Upgrade to OpenSSH-5.3p1.
authorPeter Avalos <pavalos@theshell.com>
Sat, 9 Jan 2010 22:06:31 +0000 (12:06 -1000)
committerPeter Avalos <pavalos@theshell.com>
Sat, 9 Jan 2010 22:06:31 +0000 (12:06 -1000)
General Bugfixes:

 * Do not limit home directory paths to 256 characters. bz#1615
 * Several minor documentation and correctness fixes.

Portable OpenSSH Bugfixes:

 * Move the deletion of PAM credentials on logout to after the
   session close. bz#1534
 * Accept ENOSYS as a fallback error when attempting
   atomic rename(). bz#1535
 * Fix detection of krb5-config. bz#1639
 * Fix test for server-assigned remote forwarding port for
   non-root users. bz#1578

56 files changed:
crypto/openssh/README
crypto/openssh/auth-pam.c
crypto/openssh/auth-passwd.c
crypto/openssh/auth1.c
crypto/openssh/auth2-kbdint.c
crypto/openssh/auth2-none.c
crypto/openssh/auth2-passwd.c
crypto/openssh/auth2-pubkey.c
crypto/openssh/auth2.c
crypto/openssh/canohost.c
crypto/openssh/canohost.h
crypto/openssh/channels.c
crypto/openssh/clientloop.c
crypto/openssh/defines.h
crypto/openssh/gss-genr.c
crypto/openssh/includes.h
crypto/openssh/jpake.h
crypto/openssh/kex.c
crypto/openssh/kex.h
crypto/openssh/kexdhs.c
crypto/openssh/kexgexs.c
crypto/openssh/monitor.c
crypto/openssh/monitor_mm.c
crypto/openssh/monitor_wrap.c
crypto/openssh/monitor_wrap.h
crypto/openssh/openbsd-compat/bsd-cygwin_util.h
crypto/openssh/openbsd-compat/getrrsetbyname.c
crypto/openssh/openbsd-compat/openssl-compat.h
crypto/openssh/openbsd-compat/port-aix.h
crypto/openssh/packet.c
crypto/openssh/packet.h
crypto/openssh/readconf.c
crypto/openssh/readconf.h
crypto/openssh/roaming.h [new file with mode: 0644]
crypto/openssh/roaming_common.c [new file with mode: 0644]
crypto/openssh/roaming_dummy.c [new file with mode: 0644]
crypto/openssh/schnorr.h [new file with mode: 0644]
crypto/openssh/servconf.c
crypto/openssh/serverloop.c
crypto/openssh/session.c
crypto/openssh/sftp-client.c
crypto/openssh/sftp-server.8
crypto/openssh/sftp-server.c
crypto/openssh/ssh-agent.1
crypto/openssh/ssh-agent.c
crypto/openssh/ssh-keygen.c
crypto/openssh/ssh.1
crypto/openssh/ssh.c
crypto/openssh/sshconnect.c
crypto/openssh/sshconnect.h
crypto/openssh/sshconnect2.c
crypto/openssh/sshd.8
crypto/openssh/sshd.c
crypto/openssh/sshd_config.5
crypto/openssh/sshlogin.c
crypto/openssh/uuencode.c

index 9de00c0..8538e8c 100644 (file)
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.2 for the release notes.
+See http://www.openssh.com/txt/release-5.3 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.70 2009/02/23 00:11:57 djm Exp $
+$Id: README,v 1.70.4.1 2009/09/26 04:11:47 djm Exp $
index ccdb993..675006e 100644 (file)
@@ -602,16 +602,16 @@ sshpam_cleanup(void)
                return;
        debug("PAM: cleanup");
        pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
-       if (sshpam_cred_established) {
-               debug("PAM: deleting credentials");
-               pam_setcred(sshpam_handle, PAM_DELETE_CRED);
-               sshpam_cred_established = 0;
-       }
        if (sshpam_session_open) {
                debug("PAM: closing session");
                pam_close_session(sshpam_handle, PAM_SILENT);
                sshpam_session_open = 0;
        }
+       if (sshpam_cred_established) {
+               debug("PAM: deleting credentials");
+               pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+               sshpam_cred_established = 0;
+       }
        sshpam_authenticated = 0;
        pam_end(sshpam_handle, sshpam_err);
        sshpam_handle = NULL;
index bdfced0..b1c6ce0 100644 (file)
@@ -102,7 +102,7 @@ auth_password(Authctxt *authctxt, const char *password)
        }
 #endif
 #ifdef HAVE_CYGWIN
-       if (is_winnt) {
+       {
                HANDLE hToken = cygwin_logon_user(pw, password);
 
                if (hToken == INVALID_HANDLE_VALUE)
index b8a2558..1801661 100644 (file)
@@ -318,15 +318,7 @@ do_authloop(Authctxt *authctxt)
                }
 #endif /* _UNICOS */
 
-#ifdef HAVE_CYGWIN
-               if (authenticated &&
-                   !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
-                   authctxt->pw)) {
-                       packet_disconnect("Authentication rejected for uid %d.",
-                           authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
-                       authenticated = 0;
-               }
-#else
+#ifndef HAVE_CYGWIN
                /* Special handling for root */
                if (authenticated && authctxt->pw->pw_uid == 0 &&
                    !auth_root_allowed(meth->name)) {
index a4fc9e6..fae67da 100644 (file)
@@ -58,10 +58,6 @@ userauth_kbdint(Authctxt *authctxt)
 
        xfree(devs);
        xfree(lang);
-#ifdef HAVE_CYGWIN
-       if (check_nt_auth(0, authctxt->pw) == 0)
-               authenticated = 0;
-#endif
        return authenticated;
 }
 
index 10accfe..08f2f93 100644 (file)
@@ -61,10 +61,6 @@ userauth_none(Authctxt *authctxt)
 {
        none_enabled = 0;
        packet_check_eom();
-#ifdef HAVE_CYGWIN
-       if (check_nt_auth(1, authctxt->pw) == 0)
-               return (0);
-#endif
        if (options.password_authentication)
                return (PRIVSEP(auth_password(authctxt, "")));
        return (0);
index 421c5c2..5f1f363 100644 (file)
@@ -68,10 +68,6 @@ userauth_passwd(Authctxt *authctxt)
                logit("password change not supported");
        else if (PRIVSEP(auth_password(authctxt, password)) == 1)
                authenticated = 1;
-#ifdef HAVE_CYGWIN
-       if (check_nt_auth(1, authctxt->pw) == 0)
-               authenticated = 0;
-#endif
        memset(password, 0, len);
        xfree(password);
        return authenticated;
index b1e38e5..2886f12 100644 (file)
@@ -170,10 +170,6 @@ done:
                key_free(key);
        xfree(pkalg);
        xfree(pkblob);
-#ifdef HAVE_CYGWIN
-       if (check_nt_auth(0, authctxt->pw) == 0)
-               authenticated = 0;
-#endif
        return authenticated;
 }
 
index ecf8570..5d54685 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.120 2008/11/04 08:22:12 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.121 2009/06/22 05:39:28 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -35,8 +35,8 @@
 #include <string.h>
 #include <unistd.h>
 
-#include "xmalloc.h"
 #include "atomicio.h"
+#include "xmalloc.h"
 #include "ssh2.h"
 #include "packet.h"
 #include "log.h"
index 7138f48..22b19bb 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: canohost.c,v 1.64 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: canohost.c,v 1.65 2009/05/27 06:31:25 andreas Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,6 +35,8 @@
 #include "misc.h"
 
 static void check_ip_options(int, char *);
+static char *canonical_host_ip = NULL;
+static int cached_port = -1;
 
 /*
  * Return the canonical name of the host at the other end of the socket. The
@@ -304,6 +306,16 @@ get_local_name(int sock)
        return get_socket_address(sock, 0, NI_NAMEREQD);
 }
 
+void
+clear_cached_addr(void)
+{
+       if (canonical_host_ip != NULL) {
+               xfree(canonical_host_ip);
+               canonical_host_ip = NULL;
+       }
+       cached_port = -1;
+}
+
 /*
  * Returns the IP-address of the remote host as a string.  The returned
  * string must not be freed.
@@ -312,8 +324,6 @@ get_local_name(int sock)
 const char *
 get_remote_ipaddr(void)
 {
-       static char *canonical_host_ip = NULL;
-
        /* Check whether we have cached the ipaddr. */
        if (canonical_host_ip == NULL) {
                if (packet_connection_is_on_socket()) {
@@ -402,13 +412,11 @@ get_peer_port(int sock)
 int
 get_remote_port(void)
 {
-       static int port = -1;
-
        /* Cache to avoid getpeername() on a dead connection */
-       if (port == -1)
-               port = get_port(0);
+       if (cached_port == -1)
+               cached_port = get_port(0);
 
-       return port;
+       return cached_port;
 }
 
 int
index d9b41ff..4c8636f 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: canohost.h,v 1.10 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: canohost.h,v 1.11 2009/05/27 06:31:25 andreas Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -24,6 +24,6 @@ char          *get_local_name(int);
 int             get_remote_port(void);
 int             get_local_port(void);
 int             get_sock_port(int, int);
-
+void            clear_cached_addr(void);
 
 void            ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
index dea60ba..e8b8aa0 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.295 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.296 2009/05/25 06:48:00 andreas Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1653,6 +1653,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
                        }
                        return -1;
                }
+#ifndef BROKEN_TCGETATTR_ICANON
                if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
                        if (tcgetattr(c->wfd, &tio) == 0 &&
                            !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
@@ -1666,6 +1667,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
                                packet_send();
                        }
                }
+#endif
                buffer_consume(&c->output, len);
                if (compat20 && len > 0) {
                        c->local_consumed += len;
@@ -2431,7 +2433,7 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt)
        int id;
 
        /* Reset keepalive timeout */
-       keep_alive_timeouts = 0;
+       packet_set_alive_timeouts(0);
 
        id = packet_get_int();
        packet_check_eom();
index a2d2d1d..9a7dc0a 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.209 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.213 2009/07/05 19:28:33 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 #include "misc.h"
 #include "match.h"
 #include "msg.h"
+#include "roaming.h"
 
 /* import options */
 extern Options options;
@@ -491,13 +492,13 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
                xfree(gc);
        }
 
-       keep_alive_timeouts = 0;
+       packet_set_alive_timeouts(0);
 }
 
 static void
 server_alive_check(void)
 {
-       if (++keep_alive_timeouts > options.server_alive_count_max) {
+       if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
                logit("Timeout, server not responding.");
                cleanup_exit(255);
        }
@@ -634,8 +635,8 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
 static void
 client_process_net_input(fd_set *readset)
 {
-       int len;
-       char buf[8192];
+       int len, cont = 0;
+       char buf[SSH_IOBUFSZ];
 
        /*
         * Read input from the server, and add any such data to the buffer of
@@ -643,8 +644,8 @@ client_process_net_input(fd_set *readset)
         */
        if (FD_ISSET(connection_in, readset)) {
                /* Read as much as possible. */
-               len = read(connection_in, buf, sizeof(buf));
-               if (len == 0) {
+               len = roaming_read(connection_in, buf, sizeof(buf), &cont);
+               if (len == 0 && cont == 0) {
                        /*
                         * Received EOF.  The remote host has closed the
                         * connection.
@@ -1128,7 +1129,7 @@ static void
 client_process_input(fd_set *readset)
 {
        int len;
-       char buf[8192];
+       char buf[SSH_IOBUFSZ];
 
        /* Read input from stdin. */
        if (FD_ISSET(fileno(stdin), readset)) {
@@ -1476,6 +1477,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
        /* Stop watching for window change. */
        signal(SIGWINCH, SIG_DFL);
 
+       if (compat20) {
+               packet_start(SSH2_MSG_DISCONNECT);
+               packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
+               packet_put_cstring("disconnected by user");
+               packet_send();
+               packet_write_wait();
+       }
+
        channel_free_all();
 
        if (have_pty)
index 536ec49..2ddfd96 100644 (file)
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.153 2009/02/01 11:19:54 dtucker Exp $ */
+/* $Id: defines.h,v 1.156 2009/08/28 01:21:07 dtucker Exp $ */
 
 
 /* Constants */
@@ -300,6 +300,9 @@ struct      sockaddr_un {
 #ifndef HAVE_IN_ADDR_T
 typedef u_int32_t      in_addr_t;
 #endif
+#ifndef HAVE_IN_PORT_T
+typedef u_int16_t      in_port_t;
+#endif
 
 #if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
 #define _STRUCT_WINSIZE
@@ -591,6 +594,10 @@ struct winsize {
 #define FSID_TO_ULONG(f) \
        ((((u_int64_t)(f).val[0] & 0xffffffffUL) << 32) | \
            ((f).val[1] & 0xffffffffUL))
+#elif defined(FSID_HAS___VAL)
+#define FSID_TO_ULONG(f) \
+       ((((u_int64_t)(f).__val[0] & 0xffffffffUL) << 32) | \
+           ((f).__val[1] & 0xffffffffUL))
 #else
 # define FSID_TO_ULONG(f) ((f))
 #endif
@@ -742,4 +749,8 @@ struct winsize {
 #define INET6_ADDRSTRLEN 46
 #endif
 
+#ifndef SSH_IOBUFSZ
+# define SSH_IOBUFSZ 8192
+#endif
+
 #endif /* _DEFINES_H */
index e919057..842f385 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
 
 /*
  * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
index f1b47f6..6bb9878 100644 (file)
@@ -31,7 +31,8 @@
 #endif
 #if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
     defined(GLOB_HAS_GL_MATCHC) && \
-    defined(HAVE_DECL_GLOB_NOMATCH) &&  HAVE_DECL_GLOB_NOMATCH != 0
+    defined(HAVE_DECL_GLOB_NOMATCH) &&  HAVE_DECL_GLOB_NOMATCH != 0 && \
+    !defined(BROKEN_GLOB)
 # include <glob.h>
 #endif
 #ifdef HAVE_ENDIAN_H
index a3d800c..a3f2cf0 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: jpake.h,v 1.1 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: jpake.h,v 1.2 2009/03/05 07:18:19 djm Exp $ */
 /*
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
  *
 # define JPAKE_DEBUG_BUF(a)
 # define JPAKE_DEBUG_CTX(a)
 #else
-# define JPAKE_DEBUG_BN(a)     jpake_debug3_bn a
-# define JPAKE_DEBUG_BUF(a)    jpake_debug3_buf a
+# define JPAKE_DEBUG_BN(a)     debug3_bn a
+# define JPAKE_DEBUG_BUF(a)    debug3_buf a
 # define JPAKE_DEBUG_CTX(a)    jpake_dump a
-#endif /* SCHNORR_DEBUG */
-
-struct jpake_group {
-       BIGNUM *p, *q, *g;
-};
+#endif /* JPAKE_DEBUG */
 
 #define KZP_ID_LEN     16      /* Length of client and server IDs */
 
 struct jpake_ctx {
        /* Parameters */
-       struct jpake_group *grp;
+       struct modp_group *grp;
 
        /* Private values shared by client and server */
        BIGNUM *s;                      /* Secret (salted, crypted password) */
@@ -83,26 +79,18 @@ struct jpake_ctx {
 };
 
 /* jpake.c */
-struct jpake_group *jpake_default_group(void);
-BIGNUM *bn_rand_range_gt_one(const BIGNUM *high);
-int hash_buffer(const u_char *, u_int, const EVP_MD *, u_char **, u_int *);
-void jpake_debug3_bn(const BIGNUM *, const char *, ...)
-    __attribute__((__nonnull__ (2)))
-    __attribute__((format(printf, 2, 3)));
-void jpake_debug3_buf(const u_char *, u_int, const char *, ...)
-    __attribute__((__nonnull__ (3)))
-    __attribute__((format(printf, 3, 4)));
+struct modp_group *jpake_default_group(void);
 void jpake_dump(struct jpake_ctx *, const char *, ...)
     __attribute__((__nonnull__ (2)))
     __attribute__((format(printf, 2, 3)));
 struct jpake_ctx *jpake_new(void);
 void jpake_free(struct jpake_ctx *);
 
