBT_MAX;
+#endif
+ return (secs << 32 | US_TO_SBT(data % 1000000));
+ }
+ return US_TO_SBT(data);
case NOTE_NSECONDS:
- modifier = SBT_1NS;
- break;
- default:
- return (-1);
- }
-
+ if (data >= 1000000000) {
+ int64_t secs = data / 1000000000;
#ifdef __LP64__
- if (data > SBT_MAX / modifier)
- return (SBT_MAX);
+ if (secs > (SBT_MAX / SBT_1S))
+ return SBT_MAX;
#endif
- return (modifier * data);
+ return (secs << 32 | US_TO_SBT(data % 1000000000));
+ }
+ return NS_TO_SBT(data);
+ default:
+ break;
+ }
+ return (-1);
}
static void
diff --git a/sys/kern/makesyscalls.sh b/sys/kern/makesyscalls.sh
index 75289e5bcc5c..e586602c85e9 100644
--- a/sys/kern/makesyscalls.sh
+++ b/sys/kern/makesyscalls.sh
@@ -131,7 +131,7 @@ s/\$//g
printf "/*\n * System call numbers.\n *\n" > syshdr
printf " * DO NOT EDIT-- this file is automatically generated.\n" > syshdr
printf " * $%s$\n", "FreeBSD" > syshdr
- printf "# FreeBSD system call names.\n" > sysmk
+ printf "# FreeBSD system call object files.\n" > sysmk
printf "# DO NOT EDIT-- this file is automatically generated.\n" > sysmk
printf "# $%s$\n", "FreeBSD" > sysmk
@@ -559,9 +559,9 @@ s/\$//g
printf("/* %d = %s %s */\n", syscall, descr, funcalias) > sysent
printf("\t\"%s.%s\",\t\t/* %d = %s %s */\n",
wrap, funcalias, syscall, descr, funcalias) > sysnames
- if (flag("COMPAT")) {
- printf("\t\t\t\t/* %d is old %s */\n",
- syscall, funcalias) > syshdr
+ if (flag("COMPAT") || flag("COMPAT4") || flag("COMPAT6")) {
+ printf("\t\t\t\t/* %d is %s %s */\n",
+ syscall, descr, funcalias) > syshdr
} else if (!flag("NODEF")) {
printf("#define\t%s%s%s\t%d\n", syscallprefix,
prefix, funcalias, syscall) > syshdr
diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
index 9a2a1db5bbb5..f4b0596eb233 100644
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@@ -495,6 +495,7 @@ lookup(struct nameidata *ndp)
int rdonly; /* lookup read-only flag bit */
int error = 0;
int dpunlocked = 0; /* dp has already been unlocked */
+ int relookup = 0; /* do not consume the path component */
struct componentname *cnp = &ndp->ni_cnd;
int lkflags_save;
int ni_dvp_unlocked;
@@ -537,7 +538,6 @@ dirloop:
* the name set the SAVENAME flag. When done, they assume
* responsibility for freeing the pathname buffer.
*/
- cnp->cn_consume = 0;
for (cp = cnp->cn_nameptr; *cp != 0 && *cp != '/'; cp++)
continue;
cnp->cn_namelen = cp - cnp->cn_nameptr;
@@ -726,8 +726,9 @@ unionlookup:
lkflags_save = cnp->cn_lkflags;
cnp->cn_lkflags = compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags,
cnp->cn_flags);
- if ((error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp)) != 0) {
- cnp->cn_lkflags = lkflags_save;
+ error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp);
+ cnp->cn_lkflags = lkflags_save;
+ if (error != 0) {
KASSERT(ndp->ni_vp == NULL, ("leaf should be empty"));
#ifdef NAMEI_DIAGNOSTIC
printf("not found\n");
@@ -745,6 +746,14 @@ unionlookup:
goto unionlookup;
}
+ if (error == ERELOOKUP) {
+ vref(dp);
+ ndp->ni_vp = dp;
+ error = 0;
+ relookup = 1;
+ goto good;
+ }
+
if (error != EJUSTRETURN)
goto bad;
/*
@@ -775,22 +784,12 @@ unionlookup:
VREF(ndp->ni_startdir);
}
goto success;
- } else
- cnp->cn_lkflags = lkflags_save;
+ }
+
+good:
#ifdef NAMEI_DIAGNOSTIC
printf("found\n");
#endif
- /*
- * Take into account any additional components consumed by
- * the underlying filesystem.
- */
- if (cnp->cn_consume > 0) {
- cnp->cn_nameptr += cnp->cn_consume;
- ndp->ni_next += cnp->cn_consume;
- ndp->ni_pathlen -= cnp->cn_consume;
- cnp->cn_consume = 0;
- }
-
dp = ndp->ni_vp;
/*
@@ -856,6 +855,14 @@ nextname:
*/
KASSERT((cnp->cn_flags & ISLASTCN) || *ndp->ni_next == '/',
("lookup: invalid path state."));
+ if (relookup) {
+ relookup = 0;
+ if (ndp->ni_dvp != dp)
+ vput(ndp->ni_dvp);
+ else
+ vrele(ndp->ni_dvp);
+ goto dirloop;
+ }
if (*ndp->ni_next == '/') {
cnp->cn_nameptr = ndp->ni_next;
while (*cnp->cn_nameptr == '/') {
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
index f2cf93a01d6a..8d9e49973c5f 100644
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -775,12 +775,6 @@ afterinstall:
.include "${SYSDIR}/conf/config.mk"
-# Use sys/conf/kmod.mk's MPATH to avoid redundantly running in every subdir.
-.if !defined(__MPATH)
-__MPATH!=find ${SYSDIR:tA}/ -name \*_if.m
-.export __MPATH
-.endif
-
SUBDIR:= ${SUBDIR:u:O}
.include <bsd.subdir.mk>
diff --git a/sys/net80211/ieee80211.h b/sys/net80211/ieee80211.h
index 925b451e455e..0a25392a2f9f 100644
--- a/sys/net80211/ieee80211.h
+++ b/sys/net80211/ieee80211.h
@@ -708,6 +708,7 @@ enum {
IEEE80211_ELEMID_TIM = 5,
IEEE80211_ELEMID_IBSSPARMS = 6,
IEEE80211_ELEMID_COUNTRY = 7,
+ IEEE80211_ELEMID_BSSLOAD = 11,
IEEE80211_ELEMID_CHALLENGE = 16,
/* 17-31 reserved for challenge text extension */
IEEE80211_ELEMID_PWRCNSTR = 32,
@@ -725,6 +726,7 @@ enum {
IEEE80211_ELEMID_QOS = 46,
IEEE80211_ELEMID_RSN = 48,
IEEE80211_ELEMID_XRATES = 50,
+ IEEE80211_ELEMID_APCHANREP = 51,
IEEE80211_ELEMID_HTINFO = 61,
IEEE80211_ELEMID_TPC = 150,
IEEE80211_ELEMID_CCKM = 156,
@@ -749,6 +751,7 @@ enum {
IEEE80211_ELEMID_MESHGANN = 125,
IEEE80211_ELEMID_MESHRANN = 126,
/* 127 Extended Capabilities */
+ IEEE80211_ELEMID_MESHEXTCAP = 127,
/* 128-129 reserved */
IEEE80211_ELEMID_MESHPREQ = 130,
IEEE80211_ELEMID_MESHPREP = 131,
@@ -783,6 +786,78 @@ struct ieee80211_country_ie {
#define IEEE80211_COUNTRY_MAX_SIZE \
(sizeof(struct ieee80211_country_ie) + 3*(IEEE80211_COUNTRY_MAX_BANDS-1))
+struct ieee80211_bss_load_ie {
+ uint8_t ie;
+ uint8_t len;
+ uint16_t sta_count; /* station count */
+ uint8_t chan_load; /* channel utilization */
+ uint8_t aac; /* available admission capacity */
+} __packed;
+
+struct ieee80211_ap_chan_report_ie {
+ uint8_t ie;
+ uint8_t len;
+ uint8_t i_class; /* operating class */
+ /* Annex E, E.1 Country information and operating classes */
+ uint8_t chan_list[0];
+} __packed;
+
+#define IEEE80211_EXTCAP_CMS (1ULL << 0) /* 20/40 BSS coexistence management support */
+#define IEEE80211_EXTCAP_RSVD_1 (1ULL << 1)
+#define IEEE80211_EXTCAP_ECS (1ULL << 2) /* extended channel switching */
+#define IEEE80211_EXTCAP_RSVD_3 (1ULL << 3)
+#define IEEE80211_EXTCAP_PSMP_CAP (1ULL << 4) /* PSMP capability */
+#define IEEE80211_EXTCAP_RSVD_5 (1ULL << 5)
+#define IEEE80211_EXTCAP_S_PSMP_SUPP (1ULL << 6)
+#define IEEE80211_EXTCAP_EVENT (1ULL << 7)
+#define IEEE80211_EXTCAP_DIAGNOSTICS (1ULL << 8)
+#define IEEE80211_EXTCAP_MCAST_DIAG (1ULL << 9)
+#define IEEE80211_EXTCAP_LOC_TRACKING (1ULL << 10)
+#define IEEE80211_EXTCAP_FMS (1ULL << 11)
+#define IEEE80211_EXTCAP_PROXY_ARP (1ULL << 12)
+#define IEEE80211_EXTCAP_CIR (1ULL << 13) /* collocated interference reporting */
