diff -ruN openssh-4.5p1+x509-5.5.2/config.h.in openssh-4.5p1+x509-6.0/config.h.in --- openssh-4.5p1+x509-5.5.2/config.h.in 2006-11-08 09:06:01.000000000 +0200 +++ openssh-4.5p1+x509-6.0/config.h.in 2007-08-07 09:06:01.000000000 +0300 @@ -285,6 +285,18 @@ /* Define if your system has /etc/default/login */ #undef HAVE_ETC_DEFAULT_LOGIN +/* Define to 1 if `cleanup' is member of `EVP_MD'. */ +#undef HAVE_EVP_MD_CLEANUP + +/* Define to 1 if `copy' is member of `EVP_MD'. */ +#undef HAVE_EVP_MD_COPY + +/* Define to 1 if `md_data' is member of `EVP_MD_CTX'. */ +#undef HAVE_EVP_MD_CTX_MD_DATA + +/* Define to 1 if `flags' is member of `EVP_MD'. */ +#undef HAVE_EVP_MD_FLAGS + /* Define to 1 if you have the `EVP_sha256' function. */ #undef HAVE_EVP_SHA256 diff -ruN openssh-4.5p1+x509-5.5.2/configure openssh-4.5p1+x509-6.0/configure --- openssh-4.5p1+x509-5.5.2/configure 2006-11-08 09:06:02.000000000 +0200 +++ openssh-4.5p1+x509-6.0/configure 2007-08-07 09:06:02.000000000 +0300 @@ -32359,11 +32359,12 @@ { echo "$as_me:$LINENO: checking for Email in X.509 'Distinguished Name'" >&5 echo $ECHO_N "checking for Email in X.509 'Distinguished Name'... $ECHO_C" >&6; } if test "$cross_compiling" = yes; then - { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling -See \`config.log' for more details." >&5 -echo "$as_me: error: cannot run test program while cross compiling -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } + + { echo "$as_me:$LINENO: WARNING: cross compiling: assuming no" >&5 +echo "$as_me: WARNING: cross compiling: assuming no" >&2;} + ssh_x509dn_email="no" + + else cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ 
@@ -32404,10 +32405,8 @@ ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - - { echo "$as_me:$LINENO: result: yes" >&5 + { echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6; } - else echo "$as_me: program exited with status $ac_status" >&5 echo "$as_me: failed program was:" >&5 @@ -32419,7 +32418,6 @@ echo "${ECHO_T}no" >&6; } ssh_x509dn_email="no" - fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi 
@@ -32573,6 +32571,560 @@ fi +# Check for the existence of "EVP_MD members" +{ echo "$as_me:$LINENO: checking for EVP_MD.flags" >&5 +echo $ECHO_N "checking for EVP_MD.flags... $ECHO_C" >&6; } +if test "${ac_cv_member_EVP_MD_flags+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +static EVP_MD ac_aggr; +if (ac_aggr.flags) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_EVP_MD_flags=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include + +int +main () +{ +static EVP_MD ac_aggr; +if (sizeof ac_aggr.flags) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_EVP_MD_flags=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_member_EVP_MD_flags=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ echo "$as_me:$LINENO: result: $ac_cv_member_EVP_MD_flags" >&5 +echo "${ECHO_T}$ac_cv_member_EVP_MD_flags" >&6; } +if test $ac_cv_member_EVP_MD_flags = yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_EVP_MD_FLAGS 1 +_ACEOF + + +fi + +{ echo "$as_me:$LINENO: checking for EVP_MD.copy" >&5 +echo $ECHO_N "checking for EVP_MD.copy... $ECHO_C" >&6; } +if test "${ac_cv_member_EVP_MD_copy+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +static EVP_MD ac_aggr; +if (ac_aggr.copy) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_EVP_MD_copy=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +static EVP_MD ac_aggr; +if (sizeof ac_aggr.copy) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_EVP_MD_copy=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_member_EVP_MD_copy=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ echo "$as_me:$LINENO: result: $ac_cv_member_EVP_MD_copy" >&5 +echo "${ECHO_T}$ac_cv_member_EVP_MD_copy" >&6; } +if test $ac_cv_member_EVP_MD_copy = yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_EVP_MD_COPY 1 +_ACEOF + + +fi + +{ echo "$as_me:$LINENO: checking for EVP_MD.cleanup" >&5 +echo $ECHO_N "checking for EVP_MD.cleanup... $ECHO_C" >&6; } +if test "${ac_cv_member_EVP_MD_cleanup+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include + +int +main () +{ +static EVP_MD ac_aggr; +if (ac_aggr.cleanup) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_EVP_MD_cleanup=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +static EVP_MD ac_aggr; +if (sizeof ac_aggr.cleanup) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_EVP_MD_cleanup=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_member_EVP_MD_cleanup=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ echo "$as_me:$LINENO: result: $ac_cv_member_EVP_MD_cleanup" >&5 +echo "${ECHO_T}$ac_cv_member_EVP_MD_cleanup" >&6; } +if test $ac_cv_member_EVP_MD_cleanup = yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_EVP_MD_CLEANUP 1 +_ACEOF + + +fi + +{ echo "$as_me:$LINENO: checking for EVP_MD_CTX.md_data" >&5 +echo $ECHO_N "checking for EVP_MD_CTX.md_data... $ECHO_C" >&6; } +if test "${ac_cv_member_EVP_MD_CTX_md_data+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +static EVP_MD_CTX ac_aggr; +if (ac_aggr.md_data) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_EVP_MD_CTX_md_data=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +static EVP_MD_CTX ac_aggr; +if (sizeof ac_aggr.md_data) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_EVP_MD_CTX_md_data=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_member_EVP_MD_CTX_md_data=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ echo "$as_me:$LINENO: result: $ac_cv_member_EVP_MD_CTX_md_data" >&5 +echo "${ECHO_T}$ac_cv_member_EVP_MD_CTX_md_data" >&6; } +if test $ac_cv_member_EVP_MD_CTX_md_data = yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_EVP_MD_CTX_MD_DATA 1 +_ACEOF + + +fi + + # Where to place sshd.pid piddir=/var/run # make sure the directory exists diff -ruN openssh-4.5p1+x509-5.5.2/configure.ac openssh-4.5p1+x509-6.0/configure.ac --- openssh-4.5p1+x509-5.5.2/configure.ac 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/configure.ac 2007-08-07 09:06:00.000000000 +0300 @@ -3722,8 +3722,8 @@ if test "x$ssh_x509store" = "xyes"; then # Check for Email in X.509 'Distinguished Name' AC_MSG_CHECKING([for Email in X.509 'Distinguished Name']) - AC_TRY_RUN( - [ + AC_RUN_IFELSE( + [AC_LANG_SOURCE([ #include int main(void) { @@ -3734,12 +3734,14 @@ exit (0); return (0); } - ], + ])], + [ AC_MSG_RESULT(yes) ], [ - AC_MSG_RESULT(yes) + AC_MSG_RESULT(no) + ssh_x509dn_email="no" ], [ - AC_MSG_RESULT(no) + AC_MSG_WARN([cross compiling: assuming no]) ssh_x509dn_email="no" ] ) 
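Review bot: The new cross-compiling branch of `AC_RUN_IFELSE` in the `@@ -3734` hunk hard-codes `ssh_x509dn_email="no"` after a warning, and the context of the following hunk shows this variable feeds a define recording whether the OpenSSL library supports Email in the X.509 Distinguished Name, so every cross-built binary is configured as if the target libcrypto lacked the feature regardless of what it really does; if that define changes how the Email component of certificate subject DNs is handled during X.509 authentication (the consumer is not in this diff), a cross build can silently diverge from a native one. Because the guess cannot be overridden, I would wrap the test in `AC_CACHE_CHECK` keyed on a `ssh_cv_x509dn_email` cache variable so a cross build can pass the correct answer on the configure command line, and name that variable in the warning; the `AC_MSG_CHECKING`/`AC_MSG_RESULT` pair then goes away. The `if test "x$ssh_x509store" = "xyes"` block containing this test opens in the previous hunk and its closing `fi` is in the next one.
```m4
AC_CACHE_CHECK([for Email in X.509 'Distinguished Name'], [ssh_cv_x509dn_email],
  [AC_RUN_IFELSE(
    [AC_LANG_SOURCE([
dnl … unchanged: test program …
    ])],
    [ssh_cv_x509dn_email=yes],
    [ssh_cv_x509dn_email=no],
    [AC_MSG_WARN([cross compiling: assuming no; override with ssh_cv_x509dn_email=yes])
     ssh_cv_x509dn_email=no])])
test "x$ssh_cv_x509dn_email" = "xyes" || ssh_x509dn_email="no"
```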
@@ -3752,6 +3754,12 @@ [Define if your openssl library don't support Email in X.509 'Distinguished Name']) fi +# Check for the existence of "EVP_MD members" +AC_CHECK_MEMBERS([EVP_MD.flags],,,[#include ]) +AC_CHECK_MEMBERS([EVP_MD.copy],,,[#include ]) +AC_CHECK_MEMBERS([EVP_MD.cleanup],,,[#include ]) +AC_CHECK_MEMBERS([EVP_MD_CTX.md_data],,,[#include ]) + # Where to place sshd.pid piddir=/var/run # make sure the directory exists diff -ruN openssh-4.5p1+x509-5.5.2/scp.0 openssh-4.5p1+x509-6.0/scp.0 --- openssh-4.5p1+x509-5.5.2/scp.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/scp.0 2007-08-07 09:06:00.000000000 +0300 @@ -1,7 +1,7 @@ -SCP(1) System General Commands Manual SCP(1) +SCP(1) BSD General Commands Manual SCP(1) NAME - scp - secure copy (remote file copy program) + scp -- secure copy (remote file copy program) SYNOPSIS scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file] @@ -58,7 +58,7 @@ -P port Specifies the port to connect to on the remote host. Note that - this option is written with a capital `P', because -p is already + this option is written with a capital 'P', because -p is already reserved for preserving the times and modes of the file in rcp(1). @@ -77,6 +77,8 @@ about their progress. This is helpful in debugging connection, authentication, and configuration problems. + The scp utility exits 0 on success, and >0 if an error occurs. + SEE ALSO rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh_config(5), sshd(8) diff -ruN openssh-4.5p1+x509-5.5.2/sftp.0 openssh-4.5p1+x509-6.0/sftp.0 --- openssh-4.5p1+x509-5.5.2/sftp.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/sftp.0 2007-08-07 09:06:00.000000000 +0300 @@ -1,7 +1,7 @@ -SFTP(1) System General Commands Manual SFTP(1) +SFTP(1) BSD General Commands Manual SFTP(1) NAME - sftp - secure file transfer program + sftp -- secure file transfer program SYNOPSIS sftp [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config] 
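Review bot: The four `AC_CHECK_MEMBERS` calls added in the `@@ -3752` hunk probe fields of OpenSSL's `EVP_MD` and `EVP_MD_CTX` structures, which makes the build depend on the library's internal layout rather than its API: the generated `configure` earlier in this diff records `no` whenever the probe fails to compile, and nothing ties the layout seen at configure time to the libcrypto actually loaded at run time, so the code conditioned on `HAVE_EVP_MD_FLAGS`/`HAVE_EVP_MD_COPY`/`HAVE_EVP_MD_CLEANUP`/`HAVE_EVP_MD_CTX_MD_DATA` (not in this diff) deserves a look at what it does when an OpenSSL without these members is used. The include argument reads as a bare `[#include ]` in this rendering, presumably `<openssl/evp.h>` lost in extraction; if it really were empty, all four checks would silently answer `no`. I would collapse the four calls into one and record why the internals are needed: `# Probe OpenSSL's private EVP_MD/EVP_MD_CTX layout; these fields are not public API and` / `# a libcrypto with a different layout at run time will not match what configure saw.` / `AC_CHECK_MEMBERS([EVP_MD.flags, EVP_MD.copy, EVP_MD.cleanup, EVP_MD_CTX.md_data],,,[#include <openssl/evp.h>])`.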
@@ -40,11 +40,11 @@ Batch mode reads a series of commands from an input batchfile instead of stdin. Since it lacks user interaction it should be used in conjunction with non-interactive authentication. A - batchfile of `-' may be used to indicate standard input. sftp + batchfile of '-' may be used to indicate standard input. sftp will abort if any of the following commands fail: get, put, rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, chgrp, lpwd and lmkdir. Termination on error can be suppressed on a - command by command basis by prefixing the command with a `-' + command by command basis by prefixing the command with a '-' character (for example, -rm /tmp/blah*). -C Enables compression (via ssh's -C flag). @@ -86,7 +86,7 @@ those of ftp(1). Commands are case insensitive. Pathnames that contain spaces must be enclosed in quotes. Any special characters contained within pathnames that are recognized by glob(3) must be escaped with - backslashes (`\'). + backslashes ('\'). bye Quit sftp. @@ -145,7 +145,7 @@ -1 Produce single columnar output. - -a List files beginning with a dot (`.'). + -a List files beginning with a dot ('.'). -f Do not sort the listing. The default sort order is lexi- cographical. diff -ruN openssh-4.5p1+x509-5.5.2/sftp-server.0 openssh-4.5p1+x509-6.0/sftp-server.0 --- openssh-4.5p1+x509-5.5.2/sftp-server.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/sftp-server.0 2007-08-07 09:06:00.000000000 +0300 @@ -1,7 +1,7 @@ -SFTP-SERVER(8) System Manager's Manual SFTP-SERVER(8) +SFTP-SERVER(8) BSD System Manager's Manual SFTP-SERVER(8) NAME - sftp-server - SFTP server subsystem + sftp-server -- SFTP server subsystem SYNOPSIS sftp-server [-f log_facility] [-l log_level] diff -ruN openssh-4.5p1+x509-5.5.2/ssh.0 openssh-4.5p1+x509-6.0/ssh.0 --- openssh-4.5p1+x509-5.5.2/ssh.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/ssh.0 2007-08-07 09:06:00.000000000 +0300 
@@ -1,7 +1,7 @@ -SSH(1) System General Commands Manual SSH(1) +SSH(1) BSD General Commands Manual SSH(1) NAME - ssh - OpenSSH SSH client (remote login program) + ssh -- OpenSSH SSH client (remote login program) SYNOPSIS ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D @@ -106,13 +106,13 @@ GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost'' indicates that the listening port - be bound for local use only, while an empty address or `*' indi- + be bound for local use only, while an empty address or '*' indi- cates that the port should be available from all interfaces. -e escape_char - Sets the escape character for sessions with a pty (default: `~'). + Sets the escape character for sessions with a pty (default: '~'). The escape character is only recognized at the beginning of a - line. The escape character followed by a dot (`.') closes the + line. The escape character followed by a dot ('.') closes the connection; followed by control-Z suspends the connection; and followed by itself sends the escape character once. Setting the character to ``none'' disables any escapes and makes the session @@ -167,7 +167,7 @@ the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost'' indicates that the listening port - be bound for local use only, while an empty address or `*' indi- + be bound for local use only, while an empty address or '*' indi- cates that the port should be available from all interfaces. -l login_name 
@@ -234,7 +234,7 @@ By default, the listening socket on the server will be bound to the loopback interface only. This may be overriden by specifying - a bind_address. An empty bind_address, or the address `*', indi- + a bind_address. An empty bind_address, or the address '*', indi- cates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)). @@ -421,7 +421,7 @@ ter can be changed in configuration files using the EscapeChar configura- tion directive or on the command line by the -e option. - The supported escapes (assuming the default `~') are: + The supported escapes (assuming the default '~') are: ~. Disconnect. @@ -592,7 +592,7 @@ X11 server. It is automatically set by ssh to point to a value of the form ``hostname:n'', where ``hostname'' indicates the host where the shell - runs, and `n' is an integer >= 1. ssh uses this + runs, and 'n' is an integer >= 1. ssh uses this special value to forward X11 connections over the secure channel. The user should normally not set DISPLAY explicitly, as that will render the X11 diff -ruN openssh-4.5p1+x509-5.5.2/ssh-add.0 openssh-4.5p1+x509-6.0/ssh-add.0 --- openssh-4.5p1+x509-5.5.2/ssh-add.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/ssh-add.0 2007-08-07 09:06:00.000000000 +0300 @@ -1,7 +1,7 @@ -SSH-ADD(1) System General Commands Manual SSH-ADD(1) +SSH-ADD(1) BSD General Commands Manual SSH-ADD(1) NAME - ssh-add - adds RSA or DSA identities to the authentication agent + ssh-add -- adds RSA or DSA identities to the authentication agent SYNOPSIS ssh-add [-cDdLlXx] [-t life] [file ...] diff -ruN openssh-4.5p1+x509-5.5.2/ssh-agent.0 openssh-4.5p1+x509-6.0/ssh-agent.0 --- openssh-4.5p1+x509-5.5.2/ssh-agent.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/ssh-agent.0 2007-08-07 09:06:00.000000000 +0300 
@@ -1,7 +1,7 @@ -SSH-AGENT(1) System General Commands Manual SSH-AGENT(1) +SSH-AGENT(1) BSD General Commands Manual SSH-AGENT(1) NAME - ssh-agent - authentication agent + ssh-agent -- authentication agent SYNOPSIS ssh-agent [-a bind_address] [-c | -s] [-t life] [-d] [command [args ...]] diff -ruN openssh-4.5p1+x509-5.5.2/ssh_config.0 openssh-4.5p1+x509-6.0/ssh_config.0 --- openssh-4.5p1+x509-5.5.2/ssh_config.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/ssh_config.0 2007-08-07 09:06:00.000000000 +0300 @@ -1,7 +1,7 @@ -SSH_CONFIG(5) System File Formats Manual SSH_CONFIG(5) +SSH_CONFIG(5) BSD File Formats Manual SSH_CONFIG(5) NAME - ssh_config - OpenSSH SSH client configuration files + ssh_config -- OpenSSH SSH client configuration files SYNOPSIS ~/.ssh/config @@ -27,9 +27,9 @@ The configuration file has the following format: - Empty lines and lines starting with `#' are comments. Otherwise a line + Empty lines and lines starting with '#' are comments. Otherwise a line is of the format ``keyword arguments''. Configuration options may be - separated by whitespace or optional whitespace and exactly one `='; the + separated by whitespace or optional whitespace and exactly one '='; the latter format is useful to avoid the need to quote whitespace when speci- fying configuration options using the ssh, scp, and sftp -o option. Arguments may optionally be enclosed in double quotes (") in order to @@ -40,7 +40,7 @@ Host Restricts the following declarations (up to the next Host key- word) to be only for those hosts that match one of the patterns - given after the keyword. A single `*' as a pattern can be used + given after the keyword. A single '*' as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching). 
@@ -56,9 +56,9 @@ The intended use for the X.509 server certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: - o `sslserver' , `SSL server' , `SSL_server' or `server' ; - o `any' , `Any Purpose' , `Any_Purpose' or `AnyPurpose' ; - o `skip' or `' (empty): do not check purpose. + o 'sslserver' , 'SSL server' , 'SSL_server' or 'server' ; + o 'any' , 'Any Purpose' , 'Any_Purpose' or 'AnyPurpose' ; + o 'skip' or '' (empty): do not check purpose. The default is ``sslserver''. BatchMode @@ -93,7 +93,7 @@ ``X509 store'' option: Specifies hostport and dn of LDAP URLs (Uniform Resource Locators) as detailed in RFC 2255. The rest of URL is build internally. Because of OpenSSH options parser limi- - tation use `%3D' instead of `=' ! + tation use '%3D' instead of '=' ! CARevocationFile ``X509 store'' option: This file contain multiple ``Certificate @@ -199,9 +199,9 @@ ControlPath Specify the path to the control socket used for connection shar- ing as described in the ControlMaster section above or the string - ``none'' to disable connection sharing. In the path, `%l' will - be substituted by the local host name, `%h' will be substituted - by the target host name, `%p' the port, and `%r' by the remote + ``none'' to disable connection sharing. In the path, '%l' will + be substituted by the local host name, '%h' will be substituted + by the target host name, '%p' the port, and '%r' by the remote login username. It is recommended that any ControlPath used for opportunistic connection sharing include at least %h, %p, and %r. This ensures that shared connections are uniquely identified. 
@@ -218,7 +218,7 @@ However, an explicit bind_address may be used to bind the connec- tion to a specific address. The bind_address of ``localhost'' indicates that the listening port be bound for local use only, - while an empty address or `*' indicates that the port should be + while an empty address or '*' indicates that the port should be available from all interfaces. Currently the SOCKS4 and SOCKS5 protocols are supported, and @@ -235,9 +235,9 @@ for more information. EscapeChar - Sets the escape character (default: `~'). The escape character + Sets the escape character (default: '~'). The escape character can also be set on the command line. The argument should be a - single character, `^' followed by a letter, or ``none'' to dis- + single character, '^' followed by a letter, or ``none'' to dis- able the escape character entirely (making the connection trans- parent for binary data). @@ -335,9 +335,9 @@ HostKeyAlias Specifies an alias that should be used instead of the real host - name when looking up or saving the host key in the host key - database files. This option is useful for tunneling SSH connec- - tions or for multiple servers running on a single host. + name when looking up or saving the host key in the host key data- + base files. This option is useful for tunneling SSH connections + or for multiple servers running on a single host. HostName Specifies the real host name to log into. This can be used to 
@@ -364,9 +364,9 @@ used for authentication. The file name may use the tilde syntax to refer to a user's home - directory or one of the following escape characters: `%d' (local - user's home directory), `%u' (local user name), `%l' (local host - name), `%h' (remote host name) or `%r' (remote user name). + directory or one of the following escape characters: '%d' (local + user's home directory), '%u' (local user name), '%l' (local host + name), '%h' (remote host name) or '%r' (remote user name). It is possible to have multiple identity files specified in con- figuration files; all these identities will be tried in sequence. @@ -399,7 +399,7 @@ bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost'' indicates that the listening port be bound for local use only, while an empty - address or `*' indicates that the port should be available from + address or '*' indicates that the port should be available from all interfaces. LogLevel @@ -455,7 +455,7 @@ Protocol Specifies the protocol versions ssh(1) should support in order of - preference. The possible values are `1' and `2'. Multiple ver- + preference. The possible values are '1' and '2'. Multiple ver- sions must be comma-separated. The default is ``2,1''. This means that ssh tries version 2 and falls back to version 1 if version 2 is not available. @@ -463,8 +463,8 @@ ProxyCommand Specifies the command to use to connect to the server. The com- mand string extends to the end of the line, and is executed with - /bin/sh. In the command string, `%h' will be substituted by the - host name to connect and `%p' by the port. The command can be + /bin/sh. In the command string, '%h' will be substituted by the + host name to connect and '%p' by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i some- 
@@ -498,9 +498,9 @@ RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated. The argument is the num- - ber of bytes, with an optional suffix of `K', `M', or `G' to + ber of bytes, with an optional suffix of 'K', 'M', or 'G' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The - default is between `1G' and `4G', depending on the cipher. This + default is between '1G' and '4G', depending on the cipher. This option applies to protocol version 2 only. RemoteForward @@ -515,7 +515,7 @@ privileged ports. If the bind_address is not specified, the default is to only bind - to loopback addresses. If the bind_address is `*' or an empty + to loopback addresses. If the bind_address is '*' or an empty string, then the forwarding is requested to listen on all inter- faces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)). @@ -600,8 +600,8 @@ Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, - this means that connections will die if the route is down tem- - porarily, and some people find it annoying. + this means that connections will die if the route is down tempo- + rarily, and some people find it annoying. The default is ``yes'' (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host 
@@ -666,24 +666,24 @@ VACertificateFile File with X.509 certificates in PEM format concatenated together. In use when VAType is set to ``ocspspec''. The default value is - `' (empty). Certificates from that file explicitly trust `OCSP + '' (empty). Certificates from that file explicitly trust 'OCSP Responder' public key. They are used as trusted certificates in addition to certificates from CACertificateFile , CACertificatePath , UserCACertificateFile and UserCACertificatePath to verify responder certificate. - VAType Specifies whether `Online Certificate Status Protocol' (OCSP) is + VAType Specifies whether 'Online Certificate Status Protocol' (OCSP) is used to validate X.509 certificates. Accepted values are case insensitive: - o `none' : do not use OCSP to validate certificates; - o `ocspcert' : validate only certificates that specify `OCSP + o 'none' : do not use OCSP to validate certificates; + o 'ocspcert' : validate only certificates that specify 'OCSP Service Locator' URL; - o `ocspspec' : use specified in the configuration `OCSP + o 'ocspspec' : use specified in the configuration 'OCSP Responder' to validate all certificates. The default is ``none''. VAOCSPResponderURL - `Access Location' / `OCSP Service Locator' URL of the OCSP + 'Access Location' / 'OCSP Service Locator' URL of the OCSP provider. In use when VAType is set to ``ocspspec''. VerifyHostKeyDNS @@ -723,8 +723,8 @@ is /usr/X11R6/bin/xauth. PATTERNS - A pattern consists of zero or more non-whitespace characters, `*' (a - wildcard that matches zero or more characters), or `?' (a wildcard that + A pattern consists of zero or more non-whitespace characters, '*' (a + wildcard that matches zero or more characters), or '?' (a wildcard that matches exactly one character). For example, to specify a set of decla- rations for any host in the ``.co.uk'' set of domains, the following pat- tern could be used: 
@@ -738,7 +738,7 @@ A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark - (`!'). For example, to allow a key to be used from anywhere within an + ('!'). For example, to allow a key to be used from anywhere within an organisation except from the ``dialup'' pool, the following entry (in authorized_keys) could be used: diff -ruN openssh-4.5p1+x509-5.5.2/sshd.0 openssh-4.5p1+x509-6.0/sshd.0 --- openssh-4.5p1+x509-5.5.2/sshd.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/sshd.0 2007-08-07 09:06:00.000000000 +0300 @@ -1,7 +1,7 @@ -SSHD(8) System Manager's Manual SSHD(8) +SSHD(8) BSD System Manager's Manual SSHD(8) NAME - sshd - OpenSSH SSH daemon + sshd -- OpenSSH SSH daemon SYNOPSIS sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time] @@ -157,12 +157,12 @@ that it is accessible. An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups . The defini- tion of a locked account is system dependant. Some platforms have their - own account database (eg AIX) and some modify the passwd field ( `*LK*' - on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a - leading `*LOCKED*' on FreeBSD and a leading `!' on Linux). If there is a + own account database (eg AIX) and some modify the passwd field ( '*LK*' + on Solaris and UnixWare, '*' on HP-UX, containing 'Nologin' on Tru64, a + leading '*LOCKED*' on FreeBSD and a leading '!' on Linux). If there is a requirement to disable password authentication for the account while allowing still public-key, then the passwd field should be set to some- - thing other than these values (eg `NP' or `*NP*' ). + thing other than these values (eg 'NP' or '*NP*' ). If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request things like 
@@ -242,7 +242,7 @@ key authentication; if none is specified, the default is ~/.ssh/authorized_keys. It is posible for protocol version 2 to contain X.509 certificates or certificates ``Distinguished Name''. Each line of - the file contains one key (empty lines and lines starting with a `#' are + the file contains one key (empty lines and lines starting with a '#' are ignored as comments). Protocol 1 public keys consist of the following space-separated fields: options, bits, exponent, modulus, comment. Pro- tocol 2 public key consist of: options, keytype, base64-encoded key, com- @@ -255,12 +255,12 @@ addition for protocol version 2 user can use X.509 certificates. In that case keytype is ``x509v3-sign-rsa'' or ``x509v3-sign-dss''. Instead of ``base64 encoded key'' line must contain base64 encoded certicate (old - style) or a keyword (new style), optional followed by symbol `=' (equal) - or `:' (colon), zero or more spaces and certificate ``Distinguished - Name'' (Subject). Keyword is case insensitive and can be one of `Subject' - , `Distinguished Name' , `Distinguished-Name' , `Distinguished_Name' , - `DistinguishedName' or `DN'. Separator of Subject items can be `/' - (slash), `,' (comma) or mixed and order is not important. + style) or a keyword (new style), optional followed by symbol '=' (equal) + or ':' (colon), zero or more spaces and certificate ``Distinguished + Name'' (Subject). Keyword is case insensitive and can be one of 'Subject' + , 'Distinguished Name' , 'Distinguished-Name' , 'Distinguished_Name' , + 'DistinguishedName' or 'DN'. Separator of Subject items can be '/' + (slash), ',' (comma) or mixed and order is not important. Note that lines in this file are usually several hundred bytes long (because of the size of the public key encoding) up to a limit of 8 kilo- 
@@ -367,18 +367,18 @@ Each line in these files contains the following fields: hostnames, bits, exponent, modulus, comment. The fields are separated by spaces. - Hostnames is a comma-separated list of patterns (`*' and `?' act as wild- + Hostnames is a comma-separated list of patterns ('*' and '?' act as wild- cards); each pattern in turn is matched against the canonical host name (when authenticating a client) or against the user-supplied name (when - authenticating a server). A pattern may also be preceded by `!' to indi- + authenticating a server). A pattern may also be preceded by '!' to indi- cate negation: if the host name matches a negated pattern, it is not accepted (by that line) even if it matched another pattern on the line. - A hostname or address may optionally be enclosed within `[' and `]' - brackets then followed by `:' and a non-standard port number. + A hostname or address may optionally be enclosed within '[' and ']' + brackets then followed by ':' and a non-standard port number. Alternately, hostnames may be stored in a hashed form which hides host names and addresses should the file's contents be disclosed. Hashed - hostnames start with a `|' character. Only one hashed hostname may + hostnames start with a '|' character. Only one hashed hostname may appear on a single line and none of the above negation or wildcard opera- tors may be applied. @@ -386,7 +386,7 @@ they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The optional comment field continues to the end of the line, and is not used. - Lines starting with `#' and empty lines are ignored as comments. + Lines starting with '#' and empty lines are ignored as comments. When performing host authentication, authentication is accepted if any matching line has the proper key. It is thus permissible (but not recom- 
@@ -450,7 +450,7 @@ ~/.ssh/environment This file is read into the environment at login (if it exists). It can only contain empty lines, comment lines (that start with - `#'), and assignment lines of the form name=value. The file + '#'), and assignment lines of the form name=value. The file should be writable only by the user; it need not be readable by anyone else. Environment processing is disabled by default and is controlled via the PermitUserEnvironment option. diff -ruN openssh-4.5p1+x509-5.5.2/sshd_config.0 openssh-4.5p1+x509-6.0/sshd_config.0 --- openssh-4.5p1+x509-5.5.2/sshd_config.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/sshd_config.0 2007-08-07 09:06:00.000000000 +0300 @@ -1,7 +1,7 @@ -SSHD_CONFIG(5) System File Formats Manual SSHD_CONFIG(5) +SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) NAME - sshd_config - OpenSSH SSH daemon configuration file + sshd_config -- OpenSSH SSH daemon configuration file SYNOPSIS /etc/ssh/sshd_config @@ -9,7 +9,7 @@ DESCRIPTION sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file specified with -f on the command line). The file contains keyword-argu- - ment pairs, one per line. Lines starting with `#' and empty lines are + ment pairs, one per line. Lines starting with '#' and empty lines are interpreted as comments. Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces. 
@@ -21,8 +21,8 @@ copied into the session's environ(7). See SendEnv in ssh_config(5) for how to configure the client. Note that envi- ronment passing is only supported for protocol 2. Variables are - specified by name, which may contain the wildcard characters `*' - and `?'. Multiple environment variables may be separated by + specified by name, which may contain the wildcard characters '*' + and '?'. Multiple environment variables may be separated by whitespace or spread across multiple AcceptEnv directives. Be warned that some environment variables could be used to bypass restricted user environments. For this reason, care should be @@ -38,9 +38,9 @@ The intended use for the X.509 client certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: - o `sslclient' , `SSL client' , `SSL_client' or `client' ; - o `any' , `Any Purpose' , `Any_Purpose' or `AnyPurpose' ; - o `skip' or `' (empty): do not check purpose. + o 'sslclient' , 'SSL client' , 'SSL_client' or 'client' ; + o 'any' , 'Any Purpose' , 'Any_Purpose' or 'AnyPurpose' ; + o 'skip' or '' (empty): do not check purpose. The default is ``sslclient''. AllowGroups @@ -111,7 +111,7 @@ ``X509 store'' option: Specifies hostport and dn(distinguished name) of LDAP URLs (Uniform Resource Locators) as detailed in RFC 2255. The rest of URL is build internally. Because of OpenSSH - options parser limitation use `%3D' instead of `=' ! + options parser limitation use '%3D' instead of '=' ! CARevocationFile ``X509 store'' option: This file contain multiple ``Certificate 
@@ -407,10 +407,10 @@ PermitOpen IPv4_addr:port PermitOpen [IPv6_addr]:port - Multiple forwards may be specified by separating them with - whitespace. An argument of ``any'' can be used to remove all - restrictions and permit any forwarding requests. By default all - port forwarding requests are permitted. + Multiple forwards may be specified by separating them with white- + space. An argument of ``any'' can be used to remove all restric- + tions and permit any forwarding requests. By default all port + forwarding requests are permitted. PermitRootLogin Specifies whether root can log in using ssh(1). The argument @@ -461,7 +461,7 @@ Protocol Specifies the protocol versions sshd(8) supports. The possible - values are `1' and `2'. Multiple versions must be comma-sepa- + values are '1' and '2'. Multiple versions must be comma-sepa- rated. The default is ``2,1''. Note that the order of the pro- tocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. @@ -520,9 +520,9 @@ Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, - this means that connections will die if the route is down tem- - porarily, and some people find it annoying. On the other hand, - if TCP keepalives are not sent, sessions may hang indefinitely on + this means that connections will die if the route is down tempo- + rarily, and some people find it annoying. On the other hand, if + TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving ``ghost'' users and consuming server resources. 
@@ -570,23 +570,23 @@ VACertificateFile File with X.509 certificates in PEM format concatenated together. In use when VAType is set to ``ocspspec''. The default value is - `' (empty). Certificates from that file explicitly trust `OCSP + '' (empty). Certificates from that file explicitly trust 'OCSP Responder' public key. They are used as trusted certificates in addition to certificates from CACertificateFile and CACertificatePath to verify responder certificate. - VAType Specifies whether `Online Certificate Status Protocol' (OCSP) is + VAType Specifies whether 'Online Certificate Status Protocol' (OCSP) is used to validate X.509 certificates. Accepted values are case insensitive: - o `none' : do not use OCSP to validate certificates; - o `ocspcert' : validate only certificates that specify `OCSP + o 'none' : do not use OCSP to validate certificates; + o 'ocspcert' : validate only certificates that specify 'OCSP Service Locator' URL; - o `ocspspec' : use specified in the configuration `OCSP + o 'ocspspec' : use specified in the configuration 'OCSP Responder' to validate all certificates. The default is ``none''. VAOCSPResponderURL - `Access Location' / `OCSP Service Locator' URL of the OCSP + 'Access Location' / 'OCSP Service Locator' URL of the OCSP provider. In use when VAType is set to ``ocspspec''. X11DisplayOffset @@ -675,7 +675,7 @@ X509 Key Algorithms Format sshd command-line arguments and configuration file options that specify - `X509 Key Algorithms' expressed using a sequence of the form: + 'X509 Key Algorithms' expressed using a sequence of the form: key-type-name,digest-name[,signature-identifier], where key-type-name is key type name, digest-name is rsa-md5 : RSA key and signature using the MD5 hash; diff -ruN openssh-4.5p1+x509-5.5.2/ssh-keygen.0 openssh-4.5p1+x509-6.0/ssh-keygen.0 --- openssh-4.5p1+x509-5.5.2/ssh-keygen.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/ssh-keygen.0 2007-08-07 09:06:00.000000000 +0300 
@@ -1,7 +1,7 @@ -SSH-KEYGEN(1) System General Commands Manual SSH-KEYGEN(1) +SSH-KEYGEN(1) BSD General Commands Manual SSH-KEYGEN(1) NAME - ssh-keygen - authentication key generation, management and conversion + ssh-keygen -- authentication key generation, management and conversion SYNOPSIS ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] @@ -93,7 +93,7 @@ Download the RSA public key stored in the smartcard in reader. -e This option will read a private or public OpenSSH key file and - print the key in a `SECSH Public Key File Format' to stdout. + print the key in a 'SECSH Public Key File Format' to stdout. This option allows exporting keys for use by several commercial SSH implementations. @@ -124,7 +124,7 @@ -i This option will read an unencrypted private (or public) key file in SSH2-compatible format and print an OpenSSH compatible private - (or public) key to stdout. ssh-keygen also reads the `SECSH + (or public) key to stdout. ssh-keygen also reads the 'SECSH Public Key File Format'. This option allows importing keys from several commercial SSH implementations. @@ -191,8 +191,8 @@ MODULI GENERATION ssh-keygen may be used to generate groups for the Diffie-Hellman Group - Exchange (DH-GEX) protocol. Generating these groups is a two-step pro- - cess: first, candidate primes are generated using a fast, but memory + Exchange (DH-GEX) protocol. Generating these groups is a two-step + process: first, candidate primes are generated using a fast, but memory intensive process. These candidate primes are then tested for suitabil- ity (a CPU-intensive process). diff -ruN openssh-4.5p1+x509-5.5.2/ssh-keyscan.0 openssh-4.5p1+x509-6.0/ssh-keyscan.0 --- openssh-4.5p1+x509-5.5.2/ssh-keyscan.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/ssh-keyscan.0 2007-08-07 09:06:00.000000000 +0300 
@@ -1,7 +1,7 @@ -SSH-KEYSCAN(1) System General Commands Manual SSH-KEYSCAN(1) +SSH-KEYSCAN(1) BSD General Commands Manual SSH-KEYSCAN(1) NAME - ssh-keyscan - gather ssh public keys + ssh-keyscan -- gather ssh public keys SYNOPSIS ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type] @@ -17,8 +17,8 @@ sible in parallel, so it is very efficient. The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those hosts are down or do not run ssh. For scanning, one does not need login - access to the machines that are being scanned, nor does the scanning pro- - cess involve any encryption. + access to the machines that are being scanned, nor does the scanning + process involve any encryption. The options are as follows: diff -ruN openssh-4.5p1+x509-5.5.2/ssh-keysign.0 openssh-4.5p1+x509-6.0/ssh-keysign.0 --- openssh-4.5p1+x509-5.5.2/ssh-keysign.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/ssh-keysign.0 2007-08-07 09:06:00.000000000 +0300 @@ -1,7 +1,7 @@ -SSH-KEYSIGN(8) System Manager's Manual SSH-KEYSIGN(8) +SSH-KEYSIGN(8) BSD System Manager's Manual SSH-KEYSIGN(8) NAME - ssh-keysign - ssh helper program for host-based authentication + ssh-keysign -- ssh helper program for host-based authentication SYNOPSIS ssh-keysign diff -ruN openssh-4.5p1+x509-5.5.2/ssh-rand-helper.0 openssh-4.5p1+x509-6.0/ssh-rand-helper.0 --- openssh-4.5p1+x509-5.5.2/ssh-rand-helper.0 2006-11-08 09:06:00.000000000 +0200 +++ openssh-4.5p1+x509-6.0/ssh-rand-helper.0 2007-08-07 09:06:00.000000000 +0300 
@@ -1,7 +1,7 @@ -SSH-RAND-HELPER(8) System Manager's Manual SSH-RAND-HELPER(8) +SSH-RAND-HELPER(8) BSD System Manager's Manual SSH-RAND-HELPER(8) NAME - ssh-rand-helper - Random number gatherer for OpenSSH + ssh-rand-helper -- Random number gatherer for OpenSSH SYNOPSIS ssh-rand-hlper [-vxXh] [-b bytes] diff -ruN openssh-4.5p1+x509-5.5.2/ssh-x509.c openssh-4.5p1+x509-6.0/ssh-x509.c --- openssh-4.5p1+x509-5.5.2/ssh-x509.c 2006-11-08 01:29:21.000000000 +0200 +++ openssh-4.5p1+x509-6.0/ssh-x509.c 2007-08-06 20:43:27.000000000 +0300 
@@ -106,13 +106,212 @@ #ifndef SSH_X509STORE_DISABLED +static unsigned long +ssh_hctol(u_char ch) { +#ifndef CHARSET_EBCDIC +/* '0'-'9' = 0x30 - 0x39 */ +/* 'A'-'F' = 0x41 - 0x46 */ +/* 'a'-'f' = 0x61 - 0x66 */ + if (('0' <= ch) && (ch <= '9')) { + return((long)(ch - '0')); + } + if (('A' <= ch) && (ch <= 'F')) { + return((long)(ch - ('A' - 10))); + } + if (('a' <= ch) && (ch <= 'f')) { + return((long)(ch - ('a' - 10))); + } +#else +# include "ssh_hctol is not implemented for EBCDIC charset" +#endif + + return(-1); +} + + +static unsigned long +ssh_hatol(const u_char *str, size_t maxsize) { + int k; + long v, ret = 0; + + for(k = maxsize; k > 0; k--, str++) { + v = ssh_hctol(*str); + if (v < 0) return(-1); + ret = (ret << 4) + v; + } + return(ret); +} + + +static int +get_escsymbol(const u_char* str, size_t len, u_long *value) { + const char ch = *str; + long v; + + if (len < 1) { + error("get_escsymbol:" + " missing characters in escape sequence"); + return(-1); + } + + /*escape formats: + "{\\}\\W%08lX" + "{\\}\\U%04lX" + "{\\}\\%02X" + */ + if (ch == '\\') { + if (value) *value = ch; + return(1); + } + if (ch == 'W') { + if (len < 9) { + error("get_escsymbol:" + " to short 32-bit escape sequence"); + return(-1); + } + v = ssh_hatol(++str, 8); + if (v < 0) { + error("get_escsymbol:" + " invalid character in 32-bit hex sequence"); + return(-1); + } + if (value) *value = v; + return(9); + } + if (ch == 'U') { + if (len < 5) { + error("get_escsymbol:" + " to short 16-bit escape sequence"); + return(-1); + } + v = ssh_hatol(++str, 4); + if (v < 0) { + error("get_escsymbol:" + " invalid character in 16-bit hex sequence"); + return(-1); + } + if (value) *value = v; + return(5); + } + + v = ssh_hctol(*str); + if (v < 0) { + /*a character is escaped ?*/ + if (*str > 127) { /*ASCII comparision !*/ + /* there is no reason symbol above 127 + to be escaped in this way */ + error("get_escsymbol:" + " non-ascii character in escape sequence"); + return(-1); + } + if (value) 
*value = *str; + return(1); + } + + /*two hex numbers*/ + { + long vlo; + if (len < 2) { + error("get_escsymbol:" + " to short 8-bit escape sequence"); + return(-1); + } + vlo = ssh_hctol(*++str); + if (vlo < 0) { + error("get_escsymbol:" + " invalid character in 8-bit hex sequence"); + return(-1); + } + v = (v << 4) + vlo; + } + if (value) *value = v; + return(2); +} +#endif /*ndef SSH_X509STORE_DISABLED*/ + + +#ifndef SSH_X509STORE_DISABLED static int/*bool*/ -ssh_X509_NAME_add_entry_by_NID(X509_NAME* name, int nid, const char* str, size_t len) { - int ret = 0; +ssh_X509_NAME_add_entry_by_NID(X509_NAME* name, int nid, const u_char* str, size_t len) { +/* default maxsizes: + C: 2 + L, ST: 128 + O, OU, CN: 64 + emailAddress: 128 +*/ + u_char buf[129*6+1]; /*enough for 128 UTF-8 symbols*/ + int ret = 0; + int type = MBSTRING_ASC; + u_long ch; + u_char *p; + size_t k; - /*this is internal method and we don't check validity of arguments*/ + /*this is internal method and we don't check validity of some arguments*/ - ret = X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC, (u_char*)str, (int)len, -1, 0); + p = buf; + k = sizeof(buf); + + while ((len > 0) && (k > 0)) { + if (*str == '\0') { + error("ssh_X509_NAME_add_entry_by_NID:" + " unsupported zero(NIL) symbol in name"); + return(0); + } + if (*str == '\\') { + len--; + if (len <= 0) { + error("ssh_X509_NAME_add_entry_by_NID:" + " escape sequence without data"); + return(0); + } + + ret = get_escsymbol(++str, len, &ch); + if (ret < 0) return(0); + } else { + ret = UTF8_getc(str, len, &ch); + if(ret < 0) { + error("ssh_X509_NAME_add_entry_by_NID:" + " cannot get next symbol(%.32s)" + , str); + return(0); + } + } + len -= ret; + str += ret; + + /* UTF8_putc return negative if buffer is too short */ + ret = UTF8_putc(p, k, ch); + if (ret < 0) { + error("ssh_X509_NAME_add_entry_by_NID:" + " UTF8_putc fail for symbol %ld", ch); + return(0); + } + k -= ret; + p += ret; + } + if (len > 0) { + 
error("ssh_X509_NAME_add_entry_by_NID:" + " too long data"); + return(0); + } + *p = '\0'; + + for (p = buf; *p; p++) { + if (*p > 127) { + type = MBSTRING_UTF8; + break; + } + } + k = strlen((char*)buf); + + debug3("ssh_X509_NAME_add_entry_by_NID:" + " type=%s, k=%d" + , ((type == MBSTRING_ASC) ? "ASCII" : "UTF-8") + , k + ); + + /* this method will fail if string exceed max size limit for nid */ + ret = X509_NAME_add_entry_by_NID(name, nid, type, buf, (int)k, -1, 0); if (!ret) { char ebuf[256]; error("ssh_X509_NAME_add_entry_by_NID: X509_NAME_add_entry_by_NID" @@ -172,7 +371,12 @@ ret = 0; break; } - *q = 0; + { + char *s = q; + for(--s; isspace((int)*s) && (s > p); s--) + {/*skip trailing space*/} + *++s = 0; + } nid = OBJ_txt2nid(p); #ifdef SSH_OPENSSL_DN_WITHOUT_EMAIL if (nid == NID_undef) { @@ -195,11 +399,13 @@ break; } + for (; *p && isspace((int)*p); p++) + {/*skip space*/} for (q = token - 1; (q >= p) && isspace((int)*q); q--) {/*skip unexpected \n, etc. from end*/} *++q = 0; - ret = ssh_X509_NAME_add_entry_by_NID(_name, nid, p, (size_t)(q - p)); + ret = ssh_X509_NAME_add_entry_by_NID(_name, nid, (u_char*)p, (size_t)(q - p)); if (!ret) { break; } @@ -436,7 +642,9 @@ int x509key_write_subject2(const Key *key, const char *keyname, FILE *f) { BIO *out; +#if 0 char buf[X509_NAME_MAXLEN]; +#endif if (!x509key_check("x509key_write_subject2", key)) return(0); if (keyname == NULL) return(0); @@ -452,8 +660,12 @@ BIO_puts(out, keyname); BIO_puts(out, " Subject:"); +#if 0 X509_NAME_oneline(X509_get_subject_name(key->x509), buf, sizeof(buf)); BIO_puts(out, buf); +#else + X509_NAME_print_ex(out, X509_get_subject_name(key->x509), 0, SSH_XN_FLAG_ONELINE); +#endif BIO_free_all(out); return(1); @@ -630,8 +842,9 @@ const u_char *data, u_int datalen ) { int ret = -1; - SSHX509KeyAlgs *xkalg; - u_char sigret[256]; + SSHX509KeyAlgs *xkalg = NULL; + int keylen = 0; + u_char *sigret = NULL; u_int siglen; if (!x509key_check("ssh_x509_sign", key)) return(ret); 
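Review bot: `k = sizeof(buf)` lets the conversion loop in ssh_X509_NAME_add_entry_by_NID fill every byte of `buf`, after which `*p = '\0'` writes one past the end of the array whenever the input consumes the whole buffer exactly (k == 0 and len == 0 at the same time); reserve the terminator with `k = sizeof(buf) - 1;`. ssh_hctol and ssh_hatol are declared to return `unsigned long` yet return `-1`, which callers test with `v < 0` on a `long`, so the error sentinel rests on an implementation-defined unsigned-to-signed conversion; declaring them `long` matches how they are used. On targets with a 32-bit `long`, `ret = (ret << 4) + v` in ssh_hatol overflows on the eighth digit of a `\W` escape whose value is 0x80000000 or above, which is undefined behaviour and in practice turns a valid escape into an "invalid character" error; accumulating in `unsigned long` and signalling failure separately avoids both. The `debug3` format `k=%d` is handed a `size_t`; use `%zu` or cast.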
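Review bot: The trailing-space loop added in the @@ -172 hunk, `for(--s; isspace((int)*s) && (s > p); s--)`, tests the character before it tests the bound, so when `q == p` it reads `p[-1]`; and the `(int)` cast feeds a possibly negative `char` to `isspace()`, which is undefined for any value other than EOF and the `unsigned char` range — precisely the bytes >= 0x80 this commit now admits as UTF-8. Suggest `for (s = q - 1; (s > p) && isspace((unsigned char)*s); s--)` here and the same `(unsigned char)` cast in the leading-space loop added in the @@ -195 hunk; the same `(int)` cast stands next to the new "may contain utf8 characters" comment in the x509_nm_cmp.c hunk. The enclosing function starts and ends outside these hunks, so whether `q` can equal `p` at this point is not visible.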
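Review bot: The `#if 0` blocks added in the @@ -436 and @@ -452 hunks keep the superseded `X509_NAME_oneline` call and its `buf` around as dead code; the same pattern is introduced in x509_by_ldap.c's @@ -388 hunk. Remove the disabled code rather than fence it, and check the result of the replacement `X509_NAME_print_ex(...)` call, e.g. `if (!X509_NAME_print_ex(out, X509_get_subject_name(key->x509), 0, SSH_XN_FLAG_ONELINE)) { BIO_free_all(out); return(0); }`.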
@@ -667,6 +880,16 @@ ret = -1; } } + + if (ret > 0) { + keylen = EVP_PKEY_size(privkey); + if (keylen > 0) { + sigret = xmalloc(keylen); /*fatal on error*/ + } else { + error("ssh_x509_sign: cannot get key size for type %d", key->type); + ret = -1; + } + } if (ret > 0) { EVP_MD_CTX ctx; @@ -674,6 +897,7 @@ EVP_SignInit(&ctx, xkalg->dgst.evp); EVP_SignUpdate(&ctx, data, datalen); ret = EVP_SignFinal(&ctx, sigret, &siglen, privkey); + debug3("ssh_x509_sign: keylen=%d, siglen=%u", keylen, siglen); if (ret <= 0) { char ebuf[256]; error("ssh_x509_sign: digest failed: %.*s", @@ -704,6 +928,10 @@ } buffer_free(&b); } + if (sigret) { + memset(sigret, 's', keylen); + xfree(sigret); + } ret = ret > 0 ? 0 : -1; debug3("ssh_x509_sign: return %d", ret); return(ret); diff -ruN openssh-4.5p1+x509-5.5.2/ssh-xkalg.c openssh-4.5p1+x509-6.0/ssh-xkalg.c --- openssh-4.5p1+x509-5.5.2/ssh-xkalg.c 2006-09-01 21:24:04.000000000 +0300 +++ openssh-4.5p1+x509-6.0/ssh-xkalg.c 2007-08-06 21:20:15.000000000 +0300 @@ -122,6 +122,7 @@ } +#ifdef HAVE_EVP_MD_CTX_MD_DATA static int init(EVP_MD_CTX *ctx) { return(SHA1_Init(ctx->md_data)); @@ -138,23 +139,38 @@ final(EVP_MD_CTX *ctx, unsigned char *md) { return(SHA1_Final(md, ctx->md_data)); } +#endif /*def HAVE_EVP_MD_CTX_MD_DATA*/ +#ifdef HAVE_EVP_MD_FLAGS #ifndef EVP_MD_FLAG_FIPS # define EVP_MD_FLAG_FIPS 0 #endif +#endif /*def HAVE_EVP_MD_FLAGS*/ static const EVP_MD dss1_md = { NID_dsa, NID_dsaWithSHA1, SHA_DIGEST_LENGTH, +#ifdef HAVE_EVP_MD_FLAGS EVP_MD_FLAG_FIPS, +#endif /*def HAVE_EVP_MD_FLAGS*/ +#ifdef HAVE_EVP_MD_CTX_MD_DATA init, update, final, +#else + SHA1_Init, + SHA1_Update, + SHA1_Final, +#endif /*ndef HAVE_EVP_MD_CTX_MD_DATA*/ +#ifdef HAVE_EVP_MD_COPY NULL, +#endif /*def HAVE_EVP_MD_COPY*/ +#ifdef HAVE_EVP_MD_CLEANUP NULL, +#endif /*def HAVE_EVP_MD_CLEANUP*/ EVP_PKEY_DSARAW_method, SHA_CBLOCK, sizeof(EVP_MD *)+sizeof(SHA_CTX), 
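Review bot: `memset(sigret, 's', keylen)` immediately followed by `xfree(sigret)` in the @@ -704 hunk is a store to memory that is freed right after, which the compiler is permitted to elide, so it does not reliably scrub the buffer. The buffer holds the signature output rather than key material, so either drop the memset or, if scrubbing is the intent, use `OPENSSL_cleanse(sigret, keylen);`. Sizing `sigret` from `EVP_PKEY_size(privkey)` in the @@ -667 hunk is the right bound for `EVP_SignFinal`; a one-line comment saying so next to the allocation would save the next reader a lookup. ssh_x509_sign starts outside these hunks.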
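Review bot: When `HAVE_EVP_MD_CTX_MD_DATA` is not defined, the dss1_md initializer stores `SHA1_Init`, `SHA1_Update` and `SHA1_Final` — whose first parameter is `SHA_CTX *` — directly in the `init`/`update`/`final` slots of `EVP_MD`; unless that OpenSSL version declares those slots with a compatible prototype (not visible here), calling through the mismatched function-pointer type is undefined behaviour, so a cast to the slot's exact type or a thin wrapper would make the assumption explicit. The positional initializer also depends on the `flags`, `copy` and `cleanup` members sitting exactly where each configure probe assumes; a comment naming the OpenSSL layouts each `#ifdef` combination was verified against would help whoever next bumps the library.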
@@ -446,7 +462,7 @@ p = xkalg->name; dupl = 0; - + for ( k = ssh_xkalg_typeind(type, &xkalg, -1); (k >= 0) && (k < loc); diff -ruN openssh-4.5p1+x509-5.5.2/tests/CA/1-cre_cadb.sh openssh-4.5p1+x509-6.0/tests/CA/1-cre_cadb.sh --- openssh-4.5p1+x509-5.5.2/tests/CA/1-cre_cadb.sh 2006-03-12 22:39:08.000000000 +0200 +++ openssh-4.5p1+x509-6.0/tests/CA/1-cre_cadb.sh 2007-02-27 23:22:48.000000000 +0200 @@ -48,6 +48,10 @@ default_crl_days= 30 # how long before next CRL policy = policy_match +# print options (internal use) +name_opt = oneline,-space_eq,-esc_msb # print fine UTF-8 +cert_opt = compatible + EOF } diff -ruN openssh-4.5p1+x509-5.5.2/tests/CA/2-cre_cakeys.sh openssh-4.5p1+x509-6.0/tests/CA/2-cre_cakeys.sh --- openssh-4.5p1+x509-5.5.2/tests/CA/2-cre_cakeys.sh 2006-03-12 22:39:54.000000000 +0200 +++ openssh-4.5p1+x509-6.0/tests/CA/2-cre_cakeys.sh 2006-03-12 23:01:31.000000000 +0200 @@ -1,5 +1,5 @@ #! /bin/sh -# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# Copyright (c) 2002-2006 Roumen Petrov, Sofia, Bulgaria # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -74,6 +74,7 @@ $OPENSSL req \ -new -x509 \ -config "${SSH_CACFGFILE}" \ + $SSH_DN_UTF8_FLAG \ -days $SSH_CACERTDAYS \ -passin pass:${KEY_PASS} \ -key "${TMPDIR}/${CAKEY_PREFIX}-rsa.key" \ @@ -122,6 +123,7 @@ $OPENSSL req \ -new -x509 \ -config "${SSH_CACFGFILE}" \ + $SSH_DN_UTF8_FLAG \ -days $SSH_CACERTDAYS \ -passin pass:${KEY_PASS} \ -key "${TMPDIR}/${CAKEY_PREFIX}-dsa.key" \ diff -ruN openssh-4.5p1+x509-5.5.2/tests/CA/3-cre_certs.sh openssh-4.5p1+x509-6.0/tests/CA/3-cre_certs.sh --- openssh-4.5p1+x509-5.5.2/tests/CA/3-cre_certs.sh 2006-02-16 22:07:11.000000000 +0200 +++ openssh-4.5p1+x509-6.0/tests/CA/3-cre_certs.sh 2007-02-17 20:35:58.000000000 +0200 
@@ -1,5 +1,5 @@ #! /bin/sh -# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# Copyright (c) 2002-2006 Roumen Petrov, Sofia, Bulgaria # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -143,6 +143,7 @@ $OPENSSL req \ -new \ -config "${SSH_CACFGFILE}" \ + $SSH_DN_UTF8_FLAG \ -key "${SSH_BASE_KEY}" \ -passin pass:"" \ -out "${TMPDIR}/${SSH_X509V3_EXTENSIONS}-${type}${subtype}.csr" \ diff -ruN openssh-4.5p1+x509-5.5.2/tests/CA/5-cre_ldap.sh openssh-4.5p1+x509-6.0/tests/CA/5-cre_ldap.sh --- openssh-4.5p1+x509-5.5.2/tests/CA/5-cre_ldap.sh 2006-02-16 22:07:07.000000000 +0200 +++ openssh-4.5p1+x509-6.0/tests/CA/5-cre_ldap.sh 2007-02-11 20:52:47.000000000 +0200 @@ -56,17 +56,19 @@ #The organization 'OpenSSH Test Team': -dn: O=${SSH_DN_O},${SSH_LDAP_DC} +# "O=${SSH_DN_O},${SSH_LDAP_DC}" +dn:`utf8base64 "O=${SSH_DN_O},${SSH_LDAP_DC}"` objectclass: organization -o: ${SSH_DN_O} +o:`utf8base64 "${SSH_DN_O}"` st: ${SSH_DN_ST} #The 'OpenSSH Test Team' "CA" organizational units: -dn: OU=${SSH_DN_OU},O=${SSH_DN_O},${SSH_LDAP_DC} +# "OU=${SSH_DN_OU},O=${SSH_DN_O},${SSH_LDAP_DC}" +dn:`utf8base64 "OU=${SSH_DN_OU},O=${SSH_DN_O},${SSH_LDAP_DC}"` objectclass: organizationalUnit -ou: ${SSH_DN_OU} -l: ${SSH_DN_L} +ou:`utf8base64 "${SSH_DN_OU}"` +l:`utf8base64 "${SSH_DN_L}"` st: ${SSH_DN_ST} EOF 
@@ -76,10 +78,11 @@ cat </dev/null`; retval=$? +# + if test -n "${SSH_DN_UTF8_FLAG}"; then + NAMEOPT="-nameopt utf8,sep_comma_plus" #ok + #NAMEOPT="-nameopt esc_2253,esc_ctrl,esc_msb,utf8,dump_nostr,dump_der,use_quote,sep_comma_plus_space,sname" #fail - esc_msb should be removed + #NAMEOPT="-nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_der,use_quote,sep_comma_plus_space,sname" #ok + #NAMEOPT="-nameopt esc_2253,esc_ctrl,-esc_msb,utf8,dump_nostr,dump_der,use_quote,sep_comma_plus_space,sname" #ok + #NAMEOPT="-nameopt esc_2253,esc_ctrl,esc_msb,utf8,dump_nostr,dump_der,use_quote,sep_comma_plus_space,sname,-esc_msb" #ok + #NAMEOPT="-nameopt oneline,-esc_msb,-space_eq" #ok + #NAMEOPT="-nameopt oneline,-esc_msb" #now ok (spaces around '=') + else + NAMEOPT= + fi + subject=`"${OPENSSL}" x509 -noout -subject ${NAMEOPT} -in "${identity_file}" $* 2>/dev/null`; retval=$? if test $retval -ne 0 ; then echo "${warn}cannot get certificate subject${norm}" >&2 return $retval @@ -261,4 +273,15 @@ # === +utf8base64() { + if test -n "${SSH_DN_UTF8_FLAG}"; then + printf ':' + printf "$1" | ${OPENSSL} enc -a -e | xargs printf ' %s\n' + else + printf " $1" + fi +} + + +# === FUNCTIONS_INCLUDED="yes" diff -ruN openssh-4.5p1+x509-5.5.2/tests/CA/Makefile.in openssh-4.5p1+x509-6.0/tests/CA/Makefile.in --- openssh-4.5p1+x509-5.5.2/tests/CA/Makefile.in 2005-08-10 21:02:59.000000000 +0300 +++ openssh-4.5p1+x509-6.0/tests/CA/Makefile.in 2007-01-27 16:59:16.000000000 +0200 @@ -1,7 +1,7 @@ srcdir=@srcdir@ @OCSP_ON@SSH_OCSP=yes @OCSP_OFF@SSH_OCSP=no -KEYBITS=1024 +RSAKEYBITS=2048 all: @@ -48,7 +48,7 @@ testhostkey_rsa: @echo @echo "generating RSA 'hostkey'" - $(TEST_SSH_SSHKEYGEN) -t rsa -b $(KEYBITS) -f $@ -N "" + $(TEST_SSH_SSHKEYGEN) -t rsa -b $(RSAKEYBITS) -f $@ -N "" testhostkey_rsa-rsa_md5: testhostkey_rsa ca-test/catest-bundle.crt @echo 
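Review bot: `printf "$1"` in the new utf8base64 function uses the DN text as the printf format string, so a value containing `%` or `\` is interpreted rather than copied, and the else branch `printf " $1"` has the same problem. Use `printf '%s' "$1"` and `printf ' %s' "$1"`. The `enc -a` output is line-wrapped and xargs turns each chunk into a space-prefixed line, which presumably relies on LDIF continuation-line folding; a comment stating that intent would keep a later cleanup from "fixing" it.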
@@ -58,7 +58,7 @@ testhostkey_dsa: @echo @echo "generating DSA 'hostkey'" - $(TEST_SSH_SSHKEYGEN) -t dsa -b $(KEYBITS) -f $@ -N "" + $(TEST_SSH_SSHKEYGEN) -t dsa -f $@ -N "" testhostkey_dsa-rsa_md5: testhostkey_dsa ca-test/catest-bundle.crt @echo @@ -72,7 +72,7 @@ testid_rsa: @echo @echo "generating RSA 'Identity'" - $(TEST_SSH_SSHKEYGEN) -t rsa -b $(KEYBITS) -f $@ -N "" + $(TEST_SSH_SSHKEYGEN) -t rsa -b $(RSAKEYBITS) -f $@ -N "" testid_rsa-rsa_md5: testid_rsa ca-test/catest-bundle.crt @echo @@ -82,7 +82,7 @@ testid_dsa: @echo @echo "generating DSA 'Identity'" - $(TEST_SSH_SSHKEYGEN) -t dsa -b $(KEYBITS) -f $@ -N "" + $(TEST_SSH_SSHKEYGEN) -t dsa -f $@ -N "" testid_dsa-rsa_md5: testid_dsa ca-test/catest-bundle.crt @echo @@ -101,7 +101,7 @@ @OCSP_ON@testocsp_rsa: @OCSP_ON@ @echo; echo "generating RSA 'ocspkey'" -@OCSP_ON@ $(TEST_SSH_SSHKEYGEN) -t rsa -b $(KEYBITS) -f $@ -N "" +@OCSP_ON@ $(TEST_SSH_SSHKEYGEN) -t rsa -b $(RSAKEYBITS) -f $@ -N "" @OCSP_ON@testocsp_dsa-rsa_md5.crt: testocsp_dsa ca-test/catest-bundle.crt @OCSP_ON@ @echo; echo "generating DSA ocsp responder certificates." @@ -110,7 +110,7 @@ @OCSP_ON@testocsp_dsa: @OCSP_ON@ @echo; echo "generating DSA 'ocspkey'" -@OCSP_ON@ $(TEST_SSH_SSHKEYGEN) -t dsa -b $(KEYBITS) -f $@ -N "" +@OCSP_ON@ $(TEST_SSH_SSHKEYGEN) -t dsa -f $@ -N "" # === diff -ruN openssh-4.5p1+x509-5.5.2/tests/CA/test-agent.sh.inc openssh-4.5p1+x509-6.0/tests/CA/test-agent.sh.inc --- openssh-4.5p1+x509-5.5.2/tests/CA/test-agent.sh.inc 2006-02-05 18:24:05.000000000 +0200 +++ openssh-4.5p1+x509-6.0/tests/CA/test-agent.sh.inc 2007-02-27 22:56:10.000000000 +0200 
@@ -107,7 +107,7 @@
 # TODO
 # Note the current script run ssh with -i option,
 # but ssh check existence of file and when file
-# don't exit it is excluded form list of identity
+# don't exit it is excluded from list of identity
 # files. When the list is empty ssh will use
 # default file names. To avoid this we will
 # use /dev/null, until method runTest run ssh
diff -ruN openssh-4.5p1+x509-5.5.2/tests/CA/test-by_ldap.sh.inc openssh-4.5p1+x509-6.0/tests/CA/test-by_ldap.sh.inc
--- openssh-4.5p1+x509-5.5.2/tests/CA/test-by_ldap.sh.inc 2005-08-30 01:43:39.000000000 +0300
+++ openssh-4.5p1+x509-6.0/tests/CA/test-by_ldap.sh.inc 2007-02-12 00:27:13.000000000 +0200
@@ -103,17 +103,18 @@
 ( for type in ${SSH_SIGN_TYPES}; do cat < "${AUTHORIZEDKEYSFILE}" runTest "${type} ${subtype} in ${attn}RFC2253${norm} format" "${identity_file}" "" || return $?
diff -ruN openssh-4.5p1+x509-5.5.2/x509_by_ldap.c openssh-4.5p1+x509-6.0/x509_by_ldap.c
--- openssh-4.5p1+x509-5.5.2/x509_by_ldap.c 2006-09-01 21:23:57.000000000 +0300
+++ openssh-4.5p1+x509-6.0/x509_by_ldap.c 2007-02-13 00:28:14.000000000 +0200
@@ -359,6 +359,28 @@
 static char*
+ldaplookup_attr(ASN1_STRING *nv) {
+ char *p = NULL;
+ int k;
+ BIO *mbio;
+
+ mbio = BIO_new(BIO_s_mem());
+ if (mbio == NULL) return(NULL);
+
+ k = ASN1_STRING_print_ex(mbio, nv, XN_FLAG_RFC2253);
+ p = OPENSSL_malloc(k + 1);
+ if (p == NULL) goto done;
+
+ k = BIO_read(mbio, p, k);
+ p[k] = '\0';
+
+done:
+ BIO_free_all(mbio);
+ return(p);
+}
+
+
+static char*
 ldaplookup_filter(X509_NAME *name, const char *attribute) {
 char *p = NULL;
 int k;
@@ -388,6 +410,7 @@
 BIO_puts(mbio, OBJ_nid2sn(nid));
 BIO_puts(mbio, "=");
 nv = ne->value;
+#if 0
 /* TODO: we must escape '(' and ')' symbols and might to check for other symbols (>=128?)
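Review bot: `ldaplookup_attr` uses the return value of `ASN1_STRING_print_ex` as a buffer size without checking it: as far as I recall that function returns -1 on error, which turns `OPENSSL_malloc(k + 1)` into a zero-byte allocation, and when the printed value is empty a memory BIO in read mode can return -1 from `BIO_read`, so `p[k] = '\0'` then writes one byte before the buffer. Both results need a `< 0` guard, and a failed read should free `p` and return NULL instead of handing back an unterminated buffer, since the caller builds an LDAP filter from it. The pre-existing `k = BIO_read(mbio, p, k); p[k] = '\0';` in `ldaplookup_filter` (context in the later hunk) has the same shape and deserves the same fix in a follow-up.
```c
	k = ASN1_STRING_print_ex(mbio, nv, XN_FLAG_RFC2253);
	if (k < 0) goto done;          /* print failed: p stays NULL */
	p = OPENSSL_malloc(k + 1);
	if (p == NULL) goto done;

	if (k > 0) {
		k = BIO_read(mbio, p, k);
		if (k < 0) {               /* nothing readable: do not return an unterminated buffer */
			OPENSSL_free(p);
			p = NULL;
			goto done;
		}
	}
	p[k] = '\0';
	/* … unchanged: done: label, BIO_free_all(mbio), return(p) … */
```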
@@ -401,6 +424,32 @@
 BIO_write(mbio, p, 1);
 }
 }
+#else
+ {
+ char *q, *s;
+
+ q = ldaplookup_attr(nv);
+ if (q == NULL) goto done;
+#ifdef TRACE_BY_LDAP
+fprintf(stderr, "TRACE_BY_LDAP ldaplookup_filter: ldaplookup_attr(nv) return '%.512s'\n", q);
+#endif
+ /* escape some charecters according to RFC2254 */
+ for (s=q; *s; s++) {
+ if ((*s == '*') ||
+ (*s == '(') ||
+ (*s == ')')
+ /* character '\' should be already escaped ! */
+ ) {
+ /* RFC2254 recommendation */
+ BIO_printf(mbio, "\\%02X", (int)*s);
+ continue;
+ }
+ BIO_write(mbio, s, 1);
+ }
+
+ OPENSSL_free(q);
+ }
+#endif
 BIO_puts(mbio, ")");
 }
@@ -417,6 +466,9 @@
 k = BIO_read(mbio, p, k);
 p[k] = '\0';
+#ifdef TRACE_BY_LDAP
+fprintf(stderr, "TRACE_BY_LDAP ldaplookup_filter: p=%.512s\n", p);
+#endif
 done:
 BIO_free_all(mbio);
diff -ruN openssh-4.5p1+x509-5.5.2/x509_nm_cmp.c openssh-4.5p1+x509-6.0/x509_nm_cmp.c
--- openssh-4.5p1+x509-5.5.2/x509_nm_cmp.c 2006-09-01 21:23:43.000000000 +0300
+++ openssh-4.5p1+x509-6.0/x509_nm_cmp.c 2007-01-27 18:37:52.000000000 +0200
@@ -71,6 +71,8 @@
 * Since OpenSSH now run without to set locale, i.e.
 * following comparision is OK.
 * This implementation should be changed for other locales !!!
+ *
+ * Note pa or pb may contain utf8 characters !
 */
 /* skip leading spaces */
 for (; la > 0 && isspace((int)*pa); la--, pa++);
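Review bot: The escaping loop in the `#else` branch leans on the comment `character '\' should be already escaped !`, but the value comes from `ldaplookup_attr`, which prints with `XN_FLAG_RFC2253`; RFC 2253 escapes such as `\,`, `\+`, `\"` and `\\` are not RFC 2254 filter escapes, which only allow backslash as `\` followed by two hex digits (`\5c` for a literal backslash), so a value containing any of those characters produces a filter a strict server rejects or reads differently from the DN. A cleaner split is to have `ldaplookup_attr` produce plain UTF-8 (e.g. `ASN1_STRFLGS_UTF8_CONVERT` without the 2253 escaping) and to escape `*`, `(`, `)`, `\` and NUL in this loop, which the `\XX` form already emits. The loop also stops at the first NUL byte because it walks `q` as a C string, so an attribute value containing one is silently truncated; carrying the length from `ldaplookup_attr` would close that gap.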
@@ -103,32 +105,100 @@
 static int
+ssh_ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in) {
+/*
+ * Note before OpenSSL versions 0.7.e method ASN1_STRING_to_UTF8
+ * fail when ASN1_STRING is utf8String !
+ */
+ int tag;
+ int l;
+
+ if (!in) return(-1);
+
+ tag = M_ASN1_STRING_type(in);
+ if (tag != V_ASN1_UTF8STRING) {
+ /*OpenSSL method surprisingly require non-const(!?) ASN1_STRING!*/
+ return(ASN1_STRING_to_UTF8(out, in));
+ }
+
+ l = M_ASN1_STRING_length(in);
+ if (out) {
+ u_char *p;
+
+ if (*out) {
+ error("ssh_ASN1_STRING_to_UTF8: *out is not NULL");
+ return(-1);
+ }
+ /* we MUST allocate memory with OPENSSL method! */
+ p = OPENSSL_malloc(l + 1);
+ if (p == NULL) {
+ fatal("ssh_ASN1_STRING_to_UTF8: out of memory (allocating %d bytes)", (l + 1));
+ }
+ memcpy(p, M_ASN1_STRING_data(in), l);
+ p[l] = 0;
+ *out = p;
+ }
+ return(l);
+}
+
+
+static int
 ssh_ASN1_PRINTABLESTRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) {
 int n = -1;
 int tagA, tagB;
 int la, lb;
 u_char *pa, *pb;
+ u_char *ua = NULL, *ub = NULL;
 tagA = M_ASN1_STRING_type(a);
 tagB = M_ASN1_STRING_type(b);
 if (tagA != V_ASN1_PRINTABLESTRING) {
 debug3("ssh_ASN1_PRINTABLESTRING_cmp: a->type=%d(%.30s) is not PrintableString", tagA, ASN1_tag2str(tagA));
+ /* just in case - see caling methods */
+ if (tagB != V_ASN1_PRINTABLESTRING) {
+ error("ssh_ASN1_PRINTABLESTRING_cmp: b is not PrintableString too");
+ return(-1);
+ }
 }
 if (tagB != V_ASN1_PRINTABLESTRING) {
 debug3("ssh_ASN1_PRINTABLESTRING_cmp: b->type=%d(%.30s) is not PrintableString", tagB, ASN1_tag2str(tagB));
+ /* just in case - see caling methods */
+ if (tagA != V_ASN1_PRINTABLESTRING) {
+ error("ssh_ASN1_PRINTABLESTRING_cmp: a is not PrintableString too");
+ return(1);
+ }
 }
- /* TODO when tagA == tagB */
+ if (tagA == tagB) { /*both are PrintableString*/
 la = M_ASN1_STRING_length(a);
 pa = M_ASN1_STRING_data(a);
 lb = M_ASN1_STRING_length(b);
 pb = M_ASN1_STRING_data(b);
- /* TODO else */
+ } else { /*convert strings to utf8*/
+ la = ssh_ASN1_STRING_to_UTF8(&ua, a);
+ if (la <= 0) {
+ /*first string is lower in case of error or zero length*/
+ n = -1;
+ goto done;
+ }
+ lb = ssh_ASN1_STRING_to_UTF8(&ub, a);
+ if (lb <= 0) {
+ /*second string is greater in case of error or zero length*/
+ n = 1;
+ goto done;
+ }
+ pa = ua;
+ pb = ub;
+ }
 n = ssh_printable_casecmp(pa, la, pb, lb);
+
+done:
+ if(ua) OPENSSL_free(ua);
+ if(ub) OPENSSL_free(ub);
 #ifdef SSHX509TEST_DBGCMP
 fprintf(stderr, "ssh_ASN1_PRINTABLESTRING_cmp: return %d\n", n);
 #endif
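Review bot: `lb = ssh_ASN1_STRING_to_UTF8(&ub, a);` converts `a` a second time instead of `b`, so in the mixed-type branch `ssh_printable_casecmp` compares `a` with a copy of itself and returns 0 whatever `b` holds; since `ssh_ASN1_DIRECTORYSTRING_cmp` in the next hunk routes every pair with one PrintableString member here, a PrintableString attribute value and a non-PrintableString value of unrelated content compare equal and DN matching accepts the mismatch. The fix is `lb = ssh_ASN1_STRING_to_UTF8(&ub, b);`, and a test pairing a PrintableString with a UTF8String of different text would have caught it. Separately, `ssh_ASN1_STRING_to_UTF8` passes its `const ASN1_STRING *in` to `ASN1_STRING_to_UTF8`, which as the comment notes takes a non-const pointer, so that call wants an explicit cast next to the comment rather than a discarded-qualifier warning. The function's closing `return(n)` and brace lie outside the visible hunk.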
@@ -137,6 +207,140 @@
 /*
+ * =====================================================================
+ * from RFC3280 and oldest 2459:
+ * DirectoryString ::= CHOICE {
+ * teletexString TeletexString (SIZE (1..MAX)),
+ * printableString PrintableString (SIZE (1..MAX)),
+ * universalString UniversalString (SIZE (1..MAX)),
+ * utf8String UTF8String (SIZE (1..MAX)),
+ * bmpString BMPString (SIZE (1..MAX)) }
+ *.....
+ * The DirectoryString type is defined as a choice of PrintableString,
+ * TeletexString, BMPString, UTF8String, and UniversalString. The
+ * UTF8String encoding is the preferred encoding, and all certificates
+ * issued after December 31, 2003 MUST use the UTF8String encoding of
+ * DirectoryString (except as noted below). Until that date, conforming
+ * CAs MUST choose from the following options when creating a
+ * distinguished name, including their own:
+ * (a) if the character set is sufficient, the string MAY be
+ * represented as a PrintableString;
+ * (b) failing (a), if the BMPString character set is sufficient the
+ * string MAY be represented as a BMPString; and
+ * (c) failing (a) and (b), the string MUST be represented as a
+ * UTF8String. If (a) or (b) is satisfied, the CA MAY still choose
+ * to represent the string as a UTF8String.
+ *.....
+ * later in RFCs:
+ * (a) attribute values encoded in different types (e.g.,
+ * PrintableString and BMPString) may be assumed to represent
+ * different strings;
+ * (b) attribute values in types other than PrintableString are case
+ * sensitive (this permits matching of attribute values as binary
+ * objects);
+ * (c) attribute values in PrintableString are not case sensitive
+ * (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
+ * (d) attribute values in PrintableString are compared after
+ * removing leading and trailing white space and converting internal
+ * substrings of one or more consecutive white space characters to a
+ * single space.
+ * =====================================================================
+ *
+ * OpenSSH implementation:
+ * - assume that all DirectoryStrings represent same strings regardless
+ * of type. When strings are from different types they will be converted
+ * to utf8 before comparison.
+ * - when one of the strings is PrintableString they will be compared
+ * with method that ignore cases and spaces and convert to utf8
+ * if necessary.
+ *
+ * Note calling method shoud ensure that both strings are
+ * DirectoryString !!!
+ */
+static int
+ssh_ASN1_DIRECTORYSTRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+ int n = -1;
+ int tagA, tagB;
+ int la, lb;
+ const char *pa, *pb;
+ u_char *ua = NULL, *ub = NULL;
+
+ tagA = M_ASN1_STRING_type(a);
+ tagB = M_ASN1_STRING_type(b);
+
+ /* just in case of PrintableString - see caling method ;-) */
+ if ((tagA == V_ASN1_PRINTABLESTRING) ||
+ (tagB == V_ASN1_PRINTABLESTRING) ) {
+ /*
+ * one is PrintableString and we will compare
+ * according rules for PrintableString.
+ */
+ return(ssh_ASN1_PRINTABLESTRING_cmp(a, b));
+ }
+/*....*/
+ if (tagA == tagB) {
+ la = M_ASN1_STRING_length(a);
+ pa = (const char *)M_ASN1_STRING_data(a);
+ lb = M_ASN1_STRING_length(b);
+ pb = (const char *)M_ASN1_STRING_data(b);
+ } else {
+ /*convert both string to utf8*/
+ la = ssh_ASN1_STRING_to_UTF8(&ua, a);
+ if (la <= 0) {
+ /*first string is lower in case of error or zero length*/
+ n = -1;
+ goto done;
+ }
+ lb = ssh_ASN1_STRING_to_UTF8(&ub, b);
+ if (lb <= 0) {
+ /*second string is greater in case of error or zero length*/
+ logit("ssh_ASN1_DIRECTORYSTRING_cmp lb=%d", lb);
+ n = 1;
+ goto done;
+ }
+#ifdef SSHX509TEST_DBGCMP
+fprintf(stderr, "ssh_ASN1_DIRECTORYSTRING_cmp ua='%s'\n", ua);
+fprintf(stderr, "ssh_ASN1_DIRECTORYSTRING_cmp ub='%s'\n", ub);
+#endif
+ pa = (const char *)ua;
+ pb = (const char *)ub;
+ }
+
+ n = memcmp(pa, pb, (size_t)MIN(la, lb));
+#ifdef SSHX509TEST_DBGCMP
+fprintf(stderr, "ssh_ASN1_DIRECTORYSTRING_cmp n=%d, la=%d, lb=%d\n", n, la, lb);
+#endif
+ if (n == 0) n = (lb - la);
+
+done:
+ if(ua) OPENSSL_free(ua);
+ if(ub) OPENSSL_free(ub);
+#ifdef SSHX509TEST_DBGCMP
+fprintf(stderr, "ssh_ASN1_DIRECTORYSTRING_cmp: return %d\n", n);
+#endif
+ return(n);
+}
+
+
+static int/*bool*/
+ssh_is_DirectoryString(const ASN1_STRING* s) {
+ int tag = M_ASN1_STRING_type(s);
+
+ switch(tag) {
+ case V_ASN1_T61STRING: /*==V_ASN1_TELETEXSTRING*/
+ case V_ASN1_PRINTABLESTRING:
+ case V_ASN1_UNIVERSALSTRING:
+ case V_ASN1_UTF8STRING:
+ case V_ASN1_BMPSTRING:
+ return(1);
+ default:
+ return(0);
+ }
+}
+
+
+/*
 * 1.)
 * Since version 0.9.7.beta4 and 0.9.6h OpenSSL function X509_NAME_cmp
 * is more restrictive but more correct (!).
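Review bot: `if (n == 0) n = (lb - la);` in `ssh_ASN1_DIRECTORYSTRING_cmp` has the opposite sign from the ordering the rest of the function implies: when `a` is a proper prefix of `b`, `memcmp` over the common length is 0 and this line returns a positive value ("a greater"), whereas the error path a few lines above treats a short or empty first string as lower (`n = -1`); `n = (la - lb);` keeps the sign consistent. Only `n == 0` is consumed by the caller in the next hunk, so matching is unaffected today, but any later sort or bisection over entries would be. The `logit("ssh_ASN1_DIRECTORYSTRING_cmp lb=%d", lb)` on the second conversion failure, with no counterpart on the first, reads as a debugging leftover and should be made symmetric or dropped. The same-type path deserves a one-line comment tying it to the quoted RFC rule, e.g. `/* same type: binary, case-sensitive compare (rule (b) above) */` at `if (tagA == tagB) {`.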
@@ -257,6 +461,13 @@
 goto getnextentry;
 }
+ if (ssh_is_DirectoryString(nvA) &&
+ ssh_is_DirectoryString(nvB)) {
+ n = ssh_ASN1_DIRECTORYSTRING_cmp(nvA, nvB);
+ if (n == 0) goto entryisok;
+
+ goto getnextentry;
+ }
 n = M_ASN1_STRING_length(nvA) - M_ASN1_STRING_length(nvB);
 if (n != 0) goto getnextentry;
diff -ruN openssh-4.5p1+x509-5.5.2/x509store.h openssh-4.5p1+x509-6.0/x509store.h
--- openssh-4.5p1+x509-5.5.2/x509store.h 2006-04-25 22:08:01.000000000 +0300
+++ openssh-4.5p1+x509-6.0/x509store.h 2007-02-27 23:00:42.000000000 +0200
@@ -29,6 +29,10 @@
 #define X509_NAME_MAXLEN 512
+#define SSH_XN_FLAG_ONELINE ((XN_FLAG_ONELINE & \
+ ~XN_FLAG_SPC_EQ & \
+ ~XN_FLAG_SEP_MASK) | \
+ XN_FLAG_SEP_COMMA_PLUS)
 int ssh_x509cert_check(X509 *_cert);
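Review bot: The new `ssh_is_DirectoryString` branch sits in front of the existing length-and-byte comparison and takes it out of play for all five DirectoryString types, which changes how PrintableString values match from byte equality to the case- and whitespace-insensitive rule and lets values of different string types match after UTF-8 conversion; that is the intent stated in the comment block of the earlier hunk, but nothing at this call site says so. A comment on the branch would spare the next reader the trip, e.g. `/* DirectoryString pair: type-aware compare (PrintableString case/space insensitive, other types binary); non-DirectoryString values fall through to the length+byte compare below */`. The enclosing function and the `entryisok`/`getnextentry` labels are outside the hunk.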