-void jpake_step1(struct jpake_group *, u_char **, u_int *,
+void jpake_step1(struct modp_group *, u_char **, u_int *,
     BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
     u_char **, u_int *, u_char **, u_int *);
 
-void jpake_step2(struct jpake_group *, BIGNUM *,
+void jpake_step2(struct modp_group *, BIGNUM *,
     BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
     const u_char *, u_int, const u_char *, u_int,
     const u_char *, u_int, const u_char *, u_int,
@@ -113,7 +101,7 @@ void jpake_confirm_hash(const BIGNUM *,
     const u_char *, u_int,
     u_char **, u_int *);
 
-void jpake_key_confirm(struct jpake_group *, BIGNUM *, BIGNUM *,
+void jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *,
     BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
     const u_char *, u_int, const u_char *, u_int,
     const u_char *, u_int, const u_char *, u_int,
@@ -122,13 +110,5 @@ void jpake_key_confirm(struct jpake_group *, BIGNUM *, BIGNUM *,
 int jpake_check_confirm(const BIGNUM *, const u_char *, u_int,
     const u_char *, u_int, const u_char *, u_int);
 
-/* schnorr.c */
-int schnorr_sign(const BIGNUM *, const BIGNUM *, const BIGNUM *,
-    const BIGNUM *, const BIGNUM *, const u_char *, u_int ,
-    u_char **, u_int *);
-int schnorr_verify(const BIGNUM *, const BIGNUM *, const BIGNUM *, 
-    const BIGNUM *, const u_char *, u_int,
-    const u_char *, u_int);
-
 #endif /* JPAKE_H */
 
index 48b54f5..f4f44f0 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.80 2008/09/06 12:24:13 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.81 2009/05/27 06:34:36 andreas Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -49,8 +49,6 @@
 #include "dispatch.h"
 #include "monitor.h"
 
-#define KEX_COOKIE_LEN 16
-
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
index 8e29c90..68c80c5 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.46 2007/06/07 19:37:34 pvalchev Exp $ */
+/* $OpenBSD: kex.h,v 1.47 2009/05/27 06:34:36 andreas Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -30,6 +30,8 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 
+#define KEX_COOKIE_LEN 16
+
 #define        KEX_DH1                 "diffie-hellman-group1-sha1"
 #define        KEX_DH14                "diffie-hellman-group14-sha1"
 #define        KEX_DHGEX_SHA1          "diffie-hellman-group-exchange-sha1"
index 8617088..a6719f6 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhs.c,v 1.9 2006/11/06 21:25:28 markus Exp $ */
+/* $OpenBSD: kexdhs.c,v 1.10 2009/06/21 07:37:15 dtucker Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -137,7 +137,9 @@ kexdh_server(Kex *kex)
        }
 
        /* sign H */
-       PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
+       if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
+           hashlen)) < 0)
+               fatal("kexdh_server: key_sign failed");
 
        /* destroy_sensitive_data(); */
 
index 76a0f8c..8515568 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.11 2009/01/01 21:17:36 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.12 2009/06/21 07:37:15 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -179,7 +179,9 @@ kexgex_server(Kex *kex)
        }
 
        /* sign H */
-       PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
+       if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
+           hashlen)) < 0)
+               fatal("kexgex_server: key_sign failed");
 
        /* destroy_sensitive_data(); */
 
index f57e74b..ace25c4 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.101 2009/02/12 03:26:22 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.104 2009/06/12 20:43:22 andreas Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -88,6 +88,7 @@
 #include "compat.h"
 #include "ssh2.h"
 #include "jpake.h"
+#include "roaming.h"
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -100,7 +101,6 @@ extern Newkeys *current_keys[];
 extern z_stream incoming_stream;
 extern z_stream outgoing_stream;
 extern u_char session_id[];
-extern Buffer input, output;
 extern Buffer auth_debug;
 extern int auth_debug_init;
 extern Buffer loginmsg;
@@ -126,6 +126,8 @@ struct {
        u_int ilen;
        u_char *output;
        u_int olen;
+       u_int64_t sent_bytes;
+       u_int64_t recv_bytes;
 } child_state;
 
 /* Functions on the monitor that answer unprivileged requests */
@@ -1670,15 +1672,20 @@ monitor_apply_keystate(struct monitor *pmonitor)
 
        /* Network I/O buffers */
        /* XXX inefficient for large buffers, need: buffer_init_from_string */
-       buffer_clear(&input);
-       buffer_append(&input, child_state.input, child_state.ilen);
+       buffer_clear(packet_get_input());
+       buffer_append(packet_get_input(), child_state.input, child_state.ilen);
        memset(child_state.input, 0, child_state.ilen);
        xfree(child_state.input);
 
-       buffer_clear(&output);
-       buffer_append(&output, child_state.output, child_state.olen);
+       buffer_clear(packet_get_output());
+       buffer_append(packet_get_output(), child_state.output,
+                     child_state.olen);
        memset(child_state.output, 0, child_state.olen);
        xfree(child_state.output);
+
+       /* Roaming */
+       if (compat20)
+               roam_set_bytes(child_state.sent_bytes, child_state.recv_bytes);
 }
 
 static Kex *
@@ -1794,6 +1801,12 @@ mm_get_keystate(struct monitor *pmonitor)
        child_state.input = buffer_get_string(&m, &child_state.ilen);
        child_state.output = buffer_get_string(&m, &child_state.olen);
 
+       /* Roaming */
+       if (compat20) {
+               child_state.sent_bytes = buffer_get_int64(&m);
+               child_state.recv_bytes = buffer_get_int64(&m);
+       }
+
        buffer_free(&m);
 }
 
index dab7475..faf9f3d 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_mm.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: monitor_mm.c,v 1.16 2009/06/22 05:39:28 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
index 0986fc5..b8e8710 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.64 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.68 2009/06/22 05:39:28 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
 #include "atomicio.h"
 #include "monitor_fdpass.h"
 #include "misc.h"
+#include "schnorr.h"
 #include "jpake.h"
 
 #include "channels.h"
 #include "session.h"
 #include "servconf.h"
+#include "roaming.h"
 
 /* Imports */
 extern int compat20;
-extern Newkeys *newkeys[];
 extern z_stream incoming_stream;
 extern z_stream outgoing_stream;
 extern struct monitor *pmonitor;
-extern Buffer input, output;
 extern Buffer loginmsg;
 extern ServerOptions options;
 
@@ -508,7 +508,7 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
        Enc *enc;
        Mac *mac;
        Comp *comp;
-       Newkeys *newkey = newkeys[mode];
+       Newkeys *newkey = (Newkeys *)packet_get_newkeys(mode);
 
        debug3("%s: converting %p", __func__, newkey);
 
@@ -570,7 +570,7 @@ mm_send_kex(Buffer *m, Kex *kex)
 void
 mm_send_keystate(struct monitor *monitor)
 {
-       Buffer m;
+       Buffer m, *input, *output;
        u_char *blob, *p;
        u_int bloblen, plen;
        u_int32_t seqnr, packets;
@@ -608,7 +608,8 @@ mm_send_keystate(struct monitor *monitor)
        }
 
        debug3("%s: Sending new keys: %p %p",
-           __func__, newkeys[MODE_OUT], newkeys[MODE_IN]);
+           __func__, packet_get_newkeys(MODE_OUT),
+           packet_get_newkeys(MODE_IN));
 
        /* Keys from Kex */
        if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen))
@@ -655,8 +656,16 @@ mm_send_keystate(struct monitor *monitor)
        buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream));
 
        /* Network I/O buffers */
-       buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input));
-       buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output));
+       input = (Buffer *)packet_get_input();
+       output = (Buffer *)packet_get_output();
+       buffer_put_string(&m, buffer_ptr(input), buffer_len(input));
+       buffer_put_string(&m, buffer_ptr(output), buffer_len(output));
+
+       /* Roaming */
+       if (compat20) {
+               buffer_put_int64(&m, get_sent_bytes());
+               buffer_put_int64(&m, get_recv_bytes());
+       }
 
        mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m);
        debug3("%s: Finished sending state", __func__);
@@ -1282,7 +1291,7 @@ mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
 }
 
 void
-mm_jpake_step1(struct jpake_group *grp,
+mm_jpake_step1(struct modp_group *grp,
     u_char **id, u_int *id_len,
     BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
     u_char **priv1_proof, u_int *priv1_proof_len,
@@ -1317,7 +1326,7 @@ mm_jpake_step1(struct jpake_group *grp,
 }
 
 void
-mm_jpake_step2(struct jpake_group *grp, BIGNUM *s,
+mm_jpake_step2(struct modp_group *grp, BIGNUM *s,
     BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
     const u_char *theirid, u_int theirid_len,
     const u_char *myid, u_int myid_len,
@@ -1357,7 +1366,7 @@ mm_jpake_step2(struct jpake_group *grp, BIGNUM *s,
 }
 
 void
-mm_jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val,
+mm_jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
     BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
     BIGNUM *theirpub1, BIGNUM *theirpub2,
     const u_char *my_id, u_int my_id_len,
index 55c4b99..de2d16f 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.21 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.22 2009/03/05 07:18:19 djm Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -102,17 +102,17 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 
 /* jpake */
-struct jpake_group;
+struct modp_group;
 void mm_auth2_jpake_get_pwdata(struct Authctxt *, BIGNUM **, char **, char **);
-void mm_jpake_step1(struct jpake_group *, u_char **, u_int *,
+void mm_jpake_step1(struct modp_group *, u_char **, u_int *,
     BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
     u_char **, u_int *, u_char **, u_int *);
-void mm_jpake_step2(struct jpake_group *, BIGNUM *,
+void mm_jpake_step2(struct modp_group *, BIGNUM *,
     BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
     const u_char *, u_int, const u_char *, u_int,
     const u_char *, u_int, const u_char *, u_int,
     BIGNUM **, u_char **, u_int *);
-void mm_jpake_key_confirm(struct jpake_group *, BIGNUM *, BIGNUM *,
+void mm_jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *,
     BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
     const u_char *, u_int, const u_char *, u_int,
     const u_char *, u_int, const u_char *, u_int,
index 6719b8a..39b8eb7 100644 (file)
@@ -1,4 +1,4 @@
-/* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */
+/* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
@@ -35,7 +35,6 @@
 #ifdef HAVE_CYGWIN
 
 #undef ERROR
-#define is_winnt       (GetVersion() < 0x80000000)
 
 #include <windows.h>
 #include <sys/cygwin.h>
@@ -43,9 +42,7 @@
 
 int binary_open(const char *, int , ...);
 int binary_pipe(int fd[2]);
-int check_nt_auth(int, struct passwd *);
 int check_ntsec(const char *);
-void register_9x_service(void);
 char **fetch_windows_environment(void);
 void free_windows_environment(char **);
 
index 785b225..9887667 100644 (file)
@@ -143,7 +143,7 @@ u_int32_t _getlong(register const u_char *);
 
 /* ************** */
 
-#define ANSWER_BUFFER_SIZE 1024*64
+#define ANSWER_BUFFER_SIZE 0xffff
 
 struct dns_query {
        char                    *name;
index 6a1bed5..fcc7628 100644 (file)
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.12 2008/02/28 08:22:04 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.14 2009/03/07 11:22:35 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -80,6 +80,10 @@ extern const EVP_CIPHER *evp_acss(void);
 #  define EVP_CIPHER_CTX_cleanup(a)    ssh_EVP_CIPHER_CTX_cleanup((a))
 # endif /* SSH_OLD_EVP */
 
+# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
+#  define EVP_DigestUpdate(a,b,c)      ssh_EVP_DigestUpdate((a),(b),(c))
+#  endif
+
 # ifdef USE_OPENSSL_ENGINE
 #  ifdef SSLeay_add_all_algorithms
 #   undef SSLeay_add_all_algorithms
index ecb9fea..3ac76ae 100644 (file)
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.29 2008/03/09 05:36:55 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */
 
 /*
  *
@@ -71,6 +71,11 @@ int passwdexpired(char *, char **);
 # include <sys/timers.h>
 #endif
 
+/* for setpcred and friends */
+#ifdef HAVE_USERSEC_H
+# include <usersec.h>
+#endif
+
 /*
  * According to the setauthdb man page, AIX password registries must be 15
  * chars or less plus terminating NUL.
@@ -87,6 +92,8 @@ void aix_usrinfo(struct passwd *);
 int sys_auth_allowed_user(struct passwd *, Buffer *);
 # define CUSTOM_SYS_AUTH_RECORD_LOGIN 1
 int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
+# define CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG
+char *sys_auth_get_lastlogin_msg(const char *, uid_t);
 # define CUSTOM_FAILED_LOGIN 1
 #endif
 
index 5afc84c..994e35b 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.160 2009/02/13 11:50:21 markus Exp $ */
+/* $OpenBSD: packet.c,v 1.166 2009/06/27 09:29:06 andreas Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -77,6 +77,7 @@
 #include "canohost.h"
 #include "misc.h"
 #include "ssh.h"
+#include "roaming.h"
 
 #ifdef PACKET_DEBUG
 #define DBG(x) x
 
 #define PACKET_MAX_SIZE (256 * 1024)
 
-/*
- * This variable contains the file descriptors used for communicating with
- * the other side.  connection_in is used for reading; connection_out for
- * writing.  These can be the same descriptor, in which case it is assumed to
- * be a socket.
- */
-static int connection_in = -1;
-static int connection_out = -1;
+struct packet_state {
+       u_int32_t seqnr;
+       u_int32_t packets;
+       u_int64_t blocks;
+       u_int64_t bytes;
+};
 
-/* Protocol flags for the remote side. */
-static u_int remote_protocol_flags = 0;
+struct packet {
+       TAILQ_ENTRY(packet) next;
+       u_char type;
+       Buffer payload;
+};
 
-/* Encryption context for receiving data.  This is only used for decryption. */
-static CipherContext receive_context;
+struct session_state {
+       /*
+        * This variable contains the file descriptors used for
+        * communicating with the other side.  connection_in is used for
+        * reading; connection_out for writing.  These can be the same
+        * descriptor, in which case it is assumed to be a socket.
+        */
+       int connection_in;
+       int connection_out;
 
-/* Encryption context for sending data.  This is only used for encryption. */
-static CipherContext send_context;
+       /* Protocol flags for the remote side. */
+       u_int remote_protocol_flags;
 
-/* Buffer for raw input data from the socket. */
-Buffer input;
+       /* Encryption context for receiving data.  Only used for decryption. */
+       CipherContext receive_context;
 
-/* Buffer for raw output data going to the socket. */
-Buffer output;
+       /* Encryption context for sending data.  Only used for encryption. */
+       CipherContext send_context;
 
-/* Buffer for the partial outgoing packet being constructed. */
-static Buffer outgoing_packet;
+       /* Buffer for raw input data from the socket. */
+       Buffer input;
 
-/* Buffer for the incoming packet currently being processed. */
-static Buffer incoming_packet;
+       /* Buffer for raw output data going to the socket. */
+       Buffer output;
 
-/* Scratch buffer for packet compression/decompression. */
-static Buffer compression_buffer;
-static int compression_buffer_ready = 0;
+       /* Buffer for the partial outgoing packet being constructed. */
+       Buffer outgoing_packet;
 
-/* Flag indicating whether packet compression/decompression is enabled. */
-static int packet_compression = 0;
+       /* Buffer for the incoming packet currently being processed. */
+       Buffer incoming_packet;
 
-/* default maximum packet size */
-u_int max_packet_size = 32768;
+       /* Scratch buffer for packet compression/decompression. */
+       Buffer compression_buffer;
+       int compression_buffer_ready;
 
-/* Flag indicating whether this module has been initialized. */
-static int initialized = 0;
+       /*
+        * Flag indicating whether packet compression/decompression is
+        * enabled.
+        */
+       int packet_compression;
 
-/* Set to true if the connection is interactive. */
-static int interactive_mode = 0;
+       /* default maximum packet size */
+       u_int max_packet_size;
 
-/* Set to true if we are the server side. */
-static int server_side = 0;
+       /* Flag indicating whether this module has been initialized. */
+       int initialized;
 
-/* Set to true if we are authenticated. */
-static int after_authentication = 0;
+       /* Set to true if the connection is interactive. */
+       int interactive_mode;
 