+#define IEEE80211_EXTCAP_CIVIC_LOC (1ULL << 14)
+#define IEEE80211_EXTCAP_GEOSPATIAL_LOC (1ULL << 15)
+#define IEEE80211_EXTCAP_TFS (1ULL << 16)
+#define IEEE80211_EXTCAP_WNM_SLEEPMODE (1ULL << 17)
+#define IEEE80211_EXTCAP_TIM_BROADCAST (1ULL << 18)
+#define IEEE80211_EXTCAP_BSS_TRANSITION (1ULL << 19)
+#define IEEE80211_EXTCAP_QOS_TRAF_CAP (1ULL << 20)
+#define IEEE80211_EXTCAP_AC_STA_COUNT (1ULL << 21)
+#define IEEE80211_EXTCAP_M_BSSID (1ULL << 22) /* multiple BSSID field */
+#define IEEE80211_EXTCAP_TIMING_MEAS (1ULL << 23)
+#define IEEE80211_EXTCAP_CHAN_USAGE (1ULL << 24)
+#define IEEE80211_EXTCAP_SSID_LIST (1ULL << 25)
+#define IEEE80211_EXTCAP_DMS (1ULL << 26)
+#define IEEE80211_EXTCAP_UTC_TSF_OFFSET (1ULL << 27)
+#define IEEE80211_EXTCAP_TLDS_BUF_STA_SUPP (1ULL << 28) /* TDLS peer U-APSP buffer STA support */
+#define IEEE80211_EXTCAP_TLDS_PPSM_SUPP (1ULL << 29) /* TDLS peer PSM support */
+#define IEEE80211_EXTCAP_TLDS_CH_SW (1ULL << 30) /* TDLS channel switching */
+#define IEEE80211_EXTCAP_INTERWORKING (1ULL << 31)
+#define IEEE80211_EXTCAP_QOSMAP (1ULL << 32)
+#define IEEE80211_EXTCAP_EBR (1ULL << 33)
+#define IEEE80211_EXTCAP_SSPN_IF (1ULL << 34)
+#define IEEE80211_EXTCAP_RSVD_35 (1ULL << 35)
+#define IEEE80211_EXTCAP_MSGCF_CAP (1ULL << 36)
+#define IEEE80211_EXTCAP_TLDS_SUPP (1ULL << 37)
+#define IEEE80211_EXTCAP_TLDS_PROHIB (1ULL << 38)
+#define IEEE80211_EXTCAP_TLDS_CH_SW_PROHIB (1ULL << 39) /* TDLS channel switching prohibited */
+#define IEEE80211_EXTCAP_RUF (1ULL << 40) /* reject unadmitted frame */
+/* service interval granularity */
+#define IEEE80211_EXTCAP_SIG \
+ ((1ULL << 41) | (1ULL << 42) | (1ULL << 43))
+#define IEEE80211_EXTCAP_ID_LOC (1ULL << 44)
+#define IEEE80211_EXTCAP_U_APSD_COEX (1ULL << 45)
+#define IEEE80211_EXTCAP_WNM_NOTIFICATION (1ULL << 46)
+#define IEEE80211_EXTCAP_RSVD_47 (1ULL << 47)
+#define IEEE80211_EXTCAP_SSID (1ULL << 48) /* UTF-8 SSID */
+/* bits 49-n are reserved */
+
+struct ieee80211_extcap_ie {
+ uint8_t ie;
+ uint8_t len;
+} __packed;
+
/*
* 802.11h Quiet Time Element.
*/
diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index f1f70a2d38b1..3b4379f3371e 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -570,6 +570,8 @@ ieee80211_parse_beacon(struct ieee80211_node *ni, struct mbuf *m,
case IEEE80211_ELEMID_IBSSPARMS:
case IEEE80211_ELEMID_CFPARMS:
case IEEE80211_ELEMID_PWRCNSTR:
+ case IEEE80211_ELEMID_BSSLOAD:
+ case IEEE80211_ELEMID_APCHANREP:
/* NB: avoid debugging complaints */
break;
case IEEE80211_ELEMID_XRATES:
@@ -601,6 +603,8 @@ ieee80211_parse_beacon(struct ieee80211_node *ni, struct mbuf *m,
case IEEE80211_ELEMID_MESHCONF:
scan->meshconf = frm;
break;
+ case IEEE80211_ELEMID_MESHEXTCAP:
+ break;
#endif
case IEEE80211_ELEMID_VENDOR:
if (iswpaoui(frm))
diff --git a/sys/netinet/siftr.c b/sys/netinet/siftr.c
index 6b31d7b6a8e5..c484e983734e 100644
--- a/sys/netinet/siftr.c
+++ b/sys/netinet/siftr.c
@@ -1561,6 +1561,6 @@ static moduledata_t siftr_mod = {
* Defines the initialisation order of this kld relative to others
* within the same subsystem as defined by param 3
*/
-DECLARE_MODULE(siftr, siftr_mod, SI_SUB_SMP, SI_ORDER_ANY);
+DECLARE_MODULE(siftr, siftr_mod, SI_SUB_LAST, SI_ORDER_ANY);
MODULE_DEPEND(siftr, alq, 1, 1, 1);
MODULE_VERSION(siftr, MODVERSION);
diff --git a/sys/netinet/tcp_stacks/fastpath.c b/sys/netinet/tcp_stacks/fastpath.c
index 5eddccfbdccf..a447b88669b4 100644
--- a/sys/netinet/tcp_stacks/fastpath.c
+++ b/sys/netinet/tcp_stacks/fastpath.c
@@ -124,8 +124,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
-extern const int tcprexmtthresh;
-
VNET_DECLARE(int, tcp_autorcvbuf_inc);
#define V_tcp_autorcvbuf_inc VNET(tcp_autorcvbuf_inc)
VNET_DECLARE(int, tcp_autorcvbuf_max);
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 32aa0bbf912c..2f238814bbb8 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -666,7 +666,7 @@ struct xtcpcb {
*/
#define TCPCTL_DO_RFC1323 1 /* use RFC-1323 extensions */
#define TCPCTL_MSSDFLT 3 /* MSS default */
-#define TCPCTL_STATS 4 /* statistics (read-only) */
+#define TCPCTL_STATS 4 /* statistics */
#define TCPCTL_RTTDFLT 5 /* default RTT estimate */
#define TCPCTL_KEEPIDLE 6 /* keepalive idle timer */
#define TCPCTL_KEEPINTVL 7 /* interval to send keepalives */
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index ff580c78711e..865a63084bcc 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -7640,7 +7640,8 @@ key_init(void)
/* initialize key statistics */
keystat.getspi_count = 1;
- printf("IPsec: Initialized Security Association Processing.\n");
+ if (bootverbose)
+ printf("IPsec: Initialized Security Association Processing.\n");
}
#ifdef VIMAGE
diff --git a/sys/ofed/drivers/infiniband/core/device.c b/sys/ofed/drivers/infiniband/core/device.c
index db3b831eb422..a3aee411e39d 100644
--- a/sys/ofed/drivers/infiniband/core/device.c
+++ b/sys/ofed/drivers/infiniband/core/device.c
@@ -790,4 +790,4 @@ static moduledata_t ibcore_mod = {
MODULE_VERSION(ibcore, 1);
MODULE_DEPEND(ibcore, linuxkpi, 1, 1, 1);
-DECLARE_MODULE(ibcore, ibcore_mod, SI_SUB_SMP, SI_ORDER_ANY);
+DECLARE_MODULE(ibcore, ibcore_mod, SI_SUB_LAST, SI_ORDER_ANY);
diff --git a/sys/ofed/drivers/infiniband/hw/mlx4/main.c b/sys/ofed/drivers/infiniband/hw/mlx4/main.c
index 68440df93fa7..1f14e5cf887b 100644
--- a/sys/ofed/drivers/infiniband/hw/mlx4/main.c
+++ b/sys/ofed/drivers/infiniband/hw/mlx4/main.c
@@ -2881,7 +2881,7 @@ static moduledata_t mlx4ib_mod = {
.evhand = mlx4ib_evhand,
};
-DECLARE_MODULE(mlx4ib, mlx4ib_mod, SI_SUB_SMP, SI_ORDER_ANY);
+DECLARE_MODULE(mlx4ib, mlx4ib_mod, SI_SUB_LAST, SI_ORDER_ANY);
MODULE_DEPEND(mlx4ib, mlx4, 1, 1, 1);
MODULE_DEPEND(mlx4ib, ibcore, 1, 1, 1);
MODULE_DEPEND(mlx4ib, linuxkpi, 1, 1, 1);
diff --git a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c
index 6326bd211e1b..5e69a527d3d1 100644
--- a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -1535,6 +1535,6 @@ static moduledata_t ipoib_mod = {
.evhand = ipoib_evhand,
};
-DECLARE_MODULE(ipoib, ipoib_mod, SI_SUB_SMP, SI_ORDER_ANY);
+DECLARE_MODULE(ipoib, ipoib_mod, SI_SUB_LAST, SI_ORDER_ANY);
MODULE_DEPEND(ipoib, ibcore, 1, 1, 1);
MODULE_DEPEND(ipoib, linuxkpi, 1, 1, 1);
diff --git a/sys/powerpc/powerpc/exec_machdep.c b/sys/powerpc/powerpc/exec_machdep.c
index 4e56429ea0bb..1acc1803d406 100644
--- a/sys/powerpc/powerpc/exec_machdep.c
+++ b/sys/powerpc/powerpc/exec_machdep.c
@@ -879,8 +879,11 @@ cpu_set_syscall_retval(struct thread *td, int error)
int code = tf->fixreg[FIRSTARG + 1];
if (p->p_sysent->sv_mask)
code &= p->p_sysent->sv_mask;
- fixup = (code != SYS_freebsd6_lseek && code != SYS_lseek) ?