-int keep_alive_timeouts = 0;
+       /* Set to true if we are the server side. */
+       int server_side;
 
-/* Set to the maximum time that we will wait to send or receive a packet */
-static int packet_timeout_ms = -1;
+       /* Set to true if we are authenticated. */
+       int after_authentication;
 
-/* Session key information for Encryption and MAC */
-Newkeys *newkeys[MODE_MAX];
-static struct packet_state {
-       u_int32_t seqnr;
-       u_int32_t packets;
-       u_int64_t blocks;
-       u_int64_t bytes;
-} p_read, p_send;
+       int keep_alive_timeouts;
 
-static u_int64_t max_blocks_in, max_blocks_out;
-static u_int32_t rekey_limit;
+       /* The maximum time that we will wait to send or receive a packet */
+       int packet_timeout_ms;
 
-/* Session key for protocol v1 */
-static u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
-static u_int ssh1_keylen;
+       /* Session key information for Encryption and MAC */
+       Newkeys *newkeys[MODE_MAX];
+       struct packet_state p_read, p_send;
 
-/* roundup current message to extra_pad bytes */
-static u_char extra_pad = 0;
+       u_int64_t max_blocks_in, max_blocks_out;
+       u_int32_t rekey_limit;
 
-/* XXX discard incoming data after MAC error */
-static u_int packet_discard = 0;
-static Mac *packet_discard_mac = NULL;
+       /* Session key for protocol v1 */
+       u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
+       u_int ssh1_keylen;
 
-struct packet {
-       TAILQ_ENTRY(packet) next;
-       u_char type;
-       Buffer payload;
+       /* roundup current message to extra_pad bytes */
+       u_char extra_pad;
+
+       /* XXX discard incoming data after MAC error */
+       u_int packet_discard;
+       Mac *packet_discard_mac;
+
+       /* Used in packet_read_poll2() */
+       u_int packlen;
+
+       /* Used in packet_send2 */
+       int rekeying;
+
+       /* Used in packet_set_interactive */
+       int set_interactive_called;
+
+       /* Used in packet_set_maxsize */
+       int set_maxsize_called;
+
+       TAILQ_HEAD(, packet) outgoing;
 };
-TAILQ_HEAD(, packet) outgoing;
+
+static struct session_state *active_state, *backup_state;
+
+static struct session_state *
+alloc_session_state(void)
+{
+    struct session_state *s = xcalloc(1, sizeof(*s));
+
+    s->connection_in = -1;
+    s->connection_out = -1;
+    s->max_packet_size = 32768;
+    s->packet_timeout_ms = -1;
+    return s;
+}
 
 /*
  * Sets the descriptors used for communication.  Disables encryption until
@@ -184,21 +219,23 @@ packet_set_connection(int fd_in, int fd_out)
 
        if (none == NULL)
                fatal("packet_set_connection: cannot load cipher 'none'");
-       connection_in = fd_in;
-       connection_out = fd_out;
-       cipher_init(&send_context, none, (const u_char *)"",
+       if (active_state == NULL)
+               active_state = alloc_session_state();
+       active_state->connection_in = fd_in;
+       active_state->connection_out = fd_out;
+       cipher_init(&active_state->send_context, none, (const u_char *)"",
            0, NULL, 0, CIPHER_ENCRYPT);
-       cipher_init(&receive_context, none, (const u_char *)"",
+       cipher_init(&active_state->receive_context, none, (const u_char *)"",
            0, NULL, 0, CIPHER_DECRYPT);
-       newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL;
-       if (!initialized) {
-               initialized = 1;
-               buffer_init(&input);
-               buffer_init(&output);
-               buffer_init(&outgoing_packet);
-               buffer_init(&incoming_packet);
-               TAILQ_INIT(&outgoing);
-               p_send.packets = p_read.packets = 0;
+       active_state->newkeys[MODE_IN] = active_state->newkeys[MODE_OUT] = NULL;
+       if (!active_state->initialized) {
+               active_state->initialized = 1;
+               buffer_init(&active_state->input);
+               buffer_init(&active_state->output);
+               buffer_init(&active_state->outgoing_packet);
+               buffer_init(&active_state->incoming_packet);
+               TAILQ_INIT(&active_state->outgoing);
+               active_state->p_send.packets = active_state->p_read.packets = 0;
        }
 }
 
@@ -206,27 +243,29 @@ void
 packet_set_timeout(int timeout, int count)
 {
        if (timeout == 0 || count == 0) {
-               packet_timeout_ms = -1;
+               active_state->packet_timeout_ms = -1;
                return;
        }
        if ((INT_MAX / 1000) / count < timeout)
-               packet_timeout_ms = INT_MAX;
+               active_state->packet_timeout_ms = INT_MAX;
        else
-               packet_timeout_ms = timeout * count * 1000;
+               active_state->packet_timeout_ms = timeout * count * 1000;
 }
 
 static void
 packet_stop_discard(void)
 {
-       if (packet_discard_mac) {
+       if (active_state->packet_discard_mac) {
                char buf[1024];
                
                memset(buf, 'a', sizeof(buf));
-               while (buffer_len(&incoming_packet) < PACKET_MAX_SIZE)
-                       buffer_append(&incoming_packet, buf, sizeof(buf));
-               (void) mac_compute(packet_discard_mac,
-                   p_read.seqnr,
-                   buffer_ptr(&incoming_packet),
+               while (buffer_len(&active_state->incoming_packet) <
+                   PACKET_MAX_SIZE)
+                       buffer_append(&active_state->incoming_packet, buf,
+                           sizeof(buf));
+               (void) mac_compute(active_state->packet_discard_mac,
+                   active_state->p_read.seqnr,
+                   buffer_ptr(&active_state->incoming_packet),
                    PACKET_MAX_SIZE);
        }
        logit("Finished discarding for %.200s", get_remote_ipaddr());
@@ -239,10 +278,11 @@ packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard)
        if (enc == NULL || !cipher_is_cbc(enc->cipher))
                packet_disconnect("Packet corrupt");
        if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled)
-               packet_discard_mac = mac;
-       if (buffer_len(&input) >= discard)
+               active_state->packet_discard_mac = mac;
+       if (buffer_len(&active_state->input) >= discard)
                packet_stop_discard();
-       packet_discard = discard - buffer_len(&input);
+       active_state->packet_discard = discard -
+           buffer_len(&active_state->input);
 }
 
 /* Returns 1 if remote host is connected via socket, 0 if not. */
@@ -254,15 +294,17 @@ packet_connection_is_on_socket(void)
        socklen_t fromlen, tolen;
 
        /* filedescriptors in and out are the same, so it's a socket */
-       if (connection_in == connection_out)
+       if (active_state->connection_in == active_state->connection_out)
                return 1;
        fromlen = sizeof(from);
        memset(&from, 0, sizeof(from));
-       if (getpeername(connection_in, (struct sockaddr *)&from, &fromlen) < 0)
+       if (getpeername(active_state->connection_in, (struct sockaddr *)&from,
+           &fromlen) < 0)
                return 0;
        tolen = sizeof(to);
        memset(&to, 0, sizeof(to));
-       if (getpeername(connection_out, (struct sockaddr *)&to, &tolen) < 0)
+       if (getpeername(active_state->connection_out, (struct sockaddr *)&to,
+           &tolen) < 0)
                return 0;
        if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
                return 0;
@@ -283,9 +325,9 @@ packet_get_keyiv(int mode, u_char *iv, u_int len)
        CipherContext *cc;
 
        if (mode == MODE_OUT)
-               cc = &send_context;
+               cc = &active_state->send_context;
        else
-               cc = &receive_context;
+               cc = &active_state->receive_context;
 
        cipher_get_keyiv(cc, iv, len);
 }
@@ -296,9 +338,9 @@ packet_get_keycontext(int mode, u_char *dat)
        CipherContext *cc;
 
        if (mode == MODE_OUT)
-               cc = &send_context;
+               cc = &active_state->send_context;
        else
-               cc = &receive_context;
+               cc = &active_state->receive_context;
 
        return (cipher_get_keycontext(cc, dat));
 }
@@ -309,9 +351,9 @@ packet_set_keycontext(int mode, u_char *dat)
        CipherContext *cc;
 
        if (mode == MODE_OUT)
-               cc = &send_context;
+               cc = &active_state->send_context;
        else
-               cc = &receive_context;
+               cc = &active_state->receive_context;
 
        cipher_set_keycontext(cc, dat);
 }
@@ -322,9 +364,9 @@ packet_get_keyiv_len(int mode)
        CipherContext *cc;
 
        if (mode == MODE_OUT)
-               cc = &send_context;
+               cc = &active_state->send_context;
        else
-               cc = &receive_context;
+               cc = &active_state->receive_context;
 
        return (cipher_get_keyiv_len(cc));
 }
@@ -335,9 +377,9 @@ packet_set_iv(int mode, u_char *dat)
        CipherContext *cc;
 
        if (mode == MODE_OUT)
-               cc = &send_context;
+               cc = &active_state->send_context;
        else
-               cc = &receive_context;
+               cc = &active_state->receive_context;
 
        cipher_set_keyiv(cc, dat);
 }
@@ -345,7 +387,7 @@ packet_set_iv(int mode, u_char *dat)
 int
 packet_get_ssh1_cipher(void)
 {
-       return (cipher_get_number(receive_context.cipher));
+       return (cipher_get_number(active_state->receive_context.cipher));
 }
 
 void
@@ -354,7 +396,8 @@ packet_get_state(int mode, u_int32_t *seqnr, u_int64_t *blocks, u_int32_t *packe
 {
        struct packet_state *state;
 
-       state = (mode == MODE_IN) ? &p_read : &p_send;
+       state = (mode == MODE_IN) ?
+           &active_state->p_read : &active_state->p_send;
        if (seqnr)
                *seqnr = state->seqnr;
        if (blocks)
@@ -371,7 +414,8 @@ packet_set_state(int mode, u_int32_t seqnr, u_int64_t blocks, u_int32_t packets,
 {
        struct packet_state *state;
 
-       state = (mode == MODE_IN) ? &p_read : &p_send;
+       state = (mode == MODE_IN) ?
+           &active_state->p_read : &active_state->p_send;
        state->seqnr = seqnr;
        state->blocks = blocks;
        state->packets = packets;
@@ -387,7 +431,8 @@ packet_connection_is_ipv4(void)
        socklen_t tolen = sizeof(to);
 
        memset(&to, 0, sizeof(to));
-       if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0)
+       if (getsockname(active_state->connection_out, (struct sockaddr *)&to,
+           &tolen) < 0)
                return 0;
        if (to.ss_family == AF_INET)
                return 1;
@@ -405,10 +450,10 @@ void
 packet_set_nonblocking(void)
 {
        /* Set the socket into non-blocking mode. */
-       set_nonblock(connection_in);
+       set_nonblock(active_state->connection_in);
 
-       if (connection_out != connection_in)
-               set_nonblock(connection_out);
+       if (active_state->connection_out != active_state->connection_in)
+               set_nonblock(active_state->connection_out);
 }
 
 /* Returns the socket used for reading. */
@@ -416,7 +461,7 @@ packet_set_nonblocking(void)
 int
 packet_get_connection_in(void)
 {
-       return connection_in;
+       return active_state->connection_in;
 }
 
 /* Returns the descriptor used for writing. */
@@ -424,7 +469,7 @@ packet_get_connection_in(void)
 int
 packet_get_connection_out(void)
 {
-       return connection_out;
+       return active_state->connection_out;
 }
 
 /* Closes the connection and clears and frees internal data structures. */
@@ -432,26 +477,26 @@ packet_get_connection_out(void)
 void
 packet_close(void)
 {
-       if (!initialized)
+       if (!active_state->initialized)
                return;
-       initialized = 0;
-       if (connection_in == connection_out) {
-               shutdown(connection_out, SHUT_RDWR);
-               close(connection_out);
+       active_state->initialized = 0;
+       if (active_state->connection_in == active_state->connection_out) {
+               shutdown(active_state->connection_out, SHUT_RDWR);
+               close(active_state->connection_out);
        } else {
-               close(connection_in);
-               close(connection_out);
+               close(active_state->connection_in);
+               close(active_state->connection_out);
        }
-       buffer_free(&input);
-       buffer_free(&output);
-       buffer_free(&outgoing_packet);
-       buffer_free(&incoming_packet);
-       if (compression_buffer_ready) {
-               buffer_free(&compression_buffer);
+       buffer_free(&active_state->input);
+       buffer_free(&active_state->output);
+       buffer_free(&active_state->outgoing_packet);
+       buffer_free(&active_state->incoming_packet);
+       if (active_state->compression_buffer_ready) {
+               buffer_free(&active_state->compression_buffer);
                buffer_compress_uninit();
        }
-       cipher_cleanup(&send_context);
-       cipher_cleanup(&receive_context);
+       cipher_cleanup(&active_state->send_context);
+       cipher_cleanup(&active_state->receive_context);
 }
 
 /* Sets remote side protocol flags. */
@@ -459,7 +504,7 @@ packet_close(void)
 void
 packet_set_protocol_flags(u_int protocol_flags)
 {
-       remote_protocol_flags = protocol_flags;
+       active_state->remote_protocol_flags = protocol_flags;
 }
 
 /* Returns the remote protocol flags set earlier by the above function. */
@@ -467,7 +512,7 @@ packet_set_protocol_flags(u_int protocol_flags)
 u_int
 packet_get_protocol_flags(void)
 {
-       return remote_protocol_flags;
+       return active_state->remote_protocol_flags;
 }
 
 /*
@@ -478,18 +523,18 @@ packet_get_protocol_flags(void)
 static void
 packet_init_compression(void)
 {
-       if (compression_buffer_ready == 1)
+       if (active_state->compression_buffer_ready == 1)
                return;
-       compression_buffer_ready = 1;
-       buffer_init(&compression_buffer);
+       active_state->compression_buffer_ready = 1;
+       buffer_init(&active_state->compression_buffer);
 }
 
 void
 packet_start_compression(int level)
 {
-       if (packet_compression && !compat20)
+       if (active_state->packet_compression && !compat20)
                fatal("Compression already enabled.");
-       packet_compression = 1;
+       active_state->packet_compression = 1;
        packet_init_compression();
        buffer_compress_init_send(level);
        buffer_compress_init_recv();
@@ -513,19 +558,21 @@ packet_set_encryption_key(const u_char *key, u_int keylen,
                fatal("packet_set_encryption_key: keylen too small: %d", keylen);
        if (keylen > SSH_SESSION_KEY_LENGTH)
                fatal("packet_set_encryption_key: keylen too big: %d", keylen);
-       memcpy(ssh1_key, key, keylen);
-       ssh1_keylen = keylen;
-       cipher_init(&send_context, cipher, key, keylen, NULL, 0, CIPHER_ENCRYPT);
-       cipher_init(&receive_context, cipher, key, keylen, NULL, 0, CIPHER_DECRYPT);
+       memcpy(active_state->ssh1_key, key, keylen);
+       active_state->ssh1_keylen = keylen;
+       cipher_init(&active_state->send_context, cipher, key, keylen, NULL,
+           0, CIPHER_ENCRYPT);
+       cipher_init(&active_state->receive_context, cipher, key, keylen, NULL,
+           0, CIPHER_DECRYPT);
 }
 
 u_int
 packet_get_encryption_key(u_char *key)
 {
        if (key == NULL)
-               return (ssh1_keylen);
-       memcpy(key, ssh1_key, ssh1_keylen);
-       return (ssh1_keylen);
+               return (active_state->ssh1_keylen);
+       memcpy(key, active_state->ssh1_key, active_state->ssh1_keylen);
+       return (active_state->ssh1_keylen);
 }
 
 /* Start constructing a packet to send. */
@@ -539,8 +586,8 @@ packet_start(u_char type)
        len = compat20 ? 6 : 9;
        memset(buf, 0, len - 1);
        buf[len - 1] = type;
-       buffer_clear(&outgoing_packet);
-       buffer_append(&outgoing_packet, buf, len);
+       buffer_clear(&active_state->outgoing_packet);
+       buffer_append(&active_state->outgoing_packet, buf, len);
 }
 
 /* Append payload. */
@@ -549,43 +596,49 @@ packet_put_char(int value)
 {
        char ch = value;
 
-       buffer_append(&outgoing_packet, &ch, 1);
+       buffer_append(&active_state->outgoing_packet, &ch, 1);
 }
 
 void
 packet_put_int(u_int value)
 {
-       buffer_put_int(&outgoing_packet, value);
+       buffer_put_int(&active_state->outgoing_packet, value);
+}
+
+void
+packet_put_int64(u_int64_t value)
+{
+       buffer_put_int64(&active_state->outgoing_packet, value);
 }
 
 void
 packet_put_string(const void *buf, u_int len)
 {
-       buffer_put_string(&outgoing_packet, buf, len);
+       buffer_put_string(&active_state->outgoing_packet, buf, len);
 }
 
 void
 packet_put_cstring(const char *str)
 {
-       buffer_put_cstring(&outgoing_packet, str);
+       buffer_put_cstring(&active_state->outgoing_packet, str);
 }
 
 void
 packet_put_raw(const void *buf, u_int len)
 {
-       buffer_append(&outgoing_packet, buf, len);
+       buffer_append(&active_state->outgoing_packet, buf, len);
 }
 
 void
 packet_put_bignum(BIGNUM * value)
 {
-       buffer_put_bignum(&outgoing_packet, value);
+       buffer_put_bignum(&active_state->outgoing_packet, value);
 }
 
 void
 packet_put_bignum2(BIGNUM * value)
 {
-       buffer_put_bignum2(&outgoing_packet, value);
+       buffer_put_bignum2(&active_state->outgoing_packet, value);
 }
 
 /*
@@ -605,24 +658,27 @@ packet_send1(void)
         * If using packet compression, compress the payload of the outgoing
         * packet.
         */
-       if (packet_compression) {
-               buffer_clear(&compression_buffer);
+       if (active_state->packet_compression) {
+               buffer_clear(&active_state->compression_buffer);
                /* Skip padding. */
-               buffer_consume(&outgoing_packet, 8);
+               buffer_consume(&active_state->outgoing_packet, 8);
                /* padding */
-               buffer_append(&compression_buffer, "\0\0\0\0\0\0\0\0", 8);
-               buffer_compress(&outgoing_packet, &compression_buffer);
-               buffer_clear(&outgoing_packet);
-               buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
-                   buffer_len(&compression_buffer));
+               buffer_append(&active_state->compression_buffer,
+                   "\0\0\0\0\0\0\0\0", 8);
+               buffer_compress(&active_state->outgoing_packet,
+                   &active_state->compression_buffer);
+               buffer_clear(&active_state->outgoing_packet);
+               buffer_append(&active_state->outgoing_packet,
+                   buffer_ptr(&active_state->compression_buffer),
+                   buffer_len(&active_state->compression_buffer));
        }
        /* Compute packet length without padding (add checksum, remove padding). */
-       len = buffer_len(&outgoing_packet) + 4 - 8;
+       len = buffer_len(&active_state->outgoing_packet) + 4 - 8;
 
        /* Insert padding. Initialized to zero in packet_start1() */
        padding = 8 - len % 8;
-       if (!send_context.plaintext) {
-               cp = buffer_ptr(&outgoing_packet);
+       if (!active_state->send_context.plaintext) {
+               cp = buffer_ptr(&active_state->outgoing_packet);
                for (i = 0; i < padding; i++) {
                        if (i % 4 == 0)
                                rnd = arc4random();
@@ -630,33 +686,36 @@ packet_send1(void)
                        rnd >>= 8;
                }
        }
-       buffer_consume(&outgoing_packet, 8 - padding);
+       buffer_consume(&active_state->outgoing_packet, 8 - padding);
 
        /* Add check bytes. */
-       checksum = ssh_crc32(buffer_ptr(&outgoing_packet),
-           buffer_len(&outgoing_packet));
+       checksum = ssh_crc32(buffer_ptr(&active_state->outgoing_packet),
+           buffer_len(&active_state->outgoing_packet));
        put_u32(buf, checksum);
-       buffer_append(&outgoing_packet, buf, 4);
+       buffer_append(&active_state->outgoing_packet, buf, 4);
 
 #ifdef PACKET_DEBUG
        fprintf(stderr, "packet_send plain: ");
-       buffer_dump(&outgoing_packet);
+       buffer_dump(&active_state->outgoing_packet);
 #endif
 
        /* Append to output. */
        put_u32(buf, len);
-       buffer_append(&output, buf, 4);
-       cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
-       cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
-           buffer_len(&outgoing_packet));
+       buffer_append(&active_state->output, buf, 4);
+       cp = buffer_append_space(&active_state->output,
+           buffer_len(&active_state->outgoing_packet));
+       cipher_crypt(&active_state->send_context, cp,
+           buffer_ptr(&active_state->outgoing_packet),
+           buffer_len(&active_state->outgoing_packet));
 
 #ifdef PACKET_DEBUG
        fprintf(stderr, "encrypted: ");
-       buffer_dump(&output);
+       buffer_dump(&active_state->output);
 #endif
-       p_send.packets++;
-       p_send.bytes += len + buffer_len(&outgoing_packet);
-       buffer_clear(&outgoing_packet);
+       active_state->p_send.packets++;
+       active_state->p_send.bytes += len +
+           buffer_len(&active_state->outgoing_packet);
+       buffer_clear(&active_state->outgoing_packet);
 
        /*
         * Note that the packet is now only buffered in output.  It won't be
@@ -678,22 +737,22 @@ set_newkeys(int mode)
        debug2("set_newkeys: mode %d", mode);
 
        if (mode == MODE_OUT) {
-               cc = &send_context;
+               cc = &active_state->send_context;
                crypt_type = CIPHER_ENCRYPT;
-               p_send.packets = p_send.blocks = 0;
-               max_blocks = &max_blocks_out;
+               active_state->p_send.packets = active_state->p_send.blocks = 0;
+               max_blocks = &active_state->max_blocks_out;
        } else {
-               cc = &receive_context;
+               cc = &active_state->receive_context;
                crypt_type = CIPHER_DECRYPT;
-               p_read.packets = p_read.blocks = 0;
-               max_blocks = &max_blocks_in;
+               active_state->p_read.packets = active_state->p_read.blocks = 0;
+               max_blocks = &active_state->max_blocks_in;
        }
-       if (newkeys[mode] != NULL) {
+       if (active_state->newkeys[mode] != NULL) {
                debug("set_newkeys: rekeying");
                cipher_cleanup(cc);
-               enc  = &newkeys[mode]->enc;
-               mac  = &newkeys[mode]->mac;
-               comp = &newkeys[mode]->comp;
+               enc  = &active_state->newkeys[mode]->enc;
+               mac  = &active_state->newkeys[mode]->mac;
+               comp = &active_state->newkeys[mode]->comp;
                mac_clear(mac);
                xfree(enc->name);
                xfree(enc->iv);
@@ -701,14 +760,14 @@ set_newkeys(int mode)
                xfree(mac->name);
                xfree(mac->key);
                xfree(comp->name);
-               xfree(newkeys[mode]);
+               xfree(active_state->newkeys[mode]);
        }
-       newkeys[mode] = kex_get_newkeys(mode);
-       if (newkeys[mode] == NULL)
+       active_state->newkeys[mode] = kex_get_newkeys(mode);
+       if (active_state->newkeys[mode] == NULL)
                fatal("newkeys: no keys for mode %d", mode);
-       enc  = &newkeys[mode]->enc;
-       mac  = &newkeys[mode]->mac;
-       comp = &newkeys[mode]->comp;
+       enc  = &active_state->newkeys[mode]->enc;
+       mac  = &active_state->newkeys[mode]->mac;
+       comp = &active_state->newkeys[mode]->comp;
        if (mac_init(mac) == 0)
                mac->enabled = 1;
        DBG(debug("cipher_init_context: %d", mode));
@@ -719,8 +778,8 @@ set_newkeys(int mode)
           memset(enc->key, 0, enc->key_len);
           memset(mac->key, 0, mac->key_len); */
        if ((comp->type == COMP_ZLIB ||
-           (comp->type == COMP_DELAYED && after_authentication)) &&
-           comp->enabled == 0) {
+           (comp->type == COMP_DELAYED &&
+            active_state->after_authentication)) && comp->enabled == 0) {
                packet_init_compression();
                if (mode == MODE_OUT)
                        buffer_compress_init_send(6);
@@ -736,8 +795,9 @@ set_newkeys(int mode)
                *max_blocks = (u_int64_t)1 << (enc->block_size*2);
        else
                *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
-       if (rekey_limit)
-               *max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
+       if (active_state->rekey_limit)
+               *max_blocks = MIN(*max_blocks,
+                   active_state->rekey_limit / enc->block_size);
 }
 
 /*
@@ -755,12 +815,12 @@ packet_enable_delayed_compress(void)
         * Remember that we are past the authentication step, so rekeying
         * with COMP_DELAYED will turn on compression immediately.
         */
-       after_authentication = 1;
+       active_state->after_authentication = 1;
        for (mode = 0; mode < MODE_MAX; mode++) {
                /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
-               if (newkeys[mode] == NULL)
+               if (active_state->newkeys[mode] == NULL)
                        continue;
-               comp = &newkeys[mode]->comp;
+               comp = &active_state->newkeys[mode]->comp;
                if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
                        packet_init_compression();
                        if (mode == MODE_OUT)
@@ -788,37 +848,39 @@ packet_send2_wrapped(void)
        Comp *comp = NULL;
        int block_size;
 
-       if (newkeys[MODE_OUT] != NULL) {
-               enc  = &newkeys[MODE_OUT]->enc;
-               mac  = &newkeys[MODE_OUT]->mac;
-               comp = &newkeys[MODE_OUT]->comp;
+       if (active_state->newkeys[MODE_OUT] != NULL) {
+               enc  = &active_state->newkeys[MODE_OUT]->enc;
+               mac  = &active_state->newkeys[MODE_OUT]->mac;
+               comp = &active_state->newkeys[MODE_OUT]->comp;
        }
        block_size = enc ? enc->block_size : 8;
 
-       cp = buffer_ptr(&outgoing_packet);
+       cp = buffer_ptr(&active_state->outgoing_packet);
        type = cp[5];
 
 #ifdef PACKET_DEBUG
        fprintf(stderr, "plain:     ");
-       buffer_dump(&outgoing_packet);
+       buffer_dump(&active_state->outgoing_packet);
 #endif
 
        if (comp && comp->enabled) {
-               len = buffer_len(&outgoing_packet);
+               len = buffer_len(&active_state->outgoing_packet);
                /* skip header, compress only payload */
-               buffer_consume(&outgoing_packet, 5);
-               buffer_clear(&compression_buffer);
-               buffer_compress(&outgoing_packet, &compression_buffer);
-               buffer_clear(&outgoing_packet);
-               buffer_append(&outgoing_packet, "\0\0\0\0\0", 5);
-               buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
-                   buffer_len(&compression_buffer));
+               buffer_consume(&active_state->outgoing_packet, 5);
+               buffer_clear(&active_state->compression_buffer);
+               buffer_compress(&active_state->outgoing_packet,
+                   &active_state->compression_buffer);
+               buffer_clear(&active_state->outgoing_packet);
+               buffer_append(&active_state->outgoing_packet, "\0\0\0\0\0", 5);
+               buffer_append(&active_state->outgoing_packet,
+                   buffer_ptr(&active_state->compression_buffer),
+                   buffer_len(&active_state->compression_buffer));
                DBG(debug("compression: raw %d compressed %d", len,
-                   buffer_len(&outgoing_packet)));
+                   buffer_len(&active_state->outgoing_packet)));
        }
 
        /* sizeof (packet_len + pad_len + payload) */
-       len = buffer_len(&outgoing_packet);
+       len = buffer_len(&active_state->outgoing_packet);
 
        /*
         * calc size of padding, alloc space, get random data,
@@ -827,17 +889,19 @@ packet_send2_wrapped(void)
        padlen = block_size - (len % block_size);
        if (padlen < 4)
                padlen += block_size;
-       if (extra_pad) {
+       if (active_state->extra_pad) {
                /* will wrap if extra_pad+padlen > 255 */
-               extra_pad  = roundup(extra_pad, block_size);
-               pad = extra_pad - ((len + padlen) % extra_pad);
+               active_state->extra_pad =
+                   roundup(active_state->extra_pad, block_size);
+               pad = active_state->extra_pad -
+                   ((len + padlen) % active_state->extra_pad);
                debug3("packet_send2: adding %d (len %d padlen %d extra_pad %d)",
-                   pad, len, padlen, extra_pad);
+                   pad, len, padlen, active_state->extra_pad);
                padlen += pad;
-               extra_pad = 0;
+               active_state->extra_pad = 0;
        }
-       cp = buffer_append_space(&outgoing_packet, padlen);
-       if (enc && !send_context.plaintext) {
+       cp = buffer_append_space(&active_state->outgoing_packet, padlen);
+       if (enc && !active_state->send_context.plaintext) {
                /* random padding */
                for (i = 0; i < padlen; i++) {
                        if (i % 4 == 0)
@@ -850,86 +914,88 @@ packet_send2_wrapped(void)
                memset(cp, 0, padlen);
        }
        /* packet_length includes payload, padding and padding length field */
-       packet_length = buffer_len(&outgoing_packet) - 4;
-       cp = buffer_ptr(&outgoing_packet);
+       packet_length = buffer_len(&active_state->outgoing_packet) - 4;
+       cp = buffer_ptr(&active_state->outgoing_packet);
        put_u32(cp, packet_length);
        cp[4] = padlen;
        DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
 
        /* compute MAC over seqnr and packet(length fields, payload, padding) */
        if (mac && mac->enabled) {
-               macbuf = mac_compute(mac, p_send.seqnr,
-                   buffer_ptr(&outgoing_packet),
-                   buffer_len(&outgoing_packet));
-               DBG(debug("done calc MAC out #%d", p_send.seqnr));
+               macbuf = mac_compute(mac, active_state->p_send.seqnr,
+                   buffer_ptr(&active_state->outgoing_packet),
+                   buffer_len(&active_state->outgoing_packet));
+               DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr));
        }
        /* encrypt packet and append to output buffer. */
-       cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
-       cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
-           buffer_len(&outgoing_packet));
+       cp = buffer_append_space(&active_state->output,
+           buffer_len(&active_state->outgoing_packet));
+       cipher_crypt(&active_state->send_context, cp,
+           buffer_ptr(&active_state->outgoing_packet),
+           buffer_len(&active_state->outgoing_packet));
        /* append unencrypted MAC */
        if (mac && mac->enabled)
-               buffer_append(&output, macbuf, mac->mac_len);
+               buffer_append(&active_state->output, macbuf, mac->mac_len);
 #ifdef PACKET_DEBUG
        fprintf(stderr, "encrypted: ");
-       buffer_dump(&output);
+       buffer_dump(&active_state->output);
 #endif
        /* increment sequence number for outgoing packets */
-       if (++p_send.seqnr == 0)
+       if (++active_state->p_send.seqnr == 0)
                logit("outgoing seqnr wraps around");
-       if (++p_send.packets == 0)
+       if (++active_state->p_send.packets == 0)
                if (!(datafellows & SSH_BUG_NOREKEY))
                        fatal("XXX too many packets with same key");
-       p_send.blocks += (packet_length + 4) / block_size;
-       p_send.bytes += packet_length + 4;
-       buffer_clear(&outgoing_packet);
+       active_state->p_send.blocks += (packet_length + 4) / block_size;
+       active_state->p_send.bytes += packet_length + 4;
+       buffer_clear(&active_state->outgoing_packet);
 
        if (type == SSH2_MSG_NEWKEYS)
                set_newkeys(MODE_OUT);
-       else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
+       else if (type == SSH2_MSG_USERAUTH_SUCCESS && active_state->server_side)
                packet_enable_delayed_compress();
 }
 
 static void
 packet_send2(void)
 {
-       static int rekeying = 0;
        struct packet *p;
        u_char type, *cp;
 