- 1 : 0;
+ fixup = (
+#if defined(COMPAT_FREEBSD6) && defined(SYS_freebsd6_lseek)
+ code != SYS_freebsd6_lseek &&
+#endif
+ code != SYS_lseek) ? 1 : 0;
} else
fixup = 0;
diff --git a/sys/sys/errno.h b/sys/sys/errno.h
index d4c59504cc6a..52efd3193a0e 100644
--- a/sys/sys/errno.h
+++ b/sys/sys/errno.h
@@ -190,6 +190,7 @@ __END_DECLS
#define EJUSTRETURN (-2) /* don't modify regs, just return */
#define ENOIOCTL (-3) /* ioctl not handled by this layer */
#define EDIRIOCTL (-4) /* do direct ioctl in GEOM */
+#define ERELOOKUP (-5) /* retry the directory lookup */
#endif
#endif
diff --git a/sys/sys/iov.h b/sys/sys/iov.h
index 139bf4ede1a6..6dfed1b84b5c 100644
--- a/sys/sys/iov.h
+++ b/sys/sys/iov.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2013-2015 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/sys/sys/iov_schema.h b/sys/sys/iov_schema.h
index 45c08afa7fc7..7157f63b9b7c 100644
--- a/sys/sys/iov_schema.h
+++ b/sys/sys/iov_schema.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2014-2015 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2014-2015 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/sys/sys/namei.h b/sys/sys/namei.h
index f1b1223b6ca5..bb1631b5cc79 100644
--- a/sys/sys/namei.h
+++ b/sys/sys/namei.h
@@ -53,7 +53,6 @@ struct componentname {
char *cn_pnbuf; /* pathname buffer */
char *cn_nameptr; /* pointer to looked up name */
long cn_namelen; /* length of looked up component */
- long cn_consume; /* chars to consume in lookup() */
};
/*
diff --git a/sys/sys/param.h b/sys/sys/param.h
index 28ee0a2c5d6b..910857632a17 100644
--- a/sys/sys/param.h
+++ b/sys/sys/param.h
@@ -58,7 +58,7 @@
* in the range 5 to 9.
*/
#undef __FreeBSD_version
-#define __FreeBSD_version 1100101 /* Master, propagated to newvers */
+#define __FreeBSD_version 1100102 /* Master, propagated to newvers */
/*
* __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD,
diff --git a/sys/sys/syscall.h b/sys/sys/syscall.h
index ff2e219af477..fef33b8bea0e 100644
--- a/sys/sys/syscall.h
+++ b/sys/sys/syscall.h
@@ -24,7 +24,7 @@
#define SYS_chmod 15
#define SYS_chown 16
#define SYS_break 17
-#define SYS_freebsd4_getfsstat 18
+ /* 18 is freebsd4 getfsstat */
/* 19 is old lseek */
#define SYS_getpid 20
#define SYS_mount 21
@@ -157,20 +157,20 @@
#define SYS_nlm_syscall 154
#define SYS_nfssvc 155
/* 156 is old getdirentries */
-#define SYS_freebsd4_statfs 157
-#define SYS_freebsd4_fstatfs 158
+ /* 157 is freebsd4 statfs */
+ /* 158 is freebsd4 fstatfs */
#define SYS_lgetfh 160
#define SYS_getfh 161
-#define SYS_freebsd4_getdomainname 162
-#define SYS_freebsd4_setdomainname 163
-#define SYS_freebsd4_uname 164
+ /* 162 is freebsd4 getdomainname */
+ /* 163 is freebsd4 setdomainname */
+ /* 164 is freebsd4 uname */
#define SYS_sysarch 165
#define SYS_rtprio 166
#define SYS_semsys 169
#define SYS_msgsys 170
#define SYS_shmsys 171
-#define SYS_freebsd6_pread 173
-#define SYS_freebsd6_pwrite 174
+ /* 173 is freebsd6 pread */
+ /* 174 is freebsd6 pwrite */
#define SYS_setfib 175
#define SYS_ntp_adjtime 176
#define SYS_setgid 181
@@ -184,11 +184,11 @@
#define SYS_getrlimit 194
#define SYS_setrlimit 195
#define SYS_getdirentries 196
-#define SYS_freebsd6_mmap 197
+ /* 197 is freebsd6 mmap */
#define SYS___syscall 198
-#define SYS_freebsd6_lseek 199
-#define SYS_freebsd6_truncate 200
-#define SYS_freebsd6_ftruncate 201
+ /* 199 is freebsd6 lseek */
+ /* 200 is freebsd6 truncate */
+ /* 201 is freebsd6 ftruncate */
#define SYS___sysctl 202
#define SYS_mlock 203
#define SYS_munlock 204
@@ -239,7 +239,7 @@
#define SYS_nlstat 280
#define SYS_preadv 289
#define SYS_pwritev 290
-#define SYS_freebsd4_fhstatfs 297
+ /* 297 is freebsd4 fhstatfs */
#define SYS_fhopen 298
#define SYS_fhstat 299
#define SYS_modnext 300
@@ -260,9 +260,9 @@
#define SYS_aio_suspend 315
#define SYS_aio_cancel 316
#define SYS_aio_error 317
-#define SYS_freebsd6_aio_read 318
-#define SYS_freebsd6_aio_write 319
-#define SYS_freebsd6_lio_listio 320
+ /* 318 is freebsd6 aio_read */
+ /* 319 is freebsd6 aio_write */
+ /* 320 is freebsd6 lio_listio */
#define SYS_yield 321
/* 322 is obsolete thr_sleep */
/* 323 is obsolete thr_wakeup */
@@ -278,15 +278,15 @@
#define SYS_sched_get_priority_min 333
#define SYS_sched_rr_get_interval 334
#define SYS_utrace 335
-#define SYS_freebsd4_sendfile 336
+ /* 336 is freebsd4 sendfile */
#define SYS_kldsym 337
#define SYS_jail 338
#define SYS_nnpfs_syscall 339
#define SYS_sigprocmask 340
#define SYS_sigsuspend 341
-#define SYS_freebsd4_sigaction 342
+ /* 342 is freebsd4 sigaction */
#define SYS_sigpending 343
-#define SYS_freebsd4_sigreturn 344
+ /* 344 is freebsd4 sigreturn */
#define SYS_sigtimedwait 345
#define SYS_sigwaitinfo 346
#define SYS___acl_get_file 347
diff --git a/sys/sys/syscall.mk b/sys/sys/syscall.mk
index 379dee5c017a..3f62141a409d 100644
--- a/sys/sys/syscall.mk
+++ b/sys/sys/syscall.mk
@@ -1,4 +1,4 @@
-# FreeBSD system call names.