-       cp = buffer_ptr(&outgoing_packet);
+       cp = buffer_ptr(&active_state->outgoing_packet);
        type = cp[5];
 
        /* during rekeying we can only send key exchange messages */
-       if (rekeying) {
+       if (active_state->rekeying) {
                if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
                    (type <= SSH2_MSG_TRANSPORT_MAX))) {
                        debug("enqueue packet: %u", type);
                        p = xmalloc(sizeof(*p));
                        p->type = type;
-                       memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
-                       buffer_init(&outgoing_packet);
-                       TAILQ_INSERT_TAIL(&outgoing, p, next);
+                       memcpy(&p->payload, &active_state->outgoing_packet,
+                           sizeof(Buffer));
+                       buffer_init(&active_state->outgoing_packet);
+                       TAILQ_INSERT_TAIL(&active_state->outgoing, p, next);
                        return;
                }
        }
 
        /* rekeying starts with sending KEXINIT */
        if (type == SSH2_MSG_KEXINIT)
-               rekeying = 1;
+               active_state->rekeying = 1;
 
        packet_send2_wrapped();
 
        /* after a NEWKEYS message we can send the complete queue */
        if (type == SSH2_MSG_NEWKEYS) {
-               rekeying = 0;
-               while ((p = TAILQ_FIRST(&outgoing))) {
+               active_state->rekeying = 0;
+               while ((p = TAILQ_FIRST(&active_state->outgoing))) {
                        type = p->type;
                        debug("dequeue packet: %u", type);
-                       buffer_free(&outgoing_packet);
-                       memcpy(&outgoing_packet, &p->payload,
+                       buffer_free(&active_state->outgoing_packet);
+                       memcpy(&active_state->outgoing_packet, &p->payload,
                            sizeof(Buffer));
-                       TAILQ_REMOVE(&outgoing, p, next);
+                       TAILQ_REMOVE(&active_state->outgoing, p, next);
                        xfree(p);
                        packet_send2_wrapped();
                }
@@ -955,15 +1021,15 @@ packet_send(void)
 int
 packet_read_seqnr(u_int32_t *seqnr_p)
 {
-       int type, len, ret, ms_remain;
+       int type, len, ret, ms_remain, cont;
        fd_set *setp;
        char buf[8192];
        struct timeval timeout, start, *timeoutp = NULL;
 
        DBG(debug("packet_read()"));
 
-       setp = (fd_set *)xcalloc(howmany(connection_in+1, NFDBITS),
-           sizeof(fd_mask));
+       setp = (fd_set *)xcalloc(howmany(active_state->connection_in + 1,
+           NFDBITS), sizeof(fd_mask));
 
        /* Since we are blocking, ensure that all written packets have been sent. */
        packet_write_wait();
@@ -987,27 +1053,27 @@ packet_read_seqnr(u_int32_t *seqnr_p)
                 * Otherwise, wait for some data to arrive, add it to the
                 * buffer, and try again.
                 */
-               memset(setp, 0, howmany(connection_in + 1, NFDBITS) *
-                   sizeof(fd_mask));
-               FD_SET(connection_in, setp);
+               memset(setp, 0, howmany(active_state->connection_in + 1,
+                   NFDBITS) * sizeof(fd_mask));
+               FD_SET(active_state->connection_in, setp);
 
-               if (packet_timeout_ms > 0) {
-                       ms_remain = packet_timeout_ms;
+               if (active_state->packet_timeout_ms > 0) {
+                       ms_remain = active_state->packet_timeout_ms;
                        timeoutp = &timeout;
                }
                /* Wait for some data to arrive. */
                for (;;) {
-                       if (packet_timeout_ms != -1) {
+                       if (active_state->packet_timeout_ms != -1) {
                                ms_to_timeval(&timeout, ms_remain);
                                gettimeofday(&start, NULL);
                        }
-                       if ((ret = select(connection_in + 1, setp, NULL,
-                           NULL, timeoutp)) >= 0)
+                       if ((ret = select(active_state->connection_in + 1, setp,
+                           NULL, NULL, timeoutp)) >= 0)
                                break;
-                       if (errno != EAGAIN && errno != EINTR &&
+                       if (errno != EAGAIN && errno != EINTR &&
                            errno != EWOULDBLOCK)
                                break;
-                       if (packet_timeout_ms == -1)
+                       if (active_state->packet_timeout_ms == -1)
                                continue;
                        ms_subtract_diff(&start, &ms_remain);
                        if (ms_remain <= 0) {
@@ -1021,7 +1087,11 @@ packet_read_seqnr(u_int32_t *seqnr_p)
                        cleanup_exit(255);
                }
                /* Read data from the socket. */
-               len = read(connection_in, buf, sizeof(buf));
+               do {
+                       cont = 0;
+                       len = roaming_read(active_state->connection_in, buf,
+                           sizeof(buf), &cont);
+               } while (len == 0 && cont);
                if (len == 0) {
                        logit("Connection closed by %.200s", get_remote_ipaddr());
                        cleanup_exit(255);
@@ -1073,31 +1143,32 @@ packet_read_poll1(void)
        u_int checksum, stored_checksum;
 
        /* Check if input size is less than minimum packet size. */
-       if (buffer_len(&input) < 4 + 8)
+       if (buffer_len(&active_state->input) < 4 + 8)
                return SSH_MSG_NONE;
        /* Get length of incoming packet. */
-       cp = buffer_ptr(&input);
+       cp = buffer_ptr(&active_state->input);
        len = get_u32(cp);
        if (len < 1 + 2 + 2 || len > 256 * 1024)
                packet_disconnect("Bad packet length %u.", len);
        padded_len = (len + 8) & ~7;
 
        /* Check if the packet has been entirely received. */
-       if (buffer_len(&input) < 4 + padded_len)
+       if (buffer_len(&active_state->input) < 4 + padded_len)
                return SSH_MSG_NONE;
 
        /* The entire packet is in buffer. */
 
        /* Consume packet length. */
-       buffer_consume(&input, 4);
+       buffer_consume(&active_state->input, 4);
 
        /*
         * Cryptographic attack detector for ssh
         * (C)1998 CORE-SDI, Buenos Aires Argentina
         * Ariel Futoransky(futo@core-sdi.com)
         */
-       if (!receive_context.plaintext) {
-               switch (detect_attack(buffer_ptr(&input), padded_len)) {
+       if (!active_state->receive_context.plaintext) {
+               switch (detect_attack(buffer_ptr(&active_state->input),
+                   padded_len)) {
                case DEATTACK_DETECTED:
                        packet_disconnect("crc32 compensation attack: "
                            "network attack detected");
@@ -1108,45 +1179,48 @@ packet_read_poll1(void)
        }
 
        /* Decrypt data to incoming_packet. */
-       buffer_clear(&incoming_packet);
-       cp = buffer_append_space(&incoming_packet, padded_len);
-       cipher_crypt(&receive_context, cp, buffer_ptr(&input), padded_len);
+       buffer_clear(&active_state->incoming_packet);
+       cp = buffer_append_space(&active_state->incoming_packet, padded_len);
+       cipher_crypt(&active_state->receive_context, cp,
+           buffer_ptr(&active_state->input), padded_len);
 
-       buffer_consume(&input, padded_len);
+       buffer_consume(&active_state->input, padded_len);
 
 #ifdef PACKET_DEBUG
        fprintf(stderr, "read_poll plain: ");
-       buffer_dump(&incoming_packet);
+       buffer_dump(&active_state->incoming_packet);
 #endif
 
        /* Compute packet checksum. */
-       checksum = ssh_crc32(buffer_ptr(&incoming_packet),
-           buffer_len(&incoming_packet) - 4);
+       checksum = ssh_crc32(buffer_ptr(&active_state->incoming_packet),
+           buffer_len(&active_state->incoming_packet) - 4);
 
        /* Skip padding. */
-       buffer_consume(&incoming_packet, 8 - len % 8);
+       buffer_consume(&active_state->incoming_packet, 8 - len % 8);
 
        /* Test check bytes. */
-       if (len != buffer_len(&incoming_packet))
+       if (len != buffer_len(&active_state->incoming_packet))
                packet_disconnect("packet_read_poll1: len %d != buffer_len %d.",
-                   len, buffer_len(&incoming_packet));
+                   len, buffer_len(&active_state->incoming_packet));
 
-       cp = (u_char *)buffer_ptr(&incoming_packet) + len - 4;
+       cp = (u_char *)buffer_ptr(&active_state->incoming_packet) + len - 4;
        stored_checksum = get_u32(cp);
        if (checksum != stored_checksum)
                packet_disconnect("Corrupted check bytes on input.");
-       buffer_consume_end(&incoming_packet, 4);
-
-       if (packet_compression) {
-               buffer_clear(&compression_buffer);
-               buffer_uncompress(&incoming_packet, &compression_buffer);
-               buffer_clear(&incoming_packet);
-               buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
-                   buffer_len(&compression_buffer));
+       buffer_consume_end(&active_state->incoming_packet, 4);
+
+       if (active_state->packet_compression) {
+               buffer_clear(&active_state->compression_buffer);
+               buffer_uncompress(&active_state->incoming_packet,
+                   &active_state->compression_buffer);
+               buffer_clear(&active_state->incoming_packet);
+               buffer_append(&active_state->incoming_packet,
+                   buffer_ptr(&active_state->compression_buffer),
+                   buffer_len(&active_state->compression_buffer));
        }
-       p_read.packets++;
-       p_read.bytes += padded_len + 4;
-       type = buffer_get_char(&incoming_packet);
+       active_state->p_read.packets++;
+       active_state->p_read.bytes += padded_len + 4;
+       type = buffer_get_char(&active_state->incoming_packet);
        if (type < SSH_MSG_MIN || type > SSH_MSG_MAX)
                packet_disconnect("Invalid ssh1 packet type: %d", type);
        return type;
@@ -1155,7 +1229,6 @@ packet_read_poll1(void)
 static int
 packet_read_poll2(u_int32_t *seqnr_p)
 {
-       static u_int packet_length = 0;
        u_int padlen, need;
        u_char *macbuf, *cp, type;
        u_int maclen, block_size;
@@ -1163,50 +1236,52 @@ packet_read_poll2(u_int32_t *seqnr_p)
        Mac *mac   = NULL;
        Comp *comp = NULL;
 
-       if (packet_discard)
+       if (active_state->packet_discard)
                return SSH_MSG_NONE;
 
-       if (newkeys[MODE_IN] != NULL) {
-               enc  = &newkeys[MODE_IN]->enc;
-               mac  = &newkeys[MODE_IN]->mac;
-               comp = &newkeys[MODE_IN]->comp;
+       if (active_state->newkeys[MODE_IN] != NULL) {
+               enc  = &active_state->newkeys[MODE_IN]->enc;
+               mac  = &active_state->newkeys[MODE_IN]->mac;
+               comp = &active_state->newkeys[MODE_IN]->comp;
        }
        maclen = mac && mac->enabled ? mac->mac_len : 0;
        block_size = enc ? enc->block_size : 8;
 
-       if (packet_length == 0) {
+       if (active_state->packlen == 0) {
                /*
                 * check if input size is less than the cipher block size,
                 * decrypt first block and extract length of incoming packet
                 */
-               if (buffer_len(&input) < block_size)
+               if (buffer_len(&active_state->input) < block_size)
                        return SSH_MSG_NONE;
-               buffer_clear(&incoming_packet);
-               cp = buffer_append_space(&incoming_packet, block_size);
-               cipher_crypt(&receive_context, cp, buffer_ptr(&input),
+               buffer_clear(&active_state->incoming_packet);
+               cp = buffer_append_space(&active_state->incoming_packet,
                    block_size);
-               cp = buffer_ptr(&incoming_packet);
-               packet_length = get_u32(cp);
-               if (packet_length < 1 + 4 || packet_length > PACKET_MAX_SIZE) {
+               cipher_crypt(&active_state->receive_context, cp,
+                   buffer_ptr(&active_state->input), block_size);
+               cp = buffer_ptr(&active_state->incoming_packet);
+               active_state->packlen = get_u32(cp);
+               if (active_state->packlen < 1 + 4 ||
+                   active_state->packlen > PACKET_MAX_SIZE) {
 #ifdef PACKET_DEBUG
-                       buffer_dump(&incoming_packet);
+                       buffer_dump(&active_state->incoming_packet);
 #endif
-                       logit("Bad packet length %u.", packet_length);
-                       packet_start_discard(enc, mac, packet_length,
+                       logit("Bad packet length %u.", active_state->packlen);
+                       packet_start_discard(enc, mac, active_state->packlen,
                            PACKET_MAX_SIZE);
                        return SSH_MSG_NONE;
                }
-               DBG(debug("input: packet len %u", packet_length+4));
-               buffer_consume(&input, block_size);
+               DBG(debug("input: packet len %u", active_state->packlen+4));
+               buffer_consume(&active_state->input, block_size);
        }
        /* we have a partial packet of block_size bytes */
-       need = 4 + packet_length - block_size;
+       need = 4 + active_state->packlen - block_size;
        DBG(debug("partial packet %d, need %d, maclen %d", block_size,
            need, maclen));
        if (need % block_size != 0) {
                logit("padding error: need %d block %d mod %d",
                    need, block_size, need % block_size);
-               packet_start_discard(enc, mac, packet_length,
+               packet_start_discard(enc, mac, active_state->packlen,
                    PACKET_MAX_SIZE - block_size);
                return SSH_MSG_NONE;
        }
@@ -1214,84 +1289,90 @@ packet_read_poll2(u_int32_t *seqnr_p)
         * check if the entire packet has been received and
         * decrypt into incoming_packet
         */
-       if (buffer_len(&input) < need + maclen)
+       if (buffer_len(&active_state->input) < need + maclen)
                return SSH_MSG_NONE;
 #ifdef PACKET_DEBUG
        fprintf(stderr, "read_poll enc/full: ");
-       buffer_dump(&input);
+       buffer_dump(&active_state->input);
 #endif
-       cp = buffer_append_space(&incoming_packet, need);
-       cipher_crypt(&receive_context, cp, buffer_ptr(&input), need);
-       buffer_consume(&input, need);
+       cp = buffer_append_space(&active_state->incoming_packet, need);
+       cipher_crypt(&active_state->receive_context, cp,
+           buffer_ptr(&active_state->input), need);
+       buffer_consume(&active_state->input, need);
        /*
         * compute MAC over seqnr and packet,
         * increment sequence number for incoming packet
         */
        if (mac && mac->enabled) {
-               macbuf = mac_compute(mac, p_read.seqnr,
-                   buffer_ptr(&incoming_packet),
-                   buffer_len(&incoming_packet));
-               if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0) {
+               macbuf = mac_compute(mac, active_state->p_read.seqnr,
+                   buffer_ptr(&active_state->incoming_packet),
+                   buffer_len(&active_state->incoming_packet));
+               if (memcmp(macbuf, buffer_ptr(&active_state->input),
+                   mac->mac_len) != 0) {
                        logit("Corrupted MAC on input.");
                        if (need > PACKET_MAX_SIZE)
                                fatal("internal error need %d", need);
-                       packet_start_discard(enc, mac, packet_length,
+                       packet_start_discard(enc, mac, active_state->packlen,
                            PACKET_MAX_SIZE - need);
                        return SSH_MSG_NONE;
                }
                                
-               DBG(debug("MAC #%d ok", p_read.seqnr));
-               buffer_consume(&input, mac->mac_len);
+               DBG(debug("MAC #%d ok", active_state->p_read.seqnr));
+               buffer_consume(&active_state->input, mac->mac_len);
        }
        /* XXX now it's safe to use fatal/packet_disconnect */
        if (seqnr_p != NULL)
-               *seqnr_p = p_read.seqnr;
-       if (++p_read.seqnr == 0)
+               *seqnr_p = active_state->p_read.seqnr;
+       if (++active_state->p_read.seqnr == 0)
                logit("incoming seqnr wraps around");
-       if (++p_read.packets == 0)
+       if (++active_state->p_read.packets == 0)
                if (!(datafellows & SSH_BUG_NOREKEY))
                        fatal("XXX too many packets with same key");
-       p_read.blocks += (packet_length + 4) / block_size;
-       p_read.bytes += packet_length + 4;
+       active_state->p_read.blocks += (active_state->packlen + 4) / block_size;
+       active_state->p_read.bytes += active_state->packlen + 4;
 