+# FreeBSD system call object files.
# DO NOT EDIT-- this file is automatically generated.
# $FreeBSD$
# created from FreeBSD: head/sys/kern/syscalls.master 296572 2016-03-09 19:05:11Z jhb
@@ -19,7 +19,6 @@ MIASM = \
chmod.o \
chown.o \
break.o \
- freebsd4_getfsstat.o \
getpid.o \
mount.o \
unmount.o \
@@ -109,20 +108,13 @@ MIASM = \
quotactl.o \
nlm_syscall.o \
nfssvc.o \
- freebsd4_statfs.o \
- freebsd4_fstatfs.o \
lgetfh.o \
getfh.o \
- freebsd4_getdomainname.o \
- freebsd4_setdomainname.o \
- freebsd4_uname.o \
sysarch.o \
rtprio.o \
semsys.o \
msgsys.o \
shmsys.o \
- freebsd6_pread.o \
- freebsd6_pwrite.o \
setfib.o \
ntp_adjtime.o \
setgid.o \
@@ -136,11 +128,7 @@ MIASM = \
getrlimit.o \
setrlimit.o \
getdirentries.o \
- freebsd6_mmap.o \
__syscall.o \
- freebsd6_lseek.o \
- freebsd6_truncate.o \
- freebsd6_ftruncate.o \
__sysctl.o \
mlock.o \
munlock.o \
@@ -191,7 +179,6 @@ MIASM = \
nlstat.o \
preadv.o \
pwritev.o \
- freebsd4_fhstatfs.o \
fhopen.o \
fhstat.o \
modnext.o \
@@ -211,9 +198,6 @@ MIASM = \
aio_suspend.o \
aio_cancel.o \
aio_error.o \
- freebsd6_aio_read.o \
- freebsd6_aio_write.o \
- freebsd6_lio_listio.o \
yield.o \
mlockall.o \
munlockall.o \
@@ -227,15 +211,12 @@ MIASM = \
sched_get_priority_min.o \
sched_rr_get_interval.o \
utrace.o \
- freebsd4_sendfile.o \
kldsym.o \
jail.o \
nnpfs_syscall.o \
sigprocmask.o \
sigsuspend.o \
- freebsd4_sigaction.o \
sigpending.o \
- freebsd4_sigreturn.o \
sigtimedwait.o \
sigwaitinfo.o \
__acl_get_file.o \
diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h
index ec40d2955a32..7c1e79cfb1fb 100644
--- a/sys/sys/sysctl.h
+++ b/sys/sys/sysctl.h
@@ -640,12 +640,11 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry);
#define SYSCTL_ADD_COUNTER_U64(ctx, parent, nbr, name, access, ptr, descr) \
({ \
- counter_u64_t *__ptr = (ptr); \
CTASSERT(((access) & CTLTYPE) == 0 || \
((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_U64); \
sysctl_add_oid(ctx, parent, nbr, name, \
CTLTYPE_U64 | CTLFLAG_MPSAFE | (access), \
- __ptr, 0, sysctl_handle_counter_u64, "QU", __DESCR(descr)); \
+ ptr, 0, sysctl_handle_counter_u64, "QU", __DESCR(descr)); \
})
/* Oid for an opaque object. Specified by a pointer and a length. */
diff --git a/targets/pseudo/bootstrap-tools/Makefile b/targets/pseudo/bootstrap-tools/Makefile
index 2d38a70155a3..1b9b339e2907 100644
--- a/targets/pseudo/bootstrap-tools/Makefile
+++ b/targets/pseudo/bootstrap-tools/Makefile
@@ -49,22 +49,20 @@ BSARGS+= OBJTOP=${BTOOLSDIR}${SRCTOP} OBJROOT='$${OBJTOP}/'
BSARGS+= MK_CROSS_COMPILER=no MK_CLANG=no MK_GCC=no
DISTRIB_ENV= INSTALL="sh ${SRCTOP}/tools/install.sh" NO_FSCHG=1 MK_TESTS=no
-legacy: .MAKE .META
+legacy: .MAKE ${META_DEPS}
mkdir -p ${LEGACY_TOOLS}
${DISTRIB_ENV} ${MAKE} -C ${SRCTOP}/etc distrib-dirs \
DESTDIR=${BTOOLSDIR} > $@.distrib-dirs_btoolsdir
${DISTRIB_ENV} ${MAKE} -C ${SRCTOP}/etc distrib-dirs \
DESTDIR=${LEGACY_TOOLS} > $@.distrib-dirs_legacy_tools
${BSENV} ${MAKE} -C ${SRCTOP} -f Makefile.inc1 ${BSARGS} $@
- touch $@
bootstrap-tools: legacy
build-tools: bootstrap-tools
cross-tools: build-tools
-cross-tools build-tools bootstrap-tools: .MAKE .META
+cross-tools build-tools bootstrap-tools: .MAKE ${META_DEPS}
${BSENV} ${MAKE} -C ${SRCTOP} -f Makefile.inc1 ${BSARGS} $@
- touch $@
# MAKELEVEL=0 so that dirdeps.mk does its thing
# BSENV:MPATH=* lets us use the bootstrapped stuff in LEGACY_TOOLS above.
diff --git a/targets/pseudo/kernel/Makefile b/targets/pseudo/kernel/Makefile
index 502c830eeabe..8783d358750e 100644
--- a/targets/pseudo/kernel/Makefile
+++ b/targets/pseudo/kernel/Makefile
@@ -10,11 +10,10 @@ KERN_CONFDIR= ${SRCTOP}/sys/${TARGET}/conf
CONFIG= ${STAGE_HOST_OBJTOP}/usr/sbin/config
-${KERNCONF}.config: .MAKE .META
+${KERNCONF}.config: .MAKE ${META_DEPS}
mkdir -p ${KERN_OBJDIR:H}
(cd ${KERN_CONFDIR} && \
${CONFIG} ${CONFIGARGS} -d ${KERN_OBJDIR} ${KERNCONF})
- @touch $@
# we need to pass curdirOk=yes to meta mode, since we want .meta files
# in ${KERN_OBJDIR}
diff --git a/targets/pseudo/stage/Makefile b/targets/pseudo/stage/Makefile
index daa352d9257a..ed3217d9f743 100644
--- a/targets/pseudo/stage/Makefile
+++ b/targets/pseudo/stage/Makefile
@@ -6,11 +6,10 @@ all:
# mtree makes a lot of noise if we are not root,
# we don't need to see it.
-stage-distrib-dirs: .META
+stage-distrib-dirs: .META ${META_DEPS}
mkdir -p ${STAGE_OBJTOP}
INSTALL="sh ${SRCTOP}/tools/install.sh" ${.MAKE} -C ${SRCTOP}/etc \
distrib-dirs -DNO_FSCHG -DWITH_TESTS DESTDIR=${STAGE_OBJTOP}
- touch $@
.include <bsd.prog.mk>
diff --git a/targets/pseudo/userland/share/Makefile.depend b/targets/pseudo/userland/share/Makefile.depend
index 4e7c9e1c72f7..3589a107ade3 100644
--- a/targets/pseudo/userland/share/Makefile.depend
+++ b/targets/pseudo/userland/share/Makefile.depend
@@ -85,6 +85,7 @@ DIRDEPS = \
share/doc/usd/title \
share/dtrace \
share/dtrace/toolkit \
+ share/examples \
share/examples/atf \
share/examples/ipfilter \
share/examples/pf \
diff --git a/tools/build/options/WITHOUT_FAST_DEPEND b/tools/build/options/WITHOUT_FAST_DEPEND
new file mode 100644
index 000000000000..2e6ca4424fc5
--- /dev/null
+++ b/tools/build/options/WITHOUT_FAST_DEPEND
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Set to use the historical
+.Xr mkdep 1
+for the "make depend" phase of the build.
+This option is deprecated and will be removed soon.
diff --git a/usr.bin/bmake/Makefile b/usr.bin/bmake/Makefile
index 7b18da684b85..b3291edb7e90 100644
--- a/usr.bin/bmake/Makefile
+++ b/usr.bin/bmake/Makefile
@@ -14,10 +14,10 @@ CFLAGS+= -I${.CURDIR}
CLEANDIRS+= FreeBSD
CLEANFILES+= bootstrap
-# $Id: Makefile,v 1.49 2015/12/20 22:54:40 sjg Exp $
+# $Id: Makefile,v 1.55 2016/03/07 22:02:47 sjg Exp $
# Base version on src date
-MAKE_VERSION= 20151220
+_MAKE_VERSION= 20160307
PROG?= ${.CURDIR:T}
@@ -92,7 +92,7 @@ CFLAGS+= ${CPPFLAGS}
CFLAGS+= -D_PATH_DEFSYSPATH=\"${DEFAULT_SYS_PATH}\"
CFLAGS+= -I. -I${srcdir} ${XDEFS} -DMAKE_NATIVE
CFLAGS+= ${COPTS.${.ALLSRC:M*.c:T:u}}
-COPTS.main.c+= "-DMAKE_VERSION=\"${MAKE_VERSION}\""
+COPTS.main.c+= "-DMAKE_VERSION=\"${_MAKE_VERSION}\""
# meta mode can be useful even without filemon
FILEMON_H ?= /usr/include/dev/filemon/filemon.h
diff --git a/usr.bin/grep/regex/glue.h b/usr.bin/grep/regex/glue.h
index 2fea4fd542c2..0c54e98bd79b 100644
--- a/usr.bin/grep/regex/glue.h
+++ b/usr.bin/grep/regex/glue.h
@@ -50,7 +50,7 @@ typedef enum { STR_WIDE, STR_BYTE, STR_MBS, STR_USER } tre_str_type_t;
if ((long long)pmatch[0].rm_eo - pmatch[0].rm_so < 0) \
return REG_NOMATCH; \
ret = fn; \
- for (unsigned i = 0; (!(eflags & REG_NOSUB) && (i < nmatch)); i++)\
+ for (unsigned i = 0; (!preg->nosub && (i < nmatch)); i++) \
{ \
pmatch[i].rm_so += offset; \
pmatch[i].rm_eo += offset; \
diff --git a/usr.bin/limits/limits.1 b/usr.bin/limits/limits.1
index 3962feff1943..99136a4d36b2 100644
--- a/usr.bin/limits/limits.1
+++ b/usr.bin/limits/limits.1
@@ -30,11 +30,11 @@
.Op Fl C Ar class | Fl P Ar pid | Fl U Ar user
.Op Fl SHB
.Op Fl ea
-.Op Fl bcdfklmnstuvpw Op Ar val
+.Op Fl bcdfklmnopstuvw Op Ar val
.Nm
.Op Fl C Ar class | Fl U Ar user
.Op Fl SHB
-.Op Fl bcdfklmnstuvpw Op Ar val
+.Op Fl bcdfklmnopstuvw Op Ar val
.Op Fl E
.Oo
.Op Ar name Ns = Ns Ar value ...
@@ -233,6 +233,18 @@ system is limited to the value displayed by the
.Va kern.maxfiles
.Xr sysctl 8
variable.
+.It Fl o Op Ar val
+Select or set the
+.Va umtxp
+resource limit.
+The limit determines the maximal number of the process-shared locks
+which may be simultaneously created by the processes owned by the
+user, see
+.Xr pthread 3 .
+.It Fl p Op Ar val
+Select or set the
+.Va pseudoterminals
+resource limit.
.It Fl s Op Ar val
Select or set the
.Va stacksize
@@ -266,10 +278,6 @@ and is inclusive of text, data, bss, stack,
and
.Xr mmap 2 Ns 'd
space.
-.It Fl p Op Ar val
-Select or set the
-.Va pseudoterminals
-resource limit.
.It Fl w Op Ar val
Select or set the
.Va swapuse
diff --git a/usr.bin/limits/limits.c b/usr.bin/limits/limits.c
index 093a367bad4c..3dd7a7169e84 100644
--- a/usr.bin/limits/limits.c
+++ b/usr.bin/limits/limits.c
@@ -254,7 +254,7 @@ static struct {
* to be modified accordingly!
*/
-#define RCS_STRING "tfdscmlunbvpwk"
+#define RCS_STRING "tfdscmlunbvpwko"
static rlim_t resource_num(int which, int ch, const char *str);
static void usage(void);
@@ -551,7 +551,7 @@ usage(void)
{
(void)fprintf(stderr,
"usage: limits [-C class|-P pid|-U user] [-eaSHBE] "
- "[-bcdflmnstuvpwk [val]] [[name=val ...] cmd]\n");
+ "[-bcdfklmnostuvpw [val]] [[name=val ...] cmd]\n");
exit(EXIT_FAILURE);
}
@@ -660,6 +660,7 @@ resource_num(int which, int ch, const char *str)
case RLIMIT_NOFILE:
case RLIMIT_NPTS:
case RLIMIT_KQUEUES:
+ case RLIMIT_UMTXP:
res = strtoq(s, &e, 0);
s = e;
break;
diff --git a/usr.bin/mkuzip/mkuz_blockcache.c b/usr.bin/mkuzip/mkuz_blockcache.c
index a3ac564388f1..204fce2d8e86 100644
--- a/usr.bin/mkuzip/mkuz_blockcache.c
+++ b/usr.bin/mkuzip/mkuz_blockcache.c
@@ -29,7 +29,9 @@
__FBSDID("$FreeBSD$");
#include <sys/types.h>
+#include <err.h>
#include <md5.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -49,6 +51,35 @@ struct mkuz_blkcache {
static struct mkuz_blkcache blkcache;
+static int
+verify_match(int fd, off_t data_offset, void *data, ssize_t len,
+ struct mkuz_blkcache *bcep)
+{
+ void *vbuf;
+ ssize_t rlen;
+ int rval;
+
+ rval = -1;
+ vbuf = malloc(len);
+ if (vbuf == NULL) {
+ goto e0;
+ }
+ if (lseek(fd, bcep->data_offset, SEEK_SET) < 0) {
+ goto e1;
+ }
+ rlen = read(fd, vbuf, len);
+ if (rlen != len) {
+ goto e2;
+ }
+ rval = (memcmp(data, vbuf, len) == 0) ? 1 : 0;
+e2:
+ lseek(fd, data_offset, SEEK_SET);
+e1:
+ free(vbuf);
+e0:
+ return (rval);
+}
+
struct mkuz_blkcache_hit *
mkuz_blkcache_regblock(int fd, uint32_t blkno, off_t offset, ssize_t len,
void *data)
@@ -57,6 +88,7 @@ mkuz_blkcache_regblock(int fd, uint32_t blkno, off_t offset, ssize_t len,
MD5_CTX mcontext;
off_t data_offset;
unsigned char mdigest[16];
+ int rval;
data_offset = lseek(fd, 0, SEEK_CUR);
if (data_offset < 0) {
@@ -76,10 +108,23 @@ mkuz_blkcache_regblock(int fd, uint32_t blkno, off_t offset, ssize_t len,
}
}
if (bcep != NULL) {
+ rval = verify_match(fd, data_offset, data, len, bcep);
+ if (rval == 1) {
+#if defined(MKUZ_DEBUG)
+ fprintf(stderr, "cache hit %d, %d, %d\n",
+ (int)bcep->hit.offset, (int)data_offset, (int)len);
+#endif
+ return (&bcep->hit);
+ }
+ if (rval == 0) {
#if defined(MKUZ_DEBUG)
- printf("cache hit %d, %d, %d\n", (int)bcep->hit.offset, (int)data_offset, (int)len);
+ fprintf(stderr, "block MD5 collision, you should try lottery, "
+ "man!\n");
#endif
- return (&bcep->hit);
+ return (NULL);
+ }
+ warn("verify_match");
+ return (NULL);
}
bcep = malloc(sizeof(struct mkuz_blkcache));
if (bcep == NULL)
diff --git a/usr.bin/mkuzip/mkuzip.8 b/usr.bin/mkuzip/mkuzip.8
index c8395512d34e..cb05098be368 100644
--- a/usr.bin/mkuzip/mkuzip.8
+++ b/usr.bin/mkuzip/mkuzip.8
@@ -118,6 +118,9 @@ detects identical blocks in the input and replaces each subsequent occurence
of such block with pointer to the very first one in the output.
Setting this option results is moderate decrease of compressed image size,
typically around 3-5% of a final size of the compressed image.
+.It Fl S
+Print summary about the compression ratio as well as output
+file size after file has been processed.