        /* get padlen */
-       cp = buffer_ptr(&incoming_packet);
+       cp = buffer_ptr(&active_state->incoming_packet);
        padlen = cp[4];
        DBG(debug("input: padlen %d", padlen));
        if (padlen < 4)
                packet_disconnect("Corrupted padlen %d on input.", padlen);
 
        /* skip packet size + padlen, discard padding */
-       buffer_consume(&incoming_packet, 4 + 1);
-       buffer_consume_end(&incoming_packet, padlen);
+       buffer_consume(&active_state->incoming_packet, 4 + 1);
+       buffer_consume_end(&active_state->incoming_packet, padlen);
 
-       DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet)));
+       DBG(debug("input: len before de-compress %d",
+           buffer_len(&active_state->incoming_packet)));
        if (comp && comp->enabled) {
-               buffer_clear(&compression_buffer);
-               buffer_uncompress(&incoming_packet, &compression_buffer);
-               buffer_clear(&incoming_packet);
-               buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
-                   buffer_len(&compression_buffer));
+               buffer_clear(&active_state->compression_buffer);
+               buffer_uncompress(&active_state->incoming_packet,
+                   &active_state->compression_buffer);
+               buffer_clear(&active_state->incoming_packet);
+               buffer_append(&active_state->incoming_packet,
+                   buffer_ptr(&active_state->compression_buffer),
+                   buffer_len(&active_state->compression_buffer));
                DBG(debug("input: len after de-compress %d",
-                   buffer_len(&incoming_packet)));
+                   buffer_len(&active_state->incoming_packet)));
        }
        /*
         * get packet type, implies consume.
         * return length of payload (without type field)
         */
-       type = buffer_get_char(&incoming_packet);
+       type = buffer_get_char(&active_state->incoming_packet);
        if (type < SSH2_MSG_MIN || type >= SSH2_MSG_LOCAL_MIN)
                packet_disconnect("Invalid ssh2 packet type: %d", type);
        if (type == SSH2_MSG_NEWKEYS)
                set_newkeys(MODE_IN);
-       else if (type == SSH2_MSG_USERAUTH_SUCCESS && !server_side)
+       else if (type == SSH2_MSG_USERAUTH_SUCCESS &&
+           !active_state->server_side)
                packet_enable_delayed_compress();
 #ifdef PACKET_DEBUG
        fprintf(stderr, "read/plain[%d]:\r\n", type);
-       buffer_dump(&incoming_packet);
+       buffer_dump(&active_state->incoming_packet);
 #endif
        /* reset for next packet */
-       packet_length = 0;
+       active_state->packlen = 0;
        return type;
 }
 
@@ -1306,7 +1387,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
                if (compat20) {
                        type = packet_read_poll2(seqnr_p);
                        if (type) {
-                               keep_alive_timeouts = 0;
+                               active_state->keep_alive_timeouts = 0;
                                DBG(debug("received packet type %d", type));
                        }
                        switch (type) {
@@ -1376,14 +1457,14 @@ packet_read_poll(void)
 void
 packet_process_incoming(const char *buf, u_int len)
 {
-       if (packet_discard) {
-               keep_alive_timeouts = 0; /* ?? */
-               if (len >= packet_discard)
+       if (active_state->packet_discard) {
+               active_state->keep_alive_timeouts = 0; /* ?? */
+               if (len >= active_state->packet_discard)
                        packet_stop_discard();
-               packet_discard -= len;
+               active_state->packet_discard -= len;
                return;
        }
-       buffer_append(&input, buf, len);
+       buffer_append(&active_state->input, buf, len);
 }
 
 /* Returns a character from the packet. */
@@ -1393,7 +1474,7 @@ packet_get_char(void)
 {
        char ch;
 
-       buffer_get(&incoming_packet, &ch, 1);
+       buffer_get(&active_state->incoming_packet, &ch, 1);
        return (u_char) ch;
 }
 
@@ -1402,7 +1483,15 @@ packet_get_char(void)
 u_int
 packet_get_int(void)
 {
-       return buffer_get_int(&incoming_packet);
+       return buffer_get_int(&active_state->incoming_packet);
+}
+
+/* Returns an 64 bit integer from the packet data. */
+
+u_int64_t
+packet_get_int64(void)
+{
+       return buffer_get_int64(&active_state->incoming_packet);
 }
 
 /*
@@ -1413,29 +1502,29 @@ packet_get_int(void)
 void
 packet_get_bignum(BIGNUM * value)
 {
-       buffer_get_bignum(&incoming_packet, value);
+       buffer_get_bignum(&active_state->incoming_packet, value);
 }
 
 void
 packet_get_bignum2(BIGNUM * value)
 {
-       buffer_get_bignum2(&incoming_packet, value);
+       buffer_get_bignum2(&active_state->incoming_packet, value);
 }
 
 void *
 packet_get_raw(u_int *length_ptr)
 {
-       u_int bytes = buffer_len(&incoming_packet);
+       u_int bytes = buffer_len(&active_state->incoming_packet);
 
        if (length_ptr != NULL)
                *length_ptr = bytes;
-       return buffer_ptr(&incoming_packet);
+       return buffer_ptr(&active_state->incoming_packet);
 }
 
 int
 packet_remaining(void)
 {
-       return buffer_len(&incoming_packet);
+       return buffer_len(&active_state->incoming_packet);
 }
 
 /*
@@ -1448,13 +1537,13 @@ packet_remaining(void)
 void *
 packet_get_string(u_int *length_ptr)
 {
-       return buffer_get_string(&incoming_packet, length_ptr);
+       return buffer_get_string(&active_state->incoming_packet, length_ptr);
 }
 
 void *
 packet_get_string_ptr(u_int *length_ptr)
 {
-       return buffer_get_string_ptr(&incoming_packet, length_ptr);
+       return buffer_get_string_ptr(&active_state->incoming_packet, length_ptr);
 }
 
 /*
@@ -1547,23 +1636,25 @@ packet_disconnect(const char *fmt,...)
 void
 packet_write_poll(void)
 {
-       int len = buffer_len(&output);
+       int len = buffer_len(&active_state->output);
+       int cont;
 
        if (len > 0) {
-               len = write(connection_out, buffer_ptr(&output), len);
+               cont = 0;
+               len = roaming_write(active_state->connection_out,
+                   buffer_ptr(&active_state->output), len, &cont);
                if (len == -1) {
                        if (errno == EINTR || errno == EAGAIN ||
                            errno == EWOULDBLOCK)
                                return;
                        fatal("Write failed: %.100s", strerror(errno));
                }
-               if (len == 0)
+               if (len == 0 && !cont)
                        fatal("Write connection closed");
-               buffer_consume(&output, len);
+               buffer_consume(&active_state->output, len);
        }
 }
 
-
 /*
  * Calls packet_write_poll repeatedly until all pending output data has been
  * written.
@@ -1576,30 +1667,30 @@ packet_write_wait(void)
        int ret, ms_remain;
        struct timeval start, timeout, *timeoutp = NULL;
 
-       setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS),
-           sizeof(fd_mask));
+       setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
+           NFDBITS), sizeof(fd_mask));
        packet_write_poll();
        while (packet_have_data_to_write()) {
-               memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
-                   sizeof(fd_mask));
-               FD_SET(connection_out, setp);
+               memset(setp, 0, howmany(active_state->connection_out + 1,
+                   NFDBITS) * sizeof(fd_mask));
+               FD_SET(active_state->connection_out, setp);
 
-               if (packet_timeout_ms > 0) {
-                       ms_remain = packet_timeout_ms;
+               if (active_state->packet_timeout_ms > 0) {
+                       ms_remain = active_state->packet_timeout_ms;
                        timeoutp = &timeout;
                }
                for (;;) {
-                       if (packet_timeout_ms != -1) {
+                       if (active_state->packet_timeout_ms != -1) {
                                ms_to_timeval(&timeout, ms_remain);
                                gettimeofday(&start, NULL);
                        }
-                       if ((ret = select(connection_out + 1, NULL, setp,
-                           NULL, timeoutp)) >= 0)
+                       if ((ret = select(active_state->connection_out + 1,
+                           NULL, setp, NULL, timeoutp)) >= 0)
                                break;
-                       if (errno != EAGAIN && errno != EINTR &&
+                       if (errno != EAGAIN && errno != EINTR &&
                            errno != EWOULDBLOCK)
                                break;
-                       if (packet_timeout_ms == -1)
+                       if (active_state->packet_timeout_ms == -1)
                                continue;
                        ms_subtract_diff(&start, &ms_remain);
                        if (ms_remain <= 0) {
@@ -1622,7 +1713,7 @@ packet_write_wait(void)
 int
 packet_have_data_to_write(void)
 {
-       return buffer_len(&output) != 0;
+       return buffer_len(&active_state->output) != 0;
 }
 
 /* Returns true if there is not too much data to write to the connection. */
@@ -1630,13 +1721,12 @@ packet_have_data_to_write(void)
 int
 packet_not_very_much_data_to_write(void)
 {
-       if (interactive_mode)
-               return buffer_len(&output) < 16384;
+       if (active_state->interactive_mode)
+               return buffer_len(&active_state->output) < 16384;
        else
-               return buffer_len(&output) < 128 * 1024;
+               return buffer_len(&active_state->output) < 128 * 1024;
 }
 
-
 static void
 packet_set_tos(int interactive)
 {
@@ -1646,7 +1736,7 @@ packet_set_tos(int interactive)
        if (!packet_connection_is_on_socket() ||
            !packet_connection_is_ipv4())
                return;
-       if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, &tos,
+       if (setsockopt(active_state->connection_in, IPPROTO_IP, IP_TOS, &tos,
            sizeof(tos)) < 0)
                error("setsockopt IP_TOS %d: %.100s:",
                    tos, strerror(errno));
@@ -1658,19 +1748,17 @@ packet_set_tos(int interactive)
 void
 packet_set_interactive(int interactive)
 {
-       static int called = 0;
-
-       if (called)
+       if (active_state->set_interactive_called)
                return;
-       called = 1;
+       active_state->set_interactive_called = 1;
 
        /* Record that we are in interactive mode. */
-       interactive_mode = interactive;
+       active_state->interactive_mode = interactive;
 
        /* Only set socket options if using a socket.  */
        if (!packet_connection_is_on_socket())
                return;
-       set_nodelay(connection_in);
+       set_nodelay(active_state->connection_in);
        packet_set_tos(interactive);
 }
 
@@ -1679,34 +1767,50 @@ packet_set_interactive(int interactive)
 int
 packet_is_interactive(void)
 {
-       return interactive_mode;
+       return active_state->interactive_mode;
 }
 
 int
 packet_set_maxsize(u_int s)
 {
-       static int called = 0;
-
-       if (called) {
+       if (active_state->set_maxsize_called) {
                logit("packet_set_maxsize: called twice: old %d new %d",
-                   max_packet_size, s);
+                   active_state->max_packet_size, s);
                return -1;
        }
        if (s < 4 * 1024 || s > 1024 * 1024) {
                logit("packet_set_maxsize: bad size %d", s);
                return -1;
        }
-       called = 1;
+       active_state->set_maxsize_called = 1;
        debug("packet_set_maxsize: setting to %d", s);
-       max_packet_size = s;
+       active_state->max_packet_size = s;
        return s;
 }
 
+int
+packet_inc_alive_timeouts(void)
+{
+       return ++active_state->keep_alive_timeouts;
+}
+
+void
+packet_set_alive_timeouts(int ka)
+{
+       active_state->keep_alive_timeouts = ka;
+}
+
+u_int
+packet_get_maxsize(void)
+{
+       return active_state->max_packet_size;
+}
+
 /* roundup current message to pad bytes */
 void
 packet_add_padding(u_char pad)
 {
-       extra_pad = pad;
+       active_state->extra_pad = pad;
 }
 
 /*
@@ -1743,26 +1847,93 @@ packet_need_rekeying(void)
        if (datafellows & SSH_BUG_NOREKEY)
                return 0;
        return
-           (p_send.packets > MAX_PACKETS) ||
-           (p_read.packets > MAX_PACKETS) ||
-           (max_blocks_out && (p_send.blocks > max_blocks_out)) ||
-           (max_blocks_in  && (p_read.blocks > max_blocks_in));
+           (active_state->p_send.packets > MAX_PACKETS) ||
+           (active_state->p_read.packets > MAX_PACKETS) ||
+           (active_state->max_blocks_out &&
+               (active_state->p_send.blocks > active_state->max_blocks_out)) ||
+           (active_state->max_blocks_in &&
+               (active_state->p_read.blocks > active_state->max_blocks_in));
 }
 
 void
 packet_set_rekey_limit(u_int32_t bytes)
 {
-       rekey_limit = bytes;
+       active_state->rekey_limit = bytes;
 }
 
 void
 packet_set_server(void)
 {
-       server_side = 1;
+       active_state->server_side = 1;
 }
 
 void
 packet_set_authenticated(void)
 {
-       after_authentication = 1;
+       active_state->after_authentication = 1;
+}
+
+void *
+packet_get_input(void)
+{
+       return (void *)&active_state->input;
+}
+
+void *
+packet_get_output(void)
+{
+       return (void *)&active_state->output;
+}
+
+void *
+packet_get_newkeys(int mode)
+{
+       return (void *)active_state->newkeys[mode];
+}
+
+/*
+ * Save the state for the real connection, and use a separate state when
+ * resuming a suspended connection.
+ */
+void
+packet_backup_state(void)
+{
+       struct session_state *tmp;
+
+       close(active_state->connection_in);
+       active_state->connection_in = -1;
+       close(active_state->connection_out);
+       active_state->connection_out = -1;
+       if (backup_state)
+               tmp = backup_state;
+       else
+               tmp = alloc_session_state();
+       backup_state = active_state;
+       active_state = tmp;
+}
+
+/*
+ * Swap in the old state when resuming a connecion.
+ */
+void
+packet_restore_state(void)
+{
+       struct session_state *tmp;
+       void *buf;
+       u_int len;
+
+       tmp = backup_state;
+       backup_state = active_state;
+       active_state = tmp;
+       active_state->connection_in = backup_state->connection_in;
+       backup_state->connection_in = -1;
+       active_state->connection_out = backup_state->connection_out;
+       backup_state->connection_out = -1;
+       len = buffer_len(&backup_state->input);
+       if (len > 0) {
+               buf = buffer_ptr(&backup_state->input);
+               buffer_append(&active_state->input, buf, len);
+               buffer_clear(&backup_state->input);
+               add_recv_bytes(len);
+       }
 }
index 03bb87c..33523d7 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.h,v 1.49 2008/07/10 18:08:11 markus Exp $ */
+/* $OpenBSD: packet.h,v 1.52 2009/06/27 09:29:06 andreas Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -39,6 +39,7 @@ void     packet_set_authenticated(void);
 void     packet_start(u_char);
 void     packet_put_char(int ch);
 void     packet_put_int(u_int value);
+void     packet_put_int64(u_int64_t value);
 void     packet_put_bignum(BIGNUM * value);
 void     packet_put_bignum2(BIGNUM * value);
 void     packet_put_string(const void *buf, u_int len);
@@ -55,6 +56,7 @@ int      packet_read_poll_seqnr(u_int32_t *seqnr_p);
 
 u_int   packet_get_char(void);
 u_int   packet_get_int(void);
+u_int64_t packet_get_int64(void);
 void     packet_get_bignum(BIGNUM * value);
 void     packet_get_bignum2(BIGNUM * value);
 void   *packet_get_raw(u_int *length_ptr);
@@ -72,6 +74,7 @@ void   packet_get_state(int, u_int32_t *, u_int64_t *, u_int32_t *, u_int64_t *);
 void    packet_set_state(int, u_int32_t, u_int64_t, u_int32_t, u_int64_t);
 int     packet_get_ssh1_cipher(void);
 void    packet_set_iv(int, u_char *);
+void   *packet_get_newkeys(int);
 
 void     packet_write_poll(void);
 void     packet_write_wait(void);
@@ -87,10 +90,10 @@ void         packet_add_padding(u_char);
 void    tty_make_modes(int, struct termios *);
 void    tty_parse_modes(int, int *);
 