.El
.Sh NOTES
The compression ratio largely depends on the cluster size used.
diff --git a/usr.bin/mkuzip/mkuzip.c b/usr.bin/mkuzip/mkuzip.c
index 1e3a204ebcd1..c43607529980 100644
--- a/usr.bin/mkuzip/mkuzip.c
+++ b/usr.bin/mkuzip/mkuzip.c
@@ -90,6 +90,10 @@ int main(int argc, char **argv)
char *iname, *oname, *obuf, *ibuf;
uint64_t *toc;
int fdr, fdw, i, opt, verbose, no_zcomp, tmp, en_dedup;
+ struct {
+ int en;
+ FILE *f;
+ } summary;
struct iovec iov[2];
struct stat sb;
uint32_t destlen;
@@ -104,9 +108,11 @@ int main(int argc, char **argv)
verbose = 0;
no_zcomp = 0;
en_dedup = 0;
+ summary.en = 0;
+ summary.f = stderr;
handler = &uzip_fmt;
- while((opt = getopt(argc, argv, "o:s:vZdL")) != -1) {
+ while((opt = getopt(argc, argv, "o:s:vZdLS")) != -1) {
switch(opt) {
case 'o':
oname = optarg;
@@ -138,6 +144,11 @@ int main(int argc, char **argv)
handler = &ulzma_fmt;
break;
+ case 'S':
+ summary.en = 1;
+ summary.f = stdout;
+ break;
+
default:
usage();
/* Not reached */
@@ -210,7 +221,7 @@ int main(int argc, char **argv)
}
toc = mkuz_safe_malloc((hdr.nblocks + 1) * sizeof(*toc));
- fdw = open(oname, O_WRONLY | O_TRUNC | O_CREAT,
+ fdw = open(oname, (en_dedup ? O_RDWR : O_WRONLY) | O_TRUNC | O_CREAT,
S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
if (fdw < 0) {
err(1, "open(%s)", oname);
@@ -294,8 +305,8 @@ int main(int argc, char **argv)
}
close(fdr);
- if (verbose != 0)
- fprintf(stderr, "compressed data to %ju bytes, saved %lld "
+ if (verbose != 0 || summary.en != 0)
+ fprintf(summary.f, "compressed data to %ju bytes, saved %lld "
"bytes, %.2f%% decrease.\n", offset,
(long long)(sb.st_size - offset),
100.0 * (long long)(sb.st_size - offset) /
@@ -337,7 +348,7 @@ static void
usage(void)
{
- fprintf(stderr, "usage: mkuzip [-vZdL] [-o outfile] [-s cluster_size] "
+ fprintf(stderr, "usage: mkuzip [-vZdLS] [-o outfile] [-s cluster_size] "
"infile\n");
exit(1);
}
diff --git a/usr.sbin/bhyve/pci_virtio_net.c b/usr.sbin/bhyve/pci_virtio_net.c
index 6f264a73788a..9f220d17284b 100644
--- a/usr.sbin/bhyve/pci_virtio_net.c
+++ b/usr.sbin/bhyve/pci_virtio_net.c
@@ -381,7 +381,7 @@ pci_vtnet_tap_rx(struct pci_vtnet_softc *sc)
vq_endchains(vq, 1);
}
-static int
+static __inline int
pci_vtnet_netmap_writev(struct nm_desc *nmd, struct iovec *iov, int iovcnt)
{
int r, i;
@@ -396,7 +396,7 @@ pci_vtnet_netmap_writev(struct nm_desc *nmd, struct iovec *iov, int iovcnt)
r++;
if (r > nmd->last_tx_ring)
r = nmd->first_tx_ring;
- if (r == nmd->cur_rx_ring)
+ if (r == nmd->cur_tx_ring)
break;
continue;
}
@@ -405,6 +405,8 @@ pci_vtnet_netmap_writev(struct nm_desc *nmd, struct iovec *iov, int iovcnt)
buf = NETMAP_BUF(ring, idx);
for (i = 0; i < iovcnt; i++) {
+ if (len + iov[i].iov_len > 2048)
+ break;
memcpy(&buf[len], iov[i].iov_base, iov[i].iov_len);
len += iov[i].iov_len;
}
@@ -418,7 +420,7 @@ pci_vtnet_netmap_writev(struct nm_desc *nmd, struct iovec *iov, int iovcnt)
return (len);
}
-static inline int
+static __inline int
pci_vtnet_netmap_readv(struct nm_desc *nmd, struct iovec *iov, int iovcnt)
{
int len = 0;
@@ -548,6 +550,7 @@ pci_vtnet_netmap_rx(struct pci_vtnet_softc *sc)
* No more packets, but still some avail ring
* entries. Interrupt if needed/appropriate.
*/
+ vq_retchain(vq);
vq_endchains(vq, 0);
return;
}
@@ -884,8 +887,9 @@ pci_vtnet_init(struct vmctx *ctx, struct pci_devinst *pi, char *opts)
pci_set_cfgdata16(pi, PCIR_SUBDEV_0, VIRTIO_TYPE_NET);
pci_set_cfgdata16(pi, PCIR_SUBVEND_0, VIRTIO_VENDOR);
- /* Link is up if we managed to open tap device. */
- sc->vsc_config.status = (opts == NULL || sc->vsc_tapfd >= 0);
+ /* Link is up if we managed to open tap device or vale port. */
+ sc->vsc_config.status = (opts == NULL || sc->vsc_tapfd >= 0 ||
+ sc->vsc_nmd != NULL);
/* use BAR 1 to map MSI-X table and PBA, if we're using MSI-X */
if (vi_intr_init(&sc->vsc_vs, 1, fbsdrun_virtio_msix()))
diff --git a/usr.sbin/ctld/uclparse.c b/usr.sbin/ctld/uclparse.c
index fb2cce0a144e..3cf95cf81ffa 100644
--- a/usr.sbin/ctld/uclparse.c
+++ b/usr.sbin/ctld/uclparse.c
@@ -886,9 +886,8 @@ uclparse_conf(struct conf *newconf, const char *path)
conf = newconf;
parser = ucl_parser_new(0);
- ucl_parser_add_file(parser, path);
- if (ucl_parser_get_error(parser)) {
+ if (!ucl_parser_add_file(parser, path)) {
log_warn("unable to parse configuration file %s: %s", path,
ucl_parser_get_error(parser));
return (1);
diff --git a/usr.sbin/gpioctl/gpioctl.8 b/usr.sbin/gpioctl/gpioctl.8
index dc2a5541fb0e..358f75e37283 100644
--- a/usr.sbin/gpioctl/gpioctl.8
+++ b/usr.sbin/gpioctl/gpioctl.8
@@ -27,7 +27,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 8, 2015
+.Dd March 11, 2016
.Dt GPIOCTL 1
.Os
.Sh NAME
@@ -40,21 +40,25 @@
.Op Fl v
.Nm
.Op Fl f Ar ctldev
+.Op Fl pN
.Cm -t
.Ar pin
.Nm
.Op Fl f Ar ctldev
+.Op Fl pN
.Cm -c
.Ar pin
.Ar flag
.Op flag ...
.Nm
.Op Fl f Ar ctldev
+.Op Fl pN
.Cm -n
.Ar pin
.Ar pin-name
.Nm
.Op Cm -f Ar ctldev
+.Op Fl pN
.Ar pin
.Ar [0|1]
.Sh DESCRIPTION
@@ -62,6 +66,20 @@ The
.Nm
utility could be used to manage GPIO pins from userland and list available pins.
.Pp
+The
+.Pa pin
+argument can either be a
+.Pa pin-number
+or a
+.Pa pin-name .
+If it is a number and a pin has this number as its name and you did not use
+.Fl N
+or
+.Fl p
+, then
+.Nm
+exits.
+.Pp
The options are as follows:
.Bl -tag -width ".Fl f Ar ctldev"
.It Fl c Ar pin Ar flag Op flag ...
@@ -96,9 +114,17 @@ list available pins
.It Fl n Ar pin Ar pin-name
set the name used to describe the pin
.It Fl t Ar pin
-toggle value of provided pin number
+toggle value of provided pin
.It Fl v
be verbose: for each listed pin print current configuration
+.It Fl p
+Force
+.Pa pin
+to be interpreted as a pin number
+.It Fl N
+Force
+.Pa pin
+to be interpreted as a pin name
.El
.Sh EXAMPLES
.Bl -bullet
@@ -114,6 +140,18 @@ gpioctl -f /dev/gpioc0 12 1
Configure pin 12 to be input pin
.Pp
gpioctl -f /dev/gpioc0 -c 12 IN
+.It
+Set the name of pin 12 to test
+.Pp
+gpioctl -f /dev/gpioc0 -n 12 test
+.It
+Toggle the value the pin named test
+.Pp
+gpioctl -f /dev/gpioc0 -t test
+.It
+Toggle the value of pin number 12 even if another pin has the name 12
+.Pp
+gpioctl -f /dev/gpioc0 -pt 12
.El
.Sh SEE ALSO
.Xr gpio 4 ,
diff --git a/usr.sbin/gpioctl/gpioctl.c b/usr.sbin/gpioctl/gpioctl.c
index 38e53e7f2fee..f786ef6b53b9 100644
--- a/usr.sbin/gpioctl/gpioctl.c
+++ b/usr.sbin/gpioctl/gpioctl.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 2009, Oleksandr Tymoshenko <gonzo@FreeBSD.org>
* Copyright (c) 2014, Rui Paulo <rpaulo@FreeBSD.org>
+ * Copyright (c) 2015, Emmanuel Vadot <manu@bidouilliste.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -40,6 +41,9 @@ __FBSDID("$FreeBSD$");
#include <libgpio.h>
+#define PIN_TYPE_NUMBER 1
+#define PIN_TYPE_NAME 2
+
struct flag_desc {
const char *name;
uint32_t flag;
@@ -66,10 +70,10 @@ usage(void)
{
fprintf(stderr, "Usage:\n");
fprintf(stderr, "\tgpioctl [-f ctldev] -l [-v]\n");
- fprintf(stderr, "\tgpioctl [-f ctldev] -t pin\n");
- fprintf(stderr, "\tgpioctl [-f ctldev] -c pin flag ...\n");
- fprintf(stderr, "\tgpioctl [-f ctldev] -n pin pin-name\n");
- fprintf(stderr, "\tgpioctl [-f ctldev] pin [0|1]\n");
+ fprintf(stderr, "\tgpioctl [-f ctldev] [-pN] -t pin\n");
+ fprintf(stderr, "\tgpioctl [-f ctldev] [-pN] -c pin flag ...\n");
+ fprintf(stderr, "\tgpioctl [-f ctldev] [-pN] -n pin pin-name\n");
+ fprintf(stderr, "\tgpioctl [-f ctldev] [-pN] pin [0|1]\n");
exit(1);
}
@@ -163,6 +167,32 @@ dump_pins(gpio_handle_t handle, int verbose)
free(cfgs);
}
+static int
+get_pinnum_by_name(gpio_handle_t handle, const char *name) {
+ int i, maxpin, pinn;
+ gpio_config_t *cfgs;
+ gpio_config_t *pin;
+
+ pinn = -1;
+ maxpin = gpio_pin_list(handle, &cfgs);
+ if (maxpin < 0) {
+ perror("gpio_pin_list");
+ exit(1);
+ }
+
+ for (i = 0; i <= maxpin; i++) {
+ pin = cfgs + i;
+ gpio_pin_get(handle, pin->g_pin);
+ if (!strcmp(name, pin->g_name)) {
+ pinn = i;
+ break;
+ }
+ }
+ free(cfgs);
+
+ return pinn;
+}
+
static void
fail(const char *fmt, ...)
{
@@ -181,19 +211,16 @@ main(int argc, char **argv)
gpio_config_t pin;
gpio_handle_t handle;
char *ctlfile = NULL;
- int pinn, pinv, ch;
+ int pinn, pinv, pin_type, ch;
int flags, flag, ok;
int config, list, name, toggle, verbose;
- config = toggle = verbose = list = name = pinn = 0;
+ config = toggle = verbose = list = name = pin_type = 0;
- while ((ch = getopt(argc, argv, "c:f:ln:t:v")) != -1) {
+ while ((ch = getopt(argc, argv, "cf:lntvNp")) != -1) {
switch (ch) {
case 'c':
config = 1;
- pinn = str2int(optarg, &ok);
- if (!ok)
- fail("Invalid pin number: %s\n", optarg);
break;
case 'f':
ctlfile = optarg;
@@ -203,15 +230,15 @@ main(int argc, char **argv)
break;
case 'n':
name = 1;
- pinn = str2int(optarg, &ok);
- if (!ok)
- fail("Invalid pin number: %s\n", optarg);
+ break;
+ case 'N':
+ pin_type = PIN_TYPE_NAME;
+ break;
+ case'p':
+ pin_type = PIN_TYPE_NUMBER;
break;
case 't':
toggle = 1;
- pinn = str2int(optarg, &ok);
- if (!ok)
- fail("Invalid pin number: %s\n", optarg);
break;
case 'v':
verbose = 1;
@@ -232,33 +259,58 @@ main(int argc, char **argv)
exit(1);
}
+ if (list) {
+ dump_pins(handle, verbose);
+ gpio_close(handle);
+ exit(0);
+ }
+
+ if (argc == 0)
+ usage();
+
+ /* Find the pin number by the name */
+ switch (pin_type) {
+ default:
+ /* First test if it is a pin number */
+ pinn = str2int(argv[0], &ok);
+ if (ok) {
+ /* Test if we have any pin named by this number and tell the user */
+ if (get_pinnum_by_name(handle, argv[0]) != -1)
+ fail("%s is also a pin name, use -p or -N\n", argv[0]);
+ } else {
+ /* Test if it is a name */
+ if ((pinn = get_pinnum_by_name(handle, argv[0])) == -1)
+ fail("Can't find pin named \"%s\"\n", argv[0]);
+ }
+ break;
+ case PIN_TYPE_NUMBER:
+ pinn = str2int(argv[0], &ok);
+ if (!ok)
+ fail("Invalid pin number: %s\n", argv[0]);
+ break;
+ case PIN_TYPE_NAME:
+ if ((pinn = get_pinnum_by_name(handle, argv[0])) == -1)
+ fail("Can't find pin named \"%s\"\n", argv[0]);
+ break;
+ }
+
/* Set the pin name. */
if (name) {
- if (argc == 0) {
+ if (argc != 2)
usage();
- exit(1);
- }
- if (gpio_pin_set_name(handle, pinn, argv[0]) < 0) {
+ if (gpio_pin_set_name(handle, pinn, argv[1]) < 0) {
perror("gpio_pin_set_name");
exit(1);
}
exit(0);
}
- if (list) {
- dump_pins(handle, verbose);
- gpio_close(handle);
- exit(0);
- }
-
if (toggle) {
/*
- * -t pin assumes no additional arguments
- */
- if (argc > 0) {
+ * -t pin assumes no additional arguments
+ */
+ if (argc > 1)
usage();
- exit(1);
- }
if (gpio_pin_toggle(handle, pinn) < 0) {
perror("gpio_pin_toggle");
exit(1);
@@ -269,7 +321,7 @@ main(int argc, char **argv)
if (config) {
flags = 0;
- for (i = 0; i < argc; i++) {
+ for (i = 1; i < argc; i++) {
flag = str2cap(argv[i]);
if (flag < 0)
fail("Invalid flag: %s\n", argv[i]);
@@ -287,14 +339,8 @@ main(int argc, char **argv)
/*
* Last two cases - set value or print value
*/
- if ((argc == 0) || (argc > 2)) {
+ if ((argc == 0) || (argc > 2))
usage();
- exit(1);
- }
-
- pinn = str2int(argv[0], &ok);
- if (!ok)
- fail("Invalid pin number: %s\n", argv[0]);
/*
* Read pin value
@@ -311,7 +357,7 @@ main(int argc, char **argv)
/* Is it valid number (0 or 1) ? */
pinv = str2int(argv[1], &ok);
- if (!ok || ((pinv != 0) && (pinv != 1)))
+ if (ok == 0 || ((pinv != 0) && (pinv != 1)))
fail("Invalid pin value: %s\n", argv[1]);
/*
diff --git a/usr.sbin/iovctl/iovctl.c b/usr.sbin/iovctl/iovctl.c
index 6c69f529a4b4..e25320e9b932 100644
--- a/usr.sbin/iovctl/iovctl.c
+++ b/usr.sbin/iovctl/iovctl.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2013-2015 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/usr.sbin/iovctl/iovctl.h b/usr.sbin/iovctl/iovctl.h
index 21d7e5cd7fb9..20b2da011c91 100644
--- a/usr.sbin/iovctl/iovctl.h
+++ b/usr.sbin/iovctl/iovctl.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2013-2015 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/usr.sbin/iovctl/parse.c b/usr.sbin/iovctl/parse.c
index b2ec395bc57d..347b35fb417a 100644
--- a/usr.sbin/iovctl/parse.c
+++ b/usr.sbin/iovctl/parse.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2014-2015 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2014-2015 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/usr.sbin/iovctl/validate.c b/usr.sbin/iovctl/validate.c
index 789175a9ed4c..6658a8c0c281 100644
--- a/usr.sbin/iovctl/validate.c
+++ b/usr.sbin/iovctl/validate.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2014-2015 Sandvine Inc. All rights reserved.