-extern u_int max_packet_size;
-extern int keep_alive_timeouts;
+void    packet_set_alive_timeouts(int);
+int     packet_inc_alive_timeouts(void);
 int     packet_set_maxsize(u_int);
-#define  packet_get_maxsize() max_packet_size
+u_int   packet_get_maxsize(void);
 
 /* don't allow remaining bytes after the end of the message */
 #define packet_check_eom() \
@@ -106,4 +109,10 @@ do { \
 int     packet_need_rekeying(void);
 void    packet_set_rekey_limit(u_int32_t);
 
+void    packet_backup_state(void);
+void    packet_restore_state(void);
+
+void   *packet_get_input(void);
+void   *packet_get_output(void);
+
 #endif                         /* PACKET_H */
index 53fc6c7..0bf5d7c 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.177 2009/06/27 09:35:06 andreas Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -130,7 +130,7 @@ typedef enum {
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-       oVisualHostKey, oZeroKnowledgePasswordAuthentication,
+       oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
        oDeprecated, oUnsupported
 } OpCodes;
 
@@ -228,6 +228,7 @@ static struct {
        { "localcommand", oLocalCommand },
        { "permitlocalcommand", oPermitLocalCommand },
        { "visualhostkey", oVisualHostKey },
+       { "useroaming", oUseRoaming },
 #ifdef JPAKE
        { "zeroknowledgepasswordauthentication",
            oZeroKnowledgePasswordAuthentication },
@@ -914,6 +915,10 @@ parse_int:
                intptr = &options->visual_host_key;
                goto parse_flag;
 
+       case oUseRoaming:
+               intptr = &options->use_roaming;
+               goto parse_flag;
+
        case oDeprecated:
                debug("%s line %d: Deprecated option \"%s\"",
                    filename, linenum, keyword);
@@ -1063,6 +1068,7 @@ initialize_options(Options * options)
        options->tun_remote = -1;
        options->local_command = NULL;
        options->permit_local_command = -1;
+       options->use_roaming = -1;
        options->visual_host_key = -1;
        options->zero_knowledge_password_authentication = -1;
 }
@@ -1199,6 +1205,8 @@ fill_default_options(Options * options)
                options->tun_remote = SSH_TUNID_ANY;
        if (options->permit_local_command == -1)
                options->permit_local_command = 0;
+       if (options->use_roaming == -1)
+               options->use_roaming = 1;
        if (options->visual_host_key == -1)
                options->visual_host_key = 0;
        if (options->zero_knowledge_password_authentication == -1)
index 8fb3a85..2ebfebe 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.78 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.79 2009/06/27 09:35:06 andreas Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -123,6 +123,8 @@ typedef struct {
        int     permit_local_command;
        int     visual_host_key;
 
+       int     use_roaming;
+
 }       Options;
 
 #define SSHCTL_MASTER_NO       0
diff --git a/crypto/openssh/roaming.h b/crypto/openssh/roaming.h
new file mode 100644 (file)
index 0000000..e517161
--- /dev/null
@@ -0,0 +1,38 @@
+/* $OpenBSD: roaming.h,v 1.4 2009/06/27 09:32:43 andreas Exp $ */
+/*
+ * Copyright (c) 2004-2009 AppGate Network Security AB
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ROAMING_H
+#define ROAMING_H
+
+#define DEFAULT_ROAMBUF 65536
+
+extern int resume_in_progress;
+
+int    get_snd_buf_size(void);
+int    get_recv_buf_size(void);
+void   add_recv_bytes(u_int64_t);
+void   set_out_buffer_size(size_t);
+ssize_t        roaming_write(int, const void *, size_t, int *);
+ssize_t        roaming_read(int, void *, size_t, int *);
+size_t roaming_atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
+u_int64_t      get_recv_bytes(void);
+u_int64_t      get_sent_bytes(void);
+void   roam_set_bytes(u_int64_t, u_int64_t);
+void   resend_bytes(int, u_int64_t *);
+int    resume_kex(void);
+
+#endif /* ROAMING */
diff --git a/crypto/openssh/roaming_common.c b/crypto/openssh/roaming_common.c
new file mode 100644 (file)
index 0000000..73db09d
--- /dev/null
@@ -0,0 +1,201 @@
+/* $OpenBSD: roaming_common.c,v 1.5 2009/06/27 09:32:43 andreas Exp $ */
+/*
+ * Copyright (c) 2004-2009 AppGate Network Security AB
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+
+#include <errno.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "atomicio.h"
+#include "log.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "cipher.h"
+#include "buffer.h"
+#include "roaming.h"
+
+static size_t out_buf_size = 0;
+static char *out_buf = NULL;
+static size_t out_start;
+static size_t out_last;
+
+static u_int64_t write_bytes = 0;
+static u_int64_t read_bytes = 0;
+
+int roaming_enabled = 0;
+int resume_in_progress = 0;
+
+int
+get_snd_buf_size()
+{
+       int fd = packet_get_connection_out();
+       int optval, optvallen;
+
+       optvallen = sizeof(optval);
+       if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &optval, &optvallen) != 0)
+               optval = DEFAULT_ROAMBUF;
+       return optval;
+}
+
+int
+get_recv_buf_size()
+{
+       int fd = packet_get_connection_in();
+       int optval, optvallen;
+
+       optvallen = sizeof(optval);
+       if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &optval, &optvallen) != 0)
+               optval = DEFAULT_ROAMBUF;
+       return optval;
+}
+
+void
+set_out_buffer_size(size_t size)
+{
+       /*
+        * The buffer size can only be set once and the buffer will live
+        * as long as the session lives.
+        */
+       if (out_buf == NULL) {
+               out_buf_size = size;
+               out_buf = xmalloc(size);
+               out_start = 0;
+               out_last = 0;
+       }
+}
+
+u_int64_t
+get_recv_bytes(void)
+{
+       return read_bytes;
+}
+
+void
+add_recv_bytes(u_int64_t num)
+{
+       read_bytes += num;
+}
+
+u_int64_t
+get_sent_bytes(void)
+{
+       return write_bytes;
+}
+
+void
+roam_set_bytes(u_int64_t sent, u_int64_t recvd)
+{
+       read_bytes = recvd;
+       write_bytes = sent;
+}
+
+static void
+buf_append(const char *buf, size_t count)
+{
+       if (count > out_buf_size) {
+               buf += count - out_buf_size;
+               count = out_buf_size;
+       }
+       if (count < out_buf_size - out_last) {
+               memcpy(out_buf + out_last, buf, count);
+               if (out_start > out_last)
+                       out_start += count;
+               out_last += count;
+       } else {
+               /* data will wrap */
+               size_t chunk = out_buf_size - out_last;
+               memcpy(out_buf + out_last, buf, chunk);
+               memcpy(out_buf, buf + chunk, count - chunk);
+               out_last = count - chunk;
+               out_start = out_last + 1;
+       }
+}
+
+ssize_t
+roaming_write(int fd, const void *buf, size_t count, int *cont)
+{
+       ssize_t ret;
+
+       ret = write(fd, buf, count);
+       if (ret > 0 && !resume_in_progress) {
+               write_bytes += ret;
+               if (out_buf_size > 0)
+                       buf_append(buf, ret);
+       }
+       debug3("Wrote %ld bytes for a total of %llu", (long)ret,
+           (unsigned long long)write_bytes);
+       return ret;
+}
+
+ssize_t
+roaming_read(int fd, void *buf, size_t count, int *cont)
+{
+       ssize_t ret = read(fd, buf, count);
+       if (ret > 0) {
+               if (!resume_in_progress) {
+                       read_bytes += ret;
+               }
+       }
+       return ret;
+}
+
+size_t
+roaming_atomicio(ssize_t(*f)(int, void*, size_t), int fd, void *buf,
+    size_t count)
+{
+       size_t ret = atomicio(f, fd, buf, count);
+
+       if (f == vwrite && ret > 0 && !resume_in_progress) {
+               write_bytes += ret;
+       } else if (f == read && ret > 0 && !resume_in_progress) {
+               read_bytes += ret;
+       }
+       return ret;
+}
+
+void
+resend_bytes(int fd, u_int64_t *offset)
+{
+       size_t available, needed;
+
+       if (out_start < out_last)
+               available = out_last - out_start;
+       else
+               available = out_buf_size;
+       needed = write_bytes - *offset;
+       debug3("resend_bytes: resend %lu bytes from %llu",
+           (unsigned long)needed, (unsigned long long)*offset);
+       if (needed > available)
+               fatal("Needed to resend more data than in the cache");
+       if (out_last < needed) {
+               int chunkend = needed - out_last;
+               atomicio(vwrite, fd, out_buf + out_buf_size - chunkend,
+                   chunkend);
+               atomicio(vwrite, fd, out_buf, out_last);
+       } else {
+               atomicio(vwrite, fd, out_buf + (out_last - needed), needed);
+       }
+}
diff --git a/crypto/openssh/roaming_dummy.c b/crypto/openssh/roaming_dummy.c
new file mode 100644 (file)
index 0000000..45c4008
--- /dev/null
@@ -0,0 +1,61 @@
+/* $OpenBSD: roaming_dummy.c,v 1.3 2009/06/21 09:04:03 dtucker Exp $ */
+/*
+ * Copyright (c) 2004-2009 AppGate Network Security AB
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This file is included in the client programs which should not
+ * support roaming.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "roaming.h"
+
+int resume_in_progress = 0;
+
+u_int64_t
+get_recv_bytes(void)
+{
+       return 0;
+}
+
+ssize_t
+roaming_write(int fd, const void *buf, size_t count, int *cont)
+{
+       return write(fd, buf, count);
+}
+
+ssize_t
+roaming_read(int fd, void *buf, size_t count, int *cont)
+{
+       if (cont)
+               *cont = 0;
+       return read(fd, buf, count);
+}
+
+void
+add_recv_bytes(u_int64_t num)
+{
+}
+
+int
+resume_kex(void)
+{
+       return 1;
+}
diff --git a/crypto/openssh/schnorr.h b/crypto/openssh/schnorr.h
new file mode 100644 (file)
index 0000000..9730b47
--- /dev/null
@@ -0,0 +1,60 @@
+/* $OpenBSD: schnorr.h,v 1.1 2009/03/05 07:18:19 djm Exp $ */
+/*
+ * Copyright (c) 2009 Damien Miller.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef SCHNORR_H
+#define SCHNORR_H
+
+#include <sys/types.h>
+
+#include <openssl/bn.h>
+
+struct modp_group {
+       BIGNUM *p, *q, *g;
+};
+
+BIGNUM *bn_rand_range_gt_one(const BIGNUM *high);
+int hash_buffer(const u_char *, u_int, const EVP_MD *, u_char **, u_int *);
+void debug3_bn(const BIGNUM *, const char *, ...)
+    __attribute__((__nonnull__ (2)))
+    __attribute__((format(printf, 2, 3)));
+void debug3_buf(const u_char *, u_int, const char *, ...)
+    __attribute__((__nonnull__ (3)))
+    __attribute__((format(printf, 3, 4)));
+struct modp_group *modp_group_from_g_and_safe_p(const char *, const char *);
+void modp_group_free(struct modp_group *);
+
+/* Signature and verification functions */
+int
+schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
+    const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x,
+    const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p);
+int
+schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
+    const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
+    u_char **sig, u_int *siglen);
+int
+schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
+    const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen,
+    const BIGNUM *r, const BIGNUM *e);
+int
+schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q,
+    const BIGNUM *grp_g,
+    const BIGNUM *g_x, const u_char *id, u_int idlen,
+    const u_char *sig, u_int siglen);
+
+#endif /* JPAKE_H */
+
index e7fc2a7..b51b86a 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.195 2009/04/14 21:10:54 jj Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -343,7 +343,7 @@ static struct {
        { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
        { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
        { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
-       { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },  /* alias */
+       { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
 #ifdef KRB5
        { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
@@ -417,10 +417,10 @@ static struct {
        { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
        { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
        { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
-       { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
+       { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
        { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
        { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
-       { "match", sMatch, SSHCFG_ALL },
+       { "match", sMatch, SSHCFG_ALL },
        { "permitopen", sPermitOpen, SSHCFG_ALL },
        { "forcecommand", sForceCommand, SSHCFG_ALL },
        { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
@@ -1376,7 +1376,7 @@ parse_server_match_config(ServerOptions *options, const char *user,
 /*
  * Copy any supported values that are set.
  *
- * If the preauth flag is set, we do not bother copying the the string or
+ * If the preauth flag is set, we do not bother copying the string or
  * array values that are not used pre-authentication, because any that we
  * do use must be explictly sent in mm_getpwnamallow().
  */
index 81cafe6..8be01c5 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.157 2009/02/12 03:16:01 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.159 2009/05/28 16:50:16 andreas Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -78,6 +78,7 @@
 #include "auth-options.h"
 #include "serverloop.h"
 #include "misc.h"
+#include "roaming.h"
 
 extern ServerOptions options;
 
@@ -249,7 +250,7 @@ client_alive_check(void)
        int channel_id;
 
        /* timeout, check to see how many we have had */
-       if (++keep_alive_timeouts > options.client_alive_count_max) {
+       if (packet_inc_alive_timeouts() > options.client_alive_count_max) {
                logit("Timeout, client not responding.");
                cleanup_exit(255);
        }
@@ -391,8 +392,11 @@ process_input(fd_set *readset)
 
        /* Read and buffer any input data from the client. */
        if (FD_ISSET(connection_in, readset)) {
-               len = read(connection_in, buf, sizeof(buf));
+               int cont = 0;
+               len = roaming_read(connection_in, buf, sizeof(buf), &cont);
                if (len == 0) {
+                       if (cont)
+                               return;
                        verbose("Connection closed by %.100s",
                            get_remote_ipaddr());
                        connection_closed = 1;
@@ -890,7 +894,7 @@ server_input_keep_alive(int type, u_int32_t seq, void *ctxt)
         * even if this was generated by something other than
         * the bogus CHANNEL_REQUEST we send for keepalives.
         */
-       keep_alive_timeouts = 0;
+       packet_set_alive_timeouts(0);
 }
 
 static void
@@ -1120,7 +1124,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
                    no_port_forwarding_flag ||
                    (!want_reply && listen_port == 0)
 #ifndef NO_IPPORT_RESERVED_CONCEPT
-                   || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
+                   || (listen_port != 0 && listen_port < IPPORT_RESERVED &&
+                    pw->pw_uid != 0)
 #endif
                    ) {
                        success = 0;
index f2549e0..f4a3635 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.245 2009/01/22 09:46:01 djm Exp $ */
+/* $OpenBSD: session.c,v 1.246 2009/04/17 19:23:06 stevesk Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -571,8 +571,7 @@ do_exec_no_pty(Session *s, const char *command)
        signal(WJSIGNAL, cray_job_termination_handler);
 #endif /* _UNICOS */
 #ifdef HAVE_CYGWIN
-       if (is_winnt)
-               cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
+       cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
 #endif
 
        s->pid = pid;
@@ -716,8 +715,8 @@ do_exec_pty(Session *s, const char *command)
                 * Do common processing for the child, such as execing
                 * the command.
                 */
-               do_child(s, command);
-               /* NOTREACHED */
+               do_child(s, command);
+               /* NOTREACHED */
        default:
                break;
        }
@@ -726,8 +725,7 @@ do_exec_pty(Session *s, const char *command)
        signal(WJSIGNAL, cray_job_termination_handler);
 #endif /* _UNICOS */
 #ifdef HAVE_CYGWIN
-       if (is_winnt)
-               cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
+       cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
 #endif
 
        s->pid = pid;
@@ -847,7 +845,7 @@ do_login(Session *s, const char *command)
        fromlen = sizeof(from);
        if (packet_connection_is_on_socket()) {
                if (getpeername(packet_get_connection_in(),
-                   (struct sockaddr *) & from, &fromlen) < 0) {
+                   (struct sockaddr *)&from, &fromlen) < 0) {
                        debug("getpeername: %.100s", strerror(errno));
                        cleanup_exit(255);
                }
@@ -1116,7 +1114,7 @@ do_setup_env(Session *s, const char *shell)
        u_int i, envsize;
        char **env, *laddr;
        struct passwd *pw = s->pw;
-#ifndef HAVE_LOGIN_CAP
+#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
        char *path = NULL;
 #endif
 