+ * Copyright (c) 2014-2015 Sandvine Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/usr.sbin/pc-sysinstall/backend-query/disk-list.sh b/usr.sbin/pc-sysinstall/backend-query/disk-list.sh
index 2616ef9bf5e8..875b330ef64b 100755
--- a/usr.sbin/pc-sysinstall/backend-query/disk-list.sh
+++ b/usr.sbin/pc-sysinstall/backend-query/disk-list.sh
@@ -82,8 +82,8 @@ do
esac
fi
- # Try and find some identification information with camcontrol
- NEWLINE=$(camcontrol identify $DEV 2>/dev/null | sed -ne 's/^device model *//p')
+ # Try and get some identification information from GEOM
+ NEWLINE=$(geom disk list $DEV 2>/dev/null | sed -ne 's/^ descr: *//p')
if [ -z "$NEWLINE" ]; then
NEWLINE=" <Unknown Device>"
fi
diff --git a/usr.sbin/pc-sysinstall/backend/functions-disk.sh b/usr.sbin/pc-sysinstall/backend/functions-disk.sh
index eac10d962ad9..03b6cde7d5f1 100755
--- a/usr.sbin/pc-sysinstall/backend/functions-disk.sh
+++ b/usr.sbin/pc-sysinstall/backend/functions-disk.sh
@@ -257,17 +257,15 @@ delete_all_gpart()
# Destroy the disk geom
rc_nohalt "gpart destroy ${DISK}"
- # Make sure we clear any hidden gpt tables
- clear_backup_gpt_table "${DISK}"
-
- # Wipe out front of disk
- rc_nohalt "dd if=/dev/zero of=${DISK} count=3000"
-
+ wipe_metadata "${DISK}"
};
# Function to export all zpools before starting an install
stop_all_zfs()
{
+ if [ ! -c /dev/zfs ]; then
+ return;
+ fi
local DISK="`echo ${1} | sed 's|/dev/||g'`"
# Export any zpools using this device so we can overwrite
@@ -283,6 +281,9 @@ stop_all_zfs()
# Function which stops all gmirrors before doing any disk manipulation
stop_all_gmirror()
{
+ if [ ! -d /dev/mirror ]; then
+ return;
+ fi
local DISK="`echo ${1} | sed 's|/dev/||g'`"
GPROV="`gmirror list | grep ". Name: mirror/" | cut -d '/' -f 2`"
for gprov in $GPROV
@@ -292,7 +293,7 @@ stop_all_gmirror()
then
echo_log "Stopping mirror $gprov $DISK"
rc_nohalt "gmirror remove $gprov $DISK"
- rc_nohalt "dd if=/dev/zero of=/dev/${DISK} count=4096"
+ wipe_metadata "${DISK}"
fi
done
};
@@ -611,12 +612,17 @@ stop_gjournal()
} ;
-# Function to wipe the potential backup gpt table from a disk
-clear_backup_gpt_table()
+# Function to wipe the potential metadata from a disk
+wipe_metadata()
{
- echo_log "Clearing gpt backup table location on disk"
- rc_nohalt "dd if=/dev/zero of=${1} bs=1m count=1"
- rc_nohalt "dd if=/dev/zero of=${1} bs=1m oseek=`diskinfo ${1} | awk '{print int($3 / (1024*1024)) - 4;}'`"
+ echo_log "Wiping possible metadata on ${1}"
+ local SIZE="`diskinfo ${1} | awk '{print int($3/(1024*1024)) }'`"
+ if [ "$SIZE" -gt "5" ] ; then
+ rc_halt "dd if=/dev/zero of=${1} bs=1m count=1"
+ rc_nohalt "dd if=/dev/zero of=${1} bs=1m oseek=$((SIZE-4))"
+ else
+ rc_nohalt "dd if=/dev/zero of=${1} bs=128k"
+ fi
} ;
# Function which runs gpart and creates a single large APM partition scheme
@@ -696,8 +702,7 @@ init_mbr_full_disk()
rc_halt "gpart add -a 4k -t freebsd -i 1 ${_intDISK}"
sleep 2
- echo_log "Cleaning up ${_intDISK}s1"
- rc_halt "dd if=/dev/zero of=${_intDISK}s1 count=1024"
+ wipe_metadata "${_intDISK}s1"
# Make the partition active
rc_halt "gpart set -a active -i 1 ${_intDISK}"
@@ -770,9 +775,7 @@ run_gpart_gpt_part()
rc_halt "gpart modify -t freebsd -i ${slicenum} ${DISK}"
sleep 2
- # Clean up old partition
- echo_log "Cleaning up $slice"
- rc_halt "dd if=/dev/zero of=${DISK}p${slicenum} count=1024"
+ wipe_metadata "${slice}"
sleep 4
@@ -830,9 +833,7 @@ run_gpart_slice()
rc_halt "gpart modify -t freebsd -i ${slicenum} ${DISK}"
sleep 2
- # Clean up old partition
- echo_log "Cleaning up $slice"
- rc_halt "dd if=/dev/zero of=${DISK}s${slicenum} count=1024"
+ wipe_metadata "${slice}"
sleep 1
@@ -883,9 +884,8 @@ run_gpart_free()
echo_log "Running gpart on ${DISK}"
rc_halt "gpart add -a 4k -t freebsd -i ${slicenum} ${DISK}"
sleep 2
-
- echo_log "Cleaning up $slice"
- rc_halt "dd if=/dev/zero of=${slice} count=1024"
+
+ wipe_metadata "${slice}"
sleep 1
diff --git a/usr.sbin/unbound/anchor/Makefile b/usr.sbin/unbound/anchor/Makefile
index 64e01d2ef836..d2431eb6d19a 100644
--- a/usr.sbin/unbound/anchor/Makefile
+++ b/usr.sbin/unbound/anchor/Makefile
@@ -9,7 +9,7 @@ EXPATDIR= ${.CURDIR}/../../../contrib/expat
PROG= unbound-anchor
SRCS= unbound-anchor.c
-CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} -I${EXPATDIR}/lib
+CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR} -I${EXPATDIR}/lib
LIBADD= unbound bsdxml ssl crypto pthread
MAN= unbound-anchor.8
diff --git a/usr.sbin/unbound/checkconf/Makefile b/usr.sbin/unbound/checkconf/Makefile
index 884465ba70a0..98ac3bb6f856 100644
--- a/usr.sbin/unbound/checkconf/Makefile
+++ b/usr.sbin/unbound/checkconf/Makefile
@@ -8,7 +8,7 @@ UNBOUNDDIR= ${.CURDIR}/../../../contrib/unbound
PROG= unbound-checkconf
SRCS= unbound-checkconf.c worker_cb.c
-CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR}
+CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR}
LIBADD= unbound pthread
MAN= unbound-checkconf.8
diff --git a/usr.sbin/unbound/control/Makefile b/usr.sbin/unbound/control/Makefile
index 824e44111fc0..9aab04a4c43d 100644
--- a/usr.sbin/unbound/control/Makefile
+++ b/usr.sbin/unbound/control/Makefile
@@ -8,7 +8,7 @@ UNBOUNDDIR= ${.CURDIR}/../../../contrib/unbound
PROG= unbound-control
SRCS= unbound-control.c worker_cb.c
-CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR}
+CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR}
LIBADD= unbound crypto ssl pthread
MAN= unbound-control.8
diff --git a/usr.sbin/unbound/daemon/Makefile b/usr.sbin/unbound/daemon/Makefile
index f90e06ee17cd..af42975b10eb 100644
--- a/usr.sbin/unbound/daemon/Makefile
+++ b/usr.sbin/unbound/daemon/Makefile
@@ -8,7 +8,7 @@ UNBOUNDDIR= ${.CURDIR}/../../../contrib/unbound
PROG= unbound
SRCS= acl_list.c cachedump.c daemon.c remote.c stats.c unbound.c worker.c
-CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR}
+CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR}
LIBADD= unbound util ssl crypto pthread
MAN= unbound.8 unbound.conf.5