@@ -1468,11 +1466,6 @@ do_setusercontext(struct passwd *pw)
        if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
        {
-
-#ifdef HAVE_SETPCRED
-               if (setpcred(pw->pw_name, (char **)NULL) == -1)
-                       fatal("Failed to set process credentials");
-#endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
 # ifdef __bsdi__
                setpgid(0, 0);
@@ -1540,6 +1533,10 @@ do_setusercontext(struct passwd *pw)
                        free(chroot_path);
                }
 
+#ifdef HAVE_SETPCRED
+               if (setpcred(pw->pw_name, (char **)NULL) == -1)
+                       fatal("Failed to set process credentials");
+#endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
                if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
                        perror("unable to set user context (setuser)");
@@ -1551,9 +1548,6 @@ do_setusercontext(struct passwd *pw)
 #endif
        }
 
-#ifdef HAVE_CYGWIN
-       if (is_winnt)
-#endif
        if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
                fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
 
@@ -1794,7 +1788,7 @@ do_child(Session *s, const char *command)
                int i;
                char *p, *args;
 
-               setproctitle("%s@internal-sftp-server", s->pw->pw_name);
+               setproctitle("%s@%s", s->pw->pw_name, INTERNAL_SFTP_NAME);
                args = xstrdup(command ? command : "sftp-server");
                for (i = 0, (p = strtok(args, " ")); p; (p = strtok(NULL, " ")))
                        if (i < ARGV_MAX - 1)
index 5e39aa7..0990b79 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.86 2008/06/26 06:10:09 djm Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.87 2009/06/22 05:39:28 dtucker Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
index 74c1e4b..372b077 100644 (file)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp-server.8,v 1.14 2008/07/18 22:51:01 jmc Exp $
+.\" $OpenBSD: sftp-server.8,v 1.15 2009/03/26 08:38:39 sobrado Exp $
 .\"
 .\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 18 2008 $
+.Dd $Mdocdate: March 26 2009 $
 .Dt SFTP-SERVER 8
 .Os
 .Sh NAME
@@ -79,7 +79,7 @@ must be able to access
 .Pa /dev/log .
 Use of
 .Nm
-in a chroot configuation therefore requires that
+in a chroot configuration therefore requires that
 .Xr syslogd 8
 establish a logging socket inside the chroot directory.
 .Sh SEE ALSO
index 24c4ff7..d984e60 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.84 2008/06/26 06:10:09 djm Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.85 2009/04/14 16:33:42 stevesk Exp $ */
 /*
  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
  *
@@ -1041,7 +1041,7 @@ process_rename(void)
        else if (S_ISREG(sb.st_mode)) {
                /* Race-free rename of regular files */
                if (link(oldpath, newpath) == -1) {
-                       if (errno == EOPNOTSUPP
+                       if (errno == EOPNOTSUPP || errno == ENOSYS
 #ifdef EXDEV
                            || errno == EXDEV
 #endif
@@ -1341,7 +1341,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
        __progname = ssh_get_progname(argv[0]);
        log_init(__progname, log_level, log_facility, log_stderr);
 
-       while (!skipargs && (ch = getopt(argc, argv, "C:f:l:che")) != -1) {
+       while (!skipargs && (ch = getopt(argc, argv, "f:l:che")) != -1) {
                switch (ch) {
                case 'c':
                        /*
index 6a5dc62..533cd6f 100644 (file)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.46 2007/09/09 11:38:01 sobrado Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.47 2009/03/26 08:38:39 sobrado Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 5 2007 $
+.Dd $Mdocdate: March 26 2009 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -141,7 +141,7 @@ The second is that the agent prints the needed shell commands (either
 .Xr sh 1
 or
 .Xr csh 1
-syntax can be generated) which can be evalled in the calling shell, eg
+syntax can be generated) which can be evaluated in the calling shell, eg
 .Cm eval `ssh-agent -s`
 for Bourne-type shells such as
 .Xr sh 1
index 9123cfe..f77dea3 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.159 2008/06/28 14:05:15 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.161 2009/03/23 19:38:04 tobias Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1061,6 +1061,7 @@ main(int ac, char **av)
        pid_t pid;
        char pidstrbuf[1 + 3 * sizeof pid];
        struct timeval *tvp = NULL;
+       size_t len;
 
        /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
        sanitise_stdfd();
@@ -1121,8 +1122,8 @@ main(int ac, char **av)
 
        if (ac == 0 && !c_flag && !s_flag) {
                shell = getenv("SHELL");
-               if (shell != NULL &&
-                   strncmp(shell + strlen(shell) - 3, "csh", 3) == 0)
+               if (shell != NULL && (len = strlen(shell)) > 2 &&
+                   strncmp(shell + len - 3, "csh", 3) == 0)
                        c_flag = 1;
        }
        if (k_flag) {
index 5765cff..da5db98 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.173 2009/02/21 19:32:04 tobias Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.174 2009/06/22 05:39:28 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
index 421783b..6c6271e 100644 (file)
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.282 2009/02/12 03:44:25 djm Exp $
-.Dd $Mdocdate: February 12 2009 $
+.\" $OpenBSD: ssh.1,v 1.283 2009/03/19 15:15:09 jmc Exp $
+.Dd $Mdocdate: March 19 2009 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -191,26 +191,9 @@ For protocol version 2,
 .Ar cipher_spec
 is a comma-separated list of ciphers
 listed in order of preference.
-The supported ciphers are:
-3des-cbc,
-aes128-cbc,
-aes192-cbc,
-aes256-cbc,
-aes128-ctr,
-aes192-ctr,
-aes256-ctr,
-arcfour128,
-arcfour256,
-arcfour,
-blowfish-cbc,
-and
-cast128-cbc.
-The default is:
-.Bd -literal -offset indent
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
-.Ed
+See the
+.Cm Ciphers
+keyword for more information.
 .It Fl D Xo
 .Sm off
 .Oo Ar bind_address : Oc
index 9d43bb7..adfe60e 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.324 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.326 2009/07/02 02:11:47 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -48,6 +48,7 @@
 #endif
 #include <sys/resource.h>
 #include <sys/ioctl.h>
+#include <sys/param.h>
 #include <sys/socket.h>
 
 #include <ctype.h>
@@ -203,8 +204,8 @@ void muxserver_listen(void);
 int
 main(int ac, char **av)
 {
-       int i, opt, exit_status, use_syslog;
-       char *p, *cp, *line, buf[256];
+       int i, r, opt, exit_status, use_syslog;
+       char *p, *cp, *line, *argv0, buf[MAXPATHLEN];
        struct stat st;
        struct passwd *pw;
        int dummy, timeout_ms;
@@ -270,6 +271,7 @@ main(int ac, char **av)
        /* Parse command-line arguments. */
        host = NULL;
        use_syslog = 0;
+       argv0 = av[0];
 
  again:
        while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
@@ -600,7 +602,7 @@ main(int ac, char **av)
         * Initialize "log" output.  Since we are the client all output
         * actually goes to stderr.
         */
-       log_init(av[0],
+       log_init(argv0,
            options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
            SYSLOG_FACILITY_USER, !use_syslog);
 
@@ -613,9 +615,10 @@ main(int ac, char **av)
                        fatal("Can't open user config file %.100s: "
                            "%.100s", config, strerror(errno));
        } else {
-               snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
+               r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
                    _PATH_SSH_USER_CONFFILE);
-               (void)read_config_file(buf, host, &options, 1);
+               if (r > 0 && (size_t)r < sizeof(buf))
+                       (void)read_config_file(buf, host, &options, 1);
 
                /* Read systemwide configuration file after use config. */
                (void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
@@ -628,7 +631,7 @@ main(int ac, char **av)
        channel_set_af(options.address_family);
 
        /* reinit */
-       log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, !use_syslog);
+       log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog);
 
        seed_rng();
 
@@ -766,9 +769,9 @@ main(int ac, char **av)
         * Now that we are back to our own permissions, create ~/.ssh
         * directory if it doesn't already exist.
         */
-       snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir,
+       r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
            strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
-       if (stat(buf, &st) < 0)
+       if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
                if (mkdir(buf, 0700) < 0)
                        error("Could not create directory '%.200s'.", buf);
 
index c04aa10..3e57e85 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.212 2008/10/14 18:11:33 stevesk Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.214 2009/05/28 16:50:16 andreas Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -56,6 +56,7 @@
 #include "atomicio.h"
 #include "misc.h"
 #include "dns.h"
+#include "roaming.h"
 #include "version.h"
 
 char *client_version_string = NULL;
@@ -413,7 +414,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
  * Waits for the server identification string, and sends our own
  * identification string.
  */
-static void
+void
 ssh_exchange_identification(int timeout_ms)
 {
        char buf[256], remote_version[256];     /* must be same size! */
@@ -452,7 +453,7 @@ ssh_exchange_identification(int timeout_ms)
                                }
                        }
 
-                       len = atomicio(read, connection_in, &buf[i], 1);
+                       len = roaming_atomicio(read, connection_in, &buf[i], 1);
 
                        if (len != 1 && errno == EPIPE)
                                fatal("ssh_exchange_identification: "
@@ -537,7 +538,8 @@ ssh_exchange_identification(int timeout_ms)
            compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
            compat20 ? PROTOCOL_MINOR_2 : minor1,
            SSH_VERSION, compat20 ? "\r\n" : "\n");
-       if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf))
+       if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
+           != strlen(buf))
                fatal("write: %.100s", strerror(errno));
        client_version_string = xstrdup(buf);
        chop(client_version_string);
index 75bde1a..c59a097 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.24 2007/09/04 11:15:56 djm Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.25 2009/05/27 06:38:16 andreas Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -38,6 +38,8 @@ ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int,
 void
 ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *, int);
 
+void    ssh_exchange_identification(int);
+
 int     verify_host_key(char *, struct sockaddr *, Key *);
 
 void    ssh_kex(char *, struct sockaddr *);
index a762eec..260c630 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -68,6 +68,7 @@
 #include "msg.h"
 #include "pathnames.h"
 #include "uidswap.h"
+#include "schnorr.h"
 #include "jpake.h"
 
 #ifdef GSSAPI
index a4b9e90..111d491 100644 (file)
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.247 2008/10/03 13:08:12 jmc Exp $
-.Dd $Mdocdate: October 3 2008 $
+.\" $OpenBSD: sshd.8,v 1.248 2009/03/26 08:38:39 sobrado Exp $
+.Dd $Mdocdate: March 26 2009 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -543,7 +543,7 @@ for more information on patterns.
 In addition to the wildcard matching that may be applied to hostnames or
 addresses, a
 .Cm from
-stanza may match IP addressess using CIDR address/masklen notation.
+stanza may match IP addresses using CIDR address/masklen notation.
 .Pp
 The purpose of this option is to optionally increase security: public key
 authentication by itself does not trust the network or name servers or
index 3b5cd3c..13a455d 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.366 2009/01/22 10:02:34 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.367 2009/05/28 16:50:16 andreas Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
+#include "roaming.h"
 #include "version.h"
 
 #ifdef LIBWRAP
@@ -419,7 +420,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
        server_version_string = xstrdup(buf);
 
        /* Send our protocol version identification. */
-       if (atomicio(vwrite, sock_out, server_version_string,
+       if (roaming_atomicio(vwrite, sock_out, server_version_string,
            strlen(server_version_string))
            != strlen(server_version_string)) {
                logit("Could not write ident string to %s", get_remote_ipaddr());
@@ -429,7 +430,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
        /* Read other sides version identification. */
        memset(buf, 0, sizeof(buf));
        for (i = 0; i < sizeof(buf) - 1; i++) {
-               if (atomicio(read, sock_in, &buf[i], 1) != 1) {
+               if (roaming_atomicio(read, sock_in, &buf[i], 1) != 1) {
                        logit("Did not receive identification string from %s",
                            get_remote_ipaddr());
                        cleanup_exit(255);
@@ -577,7 +578,7 @@ demote_sensitive_data(void)
 static void
 privsep_preauth_child(void)
 {
-       u_int32_t rnd[256];
+       u_int32_t rnd[256];
        gid_t gidset[1];
 
        /* Enable challenge-response authentication for privilege separation */
index dfd07b7..588aed5 100644 (file)
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.102 2009/02/22 23:59:25 djm Exp $
-.Dd $Mdocdate: February 22 2009 $
+.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $
+.Dd $Mdocdate: April 21 2009 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -176,10 +176,9 @@ then no banner is displayed.
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
+Specifies whether challenge-response authentication is allowed (e.g. via
+PAM or though authentication styles supported in
+.Xr login.conf 5 )
 The default is
 .Dq yes .
 .It Cm ChrootDirectory
@@ -188,6 +187,9 @@ Specifies a path to
 to after authentication.
 This path, and all its components, must be root-owned directories that are
 not writable by any other user or group.
+After the chroot,
+.Xr sshd 8
+changes the working directory to the user's home directory.
 .Pp
 The path may contain the following tokens that are expanded at runtime once
 the connecting user has been authenticated: %% is replaced by a literal '%',
@@ -197,7 +199,7 @@ the connecting user has been authenticated: %% is replaced by a literal '%',
 The
 .Cm ChrootDirectory
 must contain the necessary files and directories to support the
-users' session.
+user's session.
 For an interactive session this requires at least a shell, typically
 .Xr sh 1 ,
 and basic
@@ -215,8 +217,11 @@ devices.
 For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the
-in-process sftp server is used (see
-.Cm Subsystem
+in-process sftp server is used,
+though sessions which use logging do require
+.Pa /dev/log
+inside the chroot directory (see
+.Xr sftp-server 8
 for details).
 .Pp
 The default is not to
index cc35d60..33bd652 100644 (file)
@@ -86,13 +86,20 @@ get_last_login_time(uid_t uid, const char *logname,
 static void
 store_lastlog_message(const char *user, uid_t uid)
 {
+#ifndef NO_SSH_LASTLOG
        char *time_string, hostname[MAXHOSTNAMELEN] = "", buf[512];
        time_t last_login_time;
 
-#ifndef NO_SSH_LASTLOG
        if (!options.print_lastlog)
                return;
 
+# ifdef CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG
+       time_string = sys_auth_get_lastlogin_msg(user, uid);
+       if (time_string != NULL) {
+               buffer_append(&loginmsg, time_string, strlen(time_string));
+               xfree(time_string);
+       }
+# else
        last_login_time = get_last_login_time(uid, user, hostname,
            sizeof(hostname));
 
@@ -107,6 +114,7 @@ store_lastlog_message(const char *user, uid_t uid)
                            time_string, hostname);
                buffer_append(&loginmsg, buf, strlen(buf));
        }
+# endif /* CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG */
 #endif /* NO_SSH_LASTLOG */
 }
 
index a139495..b9e57e9 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: uuencode.c,v 1.24 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: uuencode.c,v 1.25 2009/03/05 11:30:50 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
 #include "xmalloc.h"
 #include "uuencode.h"
 
+/*
+ * Encode binary 'src' of length 'srclength', writing base64-encoded text
+ * to 'target' of size 'targsize'. Will always nul-terminate 'target'.
+ * Returns the number of bytes stored in 'target' or -1 on error (inc.
+ * 'targsize' too small).
+ */
 int
 uuencode(const u_char *src, u_int srclength,
     char *target, size_t targsize)
@@ -40,6 +46,11 @@ uuencode(const u_char *src, u_int srclength,
        return __b64_ntop(src, srclength, target, targsize);
 }
 
+/*
+ * Decode base64-encoded 'src' into buffer 'target' of 'targsize' bytes.
+ * Will skip leading and trailing whitespace. Returns the number of bytes
+ * stored in 'target' or -1 on error (inc. targsize too small).
+ */
 int
 uudecode(const char *src, u_char *target, size_t targsize)
 {